Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
5.4.2. SNMP Versions
The history of SNMP security is a cautionary tale. v1 and v2c send community strings in plaintext—anyone sniffing the network can capture them. For years, "public" was the default read-only community string on most devices. Attackers knew this and scanned entire networks looking for devices they could query.
| Version | Authentication | Encryption | Status |
|---|---|---|---|
| SNMPv1 | Community string (plaintext) | None | Legacy—avoid |
| SNMPv2c | Community string (plaintext) | None | Still common, unfortunately |
| SNMPv3 | Username + password (hashed) | Yes (DES/AES) | Use this! |
The "c" in v2c stands for "community"—it kept the insecure authentication from v1. SNMPv3 finally fixed security by adding real authentication and encryption. If you're deploying SNMP today, use v3.
Common configuration (v2c—know this for the exam, but use v3 in production):
Router(config)# snmp-server community READSTRING ro ! Read-only access
Router(config)# snmp-server community WRITESTRING rw ! Read-write access (dangerous!)
Router(config)# snmp-server host 10.1.1.100 READSTRING ! Send traps here
Router(config)# snmp-server enable traps ! Enable trap notifications
⚠️ Exam Trap: A read-write community string lets the management station change device configuration. If an attacker gets your RW community string, they own your network. Use ACLs to restrict which IPs can use SNMP.