Three decades after its release, SNMP remains one of the most widely used protocols by IT departments for network management, and rightly so! Although it has some shortcomings, its flexibility and simplicity meant that it was soon adopted as a standard in the industry.
Many current monitoring tools use SNMP to analyze system performance or make remote configurations.
Its compatibility with devices from different manufacturers facilitates integration into heterogeneous network environments.
In this article we will explain in detail what SNMP is, how it works and why it is considered one of the most versatile protocols in enterprise network management.
SNMP definition
SNMP (Simple Network Management Protocol) is a protocol widely used in computer network management to monitor devices such as servers, routers, switches, firewalls, printers and Wi-Fi access points.
It was developed in the 1980s, when enterprise networks began to grow in both size and complexity, becoming more difficult to manage.
Thanks to its simplicity, it soon replaced its predecessor, the Simple Gateway Monitoring Protocol (SGMP).
The Internet Architecture Board (IAB) formalized the definition of SNMP in the document RFC 1157 describing its operation and implementation guidelines.
As an integral part of the TCP/IP protocol suite, SNMP enables communication over networks such as the Internet.
Another outstanding feature of this protocol is that it operates at layer 7 of the OSI model, which is the application layer.
This means that it interacts directly with the applications used by users or administrators.
IT teams often rely on the SNMP protocol to perform many routine network tasks such as:
- Network monitoring: Helps optimize hardware performance and allocate resources efficiently. SNMP monitoring is based on monitoring key metrics such as bandwidth, memory and CPU usage.
- Remote management: System administrators can update firmware, configure devices or reboot them remotely using this protocol.
- Troubleshooting: Setting up TRAPS or alerts allows you to quickly detect and respond to device failures, network congestion or potential security breaches.
- Inventory IT assets: SNMP collects detailed information about devices such as model, manufacturer, serial number or firmware version.
Creating inventories helps administrators to better plan the growth of the network infrastructure.
SNMP main components
SNMP follows a scheme similar to the client-server model.
Communications are established based on three main elements:
SNMP Manager
Also known as a network management station (NMS).
It acts as a client by sending requests to one or more agents to gather information about devices, modify their configuration or perform management tasks.
In addition to this polling function, the SNMP manager can also receive unsolicited notifications (TRAPS) about important events such as errors or changes in the status of connectors and terminals that could affect network operation.
SNMP Agents
These are programs packaged in most network devices such as computers, routers and printers.
They act as a server, handling read/write requests from the SNMP manager and generating TRAPS.
They can be standard (Net-SNMP) or vendor-specific.
Management Information Base (MIB)
It functions as a shared database for the agent and the SNMP manager.
MIBs collect information following a hierarchical tree structure, where each variable represents a specific piece of data or attribute of the managed device (object identifier or OID).
Default values are usually included, although SNMP also allows defining private MIBs from different vendors.
To know the status of a network element, the NMS sends a request to the SNMP agent.
The agent accesses the MIB stored on that device and processes the data to make it compatible with most MIB editors and management tools.
It then organizes them into objects, which can be of two types:
- Scalars: Represent single values, for example, the CPU usage rate of a server.
- Tabular: They represent a set of values organized in the form of a table, for example, the table of network interfaces in a router.
This logical structure of the MIBs greatly facilitates the monitoring and management of the devices.
SNMP protocols and ports
SNMP normally uses the User Datagram Protocol (UDP) for message transfer.
Unlike TCP, UDP is a connectionless protocol, which means that data is transferred without the need to establish a prior connection between devices.
In addition, it does not include delivery verification or error recovery mechanisms.
This feature allows SNMP to send and receive messages quickly and with minimal overhead.
Other protocols supported by SNMP include Ethernet, Transport Layer Security (TLS), Datagram Transport Layer Security (DTLS) and Transmission Control Protocol (TCP).
However, as mentioned above, most traffic moves through the UDP protocol.
In terms of ports, SNMP agents listen for and receive requests on port 161, while port 162 is reserved for sending unsolicited notifications such as TRAPS and REPORTS.
Need for SNMP monitoring tools
Today, managing enterprise networks without monitoring software is almost unthinkable due to their size and complexity.
SNMP monitoring tools help administrators better understand the network topology.
These tools access MIBs and collect metrics that are crucial to performance, such as CPU usage, bandwidth, memory status or device temperature.
With the information obtained, they generate detailed graphs and reports that help interpret the data.
This makes it possible to identify trends and anticipate problems that could affect network performance, such as abnormal traffic patterns or devices that are reaching their capacity limits.
This granular visibility provided by monitoring tools is key in network management as it allows for in-depth analysis of the status of each component, improving both the security and performance of devices monitored via SNMP. Finally, the monitoring software facilitates centralized management of the entire network infrastructure.
IT technicians can modify parameters and make remote configurations, significantly reducing the need for manual intervention and ensuring continuous and reliable network operation.
SNMP operation
SNMP operates at the application layer of the OSI model and follows a communication scheme based on the client-server model.
To implement the SNMP protocol and start monitoring the network with this system, follow these steps:
- Configure the Network Management System (NMS). This software application centralizes all network administration processes.
- Enable SNMP agents on the devices to be monitored. Most devices designed for enterprise environments come with an integrated SNMP agent, but for it to work it must be enabled and configured correctly.
This involves setting parameters such as the SNMP version, the SNMP community (which is a sort of password to access device information), and the addresses of the network management systems with which it must communicate.
Once the SNMP agents are enabled and configured, the NMS will automatically detect the devices on the network.
- The next step is to configure the MIB, i.e. to define the type of data that SNMP agents can collect.
- Initiate network monitoring by requesting specific information from SNMP agents based on MIBs, e.g., how many data packets have passed through the router or if there are errors on a network interface.
- Configure TRAPS or unsolicited notifications to be sent by agents if certain predefined conditions are met.
- The NMS will process the data in real time and create detailed reports of network activity.
Administrators should analyze these reports and make the necessary adjustments to optimize performance, e.g. change device configurations to avoid bottlenecks or replace faulty hardware.
SNMP messages: GET, SET and TRAPS requests
The NMS can monitor SNMP devices and receive snapshots of the information in two different ways:
- Polling: These are synchronous queries launched by the SNMP manager sending a command (GET, GET NEXT, SET) to a device at a remote location in order to obtain specific information or modify certain parameters.
The SNMP agent installed on that device will answer the request and send a response back with the requested data.
- Through TRAPS: These are asynchronous notifications, sent from a remote agent to the SNMP management station without prior request.
These alerts are triggered if a specific event occurs, such as a server failure or interface downtime.
TRAPS play a very important role in network monitoring, allowing proactive maintenance and rapid troubleshooting before a critical system failure occurs.
SNMP versions
Currently, there are three versions of SNMP: SNMPv1, SNMPv2 and SNMPv3.
They differ from each other in different aspects such as security level or data transfer efficiency.
SNMPv1
It is the first version of SNMP.
It was developed in 1988 and is defined in RFC 1028.
Before the advent of SNMP, network management relied on proprietary solutions created by the hardware manufacturers themselves, which made interoperability difficult.
SNMPv1 offered basic management capabilities and was relatively easy to implement, so it soon became a standard.
However, today this version is somewhat outdated as it has a basic level of security based on community strings (plain text passwords) and lacks encryption mechanisms.
This means that transferred data could be intercepted in the event of a cyber-attack.
For this reason, it is recommended to use SNMPv1 only in local area networks (LANs).
Another added difficulty is its 32-bit counter architecture, which is too small for modern networks that handle large volumes of data.
SNMPv2
The next version of SNMP appeared in 1993 and is defined in RFC 1901 and RFC 1441.
It introduced some performance improvements, for example, it supports a 64-bit counter architecture.
However, it also lacks encryption and uses a simple security scheme based on SNMPv1 community strings.
Within the SNMPv2 family, several subversions were developed, with SNMPv2c being the most widely used due to its simplicity and improved compatibility.
SNMPv3
It is the most recent version of SNMP.
It was released in 2002 and is defined in RFC 3410.
SNMPv3 is based on the features of SNMPv2c, but introduces some important improvements in the security area such as user authentication and data packet encryption.
It also facilitates remote configuration of SNMP entities.
Important new features in SNMPv3:
- Identification of SNMP entities using the snmpEngineID identifier. This is a key element for security as it allows checking the origin of the data and verifying that it comes from a trusted source.
- Support for the USM (User-based Security Model), which facilitates message authentication and also provides encryption options to prevent information from being intercepted. USM is one of the main reasons why SNMPv3 is considered more secure than previous versions.
- View-based access control (VACM) that allows defining specific permissions for different groups of users. This adds a layer of security to the remote management of SNMP entities, preventing unauthorized access to the network.
- Timeliness module that provides protection against delays or replay attacks.
Comparison of versions
The following table shows a comparison of the different versions of the SNMP protocol.
| Feature | SNMPv1 | SNMPv2 | SNMPv3 |
|---|---|---|---|
| Year of launch | 1988 | 1993 | 2002 |
| Security | Basic: Community strings (no encryption or authentication) | Similar to SNMPv1, with community strings (no encryption or authentication) | Advanced: User authentication, data encryption, and user-based access control |
| Management operations | GET, GETNEXT, SET, TRAP | GET, GETNEXT, SET, TRAP, GETBULK, INFORM | GET, GETNEXT, SET, TRAP, GETBULK, INFORM |
| Performance | Basic | Enhanced with GETBULK | Similar to SNMPv2, but with higher security overhead |
| Compatibility | Broad, but obsolete | SNMPv1 compatible (partially) | SNMPv1 and SNMPv2 compatible, but with security differences |
| Scalability | Limited | Improved | Improved |
| Typical use | Small and simple networks | Larger networks with greater need for efficiency | Critical networks where security is a priority |
| Authentication mechanism | None | None | HMAC-MD5, HMAC-SHA, with support for different levels of authentication |
| Encryption mechanism | None | None | DES, AES (encryption support for securing data transmission) |
Generally speaking, SNMPv3 is considered the most secure and recommended option for public networks or environments where security is important.
However, in private networks protected by a firewall, SNMPv2c would be the most suitable option since it has a higher performance as it does not demand so many processing resources.
In addition, its configuration is simpler compared to SNMPv3, which requires managing access levels and other security parameters.
SNMP commands
In SNMP, different commands are used to manage and monitor network devices.
Some, such as GET, GET NEXT and GET BULK, are queries sent from the SNMP management station requesting specific data from the MIB.
Other commands, such as SET, are used to make configuration changes, and finally there are alerts or notifications of important events such as TRAP and INFORM that are sent asynchronously from the SNMP agents.
Basic SNMP commands
- GET: It is a command used by the SNMP administrator to obtain specific information from a device, such as CPU usage, network traffic or interface status.
It has existed since the first version of the protocol.
- GET NEXT: Retrieves the next value in the MIB tree.
It is useful for navigating through tables or lists of objects.
For example, if a technician needs to create a list of all network components, he can use the GET NEXT command.
- GET BULK: Introduced in SNMPv2 version.
It allows retrieving large amounts of data with a single request.
For example, an SNMP administrator could use GET BULK to retrieve all entries in a routing table.
- SET: Allows you to remotely modify the configuration of a device or assign new values to it, e.g. reboot an interface or change the name of a host.
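As an added illustration (not code from the original article), the toy agent below shows how GET NEXT walks a table in OID order and how GET BULK cuts the number of round trips for the same data. The device data is constructed, the class and function names are hypothetical, and GET BULK is modeled with max-repetitions only.

```python
# Added example: how GET NEXT and GET BULK move through a MIB (toy agent, constructed data).
from bisect import bisect_right


def parse_oid(text):
    """'1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0)"""
    return tuple(int(part) for part in text.strip(".").split("."))


def format_oid(oid):
    return ".".join(str(part) for part in oid)


class ToyAgent:
    """In-memory stand-in for an SNMP agent; counts the requests it serves."""

    def __init__(self, objects):
        self.objects = {parse_oid(oid): value for oid, value in objects.items()}
        # Tuples compare sub-identifier by sub-identifier, which is the OID order
        # GET NEXT relies on: interface 10 sorts after 2, unlike a string sort.
        self.order = sorted(self.objects)
        self.requests = 0

    def _after(self, oid, limit):
        start = bisect_right(self.order, parse_oid(oid))
        return [(format_oid(o), self.objects[o]) for o in self.order[start:start + limit]]

    def get_next(self, oid):
        """Return (oid, value) of the first object after oid, or None at the end."""
        self.requests += 1
        found = self._after(oid, 1)
        return found[0] if found else None

    def get_bulk(self, oid, max_repetitions):
        """Return up to max_repetitions successors of oid in one request."""
        self.requests += 1
        return self._after(oid, max_repetitions)


def in_subtree(oid, root):
    oid, root = parse_oid(oid), parse_oid(root)
    return oid[:len(root)] == root


def walk(agent, root):
    """snmpwalk-style traversal: repeat GET NEXT until the reply leaves the subtree."""
    rows, current = [], root
    while True:
        reply = agent.get_next(current)
        if reply is None or not in_subtree(reply[0], root):
            return rows
        rows.append(reply)
        current = reply[0]


def bulk_walk(agent, root, max_repetitions=10):
    """Same traversal with GET BULK: one request returns many rows."""
    rows, current = [], root
    while True:
        batch = agent.get_bulk(current, max_repetitions)
        for oid, value in batch:
            if not in_subtree(oid, root):
                return rows
            rows.append((oid, value))
        if len(batch) < max_repetitions:    # ran off the end of the MIB
            return rows
        current = batch[-1][0]


SAMPLE_MIB = {                                  # constructed values
    "1.3.6.1.2.1.1.1.0": "Constructed router",  # sysDescr.0
    "1.3.6.1.2.1.1.5.0": "edge-rtr-01",         # sysName.0
    "1.3.6.1.2.1.2.2.1.2.1": "eth0",            # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth1",            # ifDescr.2
    "1.3.6.1.2.1.2.2.1.2.10": "vlan10",         # ifDescr.10
    "1.3.6.1.2.1.2.2.1.8.1": 1,                 # ifOperStatus.1 (up)
    "1.3.6.1.2.1.2.2.1.8.2": 2,                 # ifOperStatus.2 (down)
    "1.3.6.1.2.1.2.2.1.8.10": 1,                # ifOperStatus.10 (up)
}

if __name__ == "__main__":
    agent = ToyAgent(SAMPLE_MIB)
    print(walk(agent, "1.3.6.1.2.1.2.2.1.2"), agent.requests)
```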
Notification commands
- TRAPS: These are asynchronous notifications automatically sent by the SNMP agent to the NMS when an important event occurs.
Some TRAPS (Cold Start, Warm Start, Link Down, Authentication Failure) are generic and predefined by the IETF, but specific TRAPS can also be configured, for example, to alert about temperature increase in a server.
It is important to periodically update the MIB files and create filtering rules to avoid irrelevant notifications.
On the other hand, we must not forget that the information obtained from TRAPS monitoring is relevant in audits and it is recommended to keep a complete log of all network events to identify patterns and trends that repeat over time.
- INFORM: This is a command that was introduced with SNMPv2 to allow the SNMP manager to send an acknowledgement upon receipt of TRAPS from an agent.
This option is configured in the MIB of the monitored device.
Some agents are configured to continue sending TRAPS until a REPORT is received.
SNMP security
The IETF designated SNMPv3 as a standard, recommending its use for WANs that have higher security requirements.
It allows up to three different levels to be configured:
- NoAuthNoPriv: Represents the lowest security level as no authentication is required and messages are not encrypted.
It should only be used in closed and secure networks.
- AuthNoPriv: Requires authentication, so only authorized users can send and receive messages.
However, these are not encrypted and could be intercepted during transmission, but not altered or forged.
- AuthPriv: Provides authentication and encryption.
Offers the highest level of protection in SNMPv3.
As with any network management protocol, in SNMP, security is also a major issue.
Administrators can make their networks more secure by implementing some basic measures such as changing the default community strings in SNMPv1 and SNMPv2 to prevent unauthorized access, configuring the firewall to only allow traffic from trusted IP addresses, and enabling authentication and encryption options if working with SNMPv3.
In addition, it is important to use SNMP monitoring tools to detect any suspicious activity on the network.
SNMP configuration
Almost all network devices come with a pre-installed SNMP agent that communicates with the NMS.
However, in order for it to work properly and start collecting and sending data we need to activate and configure it.
On servers and devices with Windows, Linux and macOS operating systems this configuration can be complex, as it is necessary to set user permissions, specify IP addresses and install additional components.
Here is a small example guide.
SNMP installation and configuration on Windows systems
- On Windows Server and other versions of the operating system SNMP is not enabled by default.
You must go to: Control Panel > Programs and Features > Enable or disable Windows features.
- Find and check the “Simple Network Management Protocol (SNMP)” option.
Click “OK” and wait for the installation to finish.
- Restart the server for the changes to take effect.
- Next, go to “Services” (you can search for the ‘services.msc’ function in the Start Menu search bar).
Locate the SNMP service and right-click on “Properties”.
- Configure the SNMP service and make the necessary settings.
For example, you can add community strings and define read or write permissions from the “Security” tab.
You can also configure TRAPS so that automatic alerts are sent if certain events occur.
- Click “Apply” to save the changes and start the SNMP service.
To verify that it is working properly use the ‘snmpwalk’ command.
SNMP installation and configuration on Linux systems
Debian-based distributions (e.g. Ubuntu)
- Update the package repository: sudo apt-get update.
- Install the SNMP daemon (‘snmpd‘): sudo apt-get install snmpd.
- Configure the SNMP daemon.
The main configuration file is: /etc/snmp/snmpd.conf.
We open it with a text editor and change the desired parameters; for example, we can edit the community string directive rocommunity public, replacing “public” with the desired access control (IP addresses that can access the SNMP service).
We can also add the location and contact.
- Restart the SNMP daemon after applying the changes: sudo systemctl restart snmpd.
Red Hat-based distributions (e.g., CentOS)
- Update the package repository: sudo yum update.
- Install the SNMP daemon (‘net-snmp-utils‘): sudo yum install net-snmp-utils.
- Configure the SNMP daemon from the configuration file: /etc/snmp/snmpd.conf
- Restart the SNMP daemon after applying the changes: sudo systemctl restart snmpd
To verify that SNMP is working correctly, we can use the ‘snmpwalk‘ command.
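A Net-SNMP agent takes its access settings from snmpd.conf, so the file can be checked against the measures listed in the SNMP security section before the daemon is restarted. The script below is an added example, not part of the original article or of Net-SNMP; the sample files, check names, community "n0c-ro-7f3a" and placeholder passphrases are constructed, and it covers only the rocommunity/rwcommunity, com2sec, rouser/rwuser and createUser directives.

```python
# Added example: audit Net-SNMP snmpd.conf text for weak access settings.
CHECKS = {
    "default-community": "default community string still in use",
    "any-source": "community accepted from any source address",
    "rw-community": "write access guarded only by a cleartext community string",
    "v3-noauth": "SNMPv3 user allowed at NoAuthNoPriv",
    "v3-no-privacy": "SNMPv3 user created without a privacy (encryption) protocol",
}
DEFAULT_COMMUNITIES = {"public", "private"}     # assumption: defaults worth flagging
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}


def community_findings(community, source):
    found = []
    if community in DEFAULT_COMMUNITIES:
        found.append("default-community")
    if source in ANY_SOURCE:
        found.append("any-source")
    return found


def audit_snmpd_conf(text):
    """Return a list of (line_number, check_id) for risky directives."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # simplification: '#' always starts a comment
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        hits = []
        if directive in ("rocommunity", "rwcommunity",
                         "rocommunity6", "rwcommunity6") and args:
            # rocommunity COMMUNITY [SOURCE [OID]]; no SOURCE means any address
            source = args[1] if len(args) > 1 else "default"
            hits += community_findings(args[0], source)
            if directive.startswith("rw"):
                hits.append("rw-community")
        elif directive == "com2sec":
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) >= 3:
                hits += community_findings(args[2], args[1])
        elif directive in ("rouser", "rwuser"):
            # rouser USER [noauth|auth|priv ...]
            if len(args) > 1 and args[1].lower() == "noauth":
                hits.append("v3-noauth")
        elif directive == "createuser":
            # createUser [-e ENGINEID] USER AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]
            if args[:1] == ["-e"]:
                args = args[2:]
            if len(args) < 4:
                hits.append("v3-no-privacy")
        findings += [(lineno, hit) for hit in hits]
    return findings


WEAK_CONF = """\
# constructed sample, not taken from a real device
rocommunity public
rwcommunity private 10.0.0.0/8
com2sec mynetwork default public
createUser monitor SHA auth-pass-placeholder
rouser monitor noauth
"""

HARDENED_CONF = """\
# constructed sample: own community string limited to the NMS address, SNMPv3 at AuthPriv
rocommunity n0c-ro-7f3a 192.0.2.10
createUser monitor SHA auth-pass-placeholder AES priv-pass-placeholder
rouser monitor priv
"""

if __name__ == "__main__":
    for lineno, check in audit_snmpd_conf(WEAK_CONF):
        print(f"line {lineno}: {CHECKS[check]}")
```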
SNMP installation and configuration on macOS systems
Current versions of macOS include SNMP by default.
- Open a new terminal window.
- Create a backup copy of the default SNMP configuration file.
You will find it in: /usr/local/etc/snmp/snmpd.conf
- Configure the community, location, contact.
In the row com2sec mynetwork public replace with the network address and subnet mask.
Also replace the community string “public” with the authorized IP addresses.
- Save the new configuration file and exit the editor.
- Enable the SNMP daemon by starting a LaunchDaemon: sudo launchctl load -w /System/Library/LaunchDaemons/org.net-snmp.snmpd.plist
- Check the new configuration with the ‘snmpwalk‘ command.
Use of a MIB browser
Once the SNMP agent has been configured, the next step to start monitoring the network in real time is to install a MIB browser.
As already mentioned, MIBs are hierarchical databases that contain information about device performance (CPU usage, memory, network traffic, etc.).
SNMP agents access these MIBs to query specific data and send it to the network management station (NMS).
The problem is that this data is often complex in structure and difficult for network administrators to interpret.
The OIDs, which are the object identifiers included in the MIB files, are usually represented by a sequence of numbers separated by dots and are unintuitive to humans.
This is where the MIB browser comes into play.
This tool transforms the alphanumeric sequences of OIDs into descriptive names and allows you to view the hierarchy of MIB variables in a simpler and more visual way.
In addition, it facilitates other network administration tasks such as adding definitions and specifying additional variables.
In the following section we will continue explaining the usefulness of this and other Pandora FMS tools for SNMP monitoring.
Pandora FMS tools for SNMP
Pandora FMS monitors the IT infrastructure using network modules.
These modules are in charge of executing the polls over the selected network protocol, in this case SNMP.
To optimize workflows, network administrators can use a series of tools included in the Pandora FMS suite, such as wizards for the massive creation of modules, integrated MIB browsers and advanced options to automate some routine tasks.
SNMP Wizards
They allow the mass creation of SNMP modules.
Two wizards are available:
- SNMP Wizard: Creates modules to monitor device performance parameters such as memory status, CPU usage, etc.
This wizard uses a plugin called snmp_remote.pl to perform the queries.
To activate it, it is necessary to first define the IP address of the device, the SNMP community and other parameters.
Then we launch the ‘snmpwalk’ command to check the configuration, and it is possible to start creating the necessary monitoring modules.
- SNMP Interfaces Wizard: We will use it to massively extract information from the ports of a network device.
Both wizards can create SNMP modules and perform queries with static OID for monitoring data that does not change frequently or modules for queries with dynamic OID for data that is constantly changing (disk space, running processes or memory usage in percent).
SNMP Console
It is the Pandora FMS TRAPS reception console.
To activate it and start receiving notifications we have to look for the snmpconsole parameter in the pandora_server.conf file and enable it.
The TRAPS are stored in the file /var/log/pandora/pandora_snmptrap.log.
SNMP Console provides a graphical interface where the administrators can consult the status of a notification (if it has been validated or not), the OID of the agent that sent it and the elapsed time since the alert was generated.
Each TRAP has a different background color indicating the priority level of the alert. From this screen we can validate the TRAPS or delete them.
We can also configure specific alerts using filtering rules or upload new MIBs from the Operation>Monitoring>SNMP>MIB Upload navigation menu. If you use SNMPv3 you have to previously validate the sending and receiving of TRAPS using the “createUser” directive and specify the user name and Engine ID of the SNMP entity sending the TRAPS.
SNMP Browser
It is the Pandora FMS MIB Browser.
We can access this tool from the Monitoring>SNMP>SNMP Browser menu. We only need to know the IP, the community and the OID identifier of the device to start getting information.
It also allows selecting several OIDs and adding them to a single SNMP agent to get a more centralized view of the data.
Pandora FMS MIB Manager
It allows the manual loading of polling MIBs while TRAPS MIBs are managed from SNMP Console, as we saw in the previous section.
You can check all the information about Pandora FMS tools for SNMP monitoring by visiting this link.
SNMP limitations and challenges
Although SNMP is considered a standard in network administration, it also has a number of limitations that should not be overlooked.
Scalability
It is rare for modern applications to use SNMP, as most have their own monitoring interfaces such as REST APIs, web services APIs and JMX, among others.
On the other hand, virtualization technologies and cloud computing require more dynamic monitoring than SNMP traditionally offers.
This protocol was created at a time when network infrastructures were much simpler, so it is not well suited to today’s demands.
Cloud architectures demand high scalability and the ability to manage large volumes of data in real time.
Although SNMPv2 introduced the GET BULK command to retrieve large amounts of data in a single request, there is still a limit to the amount of information that can be transmitted in a single message.
In addition, SNMP focuses on standard metrics such as network traffic or CPU usage.
While it can monitor some metrics for Cloud and virtualized environments, it is not the ideal protocol for these types of networks.
Communication overload
This is one of the most important limitations of SNMP.
The polling-based model can increase network traffic and consume too many resources.
In large networks with many connected devices, the system could be overloaded, affecting overall performance.
On the other hand, implementing a high level of security (as with SNMPv3 authentication and encryption) can further increase the processing load and delay responses.
To overcome this problem, some monitoring tools allow multiple polling systems to be configured so that a slow device does not interfere with the data collection rate.
Implementation-specific extensions
This refers to the use of private MIBs.
MIBs can be general (defined in RFC 3418) or private, i.e. developed by manufacturers.
The latter may be incompatible with each other, so monitoring tools must be prepared to interpret and use the information provided by these MIBs.
Conclusion
To this day, SNMP remains an essential protocol for network monitoring thanks to its broad support for almost all network devices.
Unlike APIs and other more modern protocols that require additional libraries to operate, SNMP requires fewer resources.
For this reason it is the ideal choice for monitoring traditional network infrastructures where stability is a priority, while virtualization or cloud computing environments require more dynamic protocols.
SNMP will probably evolve in the future into a complementary role working alongside other protocols that offer more advanced real-time monitoring and data analysis capabilities, such as telemetry-based systems or RESTful APIs.
These protocols tend to be more efficient and scalable, making them suitable for large and complex networks.
In this context, monitoring tools will be essential to ensure interoperability and manage hybrid environments where SNMP is integrated with other protocols and APIs.
In addition, the implementation of new technologies such as AI or Machine Learning in these tools will help to make networks more secure every day, regardless of whether they use SNMP or another protocol.
Frequently Asked Questions (FAQs)
What is SNMP?
SNMP (Simple Network Management Protocol) is a standard protocol for exchanging information between network devices.
It operates at layer 7 or application layer of the OSI model and is part of the TCP/IP protocol suite.
What are SNMP agents?
These are software modules installed on managed devices (servers, routers, switches).
Their function is to collect information on the performance of each of the network components and transfer it to the NMS.
What are SNMP MIBs?
They are databases shared between agents and SNMP managers where network device information is stored.
MIBs have a hierarchical tree structure where each element (called object identifier or OID) represents a specific attribute of the managed device.
Does SNMP provide security?
SNMPv1 and SNMPv2 have limited string-based security, while SNMPv3 offers a higher level of protection including encryption and authentication mechanisms.
The latter version is considered the most suitable for public networks or enterprise environments where security is a priority.
What is the purpose of SNMP traps?
The main purpose of TRAPS is proactive network monitoring, i.e., to identify potential problems in network devices and send alerts to administrators to address them before they become critical failures.
In addition, SNMP TRAPS is also useful for auditing purposes as the recorded data can be analyzed to improve decision making and to check if the company’s security policies are being complied with.