SNMP

The Simple Network Management Protocol (SNMP) is a protocol used to exchange management information between network devices. odmon.com uses it to query a device for the values it monitors. In order to use our services the device must run a working SNMP service (agent) that is reachable from our servers. Many devices and operating systems support this:

  • Windows 2000/XP Professional and Vista
  • Linux and Unix OS with snmp server installed (e.g. Net-SNMP)
  • Routers and switches (Cisco, Netscreen, Juniper and many others)
  • Wireless bridges and AP
  • And many others

It is the protocol that allows servers such as odmon.com to ask devices for specific information, for example CPU usage or Internet traffic counters. The answers are stored in a database. It basically looks like this:

[Diagram: how odmon.com uses SNMP]

The monitoring servers poll the device every few minutes in order to build a trend for each monitored value, e.g. CPU usage. The trend is then visualized on the graphs available to users.

[Example graph]

The odmon.com servers access the monitored device over the Internet, so the device has to be reachable from our servers. In most cases this means that the device needs a public IP address, or that the SNMP port (UDP 161 by default) is forwarded from the router or firewall to the monitored host inside the network. odmon.com provides a test page for checking that your SNMP service is reachable.


SNMP details

In an SNMP environment there are two basic types of hosts:

  • SNMP agent (on this page also called the SNMP server) - the managed/monitored device, which runs a process that gathers the data made available through SNMP. It listens on UDP port 161 (default) for requests. When a request for a specific value arrives, the agent first checks it (e.g. the community string and, if configured, the source host) and only then replies with the value.
  • SNMP manager (also called the management system or SNMP client) - it requests data from the agent. To make a query, the manager must know: the community string, the SNMP version, the destination host and the OID it is asking for.

SNMP uses UDP as its transport protocol and the standard port for the service is 161 (the agent listens on this port). It is possible to run the agent on a different port. This creates more administrative work (the port must be specified in every query, and remembered!) and only slightly raises the bar: it is not a way of securing access, merely a way to avoid random scans and automated attacks aimed at port 161. Use it in addition to a non-default community string and a source address restriction, never instead of them.

There are three SNMP versions in use: SNMPv1, SNMPv2c and SNMPv3. Versions 1 and 2c are the simplest to set up for basic monitoring, but both send the community string in cleartext with every packet. Version 3 (standardized in 2002 as RFC 3411 to 3418) adds authentication, encryption and per-user access control and is supported by most current devices, so prefer it where the device offers it. More about the versions is in the security section.

SNMP community

A community is a text string that authorizes messages in versions 1 and 2c of SNMP. You can think of it as a password attached to every message; note that it is transmitted in cleartext, so anyone who can capture the traffic can read it. On most devices you can configure two types of community:

  • Read-only (RO) - allows the management system to read values from the agent. The default on most platforms is "public". Always change the default community.
  • Read-write (RW) - allows the management system to actually reconfigure the device; when you want to set e.g. a description on an interface, you must be authorized with the read-write community. The default on most platforms is "private". Always change the default community, and do not configure a read-write community at all unless you need one; monitoring only requires read access.

MIBs and OIDs

SNMP is a protocol in which the management system asks the agent for a specific value. Since there are thousands of possible variables, there must be a way to name what the manager is asking for. SNMP uses an OID (object identifier) for this, and every request and response carries one. OIDs are organized in a hierarchical tree defined jointly by ISO and ITU-T. Every OID is a sequence of numbers separated by dots, each number naming a node (branch) of the tree. A typical OID looks like this: .1.3.6.1.2.1.1.1.0 (sysDescr), where the first four numbers (iso.org.dod.internet) are almost always the same and select the sub-tree used by all Internet standards. Besides the well-known standard values such as interface descriptions, types and counters, there is a sub-tree (1.3.6.1.4.1, enterprises) in which each vendor has its own branch for vendor-specific values. The complete SNMP tree today probably has millions of nodes describing most aspects of network and computing hardware.

An administrator can see the full tree of a device with the snmpwalk utility, which requests all the nodes one by one (it sends a GetNext request for each value returned, starting from the OID given). On an Internet core router the output from snmpwalk can run to a million lines and take hours to gather.

An example SNMP query: the management system sends "get OID 1.3.6.1.4.1.9.2.1.57" and the device answers "OID 1.3.6.1.4.1.9.2.1.57 = 5". This particular query asks a Cisco device for its average CPU usage (the one-minute average, avgBusy1 in the OLD-CISCO-CPU-MIB), which in this case is 5%.

The problem with OIDs is that they are just strings of numbers, which is not user friendly. To describe those numbers, MIBs (Management Information Base files) were created. MIBs are text files in a well-known format (ASN.1 with SMI macros) that can be imported into a management system, which then translates the numbers into names. Using MIBs, an administrator can locate the specific value he is interested in and then use its OID for monitoring.
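The query described above, and the community, version, host and OID fields listed under "SNMP details", as an added example that is not odmon.com code: it hand-encodes an SNMPv2c GetRequest in BER, parses the agent's GetResponse, and can send the request over UDP to a real agent. The agent reply used in the offline demo is constructed here, not captured from a device; the host 192.0.2.1 in the usage line is a placeholder. Only Python's standard library is used.

```python
"""SNMPv2c GET exchange, hand-encoded in BER (ASN.1 basic encoding rules).

Added example for this page; not odmon.com code. The agent reply used in the
offline demo is constructed, not captured from a device.
"""
import socket

# Universal ASN.1 tags used by SNMP, plus the SNMP application tags
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
COUNTER32, GAUGE32, TIMETICKS = 0x41, 0x42, 0x43
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2      # context-specific PDU tags
SNMP_V2C = 1                                # version field: 0 = v1, 1 = v2c


def encode_length(n):
    """BER length: one byte below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + encode_length(len(body)) + body


def encode_int(value):
    """Minimal two's-complement INTEGER (request-id, error fields, values)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(INTEGER, value.to_bytes(size, "big", signed=True))


def encode_oid(oid):
    """Dotted OID -> BER: first two arcs merge into 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                        # continuation bytes have bit 7 set
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(OID, bytes(out))


def build_get_request(community, oid, request_id=1):
    """Message = SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))   # value is NULL in a GET
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0)  # error-status
              + encode_int(0)                                       # error-index
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, encode_int(SNMP_V2C)
               + tlv(OCTET_STRING, community.encode()) + pdu)


def build_get_response(community, oid, value, request_id=1):
    """Constructed agent reply for the offline demo (str -> OCTET STRING, int -> INTEGER)."""
    encoded = tlv(OCTET_STRING, value.encode()) if isinstance(value, str) else encode_int(value)
    pdu = tlv(GET_RESPONSE, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, tlv(SEQUENCE, encode_oid(oid) + encoded)))
    return tlv(SEQUENCE, encode_int(SNMP_V2C)
               + tlv(OCTET_STRING, community.encode()) + pdu)


def decode_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_sequence(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = decode_tlv(body, pos)
        items.append((tag, inner))
    return items


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0   # SNMP OIDs start with 1.3
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_value(tag, body):
    if tag == INTEGER:
        return int.from_bytes(body, "big", signed=True)
    if tag in (COUNTER32, GAUGE32, TIMETICKS):
        return int.from_bytes(body, "big")
    if tag == OCTET_STRING:
        return body.decode("utf-8", "replace")
    if tag == NULL:
        return None
    return body                           # other types (e.g. IpAddress 0x40): raw bytes


def parse_message(raw):
    """Decode a v1/v2c message; note the community is plainly readable."""
    tag, body, _ = decode_tlv(raw)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = decode_sequence(body)
    fields = decode_sequence(pdu)         # request-id, error-status, error-index, varbinds
    varbinds = []
    for _, vb in decode_sequence(fields[3][1]):
        (_, oid_body), (vtag, vbody) = decode_sequence(vb)
        varbinds.append((decode_oid(oid_body), decode_value(vtag, vbody)))
    return {"version": decode_value(INTEGER, version),
            "community": community.decode("latin-1"), "pdu": pdu_tag,
            "request_id": decode_value(*fields[0]),
            "error_status": decode_value(*fields[1]), "varbinds": varbinds}


def snmp_get(host, community, oid, port=161, timeout=2.0):
    """Live v2c GET over UDP. A wrong community gets no reply at all (timeout)."""
    request = build_get_request(community, oid, request_id=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        raw, _ = sock.recvfrom(65535)
    reply = parse_message(raw)
    if reply["request_id"] != 0x1234 or reply["error_status"] != 0:
        raise RuntimeError("unexpected reply: %r" % (reply,))
    return reply["varbinds"][0][1]


if __name__ == "__main__":
    req = build_get_request("public", ".1.3.6.1.2.1.1.1.0")
    print("request :", req.hex())
    print("parsed  :", parse_message(req))             # community visible in cleartext
    reply = build_get_response("public", ".1.3.6.1.2.1.1.1.0", "Linux core-rtr 5.10.0")
    print("response:", parse_message(reply)["varbinds"])
    # Against a real agent (placeholder host): snmp_get("192.0.2.1", "public", ".1.3.6.1.2.1.1.1.0")
```

Running the demo prints the 40-byte request whose first bytes are the version (02 01 01) and the community "public" (04 06 70 75 62 6c 69 63) in the clear, which is exactly what a packet capture on the path would show. Feeding a capture of real traffic to parse_message is a quick way to check which community strings are in use on a network.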

SNMP Traps

SNMP traps are a way of notifying the monitoring system about events as they occur, for example an interface going down or an emergency condition. Traps are sent by the agent to the manager (UDP port 162 by default), the opposite direction from normal queries.
Odmon does not support SNMP traps yet.

SNMP Security

Version 1 and 2

When configuring a device in odmon.com you need to provide the password for its SNMP service, the so-called community string. The community is attached to every SNMP query and is what the agent uses to authorize the request; without knowledge of the string, the agent does not reply at all. Keep in mind that in versions 1 and 2c the community crosses the network in cleartext, so anyone who can capture the traffic can read it, and that a read-only community is all a monitoring server needs. For additional security it is strongly recommended to configure an access list (or an equivalent mechanism) on the device so that only the specified monitoring servers can reach the SNMP service; a leaked community string then cannot be used to read the device from other addresses. UDP source addresses can be spoofed, so this complements rather than replaces a strong community and, where available, SNMPv3.

Version 3

Version 3 of SNMP replaces the community string with the User-based Security Model (USM): each manager has its own user name, and messages can be authenticated (HMAC with MD5 or SHA, so they cannot be forged or altered) and encrypted (DES or AES, so the values and the user's credentials cannot be read on the wire). Three security levels exist: noAuthNoPriv, authNoPriv and authPriv; use authPriv wherever the device supports it. Access control is handled by the View-based Access Control Model (VACM), which limits each user to the parts of the OID tree it is allowed to read or write.
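The settings discussed in this security section (non-default community, source restriction, read-only access, v3 user) as a Net-SNMP snmpd.conf fragment. This is an added example, not odmon.com's configuration or a device vendor's; the community string, user name, passphrases and the monitoring server address 198.51.100.10 are placeholders.

```conf
# /etc/snmp/snmpd.conf (Net-SNMP agent). Added example; all secrets and
# addresses are placeholders.

# Listen on the standard port on all interfaces. Moving to a non-default
# port only hides the service from casual scans; it is not access control.
agentAddress udp:161

# WEAK: the out-of-the-box situation on many devices. Default read-only and
# read-write communities, answerable from any host that can reach UDP/161.
# Left commented out on purpose.
#rocommunity public
#rwcommunity private

# v1/v2c hardened: a non-default string, accepted only from the monitoring
# server's address, and limited to the mib-2 subtree (.1.3.6.1.2.1) that
# holds sysDescr, interface counters and similar values. No read-write
# community at all, since monitoring only needs reads. The string still
# crosses the network in cleartext.
rocommunity K9v-long-random-string-change-me 198.51.100.10 .1.3.6.1.2.1

# v3, preferred where the manager supports it: SHA authentication and AES
# encryption. "priv" on the rouser line means authPriv is required, so
# unauthenticated or unencrypted requests for this user are refused.
# Passphrases must be at least 8 characters. createUser is usually kept in
# the persistent data file (e.g. /var/lib/snmp/snmpd.conf), where snmpd
# replaces the passphrases with localized keys on first start.
createUser odmonv3 SHA "auth-passphrase-change-me" AES "priv-passphrase-change-me"
rouser odmonv3 priv .1.3.6.1.2.1
```

After restarting snmpd, a v2c query from any address other than 198.51.100.10, or a v3 query from odmonv3 without authPriv, simply times out; a v3 query with the right credentials returns the value. On Cisco IOS the equivalent of the rocommunity line is an ACL applied to the snmp-server community command.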