
Chapter 12
Simple Network Management Protocol (SNMP)
Certification Objectives
Understanding SNMP
Why SNMP?
How SNMP Works
SNMP Management System
SNMP Agent
SNMP Service
Management Information Databases (MIB)
Internet MIB II
LAN Manager MIB II for Windows NT
DHCP MIB
WINS MIB
Internet Information Server MIB
Hierarchical Name Tree
Installing and Configuring SNMP Service
Installing SNMP
Identifying Security Parameters
From the Classroom
SNMP Increases Network Security
SNMP Utility
Certification Summary
Two-Minute Drill
Self Test

Chapter 12

Simple Network Management Protocol (SNMP)

Certification Objectives

Understanding SNMP
Management Information Databases (MIB)
Installing and Configuring SNMP Service

Have you ever had to configure a router on another floor of your building, or a bridge at a location across town? You may have lost half a day driving back and forth between locations. What if you wanted to know how efficiently a switch in Europe is running, and you are stuck back in North America?

Simple Network Management Protocol (SNMP) lets you perform these routine tasks from your desk. SNMP is a full Internet standard that is endorsed and supported by nearly every manufacturer of network equipment and software. SNMP gives client/server functionality to network maintenance and monitoring.

After reading this chapter, you will understand the principles behind SNMP and be able to install and configure it to work with a third-party management system.

Understanding SNMP

Simple Network Management Protocol (SNMP) is an Internet standard defined in RFC 1157. SNMP provides a simple method for remotely managing virtually any network device. A network device could be a network card in a server, a program or service running on a server, or a standalone network device such as a hub or router.

The SNMP standard defines a two-tiered approach to network device management: a central management system and the management information base (MIB) located on the managed device. The management system can monitor one or many MIBs, allowing centralized management of a network. From a management system you can see valuable performance and operation statistics from network devices, allowing you to diagnose network health without leaving your office.

The goal for a management system is to provide centralized network management. Any computer running SNMP management software is referred to as a management system. For a management system to be able to perform centralized network management, it must be able to collect and analyze many things, including:

Network protocol identification and statistics
Dynamic identification of computers attached to the network (referred to as discovery)
Hardware and software configuration data
Computer performance and usage statistics
Computer event and error messages
Program and application usage statistics

Now, you may be thinking, "Can’t Windows NT do a lot of this with its built-in functionality?" In most cases, yes. That’s one of the reasons Windows NT has become a popular network operating system. But SNMP extends such functionality beyond a server, allowing management of any network device that supports SNMP. It is also an open standard, allowing it to manage any device or software manufactured to support it.

Why SNMP?

Would you rather do your network configuration crouched in a cramped wiring closet, or sitting at your desk enjoying a cup ‘a joe? In a large internetwork, the particular wiring closet you need may be 1000 miles away!

SNMP was originally developed to assist in configuring and managing bridges and routers. As it evolved, it gained more functionality and extensibility. Being an open Internet standard, it didn’t take long for manufacturers of a variety of network devices to incorporate it into their products.

SNMP allows large networks to be brought under control from a central location. Reconfiguring a network device from anywhere in the world results in huge cost savings for a company. It may also mean that fewer administrators can effectively manage the network.

Besides allowing network managers to remotely configure network devices, SNMP also allows managers to monitor devices, both passively and actively. In a passive scenario, a network device can signal a problem to the management console, getting the network manager’s attention. In an active scenario, the manager may have the management console routinely gather statistics from SNMP-enabled devices. Looking at that data, the manager can make proactive decisions, rather than waiting for a resource to run out and network users to start complaining. SNMP is a popular Internet standard for making large-scale network management possible.

How SNMP Works

An SNMP-managed network requires two things to function: an SNMP management system, and an SNMP agent. The management system allows network managers to view and configure network devices from a central location.

The SNMP agents respond to management system requests, sending information or configuring the network device for the management system. In rare instances, SNMP agents send information to management systems when there is an error or some other problem. When an SNMP agent decides to send information to a management system, it is called a trap. A trap can be initiated only by an SNMP agent. Management systems can respond to traps, but they cannot issue traps.

SNMP defines communities, which are logical groupings of management systems and agents. Communities allow network managers to specify which management systems agents respond to. They also allow the managers to specify which management systems agents should send traps to.

SNMP communities allow network managers not only to logically group SNMP management systems and agents, but also to secure the SNMP system. By default, all SNMP management systems and agents belong to the "public" community. This makes default configuration a snap, but it could lead to problems as the network manager loses control of SNMP access.

SNMP Management System

An SNMP management system is any computer running SNMP management software. UNIX has long been a favorite platform for management software, but Windows NT has made huge inroads into this market. You can now pick just about any platform to be your management system.

Management systems obtain data about network devices and make this information available to a network administrator through textual, graphical, or object-oriented user interfaces. The management system sends SNMP messages to SNMP agents. A management system can issue three commands to SNMP agents: get, get-next, and set.

The get operation allows the management system to request a specific value. The value could be a fixed value, such as maximum number of users, or a variable value, such as a current CPU utilization.

The get-next operation simply gets the next value in the hierarchical SNMP object being queried. Typically, a management console will issue one get command to get to the object it is interested in, then simply issue many get-next commands in succession to get all the values it wants.

For instance, an SNMP agent may have an object for performance counters. If the management system wanted to gather all the performance information on the object, it would issue a get command to the agent requesting the first value in the performance object. After that it would simply issue get-next commands repeatedly until the last performance counter was reached.

The set command allows a management system to configure a remote SNMP agent. This can be very handy in a larger internetwork. Most values an agent has are read-only so the set command is rarely carried out.

SNMP Agent

An SNMP agent simply responds to get, get-next, and set commands issued by a management system. Any network device running SNMP agent software is an agent. Usually they are servers and intelligent routers, hubs, and bridges.

The SNMP agent does have one command at its disposal: the trap. An SNMP agent uses the trap command to report events (usually bad ones) to one or more management systems. A trap may be issued if there is a security breach or serious network error.

The trap allows SNMP agents to report errors without waiting for a management console to ask for the information. This is very important to efficiently monitor a network. An error can grow if not caught quickly. Having an SNMP management system constantly querying SNMP agents would be a drain on network resources, not to mention the SNMP agent’s resources.

Exam Watch: It is important to know which commands are issued by management systems, and which are issued by agents. Get, get-next, and set are issued only by SNMP management systems. Trap is issued only by SNMP agents.

SNMP Service

Windows NT includes an SNMP agent service with its TCP/IP protocol stack. The Windows NT-based SNMP service is an optional service that is installed after TCP/IP is installed on a Windows NT-based computer. After the SNMP service is installed on a computer, it automatically starts each time the computer is started, as illustrated in Figure 12-1.

WARNING! If you install the SNMP service after installing Windows NT 4.0 Service Pack 2 or higher, you must reinstall the Service Pack for the SNMP service to operate properly. (See Microsoft Knowledge Base article Q163595 for more information.)

The SNMP service allows Windows NT computers to report their status to management systems. It also allows the management system to query Windows NT computers for performance statistics. In fact, the Windows NT Performance Monitor requires SNMP to be installed in order to monitor TCP/IP performance statistics, even if you are not using SNMP to manage your network.

Exam Watch: You must know when SNMP is needed. You cannot perform Performance Monitor monitoring of TCP/IP without first installing the SNMP service.

Figure 1 SNMP MIB with TCP/IP Protocols

Management Information Databases (MIB)

Management Information Bases (MIB) are the building blocks in any SNMP implementation. MIBs define a hierarchical structure of manageable objects, which define what may be monitored and/or configured on a network device with a management system.

Every device that is to be managed by SNMP must have a MIB to define what can be done with the device. The MIB will define several things about the objects:

The association between the host hardware or software component (object) and an object name and an object identifier.
A definition of the data type used to define the object.
A textual description of the object.
An index method used for objects that are a complex data type.
The read or write access that is allowed on the object.

Windows NT includes several MIBs for monitoring and configuring several NT services. The Internet MIB II is a standard Internet MIB for common Internet functions, and the LAN Manager MIB II is for managing Windows NT-based services. The DHCP MIB allows management of a Dynamic Host Configuration Protocol service running on Windows NT, and the WINS MIB allows management of a Windows Internet Name Server service running on Windows NT.

Internet MIB II

The Internet MIB II is an Internet standard MIB defined in RFC 1213 and is a superset of a previous standard, Internet MIB I. Internet MIB II provides a standard set of objects essential to fault tolerance and management in an Internet environment. Internet MIB II defines 171 objects for the management system.

LAN Manager MIB II for Windows NT

The LAN Manager MIB II defines 86 objects for management on a Windows NT system. These include a share, session, user, logon, and statistical information. This MIB would be useful for monitoring Windows NT logon/file/print services.

DHCP MIB

The DHCP MIB allows an SNMP management system to manage and monitor the Dynamic Host Configuration Protocol service running on a Windows NT server. DHCP MIB defines 14 objects for monitoring. This MIB is automatically installed when the DHCP Server service is installed.

WINS MIB

The WINS MIB allows an SNMP management system to manage and monitor the Windows Internet Name Server service running on a Windows NT server. WINS MIB defines 72 objects for monitoring and configuring the WINS Server. This MIB is automatically installed when the WINS service is installed.

Internet Information Server MIB

The Internet Information Server MIB allows an SNMP management system to manage and monitor the Internet Information Server running on a Windows NT server. The Internet Information Server MIB doesn’t actually define any objects. The FTP, Gopher, and HTTP Server MIBs are all derived from the Internet Information Server MIB (don’t forget that SNMP MIBs are hierarchical). The FTP Server MIB defines 16 objects, the Gopher Server MIB defines 18 objects, and the HTTP Server MIB defines 22 objects for monitoring. These MIBs are automatically installed when these services are installed.

Hierarchical Name Tree

The Simple Network Management Protocol defines a hierarchical tree for naming management objects (see Figure 12-2). The structure allows each manageable object to have a unique name in the tree. When a management system queries an agent, it provides an object name or number to tell the agent what object it wants the agent to process.

To simplify additions to the name tree, individual organizations may be assigned authority over a single branch, allowing them to control the objects on that branch. In this way, companies can introduce and extend MIBs and have to register only once.

Figure 2 SNMP Hierarchical Name Tree

The name tree defines both an English name and a number for each object. When specifying either an object name or an object number, it is listed from the root of the tree to the object, separated by periods. Table 12-1 shows a few examples.

MIB Name            | Object name                                        | Object number
Internet MIB II     | iso.org.dod.internet.management.mibii              | 1.3.6.1.2.1
LAN Manager MIB II  | iso.org.dod.internet.private.enterprise.lanmanager | 1.3.6.1.4.1.77

Table 1 MIB Names, Object Names, and Object Numbers

If you look at Figure 12-2, you can see that Microsoft has been assigned number 1.3.6.1.4.1.311 for its use. For example, the DHCP and WINS MIBs both fall under this number. So why does LAN Manager have its own number? Quite simply, it was given a number before Microsoft as a whole received its number.

Most of the time you do not need to worry about object names and numbers. Instead you will just focus on individual MIBs. However, you will need to acquaint yourself with the hierarchy in case any questions are posed on the exam, or if you need to diagnose your SNMP configuration using the SNMP Utility (covered later in the chapter).

Installing and Configuring SNMP Service

Before SNMP can be used on Windows NT, it must be installed and configured. While installation is very easy, configuration is more challenging and requires some preparation. Before installing the SNMP service, an administrator must identify the following information:

The contact person and location for the administrator of the local computer
Community names that can be shared by hosts on the network
IP address, IPX address, or network computer name of the SNMP management console, or consoles, that will be the destination for trap messages generated by computers within a specific community. (Not all SNMP management consoles must also be trap destinations.)

The SNMP service requires a management system to report to. You must have at least one management system on the network in order to use the SNMP service, unless you want to monitor TCP/IP performance statistics using only Performance Monitor.

Installing SNMP

The Microsoft SNMP service is not installed by default when the TCP/IP protocol is installed. The SNMP service must be installed manually. It is installed using the Network control panel applet. Follow these steps to install the SNMP service:

  1. From the Control Panel, double-click on Network.
  2. Select Services and click Add.
  3. Select SNMP Service from the list and click OK. Windows NT will copy the necessary files.
  4. After copying the files, the SNMP Properties page will be displayed, as shown in Figure 12-3.

Figure 3 The Agent Tab from SNMP Properties Sheet

The Contact and Location fields are optional, but can be useful for providing additional information. The Services section allows you to define what services the agent provides, as listed in Table 12-2. Each service provides information regarding activity at different levels of the OSI model. The defaults are Application, Internet, and End-to-End.

Service      | Check if the server…
Physical     | Manages Physical layer devices such as repeaters
Data Link    | Manages Data Link layer devices such as bridges
Internet     | Acts as a gateway (like a router)
End-to-End   | Acts as an IP host. Always have this one selected
Application  | Uses TCP/IP applications. Should also always be selected

Table 2 The Five SNMP Services and Their Functions

Exam Watch: It is important to know how to install the SNMP service. You must know that it is installed from the Services tab of the Network control panel applet.

Exercise 12-1 Installing an SNMP Agent

The SNMP agent is installed from the Network control panel applet. Click on the Start button on the taskbar, select Settings, then select Control Panel.

  1. Open the Control Panel and select Network.
  2. Click on the Services tab to see the currently installed services. If SNMP Service is not listed, click the Add button.
  3. A list of NT services that can be installed is shown. Scroll down to SNMP Service and click OK.
  4. Windows NT will copy the necessary files and then present the SNMP service configuration dialog.
  5. Click OK to finish configuration. You must reboot the computer for the SNMP Service to become active.

Identifying Security Parameters

The Traps and Security tabs of the SNMP service properties sheet allow you to enforce some amount of security in an SNMP-managed network. It is important to work out a security plan for SNMP, because by default it is not secure, allowing virtually any management system to make requests, possibly using set in a harmful manner (whether intentionally or not).

SNMP allows security to be controlled by two methods: communities, and directed traps. A community is a logical grouping of one or more management systems and one or more SNMP agents. Traps can be directed to specific management systems within SNMP communities.

By default, the SNMP service will respond to commands from management systems in the public community. All management systems and agents are members of this community. You can see how this would diminish the security of SNMP. Therefore it is important to specify the community names of trusted management systems, and remove the public community from the list of accepted communities.

From the Classroom

SNMP Increases Network Security

SNMP can provide you with a sense of security. If your network is connected to the Internet, a firewall should be in place to prevent intrusion from other SNMP management consoles. You can have the SNMP service send a trap to the trap destination when a request does not match your community name. The SNMP service can be configured to accept requests from numerous community names, not just one. A host must belong to a community name on this list to accept requests. To tighten up security even more, you can clear the option to accept packets from every host with a matching community name, and supply a list of hosts within a community to accept requests. Then, even if the community name matches, SNMP screens it before accepting a request.

by D. Lynn White, MCT, MCSE

When configuring security for the Windows NT SNMP service, the Traps and Security tabs allow you to set the security. The Traps tab (shown in Figure 12-4) allows you to specify who to send SNMP traps to. The Security tab allows you to set who the SNMP service will accept requests from.

Figure 4 The Traps Tab from SNMP Properties Sheet

In the Community Name section, you may add the community names that you want the SNMP service to send its traps to.

You may further refine security by specifying which hosts in a particular community the SNMP service will send traps to. A community may have many management systems, but you may want only a select few to receive traps from a particular SNMP service. You may set this on the traps properties sheet.

The Security tab (shown in Figure 12-5) allows you to secure the SNMP service from management systems. It allows you to define which SNMP communities the service will accept requests from. To further increase security, the Security tab allows you to specify one or more specific management systems to accept requests from.

Figure 5 The Security Tab from SNMP Properties Sheet

The Send Authentication Traps option allows the SNMP service to send a trap when a host is not listed in the Accepted Community Names or defined as a host to accept packets from (assuming the service is not configured to accept packets from any host). This way, when an unauthorized management system attempts to access the SNMP service, the real management systems can see this and know who attempted the access.

By default, the SNMP service responds to any management system in the public community. This allows virtually any management system to view variables from the SNMP service. You should have private communities defined in an SNMP management system, and use these communities to restrict who may query the SNMP service. Add the community name of any management systems you want to allow to view the SNMP service under the Accepted Community Names section using the Add button.

By default, the SNMP service allows any SNMP management system to send commands. This includes set commands, which could severely affect services on the Windows NT computer. For more security, it is important to change the Accept SNMP Packets From Any Host setting to Only Accept SNMP Packets From These Hosts and give a list of trusted management systems.

Agents can belong to more than one community as well. For example, all of your DHCP servers may be in a community called DHCP_server and all of your WINS servers may be in a community called WINS_server. Usually DHCP and WINS servers are separate machines, but not always. So if you have a machine running both DHCP and WINS, you would want that computer to also list both DHCP_server and WINS_server in the Accepted Community Names section.

On very large internetworks, there may be several levels of network management with many management systems. To simplify things, there may be several different communities, one for each group of network managers. Agents can pick who manages them from the appropriate communities, picking one or even all of the communities.
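The screening the Security tab performs, and the settings the text recommends changing, can be modelled in a few lines. This is an added example, not code from the original chapter or from Windows NT: SecuritySettings, screen_request, audit and their field names are hypothetical, the host addresses are constructed, and community names are compared exactly as an assumption of the model.

```python
from dataclasses import dataclass, field


@dataclass
class SecuritySettings:
    """Hypothetical model of the Security and Traps tabs (field names are assumptions)."""
    accepted_communities: set            # Accepted Community Names
    accept_from_any_host: bool           # Accept SNMP Packets From Any Host
    accepted_hosts: set = field(default_factory=set)   # Only Accept ... From These Hosts
    send_authentication_traps: bool = False            # Send Authentication Traps
    trap_destinations: dict = field(default_factory=dict)  # Traps tab: community -> hosts


def screen_request(settings, community, source_host):
    """Return (accepted, traps); traps lists (destination, trap_community, reason)."""
    if community not in settings.accepted_communities:
        reason = "community not accepted"
    elif not settings.accept_from_any_host and source_host not in settings.accepted_hosts:
        reason = "host not in accepted list"
    else:
        return True, []
    traps = []
    if settings.send_authentication_traps:
        # Every configured trap destination hears about the rejected request.
        for trap_community, hosts in sorted(settings.trap_destinations.items()):
            for host in hosts:
                detail = f"{reason}: {community!r} from {source_host}"
                traps.append((host, trap_community, detail))
    return False, traps


def audit(settings):
    """Flag the settings the chapter tells you to change or enable."""
    findings = []
    if "public" in settings.accepted_communities:
        findings.append("public community accepted")
    if settings.accept_from_any_host:
        findings.append("packets accepted from any host")
    if not settings.send_authentication_traps:
        findings.append("authentication traps disabled")
    elif not any(settings.trap_destinations.values()):
        findings.append("authentication traps enabled but no trap destination")
    return findings


# Constructed sample: the first two values are the defaults the chapter describes;
# the authentication-trap value is chosen only to exercise the audit.
UNHARDENED = SecuritySettings(
    accepted_communities={"public"},
    accept_from_any_host=True,
)

# Constructed sample: a server running both DHCP and WINS, managed by one console.
HARDENED = SecuritySettings(
    accepted_communities={"DHCP_server", "WINS_server"},
    accept_from_any_host=False,
    accepted_hosts={"192.0.2.5"},
    send_authentication_traps=True,
    trap_destinations={"DHCP_server": ["192.0.2.5"]},
)

if __name__ == "__main__":
    for name, cfg in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(name, "findings:", audit(cfg))
        for community, host in (("public", "192.0.2.99"),
                                ("WINS_server", "192.0.2.99"),
                                ("WINS_server", "192.0.2.5")):
            print("  ", community, host, "->", screen_request(cfg, community, host))
```
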

Exam Watch: You must know how to configure the SNMP service. Understand what SNMP communities are, how to configure security for SNMP agents, and how to configure traps. Know the three tabs from the SNMP Service properties (Agent, Traps, and Security) and what each one configures.

Exercise 12-2 Configuring SNMP Agent Parameters

Once the SNMP service is installed, you will want to configure the parameters to assure proper and secure operation. By default, the SNMP service will respond to requests from any management system in the public community. This will allow it to function with just about any management system, but only at the sacrifice of security.

  1. Open the Network control panel applet. Click on the Services tab, select the SNMP Service from the list and click the Properties button.
  2. Configure the Agent properties. The Contact and Location fields are optional, but can be useful for providing additional information. The Services section allows you to define what services the agent provides.
  3. Click on the Traps tab. This section allows you to specify which management systems the SNMP service should send which traps to.
  4. Click on the Security tab. This section allows you to determine which management systems to accept requests from. On this tab you may also have the SNMP service send a trap if an invalid management system attempts to access the SNMP service.
  5. Click OK to accept the changes. You may need to reboot for the changes to take effect.

Having seen how to configure the Windows NT SNMP service, let’s try looking at some scenarios and how to resolve them:

"My management console doesn’t belong to the public community…" On the Security tab, add the proper community under Accepted Community Names.
"I want to make sure unauthorized management consoles don’t query my agent…" Select Only Accept SNMP Packets From These Hosts and enter the trusted management systems’ address(es).
"If there is an error, I want the SNMP service to report it…" On the Traps tab, add the community name you want, then add the host names.

SNMP Utility

The Microsoft Windows NT 4.0 Resource Kit contains the program SNMPUTIL.EXE. This utility lets you verify that the SNMP service can communicate with management systems correctly. It sends SNMP commands to the local SNMP service as though they were issued by a management system and displays the results. The syntax is very straightforward:

snmputil command agent community object_identifier_(OID)

There are three valid commands that can be used with SNMPUTIL: get, get-next, and walk. Get simply gets the value of the requested object. Get-next requests the next object following the specified object. Walk allows stepping through the MIB branch specified in the OID.

The SNMP utility can be very useful for verifying the SNMP configuration. For example:

snmputil getnext DHCPserver Public .1.3.6.1.4.1.311.1.3.2.1.1.1

This command would return the Object ID (OID) and counter value for the OID, in this case the number of IP leases that the DHCP Server named DHCPserver has issued.
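The get-next loop described under SNMP Management System, and the walk command of SNMPUTIL modelled as repeated get-next, can be traced against an in-memory table. This is an added example, not code from the original chapter: SimulatedAgent, walk and SAMPLE_MIB are hypothetical, nothing is sent over the network, and the objects stored under the page's OID branches are constructed.

```python
from bisect import bisect_right


def parse_oid(text):
    """'.1.3.6.1' or '1.3.6.1' -> (1, 3, 6, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def format_oid(oid):
    return "." + ".".join(str(n) for n in oid)


class SimulatedAgent:
    """In-memory stand-in for an agent's MIB (hypothetical, no network traffic)."""

    def __init__(self, objects):
        self.values = {parse_oid(k): v for k, v in objects.items()}
        # Tuples of ints sort component by component, which is the tree order:
        # ...4.1.77 comes before ...4.1.311, although "311" < "77" as text.
        self.order = sorted(self.values)

    def get(self, oid):
        """Exact match only; None stands for 'no such object'."""
        return self.values.get(oid)

    def get_next(self, oid):
        """First object after `oid` in tree order, or None at the end of the MIB."""
        index = bisect_right(self.order, oid)
        if index == len(self.order):
            return None
        found = self.order[index]
        return found, self.values[found]


def walk(agent, root):
    """Repeat get-next from `root` until the reply leaves the `root` subtree."""
    results, current = [], root
    while True:
        reply = agent.get_next(current)
        if reply is None:
            break                       # ran off the end of the MIB
        oid, value = reply
        if oid[:len(root)] != root:
            break                       # next object belongs to another branch
        results.append((format_oid(oid), value))
        current = oid
    return results


# Constructed sample objects placed under branches named on this page
# (Internet MIB II, LAN Manager 77, Microsoft 311); the values are made up.
SAMPLE_MIB = {
    ".1.3.6.1.4.1.311.1.3.10.0": 1,
    ".1.3.6.1.4.1.311.1.3.2.1.1.1.1": 12,
    ".1.3.6.1.4.1.311.1.3.2.1.1.1.2": 7,
    ".1.3.6.1.4.1.311.1.3.2.1.1.2.1": 3,
    ".1.3.6.1.4.1.77.1.1.1.0": 4,
    ".1.3.6.1.4.1.77.1.1.2.0": 0,
    ".1.3.6.1.2.1.1.1.0": "constructed description",
}

if __name__ == "__main__":
    agent = SimulatedAgent(SAMPLE_MIB)
    # Same OID as the snmputil getnext example above.
    print(agent.get_next(parse_oid(".1.3.6.1.4.1.311.1.3.2.1.1.1")))
    for oid, value in walk(agent, parse_oid(".1.3.6.1.4.1.311.1.3.2")):
        print(oid, "=", value)
```

The walk over .1.3.6.1.4.1.311.1.3.2 stops before ...3.10.0 because the comparison is on whole components, not on text prefixes.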

Exam Watch: Be sure you know which commands are initiated by the management system and which commands are initiated by the agent.

Certification Summary

The Simple Network Management Protocol (SNMP) is an Internet standard for monitoring and configuring network devices. An SNMP network is composed of management systems and agents. Management systems monitor agents, using get, get-next, and set commands to gather statistics and configure devices. Agents respond to the get, get-next, and set commands. Occasionally agents will issue their own command, trap, to alert management systems to extraordinary events.

The Management Information Base (MIB) defines management objects for a network device. Both management systems and agents understand MIBs and what they define. Windows NT includes several MIBs: Internet MIB II, LAN Manager MIB II, DHCP MIB, and WINS MIB. The Internet Information Server MIB doesn’t define any objects itself, but the HTTP, FTP, and Gopher MIBs are derived from it.

The Windows NT SNMP service allows you to configure a variety of parameters: which communities it belongs to, whether to accept SNMP queries from all hosts or only certain ones, and what communities and hosts to send traps to. The service can also be told what roles (router, server, etc.) the NT computer fills and report only pertinent information regarding those roles. The Windows NT 4.0 Resource Kit includes tools such as SNMPUTIL.EXE for verifying the configuration of the SNMP service.

Two-Minute Drill

Simple Network Management Protocol (SNMP) provides a simple method for remotely managing virtually any network device.
The SNMP standard defines a two-tiered approach to network device management: a central management system and the management information base (MIB) located on the managed device.
SNMP allows large networks to be brought under control from a central location.
An SNMP-managed network requires two things to function: an SNMP management system, and an SNMP agent.
An SNMP management system is any computer running SNMP management software.
An SNMP agent simply responds to get, get-next, and set commands issued by a management system.
It is important to know which commands are issued by management systems, and which are issued by agents. Get, get-next, and set are issued only by SNMP management systems. Trap is issued only by SNMP agents.
The Windows NT-based SNMP service is an optional service that is installed after TCP/IP is installed on a Windows NT-based computer.
If you install the SNMP service after installing Windows NT 4.0 Service Pack 2 or higher, you must reinstall the Service Pack for the SNMP service to operate properly.
You must know when SNMP is needed. You cannot perform Performance Monitor monitoring of TCP/IP without first installing the SNMP service.
Management Information Bases (MIB) define a hierarchical structure of manageable objects, which define what may be monitored and/or configured on a network device with a management system.
Internet MIB II provides a standard set of objects essential to fault tolerance and management in an Internet environment.
The LAN Manager MIB II defines 86 objects for management on a Windows NT system. These include a share, session, user, logon, and statistical information.
The DHCP MIB allows an SNMP management system to manage and monitor the Dynamic Host Configuration Protocol service running on a Windows NT server.
The WINS MIB allows an SNMP management system to manage and monitor the Windows Internet Name Server service running on a Windows NT server.
The Internet Information Server MIB allows an SNMP management system to manage and monitor the Internet Information Server running on a Windows NT server.
The Simple Network Management Protocol defines a hierarchical tree for naming management objects.
The SNMP service must be installed manually.
It is important to know how to install the SNMP service. You must know that it is installed from the Services tab of the Network control panel applet.
The traps and security tabs of the SNMP service properties sheet allow you to enforce some amount of security in an SNMP managed network.
You must know how to configure the SNMP service. Understand what SNMP communities are, how to configure security for SNMP agents, and how to configure traps. Know the three tabs from the SNMP Service properties (Agent, Traps, and Security) and what each one configures.
The SNMPUTIL.EXE utility lets you verify that the SNMP service can communicate with management systems correctly.
Be sure you know which commands are initiated by the management system and which commands are initiated by the agent.