Huh? Pardon me, Danny, but yes,
I think you are complicating things terribly if we are talking UNIX, which
I thought we were.
Why do you want MLM on the same box as NetView if it is NOT there to
filter traps? It makes no sense to have him there for any other purpose
that I can see. NetView (netmon) can handle the polling of his own subnet
just fine.
And I don't understand what you are asking when you say,
"Can I use the MLM to do the local subnet discovery and status polling and
have trapd receive the SNMP traps or does the MLM use SNMP to communicate
with NetView?"
because the two issues are independent. Yes, you can have traps sent
right to trapd even if you are monitoring the devices which send them via
MLM. But then your firewall must permit UDP traffic destined for port
162. If your MLM is outside the firewall, then it will send the traps to
trapd using TCP. But then your MLM is remote and not on the same box as
NetView.
Traps and MLM status polling are independent. But netmon and MLM
(midmand) do communicate using SNMP. That's how (a) netmon discovers that
a remote box is an MLM and (b) how it gets the MLM to send it status
updates -- by SNMP gets. And that is how you configure the MLM using
smconfig on the NetView box. You need a write community name because
smconfig does an SNMP set to cause MLM to update his tables.
Finally I am mystified when you say that you are using MLM until you can
get CNAT deployed. MLM and CNAT are not interchangeable. To use MLM
your firewalls still have to permit SNMP traffic, and they also have to be
lowered in the beginning because netmon will not put the device on the map
if he cannot ping it. Once it is on the map it's a different story, but
SNMP traffic on port 161/UDP is still required across your firewall. And
if NetView on the other side gets traps directly, then it has to pass
162/UDP as well.
Have you read Steve Hochstetler's redbook on the subject of firewalls and
NetView?
Go to http://www.redbooks.ibm.com/ and get "Extending Network Management
Through Firewalls", SG24-6229-00.
You may change your mind about the whole thing.
James Shanks
Level 3 Support for Tivoli NetView for UNIX and NT
Tivoli Software / IBM Software Group
Danny H Williams/UK/IBM@IBMGB
Sent by: owner-nv-l AT tkg DOT com
10/26/2001 06:13 AM
Please respond to IBM NetView Discussion
To: nv-l AT tkg DOT com
cc:
Subject: [NV-L] SNMP Trap reception - trapd or MLM?
Hi All
Another question in the saga of Danny and the MLMs:
Is it better to have an MLM on a NetView server receive SNMP traps, or send
them directly to trapd? Currently I am not planning on filtering the SNMP
traps anywhere but at the source of the trap - i.e. if the trap is sent, I
am interested in it. I have read on the NV-L archives of people using MLMs
to filter traps but this doesn't apply to me.
I have been trying to work out how the MLM communicates with the NetView
server but am failing miserably.
Can I use the MLM to do the local subnet discovery and status polling and
have trapd receive the SNMP traps or does the MLM use SNMP to communicate
with NetView?
One configuration I have considered is to have trapd configured to listen
on 162/udp for the normal traps and 165/tcp to receive stuff from the MLM.
I could configure the MLM to listen on port 162/tcp for anything else that
is floating around (not that there should be - but just in case).
Am I complicating stuff terribly? Have I missed something fundamental? I
have been RTFM'ing but am still confused.
(By the way - the MLMs are to get around a firewall NAT issue until I can
install CNAT)
Cheers,
Danny
_________________________________________________________________________
NV-L List information and Archives: http://www.tkg.com/nv-l