bdNOG 6 – Bogra, Bangladesh

Overview

•  WhatisSNMP?•  Pollingandquerying•  OIDsandMIBs•  No=fica=ons•  SNMPv3

WhatisSNMP?

•  SNMP-SimpleNetworkManagementProtocol–  Structuredprotocol,structuredinforma=on–  Forqueryingnetworkdevicestateandreceivingno=fica=ons

– Alsocanbeusedtochangestate–  Industrystandard,hundredsoftoolsexistthatuseit–  Supportedonanydecentnetworkequipment–  Transport:UDPports161and162(no=fica=ons)

UsesforSNMP•  Typicalqueries

–  BytesIn/Outonaninterface,errors–  CPUload– Up=me–  TemperatureorothervendorspecificOIDs

•  Forhosts(serversorworksta=ons)– Diskspace–  InstalledsoUware–  Runningprocesses

•  WindowsandUNIXhaveSNMPagents

SNMPVersions•  v1(1988)Originalspecifica=on

–  Historic•  v2(1996)FailedStandard

–  Security+newdatatypes+newoperators–  64-bitcounters,get-bulk,v2no=fica=ons–  View-basedaccesscontrolmodel(VACM)introduced–  Historic,nocurrentimplementa=onsleU

•  v2c(1996)Defactostandard–  v2datatypesandoperators–  v1security(communitystring)(simplesecuritymodel)–  Historic

•  v3(1998)Robustsecurity–  User/viewbasedsecurity(USM/VACM)–  FullInternetStandard

•  WewilluseSNMPv2candv3inthisclass

SNMProles

•  Terminology—WewillbeusingManagerandAgent

•  Manager(themonitoringsta=on)–  Some=mesknownastheSNMPclient–  SNMPv3callsittheCommandGeneratorandNo=fica=onReceiver

•  Agent(runningontheequipment/server)–  Some=mesknownastheSNMPserver–  SNMPv3callsittheCommandResponderandNo=fica=onOriginator

HowdoesSNMPwork?Basicoperators•  get (manager->agent)

–  Queryforavalue•  getnext (manager->agent)

–  Getnextvalue(e.g.listofvaluesforatable)•  getresponse (agent->manager)

–  Responsetoget,getnext,orset,includeserrorreturns•  set (manager->agent)

–  Setavalue,orperformanac=on•  trap (agent->manager)

–  Spontaneousno=fica=onfromequipment(linedown,temperatureabovethreshold,...)

HowdoesSNMPwork?

•  Query/responsebased– Monitoringgenerallyusesget,getnext,getbulk–  Changingstateusesset–  Responseisalwaysagetresponse–  getbulkrequiresv2corv3

•  No=fica=onsaredeliveredastrapsorinforms–  trapsareunacknowledged–  informsareacknowledged(v2c,v3)– Usev2cformattraps– Nooneusesinforms

TheSNMPdatabase

•  Theinforma=onofferedbyadeviceisavailableinitsManagementInforma=onBase(MIB)– SNMPusesObjectIden=fiers(OIDs)toorganizethisinforma=on

– OIDsarekeystoiden=fyingeachpieceofdata– OIDsareorganizedintoatreestructurethatistheMIB

– MIBfilesdocumentpartsoftheMIBonadevice

OIDs

•  OID:ObjectIden=fier– Auniquekeytoselectapar=cularitemofdatainthedevice

– Thesamepieceofinforma=onisalwaysfoundatthesameOID.That'ssimple!

– AnOIDisavariable-lengthstringofnumbers,e.g.–  .1.3.6.1.2.1.1.3

•  Allocatedhierarchicallyinatreetoensureuniqueness(similartoDNS)

IfEmailAddresseswereOIDs•  user@bdnog.org

–  wouldhavebeensomethinglike:•  user@bdnog.enterprises.private.internet.dod.org.isouser@99999.1.4.1.6.3.1–  exceptthatwereversetheordering,pujngiso(1)first:

•  .1.3.6.1.4.1.99999.117.115.101.114–  Notethepor=onaUer99999—itspells“user”inasciidopeddecimal!

•  Don'tworryaboutthedeeplybranchedtree.WhatmapersisthatOIDsareunique.–  Ensuresvendorsdon'thaveconflic=ngOIDs–  ThenumericOIDiswhatgetssentonthewire

OIDsandMIBfiles•  ReadfromleUtorightOIDcomponentsseparatedby'.'–  .1.3.6.1.4.1.9....

•  EachOIDcorrespondstoalabel–  .1.3.6.1.2.1.1.5=>sysName

•  Thecompletepath:–  .iso.org.dod.internet.mgmt.mib-2.system.sysName

•  HowdoweconvertfromOIDstoLabels(andviceversa)?

•  UsetheMIBsfiles!

TheMIBTree

SNMPandSecurity•  SNMPversions1and2careinsecure•  SNMPversion3wascreatedtofixthis•  SNMPv3authen=ca=onisbasedonauser

–  “User-basedSecurityModel”(USM)•  Authen=cityandintegrity•  Keysareusedforusersandmessageshavedigitalsignaturesgeneratedwithahashfunc=on(MD5orSHA)

•  Privacy•  Messagescanbeencryptedwithsecret-key(private)algorithms(DESorAES)

•  Temporaryvalidity•  U=lizesasynchronizedclockwitha150secondwindowwithsequencechecking

SNMPv3SecurityLevels

•  noAuthNoPriv– Noauthen=ca=on,noprivacy

•  authNoPriv– Authen=ca=onwithnoprivacy

•  authPriv– Authen=ca=onwithprivacy

CiscoSNMPConfigura=on•  Read-only

–  CiscoSNMPConfigura=on–  snmp-servercommunityNetManageRO–  EnablesSNMPv1andv2c

snmp-server group ReadGroup v3 auth snmp-server user admin ReadGroup v3 auth sha NetManage

