Setting an Engine ID
This example shows how to set the identification of the local SNMP engine:
snmp-server engineID local 00:00:00:09:00:00:00:a1:61:6c:20:61
Note: After the engine ID has been configured, the SNMP agent restarts.
Verifying the Identification of the Local SNMP Engines
This example shows how to verify the identification of the local SNMP engine:
config
show snmp engineid
SNMP engineID 00000009000000a1ffffffff
Creating a View
There are two ways to create a view:
- You can include the object identifier (OID) of an ASN.1 subtree of a MIB family in a view by using the included keyword of the snmp-server view command.
- You can exclude the OID of an ASN.1 subtree of a MIB family from a view by using the excluded keyword of the snmp-server view command.
This example shows how to create a view that includes the sysName (1.3.6.1.2.1.1.5) object:
config
snmp-server view SNMP_VIEW1 1.3.6.1.2.1.1.5 included
This example shows how to create a view that includes all the OIDs of a system group:
config
snmp-server view SNMP_VIEW1 1.3.6.1.2.1.1 included
This example shows how to create a view that includes all the OIDs under the system group except the sysName object (1.3.6.1.2.1.1.5), which has been excluded:
config
snmp-server view SNMP_VIEW1 1.3.6.1.2.1.1 included
snmp-server view SNMP_VIEW1 1.3.6.1.2.1.1.5 excluded
Verifying Configured Views
This example shows how to display information about the configured views:
RP/0/RP0/CPU0:router# show snmp view
v1default 1.3.6.1 - included nonVolatile active
SNMP_VIEW1 1.3.6.1.2.1.1 - included nonVolatile active
SNMP_VIEW1 1.3.6.1.2.1.1.5 - excluded nonVolatile active
Creating Groups
If you do not explicitly specify a notify, read, or write view, the Cisco IOS XR software uses the v1 default (1.3.6.1). This example shows how to create a group that utilizes the default view:
RP/0/RP0/CPU0:router(config)# snmp-server group group-name v3 auth
The following configuration example shows how to create a group that has read access to all the OIDs in the system except the sysUpTime object (1.3.6.1.2.1.1.3), which has been excluded from the view applied to the group, but write access only to the sysName object (1.3.6.1.2.1.1.5):
!
snmp-server view view_name1 1.3.6.1.2.1.1 included
snmp-server view view_name1 1.3.6.1.2.1.1.3 excluded
snmp-server view view_name2 1.3.6.1.2.1.1.5 included
snmp-server group group_name1 v3 auth read view_name1 write view_name2
!
Verifying Groups
This example shows how to verify the attributes of configured groups:
RP/0/RP0/CPU0:router# show snmp group
groupname: group_name1 security model:usm
readview : view_name1 writeview: view_name2
notifyview: v1default
row status: nonVolatile
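To check what a group's views actually expose before applying them, the following added example (not Cisco code) models the view and group lines above in Python. It assumes the standard VACM rule from RFC 3415, in which the longest matching subtree decides inclusion, ignores family masks, and uses the page's statement that an unspecified view falls back to v1default (1.3.6.1); the function names are hypothetical.

```python
# Constructed sample: the view and group lines from the examples above.
CONFIG = """\
snmp-server view view_name1 1.3.6.1.2.1.1 included
snmp-server view view_name1 1.3.6.1.2.1.1.3 excluded
snmp-server view view_name2 1.3.6.1.2.1.1.5 included
snmp-server group group_name1 v3 auth read view_name1 write view_name2
snmp-server group group-name v3 auth
"""

DEFAULT_VIEW = "v1default"  # per the text: used when a view is not specified


def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_config(config):
    """Return (views, groups) from 'snmp-server view' and 'snmp-server group' lines."""
    views = {DEFAULT_VIEW: [(parse_oid("1.3.6.1"), True)]}
    groups = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["snmp-server", "view"] and len(tok) == 5:
            views.setdefault(tok[2], []).append((parse_oid(tok[3]), tok[4] == "included"))
        elif tok[:2] == ["snmp-server", "group"] and len(tok) >= 5:
            opts = dict(zip(tok[5::2], tok[6::2]))  # notify/read/write -> view name
            groups[tok[2]] = {k: opts.get(k, DEFAULT_VIEW) for k in ("notify", "read", "write")}
    return views, groups


def in_view(views, name, oid):
    """Longest matching subtree wins; an OID under no subtree is outside the view."""
    target, best = parse_oid(oid), None
    for subtree, included in views.get(name, []):
        if target[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


def allowed(config, group, access, oid):
    """Model whether a group may 'read', 'write' or 'notify' the given OID."""
    views, groups = parse_config(config)
    return in_view(views, groups[group][access], oid)
```

In this model, a group created without explicit views, such as group-name, resolves every access type to v1default and therefore to the whole 1.3.6.1 tree.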
Creating and Verifying Users
Given the following SNMPv3 view and SNMPv3 group configuration:
!
snmp-server view view_name 1.3.6.1.2.1.1 included
snmp-server group group_name v3 noauth read view_name write view_name
!
This example shows how to create a noAuthNoPriv user with read and write view access to a system group:
config
snmp-server user noauthuser group_name v3
Note: The user must belong to a noauth group before a noAuthNoPriv user can be created.
Only one remote host can be assigned to the same username for SNMP version 3. If you configure the same username with different remote hosts, only the last username and remote host combination will be accepted and will be seen in the show running configuration. In the case of multiple SNMP managers, multiple unique usernames are required.
This example shows the same-username case, in which only the last configuration is accepted:
snmp-server user username nervectrgrp remote 10.69.236.146 udp-port 162 v3 auth sha <password> priv aes 128 <password>
snmp-server user username nervectrgrp remote 10.214.127.2 udp-port 162 v3 auth sha <password> priv aes 128 <password>
snmp-server user username nervectrgrp remote 10.69.236.147 udp-port 162 v3 auth sha <password> priv aes 128 <password>
RP/0/RP0/CPU0:router# show run snmp-server user
snmp-server user username nervectrgrp remote 10.69.236.147 udp-port 162 v3 auth sha encrypted <password> priv aes 128 encrypted <password>
This example shows that all 3 hosts for username1, username2, and username3 are accepted:
snmp-server user username1 nervectrgrp remote 10.69.236.146 udp-port 162 v3 auth sha <password> priv aes 128 <password>
snmp-server user username2 nervectrgrp remote 10.214.127.2 udp-port 162 v3 auth sha <password> priv aes 128 <password>
snmp-server user username3 nervectrgrp remote 10.69.236.147 udp-port 162 v3 auth sha <password> priv aes 128 <password>
RP/0/RP0/CPU0:router# show run snmp-server user
snmp-server user batmanusr1 nervectrgrp remote 10.69.236.146 udp-port 162 v3 auth sha encrypted <password> priv aes 128 encrypted <password>
snmp-server user batmanusr2 nervectrgrp remote 10.214.127.2 udp-port 162 v3 auth sha encrypted <password> priv aes 128 encrypted <password>
snmp-server user batmanusr3 nervectrgrp remote 10.69.236.147 udp-port 162 v3 auth sha encrypted <password> priv aes 128 encrypted <password>
This example shows how to verify the attributes that apply to the SNMP user:
RP/0/RP0/CPU0:router# show snmp user
User name: noauthuser
Engine ID: localSnmpID
storage-type: nonvolatile active
Given the following SNMPv3 view and SNMPv3 group configuration:
!
snmp-server view SNMP_VIEW1 1.3.6.1.2.1.1 included
snmp-server group SNMP_GROUP1 v3 auth notify SNMP_VIEW1 read SNMP_VIEW1 write SNMP_VIEW1
!
This example shows how to create a user with authentication (including encryption), read, and write view access to a system group:
config
snmp-server user userv3authpriv SNMP_GROUP1 v3 auth md5 password123 priv aes 128 password123
Given the following SNMPv3 view and SNMPv3 group configuration:
!
snmp-server view view_name 1.3.6.1.2.1.1 included
snmp-server group group_name v3 auth read view_name write view_name
!
This example shows how to create an authNoPriv user with read and write view access to a system group:
RP/0/RP0/CPU0:router(config)# snmp-server user authuser group_name v3 auth md5 clear auth_passwd
Note: Because the group is configured at a security level of Auth, the user must be configured as “auth” at a minimum to access this group (“priv” users could also access this group). The authNoPriv user configured in this group, authuser, must supply an authentication password to access the view. In the example, auth_passwd is set as the authentication password string. Note that the clear keyword is specified before the auth_passwd password string. The clear keyword indicates that the password string being supplied is unencrypted.
This example shows how to verify the attributes that apply to the SNMP user:
RP/0/RP0/CPU0:router# show snmp user
User name: authuser
Engine ID: localSnmpID
storage-type: nonvolatile active
Given the following SNMPv3 view and SNMPv3 group configuration:
!
snmp-server view view_name 1.3.6.1.2.1.1 included
snmp-server group group_name v3 priv read view_name write view_name
!
This example shows how to create an authPriv user with read and write view access to a system group:
config
snmp-server user privuser group_name v3 auth md5 clear auth_passwd priv des56 clear priv_passwd
Note: Because the group has a security level of Priv, the user must be configured as a “priv” user to access this group. In this example, the user, privuser, must supply both an authentication password and privacy password to access the OIDs in the view.
This example shows how to verify the attributes that apply to the SNMP user:
RP/0/RP0/CPU0:router# show snmp user
User name: privuser
Engine ID: localSnmpID
storage-type: nonvolatile active
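The user rules in this section can be checked offline against a candidate configuration. The following added Python example (not Cisco code; function names are hypothetical) flags a username whose remote host is overwritten by a later line, and a user whose security level is below the level of its group. The sample input is constructed from the command forms on this page, and the priv level given to nervectrgrp is an assumption.

```python
LEVEL = {"noauth": 0, "auth": 1, "priv": 2}

# Constructed sample built from the command forms on this page; the security
# level of nervectrgrp (priv) is an assumption, the page does not show it.
CONFIG = """\
snmp-server group group_name v3 auth read view_name write view_name
snmp-server group nervectrgrp v3 priv
snmp-server user noauthuser group_name v3
snmp-server user authuser group_name v3 auth md5 clear auth_passwd
snmp-server user username nervectrgrp remote 10.69.236.146 udp-port 162 v3 auth sha <password> priv aes 128 <password>
snmp-server user username nervectrgrp remote 10.69.236.147 udp-port 162 v3 auth sha <password> priv aes 128 <password>
"""


def parse_user(tok):
    """Return (name, group, remote host or None, level) for one user line."""
    remote = tok[tok.index("remote", 4) + 1] if "remote" in tok[4:] else None
    opts = tok[tok.index("v3", 4) + 1:]
    if not opts:
        return tok[2], tok[3], remote, "noauth"
    # Skip 'auth <alg> [clear|encrypted] <password>' to see whether 'priv' follows.
    i = 3 if opts[2:3] in (["clear"], ["encrypted"]) else 2
    level = "priv" if opts[i + 1:i + 2] == ["priv"] else "auth"
    return tok[2], tok[3], remote, level


def audit(config):
    """Return findings for overwritten users and user/group level mismatches."""
    groups, users, findings = {}, {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["snmp-server", "group"] and len(tok) >= 5:
            groups[tok[2]] = tok[4]
        elif tok[:2] == ["snmp-server", "user"] and len(tok) >= 5:
            name, group, remote, level = parse_user(tok)
            if name in users and users[name][1] != remote:
                # Per the page, only the last username/remote-host pair is kept.
                findings.append(f"{name}: remote {users[name][1]} overwritten by {remote}")
            users[name] = (group, remote, level)
    for name, (group, _, level) in users.items():
        need = groups.get(group)
        if need is not None and LEVEL[level] < LEVEL.get(need, 0):
            findings.append(f"{name}: {level} user below {need} group {group}")
    return findings
```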