SNMP Simple Network Management Protocol. SNMP and UDP Uses UDP as transport protocol Connectionless Connectionless Port 161 for sending and receiving.

SNMPSNMP

SSimple imple NNetwork etwork MManagement anagement PProtocolrotocol

SNMP and UDPSNMP and UDP

Uses UDP as transport protocolUses UDP as transport protocol ConnectionlessConnectionless Port 161 for sending and receiving requests Port 161 for sending and receiving requests

and answersand answers Port 162 for sending traps and alerts from Port 162 for sending traps and alerts from

managed devicesmanaged devices

SNMP Communities (1/2)SNMP Communities (1/2)

Used by SNMPv1 & SNMPv2Used by SNMPv1 & SNMPv2

Used to establish trust between manager Used to establish trust between manager and agentand agent

Three communitiesThree communities Read OnlyRead Only Read WriteRead Write TrapTrap

SNMP Communities (2/2)SNMP Communities (2/2)

Community stringsCommunity strings Essentially passwordsEssentially passwords DefaultsDefaults

Read Only = “public”Read Only = “public”

Read Write = “private”Read Write = “private” Should be changed before going liveShould be changed before going live Sent in clear text!Sent in clear text! How can security risk be limited?How can security risk be limited?

Structure of Management Structure of Management Information (1/17)Information (1/17)

SMI version 1SMI version 1 RFC 1155RFC 1155 Defines how managed objects are namedDefines how managed objects are named Defines managed objects data typesDefines managed objects data types

SMI version 2SMI version 2 RCFRCF Enhancements for SNMPv2Enhancements for SNMPv2

Structure of Management Structure of Management Information (2/17)Information (2/17)

Definition of managed objectsDefinition of managed objects Name or OIDName or OID

Uniquely identifies a managed objectUniquely identifies a managed object

Two formsTwo forms Human readableHuman readable NumericNumeric

Structure of Management Structure of Management Information (3/17)Information (3/17)

Definition of managed objects (cont.)Definition of managed objects (cont.) Type and SyntaxType and Syntax

Defined using a subset of Abstract Syntax Notation Defined using a subset of Abstract Syntax Notation One (ASN.1)One (ASN.1)

ASN.1ASN.1 Way of specifying how data is represented and Way of specifying how data is represented and

transmitted between managers and agentstransmitted between managers and agents Machine independentMachine independent

Structure of Management Structure of Management Information (4/17)Information (4/17)

Definition of managed objects (cont.)Definition of managed objects (cont.) EncodingEncoding

Single instance of a managed object is encoded Single instance of a managed object is encoded into a string of octets using Basic Encoding Rules into a string of octets using Basic Encoding Rules (BER)(BER)

BERBER Defines how objects are encoded and decodedDefines how objects are encoded and decoded

Structure of Management Structure of Management Information (5/17)Information (5/17)

Naming OIDsNaming OIDs Objects are organized in a treelike hierarchyObjects are organized in a treelike hierarchy OIDs are made up of a series of integers OIDs are made up of a series of integers

separated by periods (.)separated by periods (.) Human readable names translate the Human readable names translate the

numbers into textnumbers into text

Structure of Management Structure of Management Information (6/17)Information (6/17)

1.3.6.1.2.1.1.6.01.3.6.1.2.1.1.6.0 iso.org.dod.internet.mgmt.mib-iso.org.dod.internet.mgmt.mib-

2.system.sysLocation.02.system.sysLocation.0

org (3)

dod (6)

internet (1)

mgmt (2) experimental (3) private (4)directory (1)

mib-2 (1)

tcp (6)

udp (7)

egp (8)

cmot (9)

transmission (10)

snmp (11)

system (1)

interfaces (2)

addresstranslation

(3)

ip (4)

icmp (5)

...

