Overview
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. SNMP can be used to graph various data with tools such as CACTI, MRTG, or The Dude.
SNMP write support is available only for some OIDs. For those OIDs, write is supported over SNMP v1, v2, or v3.
Note |
---|
SNMP responds to a query on the interface the SNMP request was received from, forcing the response to have the same source address as the destination address the request was sent to on the router. |
Note |
---|
The SNMP tool collects data from different services running on the system. If, for some reason, communication between SNMP and some service takes longer than expected (30 seconds per service, 5 minutes for the routing service), you will see a warning in the log stating "timeout while waiting for program" or "SNMP did not get OID data within expected time, ignoring OID". After that, this service will deny SNMP requests for a while before even trying to get the requested data again. This error has nothing to do with the SNMP service itself. In most cases, such an error is printed when some slow or busy service is monitored through SNMP, and quite often it is a service that should not be monitored through SNMP; the proper solution in such cases is to skip such OIDs in your monitoring tool. |
Quick Configuration
To enable SNMP in RouterOS:
Code Block |
---|
|
[admin@MikroTik] /snmp> print
enabled: no
contact:
location:
engine-id:
trap-community: (unknown)
trap-version: 1
[admin@MikroTik] /snmp> set enabled yes |
You can also specify administrative contact information in the above settings. All SNMP data will be available to communities configured in the community menu.
General Properties
This submenu is used to enable SNMP and to configure general settings.
Property | Description |
---|
contact (string; Default: "") | Contact information |
enabled (yes | no; Default: no) | Used to disable/enable SNMP service |
engine-id (string; Default: "") | For SNMP v3, used as part of the identifier. This argument configures the suffix part of the engine ID. If the SNMP client is not able to detect the configured engine-id value, the hex prefix 0x80003a8c04 has to be used |
location (string; Default: "") | Location information |
trap-community (string; Default: public) | Which communities configured in the community menu to use when sending out the trap. |
trap-generators (interfaces | start-trap; Default: ) | What action will generate traps: interfaces - interface changes; start-trap - SNMP server starting on the router |
trap-interfaces (string | all; Default: ) | List of interfaces that traps are going to be sent out from. |
trap-target (list of IP/IPv6; Default: 0.0.0.0) | IP (IPv4 or IPv6) addresses of SNMP data collectors that have to receive the trap |
trap-version (1|2|3; Default: 1) | A version of SNMP protocol to use for trap |
src-address (IPv4 or IPv6 address; Default: ::) | Force the router to always use the same IP source address for all of the SNMP messages |
vrf (VRF name; default value: main) | Set VRF on which service is listening for incoming connections |
Note |
---|
The engine-id field holds the suffix value of the engine ID. Usually, SNMP clients should be able to detect the value as read from the router. However, there is a possibility that this is not the case, and then the engine ID value has to be set according to this rule: <engine-id prefix> + <hex-dump suffix>. For example, if you have set 1234 as the suffix value, you have to provide 80003a8c04 + 31323334; the combined hex (the result) is 80003a8c0431323334 |
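The rule in the note above, as an added Python example that is not part of the original page: it builds the full engine ID from a configured suffix and splits an observed engine ID back into its parts. The field layout (enterprise number in the first four octets with the top bit set, then a format octet, 5 to 32 octets overall) is taken from RFC 3411 rather than from this page.

```python
MIKROTIK_PREFIX = bytes.fromhex("80003a8c04")  # prefix given on this page


def build_engine_id(suffix: str) -> str:
    """Full engine ID = the page's prefix + hex dump of the configured suffix."""
    engine_id = MIKROTIK_PREFIX + suffix.encode("ascii")
    if len(engine_id) > 32:  # RFC 3411 limits an engine ID to 5..32 octets
        raise ValueError("suffix too long: engine ID exceeds 32 octets")
    return engine_id.hex()


def parse_engine_id(hex_id: str) -> dict:
    """Split an engine ID into enterprise number, format octet and suffix."""
    text = hex_id.lower()
    raw = bytes.fromhex(text[2:] if text.startswith("0x") else text)
    if not 5 <= len(raw) <= 32:
        raise ValueError("engine ID must be 5..32 octets")
    head = int.from_bytes(raw[:4], "big")
    if not head & 0x80000000:
        raise ValueError("top bit not set: not an RFC 3411 format engine ID")
    fmt, rest = raw[4], raw[5:]
    # Format 4 is administratively assigned text; other formats are shown as hex.
    suffix = rest.decode("ascii") if fmt == 4 else rest.hex()
    return {"enterprise": head & 0x7FFFFFFF, "format": fmt, "suffix": suffix}


if __name__ == "__main__":
    print(build_engine_id("1234"))
    print(parse_engine_id("0x80003a8c0431323334"))
```

The enterprise number recovered from the prefix, 14988, is the same number that appears in the MikroTik OIDs on this page (1.3.6.1.4.1.14988).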
Sub-menu: /snmp community |
---|
This submenu is used to set up access rights for the SNMP data.
There is little security in v1 and v2c: just a clear-text community string ("username") and the ability to limit access by IP address.
In a production environment, SNMP v3 should be used, as it provides security: authorization (user + password) with MD5/SHA1 and encryption with DES and AES.
Code Block |
---|
|
[admin@MikroTik] /snmp community> print value-list
name: public
address: 0.0.0.0/0
security: none
read-access: yes
write-access: no
authentication-protocol: MD5
encryption-protocol: DES
authentication-password: *****
encryption-password: ***** |
Warning |
---|
Default settings only have one community named public without any additional security settings. These settings should be considered insecure and should be adjusted according to the required security profile. |
Properties
Property | Description |
---|
address (IP/IPv6 address; Default: 0.0.0.0/0) | Addresses from which connections to the SNMP server are allowed |
authentication-password (string; Default: "") | Password used to authenticate the connection to the server (SNMPv3) |
authentication-protocol (MD5 | SHA1; Default: MD5) | The protocol used for authentication (SNMPv3) |
encryption-password (string; Default: "") | The password used for encryption (SNMPv3) |
encryption-protocol (DES | AES; Default: DES) | Encryption protocol used to encrypt the communication (SNMPv3). AES (see RFC 3826) is available since v6.16. |
name (string; Default: ) |
|
read-access (yes | no; Default: yes) | Whether read access is enabled for this community |
security (authorized | none | private; Default: none) |
|
write-access (yes | no; Default: no) | Whether write access is enabled for this community |
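An added example, not part of the original page or of RouterOS: a Python check that reads the /snmp community section of a configuration export and flags the weak settings this section warns about. The export text is a constructed sample, the defaults come from the Properties table, and reading security=authorized as authentication without encryption is an assumption, since the table leaves that description empty.

```python
import ipaddress
import shlex

# Defaults from the Properties table above. The table names the property
# "address", the command tree "addresses"; both spellings are accepted.
DEFAULTS = {"name": "", "addresses": "0.0.0.0/0", "security": "none",
            "read-access": "yes", "write-access": "no",
            "authentication-protocol": "MD5", "encryption-protocol": "DES"}

# Constructed sample in the shape of a RouterOS configuration export.
SAMPLE_EXPORT = """\
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
add addresses=0.0.0.0/0 name=ops write-access=yes
add addresses=192.0.2.10/32 authentication-protocol=SHA1 \\
    encryption-protocol=AES name=nms-v3 security=private
/snmp
set enabled=yes
"""

def parse_communities(export_text):
    """Return one property dict per community found in the export."""
    communities, in_menu = [], False
    # Long lines are wrapped with a trailing backslash; join them first.
    for line in export_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_menu = line == "/snmp community"
        elif in_menu and line.startswith(("add ", "set ")):
            props = dict(DEFAULTS)
            for token in shlex.split(line):
                key, sep, value = token.partition("=")
                if sep:
                    props["addresses" if key == "address" else key] = value
            if props.pop("default", "") == "yes" and not props["name"]:
                props["name"] = "public"  # default community named on this page
            communities.append(props)
    return communities

def audit(props):
    """Return the findings for one community (empty list: nothing flagged)."""
    findings = []
    nets = [ipaddress.ip_network(a, strict=False)
            for a in props["addresses"].split(",")]
    if any(n.prefixlen == 0 for n in nets):
        findings.append("reachable from any source address")
    if props["security"] == "none":
        findings.append("clear-text community string, no SNMPv3 security")
    elif props["security"] == "authorized":  # assumed: auth without encryption
        findings.append("authenticated but not encrypted")
    if props["security"] != "none" and props["authentication-protocol"] == "MD5":
        findings.append("MD5 authentication")
    if props["security"] == "private" and props["encryption-protocol"] == "DES":
        findings.append("DES encryption")
    if props["write-access"] == "yes":
        findings.append("write access enabled")
    return findings

def audit_export(export_text):
    return {c["name"]: audit(c) for c in parse_communities(export_text)}

if __name__ == "__main__":
    for name, found in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: {'; '.join(found) or 'ok'}")
```

Because an export leaves out properties that still have their default value, the check applies the defaults before judging a community, which is why the untouched public entry is flagged.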
Management information base (MIB)
The Management Information Base (MIB) is the database of information maintained by the agent that the manager can query. You can download the latest MikroTik RouterOS MIB file from here: www.mikrotik.com/downloads
Used MIBs in RouterOS:
- MIKROTIK-MIB
- MIB-2
- HOST-RESOURCES-MIB
- IF-MIB
- IP-MIB
- IP-FORWARD-MIB
- IPV6-MIB
- BRIDGE-MIB
- DHCP-SERVER-MIB
- CISCO-AAA-SESSION-MIB
- ENTITY-MIB
- UPS-MIB
- SQUID-MIB
Object identifiers (OID)
Each OID identifies a variable that can be read via SNMP. Although the MIB file contains all the needed OID values, you can also print individual OID information in the console with the print oid command at any menu level:
Code Block |
---|
|
[admin@MikroTik] /interface> print oid
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name=.1.3.6.1.2.1.2.2.1.2.1 mtu=.1.3.6.1.2.1.2.2.1.4.1
mac-address=.1.3.6.1.2.1.2.2.1.6.1 admin-status=.1.3.6.1.2.1.2.2.1.7.1
oper-status=.1.3.6.1.2.1.2.2.1.8.1 bytes-in=.1.3.6.1.2.1.2.2.1.10.1
packets-in=.1.3.6.1.2.1.2.2.1.11.1 discards-in=.1.3.6.1.2.1.2.2.1.13.1
errors-in=.1.3.6.1.2.1.2.2.1.14.1 bytes-out=.1.3.6.1.2.1.2.2.1.16.1
packets-out=.1.3.6.1.2.1.2.2.1.17.1 discards-out=.1.3.6.1.2.1.2.2.1.19.1
errors-out=.1.3.6.1.2.1.2.2.1.20.1 |
Traps
SNMP traps enable the router to notify the data collector of interface changes and SNMP service status changes. Traps can be sent with security features to support SNMPv1 (no security), SNMPv2 and variants, and SNMPv3 with encryption and authorization.
For SNMPv2 and v3 you have to set up an appropriately configured community as a trap-community to enable required features (password or encryption/authorization).
SNMP write
SNMP write allows changing router configuration with SNMP requests. Consider securing access to the router or to the router's SNMP when SNMP and write-access are enabled.
To change settings by SNMP requests, use the command below to allow SNMP to write for the selected community.
Code Block |
---|
|
/snmp community set <number> write-access=yes |
System Identity
It's possible to change the router's system identity with an SNMP set command.
Code Block |
---|
|
$ snmpset -c public -v 1 192.168.0.0 1.3.6.1.2.1.1.5.0 s New_Identity |
- snmpset - SNMP application used for SNMP SET requests to set information on a network entity;
- public - router's community name;
- 192.168.0.0 - IP address of the router;
- 1.3.6.1.2.1.1.5.0 - SNMP value for router's identity;
The snmpset command above is equal to the RouterOS command:
Code Block |
---|
|
/system identity set identity=New_Identity |
Reboot
It's possible to reboot the router with an SNMP set command. To do so, set the reboot SNMP setting to a value that is not equal to 0.
Code Block |
---|
|
$ snmpset -c public -v 1 192.168.0.0 1.3.6.1.4.1.14988.1.1.7.1.0 s 1 |
- 1.3.6.1.4.1.14988.1.1.7.1.0, SNMP value for the router reboot;
- s 1, snmpset command to set value, value should not be equal to 0;
Reboot SNMPset command is equal to the RouterOS command:
Run Script
SNMP write allows running scripts from the system script menu on the router by setting a value for the script's SNMP setting.
Code Block |
---|
|
$ snmpset -c public -v 1 192.168.0.0 1.3.6.1.4.1.14988.1.1.8.1.1.3.X s 1 |
- X, script number, numeration starts from 1;
- s 1, snmpset command to set value, the value should not be equal to 0;
The same command on RouterOS:
Code Block |
---|
|
/system script> print
Flags: I - invalid
0 name="test" owner="admin" policy=ftp,reboot,read,write,policy,
test,winbox,password,sniff last-started=jan/01/1970
01:31:57 run-count=23 source=:beep
/system script run 0 |
Running scripts with GET
It is possible to run /system scripts via an SNMP GET request of the script OID (since 6.37). For this to work, an SNMP community with write permission is required. OIDs for scripts can be retrieved via the snmpwalk command, as the table is dynamic.
Add script:
Code Block |
---|
|
/system script
add name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/sy reboot "
add name=script2 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="[:put output]" |
Get the script OID table:
Code Block |
---|
|
$ snmpwalk -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.8
iso.3.6.1.4.1.14988.1.1.8.1.1.2.1 = STRING: "script1"
iso.3.6.1.4.1.14988.1.1.8.1.1.2.2 = STRING: "script2"
iso.3.6.1.4.1.14988.1.1.8.1.1.3.1 = INTEGER: 0
iso.3.6.1.4.1.14988.1.1.8.1.1.3.2 = INTEGER: 0 |
To run the script, use table 18:
Code Block |
---|
|
$ snmpget -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
iso.3.6.1.4.1.14988.1.1.18.1.1.2.2 = STRING: "output" |
/snmp
SNMP settings
edit
Edit items
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'contact', 'value': 1}, {'key': 'enabled', 'value': 0}, {'key': 'engine-id', 'value': 3}, {'key': 'location', 'value': 2}, {'key': 'src-address', 'value': 4}, {'key': 'trap-community', 'value': 6}, {'key': 'trap-generators', 'value': 8}, {'key': 'trap-interfaces', 'value': 9}, {'key': 'trap-target', 'value': 5}, {'key': 'trap-version', 'value': 7}]}}]}}]}
...
Name of editable property
export
Print or save an export script that can be used to restore configuration
...
Type: switch
value: True
...
Only exports user-changed settings without defaults
...
Type: string
...
File name
Name of the file that will be stored in FTP access area.
...
Type: switch
value: True
...
Hides sensitive information like passwords from being printed
...
Type: switch
value: True
...
Creates export with output without line wraps
...
Type: switch
value: True
...
Creates output with all RouterOS settings (including the default ones)
get
Gets value of item's property
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'contact', 'value': 1}, {'key': 'enabled', 'value': 0}, {'key': 'engine-id', 'value': 3}, {'key': 'location', 'value': 2}, {'key': 'src-address', 'value': 4}, {'key': 'trap-community', 'value': 6}, {'key': 'trap-generators', 'value': 8}, {'key': 'trap-interfaces', 'value': 9}, {'key': 'trap-target', 'value': 5}, {'key': 'trap-version', 'value': 7}]}}]}}]}
...
Name of the value you want to get
print
Print values of item properties
...
Type: switch
value: True
...
Prints out output as value (used in scripting)
...
Type: switch
sysc: 3
value: True
...
Type: string
...
Print the content of the submenu into specific file
...
Displays information and refreshes it in selected time interval
...
Type: switch
value: True
...
Displays information in one piece
send-trap
...
Type: string
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'counter32', 'value': 65}, {'key': 'integer', 'value': 2}, {'key': 'ip-address', 'value': 64}, {'key': 'nullobj', 'value': 5}, {'key': 'obj-id', 'value': 6}, {'key': 'string', 'value': 4}, {'key': 'timeticks', 'value': 67}, {'key': 'unsigned', 'value': 71}]}}]}}]}
constant: True
...
Type: string
set
Change item properties
...
Type: string
...
Informative only settings for the NMS
...
Type: bool
...
Defines whether SNMP service is enabled or not
SNMP service is disabled by default
...
Type: string
...
Type: string
...
Informative only settings for the NMS
...
Type: alt
ip: ip_arg
ip6: ip6_arg
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'remote_mapping', 'sub': [{'key': 'path', 'value': '{34,1}'}]}}]}
...
Type: multi_arg
+arg: {'producer': 'enum_arg', 'sub': [{'key': '#mapping', 'value': {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'remote_mapping', 'sub': [{'key': 'path', 'value': '{34,2}'}]}}]}}, {'key': 'acc', 'value': {'producer': '"u0"', 'sub': []}}]}
switchIds: {4294967295}
...
Type: obj_arg
+arg: {'producer': 'enum_arg', 'sub': [{'key': '#mapping', 'value': {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'remote_mapping', 'sub': [{'key': 'path', 'value': '{20,0}'}]}}]}}, {'key': 'acc', 'value': {'producer': '"u19"', 'sub': []}}]}
...
Type: obj_arg
+arg: {'producer': 'alt_arg', 'sub': [{'key': '#arg', 'value': {'producer': '', 'sub': [{'key': 'ip', 'value': {'producer': 'ip_arg', 'sub': [{'key': 'acc', 'value': {'producer': '"be u10"', 'sub': []}}]}}, {'key': 'ipv6', 'value': {'producer': 'ip6_arg', 'sub': [{'key': 'acc', 'value': {'producer': '"ae"', 'sub': []}}, {'key': 'sysc', 'value': 0}]}}]}}]}
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': '1', 'value': 0}, {'key': '2', 'value': 1}, {'key': '3', 'value': 3}]}}]}}]}
constant: True
SNMP community management
add
Create a new item
...
Type: obj_arg
+arg: {'producer': 'alt_arg', 'sub': [{'key': '#arg', 'value': {'producer': '', 'sub': [{'key': 'ip', 'value': {'producer': 'ip_prefix_arg', 'sub': [{'key': 'acc1', 'value': {'producer': '"be u8"', 'sub': []}}, {'key': 'acc2', 'value': {'producer': '"be u9"', 'sub': []}}]}}, {'key': 'ipv6', 'value': {'producer': 'ip6_prefix_arg', 'sub': [{'key': 'acc1', 'value': {'producer': '"a16"', 'sub': []}}, {'key': 'acc2', 'value': {'producer': '"u17"', 'sub': []}}]}}]}}]}
...
Type: string
sensitive: True
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'MD5', 'value': 0}, {'key': 'SHA1', 'value': 1}]}}]}}]}
constant: True
...
Type: arg_node
noexport: True
...
ID of item to make a copy from
...
Type: string
sensitive: True
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'AES', 'value': 1}, {'key': 'DES', 'value': 0}]}}]}}]}
constant: True
...
Type: string
...
Community name
...
Type: bool
...
Enables or disables the read access for the community
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'authorized', 'value': 1}, {'key': 'none', 'value': 0}, {'key': 'private', 'value': 2}]}}]}}]}
constant: True
...
Type: bool
edit
Edit items
...
Type: arg_node
...
Item number
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'addresses', 'value': 1}, {'key': 'authentication-password', 'value': 7}, {'key': 'authentication-protocol', 'value': 5}, {'key': 'encryption-password', 'value': 8}, {'key': 'encryption-protocol', 'value': 6}, {'key': 'name', 'value': 0}, {'key': 'read-access', 'value': 3}, {'key': 'security', 'value': 2}, {'key': 'write-access', 'value': 4}]}}, {'key': 'help', 'value': {'producer': '', 'sub': [{'key': 0, 'value': 'Community name'}, {'key': 3, 'value': 'Enables or disables the read access for the community'}]}}]}}]}
...
Name of editable property
export
Print or save an export script that can be used to restore configuration
...
Type: switch
value: True
...
Only exports user-changed settings without defaults
...
Type: string
...
File name
Name of the file that will be stored in FTP access area.
...
Type: switch
value: True
...
Hides sensitive information like passwords from being printed
...
Type: switch
value: True
...
Creates export with output without line wraps
...
Type: switch
value: True
...
Creates output with all RouterOS settings (including the default ones)
find
Find items by value
...
Type: query_arg
query: True
...
Generates output depending on values supplied (used mainly for scripting)
get
Gets value of item's property
...
Type: arg_node
...
Item number
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'addresses', 'value': 1}, {'key': 'authentication-password', 'value': 7}, {'key': 'authentication-protocol', 'value': 5}, {'key': 'default', 'value': 17}, {'key': 'encryption-password', 'value': 8}, {'key': 'encryption-protocol', 'value': 6}, {'key': 'name', 'value': 0}, {'key': 'read-access', 'value': 3}, {'key': 'security', 'value': 2}, {'key': 'write-access', 'value': 4}]}}, {'key': 'help', 'value': {'producer': '', 'sub': [{'key': 0, 'value': 'Community name'}, {'key': 3, 'value': 'Enables or disables the read access for the community'}]}}]}}]}
...
Name of the value you want to get
print
Print values of item properties
...
Type: switch
value: True
...
Controls if print to file overwrites or appends to content of an existing file
...
Type: switch
interesting: False
value: True
...
Prints out output as value (used in scripting)
...
Type: switch
value: True
...
Displays brief description
...
Type: switch
value: True
...
Shows only the count of special login users
...
Type: switch
sysc: 3
value: True
...
Type: switch
value: True
...
Displays detailed information
...
Type: string
...
Print the content of the submenu into specific file
...
Type: switch
value: True
...
Updates output in real-time
...
Type: switch
value: True
...
Will output changes that have occurred after invoking command
...
Type: switch
value: True
...
¯_(ツ)_/¯ (Requires: Option.npk)
...
Type: arg_node
noexport: True
...
Print parameters only from specified item
...
Displays information and refreshes it in selected time interval
...
Type: obj_arg
+arg: {'producer': 'enum_arg', 'sub': [{'key': '#mapping', 'value': {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'addresses', 'value': 1}, {'key': 'authentication-password', 'value': 7}, {'key': 'authentication-protocol', 'value': 5}, {'key': 'default', 'value': 17}, {'key': 'encryption-password', 'value': 8}, {'key': 'encryption-protocol', 'value': 6}, {'key': 'name', 'value': 0}, {'key': 'read-access', 'value': 3}, {'key': 'security', 'value': 2}, {'key': 'write-access', 'value': 4}]}}, {'key': 'help', 'value': {'producer': '', 'sub': [{'key': 0, 'value': 'Community name'}, {'key': 3, 'value': 'Enables or disables the read access for the community'}]}}]}}]}}, {'key': 'acc', 'value': {'producer': '"ufd0007"', 'sub': []}}, {'key': 'hint', 'value': 'Name of the value you want to get'}, {'key': 'setUnsetAcc', 'value': {'producer': '"bfd0008"', 'sub': []}}]}
...
Names of properties
...
Type: switch
value: True
...
Prints static IDs for selected submenu (Requires: Option.npk)
...
Type: switch
interesting: False
value: True
...
Show details in compact and machine friendly format
...
Type: switch
interesting: False
value: True
...
Show properties one per line
...
Type: query_arg
query: True
...
Generates output depending on values supplied (used mainly for scripting)
...
Type: switch
value: True
...
Displays information in one piece
remove
Remove item
...
Type: arg_node
...
List of item numbers
set
Change item properties
...
Type: obj_arg
+arg: {'producer': 'alt_arg', 'sub': [{'key': '#arg', 'value': {'producer': '', 'sub': [{'key': 'ip', 'value': {'producer': 'ip_prefix_arg', 'sub': [{'key': 'acc1', 'value': {'producer': '"be u8"', 'sub': []}}, {'key': 'acc2', 'value': {'producer': '"be u9"', 'sub': []}}]}}, {'key': 'ipv6', 'value': {'producer': 'ip6_prefix_arg', 'sub': [{'key': 'acc1', 'value': {'producer': '"a16"', 'sub': []}}, {'key': 'acc2', 'value': {'producer': '"u17"', 'sub': []}}]}}]}}]}
...
Type: string
sensitive: True
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'MD5', 'value': 0}, {'key': 'SHA1', 'value': 1}]}}]}}]}
constant: True
...
Type: string
sensitive: True
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'AES', 'value': 1}, {'key': 'DES', 'value': 0}]}}]}}]}
constant: True
...
Type: string
...
Community name
...
Type: arg_node
...
List of item numbers
...
Type: bool
...
Enables or disables the read access for the community
...
Type: enum
#mapping: {'producer': '', 'sub': [{'key': '', 'value': {'producer': 'const_mapping', 'sub': [{'key': 'data', 'value': {'producer': '', 'sub': [{'key': 'authorized', 'value': 1}, {'key': 'none', 'value': 0}, {'key': 'private', 'value': 2}]}}]}}]}
constant: True
...