SNMP
This chapter provides information to configure SNMP.
Topics in this chapter include:
SNMP Overview
SNMP Architecture
The Service Assurance Manager (SAM) consists of two elements: managers and agents. The manager is the entity through which network management tasks are facilitated. An agent is a software module integrated into the operating system of the managed device that communicates with the network manager. Managed devices, such as bridges, hubs, routers, and network servers can contain managed objects. A managed object can be a configuration attribute, performance statistic, or control action that is directly related to the operation of a device.
Managed devices collect and store management information and use Simple Network Management Protocol (SNMP). SNMP is an application-layer protocol that provides a message format to facilitate communication between SNMP managers and agents. SNMP provides a standard framework to monitor and manage devices in a network from a central location.
An SNMP manager controls and monitors the activities of network hosts that use SNMP. An SNMP manager can obtain (get) a value from an SNMP agent or store (set) a value in the agent. The manager uses definitions in the management information base (MIB) to perform operations on the managed device such as retrieving values from variables or blocks of data, replying to requests, and processing traps.
Between the SNMP agent and the SNMP manager, the following actions can occur.
The manager can get information from the agent.
The manager can set the value of a MIB object that is controlled by an agent.
The agent can send traps to notify the manager of significant events that occur on the managed device (for example, the 7705 SAR router).
SNMP is supported on network hosts using the IPv4 and IPv6 protocols.
Management Information Base
A MIB is a formal specifications document with definitions of management information used to remotely monitor, configure, and control a managed device or network system. The agent’s management information consists of a set of network objects that can be managed with SNMP. Object identifiers are unique object names that are organized in a hierarchical tree structure. The main branches are defined by the Internet Engineering Task Force (IETF). When requested, the Internet Assigned Numbers Authority (IANA) assigns a unique branch for use by a private organization or company. The branch assigned to the 7705 SAR is 1.3.6.1.4.1.6527.
The SNMP agent provides management information to support a collection of IETF specified MIBs and a number of MIBs defined to manage device parameters and network data unique to the 7705 SAR.
SNMP Versions
The agent supports multiple versions of the SNMP protocol.
SNMP Version 1 (SNMPv1) is the original Internet-standard network management framework.
SNMPv1 provides access control for communities and uses a community string match for authentication.
SNMPv2c uses a community string match for authentication.
SNMP Version 3 (SNMPv3) provides access control for users. In SNMPv3, User-based Security Model (USM) defines the user authentication and encryption features. The View Access Control MIB (VACM) defines the user access control features. The SNMP-COMMUNITY-MIB is used to associate SNMPv1/SNMPv2c community strings with SNMPv3 VACM access control.
SNMPv3 uses a username match for authentication.
Management Information Access Control
By default, the 7705 SAR implementation of SNMP uses SNMPv3. SNMPv3 incorporates security model and security level features. A security model is the authentication type for the group and the security level is the permitted level of security within a security model. The combination of the security level and security model determines which security mechanism handles an SNMP packet.
To implement SNMPv1 and SNMPv2c configurations, several access groups are predefined. These access groups are standard read-only, read-write, and read-write-all access groups and views that can simply be assigned community strings. In order to implement SNMP with security features, security models, security levels, and USM communities must be explicitly configured. Optionally, additional views that specify more specific OIDs (MIB objects in the subtree) can be configured.
Access to the management information in an SNMPv1/SNMPv2c agent is controlled by the inclusion of a community name string in the SNMP request. The community defines the subset of the agent’s managed objects that can be accessed by the requester. It also defines what type of access is allowed: read-only or read-write.
Community strings provide only minimal security and context checking for both agents and managers that receive requests and initiate trap operations. A community string is a text string that acts like a password to permit access to the agent on the 7705 SAR router; it is carried in cleartext in every SNMPv1 and SNMPv2c message.
The 7705 SAR implementation of SNMP has defined three levels of community-named access:
read-only permission — grants only read access to objects in the MIB, except security objects
read-write permission — grants read and write access to all objects in the MIB, except security objects
read-write-all permission — grants read and write access to all objects in the MIB, including security objects
User-Based Security Model Community Strings
User-based security model (USM) community strings associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group.
Views
Views control the access to a managed object. The total MIB of a 7705 SAR router can be viewed as a hierarchical tree. When a view is created, either the entire tree or a portion of the tree can be specified and made available to a user to manage the objects contained in the subtree. Object identifiers (OIDs) uniquely identify managed objects. A view is then assigned to an access group for a type of operation: read, write, or notify.
OIDs are organized in a hierarchical tree with specific values assigned to different organizations. A view defines a subset of the agent’s managed objects controlled by the access rules associated with that view.
Predefined views are available that are particularly useful when configuring SNMPv1 and SNMPv2c.
The SNMP agent associates SNMPv1 and SNMPv2c community strings with an SNMPv3 view.
Access Groups
Access groups associate a user group and a security model with the views the group can access. An access group is defined by a unique combination of a group name, security model (SNMPv1, SNMPv2c, or SNMPv3/USM), and security level (no-authentication-no-privacy, authentication-no-privacy, or privacy).
An access group is a template that defines a combination of access privileges and views. A group can be associated with one or more network users to control their access privileges and views.
Additional access parameters must be explicitly configured if the preconfigured access groups and views for SNMPv1 and SNMPv2c do not meet the security requirements.
Users
By default, authentication and encryption parameters are not configured. Authentication parameters that a user must use in order to be validated by the 7705 SAR can be modified. SNMP authentication allows the device to validate the managing node that issued the SNMP message and determine if the message has been tampered with.
User access and authentication privileges must be explicitly configured. In a user configuration, a user is associated with an access group, which is a collection of users who have common access privileges and views.
SNMP Versions
SNMPv1 and SNMPv2c do not provide security, authentication, or encryption. Without authentication, an unauthorized user could perform SNMP network management functions and eavesdrop on management information as it passes from system to system. For that reason many SNMPv1 and SNMPv2c deployments are restricted to read-only access, which in turn limits the network monitor to observation, since network control applications cannot be supported over read-only access.
To implement SNMPv3, an authentication and encryption method must be assigned to a user in order to be validated by the 7705 SAR. SNMP authentication allows the router to validate the managing node that issued the SNMP message and determine if the message was tampered with.
SNMPv3 Authentication and Privacy Protocols
The following SNMPv3 authentication protocols are supported:
- HMAC-MD5-96
- HMAC-SHA-96
- HMAC-SHA-224
- HMAC-SHA-256
- HMAC-SHA-384
- HMAC-SHA-512
The following SNMPv3 privacy protocols are supported:
- CBC-DES
- CFB128-AES-128
- CFB128-AES-192
- CFB128-AES-256
Configuration Notes
This section describes SNMP configuration guidelines and caveats:
- To prevent management systems from attempting to manage a partially booted system, SNMP remains in a shutdown state if the configuration file fails to complete during system startup. While shut down, SNMP gets and sets are not processed; notifications are still issued if an SNMP trap group has been configured. In order to enable SNMP, the portions of the configuration that failed to load must be initialized properly, then SNMP is started with the config>system>snmp>no shutdown command.
- Use caution when changing the SNMP engine ID. If the SNMP engine ID is changed in the config>system>snmp>engineID engine-id context, the current configuration must be saved and a reboot must be executed. If the configuration is not saved and the system is not rebooted, the previously configured SNMP communities and logger trap-target notify communities will not be valid for the new engine ID.
Configuring SNMP with CLI
This section provides information about configuring SNMP with CLI.
Topics in this chapter include:
SNMP Configuration Overview
This section describes how to configure SNMP components that apply to SNMPv1, SNMPv2c, and SNMPv3 on the 7705 SAR.
Configuring SNMPv1 and SNMPv2c
The 7705 SAR router is based on SNMPv3. To use 7705 SAR routers with SNMPv1 or SNMPv2c, SNMP community strings must be configured. Three predefined access methods are available when SNMPv1 or SNMPv2c access is required. Each access method (r, rw, or rwa) is associated with an SNMPv3 access group that determines the access privileges and the scope of managed objects available. The community command is used to associate a community string with a specific access method and the required SNMP version (SNMPv1 or SNMPv2c). The access methods are:
read-only — grants read-only access to the entire management structure with the exception of the security area
read-write — grants read and write access to the entire management structure with the exception of the security area
read-write-all — grants read and write access to the entire management structure, including security
If the predefined access groups do not meet your access requirements, then additional access groups and views can be configured. The usm-community command is used to associate an access group with an SNMPv1 or SNMPv2c community string.
SNMP trap destinations are configured in the config>log>snmp-trap-group context.
Configuring SNMPv3
The 7705 SAR implements SNMPv3. If security features other than the default views are required, the following parameters must be configured:
- views
- access groups
- SNMP users
Basic SNMP Security Configuration
This section provides information to configure SNMP parameters and provides examples of common configuration tasks. The minimal SNMP parameters are:
For SNMPv1 and SNMPv2c, configure community string parameters.
For SNMPv3:
- Configure view parameters
- Configure SNMP group
- Configure access parameters
- Configure user with SNMP parameters
The following displays SNMP default views, access groups, and attempts parameters.
ALU-1>config>system>security>snmp# info detail
----------------------------------------------
        view iso subtree 1
            mask ff type included
        exit
        view "mgmt-view" subtree 1.3.6.1.2.1.2
            mask ff type excluded
        exit
        view "mgmt-view" subtree 1.3.6.1.2.1.4
            mask ff type included
        exit
        view no-security subtree 1.3.6.1.6.3.11.2.1
            mask ff type included
        exit
        view no-security subtree 1.3.6.1.6.3.15.1.1
            mask ff type included
        exit
        access group snmp-ro security-model snmpv1 security-level no-auth-no-privacy read no-security notify no-security
        access group snmp-ro security-model snmpv2c security-level no-auth-no-privacy read no-security notify no-security
        access group snmp-rw security-model snmpv1 security-level no-auth-no-privacy read no-security write no-security notify no-security
        access group snmp-rw security-model snmpv2c security-level no-auth-no-privacy read no-security write no-security notify no-security
        access group snmp-rwa security-model snmpv1 security-level no-auth-no-privacy read iso write iso notify iso
        access group snmp-trap security-model snmpv1 security-level no-auth-no-privacy notify iso
        access group snmp-trap security-model snmpv2c security-level no-auth-no-privacy notify iso
        attempts 20 time 5 lockout 10
Configuring SNMP Components
Use the CLI syntax displayed below to configure the following SNMP scenarios:
- CLI Syntax:
    config>system>security>snmp
        access group group-name security-model security-model security-level security-level [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]
        attempts [count] [time minutes1] [lockout minutes2]
        community community-string [hash | hash2] access-permissions [version SNMP-version]
        usm-community community-string [hash | hash2] group group-name
        view view-name subtree oid-value
            mask mask-value [type {included | excluded}]
Configuring a Community String
SNMPv1 and SNMPv2c community strings are used to define the relationship between an SNMP manager and agent. The community string acts like a password to allow access to the agent. The access granted with a community string is restricted to the scope of the configured group.
One or more of the following characteristics associated with the string can be specified:
read-only, read-write, and read-write-all permission for the MIB objects accessible to the community
assignment of a unique community string to the management router or management VPLS
the SNMP version: SNMPv1, SNMPv2c, or both
Default access features are preconfigured by the agent for SNMPv1 and SNMPv2c.
Use the following CLI syntax to configure community options:
- CLI Syntax:
    config>system>security>snmp
        community community-string [hash | hash2] access-permissions [version SNMP-version]
The following example displays community string command usage:
- Example:
    config>system>security# snmp
    config>system>security>snmp# community private hash2 rwa version both
    config>system>security>snmp# community public hash2 r version v2c
The following example displays the SNMP community configuration:
ALU-1>config>system>security>snmp# info
-------------------------------------------------------
community "uTdc9j48PBRkxn5DcSjchk" hash2 rwa version both
community "Lla.RtAyRW2" hash2 r version v2c
-------------------------------------------------------
ALU-1>config>system>security>snmp#
Configuring View Options
Use the following CLI syntax to configure view options:
- CLI Syntax:
    config>system>security>snmp
        view view-name subtree oid-value
            mask mask-value [type {included | excluded}]
The following example displays view command usage:
- Example:
    config>system>security>snmp# view testview subtree 1
    config>system>security>snmp>view$ mask ff type included
    config>system>security>snmp>view$ exit
    config>system>security>snmp# view testview subtree 1.3.6.1.2
    config>system>security>snmp>view$ mask ff type excluded
    config>system>security>snmp>view$ exit
The following example displays the view configuration:
ALU-1>config>system>security>snmp# info
----------------------------------------------
        view "testview" subtree 1
            mask ff
        exit
        view "testview" subtree 1.3.6.1.2
            mask ff type excluded
        exit
        community "private" rwa version both
        community "public" r version v2c
----------------------------------------------
ALU-1>config>system>security>snmp#
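What a view such as "testview" actually admits follows from the RFC 3415 view-tree family rules that views and masks implement: each subtree entry carries a mask with one bit per sub-identifier (a 1 bit means that position must match, a 0 bit makes it a wildcard, and positions beyond the mask's length count as 1), an OID can match several entries of the same view, and the entry with the longest subtree wins, with the lexicographically greater subtree breaking ties. The Python below is an added example, not code from this guide or from the 7705 SAR. It evaluates OIDs against the "testview" configured above (subtree 1 included, 1.3.6.1.2 excluded), against the two "mgmt-view" entries listed in the default info detail output earlier in this chapter, and, going beyond the all-ones "ff" masks this chapter uses, against a constructed view whose mask wildcards the column sub-identifier so that only one interface row is visible. The sample OIDs are constructed; that "type included" is the default when no type is shown is inferred from the info output above; and writing a two-octet mask as plain hex ("ffa0") is an assumption about the mask command's accepted form.

```python
from typing import NamedTuple


class Family(NamedTuple):
    """One 'view <name> subtree <oid>' entry with its mask and type."""
    subtree: str
    mask: str = "ff"        # hex, as typed in the CLI
    included: bool = True   # type included (assumed default) or type excluded


def parse_oid(oid: str) -> tuple:
    return tuple(int(x) for x in oid.strip(".").split("."))


def mask_bits(mask_hex: str, length: int) -> list:
    """Expand the hex mask to one bit per sub-identifier of the subtree.
    RFC 3415: positions the mask does not cover are treated as 1 (must match)."""
    bits = []
    for byte in bytes.fromhex(mask_hex):
        bits.extend((byte >> (7 - i)) & 1 for i in range(8))
    bits = bits[:length]
    return bits + [1] * (length - len(bits))


def family_matches(family: Family, oid: tuple) -> bool:
    """The OID is under the family subtree when every masked-in position agrees."""
    sub = parse_oid(family.subtree)
    if len(oid) < len(sub):
        return False
    bits = mask_bits(family.mask, len(sub))
    return all(bit == 0 or o == s for o, bit, s in zip(oid, bits, sub))


def in_view(view: list, oid: str) -> bool:
    """True if the OID is accessible through the view; False if excluded or unmatched."""
    target = parse_oid(oid)
    matches = [f for f in view if family_matches(f, target)]
    if not matches:
        return False
    # RFC 3415 selection: longest subtree wins, ties go to the lexicographically greater one.
    best = max(matches, key=lambda f: (len(parse_oid(f.subtree)), parse_oid(f.subtree)))
    return best.included


# "testview" as configured above: the whole tree minus the 1.3.6.1.2 (mib-2) branch.
TESTVIEW = [Family("1"), Family("1.3.6.1.2", included=False)]

# The two "mgmt-view" entries from the default info detail output in this chapter.
MGMT_VIEW = [Family("1.3.6.1.2.1.2", included=False), Family("1.3.6.1.2.1.4")]

# Constructed view: any column of ifEntry for ifIndex 3 only (1.3.6.1.2.1.2.2.1.<col>.3).
# Mask bits for the 11 sub-identifiers: 11111111 101, padded to 10100000 -> "ffa0",
# so sub-identifier 10 (the column) is a wildcard and sub-identifier 11 must be 3.
ONE_INTERFACE = [Family("1.3.6.1.2.1.2.2.1.0.3", mask="ffa0")]

if __name__ == "__main__":
    checks = [
        (TESTVIEW, "1.3.6.1.2.1.1.1.0"),            # sysDescr.0: both entries match, longer (excluded) wins
        (TESTVIEW, "1.3.6.1.4.1.6527.3.1.2.1.1.1"),  # constructed OID under the 7705 SAR enterprise branch
        (MGMT_VIEW, "1.3.6.1.2.1.4.20.1.1.10.0.0.1"),  # ipAddrTable row: included branch
        (MGMT_VIEW, "1.3.6.1.2.1.2.2.1.1.1"),        # ifIndex.1: excluded branch
        (MGMT_VIEW, "1.3.6.1.2.1.1.1.0"),            # sysDescr.0: no entry matches at all
        (ONE_INTERFACE, "1.3.6.1.2.1.2.2.1.2.3"),    # ifDescr.3: column wildcarded, index matches
        (ONE_INTERFACE, "1.3.6.1.2.1.2.2.1.2.4"),    # ifDescr.4: index differs
    ]
    for view, oid in checks:
        print(f"{oid:32s} -> {'accessible' if in_view(view, oid) else 'not in view'}")
```

The sysDescr.0 case is the one to remember when auditing a view: an OID that sits under an included subtree is still invisible if a longer excluded subtree also covers it, and an OID under no entry at all is simply absent rather than denied, so a read-only view built only from excluded entries grants nothing.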
Configuring Access Options
The access command creates an association between a user group, a security model, and the views that the user group can access. Access must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2c. An access group is defined by a unique combination of the group name, security model, and security level.
Use the following CLI syntax to configure access features:
- CLI Syntax:
    config>system>security>snmp
        access group group-name security-model security-model security-level security-level [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]
The following example displays access command usage:
- Example:
    ALU-1>config>system>security>snmp# access group testgroup security-model usm security-level auth-no-privacy read testview write testview notify testview
The following example displays the access configuration with the view configurations.
ALU-1>config>system>security>snmp# info
----------------------------------------------
        view "testview" subtree 1
            mask ff
        exit
        view "testview" subtree 1.3.6.1.2
            mask ff type excluded
        exit
        access group "testgroup" security-model usm security-level auth-no-privacy read "testview" write "testview" notify "testview"
        community "public" r version both
----------------------------------------------
Use the following CLI syntax to configure user group and authentication parameters:
- CLI Syntax:
    config>system>security
        user user-name
            access [ftp] [snmp] [console]
            snmp
                authentication none
                authentication authentication-protocol authentication-key [privacy none] [hash | hash2]
                authentication authentication-protocol authentication-key privacy privacy-protocol privacy-key [hash | hash2]
                no authentication
                group group-name
The following example displays user security command usage:
- Example:
    config>system>security# user testuser
    config>system>security>user$ access snmp
    config>system>security>user# snmp
    config>system>security>user>snmp# authentication hash hmac-md5-96 e14672e71d3e96e7a1e19472527ee969 privacy none
    config>system>security>user>snmp# group testgroup
    config>system>security>user>snmp# exit
    config>system>security>user# exit
The following example displays the user’s SNMP configuration.
ALU-1>config>system>security# info
----------------------------------------------
        user "testuser"
            access snmp
            snmp
                authentication hash hmac-md5-96 e14672e71d3e96e7a1e19472527ee969 privacy none
                group testgroup
            exit
        exit
...
----------------------------------------------
ALU-1>config>system>security#
Configuring USM Community Options
User-based security model (USM) community strings associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group.
By default, the 7705 SAR implementation of SNMP uses SNMPv3. To implement SNMPv1 and SNMPv2c, USM community strings must be explicitly configured.
Use the following CLI syntax to configure USM community options:
- CLI Syntax:
    config>system>security>snmp
        usm-community community-string [hash | hash2] group group-name
The following example displays USM community string command usage. The group "testgroup" was configured in the config>system>security>snmp>access CLI context.
- Example:
    config>system>security>snmp# usm-community "test" hash2 group "testgroup"
The following example displays the SNMP community configuration:
ALU-1>config>system>security>snmp# info
----------------------------------------------
        view testview subtree 1
            mask ff
        exit
        view testview subtree 1.3.6.1.2
            mask ff type excluded
        exit
        access group testgroup security-model usm security-level auth-no-privacy read testview write testview notify testview
        community "private" hash2 rwa version both
        community "public" hash r version v2c
        usm-community "test" group "testgroup"
----------------------------------------------
ALU-1>config>system>security>snmp#
Configuring Other SNMP Parameters
Use the following CLI syntax to modify the system SNMP options:
- CLI Syntax:
    config>system>snmp
        engineID engine-id
        general-port port
        packet-size bytes
        no shutdown
The following example displays the system SNMP default values:
ALU-104>config>system>snmp# info detail
----------------------------------------------
        shutdown
        engineID "0000xxxx000000000xxxxx00"
        packet-size 1500
        general-port 161
----------------------------------------------
ALU-104>config>system>snmp#
SNMP Command Reference
Command Hierarchies
Configuration Commands
SNMP System Commands
config
- system
- snmp
- engineID engine-id
- no engineID
- general-port port
- no general-port
- packet-size bytes
- no packet-size
- [no] shutdown
- streaming
- [no] shutdown
SNMP Security Commands
config
- system
- security
- snmp
- access group group-name security-model security-model security-level security-level [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]
- no access group group-name [security-model security-model] [security-level security-level] [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]
- attempts [count] [time minutes1] [lockout minutes2]
- no attempts
- community community-string [hash | hash2] access-permissions [version SNMP-version]
- no community community-string [hash | hash2]
- usm-community community-string [hash | hash2] group group-name
- no usm-community community-string [hash | hash2]
- view view-name subtree oid-value
- no view view-name [subtree oid-value]
- mask mask-value [type {included | excluded}]
- no mask
The following commands configure user-specific SNMP features. See the Security Command Reference section for CLI syntax and command descriptions.
config
- system
- security
- [no] user user-name
- [no] snmp
- authentication none
- authentication authentication-protocol authentication-key [privacy none] [hash | hash2]
- authentication authentication-protocol authentication-key privacy privacy-protocol privacy-key [hash | hash2]
- no authentication
- group group-name
- [no] group
Show Commands
show
- snmp
- counters
- streaming
- counters
- system
- information
- security
- access-group [group-name]
- communities
- user [user-id] [detail]
- view [view-name] [capabilities] [detail]
Command Descriptions
Configuration Commands
SNMP System Commands
snmp
Syntax
snmp
Context
config>system
Description
This command enables the context to configure SNMP parameters.
engineID
Syntax
[no] engineID engine-id
Context
config>system>snmp
Description
This command sets the SNMP engine ID to uniquely identify the SNMPv3 node. By default, the engine ID is generated using information from the system backplane.
If the SNMP engine ID is changed in the config>system>snmp>engineID engine-id context, the current configuration must be saved and a reboot must be executed. If the configuration is not saved and the system is not rebooted, the previously configured SNMP communities and logger trap-destination notify communities will not be valid for the new engine ID.
This command could be used, for example, when a chassis is replaced. Use the engine ID of the first system and configure it in the new system to preserve SNMPv3 security keys. This allows management stations to use their existing authentication keys for the new system.
Ensure that the engine IDs are not used on multiple systems. A management domain can only have one instance of each engine ID.
The no form of the command reverts to the default setting.
Default
the engine ID is system-generated
Parameters
- engine-id
an identifier from 10 to 64 hexadecimal digits (5 to 32 octet number), uniquely identifying this SNMPv3 node. This string is used to access this node from a remote host with SNMPv3.
general-port
Syntax
general-port port-number
no general-port
Context
config>system>snmp
Description
This command configures the port number used by this node to receive SNMP request messages and to send replies. SNMP notifications generated by the agent are sent from the port specified in the config>log>snmp-trap-group>trap-target command.
The no form of the command reverts to the default value.
Default
161
Parameters
- port-number
the port number used to send SNMP traffic other than traps
packet-size
Syntax
packet-size bytes
no packet-size
Context
config>system>snmp
Description
This command configures the maximum SNMP packet size generated by this node. If the packet size exceeds the MTU size of the egress interface, the packet will be fragmented.
The no form of the command reverts to the default value.
Default
1500 bytes
Parameters
- bytes
the SNMP packet size in bytes
shutdown
Syntax
[no] shutdown
Context
config>system>snmp
Description
This command administratively disables SNMP agent operations. System management can then only be performed using the CLI. Shutting down SNMP does not remove or change configuration parameters other than the administrative state. This command does not prevent the agent from sending SNMP notifications to any configured SNMP trap destinations. SNMP trap destinations are configured under the config>log>snmp-trap-group context.
This command is automatically invoked in the event of a reboot when the processing of the configuration file fails to complete or when an SNMP persistent index file fails while the bof persist on command is enabled.
The no form of the command administratively enables SNMP.
Default
no shutdown
streaming
Syntax
streaming
Context
config>system>snmp
Description
This command enables the proprietary SNMP request/response bundling and TCP-based transport mechanism for optimizing network management of the router nodes. In higher-latency networks, synchronizing router MIBs from network management via streaming takes less time than synchronizing via classic SNMP UDP requests. Streaming operates on TCP port 1491 and runs over IPv4 or IPv6.
shutdown
Syntax
[no] shutdown
Context
config>system>snmp>streaming
Description
This command administratively disables the proprietary SNMP request/response bundling and TCP-based transport mechanism for optimizing network management of the router nodes.
The no form of the command administratively re-enables SNMP request/response bundling and the TCP-based transport mechanism.
Default
shutdown
SNMP Security Commands
snmp
Syntax
snmp
Context
config>system>security
Description
This command enables the context to configure SNMPv1, SNMPv2c, and SNMPv3 parameters
access group
Syntax
[no] access group group-name security-model {snmpv1 | snmpv2c | usm} security-level {no-auth-no-privacy | auth-no-privacy | privacy} [context context-name [prefix-match {exact | prefix}]] [read view-name-1] [write view-name-2] [notify view-name-3]
Context
config>system>security>snmp
Description
This command creates an association between a user group, a security model, and the views that the user group can access. Access parameters must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2c. An access group is defined by a unique combination of the group name, security model, and security level.
Access must be configured unless security is limited to SNMPv1/SNMPv2c with community strings (see community).
Default access group configurations cannot be modified or deleted.
To remove the user group with associated security models and security levels, use the command no access group group-name.
To remove a security model and security level combination from a group, use the command no access group group-name security-model {snmpv1 | snmpv2c | usm} security-level {no-auth-no-privacy | auth-no-privacy | privacy}.
Default
n/a
Parameters
- group-name
specifies a unique group name up to 32 characters
- security-model {snmpv1 | snmpv2c | usm}
specifies the security model required to access the views configured in this node. A group can have multiple security models. For example, one view may only require SNMPv1/ SNMPv2c access while another view may require USM (SNMPv3) access rights.
- security-level {no-auth-no-privacy | auth-no-privacy | privacy}
specifies the required authentication and privacy levels to access the views configured in this node
- security-level no-auth-no-privacy
specifies that no authentication and no privacy (encryption) is required. When configuring the user’s authentication, select the none option.
- security-level auth-no-privacy
specifies that authentication is required but privacy (encryption) is not required. When this option is configured, both the group and the user must be configured for authentication.
- security-level privacy
specifies that both authentication and privacy (encryption) is required. When this option is configured, both the group and the user must be configured for authentication. The user must also be configured for privacy.
- context-name
specifies a set of SNMP objects that are associated with the context-name. The context name is treated as either a full context name string or a context name prefix depending on the keyword specified (exact or prefix).
- prefix-match
specifies the context-name prefix-match keywords, exact or prefix
- read view-name-1
specifies the keyword and variable of the view to read the MIB objects. This command must be configured for each view to which the group has read access.
- write view-name-2
specifies the keyword and variable of the view to configure the contents of the agent. This command must be configured for each view to which the group has write access.
- notify view-name-3
specifies the keyword and variable of the view to send a trap about MIB objects. This command must be configured for each view to which the group has notify access.
attempts
Syntax
attempts [count] [time minutes1] [lockout minutes2]
no attempts
Context
config>system>security>snmp
Description
This command configures a threshold value for the number of unsuccessful SNMP connection attempts allowed in a specified time frame. The command parameters are used to counter denial of service (DoS) and credential-guessing attacks through SNMP.
If the threshold is exceeded, the host is locked out for the lockout time period.
If multiple attempts commands are entered, each command overwrites the previously entered command.
The no form of the command resets the parameters to the default values.
Default
attempts 20 time 5 lockout 10
Parameters
- count
the number of unsuccessful SNMP attempts allowed for the specified time
- time minutes1
the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the host is locked out
- lockout minutes2
the lockout period, in minutes, during which the host is not allowed to log in. When the host exceeds the attempted count times in the specified time, then that host is locked out from any further login attempts for the configured time period.
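The three parameters together describe a per-host window: count failures within time minutes lock that host out for lockout minutes. The Python below is an added example, not the agent's implementation, that models the behaviour with the default attempts 20 time 5 lockout 10 and with constructed failure timings: a burst of twenty failures within five minutes triggers lockout on the twentieth, the same twenty failures spaced 75 seconds apart never do, and the lockout expires on its own. Whether the agent counts over a sliding or a fixed window, and exactly which events it counts as unsuccessful attempts (a wrong community string, a failed USM authentication), is not stated on this page and is an assumption of the model.

```python
from collections import defaultdict, deque


class AttemptsGuard:
    """Model of 'attempts [count] [time minutes1] [lockout minutes2]'.
    Assumption: a per-host sliding window; the page does not state the window type."""

    def __init__(self, count: int = 20, time: int = 5, lockout: int = 10):
        self.count = count
        self.window = time * 60       # seconds
        self.lockout = lockout * 60   # seconds
        self._failures = defaultdict(deque)   # host -> timestamps of recent failures
        self._locked_until = {}               # host -> time at which the lockout ends

    def is_locked(self, host: str, now: float) -> bool:
        until = self._locked_until.get(host)
        if until is None:
            return False
        if now >= until:              # lockout expired: the host starts clean again
            del self._locked_until[host]
            self._failures[host].clear()
            return False
        return True

    def record_failure(self, host: str, now: float) -> bool:
        """Register one unsuccessful SNMP attempt; return True if the host is now locked out."""
        if self.is_locked(host, now):
            return True
        recent = self._failures[host]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.count:
            self._locked_until[host] = now + self.lockout
            recent.clear()
            return True
        return False


def simulate(guard: AttemptsGuard, host: str, timestamps: list) -> list:
    """Feed constructed failure timestamps; return the lockout verdict after each one."""
    return [guard.record_failure(host, t) for t in timestamps]


# Constructed timings in seconds: 20 failures within 19 s, and 20 failures 75 s apart.
BURST = [float(t) for t in range(20)]
SLOW = [75.0 * i for i in range(20)]

if __name__ == "__main__":
    g = AttemptsGuard()
    verdicts = simulate(g, "192.0.2.10", BURST)
    print("burst: locked out after attempt", verdicts.index(True) + 1)
    print("still locked 599 s later:", g.is_locked("192.0.2.10", 19 + 599))
    print("locked 600 s later:", g.is_locked("192.0.2.10", 19 + 600))
    print("slow attacker ever locked out:", any(simulate(AttemptsGuard(), "192.0.2.11", SLOW)))
```

The slow case is the practical limit of this control: a guesser that keeps under count failures per time window is never locked out, so the attempts threshold bounds the rate of guessing rather than preventing it, and SNMPv1/SNMPv2c community strings exposed to untrusted networks still need filtering at the network edge and strong, non-default values.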
community
Syntax
community community-string [hash | hash2] access-permissions [version SNMP-version]
no community community-string [hash | hash2]
Context
config>system>security>snmp
Description
This command creates SNMP community strings for SNMPv1 and SNMPv2c access. This command is used in combination with the predefined access groups and views. To create custom access groups and views and associate them with SNMPv1 or SNMPv2c access, use the usm-community command.
When configured, community implies a security model for SNMPv1 and SNMPv2c only.
For SNMPv3 security, configure the user's authentication and privacy parameters in the config>system>security>user>snmp context instead.
The no form of the command removes a community string.
Default
n/a
Parameters
- community-string
configures the SNMPv1/SNMPv2c community string
- hash | hash2
configures the hashing scheme for the community string
- access-permissions
defines the access permissions
- version
specifies the SNMP version
usm-community
Syntax
usm-community community-string [hash | hash2] group group-name
no usm-community community-string [hash | hash2]
Context
config>system>security>snmp
Description
This command is used to associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group.
The 7705 SAR implementation of SNMP uses SNMPv3. In order to implement SNMPv1 and SNMPv2c configurations, several access groups are predefined. In order to implement SNMP with security features (version 3), security models, security levels, and USM communities must be explicitly configured. Optionally, additional views that specify more specific OIDs (MIB objects in the subtree) can be configured.
The no form of this command removes a community string.
Default
n/a
Parameters
- community-string
configures the SNMPv1/SNMPv2c community string to determine the SNMPv3 access permissions to be used
- hash1 | hash2
configures the hashing scheme for the community string
- group
specifies the group that governs the access rights of this community string. This group must be configured first in the config>system>security>snmp>access group context.
- group-name
specifies the group name
view
Syntax
view view-name subtree oid-value
no view view-name [subtree oid-value]
Context
config>system>security>snmp
Description
This command configures a view. Views control the accessibility of a MIB object within the configured MIB view and subtree. Object identifiers (OIDs) uniquely identify MIB objects in the subtree. OIDs are organized hierarchically with specific values assigned by different organizations.
When the subtree (OID) is identified, a mask can be created to select the portions of the subtree to be included or excluded for access using this particular view. See the mask command. The views configured with this command can subsequently be used in read, write, and notify commands that are used to assign specific access group permissions to created views and assigned to particular access groups.
Multiple subtrees can be added or removed from a view name to tailor a view to the requirements of the user access group.
The no view view-name command removes a view and all subtrees.
The no view view-name subtree oid-value command removes a sub-tree from the view name.
Default
no views are defined
Parameters
- view-name
the 1 to 32 character view name
- oid-value
the object identifier (OID) value for the view-name. This value, for example, 1.3.6.1.6.3.11.2.1, combined with the mask and include and exclude statements, configures the access available in the view.
It is possible to have a view with different subtrees, each with its own mask and include and exclude statements. This allows you to customize visibility and write capabilities for specific user requirements.
mask
Syntax
mask mask-value [type {included | excluded}]
no mask
Context
config>system>security>snmp>view view-name
Description
The mask value and the mask type, along with the oid-value configured in the view command, determines the access of each sub-identifier of an object identifier (MIB subtree) in the view.
Each bit in the mask corresponds to a sub-identifier position; for example, the most significant bit for the first sub-identifier, the next most significant bit for the second sub-identifier, and so on. A sub-identifier whose mask bit is set to 1 must match the configured OID exactly; the view type then determines whether the matching objects are included in or excluded from the view.
For example, the MIB subtree that represents MIB-II is 1.3.6.1.2.1. The mask that catches all MIB-II is 0xfc or 0b11111100.
Only a single mask may be configured per view and OID value combination. If more than one entry is configured, each subsequent entry overwrites the previous entry.
Per RFC 2575, View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), each MIB view is defined by two sets of view subtrees: the included view subtrees and the excluded view subtrees. Every view subtree, both the included and the excluded ones, is defined in this table. To determine if a particular object instance is in a particular MIB view, compare the object instance's object identifier (OID) with each of the MIB view's active entries in this table. If none match, then the object instance is not in the MIB view. If one or more match, then the object instance is included in, or excluded from, the MIB view according to the value of vacmViewTreeFamilyType in the entry whose value of vacmViewTreeFamilySubtree has the most sub-identifiers.
The no form of this command removes the mask from the configuration.
Default
no mask
Parameters
- mask-value
the mask value associated with the OID value determines whether the sub-identifiers are included or excluded from the view
The mask can be entered in either:
hexadecimal format (for example, 0xfc)
binary format (for example, 0b11111100)
Note: If the number of bits in the bit mask is less than the number of sub-identifiers in the MIB subtree, then the mask is extended with ones until the mask length matches the number of sub-identifiers in the MIB subtree.
- type {included | excluded}
specifies whether to include or exclude MIB subtree objects
included - all MIB subtree objects that are identified with a 1 in the mask are available in the view
excluded - all MIB subtree objects that are identified with a 1 in the mask are denied access in the view
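As an added worked example (not Nokia 7705 SAR code), the matching rule described for the view and mask commands, implemented in Python: a mask bit of 1 forces an exact sub-identifier match, a short mask is extended with ones, and the longest matching subtree decides. It uses the no-security view shown later in the show system security view output, plus a constructed single-interface view with a wildcard mask (the OIDs 1.3.6.1.2.1.2.2.1.x are the standard ifTable columns; the view name and mask are assumptions).

```python
"""VACM view-subtree matching per RFC 2575 (vacmViewTreeFamilyTable).

Added example, not 7705 SAR code. Masks follow the convention above:
the most significant bit covers the first sub-identifier.
"""
from dataclasses import dataclass
from typing import List, Optional

INCLUDED, EXCLUDED = "included", "excluded"


def parse_oid(oid: str) -> List[int]:
    return [int(x) for x in oid.strip(".").split(".")]


def parse_mask(mask: str, n_subids: int) -> List[bool]:
    """Turn '0xfc' or '0b11111100' into one flag per sub-identifier.

    A mask shorter than the subtree is extended with ones (exact match);
    extra bits beyond the subtree length are ignored, as in RFC 2575.
    """
    if mask.startswith("0x"):
        bits = bin(int(mask, 16))[2:].zfill((len(mask) - 2) * 4)
    elif mask.startswith("0b"):
        bits = mask[2:]
    else:
        raise ValueError("mask must be given as 0x... or 0b...")
    flags = [b == "1" for b in bits]
    if len(flags) < n_subids:
        flags += [True] * (n_subids - len(flags))
    return flags[:n_subids]


@dataclass
class ViewEntry:
    subtree: str
    kind: str          # INCLUDED or EXCLUDED (the mask 'type')
    mask: str = ""     # "" means 'no mask', i.e. all ones


def entry_matches(entry: ViewEntry, instance: List[int]) -> bool:
    """True if the instance OID falls under this entry's subtree/mask."""
    subtree = parse_oid(entry.subtree)
    if len(instance) < len(subtree):
        return False
    flags = (parse_mask(entry.mask, len(subtree)) if entry.mask
             else [True] * len(subtree))
    # A 0 bit is a wildcard: that sub-identifier is not compared.
    return all(not f or s == i for f, s, i in zip(flags, subtree, instance))


def in_view(view: List[ViewEntry], oid: str) -> bool:
    """Apply the RFC 2575 rule: the matching entry with the most
    sub-identifiers decides whether the object instance is visible."""
    instance = parse_oid(oid)
    best: Optional[ViewEntry] = None
    for entry in view:
        if entry_matches(entry, instance) and (
                best is None
                or len(parse_oid(entry.subtree)) > len(parse_oid(best.subtree))):
            best = entry
    return best is not None and best.kind == INCLUDED


# The predefined no-security view, as listed by 'show system security view'.
NO_SECURITY = [
    ViewEntry("1", INCLUDED),
    ViewEntry("1.3.6.1.6.3", EXCLUDED),            # SNMPv3 framework MIBs
    ViewEntry("1.3.6.1.6.3.10.2.1", INCLUDED),     # snmpEngine group
    ViewEntry("1.3.6.1.6.3.11.2.1", INCLUDED),     # snmpMPDStats
    ViewEntry("1.3.6.1.6.3.15.1.1", INCLUDED),     # usmStats
]

# Constructed view: every ifTable column, but only the row with ifIndex 3.
# Subtree 1.3.6.1.2.1.2.2.1.<column>.3 has 11 sub-identifiers; bit 10
# (the column) is a wildcard, so the mask is 0b11111111101 == 0xffa0.
ONE_INTERFACE = [ViewEntry("1.3.6.1.2.1.2.2.1.1.3", INCLUDED, "0xffa0")]
```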
Show Commands
counters
Syntax
counters
Context
show>snmp
Description
This command displays SNMP counter information. SNMP counters continue to increase even when SNMP is shut down, because some internal modules communicate using SNMP packets.
Output
The following output is an example of SNMP counters information, and SNMP Counters Field Descriptions describes the fields.
Output Example
A:ALU-1# show snmp counters
==============================================================================
SNMP counters:
==============================================================================
in packets : 463
------------------------------------------------------------------------------
in gets : 93
in getnexts : 0
in sets : 370
out packets: 463
------------------------------------------------------------------------------
out get responses : 463
out traps : 0
variables requested: 33
variables set : 497
==============================================================================
A:ALU-1#
| Label | Description |
|---|---|
| in packets | The total number of messages delivered to SNMP from the transport service |
| in gets | The number of SNMP get request PDUs accepted and processed by SNMP |
| in getnexts | The number of SNMP get next PDUs accepted and processed by SNMP |
| in sets | The number of SNMP set request PDUs accepted and processed by SNMP |
| out packets | The total number of SNMP messages passed from SNMP to the transport service |
| out get responses | The number of SNMP get response PDUs generated by SNMP |
| out traps | The number of SNMP Trap PDUs generated by SNMP |
| variables requested | The number of MIB objects requested by SNMP |
| variables set | The number of MIB objects set by SNMP as the result of receiving valid SNMP set request PDUs |
streaming
Syntax
streaming
Context
show>snmp
Description
This command enables the context to display streaming counters information.
counters
Syntax
counters
Context
show>snmp>streaming
Description
This command displays counters information for the proprietary SNMP streaming protocol.
Output
The following output is an example of SNMP streaming counters information, and SNMP Streaming Counters Field Descriptions describes the fields.
Output Example
*A:custDoc sar8# show snmp streaming counters
==============================================================================
STREAMING counters:
==============================================================================
in getTables : 722
in getManys : 26
------------------------------------------------------------------------------
out responses : 848
==============================================================================
| Label | Description |
|---|---|
| in getTables | Displays the number of GetTable request packets received |
| in getManys | Displays the number of GetMany request packets received |
| out responses | Displays the number of response packets sent |
information
Syntax
information
Context
show>system
Description
This command lists the SNMP configuration and statistics.
Output
The following output is an example of system information, and System Information Field Descriptions describes the fields.
Output Example
A:7705:Dut-A# show system information
===============================================================================
System Information
===============================================================================
System Name : A:7705:Dut-A
System Type : 7705 SAR-8 v2
Chassis Topology : Standalone
System Version : B-0.0.I323
Crypto Module Version :
CPM: SARCM 3.0 DP: SARDCM 1.0
System Contact : Fred Information Technology
System Location : Bldg.1-floor 2-Room 201
System Coordinates : N 85 58 23, W 34 56 12
System Active Slot : A
System Up Time : 1 days, 02:03:17.62 (hr:min:sec)
SNMP Port : 161
SNMP Engine ID : 0000197f00006883ff000000
SNMP Engine Boots : 58
SNMP Max Message Size : 1500
SNMP Admin State : Enabled
SNMP Oper State : Enabled
SNMP Index Boot Status : Not Persistent
SNMP Sync State : OK
Tel/Tel6/SSH/FTP Admin : Enabled/Disabled/Enabled/Disabled
Tel/Tel6/SSH/FTP Oper : Up/Down/Up/Down
BOF Source : cf3:
Image Source : primary
Config Source : primary
Last Booted Config File: cf3:/config.cfg
Last Boot Cfg Version : FRI APR 20 16:24:27 2007 UTC
Last Boot Config Header: # TiMOS-B-5.0.R3 both/hops NOKIA 7705 SAR #
Copyright (c) 2016 Nokia. All rights
reserved. # All use subject to applicable license
agreements. # Built on Wed Feb 13 19:45:00 EST 2016 by
builder in /rel5.0/R3/panos/main # Generated TUE
MAR 11 16:24:27 2016 UTC
Last Boot Index Version: N/A
Last Boot Index Header : # TiMOS-B-5.0.R3 both/hops NOKIA 7705 SAR #
Copyright (c) 2016 Nokia. All rights
reserved. # All use subject to applicable license
agreements. # Built on Wed Feb 13 19:45:00 EST 2016 by
builder in /rel5.0/R3/panos/main # Generated TUE
MAR 11 16:24:27 2016 UTC
Last Saved Config : N/A
Time Last Saved : N/A
Changes Since Last Save: Yes
User Last Modified : admin
Time Last Modified : 2016/03/19 10:03:09
Max Cfg/BOF Backup Rev : 5
Cfg-OK Script : N/A
Cfg-OK Script Status : not used
Cfg-Fail Script : N/A
Cfg-Fail Script Status : not used
Microwave S/W Package : invalid
Management IP Addr : 192.168.xxx.xxx/24
Primary DNS Server : 192.168.xxx.xxx
Secondary DNS Server : N/A
Tertiary DNS Server : N/A
DNS Domain : domain.com
DNS Resolve Preference : ipv4-only
BOF Static Routes :
To Next Hop
192.xxx.0.0/16 192.xxx.1.1
ATM Location ID : 01:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
ATM OAM Retry Up : 2
ATM OAM Retry Down : 4
ATM OAM Loopback Period : 10
ICMP Vendor Enhancement: Disabled
Eth QinQ Untagged SAP : False
===============================================================================
A:7705:Dut-A#
| Label | Description |
|---|---|
| System Name | The configured system name |
| System Type | The 7705 SAR chassis model |
| Chassis Topology | The chassis setup – always Standalone |
| System Version | The version of the installed software load |
| Crypto Module Version | The cryptographic module in the release |
| System Contact | A text string that describes the system contact information |
| System Location | A text string that describes the system location |
| System Coordinates | A text string that describes the system coordinates |
| System Active Slot | The active CSM slot |
| System Up Time | The time since the last boot |
| SNMP Port | The port number used by this node to receive SNMP request messages and to send replies |
| SNMP Engine ID | The SNMP engine ID to uniquely identify the SNMPv3 node |
| SNMP Engine Boots | The number of times that the SNMP engine has booted |
| SNMP Max Message Size | The maximum SNMP packet size generated by this node |
| SNMP Admin State | Enabled — SNMP is administratively enabled and running; Disabled — SNMP is administratively shut down and not running |
| SNMP Oper State | Enabled — SNMP is operationally enabled; Disabled — SNMP is operationally disabled |
| SNMP Index Boot Status | Persistent — system indexes are saved between reboots; Not Persistent — system indexes are not saved between reboots |
| Tel/Tel6/SSH/FTP Admin | The administrative state of the Telnet, Telnet IPv6, SSH, and FTP sessions |
| Tel/Tel6/SSH/FTP Oper | The operational state of the Telnet, Telnet IPv6, SSH, and FTP sessions |
| BOF Source | The location of the BOF |
| Image Source | Primary — indicates that the directory location for the runtime image file was loaded from the primary source; Secondary — indicates that it was loaded from the secondary source; Tertiary — indicates that it was loaded from the tertiary source |
| Config Source | Primary — indicates that the directory location for the configuration file was loaded from the primary source; Secondary — indicates that it was loaded from the secondary source; Tertiary — indicates that it was loaded from the tertiary source |
| Last Booted Config File | The URL and filename of the last loaded configuration file |
| Last Boot Cfg Version | The date and time of the last boot |
| Last Boot Config Header | The header information, such as image version, date built, and date generated |
| Last Boot Index Version | The version of the persistence index file read when this CSM card was last rebooted |
| Last Boot Index Header | The header of the persistence index file read when this CSM card was last rebooted |
| Last Saved Config | The location and filename of the last saved configuration file |
| Time Last Saved | The date and time the configuration file was last saved |
| Changes Since Last Save | Yes — there are unsaved configuration file changes; No — there are no unsaved configuration file changes |
| User Last Modified | The username of the user who last modified the configuration file |
| Time Last Modified | The date and time of the last modification |
| Max Cfg/BOF Backup Rev | The maximum number of backup revisions maintained for a configuration file. This value also applies to the number of revisions maintained for the BOF file. |
| Cfg-OK Script | URL — the location and name of the CLI script file executed following successful completion of the boot-up configuration file execution; N/A — no CLI script file is executed |
| Cfg-OK Script Status | Successful/Failed — the results from the execution of the CLI script file specified in the Cfg-OK Script location; Not used — no CLI script file was executed |
| Cfg-Fail Script | URL — the location and name of the CLI script file executed following a failed boot-up configuration file execution; Not used — no CLI script file was executed |
| Cfg-Fail Script Status | Successful/Failed — the results from the execution of the CLI script file specified in the Cfg-Fail Script location; Not used — no CLI script file was executed |
| Microwave S/W Package | N/A |
| Management IP Addr | The management IP address and mask |
| Primary DNS Server | The IP address of the primary DNS server |
| Secondary DNS Server | The IP address of the secondary DNS server |
| Tertiary DNS Server | The IP address of the tertiary DNS server |
| DNS Domain | The DNS domain name of the node |
| DNS Resolve Preference | N/A |
| BOF Static Routes | To — the static route destination; Next Hop — the next hop IP address used to reach the destination; Metric — the priority of this static route versus other static routes; None — no static routes are configured |
| ATM Location ID | For ATM OAM loopbacks — the address of the network device referenced in the loopback request |
| ATM OAM Retry Up | N/A |
| ATM OAM Retry Down | N/A |
| ATM OAM Loopback Period | N/A |
| ICMP Vendor Enhancement | Enabled — inserts a one-way timestamp in outbound SAA ICMP ping packets; Disabled — one-way timestamping is not performed on outbound SAA ICMP ping packets |
| Eth QinQ untagged SAP | True: QinQ untagged SAPs are enabled; False: QinQ untagged SAPs are disabled |
access-group
Syntax
access-group [group-name]
Context
show>system>security
Description
This command displays access group information.
Parameters
- group-name
the access group name
Output
The following output is an example of access group information, and System Access Group Field Descriptions describes the fields.
Output Example
A:ALU-1# show system security access-group
===============================================================================
Access Groups
===============================================================================
group name security security read write notify
model level view view view
-------------------------------------------------------------------------------
snmp-ro snmpv1 none no-security no-security
snmp-ro snmpv2c none no-security no-security
snmp-rw snmpv1 none no-security no-security no-security
snmp-rw snmpv2c none no-security no-security no-security
snmp-rwa snmpv1 none iso iso iso
snmp-rwa snmpv2c none iso iso iso
snmp-trap snmpv1 none iso
snmp-trap snmpv2c none iso
-------------------------------------------------------------------------------
No. of Access Groups: 8
===============================================================================
A:ALU-1#
A:ALU-1# show system security access-group snmp-ro
===============================================================================
Access Groups
===============================================================================
group name security security read write notify
model level view view view
-------------------------------------------------------------------------------
snmp-ro snmpv1 none no-security no-security
-------------------------------------------------------------------------------
No. of Access Groups: 1
...
===============================================================================
A:ALU-1#
| Label | Description |
|---|---|
| Group name | The access group name |
| Security model | The security model required to access the views configured in this node |
| Security level | The required authentication and privacy levels to access the views configured in this node |
| Read view | The view to read the MIB objects |
| Write view | The view to configure the contents of the agent |
| Notify view | The view to send a trap about MIB objects |
| No. of access groups | The total number of configured access groups |
communities
Syntax
communities
Context
show>system>security
Description
This command lists SNMP communities and characteristics.
Output
The following output is an example of communities information, and Communities Field Descriptions describes the fields.
Output Example
A:ALU-1# show system security communities
=============================================================================
Communities
=============================================================================
community access view version group name
-----------------------------------------------------------------------------
private rw iso v1 v2c snmp-rwa
cli-readonly r iso v2c cli-readonly
cli-readwrite rw iso v2c cli-readwrite
-----------------------------------------------------------------------------
No. of Communities: 3
=============================================================================
A:ALU-1#
| Label | Description |
|---|---|
| Community | The community string name for SNMPv1 and SNMPv2c access only |
| Access | r: the community string allows read-only access to all objects in the MIB except security objects; rw: the community string allows read-write access to all objects in the MIB except security objects; rwa: the community string allows read-write access to all objects in the MIB including security objects; mgmt: the unique SNMP community string assigned to the management router |
| View | The view name |
| Version | The SNMP version |
| Group Name | The access group name |
| No of Communities | The total number of configured community strings |
user
Syntax
user [user-id] [detail]
Context
show>system>security
Description
This command displays user information.
Parameters
- user-id
the name of the user
- detail
displays all information associated with the specified user
Output
The following output is an example of user information, and User Field Descriptions describes the fields.
Output Example
A:ALU-1# show system security user
===============================================================================
Users
===============================================================================
user id New User Permissions Password Login Failed Local
Pwd console ftp snmp Expires Attempts Logins Conf
-------------------------------------------------------------------------------
admin n y n n never 2 0 y
testuser n n n y never 0 0 y
-------------------------------------------------------------------------------
Number of users : 2
===============================================================================
A:ALU-1#
| Label | Description |
|---|---|
| User ID | The name of a system user |
| Need New PWD | Yes: the user must change their password at the next login; No: the user is not forced to change their password at the next login |
| User Permissions | Console: specifies whether the user is permitted console/Telnet access; FTP: specifies whether the user is permitted FTP access; SNMP: specifies whether the user is permitted SNMP access |
| Password expires | The date on which the current password expires |
| Attempted logins | The number of times the user has attempted to log in, irrespective of whether the login succeeded or failed |
| Failed logins | The number of unsuccessful login attempts |
| Local Conf. | Y: password authentication is based on the local password database; N: password authentication is not based on the local password database |
view
Syntax
view [view-name] [detail | capabilities]
Context
show>system>security
Description
This command lists one or all views and permissions in the MIB-OID tree.
Parameters
- view-name
the name of the view
- detail
displays all groups associated with the view
- capabilities
displays all views, including excluded MIB-OID trees from unsupported features
Output
The following output is an example of system security view information, and System Security View Field Descriptions describes the fields.
Output Example
A:ALU-1# show system security view
===============================================================================
Views
===============================================================================
view name oid tree mask permission
-------------------------------------------------------------------------------
iso 1 included
no-security 1 included
no-security 1.3.6.1.6.3 excluded
no-security 1.3.6.1.6.3.10.2.1 included
no-security 1.3.6.1.6.3.11.2.1 included
no-security 1.3.6.1.6.3.15.1.1 included
-------------------------------------------------------------------------------
No. of Views: 6
===============================================================================
A:ALU-1# show system security view no-security detail
===============================================================================
Views
===============================================================================
view name oid tree mask permission
-------------------------------------------------------------------------------
no-security 1 included
no-security 1.3.6.1.6.3 excluded
no-security 1.3.6.1.6.3.10.2.1 included
no-security 1.3.6.1.6.3.11.2.1 included
no-security 1.3.6.1.6.3.15.1.1 included
-------------------------------------------------------------------------------
No. of Views: 5
===============================================================================
=======================================
no-security used in
=======================================
group name
---------------------------------------
snmp-ro
snmp-rw
=======================================
A:ALU-1#
A:ATMIMA1>config# show system security view capabilities
===============================================================================
Views
===============================================================================
view name oid tree mask permission
-------------------------------------------------------------------------------
iso 1 included
iso 1.0.8802 no-support
iso 1.3.6.1.3.37 no-support
iso 1.3.6.1.3.92 no-support
iso 1.3.6.1.3.95 no-support
iso 1.3.6.1.2.1.14 no-support
iso 1.3.6.1.2.1.15 no-support
iso 1.3.6.1.2.1.23 no-support
iso 1.3.6.1.2.1.51 no-support
iso 1.3.6.1.2.1.68 no-support
iso 1.3.6.1.2.1.85 no-support
iso 1.3.6.1.2.1.100 no-support
iso 1.3.6.1.2.1.4.39 no-support
iso 1.3.6.1.2.1.5.20 no-support
===============================================================================
A:ALU-1#
| Label | Description |
|---|---|
| View name | The name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree. |
| OID tree | The Object Identifier (OID) value. OIDs uniquely identify MIB objects in the subtree. |
| Mask | The mask value and the mask type, along with the oid-value configured in the view command, determine the access of each sub-identifier of an object identifier (MIB subtree) in the view |
| Permission | Included: specifies to include MIB subtree objects; Excluded: specifies to exclude MIB subtree objects; No-support: specifies not to support MIB subtree objects |
| No. of Views | The total number of configured views |
| Group name | The access group name |