Chapter 5 SNMPv1: Communication and Functional Models

Chapter 5SNMPv1:Communication and Functional Models

Network SNMP Architecture SNMP Manager SNMP Agent SNMP Manager Application SNMP Agent Application Get-Request GetNext-Request Set-Request Get-Response Trap Get-Request GetNext-Request Set-Request Get-Response Trap SNMP SNMP UDP UDP IP IP 網路介面網路介面

SNMP Messages • Get-Request • Get-Next-Request • Set-Request • Get-Response • Trap • Generic trap • Specific trap

Administrative Model • Based on community profile and policy • SNMP Entities: • SNMP application entities - Reside in management stations and network elements - Manager and agent • SNMP protocol entities - Communication processes (PDU handlers) - Peer processes that support application entities

SNMP Community • Security in SNMPv1 is community-based • Authentication scheme in manager and agent • Community: Pairing of two application entities • Community name: String of octets • Two applications in the same community communicate with each other • Application could have multiple community names • Communication is not secured in SNMPv1 - no encryption

SNMP Community • Community • Relationship between an Agent and Managers. • Community Name • Used to validate the SNMP messages. • SNMP Password. • Default ‘Get’ community name: “public”. • Authentication Failure • Agent sends “Authentication Failure Trap” to Manager.

SNMP Community

Community Profile • MIB view • An agent is programmed to view only a subset of managed objects of a network element • Access mode • Each community name is assigned an access mode:: read-only and read-write • Community profile = MIB view + access mode • Operations on an object determined by community profile and the access mode of the object • Total of four access privileges • Some objects, such as table and table entry are non-accessible

Community Profile community

Access Policy • Administration model is SNMP access policy • SNMP community paired with SNMP community profile is SNMP access policy

Access Policy

Generalized Administration Model

Proxy Access Policy

Protocol Entities

Any 161 Any 162 Default UDP Ports for SNMP Management Station Network Elements (NEs) Manager Agent SNMP SNMP UDP UDP IP IP 網路介面網路介面

Protocol Entities • Protocol entities support application entities • Communication between remote peer processes • Message consists of • Version identifier • Community name • Protocol Data Unit • Message encapsulated and transmitted

SNMP Message • SNMP Message • Version Identifier • Community Name • Protocol Data Unit • The length of SNMP messages should not exceed 484 octets. Message ::= SEQUENCE { version INTEGER {version-1(0)}, community OCTET STRING, data ANY } SNMP PDU Version Community

SNMP PDUs

SNMP PDU PDU ::= SEQUENCE { request-id INTEGER, error-status INTEGER { noError(0), tooBig(1), noSuchName(2), badValue(3), readOnly(4), genErr(5)}, error-index INTEGER, variable-bindings SEQUENCE OF { name ObjectName, value ObjectSyntax } } Five SNMP PDUs: [0]PDU [1] PDU [2] PDU [3] PDU [4] Trap-PDU GetRquest ::= GetNextRequest ::= GetResponse ::= SetRequest ::= Trap ::= PDU: Protocol Data Unit

error-status • noError(0) • tooBig(1) • The size of the GetResponse-PDU to be generated exceeds a local limitation. • noSuchName(2) • Any object name in the variable-bindings does not match the name of some object available in the MIB view. • badValue(3) • The value of any object named in the variable-bindings field does not manifest a type, length, and value that is consistent with that required for the variable. • readOnly(4) • To set the value of an object with read-only access mode. • genErr(5) • Any object named in the variable-bindings field cannot be accessed for reasons not covered by any of the foregoing rules.

error-index • The index of the first variable, in the variable-bindings, with an error as indicated in the error-status field. • If there are more than one error in the variable-bindings? • Only the first error is indicated. • For those variables without any error? • Atomic vs. Best-effort • SNMP is atomic!

variable-bindings . . . name name name value value value SNMP PDU (cont.) GetRequest, GetNextRequest, SetRequest PDU type request-id 0 0 variable-bindings GetResponse PDU type request-id variable-bindings error-status error-index

Trap-PDU • Enterprise: • Type of Object generating trap. • Agent Address: • Address of object generating trap. • Generic Trap: • Generic trap type. • Specific Trap: • Enterprise specific trap. • Time Stamp: • Time elapsed between the last • initialization of the network entity and • the generation of the trap. • Variable Bindings • “Interesting” information Trap-PDU ::= [4] IMPLICIT SEQUENCE { enterprise OBJECT IDENTIFIER, agent-addr NetworkAddress, generic-trap INTEGER { coldStart(0), warmStart(1), linkDown(2), linkUp(3), authenticationFailure(4), egpNeighborLoss(5), enterpriseSpecific(6)}, specific-trap INTEGER, time-stamp TimeTicks, variable-bindings VarBindList } generic-trap time-stamp specific-trap PDU type agent-addr enterprise variable-bindings

Trap Type

Generic Trap Example Enterprise: .1.3.6.1.4.1.311.1.1.3.1.1 Agent-Address: 10.10.13.137 Generic-Trap: 4 Specific-Trap: 0 Timestamp: 29756264 #VarBinds: 0

