The snmp-agent group command creates an SNMP group by mapping SNMP users to SNMP views.
The undo snmp-agent group command deletes a specified SNMP user group.
By default, no SNMP group is configured.
snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]* [ acl { acl-number | acl-name } ]
snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]* acl-ipv4 { acl-number | acl-name } [ acl-ipv6 { acl-number | acl-name } ]
snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]* acl-ipv6 { acl-number | acl-name }
undo snmp-agent group v3 group-name { authentication | privacy | noauthentication }
Parameter | Description | Value |
---|---|---|
v3 | Indicates that the SNMP group uses the security mode in SNMPv3. | - |
group-name | Specifies the name of an SNMP group. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
authentication \| privacy \| noauthentication | Indicates the security level of the SNMP group. | To ensure security, it is recommended that you set the security level of the SNMP group to privacy. |
read-view read-view | Specifies a read-only view. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. read-view is specified by the snmp-agent mib-view command. |
write-view write-view | Specifies a read-write view. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. write-view is specified by the snmp-agent mib-view command. |
notify-view notify-view | Specifies a notify view. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. notify-view is specified by the snmp-agent mib-view command. |
acl | Specifies an ACL that takes effect on both IPv4 and IPv6 networks. | - |
acl-ipv4 | Specifies an ACL that takes effect only on an IPv4 network. | - |
acl-ipv6 | Specifies an ACL that takes effect only on an IPv6 network. | - |
acl-number | Specifies the number of an ACL. | The value is an integer ranging from 2000 to 3999. |
acl-name | Specifies the name of a basic or an advanced named ACL. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter. |
Usage Scenario
SNMPv1 and SNMPv2c have serious defects in terms of security. The security authentication mechanism used by SNMPv1 and SNMPv2c is based on the community name. In this mechanism, the community name is transmitted in plain text. You are not advised to use SNMPv1 and SNMPv2c on untrusted networks.
By adopting the user-based security model, SNMPv3 eradicates the security defects in SNMPv1 and SNMPv2c and provides two services, authentication and privacy. The SNMP group name and security name determine an SNMP group. SNMPv3 defines the following security levels:
The security authentication level noAuthPriv does not exist. This is because the generation of a key is based on the authentication information and product information.
The snmp-agent group command can be used to configure the following:
If the noauthentication parameter is set, SNMP messages are neither authenticated nor encrypted. This mode is applicable only to a secure network with a fixed administrator.
To authenticate SNMP messages without encrypting them, configure the authentication parameter. This mode is applicable to secure networks managed by many administrators who may frequently perform operations on the same device. Authentication allows only the administrators with permission to access the device.
To authenticate and encrypt SNMP messages, configure the privacy parameter. This mode is applicable to insecure networks managed by many administrators who may frequently perform operations on the same device. Authentication and encryption allow only specified administrators to access the device and encrypt data before transmission. This prevents data from being tampered with or leaked.
To grant the NMS read-only permission in the specified view, configure read-view. To grant the NMS read-write permission in the specified view, configure write-view. To filter unnecessary alarms, configure notify-view. After this parameter is configured, only alarms generated on MIB objects specified by notify-view are delivered to the NMS.
By default, the read-only view of an SNMP group is the ViewDefault view, and the names of the read-write view and inform view are not specified.
To allow specified NMSs in the same SNMPv3 group to access the device, configure acl.
Configuration Impact
When you run the undo snmp-agent group command to delete an SNMP user group, you delete all SNMP users in the SNMP user group.
Precautions
To receive trap messages specified in notify-view, you need to ensure the target host for receiving SNMP traps is specified through the snmp-agent target-host trap command.
If noauthentication (no authentication and no encryption) or authentication (authentication without encryption) is configured for an SNMPv3 group, the group is exposed to security risks. To improve system security, delete the group and create a group with authentication and encryption (privacy).
To specify the same ACL on both IPv4 and IPv6 networks, you can only run the snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]* acl { acl-number | acl-name } command.
If the snmp-agent group command is run more than once to specify an ACL for the same SNMP user group, the latest configuration overrides the previous one.
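The following Python script is an added example, not Huawei's code or tooling. It parses `snmp-agent group v3` lines from a constructed configuration dump and applies the rules stated on this page: the command format, the parameter constraints from the table (group and view names of 1 to 32 characters, ACL numbers 2000 to 3999, ACL names of 1 to 64 characters starting with a letter), the security-level guidance (noauthentication and authentication-only groups should be recreated with privacy), the use of an ACL to restrict which NMSs may reach the agent, and the rule that a later `snmp-agent group` line for the same group overrides the earlier ACL binding. All function names, the sample configuration and the treatment of views on a repeated line (taken from the latest line, an assumption of this example) are this example's own.

```python
"""Audit 'snmp-agent group v3' lines from a VRP-style configuration dump.

Added example, not Huawei's code. The checks follow the command reference:
security-level semantics, parameter constraints, the ACL recommendation and
the "latest configuration overrides the previous one" rule for ACLs.
"""
import shlex

# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """\
snmp-agent
snmp-agent mib-view excluded public 1.3.6.1.2.1
snmp-agent group v3 Johngroup privacy read-view public
snmp-agent group v3 Johngroup privacy read-view public acl 2001
snmp-agent group v3 Johngroup privacy read-view public acl-ipv4 2005 acl-ipv6 2006
snmp-agent group v3 legacygrp noauthentication read-view public
snmp-agent group v3 opsgroup authentication read-view public write-view private acl 3999
snmp-agent group v3 badgroup privacy acl 4000
"""

# Risk description per security level; privacy is the recommended level.
LEVEL_RISK = {
    "noauthentication": "no authentication and no encryption",
    "authentication": "authentication without encryption",
    "privacy": None,
}
VIEW_KEYWORDS = ("read-view", "write-view", "notify-view")
ACL_KEYWORDS = ("acl", "acl-ipv4", "acl-ipv6")


def check_name(value):
    """Group and view names: 1 to 32 characters (spaces only inside quotes,
    which shlex has already stripped)."""
    return 1 <= len(value) <= 32


def check_acl_ref(value):
    """ACL number 2000-3999, or a name of 1 to 64 characters without spaces
    that starts with a letter."""
    if value.isdigit():
        return 2000 <= int(value) <= 3999
    return 1 <= len(value) <= 64 and value[0].isalpha() and " " not in value


def parse_group_line(line):
    """Return a dict for one 'snmp-agent group v3' line, or None otherwise.
    shlex handles the double-quoted names the reference allows."""
    tokens = shlex.split(line)
    if tokens[:3] != ["snmp-agent", "group", "v3"] or len(tokens) < 5:
        return None
    name, level, rest = tokens[3], tokens[4], tokens[5:]
    if level not in LEVEL_RISK:
        raise ValueError(f"unknown security level {level!r} in: {line}")
    if len(rest) % 2:
        raise ValueError(f"keyword without a value in: {line}")
    entry = {"name": name, "level": level, "views": {}, "acl": {}}
    for keyword, value in zip(rest[::2], rest[1::2]):
        if keyword in VIEW_KEYWORDS:
            entry["views"][keyword] = value
        elif keyword in ACL_KEYWORDS:
            entry["acl"][keyword] = value
        else:
            raise ValueError(f"unexpected keyword {keyword!r} in: {line}")
    return entry


def audit_config(text):
    """Walk the configuration in order. Each finding is (line number, group,
    message). The effective state of a group is the latest line seen, so a
    later ACL binding replaces an earlier one, as the reference states."""
    groups, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_group_line(raw.strip()) if raw.strip() else None
        if entry is None:
            continue
        group = entry["name"]
        if not check_name(group):
            findings.append((lineno, group, "group name must be 1 to 32 characters"))
        for keyword, view in entry["views"].items():
            if not check_name(view):
                findings.append((lineno, group, f"{keyword} {view}: view name must be 1 to 32 characters"))
        for keyword, ref in entry["acl"].items():
            if not check_acl_ref(ref):
                findings.append((lineno, group, f"{keyword} {ref}: ACL number must be 2000-3999 or a valid ACL name"))
        risk = LEVEL_RISK[entry["level"]]
        if risk:
            findings.append((lineno, group, f"security level {entry['level']} ({risk}); recreate the group with privacy"))
        if not entry["acl"]:
            findings.append((lineno, group, "no ACL bound: access is not restricted to specified NMSs"))
        groups[group] = entry  # latest line wins (ACL override rule from the reference)
    return groups, findings


if __name__ == "__main__":
    effective, issues = audit_config(SAMPLE_CONFIG)
    for name, entry in effective.items():
        print(f"{name}: level={entry['level']} views={entry['views']} acl={entry['acl']}")
    for lineno, name, message in issues:
        print(f"line {lineno} [{name}]: {message}")
```

Run against the sample, the script reports the effective Johngroup binding as the IPv4/IPv6 pair from the last line (the earlier `acl 2001` is overridden), flags legacygrp and opsgroup for their security levels, and rejects the out-of-range ACL number on badgroup.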
# Create an SNMPv3 group named Johngroup to authenticate and encrypt SNMP messages, and set the read-only view of the SNMPv3 group to public.
```text
<HUAWEI> system-view
[HUAWEI] snmp-agent
[HUAWEI] snmp-agent mib-view excluded public 1.3.6.1.2.1
[HUAWEI] snmp-agent group v3 Johngroup privacy read-view public
```
# Create an SNMPv3 group named Johngroup to authenticate and encrypt SNMP messages, and set the read-write view (write-view) of the SNMPv3 group to private.
```text
<HUAWEI> system-view
[HUAWEI] snmp-agent
[HUAWEI] snmp-agent mib-view included private 1.3.6.1.2.1
[HUAWEI] snmp-agent group v3 Johngroup privacy write-view private
```