–  SNMPv3authen=ca=on,noencryp=on•  Read-write

snmp-server group WriteGroup v3 auth write v1default snmp-server user admin-rw WriteGroup v3 auth sha NetManage

priv aes 128 NetWrite

–  CiscoallowsauthNoPrivandauthPrivquerieswiththisuser–  Youcouldalsodefinearead-writeuserwithoutencryp=on(priv)–  NotethatwerecommendusingSNMPversion3ifyouwantwrite

accessusingthesetoperator

Net-SNMPConfigura=on•  Addacommunitystringbyediting /etc/snmp/snmpd.confand

adding:rocommunity NetManage 10.10.0.0/16

•  AddtheSNMPv3user# service snmpd stop# net-snmp-create-v3-user -a SHA –A NetManage admin # service snmpd start

•  Modifyyouruserconfigura=onfile~/.snmp/snmp.conf,adding:defVersion 3 defCommunity NetManage defSecurityName admin defSecurityLevel authNoPriv defAuthPassphrase NetManage defAuthType SHA

QueryinganSNMPagent•  UsingNet-SNMPcommandlinetools...•  Sometypicalcommandsforquerying:

–  snmpget –  snmpwalk –  snmpbulkwalk (requires v2c or v3) –  snmpstatus–  snmptable

•  Syntax:snmpXXX -v1 -c<community> host [OID] snmpXXX -v2c -c<community> host [OID] snmpXXX -v3 -lauthNoPriv -u<user> -aSHA -A<pass> host [OID}

•  However,becauseyou'vesetupthesnmp.conffile,it'smucheasiersnmpxxxhost[OID]

•  Or,ifyouwanttoforcetheversiontov2c,forexample:–  snmpxxx -v2c host [OID]

QueryinganSNMPagent

•  Let'slookatsomeexamples– snmpstatus10.10.0.254– snmpget10.10.0.254ifNumber.0– snmpwalk-v2c10.10.0.254ifDescr

QueryinganSNMPagent•  Community:

– A”security”string(password)todefinewhetherthequeryingmanagerwillhaveRO(readonly)orRW(readwrite)access

–  Thisisthesimplestformofauthen=ca=oninSNMP•  OID

– Avalue,forexample,.1.3.6.1.2.1.1.5.0 –  oritsnameequivalent:sysName.0

•  Let'saskforthesystem'sname(usingtheOIDabove)– Whythe.0?Whatdoyouno=ce?

QueriesUsingsnmp.conf

•  Twowalks:# snmpwalk 10.10.0.252 sysUpTime DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1946738) 5:24:27.38 # snmpwalk -v2c 3 10.10.0.252 sysUpTime DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1953429) 5:25:34.29

•  FirstwalkusedSNMPv3asitwasthedefaultinsnmp.conf,secondwalkspecifiedSNMPv2c,andusedthecommunitystringfromsnmp.conf.

SNMPfailure:noresponse?

•  ThedevicemightbeofflineorunreachableThedevicemightnotberunninganSNMPagent

•  Thedevicemightbeconfiguredwithadifferentcommunitystring

•  ThedevicemightbeconfiguredtorefuseSNMPqueriesfromyourIPaddress

•  Inallofthesecasesyouwillgetnoresponse

SNMPBestPrac=ces•  SecureyourSNMPaccessandtraffic:

–  ManagementVLAN–  Accesslists–  UseSNMPv3withauthen=ca=onforqueriesandsetswherepossible

•  UseSNMPv2ctraps–  Beperformapedthanv1traps–  Accurate=mestamps

•  Donoharm–  Onlypollasfastasyoureallyneed–  PossibletodriveCPUloadondevicesupandaffectotherprotocol

processing–  Itdoesnogoodtopollevery5secondsifthedeviceupdatesthe

counterevery10

Multi Router Traffic Grapher (MRTG) The Multi Router Traffic Grapher (MRTG) is a tool to monitor

the traffic load on network-links. –  MRTG generates HTML pages containing PNG images which

provide an almost live visual representation of this traffic. Check http://oss.oetiker.ch/mrtg/ for more information.

–  From the mrtg pages:

“You have a router, you want to know what it does all day long? Then MRTG is for you. It will monitor SNMP network devices and draw pretty pictures showing how much traffic has passed through each interface.”

MRTG continued •  MRTG has been the most common network traffic

measurement tool for all Service Providers during this millenium.

•  MRTG uses simple SNMP queries on a regular interval to generate graphs.

•  External readers for MRTG graphs can create other interpretation of data.

•  MRTG software can be used not only to measure network traffic on interfaces, but also build graphs of anything that has an equivalent SNMP MIB - like CPU load, disk availability, temperature, etc...

•  Data sources can be anything that provides a counter or gauge value – not necessarily SNMP. –  For example, graphing round trip times.

•  MRTG generates each graph every 5 minutes. This can create considerable overhead if you are graphing for many devices (100’s of routers with multiple interfaces for instance…). –  Example: 500 routers, 2 interfaces each = 1000 graphs

to generate. Potential CPU overhead.

•  Very few customizable graphing options.

•  MRTG management itself can be tedious work (see next slide…)

MRTG issues

RunningMRTG•  Install or compile required packages

–  apt-get install mrtg •  Make cfg files for router interfaces with cfgmaker

•  Create html pages from the cfg files with indexmaker

•  Trigger MRTG periodically from cron or run it in daemon mode

MRTG graphs

Ques=ons!