SNMP – N10-008 CompTIA Network+ : 3.1

The Simple Network Management Protocol is the foundation for network monitoring. In this video, you’ll learn about SNMP, common MIBs, and SNMP traps.

SNMP stands for the Simple Network Management Protocol. SNMP consists of a centralized database of information contained within our infrastructure devices. We refer to this database of data as a MIB, or a Management Information Base. Inside of the database are a series of statistics that we can gather from these devices. We call these object identifiers, or OIDs. For example, we might have a management workstation that is sending one of these OID requests.

This one is specifically how many bytes have gone into a particular interface on a router. The router interprets that request, compiles that information from the Management Information Base, and sends that particular metric back to the management station. There are a few different versions of SNMP that you may run into. The very first version was SNMPv1. This used these Management Information Base structure tables but sent all of this information across the network without any type of encryption or protection.

Everything was in the clear. And if you were capturing this data with the protocol analyzer, you would be able to see all the queries and all the responses. An updated version of SNMP was created, SNMPv2. This allowed for some new types of data sources on the remote device and allowed us to query multiple OIDs at the same time and receive all of those responses in one single packet. Unfortunately, SNMPv2 did not include any type of protections either, and everything was sent in the clear, just like SNMPv1.

Networks that are concerned about security are probably running SNMPv3. This includes extensive protections of the data, including a message integrity check, authentication, and encryption of the data across the network. To be able to retrieve those metrics from that remote device, we need to know what to ask for. And the information that we’re asking for is called an object identifier, or an OID. These OIDs are series’ of numbers. You can see an example of an SNMP OID

Each one of those numbers is referring to a different part of the SNMP tree. The first number, 1, refers to iso. The second number, 3, refers to org. Third number, 6, refers to dod. The next number, 1, refers to internet, and so on. So you could spell out what each of these particular sections mean by their number. But when you’re sending this information across the network, all you’re sending is a series of numbers. This means that you could have a very large Management Information Base that contains hundreds or even thousands of OIDs that you could reference.

You have to be sure that you’re requesting exactly the OID that you need to be able to receive the information back from that device. And not only are there well known OIDs that you could be referencing. But some manufacturers will define their own private Management Information Bases that have their own set of OIDs that you have to know. Usually, these proprietary MIBs are documented by the manufacturer, and you can usually integrate those into your management workstation.

This allows your management workstations to have a standard query that they can perform, knowing that they’re receiving exactly the type of information that they need. With the right software, you could even walk through the MIB. This is a MIB-walking application that allowed me to query one particular IP address on my network, And in that device, I found thousands and thousands of OIDs, all within different Management Information Bases on this device.

Now, we can see the very first one that was gathered was a system description OID. You can see the letters and numbers associated with that. And you could see that it is a Brother NC-8200w, Firmware version Q, which means that this particular device is a laser printer on my network. As you can see, there is an extensive amount of information that we can gather from this device. There are SNMPv2 MIBs. There are interface MIBs. There are IP MIBs and some MIBs specific to TCP and UDP.

In some cases, you may have to walk through the MIB to find exactly the information you’re looking for, at which point you could make a note of what that OID happens to be. And then you can use that in your management workstation to be able to constantly retrieve that data. If you do that, you could start creating a trend of this information and be able to compare different metrics over time. This is an example of the information that you could gather over time and create some graphs based on these well-known SNMP MIBs.

So far, we’ve described this SNMP process as very proactive, which means we have to query the device. It responds back with a value. And then we would need to perform trending of that value over time. This obviously means that we would need to constantly perform polling to that device, to be able to collect and trim that information. And if you have tens, hundreds, or thousands of devices, you may find it increasingly difficult to be able to perform all of these polls. Instead, we could configure the remote device to be able to perform its own monitoring, and when it exceeds a particular value, to send an alert message directly to us, instead of us having to constantly poll.

We refer to this as an SNMP trap. This SNMP trap is an alarm or an alert that is sent reactively to the management workstation, usually over udp port 162. This allows us to be informed immediately if any problems are occurring, if we’ve configured it to check for these values. For example, we could tell a device that, if the number of cyclic redundancy errors increases by a factor of 5, to send a trap back to the management workstation, at which point the monitoring station can send an alarm or an alert directly to our phones.

It can show that icon on the screen as being red. It can make a sound. Or it can perform some automated functions in the background to somehow work around the problems that have been received. Usually, you’ll find that your management station is using a combination of these to be able to poll and receive traps, to be able to get the best view of what’s happening on your network.