NetStacks

SNMP Communities

Available on: Teams, Enterprise

Configure SNMP v1/v2c community strings and SNMPv3 authentication and privacy credentials for device discovery and monitoring.

Overview

NetStacks stores SNMP credentials in the same encrypted vault used for SSH passwords and keys. SNMP credentials are used for device discovery, monitoring, and polling device health metrics. The vault supports SNMP v1, v2c (community string-based) and SNMPv3 (user-based security model with authentication and privacy).

For production networks, SNMPv3 with both authentication and privacy (authPriv) is strongly recommended. SNMP v1 and v2c transmit community strings in plaintext over the network, making them suitable only for isolated management networks or legacy devices that do not support v3.

  • SNMP v1/v2c community string credentials
  • SNMPv3 user-based security with authentication (MD5, SHA, SHA-256) and privacy (DES, AES-128, AES-256)
  • All SNMP secrets encrypted at rest in the credential vault using AES-256-GCM
  • Used for device discovery, health monitoring, and interface polling
  • Assignable to individual devices or groups for automated polling

How It Works

SNMP v1/v2c

SNMP v1 and v2c use a community string as the sole authentication mechanism. The community string is essentially a password sent in plaintext with every SNMP request. NetStacks stores community strings encrypted in the vault and only decrypts them in memory when making SNMP requests to devices.

Version             | Authentication                  | Encryption          | Recommendation
SNMPv1              | Community string (plaintext)    | None                | Legacy only; avoid if possible
SNMPv2c             | Community string (plaintext)    | None                | Common; use only on isolated management networks
SNMPv3 noAuthNoPriv | Username only                   | None                | Not recommended
SNMPv3 authNoPriv   | Username + HMAC (MD5/SHA)       | None                | Acceptable; authenticated but not encrypted
SNMPv3 authPriv     | Username + HMAC (SHA/SHA-256)   | AES-128 or AES-256  | Recommended for production

SNMPv3 Security Model

SNMPv3 uses a User-based Security Model (USM) with three components:

  • Username — Identifies the SNMP user on the device
  • Authentication protocol and key — Verifies the identity of the sender using HMAC with MD5, SHA-1, or SHA-256. The auth key is stored encrypted in the vault.
  • Privacy protocol and key — Encrypts the SNMP payload using DES, AES-128, or AES-256. The priv key is stored encrypted in the vault separately from the auth key.

How SNMP Credentials Are Used

When the Controller polls a device or runs an SNMP-based discovery scan, it retrieves the assigned SNMP credential from the vault, decrypts the community string or auth/priv keys in memory, constructs the SNMP request, sends it to the device, and then discards the decrypted values.

Note

SNMP credentials in NetStacks are separate from SSH credentials. A device can have both an SSH credential (for terminal access and configuration) and an SNMP credential (for monitoring and discovery) assigned independently.

Step-by-Step Guide

Step 1: Create a v2c Community String Credential

  1. Navigate to Credentials → Add Credential
  2. Select type: SNMP Community
  3. Enter a name (e.g., "Production Read-Only Community")
  4. Select SNMP version: v2c
  5. Enter the community string (e.g., n3tst4cks_r0)
  6. Select a credential folder and click Save
Avoid default community strings

Never use public or private as community strings. These are the default values on most devices and are the first values attackers try. Use a strong, unique community string for each environment.

Step 2: Create an SNMPv3 Credential with Auth and Priv

  1. Navigate to Credentials → Add Credential
  2. Select type: SNMPv3
  3. Enter a name (e.g., "SNMPv3 Monitoring — Production")
  4. Enter the SNMPv3 username configured on the device
  5. Select authentication protocol: SHA-256 (recommended)
  6. Enter the authentication key
  7. Select privacy protocol: AES-128 or AES-256
  8. Enter the privacy key
  9. Select a credential folder and click Save

Step 3: Associate an SNMP Credential with a Device

  1. Navigate to Devices and select a device
  2. Click Edit
  3. In the SNMP Credential dropdown, select the SNMP credential
  4. Click Save
  5. The Controller will use this credential for all SNMP operations on the device

Step 4: Test SNMP Connectivity

  1. Navigate to the device detail page
  2. Click Test SNMP
  3. The Controller sends an SNMP GET request for sysDescr.0 using the assigned credential
  4. A success response shows the device's system description
  5. A failure indicates connectivity or credential issues

