What Is SNMP and How Does It Work?


SNMP stands for Simple Network Management Protocol. It is often not simple; it does not only apply to network devices and often cannot be used for management of devices, only monitoring. It is definitely a protocol, however. 


What Is SNMP?

SNMP is mainly used for the collection of data about devices, such as CPU load, memory usage, etc. SNMP is supported on practically all network equipment (switches, routers, load balancers, for example), but also on most server operating systems, some storage devices, and even some server application software.

If you have a non-trivial (i.e. greater than zero) amount of IT infrastructure whose availability matters – because it generates revenue or enables others to do their jobs – then you need a way to be sure your infrastructure is working, and working well. If you want to sleep, you need an alternative to staying up all night watching the command line tool top to see what the processes on your server are doing. Especially if you have 1,000 servers and 100 routers.

The standard way to solve this is to run a monitoring system, which queries the servers, routers, switches, and other devices at regular intervals, asks them how they are doing, and generates alerts (which you can receive via email, text, or voice call) if any of them report they are not doing well.

SNMP provides a standard message format that the monitoring system, routers, switches, servers, storage arrays, UPS devices, etc., can all speak – even though they will be running different operating systems. Of course, there are different versions of SNMP, and different security issues, and different types of information that the different devices can report.

For ensuring the performance, availability, and capacity of your infrastructure, enabling and using SNMP and a monitoring system to collect and alert on data is the way to go. This system can scale from monitoring one device to tens of thousands, sending alerts only when something is wrong.

How SNMP Agents and Network Management Stations Work

Discussions about SNMP often involve two concepts: SNMP agents, and Network Management Stations. To put it simply: a Network Management Station (NMS) asks questions; an SNMP agent answers them.

The SNMP agent is a software process that receives SNMP queries, retrieves the data being asked for, and replies back. Most routers, switches, firewalls, and other systems without a full operating system will have SNMP support built into their software. General purpose servers (Linux, Solaris, AIX, Windows, FreeBSD, etc.) may not have an SNMP agent installed by default, depending on the installation options chosen, but one can be added at any time. The most common SNMP agent for Linux and Unix based systems is the net-snmp agent, which runs as snmpd (the SNMP daemon). Installing, configuring, and running this agent adds SNMP support to any system it runs on.

A Network Management Station is harder to pin down. It could be anything from a single Linux machine with snmpwalk that is used to do ad hoc command line queries against devices, to a simple management system like WhatsUp Gold, to a complete, powerful system like LogicMonitor (where the collectors initiate the SNMP questions, but the storage, analysis, and alerting are centralized in a SaaS infrastructure). But as noted above: if a system initiates SNMP questions, it can be thought of as an NMS. (Note that a system can have both an SNMP agent and an NMS installed.)

SNMP agents and NMSs talk to each other over SNMP itself: a defined IP protocol, the standard message format mentioned earlier.

The Versions of SNMP

There are three commonly used versions of SNMP. Here is a breakdown of the key differences between each version. 

SNMP version 1: The oldest flavor. Easy to set up – it only requires (and only supports) a plaintext community string as security. The biggest downsides are that it does not support 64-bit counters, only 32-bit counters, and that the community string is all the security it has.

SNMP version 2c: In practical terms, v2c is identical to version 1, except it adds support for 64-bit counters. This matters, especially for interfaces: even a 1Gbps interface can wrap a 32-bit counter in 34 seconds. This means that a 32-bit counter being polled at one minute intervals is useless, as it cannot tell whether successive samples of 30 and 40 mean that only 10 octets were sent in that minute, or that 4294967306 (2^32 + 10) octets were sent in that minute. Most devices support SNMP v2c nowadays and generally enable it automatically. Some devices require you to explicitly enable v2c – in which case, you should always do so. There is no downside.
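The counter arithmetic behind the 34-second figure, as an added example (not code from the original post or from LogicMonitor): it computes the time a saturated link needs to wrap an octet counter of a given width, applies the single-wrap delta rule an NMS uses between two polls, and enumerates every octet count that two samples could represent once the poll interval is long enough for the counter to wrap. The link speeds and sample values are constructed; the 64-bit counters referred to are the high-capacity objects (ifHCInOctets/ifHCOutOctets) in IF-MIB.

```python
"""Counter wrap arithmetic for SNMP interface octet counters (added example)."""


def seconds_to_wrap(link_bits_per_second: float, counter_bits: int) -> float:
    """Shortest time a fully loaded link needs to wrap a counter_bits-wide octet counter."""
    max_octets = 2 ** counter_bits
    return max_octets * 8 / link_bits_per_second


def counter_delta(previous: int, current: int, counter_bits: int) -> int:
    """Octets sent between two polls, assuming the counter wrapped at most once.

    This is the rule an NMS applies to every pair of samples; it is only correct
    when the poll interval is shorter than seconds_to_wrap() for that link.
    """
    if current >= previous:
        return current - previous
    return (2 ** counter_bits - previous) + current   # counter wrapped once


def safe_poll_interval(link_bits_per_second: float, counter_bits: int,
                       poll_seconds: float) -> bool:
    """True if the counter cannot complete a full wrap between two polls."""
    return poll_seconds < seconds_to_wrap(link_bits_per_second, counter_bits)


def possible_octets(previous: int, current: int, counter_bits: int,
                    link_bits_per_second: float, poll_seconds: float) -> list:
    """Every octet count consistent with two samples taken poll_seconds apart.

    The link can move at most link_bits_per_second * poll_seconds / 8 octets in
    one interval, so each extra full wrap adds 2**counter_bits to the base delta
    until that ceiling is reached. More than one entry means the samples are
    ambiguous, which is the problem the text describes for 32-bit counters.
    """
    base = counter_delta(previous, current, counter_bits)
    max_octets = link_bits_per_second * poll_seconds / 8
    if max_octets < base:
        return []                                     # samples impossible at this speed
    max_wraps = int((max_octets - base) // 2 ** counter_bits)
    return [base + k * 2 ** counter_bits for k in range(max_wraps + 1)]


if __name__ == "__main__":
    # Constructed scenario: gigabit link, samples of 30 then 40, polled once a minute.
    for bits in (32, 64):
        print(f"{bits}-bit counter wraps after {seconds_to_wrap(1e9, bits):.1f} s on 1 Gbps;"
              f" 60 s polling safe: {safe_poll_interval(1e9, bits, 60)};"
              f" readings 30 -> 40 could mean {possible_octets(30, 40, bits, 1e9, 60)} octets")
```

Run stand-alone it prints the two cases from the text: with 32-bit counters the readings 30 and 40 one minute apart may mean 10 or 4294967306 octets, with 64-bit counters only 10.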

SNMP version 3: This version keeps the 64-bit counters of v2c and adds security. SNMP version 3 adds both encryption and authentication, which can be used together or separately. Setup is more complex than just defining a community string – but then, what security is not? But if you require security, this is the way to do it.

Which Version of SNMP Should You Use?

The only security measures for SNMP versions 1 and 2c are a community string sent in plaintext, and the ability to limit the IP addresses that can issue queries. This is effectively no security from someone with access to the network – such a person will be able to see the community string in plaintext, and spoofing a UDP packet’s source IP is trivial. However, if your device is set up to only allow SNMP read-only access, the risk is relatively small and confined to evil people with access to your network. If you have evil people with this access, people reading device statistics by SNMP is probably not what you need to be worrying about. So, if you can accept the weak security model of SNMP v2c, use that. If not, use v3 with encryption and authentication.
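What "a community string sent in plaintext" looks like on the wire, and how the NMS/agent exchange from the earlier section appears in the protocol, as an added example (not code from the original post or from LogicMonitor): a minimal BER tag/length/value reader that decodes only the SNMP message header. For v1 and v2c the community string is the second field of every message, readable by anyone who can see the packet, and the PDU tag that follows it tells you whether the message is a request (from the NMS) or a Response (from the agent). For v3 the header carries a version number and security parameters instead, and the PDU may be encrypted. A helper like this is useful for auditing captured traffic for devices still polled with v1/v2c. The four sample packets are constructed for this example; the v3 payload is a placeholder, not a real encrypted PDU.

```python
"""Decode the header of an SNMP message: version, PDU type, community (added example)."""

VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}

# PDU tags from RFC 3416; request PDUs originate at the NMS, Response at the agent.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "SNMPv2-Trap", 0xA8: "Report"}


def _read_tlv(buf: bytes, pos: int):
    """Read one BER element at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def classify_snmp_message(packet: bytes) -> dict:
    """Decode the header of one SNMP message (the UDP payload, normally port 161 or 162).

    Returns the version, the PDU type and the community string. For v3 the PDU
    lives inside the ScopedPDU, which may be encrypted, so pdu and community are None.
    """
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:                    # every SNMP message is an outer SEQUENCE
        raise ValueError("not an SNMP message: outer element is not a SEQUENCE")
    tag, value, pos = _read_tlv(body, 0)
    if tag != 0x02:                    # version is an INTEGER
        raise ValueError("not an SNMP message: version INTEGER missing")
    version = int.from_bytes(value, "big")
    result = {"version": VERSION_NAMES.get(version, f"unknown({version})"),
              "community": None, "pdu": None,
              "plaintext_credentials": version in (0, 1)}
    if version in (0, 1):              # v1 / v2c: community OCTET STRING, then the PDU
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("v1/v2c message without community string")
        result["community"] = value.decode("ascii", errors="replace")
        tag, _, _ = _read_tlv(body, pos)
        result["pdu"] = PDU_TYPES.get(tag, f"unknown(0x{tag:02x})")
    return result


# Constructed sample: NMS -> agent, SNMPv2c GetRequest for sysDescr.0, community "public".
V2C_GET = bytes.fromhex(
    "3026" "020101" "0406 7075626c6963"            # SEQUENCE, version 1 (= v2c), "public"
    "a019" "020101" "020100" "020100"              # GetRequest: request-id 1, no error
    "300e" "300c" "0608 2b06010201010100" "0500"   # varbind: 1.3.6.1.2.1.1.1.0 = NULL
)
# Constructed sample: agent -> NMS, the Response carrying sysDescr.0 = "Linux router".
V2C_RESPONSE = bytes.fromhex(
    "3032" "020101" "0406 7075626c6963"
    "a225" "020101" "020100" "020100"
    "301a" "3018" "0608 2b06010201010100" "040c 4c696e757820726f75746572"
)
# The same request as SNMPv1: only the version byte differs.
V1_GET = V2C_GET[:4] + b"\x00" + V2C_GET[5:]
# Constructed sample: SNMPv3 header with auth+priv flags; msgData is a placeholder, not real ciphertext.
V3_MSG = bytes.fromhex(
    "302a" "020103"                                          # SEQUENCE, version 3
    "300d" "020101" "020205dc" "040107" "020103"             # msgGlobalData: id, max size, flags, USM
    "0410" "300e" "0400" "020100" "020100" "0400" "0400" "0400"  # USM security parameters (empty)
    "0404 deadbeef"                                          # msgData: encrypted ScopedPDU placeholder
)

if __name__ == "__main__":
    for name, pkt in [("v2c GET", V2C_GET), ("v2c RESPONSE", V2C_RESPONSE),
                      ("v1 GET", V1_GET), ("v3", V3_MSG)]:
        print(f"{name:13s} {classify_snmp_message(pkt)}")
```

The `plaintext_credentials` flag is the field a traffic audit would alert on: any v1 or v2c message seen on the network carries its credential in the clear, whereas a v3 message exposes only the engine and user parameters, with authentication and optional encryption protecting the rest.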

Hopefully, you’ve gained an understanding of what SNMP is. SNMP is the most widely deployed management protocol; it is simple to understand (although not always to use) and enjoys ubiquitous support. While some systems have alternate management systems – most notably Windows, which uses WMI in preference – a good knowledge of SNMP will take you a long way in being equipped to monitor a variety of devices and servers.