Enterprise-Specific Traps • Traps defined by enterprises • Identification of Enterprise-Specific Traps • Enterprise  Enterprise OID • Generic-Trap  6 • Specific-Trap  an Integer

Enterprise Trap Example Enterprise: .1.3.6.1.4.1.522 Agent-Address: 10.10.13.24 Generic-Trap: 6 Specific-Trap: 4 Timestamp: 143739963 VariableBindings: (4) .1.3.6.1.4.1.522.3.14.23.1.2.11687128: 02:18:25 .1.3.6.1.4.1.522.3.14.23.1.3.11687128: 14 .1.3.6.1.4.1.522.3.14.23.1.4.11687128: (Info): Station 00092d142581 Associated .1.3.6.1.4.1.522.3.14.23.1.5.11687128: AssociationOK

Agent Manager

Get-Next Request A B T E 1.1 1.2 2.1 2.2 3.1 3.2 Z

Lexicographic Order

Get-Next Request MIB Tree : In SNMP, Only leaf objects have values. ＊ 4 5 6 :Non-Leaf Object 1 2 3 :Leaf Object

Get-Next Requests with Indices

SNMP Get-Request Example >>snmpget-d 10.144.18.118 .1.3.6.1.2.1.1.1.0 Transmitted 41 bytes to camry (10.144.18.118) port 161: Initial Timeout: 0.80 seconds 0: 30 27 02 01 00 04 06 70 75 62 6c 69 63 a0 1a 02 0'.....public... 16: 02 18 bc 02 01 00 02 01 00 30 0e 30 0c 06 08 2b .........0.0...+ 32: 06 01 02 01 01 01 00 05 00 -- -- -- -- -- -- -- ................ 0: SNMP MESSAGE (0x30): 39 bytes 2: INTEGER VERSION (0x2) 1 bytes: 0 (SNMPv1) 5: OCTET-STR COMMUNITY (0x4) 6 bytes: "public" 13: GET-REQUEST-PDU (0xa0): 26 bytes 15: INTEGER REQUEST-ID (0x2) 2 bytes: 6332 19: INTEGER ERROR-STATUS (0x2) 1 bytes: noError(0) 22: INTEGER ERROR-INDEX (0x2) 1 bytes: 0 25: SEQUENCE VARBIND-LIST (0x30): 14 bytes 27: SEQUENCE VARBIND (0x30): 12 bytes 29: OBJ-ID (0x6) 8 bytes: .1.3.6.1.2.1.1.1.0 39: NULL (0x5) 0 bytes

SNMP Get-Response Example Received 69 bytes from 10.144.18.118 port 161: 0: 30 43 02 01 00 04 06 70 75 62 6c 69 63 a2 36 02 0C.....public.6. 16: 02 18 bc 02 01 00 02 01 00 30 2a 30 28 06 08 2b .........0*0(..+ 32: 06 01 02 01 01 01 00 04 1c 53 75 6e 20 53 4e 4d .........Sun SNM 48: 50 20 41 67 65 6e 74 2c 20 53 55 4e 57 2c 55 6c P Agent, SUNW,Ul 64: 74 72 61 2d 31 -- -- -- -- -- -- -- -- -- -- -- tra-1........... 0: SNMP MESSAGE (0x30): 67 bytes 2: INTEGER VERSION (0x2) 1 bytes: 0 (SNMPv1) 5: OCTET-STR COMMUNITY (0x4) 6 bytes: "public" 13: RESPONSE-PDU (0xa2): 54 bytes 15: INTEGER REQUEST-ID (0x2) 2 bytes: 6332 19: INTEGER ERROR-STATUS (0x2) 1 bytes: noError(0) 22: INTEGER ERROR-INDEX (0x2) 1 bytes: 0 25: SEQUENCE VARBIND-LIST (0x30): 42 bytes 27: SEQUENCE VARBIND (0x30): 40 bytes 29: OBJ-ID (0x6) 8 bytes: .1.3.6.1.2.1.1.1.0 39: OCTET-STR (0x4) 28 bytes: "Sun SNMP Agent, SUNW,Ultra-1" system.sysDescr.0 : DISPLAY STRING- (ascii): Sun SNMP Agent, SUNW,Ultra-1

SNMP-Walk- Use of SNMP Get-Next Request • snmpwalk 10.144.18.118 .1.3.6.1.2.1.1 system.sysDescr.0 : DISPLAY STRING- (ascii): Sun SNMP Agent, SUNW,Ultra-1 system.sysObjectID.0 : OBJECT IDENTIFIER: .iso.org.dod.internet.private.enterprises.42.2.1.1 system.sysUpTime.0 : Timeticks: (198219958) 22 days, 22:36:39.58 system.sysContact.0 : DISPLAY STRING- (ascii): lino@ms.chttl.com.tw system.sysName.0 : DISPLAY STRING- (ascii): camry system.sysLocation.0 : DISPLAY STRING- (ascii): Information Technology Laboratory 3F system.sysServices.0 : INTEGER: 72(01001000)B

