
Configure SNMP on a Cisco router or switch


The Simple Network Management Protocol (SNMP) is a necessary tool for every network administrator. You can easily configure it with just a few commands.

SNMP is still the most popular way to monitor the performance of network devices, including Cisco routers and switches. With an SNMP management station, you can graph the performance of network devices. In addition, Cisco devices can send alerts (called traps) to the management station, which you can configure to alert you.

What is SNMP?

There are three versions of SNMP -- v1, v2, and v3. Each has more features than the one before it. Most network admins today use v2, but v3 offers many more security features.

How does SNMP work? SNMP devices contain configured SNMP agents. The network management system (NMS) talks to the SNMP agents on each device.

The NMS could be a huge system such as HP OpenView or an application that's only there to track performance such as PRTG (which you can download from TechRepublic). For more detailed information on how SNMP works, check out Cisco's Simple Network Management Protocol (SNMP) white paper.

How can SNMP help me?

SNMP can do a variety of things. Here are some ways it has helped me:

  • It can graph Cisco router/switch bandwidth utilization over time, per interface, per direction, etc.
  • It can graph errors on network devices (e.g., CRC errors).
  • It can send alerts when an interface goes up or down.

Do I need an NMS?

Yes, you do need some kind of NMS to make SNMP useful. Configuring SNMP on its own really won't tell you anything. You need an NMS that you can configure to receive, report, and graph the SNMP information.

How can I configure SNMP monitoring?

To configure SNMP, I suggest starting off with the optional step of identifying your device. Here's an example:

Router(config)# snmp-server contact David Davis – Network Admin – 555-1212

Router(config)# snmp-server location Dallas, Texas, USA

Router(config)# snmp-server chassis-id Cisco2610-Router

Next, we need to configure SNMP so that the NMS can monitor it. There are a great many ways to configure SNMP. For this example, we'll configure the bare minimum to allow you to manage a Cisco router or switch.

To do this, we'll create a community string. Think of a community string as a password for certain types of access to the device. Let's configure this device to have a community string good for both reading and writing to the device. Here's an example:

Router(config)# snmp-server community MyCommunity972 RW

Now our NMS, wherever it is on the network, can both read (i.e., view) and write (i.e., change) device configurations and statistics. (With a more advanced NMS, you can use SNMP to make configuration changes on your device, but that isn't SNMP's most popular use.)

We set our community string to MyCommunity972 for this example. Of course, set it using your own internal complex password.

How can I configure SNMP to send alerts?

At this point, we could stop the configuration and use an NMS like PRTG to begin graphing bandwidth utilization on router or switch interfaces. But let's take it a step further and configure the router or switch to alert the NMS when an interface goes down or up. To do this, you could use a free open source NMS such as OpenNMS or a commercial NMS such as Ipswitch's WhatsUp.

We'll configure the router or switch to send an SNMP trap to host 192.168.1.23 (the NMS) with our community string so we know it's authentic. We want SNMP to send these traps if the interfaces go down or go up, or if someone reboots the router. Here are the commands:

Router(config)# snmp-server host 192.168.1.23 version 2c MyCommunity972

Router(config)# snmp-server enable traps snmp linkdown linkup coldstart warmstart

There are some SNMP vulnerabilities in certain versions of the Cisco IOS 12.0 to 12.3, so be cautious. Make sure you aren't using one of the vulnerable versions, and take steps to configure SNMP as securely as possible.
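As a check on the community configuration shown above, here is an added example (not part of the original article and not Cisco tooling) that audits the snmp-server community lines of a saved configuration for read-write access, a missing or undefined access list, and well-known strings. The function name audit_snmp, the WELL_KNOWN list, and both sample configurations are assumptions constructed for illustration.

```python
import re

# Constructed inputs (not from a real device): the article's commands, then a
# read-only variant restricted to the NMS address by a standard access list.
ARTICLE_CONFIG = """\
snmp-server community MyCommunity972 RW
snmp-server host 192.168.1.23 version 2c MyCommunity972
snmp-server enable traps snmp linkdown linkup coldstart warmstart
"""
RESTRICTED_CONFIG = """\
access-list 10 permit 192.168.1.23
snmp-server community MyCommunity972 RO 10
snmp-server host 192.168.1.23 version 2c MyCommunity972
"""
WELL_KNOWN = {"public", "private", "cisco"}  # assumed short list of guessable strings


def audit_snmp(config):
    """Return (community, finding) tuples for each snmp-server community line."""
    lines = [line.strip() for line in config.splitlines()]
    # Collect numbered and named access lists defined anywhere in the config.
    acls = set()
    for line in lines:
        m = re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line)
        if m:
            acls.add(m.group(1))
    findings = []
    for line in lines:
        if not line.startswith("snmp-server community "):
            continue
        tokens = line.split()[2:]
        name, rest = tokens[0], tokens[1:]
        if rest[:1] == ["view"]:          # skip an optional "view <name>" pair
            rest = rest[2:]
        mode = "RO"                       # IOS treats an omitted mode as read-only
        if rest and rest[0].upper() in ("RO", "RW"):
            mode = rest.pop(0).upper()
        acl = rest[0] if rest else None
        if mode == "RW":
            findings.append((name, "read-write access"))
        if acl is None:
            findings.append((name, "no access list"))
        elif acl not in acls:
            findings.append((name, f"access list {acl} not defined"))
        if name.lower() in WELL_KNOWN:
            findings.append((name, "well-known community string"))
    return findings
```

SNMP v1 and v2c send the community string unencrypted, so an access list narrows who can use it but does not hide it; v3 with authentication and encryption addresses that.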

While it's easy to configure SNMP, configurations can also get very complex. I highly recommend taking the first step of using SNMP to develop a baseline of your router's WAN interface utilization over time. From there, you could move on to more advanced uses for SNMP.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.


12 comments
banatoh

Hello people, I got a 3550 that is used in no switchport, with different IP addresses on it. I am trying to have SNMP per port, but I cannot get it to work... Any help? Thanks

colin

Nice. Thanks

JoeBeckner

This article provides a good bare minimum configuration for SNMP. To add some additional security to SNMP we can add an access list to the configuration as follows using the example:

router(config)#snmp-server community MyCommunity972 RW 10

router(config)#access-list 10 permit 192.168.1.23

Adding the 10 on the end of the snmp-server command references access-list 10, which will only allow the NMS with address 192.168.1.23 to access the router. This may be all the SNMP security a small network will need.

pmatusse

Hi David, Now I can't tell whether I've dreamed with this or I've seen it in one of your articles. My willing is to change all the passwords, which are equal on all my 70 routers on my Intranet, in one take. Can you please advise on how can I do this? Kind regards, Pedro Wiliamo Matusse, Telecomunicações de Moçambique (Mozambique Telecom), IT Department

ds2002

I configured SNMPv3 on my switches polling with WUG. WUG discovered new devices fine, but when trying to discover a new interface on that device, no joy! Also, when an interface went down it would show down, but when it came back up it would take ~15 mins to show the UP state, and sometimes not at all. Anybody have similar issues? Using authentication and encryption on switches for SNMPv3. Dave

layer.david42

You can configure Windows Task Scheduler to do this task, as Zone Alarm Pro itself does not support this function.

kcm

The use of Tool Command Language (TCL, pronounced "tickle") just may solve your problem. It's solved lots of mine! Go to Cisco's web site and get this document (Cisco IOS Scripting with Tcl), which is a document that illustrates how to write a tcl script to log in to a router, make configuration changes, save the changes, and go on to the next device in a list. There are a couple of other sites with short tutorials online which colleagues of mine have posted: Here's a good introductory article on tcl in general from NetMasterClass. Pete Welcher has a good example at the Chesapeake-NetCraftsmen website. To learn more about tcl, go to the Tcl Developer Exchange. Tcl also works on MS Windows; get it from ActiveState. Kelly

ds2002

I use KiwiCatTools (www.KiwiCatTools.com). It's a great tool; I write mem and back up configs on all 150 devices on my network once a week. It can do lots more also. DaveOS

Sebastian Zdrojewski

Why don't you consider a central password management system such as TACACS+ or RADIUS for all the devices? Giving RW grants to an SNMP device could lead to some security issues. I would suggest implementing password servers for the entire network, and SNMP for monitoring purpose.

JoeBeckner

I set up What's Up Gold for one of my clients recently monitoring a few dozen Cisco routers and switches, but never had a problem with interfaces not showing back up after being down. What kind of device are you having a problem with?