SUN (42)

microsoft(311)

apple (63)

enterprise (1)

cisco (9)

IBM (2)

HP (11)

proteon (1)

Internet Activities Board (IAB) Administered Vendor Administered

wellfleet (18) unassigned (9118)

iso (1)

Naming OIDsNaming OIDs

Structure of Management Structure of Management Information (8/17)Information (8/17)

Structure of Management Structure of Management Information (9/17)Information (9/17)

Structure of Management Structure of Management Information (10/17)Information (10/17)

Defining OIDsDefining OIDs Syntax attribute provides for definition of Syntax attribute provides for definition of

managed objects through a subset of ASN.1managed objects through a subset of ASN.1 Datatypes define what kind of information a Datatypes define what kind of information a

managed object can holdmanaged object can hold Similar to datatypes used in programmingSimilar to datatypes used in programming

Structure of Management Structure of Management Information (11/17)Information (11/17)

SNMPv1 DatatypesSNMPv1 DatatypesInteger (32 bit)Integer (32 bit)

StringString

Counter (32 bit)Counter (32 bit)

OIDOID

NULL (not used)NULL (not used)

SequenceSequence

Sequence ofSequence of

IpAddressIpAddress

NetworkAddressNetworkAddress

GaugeGauge

TimeTicksTimeTicks

OpaqueOpaque

Structure of Management Structure of Management Information (12/17)Information (12/17)

MIB-1MIB-1

Structure of Management Structure of Management Information (13/17)Information (13/17)

Extensions to the SMI in V2Extensions to the SMI in V2 Integer32 – same as INTEGERInteger32 – same as INTEGER Counter32 – same as COUNTERCounter32 – same as COUNTER Gauge32 – same as GAUGEGauge32 – same as GAUGE Unsigned32 – decimal valueUnsigned32 – decimal value

0 to 20 to 23232 – 1, inclusive – 1, inclusive Counter64 – similar to Counter32Counter64 – similar to Counter32

Max value of Max value of 18,556,744,073,709,551,61518,556,744,073,709,551,615 BITS – An enumeration of non-negative bitsBITS – An enumeration of non-negative bits

Structure of Management Structure of Management Information (14/17)Information (14/17)

MIB-II MIB-II

Structure of Management Structure of Management Information (15/17)Information (15/17)

MIB-II (cont.)MIB-II (cont.) Currently, there are 108 subordinates or Currently, there are 108 subordinates or

object groups under MIB-2. object groups under MIB-2. These are the result of specific RFC’s for These are the result of specific RFC’s for

various protocols, etc.various protocols, etc.

Structure of Management Structure of Management Information (16/17)Information (16/17)

MIB-II (cont.)MIB-II (cont.)

Structure of Management Structure of Management Information (17/17)Information (17/17)

MIB-II (cont.)MIB-II (cont.) System (1.3.6.1.2.1.1) – Objects pertaining to system operationSystem (1.3.6.1.2.1.1) – Objects pertaining to system operation

Uptime, system contact, system nameUptime, system contact, system name interfaces (1.3.6.1.2.1.2) – interface informationinterfaces (1.3.6.1.2.1.2) – interface information at (1.3.6.1.2.1.3) – address translationat (1.3.6.1.2.1.3) – address translation ip (1.3.6.1.2.1.4) – ip information, including routingip (1.3.6.1.2.1.4) – ip information, including routing icmp (1.3.6.1.2.1.5) – icmp informationicmp (1.3.6.1.2.1.5) – icmp information tcp (1.3.6.1.2.1.6) – tcp information, including connection statetcp (1.3.6.1.2.1.6) – tcp information, including connection state udp (1.3.6.1.2.1.7) – udp statisticsudp (1.3.6.1.2.1.7) – udp statistics egp (1.3.6.1.2.1.8) – egp statistics, including neighbor tableegp (1.3.6.1.2.1.8) – egp statistics, including neighbor table transmission (1.3.6.1.2.1.10) – no objects defined (other sub-transmission (1.3.6.1.2.1.10) – no objects defined (other sub-

trees)trees) snmp (1.3.6.1.2.1.11) – performance of snmp implementationsnmp (1.3.6.1.2.1.11) – performance of snmp implementation

SNMP OperationsSNMP Operations

getget

getnextgetnext

getbulk (v2, v3)getbulk (v2, v3)

setset

getresponsegetresponse

traptrap

notification (v2, v3)notification (v2, v3)

inform (v2, v3)inform (v2, v3)

report (v2, v3)report (v2, v3)

Variable BindingVariable Binding A list of MIB objects that allows a request’s recipient A list of MIB objects that allows a request’s recipient

to see what the originator wants to knowto see what the originator wants to know OID = OID = valuevalue

SNMP Operations (2/15)SNMP Operations (2/15)

SNMP Operations (3/15)SNMP Operations (3/15)

