Difference between revisions of "Manual:SNMP"

From MikroTik Wiki
Jump to: navigation, search
(Management information base (MIB))
(Management information base (MIB))
 
(48 intermediate revisions by 9 users not shown)
Line 1: Line 1:
{{Versions|v5}}
+
{{Versions|v5|v6}}
  
 
__TOC__
 
__TOC__
Line 5: Line 5:
 
==Overview==
 
==Overview==
  
<p id="shbox"><b>Standards:</b> <code>RFC 1157</code><br />
+
<p id="shbox"><b>Standards:</b> <code>RFC 1157</code> <code>RFC 3414</code> <code>RFC 3416</code><br />
 
<b>Package:</b> <code>system</code>
 
<b>Package:</b> <code>system</code>
 
</p>
 
</p>
Line 12: Line 12:
 
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. SNMP can be used to graph various data with tools such as CACTI, MRTG or [http://www.mikrotik.com/thedude.php The Dude]
 
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. SNMP can be used to graph various data with tools such as CACTI, MRTG or [http://www.mikrotik.com/thedude.php The Dude]
  
RouterOS supports SNMP v1,2 and 3. SNMP write is also supported.
+
SNMP write support is only available for some OIDs. For supported OIDs SNMP v1, v2 or v3 write is supported
  
  
 
[[File:Total-download-cacti.png|400px|Example Cacti graph made with data from SNMP]]
 
[[File:Total-download-cacti.png|400px|Example Cacti graph made with data from SNMP]]
  
 +
 +
{{Note| SNMP will respond to the query on the interface SNMP request was received from forcing responses to have same source address as request destination sent to the router}}
 +
 +
{{Note| starting 6.18 SNMP implements OID blacklisting. Timeout for OID is 30s when it is blacklisted for 600s.}}
  
 
== Quick Configuration ==
 
== Quick Configuration ==
Line 65: Line 69:
 
|type=string
 
|type=string
 
|default=""
 
|default=""
|desc=
+
|desc=for SNMP v3, used as part of identifier. You can configure suffix part of engine id using this argument. If SNMP client is not capable to detect set engine-id value then this prefix hex have to be used 0x80003a8c04
 
}}
 
}}
  
Line 79: Line 83:
 
|type=string
 
|type=string
 
|default=public
 
|default=public
|desc=Which communities configured in [[#Community | ''community'' menu]] to use.  
+
|desc=Which communities configured in [[#Community | ''community'' menu]] to use when sending out the trap.
 
}}
 
}}
  
Line 86: Line 90:
 
|type=interfaces {{!}} start-trap
 
|type=interfaces {{!}} start-trap
 
|default=
 
|default=
|desc=
+
|desc=What action will generate traps:
 +
* interfaces - interface changes;
 +
* start-trap - snmp server starting on the router
 
}}
 
}}
  
Line 93: Line 99:
 
|type=string {{!}} all
 
|type=string {{!}} all
 
|default=
 
|default=
|desc=
+
|desc=List of interfaces that traps are going to be sent out.
 
}}
 
}}
  
Line 100: Line 106:
 
|type=list of IP/IPv6
 
|type=list of IP/IPv6
 
|default=0.0.0.0
 
|default=0.0.0.0
|desc=
+
|desc=IP (IPv4 or IPv6) addresses of SNMP data collectors that have to receive the trap
 
}}
 
}}
  
{{Mr-arg-table-end
+
{{Mr-arg-table
 
|arg=trap-version
 
|arg=trap-version
 
|type=1{{!}}2{{!}}3
 
|type=1{{!}}2{{!}}3
 
|default=1
 
|default=1
|desc=
+
|desc=Version of SNMP protocol to use for trap
 +
}}
 +
 
 +
{{Mr-arg-table-end
 +
|arg=src-address
 +
|type=IPv4 or IPv6 address
 +
|default=::
 +
|desc=Force the router to always use the same IP source address for all of the SNMP messages
 
}}
 
}}
  
== Community ==
+
{{Note| engine-id field holds the suffix value of engine-id, usually SNMP clients should be
 +
able to detect the value, as SNMP values, as read from the router. However there is a
 +
possibility that this is not the case. In which case, the engine-ID value has to be set
 +
according to this rule: <engine-id prefix> + <hex-dump suffix>, so as an example, if you
 +
have set 1234 as suffix value you have to provide 80003a8c04 + 31323334, combined hex (the
 +
result) is 80003a8c0431323334 }}
 +
 
 +
== Community Properties ==
  
 
<p id="shbox"><b>Sub-menu:</b> <code>/snmp community</code></p>
 
<p id="shbox"><b>Sub-menu:</b> <code>/snmp community</code></p>
Line 119: Line 139:
 
There is little security in v1 and v2c, just Clear text community string („username“) and ability for Limiting access by IP adress.  
 
There is little security in v1 and v2c, just Clear text community string („username“) and ability for Limiting access by IP adress.  
  
Since SNMP v3, better options have been introduced - Authorisation (User + Pass) with MD5/SHA1, Encryption with DES.  
+
In production environment SNMP v3 should be used as that provides security - Authorisation (User + Pass) with MD5/SHA1, Encryption with DES (and since v6.16, AES).  
  
 
<pre>
 
<pre>
Line 157: Line 177:
 
|type=string
 
|type=string
 
|default=""
 
|default=""
|desc=Password used to authenticate connection to the server
+
|desc=Password used to authenticate connection to the server (SNMPv3)
 
}}
 
}}
  
Line 164: Line 184:
 
|type=MD5 {{!}} SHA1
 
|type=MD5 {{!}} SHA1
 
|default=MD5
 
|default=MD5
|desc=Protocol used for authentication
+
|desc=Protocol used for authentication (SNMPv3)
 
}}
 
}}
  
Line 171: Line 191:
 
|type=string
 
|type=string
 
|default=""
 
|default=""
|desc=
+
|desc=password used for encryption (SNMPv3)
 
}}
 
}}
  
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=encryption-protocol
 
|arg=encryption-protocol
|type=DES
+
|type=DES {{!}} AES
 
|default=DES
 
|default=DES
|desc=
+
|desc=encryption protocol to be used to encrypt the communication  (SNMPv3). AES (see rfc3826) available since v6.16.
 
}}
 
}}
  
Line 211: Line 231:
 
== Management information base (MIB) ==  
 
== Management information base (MIB) ==  
  
The Management Information Base (MIB) is the database of information maintained by the agent that the manager can query. You can download the latest MikroTik [http://mikrotik.com/download/Mikrotik.mib RouterOS MIB] file.  
+
The Management Information Base (MIB) is the database of information maintained by the agent that the manager can query. You can download the latest MikroTik [https://box.mikrotik.com/f/a41daf63d0c14347a088/?dl=1 RouterOS MIB] file (''Last updated: 10-DEC-2019'').
  
MIBs used in RouterOS v5.x:
+
MIBs used in RouterOS v6.x:
 
* MIKROTIK-MIB
 
* MIKROTIK-MIB
 
* MIB-2
 
* MIB-2
Line 247: Line 267:
 
== Traps ==
 
== Traps ==
  
SNMP traps enable an agent to notify the management station of significant events by way of an unsolicited SNMP message.
+
SNMP traps enable router to notify data collector of interface changes and SNMP service status changes by sending traps. It is possible to send out traps with security features to support SNMPv1 (no security). SNMPv2 and variants and SNMPv3 with encryption and authorization.  
 +
 
 +
For SNMPv2 and v3 you have to set up appropriately configured community as a ''trap-community'' to enable required features (password or encryption/authorization)
  
 
== SNMP write ==
 
== SNMP write ==
  
 
Since RouterOS v3, SNMP write is supported for some functions. SNMP write allows to change router configuration with SNMP requests. Consider to secure access to router or to router's SNMP, when SNMP and write-access are enabled.
 
Since RouterOS v3, SNMP write is supported for some functions. SNMP write allows to change router configuration with SNMP requests. Consider to secure access to router or to router's SNMP, when SNMP and write-access are enabled.
 
====Writable options====
 
  
 
To change settings by SNMP requests, use the command below to allow SNMP write for the selected community,
 
To change settings by SNMP requests, use the command below to allow SNMP write for the selected community,
Line 261: Line 281:
 
/snmp community set <number> write-access=yes
 
/snmp community set <number> write-access=yes
 
</pre>
 
</pre>
 +
 +
  
 
====System Identity====
 
====System Identity====
Line 270: Line 292:
 
</pre>
 
</pre>
  
* '''snmpset''', SNMP application used for SNMP SET requests to set information on a network entity;
+
* ''snmpset'' - SNMP application used for SNMP SET requests to set information on a network entity;
* '''public''', router's community name;
+
* ''public'' - router's community name;
* '''192.168.0.0''', IP address of the router;
+
* ''192.168.0.0'' - IP address of the router;
* '''1.3.6.1.2.1.1.5.0''', SNMP value for router's identity;
+
* ''1.3.6.1.2.1.1.5.0'' - SNMP value for router's identity;
  
 
SNMPset command above is equal to the RouterOS command,
 
SNMPset command above is equal to the RouterOS command,
Line 315: Line 337:
 
/system script> print  
 
/system script> print  
 
Flags: I - invalid  
 
Flags: I - invalid  
  0  name="kaka" owner="admin" policy=ftp,reboot,read,write,policy,
+
  0  name="test" owner="admin" policy=ftp,reboot,read,write,policy,
 
test,winbox,password,sniff last-started=jan/01/1970
 
test,winbox,password,sniff last-started=jan/01/1970
 
01:31:57 run-count=23 source=:beep  
 
01:31:57 run-count=23 source=:beep  
Line 321: Line 343:
 
/system script run 0
 
/system script run 0
 
</pre>
 
</pre>
 +
 +
==== Runing scripts with GET ====
 +
 +
It is possible to run '''/system scripts''' via SNMP GET request of the script OID (since 6.37). For this to work SNMP community with write permission is required. OIDs for scripts can be retrieved via SNMPWALK command as the table is dynamic.
 +
 +
Add script:
 +
/system script
 +
add name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
 +
    "/sy reboot "
 +
add name=script2 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
 +
    "[:put output]"
 +
 +
 +
Get the script OID table
 +
$ snmpwalk -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.8
 +
iso.3.6.1.4.1.14988.1.1.8.1.1.2.1 = STRING: "script1"
 +
iso.3.6.1.4.1.14988.1.1.8.1.1.2.2 = STRING: "script2"
 +
iso.3.6.1.4.1.14988.1.1.8.1.1.3.1 = INTEGER: 0
 +
iso.3.6.1.4.1.14988.1.1.8.1.1.3.2 = INTEGER: 0
 +
 +
To run script use table 18
 +
$ snmpget -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
 +
iso.3.6.1.4.1.14988.1.1.18.1.1.2.2 = STRING: "output"
 +
 +
== See Also ==
 +
 +
* [[SNMP MRTG]]
 +
  
  
 
{{cont}}
 
{{cont}}
 +
  
 
[[Category:Manual]]
 
[[Category:Manual]]
 
[[Category:SNMP]]
 
[[Category:SNMP]]
 +
[[Category:Tools]]

Latest revision as of 09:52, 22 January 2020

Version.png

Applies to RouterOS: v5

Overview

Standards: RFC 1157 RFC 3414 RFC 3416
Package: system


Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. SNMP can be used to graph various data with tools such as CACTI, MRTG or The Dude

SNMP write support is only available for some OIDs. For supported OIDs SNMP v1, v2 or v3 write is supported


Example Cacti graph made with data from SNMP


Icon-note.png

Note: SNMP will respond to the query on the interface SNMP request was received from forcing responses to have same source address as request destination sent to the router


Icon-note.png

Note: starting 6.18 SNMP implements OID blacklisting. Timeout for OID is 30s when it is blacklisted for 600s.


Quick Configuration

To enable SNMP in RouterOS:

[admin@MikroTik] /snmp> print 
       enabled: no
       contact: 
       location: 
       engine-id: 
       trap-community: (unknown)
       trap-version: 1
[admin@MikroTik] /snmp>  set enabled yes

You can also specify administrative contact information in the above settings. All SNMP data will be available to communities configured in community menu.

