📄Building a Digital Inventory Using SNMP & ARP Tables📍

Ronald BartelsRonald Bartels
4 min read

Creating an accurate digital inventory of devices in a network is a critical task for network administrators. While traditional methods like port scanning can identify active devices, they often face challenges such as being blocked by firewalls, generating false positives, or causing unnecessary network strain.

A more efficient and firewall-agnostic method involves using SNMP (Simple Network Management Protocol) to extract switch port and ARP tables to map MAC addresses to IP addresses. This approach allows administrators to create a comprehensive inventory of devices without intrusive scanning methods. Here's how to do it.

Why SNMP & ARP Tables are Superior to Port Scans

1. Firewall-Agnostic
Firewalls often block port scans, rendering the results incomplete. In contrast, SNMP queries and ARP table lookups rely on network management protocols and internal device configurations, bypassing firewall restrictions.

2. Granular Detail
Using SNMP and ARP tables provides detailed information such as the physical switch port, VLAN, MAC address, and IP address of each device, offering a richer dataset than a simple port scan.

3. Low Network Overhead
Port scans can flood a network with probes, potentially causing performance issues or triggering security alerts. SNMP queries, when used efficiently, are much lighter on network resources.

Step-by-Step Guide to Create a Digital Inventory

1. Prerequisites

  • SNMP Enabled Devices: Ensure that switches and routers have SNMP enabled. Use SNMPv3 for secure communication.

  • Management Tools: A network monitoring tool or SNMP client like snmpwalk, net-snmp, or a script in Python using libraries like pysnmp.

  • Network Access: Access to the switches and routers from which you will pull the SNMP and ARP data.

2. Extract Switch Port Tables Using SNMP

Switch port tables hold the MAC addresses of devices connected to each port. To extract this information:

  • OID for Bridge MIB: Use the dot1dTpFdbTable (OID: 1.3.6.1.2.1.17.4.3) to query the forwarding database (FDB) of the switch. This provides a list of MAC addresses and their associated ports.

    Example command:

      bashCopy codesnmpwalk -v2c -c COMMUNITY SWITCH_IP 1.3.6.1.2.1.17.4.3

    This will return data similar to:

      vbnetCopy codedot1dTpFdbAddress.0.12.34.56.78.9a = STRING: 00:12:34:56:78:9A
  dot1dTpFdbPort.0.12.34.56.78.9a = INTEGER: 5

    Here, the MAC address 00:12:34:56:78:9A is on port 5.

  • Map to Interface Index: Correlate the port number with the interface name using the ifTable (OID: 1.3.6.1.2.1.2.2).

    Example command:

      bashCopy codesnmpwalk -v2c -c COMMUNITY SWITCH_IP 1.3.6.1.2.1.2.2

    This provides details like:

      vbnetCopy codeifDescr.5 = STRING: GigabitEthernet0/1

3. Extract ARP Tables from Routers

ARP tables link IP addresses to MAC addresses, providing the missing piece to complete the inventory.

  • Use SNMP to query the ipNetToMediaTable (OID: 1.3.6.1.2.1.4.22) on the router.

    Example command:

      bashCopy codesnmpwalk -v2c -c COMMUNITY ROUTER_IP 1.3.6.1.2.1.4.22

    This returns:

      vbnetCopy codeipNetToMediaPhysAddress.1.192.168.1.10 = STRING: 00:12:34:56:78:9A
  ipNetToMediaNetAddress.1.192.168.1.10 = STRING: 192.168.1.10

    Here, the MAC address 00:12:34:56:78:9A corresponds to the IP 192.168.1.10.

4. Correlate Data for a Complete Inventory

Combine the data from the switch and router to create a unified inventory:

Switch PortMAC AddressIP AddressDevice Name
GigabitEthernet0/100:12:34:56:78:9A192.168.1.10Workstation-01

Tools like Excel, custom scripts, or network inventory software can automate this correlation process.

5. Automate the Process

Using Python, you can automate these steps. For instance:

pythonCopy codefrom pysnmp.hlapi import *

def snmp_query(ip, oid, community):
    result = []
    for (errorIndication, errorStatus, errorIndex, varBinds) in nextCmd(
        SnmpEngine(),
        CommunityData(community),
        UdpTransportTarget((ip, 161)),
        ContextData(),
        ObjectType(ObjectIdentity(oid)),
        lexicographicMode=False,
    ):
        if errorIndication or errorStatus:
            print(f"Error: {errorIndication or errorStatus}")
            break
        for varBind in varBinds:
            result.append(varBind)
    return result

# Example Usage
switch_ip = "192.168.1.2"
community = "public"
mac_table_oid = "1.3.6.1.2.1.17.4.3"
arp_table_oid = "1.3.6.1.2.1.4.22"

mac_table = snmp_query(switch_ip, mac_table_oid, community)
arp_table = snmp_query(switch_ip, arp_table_oid, community)

for entry in mac_table:
    print(entry)

Advantages of SNMP and ARP-Based Inventory

  1. Firewall Independence: No reliance on untrustworthy port scans.

  2. Accurate Mapping: Direct correlation of physical ports to IPs and MACs.

  3. Real-Time Data: Reflects current network state without assumptions.

  4. Scalable: Suitable for large networks.

Wrap

Using SNMP and ARP tables to create a digital inventory is a robust, firewall-friendly alternative to port scanning. It provides accurate, actionable data that improves network management and security. Businesses equipped with such an inventory can quickly identify devices, trace issues, and ensure a well-documented and secure network environment.

2
Subscribe to my newsletter

Read articles from Ronald Bartels directly inside your inbox. Subscribe to the newsletter, and don't miss out.

snmpARPinventory

Written by

Ronald Bartels
Ronald Bartels

Driving SD-WAN Adoption in South Africa