SNMP Trap Example Transmitted 64 bytes to 10.144.18.100 port 162: 0: 30 3e 02 01 00 04 06 70 75 62 6c 69 63 a4 31 06 0>.....public.1. 16: 09 2b 06 01 04 01 84 64 01 01 40 04 0a 90 12 74 .+.....d..@....t 32: 02 01 06 02 03 01 86 9f 43 01 00 30 13 30 11 06 ........C..0.0.. 48: 04 2b 06 01 01 04 09 54 72 61 70 20 74 65 73 74 .+.....Trap test 0: SNMP MESSAGE (0x30): 62 bytes 2: INTEGER VERSION (0x2) 1 bytes: 0 (SNMPv1) 5: OCTET-STR COMMUNITY (0x4) 6 bytes: "public" 13: V1-TRAP-PDU (0xa4): 49 bytes 15: OBJ-ID ENTERPRISE (0x6) 9 bytes: .1.3.6.1.4.1.612.1.1 26: IPADDRESS AGENT-ADDR (0x40) 4 bytes: 10.144.18.116 32: INTEGER GENERIC-TRAP (0x2) 1 bytes: 6 35: INTEGER SPECIFIC-TRAP (0x2) 3 bytes: 99999 40: TIMETICKS TIME-STAMP (0x43) 1 bytes: 0 (0x0) 43: SEQUENCE VARBIND-LIST (0x30): 19 bytes 45: SEQUENCE VARBIND (0x30): 17 bytes 47: OBJ-ID (0x6) 4 bytes: .1.3.6.1.1 53: OCTET-STR (0x4) 9 bytes: "Trap test"

net-snmp (Windows) • Download: • http://sourceforge.net/projects/net-snmp/files/net-snmp%20binaries/5.5-binaries/ • Choose net-snmp-5.5.0-2.x64.exe or net-snmp-5.5.0-1.x86.exe • Installation: • if php-snmp or GetIf has been installed before net-snmp, • the mib directory will be C:\usr\mibs • Copy "C:\Program Files\net-snmp\usr\share\snmp\mibs" to C:\usr\mibs • Unzip http://ycchen.im.ncnu.edu.tw/nm/macroRemoved.zip to C:\usr\mibs • Commands: • snmpget, snmpgetnext, snmpset, snmpwalk, ... • See http://www.net-snmp.org/wiki/index.php/Tutorials • Examples: • snmpget -v 1 -c public 10.32.10.84 .1.3.6.1.2.1.1.1.0 • snmpget -v 1 -c public 10.32.10.84 ifNumber.0 sysUpTime.0 • snmpget -v 2c -c public 10.32.10.84 SNMPv2-MIB::sysUpTime.0 • snmpwalk -v 1 -c public 10.32.10.84 system • snmpgetnext -d -v 1 -c public 10.32.10.84 ifInOctets.1

TYPE: i INTEGER u UNSIGNED c COUNTER32 s STRING x HEX STRING d DECIMAL STRING n NULLOBJ o OBJID t TIMETICKS a IPADDRESS b BITS snmptrapd, snmptrap • snmptrapd-L o snmptrapd.conf • "\usr\etc\snmp\snmptrapd.conf" authCommunity log comm logOption o 或 logOption f C:\logs\snmptraps.log • snmptrap snmptrap -v 1 -c comm 10.10.1.15 .1.3.6.1.4.1.19652 10.34.11.78 2 0 "" ifIndex.3 i 3 snmptrap -v 1 -c comm 10.10.1.15 .1.3.6.1.4.1.19652 10.34.11.78 6 99 "" snmptrap -v 1 -c comm managerIP enterpriseOID agentAddress genericTrap SpecificTrap timeStamp oid type value oid type value …

注意事項 • Windows 作業系統本身也有snmptrap指令，但與net-snmp之snmptrap指令不同。 • 在Command Line模式下，執行snmptrap後，若snmptrapd沒收到trap，可能是執行Windows的snmptrap。 • 解決之道 • 將net-snmp之snmptrap.exe改名 • snmptrap.exe位於目錄"usr\bin\" • "snmptrap.exe" "netsnmptrap.exe" netsnmptrap -v 1 -c comm …

Get System Information • Get “System Group” of MIB II • Use get_request or get_next_request sysDescr .1.3.6.1.2.1.1.1.0 sysObjectID .1.3.6.1.2.1.1.2.0 sysUptime .1.3.6.1.2.1.1.3.0 sysContact .1.3.6.1.2.1.1.4.0 sysName .1.3.6.1.2.1.1.5.0 sysLocation .1.3.6.1.2.1.1.6.0

Get Interface Information • Get “Interface Group” of MIB II • Repeatedly Use “get_next_request” • Note: We don’t know the ifIndex values in ifTable. • First get the next object of .ifTable.ifEntry.0 • Then repeatedly “get_next” • Until the whole subtree is visited.

Traffic Monitoring • Get “ifInOctets” and “ifOutOctets” of MIB II Interface Group • t1: C1 t2: C2 (C2 - C1 )  8  100% Utilization (%) = (t2 - t1)  Bandwidth

SNMP MIB Group

Chapter 5 SNMPv1: Communication and Functional Models