Post on 29-Jun-2019
bdNOG 6 – Bogra, Bangladesh
Overview
• WhatisSNMP?• Pollingandquerying• OIDsandMIBs• No=fica=ons• SNMPv3
WhatisSNMP?
• SNMP-SimpleNetworkManagementProtocol– Structuredprotocol,structuredinforma=on– Forqueryingnetworkdevicestateandreceivingno=fica=ons
– Alsocanbeusedtochangestate– Industrystandard,hundredsoftoolsexistthatuseit– Supportedonanydecentnetworkequipment– Transport:UDPports161and162(no=fica=ons)
UsesforSNMP• Typicalqueries
– BytesIn/Outonaninterface,errors– CPUload– Up=me– TemperatureorothervendorspecificOIDs
• Forhosts(serversorworksta=ons)– Diskspace– InstalledsoUware– Runningprocesses
• WindowsandUNIXhaveSNMPagents
SNMPVersions• v1(1988)Originalspecifica=on
– Historic• v2(1996)FailedStandard
– Security+newdatatypes+newoperators– 64-bitcounters,get-bulk,v2no=fica=ons– View-basedaccesscontrolmodel(VACM)introduced– Historic,nocurrentimplementa=onsleU
• v2c(1996)Defactostandard– v2datatypesandoperators– v1security(communitystring)(simplesecuritymodel)– Historic
• v3(1998)Robustsecurity– User/viewbasedsecurity(USM/VACM)– FullInternetStandard
• WewilluseSNMPv2candv3inthisclass
SNMProles
• Terminology—WewillbeusingManagerandAgent
• Manager(themonitoringsta=on)– Some=mesknownastheSNMPclient– SNMPv3callsittheCommandGeneratorandNo=fica=onReceiver
• Agent(runningontheequipment/server)– Some=mesknownastheSNMPserver– SNMPv3callsittheCommandResponderandNo=fica=onOriginator
HowdoesSNMPwork?Basicoperators• get (manager->agent)
– Queryforavalue• getnext (manager->agent)
– Getnextvalue(e.g.listofvaluesforatable)• getresponse (agent->manager)
– Responsetoget,getnext,orset,includeserrorreturns• set (manager->agent)
– Setavalue,orperformanac=on• trap (agent->manager)
– Spontaneousno=fica=onfromequipment(linedown,temperatureabovethreshold,...)
HowdoesSNMPwork?
• Query/responsebased– Monitoringgenerallyusesget,getnext,getbulk– Changingstateusesset– Responseisalwaysagetresponse– getbulkrequiresv2corv3
• No=fica=onsaredeliveredastrapsorinforms– trapsareunacknowledged– informsareacknowledged(v2c,v3)– Usev2cformattraps– Nooneusesinforms
TheSNMPdatabase
• Theinforma=onofferedbyadeviceisavailableinitsManagementInforma=onBase(MIB)– SNMPusesObjectIden=fiers(OIDs)toorganizethisinforma=on
– OIDsarekeystoiden=fyingeachpieceofdata– OIDsareorganizedintoatreestructurethatistheMIB
– MIBfilesdocumentpartsoftheMIBonadevice
OIDs
• OID:ObjectIden=fier– Auniquekeytoselectapar=cularitemofdatainthedevice
– Thesamepieceofinforma=onisalwaysfoundatthesameOID.That'ssimple!
– AnOIDisavariable-lengthstringofnumbers,e.g.– .1.3.6.1.2.1.1.3
• Allocatedhierarchicallyinatreetoensureuniqueness(similartoDNS)
IfEmailAddresseswereOIDs• user@bdnog.org
– wouldhavebeensomethinglike:• user@bdnog.enterprises.private.internet.dod.org.isouser@99999.1.4.1.6.3.1– exceptthatwereversetheordering,pujngiso(1)first:
• .1.3.6.1.4.1.99999.117.115.101.114– Notethepor=onaUer99999—itspells“user”inasciidopeddecimal!
• Don'tworryaboutthedeeplybranchedtree.WhatmapersisthatOIDsareunique.– Ensuresvendorsdon'thaveconflic=ngOIDs– ThenumericOIDiswhatgetssentonthewire
OIDsandMIBfiles• ReadfromleUtorightOIDcomponentsseparatedby'.'– .1.3.6.1.4.1.9....
• EachOIDcorrespondstoalabel– .1.3.6.1.2.1.1.5=>sysName
• Thecompletepath:– .iso.org.dod.internet.mgmt.mib-2.system.sysName
• HowdoweconvertfromOIDstoLabels(andviceversa)?
• UsetheMIBsfiles!
