3.5. SNMP Command Reference
3.5.1. Command Hierarchies
3.5.1.1. Configuration Commands
3.5.1.1.1. SNMP System Commands
3.5.1.1.2. SNMP Security Commands
The following commands configure user-specific SNMP features. Refer to the Security section for CLI syntax and command descriptions.
3.5.2. Command Descriptions
3.5.2.1. Configuration Commands
3.5.2.1.1. SNMP System Commands
engineID
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command sets the SNMP engine ID to uniquely identify the SNMPv3 node. By default, the engine ID is generated using information from the system backplane.
If the SNMP engine ID is changed using the config>system>snmp>engineID engine-id command, the current configuration must be saved and a reboot must be executed. If not, the previously configured SNMP communities and logger trap-target notify communities will not be valid for the new engine ID.
 | Note: In conformance with IETF standard RFC 2274, User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), hashing algorithms that generate SNMPv3 MD5 or SHA security digest keys use the engineID. Changing the SNMP engineID invalidates all SNMPv3 MD5 and SHA security digest keys and may render the node unmanageable |
When a chassis is replaced, use the engine ID of the first system and configure it in the new system to preserve SNMPv3 security keys. This allows management stations to use their existing authentication keys for the new system.
Ensure that the engine IDs are not used on multiple systems. A management domain can only have one instance of each engineID.
The no form of this command reverts to the default setting.
Default
The engine ID is system generated.
Parameters
general-port
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command configures the port number used by this node to receive SNMP request messages and to send replies.
| Note: SNMP notifications generated by the agent are sent from the port specified in the config>log>snmp-trap-group>trap-target CLI command. |
The no form of this command reverts to the default value.
Default
general-port 161
Parameters
packet-size
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command configures the maximum SNMP packet size generated by this node. If the packet size exceeds the MTU size of the egress interface, the packet will be fragmented.
The no form of this command to reverts to the default value.
Default
packet-size 1500
Parameters
snmp
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command enables the context to configure SNMP parameters.
shutdown
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command administratively disables SNMP agent operations. System management can then only be performed using the command line interface (CLI). Shutting down SNMP does not remove or change configuration parameters other than the administrative state.
This command does not prevent the agent from sending SNMP notifications to any configured SNMP trap destinations. SNMP trap destinations are configured in the config>log>snmp-trap-group context.
This command is automatically invoked in the event of a reboot when the processing of the configuration file fails to complete or when an SNMP persistent index file fails while the bof persist on command is enabled.
The no form of this command administratively enables SNMP, which is the default state.
Default
no shutdown
3.5.2.1.2. SNMP Security Commands
access
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command creates an association between a user group, a security model, and the views that the user group can access. Access parameters must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2. An access group is defined by a unique combination of the group name, security model, and security level.
Access must be configured unless security is limited to SNMPv1/SNMPv2c with community strings (see the community command).
Default access group configurations cannot be modified or deleted.
To remove the user group with associated, security models, and security levels, use the no access group group-name command.
To remove a security model and security level combination from a group, use the no access group group-name security-model {snmpv1 | snmpv2c | usm} security-level {no-auth-no-privacy | auth-no-privacy | privacy} command.
Parameters
attempts
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command configures a threshold value of unsuccessful SNMP connection attempts allowed in a specified time frame. The command parameters are used to counter denial of service (DOS) attacks through SNMP.
If the threshold is exceeded, the host is locked out for the configured lockout time period.
If multiple attempts commands are entered, each new command overwrites the previously entered command.
The no form of this command resets the parameters to the default values.
Default
attempts 20 time 5 lockout 10
Parameters
community
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command enables SNMP community strings for SNMPv1 and SNMPv2c access. This command is used in combination with the predefined access groups and views. To create custom access groups and views and associate them with SNMPv1 or SNMPv2c access, use the usm-community command.
When configured, this command implies a security model for SNMPv1 and SNMPv2c only. For SNMPv3 security, the access command must be configured.
The no form of this command removes a community string.
