SNMP Deep Dive: SNMPv3, MIB, OID, Trap, Polling, SNMP Security and SNMP Monitoring Best Practices
SNMP (Simple Network Management Protocol) is the standard protocol for network monitoring. SNMPv3 adds security through authentication and encryption; the MIB (Management Information Base) defines the structure of the available data; an OID (Object Identifier) names each individual data point; a Trap is a push-style event notification; Polling is pull-style querying; SNMP Security covers defending the protocol against attack; and Best Practices cover using it efficiently.
SNMP is the most widely used protocol for network monitoring: by the usual estimate, 95%+ of network devices support it. Newer alternatives exist (gNMI, NETCONF), but SNMP remains the de facto standard because of that universal support. It has two main problems. First, SNMPv1 and SNMPv2c send the community string in plaintext, so anyone who can capture management traffic can read it and reuse it; SNMPv3 must therefore always be used in production. Second, polling every 5 minutes averages away micro-bursts, so pair SNMP with streaming telemetry where you need sub-minute visibility.
SNMP Versions
| Version | Security | Features | Recommendation |
|---|---|---|---|
| SNMPv1 | Community string sent in plaintext; no integrity check, no encryption | Basic GET, GETNEXT, SET, TRAP; 32-bit counters only | Do not use: insecure and deprecated |
| SNMPv2c | Same plaintext community string as v1 | Adds GETBULK, INFORM and 64-bit counters | Read-only access on an isolated management VLAN at most; never configure a write (SET) community |
| SNMPv3 | USM: per-user authentication (HMAC-MD5/SHA-1 per RFC 3414, HMAC-SHA-2 per RFC 7860) and privacy (DES, AES-128), plus VACM view-based access control | All v2c operations plus the security model | Required for production; always use authPriv |
SNMP Operations
| Operation | Direction | Function |
|---|---|---|
| GET | Manager → Agent | Request the value of a specific OID instance, e.g. the speed of GigE0/1 |
| GETNEXT | Manager → Agent | Return the next OID instance in lexicographic MIB order; used to walk a table or subtree without knowing its indexes in advance |
| GETBULK (v2c+) | Manager → Agent | Return many consecutive instances in one request; far fewer round trips than a chain of GETNEXTs |
| SET | Manager → Agent | Change a value on the device, e.g. shut an interface or change the hostname (requires write access, so restrict it tightly) |
| TRAP | Agent → Manager | Unsolicited notification sent when an event occurs (link down, CPU high); fire-and-forget over UDP |
| INFORM (v2c+) | Agent → Manager | Like TRAP but acknowledged by the receiver; the sender retransmits if no ACK arrives |
| RESPONSE | Agent → Manager (and Manager → Agent as the ACK to an INFORM) | Reply to GET/GETNEXT/GETBULK/SET carrying the requested data or an error-status and error-index |
MIB & OID Structure
| Concept | Detail |
|---|---|
| MIB | Hierarchical definition of what data a device exposes; distributed as text modules (.mib files) written in SMI that describe each object, its type and its OID |
| OID | Dotted number identifying one object or instance: 1.3.6.1.2.1.1.1.0 = sysDescr.0 (device description; the trailing .0 is the instance of a scalar) |
| Standard MIBs | RFC-defined: IF-MIB (interfaces), HOST-RESOURCES-MIB (CPU/memory/storage), ENTITY-MIB (hardware inventory) |
| Enterprise MIBs | Vendor-specific: Cisco, Juniper, Arista and others publish proprietary MIBs under their own enterprise arc (1.3.6.1.4.1.&lt;enterprise&gt;) for device-specific features |
| MIB Tree | iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1) = 1.3.6.1.2.1, the root of the standard MIB-2 tree |
| Common OIDs | sysUpTime.0 (.1.3.6.1.2.1.1.3.0), ifInOctets (.1.3.6.1.2.1.2.2.1.10.&lt;ifIndex&gt;), ifOperStatus (.1.3.6.1.2.1.2.2.1.8.&lt;ifIndex&gt;); table columns are indexed by ifIndex, which is not necessarily contiguous |
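To make the operations and the MIB tree concrete, here is an added example (not code from the original article) that models an agent's MIB as an in-memory dictionary and implements GET, GETNEXT, GETBULK and a walk over it. The OIDs are the real SNMPv2-MIB and IF-MIB ones; the values, the interface names and the sparse ifIndex set (1, 2, 10) are constructed sample data, not from any real device. It shows why a walk must follow lexicographic OID order (arcs compared as integers, so ...1.1.2 precedes ...1.1.10), how the walk knows when it has left the subtree, and how many round trips GETBULK saves.

```python
# Added example (not code from the original article): in-memory model of an agent's MIB
# tree, used to show how GET / GETNEXT / GETBULK behave and why a walk must follow
# lexicographic OID order. OIDs are the real IF-MIB / SNMPv2-MIB ones; values and
# interface indexes are constructed sample data.

def oid_tuple(oid: str) -> tuple:
    return tuple(int(a) for a in oid.lstrip(".").split("."))

# Constructed agent view: system group, ifNumber and an ifTable whose index set is
# sparse (1, 2, 10), as on a real router where ifIndex values are not contiguous.
AGENT_MIB = {
    "1.3.6.1.2.1.1.1.0": "Sample router (constructed)",   # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 4215300,                          # sysUpTime.0, TimeTicks
    "1.3.6.1.2.1.2.1.0": 3,                                # ifNumber.0
    "1.3.6.1.2.1.2.2.1.1.1": 1, "1.3.6.1.2.1.2.2.1.1.2": 2, "1.3.6.1.2.1.2.2.1.1.10": 10,                 # ifIndex
    "1.3.6.1.2.1.2.2.1.2.1": "Gi0/0", "1.3.6.1.2.1.2.2.1.2.2": "Gi0/1", "1.3.6.1.2.1.2.2.1.2.10": "Lo0",  # ifDescr
    "1.3.6.1.2.1.2.2.1.8.1": 1, "1.3.6.1.2.1.2.2.1.8.2": 2, "1.3.6.1.2.1.2.2.1.8.10": 1,                  # ifOperStatus up(1)/down(2)
    "1.3.6.1.2.1.2.2.1.10.1": 9000000, "1.3.6.1.2.1.2.2.1.10.2": 500, "1.3.6.1.2.1.2.2.1.10.10": 0,       # ifInOctets
}
# The agent orders instances by OID arcs compared as integers: ...1.1.2 comes before ...1.1.10.
# Sorting the dotted strings instead would put "10" before "2" and break the walk.
SORTED = sorted(AGENT_MIB, key=oid_tuple)

def get(oid: str):
    """GET: the exact instance, or None (a real agent answers noSuchInstance)."""
    return AGENT_MIB.get(oid)

def get_next(oid: str):
    """GETNEXT: first instance strictly after the request OID, or None (endOfMibView)."""
    t = oid_tuple(oid)
    for o in SORTED:
        if oid_tuple(o) > t:
            return o, AGENT_MIB[o]
    return None

def get_bulk(oid: str, max_repetitions: int):
    """GETBULK with non-repeaters=0: up to max_repetitions consecutive GETNEXT answers in one reply."""
    out, cur = [], oid
    while len(out) < max_repetitions:
        nxt = get_next(cur)
        if nxt is None:
            break
        out.append(nxt)
        cur = nxt[0]
    return out

def walk(subtree: str, max_repetitions: int = 1):
    """snmpwalk / snmpbulkwalk semantics: keep asking for what follows the last OID received
    until the reply leaves the subtree or the agent reports endOfMibView.
    Returns (results, number_of_requests_sent); max_repetitions=1 behaves like plain GETNEXT."""
    prefix = oid_tuple(subtree)
    results, cur, requests = [], subtree, 0
    while True:
        batch = get_bulk(cur, max_repetitions)
        requests += 1
        if not batch:
            return results, requests             # endOfMibView
        for o, v in batch:
            if oid_tuple(o)[: len(prefix)] != prefix:
                return results, requests         # walked out of the subtree: stop
            results.append((o, v))
        cur = batch[-1][0]

def down_interfaces():
    """Join ifDescr with ifOperStatus by instance suffix, as an NMS does when it alerts on a down link."""
    names = dict(walk("1.3.6.1.2.1.2.2.1.2")[0])
    return [names["1.3.6.1.2.1.2.2.1.2." + o.rsplit(".", 1)[1]]
            for o, status in walk("1.3.6.1.2.1.2.2.1.8")[0] if status == 2]

if __name__ == "__main__":
    print(get("1.3.6.1.2.1.1.1.0"))
    print(get_next("1.3.6.1.2.1.2.2.1.2"))            # first ifDescr instance
    rows, n = walk("1.3.6.1.2.1.2.2")                 # whole ifTable with GETNEXT
    rows_b, n_b = walk("1.3.6.1.2.1.2.2", 25)         # same table with GETBULK
    print(f"{len(rows)} cells via {n} GETNEXT requests, {len(rows_b)} via {n_b} GETBULK requests")
    print("down:", down_interfaces())
```

On this constructed table the GETNEXT walk needs 13 requests for 12 cells (the last request is the one that discovers the end of the table), while GETBULK with max-repetitions 25 needs 2. Note that GETBULK overshoots by design: the reply may contain instances beyond the subtree you asked for, and the manager is responsible for discarding them, so a walk of a single column still needs the prefix check.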
SNMPv3 Security
| Security Level | Authentication | Encryption | Use |
|---|---|---|---|
| noAuthNoPriv | Username only; no integrity check | None | Never use: roughly equivalent to v1/v2c community access, with the username in the clear |
| authNoPriv | HMAC-MD5-96 or HMAC-SHA-96 (RFC 3414), HMAC-SHA-2 (RFC 7860); the password is never sent, only a keyed MAC over the message | None | Minimal: the peer is authenticated and messages cannot be forged or replayed, but every OID and value is visible on the wire; trusted networks only |
| authPriv | HMAC-SHA-2 (SHA-256 recommended; MD5 and SHA-1 are legacy) | AES-128 (RFC 3826). DES is deprecated. AES-192/256 are vendor extensions with no IETF standard, so check that both ends agree before relying on them | Required: always use this level in production |
Two caveats a practitioner should know. First, the USM key is derived from the password by hashing it out to 1 MiB and then binding it to the agent's snmpEngineID; that stretch is the only brute-force slowdown, so a captured authenticated message can be attacked offline and short passwords are still weak. Use long passphrases and different auth and priv passwords. Second, the username and engineID travel unencrypted in the message header even at authPriv, so an eavesdropper learns who is polling which device.
SNMP Trap Configuration
| Trap Type | OID/Event | Importance |
|---|---|---|
| linkDown | Interface goes down (SNMPv2-MIB, 1.3.6.1.6.3.1.1.5.3); carries ifIndex, ifAdminStatus and ifOperStatus of the affected interface | Critical: detect interface failures immediately |
| linkUp | Interface comes up (1.3.6.1.6.3.1.1.5.4) | Informational: track recovery events and flapping |
| authenticationFailure | SNMP request rejected (wrong community or v3 user/key) (1.3.6.1.6.3.1.1.5.5) | Security: detect scanning and unauthorized access attempts; it is usually a separate toggle on the agent, so verify it is actually enabled |
| coldStart/warmStart | Device reboot (1.3.6.1.6.3.1.1.5.1 / 1.3.6.1.6.3.1.1.5.2) | Critical: unexpected reboots indicate hardware or software problems, and they also reset all counters |
| bgpEstablished/bgpBackwardTransition | BGP session state change (BGP4-MIB) | Critical for ISPs: BGP flaps affect routing |
| cpuRising/memoryRising | CPU or memory exceeds a threshold; vendor enterprise traps, names vary by platform | Warning: proactive capacity management |
| configChange | Configuration was modified; vendor enterprise trap | Audit: track who changed what and when, and correlate with your change-management records |
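The two security claims in the tables above, that a v1/v2c community string is readable by anyone on the path and that a v2c trap is just a PDU with sysUpTime.0 and snmpTrapOID.0 as its first varbinds, can both be seen in the bytes. The following is an added example (not code from the original article): a minimal BER encoder/decoder for SNMPv1/v2c messages (RFC 3416 framing) in pure Python that builds a GetRequest for sysDescr.0 and a linkDown trap, then parses both back without any key. The community name "public", the request-ids and the ifIndex are constructed values; the OIDs are the standard ones.

```python
# Added example (not code from the original article): a minimal BER encoder/decoder for
# SNMPv1/v2c messages (RFC 3416 framing). Builds a v2c GetRequest for sysDescr.0 and a
# v2c linkDown trap, then parses both. The community string is an OCTET STRING in the
# clear, so anyone on the path can read or forge these messages. Community name,
# request-ids and ifIndex are constructed values.

SYS_DESCR_0     = "1.3.6.1.2.1.1.1.0"
SYS_UPTIME_0    = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"     # SNMPv2-MIB snmpTrapOID.0
LINK_DOWN       = "1.3.6.1.6.3.1.1.5.3"       # SNMPv2-MIB linkDown notification
IF_INDEX        = "1.3.6.1.2.1.2.2.1.1"       # IF-MIB ifIndex column
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest",
             0xA5: "GetBulkRequest", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def enc_int(v: int, tag: int = 0x02) -> bytes:
    """INTEGER, and the application types that share its form (Counter32 0x41, TimeTicks 0x43)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(tag, v.to_bytes(n, "big", signed=True))

def enc_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte (1.3 -> 0x2b), then base-128 arcs."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def dec_tlv(buf: bytes, pos: int = 0):
    """Returns (tag, value bytes, position just after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def dec_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def build_get(community: str, oid: str, request_id: int = 0x1234) -> bytes:
    varbinds = tlv(0x30, tlv(0x30, enc_oid(oid) + tlv(0x05, b"")))          # value is NULL in a request
    pdu = tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)  # error-status, error-index
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)     # version field 1 == v2c

def build_linkdown_trap(community: str, ifindex: int, uptime_ticks: int, request_id: int = 7) -> bytes:
    """v2c traps are ordinary PDUs whose first two varbinds are sysUpTime.0 and snmpTrapOID.0."""
    vbs = (tlv(0x30, enc_oid(SYS_UPTIME_0) + enc_int(uptime_ticks, 0x43))
           + tlv(0x30, enc_oid(SNMP_TRAP_OID_0) + enc_oid(LINK_DOWN))
           + tlv(0x30, enc_oid(f"{IF_INDEX}.{ifindex}") + enc_int(ifindex)))
    pdu = tlv(0xA7, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, vbs))
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)

def parse_message(msg: bytes) -> dict:
    """Decode a v1/v2c message. No key is involved, which is exactly the problem."""
    _, body, _ = dec_tlv(msg)
    _, ver, p = dec_tlv(body)
    _, comm, p = dec_tlv(body, p)
    ptag, pdu, _ = dec_tlv(body, p)
    _, rid, q = dec_tlv(pdu)
    _, _, q = dec_tlv(pdu, q)            # error-status
    _, _, q = dec_tlv(pdu, q)            # error-index
    _, vbl, _ = dec_tlv(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = dec_tlv(vbl, q)
        _, oid, r = dec_tlv(vb)
        vtag, val, _ = dec_tlv(vb, r)
        value = (dec_oid(val) if vtag == 0x06 else None if vtag == 0x05
                 else val.decode(errors="replace") if vtag == 0x04
                 else int.from_bytes(val, "big", signed=True))
        varbinds.append((dec_oid(oid), value))
    return {"version": int.from_bytes(ver, "big", signed=True), "community": comm.decode(),
            "pdu": PDU_NAMES.get(ptag, hex(ptag)),
            "request_id": int.from_bytes(rid, "big", signed=True), "varbinds": varbinds}

if __name__ == "__main__":
    get = build_get("public", SYS_DESCR_0)
    print(get.hex())                  # "public" appears verbatim as 04 06 70 75 62 6c 69 63
    print(parse_message(get))
    print(parse_message(build_linkdown_trap("public", 3, 123456)))
```

Because nothing in a v1/v2c message is keyed, the same code that a monitoring system uses to read a trap is all an attacker needs to forge one (a spoofed linkDown to trigger a false incident) or to replay a captured SET. SNMPv3 wraps this PDU in a header carrying the username, engineID and the HMAC computed from the localized key, which is what makes forgery and replay detectable.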
SNMP Monitoring Best Practices
| Practice | Detail |
|---|---|
| Use SNMPv3 authPriv | Always. v1/v2c community strings are plaintext, so anyone who can see the traffic can read them and reuse them for GET and, if a write community exists, SET |
| Dedicated Management VLAN | Carry SNMP on a separate management network, isolated from user traffic; this limits who can sniff or reach the agent at all |
| ACL on Devices | Restrict SNMP to the monitoring server IPs only and deny every other source; apply the ACL to the v3 group as well as the UDP/161 listener, and put the trap receiver behind the same kind of filtering |
| Poll Interval | 5 minutes for capacity metrics, 1 minute for critical interfaces; balance device CPU load against visibility, and remember that averages over the interval hide micro-bursts |
| Use GETBULK | Far fewer round trips than a chain of GETNEXTs; reduces polling overhead and device CPU impact, but keep max-repetitions moderate so a single reply does not exceed the path MTU and get fragmented |
| 64-bit Counters | Use ifHCInOctets/ifHCOutOctets on anything faster than 10 Mbps. A 32-bit counter wraps at 2^32 bytes (~4.3 GB), which a saturated 1 Gbps link reaches in about 34 s and a 10 Gbps link in about 3.4 s, so a 5-minute poll cannot tell one wrap from several and the computed rate is garbage |
| Trap + Poll | Do not rely on traps alone: they are single UDP datagrams and are lost silently, and a device that is down cannot send one. Use traps (or INFORM where the agent supports it) for instant alerts plus polling for baseline data and to catch missed events |
| NMS Tools | Zabbix, LibreNMS, PRTG, Nagios, SolarWinds; choose based on scale and budget, and confirm the tool supports SNMPv3 with SHA-2 and AES before standardizing on it |
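The counter-wrap and trap-plus-poll rows above are where most bad bandwidth graphs come from. This added example (not code from the original article) computes a rate from two polled octet samples the way an NMS should: it quantifies the 32-bit wrap time, tolerates exactly one wrap, discards a sample taken across a reboot (detected from sysUpTime.0 going backwards), and flags a delta that is impossible at the interface speed, which is the only signature of multiple wraps between polls. Counter values and uptimes are constructed sample data.

```python
# Added example (not code from the original article): rate computation from polled octet
# counters with the checks an NMS needs. Counter values and uptimes are constructed data.

COUNTER32 = 2 ** 32   # ifInOctets / ifOutOctets
COUNTER64 = 2 ** 64   # ifHCInOctets / ifHCOutOctets

def seconds_to_wrap(if_speed_bps: float, counter_bits: int = 32) -> float:
    """Worst case: a saturated link wraps a counter of this width in this many seconds."""
    return (2 ** counter_bits) / (if_speed_bps / 8)

def counter_delta(prev: int, cur: int, modulus: int) -> int:
    """Octets between two samples, tolerating exactly one wrap (cur < prev).
    Two or more wraps in one interval look identical to none, hence 64-bit counters."""
    return (cur - prev) % modulus

def rate_sample(prev_octets: int, prev_uptime_ticks: int,
                cur_octets: int, cur_uptime_ticks: int,
                if_speed_bps: float, modulus: int = COUNTER32):
    """bits/s for one interval, or None when the sample must be discarded.
    Uptime is sysUpTime.0 in TimeTicks (1/100 s). A backwards jump means the agent restarted
    (coldStart/warmStart) and its counters reset, so the delta is meaningless."""
    if cur_uptime_ticks <= prev_uptime_ticks:
        return None
    interval = (cur_uptime_ticks - prev_uptime_ticks) / 100
    bps = counter_delta(prev_octets, cur_octets, modulus) * 8 / interval
    if bps > if_speed_bps:
        return None   # more octets than the link can carry: multiple wraps or a bad sample
    return bps

def max_poll_interval(if_speed_bps: float, counter_bits: int = 32, safety: float = 0.5) -> float:
    """Longest interval at which the single-wrap correction is still sound, with headroom."""
    return seconds_to_wrap(if_speed_bps, counter_bits) * safety

if __name__ == "__main__":
    for name, speed in (("1 Gbps", 1e9), ("10 Gbps", 1e10), ("100 Gbps", 1e11)):
        print(f"{name}: 32-bit wraps in {seconds_to_wrap(speed):.1f} s, "
              f"64-bit in {seconds_to_wrap(speed, 64) / 86400 / 365:.0f} years; "
              f"32-bit poll interval must be under {max_poll_interval(speed):.1f} s")
    # one wrap across a 300 s poll on a 1 Gbps link (constructed sample)
    print(rate_sample(4_294_967_000, 100_000, 296, 130_000, 1e9))
    # same counters but sysUpTime went backwards: the device rebooted, sample discarded
    print(rate_sample(4_294_967_000, 100_000, 296, 50_000, 1e9))
    # 64-bit counter claiming 1 TB in 300 s on 10 Gbps: impossible, flagged
    print(rate_sample(0, 100_000, 10 ** 12, 130_000, 1e10, COUNTER64))
```

Polling sysUpTime.0 alongside every counter sample is cheap and is what makes the reboot check possible; it also catches the case where a coldStart trap was lost in transit, which is the practical meaning of "trap + poll".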
Closing: SNMP = Universal Network Monitoring Protocol
SNMP Deep Dive summary.
Versions: v1/v2c (plaintext, insecure) → v3 (authPriv with SHA-2 and AES; always use this).
Operations: GET (pull one value), GETNEXT/GETBULK (walk tables, GETBULK efficiently), SET (change config; restrict write access), TRAP/INFORM (push alerts, INFORM acknowledged).
MIB/OID: hierarchical data structure; standard MIBs (IF-MIB, HOST-RESOURCES-MIB) plus vendor enterprise MIBs.
v3 Security: noAuthNoPriv (never) → authNoPriv (minimal) → authPriv (required: SHA-256 authentication with AES; AES-128 is the standardized cipher, AES-256 is a vendor extension). Use long passphrases, since the key derivation is cheap to brute-force offline.
Traps: linkDown, authenticationFailure, coldStart/warmStart, BGP transitions, CPU/memory thresholds; configure them for critical events and verify that the agent actually emits them.
Best Practices: v3 authPriv, management VLAN, ACL restriction, 64-bit counters, GETBULK, traps combined with polling.
Key point: SNMP is 30+ years old but still essential. With support on roughly 95% of devices it is not going away; use v3 for security and combine it with streaming telemetry for modern observability.
Read more about Network Observability (Telemetry, OpenTelemetry, gNMI) and Network Monitoring (SNMP, NetFlow, Prometheus, Grafana) at siamlancard.com, or from icafeforex.com and siam2r.com.