-
SNMP Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
-
action (event) through rising (test threshold)
-
sample (event trigger) through snmp mib event sample
-
snmp mib event trigger owner through snmp-server enable informs
-
snmp-server enable traps ospf cisco-specific state-change through snmp-server enable traps voice poor-qov
-
snmp-server enable traps through snmp-server enable traps ospf cisco-specific retransmit
-
snmp-server engineID local through snmp trap link-status
-
startup (test boolean) through write mib-data
-
Index
-
Feedback
Contents
snmp-server engineID local through snmp trap link-status
- snmp-server engineID local
- snmp-server group
- snmp-server host
- snmp-server inform
- snmp-server location
- snmp-server packetsize
- snmp-server system-shutdown
- snmp-server tftp-server-list
- snmp-server trap-source
- snmp-server user
- snmp-server view
snmp-server engineID local
To specify the Simple Network Management Protocol (SNMP) engine ID on the local device, use the snmp-server engineID local command in global configuration mode. To remove the configured engine ID, use the no form of this command.
Command Default
An SNMP engine ID is generated automatically but is not displayed or stored in the running configuration. You can display the default or configured engine ID by using the show snmp engineID command.
Command History
Release
Modification
12.0(3)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 3.2SE
This command was implemented in Cisco IOS XE Release 3.2SE.
Cisco IOS XE Release 3.3SE
This command was implemented in Cisco IOS XE Release 3.3SE.
Usage Guidelines
The SNMP engine ID is a unique string used to identify the device for administrative purposes. You do not need to specify an engine ID for the device; a default string is generated using Cisco’s enterprise number (1.3.6.1.4.1.9) and the MAC address of the first interface on the device. For further details on the SNMP engine ID, see RFC 2571.
If you specify your own ID, note that the entire 24-character engine ID is not needed if it contains trailing zeros. Specify only the portion of the engine ID up until the point where only zeros remain in the value. For example, to configure an engine ID of 123400000000000000000000, you can specify snmp-server engineID local 1234.
The value for the engine ID is displayed in hexadecimal value pairs. If the length of the input is an odd number, the last digit will be prepended with a zero ("0"). For example, if the engine ID is 12345, the ID is treated as 12:34:05 internally. Hence, the engine ID is displayed as 123405 in the show running configuration command output.
Changing the value of the SNMP engine ID has significant effects. A user's password (entered on the command line) is converted to a message digest5 algorithm (MD5) or Secure Hash Algorithm (SHA) security digest. This digest is based on both the password and the local engine ID. The command line password is then destroyed, as required by RFC 2274. Because of this deletion, if the local value of the engineID changes, the security digests of SNMPv3 users will become invalid, and the users will have to be reconfigured.
Similar restrictions require the reconfiguration of community strings when the engine ID changes. A remote engine ID is required when an SNMPv3 inform is configured. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
snmp-server group
To configure a new Simple Network Management Protocol (SNMP) group, use the snmp-server group command in global configuration mode. To remove a specified SNMP group, use the no form of this command.
snmp-server group group-name { v1 | v2c | v3 { auth | noauth | priv } } [ context context-name ] [ read read-view ] [ write write-view ] [ notify notify-view ] [ access [ ipv6 named-access-list ] [ acl-number | acl-name ] ]
no snmp-server group group-name { v1 | v2c | v3 { auth | noauth | priv } } [ context context-name ]
Syntax Description
group-name
Name of the group.
v1
Specifies that the group is using the SNMPv1 security model. SNMPv1 is the least secure of the possible SNMP security models.
v2c
Specifies that the group is using the SNMPv2c security model.
The SNMPv2c security model allows informs to be transmitted and supports 64-character strings.
v3
Specifies that the group is using the SNMPv3 security model.
SMNPv3 is the most secure of the supported security models. It allows you to explicitly configure authentication characteristics.
auth
Specifies authentication of a packet without encrypting it.
noauth
Specifies no authentication of a packet.
priv
Specifies authentication of a packet with encryption.
context
(Optional) Specifies the SNMP context to associate with this SNMP group and its views.
context-name
(Optional) Context name.
read
(Optional) Specifies a read view for the SNMP group. This view enables you to view only the contents of the agent.
read-view
(Optional) String of a maximum of 64 characters that is the name of the view.
The default is that the read-view is assumed to be every object belonging to the Internet object identifier (OID) space (1.3.6.1), unless the read option is used to override this state.
write
(Optional) Specifies a write view for the SNMP group. This view enables you to enter data and configure the contents of the agent.
write-view
(Optional) String of a maximum of 64 characters that is the name of the view.
The default is that nothing is defined for the write view (that is, the null OID). You must configure write access.
notify
(Optional) Specifies a notify view for the SNMP group. This view enables you to specify a notify, inform, or trap.
notify-view
(Optional) String of a maximum of 64 characters that is the name of the view.
By default, nothing is defined for the notify view (that is, the null OID) until the snmp-server host command is configured. If a view is specified in the snmp-server group command, any notifications in that view that are generated will be sent to all users associated with the group (provided a SNMP server host configuration exists for the user).
Cisco recommends that you let the software autogenerate the notify view. See the “Configuring Notify Views” section in this document.
access
(Optional) Specifies a standard access control list (ACL) to associate with the group.
ipv6
(Optional) Specifies an IPv6 named access list. If both IPv6 and IPv4 access lists are indicated, the IPv6 named access list must appear first in the list.
named-access-list
(Optional) Name of the IPv6 access list.
acl-number
(Optional) The acl-numberargument is an integer from 1 to 99 that identifies a previously configured standard access list.
acl-name
(Optional) The acl-name argument is a string of a maximum of 64 characters that is the name of a previously configured standard access list.
Command History
Release
Modification
11.(3)T
This command was introduced.
12.0(23)S
The context context-name keyword and argument pair was added.
12.3(2)T
The context context-name keyword and argument pair was integrated into Cisco IOS Release 12.3(2)T, and support for standard named access lists (acl-name) was added.
