Configuring SNMP (CLI)
Procedure
-
Create an SNMP community name by entering this command:
config snmp community create name
-
Delete an SNMP community name by entering this command:
config snmp community delete name
-
Configure an SNMP community name with read-only privileges by entering this command:
config snmp community accessmode ro name
-
Configure an SNMP community name with read-write privileges by entering this command:
config snmp community accessmode rw name
-
For IPv4 configuration—Configure an IPv4 address and subnet mask for an SNMP community by entering this command:
config snmp community ipaddr ip-address ip-mask name
Note
This command behaves like an SNMP access list. It specifies the IP address from which the device accepts SNMP packets with the associated community. An AND operation is performed between the requesting entity’s IP address and the subnet mask before being compared to the IP address. If the subnet mask is set to 0.0.0.0, an IP address of 0.0.0.0 matches to all IP addresses. The default value is 0.0.0.0.
Note
The controller can use only one IP address range to manage an SNMP community.
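Added example, not part of the original documentation: a Python sketch of the matching rule in the note above, applied to a small constructed list of community entries to flag ones that accept any source or that no source can match. The function names and sample entries are hypothetical, and the match follows the rule as the note words it, not the controller's own code.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_permits(src, ip, mask):
    """Rule from the note: (source AND mask) is compared to the configured IP."""
    return (_to_int(src) & _to_int(mask)) == _to_int(ip)


def classify(ip, mask):
    """Classify one community restriction by what it can match."""
    i, m = _to_int(ip), _to_int(mask)
    if i == 0 and m == 0:
        return "open"         # default 0.0.0.0/0.0.0.0: every source matches
    if i & ~m & 0xFFFFFFFF:
        return "unmatchable"  # IP has bits outside the mask; the AND can never equal it
    return "restricted"


# Constructed sample entries: (community name, access mode, ip-address, ip-mask)
SAMPLE = [
    ("monitoring", "ro", "10.20.30.0", "255.255.255.0"),
    ("legacy", "rw", "0.0.0.0", "0.0.0.0"),
    ("typo", "ro", "10.20.30.5", "255.255.255.0"),
]


def audit(entries):
    """Return (name, mode, kind) for every entry that is not a usable restriction."""
    findings = []
    for name, mode, ip, mask in entries:
        kind = classify(ip, mask)
        if kind != "restricted":
            findings.append((name, mode, kind))
    return findings


if __name__ == "__main__":
    for name, mode, kind in audit(SAMPLE):
        print(f"{name} ({mode}): {kind}")
```

An entry left at the default is the one to prioritize when it also has read-write access, since any address that knows the community string is accepted.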
-
For IPv6 configuration—Configure an IPv6 address and prefix-length for an SNMP community by entering this command:
config snmp community ipaddr ipv6-address ip-mask name
-
Enable or disable a community name by entering this command:
config snmp community mode {enable | disable}
-
Enable or disable IPSec for an SNMP community by entering this command:
config snmp community ipsec {enable | disable}
-
Configure the IKE authentication methods by entering this command:
config snmp community ipsec ike auth-mode {certificate | pre-shared-key ascii/hex secret}
Authentication mode can be configured per trap receiver. By default, the authentication mode is set to certificate.
-
Configure a destination for a trap by entering this command:
config snmp trapreceiver create name ip-address
-
Delete a trap by entering this command:
config snmp trapreceiver delete name
-
Change the destination for a trap by entering this command:
config snmp trapreceiver ipaddr old-ip-address name new-ip-address
-
Configure the trap receiver IPSec session by entering this command:
config snmp trapreceiver ipsec {enable | disable} community-name
Trap receiver IPSec must be in the disabled state to change the authentication mode.
-
Configure the IKE authentication methods by entering this command:
config snmp trapreceiver ipsec ike auth-mode {certificate | pre-shared-key ascii/hex secret community-name}
Authentication mode can be configured per trap receiver. By default, the authentication mode is set to certificate.
-
Enable or disable the traps by entering this command:
config snmp trapreceiver mode {enable | disable}
-
Configure the name of the SNMP contact by entering this command:
config snmp syscontact syscontact-name
Enter up to 31 alphanumeric characters for the contact name.
-
Configure the SNMP system location by entering this command:
config snmp syslocation syslocation-name
Enter up to 31 alphanumeric characters for the location.
-
Verify that the SNMP traps and communities are correctly configured by entering these commands:
show snmpcommunity
show snmptrap
Note
Related issue: CSCvr33858.
A read-only community does not get snmpEngineID. RFC 2575 recommends restricting access to some OIDs, and one of them is SnmpEngineId (engineId). For more information, see https://tools.ietf.org/html/rfc2575.
-
See the enabled and disabled trap flags by entering this command:
show trapflags
If necessary, use the config trapflags command to enable or disable trap flags.
-
Configure when the warning message is displayed as the number of clients or RFID tags associated with the controller nears the threshold level by entering this command:
config trapflags {client | rfid} max-warning-threshold {threshold-between-80-to-100 | enable | disable}
The warning message is displayed at an interval of 600 seconds (10 minutes).
-
Configure the SNMP engine ID by entering this command:
config snmp engineID engine-id-string
Note
The engine ID string can be a maximum of 24 characters.
-
View the engine ID by entering this command:
show snmpengineID
-
Configure the SNMP version by entering this command:
config snmp version {v1 | v2c | v3} {enable | disable}