SNMP
SNMP Introduction
Arista Networks switches support many standard SNMP MIBs, making it easier to integrate these platforms into existing network management infrastructures.
With only a few configurations, many public domain and commercially available network management tools can quickly manage Arista switches out of the box. Support of SNMP V2 groups and views and V3 security allows network managers to tune switch monitoring to match the administration policy of the IT organization.
SNMP Conceptual Overview
Simple Network Management Protocol (SNMP) is a protocol that provides a standardized framework and a common language to monitor and manage network devices.
SNMP Structure
- SNMP manager: The SNMP manager controls and monitors network host activities and is typically part of a Network Management System (NMS).
- SNMP agent: The SNMP agent is the managed device component that manages and reports device information to the manager.
- Management Information Base (MIB): The MIB stores network management information.
The agent and MIB reside on the switch. Enabling the SNMP agent requires the definition of the manager-agent relationship. The agent contains MIB variables whose values the manager can request or change. The agent gathers data from the MIB and responds to requests for information. For a list of supported MIBs, refer to the release notes for the specific EOS version.
This chapter discusses enabling the SNMP agent on an Arista switch and controlling notification transmissions from the agent. Information on using SNMP management systems is available in the appropriate documentation for the corresponding NMS application.
SNMP Notifications
SNMP notifications are messages, sent by the agent, informing of an event or a network condition. A trap is an unsolicited notification. An inform (or inform request) is a trap that includes a request for a confirmation that the message is received. Events that a notification can indicate include improper user authentication, restart, and connection losses.
For a list of supported traps, refer to the release notes for the specific EOS version.
SNMP Versions
- SNMPv1: The Simple Network Management Protocol, defined in RFC 1157. Security is based on community strings.
- SNMPv2c: Community-string based Administrative Framework for SNMPv2, defined in RFC 1901, RFC 1905, and RFC 1906. Security is based on SNMPv1.
- SNMPv3: Version 3, as defined in RFC 2273 to RFC 2275.
SNMP Authentication and Encryption Methods
- Authentication
  - MD5
  - SHA-1
  - SHA-224
  - SHA-256
  - SHA-384
  - SHA-512
- Encryption
  - AES
  - DES
  - AES-192
  - AES-256
- When using AES-192 for encryption/privacy, use a minimum of SHA-224 for authentication.
- When using AES-256 for encryption/privacy, use a minimum of SHA-256 for authentication.
Configuring SNMP
Enabling and Disabling SNMP
SNMP is enabled globally by issuing any snmp-server community or snmp-server user command. The no snmp-server command disables SNMP agent operation by removing all non-default snmp-server commands from running-config.
Enabling SNMP in a VRF
By default, SNMP is enabled only in the default VRF. The switch can only send SNMP traps and informs if the host that has been configured to receive them is accessible through an interface in a VRF in which SNMP has been enabled.
To enable or disable SNMP in a VRF, use the snmp-server vrf command.
Configuring Community Access Control
SNMP community strings serve as passwords that permit an SNMP manager to access the agent on the switch. A Network Management System (NMS) can access the switch only if its community string matches at least one of the switch's community strings.
The snmp-server community command configures the community string.
Example
This command adds the community string ab_1 to provide read-only access to the switch agent.
switch(config)# snmp-server community ab_1 ro
switch(config)#
Community statements can reference views to limit MIB objects that are available to a manager. A view is a community string object that specifies a subset of MIB objects. The snmp-server view command configures the community string.
- These commands create a view that includes all objects in the system group except for those in system.2.
switch(config)# snmp-server view sys-view system include
switch(config)# snmp-server view sys-view system.2 exclude
switch(config)#
- This command adds the community string lab_1 to provide read-only access to the switch agent for the previously defined view.
switch(config)# snmp-server community lab_1 view sys-view
switch(config)#
Configuring SNMP Parameters
Configuring the Engine ID
The snmp-server engineID remote command configures the name of a Simple Network Management Protocol (SNMP) engine located on a remote device. Use the snmp-server engineID local command for the local engine.
A remote agent's engine ID must be configured before remote users for that agent are configured. User authentication and privacy digests are derived from the engine ID and user passwords. The configuration command fails if the remote engine ID is not configured first.
Example
This command configures DC945798CAB4 as the name of the remote SNMP engine located at 12.23.104.25, UDP port 162.
switch(config)# snmp-server engineID remote 12.23.104.25 udp-port 162 DC945798CAB4
switch(config)#
Configuring the Group
An SNMP group grants specific levels of SNMP access to group users. The snmp-server group command configures a new SNMP group.
This command configures normal_one as an SNMPv3 group (authentication and encryption) that provides access to the all-items read view.
switch(config)# snmp-server group normal_one v3 priv read all-items
switch(config)#
Configuring the User
Members of SNMP groups are called users. The snmp-server user command allows a new user to be added to an SNMP group and configures that user's parameters. Remote users are configured by specifying the IP address or port number that accesses the user's SNMP agent.
- This command configures the local SNMPv3 user tech-1 as a member of the SNMP group tech-sup.
switch(config)# snmp-server user tech-1 tech-sup v3
switch(config)#
- This command configures the remote SNMPv3 user tech-2 as a member of the SNMP group tech-sup. The remote user is on the agent located at 13.1.1.4.
switch(config)# snmp-server user tech-2 tech-sup remote 13.1.1.4 v3
switch(config)#
Configuring the Host
The snmp-server host command configures an snmp host (to which snmp traps will be sent). The snmp-server host command sets the community string if it was not previously configured.
Example
This command adds a v2c inform notification recipient at 12.15.2.3 using the community string comm-1.
switch(config)# snmp-server host 12.15.2.3 informs version 2c comm-1
switch(config)#
Enabling Link Trap Generation
The snmp trap link-change command enables snmp link trap generation on the configuration mode interface. snmp link trap generation is enabled by default. If snmp link trap generation was previously disabled, this command removes the corresponding no snmp link-status statement from the configuration. The show snmp notification command displays the snmp link trap generation information.
Example
This command disables snmp link trap generation on the interface ethernet 5.
switch(config-if-Et5)# no snmp trap link-change
switch(config-if-Et5)#
Specifying the Source Interface
The snmp-server local-interface command specifies the interface from where an snmp trap originates. The show snmp local-interface command displays the interface of the IP address for snmp traps.
Example
This command configures the ethernet 1 interface as the source of snmp traps and informs.
switch(config)# snmp-server local-interface ethernet 1
switch(config)#
Configuring the Chassis-id String
The chassis ID string is typically set to the serial number of the switch. The snmp manager uses this string to associate all data retrieved from the switch with a unique identifying label. Under normal operating conditions, editing the chassis ID string contents is unnecessary.
The snmp-server chassis-id command configures the chassis ID string. The default chassis ID string is the serial number of the switch. The show snmp command displays the chassis ID.
Example
This command configures xyz-1234 as the chassis-ID string, then displays the result.
switch(config)# snmp-server chassis-id xyz-1234
switch(config)# show snmp
Chassis: xyz-1234 <---chassis ID
8 snmp packets input
0 Bad snmp version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
8 Number of requested variables
0 Number of altered variables
4 Get-request PDUs
4 Get-next PDUs
0 Set-request PDUs
21 snmp packets output
0 Too big errors
0 No such name errors
0 Bad value errors
0 General errors
8 Response PDUs
0 Trap PDUs
snmp logging: enabled
Logging to taccon.162
snmp agent enabled
switch(config)#
Configuring the Contact String
The snmp contact string is information text that typically displays the name of a person or organization associated with the snmp agent.
The snmp-server contact command configures the system contact string. The contact string is displayed by the show snmp and show snmp v2-mib contact commands.
Example
These commands configure Bonnie H at 3-1470 as the contact string.
switch(config)# snmp-server contact Bonnie H at 3-1470
switch(config)#
Configuring the Location String
The location string typically provides information about the physical location of the snmp agent. The snmp-server location command configures the system location string. By default, the system location string is not set.
Example
These commands configure lab_25 as the location string.
switch(config)# snmp-server location lab_25
switch(config)# show snmp v2-mib location
Location: lab_25
switch(config)#
Configuring the Agent to Send Notifications
- Configure the remote engine ID.
- Configure the group.
- Configure the user.
- Configure the host.
- Enable link trap generation on the interfaces.
Configuring SNMP Parameters describes each of these tasks.
Extending the SNMP Agent Through Runtime Scripts
The switch supports the execution of user-supplied scripts to service portions of the OID space.
- Normal mode scripts run over an indefinite period to process subsequent objects after the initial request. Maintaining an executing script avoids startup and connection delay each time an object requires processing.
- One-shot mode scripts process a single object, then terminate execution; this mode requires the one-shot keyword. Startup and data collection overhead is required for each request.
In both modes, the SNMP server is blocked from serving other requests when waiting for script responses.
The snmp-server extension command configures the execution of user-supplied scripts to service portions of the OID space. Use the one-shot keyword to specify one-shot execution.
- This command specifies the file normal-example.sh, located in flash, as the script file that services the specified OID space in normal mode.
switch(config)# snmp-server extension .1.3.6.1.4.1.8072.2 flash:normal-example.sh
switch(config)#
- Contents of the script file:
#!/bin/bash
# Normal mode: stay running and answer one request per loop iteration.
while read -r cmd; do
  case "$cmd" in
    PING)
      printf 'PONG\n' ;;
    get)
      read -r oid
      # Print the OID as data, never as a printf format string.
      printf '%s\n' "$oid"
      printf 'integer\n'
      printf '42\n' ;;
    *)
      printf 'NONE\n' ;;
  esac
done
- Testing the script:
switch(config)# show snmp mib get .1.3.6.1.4.1.8072.2
NET-SNMP-EXAMPLES-MIB::netSnmpExamples = INTEGER: 42
switch(config)#
- This command specifies the file one-shot-example.sh, located in flash, as the script file that services the specified OID space in one-shot mode, executing once and then exiting.
switch(config)# snmp-server extension .1.3.6.1.4.1.8072.2 flash:one-shot-example.sh one-shot
switch(config)#
- Contents of the script file:
#!/bin/bash
# One-shot mode: $1 is the request flag, $2 is the requested OID.
oid="$2"
# Print the OID as data, never as a printf format string.
printf '%s\n' "$oid"
printf 'integer\n'
printf '42\n'
- Testing the script:
switch(config)# show snmp mib get .1.3.6.1.4.1.8072.2
NET-SNMP-EXAMPLES-MIB::netSnmpExamples = INTEGER: 42
Normal Script Behavior
The first time the snmp server requires a script result, it launches it with no arguments. The server communicates with the script through stdin/stdout. Before each request, the script is sent the string PING\n on stdin. The expected response from the script is printing PONG\n to stdout.
GET and GETNEXT Requests
For GET and GETNEXT requests, the script is passed two lines on stdin, the command (get or getnext) and the requested OID. The expected response from the script is the printing of three lines to stdout: the OID for the result varbind, the TYPE, and the VALUE itself.
Table 1 lists legal TYPE values and resulting VALUE encodings. If the command does not return an appropriate varbind, it should print NONE\n to stdout and continue running; this results in an snmp noSuchName error or a noSuchInstance exception.
Type string | snmp type | Encoding for script |
integer | Integer32 | integer |
unsigned | Unsigned32 | integer |
gauge | Gauge32 | integer |
counter | Counter32 | integer |
counter64 | Counter64 | integer |
timetick | TimeTicks | integer |
ipaddress | IpAddress | a.b.c.d |
objectid | ObjectID | 1.3.6.1.42.99.2468 |
octet | OctetString | hexadecimal string |
opaque | Opaque | hexadecimal string |
string | OctetString | ascii string |
SET Requests
For SET requests, the script is passed three lines on stdin: the command (set), the requested OID, and the TYPE and VALUE, both on the same line. If the assignment is successful, the expected script response is to print DONE\n to stdout. Indicate errors by writing one of the error strings listed in Set Request Error Strings. In each case, the command should continue running.
authorization-error | no-access | too-big |
bad-value | no-creation | undo-failed |
commit-failed | no-such-name | wrong-type |
gen-error | not-writable | wrong-length |
inconsistent-name | read-only | wrong-encoding |
inconsistent-value | resource-unavailable | wrong-value |
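A normal-mode responder for the stdin/stdout protocol described above, added here as an illustration and not taken from the Arista documentation. It is written in Python rather than bash (assuming a Python interpreter is available to run the script), and the three objects under .1.3.6.1.4.1.8072.2 and their values are constructed.

```python
#!/usr/bin/env python3
"""Normal-mode responder for an `snmp-server extension` OID space."""
import re
import sys

BASE = ".1.3.6.1.4.1.8072.2"   # OID space used in the page's examples
# Constructed sample objects: OID -> (TYPE string from Table 1, value).
OBJECTS = {
    BASE + ".1.0": ("integer", "42"),
    BASE + ".2.0": ("string", "rack-7"),
    BASE + ".3.0": ("gauge", "17"),
}
# Accept numeric dotted OIDs only; anything else is answered with NONE.
OID_RE = re.compile(r"\.?\d{1,10}(\.\d{1,10}){0,127}")


def oid_key(oid):
    """'.1.3.6' -> (1, 3, 6); tuples compare in SNMP lexicographic order."""
    return tuple(int(part) for part in oid.strip(".").split("."))


TABLE = sorted((oid_key(oid), oid) for oid in OBJECTS)


def lookup(command, oid):
    """Reply lines for get/getnext: [OID, TYPE, VALUE], or ['NONE']."""
    if not OID_RE.fullmatch(oid):
        return ["NONE"]
    wanted = oid_key(oid)
    for key, name in TABLE:
        if (command == "get" and key == wanted) or \
           (command == "getnext" and key > wanted):
            return [name, *OBJECTS[name]]
    return ["NONE"]


def serve(stdin, stdout):
    """Answer requests until the agent closes stdin."""
    while True:
        line = stdin.readline()
        if not line:                      # EOF: the agent went away
            return
        command = line.strip()
        if command == "PING":
            reply = ["PONG"]
        elif command in ("get", "getnext"):
            reply = lookup(command, stdin.readline().strip())
        elif command == "set":
            # Consume the OID line and the "TYPE VALUE" line so the stream
            # stays in step, then refuse: this OID space is read-only.
            stdin.readline()
            stdin.readline()
            reply = ["not-writable"]
        else:
            reply = ["NONE"]
        stdout.write("\n".join(reply) + "\n")
        stdout.flush()                    # the agent blocks until it reads this


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

The explicit flush after every reply matters because the SNMP server serves no other request while it waits for the script.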
One-Shot Script Behavior
The command should exit after it finishes processing a single object.
GET and GETNEXT
For each GET or GETNEXT request, the script is invoked once for each OID in the space that it serves. It receives two arguments: -g for GET or -n for GETNEXT, and the requested OID.
The expected script response is the response varbind as three separate lines printed to stdout: the result OID, the type, and the value.
If the command does not return an appropriate varbind, then the script should exit without producing any output. This results in an snmp noSuchName error, or a noSuchInstance exception.
- The specified OID didn't correspond to a valid instance for a GET request.
- There were no following instances for a GETNEXT.
SET
A SET request results in the command being called with the arguments -s, OID, TYPE, and VALUE, where TYPE is one of the tokens listed under Normal Script Behavior and indicates the type of the value passed as the third parameter.
When the assignment is successful, the script exits without producing any output. Errors are indicated by writing just the error name (listed under Normal Script Behavior); the agent generates the appropriate error response.
SNMP IP Address ACL Support
SNMP IP address ACL support provides the ability to add access-lists that limit the source addresses that can be used to query the SNMP server. The access-lists apply to requests that reach the switch to access SNMP data (port 161), and they contain standard permit and deny commands.
Configuration
Use the following command to add snmp IP address ACL support:
[no | default] snmp-server [[ ipv4 access-list IP4_ACL] | [ ipv6 access-list IP6_ACL ]][ vrf VRF ]
When the VRF is not specified, default is assumed.
Show Commands
Use the show snmp ipv4 access-list summary command to display an abbreviated output of an IPv4 access-list.
switch# show snmp ipv4 access-list summary
IPv4 ACL Permit169
Total rules configured: 2
Configured on VRFs: red VRF
IPv4 ACL Permit168
Total rules configured: 2
Configured on VRFs: default VRF
Active on VRFs: default VRF
Use the show snmp ipv4 access-list detail command to display a detailed output of an IPv4 access-list.
switch# show snmp ipv4 access-list detail
IP Access List Permit169
10 permit ip 192.169.199.0/24 any [match 7 packets, 0:19:56 ago]
20 deny ip any any [match 13 packets, 0:03:56 ago]
Total rules configured: 2
Configured on VRFs: red VRF
IP Access List Permit168
10 permit ip 192.168.199.0/24 any [match 7 packets, 0:27:00 ago]
20 deny ip any any [match 13 packets, 0:04:30 ago]
Total rules configured: 2
Configured on VRFs: default VRF
Active on VRFs: default VRF
Use the show snmp ipv4 access-list IPv4ACL command to display a configured access-list. In this example, the configured access-list is Permit169.
switch# show snmp ipv4 access-list Permit169
IP Access List Permit169
10 permit ip 192.169.199.0/24 any [match 7 packets, 0:20:12 ago]
20 deny ip any any [match 13 packets, 0:04:12 ago]
Total rules configured: 2
Configured on VRFs: red VRF
Use the show snmp ipv4 access-list summary command to display a summary of an active access-list.
switch# show snmp ipv4 access-list summary
! Same ACL configured in multiple VRFs. Both VRFs are listed in both the configured
! and the active sessions
IPv4 ACL Permit169
Total rules configured: 2
Configured on VRFs: default VRF
red VRF
Active on VRFs: default VRF
red VRF
Use the show snmp ip access-list summary command to display a short output of the active access-lists.
switch# show snmp ip access-list summary
IPv4 ACL Permit169
Total rules configured: 2
Configured on VRFs: default VRF
red VRF
Active on VRFs: default VRF
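An added example, not part of the Arista documentation: a Python audit that applies the page's own controls (views, ro/rw access, source-address ACLs, v3 priv groups, and the AES/SHA pairing guidance) to a running-config excerpt and to show snmp user output. Both inputs are constructed, ops_9 is a made-up community, and the way the switch prints algorithm names other than SHA and AES-128 is an assumption.

```python
import re

# Constructed running-config excerpt in the syntax documented on this page.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community lab_1 view sys-view ro Permit168
snmp-server community ops_9 rw
snmp-server group normal_one v3 priv read all-items
snmp-server group tech-sup v3 auth
snmp-server host 12.15.2.3 informs version 2c comm-1
"""
# Constructed `show snmp user` output (fields trimmed to the ones used).
# Assumption: AES-256 is printed in this form.
SAMPLE_USERS = """\
User name: test
Authentication protocol: SHA
Privacy protocol: AES-128
User name: tech-1
Authentication protocol: SHA
Privacy protocol: AES-256
"""
AUTH_RANK = {"MD5": 0, "SHA": 1, "SHA1": 1, "SHA224": 2,
             "SHA256": 3, "SHA384": 4, "SHA512": 5}
# Page guidance: AES-192 needs at least SHA-224, AES-256 at least SHA-256.
MIN_AUTH = {"AES192": "SHA224", "AES256": "SHA256"}


def norm(name):
    """'SHA-256' -> 'SHA256', 'aes-192' -> 'AES192'."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())


def audit_config(text):
    """Return (subject, issue) findings for the snmp-server lines in text."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    has_global_acl = any(
        t[:1] == ["snmp-server"] and t[1:2] in (["ipv4"], ["ipv6"])
        and t[2:3] == ["access-list"] for t in lines)
    found = []
    for t in lines:
        if t[:2] == ["snmp-server", "community"] and len(t) > 2:
            name, rest = t[2], t[3:]
            view = None
            if rest[:1] == ["view"] and len(rest) > 1:
                view, rest = rest[1], rest[2:]
            access = "ro"                       # page: read-only is the default
            if rest[:1] in (["ro"], ["rw"]):
                access, rest = rest[0], rest[1:]
            if name.lower() in ("public", "private"):
                found.append((name, "well-known community string"))
            if access == "rw":
                found.append((name, "read-write community"))
            if view is None:
                found.append((name, "no view: every object is exposed"))
            if not rest and not has_global_acl:  # rest = per-community ACLs
                found.append((name, "no source-address ACL"))
        elif t[:2] == ["snmp-server", "group"] and len(t) > 3:
            level = " ".join(t[3:5]) if t[3] == "v3" else t[3]
            if level != "v3 priv":
                found.append((t[2], "group without encryption: " + level))
        elif t[:2] == ["snmp-server", "host"] and "version" in t:
            i = t.index("version")
            if t[i + 1:i + 2] in (["1"], ["2c"]):
                found.append((t[2], "notifications sent with a community string"))
    return found


def audit_users(text):
    """Check each user's auth/privacy pair in `show snmp user` output."""
    found, user, auth = [], None, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "User name":
            user, auth = val, None
        elif key == "Authentication protocol":
            auth = norm(val)
            if auth == "MD5":
                found.append((user, "MD5 authentication"))
        elif key == "Privacy protocol":
            priv = norm(val)
            if priv == "DES":
                found.append((user, "DES privacy"))
            need = MIN_AUTH.get(priv)
            if need and AUTH_RANK.get(auth, -1) < AUTH_RANK[need]:
                found.append((user, "%s privacy needs at least %s, has %s"
                              % (val, need, auth)))
    return found


if __name__ == "__main__":
    for subject, issue in audit_config(SAMPLE_CONFIG) + audit_users(SAMPLE_USERS):
        print("%-12s %s" % (subject, issue))
```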
snmp Commands
Global Configuration Commands
- no snmp-server
- snmp-server chassis-id
- snmp-server community
- snmp-server contact
- snmp-server enable traps
- snmp-server engineID local
- snmp-server engineID remote
- snmp-server extension
- snmp-server group
- snmp-server host
- snmp-server local-interface
- snmp-server location
- snmp-server qosmib counter-interval
- snmp-server user
- snmp-server view
- snmp-server vrf
Interface Configuration Commands
Display Commands
no snmp-server
The no snmp-server and default snmp-server commands disable Simple Network Management Protocol (snmp) agent operation by removing all snmp-server commands from running-config.
snmp is enabled with any snmp-server community or snmp-server user command.
Command Mode
Global Configuration
Command Syntax
no snmp-server
default snmp-server
Example
This command disables snmp agent operation on the switch.
switch(config)# no snmp-server
switch(config)#
show snmp
The show snmp command displays snmp information including the snmp counter status and the chassis ID string.
Command Mode
EXEC
Command Syntax
show snmp
Example
switch> show snmp
Chassis: JFL08320162
Location: 5470ga.dc
2329135 snmp packets input
0 Bad snmp version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
38132599 Number of requested variables
0 Number of altered variables
563934 Get-request PDUs
148236 Get-next PDUs
0 Set-request PDUs
2329437 snmp packets output
0 Too big errors
0 No such name errors
0 Bad value errors
0 General errors
2329135 Response PDUs
0 Trap PDUs
snmp logging: enabled
Logging to 172.22.22.20.162
snmp agent configured in VRFs: default
snmp agent enabled in default VRF
switch>
show snmp community
The show snmp community command displays the Simple Network Management Protocol (snmp) community access strings configured by the snmp-server community command.
Command Mode
EXEC
Command Syntax
show snmp community
Example
This command displays the list of community access strings configured on the switch.
switch> show snmp community
Community name: public
switch>
show snmp engineID
The show snmp engineID command displays the local snmp engine information configured on the switch.
Command Mode
EXEC
Command Syntax
show snmp engineID
Example
This command displays the ID of the local snmp engine.
switch> show snmp engineid
Local snmp EngineID: f5717f001c730436d700
switch>
show snmp group
The show snmp group command shows the names of configured snmp groups along with the security model, and view status of each group.
Command Mode
EXEC
Command Syntax
show snmp group [GROUP_LIST]
Parameters
- no parameter displays information about all groups.
- group_name the name of the group.
- groupname name of the snmp group.
- security model security model used by the group: v1, v2c, or v3.
- readview string identifying the group's read view. Refer to the show snmp view command.
- writeview string identifying the group's write view.
- notifyview string identifying the group's notify view.
Example
This command displays the groups configured on the switch.
switch> show snmp group
groupname : normal security model:v3 priv
readview : all writeview: <no writeview specified>
notifyview: <no notifyview specified>
switch>
show snmp local-interface
The show snmp local-interface command displays the interface whose IP address is the source address for snmp traps.
Command Mode
EXEC
Command Syntax
show snmp local-interface
Example
This command displays the source interface for the snmp notifications.
switch> show snmp local-interface
snmp source interface: Ethernet1
switch>
show snmp mib
The show snmp mib command displays values associated with specified MIB object identifiers (OIDs) that are registered on the switch.
Command Mode
EXEC
Command Syntax
show snmp mib OBJECTS
Parameters
- get oid_1 [oid_2 ... oid_x] values associated with each listed OID.
- get-next oid_1 [oid_2 ... oid_x] values associated with subsequent OIDs relative to listed OIDs.
- table oid table associated with specified OID.
- translate oid object name associated with specified OID.
- walk oid objects below the specified subtree.
- This command uses the get option to retrieve information about the sysORID.1 OID.
switch# show snmp mib get sysORID.1
SNMPv2-MIB::sysORID[1] = OID: TCP-MIB::tcpMIB
- This command uses the get-next option to retrieve information about the OID that is after sysORID.8.
switch# show snmp mib get-next sysORID.8
SNMPv2-MIB::sysORDescr[1] = STRING: The MIB module for managing TCP implementations
show snmp notification
The show snmp notification command displays the snmp trap generation information.
Command Mode
EXEC
Command Syntax
show snmp notification
Example
This command displays the snmp traps configured on the switch.
switch> show snmp notification
Type Name Enabled
--------------------------- ------------------------------------- -------------
entity entConfigChange Yes (default)
entity entStateOperDisabled Yes (default)
entity entStateOperEnabled Yes (default)
lldp lldpRemTablesChange Yes (default)
msdpBackwardTransition msdpBackwardTransition Yes
msdpEstablished msdpEstablished Yes
snmp linkDown Yes
snmp linkUp Yes
snmpConfigManEvent aristaConfigManEvent Yes (default)
switchover aristaRedundancySwitchOverNotif Yes
test aristaTestNotification Yes
switch>
show snmp notification host
The show snmp notification host command displays information for Simple Network Management Protocol notification. Details include IP address and port number of the Network Management System, notification type, and snmp version.
Command Mode
EXEC
Command Syntax
show snmp notification host
- Notification host IP address of the host.
- udp-port port number.
- type notification type.
- user access type of the user.
- security model snmp version used.
- traps details of the notification.
Example
This command displays the hosts configured on the switch.
switch> show snmp notification host
Notification host: 172.22.22.20 udp-port: 162 type: trap
user: public security model: v2c
switch>
show snmp notification | grep bridge
Use the show snmp notification | grep bridge command to display the enabled or disabled status of each trap type.
Command Mode
EXEC
Command Syntax
show snmp notification | grep bridge
switch(config)# show snmp notification | grep bridge
bridge arista-mac-age Yes
bridge arista-mac-learn No
bridge arista-mac-move No (aristaMacMove default disabled)
show snmp user
The show snmp user command shows information about Simple Network Management Protocol (SNMP) users. Information that the command displays about each user includes their SNMP version, the engine ID of the host where they reside, and security information.
Command Mode
EXEC
Command Syntax
show snmp user [USER_LIST]
Parameters
- no parameter displays information about all users.
- user_name specifies name of displayed user.
Example
This command displays information about the users configured on the switch.
switch> show snmp user
User name: test
Security model: v3
Engine ID: f5717f001c73010e0900
Authentication protocol: SHA
Privacy protocol: AES-128
Group name: normal
switch>
show snmp v2-mib chassis
The show snmp v2-mib chassis command displays the Simple Network Management Protocol (snmp) server serial number or the chassis ID string configured by the snmp-server chassis-id command.
Command Mode
EXEC
Command Syntax
show snmp v2-mib chassis
Example
This command displays the chassis ID string.
switch> show snmp v2-mib chassis
Chassis: JFL08320162
switch>
show snmp v2-mib contact
The show snmp v2-mib contact command displays the Simple Network Management Protocol (snmp) system contact string configured by the snmp-server contact command. The command has no effect if a contact string was not previously configured.
Command Mode
EXEC
Command Syntax
show snmp v2-mib contact
Example
This command displays the contact string contents.
switch> show snmp v2-mib contact
Contact: John Smith
switch>
show snmp v2-mib location
The show snmp v2-mib location command displays the Simple Network Management Protocol (snmp) system location string. The snmp-server location command configures system location details. The command has no effect if a location string was not previously configured.
Command Mode
EXEC
Command Syntax
show snmp v2-mib location
Example
This command displays the location string contents.
switch> show snmp v2-mib location
Location: santa clara
switch>
show snmp view
The show snmp view command displays the information of a Simple Network Management Protocol configuration and the associated MIB. snmp views are configured with the snmp-server view command.
Command Mode
EXEC
Command Syntax
show snmp view [VIEW_LIST]
Parameters
- no parameter displays information about all views.
- view_name the name of the view.
- First column view name.
- Second column name of the MIB object or family.
- Third column inclusion level of the specified family within the view.
Example
switch(config)# snmp-server view sys-view system include
switch(config)# snmp-server view sys-view system.2 exclude
switch(config)# show snmp view
sys-view system - included
sys-view system.2 - excluded
snmp trap link-change
The snmp trap link-change command enables Simple Network Management Protocol (snmp) link-status trap generation on the configuration mode interface. The generation of link-status traps is enabled by default. If snmp link-trap generation was previously disabled, this command removes the corresponding no snmp link-status statement from the configuration to re-enable link-trap generation.
The no snmp trap link-change command disables snmp link trap generation on the configuration mode interface.
The snmp trap link-change and default snmp trap link-change commands restore the default behavior by removing the no snmp trap link-change command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Interface-VXLAN Configuration
Command Syntax
snmp trap link-change
no snmp trap link-change
default snmp trap link-change
Guidelines
The switch can only send snmp traps and informs if the host that has been configured to receive them is accessible through an interface in a VRF in which snmp has been enabled. snmp is enabled by default only in the default VRF. Enable or disable snmp in a VRF with the snmp-server vrf command.
Example
This command disables snmp link trap generation on the interface ethernet 5.
switch(config-if-Et5)# no snmp trap link-change
switch(config-if-Et5)#
snmp-server chassis-id
The snmp-server chassis-id command configures the chassis ID string. The default chassis ID string is the serial number of the switch. The show snmp command displays the chassis ID.
The no snmp-server chassis-id and default snmp-server chassis-id commands restore the default chassis ID string by removing the snmp-server chassis-id command from the configuration.
Command Mode
Global Configuration
Command Syntax
snmp-server chassis-id id_text
no snmp-server chassis-id
default snmp-server chassis-id
Parameters
id_text chassis ID string
Example
switch(config)# snmp-server chassis-id xyz-1234
switch(config)# show snmp
Chassis: xyz-1234<---chassis ID
8 snmp packets input
0 Bad snmp version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
8 Number of requested variables
0 Number of altered variables
4 Get-request PDUs
4 Get-next PDUs
0 Set-request PDUs
21 snmp packets output
0 Too big errors
0 No such name errors
0 Bad value errors
0 General errors
8 Response PDUs
0 Trap PDUs
snmp logging: enabled
Logging to taccon.162
snmp agent enabled
switch(config)#
snmp-server community
The snmp-server community command configures the community string. snmp community strings serve as passwords that permit an snmp manager to access the agent on the switch. The Network Management System (NMS) must define a community string that matches at least one of the switch community strings to access the switch.
The no snmp-server community and default snmp-server community commands remove the community access string from the configuration.
Command Mode
Global Configuration
Command Syntax
snmp-server community string_text [MIB_VIEW][ACCESS][ACL_NAMES]
no snmp-server community string_text
default snmp-server community string_text
- string_text community access string.
- MIB_VIEW community access availability. Options include:
  - no parameter community string allows access to all objects.
  - view view_name community string allows access only to objects in the view_name view.
- ACCESS community access availability. Options include:
  - no parameter read-only access (default setting).
  - ro read-only access.
  - rw read-write access.
- ACL_NAMES community access availability. Options include:
  - no parameter community string allows access to all objects.
  - list_v4 IPv4 ACL list.
  - ipv6 list_v6 IPv6 ACL list.
  - ipv6 list_v6 list_v4 IPv4 and IPv6 ACL list.
Example
switch(config)# snmp-server community lab_1 ro
switch(config)#
snmp-server contact
The snmp-server contact command configures the system contact string. The contact is displayed by the show snmp and show snmp v2-mib contact commands.
The no snmp-server contact and default snmp-server contact commands remove the snmp-server contact command from the running-config.
Command Mode
Global Configuration
Command Syntax
snmp-server contact contact_string
no snmp-server contact
default snmp-server contact
Parameters
contact_string system contact string.
Example
switch(config)# snmp-server contact Bonnie H
switch(config)# show snmp
Chassis: xyz-1234
Contact: Bonnie H.
8 snmp packets input
0 Bad snmp version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
8 Number of requested variables
0 Number of altered variables
4 Get-request PDUs
4 Get-next PDUs
0 Set-request PDUs
24 snmp packets output
0 Too big errors
0 No such name errors
0 Bad value errors
0 General errors
8 Response PDUs
0 Trap PDUs
snmp logging: enabled
Logging to taccon.162
snmp agent enabled
switch(config)#
snmp-server enable traps
The snmp-server enable traps command enables Simple Network Management Protocol (snmp) traps. The same command also enables snmp inform requests. To specify the recipient for notifications, use the snmp-server host command. Sending notifications requires the configuration of at least one host using the snmp-server host command.
The snmp-server enable traps and no snmp-server enable traps commands, without a trap-type parameter, specify the default notification setting for all trap types. These commands, when specifying a trap type, control notification generation for the specified trap type. The default snmp-server enable traps command resets notification generation to the default setting for the specified trap type.
Command Mode
Global Configuration
Command Syntax
snmp-server enable traps [trap_type]
no snmp-server enable traps [trap_type]
default snmp-server enable traps [trap_type]
Parameters
- no parameter controls notifications for traps not covered by specific commands.
- entity controls entity modification notifications.
- lldp controls LLDP notifications.
- msdpBackwardTransition controls msdpBackwardTransition notifications.
- msdpEstablished controls msdpEstablished notifications.
- snmp controls snmp-v2 notifications.
- switchover controls switchover notifications.
- snmpConfigManEvent controls snmpConfigManEvent notifications.
- test controls test trap notifications.
Examples
- These commands enable notification generation for all trap types except entity traps.
switch(config)# snmp-server enable traps
switch(config)# no snmp-server enable traps entity
switch(config)#
- This command enables notification generation for all five entity traps, regardless of the default setting.
switch(config)# snmp-server enable traps entity
switch(config)#
- This command resets the entity trap notification generation to follow the default setting.
switch(config)# default snmp-server enable traps entity
switch(config)#
snmp-server engineID local
The snmp-server engineID local command configures the name for the local Simple Network Management Protocol (snmp) engine. The default snmp engineID is generated by the switch and is used when an engineID is not configured with this command. The show snmp engineID command displays the default or configured engine ID.
snmpv3 authenticates users through security digests (MD5 or SHA) that are based on user passwords and the local engine ID. Passwords entered on the CLI are similarly converted, then compared to the user's security digest to authenticate the user.
The no snmp-server engineID and default snmp-server engineID commands restore the default engineID by removing the snmp-server engineID command from the running-config.
Command Mode
Global Configuration
Command Syntax
snmp-server engineID local engine_hex
no snmp-server engineID local
default snmp-server engineID
Parameter
engine_hex the switch name for the local snmp engine (hex string).
The string must consist of at least ten characters with a maximum of 64 characters.
Example
switch(config)# snmp-server engineID local DC945798CAB4
switch(config)#
snmp-server engineID remote
The snmp-server engineID remote command configures the name of a Simple Network Management Protocol (snmp) engine located on a remote device. The switch generates a default engineID; use the show snmp engineID command to view the configured or default engineID.
An snmpv3 inform requires a remote engine ID to compute the security digest that authenticates and encrypts data transmitted to remote users. snmpv3 authenticates users with MD5 or SHA through the engine ID and user passwords. CLI passwords are similarly authenticated.
The no snmp-server engineID remote and default snmp-server engineID remote commands remove the snmp-server engineID remote command from the configuration.
Command Mode
Global Configuration
Command Syntax
snmp-server engineID remote engine_addr [PORT] engine_hex
no snmp-server engineID remote engine_addr [PORT]
default snmp-server engineID remote engine_addr [PORT]
- engine_addr location of remote engine (IP address or host name).
- PORT udp port location of the remote engine. Options include:
- no parameter port number 161 (default).
- udp-port port_num port number. Ranges from 0 to 65535.
- engine_hex the switch's name for the remote snmp engine (hex string).
The string must have at least ten characters and can contain a maximum of 64 characters.
Example
switch(config)# snmp-server engineID remote 10.23.10.25 udp-port 162 DC945798CA
switch(config)#
snmp-server extension
The snmp-server extension command configures the execution of user supplied scripts to service portions of the OID space.
The no snmp-server extension and default snmp-server extension commands delete the snmp-server extension command from the running-config.
Command Mode
Global Configuration
Command Syntax
snmp-server extension OID_space FILE_PATH [DURATION]
- OID_space OID branch serviced by the script, in numerical format.
- FILE_PATH path and name of the script file. Options include:
- file: file is located in the switch file directory.
- flash: file is located in flash memory.
- DURATION the execution scope of the script.
- no parameter script runs after initial request to process subsequent requests.
- one-shot script processes a single object (runs once), then terminates.
Example
This command specifies the file example.sh, located in flash, as the script file that services the listed OID space.
switch(config)# snmp-server extension .1.3.6.1.4.1.8072.2 flash:example.sh
snmp-server group
The snmp-server group command configures a new Simple Network Management Protocol (snmp) group or modifies an existing group. An snmp group is a data structure that user statements reference to map snmp users to snmp contexts and views, providing a common access policy to the specified users.
An snmp context is a collection of management information items accessible by an snmp entity. Each item may exist in multiple contexts. Each snmp entity can access multiple contexts. A context is identified by the EngineID of the hosting device and a context name.
The no snmp-server group and default snmp-server group commands delete the specified group by removing the corresponding snmp-server group command from the configuration.
Command Mode
Global Configuration
Command Syntax
snmp-server group group_name VERSION [CNTX][READ][WRITE][NOTIFY]
no snmp-server group group_name VERSION
default snmp-server group group_name VERSION
- group_name the name of the group.
- VERSION the security model utilized by the group.
- v1 snmpv1. Uses a community string match for authentication.
- v2c snmpv2c. Uses a community string match for authentication.
- v3 no auth snmpv3. Uses a username match for authentication.
- v3 auth snmpv3. HMAC-MD5 or HMAC-SHA authentication.
- v3 priv snmpv3. HMAC-MD5 or HMAC-SHA authentication. AES or DES encryption.
- CNTX associates the snmp group to an snmp context.
- no parameter command does not associate group with an snmp context.
- context context_name associates group with context specified by context_name.
- READ specifies read view for snmp group.
- no parameter command does not specify read view.
- read read_name read view specified by read_name (string maximum 64 characters).
- WRITE specifies write view for snmp group.
- no parameter command does not specify write view.
- write write_name write view specified by write_name (string maximum 64 characters).
- NOTIFY specifies notify view for snmp group.
- no parameter command does not specify notify view.
- notify notify_name notify view specified by notify_name (string maximum 64 characters).
Example
switch(config)# snmp-server group normal_one v3 priv read all-items
switch(config)#
snmp-server host
The snmp-server host command configures an snmp host (to which snmp traps will be sent) and sets the community string if it was not previously configured. The host is denoted by host location and community string. The command also specifies the type of snmp notifications that are sent: a trap is an unsolicited notification; an inform is a trap that includes a request for a confirmation that the message is received.
- snmp-server host host-1 version 2c comm-1
- snmp-server host host-1 informs version 2c comm-2
- snmp-server host host-1 version 2c comm-3 udp-port 666
- snmp-server host host-1 version 3 auth comm-3
The no snmp-server host and default snmp-server host commands remove the specified host by deleting the corresponding snmp-server host statement from the configuration. When removing a statement, the host (address and port) and community string must be specified.
Command Mode
Global Configuration
Command Syntax
snmp-server host host_id [VRF_INST][MESSAGE][VERSION] comm_str [PORT]
no snmp-server host host_id [VRF_INST][MESSAGE][VERSION] comm_str [PORT]
default snmp-server host host_id [VRF_INST][MESSAGE][VERSION] comm_str [PORT]
Parameters
- host_id hostname or IP address of the snmp host.
- VRF_INST specifies the VRF instance being modified.
- no parameter changes are made to the default VRF.
- vrf vrf_name changes are made to the specified user-defined VRF.
- MESSAGE message type that is sent to the host.
- no parameter sends snmp traps to host (default).
- informs sends snmp informs to host.
- traps sends snmp traps to host.
- VERSION snmp version. Options include:
- no parameter snmpv2c (default).
- version 1 snmpv1; option not available with informs.
- version 2c snmpv2c.
- version 3 noauth snmpv3; enables user-name match authentication.
- version 3 auth snmpv3; enables MD5 and SHA packet authentication.
- version 3 priv snmpv3. HMAC-MD5 or HMAC-SHA authentication. AES or DES encryption.
- comm_str community string to be sent with the notification as a password.
Arista recommends setting this string separately before issuing the snmp-server host command. To set the community string separately, use the snmp-server community command.
- PORT port number of the host.
- no parameter socket number set to 162 (default).
- udp-port p-name socket number specified by p-name.
Guidelines
The switch can only send snmp traps and informs if the host that has been configured to receive them is accessible through an interface in a VRF in which snmp has been enabled. snmp is enabled by default only in the default VRF. Enable or disable snmp in a VRF with the snmp-server vrf command.
Example
This command adds a version 2c inform notification recipient.
switch(config)# snmp-server host 10.15.2.3 informs version 2c comm-1
switch(config)#
snmp-server local-interface
The snmp-server local-interface command specifies the interface where snmp originates informs and traps.
The no snmp-server local-interface and default snmp-server local-interface commands remove the inform or trap source assignment by removing the snmp-server local-interface command from running-config.
Command Mode
Global Configuration
Command Syntax
snmp-server local-interface INTERFACE
no snmp-server local-interface
default snmp-server local-interface
Parameters
- ethernet e_num Ethernet interface specified by e_num.
- loopback l_num Loopback interface specified by l_num.
- management m_num Management interface specified by m_num.
- port-channel p_num Port-Channel Interface specified by p_num.
- vlan v_num VLAN interface specified by v_num.
- vrf vrf_name The VRF in which snmp is enabled. The keyword default specifies the default VRF.
Example
This command configures interface ethernet 1 as the source of snmp traps and informs.
switch(config)# snmp-server local-interface ethernet 1
switch(config)#
snmp-server location
The snmp-server location command configures the system location string. By default, no system location string is set.
The no snmp-server location and default snmp-server location commands delete the location string by removing the snmp-server location command from the configuration.
Command Mode
Global Configuration
Command Syntax
snmp-server location node_locate
no snmp-server location
default snmp-server location
Parameters
node_locate system location information (string).
Example
switch(config)# snmp-server location lab_east
switch(config)#
snmp-server qosmib counter-interval
The snmp-server qosmib counter-interval command configures the interval (in seconds) after which the QoS counters are updated periodically. By default the counter updates are disabled.
Command Mode
Global Configuration
Command Syntax
snmp-server qosmib counter-interval timer_interval
no snmp-server qosmib counter-interval
default snmp-server qosmib counter-interval
Parameter
timer_interval update interval for refreshing QoS counters, in seconds. Value ranges from 10 to 600.
Example
switch(config)# snmp-server qosmib counter-interval 50
snmp-server user
The snmp-server user command adds a user to a Simple Network Management Protocol (snmp) group or modifies an existing user's parameters.
To configure a user, the IP address or port number of the device where the user's remote snmp agent resides must be specified. A user's authentication comes from the engine ID and the user's password. Remote user configuration commands fail if the remote engine ID is not configured first.
The no snmp-server user and default snmp-server user commands remove the user from an snmp group by removing the user command from running-config.
- When using AES-192 for encryption/privacy, use a minimum of SHA-224 for authentication.
- When using AES-256 for encryption/privacy, use a minimum of SHA-256 for authentication.
Command Mode
Global Configuration
Command Syntax
snmp-server user user_name group_name [AGENT] VERSION [ENGINE][SECURITY]
no snmp-server user user_name group_name [AGENT] VERSION
default snmp-server user user_name group_name [AGENT] VERSION
- user_name name of user.
- group_name name of group to which user is being added.
- AGENT Options include:
- no parameter local snmp agent.
- remote addr [udp-port p_num] remote snmp agent location.
- addr denotes the IP address; p_num denotes the udp port socket (default port is 162).
- VERSION snmp version; options include:
- v1 snmpv1.
- v2c snmpv2c.
- v3 snmpv3.
- ENGINE engine ID used to localize passwords. Available only if VERSION is v3.
- no parameter Passwords localized by snmp copy specified by agent.
- localized engineID octet string of engineID.
- SECURITY Specifies authentication and encryption levels. Available only if VERSION is v3. Encryption is available only when authentication is configured.
- no parameter no authentication or encryption.
- auth a_meth a_pass [priv e_meth e_pass] authentication parameters.
- a_meth authentication method: options are md5 (HMAC-MD5-96) and sha (HMAC-SHA-96).
- a_pass authentication string for users receiving packets.
- e_meth encryption method: options are aes (AES-128) and des (CBC-DES).
- e_pass encryption string for the users sending packets.
Example
This command configures the remote snmp user tech-1 to the tech-sup snmp group.
switch(config)# snmp-server user tech-1 tech-sup remote 10.1.1.2 v3
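The digest derivation mentioned under snmp-server engineID local and snmp-server user, as an added example (not Arista code): it assumes the switch uses the standard RFC 3414 password-to-key and key-localization algorithm for the md5 and sha options, and uses the RFC's published test password and engine ID next to the engine_hex value from the engineID local example. The function names are illustrative.

```python
import hashlib


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: digest of the password repeated cyclically to 1,048,576 octets."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1_048_576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), unique per engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_hex: str, algo: str = "sha1") -> str:
    """Hex of the key a user holds on the engine identified by engine_hex."""
    ku = password_to_key(password.encode(), algo)
    return localize_key(ku, bytes.fromhex(engine_hex), algo).hex()


if __name__ == "__main__":
    # Password and first engine ID are the RFC 3414 appendix A.3 test inputs.
    rfc_engine = "000000000000000000000002"
    page_engine = "DC945798CAB4"  # engine_hex from the engineID local example
    for algo in ("md5", "sha1"):  # md5 = HMAC-MD5-96, sha = HMAC-SHA-96
        print(algo, rfc_engine, localized_key("maplesyrup", rfc_engine, algo))
        print(algo, page_engine, localized_key("maplesyrup", page_engine, algo))
```

Because the engine ID is an input to the key, the same password produces a different key on every engine, and a key stored for one engine ID no longer matches after that engine ID changes.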
snmp-server view
The snmp-server view command defines a view.
An snmp view defines a subset of objects from an MIB. Every snmp access group specifies views, each associated with read or write access rights, to allow or limit the group's access to MIB objects.
The no snmp-server view command deletes a view entry by removing the corresponding snmp-server view command from the running-config.
Command Mode
Global Configuration
Command Syntax
snmp-server view view_name [family_name] INCLUSION
no snmp-server view view_name [family_name]
default snmp-server view view_name [family_name]
- view_name Label for the view record that the command updates. Other commands reference the view with this label.
- family_name name of the MIB object or family.
MIB objects and MIB subtrees can be identified by name or by the numbers representing the position of the object or subtree in the MIB hierarchy.
- INCLUSION inclusion level of the specified family within the view. Options include:
- include view includes the specified subtree.
- exclude view excludes the specified subtree.
Example
switch(config)# snmp-server view sys-view system include
switch(config)# snmp-server view sys-view system.2 exclude
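How the two view statements above combine, as an added example (not Arista code): it assumes the switch resolves overlapping families the way standard VACM (RFC 3415) does, where the matching family with the most sub-identifiers decides and an object matched by no family is not visible. Family masks are left out, and system (1.3.6.1.2.1.1) is the only name this sketch resolves.

```python
NAMES = {"system": (1, 3, 6, 1, 2, 1, 1)}  # MIB-II system group; only name resolved here

# The two statements from the example above.
CONFIG = """\
snmp-server view sys-view system include
snmp-server view sys-view system.2 exclude
"""


def parse_oid(text):
    """Turn 'system.2' or '1.3.6.1.2.1.1.2' into a tuple of sub-identifiers."""
    head, *rest = text.strip(".").split(".")
    base = NAMES[head] if head in NAMES else (int(head),)
    return base + tuple(int(part) for part in rest)


def parse_views(config):
    """Collect {view_name: {subtree: included}} from snmp-server view lines."""
    views = {}
    for line in config.splitlines():
        tok = line.split()
        if (tok[:2] == ["snmp-server", "view"] and len(tok) == 5
                and tok[4] in ("include", "exclude")):
            # A later statement for the same family replaces the earlier one.
            views.setdefault(tok[2], {})[parse_oid(tok[3])] = tok[4] == "include"
    return views


def in_view(views, view_name, oid_text):
    """True if the OID is visible through the view; unmatched OIDs are not."""
    oid = parse_oid(oid_text)
    matches = [(len(sub), inc) for sub, inc in views.get(view_name, {}).items()
               if oid[:len(sub)] == sub]
    # The most specific (longest) matching family decides.
    return max(matches)[1] if matches else False


if __name__ == "__main__":
    views = parse_views(CONFIG)
    for oid in ("system.1.0", "system.2.0", "system.5.0", "1.3.6.1.2.1.2.2.1.2.1"):
        print(oid, "visible" if in_view(views, "sys-view", oid) else "hidden")
```

Statement order does not matter under this rule: an exclude only takes effect where it is more specific than the include that covers the same object.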
snmp-server vrf
- User-defined VRFs: The no snmp-server vrf command disables snmp in the specified VRF by removing the corresponding snmp-server vrf command from the running-config.
- Default VRF: The no snmp-server vrf command disables snmp in the VRF by adding a no snmp-server vrf default statement to the running-config.
Command Mode
Global Configuration
Command Syntax
snmp-server vrf vrf_name
no snmp-server vrf vrf_name
default snmp-server vrf vrf_name
Parameters
vrf_name The VRF in which snmp is enabled. The keyword default specifies the default VRF.
Guidelines
The switch can only send snmp traps and informs if the host that has been configured to receive them is accessible through an interface in a VRF in which snmp has been enabled. snmp is enabled by default only in the default VRF. Enable or disable snmp in a VRF with the snmp-server vrf command.
Example
These commands disable snmp in the default VRF, then enable it in the user-defined VRFs named magenta and columbia.
switch(config)# no snmp-server vrf default
switch(config)# snmp-server vrf magenta
switch(config)# snmp-server vrf columbia
switch(config)#
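An added audit sketch over the snmp-server community, group, host and user syntax documented in this chapter (not an Arista tool): it flags read-write or unrestricted communities, v1/v2c use, and v3 settings that lack encryption or use md5 or des. The sample configuration is constructed, and treating these settings as findings is this example's own policy.

```python
SAMPLE = """\
snmp-server community lab_1 ro
snmp-server community ops_rw rw
snmp-server community mon_ro view sys-view ro mgmt-acl
snmp-server group normal_one v3 priv read all-items
snmp-server group legacy v2c read all-items
snmp-server host 10.15.2.3 informs version 2c comm-1
snmp-server host 10.15.2.4 version 3 priv tech-2
snmp-server user tech-1 tech-sup v3 auth md5 ExampleAuth1 priv des ExamplePriv1
snmp-server user tech-2 tech-sup v3 auth sha ExampleAuth2 priv aes ExamplePriv2
"""  # constructed excerpt: every name, address and secret is made up


def audit(config):
    """Return (line_number, finding) pairs for weak snmp-server settings."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if tok[:1] != ["snmp-server"] or len(tok) < 3:
            continue
        cmd, args = tok[1], tok[3:]  # tok[2] is the community, group, host or user
        add = lambda msg, n=n: findings.append((n, msg))
        if cmd == "community":
            if args[:1] == ["view"]:
                args = args[2:]  # drop "view view_name"
            else:
                add("community can reach every object (no view)")
            if args[:1] == ["rw"]:
                add("read-write community")
            acl = args[1:] if args[:1] in (["ro"], ["rw"]) else args
            if not acl:
                add("community not restricted by an ACL")
        elif cmd == "group":
            if args[:1] in (["v1"], ["v2c"]):
                add("group relies on a community string")
            elif args[:1] == ["v3"] and args[1:2] != ["priv"]:
                add("v3 group does not require encryption")
        elif cmd == "host":
            ver = args[args.index("version") + 1:][:2] if "version" in args else ["2c"]
            if ver[:1] in (["1"], ["2c"]):
                add("notifications carry a cleartext community")
            elif ver[1:] != ["priv"]:
                add("v3 notifications are not encrypted")
        elif cmd == "user":
            if "auth" not in args[1:]:  # args[0] is the group name
                add("user has no v3 authentication or encryption")
            else:
                sec = args[args.index("auth", 1) + 1:]  # a_meth a_pass [priv e_meth e_pass]
                if sec[:1] == ["md5"]:
                    add("HMAC-MD5 authentication")
                if sec[2:3] != ["priv"]:
                    add("v3 user without encryption")
                elif sec[3:4] == ["des"]:
                    add("DES encryption")
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```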