TCP/IP Fundamentals for Microsoft Windows
This appendix describes the Simple Network Management Protocol (SNMP) and its support in the Microsoft® Windows Server™ 2003 and Windows® XP operating systems. SNMP is used in enterprise network environments to manage many types of network devices. A network administrator must understand SNMP to integrate computers running Windows Server 2003 or Windows XP into an SNMP-managed environment.
On This Page
SNMP is a network management protocol and infrastructure widely used on IP networks. It was originally developed in the Internet community to monitor and troubleshoot routers and bridges. SNMP allows network administrators to manage network devices such as workstation or server computers, routers, switches, and wireless access points.
SNMP can be used to:
Configure devices remotely You can use an SNMP to configure a device across the network from a central management computer.
Monitor network performance You can use an SNMP to systematically and periodically query devices for current performance statistics to monitor network throughput.
Detect network faults or inappropriate access A device can use SNMP to send a message when specific events occur. Common types of conditions to report to a management system include a device being shut down and restarted, a link failure being detected on a router, inappropriate access, and low disk space on a file server.
SNMP uses a distributed architecture consisting of the following components:
SNMP management systems
The SNMP management system, also known as a management station or a management console, is a computer running SNMP management software that sends information and update requests to devices running an SNMP agent.
The SNMP management system requests information from a device, such as the amount of hard disk space available or the number of active sessions. If the management system has been granted write access to a device, the management system can also change a device's configuration.
An SNMP agent is a device running software that collects information and responds to management system requests for information. The SNMP agent software can be configured to determine which statistics are tracked and which management systems are authorized to request information. Typically, agents do not originate messages, but only respond to them. The exception is when the agent is configured to report a specific event, such as a system restart or an inappropriate access.
Figure B-1 shows an example of SNMP being used on a network.
Figure B-1 An example of SNMP being used on a network See full-sized image
SNMP is defined in RFC 1157.
The Management Information Base
The information that an agent can collect and a management system can request from an agent is contained in a Management Information Base (MIB). A MIB is a set of manageable objects representing various types of information about a network device, such as the number of active sessions or the version of network operating system software that is running on a host. SNMP management systems and agents share a common understanding of MIB objects. For a given MIB, the agent maintains information about the objects in the MIB and the management system retrieves the information in the MIB from the agent.
The Hierarchical Name Tree
The name space for MIB objects is hierarchical. It is structured so that each manageable object can be assigned a globally unique name. When a management system requests a data object from an agent, it includes the globally unique name in the request. Authority for parts of the name space is assigned to individual organizations. This allows organizations to assign names to new objects without consulting an Internet authority for each assignment. For example, the name space assigned to the LAN Manager MIB II is 220.127.116.11.4.1.77. LAN Manager is an obsolete Microsoft operating system. Microsoft has also been assigned 18.104.22.168.4.1.311, and all new MIBs for Microsoft-specific technologies are created under that branch. Microsoft has the authority to assign names to objects anywhere below that portion of the name space.
Figure B-2 shows a portion of the SNMP hierarchical name tree.
Figure B-2 The SNMP hierarchical name tree See full-sized image
The object identifier in the hierarchy is written as a sequence of number labels beginning at the root and ending at the object. Labels are separated with periods. For example, the object identifier for MIB II is 22.214.171.124.2.1, corresponding to the object name iso.org.dod.internet.management.mibii. The object identifier for LAN Manager MIB II is 126.96.36.199.4.1.77, corresponding to the object name iso.org.dod.internet.private.enterprise.lanmanager.
The name space used to map object identifiers is separate from the hierarchical name space associated with Domain Name System (DNS) domain names.
SNMP uses the following messages:
Get-request Sent by an SNMP management system to request information about a single MIB object on an SNMP agent (for example, the number of packets forwarded).
Get-next-request An extended type of request message sent by an SNMP management system that can be used to browse an entire tree of management objects. When processing a Get-next-request request for a particular object, the agent returns the identity and value of the next object in the MIB, based on the previous request. The Get-next-request request is useful for dynamic tables, such as an IPv4 or IPv6 route table.
