YumaWorks YumaPro yp-snmp YANG Based Unified Modular Automation Tools User Manual
- June 4, 2024
- YumaWorks
Preface
Legal Statements
- Copyright 2009 – 2012, Andy Bierman, All Rights Reserved.
- Copyright 2012 – 2022, YumaWorks, Inc., All Rights Reserved.
Additional Resources
This document assumes you have successfully set up the software as described in the printed document: YumaPro Installation Guide
Other documentation includes:
- YumaPro Quickstart Guide
- YumaPro User Manual
- YumaPro netconfd-pro Manual
- YumaPro yangcli-pro Manual
- YumaPro yangdiff-pro Manual
- YumaPro yangdump-pro Manual
- YumaPro Developer Manual
- YumaPro API Quickstart Guide
- YumaPro ypgnmi Guide
- YumaPro ypclient-pro Manual
- YumaPro yp-system API Guide
- YumaPro yp-show API Guide
- YumaPro Yocto Linux Quickstart Guide
To obtain additional support, contact the YumaWorks technical support department: support@yumaworks.com
WEB Sites
- YumaWorks
- https://www.yumaworks.com
- Offers support, training, and consulting for YumaPro.
- Netconf Central
- http://www.netconfcentral.org/
- Free information on NETCONF and YANG, tutorials, on-line YANG module validation and documentation database
- Yang Central
- http://www.yang-central.org
- Free information and tutorials on YANG, free YANG tools for download
- NETCONF Working Group Wiki Page
- http://trac.tools.ietf.org/wg/netconf/trac/wiki
- Free information on NETCONF standardization activities and NETCONF implementations
- NETCONF WG Status Page
- http://tools.ietf.org/wg/netconf/
- IETF Internet draft status for NETCONF documents
- libsmi Home Page
- http://www.ibr.cs.tu-bs.de/projects/libsmi/
- Free tools such as smidump, to convert SMIv2 to YANG
Mailing Lists
- NETCONF Working Group
- https://mailarchive.ietf.org/arch/browse/netconf/
- Technical issues related to the NETCONF protocol are discussed on the NETCONF WG mailing list. Refer to the instructions on https://www.ietf.org/mailman/listinfo/netconf for joining the mailing list.
- NETMOD Working Group
- https://datatracker.ietf.org/wg/netmod/documents/
- Technical issues related to the YANG language and YANG data types are discussed on the NETMOD WG mailing list. Refer to the instructions on the WEB page for joining the mailing list.
Conventions Used in this Document
The following formatting conventions are used throughout this document:
Documentation Conventions
Convention | Description
---|---
--foo | CLI parameter foo
| Useful or expanded information
| Warning information indicating possibly unexpected side-effects
yp-snmp User Guide
Architectural Components
Introduction
yp-snmp enables the Simple Network Management Protocol (SNMP) to join the other netconfd-pro Northbound interfaces. It does this by linking to the library of the open-source Net-SNMP project. This user manual describes how the SNMP function is used and how to convert MIB modules to YANG modules, instrument them, install them on the netconfd-pro server, and then access them with SNMP client tools (agents).
Features
The yp-snmp client has the following features:
- SNMP packet processing inside the netconfd-pro server, done by integrating the packet processing of libnetsnmp (the agent library)
- SNMP GET request processing
- SNMP GETNEXT request processing
- SNMP GETBULK request processing
- Asynchronous Notifications – traps & informs
- Support for SNMPv3
- The netconfd-pro SNMP server only fully supports YANG modules that were converted from MIB modules using the smidump tool
SNMP SET is not supported.
Building SNMP support
To link Net-SNMP to netconfd-pro, the Net-SNMP header files have to be installed on the system where you build the server. Also, to run the netconfd-pro server with SNMP support, both snmpd and snmptrapd must be available. To test the SNMP support, it is useful to have the client (agent) tools provided by Net-SNMP installed, such as snmpget, snmpwalk, and snmpbulkget.
The following instructions will install Net-SNMP and its client tools. NOTE: there are many ways to build Net-SNMP; this is only one of them. For other options please refer to http://www.net-snmp.org/
First download the version of Net-SNMP you wish to use. The following instructions use net-snmp-5.7.3 as an example. This will install the binaries and .h header files needed:
When you have Net-SNMP installed then you can build the server. Use the WITH_SNMP=1 flag to build netconfd-pro with SNMP support from the source code:
To test the SNMP client features, GET, WALK, etc., the IF-MIB has been included and built as a Server Instrumentation Library (SIL) and you will need to build and install the IF-MIB SIL. From the netconf directory:
To run the netconfd-pro server, launch it with the parameters below. They let you see the debug messages as the examples are running and avoid any issues with existing configurations. The load-module command loads the IF-MIB SIL described previously:
NOTE: the server needs to be run as root because it uses restricted ports as part of the SNMP standard.
snmpget example
To run snmpget against the loaded IF-MIB SIL:
snmpwalk example
To run snmpwalk against the loaded IF-MIB SIL:
snmpbulkget example
To run snmpbulkget against the loaded IF-MIB SIL:
Traps and Informs
NOTE: currently only SNMP Traps Version 2 are supported by the server.
To demonstrate SNMP traps, make sure the following line exists in the snmpd.conf file:
The following application can be used to collect and display the traps. snmptrapd is an SNMP application that receives and logs SNMP TRAP and INFORM messages.
To test that the setup is correct and that receiving notifications is working, simulate sending an SNMP trap from a second terminal session using the following command, which sends a linkDown notification:
In the trap server terminal window you should see:
If this works, then you can test with netconfd-pro.
SNMP security and SNMP v3
This section briefly describes the security aspects of SNMP requests, specifically authentication and authorization. The authentication mechanism is built into Net-SNMP.
- Authentication in SNMP Versions 1 and 2c is provided by a password (community string) sent in clear text between a manager and agent.
- SNMP v3 defines a number of security-related capabilities. The initial specifications defined the USM and VACM, which were later followed by a transport security model that provided support for SNMPv3 over SSH and SNMPv3 over TLS and DTLS.
Netconfd-pro implements NACM (NETCONF Access Control Model) to manage and control the access to YANG objects supported by the device. Since NACM already provides the authorization, VACM has to be disabled when processing SNMP v3 requests. More information about the configuration and management of Net-SNMP authentication is available on-line as part of Net-SNMP documentation.
Security configuration files
Net-SNMP makes use of two configuration files to control its operation and the management information provided.
- /var/net-snmp/snmpd.conf – This file contains the SNMP v3 specific configuration related to allowed user names and passwords.
- /usr/local/share/snmp/snmpd.conf – This file contains generic configuration information, including the SNMP v1 and v2c community strings that perform basic authentication. If the file is not found at this path, it may be found at /etc/yumapro/snmpd.conf.
Adding SNMP v3 user
Adding a new SNMP v3 user can be performed by using the scripts available as part of Net-SNMP as below. The command below adds a user “admin” with authentication and privacy. Authentication makes use of SHA and the password for authentication is “password1”. Similarly for privacy, DES is used and the associated password for privacy is “password2”.
Note: The netconfd-pro server must be stopped before running the above command. Once the command has been run, netconfd-pro can be started again and will make use of the updated configuration file.
Adding SNMP v1/v2c user
As mentioned earlier, SNMP v1 and v2c make use of community strings for authentication. The allowed community strings, along with their access permissions, are configured in the snmpd.conf file. The tokens that control these parameters are “rocommunity” for read-only access and “rwcommunity” for read-write access.
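The settings described in this and the previous subsection can be checked mechanically. The following Python sketch is an added example, not part of YumaPro or Net-SNMP: it scans snmpd.conf text for well-known or unrestricted community strings, read-write communities (yp-snmp does not support SET), and SNMP v3 users created with MD5, DES, or no authentication or privacy. The sample configuration and the function name audit_snmpd_conf are constructed for illustration.

```python
import shlex

WELL_KNOWN = {"public", "private"}  # widely used default community strings
WEAK_AUTH, WEAK_PRIV = {"NONE", "MD5"}, {"NONE", "DES"}

# Constructed sample merging both snmpd.conf files; not from a real system.
SAMPLE_CONF = """\
rocommunity public
rocommunity m0nitor-ro 192.0.2.0/24
rwcommunity private 192.0.2.10
# v3 users: the admin user from the manual, then one that uses AES
createUser admin SHA password1 DES password2
createUser ops SHA "a long auth phrase" AES "a long priv phrase"
"""

def audit_snmpd_conf(text):
    """Return (line_no, directive, finding) tuples for risky settings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)  # honours quotes and '#'
        except ValueError:
            findings.append((no, "?", "unparseable line (unbalanced quote)"))
            continue
        if not tok:
            continue
        name, args = tok[0].lower(), tok[1:]
        if name in ("rocommunity", "rwcommunity") and args:
            if args[0].lower() in WELL_KNOWN:
                findings.append((no, name, "well-known community string"))
            if len(args) < 2 or args[1].lower() == "default":
                findings.append((no, name, "no source restriction"))
            if name == "rwcommunity":
                findings.append((no, name, "read-write community (yp-snmp has no SET support)"))
        elif name == "createuser":
            if args[:1] == ["-e"]:  # optional engine ID precedes the user name
                args = args[2:]
            auth = args[1].upper() if len(args) > 1 else "NONE"
            priv = args[3].upper() if len(args) > 3 else "NONE"
            if auth in WEAK_AUTH:
                findings.append((no, name, f"weak authentication: {auth}"))
            if priv in WEAK_PRIV:
                findings.append((no, name, f"weak privacy: {priv}"))
    return findings

if __name__ == "__main__":
    for no, name, msg in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no}: {name}: {msg}")
```

Run it against the text of both configuration files listed under “Security configuration files”; an empty result means none of these specific patterns were found, not that the configuration is otherwise sound.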
Netconfd-pro Hooks Into Net-SNMP
The netconfd-pro server is always listening on ports 161 and 162 for SNMP agent requests when the server is started with --with-snmp=true. During boot time, netconfd-pro creates Trap sinks and enables the netconfd-pro SNMP server. This includes:
- SNMP configuration file parsing
- Registering a handler for incoming SNMP packets. This is the callback invoked for incoming packets
- Registering the Network Service Address Point (NSAP) with the Net-SNMP library and setting up an agent session on the given transport. In this step netconfd-pro links the Net-SNMP library and registers all the callbacks and handlers that will be used for packet handling, PDU creation, and reply output
The server then starts to check whether there are any SNMP messages to process. It checks for any packets from the network. If there are any packets to process, the server calls the Net-SNMP API to process them.
For SNMP requests, e.g. snmpget on a get2 node, the server will perform the following:
- Parse the incoming packet (OID; request type: get, getnext, etc.)
- Resolve the internal SNMP request type (request on an indexed node, on a scalar with no indexes, etc.). Based on the request type, the server will adjust the target object resolution
- Then the server will either try to find the best next OID and repeat the same steps or proceed to the actual value retrieval
- In order to get the get2 value, the server calls the get2 callbacks starting from the table of the target node – the target node will always be a leaf
Based on the callback’s results, the server creates a new PDU to return, sets the return value(s) for the requested Varbind list in that PDU, and sends that packet back to the agent.
For config true and virtual nodes, all the steps are the same except that the server does not call get2 callbacks. Instead, it first locates the requested Table in the database, during the RESTCONF parse path processing, and then retrieves the best value from that Table.
Yp-snmp – NETCONF and SNMP Message Paths
Message Paths Diagram
When converted MIB modules are loaded into the netconfd-pro server, the Northbound protocols, such as NETCONF, access the YANG datastores in the usual way, i.e. through the message path colored red in the above diagram. Any notifications are handled in the usual way.
SNMP messages are processed by the Net-SNMP process and the netconfd-pro server, with the SIL providing the instrumentation, i.e. the message path colored yellow in the diagram above. The server generates any SNMP Traps necessary.
Creating MIB Instrumentation
To convert a MIB module to a YANG module and add Server Instrumentation Library (SIL) code, follow the steps below. The example uses the IF-MIB. An example version of the IF-MIB SIL is provided with the YumaPro SDK.
- Convert the selected MIB module to a YANG module using the smidump tool from: https://www.ibr.cs.tu-bs.de/projects/libsmi/download.html?lang=de
- You should validate the conversion using yangdump-pro. If you want to supply additional parameters to yangdump-pro for your environment, see the user manual yumapro yangdump-manual.pdf or the man pages.
- Copy the YANG files into your work folder.
- Run make_sil_dir_pro to generate the instrumentation source code.
- Modify the instrumentation code as needed. You will see tags that say “insert xxx code”. The process of converting the MIB to YANG creates smi:oid “x.y.z” tags in the YANG module for leaf instrumentation. Only the leafs with the smi:oid tag will be seen from an SNMP client. See the following section, “SNMP to YANG mapping”.
- Once you have finished with the instrumentation code, compile the code using.
- Install the code using.
NOTE: “DEBUG=1” is optional and is used to enable debug logging.
This will install the generated library in the system path for netconfd-pro to load.
SNMP to YANG mapping
Only YANG objects that have the smi:oid “x.y.z” tags will be visible to the netconfd-pro SNMP engine. All other objects will be ignored, and the server will report that there is no such object or, in the case of snmpgetnext, will jump to the next object.
A YANG data model cannot be utilized in full if it needs to represent a MIB module. After the MIB to YANG conversion, the YANG module will have several limitations, and some of the regular YANG features and properties will be either ignored by the netconfd-pro server or even invalid. The following list illustrates the limitations:
- A list or container may not have an OID number (smi:oid “x.y.z” tag), since it may not have an analogue in the MIB modules;
- The generic architecture for the YANG module must always be /container/list/leaf, or /container/leaf in the case of scalar objects. There should not be nested structures. Although the netconfd-pro server is capable of handling a complex nested architecture, it is still not recommended;
- Choice and case statements and their leaf nodes are ignored and will be invisible to the netconfd-pro SNMP server;
- If an object has a “deprecated” statement or the “status” is not current, e.g. “obsolete”, the object will be ignored;
- Leafref, augment, uses, etc. are all allowed to be present in the converted YANG module but must be handled with caution.
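To see which objects a converted module would expose to SNMP clients, the rules in the list above can be applied to the module text. This Python sketch is an added example, not YumaWorks code and not the server's own algorithm: it walks a YANG module and reports leafs that carry an smi:oid tag, have status current, and do not sit under a choice or case. The sample module and the function name snmp_visible_leafs are constructed, and only double-quoted strings are handled.

```python
import re

# Token kinds: "quoted string", comment (ignored), punctuation, bare word.
TOKEN = re.compile(
    r'"((?:[^"\\]|\\.)*)"|/\*.*?\*/|//[^\n]*|([{};])|([^\s{};"]+)', re.S)

# Constructed module shaped like smidump output; not the shipped IF-MIB.
SAMPLE_YANG = """\
module EXAMPLE-MIB {
  container interfaces {
    leaf ifNumber { type int32; smi:oid "1.3.6.1.2.1.2.1"; }
    leaf localOnly { type string; }  // no smi:oid tag
    list ifEntry {
      key "ifIndex";
      leaf ifIndex { type int32; smi:oid "1.3.6.1.2.1.2.2.1.1"; }
      leaf ifSpecific { status deprecated; smi:oid "1.3.6.1.2.1.2.2.1.22"; }
      choice media { case eth { leaf duplex { smi:oid "1.3.6.1.3.999.1"; } } }
    }
  }
}
"""

def snmp_visible_leafs(yang_text):
    """Map OID -> path for leafs the listed rules leave visible to SNMP."""
    stack, stmt, visible = [], [], {}
    for quoted, punct, word in (m.groups() for m in TOKEN.finditer(yang_text)):
        if quoted is not None or word:
            stmt.append(quoted if quoted is not None else word)
        elif punct == "{":                      # open a block: keyword + name
            kw, name = (stmt + ["", ""])[:2]
            stack.append({"kw": kw, "name": name, "status": "current"})
            stmt = []
        elif punct == ";":                      # simple statement in a block
            if stack and len(stmt) == 2 and stmt[0] in ("smi:oid", "status"):
                stack[-1][stmt[0]] = stmt[1]
            stmt = []
        elif punct == "}" and stack:
            node = stack.pop()
            in_choice = any(a["kw"] in ("choice", "case") for a in stack)
            if (node["kw"] == "leaf" and "smi:oid" in node
                    and node["status"] == "current" and not in_choice):
                names = [a["name"] for a in stack
                         if a["kw"] in ("container", "list")] + [node["name"]]
                visible[node["smi:oid"]] = "/" + "/".join(names)
    return visible

if __name__ == "__main__":
    print(snmp_visible_leafs(SAMPLE_YANG))
```

The resulting OID list is a starting point for reviewing what the SNMP interface makes readable, alongside the NACM rules that authorize access.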
NOTE: The netconfd-pro SNMP server only fully supports YANG modules that were converted from MIB modules using the smidump tool. Although it is possible to make an existing module SNMP server compatible, it may take a lot of effort and may not even be possible, since the data model will have to be adjusted. It is not recommended to manually convert a YANG module to be SNMP compatible, and netconfd-pro server problems related to such a module will not be supported.