To: | nv-l@lists.tivoli.com |
---|---|
Subject: | Re: SNMP Trap reception - trapd or MLM? |
From: | "James Shanks" <jshanks@us.ibm.com> |
Date: | Fri, 26 Oct 2001 09:46:58 -0400 |
Huh? Pardon me, Danny, but yes, I think you are complicating things terribly if we are talking UNIX, which I thought we were. Why do you want MLM on the same box as NetView if it is NOT there to filter traps? It makes no sense to have him there for any other purpose that I can see. NetView (netmon) can handle the polling of his own subnet just fine.

And I don't understand what you are asking when you say, "Can I use the MLM to do the local subnet discovery and status polling and have trapd receive the SNMP traps or does the MLM use SNMP to communicate with NetView?" because the two issues are independent.

Yes, you can have traps sent right to trapd even if you are monitoring the devices which send them via MLM. But then your firewall must permit UDP traffic destined for port 162. If your MLM is outside the firewall, then it will send the traps to trapd using TCP. But then your MLM is remote and not on the same box as NetView.

Traps and MLM status polling are independent. But netmon and MLM (midmand) do communicate using SNMP. That's how (a) netmon discovers that a remote box is an MLM and (b) how it gets the MLM to send it status updates -- by SNMP gets. And that is how you configure the MLM using smconfig on the NetView box. You need a write community name because smconfig does an SNMP set to cause MLM to update his tables.

Finally I am mystified when you say that you are using MLM until you can get CNAT deployed. MLM and CNAT are not interchangeable. To use MLM your firewalls still have to permit SNMP traffic, and they also have to be lowered in the beginning because netmon will not put the device on the map if he cannot ping it. Once it is on the map it's a different story, but SNMP traffic on port 161/UDP is still required across your firewall. And if NetView on the other side gets traps directly, then it has to pass 162/UDP as well.

Have you read Steve Hochstetler's redbook on the subject of firewalls and NetView? Go to http://www.redbooks.ibm.com/ and get "Extending Network Management Through Firewalls", SG24-6229-00. You may change your mind about the whole thing.

James Shanks
Level 3 Support for Tivoli NetView for UNIX and NT
Tivoli Software / IBM Software Group

Danny H Williams/UK/IBM@IBMGB
Sent by: owner-nv-l@tkg.com
10/26/2001 06:13 AM
Please respond to IBM NetView Discussion
To: nv-l@tkg.com
cc:
Subject: [NV-L] SNMP Trap reception - trapd or MLM?

Hi All

Another question in the saga of Danny and the MLMs:

Is it better to have an MLM on a NetView server receive SNMP traps, or send them directly to trapd?

Currently I am not planning on filtering the SNMP traps anywhere but at the source of the trap - i.e. if the trap is sent, I am interested in it. I have read on the NV-L archives of people using MLMs to filter traps but this doesn't apply to me.

I have been trying to work out how the MLM communicates with the NetView server but am failing miserably. Can I use the MLM to do the local subnet discovery and status polling and have trapd receive the SNMP traps or does the MLM use SNMP to communicate with NetView?

One configuration I have considered is to have trapd configured to listen on 162/udp for the normal traps and 165/tcp to receive stuff from the MLM. I could configure the MLM to listen on port 162/tcp for anything else that is floating around (not that there should be - but just in case).

Am I complicating stuff terribly? Have I missed something fundamental? I have been RTFM'ing but am still confused.

(By the way - the MLMs are to get around a firewall NAT issue until I can install CNAT)

Cheers,
Danny

_________________________________________________________________________
NV-L List information and Archives: http://www.tkg.com/nv-l
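The firewall requirements named in the reply above (ping, 161/UDP, and 162/UDP when traps go straight to trapd) can be checked against a rule set before deployment. The following is an added example, not part of the original thread or of NetView: the zone names, the rule tuple format and the first-match evaluation are assumptions, and the MLM-to-trapd TCP flow is left out because the reply gives no port for it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # zone of the sender (assumed names: "netview", "remote")
    dst: str    # zone of the receiver
    proto: str  # "udp", "tcp" or "icmp"
    port: int   # destination port; 0 for ICMP
    why: str

def required_flows(traps_direct_to_trapd: bool) -> list[Flow]:
    """Flows the reply says must cross the firewall."""
    flows = [
        Flow("netview", "remote", "icmp", 0,
             "netmon must ping a device before it goes on the map"),
        Flow("netview", "remote", "udp", 161,
             "SNMP gets to the MLM and smconfig SNMP sets"),
    ]
    if traps_direct_to_trapd:
        flows.append(Flow("remote", "netview", "udp", 162,
                          "traps sent straight to trapd"))
    return flows

def allowed(rules, flow: Flow) -> bool:
    """First matching rule wins; "any" and None are wildcards."""
    for action, src, dst, proto, port in rules:
        if (src in ("any", flow.src) and dst in ("any", flow.dst)
                and proto in ("any", flow.proto)
                and port in (None, flow.port)):
            return action == "permit"
    return False  # implicit deny when nothing matches

def blocked_flows(rules, traps_direct_to_trapd: bool) -> list[Flow]:
    return [f for f in required_flows(traps_direct_to_trapd)
            if not allowed(rules, f)]

# Constructed rule set: polling and ping are permitted, traps are forgotten.
SAMPLE_RULES = [
    ("permit", "netview", "remote", "udp", 161),
    ("permit", "netview", "remote", "icmp", None),
    ("deny", "any", "any", "any", None),
]

if __name__ == "__main__":
    for f in blocked_flows(SAMPLE_RULES, traps_direct_to_trapd=True):
        print(f"blocked: {f.src} -> {f.dst} {f.proto}/{f.port} ({f.why})")
```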
Archive operated by Skills 1st Ltd