Parameters
- r — Grants only read access to objects in the MIB, except security objects.
- rw — Grants read and write access to all objects in the MIB, except security.
- rwa — Grants read and write access to all objects in the MIB, including security.
- vpls-mgmt — Assigns a unique SNMP community string to the management virtual router.
mask
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
The mask value and mask type, along with the oid-value configured in the view command, determines the access of each sub-identifier of an object identifier (MIB subtree) in the view.
Each bit in the mask corresponds to a sub-identifier position; for example, the most significant bit for the first sub-identifier, the next most significant bit for the second sub-identifier, and so on. If the bit position on the sub-identifier is available, it can be included or excluded.
For example, the MIB subtree that represents MIB-II is 1.3.6.1.2.1. The mask that catches all MIB-II would be 0xfc or 0b11111100.
Only a single mask may be configured per view and OID value combination. If more than one entry is configured, each subsequent entry overwrites the previous entry.
Per RFC 2575, View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), each MIB view is defined by two sets of view subtrees: the included view subtrees, and the excluded view subtrees. Every view subtree, both the included and the excluded, are defined in this table. To determine whether a particular object instance is in a particular MIB view, compare the OID with each of the MIB view active entries in this table. If none match, the object instance is not in the MIB view. If one or more match, the object instance is included in, or excluded from, the MIB view according to the value of vacmViewTreeFamilyType in the entry whose value of vacmViewTreeFamilySubtree has the most sub-identifiers.
The no form of this command removes the mask from the configuration.
Parameters
The mask can be entered either
- in hex; for example, 0xfc
- in binary; for example, 0b11111100
| Note: If the number of bits in the bit mask is less than the number of sub-identifiers in the MIB subtree, the mask is extended with ones until the mask length matches the number of subidentifiers in the MIB subtree. |
Included means that all MIB subtree objects that are identified with a 1 in the mask are available in the view.
Excluded means that all MIB subtree objects that are identified with a 1 in the mask are denied access in the view.
snmp
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command enables the context to configure SNMPv1, SNMPv2, and SNMPv3 parameters.
usm-community
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command is used to associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group.
The Nokia implementation of SNMP uses SNMPv3. To implement SNMPv1 and SNMPv2c configurations, several access groups are predefined. To implement SNMP with security features (Version 3), security models, security levels, and USM communities must be explicitly configured. Optionally, additional views that specify more specific OIDs (MIB objects in the subtree) can be configured.
The no form of this command removes a community string.
Parameters
view
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command configures a view. Views control the accessibility of an MIB object within the configured MIB view and subtree. OIDs uniquely identify MIB objects in the subtree. OIDs are organized hierarchically with specific values assigned by different organizations.
When the subtree (OID) is identified, a mask can be created to select the portions of the subtree to be included or excluded for access using this particular view. See the mask command for more information. The views configured with this command can subsequently be used in read, write, and notify commands, which are used to assign specific access group permissions to created views and assigned to particular access groups.
Multiple subtrees can be added or removed from a view name to tailor a view to the requirements of the user access group.
The no view view-name command removes a view and all subtrees.
The no view view-name subtree oid-value removes a sub-tree from the view name.
Parameters
It is possible to have a view with different subtrees with their own masks and include and exclude statements. This allows for customizing visibility and write capabilities to specific user requirements.
3.5.2.2. Show Commands
counters
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command displays SNMP counters information. SNMP counters will continue to increase even when SNMP is shut down. Some internal modules communicate using SNMP packets.
Output
The following output is an example of SNMP counter information, and Table 27 describes the output fields.
Table 27: Output Fields: SNMP Counters
Label | Description |
in packets | Displays the total number of messages delivered to SNMP from the transport service |
in gets | Displays the number of SNMP get request PDUs accepted and processed by SNMP |
in getnexts | Displays the number of SNMP get next PDUs accepted and processed by SNMP |
in sets | Displays the number of SNMP set request PDUs accepted and processed by SNMP |
out packets | Displays the total number of SNMP messages passed from SNMP to the transport service |
out get responses | Displays the number of SNMP get response PDUs generated by SNMP |
out traps | Displays the number of SNMP Trap PDUs generated by SNMP |
variables requested | Displays the number of MIB objects requested by SNMP |
variables set | Displays the number of MIB objects set by SNMP as the result of receiving valid SNMP set request PDUs |
information
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command lists the SNMP configuration and statistics.
