SNMP

SNMP

Summary

Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. MikroTik RouterOS supports SNMP for monitoring router status, interface statistics, resource usage, and more. SNMP data can be graphed with tools such as CACTI, MRTG, or The Dude.

SNMP write support is available for specific OIDs only, including system identity, reboot, and script execution. For supported OIDs, SNMP v1, v2, or v3 write operations are supported.

SNMP responses are sent from the same IP address that the request was received on, ensuring proper routing in multi-interface configurations.

SNMP communication timeouts can occur when monitoring slow services. If communication between SNMP and a service exceeds 30 seconds (5 minutes for routing service), warning messages appear in the log. In such cases, exclude problematic OIDs from your monitoring configuration.

Quick Configuration

Enable SNMP with basic settings in a few commands:

# Enable SNMP service
[admin@MikroTik] /snmp> set enabled yes

# Set administrative contact information
[admin@MikroTik] /snmp> set contact "[email protected]"

/snmp> set location "Server Room - Rack A"

/snmp> print
enabled: yes
contact: [email protected]
location: Server Room - Rack A
engine-id: ""
trap-community: public
trap-version: 1
trap-target: 0.0.0.0

SNMP General Configuration

Sub-menu level: /snmp

Configure general SNMP settings including enable/disable, contact information, and trap destinations.

Property	Description
contact	Administrative contact information for the device
enabled	Enable or disable the SNMP service
engine-id	SNMPv3 engine ID suffix (prefix 0x80003a8c04 is automatic)
location	Physical location of the device
trap-community	Community name used when sending traps
trap-generators	Events that trigger traps: interfaces (interface changes), start-trap (SNMP service start), temp-exception (temperature threshold reached)
trap-interfaces	Specific interfaces for trap transmission (or all)
trap-target	IP addresses of SNMP trap receivers
trap-version	SNMP version for traps: 1, 2, or 3
src-address	Fixed source IP address for all SNMP messages
vrf	VRF name for incoming SNMP connections (RouterOS 7.19+)

Trap Generator Examples

Configure traps for specific events:

# Enable interface change traps and temperature exception traps
/snmp> set trap-generators=interfaces,temp-exception

# Set trap receiver IP address
/snmp> set trap-target=192.168.1.100

# Use SNMPv2c for traps
/snmp> set trap-version=2

SNMP Community Configuration

Sub-menu level: /snmp community

Configure access rights for SNMP data. Communities define who can access SNMP data and what level of access they have.

Security Considerations

SNMP Version	Security Level	Use Case
v1/v2c	Community string only (cleartext)	Development/lab environments only
v3	Username + password (MD5/SHA1) + encryption (DES/AES)	Production environments

Caution

Default configuration includes one community named public with no security settings. This is insecure and should be modified for production use.

Community Properties

Property	Description	Default
address	IP address or network (e.g., 192.168.1.0/24) allowed to access SNMP	0.0.0.0/0 (all addresses)
authentication-password	Password for SNMPv3 authentication	""
authentication-protocol	SNMPv3 authentication protocol: MD5 or SHA1	MD5
encryption-password	Password for SNMPv3 encryption	""
encryption-protocol	SNMPv3 encryption protocol: DES or AES	DES
name	Community name (acts as username in v3)	""
read-access	Allow read-only access to SNMP data	yes
security	Security level: none, authorized, or private	none
write-access	Allow write access to modify router settings	no

Community Configuration Examples

Create a read-only community for monitoring:

/snmp community> add name=monitoring address=192.168.1.0/24 read-access=yes write-access=no

Create a secure SNMPv3 community:

/snmp community> add name=secureadmin security=private read-access=yes write-access=no
/snmp community> set authentication-protocol=SHA1 authentication-password=StrongAuthPass123
/snmp community> set encryption-protocol=AES encryption-password=StrongEncPass456

Management Information Base (MIB)

A MIB is a database of information maintained by the SNMP agent that managers can query. MikroTik provides a MIB file containing all supported OIDs.

Download the official MikroTik RouterOS MIB file from: https://mikrotik.com/download/tools

Supported MIBs in RouterOS

MIB Name	Purpose
MIKROTIK-MIB	MikroTik-specific device information
MIB-2	Standard network management objects
HOST-RESOURCES-MIB	Host resources (CPU, memory, storage)
IF-MIB	Network interface statistics
IP-MIB	IP addressing and routing information
IP-FORWARD-MIB	IP forwarding table
IPV6-MIB	IPv6 protocol information
BRIDGE-MIB	Bridge and spanning tree information
DHCP-SERVER-MIB	DHCP server statistics
CISCO-AAA-SESSION-MIB	AAA session information
ENTITY-MIB	Physical entity information
UPS-MIB	UPS monitoring data
SQUID-MIB	Proxy server statistics

Object Identifiers (OID)

Each OID identifies a specific variable that can be read or written via SNMP. Use the print oid command to display OID values for any menu item:

