Category: Monitoring

What is SNMP?


The Simple Network Management Protocol (SNMP) made simple.

All administrators and engineers should have a basic understanding of SNMP.  Not knowing what SNMP can do for you is like not understanding the fuel gauge on your car. I’m driving and my car seems to be running fine. Why am I stopping? My car is not moving.  What does that E on that funny gauge mean?

First, let’s talk about this handy little protocol. SNMP (Simple Network Management Protocol) allows systems management tools to collect information from network devices, servers, printers and other devices on an IP network. It is the most widely used management protocol today. Almost all systems management software uses SNMP to allow administrators to remotely monitor the performance of their network devices.  For the purpose of this article, routers, switches, servers, power distribution units (PDU, a fancy word for a power strip), KVMs and any other device that is SNMP capable will be referred to as a network device. SNMP was developed in 1988 and the RFC was published in 1990. SNMP functions at the Application Layer (Layer 7) of the OSI model. This is the same layer where other popular protocols such as SMTP, FTP, Telnet, SSH, IMAP and POP function.  I find that some Network Admins and Engineers are surprised by this fact. The communication method is port to port. SNMP listens on port 161. Port 162 is used for the TRAP service.

The SNMP communications process consists of a Manager and an Agent.  The Manager is an application running on a PC, Server or appliance that initiates the SNMP request to the managed network device. One of the most popular and exceptional Managers is SolarWinds Network Performance Monitor (NPM).  There are many others.

The Agent receives the request from the Manager and responds back to the port from which the Manager initiated the request.  Pretty simple.


Below is a Wireshark packet capture of the SNMP traffic between the Manager and the managed network device.  As you can see, the request was initiated from port 62288 on the Manager to port 161 on the managed network device.  I’ve found that a good number of administrators and engineers think that SNMP traffic originates on port 161 of the Manager. This is incorrect. The Manager sends the GET request from a random high port to port 161 on the managed network device.

  • Traffic from the Manager to the network device.


  • The response from the managed network device to the Manager.


There are only three actions that SNMP employs.  Five if you want to include the two additional versions of GET.

GET – This request is the most common action.  The Manager asks the target device for information.

  • GetNext – This action is used with SNMP-Walk type programs. It just gets the next variable.
  • GetBulk – This action returns information using multiple GetNext requests.

SET – I don’t want to get ahead of myself but I must state the dangers of using SET. Don’t use this action for SNMP version 1 or 2. These versions are not secure.  The community string is sent in clear text and can be easily intercepted using a protocol sniffer.  See the Wireshark traffic above.  I have the community string blacked out in the capture. SET will change network device configurations.  For this action to work, the SNMP Agent running on the device will need a Read/Write (RW) community string.  Again, do not set a RW community string on any device using SNMP v1 or v2. It can be used with SNMP v3 but I would still recommend against using it at all.  Use SSH or some other secure method to make changes to your network devices. And it goes without saying: do not allow SNMP access through a Public (Internet) facing interface.

Trap – This is an action performed by SNMP on the device. The Manager listens on port 162 for traps.

Now let’s talk about SNMP versions.  SNMP version 1 and 2 are nearly the same. There were improvements from 1 to 2 and small changes to version 2c. Many network devices use version 2c. I do not want to get too far in the weeds. If you want the details of each version upgrade, review the RFCs.   Version 1 and 2 are the easiest to configure.  There is nothing wrong with using version 2 if that is the only version your device supports. Version 3 is recommended if your network device supports this version.  At first you may think version 3 is too complicated to configure but it becomes easier once you have done it a couple of times on different devices. The security features provided by SNMP v3 are as follows:

  • Message integrity – Ensuring that a packet has not been tampered with in transit.
  • Authentication – Determining that the message is from a valid source.
  • Encryption – Scrambling the contents of a packet.

To simplify SNMP v3 remember these steps. I purposely left out the version 3 configuration commands. You need to research the commands needed to configure your particular network device.  Be sure and get some type of SNMP troubleshooting tool with detailed diagnostics capability to check SNMP connectivity to the managed network device.  You can make changes with the CLI or modify snmp.conf files till the cows come home but if the SNMP service is not available to the Manager, then the cows will never come home.

  • Create an access list to limit SNMP requests from authorized Management Servers.
  • Set the location and point of contact information.
  • Create a “View”. This command determines what variables the SNMP Manager can query. Do not restrict access to the MIB tree. I’ve found that this level of restriction is hardly ever justified.  Include from MIB tree ISO down.
  • Create a Group that is authorized to use this view.
  • Create a user and add to this group.

Windows has not caught up with other network device manufacturers. Microsoft does not support SNMP version 3.  More than likely, this is due to Microsoft wanting you to use its WMI protocol.  I’ll address WMI in another article.

You have probably heard the term MIB or OID tossed around when engineers are discussing SNMP.

MIB stands for Management Information Base and is a collection of information organized hierarchically. You can compare a MIB to a DNS server.

OIDs, or Object Identifiers, uniquely identify managed objects in a MIB hierarchy. This is depicted as a tree. The levels in the tree are assigned by different organizations. Top-level MIB OIDs belong to different standards organizations. Vendors define private branches. This is where they set their own unique objects for their products; however, they do use the top-level OIDs when possible. Why recreate a CPU performance variable OID when one already exists at the top level?  But a printer manufacturer may want an OID variable to indicate ink levels in a color printer for their own management software.  This variable OID is published by the printer manufacturer and you can use it to build custom SNMP graphs or alerts. Just remember this: a Management device looks up the OID in the MIB and uses the OID to query the target device for a variable.  It’s that simple.

SolarWinds publishes updates to their MIB monthly. The most critical part of any Manager is the number of standard and proprietary MIBs it supports. Without the correct MIBs, the data collected from a remote device is difficult to interpret and use. SolarWinds MIB Browser is shipped with over 250,000 precompiled unique OIDs from hundreds of standard and vendor MIBs – the largest collection in the industry. SolarWinds engineers continually update the MIB database with the latest MIBs.

This is a screenshot of the MIB tree using SolarWinds MIB Browser.  I simply pointed it at a Cisco device and the tool connected with the Read Only (RO) community string.  Now all I need to do is expand the tree down to the branch that interests me.  Issue a GET command and the device returns the variable I requested.  In this case I issued a few GETNext commands. Following the tree in the left pane we see that Cisco is using the standard OID for the six variables in the right pane. The lower left pane displays information about the OID. The OID for System Up Time is 1.3.6.1.2.1.1.3.


As I mentioned before, vendors create and publish their own MIBs.  The SolarWinds MIB has incorporated more than 1000 Cisco specific MIBs.


This concludes our computer-side chat about SNMP.  SNMP can help you manage your network no matter how big or small. Remember these points.

  • Use SNMP version 3 whenever possible.
  • The Manager does not initiate the SNMP request from port 161.
  • An MIB is a database used to manage network devices. It contains OIDs.
  • Check for additional vendor MIBs.
  • Stay away from network management tools that use the SET command but do not support SNMP version 3.

Article References:

Cisco MIB/OID on-line application.

SolarWinds MIB Browser tool

SNMP RFC 1157

 


Want to spruce up your SolarWinds Network Atlas Maps?

SolarWinds includes an application called Network Atlas. This application creates maps for use with Network Performance Monitor (NPM) and Enterprise Operations Console (EOC). This tool creates maps that are stored inside the SolarWinds database. They are not files stored on the hard drive. All configuration data is stored in the database.  This allows you to recover the SolarWinds installation by just restoring the database but I’ll save that for another post.

Back to Maps. The graphics included in Network Atlas are not bad. You can create a decent looking map using the built-in graphics. However, if you want to use vendor specific graphics or your own graphics they must be imported.  I’m not referring to the background image function provided by Network Atlas.  Background images cannot be connected to objects in the SolarWinds database. They simply provide something other than a plain white background.

Changing the graphics that represent database objects is an easy way to develop maps that relate to your environment and just plain look good. Let’s face it, if you build a map with nothing but round LEDs that represent objects, it would not be very useful or interesting to the end user. You need to convey to the user how and why the service they are monitoring is important.  A good way to do this is to use graphics that represent your environment.

There are two ways to get custom graphics into the database. You can use the copy and paste method or create multiple images with different color backgrounds to represent different operational states. I prefer the copy and paste method. Visio has some great looking graphics that can represent objects in the database. Nearly every major IT manufacturer and application developer provides free Visio stencils.  Just search for “Visio Stencils” with your favorite search engine. So, the first thing you do is find an interesting graphic. I’ll use a Dell Server 910 graphic I imported from a set of Dell stencils.  Simply right-click on the stencil and choose “copy”.


Switch to Network Atlas, right-click on the map and click “Paste”.  An input box will appear and give you two choices: “Paste the image from the Clipboard as a new object” or “Use the image from the Clipboard as a new map background”. Choose “Paste the image from the Clipboard as a new object”, enter a name for the new image and click “OK”.


The new graphic is now part of the map and has been placed in C:\Users\<logged on User>\AppData\Roaming\SolarWinds\NetworkAtlas\Maps\Orion\localhost\NetObjects\Imported. Once it is added to a map, it becomes part of the database and is available to all users that view the map with the SolarWinds Web interface. To delete the graphic from the database simply delete it from the location specified above.

The next step is to apply an object indicator style and add the graphic.  I am kinda partial to the “Pad Underneath” style.


After selecting the style, click the “Select Graphic” and choose the graphic you just imported to augment the style.


Now your object indicator shows the imported graphic.

Not only can you now use the object graphic to represent an object in SolarWinds, you can drop other indicators on the image and use it like a background.

SNMP version 3 configuration for Cisco router or switch

SNMP v1 and v2 are not really worthy of a post. You can configure v1 or v2 with one command, and they are not secure.

There are only a few commands required to configure SNMP v3. It’s not that difficult but, as with everything Cisco, it’s sometimes difficult for non-CCIEs to read their documentation.

Connect to your router with your favorite SSH client. I think nearly everyone uses PuTTY. Log in and make your way to the enable prompt. The first thing I would do is check for existing snmp-server lines in the current config file. Someone may have already tried to configure your router.

The following command displays any line in the config file that contains snmp and should result in no output. If it does produce output, you may want to clean up your router before getting started.

Router#show run | include snmp

You also need to check for any SNMP v3 users or groups that may have been created. These commands should produce no output.

Router#show snmp user
Router#show snmp group

OK. Let’s get started. First let’s limit SNMP queries to one particular IP. In my previous post concerning SNMP, this would be the Manager. Make your way to the config prompt and create an access list that matches your network.

Example:
Router(config)#access-list 10 permit (IP of your Manager) log

Next we need to add point of contact information.

Example:
Router(config)#snmp-server contact Google Glasses Jr.
Router(config)#snmp-server location Secret Floating Google Datacenter
Router(config)#snmp-server chassis-id (serial number)

You do not need to create what is called a VIEW. A VIEW is simply a way to limit what MIB trees the SNMP user account can access. By default the top level down is included. Let’s move on to creating a Group.

Example: We are creating a group called npm that uses authpriv, and users in this group must make requests from IPs listed in access list 10.

Router(config)#snmp-server group npm v3 priv access 10

Now let’s create a user.

Example: We are creating a user called orion, adding him/her to the npm group, setting SHA authentication, and AES128 encryption.

Router(config)#snmp-server user orion npm v3 auth sha (password) priv aes 128 (password)

And that’s it. It’s not difficult. Here is the output of the above actions:


Happy monitoring.
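
A way to automate the "check for existing snmp-server lines" step and confirm the result matches the setup above, written in Python. This is an added example, not part of the original post: the sample config is constructed, the community strings and the group named legacy are made up, and the finding names are this example's own labels.

```python
# Constructed `show run | include snmp` output: leftover v2c communities
# next to the npm group from this post. All other names are made up.
SAMPLE_CONFIG = """\
snmp-server community example-rw RW
snmp-server community example-ro RO 10
snmp-server group npm v3 priv access 10
snmp-server group legacy v3 noauth
snmp-server location Example Datacenter
"""

def audit_snmp(config):
    """Return (finding, config line) pairs for weak snmp-server settings."""
    findings = []
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["snmp-server", "community"] and len(words) > 2:
            opts = [w.lower() for w in words[3:]]
            findings.append(("CLEARTEXT_COMMUNITY", line))    # any v1/v2c community
            if "rw" in opts:
                findings.append(("RW_COMMUNITY", line))       # SET is possible
            if "view" in opts:                                # drop "view <name>"
                i = opts.index("view")
                del opts[i:i + 2]
            if not [o for o in opts if o not in ("ro", "rw")]:
                findings.append(("NO_ACL", line))             # nothing left = no ACL
        elif words[:2] == ["snmp-server", "group"] and len(words) > 3:
            model, level = words[3].lower(), "".join(words[4:5]).lower()
            if model != "v3":
                findings.append(("LEGACY_GROUP", line))       # v1 or v2c group
            elif level != "priv":
                findings.append(("V3_NO_PRIV", line))         # auth or noauth only
            if "access" not in words[4:]:
                findings.append(("NO_ACL", line))             # group not tied to an ACL
    return findings

if __name__ == "__main__":
    for finding, line in audit_snmp(SAMPLE_CONFIG):
        print(f"{finding:20} {line}")
```

The group line from this post (snmp-server group npm v3 priv access 10) produces no findings; the leftover community lines and the noauth group are flagged.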