Use SNMPv3 for IEC 62443 compliance
SNMPv1 and v2c transmit credentials in plaintext. SNMPv3 with SHA-256 and AES-128 meets IEC 62443 SL 2 requirements.
With addresses assigned, names resolved, and clocks synchronized, the remaining question is how to monitor the health of the network. SNMP delivers that visibility.
SNMP (Simple Network Management Protocol) polls device statistics and receives event notifications. SNMP uses a tree-structured namespace called the MIB (Management Information Base), where each value is identified by an OID (Object Identifier).
| Version | Authentication | Encryption | Status |
|---|---|---|---|
| SNMPv1 | Community string (plaintext) | None | Deprecated. Do not use in production. |
| SNMPv2c | Community string (plaintext) | None | Common but insecure. |
| SNMPv3 | Username + SHA/MD5 | AES/DES | Required for IEC 62443 SL 2. |
SNMPv1 and v2c transmit the community string in plaintext. An attacker on the network captures the community string and gains read or write access to every device. Use SNMPv3 with SHA-256 authentication and AES-128 encryption.
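The single-OID read done the way the paragraph above requires, as an added example that is not code from the course or from Hirschmann. It assumes pysnmp 4.x; the user name "monitor" and the two passphrases are placeholders for a USM user configured on the switch, and the host address is the one used elsewhere on this page.

```python
# Added example (not the course's or Hirschmann's code): a single-OID GET over
# SNMPv3 authPriv with HMAC-SHA-256 authentication and AES-128 privacy.
# Assumes pysnmp 4.x. "monitor" and the passphrases are placeholders.


def usm_security_level(auth_pass, priv_pass) -> str:
    """Map the presence of USM keys to the security level a request would use."""
    if priv_pass and not auth_pass:
        raise ValueError("USM does not allow privacy without authentication")
    if auth_pass and priv_pass:
        return "authPriv"
    if auth_pass:
        return "authNoPriv"
    return "noAuthNoPriv"


def check_v3_params(user: str, auth_pass: str, priv_pass: str) -> list:
    """Return a list of problems; an empty list means the request may go out.

    Only authPriv gives the authenticated and encrypted exchange the page calls
    for, and RFC 3414 requires USM passphrases of at least 8 octets (pysnmp
    rejects shorter ones too, but with a less helpful message).
    """
    problems = []
    if not user:
        problems.append("SNMPv3 user name is required")
    try:
        level = usm_security_level(auth_pass, priv_pass)
    except ValueError as exc:
        problems.append(str(exc))
        level = None
    if level is not None and level != "authPriv":
        problems.append("both auth and priv passphrases are required (authPriv)")
    for label, secret in (("auth", auth_pass), ("priv", priv_pass)):
        if secret and len(secret) < 8:
            problems.append(f"{label} passphrase must be at least 8 characters")
    return problems


def snmp_get_v3(host: str, user: str, auth_pass: str, priv_pass: str, oid: str) -> str:
    """GET one OID over SNMPv3 authPriv; returns the value or an error string."""
    problems = check_v3_params(user, auth_pass, priv_pass)
    if problems:
        raise ValueError("; ".join(problems))
    # Imported here so the checks above work even where pysnmp is not installed.
    from pysnmp.hlapi import (
        getCmd, SnmpEngine, UsmUserData, UdpTransportTarget, ContextData,
        ObjectType, ObjectIdentity,
        usmHMAC192SHA256AuthProtocol, usmAesCfb128Protocol,
    )
    iterator = getCmd(
        SnmpEngine(),
        UsmUserData(
            user,
            authKey=auth_pass,
            privKey=priv_pass,
            authProtocol=usmHMAC192SHA256AuthProtocol,  # HMAC-192-SHA-256, RFC 7860
            privProtocol=usmAesCfb128Protocol,          # AES-128 CFB, RFC 3826
        ),
        UdpTransportTarget((host, 161), timeout=2, retries=1),
        ContextData(),
        ObjectType(ObjectIdentity(oid)),
    )
    error_indication, error_status, _, var_binds = next(iterator)
    if error_indication or error_status:
        return f"ERROR: {error_indication or error_status}"
    return str(var_binds[0][1])


if __name__ == "__main__":
    # Placeholder credentials: replace with the USM user configured on the switch.
    print(snmp_get_v3("192.168.1.100", "monitor", "auth-passphrase",
                      "priv-passphrase", "1.3.6.1.2.1.1.1.0"))
```

Anything other than authPriv, or a passphrase shorter than 8 octets, is refused before a packet leaves the host. Set beside the v2c script that follows, the only change in the getCmd call is a UsmUserData object in place of CommunityData; that one substitution is what turns a plaintext community string into an authenticated, encrypted exchange.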
The following script reads standard MIB-II OIDs from a Hirschmann switch, returning the system description, uptime, and per-port counters for detected errors.
```python
from pysnmp.hlapi import (
    getCmd, SnmpEngine, CommunityData, UdpTransportTarget,
    ContextData, ObjectType, ObjectIdentity,
)


def snmp_get(host: str, community: str, oid: str) -> str:
    """Return the value of a single OID as a string, or an error message."""
    iterator = getCmd(
        SnmpEngine(),
        CommunityData(community, mpModel=1),  # mpModel=1 selects SNMPv2c
        UdpTransportTarget((host, 161), timeout=2, retries=1),
        ContextData(),
        ObjectType(ObjectIdentity(oid)),
    )
    error_indication, error_status, _, var_binds = next(iterator)
    if error_indication or error_status:
        return f"ERROR: {error_indication or error_status}"
    return str(var_binds[0][1])


host = "192.168.1.100"
community = "public"
oids = {
    "sysDescr": "1.3.6.1.2.1.1.1.0",
    "sysName": "1.3.6.1.2.1.1.5.0",
    "sysUpTime": "1.3.6.1.2.1.1.3.0",
    "ifInErrors_1": "1.3.6.1.2.1.2.2.1.14.1",   # ifInErrors for ifIndex 1
    "ifOutErrors_1": "1.3.6.1.2.1.2.2.1.20.1",  # ifOutErrors for ifIndex 1
}
for name, oid in oids.items():
    print(f"{name:20s}: {snmp_get(host, community, oid)}")
```

A rising ifInErrors counter on a ring port indicates CRC detected errors, which point to a cable, SFP, or EMI issue. Polling this counter every 10 seconds builds a trend that reveals intermittent physical-layer faults before the faults cause a ring failover.
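The trend check described above, run over a constructed series of polls, as an added example that is not code from the course or from Hirschmann. It assumes each poll returns sysUpTime (1.3.6.1.2.1.1.3.0) together with ifInErrors for ifIndex 1 (1.3.6.1.2.1.2.2.1.14.1); the sample values are made up to exercise two cases a plain "current minus previous" gets wrong: Counter32 wrap-around at 2^32 and a counter reset after a device reboot.

```python
# Added example, not the course's or Hirschmann's code. Computes the per-interval
# ifInErrors rate from a series of 10-second polls and reports intervals whose
# rate crossed a threshold. Handles Counter32 wrap and a reboot between polls
# (visible as sysUpTime going backwards).

COUNTER32_MODULUS = 2 ** 32


def counter_delta(prev: int, curr: int) -> int:
    """Increase between two Counter32 readings, allowing for a single wrap."""
    if curr >= prev:
        return curr - prev
    return curr + COUNTER32_MODULUS - prev


def error_rate_alerts(samples, threshold_per_sec: float = 0.5):
    """samples: (poll_time_s, sys_uptime_ticks, if_in_errors) tuples in poll order.

    Returns (start_time, end_time, errors_per_sec) for every interval whose
    rate exceeded threshold_per_sec. An interval in which sysUpTime went
    backwards is skipped: the device rebooted and the counter restarted from
    0, so the delta would be meaningless. (A genuine TimeTicks wrap, once
    every ~497 days, is treated the same way and costs one interval.)
    """
    alerts = []
    for (t0, up0, e0), (t1, up1, e1) in zip(samples, samples[1:]):
        if up1 < up0:
            continue  # reboot between polls
        interval = t1 - t0
        if interval <= 0:
            continue  # duplicate or out-of-order poll
        rate = counter_delta(e0, e1) / interval
        if rate > threshold_per_sec:
            alerts.append((t0, t1, rate))
    return alerts


# Constructed sample data: eight polls, 10 s apart. The counter starts near
# 2^32 so the wrap is exercised, and the sixth poll simulates a reboot.
SAMPLES = [
    (0, 100000, 4294967280),
    (10, 101000, 4294967282),  # +2 in 10 s -> 0.2/s, quiet
    (20, 102000, 4294967290),  # +8 -> 0.8/s, alert
    (30, 103000, 3),           # wrapped: +9 -> 0.9/s, alert
    (40, 104000, 4),           # +1 -> 0.1/s, quiet
    (50, 500, 0),              # sysUpTime reset: reboot, interval skipped
    (60, 1500, 1),             # +1 -> 0.1/s, quiet
    (70, 2500, 30),            # +29 -> 2.9/s, alert
]

if __name__ == "__main__":
    for start, end, rate in error_rate_alerts(SAMPLES):
        print(f"ifInErrors rate {rate:.2f}/s between t={start}s and t={end}s")
```

Without the wrap handling, the 4294967290 to 3 transition would produce a negative delta and the interval would never alert; without the sysUpTime check, the reboot would look like a drop of four errors and likewise hide. On a real switch the same function is fed by polling the two OIDs with snmp_get every 10 seconds and appending (time, uptime, errors) to the list.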
Poll detected-error counters to catch cable faults
Rising ifInErrors on a port indicates CRC detected errors from cable, SFP, or EMI issues. Trend the counter to catch intermittent faults.
SNMP monitors the network, but SNMP does not solve a fundamental addressing issue: the internet ran out of IPv4 addresses. The next page covers NAT and PAT, the workaround that maps private addresses to public addresses.