12.0(27)S
The ipv6 named-access-list keyword and argument pair was added.
12.2(25)S
This command was integrated into Cisco IOS Release 12.2(25)S.
12.3(14)T
The ipv6 named-access-list keyword and argument pair was integrated into Cisco IOS Release 12.3(14)T.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Cisco IOS XE Release 2.1
This command was introduced on Cisco ASR 1000 Series Routers.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Cisco IOS XE Release 3.2SE
This command was implemented in Cisco IOS XE Release 3.2SE.
Cisco IOS XE Release 3.3SE
This command was implemented in Cisco IOS XE Release 3.3SE.
Usage Guidelines
When a community string is configured internally, two groups with the name public are autogenerated, one for the v1 security model and the other for the v2c security model. Similarly, deleting a community string will delete a v1 group with the name public and a v2c group with the name public.
No default values exist for authentication or privacy algorithms when you configure the snmp-server group command. Also, no default passwords exist. For information about specifying a Message Digest 5 (MD5) password, see the documentation of the snmp-server user command.
Configuring Notify Views
The notify-view option is available for two reasons:
- If a group has a notify view that is set using SNMP, you may need to change the notify view.
- The snmp-server host command may have been configured before the snmp-server group command. In this case, you must either reconfigure the snmp-server host command, or specify the appropriate notify view.
Specifying a notify view when configuring an SNMP group is not recommended, for the following reasons:
- The snmp-server host command autogenerates a notify view for the user, and then adds it to the group associated with that user.
- Modifying the group’s notify view will affect all users associated with that group.
Instead of specifying the notify view for a group as part of the snmp-server group command, use the following commands in the order specified:
- snmp-server user --Configures an SNMP user.
- snmp-server group --Configures an SNMP group, without adding a notify view .
- snmp-server host --Autogenerates the notify view by specifying the recipient of a trap operation.
SNMP Contexts
SNMP contexts provide VPN users with a secure way of accessing MIB data. When a VPN is associated with a context, that VPN’s specific MIB data exists in that context. Associating a VPN with a context enables service providers to manage networks with multiple VPNs. Creating and associating a context with a VPN enables a provider to prevent the users of one VPN from accessing information about users of other VPNs on the same networking device.
Use this command with the context context-name keyword and argument to associate a read, write, or notify SNMP view with an SNMP context.
Examples
The following example shows how to create the SNMP server group “public,” allowing read-only access for all objects to members of the standard named access list “lmnop”:
Router(config)# snmp-server group public v2c access lmnopExamples
The following example shows how to remove the SNMP server group “public” from the configuration:
Router(config)# no snmp-server group public v2cExamples
The following example shows SNMP context “A” associated with the views in SNMPv2c group “GROUP1”:
Router(config)# snmp-server context A Router(config)# snmp mib community commA Router(config)# snmp mib community-map commA context A target-list commAVpn Router(config)# snmp-server group GROUP1 v2c context A read viewA write viewA notify viewBRelated Commands
Command
Description
show snmp group
Displays the names of groups on the router and the security model, the status of the different views, and the storage type of each group.
snmp mib community-map
Associates a SNMP community with an SNMP context, engine ID, security name, or VPN target list.
snmp-server host
Specifies the recipient of a SNMP notification operation.
snmp-server user
Configures a new user to a SNMP group.
snmp-server host
To specify the recipient of a Simple Network Management Protocol (SNMP) notification operation, use the snmp-server host command in global configuration mode. To remove the specified host from the configuration, use the no form of this command.
snmp-server host { hostname | ip-address } [ vrf vrf-name | informs | traps | version { 1 | 2c | 3 [ auth | noauth | priv ] } ] community-string [ udp-port port [notification-type] | notification-type ]
no snmp-server host { hostname | ip-address } [ vrf vrf-name | informs | traps | version { 1 | 2c | 3 [ auth | noauth | priv ] } ] community-string [ udp-port port [notification-type] | notification-type ]
Command Syntax on Cisco ME 3400, ME 3400E, and Catalyst 3750 Metro Switches
snmp-server host ip-address { community-string | informs | traps } { community-string | version { 1 | 2c | 3 { auth | noauth } } } { community-string | vrf vrf-name { informs | traps } } [ notification-type ]
no snmp-server host ip-address { community-string | informs | traps } { community-string | version { 1 | 2c | 3 { auth | noauth } } } { community-string | vrf vrf-name { informs | traps } } [ notification-type ]
Command Syntax on Cisco 7600 Series Router
snmp-server host ip-address { community-string | { informs | traps } { community-string | version { 1 | 2c | 3 { auth | noauth | priv } } community-string | version { 1 | 2c | 3 { auth | noauth | priv } } community-string | vrf vrf-name { informs | traps } { community-string | version { 1 | 2c | 3 { auth | noauth | priv } } community-string } } } [notification-type]
no snmp-server host ip-address { community-string | { informs | traps } { community-string | version { 1 | 2c | 3 { auth | noauth | priv } } community-string | version { 1 | 2c | 3 { auth | noauth | priv } } community-string | vrf vrf-name { informs | traps } { community-string | version { 1 | 2c | 3 { auth | noauth | priv } } community-string } } } [notification-type]
Syntax Description
Command Default
This command behavior is disabled by default. A recipient is not specified to receive notifications.
Command History
Release
Modification
10.0
This command was introduced.
12.0(3)T
This command was modified.
12.1(3)T
This command was modified. The calltracker notification-type keyword was added for the Cisco AS5300 and AS5800 platforms.
12.2(2)T
This command was modified.
12.2(4)T
This command was modified.
12.2(8)T
This command was modified.
12.2(13)T
This command was modified.
12.3(2)T
This command was modified.
12.3(4)T
This command was modified.
12.3(8)T
This command was modified. The iplocalpool notification-type keyword was added for the Cisco 7200 and 7301 series routers.
12.3(11)T
This command was modified. The vrrp keyword was added.
