Feature: Net-SNMP Context Name

[adrianmarsh]

Feature request to at somepoint add the ability to use Net-SNMP's relay feature. To do this I think that a "Context Name" needs adding to the Device properties, and passed to the snmp "get" function. Not sure if it would rely on php-snmp having support for it too. Don't see it listed as a parameter in :

string snmpget ( string hostname, string community, string object_id [, int timeout [, int retries]] )

[TheWitness]

Please educate me please... Three of four paragraphs is all I require.....

TheWitness

[adrianmarsh]

This is do do with the other posting here.

Basically one parameter of the net-snmp daemon lets you set it up as a relay. According to the net-snmp documentation (I've yet to experiment in depth), you can have net-snmp either relay by specific OID, OR you can use a context name parameter within the snmp request, and match that name against another agents IP address. The netsnmp agent will then match incoming snmp queries to the other agents and forward the request (act like a relay), and also pass the messages back.

In my network, I've my "general" lab network accessable corporate-wide, but theres also a private network (10.10.10.x). For security requirements I have to keep this seperate, and of course its not routable, but I have one PC that acts as a bridge for OA&M. I was hoping to set that PC up with the relayed net-snmp daemon on a private port, and then I'd be able to access the 10.10.10.x machines.

For that to work, Cacti would have to be able to :

a) Know about the relay "context name"
b) Be able to use that in the snmp-gets.

Hope thats enough. Looking in the php SNMP website I don't see where the support for the context name is, but I don't know PHP too well so maybe I've missed it.

Of course I could achieve the same thing by putting another NIC in the cacti PC, but then I'd be increasing the security risk on the corp<>Private bridge, and if I had several private networks then I wouldn't really want to have to add a new NIC for each one, just to measure the stats.

[rony]

Um... I was thinking about this..

Does <Community>@<context> work as the community? I've seen this some devices as a way to get access to a certain card.

[harrie]

There seem to exist two forms of relay I guess.

The first one is an SNMPv3 defined one in which the SNMP agent
functions like a proxy as defined in the standard. However,
I am not sure if this is fully implemented with NET-SNMP.


The second one is the PROXY-MIB defined by the NET-SNMP
developers. This MIB is not really a MIB as we know it, but more
a way to include a part of a MIB from another SNMP agent.
From an SNMP manager perspective, the relay is not visible
and transparant. For that reason, no additional parameters
like context would be needed.

[adrianmarsh]

Harrie,

There is this section of the manualfor net-snmp, that suggest it does support the proxy method:

proxy [-Cn CONTEXTNAME] [SNMPCMD ARGS] HOST OID [REMOTEOID]
This token specifies that any incoming requests under OID should be proxied on to another HOST instead. If a CONTEXTNAME is specified, it assigns the proxied tree to a particular context name within the local agent. This is the proper way to query multiple agents through a single proxy. Assign each remote agent to a different context name. Then you can use "snmpwalk -n contextname1" to walk one remote proxied agent and "snmpwalk -n contextname2" to walk another, assuming you are using SNMPv3 to talk to the proxy (snmpv1 and snmpv2c context mappings aren't currently supported but might be in the future). Optionally, relocate the local OID tree to the new location at the REMOTEOID. To authenticate to HOST you should use the appropriate set of SNMPCMD ARGS. See the snmpcmd(1) manual page for details.
Examples:
# assigns the entire mib tree on remotehost1 to the context of the
# same name:
proxy -Cn remotehost1 -v 1 -c public remotehost1 .1.3
# ditto, but for remotehost 2
proxy -Cn remotehost2 -v 1 -c public remotehost2 .1.3
# proxies only the ucdavis enterprises tree to the remote host using snmpv1
proxy -v 1 -c public remotehost .1.3.6.1.4.1.2021
# uses v3 to access remotehost and converts the remote .1.3.6.1.2.1.1
# oid to local .1.3.6.1.3.10 oid (another way to access mulitple hosts
# without using contexts)
proxy -v 3 -l noAuthNoPriv -u user remotehost .1.3.6.1.3.10 .1.3.6.1.2.1.1

I'm not sure which would be the best way to go though. I'm also wondering if the whole thing might not be easier with a basic port forwarder, but i'm not sure if w2kAS has this built in or not.

[ackmie]

I have a snmp proxy currently running in my forewalls I have developed for my clients hete is the example of the proxy strings that I need to add to the SNMPD on the gateway device to proxy for hosts in the LAN.

com2sec -Cn <context> <security name> default <community string>
group <group name> v1 <security name>
access <group name> <context> any noauth exact all none none
proxy -Cn <context> -v 1 -c <community string> <host> .1.3

The limits to this is that you query in v1 syntax to the IP of the gateway device and ech entry MUST have an individual community string.

I had this running with cacti but I am now not getting any data getting to cacti. Though I am able to query the gateway device to get data from a host it is proxying for. It is able to see the system description data and all of the things that it is able to graph when creating a graph, but unable to add data to the graph. Where am I best to look??

[adrianmarsh]

Does cacti graph for other non-proxied items ?

[ackmie]

Yes it is doing it for other hosts

[adrianmarsh]

You should switch on some of the debug options in cacti, and when the poller runs, look to see what values were returned. Choose a specific failing device and OID to start with, trace it through. Most likely its producing a "U". If it is, then you'd have to figure out why.

Remember, SNMP works (default) over UDP, so Cacti will send an SNMPget message to the SNMP client, and the client has to transmit it back seperately.

One of the problems with private networks, and having to use a proxy is that maybe that Cacti can communicate to the Client, but that the network routes defined may mean the Client cannot communicat back to the Cacti server.

One solution to this may be to use TCP instead, which may be supported (I think) in SNMPv3 (not sure).

I stopped work on this for other priorities, but maybe I'll pick it up again with some of your settings..

[daRavert]

No luck using contexts so I've tried a different approach to the SNMP proxy mechanism: I'm having Cacti query a number of snmpds running on a single host on different ports using SNMP v3. Each daemon is configured to proxy requests for a single host.
CLI snmpgets work well this way but somehow Cacti messes things up; eventhough the queries and the resulting data appear to be correct, the data stored in the rrds is the same for all hosts.
So for instance proxiedhost1_load_1min_123.rrd appears to be the same as proxiedhost2_load_1min_345.rrd. I have a feeling that this is caused by the fact that the target IP address for all these hosts are the same, i.e. the proxy address, and thus Cacti treats them as being the same..
Bug or feature? Any way around this?

Cacti version is 0.8.6h and is graphing perfectly for many non-proxied targets..

[adrianmarsh]

What do you see in the debug in Cacti ? I'd suggest:

- Clear the log
- Enable full debug
- Allow one session to run
- Disable full debug
- Zip up the file and attach it to the forum

[daRavert]

The cactid README explains a lot:

"If you are polling a device that has multiple agents on multiple ports, Cactid will not work for you yet."

This info should be on the Cactid Information page. It surely would have saved me a lot of time..
Anyways. I haven't gotten the SVN cactid to work and cmd.php is too slow for my setup. Any idea when there will be a new release that fixes the SNMP port issue?

[TheWitness]

The SVN cactid does support polling at multiple ports...

TheWitness

[TheWitness]

Cacti 0.8.7 and Cactid (provided with a few Caveot's like you can not use php_snmp) will support multiple snmp Context's. I need a few testers. It will be available in Beta3 next week.

TheWitness