Configuring notification filters
SNMP
1-99
iMG/RG Software Reference Manual (System Configuration)
1.6.4 Configuring notification filters
After the SNMP entity has been properly configured to send notifications, the SNMP engine will dutifully send
SNMPv1, SNMPv2c, and SNMPv3 notification messages on behalf of the notification generator application.
Depending upon the nature of the specific notification generator application, this may result in the sending of
few or many notifications.
A well-designed notification generator application will send enough notifications to be useful to a notification receiver application, but not so many that it produces “noise”.
The SNMPv3 administration framework allows an SNMP entity which contains both a notification receiver application and a command generator application to “turn down the noise” by filtering notifications at the source.
In the SNMP entity containing the notification originator, there are two MIB tables which control notification filtering: the snmpNotifyFilterProfileTable and the snmpNotifyFilterTable. By sending SNMP Set requests to create new rows in these tables, the SNMP entity with the notification receiver application can specify what kinds of notifications should not be sent to it.
This section describes the snmpNotifyFilterProfileTable and the snmpNotifyFilterTable in terms of the corresponding entries in the snmpd.cnf file. Using this information, some notification filters can be pre-configured before the AGENT entity is launched.
Configuring a notification filter is a process that requires two steps:
Create a notification filter.
Associate the notification filter with one or more notification parameters.
1.6.4.1 Creating a notification filter
To create a notification filter, add one or more snmpNotifyFilterEntry definitions to the snmpd.cnf file according to the following syntax:
snmpNotifyFilterEntry.<snmpNotifyFilterProfileName> <snmpNotifyFilterSubtree> <snmpNotifyFilterMask> <snmpNotifyFilterType> <snmpNotifyFilterStorageType>
snmpNotifyFilterProfileName is a human readable string representing the name of this notification filter.
snmpNotifyFilterSubtree is an OID which specifies the MIB sub-tree containing notification objects to be filtered. The value of this OID may be specified in dotted-decimal format or by the English name.
snmpNotifyFilterMask modifies the set of notifications and objects identified by snmpNotifyFilterSubtree (a detailed explanation follows). This object is an OctetString represented as a sequence of hexadecimal numbers separated by colons. Each octet is within the range 0x00 through 0xff. A zero-length OctetString is represented with a dash (-).
snmpNotifyFilterType is included or excluded. This object indicates whether the family of filter sub-trees defined by this entry are included in or excluded from a filter.
snmpNotifyFilterStorageType is nonVolatile, permanent, or readOnly.
The snmpNotifyFilterMask field allows filtering of the MIB view at a finer granularity than that of the snmpNotifyFilterSubtree and snmpNotifyFilterType pair alone. For instance, a filter can be made to apply to one row of a table only (see the example below).
The value - causes the corresponding snmpNotifyFilterMask to be a NULL string, which in turn allows all objects ‘below’ the snmpNotifyFilterSubtree entry to be filtered.
The snmpNotifyFilterMask is built using octets that correspond to the OID being filtered.
For example, one may wish to restrict a filter of the ifTable to only the second row, all columns. The OID for ifEntry.0.2 is:
1.3.6.1.2.1.2.2.1.0.2
The snmpNotifyFilterMask is a series of ones and zeros used for masking out parts of the filter. A zero indicates a WILD CARD (i.e. matches anything), and a one indicates an exact match must be made. So:
FIGURE 1-18 snmpNotifyFilterMask

OID                    1 . 3 . 6 . 1 . 2 . 1 . 2 . 2 . 1 . 0 . 2
snmpNotifyFilterMask   1   1   1   1   1   1   1   1   1   0   1

would require an exact match on all fields except the table column (i.e. the 0 in ifEntry.0.2).
Using the above example, the bits of the snmpNotifyFilterMask would be grouped into bytes, and then the right end padded with ones if necessary to fill out the last byte:

FIGURE 1-19 snmpNotifyFilterMask (continued)

                   byte 1             byte 2
original mask      1 1 1 1 1 1 1 1    1 0 1
padded with 1’s    1 1 1 1 1 1 1 1    1 0 1 1 1 1 1 1
hex value          ff                 bf
So the snmpNotifyFilterMask entry would be ff:bf
With this value for snmpNotifyFilterMask and all other appropriate entries in the configuration file, a notification containing values from any of the following ifTable objects would match the filter and would not be sent:
ifIndex.2
ifDescr.2
ifType.2
ifMtu.2
ifSpeed.2
ifPhysAddress.2
ifAdminStatus.2
ifOperStatus.2
ifLastChange.2
ifInUcastPkts.2
ifInErrors.2
ifOutUcastPkts.2
ifOutErrors.2
ifOutQLen.2
ifSpecific.2
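The mask construction and matching described above, as an added example (not code from the manual or from the SNMP agent): it encodes the wild card positions of a subtree OID into the colon-separated hex form and tests notification OIDs against the subtree/mask pair. The function names are hypothetical, and extending a short or zero-length mask with ones is an assumption taken from the standard SNMP-NOTIFICATION-MIB definition of snmpNotifyFilterMask.

```python
# Added example: snmpNotifyFilterMask encoding and matching (function names are hypothetical).

def parse_oid(text):
    """Turn a dotted-decimal OID into a tuple of sub-identifiers."""
    return tuple(int(part) for part in text.strip(".").split("."))

def encode_mask(subtree, wildcards):
    """Build the colon-separated hex mask: 0 = wild card, 1 = exact match."""
    bits = [0 if i in wildcards else 1 for i in range(len(subtree))]
    bits += [1] * (-len(bits) % 8)            # pad the right end with ones
    octets = []
    for start in range(0, len(bits), 8):
        value = 0
        for bit in bits[start:start + 8]:
            value = (value << 1) | bit
        octets.append(f"{value:02x}")
    return ":".join(octets)

def decode_mask(text, length):
    """Expand 'ff:bf' (or '-' for a zero-length mask) into `length` bits."""
    bits = []
    if text != "-":
        for octet in text.split(":"):
            value = int(octet, 16)
            bits += [(value >> shift) & 1 for shift in range(7, -1, -1)]
    bits += [1] * max(0, length - len(bits))  # assumption: short mask is extended with ones
    return bits[:length]

def in_family(oid, subtree, mask_text):
    """True if `oid` falls in the filter family (subtree, mask)."""
    if len(oid) < len(subtree):
        return False
    mask = decode_mask(mask_text, len(subtree))
    return all(m == 0 or a == b for m, a, b in zip(mask, oid, subtree))

IF_ENTRY_ROW2 = parse_oid("1.3.6.1.2.1.2.2.1.0.2")   # ifEntry.0.2 from the text
MASK = encode_mask(IF_ENTRY_ROW2, wildcards={9})      # the column sub-identifier is the wild card

if __name__ == "__main__":
    print("mask:", MASK)
    for name, oid in [("ifDescr.2", "1.3.6.1.2.1.2.2.1.2.2"),
                      ("ifOperStatus.2", "1.3.6.1.2.1.2.2.1.8.2"),
                      ("ifOperStatus.3", "1.3.6.1.2.1.2.2.1.8.3")]:
        print(name, in_family(parse_oid(oid), IF_ENTRY_ROW2, MASK))
```

With a dash as the mask, the same subtree matches only OIDs that begin with 1.3.6.1.2.1.2.2.1.0.2 exactly, so none of the row-2 columns listed above would be covered.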
1.6.4.2 Associating a filter with a notification parameter
To create a notification filter, add one or more snmpNotifyFilterProfileEntry definitions to the snmpd.cnf file according to the following syntax:
snmpNotifyFilterProfileEntry <snmpTargetParamsName> <snmpNotifyFilterProfileName> <snmpNotifyFilterProfileStorageType>
snmpTargetParamsName is a snmpTargetParamsName defined in the snmpTargetParamsTable.
snmpNotifyFilterProfileName is a snmpNotifyFilterProfileName defined in the snmpNotifyFilterTable.
snmpNotifyFilterProfileStorageType is nonVolatile, permanent, or readOnly.
1.6.5 Configuring source address checking
A feature of SNMP Research software allows the SNMP engine to perform additional authentication of an
incoming SNMPv1, SNMPv2c, or SNMPv3 message by checking the source address of the message.
To configure a source address (from which a message will be received), add one or more snmpTargetAddrEntry definitions to the snmpd.cnf file according to the following syntax:
snmpTargetAddrEntry <snmpTargetAddrName> <snmpTargetAddrTDomain> <snmpTargetAddrTAddress> <snmpTargetAddrTimeout> <snmpTargetAddrRetryCount> <snmpTargetAddrTagList> <snmpTargetAddrParams> <snmpTargetAddrStorageType> <snmpTargetAddrTMask> <snmpTargetAddrMMS>
snmpTargetAddrName is a human readable string representing the name of this target.
snmpTargetAddrTDomain is an OID which indicates the network type (UDP/IP, IPX, etc.). For UDP/IP transport type, the OID value (in dotted format) is 1.3.6.1.6.1.1 or equivalent (in English name) snmpUDPDomain.
snmpTargetAddrTAddress is a valid address in the snmpTargetAddrTDomain. For example, if the snmpTargetAddrTDomain is snmpUDPDomain, a valid address would be 192.147.142.35:0. This address is compared to the source address of an incoming message to determine if the message should be received or rejected. The scope of this comparison is controlled by the value of snmpTargetAddrTMask (see below).
snmpTargetAddrTimeout is an integer which must be present but is ignored by the SNMP engine. This field should be set to zero.
snmpTargetAddrRetryCount is an integer which must be present but is ignored by the SNMP engine. This field should be set to zero.
snmpTargetAddrTagList is a quoted string containing one or more (space-separated) tags. These tags correspond to the value of usmTargetTag in the usmUserTable and to the value of snmpCommunityTransportTag in the snmpCommunityTable.
An incoming SNMPv1 or SNMPv2c message will not be rejected if:
The community string in the incoming message matches a configured snmpCommunityName, and
The snmpCommunityEntry has a snmpCommunityTransportTag with one or more corresponding tag(s) in the snmpTargetAddrTable, and
The source address of the incoming message is validated by snmpTargetAddrTAddress (masked by snmpTargetAddrTMask) of a corresponding snmpTargetAddrEntry.
An incoming SNMPv3 message will not be rejected if:
The user identified by the incoming message matches a configured usmUserName, and
The usmUserEntry has a usmTargetTag with one or more corresponding tag(s) in the snmpTargetAddrTable, and
The source address of the incoming message is validated by snmpTargetAddrTAddress (masked by snmpTargetAddrTMask) of a corresponding snmpTargetAddrEntry.
snmpTargetAddrParams is a human readable string which must be present but is ignored by the SNMP engine. This field should be set to a dash (-).
snmpTargetAddrStorageType is nonVolatile, permanent, or readOnly.
snmpTargetAddrTMask is a bit field mask for the snmpTargetAddrTAddress and appears in the snmpd.cnf file in the same format as the snmpTargetAddrTAddress. For example, if snmpTargetAddrTDomain is snmpUDPDomain, a valid mask would be 255.255.255.0:0. This mask is used in conjunction with the snmpTargetAddrTAddress to determine if an incoming request has arrived from an authorized address.
Note: The value trailing the colon should ALWAYS be zero.
The value of snmpTargetAddrTMask identifies which bits of the source address should be compared to the value of snmpTargetAddrTAddress. A bit value of ‘1’ in the mask means that the corresponding bit in the source address should be compared to the corresponding bit in the value of snmpTargetAddrTAddress. A bit value of 0 in the mask means that the corresponding bit in the source address is a “don’t care” case in the comparison.
snmpTargetAddrMMS is an integer which is the maximum message size (in bytes) that can be transmitted between the local host and the host with address snmpTargetAddrTAddress without risk of fragmentation. The default value is 2048.
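The masked source address comparison and the three SNMPv1/SNMPv2c acceptance conditions listed above, as an added example (not code from the manual or from the SNMP engine). The function names, the dictionary layout, and the community and tag names are hypothetical and constructed for illustration; only the IPv4 part of each field is compared, since the value after the colon is always zero.

```python
# Added example: source address check as described for snmpTargetAddrEntry.
import ipaddress

def _ip(field):
    """Integer IPv4 address from an 'a.b.c.d' or 'a.b.c.d:0' field."""
    return int(ipaddress.IPv4Address(field.split(":")[0]))

def source_allowed(source_ip, taddress, tmask):
    """Compare only the source address bits whose mask bit is 1."""
    mask = _ip(tmask)
    return (_ip(source_ip) & mask) == (_ip(taddress) & mask)

def accept_v1_v2c(community, source_ip, communities, targets):
    """Apply the three conditions listed for SNMPv1/SNMPv2c messages."""
    tag = communities.get(community)        # snmpCommunityTransportTag
    if tag is None:
        return False                        # community string is not configured
    for target in targets:
        tag_matches = tag in target["taglist"].split()
        if tag_matches and source_allowed(source_ip, target["taddress"], target["tmask"]):
            return True
    return False

# Constructed sample configuration (community names and tags are made up).
COMMUNITIES = {"ops-ro": "mgmtNet", "lab-ro": "anyHost"}
TARGETS = [
    {"taglist": "mgmtNet", "taddress": "192.147.142.35:0", "tmask": "255.255.255.0:0"},
    {"taglist": "anyHost", "taddress": "192.147.142.35:0", "tmask": "0.0.0.0:0"},
]

if __name__ == "__main__":
    for community, source in [("ops-ro", "192.147.142.77"),
                              ("ops-ro", "192.147.143.77"),
                              ("lab-ro", "10.9.8.7"),
                              ("unknown", "192.147.142.35")]:
        verdict = accept_v1_v2c(community, source, COMMUNITIES, TARGETS)
        print(f"{community:8} {source:16} {'accepted' if verdict else 'rejected'}")
```

The anyHost entry shows that a 0.0.0.0:0 mask accepts every source address, so a configuration review should flag target entries that carry it.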
1.6.5.1 Matching exactly one source address
If snmpTargetAddrTMask is 255.255.255.255:0, then all bits have ‘1’ as value:

FIGURE 1-20 snmpTargetAddrTMask

          byte 1             byte 2             byte 3             byte 4
decimal   255                255                255                255
binary    1 1 1 1 1 1 1 1    1 1 1 1 1 1 1 1    1 1 1 1 1 1 1 1    1 1 1 1 1 1 1 1

This indicates that the source address must exactly match the value of snmpTargetAddrTAddress, or the incoming SNMP request will be rejected.
1.6.5.2 Matching any source address
If snmpTargetAddrTMask is 0.0.0.0:0, then all bits have ‘0’ as value:
