SNMP
Summary
The Simple Network Management Protocol (SNMP) in RouterOS allows remote monitoring and management of the router. RouterOS supports SNMPv2c (community-based) and SNMPv3 (with authentication and encryption).
Command Path
The SNMP configuration is located at:
- SNMP Settings: /snmp
- SNMP Community: /snmp community
- SNMP Traps: /snmp (trap-target, trap-community, trap-version properties)
SNMP Versions
SNMPv2c (Community-Based)
SNMPv2c uses community strings for authentication. It’s simple but provides no encryption.
```
/snmp set enabled=yes
# "set" needs an item selector; this one targets the default community
/snmp community set [find default=yes] name=public
```
SNMPv3 (Secure)
SNMPv3 provides authentication and optional encryption. It’s recommended for production environments.
SNMPv3 Security Levels
SNMPv3 defines three security levels, each offering a different degree of protection:
1. noAuthNoPriv (No Authentication, No Privacy)
- Authentication: None
- Encryption: None
- Use case: Testing or trusted networks only
```
/snmp set enabled=yes
/snmp community set [find default=yes] name=mycommunity security=none
```
This security level sends data in plain text and provides no verification of the sender’s identity.
2. authNoPriv (Authentication, No Privacy)
- Authentication: MD5 or SHA1
- Encryption: None
- Use case: Environments where authentication is needed but encryption is not required
```
/snmp set enabled=yes
# security=authorized requires authentication but not encryption (authNoPriv)
/snmp community set [find default=yes] name=mycommunity security=authorized authentication-protocol=sha1 authentication-password=authpass123
```
This level verifies the identity of the sender using a hash-based authentication protocol but does not encrypt the data payload.
Authentication Protocols:
- MD5: Faster but less secure (128-bit hash)
- SHA1: More secure but slower (160-bit hash)
3. authPriv (Authentication and Privacy/Encryption)
- Authentication: MD5 or SHA1
- Encryption: AES or DES
- Use case: Production environments requiring maximum security
```
/snmp set enabled=yes
# security=private requires both authentication and encryption (authPriv)
/snmp community set [find default=yes] name=mycommunity security=private authentication-protocol=sha1 authentication-password=authpass123 encryption-protocol=aes encryption-password=encpass123
```
This level provides both authentication and encryption, ensuring that data is both verified and protected from eavesdropping.
Encryption Protocols:
- AES: Recommended (128-bit, 192-bit, or 256-bit)
- DES: Legacy option (56-bit, less secure)
Configuration Examples
Enable Basic SNMPv2c
```
/snmp set enabled=yes
/snmp community set [find default=yes] name=public
```
Enable SNMPv3 with authNoPriv
```
/snmp set enabled=yes
# security=authorized requires authentication but not encryption (authNoPriv)
/snmp community add name=mycommunity security=authorized authentication-protocol=sha1 authentication-password=MyAuthPass123
```
Enable SNMPv3 with authPriv (Recommended)
```
/snmp set enabled=yes
/snmp community add name=mycommunity security=private authentication-protocol=sha1 authentication-password=MyAuthPass123 encryption-protocol=aes encryption-password=MyEncPass123
```
Configure SNMP Traps
```
/snmp set trap-community=public trap-version=2
/snmp set trap-target=192.168.88.100
```
Properties
| Property | Type | Description |
|---|---|---|
| enabled | yes \| no | Enable or disable SNMP |
| contact | string | System contact information |
| location | string | System location |
| engine-id | string | SNMP engine ID |
| trap-community | string | Community string for traps |
| trap-version | 1 \| 2 \| 3 | SNMP version for traps |
Community Properties
| Property | Type | Description |
|---|---|---|
| name | string | Community name |
| security | none \| authorized \| private | Security level |
| read-access | yes \| no | Allow read operations |
| write-access | yes \| no | Allow write operations |
| authentication-protocol | MD5 \| SHA1 | Authentication protocol (SNMPv3) |
| authentication-password | string | Authentication password (SNMPv3) |
| encryption-protocol | DES \| AES | Encryption protocol (SNMPv3) |
| encryption-password | string | Encryption password (SNMPv3) |
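
The community properties above can be audited mechanically. The following is an added example (not MikroTik code and not part of the original page) that parses a constructed `/snmp community` export and flags the weak settings this page warns about. The sample export and the defaults assumed for properties an export omits (`security=none`, `write-access=no`, `authentication-protocol=md5`, `encryption-protocol=des`) are assumptions.

```python
import re
import shlex

# Constructed sample in the style of a RouterOS export; not from a real device.
SAMPLE_EXPORT = """\
/snmp community
set [ find default=yes ] name=public
add name=monitoring security=authorized authentication-protocol=md5 \\
    write-access=yes
add name=legacy security=private authentication-protocol=sha1 encryption-protocol=des
add name=noc security=private authentication-protocol=sha1 encryption-protocol=aes
/snmp
set enabled=yes trap-version=2
"""
# Assumed RouterOS defaults for properties an export omits.
DEFAULTS = {"security": "none", "write-access": "no",
            "authentication-protocol": "md5", "encryption-protocol": "des"}

def parse_communities(export_text):
    """Return one property dict per entry under `/snmp community`."""
    entries, in_menu = [], False
    # Exports wrap long lines with a trailing backslash; join them first.
    for line in export_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_menu = line == "/snmp community"
        elif in_menu and line.startswith(("add ", "set ")):
            line = re.sub(r"\[.*?\]", "", line)  # drop the `[ find ... ]` selector
            props = dict(DEFAULTS)
            for token in shlex.split(line)[1:]:
                key, sep, value = token.partition("=")
                if sep:  # community names are case-sensitive, other values are not
                    props[key] = value if key == "name" else value.lower()
            entries.append(props)
    return entries

CHECKS = [  # (predicate, finding) for each weak setting this page warns about
    (lambda p: p["security"] == "none", "no authentication, data in plain text"),
    (lambda p: p["security"] == "authorized", "authenticated but not encrypted"),
    (lambda p: p["security"] != "none" and p["authentication-protocol"] == "md5",
     "md5 authentication, less secure than sha1"),
    (lambda p: p["security"] == "private" and p["encryption-protocol"] == "des",
     "des encryption, legacy 56-bit"),
    (lambda p: p["write-access"] == "yes", "write operations allowed"),
    (lambda p: p.get("name") == "public", "widely known community name"),
]

def audit_export(export_text):
    """Map each community name to the list of findings for it."""
    return {p.get("name", "?"): [msg for test, msg in CHECKS if test(p)]
            for p in parse_communities(export_text)}
```
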
Troubleshooting
SNMP Queries Not Working
- Verify SNMP is enabled: /snmp print
- Check firewall rules allow SNMP (UDP port 161)
- Verify community name matches
- For SNMPv3, verify security level and passwords are correct
SNMPv3 Authentication Failures
- Verify username exists in /snmp community
- Check authentication protocol matches (MD5 or SHA1)
- Ensure password is correct and meets minimum length requirements
- For authPriv, verify encryption settings are correct
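
Why a mismatched password, protocol or engine ID shows up as an authentication failure: under the SNMPv3 User-based Security Model (RFC 3414) the password is hashed into a key bound to the device's engine ID, and every message carries a truncated HMAC computed with that key. The following is an added example, not RouterOS code and not part of the original page; the password and engine ID are the test values published in RFC 3414, while the message bytes are constructed and the 8-character minimum is RFC 3414's recommendation rather than a documented RouterOS limit.

```python
import hashlib
import hmac

def password_to_key(password: str, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically up to 1 MiB."""
    pw = password.encode()
    if len(pw) < 8:  # RFC 3414 recommends at least 8 characters (assumed limit)
        raise ValueError("password shorter than 8 characters")
    reps, rem = divmod(1024 * 1024, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()

def localize_key(password: str, engine_id: bytes, hash_name: str) -> bytes:
    """Bind the user key Ku to one engine: H(Ku || engineID || Ku)."""
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def auth_tag(key: bytes, message: bytes, hash_name: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: first 12 bytes of the HMAC.

    In a real message the HMAC covers the encoded packet with the tag field zeroed.
    """
    return hmac.new(key, message, hash_name).digest()[:12]

def verify(message: bytes, tag: bytes, password: str,
           engine_id: bytes, hash_name: str) -> bool:
    """Recompute the tag from local settings and compare in constant time."""
    key = localize_key(password, engine_id, hash_name)
    return hmac.compare_digest(auth_tag(key, message, hash_name), tag)

# Test values published in RFC 3414, appendix A.3.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed stand-in for an encoded SNMPv3 message.
SAMPLE_MESSAGE = b"constructed SNMPv3 message bytes"

if __name__ == "__main__":
    key = localize_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1")
    tag = auth_tag(key, SAMPLE_MESSAGE, "sha1")
    other_engine = bytes.fromhex("000000000000000000000003")
    print("matching settings:", verify(SAMPLE_MESSAGE, tag, RFC_PASSWORD, RFC_ENGINE_ID, "sha1"))
    print("md5 instead of sha1:", verify(SAMPLE_MESSAGE, tag, RFC_PASSWORD, RFC_ENGINE_ID, "md5"))
    print("different engine ID:", verify(SAMPLE_MESSAGE, tag, RFC_PASSWORD, other_engine, "sha1"))
```
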
Traps Not Being Received
- Verify trap destination is reachable
- Check trap community matches
- Ensure firewall allows UDP port 162 outbound