Home > Articles > Cisco > CCNP Routing and Switching

CCNP SWITCH 642-813: Simple Network Management Protocol (SNMP)

  • Print
  • + Share This
A key topic on the CCNP SWITCH exam, The Simple Network Management Protocol (SNMP) is a protocol that allows a network device to share information about itself and its activities In this article, expert network architect and author of best-selling CCNP SWITCH 642-813 Official Certification Guide Dave Hucaby helps you understand the basics of how SNMP works and the differences between the different SNMP versions as well as how you might apply SNMP to monitor a switched network.
From the author of

The Simple Network Management Protocol (SNMP) is a protocol that allows a network device to share information about itself and its activities. A complete SNMP system consists of the following parts:

  • SNMP manager—A network management system that uses SNMP to poll and receive data from any number of network devices. The SNMP manager is usually an application that runs in a central location.
  • SNMP agent—A process that runs on the network device being monitored. All types of data are gathered by the device itself and stored in a local database. The agent can then respond to SNMP polls and queries with information from the database and it can send unsolicited alerts or “traps” to an SNMP manager.

In the case of Catalyst switches in the network, each switch automatically collects data about itself, its resources, and each of its interfaces. This data is stored in a Management Information Base (MIB) database in memory, and is updated in real time.

The MIB is organized in a structured, hierarchical fashion, forming a tree structure. In fact, the entire MIB is really a collection of variables that are stored in individual, more granular MIBs that form the branches of the tree. Each MIB is based on the Abstract Syntax Notation 1 (ASN.1) language. Each variable in the MIB is referenced by an object identifier (OID), a long string of concatenated indexes that follow the path from the root of the tree all the way to the variable’s location.

Fortunately, only the SNMP manager and agent need to be concerned with interpreting the MIBs. As far as the SWITCH exam and course go, you should just be aware that the MIB structure exists and that it contains everything that can be monitored about a switch.

To see any of the MIB data, an SNMP manager has to send an SNMP poll or query to the switch. The query contains the OID of the specific variable being requested so that the agent running on the switch knows what information to return. An SNMP manager can use the following mechanisms to communicate with an SNMP agent, all over UDP port 161:

  • Get Request—The value of one specific MIB variable is needed.
  • Get Next Request—The next or subsequent value following an initial Get Request is needed.
  • Get Bulk Request—Entire tables or lists of values in a MIB variable are needed.
  • Set Request—A specific MIB variable needs to be set to a value.

SNMP polls or requests are usually sent by the SNMP manager at periodic intervals. This makes real-time monitoring difficult, as changing variables won’t be noticed until the next poll cycle. However, SNMP agents can send unsolicited alerts to notify the SNMP manager of real-time events at any time. Alerts can be sent using the following mechanisms, over UDP port 162:

  • SNMP trap—News of an event (interface state change, device failure, and so on) is sent without any acknowledgement that the trap has been received.
  • Inform request—News of an event is sent to an SNMP manager, and the manager is required to acknowledge receipt by echoing the request back to the agent.

SNMP Versions

As network management has evolved, SNMP has developed into three distinct versions. The original, SNMP version 1 (SNMPv1), is defined in RFC1157. It uses simple one-variable Get and Set requests, along with simple SNMP traps. SNMP managers can gain access to SNMP agents by matching a simple “community” text string. When a manager wants to read or write a MIB variable on a device, it sends the community string in the clear, as part of the request. If that community string matches the agent’s community string, then the request is granted.

In theory, only managers and agents belonging to the same “community” should be able to communicate. In practice, any device has the potential to read or write variables to an agent’s MIB database by sending the right community string, whether it’s a legitimate SNMP manager or not. This creates a huge security hole in SNMPv1.

The second version of SNMP, SNMPv2C (RFC 1901), was developed to address some efficiency and security concerns. For example, SNMPv2c adds 64-bit variable counters, extending the useful range of values over the 32-bit counters used in SNMPv1. In addition, SNMPv2C offers the bulk request, making MIB data retrieval more efficient. It also offers inform requests, which make real-time alerts more reliable by requiring confirmation of receipt.

Despite the intentions of its developers, SNMPv2C does not address any security concerns over that of SNMPv1. SNMPv2C does offer 64-bit variable counters, which extend the capability to keep track of very large numbers like byte counters found on very high-speed interfaces. With SNMPv2C, MIB variables can be obtained in a bulk form with a single request. In addition, event notifications sent from an SNMPv2C agent can be in the form of SNMP traps or inform requests. The latter form requires an acknowledgment from the SNMP manager that the inform message was received.

The third generation of SNMP, SNMPv3, is defined in RFCs 3410 through 3415. It addresses the security features that are lacking in the earlier versions. SNMPv3 can authenticate SNMP managers through usernames. When usernames are configured on the SNMP agent of a switch, they can be organized into SNMPv3 group names.

Each SNMPv3 group is defined with a security level that describes the extent to which the SNMP data will be protected. Data packets can be authenticated to preserve their integrity, encrypted to obscure their contents, or both. The following security levels are available. The naming scheme uses “auth” to represent packet authentication and “priv” to represent data privacy or encryption.

  • noAuthNoPriv—SNMP packets are neither authenticated nor encrypted.
  • authNoPriv—SNMP packets are authenticated, but not encrypted.
  • authPriv—SNMP packets are authenticated and encrypted.