[admin@MikroTik] /interface> print oid

Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name=.1.3.6.1.2.1.2.2.1.2.1 mtu=.1.3.6.1.2.1.2.2.1.4.1
mac-address=.1.3.6.1.2.1.2.2.1.6.1 admin-status=.1.3.6.1.2.1.2.2.1.7.1
oper-status=.1.3.6.1.2.1.2.2.1.8.1 bytes-in=.1.3.6.1.2.1.2.2.1.10.1
packets-in=.1.3.6.1.2.1.2.2.1.11.1 discards-in=.1.3.6.1.2.1.2.2.1.13.1
errors-in=.1.3.6.1.2.1.2.2.1.14.1 bytes-out=.1.3.6.1.2.1.2.2.1.16.1
packets-out=.1.3.6.1.2.1.2.2.1.17.1 discards-out=.1.3.6.1.2.1.2.2.1.19.1
errors-out=.1.3.6.1.2.1.2.2.1.20.1

Common OIDs

Description	OID
System Name	.1.3.6.1.2.1.1.5.0
System Description	.1.3.6.1.2.1.1.1.0
System Uptime	.1.3.6.1.2.1.1.3.0
Interface Name	.1.3.6.1.2.1.2.2.1.2.X
Interface Bytes In	.1.3.6.1.2.1.2.2.1.10.X
Interface Bytes Out	.1.3.6.1.2.1.2.2.1.16.X
Router Reboot	.1.3.6.1.4.1.14988.1.1.7.1.0
Script Execute	.1.3.6.1.4.1.14988.1.1.18.1.1.2.X

SNMP Traps

SNMP traps enable the router to proactively notify monitoring systems of events. Supported events include interface status changes and SNMP service startup/shutdown.

Trap Configuration

# Configure trap receiver
/snmp> set trap-target=192.168.1.100 trap-community=public trap-version=2

# Enable interface change traps
/snmp> set trap-generators=interfaces

Trap Versions

Version	Security	Use Case
v1	None	Legacy systems
v2c	Community string	General monitoring
v3	Authentication + encryption	Secure environments

SNMP Write Operations

SNMP write allows modifying router configuration through SNMP SET requests. Enable write access carefully due to security implications.

Only enable SNMP write access when necessary and restrict access by IP address. Consider using SNMPv3 with encryption for write operations.

Enable Write Access

# Enable write access for a community
/snmp community> set 0 write-access=yes

System Identity

Change router identity via SNMP:

snmpset -c public -v 1 192.168.0.0 1.3.6.1.2.1.1.5.0 s "New_Router_Name"

This command is equivalent to:

/system identity set identity="New_Router_Name"

Router Reboot

Trigger a router reboot via SNMP:

snmpset -c public -v 1 192.168.0.0 1.3.6.1.4.1.14988.1.1.7.1.0 s "1"

The value must be non-zero to trigger the reboot action.

Run Script

Execute a predefined script via SNMP:

snmpset -c public -v 1 192.168.0.0 1.3.6.1.4.1.14988.1.1.8.1.1.3.X s "1"

Where X is the script number (starting from 1).

Run Script via GET Request

Since RouterOS 6.37, scripts can be triggered via SNMP GET requests. This requires write access on the community.

Create scripts first:

/system script add name=reboot-script owner=admin policy=reboot source="/system reboot"
/system script add name=status-script owner=admin policy=read source=":put \"Status check\""

Query available scripts:

snmpwalk -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.8
# Returns script names and OIDs

Execute script via GET:

snmpget -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.1
# Script output is returned

Examples

Complete SNMPv3 Configuration

# Enable SNMP service
/snmp> set enabled=yes contact="[email protected]" location="Data Center Rack 1"

/snmp community> add name=SNMPv3Read security=authorized address=10.0.0.0/8
/snmp community> set authentication-protocol=SHA1 authentication-password=AuthPass123!
/snmp community> set encryption-protocol=AES encryption-password=EncPass456!

/snmp community> add name=SNMPv3Full security=private read-access=yes write-access=no
/snmp community> set authentication-protocol=SHA1 authentication-password=FullAuth789!
/snmp community> set encryption-protocol=AES encryption-password=FullEnc012!

/snmp> set trap-target=10.100.1.50 trap-version=3
/snmp> set trap-community=SNMPv3Full

Basic SNMPv2c Configuration

/snmp> set enabled=yes contact="[email protected]" location="Office Building"
/snmp community> add name=monitoring address=192.168.100.0/24 read-access=yes
/snmp> set trap-target=192.168.100.10 trap-community=monitoring

Monitor Interface Statistics

# Get interface bytes in for ether1 (index 1)
snmpget -v2c -cpublic 192.168.88.1 .1.3.6.1.2.1.2.2.1.10.1

# Walk all interface statistics
snmpwalk -v2c -cpublic 192.168.88.1 IF-MIB::ifTable

# Monitor CPU usage (HOST-RESOURCES-MIB)
snmpget -v2c -cpublic 192.168.88.1 .1.3.6.1.4.1.2021.11.9.0

Related Information

• Official MIB Download: https://mikrotik.com/download/tools
• RFC 1157: SNMP v1 Specification
• RFC 1901-1908: SNMP v2c Specification
• RFC 3411-3418: SNMP v3 Architecture and Protocols
• Related Topics:
  • Log - System logging configuration
  • Interface stats and monitor-traffic - Interface monitoring
  • Netwatch - Host monitoring tool