N10-009 | Chapter 20 of 163 | Objective 3.3

Network Monitoring Tools and SNMP

This chapter covers network monitoring tools and the Simple Network Management Protocol (SNMP), a foundational technology for collecting and managing device information across a network. For the N10-009 exam, understanding SNMP versions, MIBs, OIDs, and traps is critical, as it appears in roughly 5-8% of questions within Network Operations (Objective 3.3). You will learn the mechanics of SNMP operations, how to configure monitoring tools, and how to interpret SNMP data to troubleshoot and optimize network performance.

Updated May 31, 2026

SNMP Like a Building Management System

Imagine a large office building with hundreds of rooms, each containing environmental sensors (temperature, humidity, smoke) and actuators (HVAC dampers, lighting controls). The building has a central management console where a facility manager monitors conditions. Each sensor and actuator is a managed device. The manager cannot physically inspect every room, so a standardized protocol is needed. The building uses a 'Building Management Protocol' (BMP) where each sensor has a unique address (like an OID) and reports data on request. The manager's console sends a 'get' message (like SNMP GET) to a sensor to read temperature, or a 'set' message (like SNMP SET) to adjust a damper. Some sensors are configured to autonomously send alerts (like an SNMP TRAP) when smoke is detected. The manager also periodically sweeps through every sensor in turn (like an SNMP GETNEXT or GETBULK walk) to log conditions. For security, the BMP uses a shared password that every console and sensor knows (like SNMP v1/v2c community strings) or per-user credentials with authentication and encryption (like SNMPv3). If a sensor fails to respond, the manager logs an alert. This mirrors SNMP: a manager polls agents (devices) using OIDs to read or write variables in a MIB, and agents can send unsolicited traps to the manager.

How It Actually Works

What is Network Monitoring and Why It Exists

Network monitoring is the systematic collection and analysis of data from network devices (routers, switches, firewalls, servers, etc.) to ensure availability, performance, and security. Without monitoring, administrators are blind to outages, congestion, or security breaches until users complain. Monitoring tools like SolarWinds, PRTG, Zabbix, and Nagios rely on protocols such as SNMP, NetFlow, and syslog to gather metrics. The CompTIA Network+ N10-009 exam focuses on SNMP as the primary protocol for reading device status and configuration.

SNMP Architecture

SNMP (Simple Network Management Protocol) is an application-layer protocol defined in RFC 1157 (v1), RFC 1901-1908 (v2c), and RFC 3410-3418 (v3). It operates over UDP ports 161 (queries) and 162 (traps). The architecture consists of three components:

SNMP Manager: The central system (e.g., a monitoring server) that sends requests to agents and receives responses or traps.

SNMP Agent: Software running on a managed device (router, switch, printer) that collects local information and responds to manager queries.

Management Information Base (MIB): A hierarchical database that defines the variables (objects) the agent can report. Each variable has a unique Object Identifier (OID), e.g., 1.3.6.1.2.1.1.1.0 for system description.

How SNMP Operates: The Mechanism

SNMP uses a request-response model. SNMPv1 defines five PDU types (GET, GETNEXT, SET, RESPONSE and TRAP); SNMPv2c adds GETBULK and INFORM, and SNMPv3 carries the same v2 PDUs inside its security wrapper:
- GET: Manager requests the value of one or more specific OIDs from an agent.
- GETNEXT: Manager requests the OID that follows the given one in the MIB tree (used for walking the MIB).
- GETBULK (v2c/v3): Manager requests a large block of successive OIDs in one request (replaces repeated GETNEXT).
- SET: Manager writes a value to an agent (e.g., changes a configuration setting); requires read-write access.
- RESPONSE: Agent answers a GET, GETNEXT, GETBULK or SET with the requested values or an error.
- TRAP: Agent sends an unsolicited alert to the manager (e.g., interface down); not acknowledged.
- INFORM (v2c/v3): Like a trap, but the receiver acknowledges it with a RESPONSE and the sender retransmits if no acknowledgment arrives.

When a manager sends a GET request for OID 1.3.6.1.2.1.2.2.1.10.1 (ifInOctets on interface 1), the agent looks up the OID in its MIB, retrieves the current counter value (e.g., 1,234,567,890 octets), and sends a response containing the value. The manager then calculates bandwidth utilization by comparing two samples over time. Note that ifInOctets is a 32-bit Counter32 that wraps back to zero after 4,294,967,295 octets, which a saturated gigabit link reaches in about 34 seconds; for high-speed interfaces, managers poll the 64-bit ifHCInOctets (1.3.6.1.2.1.31.1.1.1.6) and ifHCOutOctets (1.3.6.1.2.1.31.1.1.1.10) from the IF-MIB instead.
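To make the exchange concrete, here is an added example (not code from the chapter or from any vendor) that builds the exact SNMPv2c bytes a manager sends to UDP/161 for the GET described above, parses a constructed GetResponse carrying sysDescr, ifInOctets.1 and a noSuchInstance exception, and builds a constructed linkDown trap. It touches no network: the agent side is simulated with the same encoder, and the community string, OIDs, request-id and values are constructed inputs. The hex dump shows why v1/v2c count as cleartext: the community string sits in the packet as plain ASCII right after the version field.

```python
"""SNMPv2c GET, GetResponse and Trap on the wire (BER). Added example, not from the chapter.
Nothing is transmitted; agent-side messages are built locally, so it runs offline.
Community string, OIDs, request-id and values are constructed inputs."""

# PDU tags (context-specific, constructed) from RFC 3416
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest",
             0xA5: "GetBulkRequest", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
GET_REQUEST, GET_RESPONSE, TRAP_V2 = 0xA0, 0xA2, 0xA7
EXCEPTIONS = {0x80: "noSuchObject", 0x81: "noSuchInstance", 0x82: "endOfMibView"}  # v2c, empty content
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, COUNTER32, GAUGE32, TIMETICKS = 0x02, 0x04, 0x05, 0x06, 0x30, 0x41, 0x42, 0x43

def _tlv(tag, body):
    """BER tag-length-value; short-form length below 128, long form up to 65535."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def encode_uint(value, tag=INTEGER):
    """Non-negative INTEGER or Counter32/Gauge32/TimeTicks; a leading 0x00 keeps the top bit clear."""
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def encode_oid(oid):
    """Dotted OID: first two arcs packed into one byte, the rest base-128 with a continuation bit."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(OID, bytes(body))

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def build_message(community, pdu_type, request_id, varbinds, error_status=0, error_index=0):
    """SEQUENCE { version INTEGER 1 (=v2c), community OCTET STRING, PDU { request-id, error-status,
    error-index, SEQUENCE OF { OID, value } } }. varbinds is a list of (oid, encoded value);
    a GET uses NULL (05 00) as the value the agent is to fill in."""
    vbl = b"".join(_tlv(SEQUENCE, encode_oid(oid) + value) for oid, value in varbinds)
    pdu = _tlv(pdu_type, encode_uint(request_id) + encode_uint(error_status)
               + encode_uint(error_index) + _tlv(SEQUENCE, vbl))
    return _tlv(SEQUENCE, encode_uint(1) + _tlv(OCTET_STRING, community.encode()) + pdu)

def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_value(tag, body):
    if tag in (INTEGER, COUNTER32, GAUGE32, TIMETICKS):
        return int.from_bytes(body, "big", signed=(tag == INTEGER))
    if tag == OCTET_STRING:
        return body.decode("ascii", errors="replace")
    if tag == OID:
        return decode_oid(body)
    return None if tag == NULL else EXCEPTIONS.get(tag, f"unhandled tag 0x{tag:02x}")

def parse_message(data):
    """Parse a v1/v2c message; the community string is read straight from the cleartext bytes."""
    _, msg, _ = _read_tlv(data)
    _, version, pos = _read_tlv(msg)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, pos = _read_tlv(pdu)
    _, status, pos = _read_tlv(pdu, pos)
    _, _index, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, q = _read_tlv(vb)
        vtag, val, _ = _read_tlv(vb, q)
        varbinds.append((decode_oid(oid), _decode_value(vtag, val)))
    return {"version": "v2c" if version[0] == 1 else "v1", "community": community.decode(),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "request_id": int.from_bytes(rid, "big"),
            "error_status": int.from_bytes(status, "big"), "varbinds": varbinds}

if __name__ == "__main__":
    # Manager -> agent: GET sysDescr.0 and ifInOctets.1 with community 'public' (constructed)
    req = build_message("public", GET_REQUEST, 42,
                        [(o, b"\x05\x00") for o in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.2.2.1.10.1")])
    print(req.hex())  # 'public' appears as 7075626c6963 right after the 0406 tag/length
    # Agent -> manager: same request-id; sysDescr as OCTET STRING, ifInOctets.1 as Counter32, and an
    # unsupported instance answered with the v2c noSuchInstance exception instead of an error
    resp = build_message("public", GET_RESPONSE, 42, [
        ("1.3.6.1.2.1.1.1.0", _tlv(OCTET_STRING, b"Cisco IOS Software")),
        ("1.3.6.1.2.1.2.2.1.10.1", encode_uint(1234567890, COUNTER32)),
        ("1.3.6.1.2.1.2.2.1.10.99", b"\x81\x00")])
    print(parse_message(resp))
    # Unsolicited linkDown trap to UDP/162: sysUpTime.0, snmpTrapOID.0 = linkDown, then ifIndex.3
    trap = build_message("public", TRAP_V2, 7, [
        ("1.3.6.1.2.1.1.3.0", encode_uint(123456, TIMETICKS)),
        ("1.3.6.1.6.3.1.1.4.1.0", encode_oid("1.3.6.1.6.3.1.1.5.3")),
        ("1.3.6.1.2.1.2.2.1.1.3", encode_uint(3))])
    print(parse_message(trap))
```

The first line printed is the 40-byte GetRequest; anyone who captures that datagram on the path has the community string, which is the whole argument for SNMPv3 authPriv or, at minimum, ACL-restricted SNMP.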

SNMP Versions and Security

SNMPv1: The original (RFC 1157). Its only authentication is a community string sent in cleartext; the well-known defaults are 'public' (read-only) and 'private' (read-write). There is no encryption, and anyone who can capture a packet can reuse the string, so it is highly insecure. Still used in lab environments but deprecated in production.

SNMPv2c: Improved protocol efficiency (GETBULK, INFORM and 64-bit Counter64 counters) but the same weak security: community strings in cleartext. The 'c' stands for 'community-based'.

SNMPv3: Adds the User-based Security Model (USM): per-user authentication (HMAC-MD5 or HMAC-SHA; SHA-2 variants are defined in RFC 7860) and encryption (DES or AES-128), plus the View-based Access Control Model (VACM) to limit which OIDs a user may read or write. Each user runs at one of three security levels, noAuthNoPriv, authNoPriv or authPriv, and only authPriv encrypts; a v3 user configured at authNoPriv still sends its data in cleartext. A secure production deployment means authPriv with SHA and AES.

Exam Tip: The exam asks which SNMP version provides encryption and authentication – answer is v3. Also, v2c supports GETBULK but lacks security.

MIBs and OIDs

A MIB is a text file (written in ASN.1/SMI) that defines the structure of managed objects. OIDs are numeric labels in a tree hierarchy, e.g., 1.3.6.1.2.1 corresponds to iso.org.dod.internet.mgmt.mib-2. Common OIDs include:
- 1.3.6.1.2.1.1.1.0 – sysDescr (system description)
- 1.3.6.1.2.1.1.3.0 – sysUpTime (time since last reboot, in hundredths of a second)
- 1.3.6.1.2.1.2.2.1.10.1 – ifInOctets, interface 1
- 1.3.6.1.2.1.2.2.1.16.1 – ifOutOctets, interface 1

Managers use MIB files to translate numeric OIDs into human-readable names. Without the MIB, the manager sees only numbers.

Traps and Notifications

Traps are event-driven messages from agent to manager. SNMPv1 defines seven generic trap types (RFC 1157; RFC 1215 defines the TRAP-TYPE macro used to write them):
- coldStart: Agent has started or restarted and its configuration may have changed (typically a reboot)
- warmStart: Agent reinitialized with configuration unchanged
- linkDown: Interface went down
- linkUp: Interface came up
- authenticationFailure: A request with an invalid community string (or, in v3, failed authentication) was received
- egpNeighborLoss: EGP neighbor lost
- enterpriseSpecific: Vendor-defined trap, identified by an enterprise OID and specific-trap code

Traps are fire-and-forget: they ride on UDP, are not acknowledged and are not retransmitted, so a lost datagram means a lost event. INFORMs also use UDP, but the receiver answers with a RESPONSE PDU and the sender retries until it gets one, which is what makes them reliable. The exam tests that traps use UDP port 162 and are unsolicited.

Configuring SNMP on Cisco Devices (Example)

To enable SNMP agent on a Cisco router:

! Restrict SNMP to the management server (the ACL recommended later in this chapter)
access-list 10 permit host 192.168.1.100
! SNMP v2c read-only community 'public', bound to ACL 10 (use a non-default string in production)
snmp-server community public ro 10
! SNMP v2c read-write community 'private', bound to ACL 10 (omit entirely unless SET is really needed)
snmp-server community private rw 10
! Specify the SNMP manager that receives v2c traps
snmp-server host 192.168.1.100 version 2c public
! Enable the generic SNMP traps for link state changes
snmp-server enable traps snmp linkdown linkup
! Populate sysLocation and sysContact
snmp-server location "Data Center A"
snmp-server contact "admin@example.com"
!
! SNMPv3 equivalent at authPriv: group, user and trap receiver
! (user 'noc' and the two passphrases are placeholders to replace)
snmp-server group MONITOR v3 priv
snmp-server user noc MONITOR v3 auth sha AUTH-PASSPHRASE priv aes 128 PRIV-PASSPHRASE
snmp-server host 192.168.1.100 version 3 priv noc

To verify:

show snmp
show snmp community
show snmp host
show snmp group
show snmp user

Monitoring Tools and Their SNMP Usage

SolarWinds Orion: Polls devices via SNMP GET, receives traps, and calculates utilization. Uses GETBULK for large MIB walks.

PRTG Network Monitor: Similar, supports SNMP v1/v2c/v3. Can also use WMI and NetFlow.

Zabbix: Open-source, polls agents or uses SNMP. Can trigger alerts based on thresholds (e.g., CPU > 90%).

Nagios: Uses SNMP plugins (e.g., check_snmp) to monitor devices.

MRTG: Classic tool that polls ifInOctets/ifOutOctets every 5 minutes to graph bandwidth.

Interaction with Other Protocols

SNMP often works alongside:
- Syslog: For event logging (separate from SNMP traps). Syslog uses UDP 514.
- NetFlow/sFlow: For traffic flow analysis (not SNMP, but complementary).
- ICMP: Ping/traceroute for reachability (SNMP for in-depth stats).
- RMON: Remote Monitoring MIB (RFC 2819) extends SNMP for proactive network monitoring.

Performance Considerations

Polling too frequently can overload devices or the network. Typical polling intervals:

Interface statistics: every 5 minutes

CPU/memory: every 1-5 minutes

Environmental sensors: every 30 seconds

SNMP uses UDP, so packets can be lost. For critical alerts, use INFORMs or combine with syslog.

Troubleshooting SNMP

Common issues:
- No response: Check UDP 161 reachability, community string mismatch, or an ACL blocking SNMP.
- Missing OIDs: The agent may not support the MIB; use snmpwalk to discover what it does expose.
- High CPU on the agent: Too many polling requests; reduce the frequency or use GETBULK instead of repeated GETNEXT.

Command-line tools:

# Linux (net-snmp): snmpget, snmpwalk, snmpbulkwalk, snmptrap
snmpget -v2c -c public 192.168.1.1 1.3.6.1.2.1.1.1.0
snmpwalk -v2c -c public 192.168.1.1 .1.3.6.1.2.1.2
snmpbulkwalk -v2c -c public 192.168.1.1 .1.3.6.1.2.1.2        # same walk using GETBULK
snmpget -v3 -l authPriv -u noc -a SHA -A 'AUTH-PASSPHRASE' -x AES -X 'PRIV-PASSPHRASE' 192.168.1.1 1.3.6.1.2.1.1.1.0   # v3; user and passphrases are placeholders
snmptrap -v2c -c public 192.168.1.100 '' 1.3.6.1.6.3.1.1.5.3 1.3.6.1.2.1.2.2.1.1.1 i 1   # send a test linkDown trap to the manager
# Windows: Use SolarWinds Engineer's Toolset or PRTG

Walk-Through

Step 1: Manager Sends GET Request

The SNMP manager builds a UDP datagram to destination port 161 from an ephemeral source port; the payload is a GetRequest PDU carrying a request-id, the community string and the OID(s) to read. The manager then waits for a response, retransmitting on timeout. The defaults depend on the tool: the net-snmp command-line utilities use a 1-second timeout and 5 retries, while monitoring platforms typically use a few seconds and 2-3 retries. Only after the last retry fails is the device marked unreachable.

Step 2: Agent Receives and Processes Request

The SNMP agent on the device receives the datagram on UDP 161 and checks the community string against its configured communities (and any ACL bound to them). If it matches a read-only community and the PDU is a GET, processing continues; if it does not match, the request is silently dropped and, when enabled, an authenticationFailure trap is sent to the configured receivers. The agent then looks up each OID in its MIB tree and reads the current value (a Counter32, Gauge32, TimeTicks, OCTET STRING, etc.). For an unsupported OID, an SNMPv1 agent answers with error status noSuchName; an SNMPv2c/v3 agent instead returns error status 0 with the noSuchObject or noSuchInstance exception in place of that varbind's value.

Step 3: Agent Sends Response PDU

The agent constructs a response PDU containing the same request ID, error status (0 for success), and the value(s). It sends this as a UDP packet from port 161 to the manager's source port. The manager receives the response and extracts the value. The entire transaction is stateless; the manager correlates using request ID.

Step 4: Manager Calculates Metric

The manager stores the returned value (e.g., ifInOctets = 1,234,567,890). After a polling interval (e.g., 300 seconds), it sends another GET for the same OID. It subtracts the previous value from the current, divides by the interval, and multiplies by 8 to get bits per second. For example: (1,234,600,000 - 1,234,567,890) / 300 * 8 = 856 bps. This calculation is done for both inbound and outbound to show utilization. Because ifInOctets and ifOutOctets are 32-bit counters that wrap back to zero after 4,294,967,295 octets, the manager must detect a rollover (current value lower than the previous one) and correct for it, and on fast links it polls the 64-bit ifHCInOctets/ifHCOutOctets instead.

Step 5: Agent Sends Trap to Manager

When a significant event occurs (e.g., an interface goes down), the agent immediately sends a trap to each configured receiver on UDP 162. A v1 trap PDU carries the enterprise OID, agent address, generic and specific trap codes and a timestamp; a v2c/v3 trap is a varbind list that starts with sysUpTime.0 and snmpTrapOID.0 (for linkDown, 1.3.6.1.6.3.1.1.5.3), followed by event details such as the ifIndex of the affected interface. The manager does not acknowledge v1/v2c traps; it logs the trap and may trigger an alert.
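The subtraction in step 4 hides two failure modes that a monitoring platform handles for you: the 32-bit counter wraps, and an agent reboot resets it. This added example (not from the chapter; the samples are constructed, not polled) generalises the calculation: it uses sysUpTime from the same poll as the clock, discards a sample taken after a restart, corrects a single wrap, and computes how long a saturated link takes to wrap a Counter32, which is why high-speed interfaces are polled through the 64-bit ifHCInOctets/ifHCOutOctets.

```python
"""Interface rate from two SNMP counter samples, with wrap and reset handling.
Added example, not from the chapter; the samples below are constructed."""
from dataclasses import dataclass
from typing import Optional

COUNTER32_MAX = 2 ** 32   # ifInOctets / ifOutOctets (RFC 2863) wrap at this value
COUNTER64_MAX = 2 ** 64   # ifHCInOctets (1.3.6.1.2.1.31.1.1.1.6) / ifHCOutOctets (.10)


@dataclass
class Sample:
    uptime_ticks: int   # sysUpTime.0 (1.3.6.1.2.1.1.3.0) in hundredths of a second
    octets: int         # ifInOctets.N or ifHCInOctets.N for one interface


def counter_delta(prev: int, curr: int, modulus: int = COUNTER32_MAX) -> int:
    """Octets transferred between two samples, correcting a single counter rollover."""
    return curr - prev if curr >= prev else modulus - prev + curr


def rate_bps(prev: Sample, curr: Sample, modulus: int = COUNTER32_MAX) -> Optional[float]:
    """Bits per second between two samples, or None when the pair is unusable."""
    if curr.uptime_ticks < prev.uptime_ticks:
        return None                       # agent restarted: the counter was reset, not wrapped
    seconds = (curr.uptime_ticks - prev.uptime_ticks) / 100
    if seconds <= 0:
        return None
    return counter_delta(prev.octets, curr.octets, modulus) * 8 / seconds


def utilization_percent(bps: float, if_speed_bps: float) -> float:
    """Per-direction utilisation against ifSpeed (1.3.6.1.2.1.2.2.1.5.N) or ifHighSpeed."""
    return 100.0 * bps / if_speed_bps


def max_poll_interval(if_speed_bps: float, modulus: int = COUNTER32_MAX) -> float:
    """Seconds a saturated link needs to wrap the counter once; poll faster than this or use Counter64."""
    return modulus * 8 / if_speed_bps


if __name__ == "__main__":
    # Step 4 of the walk-through: 1,234,567,890 -> 1,234,600,000 octets over 300 s (constructed)
    print(rate_bps(Sample(0, 1_234_567_890), Sample(30_000, 1_234_600_000)))    # ~856.27 bps
    # Rollover: the counter passed 2^32 between the two polls
    print(rate_bps(Sample(0, 4_294_960_000), Sample(30_000, 10_000)))           # ~461.23 bps
    # Restart: sysUpTime went backwards, so the sample pair is discarded
    print(rate_bps(Sample(50_000, 1_000_000), Sample(1_000, 2_000)))            # None
    # Why 5-minute polling of ifInOctets is wrong on gigabit and 10-gigabit links
    print(max_poll_interval(1_000_000_000), max_poll_interval(10_000_000_000))  # ~34.4 s, ~3.4 s
```

A wrap correction is only valid if the counter wrapped at most once between polls; on a link faster than the printed interval the delta is ambiguous, and the only fix is Counter64 or a shorter poll.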

What This Looks Like on the Job

In a typical enterprise network, a monitoring platform like SolarWinds Orion is deployed on a dedicated server in the data center. The server is configured to poll thousands of devices (routers, switches, firewalls, wireless controllers) every 5 minutes using SNMPv2c with a read-only community string. For security, community strings are complex and changed quarterly. The platform also listens for SNMP traps on UDP 162 from all devices. When a switch port goes down, the agent sends a linkDown trap; the monitoring system instantly creates an alert and sends an email to the NOC.

Another scenario: a cloud provider monitors customer virtual routers using SNMPv3 with authentication (SHA) and encryption (AES). Each customer has a unique username and password. The monitoring tool uses GETBULK to efficiently walk the MIB-2 interfaces table across hundreds of VMs. Bandwidth graphs are generated every 5 minutes. If a VM's CPU OID returns a value above 90%, an alert triggers auto-scaling.

A common misconfiguration is setting too short a polling interval (e.g., 30 seconds) on a large network. This can overwhelm the management server and the devices, causing dropped polls and false alerts. Best practice is to use 5-minute intervals for most counters and 1-minute for critical metrics. Also, forgetting to configure trap receivers means events are missed; always verify with show snmp host on Cisco devices. Another pitfall: using SNMPv1 in production – community strings are sent in plaintext and can be sniffed. Always use SNMPv3 or at minimum restrict SNMP access via ACLs to only the management server IP.
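The pitfalls in the paragraph above are visible in the device configuration itself. This added example (not from the chapter; the configuration text and the community string 'm0nit0r-RO' are constructed) scans Cisco-style snmp-server lines and flags default or read-write community strings, communities with no ACL, trap receivers still on v1/v2c, and v3 groups or users below authPriv or using MD5/DES. It is a text audit of the syntax shown in this chapter, not a substitute for a full vendor configuration parser.

```python
"""Audit Cisco IOS 'snmp-server' lines for the pitfalls described in this chapter.
Added example, not from the chapter; SAMPLE_CONFIG below is constructed text.
Syntax assumed (the forms shown in this chapter):
  snmp-server community NAME [view V] [ro|rw] [ACL]
  snmp-server host IP [version {1|2c|3 [auth|noauth|priv]}] NAME
  snmp-server group G v3 {auth|noauth|priv}
  snmp-server user U G v3 auth {md5|sha} PASS [priv {des|3des|aes} ...]"""

DEFAULT_COMMUNITIES = {"public", "private"}
V3_LEVELS = ("auth", "noauth", "priv")


def audit_snmp_config(config: str):
    """Return a list of (severity, config line, finding) tuples, in config order."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        t = line.split()
        if len(t) < 3 or t[0] != "snmp-server":
            continue
        if t[1] == "community":
            name, rest = t[2], t[3:]
            mode = "rw" if "rw" in rest else "ro"           # IOS defaults to read-only
            has_acl = bool(rest) and rest[-1] not in ("ro", "rw")   # ACL is the last token when present
            if name in DEFAULT_COMMUNITIES:
                findings.append(("high", line, f"default community string '{name}'"))
            if mode == "rw":
                findings.append(("high", line, "read-write community permits SET"))
            if not has_acl:
                findings.append(("medium", line, "community not restricted by an ACL"))
        elif t[1] == "host":
            version, level = "1", None                    # IOS default when 'version' is omitted
            if "version" in t:
                i = t.index("version")
                version = t[i + 1] if len(t) > i + 1 else "1"
                if version == "3":
                    level = t[i + 2] if len(t) > i + 2 and t[i + 2] in V3_LEVELS else "noauth"
            if version != "3":
                findings.append(("high", line, f"trap receiver uses v{version}: community string in cleartext"))
            elif level != "priv":
                findings.append(("medium", line, f"v3 trap receiver at {level}: notifications not encrypted"))
        elif t[1] == "group" and "v3" in t:
            i = t.index("v3")
            level = t[i + 1] if len(t) > i + 1 and t[i + 1] in V3_LEVELS else "noauth"
            if level != "priv":
                findings.append(("medium", line, f"v3 group '{t[2]}' at {level}: no encryption"))
        elif t[1] == "user" and "v3" in t:
            if "md5" in t:
                findings.append(("low", line, "v3 user authenticates with MD5; prefer SHA"))
            if "des" in t or "3des" in t:
                findings.append(("low", line, "v3 user encrypts with DES/3DES; prefer AES"))
            if "priv" not in t:
                findings.append(("medium", line, "v3 user has no privacy key: its traffic is cleartext"))
    return findings


# Constructed config: the chapter's v2c example, then a hardened v3 section
SAMPLE_CONFIG = """
snmp-server community public ro
snmp-server community private rw
snmp-server host 192.168.1.100 version 2c public
snmp-server community m0nit0r-RO ro 10
snmp-server group MONITOR v3 priv
snmp-server user noc MONITOR v3 auth sha AUTH-PASSPHRASE priv aes 128 PRIV-PASSPHRASE
snmp-server host 192.168.1.100 version 3 priv noc
"""

if __name__ == "__main__":
    for severity, line, message in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{severity:6}] {message}\n         {line}")
```

Run against a saved running-config; every finding names the exact line, so the output doubles as the change list for moving a device to ACL-restricted v2c or, preferably, v3 authPriv.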

How N10-009 Actually Tests This

The N10-009 exam tests SNMP under Objective 3.3 (Network Operations) and specifically in the context of monitoring tools. Key areas:
- SNMP versions: Know that v3 provides authentication and encryption. v2c supports GETBULK but no security. v1 is legacy.
- Ports: UDP 161 for queries, UDP 162 for traps. Exam questions often mix these up (e.g., 'Which port does SNMP use for traps?' – answer 162).
- Trap vs. Inform: Traps are unacknowledged; INFORMs are acknowledged. The exam may ask 'Which SNMP message type provides reliable delivery?' – answer INFORM.
- Community strings: 'public' is read-only, 'private' is read-write. The exam may ask 'Which community string allows configuration changes?' – answer 'private'.
- MIB/OID: Know that the MIB is the database and the OID is the address. The exam may show an OID like 1.3.6.1.2.1.1.1.0 and ask what it represents (sysDescr).
- Common wrong answers: Candidates often choose TCP instead of UDP for SNMP – remember SNMP uses UDP for low overhead. Another trap: thinking SNMPv2c provides encryption – it does not. Also, confusing SNMP with syslog (syslog uses UDP 514).
- Edge cases: The exam may test that SNMP SET requires a read-write community. Also, that GETBULK is only in v2c/v3. For traps, the agent initiates the connection (not the manager).
Eliminate wrong answers by focusing on the underlying mechanism: SNMP is a client-server (manager-agent) protocol where the manager polls and the agent responds, except for traps, where the agent initiates.

Key Takeaways

SNMP uses UDP port 161 for queries and 162 for traps.

SNMPv3 is the only version with authentication and encryption; encryption applies only at the authPriv security level.

'public' (read-only) and 'private' (read-write) are the well-known default community strings for v1/v2c and must be changed in production.

Traps are unsolicited alerts from agent to manager; INFORMs are acknowledged.

MIB defines the structure of OIDs; OIDs are numeric identifiers for managed objects.

GETBULK (v2c/v3) retrieves multiple OIDs in one request, more efficient than GETNEXT.

Polling intervals typically 5 minutes for standard metrics; shorter for critical.

SNMP SET requires read-write community or appropriate SNMPv3 credentials.

Common monitoring tools: SolarWinds, PRTG, Zabbix, Nagios – all use SNMP.

SNMP packets are UDP, so they can be lost; use INFORMs for critical alerts.

On Cisco devices, 'snmp-server community public ro' enables read-only access.

Troubleshoot with 'snmpget' and 'snmpwalk' command-line tools.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SNMPv2c

Uses community strings (plaintext) for authentication.

No encryption; data sent in cleartext.

Supports GETBULK for efficient bulk retrieval.

Simple to configure, but insecure.

Widely used in lab and legacy environments.

SNMPv3

Uses user-based security model (USM) with usernames and passwords.

Provides authentication (MD5/SHA) and encryption (DES/AES).

Also supports GETBULK.

More complex configuration but secure.

Required for production networks with security compliance.

Watch Out for These

Mistake

SNMP uses TCP for reliable communication.

Correct

SNMP uses UDP (ports 161/162). It relies on application-layer retries for reliability. TCP would add overhead and is not used.

Mistake

SNMPv2c provides encryption.

Correct

SNMPv2c uses community strings in plaintext, just like v1: no encryption, and no authentication beyond that cleartext string. Only SNMPv3 provides real security features.

Mistake

Traps are sent from the manager to the agent.

Correct

Traps are unsolicited messages from the agent to the manager (port 162). The manager does not request them; the agent sends them on events.

Mistake

SNMP community strings are case-insensitive.

Correct

Community strings are case-sensitive. 'Public' and 'public' are different. Configurations must match exactly.

Mistake

GETBULK is available in SNMPv1.

Correct

GETBULK was introduced in SNMPv2c. SNMPv1 only supports GET, GETNEXT, and SET.


Frequently Asked Questions

What ports does SNMP use?

SNMP uses UDP port 161 for queries (GET, GETNEXT, GETBULK, SET) from manager to agent, and UDP port 162 for traps and INFORMs from agent to manager. The exam often tests these port numbers, so memorize them.

What is the difference between SNMPv2c and SNMPv3?

SNMPv2c uses community strings in plaintext for authentication and no encryption. SNMPv3 adds authentication (using MD5 or SHA) and encryption (using DES or AES) via the User-based Security Model (USM). SNMPv3 is more secure but more complex to configure.

What is an OID and a MIB?

An OID (Object Identifier) is a numeric address that identifies a specific variable in a device's MIB (Management Information Base). The MIB is a hierarchical database that defines all manageable objects. For example, OID 1.3.6.1.2.1.1.1.0 corresponds to sysDescr in the MIB-2 tree.

What is the difference between a trap and an inform?

A trap is an unsolicited message from an agent to a manager that is not acknowledged by the manager. An inform is similar but requires an acknowledgment, making it more reliable. INFORMs are supported in SNMPv2c and v3.

How do you calculate bandwidth utilization using SNMP?

Poll the ifInOctets and ifOutOctets OIDs for an interface at two times. Subtract the first value from the second, divide by the time interval in seconds, and multiply by 8 to get bits per second. For example, if ifInOctets goes from 1,000,000 to 1,100,000 over 300 seconds, the rate = (100,000 * 8) / 300 = 2,666.67 bps; divide by ifSpeed to express it as a percentage of the link. If the second value is lower than the first, the 32-bit counter has wrapped and the delta must be corrected; on gigabit and faster links use the 64-bit ifHCInOctets/ifHCOutOctets, because a Counter32 can wrap several times within a 5-minute interval.

What is a community string and what are the default values?

A community string is a plaintext password used in SNMPv1/v2c to authenticate requests. The default read-only community is 'public', and the default read-write community is 'private'. These should be changed in production for security.

Can SNMP be used to change device configurations?

Yes, using the SNMP SET operation. However, it requires a read-write community string (v1/v2c) or appropriate SNMPv3 credentials. SET is often disabled in production due to security risks.

