Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is used as the transport protocol for network management. Network management consists of network management stations communicating with network elements such as hosts, routers, servers, or printers. The agent is the software on the network element (host, router, printer) that runs the network management software. Therefore when the word agent is used it is referring to the network element. The agent will store information in a management information base (MIB). Management software will poll the various network devices and get the information stored in them. RFC 1155, 1157, and 1213 define SNMP with RFC 1157 defining the protocol itself. The manager uses UDP port 61 to send requests to the agent and the agent uses UDP port 62 to send replies or messages to the manager. The manager can ask for data from the agent or set variable values in the agent. Agents can reply and report events.
There are three supporting pieces to TCP/IP network management:
- Management Information BASE (MIB) specifies variables the network elements maintain.
- A set of common structures and a way to reference the variables in the database.
- The protocol used to communicate between the manager and the network element agent which is SNMP.
SNMP collects information two ways:
- The devices on the network are polled by management stations.
- Devices send alerts to SNMP management stations. The public community may be added to the alert list so all management stations will receive the alert.
SNMP must be installed on the devices to do this. SNMP terms:
- Baseline - A report outlining the state of the network.
- Trap - An alert that is sent to a management station by agents.
- Agent - A program at devices that can be set to watch for some event and send a trap message to a management station if the event occurs.
The network manager can set the threshold of the monitored event that will trigger the sending of the trap message. SNMP enables counters for monitoring the performance of the network used in conjunction with Performance Monitor.
An SNMP community is the group that devices and management stations running SNMP belong to. It helps define where information is sent. The community name is used to identify the group. A SNMP device or agent may belong to more than one SNMP community. It will not respond to requests from management stations that do not belong to one of its communities. SNMP default communities are:
- Write = private
- Read = public
SNMP should be protected from the internet with a firewall. Beyond the SNMP community structure, there is one trap that adds some security to SNMP.
- Send Authentication Trap - When a device receives an authentication that fails, a trap is sent to a management station.
Other configuration parameters that affect security are:
- Accepted Community Names - Only requests from computers in the list of community names will be accepted.
- Accept SNMP Packets from Any Host - This is checked by default. Setting specific hosts will increase security.
- Only Accept SNMP Packets from These Hosts - Only requests from hosts on the list of IP addresses are accepted. Use IP, or IPX address or host name to identify the host.
SNMP Message Types
There are five types of messages exchanged in SNMP. They are referred to by Protocol Data Unit (PDU) type.
|0||get-request||Get one or more variables .(manager to element)|
|1||get-next-request||Get next variable after one or more specified variables. (manager to element)|
|2||set-request||Set one or more variables. (manager to element)|
|3||get-response||Return value of one or More variables. (element to manager)|
|4||trap||Notify manager of an event. (element to manager)|
The SNMP message with PDU type 0-3 consists of:
- Version of SNMP
- Community - A clear text password character string
- PDU type
- Request ID - Used to associate the request with the response. For PDU 0-2, it is set by the manager.
- error status - An integer sent by the agent to identify an error condition
|1||too big||Reply does not fit into one message|
|2||no such name||The variable specified does not exist|
|3||bad value||Invalid value specified in a set request.|
|4||read only||The variable to be changed is read only.|
|5||general error||General error|
- error index - Specifies which variable was in error when an error occurred. It is an integer offset.
- name - The name of the variable (being set or read).
- value - The value of the variable (being set or read)
- any other names and values to get/set
The SNMP message with PDU type 4 (trap) consists of:
- PDU type
- Enterprise - The agents OBJECT IDENTIFIER or system objects ID. Falls under a node in the MIB tree.
- agent addr - The IP address of the agent.
- Trap type - Identifies the type of event being reported.
|0||cold start||Agent is booting|
|1||warm start||Agent is rebooting|
|2||link down||An interface has gone down|
|3||link up||An interface has come up|
|4||authentification failure||An invalid community (password) was received in a message.|
|5||egp neighbor loss||An EGP peer has gone down.|
|6||enterprise specific||Look in the enterprise code for information on the trap|
- Specific code - Must be 0.
- Time stamp - The time in 1/100ths of seconds since the agent initialized.