Output
The following output is an example of SNMP configuration and statistics information, and Table 28 describes the output fields.
Table 28: Output Fields: System Information
Label | Description |
System Name | Displays the name configured for the device |
System Contact | Displays the text string that identifies the contact name for the device |
System Location | Displays the text string that identifies the location of the device |
System Coordinates | Displays the text string that identifies the system coordinates for the device location; for example, “37.390 -122.0550" is read as latitude 37.390 north and longitude 122.0550 west |
System Up Time | Displays the time since the last reboot |
SNMP Port | Displays the port which SNMP sends responses to management requests |
SNMP Engine ID | Displays the ID for either the local or remote SNMP engine to uniquely identify the SNMPv3 node |
SNMP Max Message Size | Displays the maximum size SNMP packet generated by this node |
SNMP Admin State | Enabled — SNMP is administratively enabled Disabled — SNMP is administratively disabled |
SNMP Oper State | Enabled — SNMP is operationally enabled Disabled — SNMP is operationally disabled |
SNMP Index Boot Status | Persistent — Persistent indexes at the last system reboot was enabled Disabled — Persistent indexes at the last system reboot was disabled |
SNMP Sync State | The state when the synchronization of configuration files between the primary and secondary s finish |
Telnet/SSH/FTP Admin | Displays the administrative state of the Telnet, SSH, and FTP sessions |
Telnet/SSH/FTP Oper | Displays the operational state of the Telnet, SSH, and FTP sessions |
BOF Source | The boot location of the BOF |
Image Source | primary — Specifies whether the image was loaded from the primary location specified in the BOF secondary — Specifies whether the image was loaded from the secondary location specified in the BOF tertiary — Specifies whether the image was loaded from the tertiary location specified in the BOF |
Config Source | primary — Specifies whether the configuration was loaded from the primary location specified in the BOF secondary — Specifies whether the configuration was loaded from the secondary location specified in the BOF tertiary — Specifies whether the configuration was loaded from the tertiary location specified in the BOF |
Last Booted Config File | Displays the URL and filename of the configuration file used for the most recent boot |
Last Boot Cfg Version | Displays the version of the configuration file used for the most recent boot |
Last Boot Config Header | Displays header information of the configuration file used for the most recent boot |
Last Boot Index Version | Displays the index version used in the most recent boot |
Last Boot Index Header | Displays the header information of the index used in the most recent boot |
Last Saved Config | Displays the filename of the last saved configuration |
Time Last Saved | Displays the time the configuration was most recently saved |
Changes Since Last Save | Yes — The configuration changed since the last save No — The configuration has not changed since the last save |
Time Last Modified | Displays the time of the last modification |
Max Cfg/BOF Backup Rev | Displays the maximum number of backup revisions maintained for a configuration file This value also applies to the number of revisions maintained for the BOF |
Cfg-OK Script | URL — The location and name of the CLI script file executed following successful completion of the boot-up configuration file execution N/A — No CLI script file is executed |
Cfg-OK Script Status | Successful/Failed — The results from the execution of the CLI script file specified in the Cfg-OK Script location Not used — No CLI script file was executed |
Cfg-Fail Script | URL — The location and name of the CLI script file executed following a failed boot-up configuration file execution Not used — No CLI script file was executed |
Cfg-Fail Script Status | Successful/Failed — The results from the execution of the CLI script file specified in the Cfg-Fail Script location Not used — No CLI script file was executed |
Management IP address | Displays the Management IP address of the node |
DNS Server | Displays the DNS address of the node |
DNS Domain | Displays the DNS domain name of the node |
BOF Static Routes | To — The static route destination Next Hop — The next hop IP address used to reach the destination Metric — Displays the priority of this static route versus other static routes None — No static routes are configured |
access-group
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command displays access group information.
