How to configure SNMPv2 on Cisco IOS Router

This topic is to discuss the following lesson:

Hi Rene,

Are those the only commands to enter the router to get SNMP v2 going? How about the client side?

Thank you in advance.
Abdi

Hi Abdi,

That’s all you need to get it going, yes. If you want to test this, I highly recommend trying LibreNMS:

Rene

Hi Rene,

Is this command used to specify the Cisco router as the agent and send SNMP traps to the NMS server?

snmp-server host 192.168.12.2 version 2c TSHOOT

So the NMS server is 192.168.12.2 and TSHOOT is the community string for 192.168.12.2?

Davis

Hi Davis,

That’s right. Don’t forget to use the snmp-server enable traps command to specify which traps you want to send.

If you don’t want to use traps, setting the community with the snmp-server community command is all you need. You can use this if you want to read the router/switch with an NMS.

Rene


Thanks Rene 🙂

Hi Rene,

I didn’t understand the line…

“If you don’t want to use traps, setting the community with the snmp-server community command is all you need”

If we enter the “snmp-server enable traps” command then all traps will be enabled, right?

br//
zaman

Hi Zaman,

If you use the snmp-server enable traps command then it will enable all traps yes.

If you don’t want to use traps, you only have to set a community. Your NMS can then reach the network device and access it.

Rene

Hello Rene/Laz,

In which scenarios do we use the rw community? I understand we can configure the device remotely if an rw string is configured; could you please explain this in detail (I have never seen it practically)? Suppose we are taking config backups of a device on a daily basis using SolarWinds; do we need an rw community string as a prerequisite?


Hello Aniket

SNMP is a protocol that not only monitors network devices, but can also change their configurations. SNMP uses seven PDU types. Only one of those, SetRequest, is used to modify something in the config of the device. Specifically, it is a request from an SNMP manager to an agent to change the value of a variable or list of variables. This is the PDU that requires the RW community string.

The RW community string is not involved in config backups, but in actual changes to the config itself.

I hope this has been helpful!

Laz


There’s a lab in GNS3VAULT that states the following:

Configure router Agent so it doesn’t send any traps or informs when something happens with the loopback0 interface.

How do you accomplish this?

Hello Mike

You can disable SNMP traps on an interface by issuing the following command in the interface mode:

Router(config-if)# snmp trap if-monitor

This will disable all SNMP monitoring (traps and informs) on that particular interface.

I hope this has been helpful!

Laz


It has. Thank you very much!

Hi,
If it is a trap, what port needs to be open in the firewall? I mean, which port will the NMS listen on and which port will the network device listen on?
And what about the case where it is not a trap?
Thanks

Hello Sims

The configuration of the router to use SNMP is independent of the ports that SNMP uses to communicate. You can set up the router to enable traps or not to use them. No matter what you configure, the same ports will be used in communication between the SNMP server and the device.

Specifically, SNMP information to be exchanged between the router and the server, by default, uses the well-known UDP ports 161 and 162, so those are the ports you should open in your firewall.

I hope this has been helpful!

Laz


Hi,
Thanks for the reply. Usually the NMS will ask you to put in a port number, so which port should I add there? You are saying both ports?

Thanks

Hello SIMS

Both ports 161 and 162 are used for communication between the SNMP server and the SNMP agent. Specifically:

From the SNMP manager’s point of view:

  • The SNMP Manager may send requests from any available source port (GET, GETNEXT, GETBULK, SET).
  • The SNMP Manager sends requests to UDP port 161 in the SNMP Agent (GET, GETNEXT, GETBULK, SET).
  • The SNMP Manager receives responses on the same source port it sent the request (RESPONSE).
  • The SNMP manager receives notifications on UDP port 162 (TRAPS and INFORM).

From the SNMP Agent point of view:

  • The SNMP Agent receives requests on UDP port 161 (GET, GETNEXT, GETBULK, SET).
  • The SNMP Agent sends responses back to the source port of the manager (RESPONSE).
  • The SNMP Agent may generate notifications from any available port (TRAPS and INFORM).
  • The SNMP Agent sends the notifications to UDP port 162 of the SNMP Manager (TRAPS and INFORM).

So you see, both ports will be required in both directions for SNMP to function. Note that if you are using secure SNMP, then the ports will be 10161 and 10162 respectively.

I hope this has been helpful!

Laz

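To make the PDU-type discussion (SetRequest needs the RW community) and the port discussion (UDP/161 for requests, UDP/162 for traps and informs) above concrete, here is an added example in Python; it is not from the thread or from Cisco. It is a minimal BER decoder for the outer SNMPv1/v2c message header that reports the version, the community string (which v1/v2c send in the clear), the PDU type, whether the packet is a write, and which UDP port it should be addressed to. The message builder and the TSHOOT community values are constructed sample data.

```python
# Added example, not from the thread. Decodes the outer BER header of an
# SNMPv1/v2c message: SEQUENCE { INTEGER version, OCTET STRING community, PDU }
# and classifies the PDU as the thread describes: read vs. write (a SetRequest
# needs the RW community) and UDP/161 (requests) vs. UDP/162 (traps/informs).
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}      # wire value 1 means SNMPv2c

def _tlv(data: bytes, pos: int):
    """Decode one BER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_snmp_header(packet: bytes) -> dict:
    """Return version, community, PDU type, expected UDP port and RW need."""
    tag, body, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    tag, community, pos = _tlv(body, pos)
    if tag != 0x04:                          # SNMPv3 carries msgGlobalData here
        raise ValueError(f"no community string (SNMP{VERSIONS.get(version, version)})")
    pdu_tag, _, _ = _tlv(body, pos)          # context-specific, constructed tag
    pdu = PDU_NAMES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})")
    # Traps/informs go agent -> manager to UDP/162; all other PDUs go
    # manager -> agent to UDP/161 (responses return to the manager's source port).
    dst_port = 162 if pdu in ("SNMPv2-Trap", "InformRequest") else 161
    return {"version": VERSIONS.get(version, str(version)),
            "community": community.decode("ascii", "replace"),
            "pdu": pdu, "dst_port": dst_port, "needs_rw": pdu == "SetRequest"}

def _enc(tag: int, val: bytes) -> bytes:
    """BER-encode one TLV, using the two-byte long length form when needed."""
    n = len(val)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + val

def build_snmp_message(version: int, community: str, pdu_tag: int,
                       pdu_body: bytes = b"") -> bytes:
    """Constructed sample message (test data, not a real capture)."""
    body = (_enc(0x02, bytes([version])) + _enc(0x04, community.encode())
            + _enc(pdu_tag, pdu_body))
    return _enc(0x30, body)
```

Fed packets captured on UDP/161 and UDP/162, `parse_snmp_header` lets a monitoring script flag any SetRequest (an RW write) or any unexpected community string without needing a full MIB-aware SNMP library.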

Hi,

I just want to clarify the purpose of each command because it seems like duplicate info is supplied and it’s confusing me slightly:

Is the only purpose of the below command to grant access to the device (with RO permissions), subject to them supplying the correct community string?

snmp-server community TSHOOT ro

And if so, does that mean the following two trap-related commands can be entered without the above command (I included traps & syslog for my next question)?

snmp-server host 192.168.12.2 traps TSHOOT syslog
snmp-server enable traps syslog

I have also seen Cisco documentation showing that if you want to enable a specific trap, you have to do it for both the host and the enable traps command (as per the above example). I’m not sure of the logic in that, because specifying it on the host seems good enough. Is there a reason?

And for the above host command, is specifying the traps option just another way of setting the version? i.e. instead of version 2c.

Thanks for the help.

Sam

Hello Samir

The snmp-server enable command is used to enable traps and syslog for SNMP globally on the device. Here you can selectively choose which traps to enable. In the above example you give, you have enabled syslog traps only.

Now in the snmp-server host command, you can specify what notification types should be sent to the host. If you don’t specify any, then all available trap types are enabled. Remember that you are able to apply multiple snmp-server host commands thus sending traps to multiple SNMP hosts. This allows you to control what traps are sent to what SNMP hosts.

Now according to Cisco, the role of the notification type in the snmp-server host and the snmp-server enable command is somewhat different. Different options are available for each type. Specifically, Cisco states that:

Some notification types cannot be controlled with the snmp-server enable command. Some notification types are always enabled, and others are enabled by a different command. For example, the linkUpDown notifications are controlled by the snmp trap link-status command. These notification types do not require an snmp-server enable command.

Unfortunately, it is not very straightforward and the functionality has to be examined on a case-by-case basis. The following Cisco command-line documentation shows the way in which each is used and the differences between them:

I hope this has been helpful!

Laz

Hi, yes it has helped clear stuff up. But just to confirm my understanding, if I were to enter the following:

snmp-server enable traps syslog
snmp-server host 192.168.12.2 traps TSHOOT

Even though the snmp-server host command doesn’t specify a trap, it will still only send syslog because that is the only thing enabled globally.

Thanks again for the help.