Code Examples

Create an SNMP v2c Credential via API

create-snmpv2c-credential.sh (bash)
# An inline -d body ends up in shell history; for real runs read it from a file (-d @body.json)
curl -X POST https://controller.example.net/api/credentials \
  -H "Authorization: Bearer ${API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Read-Only Community",
    "description": "SNMPv2c read-only community for production network monitoring",
    "credential_type": "snmp_v2c",
    "secret": "n3tst4cks_r0_pr0d",
    "folder_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "metadata": {
      "snmp_version": "2c",
      "access": "read-only",
      "environment": "production"
    }
  }'

Create an SNMPv3 Credential via API

create-snmpv3-credential.sh (bash)
# An inline -d body ends up in shell history; for real runs read it from a file (-d @body.json)
curl -X POST https://controller.example.net/api/credentials \
  -H "Authorization: Bearer ${API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "SNMPv3 Monitoring - Production",
    "description": "SNMPv3 authPriv credential for production device monitoring",
    "credential_type": "snmp_v3",
    "username": "netstacks_monitor",
    "secret": "AuthPassw0rd!Str0ng",
    "folder_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "metadata": {
      "snmp_version": "3",
      "security_level": "authPriv",
      "auth_protocol": "SHA-256",
      "priv_protocol": "AES-128",
      "priv_key": "PrivK3y!Encrypt10n"
    }
  }'

Test SNMP Connectivity from the Command Line

test-snmp.sh (bash)
# Keys given on the command line are visible in `ps` output and saved in shell
# history; for anything beyond a one-off test put them in an snmp.conf read via
# SNMPCONFPATH, or use the Controller's Test SNMP button.

# Test SNMPv2c connectivity. snmpget fetches a single instance such as sysDescr.0;
# snmpwalk is for walking a subtree.
snmpget -v2c -c n3tst4cks_r0_pr0d 10.0.1.1 sysDescr.0
# Expected: SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software ...

# Test SNMPv3 connectivity with authPriv (-x AES selects AES-128; check your
# net-snmp build's -x options before assuming AES-256 is available)
snmpget -v3 -l authPriv \
  -u netstacks_monitor \
  -a SHA-256 -A "AuthPassw0rd!Str0ng" \
  -x AES -X "PrivK3y!Encrypt10n" \
  10.0.1.1 sysDescr.0

# Walk the interface table (useful for monitoring); ifDescr lives in IF-MIB
snmpwalk -v2c -c n3tst4cks_r0_pr0d 10.0.1.1 ifDescr
# IF-MIB::ifDescr.1 = STRING: GigabitEthernet0/0/0
# IF-MIB::ifDescr.2 = STRING: GigabitEthernet0/0/1

Device-Side SNMPv3 Configuration (Cisco IOS-XE)

cisco-snmpv3-config.txt (text)
! Configure SNMPv3 on a Cisco IOS-XE device. IOS has no line continuation:
! each command is typed as one line, however long.
conf t

! Restrict SNMP to the Controller's address (10.0.1.10 is a placeholder)
ip access-list standard NETSTACKS_ACL
 permit host 10.0.1.10
 deny any log
exit

! Define the read-only view before the group that references it
snmp-server view NETSTACKS_VIEW iso included

! Group that requires authPriv, grants read access only, and is source-restricted by the ACL
snmp-server group NETSTACKS_GRP v3 priv read NETSTACKS_VIEW access NETSTACKS_ACL

! User with SHA-256 auth and AES-128 priv. The SHA-2 auth keyword varies by IOS-XE
! release; type "auth ?" to see what yours accepts ("auth sha" is SHA-1 everywhere).
! The keys are localized to this device's engine ID as soon as the command runs;
! if the engine ID is changed later the user must be recreated.
snmp-server user netstacks_monitor NETSTACKS_GRP v3 auth sha256 AuthPassw0rd!Str0ng priv aes 128 PrivK3y!Encrypt10n

end
write memory

! SNMPv3 users are not listed in the running-config; confirm with:
show snmp user