TheMIBTree
SNMPandSecurity• SNMPversions1and2careinsecure• SNMPversion3wascreatedtofixthis• SNMPv3authen=ca=onisbasedonauser
– “User-basedSecurityModel”(USM)• Authen=cityandintegrity• Keysareusedforusersandmessageshavedigitalsignaturesgeneratedwithahashfunc=on(MD5orSHA)
• Privacy• Messagescanbeencryptedwithsecret-key(private)algorithms(DESorAES)
• Temporaryvalidity• U=lizesasynchronizedclockwitha150secondwindowwithsequencechecking
SNMPv3SecurityLevels
• noAuthNoPriv– Noauthen=ca=on,noprivacy
• authNoPriv– Authen=ca=onwithnoprivacy
• authPriv– Authen=ca=onwithprivacy
CiscoSNMPConfigura=on• Read-only
– CiscoSNMPConfigura=on– snmp-servercommunityNetManageRO– EnablesSNMPv1andv2c
snmp-server group ReadGroup v3 auth snmp-server user admin ReadGroup v3 auth sha NetManage
– SNMPv3authen=ca=on,noencryp=on• Read-write
snmp-server group WriteGroup v3 auth write v1default snmp-server user admin-rw WriteGroup v3 auth sha NetManage
priv aes 128 NetWrite
– CiscoallowsauthNoPrivandauthPrivquerieswiththisuser– Youcouldalsodefinearead-writeuserwithoutencryp=on(priv)– NotethatwerecommendusingSNMPversion3ifyouwantwrite
accessusingthesetoperator
Net-SNMPConfigura=on• Addacommunitystringbyediting /etc/snmp/snmpd.confand
adding:rocommunity NetManage 10.10.0.0/16
• AddtheSNMPv3user# service snmpd stop# net-snmp-create-v3-user -a SHA –A NetManage admin # service snmpd start
• Modifyyouruserconfigura=onfile~/.snmp/snmp.conf,adding:defVersion 3 defCommunity NetManage defSecurityName admin defSecurityLevel authNoPriv defAuthPassphrase NetManage defAuthType SHA
QueryinganSNMPagent• UsingNet-SNMPcommandlinetools...• Sometypicalcommandsforquerying:
– snmpget – snmpwalk – snmpbulkwalk (requires v2c or v3) – snmpstatus– snmptable
• Syntax:snmpXXX -v1 -c<community> host [OID] snmpXXX -v2c -c<community> host [OID] snmpXXX -v3 -lauthNoPriv -u<user> -aSHA -A<pass> host [OID}
• However,becauseyou'vesetupthesnmp.conffile,it'smucheasiersnmpxxxhost[OID]
• Or,ifyouwanttoforcetheversiontov2c,forexample:– snmpxxx -v2c host [OID]
QueryinganSNMPagent
• Let'slookatsomeexamples– snmpstatus10.10.0.254– snmpget10.10.0.254ifNumber.0– snmpwalk-v2c10.10.0.254ifDescr
QueryinganSNMPagent• Community:
– A”security”string(password)todefinewhetherthequeryingmanagerwillhaveRO(readonly)orRW(readwrite)access
– Thisisthesimplestformofauthen=ca=oninSNMP• OID
– Avalue,forexample,.1.3.6.1.2.1.1.5.0 – oritsnameequivalent:sysName.0
• Let'saskforthesystem'sname(usingtheOIDabove)– Whythe.0?Whatdoyouno=ce?
QueriesUsingsnmp.conf
• Twowalks:# snmpwalk 10.10.0.252 sysUpTime DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1946738) 5:24:27.38 # snmpwalk -v2c 3 10.10.0.252 sysUpTime DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1953429) 5:25:34.29
• FirstwalkusedSNMPv3asitwasthedefaultinsnmp.conf,secondwalkspecifiedSNMPv2c,andusedthecommunitystringfromsnmp.conf.
SNMPfailure:noresponse?
• ThedevicemightbeofflineorunreachableThedevicemightnotberunninganSNMPagent
• Thedevicemightbeconfiguredwithadifferentcommunitystring
• ThedevicemightbeconfiguredtorefuseSNMPqueriesfromyourIPaddress
• Inallofthesecasesyouwillgetnoresponse
SNMPBestPrac=ces• SecureyourSNMPaccessandtraffic:
– ManagementVLAN– Accesslists– UseSNMPv3withauthen=ca=onforqueriesandsetswherepossible
• UseSNMPv2ctraps– Beperformapedthanv1traps– Accurate=mestamps
• Donoharm– Onlypollasfastasyoureallyneed– PossibletodriveCPUloadondevicesupandaffectotherprotocol
processing– Itdoesnogoodtopollevery5secondsifthedeviceupdatesthe
counterevery10
Multi Router Traffic Grapher (MRTG) The Multi Router Traffic Grapher (MRTG) is a tool to monitor
the traffic load on network-links. – MRTG generates HTML pages containing PNG images which
provide an almost live visual representation of this traffic. Check http://oss.oetiker.ch/mrtg/ for more information.
– From the mrtg pages:
“You have a router, you want to know what it does all day long? Then MRTG is for you. It will monitor SNMP network devices and draw pretty pictures showing how much traffic has passed through each interface.”
MRTG continued • MRTG has been the most common network traffic
measurement tool for all Service Providers during this millenium.
• MRTG uses simple SNMP queries on a regular interval to generate graphs.
• External readers for MRTG graphs can create other interpretation of data.
• MRTG software can be used not only to measure network traffic on interfaces, but also build graphs of anything that has an equivalent SNMP MIB - like CPU load, disk availability, temperature, etc...
• Data sources can be anything that provides a counter or gauge value – not necessarily SNMP. – For example, graphing round trip times.
• MRTG generates each graph every 5 minutes. This can create considerable overhead if you are graphing for many devices (100’s of routers with multiple interfaces for instance…). – Example: 500 routers, 2 interfaces each = 1000 graphs
to generate. Potential CPU overhead.
• Very few customizable graphing options.
• MRTG management itself can be tedious work (see next slide…)
MRTG issues
RunningMRTG• Install or compile required packages
– apt-get install mrtg • Make cfg files for router interfaces with cfgmaker
• Create html pages from the cfg files with indexmaker
• Trigger MRTG periodically from cron or run it in daemon mode
MRTG graphs
Ques=ons!