Network Management
System
Module 2
Presented by Manju Devaraj
2012 WIPRO LTD | [Link]
Agenda
SNMP Operation
SNMP v3
1. SNMP Operation
Objectives
At the end of this session, you would be able to:
Explain the SNMP communication model
Explain the SNMP Protocol
Describe the basic concept of SNMP v1
Define SNMP Message Format
Understand the SNMP Instructions
Describe Error Status
Explain SNMPv2
SNMP Communication Model
(Figure: Host A runs the SNMP manager and Host B the SNMP agent; each side's stack is UDP/IP over Data Link over Physical, and the two hosts communicate peer to peer at each layer.)
SNMP Protocol
The network devices are managed by the management station.
Devices run agent software and the management station runs manager software.
The manager learns about the network device through the agent.
Hence, both the agent and the manager need to share the same information model to work together.
The agent interacts with the device (back end) to retrieve values.
SNMP Protocol (Contd.)
The management station and the network device use the lightweight UDP protocol to send and receive messages.
The management station does not instantiate the MIB; it retrieves the instances from the agent.
The manager and the agent use a simple interaction: the manager sends a request message when it wants to retrieve objects, and the agent replies.
The agent on its own reports any trouble it notices on the device, as TRAPs, to the manager.
How SNMPv1 Messages Function
(Figure: message exchange between the client (manager) and the server (agent).)
SNMP Message Format
------------------------------------------
| version | community | SNMP PDU |
------------------------------------------
version - specifies the SNMP version number
community - an OCTET STRING that serves as the password for retrieving/modifying data
SNMP PDU - specifies the operation
SNMP Protocol Interaction - Get Operation
The manager sends a GET request to retrieve objects from the agent. In order to get the objects, the manager needs to specify the object names.
The agent responds to the GET request by sending the manager a GET-RESPONSE message with:
a list of the requested objects (names) with their values, known as the var binding list;
in case of error, the index that indicates the object which caused the error.
SNMP Protocol Interaction - Get Operation (Contd.)
In order to retrieve scalar objects from the agent, the manager has to send the object name suffixed with the value ZERO, e.g. sysUpTime.0
In order to retrieve values from a table, the object name is suffixed with the index value.
If the agent doesn't find an object with the name supplied by the manager, in SNMPv2 it returns noSuchObject in the value field of the variable, or noSuchInstance if no instance of the object is found.
Protocol Operation - GET
(Figure: the management process sends a GetRequest PDU carrying the PDU type, a request id, error status 0, error index 0 and a list of variable bindings with names only; the agent process looks the names up in the MIB and returns a Response PDU with the same request id, error status 0 (no error) and the variable bindings filled with values.)
PDU format for GetRequest/Response: PDU Type | Request id | Error Status | Error Index | Variable Bindings
Protocol Operation - GET (tooBig error)
(Figure: the management process sends a GetRequest PDU with variable binding names; the agent process answers with a Response PDU whose error status is tooBig and whose variable bindings are NULL, because the message size would exceed the maximum size.)
PDU format for GetRequest/Response: PDU Type | Request id | Error Status | Error Index | Variable Bindings
Protocol Operation - GET (genErr error)
(Figure: the agent process answers the GetRequest with a Response PDU whose error status is genErr and whose error index points to the problem object, because processing of that variable name failed; the variable bindings carry the names.)
PDU format for GetRequest/Response: PDU Type | Request id | Error Status | Error Index | Variable Bindings
Error Status for SNMPv1
Values for error status are:
noError (0) - the request was successfully processed
tooBig (1) - the agent could not fit the results of the request into a single SNMP message.
Min. size: 484 bytes. Max. size: 1500 bytes for Ethernet networks.
Error Status (Contd.)
noSuchName (2) - an object was specified which the agent did not know, based on the specified community. The most common source is reading objects that do not exist.
badValue (3) - a set operation tried to modify an object with an invalid or inconsistent value.
readOnly (4) - defined in v1 to indicate that a set operation tried to modify a variable that, according to the community profile, cannot be written. In reality this isn't used: if you try to set a read-only object, the noSuchName error status is returned.
genErr (5) - any other error
SNMPv2 to SNMPv1 Error Mapping
SNMPv2 Error Status       SNMPv1 Error Status
noError                   noError
tooBig                    tooBig
noSuchName                noSuchName
badValue                  badValue
readOnly                  readOnly
genErr                    genErr
wrongValue                badValue
wrongEncoding             badValue
wrongType                 badValue
wrongLength               badValue
inconsistentValue         badValue
noAccess                  noSuchName
notWritable               noSuchName
noCreation                noSuchName
SNMPv2 Exceptions
For SNMP GET requests we can get back the noSuchObject and noSuchInstance exceptions.
For SNMP GETNEXT requests we can get back endOfMibView.
For SNMP SET requests we cannot get back any exceptions.
For SNMP GETBULK requests we can get back endOfMibView.
SNMP Protocol Interaction - SNMP Table
The SNMP table is represented as an ASN.1 SEQUENCE OF type.
Each table has an Entry, which is a SEQUENCE type.
Each column in the table entry is identified by an object identifier.
Each row is identified by the index value.
In order to retrieve values from a table, the object name is suffixed with the index value.
The agent needs to create the rows in the table either during start-up or when the manager sends a SET request to the agent.
SNMP Protocol Interaction - Get Next Operation
The Get Next operation is similar to the Get request. However, Get Next retrieves the next lexicographically ordered object.
The Get Next operation allows the manager to search through a table without having to know the index values.
Get Request
Consider the following MIB table, a subset of ifTable:
Instance   ifIndex   ifDescr    ifType
1          1         ethernet   6
2          2         ethernet   6
3          3         serial     22
4          4         ppp        23
5          5         ethernet   6
6          6         ethernet   6
Get Request Illustration
If a management station issues:
GetRequest(sysUpTime.0, ifIndex.1, ifDescr.2, ifType.4)
the agent will typically respond with:
sysUpTime.0   287231
ifIndex.1     1
ifDescr.2     ethernet
ifType.4      23
A GetRequest can query scalars and objects from different rows.
Get Next Request
Consider this table:
ifIndex   ifInOctets   ifInUcastPkts   ifInNUcastPkts
1         200123       560             912
2         4587213      8876            1780
3         755943       8761            1020
4         8837722      110211          4390
5         398765321    301392159       3259
6         983141       65211           3251
GetNextRequest Illustration
Issue a GetNextRequest(ifInOctets, ifInUcastPkts, ifInNUcastPkts).
The response will be:
ifInOctets.1       200123
ifInUcastPkts.1    560
ifInNUcastPkts.1   912
GetNextRequest automatically returns the queried columns of the first row. The response also carries the index of the first row instance, i.e. 1 in the example.
GetNextRequest Illustration (Contd.)
Issue a GetNextRequest(ifInOctets.1, ifInUcastPkts.1, ifInNUcastPkts.1) using the index of the first row.
The response will be the fields of the next row:
ifInOctets.2       4587213
ifInUcastPkts.2    8876
ifInNUcastPkts.2   1780
Protocol Operation - GetBulk
(Figure: the management process sends a GetBulkRequest PDU carrying the PDU type, request id, non-repeaters, max-repetitions and variable bindings; the agent process reads the MIB and returns a Response PDU with the variable bindings filled in.)
PDU format for GetBulk: PDU Type | Request id | Non-repeaters | Max-repetitions | Variable Bindings
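The Get, GetNext and GetBulk illustrations above, worked through as an added example (this is not code from the slides): a small agent-side store built from the slides' ifTable rows, with GET returning the SNMPv2 exceptions and GETNEXT/GETBULK walking the OIDs in lexicographic order. The sysUpTime and ifEntry OIDs and column numbers are the standard MIB-II ones; the row values are those on the slides.

```python
# Added example (not from the slides): agent-side GET, GETNEXT and GETBULK over
# the ifTable rows shown on the slides, to make lexicographic OID ordering concrete.
from bisect import bisect_right

IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)      # ifTable.ifEntry (MIB-II)
SYS_UPTIME = (1, 3, 6, 1, 2, 1, 1, 3)       # system.sysUpTime (MIB-II)
# ifEntry column numbers: ifIndex=1, ifDescr=2, ifType=3,
# ifInOctets=10, ifInUcastPkts=11, ifInNUcastPkts=12
COLS = {"ifIndex": 1, "ifDescr": 2, "ifType": 3,
        "ifInOctets": 10, "ifInUcastPkts": 11, "ifInNUcastPkts": 12}
# Rows constructed from the two tables on the slides, keyed by ifIndex.
ROWS = {1: (1, "ethernet", 6, 200123, 560, 912),
        2: (2, "ethernet", 6, 4587213, 8876, 1780),
        3: (3, "serial", 22, 755943, 8761, 1020),
        4: (4, "ppp", 23, 8837722, 110211, 4390),
        5: (5, "ethernet", 6, 398765321, 301392159, 3259),
        6: (6, "ethernet", 6, 983141, 65211, 3251)}

# The agent's instance store: OID tuple -> value. Python compares tuples
# lexicographically, which is exactly the order GETNEXT walks.
MIB = {SYS_UPTIME + (0,): 287231}            # sysUpTime.0 from the Get illustration
for idx, values in ROWS.items():
    for col, value in zip(COLS.values(), values):
        MIB[IF_ENTRY + (col, idx)] = value
KEYS = sorted(MIB)

def oid(column, *index):
    """Build an ifEntry OID, e.g. oid("ifInOctets", 2) -> ifInOctets.2."""
    return IF_ENTRY + (COLS[column],) + index

def get(o):
    """GET: exact instance lookup, with the SNMPv2 exceptions for misses."""
    if o in MIB:
        return o, MIB[o]
    column_known = any(k[:len(o) - 1] == o[:-1] for k in KEYS)
    return o, ("noSuchInstance" if column_known else "noSuchObject")

def get_next(o):
    """GETNEXT: the first instance lexicographically after o, else endOfMibView."""
    i = bisect_right(KEYS, o)
    if i == len(KEYS):
        return o, "endOfMibView"
    return KEYS[i], MIB[KEYS[i]]

def get_bulk(oids, non_repeaters, max_repetitions):
    """GETBULK: one GETNEXT for each of the first non_repeaters OIDs, then up to
    max_repetitions successive GETNEXTs for each remaining OID."""
    out = [get_next(o) for o in oids[:non_repeaters]]
    current = list(oids[non_repeaters:])
    for _ in range(max_repetitions):
        step = [get_next(o) for o in current]
        out.extend(step)
        current = [o for o, _ in step]
        if all(v == "endOfMibView" for _, v in step):
            break
    return out
```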
SNMP Protocol Interaction - SET Operation
The manager sends a Set Request to set the value of objects. In order to set object values, the manager needs to specify both the object name and the value.
The agent responds to the SET request with the same PDU format as the GET-RESPONSE PDU.
Protocol Operation - SET
(Figure: the management process sends a SetRequest PDU carrying the PDU type, request id, error status 0, error index 0 and variable bindings with names and values (name/variable 1 .. n); the agent process validates the bindings (phase 1: if there is no validation error) and then updates the MIB (phase 2: if there is no update error, the values are set), returning a Response PDU with error status and error index.)
PDU format for SetRequest/Response: PDU Type | Request id | Error Status | Error Index | Variable Bindings
Protocol Operation - Trap (v2)
(Figure: an unusual event occurs on the device, the agent process generates a Trap PDU and sends it to the management process; the PDU carries the PDU type, a request id, error status 0, error index 0 and the variable binding list.)
PDU format for Trap: PDU Type | Request id | Error Status | Error Index | Variable Bindings
Trap PDU
Format for the SNMPv2 Trap PDU:
-----------------------------------------------
| 0xA7 | reqid | 0 | 0 | variable bindings |
-----------------------------------------------
The PDU format is identical to Get, GetNext or Set; information about the trap is embedded in the variable bindings.
The first variable provides the agent's value of sysUpTime when the trap was generated.
The next variable is snmpTrapOID.0, which identifies what type of trap it is.
NOTIFICATION-TYPE
SNMPv2 Traps are defined by this macro, e.g.:
linkDown NOTIFICATION-TYPE
    OBJECTS { ifIndex, ifAdminStatus, ifOperStatus }
    STATUS current
    DESCRIPTION "A linkDown trap."
    ::= { snmpTraps 3 }
SNMPv1 Trap PDU
A Trap message is sent by the agent to the manager at UDP port 162, whereas GetRequest and GetResponse go to UDP port 161.
Format of the SNMPv1 Trap PDU:
------------------------------------------------------------
| 0xA4 | ent. | addr | gen. | spec. | ts | var bind |
------------------------------------------------------------
Generic Traps
Six Generic Traps are defined:
coldStart (0)
warmStart (1)
linkDown(2)
linkUp (3)
authenticationFailure(4)
egpNeighbourLoss(5)
Informs
Informs are like SNMPv2 Traps, but they are acknowledged.
The InformRequest PDU is:
-----------------------------------------------
| 0xA6 | reqid | 0 | 0 | variable bindings |
-----------------------------------------------
A type value of 0xA6 indicates that it is an Inform message.
This can also be sent from one manager to another.
SNMP Message BER Encoding Example
(Figure: two slides showing the byte-by-byte BER encoding of an SNMP message.)
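An added example (not from the slides) for the message format section and the BER encoding slides: it builds the SNMPv1 GetRequest for sysUpTime.0 byte by byte and parses it back, which also shows why the community string is a password in name only: it travels in clear text in every datagram. The tag values are the standard ASN.1/SNMP ones (0x30 SEQUENCE, 0x02 INTEGER, 0x04 OCTET STRING, 0x05 NULL, 0x06 OBJECT IDENTIFIER, 0xA0 GetRequest).

```python
# Added example, not from the slides: BER encode/decode of the SNMPv1 message | version | community | SNMP PDU |.
def ber_len(n):  # one octet below 128, else 0x80|count followed by the count octets
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):  # tag, length, value
    return bytes([tag]) + ber_len(len(value)) + value

def enc_int(v):  # INTEGER (tag 0x02) in minimal two's-complement octets
    n = (v.bit_length() if v >= 0 else (-v - 1).bit_length()) // 8 + 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def enc_oid(dotted):  # OBJECT IDENTIFIER (tag 0x06): 40*a+b, then base-128 arcs
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def get_request(community, oids, request_id):
    """SNMPv1 GetRequest (PDU tag 0xA0): request id, error status 0, error index 0, var-bind list."""
    varbinds = b"".join(tlv(0x30, enc_oid(o) + tlv(0x05, b"")) for o in oids)  # value = NULL
    pdu = tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)  # version 0 = SNMPv1

def read_tlv(buf, pos=0):  # -> (tag, value, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        count = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + ln], pos + ln

def elements(buf):  # iterate over the TLVs inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def as_int(body):
    return int.from_bytes(body, "big", signed=True)

def dec_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def decode(msg):
    """-> (version, community, (pdu type, request id, error status, error index), [oids]); the community is in clear."""
    (_, ver), (_, community), (pdu_tag, pdu) = elements(read_tlv(msg)[1])
    (_, rid), (_, status), (_, index), (_, vbl) = elements(pdu)
    names = [dec_oid(next(elements(vb))[1]) for _, vb in elements(vbl)]
    return as_int(ver), community.decode(), (pdu_tag, as_int(rid), as_int(status), as_int(index)), names
```

The 40-byte result for community "public" and request id 1 is the same datagram a packet capture of snmpget would show, community string included.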
Workbook 8
Explore the AdventNet Manager and access the agent on the Linux machine, and see how the manager and agent interact.
Capture in Ethereal the exchange between manager and agent, and note the port numbers used by manager and agent and the various fields in the SNMP message.
Use snmpget, snmpgetnext and snmpbulkget for accessing MIB objects, both scalars and table objects.
Use snmptrap to generate traps, which can be seen in the AdventNet Trap Viewer.
Workbook 9
Make an SNMP request to the agent from your manager and
trace byte wise the SNMP request and response in Ethereal.
Summary
In this session we discussed:
SNMP communication model
SNMP Protocol
Basic concept of SNMPv1
SNMP Message Format
SNMP Instructions
Error Status
SNMPv2
2. SNMP v3
Objectives
At the end of this session, you would be able to:
Explain the SNMPv3 Architecture
Describe SNMP Entity, Application and Engine
Define SNMPv3 Agent Architecture
Explain the Functions of the SNMP Engine
Explain the SNMPv3 Message structure and Access control system
Explain SMIv2 Enhancements
SNMPv3 Architecture
(Figure: SNMPv3 architecture diagram.)
SNMP Entity, Applications and Engine
An SNMP Entity consists of SNMP Applications and an SNMP Engine.
The SNMP Engine implements functions to provide services to the applications.
SNMPv3 Agent Architecture
(Figure: SNMPv3 agent architecture diagram.)
Functions of SNMP Engine
1. Accepts outgoing PDUs and does the following:
   Encryption
   Insertion of the authentication code
   Encapsulation of PDUs in messages
2. Accepts incoming PDUs and does the following:
   Authentication
   Decryption
   Extraction of PDUs from messages
SNMPv3 Message Structure
msgVersion              snmpv3                     \
msgID                                               | used by the message
msgMaxSize                                          | processing subsystem
msgFlags                reportable, priv, auth      |
msgSecurityModel        1, 2, 3                    /
msgSecurityParameters                              \
contextEngineID                                     | used by security and
contextName                                         | access control
PDU                                                /
Functions of Access Control Subsystem
1. Authorization services to control access to MIBs for reading and setting of managed objects. Operates on SNMP PDUs.
2. So far the only defined model is the View Based Access Control Model.
Security Subsystem: privacy and authentication, works on SNMP messages.
Access Control: authorized access, works on PDUs.
SNMPv3 Access Control
(Figure: SNMPv3 access control diagram.)
A MIB View
(Figure: MIB view diagram.)
VACM
(Figure: the security model and security name index vacmSecurityToGroupTable, which yields the groupName; the groupName together with the security model, security level, context name and message type (read, write, notify) indexes vacmAccessTable, which yields a view name; vacmViewTreeFamilyTable maps the view name to the MIB view, a set of OID subtrees.)
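The three-table lookup in the VACM figure, as an added example (not code from the slides): constructed table contents and an isAccessAllowed-style decision with the status values RFC 3415 uses. Two simplifications are assumed: the vacmViewTreeFamily mask is all ones (plain OID-prefix match) and the context name is matched by prefix.

```python
# Added example, not from the slides: a View-based Access Control decision that walks
# the three VACM tables. Table contents are constructed; the view mask is assumed to be
# all ones, so view membership is a plain OID-prefix match.

# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
# securityModel: 1 = SNMPv1, 2 = SNMPv2c, 3 = USM (SNMPv3)
SECURITY_TO_GROUP = {(3, "ops-admin"): "ops", (2, "public"): "readers"}

# vacmAccessTable: (groupName, contextPrefix, securityModel, securityLevel) -> view
# per message type. securityLevel: 1 = noAuthNoPriv, 2 = authNoPriv, 3 = authPriv
ACCESS = {
    ("ops", "", 3, 2): {"read": "all", "write": "if-admin", "notify": "all"},
    ("readers", "", 2, 1): {"read": "system", "write": "", "notify": ""},
}

# vacmViewTreeFamilyTable: viewName -> [(subtree, included?)]; an excluded entry
# carves a hole, and the longest matching subtree decides (RFC 3415 rule).
VIEWS = {
    "all": [((1, 3, 6, 1), True)],
    "system": [((1, 3, 6, 1, 2, 1, 1), True)],               # system group only
    "if-admin": [((1, 3, 6, 1, 2, 1, 2, 2, 1), False),       # ifEntry excluded ...
                 ((1, 3, 6, 1, 2, 1, 2, 2, 1, 7), True)],    # ... except ifAdminStatus
}

def in_view(view_name, oid):
    """True if oid falls inside the MIB view; the longest matching subtree wins."""
    best = None
    for subtree, included in VIEWS.get(view_name, []):
        if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]

def is_access_allowed(security_model, security_name, security_level, context, view_type, oid):
    """RFC 3415 style status for one read | write | notify access to oid."""
    group = SECURITY_TO_GROUP.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    # candidate access entries: same group, context prefix matches, same model, and
    # the entry's required level is not higher than the level the message arrived with
    candidates = [(key, views) for key, views in ACCESS.items()
                  if key[0] == group and context.startswith(key[1])
                  and key[2] == security_model and key[3] <= security_level]
    if not candidates:
        return "noAccessEntry"
    # prefer the longest context prefix, then the highest security level
    _, views = max(candidates, key=lambda kv: (len(kv[0][1]), kv[0][3]))
    view_name = views.get(view_type, "")
    if not view_name:
        return "noSuchView"
    return "accessAllowed" if in_view(view_name, oid) else "notInView"
```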
SNMPv3 Message Structure
(Figure: SNMPv3 message structure diagram.)
USM Message Structure
(Figure: USM message structure diagram.)
USM Message Parameters
1. msgAuthoritativeEngineID: the snmpEngineID of the source for a Trap, Response or Report, and of the destination for a Get, GetNext, GetBulk, Set or Inform.
2. msgAuthoritativeEngineBoots: the snmpEngineBoots value, which represents the number of times the SNMP engine has reinitialized itself since its initial configuration.
3. msgAuthoritativeEngineTime: snmpEngineTime, which represents the number of seconds since the SNMP engine last incremented the snmpEngineBoots object.
4. msgUserName: the user on whose behalf the message is exchanged.
5. msgAuthenticationParameters: the HMAC message authentication code.
6. msgPrivacyParameters: the initial value for the DES CBC algorithm.
Authentication
There are three goals in authentication:
(1) to verify that the user is really who he says he is
(2) to verify the user's message was not changed during
transport
(3) to verify that the message is not being replayed (copy the
message and play it over again in the future).
Authentication is optional in SNMPv3. There may be situations
where the users are trusted and/or the data is not sensitive. In
these cases, the organization may not want to incur the
overhead of using authentication.
This is referred to as noauth/nopriv.
Authentication (Contd.)
Sending an authenticated SNMPv3 packet:
1. The entire packet is created. The authentication flag is turned on in msgFlags, and msgAuthenticationParameters is zeroed out.
2. A message digest is computed over the packet using the secret authentication key of the user specified in msgUserName. The algorithm used, HMAC (MD5 or SHA), is determined by the authentication protocol specified for the user.
3. The computed message digest is inserted in the message.
4. The packet is sent.
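The four sending steps above plus the receiver-side check, as an added example (not code from the slides). It assumes the user's localized authentication key is already available, and it uses a constructed fixed-layout serialization in place of the real BER/USM encoding so that only the HMAC and timeliness logic is on show; the 12-octet digest truncation and the 150-second window are the RFC 3414 values.

```python
# Added example, not from the slides: USM authentication on the sending side (steps 1-4)
# and the matching receiver check. The serialization is a constructed fixed layout
# standing in for BER/USM, so the HMAC steps stay visible.
import hmac
import struct

AUTH_LEN = 12        # HMAC-MD5-96 and HMAC-SHA-96 keep the first 12 octets of the digest
TIME_WINDOW = 150    # seconds of msgAuthoritativeEngineTime skew tolerated (RFC 3414)
AUTH_FLAG = 0x01     # authFlag bit in msgFlags

def serialize(flags, boots, engine_time, user, auth_params, scoped_pdu):
    """Constructed layout: flags | boots | time | len(user) | user | authParams | PDU."""
    assert len(auth_params) == AUTH_LEN
    return (struct.pack("!BIIB", flags, boots, engine_time, len(user))
            + user + auth_params + scoped_pdu)

def parse(wire):
    flags, boots, engine_time, n = struct.unpack("!BIIB", wire[:10])
    user = wire[10:10 + n]
    auth_params = wire[10 + n:10 + n + AUTH_LEN]
    return flags, boots, engine_time, user, auth_params, wire[10 + n + AUTH_LEN:]

def digest(auth_key, flags, boots, engine_time, user, scoped_pdu, hash_name):
    """Steps 1-2: HMAC over the whole packet with msgAuthenticationParameters zeroed."""
    packet = serialize(flags, boots, engine_time, user, bytes(AUTH_LEN), scoped_pdu)
    return hmac.new(auth_key, packet, hash_name).digest()[:AUTH_LEN]

def send_authenticated(auth_key, boots, engine_time, user, scoped_pdu, hash_name="sha1"):
    """Steps 3-4: insert the digest; the result is the packet that goes on the wire."""
    mac = digest(auth_key, AUTH_FLAG, boots, engine_time, user, scoped_pdu, hash_name)
    return serialize(AUTH_FLAG, boots, engine_time, user, mac, scoped_pdu)

def verify(wire, auth_key, local_boots, local_time, hash_name="sha1"):
    """Receiver side: (ok, reason). Authenticity first, then the replay window."""
    flags, boots, engine_time, user, auth_params, pdu = parse(wire)
    if not flags & AUTH_FLAG:
        return False, "authFlag not set"
    expected = digest(auth_key, flags, boots, engine_time, user, pdu, hash_name)
    if not hmac.compare_digest(auth_params, expected):   # constant-time compare
        return False, "authenticationFailure"
    # a replayed packet carries a stale engineBoots/engineTime pair
    if boots != local_boots or abs(local_time - engine_time) > TIME_WINDOW:
        return False, "notInTimeWindow"
    return True, "ok"
```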
Privacy with DES
The SNMPv3 USM privacy facility enables managers and
agents to encrypt messages to prevent eavesdropping by third
parties.
Manager entity and agent entity must share a secret key.
When privacy is invoked between a principal and a remote
engine, all traffic between them is encrypted using the Data
Encryption Standard (DES).
The cipher-block-chaining (CBC) mode of DES is used by
USM.
MAX-ACCESS in SMIv2
The MAX-ACCESS clause can be:
a) not-accessible
b) accessible-for-notify
c) read-only
d) read-write
e) read-create
Status in SMIv2
Status : either
a) Current
b) Obsolete
c) Deprecated
SNMPv2 Enhancements
In SNMPv2, the SMI (Structure of Management Information) has 10 datatypes, whereas SNMPv1 has only 8 datatypes, lacking Unsigned32 and Counter64.
SNMPv2 has categories of conceptual tables that prohibit as well as allow row creation and deletion by the manager (depending upon the requirements); no such conceptual categories are found in SNMPv1. (This is the RowStatus column in v2.)
Textual Conventions
Textual conventions refine the semantics of existing types. Example:
RunState ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION "..."
    SYNTAX INTEGER {
        running(1),
        runable(2),
        waiting(3),
        exiting(4) }
Some Textual Conventions
PhysAddress
MacAddress
TruthValue
AutonomousType
InstancePointer
VariablePointer
RowPointer
RowStatus
TimeStamp
TimeInterval
DateAndTime
StorageType
TDomain
TAddress
RowStatus Textual Convention
(Figure: RowStatus state transition table with columns TO, VIA and STATUS; only the STATUS column is legible: ACTIVE, NOT READY, ACTIVE, ACTIVE.)
Row Status Values
1. active
2. notInService
3. notReady
4. createAndGo
5. createAndWait
6. destroy
Definition of Implementation Requirements
The MODULE-COMPLIANCE construct defines implementation requirements for agents:
newMibCompliance MODULE-COMPLIANCE
    STATUS ...
    DESCRIPTION ...
    MODULE 1
    MODULE ...
        MANDATORY-GROUPS ...
        GROUP ...
        OBJECT ...
    MODULE n
    ::= { ... }
OBJECT-GROUP Construct
Defines a set of related object types. Example:
newMibScalarGroup OBJECT-GROUP
    OBJECTS { address, name, uptime }
    STATUS current
    DESCRIPTION "The collection of scalar objects."
    ::= { demoGroups 1 }
Sample MODULE-COMPLIANCE statement
snmpFrameworkMIBCompliances OBJECT IDENTIFIER ::= { snmpFrameworkMIBConformance 1 }
snmpFrameworkMIBGroups      OBJECT IDENTIFIER ::= { snmpFrameworkMIBConformance 2 }

-- compliance statements
snmpFrameworkMIBCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION "The compliance statement for SNMP engines which implement the
                 SNMP Management Framework MIB."
    MODULE      -- this module
        MANDATORY-GROUPS { snmpEngineGroup }
    ::= { snmpFrameworkMIBCompliances 1 }
OBJECT-GROUP Definition
-- units of conformance
snmpEngineGroup OBJECT-GROUP
    OBJECTS {
        snmpEngineID,
        snmpEngineBoots,
        snmpEngineTime,
        snmpEngineMaxMessageSize
    }
    STATUS      current
    DESCRIPTION "A collection of objects for identifying and determining the
                 configuration and current timeliness values of an SNMP engine."
    ::= { snmpFrameworkMIBGroups 1 }
SNMPv1 and SNMPv2 Comparison
SNMPv1                                        SNMPv2
The Trap PDU was defined independently        The Trap PDU was redefined to be the same as that of GetRequest
The Get Bulk operation was never defined      The Get Bulk operation was defined
Inform Request was not defined                The Inform Request PDU was defined for an acknowledged trap and to exchange information between management stations
Workbook 10
Observe the demo for configuring an SNMPv3 Agent.
Implement View Based Access Control on the v3 Agent in
your system and test it out.
Summary
In this session we discussed:
The SNMPv3 Architecture
SNMP Entity, Application and Engine
SNMPv3 Agent Architecture
Functions of the SNMP Engine
SNMPv3 Message structure and Access control system
SMIv2 Enhancements
Thank You