Need help securing your Ubiquiti routers? Configuring IPSEC links between locations? The extended guides for Ubiquiti EdgeRouter Hardening and IPSEC Site-to-Site VPNs are now available on the Solutions page.
SNMP is easy to configure on Ubiquiti devices with just a few commands. It runs on UDP port 161, and just like with Mikrotik or any other router brand it's used to monitor network interface statistics, CPU and RAM utilization, and more. Network monitoring suites like Solarwinds, PRTG, Zenoss, and others can use SNMP to graph statistics over time, giving you a running log of device performance.
By default SNMP isn't configured on EdgeOS-based Ubiquiti devices, though on many other platforms it is, with a default community string of "public". Right out of the box SNMP has a few attributes that you can configure, including a device's location, contact information, and description. This is great when you're onboarding new administrators, and helps keep everything straight.
First, set the location, contact, and description information for your device.
configure set service snmp location "Virginia, USA" set service snmp description "Office Edge Router" set service snmp contact "firstname.lastname@example.org"
There's all the basic device information in just a few commands. Next we need to configure an SNMP community. The SNMP community is just a string of text that an SNMP probe or collector will use to extract statistics from the device. Different communities can have different permissions allowing SNMP to read and write, view specific types of statistics, and more. The community string must match on the device(s) being monitored and the collector.
By default many manufacturers have the SNMP community set to "public", which is very well-known and should be modified immediately. SNMP can be a goldmine of information for an attacker doing reconnaissance, trying to fingerprint devices and identify vulnerabilities. Some compliance standards like PCI-DSS specifically call out having "public" SNMP communities configured as a compliance violation. The following command will create a new SNMP community "manitonetworks" and gives it Read-Only permissions.
set service snmp community manitonetworks set service snmp community manitonetworks authorization ro
With the device details configured and the new community string set it's possible to probe SNMP and get some basic statistics about the device once we configure the device to listen on a particular interface. The following command configures the device to listen on the interface configured for 192.168.1.1.
set service snmp listen-address 192.168.1.1
SNMP should only listen on trusted interfaces - if someone knows or guesses your community string they will have full access to the device's information and performance statistics. Best practice is to configure SNMP to listen on a physical management interface or VLAN subinterface.
Now commit and save the configuration changes. With the SNMP configuration complete you can add the device to your network monitoring software, add the community string, and that's it.