SNMP Community Strings – Complete Guide
1. What Is an SNMP Community String?
An SNMP Community String acts like a shared password in SNMPv1 and SNMPv2c. It is embedded in every SNMP message exchanged between an SNMP Manager (e.g., PRTG, Zabbix, SolarWinds) and an SNMP Agent running on a managed device (e.g., a Cisco router, switch, or Linux server). The agent validates the string before responding to any request or permitting any configuration change.
Community strings determine the permission level granted to the manager — whether it can only read device data (read-only) or can also write configuration values (read-write).
SNMP Manager SNMP Agent
(SolarWinds, PRTG, Zabbix) (Router, Switch, Server)
| |
|-- GET sysDescr.0 [community: public] -->|
|<-- sysDescr = "Cisco IOS XE 17.06.01a" -|
| |
|-- SET sysName.0 [community: private] --->| <- RW required
|<-- SET Response OK ----------------------|
2. Types of Community Strings
There are two functional types, each granting a different level of access to the device's Management Information Base (MIB).
| Type | Access Level | Default Example | Typical Use Case | Risk Level |
|---|---|---|---|---|
| Read-Only (RO) | Retrieve (GET) data only — cannot modify anything | public | Monitoring tools: PRTG, SolarWinds, Zabbix, Nagios | Medium — exposes device stats if intercepted |
| Read-Write (RW) | Retrieve and modify (SET) configuration values | private | Automated provisioning tools (Ansible), network automation scripts | High — unauthorised use can reconfigure devices |
⚠️ Critical Security Warning: The default strings public (RO) and private (RW) are universally known and actively scanned for by attackers. Change them immediately in any production environment.
3. How SNMP Community Strings Work
When an SNMP manager issues a GET or SET request, the community string is embedded in the SNMP packet header in plaintext. The agent compares the received string against its locally configured strings. Matching an RO string grants read access; matching an RW string grants full read-write access. If there is no match, the request is silently discarded.
Example — Linux SNMP query using snmpget:
snmpget -v 2c -c public 192.168.1.1 sysDescr.0
- -v 2c — Use SNMP version 2c
- -c public — Community string (the "password")
- 192.168.1.1 — Target SNMP agent IP
- sysDescr.0 — OID for the system description
Expected response:
sysDescr.0 = STRING: Cisco IOS XE Software, Version 17.06.01a
Because the community string travels in plaintext, any device on the path can capture it with a packet sniffer such as Wireshark. This is the fundamental security weakness of SNMPv1/v2c that SNMPv3 was designed to address.
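To make the plaintext point concrete, here is an added example (not part of this guide, standard library only) that hand-encodes an SNMPv2c GetRequest for sysDescr.0 and then reads the community string straight back out of the raw bytes, the way a passive sensor on UDP/161 could flag default strings on the wire. The triage rule and its messages are my own construction, and the encoder assumes short-form BER lengths.

```python
# Added example, not from the guide: hand-rolled BER for an SNMPv2c GetRequest
# on sysDescr.0, plus a header reader showing the community string is plaintext.
# Assumes short-form BER lengths (< 128 bytes), enough for these small PDUs.
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
DEFAULT_STRINGS = {"public", "private"}

def _tlv(tag: int, body: bytes) -> bytes:          # tag, short length, value
    assert len(body) < 128, "short-form BER length only"
    return bytes([tag, len(body)]) + body

def _int(n: int) -> bytes:                          # minimal non-negative INTEGER
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _oid(dotted: str) -> bytes:                     # OBJECT IDENTIFIER, base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:                      # continuation bit on high groups
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))           # {oid, NULL}
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)  # 1 = v2c

def _read_tlv(buf: bytes, pos: int):
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_header(packet: bytes):
    """Return (version, community) from the raw datagram, PDU untouched."""
    tag, body, _ = _read_tlv(packet, 0)
    vtag, vbody, pos = _read_tlv(body, 0)
    if tag != 0x30 or vtag != 0x02:
        raise ValueError("not an SNMP message")
    version = int.from_bytes(vbody, "big")
    if version == 3:
        return version, None        # v3 carries msgGlobalData here, no community
    ctag, cbody, _ = _read_tlv(body, pos)
    assert ctag == 0x04, "malformed v1/v2c header"
    return version, cbody.decode("latin-1")

def audit_datagram(packet: bytes) -> str:   # triage rule for a passive sensor
    version, community = parse_header(packet)
    name = VERSIONS.get(version, f"version {version}")
    if community is None:
        return f"ok: {name}"
    if community in DEFAULT_STRINGS:
        return f"alert: default community '{community}' in {name}"
    return f"warn: plaintext community '{community}' in {name}"
```

Feed the same bytes to Wireshark and the community string shows up as-is; nothing in v1/v2c hides it.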
4. Configuring Community Strings on Cisco IOS
Step 1 — Enable the SNMP Agent and Define Strings
Router(config)# snmp-server community MyROString RO
Router(config)# snmp-server community MyRWString RW
Step 2 — Restrict Access by Source IP Using an ACL (Recommended)
Without an ACL, any host that knows the community string can query the device. Binding the string to an ACL limits queries to authorised management stations only.
Router(config)# access-list 10 permit 192.168.1.100
Router(config)# snmp-server community MyROString RO 10
Only the host 192.168.1.100 may now query using MyROString. All other sources are implicitly denied.
Step 3 — Verify the Configuration
Router# show snmp community
Expected output:
Community name: MyROString
Storage type: nonvolatile
Access: Read-only
IP ACL: 10
Community name: MyRWString
Storage type: nonvolatile
Access: Read-write
Optional — Set Device Contact and Location
Router(config)# snmp-server contact [email protected]
Router(config)# snmp-server location "Server Room 1, Rack 4"
5. Security Risks and Best Practices
⚠️ Key Risks
| Risk | Impact |
|---|---|
| Default strings (public/private) | Attackers immediately enumerate or alter device configurations |
| Community strings sent in plaintext | Captured by any on-path packet sniffer — credentials exposed in one capture |
| RW strings used for monitoring | Monitoring needs only RO — unnecessary RW access greatly expands the attack surface |
| No ACL restricting SNMP source | Any host that guesses the string gains unrestricted access to the device MIB |
✅ Best Practices
- Use long, complex, unique community strings — e.g., N3tM0n!t0r_2025$Sec
- Apply ACLs to every community string to restrict which managers can query the device
- Assign RO strings to monitoring tools; reserve RW only for automation that genuinely requires write access
- Disable SNMP entirely on devices that do not require monitoring: no snmp-server
- Migrate to SNMPv3 with authPriv for all production systems
- Rotate community strings periodically and whenever staff with access depart
6. Testing Community Strings
Using snmpget — Query a Single OID (Linux)
snmpget -v 2c -c MyROString 192.168.1.1 sysDescr.0
snmpget -v 2c -c MyROString 192.168.1.1 sysUpTime.0
Using snmpwalk — Walk the Entire MIB Tree
snmpwalk -v 2c -c MyROString 192.168.1.1
snmpwalk recursively queries every OID reachable with that string — useful for discovering all data a device exposes. May take several seconds on large devices.
Verifying SNMP Status on the Cisco Device
Router# show snmp
Router# show snmp community
Router# show snmp host
7. Community Strings vs SNMPv3
SNMPv3 replaces community strings with a proper user-based security model (USM), delivering authentication and optional encryption that community strings fundamentally cannot provide.
| Feature | SNMPv1 / SNMPv2c | SNMPv3 |
|---|---|---|
| Authentication | Community string (plaintext) | Username + HMAC-MD5 or HMAC-SHA |
| Encryption | None — all data in plaintext | DES or AES-128 (configured per user) |
| Access Control | RO / RW per community string | Role-based views via VACM |
| Replay Protection | None | Engine ID + timestamp anti-replay |
| Security Level | Low | High (authPriv = auth + encryption) |
| Recommended for | Legacy or isolated lab environments only | All modern production networks |
8. Advanced: SNMP Views — Restricting MIB Visibility
Even with a correctly configured community string, you may want to limit which portions of the MIB a manager can access. SNMP views let you include or exclude specific OID subtrees from a community string's scope.
Router(config)# snmp-server view MyInterfaceView ifEntry included
Router(config)# snmp-server community MonitorOnly view MyInterfaceView RO 10
The community string MonitorOnly can now only retrieve interface statistics (ifEntry subtree). CPU, memory, routing table, and all other MIB objects are invisible to that string — minimising exposure.
9. Common Misconfigurations and Troubleshooting
| Problem | Symptom / Risk | Fix |
|---|---|---|
| Default strings (public/private) | Immediate unauthorised access risk | Replace with complex, unique strings immediately |
| No ACL on community string | Any host can query the device | Bind with: snmp-server community <str> RO <acl> |
| RW string used for monitoring | Over-privileged; unnecessary attack surface | Create a dedicated RO string for monitoring tools |
| SNMP queries timing out | No response from agent | Check show snmp output and confirm UDP port 161 is not blocked by a firewall or ACL |
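The fixes in sections 5 and 9 reduce to a handful of checks on the running config, so here is an added example (my own code, not Cisco's or any vendor's) that audits snmp-server community lines for default strings, missing or undefined ACLs and RW access. The sample config and the minimum-length threshold are constructed assumptions.

```python
# Added example, not from the guide: audit Cisco IOS 'snmp-server community'
# lines for the weak settings this guide warns about.  Sample config and
# MIN_LEN are assumptions for illustration.
import re

COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view (?P<view>\S+))?"
    r" (?P<mode>RO|RW)(?: (?P<acl>\S+))?\s*$")
ACL_RE = re.compile(r"^(?:access-list (?P<num>\d+)|ip access-list \S+ (?P<name>\S+))")
DEFAULTS = {"public", "private"}
MIN_LEN = 10   # assumed policy threshold, not an IOS limit

SAMPLE_CONFIG = """
access-list 10 permit 192.168.1.100
snmp-server community public RO
snmp-server community private RW
snmp-server community MyROString RO 10
snmp-server community MonitorOnly view MyInterfaceView RO 10
snmp-server community N3tM0n!t0r_2025$Sec RO 20
"""

def audit_snmp_config(config: str) -> list[str]:
    """Return one finding per weak setting found in the config text."""
    lines = [line.strip() for line in config.splitlines()]
    acls = set()                                   # ACLs actually defined
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group("num") or m.group("name"))
    findings = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name, mode, acl = m.group("name", "mode", "acl")
        if name.lower() in DEFAULTS:
            findings.append(f"{name}: default community string, replace it")
        elif len(name) < MIN_LEN:
            findings.append(f"{name}: short community string ({len(name)} chars)")
        if acl is None:
            findings.append(f"{name}: no ACL, any host knowing the string can query")
        elif acl not in acls:
            findings.append(f"{name}: ACL {acl} referenced but not defined")
        if mode == "RW":
            findings.append(f"{name}: read-write access, confirm it is required")
    return findings

if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a full `show running-config` dump; MyROString and MonitorOnly from section 4 and 8 pass cleanly, while the defaults and the undefined ACL 20 are reported.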
10. Summary
- Community Strings = Shared passwords for SNMPv1/v2c access control
- RO = Read device data only | RW = Read and modify configurations
- Never use default values (public/private) in production
- Always bind ACLs to community strings to restrict authorised managers by IP
- Migrate to SNMPv3 (authPriv) for encrypted, authenticated management in production
- Verify with show snmp community; test from Linux with snmpget/snmpwalk