⚡ What is SNMP?
SNMP (Simple Network Management Protocol) is a protocol used to monitor and manage network devices — routers, switches, firewalls, servers, printers — from a central location. It lets a network management system collect performance data (CPU usage, bandwidth, error rates), check device status, and make configuration changes remotely. SNMP uses UDP port 161 for queries and UDP port 162 for traps (alerts sent by devices). Three versions exist — SNMPv3 is the only one considered secure.

Why SNMP exists

Managing a network with hundreds of routers, switches, and servers individually would be impossible at scale. SNMP solves this by giving a central network management station (NMS) a standardised way to query any managed device for its current status and statistics — without logging into each device separately.

Think of it as a health-monitoring system for your entire network infrastructure. The NMS can poll every device every few minutes, collect data, graph trends, and send alerts when something goes wrong — all automatically.

🖥️
Central controller
SNMP Manager (NMS)
The network management station that sends queries and receives data. Runs monitoring software like SolarWinds, PRTG, or Nagios. Polls agents on a schedule and collects metrics.
📡
On each device
SNMP Agent
Software running on a managed device (router, switch, server) that responds to queries from the manager. Maintains a local database of device statistics called the MIB.
📊
Data store
MIB (Management Information Base)
A structured database of variables the agent can report — CPU load, interface status, bytes in/out, error counts. Each variable has a unique identifier called an OID.
🔔
Proactive alerts
SNMP Trap
Instead of waiting to be polled, the agent proactively sends a trap to the manager when a significant event occurs — a link going down, a threshold exceeded, a device rebooting.

How SNMP communication works

SNMP communication happens in two directions — the manager polling agents, and agents sending unsolicited traps. Both use UDP, which makes SNMP lightweight but also connectionless.

SNMP message types
GetRequest       Manager → Agent  (UDP 161)
                 Ask for the value of a specific OID
                 e.g. "What is the current CPU utilisation?"

GetNextRequest   Manager → Agent  (UDP 161)
                 Walk through the MIB tree sequentially

GetBulkRequest   Manager → Agent  (UDP 161) — SNMPv2c+
                 Retrieve large amounts of data efficiently

SetRequest       Manager → Agent  (UDP 161)
                 Change a value on the device
                 e.g. "Change the interface description"

GetResponse      Agent → Manager  (UDP 161)
                 Reply to any Get or Set request

Trap             Agent → Manager  (UDP 162)
                 Unsolicited alert — sent when an event occurs
                 e.g. link down, high temperature, auth failure

Inform           Agent → Manager  (UDP 162) — SNMPv2c+
                 Like a trap but requires acknowledgement
⚡ Port 161 vs port 162 — always tested

UDP 161 — SNMP queries (manager polling agents). The agent listens on 161.

UDP 162 — SNMP traps (agents sending alerts to manager). The manager listens on 162.

Memory trick: the manager asks on 161, the device tells on 162. Both are UDP — SNMP is connectionless by design to reduce overhead on managed devices.

OIDs and MIBs

Every piece of information an SNMP agent can report is identified by an OID (Object Identifier) — a dotted numeric string that uniquely identifies a variable in the global SNMP namespace. The collection of all OIDs a device supports is defined in its MIB (Management Information Base).

OID structure — example
1.3.6.1.2.1.1.1.0  → sysDescr — system description string
1.3.6.1.2.1.1.3.0  → sysUpTime — how long since last reboot
1.3.6.1.2.1.2.2.1.10.1  → ifInOctets — bytes received on interface 1
1.3.6.1.2.1.2.2.1.16.1  → ifOutOctets — bytes sent on interface 1

Structure: iso.org.dod.internet.mgmt.mib-2.interfaces...
Each number represents a branch in the OID tree

You don't need to memorise OIDs for the exam — but you do need to understand that OIDs are the addressing system SNMP uses to identify specific data points, and that the MIB is the schema defining which OIDs a device supports and what they mean.

SNMPv1 vs SNMPv2c vs SNMPv3

The version of SNMP in use determines the security level of your network monitoring. This is one of the most heavily tested SNMP topics — the exam will ask you to identify which version to use and why the older versions are security risks.

Version Authentication Encryption Status Key fact
SNMPv1 Community string (plaintext) None Avoid Original version. Community string sent in cleartext — trivial to intercept. No encryption whatsoever.
SNMPv2c Community string (plaintext) None Legacy Added GetBulk and Inform — more efficient. Still sends community strings in plaintext. No real security improvement over v1.
SNMPv3 Username + MD5/SHA hashing AES or 3DES Recommended Adds authentication, encryption, and message integrity. The only version that should be used in production environments.