12.3(14)T
This command was modified.
12.4(20)T
This command was modified. The license notification-type keyword was added.
15.0(1)M
This command was modified.
12.0(17)ST
This command was modified. The mpls-traffic-eng notification-type keyword was added.
12.0(21)ST
This command was modified. The mpls-ldp notification-type keyword was added.
12.0(22)S
This command was modified.
12.0(23)S
This command was modified. The l2tun-session notification-type keyword was added.
12.0(26)S
This command was modified. The memory notification-type keyword was added.
12.0(27)S
This command was modified.
12.0(31)S
This command was modified. The l2tun-pseudowire-status notification-type keyword was added.
12.2(18)S
This command was integrated into Cisco IOS Release 12.2(18)S.
12.2(25)S
This command was modified.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(31)SB2
The cef notification-type keyword was added.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
12.2(33)SXI5
This command was modified.
12.2(54)SE
This command was modified. See the snmp-server host for the command syntax for these switches.
12.2(33)SXJ
This command was integrated into Cisco IOS Release 12.2(33)SXJ. The public storm-control notification-type keyword was added.
15.0(1)S
This command was modified. The flowmon notification-type keyword was added.
Cisco IOS XE Release 2.1
This command was integrated into Cisco IOS XE Release 2.1.
15.2(1)S
This command was modified. The p2mp-traffic-eng notification-type keyword was added.
Cisco IOS XE Release 3.2SE
This command was implemented in Cisco IOS XE Release 3.2SE.
Cisco IOS XE Release 3.3SE
This command was implemented in Cisco IOS XE Release 3.3SE.
Usage Guidelines
If you enter this command with no optional keywords, the default is to send all notification-type traps to the host. No informs will be sent to the host.
The no snmp-server host command with no keywords disables traps, but not informs, to the host. To disable informs, use the no snmp-server host informs command.
Note
If a community string is not defined using the snmp-server community command prior to using this command, the default form of the snmp-server community command will automatically be inserted into the configuration. The password (community string) used for this automatic configuration of the snmp-server community command will be the same as that specified in the snmp-server host command. This automatic command insertion and use of passwords is the default behavior for Cisco IOS Release 12.0(3) and later releases. However, in Cisco IOS Release 12.2(33)SRE and later releases, you must manually configure the snmp-server community command. That is, the snmp-server community command will not be seen in the configuration.
SNMP notifications can be sent as traps or inform requests. Traps are unreliable because the receiver does not send acknowledgments when it receives traps. The sender cannot determine if the traps were received. However, an SNMP entity that receives an inform request acknowledges the message with an SNMP response protocol data unit (PDU). If the sender never receives the response, the inform request can be sent again. Thus, informs are more likely to reach their intended destination than traps.
Compared to traps, informs consume more resources in the agent and in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request must be held in memory until a response is received or the request times out. Also, traps are sent only once; an inform may be tried several times. The retries increase traffic and contribute to a higher overhead on the network.
If you do not enter an snmp-server host command, no notifications are sent. To configure the router to send SNMP notifications, you must enter at least one snmp-server host command. If you enter the command with no optional keywords, all trap types are enabled for the host.
To enable multiple hosts, you must issue a separate snmp-server host command for each host. You can specify multiple notification types in the command for each host.
When multiple snmp-server host commands are given for the same host and kind of notification (trap or inform), each succeeding command overwrites the previous command. Only the last snmp-server host command will be in effect. For example, if you enter an snmp-server host inform command for a host and then enter another snmp-server host inform command for the same host, the second command will replace the first.
The snmp-server host command is used in conjunction with the snmp-server enable command. Use the snmp-server enable command to specify which SNMP notifications are sent globally. For a host to receive most notifications, at least one snmp-server enable command and the snmp-server host command for that host must be enabled.
Some notification types cannot be controlled with the snmp-server enable command. Some notification types are always enabled, and others are enabled by a different command. For example, the linkUpDown notifications are controlled by the snmp trap link-status command. These notification types do not require an snmp-server enable command.
The availability of notification-type options depends on the router type and the Cisco IOS software features supported on the router. For example, the envmon notification type is available only if the environmental monitor is part of the system. To see what notification types are available on your system, use the command help ? at the end of the snmp-server host command.
The vrf keyword allows you to specify the notifications being sent to a specified IP address over a specific VRF VPN. The VRF defines a VPN membership of a user so that data is stored using the VPN.
In the case of the NMS sending the query having a correct SNMP community but not having a read or a write view, the SNMP agent returns the following error values:
- For a get or a getnext query, returns GEN_ERROR for SNMPv1 and AUTHORIZATION_ERROR for SNMPv2C.
- For a set query, returns NO_ACCESS_ERROR.
Notification-Type Keywords
The notification type can be one or more of the following keywords.
Note
The available notification types differ based on the platform and Cisco IOS release. For a complete list of available notification types, use the question mark (?) online help function.
- aaa server --Sends SNMP authentication, authorization, and accounting (AAA) traps.
- adslline --Sends Asymmetric Digital Subscriber Line (ADSL) LINE-MIB traps.
- atm --Sends ATM notifications.
- authenticate-fail --Sends an SNMP 802.11 Authentication Fail trap.
- auth-framework --Sends SNMP CISCO-AUTH-FRAMEWORK-MIB notifications.
- bgp --Sends Border Gateway Protocol (BGP) state change notifications.
- bridge --Sends SNMP STP Bridge MIB notifications.
- bstun --Sends Block Serial Tunneling (BSTUN) event notifications.
- bulkstat --Sends Data-Collection-MIB notifications.
- c6kxbar --Sends SNMP crossbar notifications.
- callhome --Sends Call Home MIB notifications.
- calltracker -- Sends Call Tracker call-start/call-end notifications.
- casa --Sends Cisco Appliances Services Architecture (CASA) event notifications.
- ccme --Sends SNMP Cisco netManager Event (CCME) traps.