- Any other names and values
Types of data used:
- INTEGER - Some have minimum and maximum values.
- OCTET STRING - The number of bytes in the string is before the string.
- DISPLAY STRING - Each byte must be an ASCII value
- OBJECT IDENTIFIER - Specifies a data type allocated by an organization with responsibility for a group of identifiers. A sequence of integers separated by decimals which follow a tree structure.
- NULL - Used as the value of all variables in a get request.
- IpAddress - A 4 byte long OCTET STRING. One byte for each byte of the IP address.
- PhysAddress - A 6 byte octet string specifying an ethernet or hardware address.
- Counter - A 32 bit unsigned integer
- GaugeAn unsigned 32 bit integer with a value that can increase or decrease but wont fall below a minimum or exceed a maximum.
- TimeTicks - Time counter. Counts in 1/100 of seconds.
- SEQUENCE - Similar to a programming structure with entries of type IPAddress called udpLocalAddress and type INTEGER called udpLocalPort.
- SEQUENCE OF - An array with elements with one type.
The MIB data structure RFC 1213
In the above list the data type "OBJECT IDENTIFIER" is listed as a part of the management information database. These object identifiers are referenced very similar to a DNS tree with a directory at the top called root. Each node in the tree is given a text name and is also referenced numerically similar to IP addresses. There are multiple levels in the tree with the bottom level being variables, and the next one up is called group. The packets sent in SNMP use numeric identifiers rather than text. All identifiers begin with iso(1).org(3).dod(6).internet(1).mgmt(2).mib(1). Numerically, that is 22.214.171.124.2.1. In text it is "iso.org.dod.internet.mgmt.mib". Under mib are the following groups. The information in these groups is not complete and you should refer to the RFC for full information.
- sysDesc (DisplayString) - Description of entity
- sysObjectID (ObjectID) - Vendors ID in the subtree (126.96.36.199.4.1.
- sysUPTime (Timer) - Time the system has been up
- sysContact (DisplayString) - Name of contact person
- sysName (DisplayString) - Domain name of the element such as mymachine.mycompany.com
- sysLocation (DisplayString) - Physical location of the element.
- sysServices 0x1-physical, 0x02-datalink, 0x04-internet, 0x08 end to end, 0x40-application. If the bit is set the service is provided
- ifNumber (INTEGER) - Number of network interfaces
- ifTable (table)
- ifDescr - Description of interface
- ifType - 6=ethernet, 7=802.3 ethernet, 9=802.5 token ring, 23 = PPP, 28=SLIP
- ifSpeed - Bits/second
- ifAdminStatus - Desired state of interface 1=up, 2=down, 3=testing
- ifOperStatus - Current state of interface 1=up, 2=down, 3=testing
- ifInOctets - Total bytes received
- at - Address translation group
- atIfIndex (INTEGER) - Interface number
- atPhysAddress (PhyAddress)
- atNetAddress (NetworkAddress) - IP address
- ipDefaultTTL (INTEGER)
- ipInReceives (counter)
- ipInHdrErrors (counter)
- ipInAddrErrors (counter)
- ipForwDatagrams (counter)
- ipInUnknownProtos (counter)
- ipInDiscards (counter)
- ipInDelivers (counter)
- ipOutRequests (counter)
- ipOutDiscards (counter)
- ipOutNoRoutes (INTEGER)
- ipReasmTimeout (counter)
- ipReasmReqds (counter) - Number of IP fragments received that need to be reassembled.
- ipReasmOKs (counter)
- ipReasmFails (counter)
- ipFragOKs (counter)
- ipFragFails (counter)
- ipFragCreates (counter)
- ipRoutingDiscards (counter)
- ipAddrTable (table)
- ipAddrEntry (index)
- udpInDatagrams (counter) - UDP datagrams delivered to user processes.
- udpNoPorts (counter) - UDP datagrams which were not received at the port since there was no application to receive it.
- udpInErrors (counter) - Number of UDP datagrams not delivered for reasons other than no applications available to receive them.
- udpOutDatagrams (counter) - Number of UDP datagrams sent.
- udpTable (table)
- udpEntry - Specifies the table entry number
The ordering of data in the MIB is numeric. When the getnext function is used it gets the next data based on the numeric ordering.