Configuring Simple Network Management Protocol

SNMP versions and security models

This software release supports SNMPv1, SNMPv2C, and SNMPv3. Each version offers distinct features and security models to manage network devices effectively.

Supported SNMP versions

  • SNMPv1: The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.

  • SNMPv2C: The community-string-based administrative framework for SNMPv2, an experimental internet protocol defined in RFC 1901. It retains the bulk retrieval and improved error handling of SNMPv2Classic.

  • SNMPv3: An interoperable standards-based protocol defined in RFCs 2273 to 2275. It provides secure access to devices through these features:

    • Message integrity ensures that a packet was not tampered with in transit.

    • Authentication determines that the message is from a valid source.

    • Encryption prevents unauthorized sources from reading packet contents.


    Note


    Both SNMPv1 and SNMPv2C use a community-based form of security. The management station access is defined by an IP address access control list and a password.


SNMPv3 security models and levels

SNMPv3 provides security models and levels. A security model is an authentication strategy set up for a user and their group. A security level defines the type of security permitted in a security model. Available security models include SNMPv1, SNMPv2C, and SNMPv3.


Note


To select encryption, enter the priv keyword.

The table identifies characteristics and compares combinations of security models and levels:

Table 1. SNMP security models and levels

Model | Level | Authentication | Encryption | Result
SNMPv1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
SNMPv2C | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
SNMPv3 | noAuthNoPriv | Username | No | Uses a username match for authentication.
SNMPv3 | authNoPriv | MD5 or SHA | No | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
SNMPv3 | authPriv | MD5 or SHA | Data Encryption Standard (DES) or Advanced Encryption Standard (AES) | Provides authentication based on HMAC-MD5 or HMAC-SHA algorithms and allows this encryption: DES 56-bit encryption; 3DES 168-bit encryption; AES 128-bit, 192-bit, or 256-bit encryption.

Guidelines and limitations

  • SNMPv1 does not support informs.

  • To prevent SNMPv3 authentication failures, manually configure the SNMP engineID before adding SNMPv3 users. This process ensures that the user is associated with the correct engineID, enabling consistent device management.

SNMP overview

SNMP is a network management protocol used to monitor and manage network devices.

SNMP system components

An SNMP system consists of these components:

  • SNMP manager: A system, often part of a network management system (NMS), that requests or changes values in the MIB.

  • SNMP agent: A software component residing on the device that gathers data from the MIB and responds to manager requests.

  • Management information base (MIB): A repository that stores information about device parameters and network data. The agent and MIB reside on the device.

SNMP communication

SNMP enables managers to request or change MIB variable values on agents, and agents to respond or send traps to managers.

  • The SNMP agent contains MIB variables whose values the SNMP manager can request or change.

  • The agent gathers data from the MIB, which stores information about device parameters and network data.

  • An agent can send unsolicited traps to the manager, alerting the SNMP manager to network conditions.

Traps can indicate events such as improper user authentication, device restarts, link status changes, MAC address tracking, TCP connection closure, or loss of connection to a neighbor.

SNMP manager functions

  • The SNMP manager uses information in the MIB to perform various operations for network management.

  • Key SNMP operations include retrieving, storing, and responding to variable values, as well as handling unsolicited messages from agents.

SNMP manager operations

The table describes the main SNMP operations performed by the SNMP manager using the MIB.

Table 2. SNMP Operations

Operation | Description
get-request | Retrieves a value from a specific variable.
get-next-request | Retrieves a value from a variable within a table. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.
get-bulk-request | Retrieves large blocks of data, such as multiple rows in a table, to minimize transmissions. This operation requires SNMPv2 or later.
get-response | Replies to a get-request, get-next-request, or set-request sent by an NMS.
set-request | Stores a value in a specific variable.
trap | Sends an unsolicited message from an SNMP agent to an SNMP manager when an event occurs.


Note


Exclude the ciscoFlashFileDate MIB object from SNMP manager queries to prevent performance issues. Although this object is published in the MIB, it is not supported on the product.


SNMP agent functions

The SNMP agent is a software component that receives and responds to requests from one or more SNMP managers. The agent tracks the NMS IP address, the number of polls, and the polling timestamp for both IPv4 and IPv6 servers.

SNMP agent request handling

The SNMP agent performs these functions in response to NMS requests:

  • Get a MIB variable: The agent retrieves the value of the requested MIB variable and sends the value to the NMS.

  • Set a MIB variable: The agent retrieves the value of the requested MIB variable and sends the value to the NMS.

SNMP statistics commands

Use these commands to manage SNMP statistics:

  • show snmp stats hosts: Displays the list of SNMP manager requests in the queue.

  • clear snmp stats hosts: Clears the queue.

SNMP trap notifications

The SNMP agent sends unsolicited trap messages to notify an NMS that a significant event has occurred. Trap conditions include:

  • Port or module status changes (up or down)

  • Spanning-tree topology changes

  • Authentication failures

SNMP community strings

SNMP community strings authenticate access to MIB objects and serve as embedded passwords. For an NMS to access a device, the community string configured on the NMS must match one of the community strings defined on the device.

SNMP community string attributes

SNMP community strings have these attributes. Their configuration affects how management stations interact with devices.

  • Read-only (RO): Grants authorized management stations read access to all MIB objects but denies write access.

  • Read-write (RW): Grants authorized management stations read and write access to all MIB objects but denies access to the community strings.

When you create a cluster, the command device manages message exchange between member devices and the SNMP application. Network Assistant appends the member device number (@esN, where N is the device number) to the first configured RW and RO community strings on the command device. It then copies these strings to the member device.

SNMP MIB variable access

SNMP MIB variable access is the process by which NMS software interacts with device MIB variables to monitor and manage network devices.

  • NMS software uses MIB variables to set device parameters and poll devices for information.

  • SNMP agents gather data from the MIB and send traps (notifications) to the SNMP manager about network events.

  • SNMP agents respond to MIB-related queries from the SNMP manager in get-request, get-next-request, and set-request formats.

Accessing SNMP MIB variables

SNMP MIB variable access involves communication between NMS software, SNMP agents, and SNMP managers to monitor and manage network devices.

  • NMS software polls devices for specific information using MIB variables.

  • Results from polls can be displayed as graphs and analyzed for troubleshooting, performance monitoring, and configuration verification.

  • SNMP agents send traps to notify the SNMP manager of network events such as authentication failures, restarts, link status changes, and MAC address tracking.

SNMP queries

SNMP agents respond to queries from the SNMP manager using specific request formats.

  1. get-request

  2. get-next-request

  3. set-request

Figure 1. SNMP Network
SNMP agent gathers data from the MIB and responds to the SNMP Manager.

SNMP Flash MIB

The Flash MIB queries flash file data from Cisco devices. The Flash MIB fetches all files from the flash file system, removing the previous 100-file limitation per partition.

Use the snmp mib flash cache command to prefetch all files into the local Flash MIB cache before performing a Flash MIB walk. Retrieving all files from the file system increases the time required to complete a Flash MIB walk.

Flash MIB usage and recommendations

Follow these guidelines to maintain system performance and prevent SNMP walk timeouts:

  • Use the snmp mib flash cache command with caution, as it may impact CPU performance.

  • Set the SNMP walk timeout period to at least 10 seconds and the default retry interval to 5 seconds. These values help prevent SNMP walks from timing out.

SNMP notifications

SNMP notifications are messages that a device sends to SNMP managers when specific events occur. Devices can send these messages as traps or inform requests.

  • Traps are notifications sent without acknowledgment. They may not reach their destination.

  • Inform requests require acknowledgment and can be resent if not received, making them more reliable.

  • Choosing between traps and informs involves a trade-off between reliability and resource consumption.

Notification reliability and resource trade-offs

Traps and informs require a trade-off between reliability and resource consumption.

  • Traps: Unreliable because the receiver does not acknowledge receipt. The sender discards the trap immediately after sending it.

  • Informs: Reliable because the SNMP manager acknowledges receipt with an SNMP response protocol data unit (PDU). The sender holds the inform request in memory until it receives a response or the request times out. If the sender does not receive a response, it resends the inform request.


Note


SNMPv1 does not support informs.


Characteristic | Traps | Informs
Reliability | Low | High
Acknowledgment | No | Yes
Resource consumption | Low | High
Network traffic | Low | High (due to retries)

Configuration principle

Follow these guidelines to choose the appropriate notification type:

  • Use inform requests if it is critical that the SNMP manager receives every notification.

  • Use traps if network traffic or device memory is a concern and guaranteed delivery is not required.

SNMP ifIndex MIB Object Values

The SNMP agent's IF-MIB module comes up shortly after reboot. As various physical interface drivers are initialized they register with the IF-MIB module, essentially saying "Give me an ifIndex number". The IF-MIB module assigns the next available ifIndex number on a first-come-first-served basis. That is, minor differences in driver initialization order from one reboot to another can result in the same physical interface getting a different ifIndex number than it had before the reboot (unless ifIndex persistency is enabled of course).

SNMP ENTITY-MIB Identifiers

ENTITY-MIB contains information for managing physical entities such as field-replaceable units (FRUs) on a device. Each entity is identified by a unique index number, entPhysicalIndex, that is used to access information about the entity in the current and other MIBs. An online insertion and removal (OIR) of the entity results in the entity being assigned the next available entPhysicalIndex number, irrespective of whether a new entity is inserted or an existing entity is reinserted.

SNMP and Syslog Over IPv6

To support both IPv4 and IPv6, IPv6 network management requires both IPv6 and IPv4 transports. Syslog over IPv6 supports address data types for these transports.

Simple Network Management Protocol (SNMP) and syslog over IPv6 provide these features:

  • Support for both IPv4 and IPv6

  • IPv6 transport for SNMP, with the SNMP agent modified to support traps for an IPv6 host

  • SNMP- and syslog-related MIBs to support IPv6 addressing

  • Configuration of IPv6 hosts as trap receivers

For support over IPv6, SNMP modifies the existing IP transport mapping to simultaneously support IPv4 and IPv6. These SNMP actions support IPv6 transport management:

  • Opens User Datagram Protocol (UDP) SNMP socket with default settings

  • Provides a new transport mechanism called SR_IPV6_TRANSPORT

  • Sends SNMP notifications over IPv6 transport

  • Supports SNMP-named access lists for IPv6 transport

  • Supports SNMP proxy forwarding using IPv6 transport

  • Verifies SNMP Manager feature works with IPv6 transport

For information on SNMP over IPv6, including configuration procedures, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

For information about syslog over IPv6, including configuration procedures, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.

Default SNMP Configuration

Feature | Default Setting
SNMP agent | Disabled. [1]
SNMP trap receiver | None configured.
SNMP traps | None enabled except the trap for TCP connections (tty).
SNMP version | If no version keyword is present, the default is Version 1.
SNMPv3 authentication | If no keyword is entered, the default is the noauth (noAuthNoPriv) security level.
SNMP notification type | If no type is specified, all notifications are sent.

[1] This is the default when the device starts and the startup configuration does not have any snmp-server global configuration commands.

SNMP Configuration Guidelines

The device requires one of the following global configuration commands to be configured in order to open SNMP UDP ports 161 and 162 and enable the SNMP agent: snmp-server host, snmp-server user, snmp-server community, or snmp-server manager.

An SNMP group is a table that maps SNMP users to SNMP views. An SNMP user is a member of an SNMP group. An SNMP host is the recipient of an SNMP trap operation. An SNMP engine ID is a name for the local or remote SNMP engine.

When configuring SNMP, follow these guidelines:

  • When configuring an SNMP group, do not specify a notify view. The snmp-server host global configuration command auto-generates a notify view for the user and then adds it to the group associated with that user. Modifying the group's notify view affects all users associated with that group.

  • To configure a remote user, specify the IP address or port number for the remote SNMP agent of the device where the user resides.

  • Before you configure remote users for a particular agent, configure the SNMP engine ID, using the snmp-server engineID global configuration command with the remote option. The remote agent's SNMP engine ID and user password are used to compute the authentication and privacy digests. If you do not configure the remote engine ID first, the configuration command fails.

  • When configuring SNMP informs, you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it.

  • If a local user is not associated with a remote host, the device does not send informs for the auth (authNoPriv) and the priv (authPriv) authentication levels.

  • Changing the value of the SNMP engine ID has significant results. A user's password (entered on the command line) is converted to an MD5 or SHA security digest based on the password and the local engine ID. The command-line password is then destroyed, as required by RFC 2274. Because of this deletion, if the value of the engine ID changes, the security digests of SNMPv3 users become invalid, and you need to reconfigure SNMP users by using the snmp-server user username global configuration command. Similar restrictions require the reconfiguration of community strings when the engine ID changes.

  • When you configure the SNMP server host with the default UDP port, 162, the output of the show running-config command does not display the UDP port value. If you specify a UDP port value other than the default by using the snmp-server host {host-addr} community-string udp-port value command, the UDP port number will be displayed in the show running-config command output. You can configure the snmp-server host command with or without the default UDP port 162; however, you cannot configure both simultaneously.

    The following examples are correct:

    Device(config)# snmp-server host 10.10.10.10 community udp-port 163
    Device(config)# snmp-server host 10.10.10.10 community
     
    Device(config)# snmp-server host 10.10.10.10 community udp-port 163   
    Device(config)# snmp-server host 10.10.10.10 community udp-port 162

    The following examples are incorrect:

    Device(config)# snmp-server host 10.10.10.10 community udp-port 163
    Device(config)# snmp-server host 10.10.10.10 community
    Device(config)# snmp-server host 10.10.10.10 community udp-port 162
     
    Device(config)# snmp-server host 10.10.10.10 community udp-port 163
    Device(config)# snmp-server host 10.10.10.10 community udp-port 162
    Device(config)# snmp-server host 10.10.10.10 community
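
The engine ID guideline above, worked through as an added example (not Cisco code and not part of the original page): it implements the RFC 3414 password-to-key localization used by SNMPv3 USM and shows why a digest stored under one engine ID stops matching after the engine ID changes. The function names and the message bytes are constructed for illustration; the password mypassword and the engine ID shorthand 1234 come from the page's own examples, and 5678 is a made-up replacement engine ID.

```python
import hashlib
import hmac

EXPANDED_LEN = 1_048_576  # RFC 3414 A.2: digest 1 MiB of the repeated password


def expand_engine_id(short_hex: str) -> bytes:
    """Pad an abbreviated engine ID with trailing zeros to 24 hex characters,
    the way the page describes for 'snmp-server engineID local 1234'."""
    if not 0 < len(short_hex) <= 24:
        raise ValueError("engine ID must be 1 to 24 hex characters")
    return bytes.fromhex(short_hex.ljust(24, "0"))


def password_to_key(password: str, algo: str) -> bytes:
    """Intermediate key Ku: hash of the password repeated out to 1 MiB."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LEN, len(pw))
    digest = hashlib.new(algo)
    digest.update(pw * reps + pw[:rem])
    return digest.digest()


def localized_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Localized key Kul = H(Ku || engineID || Ku). The device keeps only this
    value, which is why the cleartext password cannot be re-localized later."""
    ku = password_to_key(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the HMAC output truncated to 12 octets."""
    return hmac.new(key, message, algo).digest()[:12]


def engine_id_change_breaks_auth(password: str, old_id: str, new_id: str,
                                 algo: str = "sha1") -> bool:
    """True when a key stored under old_id no longer authenticates messages
    from a manager that localizes the same password with new_id."""
    stored = localized_key(password, expand_engine_id(old_id), algo)
    derived = localized_key(password, expand_engine_id(new_id), algo)
    # Constructed stand-in for a serialized SNMPv3 message; a real message is
    # authenticated with its authParameters field zeroed.
    message = b"constructed SNMPv3 message bytes"
    return not hmac.compare_digest(auth_tag(stored, message, algo),
                                   auth_tag(derived, message, algo))


if __name__ == "__main__":
    old = expand_engine_id("1234")
    print("engine ID     :", old.hex())
    print("stored digest :", localized_key("mypassword", old).hex())
    print("breaks on change to 5678:",
          engine_id_change_breaks_auth("mypassword", "1234", "5678"))
```

Because only the localized digest is retained, the users have to be re-entered with snmp-server user after an engine ID change, as the guideline states.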

How to Configure SNMP

The following sections provide information on how to configure SNMP.

Configuring SNMP Groups and Users

You can specify an identification name (engine ID) for the local or remote SNMP server engine on the device. You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users to the SNMP group.

Follow these steps to configure SNMP groups and users on the device.

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

snmp-server engineID { local engineid-string | remote ip-address [ udp-port port-number] engineid-string}

Example:


Device(config)# snmp-server engineID local 1234

Configures a name for either the local or remote copy of SNMP.

  • The engineid-string is a 24-character ID string with the name of the copy of SNMP. You need not specify the entire 24-character engine ID if it has trailing zeros. Specify only the portion of the engine ID up to the point where only zeros remain in the value. The Step Example configures an engine ID of 123400000000000000000000.

  • If you select remote, specify the ip-address of the device that contains the remote copy of SNMP and the optional User Datagram Protocol (UDP) port on the remote device. The default is 162.

Step 4

snmp-server group group-name { v1 | v2c | v3 { auth | noauth | priv} } [ read readview] [ write writeview] [ notify notifyview] [ access access-list]

Example:


Device(config)# snmp-server group public v2c access lmnop

Configures a new SNMP group on the remote device.

For group-name, specify the name of the group.

Specify one of the following security models:

  • v1 is the least secure of the possible security models.

  • v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.

  • v3, the most secure, requires you to select one of the following authentication levels:

    auth: Enables the Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA) packet authentication.

    noauth: Enables the noAuthNoPriv security level. This is the default if no keyword is specified.

    priv: Enables Data Encryption Standard (DES) packet encryption (also called privacy).

(Optional) Enter read readview with a string (not to exceed 64 characters) that is the name of the view in which you can only view the contents of the agent.

(Optional) Enter write writeview with a string (not to exceed 64 characters) that is the name of the view in which you enter data and configure the contents of the agent.

(Optional) Enter notify notifyview with a string (not to exceed 64 characters) that is the name of the view in which you specify a notify, inform, or trap.

(Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.

Step 5

snmp-server user username group-name { remote host [ udp-port port] } { v1 [ access access-list] | v2c [ access access-list] | v3 [ encrypted] [ access access-list] [ auth { md5 | sha} auth-password] } [ priv { des | 3des | aes { 128 | 192 | 256} } priv-password]

Example:


Device(config)# snmp-server user Pat public v2c

Adds a new user for an SNMP group.

The username is the name of the user on the host that connects to the agent.

The group-name is the name of the group to which the user is associated.

Enter remote to specify a remote SNMP entity to which the user belongs and the hostname or IP address of that entity with the optional UDP port number. The default is 162.

Enter the SNMP version number (v1, v2c, or v3). If you enter v3, you have these additional options:

  • encrypted specifies that the password appears in encrypted format. This keyword is available only when the v3 keyword is specified.

  • auth is an authentication level setting session that can be either the HMAC-MD5-96 (md5) or the HMAC-SHA-96 (sha) authentication level and requires a password string auth-password (not to exceed 64 characters).

If you enter v3 you can also configure a private (priv) encryption algorithm and password string priv-password using the following keywords (not to exceed 64 characters):

  • priv specifies the User-based Security Model (USM).

  • des specifies the use of the 56-bit DES algorithm.

  • 3des specifies the use of the 168-bit DES algorithm.

  • aes specifies the use of the DES algorithm. You must select either 128-bit, 192-bit, or 256-bit encryption.

(Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.

Note

 
The md5, des, and 3des algorithms are not supported in an SNMPv3 group when the compliance shield is disabled. To configure the md5, des, and 3des algorithms, enable the compliance shield by using the crypto engine compliance shield enable command and reboot the device.

Step 6

end

Example:


Device(config)# end

Returns to privileged EXEC mode.

Step 7

show running-config

Example:


Device# show running-config 

Verifies your entries.

Step 8

copy running-config startup-config

Example:


Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Opening or Closing SNMP UDP Ports

The SNMP process uses ports 161 and 162 where port 161 is used for polling the device and port 162 is used for sending notifications from the agent to the server. The SNMP UDP ports remain closed unless one of the requisite commands is configured. This design provides additional security by opening the ports only when needed and prevents a device from listening to a port unnecessarily.

Beginning in user EXEC mode, follow these steps to open the SNMP UDP ports.

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

snmp-server {host | user | community | manager}

Example:

Device(config)# snmp-server host

Opens SNMP UDP ports 161 and 162. Configuring any one of the options (host, user, community, manager) opens both ports. To close the ports, enter the no form of all the options that you have configured. The ports remain open as long as even one of the keywords is configured.

If you enter the no snmp-server command, without any of the keywords, the SNMP process is shut down and not just the SNMP UDP ports.

Step 4

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Step 5

show udp

Example:

Device# show udp

Displays the SNMP UDP ports. If one of the requisite commands is configured, ports 161 and 162 will display value listen under the remote field.

Step 6

copy running-config startup-config

Example:

Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Setting the Agent Contact and Location Information

Follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file.

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

snmp-server contact text

Example:

Device(config)# snmp-server contact Dial System Operator at beeper 21555

Sets the system contact string.

Step 4

snmp-server location text

Example:

Device(config)# snmp-server location Building 3/Room 222

Sets the system location string.

Step 5

end

Example:


Device(config)# end

Returns to privileged EXEC mode.

Step 6

show running-config

Example:


Device# show running-config 

Verifies your entries.

Step 7

copy running-config startup-config

Example:


Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Limiting TFTP Servers Used Through SNMP

Follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list.

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

snmp-server tftp-server-list access-list-number

Example:

Device(config)# snmp-server tftp-server-list 44

Limits the TFTP servers used for configuration file copies through SNMP to the servers in the access list.

For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.

Step 4

access-list access-list-number { deny | permit} source [ source-wildcard]

Example:

Device(config)# access-list 44 permit 10.1.1.2

Creates a standard access list, repeating the command as many times as necessary.

For access-list-number, enter the access list number specified in Step 3.

The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.

For source, enter the IP address of the TFTP servers that can access the device.

(Optional) For source-wildcard, enter the wildcard bits, in dotted decimal notation, to be applied to the source. Place ones in the bit positions that you want to ignore.

The access list is always terminated by an implicit deny statement for everything.

Step 5

end

Example:


Device(config)# end

Returns to privileged EXEC mode.

Step 6

show running-config

Example:


Device# show running-config 

Verifies your entries.

Step 7

copy running-config startup-config

Example:


Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Disabling the SNMP Agent

The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) of the SNMP agent on the device and shuts down the SNMP process. You reenable all versions of the SNMP agent by entering one of the following commands in global configuration mode: snmp-server host, snmp-server user, snmp-server community, or snmp-server manager. There is no Cisco IOS command specifically designated for enabling SNMP.

Follow these steps to disable the SNMP agent.

Before you begin

The SNMP Agent must be enabled before it can be disabled. The SNMP agent is enabled by the first snmp-server global configuration command entered on the device.

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

no snmp-server

Example:


Device(config)# no snmp-server

Disables the SNMP agent operation.

Step 4

end

Example:


Device(config)# end

Returns to privileged EXEC mode.

Step 5

show running-config

Example:


Device# show running-config 

Verifies your entries.

Step 6

copy running-config startup-config

Example:


Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

SNMP Examples

This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public. This configuration does not cause the device to send any traps.

Device(config)# snmp-server community public

This example shows how to permit any SNMP manager to access all objects with read-only permission using the community string public. The device also sends VTP traps to the hosts 192.180.1.111 and 192.180.1.33 using SNMPv1 and to the host 192.180.1.27 using SNMPv2C. The community string public is sent with the traps.

Device(config)# snmp-server community public
Device(config)# snmp-server enable traps vtp
Device(config)# snmp-server host 192.180.1.27 version 2c public
Device(config)# snmp-server host 192.180.1.111 version 1 public
Device(config)# snmp-server host 192.180.1.33 public

This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.

Device(config)# snmp-server community comaccess ro 4
Device(config)# snmp-server enable traps snmp authentication
Device(config)# snmp-server host cisco.com version 2c public

This example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted. The first line enables the device to send Entity MIB traps in addition to any traps previously enabled. The second line specifies the destination of these traps and overwrites any previous snmp-server host commands for the host cisco.com.

Device(config)# snmp-server enable traps entity
Device(config)# snmp-server host cisco.com restricted entity

This example shows how to enable the device to send all traps to the host myhost.cisco.com using the community string public:

Device(config)# snmp-server enable traps
Device(config)# snmp-server host myhost.cisco.com public

This example shows how to associate a user with a remote host and to send auth (authNoPriv) authentication-level informs when the user enters global configuration mode:

Device(config)# snmp-server engineID remote 192.180.1.27 00000063000100a1c0b4011b
Device(config)# snmp-server group authgroup v3 auth
Device(config)# snmp-server user authuser authgroup remote 192.180.1.27 v3 auth md5 mypassword
Device(config)# snmp-server user authuser authgroup v3 auth md5 mypassword
Device(config)# snmp-server host 192.180.1.27 informs version 3 auth authuser config
Device(config)# snmp-server enable traps
Device(config)# snmp-server inform retries 0

This example shows how to display the SNMP managers that have polled an SNMP agent:

Device# show snmp stats host
Request Count                  Last Timestamp               Address
2                               00:00:01 ago                3.3.3.3
1                               1w2d ago                    2.2.2.2
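An added example (not Cisco's code) that parses the show snmp stats host output above and reports managers polling the agent from outside an allowed set of networks. The allowed network and the function names are assumptions; timestamp forms other than the two shown above are handled on the assumption that they use the same unit letters.

```python
import ipaddress
import re

# Output copied from the example above.
SAMPLE = """\
Request Count                  Last Timestamp               Address
2                               00:00:01 ago                3.3.3.3
1                               1w2d ago                    2.2.2.2
"""

UNIT_SECONDS = {"y": 31536000, "w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+ago\s+(\S+)\s*$")

def age_seconds(stamp):
    """Convert 'hh:mm:ss' or a unit string such as '1w2d' to seconds."""
    if ":" in stamp:
        hours, minutes, seconds = (int(p) for p in stamp.split(":"))
        return hours * 3600 + minutes * 60 + seconds
    parts = re.findall(r"(\d+)([ywdhms])", stamp)
    if not parts or "".join(n + u for n, u in parts) != stamp:
        raise ValueError(f"unrecognised timestamp: {stamp!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)

def parse_stats(text):
    """Return one dict per data row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "count": int(m.group(1)),
                "age": age_seconds(m.group(2)),
                "address": ipaddress.ip_address(m.group(3)),
            })
    return rows

def unexpected_pollers(text, allowed_networks):
    """Rows whose source address is in none of the allowed manager networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [r for r in parse_stats(text)
            if not any(r["address"] in n for n in nets)]

if __name__ == "__main__":
    # Assumption: 3.3.3.0/24 is the management network.
    for row in unexpected_pollers(SAMPLE, ["3.3.3.0/24"]):
        print(f"unexpected manager {row['address']}: "
              f"{row['count']} request(s), last {row['age']} s ago")
```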

This example shows the message displayed by the device when you configure any of the three algorithms (md5, des, 3des) in an SNMPv3 group when compliance shield is disabled:

Device(config)# snmp-server user md5user grp v3 auth md5 cisco1234 priv des
Sep  1 00:14:51.582 IST: %SNMP-6-AUTHPROTOCOLMD5: Authentication protocol md5 support will be deprecated in future
Sep  1 00:14:51.582 IST: %SNMP-6-PRIVPROTOCOLDES: Privacy protocol des support will be deprecated in future
Sep  1 00:14:51.645 IST: %SNMP-5-WARMSTART: SNMP agent on host Switch is undergoing a warm start

This example shows the message displayed by the device when you configure any of the three algorithms (md5, des, 3des) in an SNMPv3 group when compliance shield is enabled. The crypto algorithms are supported along with a warning message:

Device(config)# snmp-server user md5user grp v3 auth md5 cisco1234
weaker algorithm MD5, DES and 3DES is not allowed for snmp user
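An added example (not part of the Cisco documentation) that checks snmp-server commands such as those in this section for the weak choices the page identifies: community-based SNMPv1/v2C access, SNMPv3 below the priv level, and the MD5, DES and 3DES algorithms. The function names, the treatment of public and private as default strings, and the last sample command with its placeholder passwords are assumptions; run it over commands as entered, since SNMPv3 user details are not displayed in show running-config.

```python
WEAK_AUTH = {"md5"}          # algorithms named in the compliance-shield message above
WEAK_PRIV = {"des", "3des"}
DEFAULT_COMMUNITIES = {"public", "private"}   # assumption: well-known default strings

# First three commands are from the page's examples; the last is constructed (placeholder passwords).
SAMPLE = """\
snmp-server community public
snmp-server host 192.180.1.33 public
snmp-server user md5user grp v3 auth md5 cisco1234 priv des
snmp-server user privuser privgrp v3 auth sha AUTH_PLACEHOLDER priv aes 128 PRIV_PLACEHOLDER
"""

def after(args, key):
    """Return the token that follows `key`, or None."""
    i = args.index(key) if key in args else -1
    return args[i + 1] if 0 <= i < len(args) - 1 else None

def audit_line(line):
    """Return a list of findings for one 'snmp-server ...' command."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "snmp-server":
        return []
    kind, args, out = tok[1], tok[2:], []
    if kind == "community":
        if args[0].lower() in DEFAULT_COMMUNITIES:
            out.append("default community string")
        # The access list, when present, is the last argument.
        if len(args) == 1 or args[-1] in ("ro", "rw") or args[-2:-1] == ["view"]:
            out.append("community not restricted by an access list")
    elif kind == "host":
        ver = after(args, "version") or "1"  # no version keyword: SNMPv1, as the page's example shows
        if ver in ("1", "2c"):
            out.append(f"SNMPv{ver} host: community sent in cleartext")
        elif after(args[1:], "3") != "priv":
            out.append("SNMPv3 host below priv level")
    elif kind == "group" and "v3" in args and after(args, "v3") != "priv":
        out.append("SNMPv3 group below priv level")
    elif kind == "user" and "v3" in args:
        sec = args[args.index("v3") + 1:]
        auth, priv = after(sec, "auth"), after(sec, "priv")
        if auth is None or auth in WEAK_AUTH:
            out.append(f"weak or missing authentication ({auth})")
        if priv is None or priv in WEAK_PRIV:
            out.append(f"weak or missing privacy ({priv})")
    return out

def audit(text):
    """Map each flagged command line to its findings."""
    checked = ((line.strip(), audit_line(line)) for line in text.splitlines())
    return {line: found for line, found in checked if found}
```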

Monitoring SNMP Status

To display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. You also can use the other privileged EXEC commands listed in the table to display SNMP information.

Table 3. Commands for Displaying SNMP Information
Command Purpose

show snmp

Displays SNMP statistics.

Displays information on the local SNMP engine and all remote engines that have been configured on the device.

show snmp group

Displays information on each SNMP group on the network.

show snmp pending

Displays information on pending SNMP requests.

show snmp sessions

Displays information on the current SNMP sessions.

show snmp user

Displays information on each SNMP user name in the SNMP users table.

Note

 
You must use this command to display SNMPv3 configuration information for auth | noauth | priv mode. This information is not displayed in the show running-config output.

Note


By default, most IE switches have the PROFINET feature enabled. According to PROFINET specifications, if an interface requires an SFP module and the SFP module is not present, the SNMP OID IF-MIB::ifOperStatus reports the operational status as notPresent(6). This status is returned when the SFP module is not plugged in, not detected, or is corrupted.