
Configuring Basic SNMPv3 Functions

Context

When you configure a destination IP address for the traps and error codes sent from managed devices, choose between the trap and inform function as required:
  • The traps sent by the managed device do not need to be acknowledged by the NMS.

  • The informs sent by the managed device need to be acknowledged by the NMS. If no acknowledgement message is received from the NMS within a specified time period, the managed device resends the inform until the number of retransmissions reaches the maximum.

    When sending an inform to the NMS, the managed device also records the inform in the log. If an inform is sent to the NMS when the NMS or the link between NMS and managed device is faulty, the NMS can still receive the inform after fault recovery.

Informs are more reliable than traps. However, because of the retransmission mechanism the device may need to buffer many informs, which can consume a lot of memory. If the network is stable, traps are recommended. If the network is unstable and the device has sufficient memory, informs are recommended.

Precaution

When configuring security levels, ensure that the security level of the SNMP user ≥ the security level of the alarm host (the target host configured in step 8) ≥ the security level of the SNMP user group. SNMPv3 uses the following security levels, listed in descending order:
  • privacy: authentication and encryption
  • authentication: only authentication
  • none: no authentication and no encryption

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run snmp-agent

    The SNMP agent is enabled.

    By default, the SNMP agent is disabled. Executing the snmp-agent command can enable the SNMP agent, even if no parameter is specified in the command.

  3. (Optional) Run snmp-agent udp-port port-num

    The port number of the SNMP agent is changed.

    The default port number of the SNMP agent is 161.

    Changing the port reduces exposure to untargeted scans of UDP port 161, but it is not an access control on its own: still restrict the agent with ACLs and require authentication and privacy. After this command is run on an SNMP agent connecting to the NMS, ensure that the NMS uses the same port number. Otherwise, the SNMP agent cannot connect to the NMS.

  4. (Optional) Run snmp-agent sys-info version v3

    The SNMP version is set.

    By default, the device supports SNMPv3.

  5. (Optional) Run snmp-agent local-engineid engineid

    An engine ID is set for the local SNMP entity.

    By default, the device automatically generates an engine ID using the internal algorithm. An engine ID is composed of an enterprise number and device information.

    If you manually set the engine ID, the SNMPv3 user matching the default engine ID is deleted, because SNMPv3 localizes each user's authentication and privacy keys to the engine ID. Set the engine ID before creating SNMPv3 users, or re-create the users afterwards.

    To improve system security, configure the device to check consistency between the contextEngineID on the NMS and the local engine ID by running the snmp-agent packet contextengineid-check enable command.

  6. Run snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]* [ acl { acl-number | acl-name } ], snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]* acl-ipv4 { acl-number | acl-name } [ acl-ipv6 { acl-number | acl-name } ], or snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]* acl-ipv6 { acl-number | acl-name }

    An SNMPv3 user group is configured.

    If the NMS and device are in an insecure environment (for example, the network is vulnerable to attacks), configure authentication or, preferably, privacy in the command so that SNMP messages are authenticated and, with privacy, also encrypted.

  7. Configure an SNMPv3 user.

    1. Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group group-name | acl { acl-number | acl-name } ] *, snmp-agent [ remote-engineid engineid ] usm-user v3 user-name group group-name acl-ipv4 { acl-number | acl-name } [ acl-ipv6 { acl-number | acl-name } ], or snmp-agent [ remote-engineid engineid ] usm-user v3 user-name group group-name acl-ipv6 { acl-number | acl-name } command to configure an SNMPv3 user.

    2. Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name authentication-mode { md5 | sha | sha2-256 } [ cipher password ] command to set an authentication password for the SNMPv3 user.

    3. Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name privacy-mode { des56 | aes128 | aes192 | aes256 | 3des } [ cipher password ] command to set an encryption password for the SNMPv3 user.

    By default, no authentication and no encryption is performed for SNMPv3 users. To improve system security, configure an authentication password and an encryption password, and ensure that the two passwords are different.

    In addition, you are advised not to use the MD5 algorithm for SNMPv3 authentication, or the DES56 or 3DES168 algorithm for SNMPv3 encryption. Prefer sha2-256 for authentication and aes128, aes192, or aes256 for encryption.

    By default, the complexity check is enabled for SNMPv3 user passwords. If the password fails the check, the configuration fails. To ensure device security, you are advised to refrain from using the snmp-agent usm-user password complexity-check disable command to disable the complexity check for SNMPv3 user passwords, and change the password periodically.

  8. Configure the destination IP address for receiving traps and error codes.

    Before configuring a device to send traps, confirm that the information center has been enabled. The information center can be enabled by running the info-center enable command.

    • When the managed device and NMS reside on an IPv4 network, configure the device to send either traps or informs to the NMS as follows:
      • To configure a destination IP address for the traps and error codes sent from the device, run the snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | [ public-net | vpn-instance vpn-instance-name ] ] * params securityname security-name v3 [ authentication | privacy ] [ private-netmanager | notify-filter-profile profile-name | ext-vb ] * command.

      • To configure a destination IP address for the informs and error codes sent from the device, run the snmp-agent target-host inform address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | [ vpn-instance vpn-instance-name | public-net ] ]* params securityname security-name v3 [ authentication | privacy ] [ notify-filter-profile profile-name | ext-vb ] * command.

    • When the managed device and NMS reside on an IPv6 network, run the snmp-agent target-host trap ipv6 address udp-domain ipv6-address [ udp-port port-number | vpn-instance vpn-instance-name ] * params securityname security-name [ v3 [ authentication | privacy ] | private-netmanager | notify-filter-profile profile-name | ext-vb ] * command to set the target host that receives traps and error codes.

      Only traps are supported on an IPv6 network; informs are not.

    Note the following before running the command:

    • The default destination UDP port number is 162. Changing the UDP port number to a lesser-known port by running the udp-port command reduces exposure to untargeted traffic, but on its own it is not a security control; the NMS must be configured to listen on the same port.
    • The security-name parameter is the SNMPv3 user name that the managed device uses when sending traps or informs; the NMS uses it to identify the sending device.
    • If the NMS and managed device are both Huawei products, the private-netmanager parameter can be configured to add more information to trap messages to help you locate and solve problems more quickly. The additional information includes trap type, serial number, and sending time.

    The value of security-name must be the same as the created user name. Otherwise, the NMS cannot access the managed device.

  9. (Optional) Run snmp-agent sys-info { contact contact | location location }

    The device administrator's contact information or location is configured.

    By default, the device administrator's contact information is "R&D Beijing, Huawei Technologies Co., Ltd." and location is "Beijing China."

    This step enables the NMS administrator to view the contact information and location of the device administrator when the NMS manages many devices. This helps the NMS administrator contact the device administrator for fault location and rectification.

  10. (Optional) Run snmp-agent packet max-size byte-count

    The maximum size of an SNMP packet that the device can receive and send is set.

    By default, the maximum size of an SNMP packet is 12000 bytes.

    When the size of an SNMP packet is larger than the configured value, the device discards the SNMP packet. To ensure that the NMS can process SNMP packets properly, set the byte-count parameter to the maximum size of an SNMP packet that the NMS can process.

  11. (Optional) Run snmp-agent protocol source-interface interface-type interface-number

    A source interface is configured for receiving and responding to NMS's requests.

    By default, a source interface is randomly selected for receiving and responding to NMS's requests.

  12. (Optional) Run snmp-agent protocol ipv6 source-ip ipv6-address

    A source IPv6 address is configured for receiving and responding to NMS's requests.

    By default, a source IPv6 address is randomly selected for receiving and responding to NMS's requests.

  13. (Optional) Run snmp-agent protocol server [ ipv4 | ipv6 ] disable

    The SNMP IPv4 or IPv6 listening port is disabled.

    By default, the SNMP IPv4 or IPv6 listening port is disabled.

    If ipv4 or ipv6 is not selected, both SNMP IPv4 and IPv6 listening ports are disabled.

    If the managed device only needs to send traps to the NMS and does not need to respond to Get/Set operations, SNMP port listening is not required. In this case, run this command so that SNMP no longer processes incoming SNMP packets. Exercise caution when running this command, because the NMS can then no longer query or configure the device over SNMP.
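The precaution on security levels and the naming and algorithm constraints in steps 6 to 8 are easy to get wrong by hand. The following added example (not Huawei's code and not part of the original page) parses a saved VRP configuration produced by the procedure above and checks it against the page's rules: weak algorithms (md5, des56, 3des), identical authentication and privacy passwords, a target-host securityname with no matching usm-user, and security levels that break user ≥ target host ≥ group. The group and user names, ACL number, addresses and passwords in the two embedded sample configurations are constructed for illustration. Python is used because a practitioner would run such a check off-box against exported configurations.

```python
"""Offline audit of a Huawei VRP SNMPv3 configuration against the rules on this page.

Added example, not Huawei code. It parses the snmp-agent lines produced by the
procedure and reports weak algorithms, reused passwords, a target-host
securityname with no matching usm-user, and security levels that break
user >= target host >= group.
"""
import re

LEVEL = {"noauthentication": 0, "none": 0, "authentication": 1, "privacy": 2}
WEAK = {"md5", "des56", "3des"}

# Constructed sample input. Group/user names, ACL number, addresses and
# passwords are assumptions for illustration, not values from the page.
GOOD_CONFIG = """\
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 nms-group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001
snmp-agent usm-user v3 nms-admin group nms-group acl 2001
snmp-agent usm-user v3 nms-admin authentication-mode sha2-256 cipher Auth-Secret-2024!
snmp-agent usm-user v3 nms-admin privacy-mode aes256 cipher Priv-Secret-2024!
snmp-agent target-host inform address udp-domain 10.1.1.100 udp-port 10162 params securityname nms-admin v3 privacy
"""

# Constructed counterexample: deprecated algorithms, a reused password, a trap
# target sent at level none from a privacy group, and an undefined securityname.
WEAK_CONFIG = """\
snmp-agent
snmp-agent group v3 legacy-group privacy read-view iso-view
snmp-agent usm-user v3 legacy-user group legacy-group
snmp-agent usm-user v3 legacy-user authentication-mode md5 cipher Same-Secret-01
snmp-agent usm-user v3 legacy-user privacy-mode des56 cipher Same-Secret-01
snmp-agent target-host trap address udp-domain 10.1.1.100 params securityname legacy-user v3
snmp-agent target-host trap address udp-domain 10.1.1.101 params securityname ghost-user v3 privacy
"""


def parse(config):
    """Collect group levels, per-user settings and notification targets."""
    groups, users, hosts = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"snmp-agent group v3 (\S+) (authentication|privacy|noauthentication)\b", line)
        if m:
            groups[m.group(1)] = LEVEL[m.group(2)]
            continue
        m = re.match(r"snmp-agent (?:remote-engineid \S+ )?usm-user v3 (\S+)(.*)", line)
        if m:
            u = users.setdefault(m.group(1), {"group": None, "auth": None, "auth_pw": None,
                                                "priv": None, "priv_pw": None})
            rest = m.group(2)
            g = re.search(r"\bgroup (\S+)", rest)
            if g:
                u["group"] = g.group(1)
            a = re.search(r"authentication-mode (\S+)(?: cipher (\S+))?", rest)
            if a:
                u["auth"], u["auth_pw"] = a.group(1), a.group(2)
            p = re.search(r"privacy-mode (\S+)(?: cipher (\S+))?", rest)
            if p:
                u["priv"], u["priv_pw"] = p.group(1), p.group(2)
            continue
        m = re.match(r"snmp-agent target-host (trap|inform) .*securityname (\S+) v3(?: (authentication|privacy)\b)?", line)
        if m:
            # A target-host without an explicit level sends at level none.
            hosts.append({"kind": m.group(1), "secname": m.group(2), "level": LEVEL[m.group(3) or "none"]})
    return groups, users, hosts


def user_level(u):
    """Effective USM level: privacy requires both an auth and a priv password."""
    if u["auth"] and u["priv"]:
        return 2
    return 1 if u["auth"] else 0


def audit(config):
    """Return a list of human-readable findings; an empty list means the config passes."""
    groups, users, hosts = parse(config)
    findings = []
    for name, u in users.items():
        for alg in (u["auth"], u["priv"]):
            if alg in WEAK:
                findings.append(f"user {name}: weak algorithm {alg}")
        if u["auth_pw"] and u["auth_pw"] == u["priv_pw"]:
            findings.append(f"user {name}: identical authentication and privacy passwords")
        if u["group"] not in groups:
            findings.append(f"user {name}: group {u['group']} is not defined")
        elif user_level(u) < groups[u["group"]]:
            findings.append(f"user {name}: security level below group {u['group']}")
    for h in hosts:
        u = users.get(h["secname"])
        if u is None:
            findings.append(f"target-host {h['kind']}: securityname {h['secname']} matches no usm-user")
        elif not (user_level(u) >= h["level"] >= groups.get(u["group"], 0)):
            findings.append(f"target-host {h['kind']} for {h['secname']}: ordering user >= host >= group violated")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Run against a display current-configuration export, the script reports nothing for the first sample and five findings for the second. Note that the second sample's first target-host is flagged purely because the v3 level was omitted: the user and group are both privacy, so the notification must also be sent with privacy to satisfy the ordering in the Precaution.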

Copyright © Huawei Technologies Co., Ltd.