- cef --Sends notifications related to Cisco Express Forwarding.
- chassis --Sends SNMP chassis notifications.
- cnpd --Sends Cisco Network-based Application Recognition (NBAR) Protocol Discovery (CNPD) traps.
- config --Sends configuration change notifications.
- config-copy --Sends SNMP config-copy notifications.
- config-ctid --Sends SNMP config-ctid notifications.
- cpu --Sends CPU-related notifications.
- csg --Sends SNMP Content Services Gateway (CSG) notifications.
- deauthenticate --Sends an SNMP 802.11 Deauthentication trap.
- dhcp-snooping --Sends DHCP snooping MIB notifications.
- director --Sends notifications related to DistributedDirector.
- disassociate --Sends an SNMP 802.11 Disassociation trap.
- dlsw --Sends data-link switching (DLSW) notifications.
- dnis --Sends SNMP Dialed Number Identification Service (DNIS) traps.
- dot1x --Sends 802.1X notifications.
- dot11-mibs --Sends dot11 traps.
- dot11-qos --Sends SNMP 802.11 QoS Change trap.
- ds1 --Sends SNMP digital signaling 1 (DS1) notifications.
- ds1-loopback --Sends ds1-loopback traps.
- dspu --Sends downstream physical unit (DSPU) notifications.
- eigrp --Sends Enhanced Interior Gateway Routing Protocol (EIGRP) stuck-in-active (SIA) and neighbor authentication failure notifications.
- energywise --Sends SNMP energywise notifications.
- entity --Sends Entity MIB modification notifications.
- entity-diag --Sends SNMP entity diagnostic MIB notifications.
- envmon --Sends Cisco enterprise-specific environmental monitor notifications when an environmental threshold is exceeded.
- errdisable --Sends error disable notifications.
- ethernet-cfm --Sends SNMP Ethernet Connectivity Fault Management (CFM) notifications.
- event-manager --Sends SNMP Embedded Event Manager notifications.
- firewall --Sends SNMP Firewall traps.
- flash --Sends flash media insertion and removal notifications.
- flexlinks --Sends FLEX links notifications.
- flowmon --Sends flow monitoring notifications.
- frame-relay --Sends Frame Relay notifications.
- fru-ctrl --Sends entity field-replaceable unit (FRU) control notifications.
- hsrp --Sends Hot Standby Routing Protocol (HSRP) notifications.
- icsudsu --Sends SNMP ICSUDSU traps.
- iplocalpool --Sends IP local pool notifications.
- ipmobile --Sends Mobile IP notifications.
- ipmulticast --Sends IP multicast notifications.
- ipsec --Sends IP Security (IPsec) notifications.
- isakmp --Sends SNMP ISAKMP notifications.
- isdn --Sends ISDN notifications.
- l2tc --Sends SNMP L2 tunnel configuration notifications.
- l2tun-pseudowire-status --Sends pseudowire state change notifications.
- l2tun-session --Sends Layer 2 tunneling session notifications.
- license --Sends licensing notifications as traps or informs.
- llc2 --Sends Logical Link Control, type 2 (LLC2) notifications.
- mac-notification --Sends SNMP MAC notifications.
- memory --Sends memory pool and memory buffer pool notifications.
- module --Sends SNMP module notifications.
- module-auto-shutdown --Sends SNMP module autoshutdown MIB notifications.
- mpls-fast-reroute --Sends SNMP Multiprotocol Label Switching (MPLS) traffic engineering fast reroute notifications.
- mpls-ldp --Sends MPLS Label Distribution Protocol (LDP) notifications indicating status changes in LDP sessions.
- mpls-traffic-eng --Sends MPLS traffic engineering notifications, indicating changes in the status of MPLS traffic engineering tunnels.
- mpls-vpn --Sends MPLS VPN notifications.
- msdp --Sends SNMP Multicast Source Discovery Protocol (MSDP) notifications.
- mvpn --Sends multicast VPN notifications.
- nhrp --Sends Next Hop Resolution Protocol (NHRP) notifications.
- ospf --Sends Open Shortest Path First (OSPF) sham-link notifications.
- pim --Sends Protocol Independent Multicast (PIM) notifications.
- port-security --Sends SNMP port-security notifications.
- power-ethernet --Sends SNMP power Ethernet notifications.
- public storm-control --Sends SNMP public storm-control notifications.
- pw-vc --Sends SNMP pseudowire virtual circuit (VC) notifications.
- p2mp-traffic-eng--Sends SNMP MPLS Point to Multi-Point MPLS-TE notifications.
- repeater --Sends standard repeater (hub) notifications.
- resource-policy --Sends CISCO-ERM-MIB notifications.
- rf --Sends SNMP RF MIB notifications.
- rogue-ap --Sends an SNMP 802.11 Rogue AP trap.
- rsrb --Sends remote source-route bridging (RSRB) notifications.
- rsvp --Sends Resource Reservation Protocol (RSVP) notifications.
- rtr --Sends Response Time Reporter (RTR) notifications.
- sdlc --Sends Synchronous Data Link Control (SDLC) notifications.
- sdllc --Sends SDLC Logical Link Control (SDLLC) notifications.
- slb --Sends SNMP server load balancer (SLB) notifications.
- sonet --Sends SNMP SONET notifications.
- srp --Sends Spatial Reuse Protocol (SRP) notifications.
- stpx --Sends SNMP STPX MIB notifications.
- srst --Sends SNMP Survivable Remote Site Telephony (SRST) traps.
- stun --Sends serial tunnel (STUN) notifications.
- switch-over --Sends an SNMP 802.11 Standby Switchover trap.
- syslog --Sends error message notifications (Cisco Syslog MIB). Use the logging history level command to specify the level of messages to be sent.
- syslog --Sends error message notifications (Cisco Syslog MIB). Use the logging history level command to specify the level of messages to be sent.
- tty --Sends Cisco enterprise-specific notifications when a TCP connection closes.
- udp-port --Sends the notification host’s UDP port number.
