Unit 6: Router Management
Lesson 6-3: Events and Traps

At a Glance

Prior to standardization of an Internet protocol, such as SNMP, the software designer must document the design in the Internet Engineering Task Force’s (IETF) Request for Comments (RFC) series. This is the place for the dissemination of ideas pertaining to Internet protocols. The RFC receives reviews and undergoes revision as part of the official process of adoption as an Internet protocol standard.

It is within the IETF’s RFC series that one can find the standards for the six generic traps used by the SNMP agent. The traps inform the SNMP manager when certain conditions or extraordinary events have occurred, for example, a device has a link down condition. These generic traps and the Nortel Networks event messages associated with router management are the topics of this lesson.

What You Will Learn

After completing this lesson, you will be able to do the following:

• Define events, traps, and trap-directed polling.
• Identify six generic SNMP traps.
• Identify types of events that can be trapped.
• Demonstrate how to use the Events Monitor.
• Demonstrate how to use the Trap Monitor.
• Demonstrate the use of the Event Manager to display and save event logs from the ARN.
• Configure the ARN to send traps to a specific IP station.

ST0025804A Lesson 6-3: Events and Traps

Tech Talk

• Entity—An entity is the protocol that generates an event message.
• Generic Trap—RFC 1155 outlines seven SNMP traps that are considered generic since they are common to all SNMP protocols.
• IETF—The Internet Engineering Task Force is the governing body that reviews proposed Internet protocols and provides the RFC series for review of all proposed protocols.
• Polling—The SNMP manager polls, or frequently sends requests to, the agent to gather information on the status of the network.
• RFC—A Request for Comment is a document submitted to the IETF for the purpose of reviewing, revising, and standardizing new Internet protocols. Numbers are assigned to each RFC for identification purposes.
• Threshold—A threshold is a maximum value for a variable that should not be exceeded and is set by the network manager.
• Trap-directed Polling—Trap-directed polling is a compromise solution to acquiring the complete status of the network. When an extraordinary event occurs, a trap is generated by the agent to inform the manager. After that, the manager is responsible for periodically polling the agent for follow-up information to determine the extent of the problem.

Events

In terms of router management, an event is something that happens during the operation of a router that often signals a need for attention. An event message within SNMP typically provides a detailed description, along with an event code, of the operating status of a router. Events are always associated with a particular entity (the protocol that generates an event message, for example, ARP or IP) and its code. Each event message also describes the severity level of the event.

Severity Levels of Event Messages

Severity | Description | Code
--- | --- | ---
Information | Indicates routing events that usually require no action | 2
Warning | Indicates that a service acted in an unexpected manner | 4
Fault | Indicates a major service disruption, usually caused by a configuration, network, or hardware problem. | 8
Trace | Indicates information about each packet that traveled through the network. | 10

Event messages associated with Nortel Networks routers are too numerous to list in this lesson. However, as an example of some of the event messages seen on a Nortel Networks router, the tables below outline the specific event messages issued by the SNMP entity and what actions, if any, a network manager should take.
The entity code assigned to SNMP events is 3.

Nortel Networks SNMP Events for Fault and Warning Severity

Error Code | Severity | Message | Meaning | Action
--- | --- | --- | --- | ---
1 | Fault | System error | SNMP experienced a fatal error and is restarting automatically | Verify that the configuration is correct
5 | Warning | Duplicate community | An SNMP community was created with the same name as an existing community | None. SNMP deletes the duplicate community
6 | Warning | No corresponding community for the manager | A manager was created with an IP address that has no association with an existing community | None. SNMP deletes the manager record
41 | Warning | Agent detected death of Trap Manager | The entity that sends SNMP traps failed | None. The system recovers automatically
55 | Warning | Agent received trap switches for an unknown entity | An attempt was made to configure traps for an entity using an invalid entity number | None

Nortel Networks SNMP Events for Info and Trace Severity

Error Code | Severity | Message | Meaning | Action
--- | --- | --- | --- | ---
7 | Info | Protocol initializing | The SNMP agent is initializing | None
50 | Info | The Agent reset the counters for the manager in a community | The counter was reset for the proprietary SNMP security system | None
52 | Info | Agent changed the authentication mode | The TI was used to change the authentication mode of the SNMP agent on the router | Mode 1 indicates the router is set to operate in trivial security mode. Mode 3 sets the router to operate in proprietary security mode
8 | Trace | Agent received an unauthorized request from an IP address in a community | The SNMP agent received an SNMP packet from an unknown community and manager | None. SNMP drops the packet without a response. The message may indicate an attempt to breach security

In addition to the information within the tables, the event message also displays the following information:

• Date and time the event was issued.
• The Slot number hosting the entity that generated the event.
• The entity that generated the event.

Check Your Understanding

♦ Classify the severity of the following event messages from a Nortel Networks router and propose what actions should be taken to rectify the problems. Include the severity code of the event message.

1. Event Message: Connector XCVR<no.>excessive collisions.
   Message meaning: The CSMA/CD entity dropped a frame after it detected collisions on 16 successive transmission attempts over a specified connector.
2. Event Message: Connector XCVR<connector_no.>: MAC device does not support 10 Mb/s operation. 100Base-TX assumed.
   Message meaning: The line is configured to either 10Base-T or 10Base-T full-duplex, but this is not a supported setting. The router attempts to configure the line to 100Base-TX.

♦ Speculate on the meaning of the event message: “Duplicate interface <ipv6_address> address <ipv6_address> detected-disabled.” What action should be taken with such a message? What is the severity level and code?

Traps

Trap and event messages are closely related. Trap messages are a concise form of event messages, and they are generated by the same source. Generic traps are unsolicited messages that the agent sends to the network management station. RFC 1157 defines the standards for six generic traps used by the agent to inform the SNMP manager when certain conditions or extraordinary events have occurred.

• coldStart—Indicates that the sending entity is restarting itself and that the agent’s configuration or the protocol implementation may be altered. The code for this trap is 0.
• warmStart—Indicates that the sending entity is restarting but neither the agent’s configuration nor the protocol implementation is altered. The code for this trap is 1.
• linkUp—Indicates that the sending agent recognizes that one of the communication links has come up (become functional). The code for this trap is 3.
• linkDown—Indicates that the sending agent recognizes that one of the communications links has failed or gone down (no longer functional). The code for this trap is 2.
• authenticationFailure—Indicates that the sending machine is the addressee of a protocol message that is not authenticated. The code for this trap is 4.
• egpNeighborloss—Indicates the peer relationship between EGP neighbors is down. The code for this trap is 5.

RFC 1157 also defines one other trap, the Enterprise Specific trap. This trap is open ended: it is used to notify the SNMP manager of events that are vendor specific. The Enterprise Specific trap indicates that the sending entity recognizes a vendor specific event has occurred. The code for this trap is 6.

Thresholds

The possibility that multiple traps may occur simultaneously or even consecutively leads to the possibility of increased network congestion. As a means of reducing the number of traps generated, it is possible to assign a threshold. A threshold is a maximum value for a variable that should not be exceeded and is set by the network manager. When the variable reaches the threshold, the system generates an event or trap.

Trap-directed Polling

As a network manager, it is important to be informed about the status of the network. This presents a problem with the reporting of traps and events. As stated before, most traps are unsolicited messages that indicate there is a problem. The messages are sent only when the problem has already occurred. However, the network manager may want information before a situation becomes a problem.

One way to detect an impending problem is to assign thresholds that are lower than the maximum to allow ample time for adjustment. This process would result in an increase in the delivery of trap messages. The advantage is that it also provides immediate notification of an event.
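The generic trap codes listed in the Traps section above travel in the generic-trap field of an SNMPv1 Trap-PDU. The decoder below is an added example, not part of the original lesson or of any Nortel Networks tool: it parses a constructed datagram, names the generic trap, and marks authenticationFailure for review. The enterprise OID, agent address and community string in the sample are placeholders.

```python
# Added example, not from the lesson: minimal SNMPv1 Trap-PDU decoder (RFC 1157 layout).
GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",   # list index = trap code
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER value runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):            # read one element and insist on its tag
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return value, nxt

def decode_oid(value):
    if not value:
        raise ValueError("empty OID")
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                # base-128 arcs; high bit set = more octets follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_trap(datagram):
    msg, _ = expect(datagram, 0, 0x30)     # Message ::= SEQUENCE
    version, p = expect(msg, 0, 0x02)
    if int.from_bytes(version, "big") != 0:
        raise ValueError("not an SNMPv1 message")
    community, p = expect(msg, p, 0x04)
    pdu, _ = expect(msg, p, 0xA4)          # [4] IMPLICIT Trap-PDU
    enterprise, p = expect(pdu, 0, 0x06)
    agent, p = expect(pdu, p, 0x40)        # agent-addr (IpAddress)
    generic, p = expect(pdu, p, 0x02)      # generic-trap; later fields are not decoded here
    if len(agent) != 4:
        raise ValueError("agent-addr must be 4 octets")
    code = int.from_bytes(generic, "big", signed=True)
    name = GENERIC_TRAPS[code] if 0 <= code < len(GENERIC_TRAPS) else f"unknown({code})"
    return {"community": community.decode("ascii", "replace"),
            "enterprise": decode_oid(enterprise), "agent": ".".join(map(str, agent)),
            "generic": code, "name": name, "needs_review": code == 4}

def tlv(tag, body):                    # encoder for the constructed sample (short lengths only)
    return bytes([tag, len(body)]) + body

def sample_trap(generic):
    # Constructed datagram: placeholder enterprise OID 1.3.6.1.4.1.99999, agent 192.0.2.1.
    pdu = (tlv(0x06, bytes([0x2B, 6, 1, 4, 1, 0x86, 0x8D, 0x1F]))
           + tlv(0x40, bytes([192, 0, 2, 1])) + tlv(0x02, bytes([generic]))
           + tlv(0x02, b"\x00") + tlv(0x43, b"\x01\x00") + tlv(0x30, b""))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + tlv(0xA4, pdu))
```

Calling decode_trap(sample_trap(4)) returns a record whose name is authenticationFailure and whose needs_review flag is set; a truncated or mis-tagged datagram raises ValueError instead of yielding a partial record.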
[Figure: Trap Notification of Threshold Value Exceeded. The agent (router) sends a "Threshold Exceeded!" trap to the NMS manager. MIB variable legend: E = number of errors, I = IP addresses, T = threshold level of network traffic.]

The disadvantage is that the sending agent transmits the message without knowing if the receiving manager is ready to actually receive the message. These trap messages are quite large, since they contain all the information necessary to thoroughly inform the manager of the exact problem.

Another way to predict an impending problem is to set up the manager to poll the agents periodically. By polling, the manager is regularly sending requests for information from the agent. This action allows the manager to get frequent updates on the system. However, there is a problem in determining how often the manager should poll the agent. Polling also increases network congestion.

[Figure: Polling: SNMP Manager Regularly Requests Information From Agent. The NMS manager sends GetRequest Poll #1 and GetRequest Poll #2 to the agent (router). MIB variable legend: E = number of errors, I = IP addresses, T = threshold level of network traffic.]

Trap-directed polling is a compromise solution to acquiring the complete status of the network. When an extraordinary event occurs, a trap is generated by the agent to inform the manager. After that, the manager is responsible for periodically polling the agent for follow-up information to determine the extent of the problem. Although periodic polling is still needed, the frequency is reduced.

[Figure: Trap-directed Polling: Both Traps and Polls are Exchanged. The agent (router) sends a "Threshold Exceeded!" trap and the NMS manager sends GetRequest polls. MIB variable legend: E = number of errors, I = IP addresses, T = threshold level of network traffic.]

Check Your Understanding

♦ As a network manager, speculate what thresholds should be set to monitor the network most efficiently. What variables should be polled regularly for information to maintain an efficient network?

Try It Out

The Events Monitor

In this lab you will learn to:

• Use the Events Manager to display and save event logs from the ARN.

Materials Needed:

• Nortel Networks' Advanced Remote Node (ARN) Router
• Classroom Network
• Windows 95 PC
• Site Manager
• Any Word Processor (e.g., MS Word)
• Pen/Pencil and Paper
• Student Portfolio

During this lab, work in teams of three. Record your experiences, results, speculations, and conclusions in your portfolio. Write a summary of the lab.

Part One: Viewing Events

1. On the Start/Programs menu, open Site Manager.
2. Open the Events Manager:
   a. Click Tools.
   b. Click Events Manager.
3. When the Events Manager screen appears, click Options.
4. Click Router Connection.
5. Type the IP address of the router to which you want to connect.
6. Click OK.
7. From the Events Manager screen, click File.
8. Click Get Current Log File.
9. Displayed in the right-hand column of the event log is the event code for each event.
10. From the Events Manager screen, click View.
11. Click Filters.
12. When the Filter Parameters screen appears, perform the following steps:
   a. Highlight Fault, Warning, and Information.
   b. Choose the slot where you want filtering to occur.
   c. Choose the entities on which you wish to filter.
   d. When you finish making your filter selections, click OK.
13. From the Events Manager screen, activate the filter:
   a. Click View.
   b. Then click Refresh.

Part Two: Saving Log Files

1. From the Events Manager screen, save the displayed event log to an ASCII text file:
   a. Click File.
   b. Then click Save Output to Disk.
2. Enter a directory path where you want to save the file in the Selection Window (for example, C:\My Documents).
3. Decide on a name for the log.
4. Enter the name of the log in the Selection Window after the path you chose.
5. Click OK.

Rubric: Suggested Evaluation Criteria and Weightings

Criteria | % | Your Score
--- | --- | ---
Complete record of procedural results. | 25 |
Summary, analysis, synthesis and conclusions | 50 |
Organization and summary in format suitable for reproduction | 25 |
TOTAL | 100 |

Stretch Yourself

The Trap Monitor

In this activity you will learn to:

• Configure an ARN to send traps to a specific IP station.
• Using the Configuration Manager, specify the types of traps and events that you want the router to send to a trap monitor.
• Set up the Trap Monitor tool within Site Manager to receive traps from a specific router.
• Using the Trap Monitor tool, filter received traps.

During this lab, work in teams of three. Record your experiences, results, speculations, and conclusions in your portfolio. Write a summary of the lab.

Materials Needed:

• Nortel Networks' Advanced Remote Node (ARN) Router
• Classroom Network
• Windows 95 PC
• Site Manager
• Any Word Processor (e.g., MS Word)
• Pen/Pencil and Paper
• Student Portfolio

Part One: Configuring the Router to Send Traps

1. Open Site Manager from the Start/Programs menu.
2. Click Tools.
3. Click Configuration Manager.
4. Click Dynamic Mode.
5. Add the IP address of your management workstation as a manager within a community:
   a. Click Protocols.
   b. Click IP.
   c. Click SNMP.
   d. Click Communities.
6. When the SNMP community list appears, select the community “secure” or “public” depending on what community name appears.
7. Look at the managers associated with the community:
   a. Click Community.
   b. Click Managers.
8. The IP address of your Site Manager workstation may already be displayed as a manager. (The default 0.0.0.0 address cannot be used.) If not, then add it:
   a. Click Manager.
   b. Click Add Manager.
   c. Type in the IP address of your Site Manager workstation.

Part Two: Specifying the Class of Traps and the UDP Port

1. In the SNMP Manager List on your screen, select the IP address of your workstation.
2. Verify that all (not just generic) traps will be sent to this manager:
   a. Click Manager.
   b. Click Edit Manager.
   c. If Generic is displayed, highlight it and delete it.
   d. Type ALL.
   e. Click OK.
3. Back out of the secure community configuration:
   a. Click File.
   b. Click Edit.
   c. Click File again.
   d. Click Edit again.

Part Three: Specifying Entities on Which to Trap

1. For any entity, on a per slot basis, you can configure the router to trap on any event. To set this up:
   a. Click Protocols.
   b. Click IP.
   c. Click SNMP.
   d. Click Trap Configuration.
   e. Click Interfaces.
2. Within the Trap Configuration window, set it up so that traps will occur for all entities on all slots for event severity of Fault, Info, Warning, and Trace.
   a. Click All Entities.
   b. Click the boxes next to Fault, Warning, Trace, and Info.
   c. Click Update.
3. Click Save to save the trap configuration.
4. Click File.
5. Click Exit to exit Configuration Manager.
6. A dialog box will appear to name the file. Type trap.cfg for the file name.
7. Click Save.
8. Click OK when the Site Manager brings up an OK dialog box.

Part Four: Activating the Trap Monitor and Enabling Trap Reception

1. Once activated, the Trap Monitor dynamically displays all incoming trap messages. From the main Site Manager screen:
   a. Click Tools.
   b. Click Trap Monitor.
2. Verify that your workstation is not being filtered out:
   a. Click View.
   b. Click Set Address Filters.
3. Note that an address of 0.0.0.0 in the Address Filters window means any router is accepted and an address of 255.255.255.255 means that no other router is accepted. You should have either 0.0.0.0 or the IP address of your router in the first filter field.
4. Click Save to save the address filter setup.
5. Verify that the appropriate severity levels are enabled:
   a. Click View.
   b. Click Select Trap Types.
   c. Make sure that Fault, Warning, Info, and Trace are enabled. If not, click in the box next to each event type.
6. Click OK.

Part Five: Generating Traps

1. Pull the serial cable off the back of the router. Do any traps occur?
2. How long did it take for a trap message to occur after you pulled the cable off? Record this time in your records for your summary.
3. Did you see any other traps displayed? If so, record the information displayed for your summary.

Rubric: Suggested Evaluation Criteria and Weightings

Criteria | % | Your Score
--- | --- | ---
Complete record of procedural results. | 25 |
Summary, analysis, synthesis and conclusions | 50 |
Organization and summary in format suitable for reproduction | 25 |
TOTAL | 100 |

Network Wizards

Research Requests for Comments

As a network manager, keeping up to date on new developments is essential. As stated in this lesson, the Requests for Comments (RFC) are the vehicle used for developers to share their work on the creation or improvement of Internet related protocols. The information in RFCs is presented in a much different fashion than you are probably used to seeing every day. Interpreting them can be interesting and useful in your future dealings with emerging protocols.

Materials Needed:

• Windows 95 PC
• Internet Connection
• Any Word Processor (e.g., MS Word)
• Pen/Pencil and Paper
• Student Portfolio

1. Research six Internet locations that house RFCs for downloading.
2. After you have found several locations, document the type of site, either a WWW location or an FTP site. Include in your documentation the URL or FTP address for the site.
3. Download three RFCs about SNMP and related topics.
4. Compare the information presented in Unit 6 with the information presented in the RFCs. With the knowledge you have from the lessons, are you able to interpret the information in the RFCs?
5. In a presentation to the class, explain your interpretation of one of the RFCs you have researched.

Rubric: Suggested Evaluation Criteria and Weightings

Criteria | % | Your Score
--- | --- | ---
Documentation of six research sites | 25 |
Insightful and accurate interpretation of RFC | 25 |
Quality class presentation of research | 50 |
TOTAL | 100 |

Summary

In this lesson, you learned the following:

• The definition of events, traps, and trap-directed polling.
• The identification of six generic SNMP traps.
• The identification of the types of events that can be trapped.
• How to use the Events Monitor.
• How to use the Trap Monitor.
• Use of the Event Manager to display and save event logs from the ARN.
• How to configure the ARN to send traps to a specific IP station.

Review Questions

Name_______________

Lesson 6-3: Events and Traps

Part A

1. Define the meaning of the words “event” and “trap” in networking.
2. Define the term “trap-directed polling.” Include with your definition a diagram illustrating the term.

Part B

Place an “X” next to the generic traps. Write a description of the event for each trap.

Trap Names | Event Descriptions
--- | ---
1. linkDown |
2. enterprise Specific |
3. authenticationFailure |
4. coldStart |
5. warmStart |
6. linkUp |
7. egpNeighborloss |

Part C

1. Write a short essay identifying the types of events that a network manager would want trapped by SNMP to improve the network’s performance. Include a discussion as to how setting thresholds might improve monitoring.

Scoring Rubric: Suggested Evaluation Criteria and Weightings

Criteria | % | Your Score
--- | --- | ---
Part A: Define events, traps, and trap-directed polling | |
Part B: Identify six generic SNMP traps | |
Part C: Identify types of events that can be trapped | |
TOTAL | 100 |
Try It Out: Demonstrate how to use the Events Monitor | 100 |
Stretch Yourself: Demonstrate how to use the Trap Monitor | 100 |
Network Wizards | 100 |
FINAL TOTAL | 400 |

Resources

Bay Networks. (1999). Accelerated Router Configuration, Bay Networks, Inc., Billerica, Massachusetts.

Bay Networks. (1998). Configuring SNMP, BootP, DHCP, RARP Services, Bay Networks, Inc., Billerica, Massachusetts.

Bay Networks. (1998). Event Messages for Routers, Bay Networks, Inc., Billerica, Massachusetts.