Catalyst switches offer one additional means of limiting SNMP access: An access list can be configured to permit only specific SNMP manager IP addresses. You should configure and apply an access list to your SNMP configurations whenever possible.

Because SNMP is a universal method for monitoring all sorts of network devices, it isn’t unique to LAN switches. Therefore, you should understand the basics of how SNMP works, the differences between the different SNMP versions, and how you might apply SNMP to monitor a switched network. You can use Table 1 as a memory aid for your exam study.

Table 1—A Comparison of SNMP Versions and Their Features



Data Protection

Unique Features


Community String


32-bit counters


Community String


Added bulk request and inform request message types, 64-bit counters


Username authentication

Hash-based MAC (SHA or MD5)

DES, 3DES, AES (128, 192, 256-bit) encryption

Added user authentication, data integrity, and encryption

Configuring SNMPv1 and SNMPv2C

You should be familiar with the basic SNMP configuration. Fortunately, this involves just a few commands, as follows:

Switch(config)# access-list access-list-number permit ip-addr
Switch(config)# snmp-server community string [ro | rw] [access-list-number]
Switch(config)# snmp-server host host-address community-string [trap-type]

First, define a standard IP access list that permits only the IP addresses of your SNMP agent machines. Then apply that access list to the SNMPv1 community string with the snmp-server community command. Use the ro keyword to allow read-only access by the SNMP manager; otherwise, use the rw keyword to allow both read and write access.

Finally, use the snmp-server host command to identify the IP address of the SNMP manager where SNMP traps will be sent. By default, all types of traps are sent. You can use the ? key in place of trap-type to see a list of the available trap types.

In Example 1, the switch is configured to allow SNMP polling from network management stations at and The community string MonitorIt is used to authenticate the SNMP requests. All possible SNMP traps are sent to

Example 1—Configuring SNMPv1 Access

Switch(config)# access-list 10 permit
Switch(config)# access-list 10 permit 
Switch(config)# snmp-server community MonitorIt ro 10
Switch(config)# snmp-server host MonitorIt

Configuring SNMPv2C

Configuring SNMPv2C is very similar to SNMPv1. The only difference is with SNMP trap or inform configuration. You can use the following commands to configure basic SNMPv2C operation:

Switch(config)# access-list access-list-number permit ip-addr
Switch(config)# snmp-server community string [ro | rw] [access-list-number]
Switch(config)# snmp-server host host-address [informs] version 2c community-string

In the snmp-server host command, use the version 2c keywords to identify SNMPv2C operation. By default, regular SNMP traps are sent. To use inform requests instead, add the informs keyword.

Configuring SNMPv3

SNMPv3 configuration is a bit more involved than versions 1 or 2C, due mainly to the additional security features.

Switch(config)# access-list access-list-number permit ip-addr
Switch(config)# snmp-server group group-name v3 {noauth | auth | priv}
Switch(config)# snmp-server user user-name group-name v3 auth {md5 | sha}
 auth-password priv {des | 3des | aes {128 | 192 | 256} priv-password [access-list-number]
Switch(config)# snmp-server host host-address [informs] version 3 {noauth | auth | priv}
 user-name [trap-type]

First, use the snmp-server group command to define a group-name that will set the security level policies for SNMPv3 users. The security level is defined by the noauth (no packet authentication or encryption), auth (packets are authenticated but not encrypted), or priv (packets are both authenticated and encrypted) keyword. Only the security policy is defined in the group; no passwords or keys are required yet.

Next, define a username that an SNMP manager will use to communicate with the switch. Use the snmp-server user command to define the user-name and associate it with the SNMPv3 group-name. The v3 keyword configures the user to use SNMPv3.

The SNMPv3 user must also have some specifics added to its security policy. Use the auth keyword to define either MD5 or SHA as the packet authentication method, along with the auth-password text string that will be used in the hash computation. The priv keyword defines the encryption method (DES, 3DES, or AES 128/192/256-bit), and the priv-password text string that will be used in the encryption algorithm.

The same SNMPv3 username, authentication method and password, and encryption method and password must also be defined on the SNMP manager so it can successfully talk to the switch.

Finally, you can use the snmp-server host command to identify the SNMP manager that will receive either traps or informs. The switch can use SNMPv3 to send traps and informs, using the security parameters that are defined for the SNMPv3 user-name.

In Example 2, a switch is configured for SNMPv3 operation. Access list 10 permits only stations at and with SNMP access. SNMPv3 access is defined for a group named NetOps, using the priv (authentication and encryption) security level. One SNMPv3 user named mymonitor is defined; the network management station will use that username when it polls the switch for information. The username will require SHA packet authentication and AES-128 encryption, using the s3cr3tauth and s3cr3tpr1v passwords, respectively.

Finally, SNMPv3 informs will be used to send alerts to station using the priv security level and username mymonitor.

Example 2—Configuring SNMPv3 Access

Switch(config)# access-list 10 permit
Switch(config)# access-list 10 permit
Switch(config)# snmp-server group NetOps v3 priv
Switch(config)# snmp-server user mymonitor NetOps v3 auth sha s3cr3tauth priv aes 128 s3cr3tpr1v 10
Switch(config)# snmp-server host informs version 3 priv mymonitor
  • + Share This
  • 🔖 Save To Your Account