GETGET Initiated by the NMSInitiated by the NMS NMS sends request to agentNMS sends request to agent Agent processes requestAgent processes request Agent sends getresponse back to NMSAgent sends getresponse back to NMS

snmpget cisco.ora.com public .1.3.6.1.2.1.1.6.0snmpget cisco.ora.com public .1.3.6.1.2.1.1.6.0

System.sysLocation.0 = “”System.sysLocation.0 = “”

SNMP Operations (4/15)SNMP Operations (4/15)

GETNEXTGETNEXT Lets you issue a sequence of commands to Lets you issue a sequence of commands to

retreive a group of values from a MIBretreive a group of values from a MIB For each MIB object, a separate GETNEXT For each MIB object, a separate GETNEXT

requests and GETRESPONSE are generatedrequests and GETRESPONSE are generated Traverses a subtree in lexicographic orderTraverses a subtree in lexicographic order

SNMP Operations (5/15)SNMP Operations (5/15)

snmpwalk cisco.ora.com public systemsnmpwalk cisco.ora.com public systemsystem.sysDescr.0 = “Cisco IOS Software, C2600 Software (C2600-system.sysDescr.0 = “Cisco IOS Software, C2600 Software (C2600-

IPBASE-M), Version 12.3(8)T3, RELEASE SOFTWARE (fc1) IPBASE-M), Version 12.3(8)T3, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2004 by Cisco Systems, Inc. Compiled Tue 20-Jul-04 17:03 by 1986-2004 by Cisco Systems, Inc. Compiled Tue 20-Jul-04 17:03 by eaarmas”eaarmas”

system.sysObjectID.0 = OID: enterprises.9.1.19system.sysObjectID.0 = OID: enterprises.9.1.19

system.sysUpTime.0 = Timeticks: (27210723) 3 days, 3:35:07.23system.sysUpTime.0 = Timeticks: (27210723) 3 days, 3:35:07.23

system.sysContact.0 = “”system.sysContact.0 = “”

system.sysName.0 = “cisco.ora.com”system.sysName.0 = “cisco.ora.com”

system.sysLocation.0 = “”system.sysLocation.0 = “”

system.sysServices.0 = 6system.sysServices.0 = 6

SNMP Operations (6/15)SNMP Operations (6/15)

GETBULKGETBULK Allows a NMS to retrieve a large section of a Allows a NMS to retrieve a large section of a

table at oncetable at once Tells agent to send back as much information Tells agent to send back as much information

as possible – incomplete responses possibleas possible – incomplete responses possible Two fields requiredTwo fields required

Nonrepeaters – tells command that first N objects Nonrepeaters – tells command that first N objects can be retreived with a simple getnext operationcan be retreived with a simple getnext operation

Max-repetitions – tells command to attempt up to Max-repetitions – tells command to attempt up to M getnext operations to retrieve remaining objectsM getnext operations to retrieve remaining objects

SNMP Operations (7/15)SNMP Operations (7/15)

Snmpbulkget –v2c public –Cn1 –Cr3 Snmpbulkget –v2c public –Cn1 –Cr3 linux.ora.com sysDescr ifInOctets linux.ora.com sysDescr ifInOctets ifOutOctetsifOutOctets

System.sysDescr.0 = “Linux snort 2.4.1-10 #1 Thu Sep 6 17:27:27 EDT System.sysDescr.0 = “Linux snort 2.4.1-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown”2001 i686 unknown”

Interfaces.ifTable.ifEntry.ifInOctets.1 = 70840Interfaces.ifTable.ifEntry.ifInOctets.1 = 70840

Interfaces.ifTable.ifEntry.ifOutOctets.1 = 70840Interfaces.ifTable.ifEntry.ifOutOctets.1 = 70840

Interfaces.ifTable.ifEntry.ifInOctets.2 = 143548020Interfaces.ifTable.ifEntry.ifInOctets.2 = 143548020

Interfaces.ifTable.ifEntry.ifOutOctets.2 = 111725152Interfaces.ifTable.ifEntry.ifOutOctets.2 = 111725152

Interfaces.ifTable.ifEntry.ifInOctets.3 = 0Interfaces.ifTable.ifEntry.ifInOctets.3 = 0

Interfaces.ifTable.ifEntry.ifOutOctets.3 = 0Interfaces.ifTable.ifEntry.ifOutOctets.3 = 0

SNMP Operations (8/15)SNMP Operations (8/15)

SETSET Change the value of a managed objectChange the value of a managed object Create a new row in a tableCreate a new row in a table