Questions & Answers

Q: What SNMP versions does NetStacks support?
A: NetStacks supports SNMP v1, v2c (community string-based), and SNMPv3 (user-based security model). SNMPv3 with authPriv (authentication and privacy) is recommended for all production networks. SNMP v1 and v2c are available for legacy devices and isolated management networks.
Q: How do I set up SNMPv3 with authentication and privacy?
A: Create an SNMPv3 credential in NetStacks with a username, authentication protocol (SHA or SHA-256), authentication key, privacy protocol (AES-128 or AES-256), and privacy key. Then configure the same username and keys on the target device. NetStacks encrypts all keys in the vault and decrypts them only during SNMP operations.
Q: What is the difference between authentication and privacy in SNMPv3?
A: Authentication (auth) verifies the identity of the SNMP message sender using HMAC with a shared key, ensuring the message was not forged. Privacy (priv) encrypts the SNMP message payload so it cannot be read by anyone intercepting the network traffic. Using both (authPriv) is recommended for production.
Q: How is SNMP used in NetStacks?
A: SNMP is used for device discovery (finding devices on a network), health monitoring (polling CPU, memory, interface counters), and inventory collection (reading system descriptions, serial numbers, and module information). SSH is used for configuration management and terminal access.
Q: Can I test SNMP connectivity before using a credential for monitoring?
A: Yes. On the device detail page, click Test SNMP to send a single SNMP GET request using the assigned credential. The Controller will query sysDescr.0 and report whether the device responded. You can also test manually from the command line using snmpwalk.
Q: Why should I avoid using default community strings?
A: The default community strings public (read-only) and private (read-write) are well-known and are the first values attackers try when scanning networks. Using default strings effectively gives anyone on your management network the ability to read or modify device configurations via SNMP.

Troubleshooting

SNMP timeout (no response from device)

If SNMP requests time out with no response:

  • Verify the device is reachable from the Controller: ping 10.0.1.1
  • Check that UDP port 161 is not explicitly rejected: nc -zuv 10.0.1.1 161. UDP has no handshake, so nc reports "open" whenever no ICMP port-unreachable comes back; only a real SNMP GET proves an agent is listening
  • Verify SNMP is enabled on the device: show snmp on Cisco IOS, show configuration snmp on Junos
  • Check firewall rules: SNMP uses UDP/161, which stateful firewalls may drop or rate-limit
  • Verify the community string matches exactly (case-sensitive)

SNMPv3 authentication failures

If SNMPv3 requests fail with authentication errors:

  • Verify the username matches exactly on both the Controller and the device
  • Confirm the authentication protocol matches (e.g., SHA vs SHA-256)
  • Re-enter the authentication key; it may have been stored with trailing whitespace
  • SNMPv3 keys are localized to the device's snmpEngineID. If the engine ID was changed or regenerated (for example after snmp-server engineID local was reconfigured), the user must be recreated on the device even though the passphrase did not change
  • Check the device's SNMPv3 configuration: show snmp user on Cisco

debug-snmpv3.sh (bash)
# Debug SNMPv3 authentication issues (add -d to dump the raw packets)
snmpget -v3 -l authPriv \
  -u netstacks_monitor \
  -a SHA-256 -A "AuthPassw0rd!Str0ng" \
  -x AES -X "PrivK3y!Encrypt10n" \
  10.0.1.1 sysDescr.0 2>&1

# "Unknown user name"      - username or engine ID mismatch; compare with `show snmp user` on the device
# "Authentication failure" - auth protocol or auth key mismatch
# "authorizationError"     - the user authenticates but the group/view does not grant the OID
# timeout with a correct auth key - usually a wrong privacy key or protocol (the agent
#   cannot decrypt the PDU and drops or reports it) or an ACL discarding the request

Device not responding to SNMP polls

If a device was previously responding but stopped:

  • Check if the device rebooted and lost its SNMP configuration. On Cisco IOS, show running-config | include snmp shows groups, views and communities, but SNMPv3 users are not part of the running-config; verify them with show snmp user
  • Verify the SNMP credential has not expired in NetStacks
  • Check for ACLs on the device that may restrict SNMP access to specific source IPs
  • Verify the Controller's IP is in the device's SNMP access list

Explore related monitoring and credential features:

  • Credential Vault — How SNMP community strings and auth/priv keys are encrypted and stored
  • Adding Devices — Associate SNMP credentials with devices for monitoring
  • Device Types — Understand which device types support which SNMP versions
  • Credential Folders — Organize SNMP credentials by environment or site
  • Audit Logs — Track SNMP credential usage and access events