Output
The following output is an example of access group information, and Table 29 describes the output fields.
Table 29: Output Fields: Access Group
Label | Description |
Group name | Displays the access group name |
Security model | Displays the security model required to access the views configured in this node |
Security level | Specifies the required authentication and privacy levels to access the views configured in this node |
Read view | Specifies the view to read the MIB objects |
Write view | Specifies the view to configure the contents of the agent |
Notify view | Specifies the view to send a trap about MIB objects |
No. of access groups | Displays the total number of configured access groups |
authentication
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command displays authentication information.
Output
The following output is an example of authentication information, and Table 30 describes the output fields.
Table 30: Output Fields: Authentication
Label | Description |
sequence | Displays the authentication order in which password authentication, authorization, and accounting is attempted among RADIUS, TACACS+, and local passwords. |
server address | Displays the address of the RADIUS, TACACS+, or local server |
status | Displays the status of the server |
type | Displays the server type |
timeout (secs) | Displays the number of seconds the server will wait before timing out |
single connection | Specifies whether a single connection is established with the server The connection is kept open and is used by all the TELNET/SSH/FTP sessions for AAA operations |
retry count | Displays the number of attempts to retry contacting the server |
radius admin status | Displays the administrative status of the RADIUS protocol operation |
tacplus admin status | Displays the administrative status of the TACACS+ protocol operation |
health check | Specifies whether the RADIUS and TACACS+ servers will be periodically monitored Each server will be contacted every 30 seconds If in this process a server is found to be unreachable, or a previously unreachable server starts responding, based on the type of the server, a trap will be sent |
No. of Servers | Displays the total number of servers configured |
keychain
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command displays keychain information.
Parameters
Output
The following output is an example of keychain information, and Table 31 describes the output fields.
Table 31: Output Fields: Keychain
Label | Description |
TCP-Option number send | Displays the TCP option number to be inserted in the header of sent TCP packets |
TCP-Option number receive | Displays the TCP option number that will be accepted in the header of received TCP packets |
management-access-filter
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command displays management access filter information for IP and MAC filters.
ip-filter
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command displays management-access IP filters.
Parameters
Output
The following output is an example of management access IP filter information, and Table 32 describes the output fields.
Table 32: Output Fields: IP Filter
Label | Description |
Def. action | Permit — Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted Deny — Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that a ICMP host unreachable message will be issued Deny-host-unreachable — Specifies that packets not matching the configured selection criteria in the filter entries are denied |
Entry | Displays the entry ID in a policy or filter table |
Description | Displays a text string describing the filter |
Src IP | Displays the source IP address used for management access filter match criteria |
Src Interface | Displays the interface name for the next-hop to which the packet should be forwarded if it hits this filter entry |
Dest port | Displays the destination port |
Match | Displays the number of times a management packet has matched this filter entry |
Protocol | Displays the IP protocol to match |
Action | Displays the action to take for packets that match this filter entry |
password-options
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command displays password options.
Output
The following output is an example of password option information, and Table 33 describes the output fields.
Table 33: Output Fields: Password Options
Label | Description |
Password aging in days | Displays the number of days a user password is valid before the user must change their password |
Number of invalid attempts permitted per login | Displays the maximum number of unsuccessful login attempts allowed for a user |
Time in minutes per login attempt | Displays the time in minutes that user is to be locked out |
Lockout period (when threshold breached) | Displays the number of minutes the user is locked out if the threshold of unsuccessful login attempts has exceeded |
Authentication order | Displays the most preferred method to authenticate and authorize a user |
Configured complexity options | Displays the complexity requirements of locally administered passwords, HMAC-MD5-96, HMAC-SHA-96 and DES-keys configured in the authentication section |
Minimum password length | Displays the minimum number of characters required in the password |
profile
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command displays user profiles for CLI command tree permissions.