SNMP Operations (9/15)SNMP Operations (9/15)

snmpget cisco.ora.com public system.sysLocation.0snmpget cisco.ora.com public system.sysLocation.0

system.sysLocation.0 = “”system.sysLocation.0 = “”

snmpset cisco.ora.com private system.sysLocation.0 s snmpset cisco.ora.com private system.sysLocation.0 s “Atlanta, GA”“Atlanta, GA”

system.sysLocation.0 = “Atlanta, GA”system.sysLocation.0 = “Atlanta, GA”

snmpget cisco.ora.com public system.sysLocation.0snmpget cisco.ora.com public system.sysLocation.0

system.sysLocation.0 = “Atlanta, GA”system.sysLocation.0 = “Atlanta, GA”

*sysLocation is defined as a string in RFC 1213*sysLocation is defined as a string in RFC 1213

SNMP Operations (10/15)SNMP Operations (10/15)

Error ResponsesError Responses SNMPv1SNMPv1

noError(0)noError(0)

tooBig(1)tooBig(1)

noSuchName(2)noSuchName(2)

badValue(3)badValue(3)

readOnly(4)readOnly(4)

genErr(5)genErr(5)

SNMP Operations (11/15)SNMP Operations (11/15)

Error Responses Error Responses (cont.)(cont.) SNMPv2SNMPv2

noAccess(6)noAccess(6)

wrongType(7)wrongType(7)

wrongLength(8)wrongLength(8)

wrongEncoding(9)wrongEncoding(9)

wrongValue(10)wrongValue(10)

noCreation(11)noCreation(11)

resourceUnavailable(13)resourceUnavailable(13)

commitFailed(14)commitFailed(14)

undoFailed(15)undoFailed(15)

authorizationError(16)authorizationError(16)

notWritable(17)notWritable(17)

inconsistentName(18)inconsistentName(18)

SNMP Operations (12/15)SNMP Operations (12/15)

SNMP TrapsSNMP Traps A way for agents to tell the NMS that A way for agents to tell the NMS that

something bad has happenedsomething bad has happened Originate from agents & sent to Originate from agents & sent to

predetermined destination (NMS, log server, predetermined destination (NMS, log server, etc.)etc.)

Prone to getting lostProne to getting lost

SNMP Operations (13/15)SNMP Operations (13/15)

SNMP Traps (cont.)SNMP Traps (cont.) Seven generic trap numbersSeven generic trap numbers

coldStart (0)coldStart (0) An agent has rebooted or startedAn agent has rebooted or started

warmStart (1)warmStart (1) An agent has reinitialized An agent has reinitialized

linkDown (2)linkDown (2) An interface on the device has gone downAn interface on the device has gone down

linkUp (3)linkUp (3) An interface on the device has come upAn interface on the device has come up

SNMP Operations (14/15)SNMP Operations (14/15)

SNMP Traps (cont.)SNMP Traps (cont.) Seven generic trap numbers (cont.)Seven generic trap numbers (cont.)

authenticationFailure (4)authenticationFailure (4) Indicates that a wrong community string was used to try Indicates that a wrong community string was used to try

to access the agentto access the agent

egpNeighborLoss (5)egpNeighborLoss (5) An EGP neighbor has gone downAn EGP neighbor has gone down

enterpriseSpecific (6)enterpriseSpecific (6) General catchallGeneral catchall Enterprise specificEnterprise specific Defined under the Defined under the private-enterpriseprivate-enterprise branch of the SMI branch of the SMI

SNMP Operations (15/15)SNMP Operations (15/15)

SNMP InformSNMP Inform SNMPv2SNMPv2 Allows for acknowledged sending of trapsAllows for acknowledged sending of traps

SNMP reportSNMP report Defined in the draft for SNMPv2 but never Defined in the draft for SNMPv2 but never

implementedimplemented Now part of SNMPv3Now part of SNMPv3

SNMP MessagesSNMP Messages

SNMPv1 & SNMPv2 messagesSNMPv1 & SNMPv2 messages Consist of a header and PDUConsist of a header and PDU

Header consists of 2 fieldsHeader consists of 2 fieldsVersionVersion

Community nameCommunity name

Header PDU

SNMP PDU Formats (1/5)SNMP PDU Formats (1/5)

