
Example for Configuring a Switch to Communicate with an NMS Through SNMPv3

Networking Requirements

In the network shown in Figure 1, NMS1 and NMS2 manage devices on the network. The network is large and insecure. Therefore, devices on the network use SNMPv3 to communicate with the NMSs, and authentication and encryption are configured to enhance security. A new switch is deployed on the network and needs to be managed by NMS2.

Users want to manage the switch using existing network resources and hope that faults on the switch can be quickly identified and rectified.

Figure 1 The switch communicates with NMS through SNMPv3

Configuration Roadmap

Because the network is large and insecure, the new switch still uses SNMPv3. To reduce loads on the NMSs, configure NMS2 to manage the switch and NMS1 not to manage the switch.

The configuration roadmap is as follows:

  1. Configure the SNMP version on the switch to SNMPv3.

  2. Configure access rights to enable NMS2 to manage ISO objects on the switch.

  3. Configure the trap host for the switch to deliver traps generated on the switch to NMS2. To help quickly identify faults according to trap messages and reduce useless traps, configure the switch to send only the traps of the modules enabled by default.

  4. Configure administrator contact information on the switch so that users can contact the administrator quickly when a fault occurs on the switch.

  5. Configure NMS2.

Procedure

  1. Configure an IP address for an interface of the switch to provide a reachable route between the NMS and the switch.

    # Configure an IP address for an interface of the switch according to Figure 1.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan 100
    [Switch-vlan100] quit
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type hybrid
    [Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 100
    [Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 100
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface vlanif 100
    [Switch-Vlanif100] ip address 10.1.2.1 24
    [Switch-Vlanif100] quit

  2. Set the SNMP version on the switch to SNMPv3.

    [Switch] snmp-agent sys-info version v3

  3. Configure the access rights.

    # Configure an ACL that allows NMS2 to manage the switch and prevents NMS1 from managing the switch.

    [Switch] acl 2001
    [Switch-acl-basic-2001] rule 5 permit source 10.1.1.2 0.0.0.0
    [Switch-acl-basic-2001] rule 6 deny source 10.1.1.1 0.0.0.0
    [Switch-acl-basic-2001] quit

    # Configure the MIB view.

    [Switch] snmp-agent mib-view included isoview iso

    # Configure the user group.

    [Switch] snmp-agent group v3 admin privacy read-view isoview write-view isoview notify-view isoview acl 2001 

    # Configure the user.

    [Switch] snmp-agent usm-user v3 nms2-admin group admin

    # Configure authentication for the user's packets and set the authentication password to Authe@1234.

    [Switch] snmp-agent usm-user v3 nms2-admin authentication-mode sha2-256
    Please configure the authentication password (8-64)                             
    Enter Password:                  //Enter the authentication password. It is Authe@1234 in this example.                                  
    Confirm Password:                //Confirm the password. It is Authe@1234 in this example.

    # Configure encryption for the user's packets and set the encryption password to Priva@1234.

    [Switch] snmp-agent usm-user v3 nms2-admin privacy-mode aes128
    Please configure the privacy password (8-64)                                    
    Enter Password:                 //Enter the encryption password. It is Priva@1234 in this example.                                                 
    Confirm Password:               //Confirm the password. It is Priva@1234 in this example.

  4. Configure the trap host.

    [Switch] snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname nms2-admin v3 privacy

  5. Configure the administrator contact information.

    [Switch] snmp-agent sys-info contact call Operator at 010-12345678

  6. Configure NMS2.

    On an NMS running SNMPv3, you must set a user name and select a security level. Then set the authentication mode, authentication password, encryption mode, and encryption password according to the security level you select. For details about the NMS configuration, see the manual of the NMS.

    The authentication parameter configuration on the NMS must be the same as that on the switch. Otherwise, the NMS cannot manage the switch.

  7. Verify the configuration.

    After completing the configuration, run the following commands to verify that the configurations have taken effect.

    # View the SNMP version.

    [Switch] display snmp-agent sys-info version
       SNMP version running in the system:                                                                                              
               Polling: SNMPv1:disable, SNMPv2c:disable, SNMPv3:enable                                                                  
               Trap   : SNMPv1:disable, SNMPv2c:disable, SNMPv3:enable                                                                  
                                                                                                                                        

    # View user group information.

    [Switch] display snmp-agent group admin
       Group name: admin
           Security model: v3 AuthPriv
           Readview: ViewDefault
           Writeview: isoview
           Notifyview :<no specified>
           Storage-type: nonVolatile
           Acl:2001

    # View the MIB view.

    [Switch] display snmp-agent mib-view viewname isoview
       View name:isoview                                                         
           MIB Subtree:iso                                              
           Subtree mask:FC(Hex)                                                            
           Storage-type: nonVolatile                                                
           View Type:included                                                       
           View status:active  

    # View the configuration of the target host used to receive traps.

    [Switch] display snmp-agent target-host
    Target-host NO. 1
    -----------------------------------------------------------
      IP-address    : 10.1.1.2
      Domain        : -
      Source interface : - 
      VPN instance  : -
      Security name : nms2-admin
      Port          : 162
      Type          : trap
      Version       : v3
      Level         : Privacy
      NMS type      : NMS
      With ext-vb   : No
    ----------------------------------------------------------- 

    # View the administrator contact information.

    [Switch] display snmp-agent sys-info contact
       The contact person for this managed node:                                    
               call Operator at 010-12345678 

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 100
#
acl number 2001
 rule 5 permit source 10.1.1.2 0
 rule 6 deny source 10.1.1.1 0
#
interface Vlanif100
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
snmp-agent
snmp-agent local-engineid 800007DB0300259E0370C3
snmp-agent sys-info contact call Operator at 010-12345678
snmp-agent sys-info version v3
snmp-agent group v3 admin privacy read-view isoview write-view isoview notify-view isoview acl 2001 
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname nms2-admin v3 privacy
snmp-agent mib-view included isoview iso 
snmp-agent usm-user v3 nms2-admin
snmp-agent usm-user v3 nms2-admin group admin 
snmp-agent usm-user v3 nms2-admin authentication-mode sha2-256 cipher %^%#odaJ7R)/O7k$pwQx0qfD0\`u*'GI1(|;ZQXHtzrN%^%# 
snmp-agent usm-user v3 nms2-admin privacy-mode aes128 cipher %^%#f*K3/|E6d"SJes9)5naXPIqCTpR"}BUC=yW;!(f9%^%#
#
return
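
The following is an added example, not part of the original page and not Huawei tooling: a Python check over a saved configuration file that asserts the properties this example sets up (SNMPv3 only, a privacy-level group bound to an ACL defined in the file, SHA-2 authentication and AES privacy for each user, traps sent as v3 privacy). The function name `audit`, the `<ciphertext>` placeholder and the accepted algorithm prefixes are assumptions of this example.

```python
import re

# Constructed input: SNMP lines of the configuration file above, ciphertext replaced.
SAMPLE = """\
acl number 2001
snmp-agent sys-info version v3
snmp-agent group v3 admin privacy read-view isoview write-view isoview notify-view isoview acl 2001
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname nms2-admin v3 privacy
snmp-agent usm-user v3 nms2-admin group admin
snmp-agent usm-user v3 nms2-admin authentication-mode sha2-256 cipher <ciphertext>
snmp-agent usm-user v3 nms2-admin privacy-mode aes128 cipher <ciphertext>
"""
USER_RE = re.compile(r"snmp-agent usm-user v3 (\S+)(?: (group|authentication-mode|privacy-mode) (\S+))?")

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines()]
    acls = {m.group(1) for ln in lines if (m := re.match(r"acl number (\d+)$", ln))}
    users, findings = {}, []
    versions = [ln.split()[3:] for ln in lines if ln.startswith("snmp-agent sys-info version ")]
    if versions != [["v3"]]:
        findings.append("version: expected exactly 'sys-info version v3'")
    for ln in lines:
        if m := re.match(r"snmp-agent group v3 (\S+) ?(\S*)(.*)", ln):
            name, level, rest = m.groups()
            acl = re.search(r" acl (\d+)", rest)
            if level != "privacy":
                findings.append(f"group {name}: level is {level or 'unset'}, not privacy")
            if not acl or acl.group(1) not in acls:
                findings.append(f"group {name}: no ACL from this file is bound")
        elif m := USER_RE.match(ln):
            user = users.setdefault(m.group(1), {})
            if m.group(2):
                user[m.group(2)] = m.group(3)
        elif m := re.match(r"snmp-agent target-host trap .*securityname (\S+) (.*)", ln):
            users.setdefault(m.group(1), {})  # an undefined trap user fails the user checks
            if m.group(2).split()[:2] != ["v3", "privacy"]:
                findings.append(f"trap host for {m.group(1)}: not sent as v3 privacy")
    for name, user in users.items():
        # Assumption: accept only the algorithm families this page uses (sha2-*, aes*).
        for key, prefix in (("authentication-mode", "sha2-"), ("privacy-mode", "aes")):
            if not user.get(key, "").startswith(prefix):
                findings.append(f"user {name}: {key} missing or not {prefix}*")
        if "group" not in user:
            findings.append(f"user {name}: not assigned to a group")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```
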
Copyright © Huawei Technologies Co., Ltd.