Community strings — the SNMPv1/v2c security problem

SNMPv1 and SNMPv2c use community strings as a basic form of authentication — essentially a shared password included in every SNMP message. There are two types:

👁️
Read access
Read-Only Community String
Allows the manager to query (GET) data from the agent. Default value is almost always "public" — one of the most dangerously predictable defaults in networking.
✏️
Write access
Read-Write Community String
Allows the manager to both query and modify (SET) values on the device. Default is typically "private". An attacker with this string can change device configuration.
⚠️ Why SNMPv1/v2c are security risks

Community strings are sent in plaintext. Anyone capturing network traffic with a packet analyser can read them directly — no decryption needed. With the read-write community string, an attacker can reconfigure network devices remotely.

Default community strings ("public" and "private") are well-known and are actively scanned for by attackers. Devices left with defaults are trivially exploitable.

Best practice: Use SNMPv3 exclusively. If you must use v1/v2c, change community strings from defaults, restrict SNMP access via ACLs to only the management station's IP, and consider placing SNMP traffic on a dedicated out-of-band management VLAN.

SNMPv3 security model

SNMPv3 replaces community strings with a proper security framework using three configurable security levels:

SNMPv3 security levels
noAuthNoPriv   No authentication, no encryption
               Username only — still weak, not recommended

authNoPriv     Authentication (MD5 or SHA), no encryption
               Verifies identity but traffic still readable

authPriv       Authentication + Encryption (AES or 3DES)
               Full security — use this in production
               Credentials verified, traffic encrypted end-to-end
📌 SNMPv3 terminology the exam uses

USM (User-based Security Model) — handles authentication and encryption using named users and credentials rather than community strings.

VACM (View-based Access Control Model) — controls which OIDs a user can access, providing granular read/write permissions per user.

SNMP in network monitoring — real-world context

In practice, SNMP is what powers most enterprise network monitoring platforms. Tools like SolarWinds NPM, PRTG, Nagios, Zabbix, and LibreNMS all use SNMP to collect metrics from managed devices.

A typical deployment polls every managed device every 5 minutes, collects interface traffic counters, CPU and memory utilisation, and interface error rates, then graphs the data over time. SNMP traps provide near-real-time alerting — a switch sending a trap the moment a port goes down is far faster than waiting for the next polling cycle.

⚡ SNMP exam summary — what to know cold

Port 161 UDP — SNMP queries (manager to agent). Port 162 UDP — SNMP traps (agent to manager).

SNMPv1/v2c — community strings in plaintext, security risk. SNMPv3 — username/password + AES encryption, the only secure version.

Trap = unsolicited alert from agent to manager. Poll/Get = manager asking agent for data. Set = manager changing a value on the device.

MIB = the schema of what data a device can report. OID = the unique identifier for each data point within the MIB.

Exam scenarios

💬 "Which protocol is used to monitor and manage network devices from a central management station?" → SNMP (Simple Network Management Protocol)
💬 "A network administrator receives an alert from a switch that an interface went down. The switch sent this notification without being polled. What is this called?" → An SNMP trap — sent proactively by the agent to the manager on UDP port 162
💬 "Which port does an SNMP agent listen on for queries from the management station?" → UDP port 161
💬 "Which SNMP version sends community strings in cleartext, making it a security risk?" → SNMPv1 and SNMPv2c — both transmit community strings unencrypted
💬 "Which SNMP version should be used in a production environment that requires authentication and encryption?" → SNMPv3 with authPriv security level — provides both authentication (SHA) and encryption (AES)
💬 "A security audit finds that all network devices have SNMP enabled with the community string set to 'public'. What is the risk?" → Any attacker on the network can query all device data — 'public' is the well-known default read-only community string for SNMPv1/v2c
💬 "What is the database called that defines all the variables an SNMP agent can report?" → MIB — Management Information Base
💬 "An SNMP community string grants read-write access to managed devices. What is the risk if this string is intercepted?" → An attacker could use the SetRequest operation to modify device configuration remotely

Studying for Network+?

The N10-009 study guide, Dion Training practice exams, and Professor Messer's free course.

See Network+ Resources →

Related Articles

What is NTP? Network+ Cheat Sheet Port Numbers Reference Network Troubleshooting Commands Firewall Basics Explained VLANs Explained What is a Switch? How to Pass Network+ Best Network+ Resources