SNMPv1SNMPv1 Get, GetNext, Response, and SetGet, GetNext, Response, and Set

PDUtype

RequestID

ErrorStatus

ErrorIndex

Object 1Value 1

Object 2Value 2

Object nValue n

Variable Bindings

SNMP PDU Formats (2/5)SNMP PDU Formats (2/5)

SNMPv1 (cont.)SNMPv1 (cont.) TrapTrap

EnterpriseAgent

Address

GenericTrapType

SpecificTrapCode

TimeStamp

Object 1Value 1

Object 2Value 2

Object nValue n

Variable Bindings

SNMP PDU Formats (3/5)SNMP PDU Formats (3/5)

SNMPv2SNMPv2 Get, GetNext, Inform, Response, Set, & TrapGet, GetNext, Inform, Response, Set, & Trap

PDUType

RequestID

ErrorStatus

ErrorIndex

Object 1Value 1

Object 2Value 2

Object nValue n

Variable Bindings

SNMP PDU Formats (4/5)SNMP PDU Formats (4/5)

SNMPv2SNMPv2 GetBulkGetBulk

PDUType

RequestID

Non-Repeaters

Max-Repetitions

Object 1Value 1

Object 2Value 2

Object nValue n

Variable Bindings

SNMP PDU Formats (5/5)SNMP PDU Formats (5/5)

Host ManagementHost Management

Host Resources MIBHost Resources MIB 1.3.6.1.2.1.251.3.6.1.2.1.25 Defines a basic framework for managing hostsDefines a basic framework for managing hosts

hrSystem (1)hrSystem (1) Uptime, system date, system users, system processesUptime, system date, system users, system processes

hrStorage (2) & hrDevice (3)hrStorage (2) & hrDevice (3) Objects pertaining to system storage and system utilizationObjects pertaining to system storage and system utilization

hrSWRun (4), hrSWRunPerf (5), & hrSWInstalled (6) hrSWRun (4), hrSWRunPerf (5), & hrSWInstalled (6) Objects pertaining to OS and software running or installedObjects pertaining to OS and software running or installed

Vendor specific MIBs are defined to provide Vendor specific MIBs are defined to provide more detailed information about their hostsmore detailed information about their hosts

Remote Monitoring (1/4)Remote Monitoring (1/4)

RMON MIBRMON MIB 1.3.6.1.2.1.161.3.6.1.2.1.16

statisticsstatisticshistoryhistoryalarmalarmhostshostshostTopNhostTopNmatrixmatrixfilterfiltercapturecaptureeventevent

Remote Monitoring (2/4)Remote Monitoring (2/4)

Statistics (1.3.6.1.2.1.16.1)Statistics (1.3.6.1.2.1.16.1) Statistics about all interfaces being monitoredStatistics about all interfaces being monitored

History (1.3.6.1.2.1.16.2)History (1.3.6.1.2.1.16.2) Periodic statistical samples from the statistics Periodic statistical samples from the statistics

groupgroup

Alarm (1.3.6.1.2.1.16.3)Alarm (1.3.6.1.2.1.16.3) Configure polling interval and threshold for Configure polling interval and threshold for

RMON objectsRMON objects

Remote Monitoring (3/4)Remote Monitoring (3/4)

Hosts (1.3.6.1.2.1.16.4)Hosts (1.3.6.1.2.1.16.4) Records traffic stats for each host on the Records traffic stats for each host on the

networknetwork

hostTopN (1.3.6.1.2.1.16.5)hostTopN (1.3.6.1.2.1.16.5) Used to generate reports on hosts that top a Used to generate reports on hosts that top a

list ordered by a parameter in the host tablelist ordered by a parameter in the host table

Matrix (1.3.6.1.2.1.16.6)Matrix (1.3.6.1.2.1.16.6) Error and utilization information for sets of two Error and utilization information for sets of two

addressesaddresses

Remote Monitoring (4/4)Remote Monitoring (4/4)

Filter (1.3.6.1.2.1.16.7)Filter (1.3.6.1.2.1.16.7) Matches packets based on a filter equationMatches packets based on a filter equation When packet meets filter, an event may be When packet meets filter, an event may be

triggeredtriggered

Capture (1.3.6.1.2.16.8)Capture (1.3.6.1.2.16.8) Allows packets to be captured if they meet a Allows packets to be captured if they meet a

filter in the filter groupfilter in the filter group

Event (1.3.6.1.2.16.9)Event (1.3.6.1.2.16.9) Controls the definition of RMON eventsControls the definition of RMON events