Cisco device configuration tutorials and networking fundamentals
Simple Network Management Protocol (SNMP) enables monitoring routers and switches connected over an IP network. SNMP delivers information from a managed device to an SNMP manager which collects, stores and analyses the received data for IT operations purposes. For example, an SNMP Trap message is an event-driven notification sent to a manager about any type of system failure or network issue.
SNMP messages are sent over UDP ports 161 and 162. An SNMP GET-request, sent to destination UDP port 161, is shown in the following packet capture. An SNMP GET-request obtains information from a managed device, such as the current input/output bandwidth usage of an interface. Note that it is also possible to send SNMP over TCP.
An encrypted SNMPv3 packet is shown in the following capture. It is polling a managed device to retrieve monitoring data. The username and password are created on the managed device and need to match on the monitoring server to enable retrieval of information.
The community string is the authentication method used in SNMPv2c. No username configuration is required for SNMPv2c. The community string is added to SNMP packets in cleartext; SNMPv2c offers no encryption and no password hashing function.
Some devices have the default SNMP community string "public" preconfigured. Changing the default community string may provide security benefits. However, if security is a concern, SNMPv3 should be used.
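To make the cleartext point concrete, the following added example (not code from the page or its author) builds the kind of SNMPv2c GET-request described above with a minimal ASN.1 BER encoder, then decodes it the way a packet sniffer or IDS would. The sample packet is constructed here: it uses request-id 17896 (taken from the debug output later on this page), polls sysUpTime.0, and carries the default community "public", which the decoder flags. Everything else in the block (function names, the DEFAULT_COMMUNITIES set) is an assumption of this example.

```python
# Minimal ASN.1 BER encoder/decoder for the outer SNMPv1/v2c message layout:
#   SEQUENCE { INTEGER version, OCTET STRING community,
#              PDU { INTEGER request-id, INTEGER error-status, INTEGER error-index,
#                    SEQUENCE OF SEQUENCE { OBJECT IDENTIFIER, value } } }

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap", 0xA8: "Report"}
DEFAULT_COMMUNITIES = {"public", "private"}   # assumed vendor defaults worth alerting on


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Encode one tag-length-value element (short or long form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value


def ber_int(v: int) -> bytes:
    """Two's-complement INTEGER, minimal length, sign bit preserved."""
    size = max(1, (v.bit_length() + 8) // 8)
    return ber_tlv(0x02, v.to_bytes(size, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return ber_tlv(0x06, bytes(body))


def ber_read(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def ber_children(buf: bytes):
    """Split a constructed value into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = ber_read(buf, pos)
        items.append((tag, value))
    return items


def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def build_get_request(community: str, request_id: int, oids) -> bytes:
    """Encode an SNMPv2c GetRequest for the given OIDs (values NULL)."""
    varbinds = b"".join(ber_tlv(0x30, ber_oid(o) + ber_tlv(0x05, b"")) for o in oids)
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbinds)
    return ber_tlv(0x30, ber_int(1) + ber_tlv(0x04, community.encode("ascii")) + ber_tlv(0xA0, pdu))


def parse_snmp_v1v2c(packet: bytes) -> dict:
    """Decode version, community, PDU type, request-id and requested OIDs."""
    tag, body, _ = ber_read(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = ber_children(body)
    if pdu_tag == 0xA4:
        raise ValueError("SNMPv1 Trap PDU has a different body and is not handled here")
    fields = ber_children(pdu)
    oids = [decode_oid(ber_children(vb)[0][1]) for _, vb in ber_children(fields[3][1])]
    community_str = community.decode("ascii", "replace")
    return {
        "version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "other"),
        "community": community_str,            # readable by anyone on the path
        "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(fields[0][1], "big", signed=True),
        "oids": oids,
        "default_community": community_str.lower() in DEFAULT_COMMUNITIES,
    }


# Constructed sample: a GET-request with reqid 17896, polling sysUpTime.0 (1.3.6.1.2.1.1.3.0)
# using the default community "public".
SAMPLE_GET = build_get_request("public", 17896, ["1.3.6.1.2.1.1.3.0"])

if __name__ == "__main__":
    print(SAMPLE_GET.hex())
    print(parse_snmp_v1v2c(SAMPLE_GET))
```

The community string is a plain OCTET STRING at a fixed position right after the version integer, so `b"public" in SAMPLE_GET` is true for the raw bytes; a monitoring rule that alerts on default or unexpected communities needs nothing more than this decoder.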
In the following example, SNMPv2c is enabled on R1. The single command snmp-server community EXAMPLE-COMMUNITY enables read-only access through SNMP. The community string is created on R1, and the SNMP Manager needs to be configured with an identical community string for authentication to succeed. Here, the community string is "EXAMPLE-COMMUNITY".
R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#snmp-server community EXAMPLE-COMMUNITY
R1(config)#
R1(config)#exit
R1#
R1#show snmp stats oid
time-stamp                 #of times requested  OID
11:08:41 UTC Mar 3 2025    42                   ciscoMemoryPoolEntry.5
11:08:41 UTC Mar 3 2025    42                   ciscoMemoryPoolEntry.6
11:07:51 UTC Mar 3 2025    20                   cpmCPUTotalTable.1.4
11:07:46 UTC Mar 3 2025    20                   sysUpTime
11:07:46 UTC Mar 3 2025    20                   ifAlias
11:07:46 UTC Mar 3 2025    20                   ifHCOutOctets
11:07:46 UTC Mar 3 2025    20                   ifHCInOctets
R1#
As displayed on R1 with the above show command, the SNMP Manager has accessed a number of OID addresses, such as "ciscoMemoryPoolEntry.5" and "sysUpTime". SNMPv2c and SNMPv3 have the option to use a single GetBulk Request message type which can query multiple OID variables simultaneously. The following SNMP debug output shows further details about a GetBulk Request received on R1. The requested information is provided in a single SNMP Response message.
R1#show log | begin Log Buffer
Log Buffer (8192 bytes):

SNMP: Get-bulk request, reqid 17896, nonrptr 0, maxreps 10
 mib-2.25.3.3.1.2 = NULL TYPE/VALUE
SrDoSnmp: received get-bulk pdu
CheckClassMIBView: all included
CheckClassMIBView: all included
CheckClassMIBView: all included
CheckClassMIBView: all included
CheckClassMIBView: all included
CheckClassMIBView: all included
CheckClassMIBView: all included
CheckClassMIBView: all included
CheckClassMIBView: all included
CheckClassMIBView: all included
CheckClassMIBView: all included
SNMP: Response, reqid 17896, errstat 0, erridx 0
 ifName.1 = Gi0/0
 ifName.2 = Gi0/1
 ifName.3 = Gi0/2
 ifName.4 = Gi0/3
 ifName.5 = Nu0
 ifName.6 = NV0
 ifInMulticastPkts.1 = 0
 ifInMulticastPkts.2 = 0
 ifInMulticastPkts.3 = 0
 ifInMulticastPkts.4 = 0
SNMP: Packet sent via UDP to 192.168.0.61
process_mgmt_req_int: UDP packet being de-queued
[...]
Multiple communities can be configured on a single device. For example, as an alternative to the above configuration, separate communities can be created to provide read-only and read-write SNMP access, as shown below. With write access, SNMP can be used to change the configuration of R1, so a read-write community deserves the same protection as an enable password.
R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#snmp-server community EXAMPLE-COMMUNITY1 ro
R1(config)#snmp-server community EXAMPLE-COMMUNITY2 rw
R1(config)#
R1(config)#exit
R1#
In the following example, R1 restricts SNMP access. First, a standard ACL is configured which only permits the SNMP Manager at 192.168.0.61 to access R1 via SNMP. Second, an SNMP View is configured which only permits access to a certain part of the SNMP MIB tree. In other words, even if the SNMP Manager can access R1, it will only be able to retrieve monitoring information about a limited number of system components.
R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#ip access-list standard EXAMPLE-ACL
R1(config-std-nacl)#permit host 192.168.0.61
R1(config-std-nacl)#
R1(config-std-nacl)#exit
R1(config)#
R1(config)#snmp-server view EXAMPLE-VIEW 1.3.6.1.4.1.9.9.109.1.1.1.1.4.1 included
R1(config)#
R1(config)#snmp-server community EXAMPLE-COMMUNITY view EXAMPLE-VIEW ro EXAMPLE-ACL
R1(config)#
R1(config)#exit
R1#
R1#show run | section ^snmp
snmp-server view EXAMPLE-VIEW cpmCPUTotalTable.1.4.1 included
snmp-server community EXAMPLE-COMMUNITY view EXAMPLE-VIEW RO EXAMPLE-ACL
snmp-server chassis-id
R1#
The SNMP View only allows the Manager to access the OID (Object ID) for CPU Uptime monitoring. The SNMP View configuration denies (excludes) access to any system component that is not explicitly included. If an excluded system component is queried with an SNMP Get request, R1 replies with a "NO_SUCH_OBJECT" SNMP Get response, as shown in the following debug output.
R1#show log | beg Log Buffer
Log Buffer (8192 bytes):

SNMP: Packet received via UDP from 192.168.0.61 on GigabitEthernet0/1
SNMP: Get request, reqid 35651, errstat 0, erridx 0
 ciscoMemoryPoolEntry.6.1 = NULL TYPE/VALUE
 ciscoMemoryPoolEntry.5.1 = NULL TYPE/VALUE
 ciscoMemoryPoolEntry.6.2 = NULL TYPE/VALUE
 ciscoMemoryPoolEntry.5.2 = NULL TYPE/VALUE
SrDoSnmp: received get pdu
CheckClassMIBView: all excluded
No such object.
CheckClassMIBView: all excluded
No such object.
CheckClassMIBView: all excluded
No such object.
CheckClassMIBView: all excluded
No such object.
SNMP: Response, reqid 35651, errstat 0, erridx 0
 ciscoMemoryPoolEntry.6.1 = NO_SUCH_OBJECT_EXCEPTION
 ciscoMemoryPoolEntry.5.1 = NO_SUCH_OBJECT_EXCEPTION
 ciscoMemoryPoolEntry.6.2 = NO_SUCH_OBJECT_EXCEPTION
 ciscoMemoryPoolEntry.5.2 = NO_SUCH_OBJECT_EXCEPTION
SNMP: Packet sent via UDP to 192.168.0.61
process_mgmt_req_int: UDP packet being de-queued
[...]
In the following scenario, additional data is included in the SNMP configuration on R1. Contact information and a location are added; these appear in R1's configuration but have no effect on SNMP traffic flow or data retrieval.
Meanwhile, the IP DSCP value 48 (CS6) is assigned to SNMP packets originating from R1. This translates to the IP Precedence value 6. The default SNMP DSCP value is 0 which is reserved for the lowest priority best effort traffic.
R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#snmp-server community EXAMPLE-COMMUNITY
R1(config)#snmp-server contact EXAMPLE-CONTACT
R1(config)#snmp-server location EXAMPLE-LOCATION
R1(config)#snmp-server ip dscp 48
R1(config)#
R1(config)#exit
R1#
Network Control services such as the routing protocol OSPF, the fast failure detection protocol BFD, as well as DHCP, NHRP, and NTP all use the IP DSCP value 48 by default. A notable exception is the routing protocol EIGRP for IPv6 which uses DSCP value 56 (CS7).
SNMPv3 requires the configuration of a username, even with the NoAuthNoPriv security level. The username is added to SNMPv3 packets in cleartext. Optionally, password authentication can be configured; the authentication password is hashed before transmission between the SNMP Agent and Manager. Additionally, the message data (MIB OID values) can be encrypted; this is called the AuthPriv security level.
SNMPv3 does not use a community string. Three parts are often combined when configuring SNMPv3: a view, a group, and the username. In case the SNMP view is not configured, a default read-only view will be automatically used.
In the following example, a minimal SNMPv3 configuration is applied on R1 without user authentication and without SNMP message encryption. Furthermore, no SNMP View is configured, so the default View is added to the SNMP Group. This lets the SNMP Manager access the entire MIB OID tree on R1.
R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#snmp-server group EXAMPLE-GROUP v3 noauth
R1(config)#
R1(config)#snmp-server user EXAMPLE-USER EXAMPLE-GROUP v3
R1(config)#
R1(config)#exit
R1#
R1#show snmp user

User name: EXAMPLE-USER
Engine ID: 8000000903005254001368E6
storage-type: nonvolatile        active
Authentication Protocol: None
Privacy Protocol: None
Group-name: EXAMPLE-GROUP

R1#
R1#show snmp group | begin EXAMPLE
groupname: EXAMPLE-GROUP                    security model:v3 noauth
contextname: <no context specified>         storage-type: nonvolatile
readview : v1default                        writeview:
notifyview: <no notifyview specified>
row status: active

R1#
R1#show snmp stats oid
time-stamp                 #of times requested  OID
10:25:59 UTC Mar 4 2025    104                  cpmCPUTotalTable.1.4
10:25:54 UTC Mar 4 2025    104                  sysUpTime
10:25:54 UTC Mar 4 2025    104                  ifAlias
10:25:54 UTC Mar 4 2025    104                  ifHCOutOctets
10:25:54 UTC Mar 4 2025    104                  ifHCInOctets
10:25:49 UTC Mar 4 2025    208                  ciscoMemoryPoolEntry.5
10:25:49 UTC Mar 4 2025    208                  ciscoMemoryPoolEntry.6
R1#
In the following example, SNMPv3 is configured with user authentication and without encryption. This means R1 and the SNMP Manager need to have an identical pre-shared key (password). A hash value is created from the password on both devices using SHA. The hash parameter is transmitted in SNMP messages between R1 and the SNMP Manager. Meanwhile, the SNMP system monitoring data is not encrypted.
R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#snmp-server view EXAMPLE-VIEW iso included
R1(config)#
R1(config)#snmp-server group EXAMPLE-GROUP v3 auth read EXAMPLE-VIEW
R1(config)#
R1(config)#snmp-server user EXAMPLE-USER EXAMPLE-GROUP v3 auth sha P4SSW0RD
R1(config)#
R1(config)#exit
R1#
R1#show snmp user

User name: EXAMPLE-USER
Engine ID: 8000000903005254001368E6
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: EXAMPLE-GROUP

R1#
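The "hash value created from the password on both devices" is, in RFC 3414 terms, the User-based Security Model key derivation: the password is expanded and hashed to a key Ku, then localized to one agent's Engine ID so that the same password yields a different key on every device, and what actually travels in each message is an HMAC-SHA-96 authentication parameter computed with that localized key, never the password or the key itself. The following added example (not code from the page or its author) carries that derivation through with the Engine ID and password shown on R1 above and checks it against the SHA key-localization test vector published in RFC 3414 appendix A.3.2. The message bytes are a constructed stand-in for a real SNMPv3 message, and the function names are this example's own.

```python
import hashlib
import hmac

# Engine ID reported by 'show snmp user' on R1 on this page.
ENGINE_ID_R1 = bytes.fromhex("8000000903005254001368E6")

# Constructed stand-in for the serialized SNMPv3 message. On the wire the
# 12-byte msgAuthenticationParameters field is zero-filled while the HMAC is
# computed, then overwritten with the result.
SAMPLE_MESSAGE = b"constructed SNMPv3 message with authParam=" + bytes(12) + b" and a GetRequest PDU"


def usm_password_to_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to 1,048,576 bytes),
    then localize to one engine: Kul = H(Ku || engineID || Ku)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    ku = hashlib.new(algo, expanded).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_param_sha96(localized_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-96 (RFC 3414 section 6): HMAC-SHA-1 over the whole message,
    truncated to the first 12 bytes. This is what the agent and manager exchange."""
    return hmac.new(localized_key, message, hashlib.sha1).digest()[:12]


def verify_auth_param(localized_key: bytes, message: bytes, received: bytes) -> bool:
    """Receiver side: recompute and compare in constant time. A wrong password,
    a key localized to a different Engine ID, or any modified byte fails here."""
    return hmac.compare_digest(auth_param_sha96(localized_key, message), received)


if __name__ == "__main__":
    kul = usm_password_to_key("P4SSW0RD", ENGINE_ID_R1)
    param = auth_param_sha96(kul, SAMPLE_MESSAGE)
    print("localized key:", kul.hex())
    print("authParam   :", param.hex())
    print("verifies    :", verify_auth_param(kul, SAMPLE_MESSAGE, param))
```

Two consequences fall out of the derivation: a manager must learn the agent's Engine ID before it can authenticate anything (which is why the "No matching Engine ID" failure appears in the debug output later on this page), and a captured authParam does not reveal the password, although an offline guess against it is still possible, so the AuthPriv level with a strong passphrase remains the recommendation.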
In the following example, SNMPv3 is configured to authenticate the username and password, and to encrypt the SNMP messages transmitted between R1 and the SNMP Manager. Specifically, only the monitored and queried system data carried in the messages is encrypted.
R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#ip access-list standard EXAMPLE-ACL
R1(config-std-nacl)#permit host 192.168.0.61
R1(config-std-nacl)#
R1(config-std-nacl)#exit
R1(config)#
R1(config)#snmp-server view EXAMPLE-VIEW iso included
R1(config)#
R1(config)#snmp-server group EXAMPLE-GROUP v3 priv read EXAMPLE-VIEW access EXAMPLE-ACL
R1(config)#
R1(config)#snmp-server user EXAMPLE-USER EXAMPLE-GROUP v3 auth sha P4SSW0RD1 priv aes 128 P4SSW0RD2
R1(config)#
R1(config)#exit
R1#
R1#show snmp user

User name: EXAMPLE-USER
Engine ID: 8000000903005254001368E6
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: EXAMPLE-GROUP

R1#
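The SNMPv2c section above (default community, read-write access, ACL and View restrictions) and the SNMPv3 section (noauth, auth and priv security levels) together describe the settings a reviewer looks for in a `show run | section ^snmp` excerpt. The following added example (not code from the page or its author) audits such an excerpt offline and rates each line, so the same checks can be run over many device configurations. The sample configuration is constructed from lines shown on this page plus a hypothetical hardened group SECURE-GROUP for contrast; the severity scale, the finding messages and the DEFAULT_COMMUNITIES set are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample: 'show run | section ^snmp' style excerpt mixing the weak and
# hardened settings from this page (SECURE-GROUP is hypothetical).
SAMPLE_CONFIG = """\
snmp-server view EXAMPLE-VIEW cpmCPUTotalTable.1.4.1 included
snmp-server community public
snmp-server community EXAMPLE-COMMUNITY2 rw
snmp-server community EXAMPLE-COMMUNITY view EXAMPLE-VIEW RO EXAMPLE-ACL
snmp-server group EXAMPLE-GROUP v3 noauth
snmp-server group SECURE-GROUP v3 priv read EXAMPLE-VIEW access EXAMPLE-ACL
snmp-server host 192.168.0.61 version 2c public
snmp-server host 192.168.0.61 version 3 priv EXAMPLE-USER
snmp-server chassis-id
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # assumed vendor defaults


@dataclass
class Finding:
    severity: str   # HIGH / MEDIUM / LOW / INFO
    line: str
    message: str


def _audit_community(args: List[str], line: str) -> List[Finding]:
    """snmp-server community <string> [view <name>] [ro|rw] [<acl>]"""
    name, rest = args[0], args[1:]
    view = acl = None
    mode = "ro"                       # IOS default when neither ro nor rw is given
    i = 0
    while i < len(rest):
        tok = rest[i].lower()
        if tok == "view" and i + 1 < len(rest):
            view, i = rest[i + 1], i + 2
        elif tok in ("ro", "rw"):
            mode, i = tok, i + 1
        else:
            acl, i = rest[i], i + 1   # trailing word is the access list
    out = []
    if name.lower() in DEFAULT_COMMUNITIES:
        out.append(Finding("HIGH", line, "default community string"))
    if mode == "rw":
        out.append(Finding("HIGH", line, "read-write community permits configuration changes"))
    if acl is None:
        out.append(Finding("MEDIUM", line, "no ACL limits which managers may poll"))
    if view is None:
        out.append(Finding("LOW", line, "no view: the entire MIB tree is readable"))
    out.append(Finding("INFO", line, "SNMPv1/v2c community travels in cleartext"))
    return out


def _audit_v3_level(level: str, line: str, what: str) -> List[Finding]:
    if level == "noauth":
        return [Finding("HIGH", line, f"SNMPv3 {what} without authentication")]
    if level == "auth":
        return [Finding("MEDIUM", line, f"SNMPv3 {what} authenticated but not encrypted")]
    return []                          # priv: authenticated and encrypted


def audit_snmp_config(config_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue
        kind = tokens[1]
        if kind == "community":
            findings += _audit_community(tokens[2:], line)
        elif kind == "group" and len(tokens) >= 5 and tokens[3] == "v3":
            findings += _audit_v3_level(tokens[4], line, "group")
        elif kind == "host" and "version" in tokens:
            args = tokens[tokens.index("version") + 1:]      # also handles 'informs version ...'
            if len(args) > 1 and args[0] in ("1", "2c"):
                if args[1].lower() in DEFAULT_COMMUNITIES:
                    findings.append(Finding("HIGH", line, "default community for trap/inform destination"))
                findings.append(Finding("INFO", line, "SNMPv1/v2c notifications carry the community in cleartext"))
            elif len(args) > 1 and args[0] == "3":
                findings += _audit_v3_level(args[1], line, "notification host")
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.message}\n    {f.line}")
    print(count_by_severity(audit_snmp_config(SAMPLE_CONFIG)))
```

On the sample, the one community line that passes with only an informational note is the ACL-plus-View one from the restricted-access example, and the only SNMPv3 lines that produce no finding at all are those at the priv level; that matches the page's recommendation that SNMPv3 with AuthPriv be used where security is a concern.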
SNMP traps and informs are event-driven proactive notification messages designed to signal an unexpected failure or other change of state in a monitored system. Traps and informs are sent from the SNMP Agent to the SNMP Manager destined to UDP port 162. An SNMP trap does not require acknowledgement, however an inform message is acknowledged by the SNMP Manager.
Trap notifications for different monitored services need to be enabled in configuration, either separately or all at once. The trap destination IP address (or destination hostname/domain name) needs to be added as well. Trap messages can be sent over SNMPv2 or SNMPv3 as shown in the next sections of this blog post.
In the following example, all SNMP traps are enabled, and trap messages will be sent to the IP address 192.168.0.61 (SNMP Manager), destined to UDP port 162. This may result in a large amount of unsolicited, event-driven SNMP data arriving at the Manager, not all of which may be necessary.
R1>
R1>enable
Password:
R1#
R1#show run | section ^snmp
snmp-server chassis-id
R1#
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#snmp-server enable traps
R1(config)#
R1(config)#snmp-server host 192.168.0.61 version 2c public
R1(config)#
R1(config)#exit
R1#
R1#show run | section ^snmp
snmp-server chassis-id
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps pfr
snmp-server enable traps flowmon
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps ethernet evc status create delete
snmp-server enable traps diameter
snmp-server enable traps vrrpv3
snmp-server enable traps auth-framework sec-violation auth-fail
snmp-server enable traps trustsec-sxp conn-srcaddr-err msg-parse-err conn-config-err binding-err conn-up conn-down binding-expn-fail oper-nodeid-change binding-conflict
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bfd
snmp-server enable traps bgp cbgp2
snmp-server enable traps bstun
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dlsw
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps dsp video-usage
snmp-server enable traps dsp video-out-of-resource
snmp-server enable traps entity-ext
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps mempool
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls fast-reroute protected
snmp-server enable traps mpls rfc ldp
snmp-server enable traps mpls ldp
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps stun
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps pw vc
snmp-server enable traps waas
snmp-server enable traps event-manager
snmp-server enable traps lisp
snmp-server enable traps firewall serverstatus
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps pki
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-rekey-pushed
snmp-server enable traps gdoi gm-incomplete-cfg
snmp-server enable traps gdoi ks-no-rsa-keys
snmp-server enable traps gdoi ks-new-registration
snmp-server enable traps gdoi ks-reg-complete
snmp-server enable traps gdoi ks-role-change
snmp-server enable traps gdoi ks-gm-deleted
snmp-server enable traps gdoi ks-peer-reachable
snmp-server enable traps gdoi ks-peer-unreachable
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps rf
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps mpls vpn
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 192.168.0.61 version 2c public
R1#
In the following example, three groups of trap messages (snmp, ospf and ipsla) are enabled on R1. The first of these is described below.
The command snmp-server enable traps snmp enables a group of standard "generic traps" that were originally defined in RFC 1215. This includes trap messages triggered by a device restart, interface state change (link up/down), and SNMP Manager authentication failure. An authentication failure may produce the following SNMP debug output on a Cisco device.
SNMP: Packet received via UDP from 192.168.0.61 on GigabitEthernet0/1
SrParseV3SnmpMessage: No matching Engine ID.
SrParseV3SnmpMessage: Failed.
SrDoSnmp: authentication failure, Unknown Engine ID
SNMP: Report, reqid 3479, errstat 0, erridx 0
 internet.6.3.15.1.1.4.0 = 1210
SNMP: Packet sent via UDP to 192.168.0.61
process_mgmt_req_int: UDP packet being de-queued
SNMP: Packet received via UDP from 192.168.0.61 on GigabitEthernet0/1
SrParseV3SnmpMessage: Wrong User Name.
SrParseV3SnmpMessage: Failed.
SrDoSnmp: authentication failure, Unknown User Name
SNMP: Report, reqid 2147483647, errstat 0, erridx 0
 internet.6.3.15.1.1.3.0 = 1210
SNMP: Packet sent via UDP to 192.168.0.61
R1>
R1>enable
Password:
R1#
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#snmp-server host 192.168.0.61 version 2c public
R1(config)#
R1(config)#snmp-server enable traps snmp
R1(config)#
R1(config)#snmp-server enable traps ospf
R1(config)#
R1(config)#snmp-server enable traps ipsla
R1(config)#
R1(config)#exit
R1#
R1#show run | section ^snmp
snmp-server chassis-id
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps ipsla
snmp-server host 192.168.0.61 version 2c public
R1#
In the following example, SNMPv3 trap messages are enabled for a group of standard "generic traps". As a result, when a link status changes (up/down) on R1, an SNMPv3 trap message is sent to the SNMP Manager located at the IP address 192.168.0.61.
R1>
R1>enable
Password:
R1#
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#snmp-server group EXAMPLE-GROUP v3 noauth
R1(config)#
R1(config)#snmp-server user EXAMPLE-USER EXAMPLE-GROUP v3
R1(config)#
R1(config)#snmp-server enable traps snmp
R1(config)#
R1(config)#snmp-server host 192.168.0.61 version 3 noauth EXAMPLE-USER snmp
R1(config)#
R1(config)#exit
R1#
R1#show run | section ^snmp
snmp-server user EXAMPLE-USER EXAMPLE-GROUP v3
snmp-server group EXAMPLE-GROUP v3 noauth
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host 192.168.0.61 version 3 noauth EXAMPLE-USER snmp
R1#
In the following example, all SNMP traps are enabled. However, instead of sending trap messages, R1 sends inform requests to the SNMP Manager located at the IP address 192.168.0.61, and each inform is acknowledged by the Manager.
R1>
R1>enable
Password:
R1#
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#snmp-server enable traps
R1(config)#
R1(config)#snmp-server host 192.168.0.61 informs version 2c public
R1(config)#
R1(config)#exit
R1#
NETCONF (RFC 6241) and RESTCONF (RFC 8040) are network management protocols that cover the monitoring features offered by SNMP. In addition, NETCONF/RESTCONF enable API-based programmatic interaction with network devices, an important aspect of automation that is widely used in SD-WAN deployments and in subscription-based telemetry for near real-time network monitoring.
NETCONF communicates over SSH (TCP port 830) or DTLS/TLS, and RESTCONF uses HTTPS to exchange protocol messages. Both of these transports provide strong security features by default. By contrast, among the SNMP versions only SNMPv3 provides options for authentication and encryption (the AuthPriv security level).
NETCONF/RESTCONF use the YANG structured data model to deliver device configuration and network management information. This is in contrast to the SNMP MIB OID tree model.
You can find more information at the following external links:
Cisco - Configure SNMP Community Strings
Cisco - Cisco IOS SNMP Support Command Reference
Cisco - Chapter: Model-Driven Telemetry
Cisco Community - Configuration Template for SNMPv3
RFC 3416 - Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
RFC 3414 - User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)