The snmp-agent group command creates an SNMP user group by mapping SNMP users to the SNMP view.
The undo snmp-agent group command deletes a specified SNMP user group.
By default, the snmp-agent group v3 group-name command does not contain the authentication or privacy parameter.
Parameter | Description | Value |
---|---|---|
group-name | Specifies the name of an SNMP user group. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When quotation marks are used around the string, spaces are allowed in the string. |
authentication | Indicates that messages are authenticated without being encrypted. | - |
privacy | Indicates that messages are authenticated and encrypted. | - |
noauthentication | Indicates that no encryption or authentication is performed for an SNMP group to be configured. | - |
read-view read-view | Specifies a read-only view. The view must have been created using the snmp-agent mib-view { excluded \| included } view-name oid-tree command. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. read-view is specified using the snmp-agent mib-view command. The NMS can read a MIB node in the read-view. If read-view is not configured, the NMS will read the ViewDefault by default. You can run display snmp-agent mib-view to view the default view. When quotation marks are used around the string, spaces are allowed in the string. |
write-view write-view | Specifies a read-write view. The view must have been created using the snmp-agent mib-view { excluded \| included } view-name oid-tree command. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. write-view is specified using the snmp-agent mib-view command. The NMS can write and read a MIB node in the write-view. When quotation marks are used around the string, spaces are allowed in the string. |
notify-view notify-view | Specifies a notify view. The view must have been created using the snmp-agent mib-view { excluded \| included } view-name oid-tree command. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. notify-view is specified using the snmp-agent mib-view command. The MIB node information in the notify-view can be carried in alarms and sent to an NMS. When quotation marks are used around the string, spaces are allowed in the string. |
acl acl-number | Specifies the number of a basic ACL, which can be an ACL4 or ACL6 number. | The value is an integer ranging from 2000 to 2999. |
acl acl-name | Specifies the name of a named basic ACL. If no matching rule is configured for the referenced ACL, the matching rule is permit by default. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive). |
v3 | Indicates that the SNMP user group uses the security mode in SNMPv3. | - |
Usage Scenario
SNMPv1 and SNMPv2c have serious security defects. Their security authentication mechanism is based on a community name, which is transmitted in plaintext and is therefore easy to obtain. Do not use SNMPv1 or SNMPv2c on untrusted networks.
In the user-based security model, SNMPv3 eradicates security defects in SNMPv1 and SNMPv2c and provides authentication and privacy services. The user-based security model defines the following three security authentication levels:
The security authentication level noAuthPriv does not exist. This is because the generation of a key is based on the authentication information and product information.
The snmp-agent group command can be used to configure the following information:
To configure the AuthNoPriv authentication level and read permission for an SNMP group, run the snmp-agent group authentication read-view command.
To configure the AuthPriv authentication level and read-write permission for an SNMP group, run the snmp-agent group privacy write-view command. You can set the authentication mode of SNMP users to Message-Digest Algorithm 5 (MD5) or Secure Hash Algorithm (SHA) and the privacy mode to Data Encryption Standard 56 (DES56), Triple Data Encryption Standard 168 (3DES168), Advanced Encryption Standard 128 (AES128), Advanced Encryption Standard 192 (AES192), or Advanced Encryption Standard 256 (AES256).
Configuration Impact
After you run the undo snmp-agent group command to delete an SNMP user group, information about all SNMP users in the SNMP user group is deleted.
You can run the snmp-agent usm-user command to configure an authentication mode and an encrypted string for users in an SNMP user group only after the authentication and encryption functions are enabled for the SNMP user group.
Follow-up Procedure
After configuring the SNMP user group, run the snmp-agent mib-view command to create a MIB view and configure access control for the view. You can run the snmp-agent usm-user command to add a user to the SNMP user group and configure MIB-view-based access permission for the SNMP user. This ensures that SNMP users in an SNMP user group have the same security level and access control list.
Precautions
To enable the device to receive trap or Inform messages specified in , ensure that the following configurations are complete:
<HUAWEI> system-view
[~HUAWEI] snmp-agent group v3 Johngroup authentication

<HUAWEI> system-view
[~HUAWEI] snmp-agent group v3 Johngroup privacy

<HUAWEI> system-view
[~HUAWEI] snmp-agent mib-view included mib2view 1.3.6.1.2.1
[*HUAWEI] snmp-agent group v3 Johngroup privacy read-view mib2view

<HUAWEI> system-view
[~HUAWEI] snmp-agent mib-view included mib2view 1.3.6.1.2.1
[*HUAWEI] snmp-agent group v3 Johngroup privacy write-view mib2view
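
The following audit script is an added example, not part of the Huawei command reference. It reads configuration lines and flags SNMPv3 groups whose security level or view settings deserve review, using the defaults described above (no keyword means no authentication or encryption; no read-view means ViewDefault). The keyword-based parsing, the finding texts and the sample configuration are assumptions made for illustration.

```python
import shlex

# Keyword -> security level. With no keyword the group is NoAuthNoPriv, since
# the command carries no authentication or privacy parameter by default.
LEVELS = {"privacy": "AuthPriv", "authentication": "AuthNoPriv",
          "noauthentication": "NoAuthNoPriv"}
OPTIONS = ("read-view", "write-view", "notify-view", "acl")

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
snmp-agent mib-view included mib2view 1.3.6.1.2.1
snmp-agent group v3 Johngroup privacy read-view mib2view acl 2001
snmp-agent group v3 "ops team" authentication write-view mib2view
snmp-agent group v3 legacy
"""

def parse_group(line):
    """Parse one 'snmp-agent group v3 ...' line; None for any other line."""
    try:
        tok = shlex.split(line)            # quoted names may contain spaces
    except ValueError:                     # unbalanced quotes
        return None
    if len(tok) < 4 or tok[:3] != ["snmp-agent", "group", "v3"]:
        return None
    grp = {"name": tok[3], "level": "NoAuthNoPriv"}
    i = 4
    while i < len(tok):
        if tok[i] in OPTIONS and i + 1 < len(tok):
            grp[tok[i]] = tok[i + 1]
            i += 1                         # consume the option's value too
        elif tok[i] in LEVELS:
            grp["level"] = LEVELS[tok[i]]
        i += 1
    return grp

def audit(config_text):
    """Return (group name, finding) pairs for groups that need review."""
    out = []
    for grp in filter(None, map(parse_group, config_text.splitlines())):
        name, level = grp["name"], grp["level"]
        if level != "AuthPriv":
            out.append((name, level + ": messages are not encrypted"))
        if "write-view" in grp and level != "AuthPriv":
            out.append((name, "write-view granted without privacy"))
        if "read-view" not in grp:
            out.append((name, "no read-view: reads fall back to ViewDefault"))
        if "acl" not in grp:
            out.append((name, "no ACL bound to the group"))
    return out
```

Calling `audit(SAMPLE)` returns no findings for Johngroup and lists the "ops team" and legacy groups for review.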