- vlan-mac-limit --Sends SNMP L2 control VLAN MAC limit notifications.
- vlancreate --Sends SNMP VLAN created notifications.
- vlandelete --Sends SNMP VLAN deleted notifications.
- voice --Sends SNMP voice traps.
- vrrp --Sends Virtual Router Redundancy Protocol (VRRP) notifications.
- vsimaster --Sends Virtual Switch Interface (VSI) Master notifications.
- vswitch --Sends SNMP virtual switch notifications.
- vtp --Sends SNMP VLAN Trunking Protocol (VTP) notifications.
- wlan-wep --Sends an SNMP 802.11 Wireless LAN (WLAN) Wired Equivalent Privacy (WEP) trap.
- x25 --Sends X.25 event notifications.
- xgcp --Sends External Media Gateway Control Protocol (XGCP) traps.
SNMP-Related Notification-Type Keywords
The notification-type argument used in the snmp-server host command do not always match the keywords used in the corresponding snmp-server enable traps command. For example, the notification-type argument applicable to Multiprotocol Label Switching Protocol (MPLS) traffic engineering tunnels is specified as mpls-traffic-eng (containing two hyphens and no embedded spaces). The corresponding parameter in the snmp-server enable traps command is specified as mpls traffic-eng (containing an embedded space and a hyphen).
This syntax difference is necessary to ensure that the CLI interprets the notification-type keyword of the snmp-server host command as a unified, single-word construct, which preserves the capability of the snmp-server host command to accept multiple notification-type keywords in the command line. The snmp-server enable traps commands, however, often use two-word constructs to provide hierarchical configuration options and to maintain consistency with the command syntax of related commands. The table below maps some examples of snmp-server enable traps commands to the keywords used in the snmp-server host command.
Table 1 snmp-server enable traps Commands and Corresponding Notification Keywords snmp-server enable traps Command
snmp-server host Command Keyword
snmp-server enable traps l2tun session
l2tun-session
snmp-server enable traps mpls ldp
mpls-ldp
snmp-server enable traps mpls traffic-eng 1
mpls-traffic-eng
snmp-server enable traps mpls vpn
mpls-vpn
snmp-server host host-address community-string udp-port port p2mp-traffic-eng
snmp-server enable traps mpls p2mp-traffic-eng [down | up]
1 See the Cisco IOS Multiprotocol Label Switching Command Reference for documentation of this command.Examples
If you want to configure a unique SNMP community string for traps but prevent SNMP polling access with this string, the configuration should include an access list. The following example shows how to name a community string comaccess and number an access list 10:
Router(config)# snmp-server community comaccess ro 10 Router(config)# snmp-server host 10.0.0.0 comaccess Router(config)# access-list 10 deny any
Note
The “at” sign (@) is used as a delimiter between the community string and the context in which it is used. For example, specific VLAN information in BRIDGE-MIB may be polled using community @VLAN-ID (for example, public@100), where 100 is the VLAN number.
The following example shows how to send RFC 1157 SNMP traps to a specified host named myhost.cisco.com. Other traps are enabled, but only SNMP traps are sent because only snmp is specified in the snmp-server host command. The community string is defined as comaccess.
Router(config)# snmp-server enable traps Router(config)# snmp-server host myhost.cisco.com comaccess snmpThe following example shows how to send the SNMP and Cisco environmental monitor enterprise-specific traps to address 10.0.0.0 using the community string public:
Router(config)# snmp-server enable traps snmp Router(config)# snmp-server enable traps envmon Router(config)# snmp-server host 10.0.0.0 public snmp envmonThe following example shows how to enable the router to send all traps to the host myhost.cisco.com using the community string public:
Router(config)# snmp-server enable traps Router(config)# snmp-server host myhost.cisco.com publicThe following example will not send traps to any host. The BGP traps are enabled for all hosts, but only the ISDN traps are enabled to be sent to a host. The community string is defined as public.
Router(config)# snmp-server enable traps bgp Router(config)# snmp-server host myhost.cisco.com public isdnThe following example shows how to enable the router to send all inform requests to the host myhost.cisco.com using the community string public:
Router(config)# snmp-server enable traps Router(config)# snmp-server host myhost.cisco.com informs version 2c publicThe following example shows how to send HSRP MIB informs to the host specified by the name myhost.cisco.com. The community string is defined as public.
Router(config)# snmp-server enable traps hsrp Router(config)# snmp-server host myhost.cisco.com informs version 2c public hsrpThe following example shows how to send all SNMP notifications to example.com over the VRF named trap-vrf using the community string public:
Router(config)# snmp-server host example.com vrf trap-vrf publicThe following example shows how to configure an IPv6 SNMP notification server with the IPv6 address 2001:0DB8:0000:ABCD:1 using the community string public:
Router(config)# snmp-server host 2001:0DB8:0000:ABCD:1 version 2c public udp-port 2012The following example shows how to specify VRRP as the protocol using the community string public:
Router(config)# snmp-server enable traps vrrp Router(config)# snmp-server host myhost.cisco.com traps version 2c public vrrpThe following example shows how to send all Cisco Express Forwarding informs to the notification receiver with the IP address 10.0.1.1 using the community string public:
Router(config)# snmp-server enable traps cef Router(config)# snmp-server host 10.0.1.1 informs version 2c public cefThe following example shows how to enable all NHRP traps, and how to send all NHRP traps to the notification receiver with the IP address 10.0.0.0 using the community string public:
Router(config)# snmp-server enable traps nhrp Router(config)# snmp-server host 10.0.0.0 traps version 2c public nhrpThe following example shows how to enable all P2MP MPLS-TE SNMP traps, and send them to the notification receiver with the IP address 172.20.2.160 using the community string "comp2mppublic":
Router(config)# snmp-server enable traps mpls p2mp-traffic-eng Router(config)# snmp-server host 172.20.2.160 comp2mppublic udp-port 162 p2mp-traffic-engRelated Commands
Command
Description
show snmp host
Displays recipient details configured for SNMP notifications.
