SNMP Versions (v1, v2c, v3) – Detailed Guide

1. What Is SNMP?

SNMP (Simple Network Management Protocol) is an application-layer protocol used to monitor, manage, and configure network devices — routers, switches, servers, printers, UPS units, and more. It operates over UDP and enables centralised management via a Network Management System (NMS).

SNMP has evolved through three major versions, each improving on the security and capability limitations of its predecessor. Understanding the differences is a core CCNA exam topic and critical for real-world network management.

  SNMP Architecture
  -----------------
  NMS / Manager          SNMP Agent           MIB
  (SolarWinds,    GET/SET  (Cisco IOS,    sysDescr.0
   PRTG, Zabbix) -------> Linux, Windows) ifOperStatus.1
        ^                      |            hrDiskFull
        |    TRAP / INFORM      |
        +----------------------+

  UDP 161: Manager queries Agent  (GET, SET, GETBULK)
  UDP 162: Agent sends alerts to Manager  (TRAP, INFORM)
    


2. SNMP Components

| Component | Role | Examples |
|---|---|---|
| Manager (NMS) | Central monitoring system that queries agents and receives traps | SolarWinds NPM, PRTG, Zabbix, Nagios, Cisco DNA Center. See Network Automation Overview. |
| Agent | Software process running on each managed device that responds to SNMP queries and generates traps | Cisco IOS SNMP agent on routers and switches, Net-SNMP (Linux), Windows SNMP Service |
| MIB (Management Information Base) | Hierarchical database defining all manageable parameters — a schema of what can be monitored or configured via SNMP | IF-MIB (interfaces), IP-MIB (routing), CISCO-PROCESS-MIB |
| OID (Object Identifier) | A unique dot-notation identifier for each parameter in the MIB tree | 1.3.6.1.2.1.1.1.0 = sysDescr.0 |

3. SNMP Operations

| Operation | Direction | Purpose | Version |
|---|---|---|---|
| GET | Manager → Agent | Request the value of a specific OID | v1, v2c, v3 |
| GET-NEXT | Manager → Agent | Retrieve the next OID in the MIB tree (used for walking) | v1, v2c, v3 |
| GETBULK | Manager → Agent | Retrieve multiple OIDs in a single request — far more efficient than repeated GET-NEXT | v2c, v3 only |
| SET | Manager → Agent | Write (modify) a configuration value on the agent | v1, v2c, v3 |
| TRAP | Agent → Manager | Asynchronous event notification (fire-and-forget, no acknowledgement). See SNMP Traps. | v1, v2c, v3 |
| INFORM | Agent → Manager | Acknowledged trap — agent retries until manager confirms receipt | v2c, v3 only |
| RESPONSE | Agent → Manager | Reply to GET, SET, or INFORM messages | v1, v2c, v3 |

4. SNMP Ports

| Port | Protocol | Used For |
|---|---|---|
| UDP 161 | UDP | Standard SNMP queries — Manager sends GET/SET to Agent. See Common Port Numbers. |
| UDP 162 | UDP | SNMP Traps and Informs — Agent sends unsolicited alerts to Manager. See SNMP Traps. |

5. SNMPv1

SNMPv1 was defined in RFC 1157 (1990) — the original SNMP specification. It established the fundamental manager/agent/MIB architecture still in use today.

Authentication

Uses Community Strings — plain text shared "passwords" (e.g., public, private) included in every packet. No actual cryptographic authentication exists.

Supported Operations

GET, GET-NEXT, SET, TRAP (basic format with generic-trap and specific-trap fields). See SNMP Traps for trap details.

Limitations

  • No authentication (community strings are trivial to spoof or sniff)
  • No encryption — all data including community strings travels in plaintext
  • No GETBULK — retrieving large MIB tables requires many sequential GET-NEXT operations (slow)
  • No INFORM — traps are completely unacknowledged
  • 32-bit counters only — wrap-around issues on high-speed interfaces

Use Case

Legacy environments, backwards-compatibility in lab/testing setups. Not recommended for production networks. Use ACLs to restrict access if v1 cannot be avoided.

6. SNMPv2c

SNMPv2c (RFC 1901, 1905, 1906 — 1996) is the most widely deployed version today due to its improved performance and broad NMS support, despite retaining SNMPv1's insecure community string model.

Key Improvements Over v1

  • GETBULK — retrieves large MIB table sections in a single request; dramatically faster than repeated GET-NEXT (essential for interface tables on large routers)
  • INFORM — acknowledged trap that guarantees delivery or triggers retransmission. See SNMP Traps.
  • 64-bit counters — resolves the 32-bit counter wrap-around issue on Gigabit+ interfaces
  • Improved error codes and response handling

Authentication

Still uses community strings — same plaintext model as v1. The "c" in v2c stands for "community".

Variants

  • SNMPv2c: Community-string based — the version actually deployed everywhere
  • SNMPv2u / SNMPv2p: Proposed user-based security models that were never widely adopted — superseded by SNMPv3

Use Case

Non-critical monitoring networks where operational simplicity is prioritised over security — small/medium businesses, internal management VLANs with strict ACL controls, legacy NMS platforms that don't support v3.

7. SNMPv3

SNMPv3 (RFC 3410–3415 — 2002) is the current standard, adding comprehensive security to the SNMP framework without changing the fundamental manager/agent/MIB architecture.

Key Improvement: Security

SNMPv3 introduces the User-Based Security Model (USM) and View-Based Access Control Model (VACM). See AAA Authentication Methods for broader access-control context.

  • Authentication: HMAC-MD5 or HMAC-SHA — cryptographic proof that the message came from the claimed sender and hasn't been tampered with
  • Privacy (Encryption): DES-56 or AES-128/192/256 — the entire SNMP PDU is encrypted, protecting data from interception
  • Anti-replay protection: Engine ID + timestamp prevent old messages from being replayed by an attacker
  • Access control: VACM allows fine-grained control over which users can access which portions of the MIB

SNMPv3 Security Levels

| Security Level | Authentication | Encryption | Use Case |
|---|---|---|---|
| noAuthNoPriv | None — username only | None | Testing / migration from v2c (least secure) |
| authNoPriv | HMAC-MD5 or SHA | None | Authenticated but unencrypted — acceptable for trusted management networks |
| authPriv | HMAC-MD5 or SHA | DES or AES | Full security — recommended for all production environments |
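
Both the v1/v2c community string (sections 5 and 6) and the SNMPv3 security level in the table above sit in the unencrypted header of every datagram, so a sensor on the management network can inventory which devices still speak a plaintext version. The Python below is an added example, not part of the original guide: the function names (classify, read_tlv, tlv, v3_message) are illustrative, the sample messages are constructed rather than captured, and the level is read from the two low bits of the v3 msgFlags octet (auth = 0x01, priv = 0x02).

```python
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}  # msgFlags bits 0-1

def tlv(tag, body):
    # Encode one BER TLV; short-form length is enough for the samples below.
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one BER TLV at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def classify(datagram):
    """Report version plus the community (v1/v2c) or security level (v3)."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not SNMP")
    _, ver, pos = read_tlv(msg, 0)
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    _, field, _ = read_tlv(msg, pos)
    if version in ("v1", "v2c"):  # second field is the community, in cleartext
        return {"version": version, "community": field.decode("latin-1"), "level": None}
    if version != "v3":
        raise ValueError("unsupported SNMP version")
    p, val = 0, b""
    for _ in range(3):  # msgGlobalData: msgID, msgMaxSize, then msgFlags
        _, val, p = read_tlv(field, p)
    level = LEVELS.get(val[0] & 0x03, "invalid") if val else "invalid"
    return {"version": version, "community": None, "level": level}

# Constructed samples (not captured traffic): a v2c GET for sysDescr.0 and v3 headers.
VARBINDS = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010100")) + tlv(0x05, b"")))
PDU = tlv(0xA0, tlv(0x02, b"\x2a") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + VARBINDS)
V2C_GET = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"public") + PDU)

def v3_message(flags):
    """Minimal v3 wrapper: real header, empty USM parameters, opaque payload."""
    header = tlv(0x30, tlv(0x02, b"\x07") + tlv(0x02, b"\x05\xdc")
                 + tlv(0x04, bytes([flags])) + tlv(0x02, b"\x03"))
    return tlv(0x30, tlv(0x02, b"\x03") + header + tlv(0x04, b"") + tlv(0x04, bytes(8)))
```

classify(V2C_GET) returns the community "public" straight from the bytes, while classify(v3_message(0x07)) reports authPriv and no community at all.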

Configuring SNMPv3 on Cisco IOS

! Step 1: Create an SNMP group with authPriv security
Router(config)# snmp-server group MONITORING v3 priv

! Step 2: Create a user in that group with SHA auth and AES encryption
Router(config)# snmp-server user MONUSER MONITORING v3 auth sha AuthP@ss priv aes 128 PrivP@ss

! Step 3: Configure SNMPv3 trap receiver
Router(config)# snmp-server host 192.168.1.100 version 3 priv MONUSER

! Step 4: Verify
Router# show snmp user
Router# show snmp group

See SNMPv2c & v3 Configuration Lab for a full step-by-step walkthrough.
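
The guide's recommendations (authPriv for v3, ACLs on any remaining v1/v2c community) can be checked mechanically against a configuration script before it is pushed to a device. The Python below is an added example, not part of the original guide or of any Cisco tooling: audit_snmp is an illustrative name, the sample configuration is constructed, and the parser only understands the snmp-server community, group and host forms shown here.

```python
import re

def audit_snmp(config_text):
    """Return (line, finding) pairs for SNMP statements weaker than v3 authPriv."""
    findings = []
    for raw in config_text.splitlines():
        line = re.sub(r"^\S+\(config\)#\s*", "", raw.strip())  # drop a pasted prompt
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, args = tok[1], [t.lower() for t in tok[2:]]
        if kind == "community":
            opts = args[1:]
            if "view" in opts:  # skip the optional "view <name>" pair
                i = opts.index("view")
                del opts[i:i + 2]
            findings.append((line, "v1/v2c community string travels in plaintext"))
            if args[0] in ("public", "private"):  # the names the guide cites
                findings.append((line, "well-known community name"))
            if "rw" in opts:
                findings.append((line, "read-write community allows SET"))
            if not [t for t in opts if t not in ("ro", "rw")]:
                findings.append((line, "no ACL limits which hosts may query"))
        elif kind == "group" and "v3" in args:
            level = (args[args.index("v3") + 1:] or ["(none)"])[0]
            if level != "priv":
                findings.append((line, f"v3 group level is {level}, not priv"))
        elif kind == "host" and "version" in args:
            ver = args[args.index("version") + 1:]
            if ver[:1] != ["3"]:
                findings.append((line, "notifications sent with a v1/v2c community"))
            elif ver[1:2] != ["priv"]:
                findings.append((line, "v3 notifications not sent at priv"))
    return findings

# Constructed configuration for the demonstration; names and addresses are made up.
SAMPLE = """\
snmp-server community public RO
snmp-server community N0c-R3ad RO 10
snmp-server group LEGACY v3 auth
Router(config)# snmp-server group MONITORING v3 priv
Router(config)# snmp-server host 192.168.1.100 version 3 priv MONUSER
snmp-server host 192.168.1.101 version 2c N0c-R3ad
"""

if __name__ == "__main__":
    for line, finding in audit_snmp(SAMPLE):
        print(f"{finding}: {line}")
```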

Use Case

All modern, security-sensitive production environments — enterprise networks, data centres, banks, healthcare, government. SNMPv3 is the only SNMP version recommended for any network where data confidentiality and integrity matter. Pair with SSH-secured management access and syslog for a complete monitoring and security posture.

8. Full Version Comparison

| Feature | SNMPv1 | SNMPv2c | SNMPv3 |
|---|---|---|---|
| RFC | 1157 (1990) | 1901/1905 (1996) | 3410–3415 (2002) |
| Authentication | Community string (plaintext) | Community string (plaintext) | User-Based (HMAC-MD5/SHA). See AAA Authentication. |
| Encryption | None | None | DES or AES (optional, per user) |
| GETBULK | No | Yes | Yes |
| INFORM | No | Yes — see SNMP Traps | Yes |
| 64-bit Counters | No | Yes | Yes |
| Security Model | None | None | USM + VACM |
| Anti-replay | No | No | Yes (Engine ID + timestamp) |
| Best Use Case | Legacy / Lab only | Non-critical internal networks | All production / enterprise networks |

9. When to Use Which Version

| Version | Choose When | Avoid When |
|---|---|---|
| v1 | Forced by legacy equipment compatibility; isolated lab environments. Restrict with ACLs. | Any network with internet exposure or sensitive data |
| v2c | Legacy NMS that doesn't support v3; small internal-only management VLAN with strict ACL controls; need for GETBULK performance | Any network with regulatory compliance requirements (PCI-DSS, HIPAA, etc.) |
| v3 | All production networks; anywhere credentials could be intercepted; regulatory compliance; management traffic crossing untrusted segments. Combine with SSH and firewall rules. | Very old devices that physically cannot run v3 (rare) |

10. Conclusion

SNMP is foundational for network monitoring and management. While SNMPv1 established the architecture and v2c added performance improvements, SNMPv3 is the only version that provides the security — authentication, encryption, and access control — required for modern production networks. Migrate to SNMPv3 with authPriv wherever possible, and restrict remaining v1/v2c deployments with strict ACLs and network segmentation. Complement SNMP monitoring with syslog for event logging and show logging for real-time log review on Cisco devices. See the full SNMP Overview for architecture context, and the SNMPv2c & v3 Configuration Lab for hands-on configuration steps.

SNMP Versions (v1, v2c, v3) Quiz

1. What is the primary purpose of SNMP?

Correct answer is D. SNMP provides a standardised framework for monitoring device health (CPU, memory, interfaces) and managing configurations from a centralised NMS. It does not encrypt general traffic, assign IPs, or route packets. See SNMP Overview for the complete architecture.

2. Which four components make up the SNMP architecture?

Correct answer is A. The SNMP architecture consists of: the Manager (NMS that sends queries), the Agent (software on each managed router or switch), the MIB (schema of all manageable parameters), and OIDs (unique dot-notation identifiers for each parameter). See SNMP Overview.

3. Which transport protocol and ports does SNMP use?

Correct answer is C. SNMP uses UDP (connectionless) for low overhead. UDP 161 is used by agents to receive GET and SET queries from the manager. UDP 162 is used by the manager to receive Traps and Informs from agents. Both ports must be open in any firewall between the manager and agents. See Common Port Numbers for the full reference.

4. What type of authentication does SNMPv1 use?

Correct answer is B. SNMPv1 uses community strings — plain text shared passwords embedded in every packet. While they provide a basic access gate, they offer no real security: they can be trivially captured with a packet sniffer like Wireshark and spoofed by any attacker on the network path.

5. What is the major security limitation of SNMPv1?

Correct answer is A. SNMPv1 has no encryption and no cryptographic authentication — community strings are sent in plaintext. Any device on the network path can capture them with Wireshark. This is why SNMPv1 should never be used on networks where traffic could be intercepted. Use ACLs to limit which hosts can query the device if v1 cannot be replaced.

6. Which new operation was introduced in SNMPv2c that significantly improves performance?

Correct answer is D. GETBULK retrieves large blocks of MIB data (entire interface tables, routing tables) in a single request, replacing many sequential GET-NEXT calls. This dramatically reduces the number of UDP packets needed to poll large routers and switches, and is one of the primary reasons SNMPv2c replaced v1 in most deployments.

7. What is the primary security improvement in SNMPv3 over v1 and v2c?

Correct answer is B. SNMPv3 introduces the User-Based Security Model (USM) providing HMAC-SHA or HMAC-MD5 authentication — cryptographic proof that the message is from the claimed sender and hasn't been tampered with. Optional AES or DES encryption protects the payload from interception. These features are completely absent in v1 and v2c. See AAA Authentication Methods for how this fits into broader access control.

8. What are the three SNMPv3 security levels in order from least to most secure?

Correct answer is C. SNMPv3 security levels from weakest to strongest: noAuthNoPriv (username only, no crypto — equivalent to v1/v2c); authNoPriv (authenticated but unencrypted — message integrity without confidentiality); authPriv (authenticated and encrypted — full security, recommended for production). See SNMPv2c & v3 Configuration Lab for Cisco IOS setup.

9. Which SNMP version is recommended for all modern, security-sensitive production networks?

Correct answer is A. SNMPv3 with authPriv provides authentication (ensuring message integrity and sender identity) and encryption (protecting data from interception), which makes it the only SNMP version with real security. Because SNMP is essential for monitoring and management, run it as v3 in production rather than disabling it entirely. Complement it with syslog for event logging and firewall rules to restrict management traffic.

10. Which SNMP operation is used by agents to notify managers of events without being polled?

Correct answer is D. TRAP messages are sent asynchronously by SNMP agents to notify managers of events (link failures, reboots, authentication failures) without the manager having to poll. INFORM is a more reliable variant introduced in v2c that requires manager acknowledgement. GET/GETBULK are manager-initiated operations. Compare with syslog, which also delivers unsolicited event messages but over UDP 514 using a different protocol.