General Properties

Sub-menu: /snmp


This sub menu allows to enable SNMP and to configure general settings.


Property Description
contact (string; Default: "") Contact information
enabled (yes | no; Default: no) Used to disable/enable SNMP service
engine-id (string; Default: "") for SNMP v3, used as part of identifier. You can configure suffix part of engine id using this argument. If SNMP client is not capable to detect set engine-id value then this prefix hex have to be used 0x80003a8c04
location (string; Default: "") Location information
trap-community (string; Default: public) Which communities configured in community menu to use when sending out the trap.
trap-generators (interfaces | start-trap; Default: ) What action will generate traps:
  • interfaces - interface changes;
  • start-trap - snmp server starting on the router
trap-interfaces (string | all; Default: ) List of interfaces that traps are going to be sent out.
trap-target (list of IP/IPv6; Default: 0.0.0.0) IP (IPv4 or IPv6) addresses of SNMP data collectors that have to receive the trap
trap-version (1|2|3; Default: 1) Version of SNMP protocol to use for trap
src-address (IPv4 or IPv6 address; Default: ::) Force the router to always use the same IP source address for all of the SNMP messages
Icon-note.png

Note: engine-id field holds the suffix value of engine-id, usually SNMP clients should be able to detect the value, as SNMP values, as read from the router. However there is a possibility that this is not the case. In which case, the engine-ID value has to be set according to this rule: <engine-id prefix> + <hex-dump suffix>, so as an example, if you have set 1234 as suffix value you have to provide 80003a8c04 + 31323334, combined hex (the result) is 80003a8c0431323334


Community Properties

Sub-menu: /snmp community


This sub-menu allows to set up access rights for the SNMP data.

There is little security in v1 and v2c, just Clear text community string („username“) and ability for Limiting access by IP adress.

In production environment SNMP v3 should be used as that provides security - Authorisation (User + Pass) with MD5/SHA1, Encryption with DES (and since v6.16, AES).


[admin@MikroTik] /snmp community> print value-list 
                     name: public
                  address: 0.0.0.0/0
                 security: none
              read-access: yes
             write-access: no
  authentication-protocol: MD5
      encryption-protocol: DES
  authentication-password: *****
      encryption-password: *****

Icon-warn.png

Warning: Default settings only have one community named public without any additional security settings. These settings should be considered insecure and should be adjusted according required security profile.



Properties

Property Description
address (IP/IPv6 address; Default: 0.0.0.0/0) Addresses from which connections to SNMP server is allowed
authentication-password (string; Default: "") Password used to authenticate connection to the server (SNMPv3)
authentication-protocol (MD5 | SHA1; Default: MD5) Protocol used for authentication (SNMPv3)
encryption-password (string; Default: "") password used for encryption (SNMPv3)
encryption-protocol (DES | AES; Default: DES) encryption protocol to be used to encrypt the communication (SNMPv3). AES (see rfc3826) available since v6.16.
name (string; Default: )
read-access (yes | no; Default: yes) Whether read access is enabled for this community
security (authorized | none | private; Default: none)
write-access (yes | no; Default: no) Whether write access is enabled for this community. Read more >>

Management information base (MIB)

The Management Information Base (MIB) is the database of information maintained by the agent that the manager can query. You can download the latest MikroTik RouterOS MIB file (Last updated: 10-DEC-2019).

MIBs used in RouterOS v6.x:

  • MIKROTIK-MIB
  • MIB-2
  • HOST-RESOURCES-MIB
  • IF-MIB
  • IP-MIB
  • IP-FORWARD-MIB
  • IPV6-MIB
  • BRIDGE-MIB
  • DHCP-SERVER-MIB
  • CISCO-AAA-SESSION-MIB
  • ENTITY-MIB
  • UPS-MIB
  • SQUID-MIB

Object identifiers (OID)

Each OID identifies a variable that can be read via SNMP. Although the MIB file contains all the needed OID values, you can also print individual OID information in the console with the print oid command at any menu level:

[admin@MikroTik] /interface> print oid

Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name=.1.3.6.1.2.1.2.2.1.2.1 mtu=.1.3.6.1.2.1.2.2.1.4.1 
       mac-address=.1.3.6.1.2.1.2.2.1.6.1 admin-status=.1.3.6.1.2.1.2.2.1.7.1 
       oper-status=.1.3.6.1.2.1.2.2.1.8.1 bytes-in=.1.3.6.1.2.1.2.2.1.10.1 
       packets-in=.1.3.6.1.2.1.2.2.1.11.1 discards-in=.1.3.6.1.2.1.2.2.1.13.1 
       errors-in=.1.3.6.1.2.1.2.2.1.14.1 bytes-out=.1.3.6.1.2.1.2.2.1.16.1 
       packets-out=.1.3.6.1.2.1.2.2.1.17.1 discards-out=.1.3.6.1.2.1.2.2.1.19.1 
       errors-out=.1.3.6.1.2.1.2.2.1.20.1 

Traps

SNMP traps enable router to notify data collector of interface changes and SNMP service status changes by sending traps. It is possible to send out traps with security features to support SNMPv1 (no security). SNMPv2 and variants and SNMPv3 with encryption and authorization.

For SNMPv2 and v3 you have to set up appropriately configured community as a trap-community to enable required features (password or encryption/authorization)

SNMP write

Since RouterOS v3, SNMP write is supported for some functions. SNMP write allows to change router configuration with SNMP requests. Consider to secure access to router or to router's SNMP, when SNMP and write-access are enabled.

To change settings by SNMP requests, use the command below to allow SNMP write for the selected community, Write-access option for SNMP is available from v3.14,

/snmp community set <number> write-access=yes


System Identity

It's possible to change router system identity by SNMP set command,

snmpset -c public -v 1 192.168.0.0 1.3.6.1.2.1.1.5.0  s New_Identity
  • snmpset - SNMP application used for SNMP SET requests to set information on a network entity;
  • public - router's community name;
  • 192.168.0.0 - IP address of the router;
  • 1.3.6.1.2.1.1.5.0 - SNMP value for router's identity;

SNMPset command above is equal to the RouterOS command,

/system identity set identity=New_Identity

Reboot

It's possible to reboot the router with SNMP set commamd, you need to set value for reboot SNMP settings, which is not equal to 0,

snmpset -c public -v 1 192.168.0.0 1.3.6.1.4.1.14988.1.1.7.1.0 s 1
  • 1.3.6.1.4.1.14988.1.1.7.1.0, SNMP value for the router reboot;
  • s 1, snmpset command to set value, value should not be equal to 0;

Reboot snmpset command is equal to the RouterOS command,

/system reboot

Run Script

SNMP write allows to run scripts on the router from system script menu, when you need to set value for SNMP setting of the script,

 
snmpset -c public -v 1 192.168.0.0 1.3.6.1.4.1.14988.1.1.8.1.1.3.X s 1
  • X, script number, numeration starts from 1;
  • s 1, snmpset command to set value, value should not be equal to 0;

The same command on RouterOS,


/system script> print 
Flags: I - invalid 
 0   name="test" owner="admin" policy=ftp,reboot,read,write,policy,
test,winbox,password,sniff last-started=jan/01/1970
01:31:57 run-count=23 source=:beep 

/system script run 0

Runing scripts with GET

It is possible to run /system scripts via SNMP GET request of the script OID (since 6.37). For this to work SNMP community with write permission is required. OIDs for scripts can be retrieved via SNMPWALK command as the table is dynamic.

Add script:

/system script
add name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
   "/sy reboot "
add name=script2 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
   "[:put output]"


Get the script OID table

$ snmpwalk -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.8
iso.3.6.1.4.1.14988.1.1.8.1.1.2.1 = STRING: "script1"
iso.3.6.1.4.1.14988.1.1.8.1.1.2.2 = STRING: "script2"
iso.3.6.1.4.1.14988.1.1.8.1.1.3.1 = INTEGER: 0
iso.3.6.1.4.1.14988.1.1.8.1.1.3.2 = INTEGER: 0

To run script use table 18

$ snmpget -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
iso.3.6.1.4.1.14988.1.1.18.1.1.2.2 = STRING: "output"

See Also


[ Top | Back to Content ]