
SNMP — Simple Network Management Protocol

How monitoring systems pull metrics and receive alerts from network devices. Covers SNMPv1/v2c/v3, community strings, traps vs informs, MIB / OID navigation, and why SNMPv3 is the only one acceptable in 2026.

TL;DR
  • SNMP is the old-but-still-everywhere protocol for network monitoring. Manager polls agents (GET) or agents push alerts (TRAP).
  • Three versions: v1 (broken), v2c (community-string auth, plaintext), v3 (encryption + per-user auth).
  • In 2026 use v3 always for production. v2c only on isolated management networks where you accept the risk.

Mental model

You manage 50 switches. You want to know: is each one up? CPU load? Interface utilization? Memory? Bandwidth on Gi0/24 over the last hour?

SNMP is the protocol that lets your monitoring system pull this info from every device on a schedule, and lets devices push critical events to your system in real time.

Two flows:

  • Polling (GET) — manager asks agent: “what’s your CPU?” every 5 minutes.
  • Traps (asynchronous) — agent pushes: “my interface just went down.” Immediately.

For 25 years, SNMP has been the dominant network monitoring protocol. It’s being replaced by streaming telemetry (gRPC / NETCONF subscriptions, see NETCONF & YANG), but you’ll meet SNMP on every device for a long time yet.

Three versions — only v3 is OK for production

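Version | Auth                                   | Encryption                  | Use?
--------|----------------------------------------|-----------------------------|---------------------------
v1      | Community string (plain text)          | None                        | Never
v2c     | Community string (plain text)          | None                        | Only on isolated mgmt VLANs
v3      | Username + password (hashed/encrypted) | Optional AES-256 encryption | Yes — production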

Community strings in v1/v2c are essentially passwords sent in plain text. Anyone sniffing the management network can read them. Anyone reading them can poll your devices and read all configuration.

SNMPv3 uses real authentication (HMAC-SHA) and optional encryption (AES). It’s not perfect (still UDP, replay protection is finicky) but it’s the only acceptable choice for production.
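
What a sniffer on the management network learns from one datagram, as an added example that is not part of the original page: a minimal BER reader pulls the version and community out of the outer SNMP header. The packets are constructed sample data, and the names `read_tlv`, `inspect_snmp` and `tlv` are illustrative.

```python
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}  # values of the version field


def read_tlv(buf, pos):
    """Decode one BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(datagram):
    """Return what a passive observer learns from the outer SNMP header."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (expected SEQUENCE)")
    _, ver, pos = read_tlv(body, 0)  # INTEGER version
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    info = {"version": version, "community": None, "finding": "ok"}
    if version in ("v1", "v2c"):
        _, community, _ = read_tlv(body, pos)  # OCTET STRING, not encrypted
        info["community"] = community.decode("ascii", "replace")
        default = info["community"] in ("public", "private")
        info["finding"] = ("default " if default else "") + "community in clear text"
    return info


def tlv(tag, value):
    """Build a short-form BER element (constructed samples are < 128 bytes)."""
    return bytes([tag, len(value)]) + value


# Constructed v2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
OID = bytes.fromhex("2b06010201010100")
PDU = tlv(0xA0, tlv(2, b"\x01") + tlv(2, b"\x00") + tlv(2, b"\x00")
          + tlv(0x30, tlv(0x30, tlv(6, OID) + tlv(5, b""))))
V2C_GET = tlv(0x30, tlv(2, b"\x01") + tlv(4, b"public") + PDU)
V3_STUB = tlv(0x30, tlv(2, b"\x03") + tlv(0x30, tlv(2, b"\x01")))  # constructed v3 skeleton

if __name__ == "__main__":
    for pkt in (V2C_GET, V3_STUB):
        print(inspect_snmp(pkt))
```

The same check run over a capture of UDP 161/162 gives a quick inventory of which devices still speak v1/v2c.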

SNMP messages

Message                   | Direction       | Purpose
--------------------------|-----------------|------------------------------------------------------------------
GET / GET-NEXT / GET-BULK | Manager → Agent | Read one or many values
SET                       | Manager → Agent | Write a value (rare in practice — usually monitoring is read-only)
RESPONSE                  | Agent → Manager | Reply to GET / SET
TRAP                      | Agent → Manager | Async alert. Fire-and-forget.
INFORM                    | Agent → Manager | Acknowledged alert (more reliable than trap)

For CCNA: know GET, TRAP, INFORM. TRAP vs INFORM — the difference is whether the manager acknowledges receipt. INFORM is retried if the manager doesn’t ACK. TRAP is sent once and forgotten.

Ports

  • UDP 161 — agent (polled by manager)
  • UDP 162 — manager (receives traps from agents)

Both UDP, so neither is guaranteed delivery. SNMP traps in particular can be lost.

MIB and OID — the data model

SNMP data lives in a MIB (Management Information Base), a hierarchical tree of values. Every node in the tree has a unique OID (Object Identifier), like 1.3.6.1.2.1.2.2.1.10.1 (the inbound octet counter, ifInOctets, for the interface with ifIndex 1, for example Gi0/0).

Real OIDs are unreadable. You’ll work with named MIBs:

ifInOctets.1            ← human form
1.3.6.1.2.1.2.2.1.10.1  ← OID form

Common MIBs you’ll touch:

  • IF-MIB — interface stats (counters, errors, status)
  • HOST-RESOURCES-MIB — CPU, memory, storage
  • CISCO-PROCESS-MIB — Cisco-specific CPU details
  • CISCO-MEMORY-POOL-MIB — Cisco memory details
  • BGP4-MIB, OSPF-MIB — routing protocol state

Monitoring systems (PRTG, SolarWinds, LibreNMS, Zabbix) ship with pre-built MIBs and templates — you rarely need to look up OIDs by hand.

Commands — SNMPv3

! Create a view limiting what can be read (good practice)
SW1(config)# snmp-server view READ-VIEW iso included
! Exclude the SNMP configuration subtree (snmpModules) from the view
SW1(config)# snmp-server view READ-VIEW 1.3.6.1.6.3 excluded

! Create an SNMPv3 group
SW1(config)# snmp-server group ADMINS v3 priv read READ-VIEW

! Create an SNMPv3 user (auth + privacy)
SW1(config)# snmp-server user monitor ADMINS v3 auth sha auth-password priv aes 256 priv-password

! Where to send traps
SW1(config)# snmp-server host 10.0.99.5 version 3 priv monitor

! Enable trap types
SW1(config)# snmp-server enable traps
SW1(config)# snmp-server enable traps snmp linkdown linkup coldstart warmstart
SW1(config)# snmp-server enable traps config
SW1(config)# snmp-server enable traps cpu threshold

Commands — SNMPv2c (only on isolated networks)

! Read-only community ("public" is a placeholder; set a unique string)
SW1(config)# snmp-server community public RO

! Read-write — basically gives full control. Use sparingly.
SW1(config)# snmp-server community secret RW

! ACL restricting which IPs can query
SW1(config)# ip access-list standard SNMP-ALLOWED
SW1(config-std-nacl)# permit host 10.0.99.5
SW1(config)# snmp-server community public RO SNMP-ALLOWED

! Trap host
SW1(config)# snmp-server host 10.0.99.5 version 2c public

Verification

SW1# show snmp
SW1# show snmp user
SW1# show snmp host
SW1# show snmp group
SW1# show snmp view

From your laptop (Linux/macOS), test with snmpwalk:

$ snmpwalk -v3 -l authPriv -u monitor -a SHA -A auth-password \
    -x AES -X priv-password 10.0.0.1 ifDescr

If you get back the list of interface descriptions, SNMPv3 is working.

Common mistakes

  1. Using v2c with default communities (public / private). Anyone on the management VLAN can poll your devices. Always set unique community strings — or better, use v3.

  2. Read-write community enabled with default password. An attacker who guesses the community can reconfigure everything via SNMP SET. Use RO only unless you actively need writes; if you do, grant write access through v3 with long random passwords rather than a community string.

  3. No ACL on SNMP. Polling can come from anyone if no ACL is set. Always restrict by source IP.

  4. Traps over UDP, no fallback. UDP traps can be lost. For critical alerts, use INFORM (acknowledged) instead.

  5. Polling too aggressively. 1-second polls on 500 devices = constant CPU on devices. Match polling rate to monitoring need (1-5 min is typical).

  6. Confusing community string with username. v2c uses a community string (one “password” shared by everyone). v3 uses per-user credentials. v3 is properly authenticated; v2c is not.

  7. Forgetting snmp-server enable traps. Configured a trap host but no events arriving? Probably forgot to enable specific trap types globally.
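
A small audit for mistakes 1, 2, 3 and 7 above, plus v3 groups configured without priv, added here as an example and not taken from the original page. It handles only the command forms shown on this page; the function name `audit_snmp`, the `LEGACY` group and the `n0c-ro-7f3a` community are made up for the sample.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "SW1(config)# "
COMMUNITY = re.compile(r"snmp-server community (\S+) (RO|RW)(?:\s+(\S+))?$", re.I)
GROUP = re.compile(r"snmp-server group (\S+) v3 (noauth|auth|priv)\b", re.I)
HOST = re.compile(r"snmp-server host (\S+) version (1|2c|3)\b", re.I)


def audit_snmp(config):
    """Return (command, finding) pairs for the mistakes listed above."""
    out, trap_host, traps_enabled = [], False, False
    for raw in config.splitlines():
        cmd = PROMPT.sub("", raw.strip())
        if m := COMMUNITY.match(cmd):
            name, mode, acl = m.groups()
            if name.lower() in DEFAULT_COMMUNITIES:
                out.append((cmd, "default community string"))
            if mode.upper() == "RW":
                out.append((cmd, "read-write community allows SNMP SET"))
            if acl is None:
                out.append((cmd, "no ACL restricting source IPs"))
        elif m := GROUP.match(cmd):
            if m.group(2).lower() != "priv":
                out.append((cmd, "v3 group without priv, payload not encrypted"))
        elif m := HOST.match(cmd):
            trap_host = True
            if m.group(2) != "3":
                out.append((cmd, "traps carry a plain-text community"))
        elif cmd.lower().startswith("snmp-server enable traps"):
            traps_enabled = True
    if trap_host and not traps_enabled:
        out.append(("(global)", "trap host set but no trap types enabled"))
    return out


# Constructed sample; lines 1, 2 and 6 reuse the v2c commands from this page.
SAMPLE = """\
SW1(config)# snmp-server community public RO
SW1(config)# snmp-server community secret RW
snmp-server community n0c-ro-7f3a RO SNMP-ALLOWED
snmp-server group ADMINS v3 priv read READ-VIEW
snmp-server group LEGACY v3 auth read READ-VIEW
snmp-server host 10.0.99.5 version 2c public
"""

if __name__ == "__main__":
    for cmd, finding in audit_snmp(SAMPLE):
        print(f"{finding:45} <- {cmd}")
```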

Lab to try tonight

  1. Install LibreNMS, PRTG, or any SNMP monitoring tool (free tier available for most).
  2. Configure SNMPv3 on a Cisco router using the commands above. Use strong passwords.
  3. Add the device to your monitoring tool with SNMPv3 credentials.
  4. Verify metrics appear (CPU, interface utilization, uptime).
  5. shutdown an interface — verify a trap arrives in the monitoring tool.
  6. From CLI: snmpwalk -v3 ... against the device. Match the values to what the GUI shows.
  7. Bonus: install a v2c community and try snmpwalk -v2c -c public .... Notice the plain-text community in tcpdump capture.

Cheat strip

Concept                | Plain English
-----------------------|----------------------------------------------------------
SNMPv1 / v2c           | Community-string auth, plain text. Don’t use in 2026.
SNMPv3                 | Per-user, hashed auth, optional AES encryption. Use this.
Manager                | The polling / receiving system
Agent                  | The device being polled
GET                    | Manager reads from agent
TRAP                   | Agent pushes event to manager (UDP, no ACK)
INFORM                 | Agent pushes event, waits for ACK (more reliable)
OID                    | Object Identifier — tree path like 1.3.6.1.2.1.2.2.1.10.1
MIB                    | Module defining a chunk of OIDs (IF-MIB, etc.)
UDP 161                | Polling (agent listening)
UDP 162                | Traps (manager listening)
Read-only / read-write | RO is safe; RW = remote config. Limit RW carefully.