5.4 SNMP

With addresses assigned, names resolved, and clocks synchronized, the remaining question is how to monitor the health of the network itself. SNMP provides that visibility.

SNMP — Simple Network Management Protocol

SNMP (Simple Network Management Protocol) polls device statistics and receives event notifications. It uses a tree-structured namespace called the MIB (Management Information Base), where each value is identified by an OID (Object Identifier).

| Version | Authentication | Encryption | Status |
|---------|----------------|------------|--------|
| SNMPv1 | Community string (plaintext) | None | Deprecated. Never use in production. |
| SNMPv2c | Community string (plaintext) | None | Common but insecure. |
| SNMPv3 | Username + SHA/MD5 | AES/DES | Required for IEC 62443 SL 2. |

SNMPv1 and v2c transmit the community string in plaintext. An attacker on the network captures the community string and gains read or write access to every device. Use SNMPv3 with SHA-256 authentication and AES-128 encryption.

The following script reads standard MIB-II OIDs from a Hirschmann switch, returning the system description, uptime, and per-port error counters.

```python
from pysnmp.hlapi import (
    getCmd, SnmpEngine, CommunityData, UdpTransportTarget,
    ContextData, ObjectType, ObjectIdentity
)


def snmp_get(host: str, community: str, oid: str) -> str:
    """Issue a single SNMP GET and return the value as a string."""
    iterator = getCmd(
        SnmpEngine(),
        CommunityData(community, mpModel=1),  # mpModel=1 selects SNMPv2c
        UdpTransportTarget((host, 161), timeout=2, retries=1),
        ContextData(),
        ObjectType(ObjectIdentity(oid))
    )
    error_indication, error_status, _, var_binds = next(iterator)
    if error_indication or error_status:
        return f"ERROR: {error_indication or error_status}"
    # var_binds is a list of (OID, value) pairs; one OID was requested
    return str(var_binds[0][1])


host = "192.168.1.100"
community = "public"

# MIB-II system group values and error counters for interface index 1
oids = {
    "sysDescr": "1.3.6.1.2.1.1.1.0",
    "sysName": "1.3.6.1.2.1.1.5.0",
    "sysUpTime": "1.3.6.1.2.1.1.3.0",
    "ifInErrors_1": "1.3.6.1.2.1.2.2.1.14.1",
    "ifOutErrors_1": "1.3.6.1.2.1.2.2.1.20.1",
}

for name, oid in oids.items():
    print(f"{name:20s}: {snmp_get(host, community, oid)}")
```

A rising ifInErrors counter on a ring port indicates CRC errors, which point to a cable, SFP, or EMI problem. Polling this counter every 10 seconds builds a trend that reveals intermittent physical-layer faults before they cause a ring failover.

Use SNMPv3 for IEC 62443 compliance

SNMPv1 and v2c transmit credentials in plaintext. SNMPv3 with SHA-256 and AES-128 meets IEC 62443 SL 2 requirements.

Poll error counters to catch cable faults

Rising ifInErrors on a port indicates CRC errors from cable, SFP, or EMI problems. Trend the counter to catch intermittent faults.

SNMP monitors the network, but it does not solve a fundamental addressing problem: the internet ran out of IPv4 addresses. The next page covers NAT and PAT, the workaround that maps private addresses to public ones.
