How to configure SNMPv2 on Cisco IOS Router

Hi Rene,

I didn't understand the line…

“If you don’t want to use traps, setting the community with the snmp-server community command is all you need”

If we enter the “snmp-server enable traps” command, then all traps will be enabled, right?

br//
zaman

Hi Zaman,

If you use the snmp-server enable traps command then it will enable all traps yes.

If you don’t want to use traps, you only have to set a community. Your NMS can then reach the network device and access it.

Rene

Hello Rene/Laz,

In which scenarios do we use the rw community? I understand we can configure the device remotely if the rw string is configured, but could you please explain this in detail (as I have never seen it practically)? Suppose we are taking config backups of the device on a daily basis using SolarWinds; do we need an rw community string as a prerequisite?

1 Like

Hello Aniket

SNMP is a protocol that not only monitors network devices, but can also change their configurations. SNMP uses seven PDU types. Only one of those, SetRequest, is used to modify something in the config of the device. Specifically it is a request from an SNMP manager to an agent to change the value of a variable or list of variables. This is the PDU that requires the RW community string.

The RW community string is not involved in config backups, but in actual changes to the config itself.

I hope this has been helpful!

Laz

2 Likes

There’s a lab in GNS3VAULT that states the following:

Configure router Agent so it doesn’t send any traps or informs when something happens with the loopback0 interface.

How do you accomplish this?

Hello Mike

You can disable SNMP traps on an interface by issuing the following command in the interface mode:

Router(config-if)# snmp trap if-monitor

This will disable all SNMP monitoring (traps and informs) on that particular interface.

I hope this has been helpful!

Laz

3 Likes

It has. Thank you very much!

Hi
If it is a trap, what port needs to be open in the firewall? I mean, which port will the NMS listen on, and which port will the network device listen on?
And what about the case where it is not a trap?
Thanks

Hello Sims

The configuration of the router to use SNMP is independent of the ports that SNMP uses to communicate. You can set up the router to enable traps or not to use them. No matter what you configure, the same ports will be used in communication between the SNMP server and the device.

Specifically, SNMP information to be exchanged between the router and the server, by default, uses well known UDP ports 161 and 162, so those are the ports you should open in your firewall.

I hope this has been helpful!

Laz

1 Like

Hi,
Thanks for the reply. Usually the NMS will ask you to put in a port number, so which port should I add there? You are saying both ports?

Thanks

Hello SIMS

Both ports 161 and 162 are used for communication between the SNMP server and the SNMP agent. Specifically:

From the SNMP manager’s point of view:

  • The SNMP Manager may send requests from any available source port (GET, GETNEXT, GETBULK, SET).
  • The SNMP Manager sends requests to UDP port 161 in the SNMP Agent (GET, GETNEXT, GETBULK, SET).
  • The SNMP Manager receives responses on the same source port it sent the request (RESPONSE).
  • The SNMP manager receives notifications on UDP port 162 (TRAPS and INFORM).

From the SNMP Agent point of view:

  • The SNMP Agent receives requests on UDP port 161 (GET, GETNEXT, GETBULK, SET).
  • The SNMP Agent sends responses back to the source port of the manager (RESPONSE).
  • The SNMP Agent may generate notifications from any available port (TRAPS and INFORM).
  • The SNMP Agent sends the notifications to UDP port 162 of the SNMP Manager (TRAPS and INFORM).

So you see, both ports will be required in both directions for SNMP to function. Note that if you are using secure SNMP, then the ports will be 10161 and 10162 respectively.

I hope this has been helpful!

Laz

1 Like

Hi,

I just want to clarify the purpose of each command because it seems like duplicate info is supplied and it’s confusing me slightly:

Is the only purpose of the below command to grant access to the device (with RO permissions), subject to them supplying the correct community string?

snmp-server community TSHOOT ro

And if so, does that mean the following two trap-related commands can be entered without the above command (I included traps & syslog for my next question)?

snmp-server host 192.168.12.2 traps TSHOOT syslog
snmp-server enable traps syslog

I have also seen Cisco documentation showing that if you want to enable a specific trap, you have to do it for both the host, and enable traps command (as per the above example). I’m not sure the logic in that because specifying on the host seems good enough. Is there a reason?

And for the above host command, is specifying the traps option just another way of setting the version? i.e. instead of version 2c.

Thanks for the help.

Sam

Hello Samir

The snmp-server enable command is used to enable traps and syslog for SNMP globally on the device. Here you can selectively choose which traps to enable. In the above example you give, you have enabled syslog traps only.

Now in the snmp-server host command, you can specify what notification types should be sent to the host. If you don’t specify any, then all available trap types are enabled. Remember that you are able to apply multiple snmp-server host commands thus sending traps to multiple SNMP hosts. This allows you to control what traps are sent to what SNMP hosts.

Now according to Cisco, the role of the notification type in the snmp-server host and the snmp-server enable command is somewhat different. Different options are available for each type. Specifically, Cisco states that:

Some notification types cannot be controlled with the snmp-server enable command. Some notification types are always enabled, and others are enabled by a different command. For example, the linkUpDown notifications are controlled by the snmp trap link-status command. These notification types do not require an snmp-server enable command.

Unfortunately, it is not very straightforward and the functionality has to be examined on a case by case basis. The following Cisco command-line documentation shows the way in which each is used and the differences of each:

I hope this has been helpful!

Laz

Hi, yes it has helped clear stuff up. But just to confirm my understanding, if I were to enter the following:

snmp-server enable traps syslog
snmp-server host 192.168.12.2 traps TSHOOT

Even though the snmp-server host command doesn’t specify a trap, it will still only send syslog because that is the only thing enabled globally.

Thanks again for the help.

Hello Samir

Yes, this seems to be the case. The Cisco Command Reference for the snmp-server enable command indicates the following:

The snmp-server enable traps syslog command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.

Although this seems to be the case based on the descriptions shown here, because of the somewhat complex nature of how these two commands interact, the best way to determine exactly what is being sent is to try it out.

I hope this has been helpful!

Laz

Hi Lazaros,

Yes it has been helpful, thanks very much (again).

Sam

1 Like

I set it up on two routers with an access list in the community, but for some reason on one of the routers there are no input/output packets coming. It’s the same config as the other, which works just fine. What would be causing this?

Hello Lewis

Hmm, without more information, it is difficult to diagnose such behavior.

If one is working and the other is not, it is highly unlikely that the configuration is exactly the same. If it is, then the problem may be hardware related or due to some malfunction in the device. I suggest you take a closer look and try to replicate everything exactly. If you need further help, share with us your progress and let us know a little bit more about your topology and config so that we can help you further.

I hope this has been helpful!

Laz

Hello, everyone!

So if I understand this correctly, the moment I issue the snmp-server community text ro/rw command, I’ll be able to retrieve information from this device and also SET specific configuration parameters on it?

Because I originally thought you also have to issue the snmp-server host x.x.x.x command.

Also, what versions will be enabled if we don’t specify one in the snmp-server host command?

And one last thing. Although I’ve specified version 2c - snmp-server host x.x.x.x version 2c, the SNMP server can still communicate with the managed device using v1. Is this normal?

Thank you in advance.

David

Hello David

The snmp-server community text ro/rw command is indeed all that’s necessary to allow an SNMP manager to retrieve information from the network device or agent, and also to set specific configuration parameters. The ability to retrieve and set depends of course on the ro (read only) or rw (read/write) setting in the command.

The snmp-server host x.x.x.x command serves a different purpose. This command tells the SNMP agent where to send unsolicited messages, specifically traps and informs. Unsolicited messages are those messages sent by an SNMP agent to an SNMP manager without the manager first requesting that information. These messages are used to alert the manager about specific events or conditions that have occurred in the agent device.

If the snmp-server host command is not issued, no unsolicited messages are sent. But as long as the snmp-server community command is set, SNMP information can be retrieved by the SNMP monitor.

According to the Cisco command reference links below, the default value for the SNMP version found within the snmp-server host command is version 1, however, this may depend upon the platform and IOS versions. Using the context-sensitive help in the CLI may inform you of the default value for this on your platform.

The version number specified in this command has to do with the types of traps and informs that will be used. Specifically:

  • SNMP version 1 doesn’t use informs, and has a particular format for traps.
  • SNMP version 2 introduces informs and changes the format of traps.
  • SNMP version 3 doesn’t change the format of these messages, but adds security features like authentication and encryption.

What version you configure will change these formats and parameters such that the receiving SNMP server will receive the appropriate types of messages.

So the question is, if you use version 2c on the command, is this backward compatible with an SNMP manager that understands version 1 formats? I haven’t found any documentation making this claim. When you say that “the SNMP server can still communicate with the managed device using v1,” can you clarify what you mean?

Take a look at these Cisco command references for these commands for more info:

I hope this has been helpful!

Laz
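
To tie together two explanations in this thread (which commands grant access versus which only control notifications, and how the global snmp-server enable traps list combines with a per-host type list), here is a small added audit script; it is not from the thread or from Cisco, and its host-line parser assumes the v1/v2c syntax used in the discussion. Treating the enable/host interaction as a plain intersection is a modelling assumption, since Laz notes the real behaviour should be verified on the device.

```python
import re
# Constructed sample config (added example, not from the thread): an RO community
# tied to an ACL, an RW community with none, syslog traps enabled globally, two hosts.
SAMPLE_CONFIG = """
access-list 10 permit 192.168.12.2
snmp-server community TSHOOT ro 10
snmp-server community ADMIN rw
snmp-server enable traps syslog
snmp-server host 192.168.12.2 version 2c TSHOOT
snmp-server host 192.168.12.3 traps TSHOOT syslog config
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)(?: (\S+))?", re.I)
ENABLE_RE = re.compile(r"^snmp-server enable traps(?: (.+))?$", re.I)
HOST_RE = re.compile(r"^snmp-server host (\S+) (.+)$", re.I)

def parse_host_line(args):
    """Return (community, set of listed types) from the arguments of
    'snmp-server host'. Assumes the v1/v2c form used in the thread:
    [traps|informs] [version 1|2c] <community> [type ...]."""
    tok = args.split()
    while tok[0].lower() in ("traps", "informs", "version"):
        tok = tok[2:] if tok[0].lower() == "version" else tok[1:]
    return tok[0], {t.lower() for t in tok[1:]}

def audit_snmp_config(config):
    """Flag risky community strings and compute, per host, which notification
    types would be sent. Model (an assumption simplifying the thread): a type
    reaches a host only if it is enabled globally AND not excluded by that host's
    own type list; a bare 'snmp-server enable traps' enables all. Types driven
    by other commands (e.g. 'snmp trap link-status') are not modelled."""
    findings, hosts, enabled = [], {}, set()
    for line in (ln.strip() for ln in config.splitlines()):
        if m := COMMUNITY_RE.match(line):
            name, mode, acl = m.group(1), m.group(2).lower(), m.group(3)
            if acl is None:
                findings.append(f"community {name} ({mode}) has no access-list")
            if mode == "rw":
                findings.append(f"community {name} permits SET; use ro unless changes are needed")
        elif m := ENABLE_RE.match(line):
            enabled |= set((m.group(1) or "all").lower().split())
        elif m := HOST_RE.match(line):
            community, listed = parse_host_line(m.group(2))
            if "all" in enabled:
                types = listed or {"all"}
            else:
                types = (enabled & listed) if listed else set(enabled)
            hosts[m.group(1)] = {"community": community, "types": types}
    return {"findings": findings, "hosts": hosts}
```

Running audit_snmp_config(SAMPLE_CONFIG) reports the unrestricted rw community and shows that both hosts only ever receive syslog notifications, because that is the only type enabled globally.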