When eSight Uses SNMPv3 to Manage S7700 Switches, It Cannot Receive Port Alarms

Publication Date: 2015-11-20
Issue Description
When eSight uses SNMPv3 to manage S7700 switches, it cannot receive port alarms. However, the SNMP test succeeds.



SNMP configuration on the switch:

snmp-agent sys-info version v3
snmp-agent group v3 huawei privacy read-view View_ALL write-view View_ALL notify-view View_ALL
snmp-agent target-host trap address udp-domain 172.28.21.131 params securityname huawei v3
snmp-agent mib-view included View_ALL iso
snmp-agent usm-user v3 huawei huawei authentication-mode md5 %$%$FsfeGKkw>PP.fXM>qar&e.%y%$%$ privacy-mode des56 %$%$FsfeGKkw>PP.fXM>qar&e.%y%$%$
snmp-agent trap enable
Handling Process
Test the SNMP configuration on the switch. The test succeeds.

Reproduce the fault, and confirm that a trap indicating port Down is generated on the switch.

#Jul 28 2014 09:55:56 FY-SVR-S7703-2 IFNET/1/IF_PVCDOWN:OID 1.3.6.1.6.3.1.1.5.3 Interface 77 turned into DOWN state.(AdminStatus 2,OperStatus 2,InterfaceName GigabitEthernet1/0/22)

Modify the SNMP configuration on the switch. After the modification, the switch sends the port alarm normally.

snmp-agent sys-info version v3
snmp-agent group v3 huawei privacy read-view View_ALL write-view View_ALL notify-view View_ALL
snmp-agent target-host trap address udp-domain 172.28.21.131 params securityname huawei v3 privacy //Configure the security option in this command to be the same as the SNMP group.
snmp-agent mib-view included View_ALL iso
snmp-agent usm-user v3 huawei huawei authentication-mode md5 %$%$FsfeGKkw>PP.fXM>qar&e.%y%$%$ privacy-mode des56 %$%$FsfeGKkw>PP.fXM>qar&e.%y%$%$
snmp-agent trap enable
Root Cause
The command for sending alarms using SNMPv3 is as follows:

[Huawei]snmp-agent target-host trap  address udp-domain 172.28.21.131 params securityname huawei v3 ?
   authentication      Specify the securityLevel of AuthNoPriv
   privacy             Specify the securityLevel of AuthPriv
   private-netmanager  Specify the target to huawei host
   <cr>

If a security option has been configured for the user group (snmp-agent group) of SNMPv3, the authentication or privacy parameter must be specified to authenticate or encrypt the traps.

If the authentication or privacy parameter is specified in the target-host command, traps need to be authenticated or encrypted. Otherwise, traps are not authenticated or encrypted. If the security option for the user group differs from that in the target-host command, the switch cannot report alarms.
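
The mismatch described above can be checked offline against a saved configuration. The following is an added example, not Huawei or eSight code: it assumes securityname refers to a usm-user whose group is defined in the same configuration, and that a missing authentication/privacy keyword means the traps are neither authenticated nor encrypted. The function and variable names are illustrative.

```python
# Added example (not vendor code): flag SNMPv3 trap targets whose security
# level differs from the level of the user's group, the mismatch described above.
LEVELS = ("authentication", "privacy")

# Constructed sample: the failing configuration from this article, with the
# cipher strings replaced by a placeholder.
FAILING = """\
snmp-agent sys-info version v3
snmp-agent group v3 huawei privacy read-view View_ALL write-view View_ALL notify-view View_ALL
snmp-agent target-host trap address udp-domain 172.28.21.131 params securityname huawei v3
snmp-agent usm-user v3 huawei huawei authentication-mode md5 <cipher> privacy-mode des56 <cipher>
"""
# The corrected configuration: same lines, with "privacy" added to target-host.
FIXED = FAILING.replace("securityname huawei v3", "securityname huawei v3 privacy")


def _level(tokens):
    """Return the level keyword in tokens, or "none" when none is given."""
    return next((t for t in tokens if t in LEVELS), "none")


def check_trap_levels(config):
    """Return (target_ip, securityname, host_level, group_level) per mismatch."""
    groups, users, hosts = {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["snmp-agent", "group", "v3"] and len(t) > 3:
            groups[t[3]] = _level(t[4:5])          # group name -> level
        elif t[:3] == ["snmp-agent", "usm-user", "v3"] and len(t) > 4:
            users[t[3]] = t[4]                      # user name -> group name
        elif (t[:3] == ["snmp-agent", "target-host", "trap"]
              and "udp-domain" in t and "securityname" in t):
            i = t.index("securityname")
            if t[i + 2:i + 3] == ["v3"]:            # only SNMPv3 targets
                ip = t[t.index("udp-domain") + 1]
                hosts.append((ip, t[i + 1], _level(t[i + 3:i + 4])))
    mismatches = []
    for ip, name, host_level in hosts:
        # "unknown" when the user or its group is not defined in this config.
        group_level = groups.get(users.get(name), "unknown")
        if host_level != group_level:
            mismatches.append((ip, name, host_level, group_level))
    return mismatches


if __name__ == "__main__":
    for cfg_name, cfg in (("failing", FAILING), ("fixed", FIXED)):
        print(cfg_name, check_trap_levels(cfg))
```
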
Suggestions
The following configuration template is recommended for configuring SNMPv3 on S-series switches.

snmp-agent sys-info version all
snmp-agent mib-view included View_ALL iso //Configure a MIB view. SNMPv3 does not provide default views; therefore, you need to specify the MIB view manually. If you do not specify a MIB view, you cannot use SNMPv3 to access related MIB nodes.
snmp-agent trap source MEth0/0/1 //Specify the interface of the switch added to eSight.
snmp-agent trap enable //Enable trap reporting.
snmp-agent target-host trap address udp-domain 10.137.61.81 params securityname user v3 privacy(authentication) //Specify the eSight IP address as the target host and set securityname to be the same as the value of usm-user. The SNMP version must be the same as that configured on the switch, and the security option must be the same as the SNMP group.
snmp-agent group v3 snmpgroup privacy(authentication) read-view View_ALL write-view View_ALL notify-view View_ALL //Configure the MIB view rights of the SNMP group. privacy indicates authentication and encryption; authentication indicates authentication without encryption; read-view, write-view, and notify-view indicate the SNMP read, write, and alarm sending rights respectively.
snmp-agent usm-user v3 user snmpgroup authentication-mode md5 Admin_123 privacy-mode des56 Admin_123 //Configure the encryption and authentication modes for the user group. You are advised to configure authentication and encryption passwords. If not, you can only query nodes under the MIB-2 sub-tree.
