whitney-mcdonald
Chapter 6 SNMP

Chapter 6 Overview
• Simple Network Management Protocol
  o SNMPv1
• SNMP packet format
• Structure of MIB tree
• MIB-2 objects
• SNMP commands
• SNMP security
• Network mgmt system functions

SNMP
• Recall that SNMP is
  o An application layer protocol
  o Used to transfer info between mgmt station and mgmt agent
• SNMP is part of network management
  o Like HTTP is part of Web browsing

Web Browsing
• Web browsing requires
  o Web browser on your computer
  o HTTP
  o Web server(s) with data
  o Software on Web server
  o Communication architecture

Network Management
• Network management requires
  o Management application, mgmt processes, management MIB
  o SNMP
  o Agent process, agent MIB
  o Communication architecture

Management Environment
• Components of mgmt environment
[Figure: a Management Station and a Management Agent, each with a TCP/IP protocol stack (application, transport, network, network interface, MAC and physical layers), joined by the physical network. At the application layer the station runs the Management Application and the SNMP Mgmt Process; the agent runs the SNMP Agent Process. The figure also labels a MIB and a Virtual MIB.]

Mgmt Application
• This is the main part of NMS software
• Application that requests and manages info from agents
• Display results in a usable format
  o Graphs, pictures, etc.
• May display data in the ISO mgmt categories

Mgmt Process
• Mgmt processes support mgmt application
• Application programs that do necessary functions
  o For example, process accesses MIB variable and passes it to SNMP

Mgmt Station SNMP
• Processes packet to be sent to agent, and those received from agent
• Note that SNMP packet contains
  o Version number
  o Community string
  o SNMP command
  o List of variables

Mgmt Agent SNMP
• Like previous slide, but on agent
• For received SNMP packet
  o Extract MIB variable
  o Pass MIB variable to agent process

Agent Process
• Purpose is to get the requested data
• Agent must locate the data in “virtual database”
• Then prepare data for
  o Mgmt agent SNMP (previous slide)

Essential Mgmt Components
• Essential mgmt components include…
• MIB on Mgmt Station
  o Stores MIB variables
• NMS application software
  o Display, analyze data
• SNMP
  o Format used for request/reply messages
• Agent process
  o Gathers data from virtual database

SNMPv1 Packet
• SNMPv1 packet has the form
  Version | Community Name | Protocol Data Unit (PDU)
• Version: the version of SNMP
  o SNMPv1 is “0” in version field
• Community name: like a password
  o Agent can limit who can see what
  o Sent “in the clear”, so not very secure

SNMPv1 PDU
• PDU for Get-Request, Get-Next-Request and Set-Request has fields:
  Request ID | Error Status | Error Index | VarBindList
• Request ID: like a sequence number
• Error status: error in Get-Response
• Error index: first variable in VarBindList that caused error

SNMPv1 PDU
• Error status
  o 0 = noError
  o 1 = tooBig (PDU has too many bytes)
  o 2 = noSuchName (no object with requested name)
  o 3 = badValue (invalid no. for PDU type)
  o 4 = readOnly (incorrect implementation of SNMP)
  o 5 = genErr (any other error)

SNMPv1 PDU
• VarBindList: list of pairs of the form
  Variable ID | Variable Value
  o Variable ID: Object Identifier as defined in SMI specification
  o Variable value: actual value, which could be integer, IP address, etc.

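The packet and PDU layout from the preceding slides, decoded from raw bytes. This is an added example, not code from the slides or the book: the sample packet is constructed by hand (community "public", the noSuchName reply to a Get on sysDescr without an instance), and the function names are hypothetical. It shows that the community string is readable by anyone who can see the datagram.

```python
ERROR_STATUS = dict(enumerate(["noError", "tooBig", "noSuchName", "badValue", "readOnly", "genErr"]))
PDU_TYPES = ["Get-Request", "Get-Next-Request", "Get-Response", "Set-Request"]  # tags 0xA0..0xA3
# Constructed sample: Get-Response to "get sysDescr" (no .0 instance), community "public".
SAMPLE = bytes.fromhex("3025020100" "04067075626c6963" "a218" "020101" "020102"
                       "020101" "300d300b" "06072b060102010101" "0500")

def read_tlv(buf, pos, want=None):
    """Return (tag, value, next_pos) for the BER element at pos, bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) or (want is not None and tag != want):
        raise ValueError(f"bad element at offset {pos}: tag {tag:#x}, length {length}")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(data):
    if not data:
        raise ValueError("empty OID")
    arcs, sub = [data[0] // 40, data[0] % 40], 0   # first byte packs two arcs (1.3 -> 0x2b)
    for b in data[1:]:
        sub = (sub << 7) | (b & 0x7F)      # base-128 digits, high bit means "more follows"
        if not b & 0x80:
            arcs.append(sub)
            sub = 0
    return ".".join(map(str, arcs))

def parse_snmpv1(packet):
    _, msg, _ = read_tlv(packet, 0, 0x30)
    _, version, pos = read_tlv(msg, 0, 0x02)
    _, community, pos = read_tlv(msg, pos, 0x04)     # cleartext community string
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if not 0xA0 <= pdu_tag <= 0xA3:                  # Trap (0xA4) has a different layout
        raise ValueError(f"unsupported PDU tag {pdu_tag:#x}")
    ints, pos = [], 0
    for _ in range(3):                               # request ID, error status, error index
        _, raw, pos = read_tlv(pdu, pos, 0x02)
        ints.append(int.from_bytes(raw, "big", signed=True))
    _, vbl, _ = read_tlv(pdu, pos, 0x30)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos, 0x30)
        _, name, vpos = read_tlv(vb, 0, 0x06)
        varbinds.append((decode_oid(name),) + read_tlv(vb, vpos)[:2])
    return {"version": int.from_bytes(version, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_TYPES[pdu_tag - 0xA0], "request_id": ints[0],
            "error_status": ERROR_STATUS.get(ints[1], ints[1]), "error_index": ints[2], "varbinds": varbinds}
```
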
SNMP Commands
• SNMP commands (numbered 0 thru 4)
  o Get-Request: request value(s) from agent MIB
  o Get-Next-Request: next MIB element (based on object identifier) in lexicographic order
    o Can use this to “walk” the MIB tree
  o Get-Response: response from agent
  o Set-Request: write a value in agent’s MIB
    o For example, the value might shut down device
  o Trap: unsolicited msg from agent

SNMP Trap
• Trap PDU is of the form
  Enterprise | Agent Address | Generic Trap Number | Specific Trap Number | Time Stamp | VarBindList
  o Enterprise: Object Identifier for device that created trap message
  o Agent address: IP address of device
  o Generic trap number: 7 categories
  o Specific trap number: code number
  o Time stamp: time since device initialized
  o VarBindList: same as defined previously

SMI
• Structure of Management Info
  o RFC 1155
• The data structure on the agent
• Object Identifier mapped to value stored on subsystem
  o NIC is example of a subsystem
  o MAC address could be desired value

SMI
• Each object has a name
  o Groups of related objects also defined
• Each object has a type
  o For example, “integer”
• Types can be
  o Simple: a single value
  o Constructed: multiple objects of simple type

SMI
• SMI specification uses subset of Abstract Syntax Notation One (ASN.1)
  o Formal specification of MIB objects
• ASN.1 used to specify
  o Name of object
  o Type of object
  o Read, read-write, or not accessible
  o Brief description of object
• See Appendix B for info on ASN.1

SMI Object Tree
• 0 is the root
• Example: Object ID of sysDescr(1) is 1.3.6.1.2.1.1.1

SMI Object Tree
• MIB objects identified as on previous slide
• Tree can be arbitrarily deep
• MIB-2 defined with 10 groups
  o System, interfaces, address translation, IP, ICMP, TCP, UDP, EGP, transmission, SNMP
  o Later added 13 more groups (extensions)
  o Group can contain many objects, and these objects can be “constructed” type

Proprietary MIBs and RMON
• If not enough groups in MIB-2…
  o …can create a proprietary MIB
• Proprietary MIBs are listed under enterprise
  o Enterprise is a sub-node of private (4)
• RMON
  o Remote Monitoring Standard
  o An extension of MIB-2
  o Deals with traffic on a network segment

SMI Tree
• MIB-2 (1)
• IP has 23 objects
  o ipRouteTable (21)
  o ipRouteEntry (1), consists of 13 column objects

mib-2 (1) = 1.3.6.1.2.1
  system (1)
  interfaces (2)
  at (3)
  ip (4)
    ipRouteTable (21)
      ipRouteEntry (1)
        ipRouteNextHop = 1.3.6.1.2.1.4.21.1.7
  icmp (5)
  tcp (6)
  udp (7)
  egp (8)
  transmission (10)
  snmp (11)

ipRouteEntry

ipRouteEntry = 1.3.6.1.2.1.4.21.1
Columns: ipRouteDest (1), ipRouteIfIndex (2), ipRouteMetric1 (3), ipRouteMetric2 (4), ipRouteMetric3 (5), ipRouteMetric4 (6), ipRouteNextHop (7), ipRouteType (8), ipRouteProtocol (9), ipRouteAge (10), ipRouteMask (11), ipRouteMetric5 (12), ipRouteInfo (13)
Rows (values shown for the first two columns):
  ipRouteDest   ipRouteIfIndex
  10.3.4.3      1
  10.3.4.4      2
  10.3.4.5      3

• An instance of ipRouteEntry consists of all 13 columns in the table above
• How to select column 7?
  o 1.3.6.1.2.1.4.21.1.7
  o Note that the result is a column, not a value
• How to specify row 3 of column 7?
  o ipRouteDest serves as Index Object
  o 1.3.6.1.2.1.4.21.1.7.10.3.4.5

wsnmp
• wsnmp is SNMP command line program
• Suppose we want to get sysDescr
• Why does “get sysDescr” fail?
• Get-Request returns an instance (a value)
  o sysDescr is an object
• Must include Index Object of 0

wsnmp
• Recall Get-Next-Request gets next object in MIB tree (in lexicographic order)
• getnext sysDescr
  o sysDescr is at 1.3.6.1.2.1.1.1 in MIB tree
  o sysDescr.0, i.e., 1.3.6.1.2.1.1.1.0, is next location in MIB tree that contains a value
  o The value at sysDescr.0 is “Hardware: x86 …”

wsnmp
• Recall Get-Next-Request gets next object in MIB tree (in lexicographic order)
• getnext sysDescr.0
  o sysDescr.0 is at 1.3.6.1.2.1.1.1.0 in MIB tree
  o 1.3.6.1.2.1.1.2.0, sysObjectID.0, is next location with a value
  o Value of sysObjectID.0 is 1.3.6.1.4.1.311.1.1.3.1.3

MIB-2 System Group
• Note that “311” (on previous slide) stands for IBM

system (1) = 1.3.6.1.2.1.1
  sysDescr (1)
  sysObjectID (2)
  sysUpTime (3)
  sysContact (4)
  sysName (5)
  sysLocation (6)
  sysServices (7)

Get-Request vs Get-Next-Request
• Suppose you use Get-Request
  o If no value for requested object (or other error), NULL and error returned
  o As we saw with “get sysDescr”
• Suppose you use Get-Next-Request
  o If no value for specified object, you will still get next value in MIB tree
  o This is a good thing!

Get-Request vs Get-Next-Request
• What is result of GetNextRequest(ipRouteEntry)?
  o Address of ipRouteEntry is 1.3.6.1.2.1.4.21.1
  o Next value in MIB is at index 1.3.6.1.2.1.4.21.1.1.10.3.4.3
  o Result: ipRouteDest.10.3.4.3 = 10.3.4.3
• What is GetNextRequest(ipRouteDest.10.3.4.5)?
  o ipRouteDest.10.3.4.5 is 1.3.6.1.2.1.4.21.1.1.10.3.4.5
  o Next value in MIB tree is at 1.3.6.1.2.1.4.21.1.2.10.3.4.3
  o Result: ipRouteIfIndex.10.3.4.3 = 1

Get-Request vs Get-Next-Request
• What is GetNextRequest(ipRouteIfIndex.10.3.4.3)?
  o ipRouteIfIndex.10.3.4.3 is 1.3.6.1.2.1.4.21.1.2.10.3.4.3
  o Next value in MIB tree is at 1.3.6.1.2.1.4.21.1.2.10.3.4.4
  o Result: ipRouteIfIndex.10.3.4.4 = 2
• What is result of GetNextRequest(ipRouteTable)?
  o Recall address of ipRouteTable is 1.3.6.1.2.1.4.21
  o Next value in MIB is at index 1.3.6.1.2.1.4.21.1.1.10.3.4.3
  o Result: ipRouteDest.10.3.4.3 = 10.3.4.3

Get-Next-Request
• Can use Get-Next-Request to access all values in a table
  o Even if we don’t know how many rows in table
• Can access values in MIB tree from a given starting point on
• Can “walk” the MIB tree in lexicographic order
• A nice feature!

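The Get and Get-Next results worked through on the preceding slides, reproduced against a small in-memory agent MIB. This is an added example, not code from the slides: the function names are hypothetical, the MIB holds only the instances the slides name, and the sysDescr value is a constructed placeholder.

```python
from bisect import bisect_right

def oid(text):
    """'1.3.6.1' -> (1, 3, 6, 1); tuples compare arc by arc, i.e. lexicographically."""
    return tuple(int(arc) for arc in text.split("."))

IP_ROUTE_ENTRY = oid("1.3.6.1.2.1.4.21.1")
ROUTES = {"10.3.4.3": 1, "10.3.4.4": 2, "10.3.4.5": 3}   # ipRouteDest -> ipRouteIfIndex (slide table)

def build_mib():
    """Agent MIB holding only the instances named on the slides."""
    mib = {oid("1.3.6.1.2.1.1.1.0"): "constructed sysDescr text",
           oid("1.3.6.1.2.1.1.2.0"): "1.3.6.1.4.1.311.1.1.3.1.3"}
    for dest, if_index in ROUTES.items():
        mib[IP_ROUTE_ENTRY + (1,) + oid(dest)] = dest        # column 1, indexed by ipRouteDest
        mib[IP_ROUTE_ENTRY + (2,) + oid(dest)] = if_index    # column 2
    return mib

def get(mib, name):
    """Get-Request: only an exact instance has a value."""
    return ("noError", name, mib[name]) if name in mib else ("noSuchName", name, None)

def get_next(mib, name):
    """Get-Next-Request: first instance strictly after name in lexicographic order."""
    names = sorted(mib)
    i = bisect_right(names, name)
    if i == len(names):
        return ("noSuchName", name, None)      # walked off the end of the MIB
    return ("noError", names[i], mib[names[i]])

def walk(mib, root):
    """Repeat Get-Next from root until the returned name leaves root's subtree."""
    found, current = [], root
    while True:
        status, name, value = get_next(mib, current)
        if status != "noError" or name[:len(root)] != root:
            return found
        found.append((".".join(map(str, name)), value))
        current = name
```

Walking from ipRouteEntry returns the table column by column (all ipRouteDest instances, then all ipRouteIfIndex instances), which is why a walk needs no advance knowledge of the row count.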
Set Command
• Recall Set-Request used to remotely “set” (write) a value
• For example,
  o SetRequest(sysContact = Frank)
  o Would change value of sysContact to “Frank”
  o Response to this would be Get-Response with sysContact = Frank

Security
• We mentioned previously the SNMP method of authentication
  o A community name acts like a password
  o More than one mgmt station may have access
• Authorization is also a concern
  o Assuming that you have access…
  o …then what are you allowed to do?

Security
• SNMP security features
[Figure: three columns. Authentication: Community Name. Authorization (Rights): SNMP Access Mode (Read-Only, Read-Write). MIB Access: read-only, read-write, write-only, not-accessible. Also shown: MIB View (Object, Object 2, …, Object N).]
• SNMP community profile
  o Access mode specifies type of access
  o MIB view specifies access or not

Security
• SNMP security features
[Figure: three columns. Authentication: Community Name. Authorization (Rights): SNMP Access Mode (Read-Only, Read-Write). MIB Access: read-only, read-write, write-only, not-accessible. Also shown: MIB View (Object, Object 2, …, Object N).]
• SNMP Access Policy
  o Combination of all of the above

Security
• SNMP Access Mode
• MIB Access
• Mapping between these given below

SNMP Access Mode   MIB Access       Resolution
Read-Only          Read-Only        Object available for Get and Trap operations
Read-Only          Read-Write       Object available for Get and Trap operations
Read-Only          Write-Only       Object available for Get and Trap operations but the value is implementation dependent
Read-Only          Not-Accessible   Object is unavailable
Read-Write         Read-Only        Object available for Get and Trap operations
Read-Write         Read-Write       Object available for Get, Set and Trap operations
Read-Write         Write-Only       Object available for Get, Set and Trap operations but the value is implementation dependent for Get and Trap operations
Read-Write         Not-Accessible   Object is unavailable

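How an agent could combine community name, access mode, MIB view and per-object MIB access into one decision, following the mapping table above. This is an added example, not code from the slides: the community names, views and function names are hypothetical, the per-object access values are those MIB-2 (RFC 1213) defines for the listed objects, and reporting a denied operation as noSuchName is an assumption about agent behaviour.

```python
def arcs(text):
    return tuple(int(a) for a in text.split("."))

def under(prefix, name):
    """True if name is prefix or below it, compared arc by arc (not as strings)."""
    return name[:len(prefix)] == prefix

# Constructed community profiles: names and views are placeholders, not from the slides.
PROFILES = {
    "monitor-ro": {"mode": "read-only", "view": [arcs("1.3.6.1.2.1.1")]},   # system group
    "admin-rw": {"mode": "read-write", "view": [arcs("1.3.6.1.2.1.1"), arcs("1.3.6.1.2.1.4")]},
}
# MIB access per object, as defined for these objects in MIB-2 (RFC 1213).
MIB_ACCESS = {
    arcs("1.3.6.1.2.1.1.1"): "read-only",           # sysDescr
    arcs("1.3.6.1.2.1.1.4"): "read-write",          # sysContact
    arcs("1.3.6.1.2.1.4.21.1"): "not-accessible",   # ipRouteEntry
    arcs("1.3.6.1.2.1.4.21.1.7"): "read-write",     # ipRouteNextHop
    arcs("1.3.6.1.2.1.11.1"): "read-only",          # snmpInPkts
}

def allowed_ops(access_mode, mib_access):
    """Resolution column of the mapping table on the slide."""
    if mib_access == "not-accessible":
        return set()
    ops = {"Get", "Trap"}
    if access_mode == "read-write" and mib_access in ("read-write", "write-only"):
        ops.add("Set")
    return ops

def authorize(community, op, name):
    """Agent-side decision for one variable: 'ok', 'noSuchName' or 'drop'."""
    profile = PROFILES.get(community)
    if profile is None:
        return "drop"                       # unknown community: authentication fails
    target = arcs(name)
    if not any(under(p, target) for p in profile["view"]):
        return "noSuchName"                 # outside this community's MIB view
    owners = [o for o in MIB_ACCESS if under(o, target)]
    access = MIB_ACCESS[max(owners, key=len)] if owners else "not-accessible"
    return "ok" if op in allowed_ops(profile["mode"], access) else "noSuchName"
```

Comparing arcs rather than text matters for the view check: as strings, the snmp group (1.3.6.1.2.1.11) would appear to start with the system group's prefix (1.3.6.1.2.1.1) and a view limited to system would leak it.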
Proxy
• SNMP agent can act as a proxy
  o To collect mgmt values
• Device might not support SNMP
• Might be used to improve performance

Meterware NMS
• MIB browser screen
• Much easier than command line mode!

Meterware NMS
• Meterware “decodes” the information and presents it in a readable form
  o Also presents hex view
• See book for more pictures of Meterware output

Chapter 6 Summary
• Components of mgmt environment
• Format of SNMP messages
  o Get-Request
  o Get-Next-Request
  o Command line
• Security (or lack thereof)
• Meterware NMS