Problem Summary
A critical alert was triggered in the NMS dashboard reporting continuously high CPU (95–100%) on one access switch (Cisco Catalyst 2960X).
- Impact Scope: Only 1 switch affected initially
- Location: Floor 2, Building B
- NMS System: SolarWinds (but applies to any SNMP-based tool)
- Frequency: CPU spikes every 30 seconds
The NOC team suspected a misbehaving script or faulty hardware.
Symptoms Observed
- CLI access to the switch was delayed or intermittently frozen
- SNMP walk or polling took longer than usual
- End users reported slow or dropped pings to gateway connected to the switch
- Logs showed repeated CPU spikes, with the SNMP ENGINE process using the most resources:
Switch# show processes cpu sorted | include SNMP
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
125 543123 6123 88712 94.45% 90.12% 80.01% 0 SNMP ENGINE
- show snmp stats revealed heavy polling frequency
Root Cause Analysis
Upon reviewing the environment and switch configs, here’s what was discovered:
- Multiple NMS and monitoring tools were polling the same SNMP OIDs at short intervals (every 10 sec)
- Some legacy systems were using SNMPv2c, which lacks security and optimization
- SNMP was enabled globally on all VLANs unnecessarily
- No SNMP view or access list applied, meaning any internal tool could over-query the device
- The switch model had limited CPU power, so excessive SNMP requests overloaded it
Root Cause: Excessive SNMP polling from multiple tools, no access control or rate limiting on SNMP queries
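An added example, not part of the original article: a Python script that groups observed SNMP requests into poll cycles per source and flags sources that are outside the trusted list or that poll more often than every 5 minutes. The log format (seconds, source IP), the host 192.168.100.57 and the 2-second burst gap are assumptions; the trusted hosts are the two NMS addresses this article permits in its fix.

```python
from collections import defaultdict
from statistics import median

TRUSTED = {"192.168.100.10", "192.168.100.11"}  # hosts permitted by the article's ACL 10
MIN_INTERVAL = 300   # seconds: lower bound of the article's 5-10 minute recommendation
BURST_GAP = 2.0      # assumption: requests closer than this belong to one poll cycle

def make_sample(duration=1800, per_cycle=20):
    """Constructed log of (seconds, source_ip), one entry per SNMP request."""
    pollers = [("192.168.100.10", 300, 0),   # (source, period in s, start offset)
               ("192.168.100.11", 10, 5),
               ("192.168.100.57", 30, 3)]    # hypothetical legacy tool, not in ACL 10
    log = [(start + i * 0.1, src)
           for src, period, offset in pollers
           for start in range(offset, duration, period)
           for i in range(per_cycle)]
    return sorted(log)

def analyse(log, trusted=TRUSTED, min_interval=MIN_INTERVAL):
    """Group each source's requests into poll cycles and flag aggressive pollers."""
    by_src = defaultdict(list)
    for ts, src in log:
        by_src[src].append(ts)
    report = {}
    for src, times in by_src.items():
        times.sort()
        # A new cycle starts whenever the gap to the previous request exceeds BURST_GAP.
        starts = [times[0]] + [b for a, b in zip(times, times[1:]) if b - a > BURST_GAP]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        interval = median(gaps) if gaps else None
        issues = []
        if src not in trusted:
            issues.append("source not in ACL")
        if interval is not None and interval < min_interval:
            issues.append(f"polls every {interval:g}s")
        report[src] = {"requests": len(times), "cycles": len(starts),
                       "interval": interval, "issues": issues}
    return report

if __name__ == "__main__":
    for src, row in sorted(analyse(make_sample()).items()):
        print(src, row)
```

Counting poll cycles rather than raw packets matters because one poll of a device is a burst of many requests, so the gap between individual packets says nothing about the configured interval.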
The Fix
Step-by-Step Fix:
- Limit SNMP Access to Trusted Hosts Only
access-list 10 permit 192.168.100.10
access-list 10 permit 192.168.100.11
snmp-server community MONITORING-RO RO 10
- Define SNMP Views to Restrict Unnecessary OIDs
snmp-server view LIMITED iso included
snmp-server view LIMITED system excluded
snmp-server community MONITORING-RO view LIMITED RO 10
- Reduce Polling Frequency in NMS
- Set polling interval to 5–10 minutes instead of 10–30 seconds
- Migrate to SNMPv3 for Performance and Security
snmp-server group MONITOR-V3 v3 priv read LIMITED
snmp-server user admin MONITOR-V3 v3 auth sha MySecret priv aes 128 MyEncrypt
- Optional: Disable SNMP temporarily to bring CPU down
no snmp-server
- Reload or clear process (if needed) after change
clear snmp-server statistics
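An added example (not from the original article or from Cisco): a Python audit that checks a saved IOS config for the controls in the steps above, namely an ACL and a view on every community and priv on every SNMPv3 group. The function name audit_snmp and the BEFORE, STEP1 and AFTER sample configs are constructed for illustration from the commands shown in this article.

```python
import re

# Constructed configs: BEFORE is an unrestricted community as in the root cause,
# STEP1 applies only the article's first fix, AFTER combines the article's fix steps.
BEFORE = "snmp-server community MONITORING-RO RO\n"
STEP1 = ("access-list 10 permit 192.168.100.10\n"
         "access-list 10 permit 192.168.100.11\n"
         "snmp-server community MONITORING-RO RO 10\n")
AFTER = ("access-list 10 permit 192.168.100.10\n"
         "access-list 10 permit 192.168.100.11\n"
         "snmp-server view LIMITED iso included\n"
         "snmp-server view LIMITED system excluded\n"
         "snmp-server community MONITORING-RO view LIMITED RO 10\n"
         "snmp-server group MONITOR-V3 v3 priv read LIMITED\n")

def audit_snmp(config):
    """Return a list of findings about SNMP access control in an IOS config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls = {m.group(1) for ln in lines
            if (m := re.match(r"(?:ip )?access-list (?:standard )?(\S+)", ln))}
    views = {m.group(1) for ln in lines
             if (m := re.match(r"snmp-server view (\S+)", ln))}
    findings = []
    for ln in lines:
        tok = ln.split()
        if tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            name, opts = tok[2], tok[3:]
            view = opts[opts.index("view") + 1] if "view" in opts[:-1] else None
            rest = [t for t in opts if t not in ("view", view)]
            acl = next((t for t in rest if t.upper() not in ("RO", "RW")), None)
            if any(t.upper() == "RW" for t in rest):
                findings.append(f"{name}: read-write community")
            if acl is None:
                findings.append(f"{name}: no ACL, source hosts are not restricted")
            elif acl not in acls:
                findings.append(f"{name}: ACL {acl} is not defined in this config")
            if view is None:
                findings.append(f"{name}: no view applied to limit readable OIDs")
            elif view not in views:
                findings.append(f"{name}: view {view} is not defined in this config")
        elif tok[:2] == ["snmp-server", "group"] and len(tok) >= 4:
            if tok[3:5] != ["v3", "priv"]:
                findings.append(f"group {tok[2]}: not SNMPv3 with priv")
    return findings
```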
EVE-NG Lab Topology

- Configure periodic SNMP queries using snmpwalk or tools like LibreNMS/PRTG
- Simulate CPU overload using aggressive polling intervals
Verification
CLI Checks:
show processes cpu sorted
show snmp stats
show snmp engine
show memory statistics
SNMP Logs:
debug snmp packets
Tools:
- Use snmpwalk or snmpget to simulate traffic
- Monitor with CPU graph in NMS
Expected Result After Fix:
- CPU usage drops below 30–40%
- SNMP queries processed without lag
- Users stop reporting slowness
Key Takeaways
- SNMP is powerful but must be controlled
- Excessive polling can mimic a DoS attack on access switches
- Use ACLs and SNMP views to limit scope
- Always prefer SNMPv3 over v1/v2c for security and control
- Poll only what you need, not the entire MIB
- Avoid enabling SNMP globally on all VLANs or interfaces
Best Practices / Design Tips
- Always apply SNMP ACLs
- Use SNMP views to restrict access to essential OIDs
- Centralize SNMP polling tools – avoid duplication
- Configure device thresholds in NMS to avoid polling storm
- Use SNMPv3 for all modern deployments
- Avoid SNMP polling on low-end switches for detailed stats
- Disable SNMP on interfaces where it’s not needed
- Enable logging for SNMP packets for audit
- Review show processes cpu weekly in production
- Simulate SNMP behavior in labs before pushing to prod
FAQs
1. What causes high CPU usage on Cisco switches related to SNMP?
Answer: Continuous or aggressive SNMP polling, especially on devices with limited CPU, can cause the SNMP ENGINE process to spike, degrading switch performance.
2. What is the default SNMP polling interval in most NMS tools?
Answer: Usually 5 minutes, but many tools allow customization. In this case, it was set to 10 seconds, which is too aggressive.
3. Is SNMPv2c less secure than SNMPv3?
Answer: Yes. SNMPv2c uses community strings (clear-text), while SNMPv3 supports encryption and authentication (SHA, AES).
4. How to safely disable SNMP without breaking monitoring?
Answer: First verify which tools use SNMP. Then, apply ACLs and SNMP views gradually before disabling or modifying access.
5. Can SNMP polling crash a switch?
Answer: It rarely causes a crash but can lead to high CPU usage, interface flaps, CLI lag, and even loss of control over the device.
6. How to limit what SNMP can read from a switch?
Answer: Use SNMP views to define included or excluded OIDs.
7. What tools can simulate SNMP load?
Answer: Tools like snmpwalk, snmpbulkwalk, PRTG flood simulations, and NMS test scripts can be used.
8. What SNMP versions are supported on Cisco Catalyst switches?
Answer: SNMPv1, SNMPv2c, and SNMPv3 are all supported on most IOS-based switches.
9. Can I use SNMP with VLAN ACLs?
Answer: Yes. You can restrict SNMP to specific VLANs and apply access-lists to management interfaces.
10. What process shows high CPU if SNMP is causing the issue?
Answer: The process will appear as “SNMP ENGINE” in the output of show processes cpu.
11. How to monitor SNMP process usage over time?
Answer: Use tools like Netdata, SolarWinds, or simply track show proc cpu via scripts and log deltas.
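An added example, not part of the original article: a Python parser for rows of show processes cpu that turns the Runtime(ms) delta between two snapshots into the share of CPU time the SNMP ENGINE process used in that interval. The first snapshot row is the one shown in this article; the other two rows, the 30-second spacing and the 50% alert threshold are constructed assumptions.

```python
import re

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+\d+\s+\d+\s+([\d.]+)%\s+([\d.]+)%"
                 r"\s+([\d.]+)%\s+\d+\s+(.+?)\s*$")

# (seconds, CLI output). The first row is the article's; the other two are constructed.
SNAPSHOTS = [
    (0,  "125 543123 6123 88712 94.45% 90.12% 80.01% 0 SNMP ENGINE"),
    (30, "125 571323 6441 88701 93.80% 90.40% 80.90% 0 SNMP ENGINE"),
    (60, "125 572223 6452 88690  3.10% 48.20% 77.30% 0 SNMP ENGINE"),
]

def parse_rows(output):
    """Map process name -> counters for each data row of 'show processes cpu'."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:  # header and prompt lines do not match and are skipped
            pid, runtime, s5, m1, m5, name = m.groups()
            rows[name] = {"pid": int(pid), "runtime_ms": int(runtime),
                          "5sec": float(s5), "1min": float(m1), "5min": float(m5)}
    return rows

def track(snapshots, process="SNMP ENGINE", threshold=50.0):
    """Turn Runtime(ms) deltas between snapshots into a CPU share per interval."""
    records, prev = [], None
    for ts, output in snapshots:
        row = parse_rows(output).get(process)
        if row is None:
            continue
        # Skip the delta when the counter went backwards (for example after a reload).
        if prev is not None and row["runtime_ms"] >= prev[1] and ts > prev[0]:
            busy = 100.0 * (row["runtime_ms"] - prev[1]) / ((ts - prev[0]) * 1000)
            records.append({"ts": ts, "busy_pct": round(busy, 1),
                            "alert": busy >= threshold})
        prev = (ts, row["runtime_ms"])
    return records

if __name__ == "__main__":
    for record in track(SNAPSHOTS):
        print(record)
```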
12. What ports does SNMP use?
Answer:
- SNMP queries: UDP 161
- SNMP traps: UDP 162
13. Does SNMPv3 need usernames and passwords?
Answer: Yes. SNMPv3 requires a username, authentication method (e.g., SHA), and privacy protocol (e.g., AES).
14. Can SNMPv3 reduce CPU load?
Answer: Slightly. But the biggest benefit is security and access control, which indirectly reduces unwanted polling.
15. How to test if SNMP settings are correct?
Answer: Use:
snmpwalk -v2c -c community-string <device-IP>
or
snmpget -v3 -u username -a sha -A authpass -x aes -X privpass <device-IP> <OID>
Final Note
Understanding how to diagnose and resolve high CPU on an access switch caused by excessive SNMP polling is critical for anyone pursuing CCNP Enterprise (ENCOR) certification or working in enterprise network roles. Use this guide in your practice labs, real-world projects, and interviews to show a solid grasp of architectural planning and CLI-level configuration skills.