CCNA 200-301 | Chapter 80 of 260 | Objective 4.5

SNMP v2c vs v3

SNMP is the backbone of network monitoring — without it, you'd be logging into every switch and router to check interface stats, CPU load, or error counters. For the CCNA 200-301 exam (objective 4.5), you need to understand the critical differences between SNMPv2c and SNMPv3, especially around security. In real networks, choosing the wrong version can expose your entire infrastructure to attackers or break monitoring entirely. This chapter will give you the exact knowledge to pass the exam and configure SNMP securely in production.

25 min read
Intermediate
Updated May 31, 2026

SNMP v2c vs v3: A Gated Community

Imagine a gated community with a security guard at the entrance. SNMPv2c is like a community where the guard only checks that you know the community name — like a simple password that everyone shares. If you say 'SunsetGlen' at the gate, you're in. You can walk around, read mailboxes (GET), leave packages (SET), and even listen to conversations (traps). The problem? Anyone who overhears 'SunsetGlen' can reuse it. There's no encryption, no authentication beyond that shared phrase, and no way to know if a message was tampered with. This is exactly how SNMPv2c works: it uses community strings (like 'public' or 'private') sent in plaintext. Any attacker with a packet sniffer can grab these strings and gain full read-write access to your network devices.

SNMPv3, on the other hand, is like a community with three layers of security: a guard who checks your photo ID (authentication), a sealed envelope for your messages (encryption), and a tamper-evident seal (integrity). You don't just say a password — you provide a username and a hashed authentication key. Even if someone intercepts your credentials, they can't reuse them because the authentication uses a challenge-response mechanism. Your messages are encrypted so no one can read them in transit. And if someone tries to modify a message, the receiver will detect it. This is the security model of SNMPv3: it offers noAuthNoPriv (just a username, no security), authNoPriv (MD5 or SHA authentication, no encryption), and authPriv (authentication plus DES or AES encryption). The exam expects you to know these three security levels and when to use each. In short: v2c is fast and simple but insecure; v3 is slower due to crypto overhead but essential for any network that crosses untrusted links or touches the internet.

How It Actually Works

What is SNMP and Why Does It Exist?

Simple Network Management Protocol (SNMP) is an application-layer protocol used to collect and organize information about managed devices on IP networks. It allows network administrators to monitor device health, detect failures, and even change configurations remotely. SNMP operates over UDP (ports 161 for queries, 162 for traps) and is defined by the IETF in RFCs 1157 (v1), 1901-1908 (v2c), and 3410-3418 (v3). The 'c' in v2c stands for 'community' — the original security model from v1 that v2c inherited.

SNMP Components

SNMP has three key components: the managed device (e.g., router, switch) running an SNMP agent, the Network Management Station (NMS) running the SNMP manager, and the Management Information Base (MIB) — a hierarchical database of object identifiers (OIDs) that define what can be monitored or controlled. The agent collects data from the device's MIB and responds to manager requests. The manager can issue GET, GETNEXT, GETBULK (v2c/v3), and SET requests. Agents can also send unsolicited TRAP or INFORM messages to the manager to alert about events.

SNMPv2c: The Community String Model

SNMPv2c uses a simple, password-like authentication mechanism: the community string. This string is sent in plaintext in every SNMP message. There are typically two community strings: one for read-only access (often 'public') and one for read-write access (often 'private'). The agent compares the incoming community string against its configured strings. If they match, the request is processed; otherwise, it's dropped. This is essentially no security — anyone with a sniffer can capture the community string and gain full access. v2c also improved over v1 by adding GETBULK (to retrieve large tables efficiently) and more detailed error codes. However, security was not addressed.

SNMPv3: The Security Model

SNMPv3 introduces a user-based security model (USM) and view-based access control model (VACM). It provides three security levels:

noAuthNoPriv: Uses a username only, no authentication or encryption. This is equivalent to v2c in terms of security but with a username instead of a community string. Not recommended for production.

authNoPriv: Provides authentication (MD5 or SHA) to verify the message origin and integrity, but no encryption. The message is still sent in plaintext, so payloads can be read.

authPriv: Provides both authentication and encryption (DES, 3DES, or AES). This is the most secure level.

Authentication uses a shared secret key (the auth key) that is never sent over the wire. Instead, a hash is computed and included in the message. Encryption uses a separate privacy key. Both keys are derived from a passphrase configured on the manager and agent.

SNMP Message Flow

1. The NMS sends a GET request to the agent on UDP port 161. The request includes the community string (v2c) or username/security parameters (v3).

2. The agent receives the request, checks security (community string or authentication), looks up the requested OID in its MIB, and sends a GET-RESPONSE back to the NMS on port 161.

3. For traps, the agent sends an unsolicited TRAP message to the NMS on UDP port 162. The NMS does not acknowledge traps (v2c/v3). INFORM messages (v2c/v3) are acknowledged, providing reliable delivery.
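What the v2c request from step 1 actually looks like on the wire, as an added example (not code from this chapter): it encodes a GetRequest for sysDescr.0 with the community 'public', then parses the same datagram the way a sniffer on the path, or a defensive monitor watching UDP/161, would recover the community string described in the SNMPv2c section above. The audit rule that flags the default strings is an assumption added here, not something the chapter or Cisco provides.

```python
"""SNMPv2c GetRequest encoder plus the parse a sniffer (or a defensive
monitor) would do on the same bytes. Added example, not code from the
chapter; 'public' and sysDescr.0 are the chapter's own sample values."""

DEFAULT_COMMUNITIES = {"public", "private"}   # the chapter's weak defaults

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x82 + 2 bytes) above."""
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def encode_int(value: int) -> bytes:   # ASN.1 INTEGER, non-negative values only
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:                    # base 128, high bit = more follows
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def v2c_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (1 = v2c), community, PDU }."""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")        # OID, NULL value
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))                            # GetRequest-PDU
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos); handles short and long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def community_from_datagram(dgram: bytes):
    """What a sniffer recovers from a v1/v2c packet; None for v3 (no community)."""
    tag, msg, _ = read_tlv(dgram, 0)
    if tag != 0x30:
        return None
    _, version, pos = read_tlv(msg, 0)
    if int.from_bytes(version, "big") not in (0, 1):          # 3 = SNMPv3
        return None
    tag, community, _ = read_tlv(msg, pos)
    return community.decode("latin-1") if tag == 0x04 else None

def audit_datagram(dgram: bytes) -> str:
    """Classify a captured UDP/161 payload for a monitoring rule (assumed rule)."""
    community = community_from_datagram(dgram)
    if community is None:
        return "v3-or-unparsed"
    return "default-community" if community in DEFAULT_COMMUNITIES else "v2c"
```

Calling `v2c_get_request("public", "1.3.6.1.2.1.1.1.0")` yields a 40-byte datagram in which the ASCII bytes of `public` sit right after the version field, which is all a sniffer needs to replay the credential against the agent.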

Key Differences Between v2c and v3

| Feature | SNMPv2c | SNMPv3 |
|---------|---------|--------|
| Security | Community string (plaintext) | Username + auth/privacy keys |
| Authentication | None (string match only) | MD5, SHA |
| Encryption | None | DES, 3DES, AES |
| Message Integrity | None | Yes (via hash) |
| Complexity | Low | Higher (key management) |
| Overhead | Low | Higher (crypto processing) |
| Backward Compatible | Yes, with v1 | No (different message format) |

IOS Configuration Examples

To configure SNMPv2c on a Cisco device:

```
! Set the read-only community string
snmp-server community public RO

! Set the read-write community string
snmp-server community private RW

! Specify the NMS host to receive traps
snmp-server host 192.168.1.100 traps version 2c public

! Enable traps
snmp-server enable traps
```

To configure SNMPv3 with authPriv:

```
! Create an SNMP group with security model v3 and privacy
snmp-server group ADMIN v3 priv

! Create a user and assign to the group
snmp-server user netadmin ADMIN v3 auth sha MyAuthKey priv aes 128 MyPrivKey

! Specify the NMS host to receive traps (v3, user netadmin)
snmp-server host 192.168.1.100 traps version 3 priv netadmin

! Enable traps
snmp-server enable traps
```

Verification Commands

Use `show snmp` to display SNMP status, including community strings (v2c) or users (v3). Use `show snmp user` to list SNMPv3 users. Use `show snmp group` to list groups.

Example output:

```
Router# show snmp
Chassis: FTX1234567
Contact: admin@example.com
Location: Data Center
SNMP packets input: 0
SNMP packets output: 0
...
Community strings:
   Community 'public' - Access: RO
   Community 'private' - Access: RW
...
Router# show snmp user
User name: netadmin
Engine ID: 800000090300001122334455
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: ADMIN
```

Interaction with Other Protocols

SNMP often works with syslog for logging events. While syslog sends text messages, SNMP traps are structured and can be parsed automatically by NMS. SNMP can also be used with NetFlow for traffic monitoring, but NetFlow is a separate protocol. For device discovery, SNMP is used to poll ARP tables and routing tables. ACLs can be used to restrict SNMP access to trusted NMS hosts only.

Walk-Through

1. Assess Security Requirements

Before configuring SNMP, determine whether your network needs authentication and encryption. If devices are on a trusted, isolated management network, v2c may be acceptable. If SNMP traffic traverses the internet or untrusted links, or if compliance (e.g., PCI-DSS) requires encryption, use v3 with authPriv. On the exam, look for keywords like 'secure', 'encrypted', 'authenticated' — that points to v3 authPriv. If the question mentions 'simple configuration' or 'legacy device', v2c may be the answer.

2. Configure SNMPv2c Community Strings

On the Cisco device, use `snmp-server community <string> RO` for read-only access and `snmp-server community <string> RW` for read-write. The community string acts like a password. For example: `snmp-server community public RO` and `snmp-server community private RW`. Avoid using default strings like 'public' or 'private' in production. The exam may test that v2c sends community strings in plaintext — a key security flaw.

3. Configure SNMPv3 Users and Groups

First create a group with the security level: `snmp-server group <group-name> v3 <noauth|auth|priv>`. Then create a user assigned to that group: `snmp-server user <username> <group-name> v3 auth {md5|sha} <auth-password> [priv {des|3des|aes {128|192|256}} <priv-password>]`. For authPriv, both auth and priv clauses are required. Example: `snmp-server user admin ADMIN v3 auth sha MyAuthKey priv aes 128 MyPrivKey`. Note that the passwords are not stored as plaintext; they are used to derive keys.
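What happens to 'MyAuthKey' from the command above, as an added example (not the chapter's own code and not Cisco's implementation): the RFC 3414 passphrase-to-key and key-localization steps that turn the auth passphrase into the per-device key the agent stores, and the truncated HMAC that goes on the wire instead of the key, which is what the 'SNMPv3: The Security Model' section means when it says a hash is sent rather than the auth key. The engine ID is the one in the `show snmp user` output earlier; the message bytes are constructed.

```python
"""SNMPv3 USM key handling (RFC 3414): passphrase -> master key Ku ->
per-engine localized key Kul -> 12-byte HMAC on the wire. Added example,
not the chapter's or Cisco's code; message bytes below are constructed."""
import hashlib
import hmac

HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}   # the exam's auth choices

def password_to_key(password: str, algo: str) -> bytes:
    """RFC 3414 A.2: hash the passphrase repeated out to 1,048,576 bytes.
    The stretching makes offline guessing from a captured tag costlier."""
    pw = password.encode()
    reps, rem = divmod(1_048_576, len(pw))
    return HASHES[algo](pw * reps + pw[:rem]).digest()        # Ku

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). Same passphrase on a
    different agent gives a different key, so a key recovered from one
    device does not work on another."""
    return HASHES[algo](ku + engine_id + ku).digest()

def localized_auth_key(passphrase: str, engine_id_hex: str, algo: str) -> bytes:
    """What 'snmp-server user ... auth sha <passphrase>' ends up storing:
    the localized key, not the passphrase (hence 'not stored as plaintext')."""
    ku = password_to_key(passphrase, algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo)

def auth_tag(kul: bytes, wire_msg: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (with this
    12-byte field zeroed) truncated to 96 bits. The key never goes on the wire."""
    return hmac.new(kul, wire_msg, HASHES[algo]).digest()[:12]

def verify_tag(kul: bytes, wire_msg: bytes, tag: bytes, algo: str) -> bool:
    """Receiver recomputes the HMAC; any altered byte fails the check."""
    return hmac.compare_digest(auth_tag(kul, wire_msg, algo), tag)

if __name__ == "__main__":
    engine = "800000090300001122334455"      # engine ID from show snmp user
    kul = localized_auth_key("MyAuthKey", engine, "sha")
    msg = b"constructed SNMPv3 message bytes"  # stand-in for the BER message
    tag = auth_tag(kul, msg, "sha")
    print(kul.hex(), tag.hex())
    print(verify_tag(kul, msg, tag, "sha"), verify_tag(kul, msg + b"!", tag, "sha"))
```

The functions reproduce the RFC 3414 Appendix A test vectors (passphrase 'maplesyrup', engine ID 00...02), which is the quickest way to confirm an implementation before trusting it against real devices.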

4. Configure SNMP Trap Destination

Specify where to send traps using `snmp-server host <ip-address> [traps|informs] version <1|2c|3> [noauth|auth|priv] <community-or-username>`. For v2c: `snmp-server host 192.168.1.100 traps version 2c public`. For v3: `snmp-server host 192.168.1.100 traps version 3 priv netadmin`. Use `snmp-server enable traps` to enable the traps you want (e.g., snmp-server enable traps snmp linkdown linkup). The exam may ask about the difference between traps (unacknowledged) and informs (acknowledged).

5. Verify SNMP Configuration

Use `show snmp` to see overall status, community strings (v2c), and user info (v3). Use `show snmp user` and `show snmp group` for v3 details. Use `show running-config | include snmp` to see the running config. Also, test from the NMS by sending a GET request (e.g., using snmpget command). If the NMS cannot reach the device, check ACLs and UDP ports 161/162. On the exam, you may be given output from `show snmp` and asked to identify the security level or community strings.

6. Secure SNMP with ACLs

To restrict SNMP access to specific NMS hosts, use an ACL and apply it with `snmp-server community <string> RO <acl-number>` or `snmp-server group <group-name> v3 priv access <acl-number>`. For example: `access-list 10 permit host 192.168.1.100` then `snmp-server community public RO 10`. This ensures only the NMS can poll the device. Without ACLs, any device that can reach the SNMP port can attempt to read the MIB. The exam often tests this as a best practice for both v2c and v3.

What This Looks Like on the Job

In a large enterprise with hundreds of routers and switches, SNMPv2c is still widely used on isolated management networks. For example, a data center might have a dedicated out-of-band management network where all devices are connected to a separate VLAN, and the NMS is the only host in that VLAN. In this scenario, v2c is acceptable because the network is physically and logically isolated. However, if the management traffic must traverse a shared network (e.g., the corporate WAN), v3 is mandatory. I once worked with a financial institution that had to comply with PCI-DSS; they used SNMPv3 with authPriv (SHA and AES-128) across all devices. The overhead was noticeable — CPU usage on older routers increased by 5-10% due to crypto operations — but it was necessary for compliance.

Another common scenario is monitoring remote branch offices. The branch router connects to the head office over the internet via VPN. SNMPv2c traffic over the internet would be a security nightmare. So we configured SNMPv3 on the branch routers and the head-end NMS. We also used ACLs to restrict SNMP access to only the NMS IP. Misconfiguration can be disastrous: if the auth or privacy keys don't match between the agent and manager, the device becomes unmanageable via SNMP. You'll get timeouts and no data. In one case, a junior engineer typed the wrong auth password (case-sensitive) and the entire branch was unmonitored for a day until we corrected it. Always use a consistent key management process, like storing keys in a secure vault.

Performance considerations: v3 with encryption adds latency to each SNMP poll. For large MIB walks (e.g., reading the entire routing table), the time can double. Some organizations use v2c for bulk data collection and v3 for critical alerts. Also, traps are lightweight; the overhead of v3 on trap messages is minimal. In production, you might configure v2c on thousands of devices for polling and v3 only for write-access (SET) and traps. The exam doesn't test these nuances, but understanding them helps you choose the right answer in scenario questions.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 4.5 covers 'Configure and verify SNMP (v2c and v3)'. Expect 2-4 questions on SNMP, typically comparing v2c and v3, or asking you to identify the correct configuration command. The most common wrong answers stem from confusing the security levels of v3. Candidates often think 'authNoPriv' provides encryption — it does not. Another trap: assuming v3 is backward compatible with v2c. It is not; they use different message formats. A third trap: thinking that community strings in v2c are encrypted. They are sent in plaintext. A fourth: forgetting that SNMP uses UDP, not TCP. Questions about ports: 161 for manager-agent communication, 162 for traps.

Specific values to memorize: v3 security levels: noAuthNoPriv (username only), authNoPriv (MD5/SHA auth, no encryption), authPriv (auth + DES/3DES/AES encryption). Default community strings often shown as 'public' (RO) and 'private' (RW). The command to set a user: `snmp-server user <name> <group> v3 auth sha <password> priv aes 128 <password>`. The command to set a trap host: `snmp-server host <ip> traps version 3 priv <username>`.

For scenario questions, use this elimination strategy: If the question mentions 'secure', 'encrypted', 'authenticated', eliminate v2c and v3 noAuthNoPriv. If it says 'simple', 'legacy', or 'no security', pick v2c or v3 noAuthNoPriv. If it mentions 'MD5' or 'SHA', it's v3 with auth. If it mentions 'DES' or 'AES', it's v3 with priv. Watch for 'which version supports encryption?' — only v3 authPriv. Also, remember that v2c supports GETBULK, which v1 does not. But the exam focuses on v2c vs v3.

Finally, be ready to interpret show snmp output. If you see 'Community strings' with a string name, it's v2c. If you see 'User name' and 'Authentication Protocol', it's v3. The exam may show partial output and ask you to identify the version or security level.

Key Takeaways

- SNMPv2c uses community strings sent in plaintext; no authentication or encryption.
- SNMPv3 offers three security levels: noAuthNoPriv, authNoPriv, and authPriv.
- authPriv provides both authentication (MD5/SHA) and encryption (DES/3DES/AES).
- SNMP uses UDP port 161 for queries and port 162 for traps.
- Traps are unacknowledged; informs are acknowledged (v2c and v3).
- The command to create an SNMPv3 user is: `snmp-server user <name> <group> v3 auth {md5|sha} <password> priv {des|3des|aes} <password>`.
- Use ACLs to restrict SNMP access to trusted NMS hosts.
- v2c and v3 are not backward compatible; they use different message formats.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SNMPv2c:

- Uses community strings (plaintext).
- No authentication or encryption.
- Simple configuration.
- Supported on all devices.
- No user-based access control.

SNMPv3:

- Uses usernames and keys.
- Provides authentication (MD5/SHA) and encryption (DES/3DES/AES).
- More complex configuration.
- Requires crypto support; may impact CPU.
- User-based access control (VACM).

Watch Out for These

Mistake: SNMPv3 authNoPriv provides encryption.

Correct: authNoPriv provides authentication (MD5 or SHA) but no encryption. The message payload is still sent in plaintext. Only authPriv provides encryption.

The word 'auth' might imply security, but 'NoPriv' explicitly means no privacy (encryption).

Mistake: SNMPv2c community strings are encrypted.

Correct: Community strings are sent in plaintext over the network. Anyone with a packet sniffer can capture them.

Many assume that because it's a 'password', it must be hidden. But v2c has no encryption mechanism.

Mistake: SNMPv3 can use the same community strings as v2c.

Correct: SNMPv3 uses usernames and keys, not community strings. There is no backward compatibility in terms of security credentials.

The exam sometimes presents a mixed environment; candidates may incorrectly assume v3 can fall back to v2c authentication.

Mistake: SNMP uses TCP for reliable delivery.

Correct: SNMP uses UDP. Traps are unacknowledged; informs use UDP but are acknowledged at the application layer.

Many protocols use TCP, so candidates default to TCP. But SNMP is lightweight and uses UDP to minimize overhead.

Frequently Asked Questions

What is the difference between SNMPv2c and SNMPv3?

The main difference is security. SNMPv2c uses community strings sent in plaintext, providing no real security. SNMPv3 offers user-based authentication (MD5/SHA), encryption (DES/3DES/AES), and message integrity. v3 also supports view-based access control (VACM). v2c is simpler but insecure; v3 is more complex but secure. For the exam, remember that v3 is the only version that supports encryption.

Can SNMPv3 and SNMPv2c coexist on the same device?

Yes, a device can be configured to support both SNMPv2c and SNMPv3 simultaneously. You can configure community strings for v2c and users for v3. The agent will respond based on the version in the request. However, the NMS must use the appropriate version and credentials. This is common during migration from v2c to v3.

What is the default SNMP community string on Cisco devices?

Cisco devices ship with no community string configured. However, many older devices or configurations use 'public' for read-only and 'private' for read-write. The exam may present these as examples. Always configure custom strings and use ACLs to restrict access.

What ports does SNMP use?

SNMP uses UDP port 161 for manager-to-agent communication (GET, SET, etc.) and UDP port 162 for agent-to-manager traps and informs. The exam may ask you to identify these ports.

What is the difference between a trap and an inform?

A trap is an unsolicited message from agent to manager that is not acknowledged. An inform is also unsolicited but requires an acknowledgment from the manager, providing reliable delivery. Informs consume more resources because the manager must send an acknowledgment. Both are supported in v2c and v3.

How do I verify SNMPv3 configuration on a Cisco device?

Use 'show snmp user' to list users and their authentication/privacy protocols. Use 'show snmp group' to see groups and security levels. Use 'show snmp' for overall status. Example: 'show snmp user' might show 'User name: admin, Authentication Protocol: SHA, Privacy Protocol: AES128'.

Why is SNMPv2c still used if it's insecure?

SNMPv2c is simpler to configure and has lower overhead. In isolated management networks where physical security is strong, the risk is acceptable. Many legacy devices do not support v3. Also, v2c supports GETBULK, which is useful for large data retrieval. The exam expects you to know both versions and when to use each.
