11.9 Simple Network Management Protocol
Troubleshooting is necessary to recover from problems, but the ultimate goal of the network administrator is to avoid problems. That is also the goal of network management software. The network management software used on TCP/IP networks is based on the Simple Network Management Protocol (SNMP).
SNMP is a client/server protocol. In SNMP terminology, it is described as a manager/agent protocol. The agent (the server) runs on the device being managed, which is called the Managed Network Entity. The agent monitors the status of the device and reports that status to the manager.
The manager (the client) runs on the Network Management Station (NMS). The NMS collects information from all of the different devices that are being managed, consolidates it, and presents it to the network administrator. This design places all of the data manipulation tools and most of the human interaction on the NMS. Concentrating the bulk of the work on the manager means that the agent software is small and easy to implement. Correspondingly, most TCP/IP network equipment comes with an SNMP management agent.
SNMP is a request/response protocol. UDP port 161 is its well-known port. SNMP uses UDP as its transport protocol because it has no need for the overhead of TCP. "Reliability" is not required because each request generates a response. If the SNMP application does not receive a response, it simply re-issues the request. "Sequencing" is not needed because each request and each response travels as a single datagram.
The request and response messages that SNMP sends in the datagrams are called Protocol Data Units (PDU). The five PDUs used by SNMP are listed in Table 11.3. These message types allow the manager to request management information, and when appropriate, to modify that information. The messages also allow the agent to respond to manager requests and to notify the manager of unusual situations.
PDU | Use |
---|---|
GetRequest | Manager requests an update. |
GetNextRequest | Manager requests the next entry in a table. |
GetResponse | Agent answers a manager request. |
SetRequest | Manager modifies data on the managed device. |
Trap | Agent alerts manager of an unusual event. |
The NMS periodically requests the status of each managed device (GetRequest) and each agent responds with the status of its device (GetResponse). Making periodic requests is called polling. Polling reduces the burden on the agent because the NMS decides when polls are needed, and the agent simply responds. Polling also reduces the burden on the network because the polls originate from a single system at a predictable rate. The shortcoming of polling is that it does not allow for real-time updates. If a problem occurs on a managed device, the manager does not find out until the agent is polled. To handle this, SNMP uses a modified polling system called trap-directed polling.
A trap is an interrupt signaled by a predefined event. When a trap event occurs, the SNMP agent does not wait for the manager to poll; instead it immediately sends information to the manager. Traps allow the agent to inform the manager of unusual events while allowing the manager to maintain control of polling. SNMP traps are sent on UDP port 162. The manager sends polls on port 161 and listens for traps on port 162. Table 11.4 lists the trap events defined in the RFCs.
Trap | Meaning |
---|---|
coldStart | Agent restarted; possible configuration changes |
warmStart | Agent reinitialized without configuration changes |
enterpriseSpecific | An event significant to this hardware or software |
authenticationFailure | Agent received an unauthenticated message |
linkDown | Agent detected a network link failure |
linkUp | Agent detected a network link coming up |
egpNeighborLoss | The device's EGP neighbor is down |
The last three entries in this table show the roots of SNMP in Simple Gateway Management Protocol (SGMP), which was a tool for tracking the status of network routers. Routers are generally the only devices that have multiple network links to keep track of and are the only devices that run Exterior Gateway Protocol (EGP). [12] These traps are not significant for most systems.
[12] EGP is covered in Chapter 7.
The most important trap may be the enterpriseSpecific trap. The events that signal this trap are defined differently by every vendor's SNMP agent software. Therefore it is possible for the trap to be tuned to events that are significant for that system. SNMP uses the term "enterprise" to refer to something that is privately defined by a vendor or organization as opposed to something that is globally defined by an RFC.
SNMP has twice as much jargon as the rest of networking, and that's saying something! Managed Network Entity, NMS, PDU, trap, polling, enterprise: that's just the beginning! We also need to mention (below) what SMI is, what a MIB is, and what ASN.1 is used for. Why this bewildering array of acronyms and buzzwords? I think there are two main reasons:
- Network management covers a wide range of different devices, from repeaters to mainframe computers. A "vendor-neutral" language is needed to define terms for the manufacturers of all of this different equipment.
- SNMP is based on the Common Management Information Protocol (CMIP) that was created by the International Standards Organization (ISO). Formal international standards always spend a lot of time defining terms because it is important to make terms clear when they are used by people from many different cultures who speak many different languages.
Now that you know why you have to suffer through all of this jargon, let's define a few more important terms.
The Structure of Management Information (SMI) defines how data should be presented in an SNMP environment. The SMI is documented in RFC 1155 and RFC 1065, Structure and Identification of Management Information for TCP/IP-based Internets. The SMI defines how managed objects are named, the syntax in which they are defined, and how they are encoded for transmission over the network. The SMI is based on previous ISO work.
Each managed object is given a globally unique name called an object identifier. The object identifier is part of a hierarchical name space that is managed by the ISO. The hierarchical name structure is used, just like it is in DNS, to guarantee that each name is globally unique. In an object identifier, each level of the hierarchy is identified by a number.
Objects are defined just as formally as they are named. The syntax used to define managed objects is Abstract Syntax Notation One (ASN.1). ASN.1 is ISO Standard 8824, Specification of Abstract Syntax Notation One (ASN.1). It is a very formal set of language rules for defining data. It makes the data definition independent of incompatibilities between systems and character sets. ASN.1 also includes a set of rules for encoding data for transfer over a network. These rules are defined in ISO Standard 8825, Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1). The Basic Encoding Rules (BER) define that bit 8 of an octet is sent first, that 2's complement is used for signed integers, and other nitty-gritty details of data transmission.
Every object managed by SNMP has a unique object identifier defined by the ASN.1 syntax and encoding defined by BER. When all of these unique objects are grouped together, they are called the Management Information Base (MIB). The MIB refers to all information that is managed by SNMP. However, we usually refer to "a MIB" or "the MIBs" (plural), meaning the individual databases of management information formally defined by an RFC or privately defined by a vendor.
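To make the BER encoding, the numeric object identifiers, and the PDU and trap types from Tables 11.3 and 11.4 concrete, the following Python reader decodes one SNMPv1 datagram of the kind a monitor receives on port 161 or 162. It is an added example, not code from this book or from any SNMP package; it assumes the SNMPv1 message layout of RFC 1157 (version, community string, PDU), which this section does not describe, and both sample datagrams are constructed.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}    # BER tags of the five PDUs (RFC 1157)
GENERIC_TRAPS = ("coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific")

def tlvs(buf):
    """Split buf into (tag, value) BER elements, checking every length."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                  # long form: low 7 bits count the length octets
            n = length & 0x7F
            if not 1 <= n <= 4 or pos + n > len(buf):
                raise ValueError("bad long-form length")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("length runs past end of data")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(value):                     # OID content octets -> dotted form
    if not value or value[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    x = min(value[0] // 40, 2)             # first octet packs two levels as 40*X + Y
    subids = [x, value[0] - 40 * x, 0]     # trailing 0 is the accumulator
    for octet in value[1:]:                # later levels: base 128, high bit means "more"
        subids[-1] = (subids[-1] << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subids.append(0)
    return ".".join(map(str, subids[:-1]))

def parse_snmp_v1(datagram):
    """Return (pdu_name, oids, generic_trap_or_None) for one SNMPv1 datagram."""
    (tag, msg), = tlvs(datagram)
    _version, _community, (pdu_tag, pdu) = tlvs(msg)
    name, parts = PDU_TYPES.get(pdu_tag), tlvs(pdu)
    if tag != 0x30 or name is None or len(parts) < (6 if name == "Trap" else 4):
        raise ValueError("not a well-formed SNMPv1 message")
    if name == "Trap":    # fields: enterprise OID, agent address, generic-trap, ...
        code = int.from_bytes(parts[2][1], "big")
        return name, [decode_oid(parts[0][1])], GENERIC_TRAPS[code] if code < 7 else str(code)
    oids = [decode_oid(tlvs(vb)[0][1]) for _, vb in tlvs(parts[3][1])]  # parts[3]: varbind list
    return name, oids, None

# Constructed sample datagrams (not captured traffic)
GET = bytes.fromhex("302602010004067075626c6963a019020101020100020100300e300c06082b060102010101000500")
TRAP = bytes.fromhex("302702010004067075626c6963a41a06072b060104018f654004c000020102010402010043012a3000")
```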
MIBI and MIBII are standards defined by RFCs. MIBII is a superset of MIBI, and is the standard MIB for monitoring TCP/IP. It provides such information as the number of packets transmitted into and out of an interface, and the number of errors that occurred sending and receiving those packets: useful information for spotting usage trends and potential trouble spots. Every agent supports MIBI or MIBII.
Some systems also provide a private MIB in addition to the standard MIBII. Private MIBs add to the monitoring capability by providing system-specific information. Most UNIX systems do not provide private MIBs. Private MIBs are most common on network hardware like routers, hubs, and switches.
No matter what MIBs are provided by the agents, it is the monitoring software that displays the information for the system administrator. A private MIB won't do you any good unless your network monitoring software also supports that MIB. For this reason, most administrators prefer to purchase a monitor from the vendor that supplies the bulk of their network equipment. Another possibility is to select a monitor that includes a MIB compiler, which gives you the most flexibility. A MIB compiler reads in the ASN.1 description of a MIB and adds the MIB to the monitor. A MIB compiler makes the monitor extensible because if you can get the ASN.1 source from the network equipment vendor, you can add the vendor's private MIB to your monitor.
MIB compilers are only part of the advanced features offered by some monitors. Some of the features offered are:
- Network maps
Some monitors automatically draw a map of the network. Colors are used to indicate the state (up, down, etc.) of the devices on the network. At a glance, the network manager sees the overall state of the network.
- Tabular data displays
Data displayed in tables or rendered into charts is used to make comparisons between different devices. Some monitors output data that can then be read into a standard spreadsheet or graphing program.
- Filters
Filters sift the data coming in from the agents in order to detect certain conditions.
- Alarms
Alarms indicate when "thresholds" are exceeded or special events occur. For example, you may want an alarm to trigger when your server exceeds some specified number of transmit errors.
Don't be put off by the jargon. All of this detail is necessary to formally define a network management scheme that is independent of the managed systems, but you don't need to memorize it. You need to know that a MIB is a collection of management information, that an NMS is the network management station, and that an agent runs in each managed device in order to make intelligent decisions when selecting an SNMP monitor. This information provides that necessary background. The features available in network monitors vary widely; so does the price. Select an SNMP monitor that is suitable for the complexity of your network and the size of your budget.