snmp-server enable peer-trap poor qov
Enables poor quality of voice notifications for applicable calls associated with a specific voice dial peer.
snmp-server enable traps
Enables SNMP notifications (traps and informs).
snmp-server enable traps nhrp
Enables SNMP notifications (traps) for NHRP.
snmp-server informs
Specifies inform request options.
snmp-server link trap
Enables linkUp/linkDown SNMP traps that are compliant with RFC 2233.
snmp-server trap-source
Specifies the interface from which an SNMP trap should originate.
snmp-server trap-timeout
Defines how often to try resending trap messages on the retransmission queue.
test snmp trap storm-control event-rev1
Tests SNMP storm-control traps.
snmp-server inform
To specify inform request options, use the snmp-server informcommand in global configuration mode. To return settings to their default values, use the no form of this command.
snmp-server inform [ pending pending ] [ retries retries ] [ timeout seconds ]
no snmp-server inform [ pending pending ] [ retries retries ] [ timeout seconds ]
Syntax Description
pending
(Optional) Specifies a maximum number of informs waiting for acknowledgment at any one time. When the maximum is reached, older pending informs are discarded.
pending
(Optional) Number of unacknowledged informs to hold. The range is from 1 to 4294967295. The default is 25.
retries
(Optional) Specifies a maximum number of times to resend an inform request.
retries
(Optional) Number of retries. The range is from 1 to 100. The default value is 3.
timeout
(Optional) Specifies a number of seconds to wait for an acknowledgment before resending.
seconds
(Optional) Time in seconds. The range is from 0 to 42949671. The default is 30.
Command Default
Inform requests are resent three times. Informs are resent after 30 seconds if no response is received. The maximum number of informs waiting for acknowledgment at any one time is 25.
Command History
Release
Modification
11.3T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 3.2SE
This command was implemented in Cisco IOS XE Release 3.2SE.
Cisco IOS XE Release 3.3SE
This command was implemented in Cisco IOS XE Release 3.3SE.
Examples
The following example shows how to increase the pending queue size when several informs drop:
Router(config)# snmp-server inform pending 50The following example shows how to increase the default timeout when you send informs over slow network links. Because informs will remain in the queue longer than other types of messages, you also may need to increase the pending queue size.
snmp-server inform timeout 60 pending 40The following example shows how to decrease the default timeout when you send informs over very fast links:
Router(config)# snmp-server inform timeout 5The following example shows how to increase the retry count when you send informs over unreliable links. Because informs will remain in the queue longer than other types of messages, you may need to increase the pending queue size.
Router(config)# snmp-server inform retries 10 pending 45snmp-server location
To set the system location string, use the snmp-server location command in global configuration mode. To remove the location string, use the no form of this command.
Command History
Release
Modification
10.0
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 3.2SE
This command was implemented in Cisco IOS XE Release 3.2SE.
Cisco IOS XE Release 3.3SE
This command was implemented in Cisco IOS XE Release 3.3SE.
snmp-server packetsize
To establish control over the largest Simple Network Management Protocol (SNMP) packet size permitted when the SNMP server is receiving a request or generating a reply, use the snmp-server packetsize command in global configuration mode. To restore the default value, use the no form of this command.
Command History
Release
Modification
10.0
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 3.2SE
This command was implemented in Cisco IOS XE Release 3.2SE.
Cisco IOS XE Release 3.3SE
This command was implemented in Cisco IOS XE Release 3.3SE.
snmp-server system-shutdown
To use the Simple Network Management Protocol (SNMP) message reload feature, the router configuration must include the snmp-server system-shutdown command in global configuration mode. To prevent an SNMP system-shutdown request (from an SNMP manager) from resetting the Cisco agent, use the noform of this command.
Command History
Release
Modification
10.0
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 3.2SE
This command was implemented in Cisco IOS XE Release 3.2SE.
Cisco IOS XE Release 3.3SE
This command was implemented in Cisco IOS XE Release 3.3SE.
snmp-server tftp-server-list
Note
This command was replaced with the snmp-server file-transfer access-groupcommand in Cisco IOS Release 12.4(12). Use the snmp-server file-transfer access-group command in Cisco IOS Release 12.4(12) and in later releases.
To limit the TFTP servers used via Simple Network Management Protocol (SNMP) controlled TFTP operations (saving and loading configuration files) to the servers specified in an access list, use the snmp-server tftp-server-list command in global configuration mode. To disable this function, use the no form of this command.
snmp-server tftp-server-list { acl-number | acl-name }
no snmp-server tftp-server-list { acl-number | acl-name }
Command History
Release
Modification
10.2
This command was introduced.
12.3(2)T
Support for standard named access lists was added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 3.2SE
This command was implemented in Cisco IOS XE Release 3.2SE.
Cisco IOS XE Release 3.3SE
This command was implemented in Cisco IOS XE Release 3.3SE.
Examples
The following example shows how to limit the TFTP servers that can be used for saving and loading configuration files via SNMP to the servers specified in the standard named access list lmnop:
Router(config)# snmp-server tftp-server-list lmnop
The following example shows how to limit the TFTP servers that can be used for copying configuration files via SNMP to the servers in access list 44:
Router(config)# snmp-server tftp-server-list 44snmp-server trap-source
Note
Effective with Cisco IOS Release 12.2(18)SXB6, the snmp-server trap-source command is replaced by the snmp-server source-interfacecommand. See the snmp-server source-interfacecommand for more information.
To specify the interface (and hence the corresponding IP address) from which a Simple Network Management Protocol (SNMP) trap should originate, use the snmp-server trap-source command in global configuration mode. To remove the source designation, use the no form of the command.
Command History
Release
Modification
10.0
This command was introduced.
12.2(33)SRA
This command was integrated in to Cisco IOS Release 12.2(33)SRA.
12.2(18)SXB6
This command was replaced by the snmp-server source-interfacecommandin Cisco IOS Release 12.2(18)SXB6.
