nv-l

Re: Smartset function in XNMSNMPCONF

Subject: Re: Smartset function in XNMSNMPCONF
From: "Leslie Clark" <lclark AT us.ibm DOT com>
To: nv-l AT lists.tivoli DOT com
Date: Wed, 1 Aug 2001 11:59:19 -0400
Yours is a perfect example, Scott, of how real users take a function
intended by developers for some little purpose, and run with it to solve
all sorts of unanticipated real-life problems. Then, of course, the speeds
and feeds associated with the original intention don't support the
additional uses. We could hope that those additional uses would help drive
future development, eh? ;)

 It probably won't make you feel any better, but it might help if you
understood that the design point in supporting Smartsets in xnmsnmpconf
was NOT to let you group communities, but to let you adjust things like
timeouts and retries and polling cycles on nodes that had already been
discovered. It was assumed that the node would probably have to be
accessible via snmp BEFORE it showed up in a Smartset. The IP wildcard
slice, however, existed in the product before there were Smartsets, so it
should be expected to support the choice of community string. Then of
course the use of the alternates file came along, and I think we are still
being hit with some wrinkles introduced by that new function, wonderful as
it is.

Note, everybody, that you cannot expect to use xnmsnmpconf to support
a scheme of changing community strings in any simple fashion, since there
is NO entry for those nodes that use the default community. Any major
change is going to involve deletions. (Unless you make the default
something that is never used! Now there's an idea.) To make this easier,
skip the gui and use the export function of the xnmsnmpconf command, edit
the file, and import it. CAVEAT: name resolution can kill you there. It
won't re-import if names (eg for old nodes long gone) do not resolve. So
keep it tidy.

As for snmpCollect, the answer from Support is news to me. One of the
options for the snmpCollect daemon is -J.
"-J minutes
  Specifies how often snmpCollect polls the nvcold daemon for changes in
  SmartSets. The default is 60 minutes."
That would seem to indicate that it does not check at every poll. Perhaps
that value is smaller than it needs to be for your network? If you turn on
verbose tracing, you can see it working out membership at startup.

We have been told before that nvcold can be a bottleneck, especially for
event processing, and to be careful of having more Smartsets than your
hardware can handle. I would add that reducing the number of stub objects
in the database will help nvcold perform better. An object is an object,
even if it is small, and it looks to me as if several of the daemons
are adversely affected by excessive numbers of useless objects. I make a
point of excluding as much as possible from discovery via negative address
ranges. Start with your DHCP ranges, even if it takes a lot of typing.

You have my sympathy, Scott.

Cordially,

Leslie A. Clark
IBM Global Services - Systems Mgmt & Networking
Detroit
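
Added example, not part of the original message and not NetView code: a pre-import check for the export, edit and import routine described above, which lists names that no longer resolve (and would block the re-import) and entries still carrying "public". The colon-separated layout (target first, community second), the sample entries and all function names are assumptions; adjust the field positions to what your xnmsnmpconf export actually contains.

```python
import socket

# Constructed sample of an edited export file. ASSUMED layout (not taken from
# the thread): one entry per line, colon-separated, target first, community second.
SAMPLE_EXPORT = """\
# constructed sample entries
rtr-core1.example.com:raleigh:*:20:3:300
10.20.*.*:raleigh:*:20:3:300
old-rtr9.example.com:raleigh:*:20:3:300
sw-floor2.example.com:public:*:8:3:900
192.0.2.15:public:*:8:3:900
"""

# Names the demo treats as resolvable, so the example runs offline.
DEMO_KNOWN_NAMES = {"rtr-core1.example.com", "sw-floor2.example.com"}


def system_resolver(name):
    """Return True if the local resolver maps the name to an address."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def is_address_or_wildcard(target):
    """Dotted addresses and wildcard slices (10.20.*.*) need no name lookup."""
    return bool(target) and set(target) <= set("0123456789.*-")


def audit_export(text, banned=("public",), resolves=system_resolver):
    """Return (unresolvable_names, targets_using_banned_community)."""
    unresolvable, flagged = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not an entry in the assumed layout
        target, community = fields[0].strip(), fields[1].strip()
        if community in banned:
            flagged.append(target)
        if not is_address_or_wildcard(target) and not resolves(target):
            unresolvable.append(target)
    return unresolvable, flagged


if __name__ == "__main__":
    bad, public = audit_export(SAMPLE_EXPORT, resolves=DEMO_KNOWN_NAMES.__contains__)
    print("will block re-import (no name resolution):", bad)
    print("entries carrying a banned community:", public)
```

Against a real file, call audit_export() with the file's text and leave the resolves argument at its default so the host's own resolver is used.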


"Scott Barr" <scott_barr AT csgsystems DOT com>@tkg.com on 07/31/2001 11:04:04 AM

Please respond to IBM NetView Discussion <nv-l AT tkg DOT com>

Sent by:  owner-nv-l AT tkg DOT com


To:   "IBM NetView Discussion" <nv-l AT tkg DOT com>
cc:
Subject:  [NV-L] Smartset function in XNMSNMPCONF



This is not exactly a question, just kind of a rant about a couple of
features of NetView that work perfectly on paper but the implementation
will bite you.

In our environment, we use smartsets - a lot of smartsets. We have router
smartsets, server smartsets, switch smartsets etc. Now, if you look at
XNMSNMPCONF after you have done a full discovery you find a mixture of
entries that fall into a few categories:

1. The NetView server itself
2. Seed file nodes which support SNMP
3. nodes found because they are in wildcard seed ranges
4. nodes found because discovery is on and is unrestricted

Now, here is what my puny brain attempted to do. I wanted an easy way to
change community strings on a regular basis per the request of our router
and security staff. I wanted to use the smartset facility available in
xnmsnmpconf and in data collection. I purged topology database, then
cleared snmp configuration data (xnmsnmpconf) and cleared data collection
entries. Then I created an entry in SNMP config and in data collection to
use a smartset called Routers to set the SNMP values like retries, timeouts
and community strings and to set the fields I want collected and stored.
Now I have an snmp configuration file with one entry in it and I also have
data collection with one easy to manage simple entry. Last thing I did was
change the default entry for the community string in SNMP conf. Piece of
cake.

Then I started discovery. The first problem I encountered was NetView was
unable to speak to the local SNMP agent on my Sun box (DOH forgot to update
/etc/snmp/conf/snmpd.conf to include new default community string). Fixed
that, started over.

Discovery now began adding stuff. Routers and servers were discovered,
stuff added to map, a short time later smart sets were populated. After an
hour or so the vast majority of the network was discovered, I shut off new
node discovery.

Now, I went back and looked in xnmsnmpconf and in data collection and to my
surprise, all the discovered devices had individual entries (which appear
to override my smartset entry) and furthermore, the polling defaults,
retries etc. were taken from the default, not from the smartset definition.
In addition, some of the entries had public coded in them (public is listed
as an alternate name in communityNames.conf but it is NOT the default -
this is specified because some people can't ever seem to figure out that
changing the snmp community string of any host is the first most important
security hole you can fix). I began to receive large numbers of
authentication failures because I was bombing the routers with public
community string. I had to delete each and every entry (except for the
smartset). This wouldn't be so brutal except for that lovely X-windows GUI
feature that prevents me from selecting MORE than one entry. 800
mouseclicks later, the table was set up with just the smartset entry in
xnmsnmpconf.

Now, the data collection issue more or less took care of itself once the
SNMP config was squared away. I paid no further attention to my now
normally-functioning system. Until I noticed that SNMP collect daemon was
running at about 75-90% of my CPU on a periodic basis. After discussion
with support I came to the conclusion that the reason it was running so
high was due to the SNMPcollect daemon having to do a database query prior
to each collection function. To resolve this, (you guessed it) I had to put
individual entries back in the xnmsnmpconf for each managed device and set
the retries, timeouts and polling intervals individually (again).

Don't get me wrong, the smartset facility in data collection and in
xnmsnmpconf are great. Just wish I could use them. I don't know how this
feature got deployed when clearly it will not get used in the vast majority
of implementations or at least there should be some warning about its
shortcomings.




-----Original Message-----
From: Thomas Kunz [mailto:t-kunz AT admin.ndis.umn DOT edu]
Sent: Tuesday, July 31, 2001 9:22 AM
To: scott_barr AT csgsystems DOT com; nv-l AT tkg DOT com
Subject: RE: [NV-L] community name changes


We are at 6.01 and AIX 4.3.3 and have also seen this problem. Could someone
please reply with all the specific files that you are referring to? (i.e.
community names files ...)
Do I update these files through Netview or through AIX?

Thanks and have a great day!  :-)
Tom Kunz
OIT/PTS Network & AIX Systems Support
University of Minnesota
1300 S. 2nd St.
Mpls., MN. 55454-1083
Suite 660
Phone: 612-624-8086
Fax: 612-626-1332
Email: t-kunz AT cafe.tc.umn DOT edu

>>> scott_barr AT csgsystems DOT com 07/31/01 07:45AM >>>
I have seen this behavior and I am running 6.02. I changed global default
and left the community names file empty. Later, after doing initial
discovery I put my company-defined community string in and added nodes to
discovery. From time to time, I have to go in and whack the public entry.
No idea why this happens but the trigger is when I see routers sending in
SNMP authentication failure traps. I know there is something screwy here
but I haven't been able to make it happen in a controlled fashion.

-----Original Message-----
From: owner-nv-l AT tkg DOT com [mailto:owner-nv-l AT tkg DOT com]On Behalf Of Leslie Clark
Sent: Monday, July 30, 2001 8:18 PM
To: IBM NetView Discussion
Subject: Re: [NV-L] community name changes


Don, I have seen confusing behavior in this area a lot.  First, do you know
that at 6.01, public is used as if it were in the alternates file whether
you want it or not, and at 6.02 it is not used unless specified?  I hope
you are at 6.01, because the explanation would be easier. The next odd
thing I have been seeing is the insertion of bogus communities. But I
believe that in almost every case those turned out to be for nodes that had
name resolution problems. Cleaning up the name resolution in both
directions and a couple of demandpolls ( or rediscovering the node) cleared
it up. I know, I know, you couldn't possibly have any name resolution
problems....;) My routine now includes:

fix any name problems for the node
delete any related xnmsnmpconf entries (name or address)
demandpoll (it will always work, because it tries everything)
check snmp using one of the MIB appls, which only checks xnmsnmpconf

If it works for Monitor..MIB Values..System Info, then it should work for
snmpCollect, I think. The snmpCol.trace will tell you if it also has name
issues.

Cordially,

Leslie A. Clark
IBM Global Services - Systems Mgmt & Networking
Detroit

"Davis, Donald" <donald.davis AT firstcitizens DOT com>@tkg.com on 07/30/2001
05:39:38 PM

Please respond to IBM NetView Discussion <nv-l AT tkg DOT com>

Sent by:  owner-nv-l AT tkg DOT com


To:   "'NV-L AT tkg DOT com'" <NV-L AT tkg DOT com>
cc:
Subject:  [NV-L] community name changes



For the sake of this discussion, let's say that my Global Default community
name is "raleigh".

I have a default communityNames.conf file with no entries (all comments).

I am NOT using the "-h" netmon flag. (alternate community strings during
all polls)

Nodes using "raleigh" mysteriously are being added in xnmsnmpconf with a
unique community name of "public".

This really messes up SNMP data collection statistics :(

Has anyone else seen this?
What is happening here?

How do I turn this "feature" OFF ?


Don Davis
Systems Engineer Consultant
Enterprise Management
First Citizens Bank
100 East Tryon Road
Raleigh, NC. 27603-3526
919-716-8448




_________________________________________________________________________
NV-L List information and Archives: http://www.tkg.com/nv-l
