Configuring Basic SNMPv3 Functions

Basic SNMPv3 functions can be configured to allow an NMS to monitor and operate a managed device.

Context

Before a local SNMPv3 user is configured on a device to communicate with an NMS, the user must be added to a user group on the AAA side, and the user group must be associated with a specific task group. A task group consists of multiple tasks, and each task is mapped to a MIB object that is granted read and write permissions. Users assigned a specific task obtain the specified read and write permissions on MIB objects.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    AAA is enabled, and the AAA view is displayed.

  3. Run task-group task-group-name

    A task group is created, and the task group view is displayed.

  4. Run task snmp { debug | execute | read | write } *

    A task is added to the task group and granted permissions.

    Each MIB object is associated with a specific task. Performing this step grants users permissions to MIB objects.

  5. Run quit

    The AAA view is displayed.

  6. Run user-group user-group-name

    A user group is created, and the user group view is displayed.

  7. Run task-group task-group-name

    The user group is associated with a task group.

  8. Run quit

    The AAA view is displayed.

  9. Run local-user user-name password [ cipher password | irreversible-cipher irreversible-cipher-password ]

    A local user is created, and a password is set for the user to log in to the device.

    If an AAA user is configured as a local SNMP user, the user-name value is a string of 1 to 32 characters.

  10. Run local-user user-name user-group user-group-name

    The local user is added to a user group.

    A user group can be used by multiple local users. A local user belongs only to one user group.

  11. Run local-user user-name service-type snmp

    The access type of the local user is set to SNMP.

  12. Run quit

    The system view is displayed.

  13. (Optional) Run snmp-agent

    The SNMP agent function is enabled.

    This step is optional because the SNMP agent function is enabled by running any snmp-agent command, irrespective of whether any parameter is specified.

  14. Run snmp-agent password min-length min-length

    The minimum SNMP password length is configured.

    After this command is run, the length of any configured SNMP password must be greater than or equal to the minimum SNMP password length.

  15. (Optional) Run snmp-agent udp-port port-number

    The port number on which the SNMP agent listens is changed.

  16. (Optional) Run snmp-agent sys-info version v3

    The SNMP version is configured.

  17. Run snmp-agent local-user v3 user-name authentication-mode authen-protocol { privacy-mode privacy-protocol | cipher authKey privacy-mode privacy-protocol cipher privKey }

    Local SNMP user information is configured.

    The authentication password configured for an AAA user can be different from that for a local SNMP user. Deleting a local AAA user causes the local SNMP user to also be deleted. Deleting a local SNMP user, however, does not affect the local AAA user.

    The priority of an SNMP USM user is higher than that of a local SNMP user. If an SNMP USM username is the same as a local SNMP username but different authentication and encryption passwords are configured for the users, the authentication and encryption passwords configured for the SNMP USM user are used for login.

    By default, a device checks the complexity of the local users' authentication and encryption passwords. If the passwords fail the check, the user configuration fails. To disable the password complexity check, run the snmp-agent local-user password complexity-check disable command. It is recommended that the complexity check be enabled to ensure system security.

    To improve system security, you are advised to configure different authentication and encryption passwords for a local SNMP user.

  18. (Optional) Configure SNMP proxy for receiving and responding to requests from the CCU.

  19. (Optional) Run snmp-agent sys-info { contact contact | location location }

    The device administrator contact information or location is configured.

    Perform this step so that the NMS administrator can view the contact information and location of the device administrator when the NMS manages many devices. This helps the NMS administrator contact the device administrators for fault location and rectification.

  20. (Optional) Run snmp-agent packet max-size byte-count

    The maximum size of an SNMP packet that the device can receive or send is set.

    After the maximum size is set, the device discards any SNMP packet that is larger than the set size.

  21. Configure SNMP to receive and respond to NMS request packets. To achieve this, run one or more of the following commands as needed.

    • Run snmp-agent protocol source-interface interface-type interface-number

      A source interface is configured for SNMP to receive and respond to NMS request packets.

    • Run snmp-agent protocol source all-interface

      All interfaces on the device are configured for SNMP to receive and respond to NMS request packets.

    • Run snmp-agent protocol physic-isolate source-interface protocol-interface-name source-ip ip-address

      An isolated source address is specified for SNMP to receive and respond to NMS request packets.

      After the interface isolation attribute is set successfully, packets can be sent to the server only through the specified physical interface, and those sent through other interfaces are discarded.

    • Run snmp-agent protocol ipv6 source-ip ip-address

      An IPv6 source address is configured for SNMP to receive and respond to NMS request packets.

    • Run snmp-agent protocol ipv6 physic-isolate source-interface protocol-interface-name source-ip ip-address

      An isolated IPv6 source address is specified for the SNMP proxy to receive and respond to requests from the CCU.

    • Run snmp-agent protocol source ipv6 all-interface

      All IPv6 addresses on the device are configured for SNMP to receive and respond to NMS request packets.

    • Configure SNMP to receive and respond to NMS request packets through a VPN instance or public network.
      • For an IPv4 network, run the snmp-agent protocol { vpn-instance vpn-instance-name | public-net } command.
      • For an IPv6 network, run the snmp-agent protocol ipv6 { vpn-instance vpn-instance-name | public-net } command.

    In scenarios such as unnumbered interfaces, if an isolated source interface and a common source interface (non-isolated source interface) are configured to listen to the same IP address and VPN instance, the common source interface takes effect. When the TCP listening mode is set to all-interface and an isolated source interface is configured, the isolated source interface takes effect if it is matched based on the 5-tuple matching rule; the all-interface configuration takes effect if the isolated source interface is not matched based on the 5-tuple matching rule. The source IP address specified for the isolated source interface does not need to be the interface's IP address.

  22. (Optional) Run snmp-agent local-engineid engineid

    An engine ID for the local SNMP entity is set.

    The MAC address of the management interface on the main control board is used as device information.

    To improve system security, run the snmp-agent packet contextengineid-check enable command to check whether the contextEngineID is consistent with the local engine ID.

  23. Run snmp-agent set-cache enable

    The SET Response message caching function is enabled.

  24. (Optional) Run snmp-agent protocol server [ ipv4 | ipv6 ] disable

    The SNMP IPv4 or IPv6 listening port is disabled.

    After you disable the SNMP IPv4 or IPv6 listening port using the snmp-agent protocol server disable command, SNMP no longer processes SNMP packets. Exercise caution when you disable the SNMP IPv4 or IPv6 listening port.

  25. Run commit

    The configuration is committed.
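
An added example, not part of the original page or of Huawei's tooling: a small Python check that scans configuration text for the security-relevant snmp-agent settings this procedure mentions (password complexity check, contextEngineID check, all-interface listening, minimum password length, SNMP version). The sample configuration is constructed from the command syntax shown in the steps above, and the required_min_length policy value and the finding names are assumptions.

```python
import re

# Constructed sample: lines follow the command syntax documented on this page;
# they are not output captured from a real device.
SAMPLE_CONFIG = """\
snmp-agent
snmp-agent sys-info version v3
snmp-agent password min-length 8
snmp-agent local-user password complexity-check disable
snmp-agent protocol source all-interface
snmp-agent set-cache enable
"""

def audit_snmp_config(text, required_min_length=12):
    """Return a sorted list of finding IDs for the snmp-agent lines in `text`.

    required_min_length is a site policy value (assumption), not a device default.
    """
    lines = [" ".join(ln.split()) for ln in text.splitlines()]
    lines = [ln for ln in lines if ln.startswith("snmp-agent")]
    findings = set()

    # The page recommends keeping the password complexity check enabled.
    if "snmp-agent local-user password complexity-check disable" in lines:
        findings.add("complexity-check-disabled")

    # The page recommends enabling the contextEngineID consistency check.
    if "snmp-agent packet contextengineid-check enable" not in lines:
        findings.add("contextengineid-check-missing")

    # all-interface makes the agent answer NMS requests on every interface.
    if any(re.fullmatch(r"snmp-agent protocol source (ipv6 )?all-interface", ln)
           for ln in lines):
        findings.add("listens-on-all-interfaces")

    # A minimum password length must be configured and meet site policy.
    lengths = [int(m.group(1)) for ln in lines
               if (m := re.fullmatch(r"snmp-agent password min-length (\d+)", ln))]
    if not lengths or min(lengths) < required_min_length:
        findings.add("min-length-below-policy")

    # Flag any version setting other than v3 alone.
    for ln in lines:
        m = re.fullmatch(r"snmp-agent sys-info version (.+)", ln)
        if m and m.group(1).split() != ["v3"]:
            findings.add("non-v3-version-enabled")

    return sorted(findings)
```

Calling audit_snmp_config(SAMPLE_CONFIG) on the constructed sample reports four findings; a configuration that enables the contextEngineID check, uses a specific source interface, and meets the length policy reports none.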

Copyright © Huawei Technologies Co., Ltd.