Parameters
Output
The following output is an example of user profile information, and Table 34 describes the output fields.
Table 34: Output Fields: Security Profile
Label | Description |
User Profile | default — The action to be given to the user profile if none of the entries match the command administrative — Specifies the administrative state for this profile |
Def. Action | none — No action is given to the user profile when none of the entries match the command permit-all — The action to be taken when an entry matches the command |
Entry | 10 - 80 Each entry represents the configuration for a system user |
Description | Displays a text string describing the entry |
Match Command | administrative — Enables the user to execute all commands configure system security — Enables the user to execute the config system security command enable-admin — Enables the user to enter a special administrative mode by entering the enable-admin command exec — Enables the user to execute (exec) the contents of a text file as if they were CLI commands entered at the console exit — Enables the user to execute the exit command help — Enables the user to execute the help command logout — Enables the user to execute the logout command password — Enables the user to execute the password command show config — Enables the user to execute the show config command show — Enables the user to execute the show command show system security — Enables the user to execute the show system security command |
Action | permit — Enables the user access to all commands deny-all — Denies the user access to all commands |
snmp
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command displays SNMP information.
community
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command lists SNMP communities and characteristics.
Parameters
Output
The following output is an example of SNMP community information, and Table 35 describes the output fields.
Table 35: Output Fields: Community
Label | Description |
Community | Displays the community string name for SNMPv1 and SNMPv2c access only |
Access | r — The community string allows read-only access rw — The community string allows read-write access rwa — The community string allows read-write access mgmt — The unique SNMP community string assigned to the management router |
View | Displays the view name |
Version | Displays the SNMP version |
Group Name | Displays the access group name |
No of Communities | Displays the total number of configured community strings |
ssh
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command displays all the SSH sessions and the SSH status and fingerprint.
Output
The following output is an example of SSH session information, and Table 36 describes the output fields.
Table 36: Output Fields: SSH
Label | Description |
SSH status | SSH is enabled — Displays that SSH server is enabled SSH is disabled — Displays that SSH server is disabled |
Key fingerprint | The key fingerprint is the server identity Clients trying to connect to the server verify the server's fingerprint If the server fingerprint is not known, the client may not continue with the SSH session since the server might be spoofed |
Connection | Displays the IP address of the connected routers (remote client) |
Encryption | des — Data encryption using a private (secret) key 3des — An encryption method that allows proprietary information to be transmitted over untrusted networks |
Username | Displays the name of the user |
Number of SSH sessions | Displays the total number of SSH sessions |
users
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command displays user information.
Output
The following output is an example of user information, and Table 37 describes the output fields.
Table 37: Output Fields: Users
Label | Description |
User ID | Displays the name of a system user |
Need New PWD | Yes — The user must change their password at the next login No — The user is not forced to change their password at the next login |
User Permission | Console — Specifies whether the user is permitted console/Telnet access FTP — Specifies whether the user is permitted FTP access SNMP — Specifies whether the user is permitted SNMP access |
Password expires | Displays the date on which the current password expires |
Attempted logins | Displays the number of times the user has attempted to login irrespective of whether the login succeeded or failed |
Failed logins | Displays the number of unsuccessful login attempts |
Local Conf. | Y — Password authentication is based on the local password database N — Password authentication is not based on the local password database |
view
Syntax
Context
Supported Platforms
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Description
This command lists one or all views and permissions in the MIB-OID tree.
Output
The following output is an example of MIB-OID tree views and permissions information, and Table 38 describes the output fields.
Table 38: Output Fields: Security View
Label | Description |
View name | Displays the name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree |
OID tree | Displays the Object Identifier (OID) value OIDs uniquely identify MIB objects in the subtree |
Mask | Displays the mask value and the mask type, along with the oid-value configured in the view command, determines the access of each sub-identifier of an object identifier (MIB subtree) in the view |
Permission | Included — Specifies to include MIB subtree objects Excluded — Specifies to exclude MIB subtree objects |
No. of Views | Displays the total number of configured views |
Group name | Displays the access group name |