Advisor
ssp
Posts: 38
Registered: ‎04-15-2011
Message 1 of 12 (450 Views)

Prevent SNMP queries on specific nodes

Hello,

 

We have NNM 9.20 (UNIX).  Our internal client has insisted that SNMP queries from our NNMi management server have caused issues on specific nodes.  So we put those nodes in the Excluded IP address section.  However, based on the client's node logs (i.e., community strings & IP address from the NNMi management server show up in their logs), the SNMP queries continue.  How can we have NNMi do the following?  "Do not ping, do not SNMP query, do NOTHING on the internal client's nodes".  Thanks in advance for any tips.

 

Steve

Honored Contributor
LindsayHill
Posts: 743
Registered: ‎11-16-2011
Message 2 of 12 (429 Views)

Re: Prevent SNMP queries on specific nodes

I would ensure that those addresses are not covered by your discovery ranges. Excluded IP addresses behaves a little differently - if you discover a device, and it has some of those IPs, it will still discover the device, but act like those interfaces don't exist.

 

If those systems are truly so sensitive, they should be disabling SNMP on the devices themselves. Or at least using tight ACLs + different community strings. That is, if they are really serious about SNMP causing problems on those. Or maybe they're just looking to blame the NMS, because, well...it's always the NMS's fault.

CCIE 36708 | @northlandboy | lkhill.com
Advisor
ssp
Posts: 38
Registered: ‎04-15-2011
Message 3 of 12 (426 Views)

Re: Prevent SNMP queries on specific nodes

Thanks, Lindsay.  Unfortunately those IP addresses are covered by our discovery ranges.  We have such a wide discovery range that we can't help but try to "discover" the Excluded IP addresses.  I think the option will have to be as you suggested, shut off SNMP at the node level.  A kludgy way to go for sure, but at least the internal client can't point fingers at the horrific SNMPWALK!  :) 

Steve
Honored Contributor
LindsayHill
Posts: 743
Registered: ‎11-16-2011
Message 4 of 12 (419 Views)

Re: Prevent SNMP queries on specific nodes

One other possibility is to define node-specific communication settings that use some other SNMP string. Then NNMi will send a handful of polls to that device, but they won't be answered, and so it won't do a full walk.

Or I suppose you could add the device to NNMi, but set it to Unmanaged? That might actually be the best solution here.
CCIE 36708 | @northlandboy | lkhill.com
Honored Contributor
LindsayHill
Posts: 743
Registered: ‎11-16-2011
Message 5 of 12 (417 Views)

Re: Prevent SNMP queries on specific nodes

There is one other method I've used - you can set node-specific communication settings to only use ICMP. That still pings that device, but won't do SNMP.

I've used that with one customer where a particular device was really struggling over a small link.
CCIE 36708 | @northlandboy | lkhill.com
Honored Contributor
dieter boschung
Posts: 236
Registered: ‎12-18-2008
Message 6 of 12 (404 Views)

Re: Prevent SNMP queries on specific nodes

Hi ssp

 

You said: "Do not ping, do not SNMP query, do NOTHING on the internal client's nodes".

 

I would simply change their management mode to either 'Not Managed' or 'Out of Service'.

 

There is a great online help section, search for "Understand the Effects of Setting the Management Mode"; you will find:

 

For nodes, setting the Management Mode to Not Managed or Out of Service has the following effects:

  • No incidents are generated for the node
  • The node's SNMP Agent is excluded from fault polling.
  • The node's interfaces or addresses are excluded from fault and performance polling.
  • NNMi quits gathering Node Component data.
  • NNMi deletes all Polled Instances associated with the Not Managed or Out of Service node.
  • The Active State for any Custom Poller Nodes associated with the Not Managed or Out of Service node becomes Inactive.
  • The node is removed from any associated Router Redundancy Groups.
  • Traps related to the node, interface, card, node component, or address (for example, coldStart or warmStart) are not stored.
  • The node is excluded from discovery.
  • Actions → Polling → Configuration Poll is no longer available for this node.
  • The status of a node is set to No Status.
  • Actions → Polling → Status Poll is no longer available for the node or incident related to that node.

Is this what you want to achieve?

Dieter

HP Support
If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.
Advisor
ssp
Posts: 38
Registered: ‎04-15-2011
Message 7 of 12 (398 Views)

Re: Prevent SNMP queries on specific nodes

Hi Dieter,

 

I am liking this option "Unmanaged" that you and Lindsay have proposed.  The best solution is convincing the client that SNMP is not causing issues on his devices.  Thanks.

Steve
Advisor
ssp
Posts: 38
Registered: ‎04-15-2011
Message 8 of 12 (396 Views)

Re: Prevent SNMP queries on specific nodes

Lindsay,

 

Quick question here.  If I set the node specific communications settings to use only ICMP, can the node still send back SNMP information on its own and it will be received by NNMi management server?  Those nodes have the SNMP configuration set to have the NNMi management server as the trap receiver.  The reason I ask is that we trouble ticket on SNMP information sent back by those nodes.  Thanks.

Steve
Advisor
ssp
Posts: 38
Registered: ‎04-15-2011
Message 9 of 12 (388 Views)

Re: Prevent SNMP queries on specific nodes

PS Lindsay,

 

I am a bit new to this, but how can I change/force the individual node setting on the management server to only use ICMP?  Thanks.

 

 

 

 


Steve
Honored Contributor
LindsayHill
Posts: 743
Registered: ‎11-16-2011
Message 10 of 12 (361 Views)

Re: Prevent SNMP queries on specific nodes

Go to Configuration -> Communication Configuration.

Go to the "Specific Node Settings" tab.

Add an entry for your device. Amongst other options, uncheck "Enable SNMP Communication"
CCIE 36708 | @northlandboy | lkhill.com
Honored Contributor
ramesh9
Posts: 1,150
Registered: ‎04-19-2011
Message 11 of 12 (359 Views)

Re: Prevent SNMP queries on specific nodes

For all your queries I would advise you to follow these steps even if it is a bit lengthier to do:

1.     Identify and list devices for which SNMP queries should not be sent from NNM

2.     Remove these devices from NNM

3.     Create SNMP profile for each device in NNM for discovery of the device as ICMP. Please make sure you would give wrong community string. For creating, in NNM console go to Configuration->Communication configuration->Specific Node Settings

4.     If needed create a new Nodegroup and add these devices to the node group

5.     Identify and remove if any of the devices are still listed in any existing nodegroup which can use SNMP access. You can use the command nnmnodegroup.ovpl for this (refer to the NNM reference guide for details of this command).

Advisor
ssp
Posts: 38
Registered: ‎04-15-2011
Message 12 of 12 (344 Views)

Re: Prevent SNMP queries on specific nodes

Lindsay,

 

I think this is the route to go.  I can still ping the device, but then do no SNMP queries.  Plus the device can still have SNMP running and send traps to the trap receiver.  Thanks.

 

Steve
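
A device-side check for the outcome discussed in this thread, added here as an example and not part of any post: it counts SNMP requests from the management server in a node's agent log before and after the communication settings were changed. It assumes the node runs net-snmp's snmpd with connection logging and ISO-8601 syslog timestamps; the addresses, host name and log lines are constructed.

```python
import re
from datetime import datetime

# Assumed log shape: ISO-8601 syslog timestamp, host, then net-snmp's
# "Connection from UDP: [src]:port->[dst]:port" message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ snmpd\[\d+\]: Connection from UDP: "
    r"\[(?P<src>[0-9.]+)\]:\d+->\[(?P<dst>[0-9.]+)\]:(?P<dport>\d+)"
)

def polls_from(log_lines, nms_ip, change_time):
    """Count SNMP requests (UDP 161) from nms_ip before/after change_time."""
    cutover = datetime.fromisoformat(change_time)
    before, after = [], []
    for line in log_lines:
        m = LINE_RE.match(line)
        # Skip unrelated log lines, other pollers and non-SNMP ports.
        if not m or m["src"] != nms_ip or m["dport"] != "161":
            continue
        ts = datetime.fromisoformat(m["ts"])
        (after if ts >= cutover else before).append(ts)
    seen = before + after
    return {
        "before": len(before),
        "after": len(after),
        "last_seen": max(seen).isoformat() if seen else None,
    }

# Constructed sample: 192.0.2.10 stands in for the management server,
# 192.0.2.77 for an unrelated poller, 192.0.2.50 for the sensitive node.
SAMPLE_LOG = [
    "2013-03-03T09:00:00+00:00 node7 snmpd[812]: NET-SNMP version 5.7.2",
    "2013-03-03T10:15:02+00:00 node7 snmpd[812]: Connection from UDP: [192.0.2.10]:40211->[192.0.2.50]:161",
    "2013-03-03T10:20:02+00:00 node7 snmpd[812]: Connection from UDP: [192.0.2.10]:40377->[192.0.2.50]:161",
    "2013-03-03T12:05:02+00:00 node7 snmpd[812]: Connection from UDP: [192.0.2.10]:41020->[192.0.2.50]:161",
    "2013-03-03T12:30:00+00:00 node7 snmpd[812]: Connection from UDP: [192.0.2.77]:50100->[192.0.2.50]:161",
]

if __name__ == "__main__":
    # A non-zero "after" count means the server is still querying the node.
    print(polls_from(SAMPLE_LOG, "192.0.2.10", "2013-03-03T12:00:00+00:00"))
```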