Getbulk-request Sent by an SNMP management system to request that the data transferred by the agent be as large as possible within the restraints of maximum message size. This message minimizes the number of message exchanges required to retrieve a large amount of management information.
Set-request Sent by an SNMP management system to assign an updated value for a MIB object the agent (provided write access is enabled on the SNMP agent). Management systems use Set-request messages to remotely configure SNMP agents.
Get-response Sent by the SNMP agent in response to a Get-request, Get-next-request, Getbulk-request, or Set-request message.
Trap An unsolicited message sent by an SNMP agent to an SNMP management system when the agent detects that a certain type of event has occurred. The SNMP management system that receives a trap message is known as a trap destination. For example, a trap message might be sent when a device is restarted.
The Get-request, Get-next-request, Getbulk-request, and Set-request messages are sent by a management system to an agent as a unicast UDP message sent to the IPv4 address of the agent and destination UDP port 161. An agent sends the Trap message to a management system as a unicast UDP message sent to the IPv4 address of the management system and destination UDP port 162.
Figure B-3 shows the exchange of messages between an SNMP management system and an SNMP agent.
Figure B-3 The exchange of messages between an SNMP management system and an SNMP agent See full-sized image
All SNMP messages are sent without data protection. To protect SNMP messages, use Internet Protocol security (IPsec) to protect traffic between SNMP management systems and agents. Both the management system and the agent must support IPsec. For more information about IPsec, see Chapter 13, "Internet Protocol Security (IPsec) and Packet Filtering."
Management systems and agents belong to an SNMP community, which is a collection of hosts grouped together for administrative purposes. The use of a community name provides context checking for agents that receive requests and initiate traps, and for management systems that initiate requests and receive traps. An agent will not accept a request from a management system outside its configured communities. A management system will not accept a trap from an agent outside its configured communities.
You use community names primarily as an element for organization, not security. SNMP messages are typically sent without IPsec protection. By capturing unprotected SNMP messages, a malicious user can determine the SNMP community name and send their own SNMP messages with the correct community name.
There is no relationship between community names and domain or workgroup names. Community names represent a named context for groups of the components of SNMP infrastructure.
Agents and management systems can be members of multiple communities at the same time, allowing for flexibility in configuring the administrative elements of your SNMP infrastructure.
Figure B-4 shows an example of two defined communities—IT and Admin.
Figure B-4 An example of SNMP communities See full-sized image
Only the agents and management systems that are members of the same community can communicate with each other. For example:
Agent1 can receive and send messages to Manager2 because they are both members of the Admin community.
Agent2, Agent3, and Agent4 can receive and send messages to Manager1 because they are all members of the IT community.
The default name for many SNMP agents is Public. The SNMP service for Windows Server 2003 does not have a configured SNMP community name. The SNMP service for Windows XP uses the default name of Public.
How SNMP Works
The following steps describe how SNMP works in a typical get operation:
An SNMP management system sends a request to an SNMP agent.
The request is a Get-request, Get-next-request, or Getbulk-request message with one or more data objects and a community name, and is sent to the SNMP agent's IPv4 address and destination UDP port 161. For example, the SNMP management system sends a Get-request message with the community name IT requesting the number of active sessions.
The SNMP agent receives the SNMP message.
The community name is verified. If the community name is invalid or the packet is malformed, it is silently discarded. If the community name is valid, the request is passed to the appropriate MIB component. The MIB component returns the requested information to the agent. For this example, the SNMP agent retrieves the number of active sessions from the MIB.
The SNMP agent sends a Get-response message to the SNMP management system with the requested information.
For this example, the SNMP agent sends a Get-response message with the community name IT that contains the number of active sessions.
Figure B-5 shows this process.
Figure B-5 An example of how SNMP works See full-sized image
Windows SNMP Service
The SNMP service in Windows Server 2003 and Windows XP is SNMP agent software that provides information to management systems running SNMP management software. The SNMP service:
Responds to requests for status information from multiple hosts.
