3.6. SNMP Command Reference

3.6.1. Command Hierarchies

3.6.1.1. Configuration Commands

3.6.1.1.1. SNMP System Commands

config
    — system
        — snmp
            — engineID engine-id
            — no engineID
            — general-port port
            — packet-size bytes
            — [no] shutdown

3.6.1.1.2. SNMP Security Commands

config
    — system
        — security
            — snmp
                — access group group-name security-model security-model security-level security-level [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]
                — no access group group-name [security-model security-model] [security-level security-level] [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]
                — attempts [count] [time minutes1] [lockout minutes2]
                — no attempts
                — community community-string [hash | hash2] access-permissions [version SNMP-version]
                — no community community-string [hash | hash2]
                — usm-community community-string [hash | hash2] group group-name
                — no usm-community community-string [hash | hash2]
                — view view-name subtree oid-value
                — no view view-name [subtree oid-value]
                    — mask mask-value [type {included | excluded}]
                    — no mask

The following commands configure user-specific SNMP features. Refer to the Security section for CLI syntax and command descriptions.

config
    — system
        — security
            — [no] users user-name
                — [no] snmp
                    — authentication {[none] | [[hash] {md5 key-1 | sha key-1} privacy {privacy-level key-2}]}
                    — group group-name
                    — [no] group

3.6.1.2. Show Commands

show
    — snmp
    — system
        — security
            — access-group [group-name]
            — authentication [statistics]
            — keychain [key-chain] [detail]
            — management-access-filter
                — ip-filter [entry entry-id]
            — profile [profile-name]
            — snmp
                — community [community-string]
            — ssh
            — user [user-id] [detail]
            — view [view-name] [detail]

3.6.2. Command Descriptions

3.6.2.1. Configuration Commands

3.6.2.1.1. SNMP System Commands

snmp

Syntax 
snmp
Context 
config>system
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command enables the context to configure SNMP parameters.

engineID

Syntax 
[no] engineID engine-id
Context 
config>system>snmp
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command sets the SNMP engineID to uniquely identify the SNMPv3 node. By default, the engineID is generated using information from the system backplane.

If the SNMP engine ID is changed in the config>system>snmp>engineID context, the current configuration must be saved and the system rebooted. Otherwise, the previously configured SNMP communities and logger trap-target notify communities will not be valid for the new engine ID.

Note:

In conformance with IETF standard RFC 2274, User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), hashing algorithms which generate SNMPv3 MD5 or SHA security digest keys use the engineID. Changing the SNMP engineID invalidates all SNMPv3 MD5 and SHA security digest keys and may render the node unmanageable.

When a chassis is replaced, use the engine ID of the first system and configure it in the new system to preserve SNMPv3 security keys. This allows management stations to use their existing authentication keys for the new system.

Ensure that the engine IDs are not used on multiple systems. A management domain can only have one instance of each engineID.

The no form of this command reverts to the default.

Default 

the engine ID is system generated

Parameters 
engine-id—
Specifies an identifier of 10 to 64 hexadecimal digits (a 5 to 32 octet number) that uniquely identifies this SNMPv3 node. This string is used to access this node from a remote host with SNMPv3.
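The note above states that SNMPv3 MD5 and SHA digest keys are derived from the engineID, which is why changing it invalidates every configured key. The following Python is an added illustration, not Nokia code: it checks the engine-id format given in the parameter description (10 to 64 hex digits, whole octets) and reproduces the RFC 3414 Appendix A.2 derivation, Ku = H(password repeated to 1 MiB) and Kul = H(Ku || engineID || Ku), so the dependency on the engine ID is visible. The function names are this example's own; the RFC 3414 test vector (password "maplesyrup", engine ID 000000000000000000000002) is used for the known-answer check, and the second engine ID is the one shown in the sample show system information output later in this section.

```python
import hashlib
import re

# Format rule from the engine-id parameter: 10 to 64 hexadecimal digits (5 to 32 octets),
# so the digit count must also be even.
ENGINE_ID_RE = re.compile(r"^[0-9a-fA-F]{10,64}$")


def validate_engine_id(text: str) -> bytes:
    """Return the engine ID as bytes, or raise ValueError if it is not 5 to 32 whole octets of hex."""
    if not ENGINE_ID_RE.match(text) or len(text) % 2:
        raise ValueError(f"engine-id must be 10 to 64 hex digits forming whole octets: {text!r}")
    return bytes.fromhex(text)


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2 password-to-key: hash exactly 1,048,576 bytes of the password repeated (Ku)."""
    total = 1048576
    stretched = (password * (total // len(password) + 1))[:total]
    return hashlib.new(hash_name, stretched).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2 key localization: Kul = H(Ku || engineID || Ku).

    The engine ID is a direct input, so the same password gives a different Kul on a node
    whose engine ID has changed; that is the invalidation the Note above describes."""
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def keys_survive_engine_id_change(password: bytes, old_engine_id: bytes,
                                  new_engine_id: bytes, hash_name: str = "md5") -> bool:
    """True only when the localized key is unchanged, which requires the engine IDs to be equal."""
    return (localized_key(password, old_engine_id, hash_name)
            == localized_key(password, new_engine_id, hash_name))


if __name__ == "__main__":
    # RFC 3414 A.3.1 known-answer vector: password "maplesyrup", engineID 0x000000000000000000000002
    rfc_eid = validate_engine_id("000000000000000000000002")
    print(localized_key(b"maplesyrup", rfc_eid, "md5").hex())   # 526f5eed9fcce26f8964c2930787d82b
    # Engine ID from the sample show output in this section: same password, different Kul
    sample_eid = validate_engine_id("0000197f0000003f11abca11")
    print(keys_survive_engine_id_change(b"maplesyrup", rfc_eid, sample_eid))  # False
```

Keeping the old engine ID when a chassis is swapped, as the text recommends, keeps Kul identical for every user, so management stations need no re-keying; the same functions show why the opposite procedure breaks every SNMPv3 user at once.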

general-port

Syntax 
general-port port-number
no general-port
Context 
config>system>snmp
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command configures the port number used by this node to receive SNMP request messages and to send replies. SNMP notifications generated by the agent are sent from the port specified in the config log snmp-trap-group trap-target command.

The no form of this command reverts to the default value.

Default 

161

Parameters 
port-number—
Specifies the port number used to send SNMP traffic other than traps.
Values—
1 to 65535 (decimal)

 

packet-size

Syntax 
packet-size bytes
no packet-size
Context 
config>system>snmp
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command configures the maximum SNMP packet size generated by this node. If the packet size exceeds the MTU of the egress interface, the packet is fragmented.

The no form of this command reverts to the default value.

Default 

1500

Parameters 
bytes—
Specifies the SNMP packet size, in bytes.
Values—
484 to 9216

 

shutdown

Syntax 
[no] shutdown
Context 
config>system>snmp
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command administratively disables SNMP agent operations. System management can then only be performed using the command line interface (CLI). Shutting down SNMP does not remove or change configuration parameters other than the administrative state. This command does not prevent the agent from sending SNMP notifications to any configured SNMP trap destinations. SNMP trap destinations are configured under the config>log>snmp-trap-group context.

This command is automatically invoked in the event of a reboot when the processing of the configuration file fails to complete or when an SNMP persistent index file fails while the bof persist on command is enabled.

The no form of this command administratively enables SNMP.

Default 

no shutdown

3.6.2.1.2. SNMP Security Commands

snmp

Syntax 
snmp
Context 
config>system>security
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command enables the context to configure SNMPv1, SNMPv2, and SNMPv3 parameters.

access

Syntax 
[no] access group group-name security-model security-model security-level security-level [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]
Context 
config>system>security>snmp
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command creates an association between a user group, a security model, and the views that the user group can access. Access parameters must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2. An access group is defined by a unique combination of the group name, security model and security level.

Access must be configured unless security is limited to SNMPv1/SNMPv2c with community strings. See the community command for more information.

Default access group configurations cannot be modified or deleted.

Use the no access group group-name command to remove the user group with its associated security models and security levels.

Use the no access group group-name security-model {snmpv1 | snmpv2c | usm} security-level {no-auth-no-privacy | auth-no-privacy | privacy} command to remove a security model and security level combination from a group.

Parameters 
group-name—
Specifies a unique group name, up to 32 characters.
security-model {snmpv1 | snmpv2c | usm}
Specifies the security model required to access the views configured in this node. A group can have multiple security models. For example, one view may only require SNMPv1/ SNMPv2c access while another view may require USM (SNMPv3) access rights.
security-level {no-auth-no-privacy | auth-no-privacy | privacy}
Specifies the required authentication and privacy levels to access the views configured in this node.
security-level no-auth-no-privacy—
Specifies that no authentication and no privacy (encryption) is required. When configuring the user’s authentication, select the none option.
security-level auth-no-privacy—
Specifies that authentication is required but privacy (encryption) is not required. When this option is configured, both the group and the user must be configured for authentication.
security-level privacy—
Specifies that both authentication and privacy (encryption) are required. When this option is configured, both the group and the user must be configured for authentication. The user must also be configured for privacy.
context context-name
Specifies a set of SNMP objects that are associated with the context-name. The context-name is treated as either a full context-name string or a context name prefix depending on the keyword specified (exact or prefix).
read view-name
Specifies the keyword and variable of the view to read the MIB objects. This command must be configured for each view to which the group has read access.
write view-name
Specifies the keyword and variable of the view to configure the contents of the agent, up to 32 characters. This command must be configured for each view to which the group has write access.
notify view-name
Specifies keyword and variable of the view to send a trap about MIB objects. This command must be configured for each view to which the group has notify access.

attempts

Syntax 
attempts [count] [time minutes1] [lockout minutes2]
no attempts
Context 
config>system>security>snmp
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command configures a threshold of unsuccessful SNMP connection attempts allowed in a specified time frame. The command parameters are used to counter denial of service (DoS) attacks through SNMP.

If the threshold is exceeded, the host is locked out for the lockout time period.

If multiple attempts commands are entered, each command overwrites the previously entered command.

The no form of this command reverts the parameters to the default values.

Default 

attempts 20 time 5 lockout 10

Parameters 
count—
Specifies the number of unsuccessful SNMP attempts allowed for the specified time.
Values—
1 to 64

 

Default—
20
time minutes1
Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the host is locked out.
Values—
0 to 60

 

Default—
5
lockout minutes2
Specifies the lockout period, in minutes, during which the host is not allowed to log in.

When the host exceeds the configured count of unsuccessful attempts within the specified time, that host is locked out from any further login attempts for the configured lockout period.

Values—
0 to 1440

 

Default—
10
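The attempts parameters above describe a per-host counter with a time window and a lockout timer. The following Python is an added example of that mechanism, written for this page and not Nokia's implementation: the window is modelled as sliding, a host is locked when its failures within the window exceed count, and its history is cleared once the lockout ends. Those semantics, the class and method names, and the event stream are this example's assumptions; the defaults match the ones documented above (attempts 20 time 5 lockout 10).

```python
from collections import defaultdict, deque


class SnmpAttemptsGuard:
    """Per-host model of the attempts command: `count` failures allowed within `time`
    minutes, then `lockout` minutes of refusal. Assumed semantics (this example's, not
    stated by the reference): sliding window, lockout when the count is exceeded, and
    the host's history cleared once the lockout ends."""

    def __init__(self, count: int = 20, time_minutes: int = 5, lockout_minutes: int = 10):
        self.count = count
        self.window = time_minutes * 60
        self.lockout = lockout_minutes * 60
        self._failures = defaultdict(deque)  # host -> timestamps (seconds) of recent failures
        self._locked_until = {}              # host -> time at which its lockout ends

    def is_locked(self, host: str, now: float) -> bool:
        until = self._locked_until.get(host)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[host]        # lockout over: start again with a clean window
        self._failures.pop(host, None)
        return False

    def record_failure(self, host: str, now: float) -> bool:
        """Register one unsuccessful attempt from `host`; return True if it is now locked out."""
        if self.is_locked(host, now):
            return True
        recent = self._failures[host]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # drop failures older than the time window
        if len(recent) > self.count:
            self._locked_until[host] = now + self.lockout
            return True
        return False

    def failures_in_window(self, host: str, now: float) -> int:
        recent = self._failures.get(host, ())
        return sum(1 for t in recent if now - t <= self.window)


def replay(events, count=20, time_minutes=5, lockout_minutes=10):
    """Feed (seconds, host) failure events through a guard; return the hosts that were locked out."""
    guard = SnmpAttemptsGuard(count, time_minutes, lockout_minutes)
    locked = []
    for when, host in events:
        if guard.record_failure(host, when) and host not in locked:
            locked.append(host)
    return locked


if __name__ == "__main__":
    # Constructed event stream: one host failing every 10 s, another failing twice, far apart.
    EVENTS = [(t, "192.0.2.10") for t in range(0, 210, 10)] + [(5, "192.0.2.20"), (400, "192.0.2.20")]
    print(replay(EVENTS, count=3, time_minutes=5, lockout_minutes=10))  # ['192.0.2.10']
```

The replay function is the shape a detection check takes when fed failed-authentication events from the node's logs: the host that trips the threshold is the one worth a closer look, while a host with isolated failures spread across windows never accumulates enough to lock.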

community

Syntax 
community community-string [hash | hash2] access-permissions [version SNMP-version]
no community community-string [hash | hash2]
Context 
config>system>security>snmp
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command creates SNMP community strings for SNMPv1 and SNMPv2c access. This command is used in combination with the predefined access groups and views. To create custom access groups and views and associate them with SNMPv1 or SNMPv2c access, use the usm-community command.

When configured, community implies a security model for SNMPv1 and SNMPv2c only.

For SNMPv3 security, the access command must be configured.

The no form of this command removes a community string.

Parameters 
community-string—
Specifies the SNMPv1 / SNMPv2c community string.
Values—
hash, hash2

 

access-permissions—
Specifies the access permissions.
Values—
r — Grants only read access to objects in the MIB, except security objects.
rw — Grants read and write access to all objects in the MIB, except security.
rwa — Grants read and write access to all objects in the MIB, including security.
vpls-mgmt — Assigns a unique SNMP community string to the management virtual router.

 

version {v1 | v2c | both}
Keyword to configure the scope of the community string to be for SNMPv1, SNMPv2c, or both SNMPv1 and SNMPv2c access.
Default—
both

usm-community

Syntax 
usm-community community-string [hash | hash2] group group-name
no usm-community community-string [hash | hash2]
Context 
config>system>security>snmp
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command is used to associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group.

The Nokia implementation of SNMP uses SNMPv3. To implement SNMPv1 and SNMPv2c configurations, several access groups are predefined. To implement SNMP with security features (Version 3), security models, security levels, and USM communities must be explicitly configured. Optionally, additional views which specify more specific OIDs (MIB objects in the subtree) can be configured.

The no form of this command removes a community string.

Parameters 
community-string—
Specifies the SNMPv1/SNMPv2c community string to determine the SNMPv3 access permissions to be used.
Values—
hash, hash2

 

group—
Specifies the group that governs the access rights of this community string. This group must be configured first in the config>system>security>snmp>access group context.

view

Syntax 
view view-name subtree oid-value
no view view-name [subtree oid-value]
Context 
config>system>security>snmp
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command configures a view. Views control the accessibility of a MIB object within the configured MIB view and subtree. Object identifiers (OIDs) uniquely identify MIB objects in the subtree. OIDs are organized hierarchically with specific values assigned by different organizations.

After the subtree (OID) is identified, a mask can be created to select the portions of the subtree to be included or excluded for access using this particular view. See the mask command for more information. Views configured with this command can subsequently be used in read, write, and notify commands which are used to assign specific access group permissions to created views and assigned to particular access groups.

Multiple subtrees can be added or removed from a view name to tailor a view to the requirements of the user access group.

The no view view-name command removes a view and all subtrees.

The no view view-name subtree oid-value removes a sub-tree from the view name.

Parameters 
view-name—
Specifies a view name, up to 32 characters.
oid-value—
Specifies the object identifier (OID) value for the view-name. This value, for example, 1.3.6.1.6.3.11.2.1, combined with the mask and include and exclude statements, configures the access available in the view.

It is possible to have a view with different subtrees with their own masks and include and exclude statements. This allows for customizing visibility and write capabilities to specific user requirements.

mask

Syntax 
mask mask-value [type {included | excluded}]
no mask
Context 
config>system>security>snmp>view
 
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command enables the context to configure the mask value and the mask type and, along with the oid-value configured in the view command, determines the access of each sub-identifier of an object identifier (MIB subtree) in the view.

Each bit in the mask corresponds to a sub-identifier position: the most significant bit to the first sub-identifier, the next most significant bit to the second sub-identifier, and so on. A 1 in a bit position means that sub-identifier must match the configured OID exactly; a 0 means any value is accepted at that position.

For example, the MIB subtree that represents MIB-II is 1.3.6.1.2.1. The mask that catches all MIB-II would be 0xfc or 0b11111100.

Only a single mask may be configured per view and OID value combination. If more than one entry is configured, each subsequent entry overwrites the previous entry.

Per RFC 2575, View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), each MIB view is defined by two sets of view subtrees, the included view subtrees and the excluded view subtrees. Every such view subtree, both the included and the excluded ones, are defined in this table. To determine whether a particular object instance is in a particular MIB view, compare the object instance’s object identifier (OID) with each of the MIB view’s active entries in this table. If none match, the object instance is not in the MIB view. If one or more match, the object instance is included in, or excluded from, the MIB view according to the value of vacmViewTreeFamilyType in the entry whose value of vacmViewTreeFamilySubtree has the most sub-identifiers.

The no form of this command removes the mask from the configuration.

Parameters 
mask-value—
Specifies the mask value that, together with the OID value, determines whether the sub-identifiers are included in or excluded from the view. (Default: all 1s)

The mask can be entered in the following formats:

  1. hexadecimal, for example, 0xfc
  2. binary, for example, 0b11111100
Note:

If the number of bits in the bit mask is less than the number of sub-identifiers in the MIB subtree, the mask is extended with ones until the mask length matches the number of sub-identifiers in the MIB subtree.

type {included | excluded}
Specifies whether to include or exclude MIB subtree objects.
Values—
included — MIB subtree objects that are identified with a 1 in the mask are available in the view.
excluded — MIB subtree objects that are identified with a 1 in the mask are denied access in the view.

 

Default—
included
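The access, view, and mask descriptions above together define one lookup: the (group-name, security-model, security-level) triple selects the read, write, or notify view, and the view's subtrees and masks decide, per RFC 2575, whether a given OID is visible. The following Python is an added example written for this page, not Nokia code. It implements that lookup end to end: mask parsing in both CLI formats, extension of a short mask with ones, the most-specific-entry rule quoted from RFC 2575, and the access table. The view contents, the ops-v3 group, and the function names are constructed for illustration; the snmp-ro and snmp-rw rows follow the shape of the default groups in the show system security access-group output later in this section (read and notify only, versus read, write, and notify), but with constructed view names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subtree:
    oid: tuple        # vacmViewTreeFamilySubtree, as a tuple of sub-identifiers
    mask: str         # vacmViewTreeFamilyMask as a bit string, one character per position
    included: bool    # vacmViewTreeFamilyType: True = included, False = excluded


def parse_oid(text: str) -> tuple:
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_mask(text: str) -> str:
    """Accept the two CLI formats from the mask-value parameter: 0xfc or 0b11111100."""
    if text.startswith("0x"):
        return bin(int(text[2:], 16))[2:].zfill((len(text) - 2) * 4)
    if text.startswith("0b"):
        return text[2:]
    raise ValueError(f"mask must be written as 0x... or 0b...: {text!r}")


def subtree_matches(entry: Subtree, oid: tuple) -> bool:
    """RFC 2575 family match: a 1 bit means the sub-identifier must equal the configured
    value, a 0 bit is a wildcard. Positions past the end of the mask count as 1, which is
    the 'extended with ones' rule from the Note above."""
    if len(oid) < len(entry.oid):
        return False
    for i, configured in enumerate(entry.oid):
        bit = entry.mask[i] if i < len(entry.mask) else "1"
        if bit == "1" and oid[i] != configured:
            return False
    return True


def in_view(view: list, oid: tuple) -> bool:
    """The matching entry with the most sub-identifiers decides inclusion; no match means the
    instance is outside the view. Ties go to the lexicographically greatest subtree."""
    matches = [entry for entry in view if subtree_matches(entry, oid)]
    if not matches:
        return False
    return max(matches, key=lambda e: (len(e.oid), e.oid)).included


# Constructed views. "iso" is everything; "mib2-no-ip" is MIB-II (mask 0xfc, as in the text)
# minus the ip group; "if3-only" uses a 0 bit at position 10 to wildcard the ifEntry column
# while pinning position 11 to ifIndex 3.
VIEWS = {
    "iso": [Subtree(parse_oid("1"), parse_mask("0b1"), True)],
    "mib2-no-ip": [
        Subtree(parse_oid("1.3.6.1.2.1"), parse_mask("0xfc"), True),
        Subtree(parse_oid("1.3.6.1.2.1.4"), parse_mask("0b1111111"), False),
    ],
    "if3-only": [Subtree(parse_oid("1.3.6.1.2.1.2.2.1.2.3"), parse_mask("0b11111111101"), True)],
}

# Access table keyed by the unique (group-name, security-model, security-level) triple.
ACCESS = {
    ("snmp-ro", "snmpv2c", "no-auth-no-privacy"): {"read": "mib2-no-ip", "notify": "mib2-no-ip"},
    ("snmp-rw", "snmpv2c", "no-auth-no-privacy"): {"read": "mib2-no-ip", "write": "mib2-no-ip",
                                                   "notify": "mib2-no-ip"},
    ("ops-v3", "usm", "privacy"): {"read": "iso", "write": "iso", "notify": "iso"},
    ("ops-v3", "usm", "auth-no-privacy"): {"read": "if3-only"},
}


def authorized(group: str, model: str, level: str, operation: str, oid_text: str) -> bool:
    """Is `operation` on `oid_text` allowed for a user in `group` arriving with `model`/`level`?"""
    entry = ACCESS.get((group, model, level))
    if entry is None:            # no access row for this model/level combination
        return False
    view_name = entry.get(operation)
    if view_name is None:        # group has no view for this operation (for example, no write view)
        return False
    return in_view(VIEWS[view_name], parse_oid(oid_text))


if __name__ == "__main__":
    print(authorized("snmp-ro", "snmpv2c", "no-auth-no-privacy", "read", "1.3.6.1.2.1.1.1.0"))   # True
    print(authorized("snmp-ro", "snmpv2c", "no-auth-no-privacy", "write", "1.3.6.1.2.1.1.1.0"))  # False
    print(authorized("ops-v3", "usm", "auth-no-privacy", "read", "1.3.6.1.2.1.2.2.1.6.3"))       # True
```

Two points the model makes concrete: a request that arrives with a security level for which the group has no access row is refused outright, before any view is consulted, which is why a group meant for SNMPv3 should have rows only for the usm model; and an excluded subtree with more sub-identifiers wins over a broader included one, so carving sensitive objects out of a wide view works as the RFC 2575 text above describes.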

3.6.2.2. Show Commands

information

Syntax 
information
Context 
show>system
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command displays the SNMP configuration and statistics.

Output 

The following output is an example of SNMP configuration and statistics information, and Table 27 describes the output fields.

Sample Output
Sample output for 7210 SAS D:
 
*A:SAS-D>show>system# information
 
===============================================================================
System Information
===============================================================================
System Name            : SAS-D
System Type            : 7210 SAS-D 6F4T-1
System Version         : B-3.0.S66
System Contact         :
System Location        :
System Coordinates     :
System Up Time         : 10 days, 01:24:01.43 (hr:min:sec)
 
SNMP Port              : 161
SNMP Engine ID         : 0000197f0000003f11abca11
SNMP Max Message Size  : 1500
SNMP Admin State       : Disabled
SNMP Oper State        : Disabled
SNMP Index Boot Status : Not Persistent
SNMP Sync State        : N/A
 
Tel/Tel6/SSH/FTP Admin : Disabled/Disabled/Enabled/Disabled
Tel/Tel6/SSH/FTP Oper  : Down/Down/Up/Down
 
BOF Source             : N/A
Image Source           : primary
Config Source          : N/A
Last Booted Config File: N/A
Last Boot Cfg Version  : N/A
Last Boot Config Header: N/A
Last Boot Index Version: N/A
Last Boot Index Header : N/A
Last Saved Config      : cf1:\smitha.cfg
Time Last Saved        : 1970/01/01 00:04:11
Changes Since Last Save: Yes
User Last Modified     : admin
Time Last Modified     : 1970/01/11 00:44:21
Max Cfg/BOF Backup Rev : 5
Cfg-OK Script          : N/A
Cfg-OK Script Status   : not used
Cfg-Fail Script        : N/A
Cfg-Fail Script Status : not used
 
Management IP Addr     : 0.0.0.0/0
Primary DNS Server     : N/A
Secondary DNS Server   : N/A
Tertiary DNS Server    : N/A
DNS Domain             :
DNS Resolve Preference : ipv4-only
BOF Static Routes      : None
===============================================================================
*A:SAS-D>show>system#
Table 27:  Output Fields: System Information 

Label

Description

System Name

The name configured for the device

System Contact

The text string that identifies the contact name for the device

System Location

The text string that identifies the location of the device

System Coordinates

The text string that identifies the system coordinates for the device location

For example, "37.390 -122.0550" is read as latitude 37.390 north and longitude 122.0550 west.

System Up Time

The time since the last reboot

SNMP Port

The port which SNMP sends responses to management requests

SNMP Engine ID

The ID for either the local or remote SNMP engine to uniquely identify the SNMPv3 node

SNMP Max Message Size

The maximum size SNMP packet generated by this node

SNMP Admin State

Enabled — SNMP is administratively enabled

Disabled — SNMP is administratively disabled

SNMP Oper State

Enabled — SNMP is operationally enabled

Disabled — SNMP is operationally disabled

SNMP Index Boot Status

Persistent — Persistent indexes were enabled at the last system reboot

Disabled — Persistent indexes were disabled at the last system reboot

SNMP Sync State

The state when the synchronization of configuration files between the primary and secondary s finish

Telnet/SSH/FTP Admin

Displays the administrative state of the Telnet, SSH, and FTP sessions

Telnet/SSH/FTP Oper

Displays the operational state of the Telnet, SSH, and FTP sessions

BOF Source

The boot location of the BOF

Image Source

primary — Specifies whether the image was loaded from the primary location specified in the BOF

secondary — Specifies whether the image was loaded from the secondary location specified in the BOF

tertiary — Specifies whether the image was loaded from the tertiary location specified in the BOF

Config Source

primary — Specifies whether the configuration was loaded from the primary location specified in the BOF

secondary — Specifies whether the configuration was loaded from the secondary location specified in the BOF

tertiary — Specifies whether the configuration was loaded from the tertiary location specified in the BOF

Last Booted Config File

Displays the URL and filename of the configuration file used for the most recent boot

Last Boot Cfg Version

Displays the version of the configuration file used for the most recent boot

Last Boot Config Header

Displays header information of the configuration file used for the most recent boot

Last Boot Index Version

Displays the index version used in the most recent boot

Last Boot Index Header

Displays the header information of the index used in the most recent boot

Last Saved Config

Displays the filename of the last saved configuration

Time Last Saved

Displays the time the configuration was most recently saved

Changes Since Last Save

Yes — The configuration changed since the last save

No — The configuration has not changed since the last save

Time Last Modified

Displays the time of the last modification

Max Cfg/BOF Backup Rev

The maximum number of backup revisions maintained for a configuration file

This value also applies to the number of revisions maintained for the BOF.

Cfg-OK Script

URL — The location and name of the CLI script file executed following successful completion of the boot-up configuration file execution

N/A — No CLI script file is executed

Cfg-OK Script Status

Successful/Failed — The results from the execution of the CLI script file specified in the Cfg-OK Script location

Not used — No CLI script file was executed

Cfg-Fail Script

URL — The location and name of the CLI script file executed following a failed boot-up configuration file execution

Not used — No CLI script file was executed

Cfg-Fail Script Status

Successful/Failed — The results from the execution of the CLI script file specified in the Cfg-Fail Script location

Not used — No CLI script file was executed

Management IP address

The Management IP address of the node

DNS Server

The DNS address of the node

DNS Domain

The DNS domain name of the node

BOF Static Routes

To — The static route destination

Next Hop — The next hop IP address used to reach the destination

Metric — Displays the priority of this static route versus other static routes

None — No static routes are configured

access-group

Syntax 
access-group group-name
Context 
show>system>security
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command displays access-group information.

Output 

The following output is an example of access group information, and Table 28 describes the output fields.

Sample Output
A:ALA-1# show system security access-group
===============================================================================
Access Groups
===============================================================================
group name        security  security  read          write         notify
                  model     level     view          view          view
-------------------------------------------------------------------------------
snmp-ro           snmpv1    none      no-security                 no-security
snmp-ro           snmpv2c   none      no-security                 no-security
snmp-rw           snmpv1    none      no-security   no-security   no-security
snmp-rw           snmpv2c   none      no-security   no-security   no-security
snmp-rwa          snmpv1    none      iso           iso           iso
snmp-rwa          snmpv2c   none      iso           iso           iso
snmp-trap         snmpv1    none                                  iso
snmp-trap         snmpv2c   none                                  iso
-------------------------------------------------------------------------------
No. of Access Groups: 8
===============================================================================
A:ALA-1#
 
 
A:ALA-1# show system security access-group detail
===============================================================================
Access Groups
===============================================================================
group name        security  security  read          write         notify
                  model     level     view          view          view
-------------------------------------------------------------------------------
snmp-ro           snmpv1    none      no-security                 no-security
-------------------------------------------------------------------------------
No. of Access Groups: 
...
===============================================================================
A:ALA-1#
Table 28:  Output Fields: Security Access Group 

Label

Description

Group name

The access group name

Security model

The security model required to access the views configured in this node

Security level

Specifies the required authentication and privacy levels to access the views configured in this node

Read view

Specifies the view to read the MIB objects

Write view

Specifies the view to configure the contents of the agent

Notify view

Specifies the view to send a trap about MIB objects

No. of access groups

The total number of configured access groups

authentication

Syntax 
authentication [statistics]
Context 
show>system>security
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command displays authentication information.

Output 

The following output is an example of authentication information, and Table 29 describes the output fields.

Sample Output
A:ALA-49>show>system>security# authentication
===============================================================================
Authentication                  sequence : radius tacplus local
===============================================================================
server address   status  type    timeout(secs)  single connection  retry count
-------------------------------------------------------------------------------
10.10.10.103     up      radius  5              n/a                5
10.10.0.1        up      radius  5              n/a                5
10.10.0.2        up      radius  5              n/a                5
10.10.0.3        up      radius  5              n/a                5
-------------------------------------------------------------------------------
radius admin status  : down
tacplus admin status : up
health check         : enabled
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
A:ALA-49>show>system>security# 
Table 29:  Output Fields: Authentication 

Label

Description

sequence

The order in which password authentication, authorization, and accounting are attempted among RADIUS, TACACS+, and local passwords

server address

The address of the RADIUS, TACACS+, or local server

status

The status of the server

type

The type of server

timeout (secs)

Number of seconds the server will wait before timing out

single connection

Specifies whether a single connection is established with the server

The connection is kept open and is used by all the TELNET/SSH/FTP sessions for AAA operations.

retry count

The number of attempts to retry contacting the server

radius admin status

The administrative status of the RADIUS protocol operation

tacplus admin status

The administrative status of the TACACS+ protocol operation

health check

Specifies whether the RADIUS and TACACS+ servers will be periodically monitored

Each server will be contacted every 30 seconds. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, based on the type of the server, a trap will be sent.

No. of Servers

The total number of servers configured

keychain

Syntax 
keychain [key-chain] [detail]
Context 
show>system>security
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command displays keychain information.

Parameters 
key-chain—
Specifies the keychain name to display.
detail—
Displays detailed keychain information.
Output 

The following output is an example of keychain information.

Sample Output
*A:ALA-A# show system security keychain test
===============================================================================
Key chain:test
===============================================================================
TCP-Option number send : 254 Admin state : Up
TCP-Option number receive : 254 Oper state : Up
===============================================================================
*A:ALA-A# 

management-access-filter

Syntax 
management-access-filter
Context 
show>system>security
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command displays management access filter information for IP and MAC filters.

ip-filter

Syntax 
ip-filter [entry entry-id]
Context 
show>system>security>mgmt-access-filter
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command displays management-access IP filters.

Parameters 
entry-id—
Displays information for the specified entry.
Values—
1 to 9999

 

Output 

The following output is an example of management access IP filter information, and Table 30 describes the output fields.

Sample Output
*7210-SAS>show>system>security>management-access-filter# ip-filter entry 1
 
===============================================================================
IPv4 Management Access Filter
===============================================================================
filter type   : ip
Def. Action   : permit
Admin Status  : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry         : 1
Description   : (Not Specified)
Src IP        : undefined
Src interface : undefined
Dest port     : undefined
Protocol      : undefined
Router        : undefined
Action        : none
Log           : disabled
Matches       : 0
===============================================================================
*7210-SAS>show>system>security>management-access-filter# 
Table 30: Output Fields: IP Filter

filter type
    The filter type; ip for an IPv4 management access filter
Def. Action
    Permit — Packets that match none of the filter entries are permitted
    Deny — Packets that match none of the filter entries are silently dropped
    Deny-host-unreachable — Packets that match none of the filter entries are dropped and an ICMP host unreachable message is returned to the source
Admin Status
    Whether the filter is administratively enabled (no shutdown) or disabled (shutdown)
Entry
    The entry ID in the filter table
Description
    A text string describing the filter entry
Src IP
    The source IP address or prefix that a packet must match
Src interface
    The interface on which a packet must arrive to match this entry
Dest port
    The destination port that a packet must match
Protocol
    The IP protocol that a packet must match
Router
    The routing instance in which a packet must arrive to match this entry
Action
    The action taken on packets that match this entry (permit or deny); none means no action is configured for the entry
Log
    Whether packets matching this entry are logged
Matches
    The number of times a management packet has matched this entry

password-options

Syntax 
password-options
Context 
show>system>security
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command displays password options.

Output 

The following output is an example of password options, and Table 31 describes the output fields.

Sample Output
A:ALA-48>show>system>security# password-options
===============================================================================
Password Options
===============================================================================
Password aging in days                           : 365
Number of invalid attempts permitted per login   : 5
Time in minutes per login attempt                : 5
Lockout period (when threshold breached)         : 20
Authentication order                             : radius tacplus local
Configured complexity options                    :
Minimum password length                          : 8
===============================================================================
A:ALA-48>show>system>security#
Table 31: Output Fields: Password Options

Password aging in days
    Number of days a password remains valid before the user must change it
Number of invalid attempts permitted per login
    Maximum number of unsuccessful login attempts allowed within the time window before the user is locked out
Time in minutes per login attempt
    Length of the window, in minutes, over which unsuccessful login attempts are counted
Lockout period (when threshold breached)
    Number of minutes the user is locked out once the threshold of unsuccessful login attempts has been exceeded
Authentication order
    The order in which the configured authentication methods (radius, tacplus, local) are tried; the first method listed is the preferred one
Configured complexity options
    The complexity rules configured for locally administered passwords
Minimum password length
    Minimum number of characters required in a password
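The attempt count, time window and lockout period shown above describe a sliding-window lockout. The following model of that behaviour is an added example and not 7210 SAS code; it uses the values from the sample output (5 attempts, 5-minute window, 20-minute lockout), and the exact counting rules (failures counted within the window, lockout applied when the count reaches the threshold, all logins refused during the lockout) are assumptions of the model rather than a statement of the platform's implementation. The event log is constructed.

```python
"""Sliding-window login lockout modelled on the attempts/time/lockout settings
shown in the password-options output. Added example, not 7210 SAS code; the
counting semantics are assumed."""
from collections import defaultdict, deque


class LoginLockoutPolicy:
    def __init__(self, attempts=5, window_minutes=5, lockout_minutes=20):
        self.attempts = attempts
        self.window = window_minutes
        self.lockout = lockout_minutes
        self._failures = defaultdict(deque)   # user -> minutes of recent failures
        self._locked_until = {}               # user -> minute at which lockout ends

    def is_locked(self, user, now):
        """True while the user's lockout period has not yet elapsed."""
        return now < self._locked_until.get(user, float("-inf"))

    def record_failure(self, user, now):
        """Record a failed login at minute `now`. Returns 'rejected' if the user
        was already locked out, 'locked' if this failure reached the threshold
        inside the window, otherwise 'counted'."""
        if self.is_locked(user, now):
            return "rejected"
        q = self._failures[user]
        q.append(now)
        # Drop failures that have fallen out of the sliding window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.attempts:
            self._locked_until[user] = now + self.lockout
            q.clear()
            return "locked"
        return "counted"

    def record_success(self, user):
        """A successful login clears the failure history."""
        self._failures.pop(user, None)


def simulate(events, **policy_args):
    """Run (user, minute, password_ok) events through the policy and return one
    outcome per event."""
    policy = LoginLockoutPolicy(**policy_args)
    outcomes = []
    for user, minute, ok in events:
        if policy.is_locked(user, minute):
            outcomes.append("rejected")   # even a correct password is refused while locked
        elif ok:
            policy.record_success(user)
            outcomes.append("success")
        else:
            outcomes.append(policy.record_failure(user, minute))
    return outcomes


# Constructed event log: five bad passwords in four minutes, a correct password
# during the lockout, and a retry once the 20-minute lockout has expired.
EVENTS = [
    ("admin", 0, False), ("admin", 1, False), ("admin", 2, False),
    ("admin", 3, False), ("admin", 4, False),   # fifth failure in the window -> locked until minute 24
    ("admin", 10, True),                         # correct password, still locked
    ("admin", 24, True),                         # lockout over
]

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, simulate(EVENTS)):
        print(event, "->", outcome)
```

Failures that are spread out so that fewer than the configured count fall inside any 5-minute window never trigger the lockout, which is why the window length matters as much as the attempt count when tuning these values.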

profile

Syntax 
profile [profile-name]
Context 
show>system>security
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command displays user profiles for CLI command tree permissions.

Parameters 
profile-name—
Specifies the name of a single user profile to display. If no profile name is specified, all profiles are listed.
Output 

The following output is an example of user profile information, and Table 32 describes the output fields.

Sample Output
A:ALA-48>config>system>snmp# show system security profile
===============================================================================
User Profile
===============================================================================
User Profile : test
Def. Action  : none
-------------------------------------------------------------------------------
Entry        : 1
Description  :
Match Command:
Action       : unknown
===============================================================================
User Profile : default
Def. Action  : none
-------------------------------------------------------------------------------
Entry        : 10
Description  :
Match Command: exec
Action       : permit
-------------------------------------------------------------------------------
Entry        : 20
Description  :
Match Command: exit
Action       : permit
-------------------------------------------------------------------------------
Entry        : 30
Description  :
Match Command: help
Action       : permit
-------------------------------------------------------------------------------
...
-------------------------------------------------------------------------------
Entry        : 80
Description  :
Match Command: enable-admin
Action       : permit
===============================================================================
 
User Profile : administrative
Def. Action  : permit-all
-------------------------------------------------------------------------------
Entry        : 10
Description  :
Match Command: configure system security
Action       : permit
-------------------------------------------------------------------------------
Entry        : 20
Description  :
Match Command: show system security
Action       : permit
===============================================================================
-------------------------------------------------------------------------------
No. of profiles: 3
===============================================================================
A:ALA-48>config>system>snmp#
Table 32: Output Fields: Profile

User Profile
    The name of the profile. Two profiles are predefined: default, which applies to users with no other profile assigned, and administrative, which permits all commands
Def. Action
    The action applied to a command that matches none of the profile's entries
    none — No action is taken by this profile for such commands
    permit-all — Such commands are permitted
    deny-all — Such commands are denied
Entry
    The entry number within the profile; entries are checked in numerical order
Description
    A text string describing the entry
Match Command
    The command string that an entered command is compared against. The entries in the sample output match, for example, exec (executing the contents of a text file as CLI commands), exit, help, logout, password, enable-admin (entering the administrative mode), show, show config, show system security and configure system security
Action
    permit — Commands matching this entry are permitted
    deny — Commands matching this entry are denied

snmp

Syntax 
snmp
Context 
show
show>system>security
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command enables the context to display SNMP information.

community

Syntax 
community [community-string]
Context 
show>system>security>snmp
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command lists SNMP communities and characteristics.

Parameters 
community-string—
Specifies the community name, up to 32 characters.
Output 

The following output is an example of SNMP community information, and Table 33 describes the output fields.

Sample Output
A:Dut-P# show system security snmp community 
==============================================================================
Communities
==============================================================================
community           access  view                version   group name
------------------------------------------------------------------------------
cli-readonly        r       iso                 v2c       cli-readonly
cli-readwrite       rw      iso                 v2c       cli-readwrite
private             rwa     iso                 v1 v2c    snmp-rwa
public              rwa     iso                 v1 v2c    snmp-rwa
------------------------------------------------------------------------------
No. of Communities: 4
==============================================================================
A:Dut-P#
Table 33: Output Fields: SNMP Community

Community
    The community string name; community strings apply to SNMPv1 and SNMPv2c access only
Access
    r — Read-only access to MIB objects, excluding security objects
    rw — Read-write access to MIB objects, excluding security objects
    rwa — Read-write access to all MIB objects, including security objects
    mgmt — The unique SNMP community string assigned to the management router
View
    The view name that scopes the community's access
Version
    The SNMP version or versions the community may be used with
Group Name
    The access group name
No. of Communities
    The total number of configured community strings
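A reviewer reading this table usually wants the same few checks every time: well-known community strings, write access granted over cleartext SNMPv1/v2c, and rwa or whole-tree (view iso) scope. The script below is an added example, not part of the 7210 SAS documentation: it parses the sample output shown above and applies those checks. The set of well-known strings and the findings it reports are this example's own policy, not a platform feature.

```python
"""Audit the 'show system security snmp community' table for risky entries.
Added example, not 7210 SAS code; the risk rules are this example's own policy."""
import re

# Constructed input: the sample output shown on this page.
SAMPLE_OUTPUT = """\
==============================================================================
Communities
==============================================================================
community           access  view                version   group name
------------------------------------------------------------------------------
cli-readonly        r       iso                 v2c       cli-readonly
cli-readwrite       rw      iso                 v2c       cli-readwrite
private             rwa     iso                 v1 v2c    snmp-rwa
public              rwa     iso                 v1 v2c    snmp-rwa
------------------------------------------------------------------------------
No. of Communities: 4
==============================================================================
"""

# Strings that scanners try first (policy assumption of this example).
WELL_KNOWN = {"public", "private", "admin", "manager", "snmp"}

ROW_RE = re.compile(
    r"^(?P<community>\S+)\s+(?P<access>r|rw|rwa|mgmt)\s+(?P<view>\S+)\s+"
    r"(?P<versions>(?:v1|v2c)(?:\s+(?:v1|v2c))*)\s+(?P<group>\S+)\s*$"
)


def parse_communities(text):
    """Return one dict per data row: community, access, view, versions (list), group."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:   # header, separator and summary lines do not match the row pattern
            row = m.groupdict()
            row["versions"] = row["versions"].split()
            rows.append(row)
    return rows


def audit_communities(rows):
    """Return (community, finding) pairs for entries a reviewer should look at."""
    findings = []
    for r in rows:
        name, access, view = r["community"], r["access"], r["view"]
        versions = " ".join(r["versions"])
        if name.lower() in WELL_KNOWN:
            findings.append((name, "well-known community string; trivially guessed"))
        if access in ("rw", "rwa"):
            # v1/v2c carry the community string in cleartext, so write access is
            # only as strong as the network path to the management interface.
            findings.append((name, f"{access} access over cleartext SNMP {versions}"))
        if access == "rwa":
            findings.append((name, "rwa also exposes the security subtree (users, communities, views)"))
        if access != "r" and view == "iso":
            findings.append((name, "write access scoped to the whole MIB tree (view iso)"))
    return findings


def audit_text(text):
    return audit_communities(parse_communities(text))


if __name__ == "__main__":
    for community, finding in audit_text(SAMPLE_OUTPUT):
        print(f"{community:15} {finding}")
```

Run against the sample output, the read-only cli-readonly community produces no findings, while public and private each trip all four checks.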

ssh

Syntax 
ssh
Context 
show>system>security
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command displays all the SSH sessions as well as the SSH status and fingerprint.

Output 

The following output is an example of SSH session information, and Table 34 describes the output fields.

Sample Output
A:ALA-7# show system security ssh 
SSH is enabled
Key fingerprint: 34:00:f4:97:05:71:aa:b1:63:99:dc:17:11:73:43:83 
=======================================================
Connection Encryption Username
=======================================================
192.168.5.218 3des admin
-------------------------------------------------------
Number of SSH sessions : 1
======================================================= 
A:ALA-7# 
 
A:ALA-49>config>system>security# show system security ssh
SSH is disabled
 
A:ALA-49>config>system>security#
Table 34: Output Fields: SSH

SSH status
    SSH is enabled — The SSH server is enabled
    SSH is disabled — The SSH server is disabled
Key fingerprint
    The fingerprint of the server's host key, which identifies the server. Clients compare it against the fingerprint they have stored for this server; a client that cannot verify the fingerprint should not continue the session, because the server may be spoofed
Connection
    The IP address of the remote SSH client
Encryption
    des — The session cipher is single DES
    3des — The session cipher is Triple DES
    Both are legacy ciphers; single DES, with its 56-bit key, is considered broken
Username
    The name of the logged-in user
Number of SSH sessions
    The total number of active SSH sessions

user

Syntax 
user [user-id] [detail]
Context 
show>system>security
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command displays user information.

Output 

The following output is an example of user information, and Table 35 describes the output fields.

Sample Output
A:ALA-1# show system security user
===============================================================================
Users
===============================================================================
user id           need    user permissions  password    attempted failed  local
                  new pwd console ftp snmp  expires     logins    logins  conf
-------------------------------------------------------------------------------
admin             n       y       n   n     never       2         0       y
testuser          n       n       n   y     never       0         0       y
-------------------------------------------------------------------------------
Number of users : 2
===============================================================================
A:ALA-1# 
Table 35: Output Fields: Security User

User ID
    The name of a system user
Need New PWD
    y — The user must change their password at the next login
    n — The user is not forced to change their password at the next login
User Permissions
    Console — Whether the user is permitted console and Telnet access
    FTP — Whether the user is permitted FTP access
    SNMP — Whether the user is permitted SNMP access
Password expires
    The date on which the current password expires, or never if aging is not applied
Attempted logins
    The number of times the user has attempted to log in, whether the login succeeded or failed
Failed logins
    The number of unsuccessful login attempts
Local Conf.
    y — Password authentication is based on the local password database
    n — Password authentication is not based on the local password database

view

Syntax 
view [view-name] [detail]
Context 
show>system>security
Supported Platforms 

Supported on all 7210 SAS platforms as described in this document

Description 

This command lists one or all views and permissions in the MIB-OID tree.

Output 

The following output is an example of permissions views, and Table 36 describes the output fields.

Sample Output
A:ALA-1# show system security view
===============================================================================
Views
===============================================================================
view name         oid tree                        mask              permission
-------------------------------------------------------------------------------
iso               1                                                 included
no-security       1                                                 included
no-security       1.3.6.1.6.3                                       excluded
no-security       1.3.6.1.6.3.10.2.1                                included
no-security       1.3.6.1.6.3.11.2.1                                included
no-security       1.3.6.1.6.3.15.1.1                                included
-------------------------------------------------------------------------------
No. of Views: 6
===============================================================================
A:ALA-1#
A:ALA-1# show system security view no-security detail
===============================================================================
Views
===============================================================================
view name         oid tree                        mask              permission
-------------------------------------------------------------------------------
no-security       1                                                 included
no-security       1.3.6.1.6.3                                       excluded
no-security       1.3.6.1.6.3.10.2.1                                included
no-security       1.3.6.1.6.3.11.2.1                                included
no-security       1.3.6.1.6.3.15.1.1                                included
-------------------------------------------------------------------------------
No. of Views: 5
===============================================================================
=======================================
no-security used in
=======================================
group name
---------------------------------------
snmp-ro
snmp-rw
=======================================
A:ALA-1#
Table 36: Output Fields: Security View

View name
    The name of the view. A view controls which MIB objects are accessible by listing included and excluded OID subtrees
OID tree
    The Object Identifier (OID) of the subtree; OIDs uniquely identify MIB objects
Mask
    The mask value. Together with the mask type and the subtree OID configured in the view command, it determines which sub-identifiers of an object's OID must match the subtree exactly (mask bit set) and which are wildcards (mask bit clear)
Permission
    included — Objects in the subtree are visible through the view
    excluded — Objects in the subtree are hidden from the view
No. of Views
    The total number of view entries (subtree rows) listed
Group name
    The access group or groups that reference the view (shown with the detail keyword)
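The included/excluded rows of a view are not evaluated in order: when several subtrees match an OID, the one with the longest subtree wins and its permission decides, and the mask lets one entry cover, for example, one table row regardless of column. The following is an added example, not 7210 SAS code, that implements those rules (the VACM view-tree-family semantics of RFC 3415) and applies them to the no-security view from the sample output above. The IF_ROW_3 view, its ff:a0 mask and the OIDs used for testing are constructed for the example.

```python
"""Decide whether an OID is visible through an SNMP view using the VACM
view-tree-family rules of RFC 3415 (subtree, mask, included/excluded,
longest matching subtree wins). Added example, not 7210 SAS code."""


def parse_oid(text):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)"""
    return tuple(int(x) for x in text.strip().strip(".").split("."))


def mask_bits(mask, length):
    """Expand a hex mask such as 'ff:a0' into one bit per sub-identifier.
    A set bit means the sub-identifier must match exactly, a clear bit is a
    wildcard; bits missing from a short (or empty) mask default to 1."""
    raw = bytes.fromhex(mask.replace(":", "").replace(".", "")) if mask else b""
    bits = [(byte >> (7 - i)) & 1 for byte in raw for i in range(8)]
    return bits[:length] + [1] * max(0, length - len(bits))


class ViewEntry:
    def __init__(self, subtree, mask, permission):
        self.subtree = parse_oid(subtree)
        self.bits = mask_bits(mask, len(self.subtree))
        self.included = permission == "included"

    def matches(self, oid):
        """The family matches when the OID is at least as long as the subtree and
        every non-wildcarded sub-identifier is equal."""
        if len(oid) < len(self.subtree):
            return False
        return all(b == 0 or o == s for o, s, b in zip(oid, self.subtree, self.bits))


def is_visible(view, oid_text):
    """Among matching entries the one with the longest subtree wins (ties go to
    the lexicographically greatest subtree); its permission decides. An OID
    matched by no entry is not visible."""
    oid = parse_oid(oid_text)
    best = None
    for entry in view:
        if entry.matches(oid) and (
            best is None
            or (len(entry.subtree), entry.subtree) > (len(best.subtree), best.subtree)
        ):
            best = entry
    return best is not None and best.included


# The no-security view from the sample output above: everything under 1 except
# the snmpModules subtree 1.3.6.1.6.3, with three subtrees re-included.
NO_SECURITY = [
    ViewEntry("1", "", "included"),
    ViewEntry("1.3.6.1.6.3", "", "excluded"),
    ViewEntry("1.3.6.1.6.3.10.2.1", "", "included"),
    ViewEntry("1.3.6.1.6.3.11.2.1", "", "included"),
    ViewEntry("1.3.6.1.6.3.15.1.1", "", "included"),
]

# Constructed view showing a mask: ifEntry row ifIndex 3 with the column
# sub-identifier (the 10th) wildcarded, so every column of that row is visible
# and no other row is.
IF_ROW_3 = [ViewEntry("1.3.6.1.2.1.2.2.1.1.3", "ff:a0", "included")]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.16.1.1.1.0", "1.3.6.1.6.3.10.2.1.1.0"):
        print(oid, "visible in no-security:", is_visible(NO_SECURITY, oid))
```

With the no-security rows, sysDescr (1.3.6.1.2.1.1.1.0) is visible through the catch-all "1 included" entry, the VACM tables under 1.3.6.1.6.3.16 are hidden by the longer excluded entry, and snmpEngine objects under 1.3.6.1.6.3.10.2.1 are visible again because that entry is longer still.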