SNMP

SNMP v2c and v3 community/user configuration, trap destinations, and MIB object navigation.

SNMPv2c — Community-Based

Read-only community string with ACL restriction
Switch(config)# access-list 99 permit 10.50.1.0 0.0.0.255
Switch(config)# snmp-server community <COMMUNITY-RO> RO 99
Read-write community string (use sparingly)
Switch(config)# snmp-server community <COMMUNITY-RW> RW 99
SNMPv2c sends the community string in cleartext. Anyone on the wire can sniff it. Use SNMPv3 with auth+priv for anything beyond lab environments. At minimum, restrict v2c access with an ACL.

SNMPv3 — User-Based Security

Create an SNMPv3 group with auth+priv (SHA authentication, AES encryption)
Switch(config)# snmp-server group MONITOR-GROUP v3 priv
Create an SNMPv3 user bound to the group
Switch(config)# snmp-server user monitor-user MONITOR-GROUP v3 auth sha <AUTH-PASS> priv aes 128 <PRIV-PASS>
snmp-server user does not appear in show running-config for security reasons. Use show snmp user to verify it exists.
SNMPv3 with a restricted view — expose only interface MIB
Switch(config)# snmp-server view IF-ONLY iso.3.6.1.2.1.2 included
Switch(config)# snmp-server group RESTRICTED-GROUP v3 priv read IF-ONLY
Switch(config)# snmp-server user restricted-user RESTRICTED-GROUP v3 auth sha <AUTH-PASS> priv aes 128 <PRIV-PASS>

Views are how you limit what OID subtrees a user can access. iso.3.6.1.2.1.2 is the interfaces MIB (IF-MIB).
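To make the view semantics concrete, here is an added example (not from the page, not Cisco code) that models how a view decides whether an OID is visible. The assumed rules follow VACM (RFC 3415): every view entry is a subtree marked included or excluded, and the most specific (longest) matching subtree wins, which is what lets you carve an exclusion out of a broad include. View masks (wildcards) are not modelled. The config lines and the ALL-BUT-USM view are constructed for the example; IF-ONLY mirrors the command above.

```python
# Added example (not from the page): model how an SNMP view decides whether
# an OID is visible. Assumed semantics follow VACM (RFC 3415): each view entry
# is a subtree marked included or excluded, and the most specific (longest)
# matching subtree wins. View masks (wildcards) are not modelled here.
import re
from typing import Dict, List, Optional, Tuple

OidT = Tuple[int, ...]

# Constructed config lines in the same shape as the cheat sheet's commands.
# ALL-BUT-USM is a hypothetical view: everything under iso except the
# snmpModules subtree (1.3.6.1.6.3), which holds the USM and VACM tables.
EXAMPLE_CONFIG = """
snmp-server view IF-ONLY iso.3.6.1.2.1.2 included
snmp-server view ALL-BUT-USM iso included
snmp-server view ALL-BUT-USM iso.3.6.1.6.3 excluded
"""

VIEW_LINE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$")


def parse_oid(text: str) -> OidT:
    """'iso.3.6.1.2.1.2' or '1.3.6.1.2.1.2' -> (1, 3, 6, 1, 2, 1, 2)."""
    parts = text.strip().split(".")
    if parts and parts[0] == "iso":
        parts[0] = "1"
    return tuple(int(p) for p in parts)


class View:
    """One named view: a list of (subtree, included) entries."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Tuple[OidT, bool]] = []

    def add(self, subtree: str, included: bool) -> None:
        self.entries.append((parse_oid(subtree), included))

    def permits(self, oid: str) -> bool:
        """True if the longest matching subtree entry is 'included'.
        An OID that matches no entry at all is invisible."""
        target = parse_oid(oid)
        best: Optional[Tuple[OidT, bool]] = None
        for subtree, included in self.entries:
            if target[: len(subtree)] == subtree:
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, included)
        return best is not None and best[1]


def build_views(config: str) -> Dict[str, View]:
    """Collect 'snmp-server view' lines into View objects keyed by name."""
    views: Dict[str, View] = {}
    for line in config.splitlines():
        m = VIEW_LINE.match(line.strip())
        if not m:
            continue
        name, subtree, mode = m.groups()
        views.setdefault(name, View(name)).add(subtree, mode == "included")
    return views


if __name__ == "__main__":
    views = build_views(EXAMPLE_CONFIG)
    # Constructed probes: sysDescr.0, ifDescr.1 and a column of the USM user table.
    probes = {
        "sysDescr.0": "1.3.6.1.2.1.1.1.0",
        "ifDescr.1": "1.3.6.1.2.1.2.2.1.2.1",
        "usmUserSecurityName": "1.3.6.1.6.3.15.1.2.2.1.3",
    }
    for vname, view in views.items():
        for label, oid in probes.items():
            state = "visible" if view.permits(oid) else "hidden"
            print(f"{vname:12} {label:22} {state}")
```

Running it shows IF-ONLY exposing only the ifDescr probe, while ALL-BUT-USM exposes sysDescr and ifDescr but hides the USM table because the longer excluded subtree overrides the included iso root. The same longest-match logic is why ordering of the view lines in the config does not matter.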

Traps and Informs

Send traps to a monitoring server — SNMPv2c
Switch(config)# snmp-server host 10.50.1.100 version 2c <COMMUNITY-RO>
Switch(config)# snmp-server enable traps snmp linkdown linkup
Switch(config)# snmp-server enable traps config
Switch(config)# snmp-server enable traps envmon
Send informs instead of traps — informs are acknowledged, traps are fire-and-forget
Switch(config)# snmp-server host 10.50.1.100 informs version 2c <COMMUNITY-RO>
SNMPv3 trap receiver
Switch(config)# snmp-server host 10.50.1.100 version 3 priv monitor-user

SNMP Source Interface

Ensure traps originate from a predictable IP
Switch(config)# snmp-server source-interface traps Loopback0

Querying from Linux

snmpwalk — walk an OID subtree (v2c)
snmpwalk -v2c -c <COMMUNITY-RO> 10.50.1.10 IF-MIB::ifDescr

Expected output:

IF-MIB::ifDescr.1 = STRING: GigabitEthernet1/0/1
IF-MIB::ifDescr.2 = STRING: GigabitEthernet1/0/2
...
snmpget — retrieve a single OID value
snmpget -v2c -c <COMMUNITY-RO> 10.50.1.10 SNMPv2-MIB::sysUpTime.0
snmpwalk with SNMPv3 auth+priv
snmpwalk -v3 -l authPriv \
  -u monitor-user \
  -a SHA -A <AUTH-PASS> \
  -x AES -X <PRIV-PASS> \
  10.50.1.10 IF-MIB::ifOperStatus
Install snmp and snmp-mibs-downloader on Debian/Ubuntu, or net-snmp-utils on RHEL/Arch, to get snmpwalk and MIB resolution.
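The snmpwalk output above is line-oriented and easy to post-process. The following is an added example (not from the page and not part of net-snmp) that parses that output format and joins ifDescr with ifOperStatus into an interface status report. The sample walk is constructed in the same shape as the expected output shown above; the ifOperStatus names are the IF-MIB (RFC 2863) values.

```python
# Added example (not from the page): a parser for net-snmp's snmpwalk/snmpget
# output that joins ifDescr and ifOperStatus into an interface status report.
# SAMPLE_WALK is constructed; in practice you would feed it the captured
# stdout of the snmpwalk commands shown in the cheat sheet.
import re
from typing import Any, Dict, List, NamedTuple, Optional

SAMPLE_WALK = """
IF-MIB::ifDescr.1 = STRING: GigabitEthernet1/0/1
IF-MIB::ifDescr.2 = STRING: GigabitEthernet1/0/2
IF-MIB::ifDescr.3 = STRING: GigabitEthernet1/0/3
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: down(2)
IF-MIB::ifOperStatus.3 = INTEGER: lowerLayerDown(7)
IF-MIB::ifHCInOctets.1 = Counter64: 9876543210
SNMPv2-MIB::sysUpTime.0 = Timeticks: (1234567) 3:25:45.67
...
"""

# One varbind line: MIB::object[.index] = TYPE: value
LINE_RE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)(?:\.(?P<idx>[\d.]+))?\s*=\s*(?P<type>[\w-]+):\s*(?P<val>.*)$"
)
ENUM_RE = re.compile(r"^\w+\((\d+)\)$")   # INTEGER enum, e.g. down(2)
TICKS_RE = re.compile(r"^\((\d+)\)")      # Timeticks, e.g. (1234567) 3:25:45.67

# ifOperStatus values from IF-MIB (RFC 2863)
OPER_STATUS = {1: "up", 2: "down", 3: "testing", 4: "unknown",
               5: "dormant", 6: "notPresent", 7: "lowerLayerDown"}


class Var(NamedTuple):
    obj: str     # object name, e.g. "ifDescr"
    index: str   # instance index, "" if none
    type: str    # printed type, e.g. "STRING", "INTEGER", "Counter64"
    value: Any


def parse_line(line: str) -> Optional[Var]:
    """Parse one output line; returns None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    typ, raw = m.group("type"), m.group("val").strip()
    value: Any
    if typ == "INTEGER":
        e = ENUM_RE.match(raw)
        value = int(e.group(1)) if e else int(raw)
    elif typ in ("Counter32", "Counter64", "Gauge32", "Unsigned32"):
        value = int(raw)
    elif typ == "Timeticks":
        t = TICKS_RE.match(raw)
        value = int(t.group(1)) if t else raw
    else:
        value = raw.strip('"')   # STRING, OID, Hex-STRING, ... kept as text
    return Var(m.group("obj"), m.group("idx") or "", typ, value)


def parse_walk(text: str) -> List[Var]:
    return [v for v in (parse_line(ln) for ln in text.splitlines()) if v]


def interface_report(walk_text: str) -> Dict[str, Dict[str, Any]]:
    """ifIndex -> {'name': ifDescr, 'status': ifOperStatus name}."""
    report: Dict[str, Dict[str, Any]] = {}
    for v in parse_walk(walk_text):
        if v.obj == "ifDescr":
            report.setdefault(v.index, {})["name"] = v.value
        elif v.obj == "ifOperStatus":
            report.setdefault(v.index, {})["status"] = OPER_STATUS.get(v.value, str(v.value))
    return report


def not_up(walk_text: str) -> List[str]:
    """Names of interfaces whose operational status is anything but up."""
    return sorted(e["name"] for e in interface_report(walk_text).values()
                  if "name" in e and e.get("status") != "up")


if __name__ == "__main__":
    rows = sorted(interface_report(SAMPLE_WALK).items(), key=lambda kv: int(kv[0]))
    for idx, entry in rows:
        print(f"ifIndex {idx:>3}  {entry.get('name', '?'):22} {entry.get('status', '?')}")
    print("not up:", ", ".join(not_up(SAMPLE_WALK)))
```

Joining on the instance index rather than on line order matters because ifDescr and ifOperStatus come back as two separate walks, and an interface that exists in one and not the other (a module removed between polls) should not shift every row below it.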

Common OIDs

OID / MIB Name                            Description                               Type
SNMPv2-MIB::sysDescr.0                    Device description (model, firmware)      STRING
SNMPv2-MIB::sysUpTime.0                   Uptime in hundredths of a second          TimeTicks
IF-MIB::ifDescr                           Interface names                           STRING
IF-MIB::ifOperStatus                      Interface up/down (1=up, 2=down)          INTEGER
IF-MIB::ifInOctets / ifOutOctets          Bytes in/out per interface                Counter32
IF-MIB::ifHCInOctets / ifHCOutOctets      64-bit byte counters (high capacity)      Counter64
HOST-RESOURCES-MIB::hrProcessorLoad       CPU utilization per core                  INTEGER
ENTITY-MIB::entPhysicalDescr              Physical inventory (modules, fans, PSU)   STRING

Use ifHCInOctets/ifHCOutOctets (64-bit) instead of ifInOctets/ifOutOctets (32-bit) on high-speed interfaces. A 10Gbps link wraps a 32-bit counter in ~3.4 seconds.
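The wrap figure above comes from 2^32 bytes times 8 bits divided by the line rate. The following is an added example (not from the page) that carries that arithmetic through and shows the practical consequence for rate calculation: a poll-to-poll delta must allow for one wrap of a 32-bit counter, and if the poll interval exceeds the wrap time the result cannot be trusted at all, because any number of wraps may have happened. The counter values and poll interval are constructed.

```python
# Added example (not from the page): poll-to-poll rate from SNMP octet
# counters, allowing for the wrap of a 32-bit counter and flagging samples
# where more than one wrap could have happened. Assumes samples come from
# ifInOctets/ifHCInOctets polled at a fixed interval; the values are constructed.
from typing import Tuple


def wrap_seconds(link_bps: float, width: int = 32) -> float:
    """Seconds for a counter of `width` bits to wrap at full line rate."""
    return (2 ** width) * 8 / link_bps


def counter_delta(prev: int, curr: int, width: int) -> int:
    """Increase between two samples of a monotonic counter, assuming at most one wrap."""
    modulus = 2 ** width
    if curr >= prev:
        return curr - prev
    return (modulus - prev) + curr      # counter passed through zero once


def octet_rate(prev: int, curr: int, interval_s: float, width: int,
               link_bps: float) -> Tuple[float, bool]:
    """Return (bits per second, trustworthy).

    Not trustworthy when the poll interval is long enough that the counter
    could have wrapped more than once at line rate; the computed value is
    then an undercount at best and should be dropped, not graphed."""
    bps = counter_delta(prev, curr, width) * 8 / interval_s
    trustworthy = interval_s < wrap_seconds(link_bps, width)
    return bps, trustworthy


if __name__ == "__main__":
    # Constructed samples: two polls 30 s apart on a 10 Gbps link.
    prev32, curr32 = 4_294_900_000, 1_200_000      # 32-bit counter wrapped once
    prev64, curr64 = 9_000_000_000, 9_040_000_000  # 64-bit counter, no wrap
    for width, prev, curr in ((32, prev32, curr32), (64, prev64, curr64)):
        bps, ok = octet_rate(prev, curr, 30, width, 10e9)
        print(f"{width}-bit: {bps / 1e6:.1f} Mbit/s  trustworthy={ok}")
    print(f"32-bit wrap at 10 Gbps: {wrap_seconds(10e9):.2f} s")
    print(f"32-bit wrap at 1 Gbps:  {wrap_seconds(1e9):.2f} s")
```

With a 30 s poll interval the 32-bit sample is flagged untrustworthy on a 10 Gbps link (wrap time about 3.4 s) while the 64-bit sample is fine; at 1 Gbps the same 32-bit counter wraps in about 34 s, so 30 s polling is just barely safe.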

Verification on the Device

Switch# show snmp
Switch# show snmp user
Switch# show snmp group
Switch# show snmp host
Switch# show snmp community

show snmp gives aggregate packet counts — useful for confirming that polls are arriving. If inBadCommunityNames is climbing, something is sending requests with the wrong community string.
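A simple way to act on that observation is to snapshot show snmp periodically and compare the bad-community counter between runs. Here is an added example (not from the page and not Cisco code) that parses two such snapshots and raises an alert when the count grows. Both snapshots are constructed; the exact line wording ("<n> Unknown community name", "<n> SNMP packets input") is assumed to match IOS output, so adjust the labels if your platform prints them differently.

```python
# Added example (not from the page): compare two 'show snmp' snapshots and
# alert when the unknown-community counter grows. The snapshot text is
# constructed; the statistic labels are assumed to match IOS wording.
import re
from typing import Dict, Optional

# "<count> <label>" statistic lines, e.g. "    3 Unknown community name"
STAT_LINE = re.compile(r"^\s*(\d+)\s+([A-Za-z].*?)\s*$")
BAD_COMMUNITY = "Unknown community name"
INPUT_PACKETS = "SNMP packets input"

SNAPSHOT_T0 = """
Chassis: <SERIAL>
1420 SNMP packets input
    0 Bad SNMP version errors
    3 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
 1400 Number of requested variables
1420 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
"""

SNAPSHOT_T1 = """
Chassis: <SERIAL>
1515 SNMP packets input
    0 Bad SNMP version errors
   40 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
 1460 Number of requested variables
1478 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
"""


def parse_show_snmp(text: str) -> Dict[str, int]:
    """Collect every '<count> <label>' statistic into a dict keyed by label."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            # Drop trailing parenthetical detail such as "(Maximum packet size 1500)"
            label = re.sub(r"\s*\(.*\)$", "", m.group(2))
            stats[label] = int(m.group(1))
    return stats


def bad_community_delta(before: str, after: str) -> int:
    """Growth of the unknown-community counter between two snapshots."""
    b, a = parse_show_snmp(before), parse_show_snmp(after)
    return a.get(BAD_COMMUNITY, 0) - b.get(BAD_COMMUNITY, 0)


def check_bad_community(before: str, after: str, threshold: int = 0) -> Optional[str]:
    """Alert text if more than `threshold` bad-community requests arrived, else None."""
    bad = bad_community_delta(before, after)
    if bad <= threshold:
        return None
    b, a = parse_show_snmp(before), parse_show_snmp(after)
    total = a.get(INPUT_PACKETS, 0) - b.get(INPUT_PACKETS, 0)
    return (f"ALERT: {bad} of {total} SNMP requests since last sample "
            f"used an unknown community string")


if __name__ == "__main__":
    print(check_bad_community(SNAPSHOT_T0, SNAPSHOT_T0))   # None: nothing changed
    print(check_bad_community(SNAPSHOT_T0, SNAPSHOT_T1))   # alert line
```

A non-zero threshold absorbs the occasional mistyped community string on a poller; a steady climb between every pair of snapshots is what you want to chase down, starting with the ACL on the community and the source addresses the device is seeing.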