How SNMP Works
SNMP uses a manager-agent model. The SNMP manager is your monitoring software (LibreNMS, Zabbix, Grafana with SNMP data source). The SNMP agent is software running on each monitored device (built into Cisco IOS, Junos, Linux net-snmp, Windows SNMP service). The manager sends queries to the agent, which responds with the requested data.
Communication uses UDP port 161 for queries and responses, and UDP port 162 for traps. A trap is an unsolicited notification sent from the agent to the manager when an event occurs — link down, high CPU, temperature threshold exceeded. Traps eliminate constant polling for event detection.
The MIB: What Data SNMP Can Read
All data accessible via SNMP is defined in a MIB (Management Information Base), a hierarchical database of variable definitions. Each variable has an OID (Object Identifier), a dotted numerical path like 1.3.6.1.2.1.2.2.1.10.1 (ifInOctets, the inbound octet counter, for interface index 1). OIDs are standardized for common variables (CPU, memory, interfaces) via standard MIBs (IF-MIB, HOST-RESOURCES-MIB) and vendor-specific for proprietary data (Cisco, Juniper, Ubiquiti all publish their own enterprise MIBs).
The SNMP walk command (snmpwalk -v2c -c public 192.168.1.1) queries an agent for all OIDs in its MIB tree, showing you everything available to monitor. Monitoring tools import MIB files to translate OID numbers into human-readable variable names.
SNMPv1 vs v2c vs v3
SNMP has three versions with significant security differences. SNMPv1 (1988): original version, plaintext community strings, no authentication. Essentially no security. SNMPv2c (1996): same plaintext community strings, but added 64-bit counters (important for high-speed interfaces) and improved PDU types. Still no encryption. SNMPv3 (2002): adds proper authentication (MD5 or SHA) and encryption (DES, AES) via the USM (User-based Security Model). SNMPv3 is the only version suitable for use on internet-facing or untrusted network segments.
Despite SNMPv3 being available for over two decades, SNMPv2c with read-only community string public remains extremely common in enterprise networks because of legacy equipment and management inertia. At minimum, never use the default community string public on any device, and always restrict SNMP access by source IP using ACLs on the device.
SNMP Version Comparison
| Version | Authentication | Encryption | 64-bit Counters | Security Level | Use Case |
|---|---|---|---|---|---|
| SNMPv1 | Community string (plaintext) | None | No | None | Legacy only; avoid |
| SNMPv2c | Community string (plaintext) | None | Yes | None | Internal trusted networks only |
| SNMPv3 noAuthNoPriv | Username only | None | Yes | Low | Better than v2c but still no encryption |
| SNMPv3 authNoPriv | HMAC-MD5 or HMAC-SHA | None | Yes | Medium | Authenticated, unencrypted |
| SNMPv3 authPriv | HMAC-SHA-256 | AES-128 or AES-256 | Yes | High | Production; any network segment |
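The advice above (no default community strings, restrict by source IP, prefer authPriv) can be checked mechanically on a Linux net-snmp agent. The following Python audit of an snmpd.conf is an added example, not code from the original article or from net-snmp. The sample config is constructed, the function name and finding codes are this example's own, it assumes the simple createUser form without -e, and flagging MD5 and DES as legacy is this example's choice, following the table's authPriv row.

```python
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}  # the defaults named in the article
# Constructed sample in net-snmp snmpd.conf syntax; not from a real device.
SAMPLE_CONF = '''\
rocommunity public
rocommunity lab-ro-7f3a default
rwcommunity private 192.168.1.10
rocommunity lab-ro-7f3a 192.168.1.10
createUser legacyUser MD5 "constructed-auth-pass" DES "constructed-priv-pass"
createUser monUser SHA-256 "constructed-auth-pass" AES "constructed-priv-pass"
rouser legacyUser auth
rouser monUser priv
'''

def audit_snmpd_conf(text):
    """Return (line_number, code) pairs for settings the article warns against."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # drops '#' comments, keeps quoted passphrases whole
        if len(tokens) < 2:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in ("rocommunity", "rwcommunity"):
            # Form: rocommunity COMMUNITY [SOURCE]; no SOURCE or "default" = any address may query.
            if args[0].lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-community"))
            if len(args) < 2 or args[1].lower() == "default":
                findings.append((lineno, "no-source-restriction"))
            if directive == "rwcommunity":
                findings.append((lineno, "plaintext-read-write"))
        elif directive == "createuser":
            # Assumed form: createUser NAME AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]
            if len(args) > 1 and args[1].upper() == "MD5":
                findings.append((lineno, "legacy-auth-md5"))
            if len(args) < 4:
                findings.append((lineno, "no-privacy-protocol"))
            elif args[3].upper() == "DES":
                findings.append((lineno, "legacy-priv-des"))
        elif directive in ("rouser", "rwuser"):
            # Form: rouser USER [noauth|auth|priv]; net-snmp defaults to auth when omitted.
            level = args[1].lower() if len(args) > 1 else "auth"
            if level != "priv":
                findings.append((lineno, "not-authpriv:" + level))
    return findings

if __name__ == "__main__":
    for lineno, code in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {code}")
```

Run against the constructed sample, it reports findings for lines 1, 2, 3, 5 and 7 and passes the source-restricted community and the SHA-256/AES user with a priv access level.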
Frequently Asked Questions
What is an SNMP community string?
A community string in SNMPv1 and v2c acts as a shared password. Devices are typically configured with a read-only community (default: public) that allows monitoring but not configuration changes, and a read-write community (default: private) that allows changing device settings. These are transmitted in plaintext — anyone on the network can read them with a packet capture. Always change defaults and restrict SNMP access by IP ACL.
What can I monitor with SNMP in a homelab?
Interface traffic (in/out octets, packets, errors), CPU utilization, memory usage, disk usage, system uptime, and temperature on supported hardware. Managed switches expose interface counters per port — useful for monitoring traffic on each VLAN. Routers expose WAN and LAN interface statistics. LibreNMS is the most popular open-source SNMP monitoring platform for homelab use — it auto-discovers devices and builds dashboards automatically.
Is SNMP still relevant with newer monitoring tools?
Yes. While newer monitoring approaches use REST APIs, streaming telemetry, and metrics agents (Prometheus node_exporter, Telegraf), SNMP remains the only monitoring interface on many switches, routers, UPS units, and printers that do not have an API. A complete homelab monitoring stack typically uses both: SNMP for network devices and metrics agents for servers.
What port does SNMP use?
UDP port 161 for SNMP queries (manager to agent) and responses (agent to manager). UDP port 162 for SNMP traps (unsolicited notifications from agent to manager). SNMP uses UDP rather than TCP because monitoring traffic should not block on connection establishment — fast, stateless polling is preferred even at the cost of occasional lost packets.