Cisco IOS XE Release 3.2SE
This command was implemented in Cisco IOS XE Release 3.2SE.
Cisco IOS XE Release 3.3SE
This command was implemented in Cisco IOS XE Release 3.3SE.
Usage Guidelines
An SNMP trap or inform sent from a Cisco SNMP server has a notification address of the interface it went out of at that time. Use this command to monitor notifications from a particular interface.
Examples
The following example shows how to set the IP address for Ethernet interface 0 as the source for all SNMP notifications:
Router(config)# snmp-server trap-source ethernet 0The following example shows how to set the IP address for the Ethernet interface in slot 2, port 1 as the source for all SNMP notifications:
Router(config)# snmp-server trap-source ethernet 2/1snmp-server user
To configure a new user to a Simple Network Management Protocol (SNMP) group, use the snmp-server user command in global configuration mode. To remove a user from an SNMP group, use the no form of this command.
snmp-server user username group-name [ remote host [ udp-port port ] [ vrf vrf-name ] ] { v1 | v2c | v3 [encrypted] [ auth { md5 | sha } auth-password ] } [ access [ ipv6 nacl ] [ priv { des | 3des | aes { 128 | 192 | 256 } } privpassword ] { acl-number | acl-name } ]
no snmp-server user username group-name [ remote host [ udp-port port ] [ vrf vrf-name ] ] { v1 | v2c | v3 [encrypted] [ auth { md5 | sha } auth-password ] } [ access [ ipv6 nacl ] [ priv { des | 3des | aes { 128 | 192 | 256 } } privpassword ] { acl-number | acl-name } ]
Syntax Description
username
Name of the user on the host that connects to the agent.
group-name
Name of the group to which the user belongs.
remote
(Optional) Specifies a remote SNMP entity to which the user belongs, and the hostname or IPv6 address or IPv4 IP address of that entity. If both an IPv6 address and IPv4 IP address are being specified, the IPv6 host must be listed first.
host
(Optional) Name or IP address of the remote SNMP host.
udp-port
(Optional) Specifies the User Datagram Protocol (UDP) port number of the remote host.
port
(Optional) Integer value that identifies the UDP port. The default is 162.
vrf
(Optional) Specifies an instance of a routing table.
vrf-name
(Optional) Name of the Virtual Private Network (VPN) routing and forwarding (VRF) table to use for storing data.
v1
Specifies that SNMPv1 should be used.
v2c
Specifies that SNMPv2c should be used.
v3
Specifies that the SNMPv3 security model should be used. Allows the use of the encrypted keyword or auth keyword or both.
encrypted
(Optional) Specifies whether the password appears in encrypted format.
auth
(Optional) Specifies which authentication level should be used.
md5
(Optional) Specifies the HMAC-MD5-96 authentication level.
sha
(Optional) Specifies the HMAC-SHA-96 authentication level.
auth-password
(Optional) String (not to exceed 64 characters) that enables the agent to receive packets from the host.
access
(Optional) Specifies an Access Control List (ACL) to be associated with this SNMP user.
ipv6
(Optional) Specifies an IPv6 named access list to be associated with this SNMP user.
nacl
(Optional) Name of the ACL. IPv4, IPv6, or both IPv4 and IPv6 access lists may be specified. If both are specified, the IPv6 named access list must appear first in the statement.
priv
(Optional) Specifies the use of the User-based Security Model (USM) for SNMP version 3 for SNMP message level security.
des
(Optional) Specifies the use of the 56-bit Digital Encryption Standard (DES) algorithm for encryption.
3des
(Optional) Specifies the use of the 168-bit 3DES algorithm for encryption.
aes
(Optional) Specifies the use of the Advanced Encryption Standard (AES) algorithm for encryption.
128
(Optional) Specifies the use of a 128-bit AES algorithm for encryption.
192
(Optional) Specifies the use of a 192-bit AES algorithm for encryption.
256
(Optional) Specifies the use of a 256-bit AES algorithm for encryption.
privpassword
(Optional) String (not to exceed 64 characters) that specifies the privacy user password.
acl-number
(Optional) Integer in the range from 1 to 99 that specifies a standard access list of IP addresses.
acl-name
(Optional) String (not to exceed 64 characters) that is the name of a standard access list of IP addresses.
Command Default
See the table in the “Usage Guidelines” section for default behaviors for encryption, passwords, and access lists.
Command History
Release
Modification
12.0(3)T
This command was introduced.
12.3(2)T
Support for named standard access lists was added.
12.0(27)S
The ipv6 keyword and naclargument were added to allow for configuration of IPv6 named access lists and IPv6 remote hosts.
12.3(14)T
The ipv6 keyword and naclargument were integrated into Cisco IOS Release 12.3(14)T.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(11)T
The priv keyword and associated arguments were added to enable the use of the USM for SNMP version 3 for SNMP message level security.
12.2(33)SRB
This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Cisco IOS XE Release 2.1
This command was introduced on Cisco ASR 1000 Series Aggregation Services Routers.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Cisco IOS XE Release 3.2SE
This command was implemented in Cisco IOS XE Release 3.2SE.
Cisco IOS XE Release 3.3SE
This command was implemented in Cisco IOS XE Release 3.3SE.
Usage Guidelines
To configure a remote user, specify the IP address or port number for the remote SNMP agent of the device where the user resides. Also, before you configure remote users for a particular agent, configure the SNMP engine ID, using the snmp-server engineID command with the remote keyword. The remote agent’s SNMP engine ID is needed when computing the authentication and privacy digests from the password. If the remote engine ID is not configured first, the configuration command will fail.
For the privpassword and auth-passwordarguments, the minimum length is one character; the recommended length is at least eight characters, and should include both letters and numbers.
The table below describes the default user characteristics for encryption, passwords, and access lists.
Table 2 snmp-server user Default Descriptions Characteristic
Default
Access lists
Access from all IP access lists is permitted.