Reports significant events (traps) to multiple hosts as they occur.
Uses host names and IPv4 addresses to identify the hosts to which it reports information and from which it receives requests.
The Windows SNMP service is a Windows Sockets application. It provides an internal infrastructure that allows third-party software and hardware developers to create their own MIBs for use with the Windows SNMP service and for the development of SNMP management system applications.
The SNMP service in Windows Server 2003 supports the following MIBs:
Internet MIB II
Internet MIB II is a superset of the previous standard, Internet MIB I. Internet MIB II defines objects essential for either fault or configuration analysis. Internet MIB II is defined in RFC 1212.
LAN Manager MIB II
LAN Manager MIB II defines objects for share, session, user, and logon information. Most LAN Manager MIB II objects have read-only access because typically SNMP messages are not protected.
The Dynamic Host Configuration Protocol (DHCP) MIB defines objects to monitor DHCP server activity. This MIB is automatically installed when the DHCP server service is installed. It contains objects for monitoring DHCP, such as the number of DHCPDiscover messages received and the number of addresses leased out to DHCP clients.
The Windows Internet Name Service (WINS) MIB defines objects to monitor WINS server activity. This MIB is automatically installed when the WINS Server service is installed. It contains objects for monitoring WINS, such as the number of resolution requests successfully processed, the number of resolution requests that failed, and the date and time of the last database replication.
The Internet Information Services (IIS) MIBs define objects to monitor File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) activity. These MIBs are automatically installed when IIS is installed. They contain objects for monitoring the FTP and Web services of IIS and include counters for total bytes sent and total files sent.
RADIUS Server MIBs
The Remote Authentication Dial-In User Service (RADIUS) Server MIBs define objects to monitor RADIUS server authentication and accounting activity. These MIBs are automatically installed when the Internet Authentication Service (IAS) is installed. They contain objects for monitoring the RADIUS server, such as the number of authentication requests successfully processed and the number of accounting requests.
The RADIUS Authentication Server MIB is defined in RFC 2619. The RADIUS Accounting Server MIB is defined in RFC 2621.
Installing and Configuring the SNMP Service
To install the SNMP service in Windows Server 2003 and Windows XP, do the following:
Click Start, click Control Panel, double-click Add Or Remove Programs, and then click Add/Remove Windows Components.
In Components, click Management And Monitoring Tools (but do not select or clear its check box), and then click Details.
Select the Simple Network Management Protocol check box, and click OK.
The SNMP service starts automatically after installation.
Unlike many services in Windows, the SNMP service does not have a corresponding snap-in. Instead, you configure the SNMP service through additional tabs on the properties of the SNMP service in the Services snap-in.
To configure the SNMP service, do the following:
Click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.
In the console tree, open Services And Applications, and then click Services.
In the details pane, right-click SNMP Service, and then click Properties.
You configure the SNMP service from the following tabs:
On the Agent tab, you can configure a contact person, the physical location of the computer, and enable and disable the types of information that you want the SNMP service to collect. By default the Applications, Internet, and End-to-end categories are enabled.
Figure B-6 shows the Agent tab.
Figure B-6 The Agent tab for the SNMP service
On the Traps tab, you configure the community name that is included in Trap messages and the trap destinations—a list of IPv4 addresses to which Trap messages are sent.
Figure B-7 shows the Traps tab.
Figure B-7 The Traps tab for the SNMP service
On the Security tab, you configure the following:
Whether the SNMP service will send a trap to all trap destinations if it receives a request that does not contain a recognized community name.
The list of accepted community names.
Whether to accept SNMP messages from any host, or from a list of hosts by IPv4 address or host name.
Figure B-8 shows the Security tab.
Figure B-8 The Security tab for the SNMP service
You can use the Evntcmd.exe tool at a command prompt to configure SNMP traps based on events recorded in system logs. You can also use Evntcmd.exe to specify where trap messages are sent within an SNMP community.