Configuring Basic SNMPv3 Functions

After basic SNMP functions are configured, the NMS can perform basic operations, such as Get and Set operations on the managed device, and the managed device can send alarms to the NMS.

Context

The NMS can communicate with managed devices after basic SNMPv3 functions have been configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run snmp-agent password min-length min-length

    The minimum SNMP password length is configured.

    After this command is run, the length of any configured SNMP password must be greater than or equal to the configured minimum SNMP password length.

  3. (Optional) Run snmp-agent

    The SNMP agent function is enabled.

    This step is optional because the SNMP agent function is enabled by running any snmp-agent command, irrespective of whether any parameter is specified.

  4. (Optional) Run snmp-agent udp-port port-number

    The UDP port number on which the SNMP agent listens is changed.

  5. (Optional) Run snmp-agent sys-info version v3

    The SNMP version is configured.

  6. Run snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ] * [ acl { acl-number | acl-name } ]

    An SNMPv3 user group is configured.

    If the NMS and network devices are in an insecure environment (for example, the network is vulnerable to attacks), authentication or privacy can be configured in the command to enable data authentication or privacy.

    The available authentication and privacy modes are as follows:
    • No authentication and no privacy: noauthentication is configured in the command, so neither authentication nor privacy applies. This mode is applicable to secure networks managed by a single, specified administrator.

    • Authentication without privacy: Only authentication is configured in the command. This mode is applicable to secure networks managed by many administrators who may frequently perform operations on the same device. In this mode, only the authenticated administrators can access the managed device.

    • Authentication and privacy: privacy is configured in the command. This mode is applicable to insecure networks managed by many administrators who may frequently perform operations on the same device. In this mode, only the authenticated administrators can access the managed device, and transmitted data is encrypted to guard against tampering and data leakage.

    Configure read-view in the command if the NMS administrator needs only read permission on a specified view, for example, a low-level administrator who needs to read certain data.

    Configure write-view in the command if the NMS administrator needs read and write permission on a specified view, for example, a high-level administrator who needs to read and write certain data.

    Configure notify-view in the command if you want to filter out irrelevant alarms and have the managed device send only the alarms of specified MIB objects to the NMS. If the parameter is configured, only the alarms of the MIB objects specified by notify-view are sent to the NMS.

  7. (Optional) Run snmp-agent local-engineid engineid

    An engine ID for the local SNMP entity is set.

    The MAC address of the management interface on the main control board is used as the device information part of the engine ID.

    To improve system security, run the snmp-agent packet contextengineid-check enable command to check whether the contextEngineID is consistent with the local engine ID.

  8. Run the following commands as needed:

    • On an IPv4 network, a managed device can send alarms in Inform or trap mode.

      The difference between alarms in trap and Inform modes is as follows:

      • A managed device does not need to receive a response from the NMS when sending an alarm in trap mode. Therefore, no remote engine ID needs to be configured on the managed device.

      • A managed device needs to receive a response from the NMS when sending an alarm in Inform mode. Therefore, specify the NMS engine ID on the managed device. The remote engine ID must be the same as the engine ID of the destination host that receives the alarm. If the managed device receives no response from the NMS within a timeout period, it resends the alarm until a response is returned or the number of alarms reaches the configured upper limit.

        The managed device sends the alarm in Inform mode and records an alarm log at the same time. If the NMS or a link fails, the NMS can synchronize alarms generated during this period after the fault is rectified.

      Therefore, an alarm sent in Inform mode is more reliable than one sent in trap mode. However, because of the retransmission mechanism, the device must cache a large number of alarm messages, which consumes a large amount of memory.

      If the network environment is stable, sending alarms in trap mode is recommended. If device resources are sufficient and the network environment is unstable, sending alarms in Inform mode is recommended.

      The same destination host cannot be configured for Inform and trap messages. If the Inform and trap messages share the same destination host, the latest configuration overrides the previous configuration.

      Configure an alarm in trap mode.

      1. Run snmp-agent usm-user v3 user-name group-name [ authentication-mode authen-protocol authKey [ privacy-mode privacy-protocol privKey ] ] [ acl { acl-number | acl-name } ]

        An SNMP USM user is configured, and the authentication mode, encryption mode, and password are configured for the user.

      2. Run snmp-agent target-host [ host-name host-name ] trap address udp-domain ip-address [ [ udp-port port-number ] | [ source interface-type interface-number ] | [ public-net | vpn-instance vpn-instance-name ] ] * params securityname { security-name [ v3 [ authentication | privacy ] ] | private-netmanager | ext-vb | notify-filter-profile profile-name } *

        A destination host to which a device sends traps and error codes is specified.

      Configure an alarm in Inform mode.

      1. Run snmp-agent [ remote-engineid engine-Id ] usm-user v3 user-name group-name [ authentication-mode authen-protocol authKey [ privacy-mode privacy-protocol privKey ] ] [ acl { acl-number | acl-name } ]

        An SNMP USM user is configured, and the authentication mode, encryption mode, and password are configured for the user.

      2. Run snmp-agent target-host [ host-name host-name ] inform address udp-domain ip-address [ [ udp-port port-number ] | [ source interface-type interface-number ] | [ public-net | vpn-instance vpn-instance-name ] ] * params securityname { security-name { v3 [ authentication | privacy ] } } [ ext-vb | notify-filter-profile profile-name | private-netmanager ] *

        A destination host to which a device sends Inform alarms and error codes is specified.

    • On an IPv6 network, only trap alarms can be configured.

      1. Run snmp-agent usm-user v3 user-name group-name [ authentication-mode authen-protocol authKey [ privacy-mode privacy-protocol privKey ] ] [ acl { acl-number | acl-name } ]

        An SNMP USM user is configured, and the authentication mode, encryption mode, and password are configured for the user.

      2. Run snmp-agent target-host [ host-name host-name ] trap ipv6 address udp-domain ipv6-address [ udp-port port-number | source interface-type interface-number ] * params securityname { security-name [ v3 [ authentication | privacy ] | private-netmanager | ext-vb | notify-filter-profile profile-name ] * }

        A destination host to which a device sends traps and error codes is specified.

    The following parameters can be configured as needed:

    • udp-port needs to be configured to change the default UDP port number of 162 to a non-well-known port number to meet special requirements.

    • public-net needs to be configured to allow a device that an NMS manages to send traps through a public network to the NMS. Alternatively, vpn-instance vpn-instance-name needs to be configured to allow the device that an NMS manages to send traps through a private network to the NMS.

    • securityname needs to be configured to identify a source device that sends traps.

    • private-netmanager needs to be configured to allow alarm messages to carry more information when the NMS and the device it manages are both Huawei devices. Alarm messages can then carry the alarm type, the sequence number, and the time at which the message was sent. This information helps with fault rectification.

    • notify-filter-profile needs to be configured to allow a device to send desired alarms to the NMS host, which reduces irrelevant alarms and speeds up fault identification. notify-view needs to be configured to allow the alarm filter policy to take effect when you configure a user group.

    The password configured for an SNMP USM user is checked for complexity. If the password fails the check, the user configuration fails. You can run the snmp-agent usm-user password complexity-check disable command to disable the password complexity check. Do not disable the password complexity check, because it improves system security.

    To improve system security, it is recommended that you configure different authentication and encryption passwords for an SNMP USM user.

  9. (Optional) Run snmp-agent sys-info { contact contact | location location }

    The device administrator contact information or location is configured.

    This step lets the NMS administrator view the contact information and location of each device administrator when the NMS manages many devices, which helps the NMS administrator contact the device administrators for fault location and rectification.

  10. (Optional) Run snmp-agent packet max-size byte-count

    The maximum size of an SNMP packet that the device can receive or send is set.

    After the maximum size is set, the device discards any SNMP packet that is larger than the set size.

  11. Configure SNMP to receive and respond to NMS request packets. To achieve this, run one or more of the following commands as needed.

    • Run snmp-agent protocol source-interface interface-type interface-number

      A source interface is configured for SNMP to receive and respond to NMS request packets.

    • Run snmp-agent protocol source all-interface

      All interfaces on the device are configured for SNMP to receive and respond to NMS request packets.

    • Run snmp-agent protocol physic-isolate source-interface protocol-interface-name source-ip ip-address

      An isolated source address is specified for SNMP to receive and respond to NMS request packets.

      After the interface isolation attribute is set successfully, packets can be sent to the server only through the specified physical interface, and those sent through other interfaces are discarded.

    • Run snmp-agent protocol ipv6 source-ip ip-address

      An IPv6 source address is configured for SNMP to receive and respond to NMS request packets.

    • Run snmp-agent protocol ipv6 physic-isolate source-interface protocol-interface-name source-ip ip-address

      An isolated IPv6 source address is specified for the SNMP proxy to receive and respond to requests from the CCU.

    • Run snmp-agent protocol source ipv6 all-interface

      All IPv6 addresses on the device are configured for SNMP to receive and respond to NMS request packets.

    • Configure SNMP to receive and respond to NMS request packets through a VPN instance or public network.
      • For an IPv4 network, run the snmp-agent protocol { vpn-instance vpn-instance-name | public-net } command.
      • For an IPv6 network, run the snmp-agent protocol ipv6 { vpn-instance vpn-instance-name | public-net } command.

    In scenarios such as unnumbered interfaces, if an isolated source interface and a common (non-isolated) source interface are configured to listen on the same IP address and VPN instance, the common source interface takes effect. When the TCP listening mode is set to all-interface and an isolated source interface is configured, the isolated source interface takes effect if a packet matches it based on the 5-tuple matching rule; otherwise, the all-interface configuration takes effect. The source IP address specified for the isolated source interface does not need to be the interface's own IP address.

  12. (Optional) Run snmp-agent extend error-code enable

    The extended error code function is enabled.

  13. Run snmp-agent set-cache enable

    The SET Response message caching function is enabled.

  14. (Optional) Run snmp-agent protocol get-bulk timeout time

    The get-bulk operation timeout period is configured.

    You are not advised to change the get-bulk operation timeout period; the default value is recommended. If you do reconfigure it, ensure that the configured period is shorter than the NMS's timeout period.

  15. (Optional) Run snmp-agent protocol server [ ipv4 | ipv6 ] disable

    The SNMP IPv4 or IPv6 listening port is disabled.

    After you disable the SNMP IPv4 or IPv6 listening port using the snmp-agent protocol server disable command, SNMP no longer processes SNMP packets. Exercise caution when you disable the SNMP IPv4 or IPv6 listening port.

  16. (Optional) Configure SNMP proxy for receiving and responding to requests from the CCU.

  17. Run commit

    The configuration is committed.
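The following is a worked configuration that applies the procedure above end to end, added here as an example and not taken from the original page: an authentication-and-privacy SNMPv3 group restricted by an ACL, a USM user with separate authentication and privacy passwords, context engine ID checking, a trap destination, and a single source interface for NMS requests. The group name NMS-ADMIN, user name nms-admin, ACL 2000, NMS address 10.1.1.100, interface GigabitEthernet0/0/0, the <...> password placeholders, and the sha2-256/aes128 protocol keywords (the keywords actually available depend on the device version) are all assumptions.

```text
# Added example, not from the original page; assumed names and placeholders are marked.
# ACL 2000 is assumed to exist already and to permit only the NMS source address.
<HUAWEI> system-view
# Step 2: enforce a minimum password length before any SNMP user is created.
[~HUAWEI] snmp-agent password min-length 12
# Step 5: accept only SNMPv3.
[*HUAWEI] snmp-agent sys-info version v3
# Step 6: group with authentication and privacy; the ACL limits which NMS may use it.
[*HUAWEI] snmp-agent group v3 NMS-ADMIN privacy acl 2000
# Step 7: reject packets whose contextEngineID differs from the local engine ID.
[*HUAWEI] snmp-agent packet contextengineid-check enable
# Step 8 (trap mode): USM user with different authentication and privacy passwords.
# sha2-256 / aes128 are assumed protocol keywords; <AUTH-PASSWORD> and <PRIV-PASSWORD> are placeholders.
[*HUAWEI] snmp-agent usm-user v3 nms-admin NMS-ADMIN authentication-mode sha2-256 <AUTH-PASSWORD> privacy-mode aes128 <PRIV-PASSWORD> acl 2000
# Step 8 (trap mode): trap destination; traps are sent at the user's privacy level.
[*HUAWEI] snmp-agent target-host host-name nms1 trap address udp-domain 10.1.1.100 params securityname nms-admin v3 privacy
# Step 9: contact and location shown to the NMS administrator (assumed values).
[*HUAWEI] snmp-agent sys-info contact noc@example.com location DC1-rack12
# Step 11: answer NMS requests only on the management interface.
[*HUAWEI] snmp-agent protocol source-interface GigabitEthernet0/0/0
# Step 13: cache SET responses.
[*HUAWEI] snmp-agent set-cache enable
# Step 17: commit the two-stage configuration.
[*HUAWEI] commit
[~HUAWEI]
```

A group configured with noauthentication, or a USM user created without privacy-mode, would leave the NMS traffic readable and unauthenticated on the wire, which is why the group here uses privacy and the user sets both modes.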

Follow-up Procedure

After the configuration is complete, the NMS and managed device can communicate.

  • Access control allows any NMS in the configured SNMPv3 user group to monitor and manage all the objects on the managed device.

  • The managed device sends alarms generated by the modules that are open by default to the NMS.

If finer device management is required, follow directions below to configure the managed device:

Copyright © Huawei Technologies Co., Ltd.