SNMP is great for getting information out of a Cisco device, but is not very useful for controlling the device. (Although, technically, you can push a new config to a Cisco IOS device using a combination of SNMP and TFTP. But sending a whole new config is a pretty blunt instrument for controlling your router or switch.)
One of the other commenters mentioned the Cisco IOS XR XML API. It's important to note that the IOS XR XML API is only available on devices that run IOS XR. IOS XR is only used on a few of Cisco's high-end carrier-class devices, so for 99% of all Cisco routers and switches the IOS XR XML API is not an option.
Other possibilities are SSH or HTTP (many Cisco routers, switches, AP, etc. have an optional web interface). But I'd recommend against either of those. To my knowledge, the web interface isn't very consistent across devices, and a rather surprising number of Cisco devices don't support SSH, or at least don't support it in the base license.
Telnet is really the only way to go, unless you're only targeting a small range of device models. To give you something to compare against, Cisco's own CiscoWorks network management software uses Telnet to connect to managed devices.
I wouldn't use SNMP; instead look at a little language called 'expect'. It makes for a very nice expect/response processor for these routers.
I have done a reasonable amount of real world SNMP programming with Cisco switches and find Python on top of Net-SNMP to be quite reasonable. Here is an example, via Google books, of uploading a new Cisco configuration via Net-SNMP and Python: Cisco Switch Upload via Net-SNMP and Python. I should disclose I was the co-author of the book referenced in the link.
Everyone's mileage may vary, but I personally do not like using expect, and prefer to use SNMP because it was actually designed to be a "Simple Network Management Protocol". In a pinch, expect is OK, but it would not be my first choice. One of the reasons some companies use expect is that a developer just gets used to using expect. I wouldn't necessarily chalk up bypassing SNMP just because there is an example of someone automating telnet or ssh. Try it out for yourself first.
There can be some truly horrible things that happen with expect, that may not be obvious as well. Because expect waits for input, under the right conditions there can be very subtle problems that are difficult to debug. This doesn't mean a very experienced developer can't develop reliable code with expect, but it is something to be aware of as well.
One of the other things you may want to look at is an example of using the multiprocessing module to write non-blocking SNMP code. Because this is my first post to Stack Overflow I cannot post more than one link, but if you google for it you can find it, or another one on using IPython and Net-SNMP.
One thing to keep in mind when writing SNMP code is that it involves reading a lot of documentation and doing trial and error. In the case of Cisco, the documentation is quite good though.
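An added illustration of the "expect waits for input" failure mode described in the answer above (not code from the thread or the referenced book): a deadline-bound expect loop run against a constructed fake device that pauses at the IOS `--More--` pager. The pager case, the `Router#` prompt and all function names are assumptions chosen for the example.

```python
import socket
import threading
import time

PROMPT = b"Router#"   # constructed prompt of the simulated device
PAGER = b"--More--"   # IOS pager marker shown when output exceeds one screen

def expect(sock, patterns, timeout=1.0):
    """Read until any pattern appears; fail loudly instead of blocking forever."""
    deadline = time.monotonic() + timeout
    buf = b""
    while not any(p in buf for p in patterns):
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError(f"no expected prompt; device last sent {buf[-20:]!r}")
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            continue                      # loop re-checks the deadline and raises
        if not chunk:
            raise ConnectionError("session closed by device")
        buf += chunk
    return buf

def run_command(sock, command, handle_pager=True):
    sock.sendall(command + b"\n")
    output = b""
    while True:
        buf = expect(sock, [PAGER, PROMPT] if handle_pager else [PROMPT])
        output += buf
        if PROMPT in buf:
            return output.replace(PAGER, b"").replace(PROMPT, b"")
        sock.sendall(b" ")                # pager waits for a key press

def fake_device(sock):
    """Constructed stand-in for a router whose reply is longer than one screen."""
    try:
        sock.recv(1024)                   # the command
        sock.sendall(b"Vlan10 up\r\nVlan20 up\r\n --More-- ")
        sock.recv(1024)                   # blocks until a key is pressed
        sock.sendall(b"\r\nVlan30 down\r\n" + PROMPT)
    except OSError:
        pass

def open_session():
    client, device = socket.socketpair()
    threading.Thread(target=fake_device, args=(device,), daemon=True).start()
    return client
```

A script that waits only for the prompt stalls at the pager; with the deadline, that stall surfaces as a `TimeoutError` carrying the last bytes the device sent.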
SNMP isn't bad but it may not be able to do everything you need it to do. Depending on the library you use and how it hides the details of interacting with SNMP you may have a hard time finding the correct parts of the MIB to change and even knowing what or how to change them to do what you want.
One reason not to use SNMP is that you can do all the configuration you need using the IOS XR XML API. It could be a lot easier to bundle up the commands you want to send to the devices using that than to interact with SNMP.
I've found SNMP to be a pain for management. If you just need to grab a little data it's great; if you need to change things or use it heavily it can be very time consuming. In my case I'm comfortable with the CLI so a Telnet approach works well. I've written some Python scripts to perform administrative tasks on various pieces of network gear using Telnetlib.
SNMP has quite a significant CPU hit on the devices in question compared to telnet; I'd recommend telnet wherever possible. (As stated in a previous answer, the IOS XR XML API would be nice, but as far as I know IOS XR is only deployed on high-end carrier grade routers).
In terms of existing configuration management systems, two commercial players are HP Opsware, and EMC Voyence. Both will probably do what you need. I'm not aware of many open source solutions that actually support deploying changes. (RANCID, for example, only does configuration monitoring, not pre-staging and deploying config changes).
If you are going to roll your own solution, one thing I would recommend is sitting down with your network admin and coming up with a best-practice deployment model for the service he's providing (e.g. standardised ACL, QoS queue, and VLAN names; similar entries in ACLs that have the same function for different customers, etc.). Ensure that all the existing deployed config complies with this BP before you start your design; it will make the problem much more manageable. Best of luck.
Sidenote: before you reinvent the wheel writing another service provisioning system/network management system, try looking for existing ones. I know quite a lot of commercial solutions of various degrees of flexibility/functionality, but I am sure there are quite a lot of open source ones.
Cisco has included menu options for helpdesk applications. Basically you telnet to the box and it presents a nice clean menu (press 1, 2, 3). For more info check this link:
http://www.cisco.com/en/US/docs/ios/12_2/configfun/command/reference/frf001.html#wp1050026
Another vote for expect.
Also, you don't want to allow configuration of your firewalls via either telnet or SNMP - ssh is the only way to go. The reason is that ssh encrypts its payload, and will not expose the privileged management credentials to potential interception.
If for some reason you cannot use ssh directly, consider connecting up an ssh-enabled serial console server to the firewall's console port and configuring it that way.
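One way to check a device for the cleartext management paths this answer warns about, as an added example that is not part of the original thread: a small auditor for IOS-style config text. The sample config and the `audit_management_plane` name are constructed; the check also covers plain HTTP and vty lines with no explicit transport setting, which goes slightly beyond the answer.

```python
import re

# Constructed IOS-style running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-fw1
ip http server
ip http secure-server
snmp-server community public RO
snmp-server community s3cr3t RW
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
line vty 16 31
"""

def audit_management_plane(config):
    """Return (line_number, finding) for each cleartext configuration path."""
    findings = []
    vty = None  # [line_number, header, saw_transport_input] of the open vty block

    def close_vty():
        if vty and not vty[2]:
            findings.append((vty[0], f"{vty[1]}: no 'transport input'; the default "
                             "depends on the release, set it to ssh explicitly"))

    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # a top-level statement ends any open block
            close_vty()
            vty = [n, line, False] if line.startswith("line vty") else None
        if re.match(r"snmp-server community \S+ .*\bRW\b", line, re.I):
            findings.append((n, "SNMP v1/v2c write community: sent in cleartext"))
        elif line == "ip http server":
            findings.append((n, "web management over plain HTTP"))
        elif vty and line.startswith("transport input"):
            vty[2] = True
            if {"telnet", "all"} & set(line.split()[2:]):
                findings.append((n, f"{vty[1]}: Telnet accepted, logins are cleartext"))
    close_vty()
    return findings
```

On the sample, the auditor reports lines 2, 5, 7 and 10; a config that allows only ssh on its vty lines and has no RW community or plain HTTP server produces no findings.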