Encryption
Not present by default. The encrypted keyword is used to specify that the passwords are message digest algorithm 5 (MD5)digests and not text passwords.
Passwords
Assumed to be text strings.
Remote users
All users are assumed to be local to this SNMP engine unless you specify they are remote with the remote keyword.
SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP engine. For informs, the authoritative SNMP agent is the remote agent. You need to configure the remote agent’s SNMP engine ID in the SNMP database before you can send proxy requests or informs to it.
Note
Changing the engine ID after configuring the SNMP user, does not allow to remove the user. To remove the user, you need to first reconfigure the SNMP user.
Working with Passwords and Digests
No default values exist for authentication or privacy algorithms when you configure the command. Also, no default passwords exist. The minimum length for a password is one character, although Cisco recommends using at least eight characters for security. If you forget a password, you cannot recover it and will need to reconfigure the user. You can specify either a plain-text password or a localized MD5 digest.
If you have the localized MD5 or Secure Hash Algorithm (SHA) digest, you can specify that string instead of the plain-text password. The digest should be formatted as aa:bb:cc:dd where aa, bb, and cc are hexadecimal values. Also, the digest should be exactly 16 octets long.
Examples
The following example shows how to add the user abcd to the SNMP server group named public. In this example, no access list is specified for the user, so the standard named access list applied to the group applies to the user.
Router(config)# snmp-server user abcd public v2cThe following example shows how to add the user abcd to the SNMP server group named public. In this example, access rules from the standard named access list qrst apply to the user.
Router(config)# snmp-server user abcd public v2c access qrstIn the following example, the plain-text password cisco123 is configured for the user abcd in the SNMP server group named public:
Router(config)# snmp-server user abcd public v3 auth md5 cisco123When you enter a show running-config command, a line for this user will be displayed. To learn if this user has been added to the configuration, use the show snmp user command.
Note
The show running-config command does not display any of the active SNMP users created in authPriv or authNoPriv mode, though it does display the users created in noAuthNoPriv mode. To display any active SNMPv3 users created in authPriv, authNoPrv, or noAuthNoPriv mode, use the show snmp user command.
If you have the localized MD5 or SHA digest, you can specify that string instead of the plain-text password. The digest should be formatted as aa:bb:cc:dd where aa, bb, and cc are hexadecimal values. Also, the digest should be exactly 16 octets long.
In the following example, the MD5 digest string is used instead of the plain-text password:
Router(config)# snmp-server user abcd public v3 encrypted auth md5 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FFIn the following example, the user abcd is removed from the SNMP server group named public:
Router(config)# no snmp-server user abcd public v2cIn the following example, the user abcd from the SNMP server group named public specifies the use of the 168-bit 3DES algorithm for privacy encryption with secure3des as the password.
Router(config)# snmp-server user abcd public priv v2c 3des secure3desRelated Commands
Command
Description
show running-config
Displays the contents of the currently running configuration file or the configuration for a specific interface, or map class information.
show snmp user
Displays information on each SNMP username in the group username table.
snmp-server engineID
Displays the identification of the local SNMP engine and all remote engines that have been configured on the router.
snmp-server view
To create or update a view entry, use the snmp-server view command in global configuration mode. To remove the specified Simple Network Management Protocol (SNMP) server view entry, use the noform of this command.
Syntax Description
view-name
Label for the view record that you are updating or creating. The name is used to reference the record.
oid-tree
Object identifier of the ASN.1 subtree to be included or excluded from the view. To identify the subtree, specify a text string consisting of numbers, such as 1.3.6.2.4, or a word, such as system. Replace a single subidentifier with the asterisk (*) wildcard to specify a subtree family; for example 1.3.*.4.
included
Configures the OID (and subtree OIDs) specified in oid-tree argument to be included in the SNMP view.
excluded
Configures the OID (and subtree OIDs) specified in oid-tree argument to be explicitly excluded from the SNMP view.
Command History
Release
Modification
10.0
This command was introduced.
12.3(4)T
This command was modified to exclude USM, VACM, and Community MIBs from any parent OIDs in a configured view by default.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 3.2SE
This command was implemented in Cisco IOS XE Release 3.2SE.
Cisco IOS XE Release 3.3SE
This command was implemented in Cisco IOS XE Release 3.3SE.
Usage Guidelines
Other SNMP commands require an SMP view as an argument. You use this command to create a view to be used as arguments for other commands.
Two standard predefined views can be used when a view is required, instead of defining a view. One is everything, which indicates that the user can see all objects. The other is restricted,which indicates that the user can see three groups: system, snmpStats, and snmpParties. The predefined views are described in RFC 1447.
Note
Beginning in Release 12.0(26)S and 12.2(2)T, the USM, VACM, and Community MIBs are excluded from any parent OIDs in a configured view by default. If you wish to include these MIBs in a view, you must now explicitly include them.
The first snmp-server command that you enter enables SNMP on your routing device.
Examples
The following example creates a view that includes all objects in the MIB-II subtree:
snmp-server view mib2 mib-2 includedThe following example creates a view that includes all objects in the MIB-II system group and all objects in the Cisco enterprise MIB:
snmp-server view root_view system included snmp-server view root_view cisco includedThe following example creates a view that includes all objects in the MIB-II system group except for sysServices (System 7) and all objects for interface 1 in the MIB-II interfaces group:
snmp-server view agon system included snmp-server view agon system.7 excluded snmp-server view agon ifEntry.*.1 includedIn the following example, the USM, VACM, and Community MIBs are explicitly included in the view “test” with all other MIBs under the root parent “internet”:
! -- include all MIBs under the parent tree “internet” snmp-server view test internet included ! -- include snmpUsmMIB snmp-server view test 1.3.6.1.6.3.15 included ! -- include snmpVacmMIB snmp-server view test 1.3.6.1.6.3.16 included ! -- exclude snmpCommunityMIB snmp-server view test 1.3.6.1.6.3.18 excluded
