CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuring the SNMP

Context

NOTE:
Using SNMPv1&v2c has potential security risks. SNMPv3 is recommended.

Configuring a Device to Communicate with an NMS by Running SNMPv1

After SNMPv1 is configured, a managed device and an NMS can run SNMPv1 to communicate with each other. To ensure communication, you need to configure the agent and NMS. This section describes the configuration on a managed device (the agent side). For details about configuration on an NMS, see the pertaining NMS operation guide.

Context

Using SNMPv1&v2c has potential security risks. SNMPv3 is recommended.
Pre-configuration Tasks

Before configuring a device to communicate with an NMS by running SNMPv1, configure a routing protocol to ensure that at least one route exists between the switch modules and the NMS.

Procedure

When you configure the device to communicate with the NMS using SNMPv1, Configuring Basic SNMPv1 Functions is mandatory; the optional steps can be performed in any sequence.

After the SNMP basic functions are configured, the NMS can communicate with managed devices.
  • The access permission of the NMS that uses the configured community name is the ViewDefault view. The internet MIB (OID: 1.3.6.1) can be operated in this view.

  • The managed device sends traps generated by the modules that are enabled by default to the NMS.

If finer device management is required, follow directions below to configure a managed device:
Configuring Basic SNMPv1 Functions

Context

For the configuration of basic SNMP functions, steps 1, 4, 5, 6 and 8 are mandatory. After the configuration is complete, basic SNMP communication can be established between the NMS and the managed device.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Run:

    snmp-agent

    The SNMP agent function is enabled.

    By default, the SNMP agent function is disabled. Executing the snmp-agent command can enable the SNMP agent function no matter whether parameters are specified in the command.

  3. (Optional) Run:

    snmp-agent udp-port port-num

    The port number of the SNMP agent is changed.

    The default port number of the SNMP agent is 161.

    To enhance device security, run the snmp-agent udp-port command to change the port number of the SNMP agent. After the port number that the SNMP agent uses to connect to the NMS is changed, ensure that the port number configured on the NMS matches the changed value; otherwise, the SNMP agent cannot connect to the NMS.

  4. Run:

    snmp-agent sys-info version v1

    The SNMP version is set to SNMPv1.

    By default, the device supports SNMPv3. After you set the SNMP version to SNMPv1, the device supports both SNMPv1 and SNMPv3, and can be managed by network management systems running SNMPv1 and SNMPv3.

  5. Run:

    snmp-agent community { read | write } { community-name | cipher community-name } [ alias alias-name ]

    The community name is set.

    By default, no community name exists in the system. The community name is saved in encrypted format in the configuration file. To facilitate identification of community names, set alias names for the communities. The alias names are stored in plain text in the configuration file.

    By default, the device checks the complexity of community names. If the check fails, the community name cannot be configured. To ensure the security of SNMP community names, you are advised not to disable the community name complexity check with the snmp-agent community complexity-check disable command.

    The device has the following requirements for community name complexity:

    • The default minimum length of a community name is eight characters.

    • A community name includes at least two kinds of characters, which can be uppercase letters, lowercase letters, digits, and special characters (excluding question marks and spaces).

    To change the access right of the NMS, see Restricting Management Rights of the NMS. Ensure that the community name of the NMS is the same as that set on the agent. If the NMS and the agent have different community names, the NMS cannot access the agent.

  6. Choose one of the following commands as needed to configure a destination IP address of the traps and error codes sent from the device.

    • To configure a destination IPv4 address for the traps and error codes sent from the device, run:

      snmp-agent target-host [ host-name host-name ] trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net } ] * params securityname { security-name | cipher security-name } [ v1 | private-netmanager | ext-vb | notify-filter-profile profile-name ] *
    • To configure a destination IPv6 address for the traps and error codes sent from the device, run:

      snmp-agent target-host [ host-name host-name ] trap ipv6 address udp-domain ipv6-address [ udp-port port-number ] params securityname { security-name | cipher security-name } [ v1 | private-netmanager | ext-vb | notify-filter-profile profile-name ] *
    Note the following when running the command:
    • The default destination UDP port number is 162. To ensure secure communication between the NMS and managed devices, run the udp-port command to change the UDP port number to a non-well-known port number.

    • The parameter securityname indicates the devices that send traps. The NMS identifies these devices according to this parameter.

  7. (Optional) Run:

    snmp-agent sys-info { contact contact | location location }

    The equipment administrator's contact information or location is configured.

    By default, the vendor's contact information is "R&D Beijing, Huawei Technologies co.,Ltd.". The default location is "Beijing China".

    This step is required for the NMS administrator to view contact information and locations of the equipment administrator when the NMS manages many devices. This helps the NMS administrator to contact the equipment administrators for fault location and rectification.

  8. Run:

    commit

    The configuration is committed.

(Optional) Restricting Management Rights of the NMS

Context

When multiple NMSs using the same community name manage one device, perform this configuration based on the site requirements.

Scenario: The NMS accesses the ViewDefault view of the managed device.

Steps:
  • All NMSs access the ViewDefault view of the managed device: no action required.

  • NMS filtering is required: 1, 2, 5 (based on SNMP agent); 1, 4, 5 (based on community name); 1, 2, 4, 5 (based on SNMP agent and community name).

Scenario: The NMS accesses the specified node on the managed device.

Steps:
  • All NMSs access the specified node on the managed device: 1, 3, 5.

  • NMS filtering is required: 1, 2, 3, 5 (based on SNMP agent); 1, 3, 4, 5 (based on community name); 1, 2, 3, 4, 5 (based on SNMP agent and community name).

NOTE:

The ViewDefault view is the 1.3.6.1 view.

When an ACL is used to control the NMS access rights, the constraints are as follows:
  • When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device.

  • When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.

  • If a packet matches no ACL rule, the NMS that sends the packet cannot access the local device.

  • When no ACL rule is configured, all NMSs can access the local device.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure NMS filtering based on SNMP agent.
    1. Configure the basic ACL.

      Before configuring the access control rights, you must create a basic ACL. For the creation procedure, see "ACL Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide-Security.

    2. Run:

      snmp-agent acl { acl-number | acl-name }

      An ACL is configured for SNMP.

      By default, no ACL is configured for SNMP.

  3. Run:

    snmp-agent mib-view { excluded | included } view-name oid-tree

    A MIB view is created, and manageable MIB objects are specified.

    By default, an NMS has the right to access the objects in the ViewDefault view.

    The excluded and included parameters are applicable to the following scenarios:

    • excluded: If a few MIB objects on the device or some objects in the current MIB view do not or no longer need to be managed by the NMS, configure excluded in the command to exclude these MIB objects.

    • included: If a few MIB objects on the device or some objects in the current MIB view need to be managed by the NMS, configure included in the command to include these MIB objects.

    If you run this command multiple times, the new configuration overwrites the original configuration when the values of view-name and oid-tree are the same; when the values differ, both the new and original configurations take effect.

    If both the included and excluded parameters are configured for MIB objects that have an inclusion relationship, the parameter configured for the lowest MIB object determines whether that object is included or excluded. For example, the snmpV2, snmpModules, and snmpUsmMIB objects are nested from top to bottom in the MIB tree. If excluded is configured for snmpUsmMIB and included is configured for snmpV2, snmpUsmMIB objects are still excluded.

  4. Configure NMS filtering based on community name.
    1. (Optional) Configure the basic ACL.

      Before configuring the access control rights, you must create a basic ACL. For the creation procedure, see "ACL Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide-Security.

    2. Run:

      snmp-agent community { read | write } { community-name | cipher community-name } [ mib-view view-name | acl { acl-number | acl-name } ] *

      The NMS's access rights are specified.

      By default, the community name has the right of the ViewDefault view.

  5. Run:

    commit

    The configuration is committed.

Follow-up Procedure

After the access rights are configured, especially after the IP address of the NMS is specified, if the IP address changes (for example, the NMS moves to a different location, or IP addresses are reallocated during a network adjustment), you must update the IP address of the NMS in the ACL. Otherwise, the NMS cannot access the device.

(Optional) Configuring the Trap Function

Context

Users can enable the trap function for a specified module. The interface status trap is generated when the interface status changes. You need to enable the trap function for the standard module globally and enable the trap function on the specified interface.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Enable the trap function.

    Enable the trap function for a module.

    • To enable the trap function of all modules, run the snmp-agent trap enable command.

    • To enable the trap function of a specified module, run the snmp-agent trap enable feature-name command.

    • To restore the trap functions of all modules to the default status, run the undo snmp-agent trap enable or undo snmp-agent trap disable command.

    Enable the trap function for an interface.

    Run:

    snmp-agent trap enable feature-name ifnet [ trap-name { linkdown | linkup } ]

    The trap function is enabled on all interfaces.

    By default, the trap function is disabled on all interfaces. When the linkdown and linkup parameters are configured, the device sends a trap to the NMS upon an interface status change. When an interface sends traps to the NMS frequently because its status changes frequently, you can disable the interface status trap function on that interface to reduce the load on the NMS. The procedure is as follows:

    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      undo enable snmp trap updown

      The interface status trap function is disabled.

    3. Run:

      quit

      The system view is displayed.

  3. Run:

    snmp-agent notify-filter-profile { excluded | included } profile-name oid-tree

    A trap filtering rule is created or updated.

    By default, no trap is filtered.

  4. Run:

    snmp-agent trap source interface-type interface-number

    The source interface for traps is specified.

    By default, no source interface is set. After the source interface is specified, the IP address of the source interface is used as the source IP address for sending traps, which helps the NMS identify the trap source. The source interface that sends traps must have an IP address; otherwise, the command fails to take effect. To ensure device security, it is recommended that you set the source IP address to the local loopback address.

    The source interface specified on the switch modules for traps must be consistent with that specified on the NMS. Otherwise, the NMS does not accept the traps sent from the switch modules.

  5. Run:

    snmp-agent trap source-port port-number

    The source port for sending traps is set.

    When the source port is fixed, a firewall can filter the trap packets by port, which improves network security.

  6. Run:

    commit

    The configuration is committed.

(Optional) Enhancing the Reliability for Transmitting SNMP Packets

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    snmp-agent packet max-size byte-count

    The maximum size of an SNMP packet that the device can receive or send is set.

    By default, the size of an SNMP packet that the device can receive or send is 12000 bytes.

    After the maximum size is set, the device discards any SNMP packet that is larger than the set size. You are advised to use the default value.

  3. Run:

    snmp-agent packet-priority { snmp | trap } priority-level

    The transmission level of SNMP packets is set.

    The default transmission level of SNMP packets is 6.

  4. Run:

    snmp-agent set-cache enable

    The SET response packet caching function is enabled.

    By default, the SET response packet caching function is disabled.

  5. Run:

    commit

    The configuration is committed.

Checking the Configuration

Prerequisites

The configurations of basic SNMPv1 functions are complete.

Procedure

  • Run the display snmp-agent community [ read | write ] command to check the configured community name.
  • Run the display snmp-agent sys-info version command to check the enabled SNMP version.
  • Run the display acl { acl-number | name acl-name | all } command to check the ACL rules.
  • Run the display snmp-agent mib-view [ exclude | include | viewname view-name ] command to check the MIB view.
  • Run the display snmp-agent mib modules command to check information about loaded MIB files.
  • Run the display snmp-agent sys-info contact command to check the equipment administrator's contact information.
  • Run the display snmp-agent sys-info location command to check the location of the switch modules.
  • Run the display current-configuration | include max-size command to check the maximum size of an SNMP packet.
  • Run the display current-configuration | include trap command to check the configuration of the trap function.
  • Run the display snmp-agent trap all command to check current and default status of all traps in all features.
  • Run the display snmp-agent vacmgroup command to check all the configured View-based Access Control Model (VACM) groups.
  • Run the display snmp-agent target-host command to check information about the target host.
  • Run the display snmp-agent notify-filter-profile profile-name command to check the configurations of the filtered traps.

Configuring a Device to Communicate with an NMS by Running SNMPv2c

After SNMPv2c is configured, a managed device and an NMS can run SNMPv2c to communicate with each other. To ensure communication, you need to configure the agent and NMS. This section describes the configuration on a managed device (the agent side). For details about configuration on an NMS, see the pertaining NMS operation guide.

Context

Using SNMPv1&v2c has potential security risks. SNMPv3 is recommended.
Pre-configuration Tasks

Before configuring a device to communicate with an NMS by running SNMPv2c, configure a routing protocol to ensure that at least one route exists between the switch modules and the NMS.

Procedure

When you configure the device to communicate with the NMS using SNMPv2c, Configuring Basic SNMPv2c Functions is mandatory; the optional steps can be performed in any sequence.

After the SNMP basic functions are configured, the NMS can communicate with managed devices.
  • The access permission of the NMS that uses the configured community name is the ViewDefault view. The internet MIB (OID: 1.3.6.1) can be operated in this view.

  • The managed device sends traps generated by the modules that are enabled by default to the NMS.

If finer device management is required, follow directions below to configure a managed device:
Configuring Basic SNMPv2c Functions

Context

For the configuration of basic SNMP functions, steps 1, 4, 5, 6 and 8 are mandatory. After the configuration is complete, basic SNMP communication can be established between the NMS and the managed device.

When you configure a destination IP address for traps and error codes sent from the managed devices, configure the trap or inform function as required.
  • The traps sent by the managed device do not need to be acknowledged by the NMS.

  • The informs sent by the managed device need to be acknowledged by the NMS. If no acknowledgement message from the NMS is received within a specified time period, the managed device resends the inform until the number of retransmissions reaches the maximum.

    When the managed device sends an inform, it records the inform in the log. If the NMS, or the link between the NMS and the managed device, recovers from a fault, the NMS can still learn of the informs sent while the fault was occurring and being rectified.

In this regard, informs are more reliable than traps, but the device may need to buffer many informs because of the retransmission mechanism, which can consume a lot of memory. If the network is stable, using traps is recommended. If the network is unstable and the device has sufficient memory, using informs is recommended.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Run:

    snmp-agent

    The SNMP agent function is enabled.

    By default, the SNMP agent function is disabled. Executing the snmp-agent command can enable the SNMP agent function no matter whether parameters are specified in the command.

  3. (Optional) Run:

    snmp-agent udp-port port-num

    The port number of the SNMP agent is changed.

    The default port number of the SNMP agent is 161.

    To enhance device security, run the snmp-agent udp-port command to change the port number of the SNMP agent. After the port number that the SNMP agent uses to connect to the NMS is changed, ensure that the port number configured on the NMS matches the changed value; otherwise, the SNMP agent cannot connect to the NMS.

  4. Run:

    snmp-agent sys-info version v2c

    The SNMP version is set to SNMPv2c.

    By default, the device supports SNMPv3. After you set the SNMP version to SNMPv2c, the device supports both SNMPv2c and SNMPv3, and can be managed by network management systems running SNMPv2c and SNMPv3.

  5. Run:

    snmp-agent community { read | write } { community-name | cipher community-name } [ alias alias-name ]

    The community name is set.

    By default, no community name exists in the system. The community name is saved in encrypted format in the configuration file. To facilitate identification of community names, set alias names for the communities. The alias names are stored in plain text in the configuration file.

    By default, the device checks the complexity of community names. If the check fails, the community name cannot be configured. To ensure the security of SNMP community names, you are advised not to disable the community name complexity check with the snmp-agent community complexity-check disable command.

    The device has the following requirements for community name complexity:

    • The default minimum length of a community name is eight characters.

    • A community name includes at least two kinds of characters, which can be uppercase letters, lowercase letters, digits, and special characters (excluding question marks and spaces).

    To change the access right of the NMS, see Restricting Management Rights of the NMS. Ensure that the community name of the NMS is the same as that set on the agent. If the NMS and the agent have different community names, the NMS cannot access the agent.
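The complexity rules above (the same rules given in step 5 of Configuring Basic SNMPv1 Functions) can be checked before a community name is rolled out to many devices, so that a weak or default-style name is rejected before it reaches the CLI. The following Python check is an added example, not code from Huawei or from this guide; the function names, the DEFAULT_MIN_LENGTH constant and the sample candidate names are assumptions, and the check implements exactly the rules the page states (eight-character default minimum, at least two character kinds, no question marks or spaces).

```python
# Added example (not Huawei code): checks a candidate community name against the
# complexity rules the page states. Names and sample values are constructed.
DEFAULT_MIN_LENGTH = 8          # the page's default minimum length
FORBIDDEN_CHARS = {"?", " "}    # question marks and spaces are not allowed


def character_kinds(name: str) -> set:
    """Classify each character as upper, lower, digit or special; return the kinds seen."""
    kinds = set()
    for ch in name:
        if ch.isupper():
            kinds.add("upper")
        elif ch.islower():
            kinds.add("lower")
        elif ch.isdigit():
            kinds.add("digit")
        else:
            kinds.add("special")
    return kinds


def check_community_name(name: str, min_length: int = DEFAULT_MIN_LENGTH) -> list:
    """Return the list of violated rules; an empty list means the name passes."""
    problems = []
    if len(name) < min_length:
        problems.append(f"shorter than {min_length} characters")
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        problems.append("contains forbidden character(s): " + ", ".join(repr(c) for c in bad))
    if len(character_kinds(name)) < 2:
        problems.append("fewer than two character kinds")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the well-known defaults fail, a mixed name passes.
    for candidate in ("public", "private", "abcdefgh", "Nms ro 2024", "Nms-Ro-2024"):
        result = check_community_name(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The min_length parameter mirrors the fact that the page calls eight characters the default minimum; if a site policy sets a longer minimum on the device, pass the same value here so the pre-check and the device agree.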

  6. Choose one of the following commands as needed to configure a destination IP address of the traps and error codes sent from the device.

    • If the network is an IPv4 network, configure the device to send either traps or informs to the NMS.
      • To configure a destination IP address for the traps and error codes sent from the device, run:

        snmp-agent target-host [ host-name host-name ] trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | vpn-instance vpn-instance-name ] * params securityname { security-name | cipher security-name } [ v2c | private-netmanager | ext-vb | notify-filter-profile profile-name ] *
      • To configure a destination IP address for the informs and error codes sent from the device, run:

        snmp-agent target-host [ host-name host-name ] inform address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net } ] * params securityname { security-name | cipher security-name } v2c [ private-netmanager | ext-vb | notify-filter-profile profile-name ] *
    • To configure a destination IPv6 address for the traps and error codes sent from the device, run:

      snmp-agent target-host [ host-name host-name ] trap ipv6 address udp-domain ipv6-address [ udp-port port-number ] params securityname { security-name | cipher security-name } [ v2c | private-netmanager | ext-vb | notify-filter-profile profile-name ] *
      NOTE:

      An IPv6 network supports only traps.

    Note the following when running the command:
    • The default destination UDP port number is 161. To ensure secure communication between the NMS and managed devices, run the udp-port command to change the UDP port number to a non-well-known port number.

    • The parameter securityname identifies devices that send traps on the NMS.

  7. (Optional) Run:

    snmp-agent sys-info { contact contact | location location }

    The equipment administrator's contact information or location is configured.

    By default, the vendor's contact information is "R&D Beijing, Huawei Technologies co.,Ltd.". The default location is "Beijing China".

    This step is required for the NMS administrator to view contact information and locations of the equipment administrator when the NMS manages many devices. This helps the NMS administrator to contact the equipment administrators for fault location and rectification.

  8. Run:

    commit

    The configuration is committed.

(Optional) Restricting Management Rights of the NMS

Context

When multiple NMSs using the same community name manage one device, perform this configuration based on the site requirements.

Scenario: The NMS accesses the ViewDefault view of the managed device.

Steps:
  • All NMSs access the ViewDefault view of the managed device: no action required.

  • NMS filtering is required: 1, 2, 5 (based on SNMP agent); 1, 4, 5 (based on community name); 1, 2, 4, 5 (based on SNMP agent and community name).

Scenario: The NMS accesses the specified node on the managed device.

Steps:
  • All NMSs access the specified node on the managed device: 1, 3, 5.

  • NMS filtering is required: 1, 2, 3, 5 (based on SNMP agent); 1, 3, 4, 5 (based on community name); 1, 2, 3, 4, 5 (based on SNMP agent and community name).

NOTE:

The ViewDefault view is the 1.3.6.1 view.

When an ACL is used to control the NMS access rights, the constraints are as follows:
  • When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device.

  • When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.

  • If a packet matches no ACL rule, the NMS that sends the packet cannot access the local device.

  • When no ACL rule is configured, all NMSs can access the local device.
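The four ACL constraints above (stated identically in the SNMPv1 section) are easy to get wrong when reasoning about a deployment: a rule set that contains only deny entries blocks every NMS, and an empty rule set permits every NMS. The following Python model is an added example, not Huawei code; the rule tuple layout, the first-match-wins evaluation order and the sample addresses are assumptions, since this page leaves the ACL syntax to the separate ACL configuration guide.

```python
import ipaddress
from typing import List, Tuple

# A rule is (action, source address, wildcard mask), modelled on a basic ACL entry;
# constructed example, the exact rule syntax is in the separate ACL guide.
Rule = Tuple[str, str, str]


def _wildcard_match(src: ipaddress.IPv4Address, addr: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 1 bit in the mask means 'do not care' for that bit."""
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (int(src) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def nms_allowed(rules: List[Rule], source_ip: str) -> bool:
    """Apply the page's four constraints to an SNMP packet from source_ip.

    Assumption made here: rules are evaluated in list order and the first match wins.
    """
    if not rules:
        return True                      # no ACL rule configured: all NMSs can access
    src = ipaddress.IPv4Address(source_ip)
    for action, addr, wildcard in rules:
        if _wildcard_match(src, addr, wildcard):
            return action == "permit"    # permit -> can access, deny -> cannot
    return False                         # matches no rule: cannot access


def audit(rules: List[Rule], sources: List[str]) -> dict:
    """Map each candidate NMS address to its access decision."""
    return {ip: nms_allowed(rules, ip) for ip in sources}


# Constructed ACL: deny one host, then permit the rest of the NMS subnet.
NMS_ACL: List[Rule] = [
    ("deny", "192.0.2.50", "0.0.0.0"),
    ("permit", "192.0.2.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for ip, ok in audit(NMS_ACL, ["192.0.2.10", "192.0.2.50", "198.51.100.7"]).items():
        print(f"{ip:>15}: {'access' if ok else 'no access'}")
```

Running the audit against the addresses an NMS actually uses, before and after a readdressing, is a quick way to catch the lockout the Follow-up Procedure warns about: a source that matches no rule is denied, so an NMS whose address moved out of every permit rule silently loses access.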

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure NMS filtering based on SNMP agent.
    1. Configure the basic ACL.

      Before configuring the access control rights, you must create a basic ACL. For the creation procedure, see "ACL Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide-Security.

    2. Run:

      snmp-agent acl { acl-number | acl-name }

      An ACL is configured for SNMP.

      By default, no ACL is configured for SNMP.

  3. Run:

    snmp-agent mib-view { excluded | included } view-name oid-tree

    A MIB view is created, and manageable MIB objects are specified.

    By default, an NMS has the right to access the objects in the ViewDefault view.

    The excluded and included parameters are applicable to the following scenarios:

    • excluded: If a few MIB objects on the device or some objects in the current MIB view do not or no longer need to be managed by the NMS, configure excluded in the command to exclude these MIB objects.

    • included: If a few MIB objects on the device or some objects in the current MIB view need to be managed by the NMS, configure included in the command to include these MIB objects.

    If you run this command multiple times, the new configuration overwrites the original configuration when the values of view-name and oid-tree are the same; when the values differ, both the new and original configurations take effect.

    If both the included and excluded parameters are configured for MIB objects that have an inclusion relationship, the parameter configured for the lowest MIB object determines whether that object is included or excluded. For example, the snmpV2, snmpModules, and snmpUsmMIB objects are nested from top to bottom in the MIB tree. If excluded is configured for snmpUsmMIB and included is configured for snmpV2, snmpUsmMIB objects are still excluded.
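The overwrite rule and the lowest-object-wins rule above (stated identically in step 3 of the SNMPv1 section) determine what an NMS can actually read through a restricted view. The following Python model is an added example, not Huawei code: the class and method names are assumptions, while the OIDs are the standard assignments for the objects the page names (snmpV2 = 1.3.6.1.6, snmpModules = 1.3.6.1.6.3, snmpUsmMIB = 1.3.6.1.6.3.15) and the ViewDefault view is 1.3.6.1 as the page states.

```python
from typing import Dict, Optional, Tuple

# Added example, not Huawei code. Standard OIDs for the objects the page names.
INTERNET = "1.3.6.1"            # the ViewDefault view, per the page
SNMP_V2 = "1.3.6.1.6"
SNMP_MODULES = "1.3.6.1.6.3"
SNMP_USM_MIB = "1.3.6.1.6.3.15"

OidTree = Tuple[int, ...]


def parse_oid(oid: str) -> OidTree:
    """Turn a dotted OID string into a tuple of integers for prefix comparison."""
    return tuple(int(part) for part in oid.strip(".").split("."))


class MibViews:
    """Models 'snmp-agent mib-view { excluded | included } view-name oid-tree'."""

    def __init__(self) -> None:
        # view-name -> {oid-tree: "included" | "excluded"}
        self.views: Dict[str, Dict[OidTree, str]] = {}
        self.add("ViewDefault", "included", INTERNET)

    def add(self, view_name: str, mode: str, oid_tree: str) -> None:
        if mode not in ("included", "excluded"):
            raise ValueError(f"mode must be included or excluded, got {mode!r}")
        # Same view-name and oid-tree: the new entry overwrites the old one.
        # Different oid-tree: both entries remain in effect.
        self.views.setdefault(view_name, {})[parse_oid(oid_tree)] = mode

    def is_accessible(self, view_name: str, oid: str) -> bool:
        """The lowest (longest) matching subtree decides whether oid is in the view."""
        target = parse_oid(oid)
        best: Optional[Tuple[OidTree, str]] = None
        for subtree, mode in self.views.get(view_name, {}).items():
            if target[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, mode)
        # No matching subtree at all: the object lies outside the view.
        return best is not None and best[1] == "included"


if __name__ == "__main__":
    views = MibViews()
    views.add("restricted", "included", SNMP_V2)       # whole snmpV2 subtree ...
    views.add("restricted", "excluded", SNMP_USM_MIB)  # ... except the USM MIB
    for oid in ("1.3.6.1.6.3.1.1.4.1.0", "1.3.6.1.6.3.15.1.2.2.1.3", "1.3.6.1.2.1.1.1.0"):
        print(oid, "accessible" if views.is_accessible("restricted", oid) else "hidden")
```

The page's own example falls out directly: with snmpV2 included and snmpUsmMIB excluded, objects under snmpUsmMIB are hidden because the excluded entry is the lower of the two matching subtrees, while the rest of snmpV2 stays visible.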

  4. Configure NMS filtering based on community name.
    1. (Optional) Configure the basic ACL.

      Before configuring the access control rights, you must create a basic ACL. For the creation procedure, see "ACL Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide-Security.

    2. Run:

      snmp-agent community { read | write } { community-name | cipher community-name } [ mib-view view-name | acl { acl-number | acl-name } ] *

      The NMS's access rights are specified.

      By default, the community name has the right of the ViewDefault view.

  5. Run:

    commit

    The configuration is committed.

Follow-up Procedure

After the access rights are configured, especially after the IP address of the NMS is specified, if the IP address changes (for example, the NMS moves to a different location, or IP addresses are reallocated during a network adjustment), you must update the IP address of the NMS in the ACL. Otherwise, the NMS cannot access the device.

(Optional) Configuring the Trap/Inform Function

Context

Users can enable the trap function for a specified module. The interface status trap is generated when the interface status changes. You need to enable the trap function for the standard module globally and enable the trap function on the specified interface.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Enable the trap function.

    Enable the trap function for a module.

    • To enable the trap function of all modules, run the snmp-agent trap enable command.

    • To enable the trap function of a specified module, run the snmp-agent trap enable feature-name command.

    • To restore the trap functions of all modules to the default status, run the undo snmp-agent trap enable or undo snmp-agent trap disable command.

    Enable the trap function for an interface.

    Run:

    snmp-agent trap enable feature-name ifnet [ trap-name { linkdown | linkup } ]

    The trap function is enabled on all interfaces.

    By default, the trap function is disabled on all interfaces. When the linkdown and linkup parameters are configured, the device sends a trap to the NMS upon an interface status change. When an interface sends traps to the NMS frequently because its status changes frequently, you can disable the interface status trap function on that interface to reduce the load on the NMS. The procedure is as follows:

    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      undo enable snmp trap updown

      The interface status trap function is disabled.

    3. Run:

      quit

      The system view is displayed.

  3. Run:

    snmp-agent notify-filter-profile { excluded | included } profile-name oid-tree

    A trap filtering rule is created or updated.

    By default, no trap is filtered.

  4. Configure trap function parameters based on the trap usage or inform usage selected during the configuration of basic SNMPv2c functions.

    Set trap parameters.

    1. Run:

      snmp-agent trap source interface-type interface-number

      The source interface for traps is specified.

      After the source interface is specified, its IP address becomes the source IP address of traps. The source interface that sends traps must have an IP address; otherwise, the command fails to take effect. Configuring the local loopback interface as the source interface is recommended, as this helps ensure device security.

      The source interface specified on the switch modules for traps must be consistent with that specified on the NMS; otherwise, the NMS does not accept the traps sent from the switch modules.

    2. Run:

      snmp-agent trap source-port port-number

      The source port for sending traps is set.

      When the source port is fixed, a firewall can filter the trap packets by port, which improves network security.

    Set inform parameters.

    1. Run:

      snmp-agent inform { timeout seconds | resend-times times | pending number } *

      The global inform parameters are set. The parameters include the timeout period for waiting for ACK messages, number of times to retransmit informs, and maximum number of informs to be confirmed in the inform buffer.

      If the network is unstable, you need to specify the number of inform retransmissions and allowable maximum number of informs to be acknowledged when you set a timeout period for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform ACK messages is 15 seconds; the number of inform retransmissions is 3; the allowable maximum number of informs waiting to be acknowledged is 39.

    2. Run:

      snmp-agent inform { timeout seconds | resend-times times } * [ host-name host-name | address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname { security-name | cipher security-name } ]

      The timeout period for waiting for Inform ACK messages from a specified NMS and the number of inform retransmissions are set.

      If the network is unstable, you need to specify the number of inform retransmissions when you set a timeout period for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform ACK messages is 15 seconds, and the number of inform retransmissions is 3.

    3. Run:

      snmp-agent notification-log enable

      The alarm log function is enabled.

      If the NMS and managed device cannot communicate because of a link failure, the managed device no longer sends Inform messages but keeps recording alarm logs. When the link recovers, the destination host synchronizes the recorded alarm logs with the managed device.

      After the alarm log function is enabled, only Inform messages are recorded, and Trap messages are not recorded.

      By default, the alarm log function is disabled.

    4. Run:

      snmp-agent notification-log { global-ageout ageout | global-limit limit }*

      The aging time of alarm logs and the maximum number of alarm logs in the log buffer are set.

      By default, the aging time of the alarm logs is 24 hours. If the aging time expires, the alarm logs are automatically deleted.

      By default, the log buffer can store a maximum of 500 alarm logs. If the number of alarm logs exceeds 500, the NMS deletes alarm logs from the earliest one.

  5. Run:

    commit

    The configuration is committed.

(Optional) Enhancing the Reliability for Transmitting SNMP Packets

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    snmp-agent packet max-size byte-count

    The maximum size of an SNMP packet that the device can receive or send is set.

    By default, the size of an SNMP packet that the device can receive or send is 12000 bytes.

    After the maximum size is set, the device discards any SNMP packet that is larger than the set size. You are advised to use the default value.

  3. Run:

    snmp-agent packet-priority { snmp | trap } priority-level

    The transmission level of SNMP packets is set.

    The default transmission level of SNMP packets is 6.

  4. Run:

    snmp-agent set-cache enable

    The SET response packet caching function is enabled.

    By default, the SET response packet caching function is disabled.

  5. Run:

    commit

    The configuration is committed.

Checking the Configuration

Prerequisites

The configurations of basic SNMPv2c functions are complete.

Procedure

  • Run the display snmp-agent community [ read | write ] command to check the configured community name.
  • Run the display snmp-agent sys-info version command to check the enabled SNMP version.
  • Run the display acl { acl-number | name acl-name | all } command to check the ACL rules.
  • Run the display snmp-agent mib-view [ exclude | include | viewname view-name ] command to check the MIB view.
  • Run the display snmp-agent mib modules command to check information about loaded MIB files.
  • Run the display snmp-agent sys-info contact command to check the equipment administrator's contact information.
  • Run the display snmp-agent sys-info location command to check the location of the switch modules.
  • Run the display current-configuration | include max-size command to check the maximum size of an SNMP packet.
  • Run the display current-configuration | include trap command to check trap configuration.
  • Run the display snmp-agent trap all command to check current and default status of all traps in all features.
  • Run the display snmp-agent target-host command to check information about the target host.
  • Run the display snmp-agent inform [ host-name host-name | address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname { security-name | cipher security-name } ] command to check inform parameters of all target hosts.
  • Run the display snmp-agent vacmgroup command to check all the configured View-based Access Control Model (VACM) groups.
  • Run the display snmp-agent notify-filter-profile [ profile-name ] command to check the configurations of the filtered traps.
  • Run the display snmp-agent notification-log [ info | logtime starttime to endtime | size size ] command to view trap logs saved in the trap log buffer.

Configuring a Device to Communicate with an NMS by Running SNMPv3 (USM User)

After SNMPv3 is configured, the NMS and the device communicate with each other through SNMPv3. To ensure smooth communication between the NMS and the device, you need to configure the related parameters on both the NMS and the device. This section describes only the configuration on the device. For details about the NMS configuration, see the relevant NMS configuration manual.

Context

A user security model (USM) provides identity authentication and data encryption services. SNMPv3 improves the security of identity authentication, data transmission, and access control through USM and the View-based Access Control Model (VACM). In addition, an SNMPv3 USM user can be configured to implement the connection between the device and the NMS.

Pre-configuration Tasks

Before configuring a device to communicate with an NMS by running SNMPv3, configure a routing protocol to ensure that at least one route exists between the switch modules and the NMS.

Procedure

When you configure the device to communicate with the NMS using SNMPv3, Configuring Basic SNMPv3 Functions is mandatory and optional steps can be performed in any sequence.

After the SNMP basic functions are configured, the NMS can communicate with managed devices.
  • The access permission of the NMS that uses the configured user name is the ViewDefault view. The internet MIB (OID: 1.3.6.1) can be operated in this view.

  • The managed device sends traps generated by the modules that are enabled by default to the NMS.

The following lists the enhanced management functions:
Configuring Basic SNMPv3 Functions

Context

When you configure a destination IP address for traps and error codes sent from the managed devices, configure the trap or inform function as required.
  • The traps sent by the managed device do not need to be acknowledged by the NMS.

  • The informs sent by the managed device need to be acknowledged by the NMS. If no acknowledgement message from the NMS is received within a specified time period, the managed device resends the inform until the number of retransmissions reaches the maximum.

    When the managed device sends an inform, it records the inform in the log. If the NMS, or the link between the NMS and the managed device, recovers from a fault, the NMS can still learn the informs sent while the fault was occurring and being rectified.

In this regard, informs are more reliable than traps, but the device may need to buffer many informs because of the inform retransmission mechanism, and this may consume a large amount of memory. If the network is stable, using traps is recommended. If the network is unstable and the device's memory capacity is sufficient, using informs is recommended.
Precaution

The security levels from the highest to the lowest must be trap host security, user security, and user group security.

Among the security levels, privacy has the highest level and none has the lowest level. The security level description is as follows:
  • privacy: authentication and encryption
  • authentication: only authentication
  • none: no authentication and no encryption

If the security level of a user group is privacy, the security levels of user and trap host must be privacy. If the security level of a user group is authentication, the security levels of user and trap host can be privacy or authentication.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Run:

    snmp-agent

    The SNMP agent function is enabled.

    By default, the SNMP agent function is disabled. Executing the snmp-agent command can enable the SNMP agent function no matter whether parameters are specified in the command.

  3. (Optional) Run:

    snmp-agent udp-port port-num

    The port number of the SNMP agent is changed.

    The default port number of the SNMP agent is 161.

    To enhance device security, run the snmp-agent udp-port command to change the port number of the SNMP agent. After the port number on the SNMP agent is changed, ensure that the port number configured on the NMS is the same as the changed port number; otherwise, the SNMP agent cannot connect to the NMS.

  4. (Optional) Run:

    snmp-agent sys-info version v3

    The SNMP version is configured.

    By default, the device supports SNMPv3.

  5. Run:

    snmp-agent local-engineid engineid

    An engine ID is set for the local SNMP entity.

    By default, the device automatically generates an engine ID using an internal algorithm. The engine ID is composed of the enterprise number and the device information. When you modify the engine ID of the device, the first four octets in hexadecimal format are 800007DB. The device information can be configured manually. It is recommended that the IP address or MAC address of the device be used as the device information to uniquely identify the device. The detailed configuration is described in the command reference.

    If the local engine ID is set or changed, the existing SNMPv3 user will be deleted.

  6. Run:

    snmp-agent group v3 group-name { authentication | privacy | noauthentication } 

    An SNMPv3 user group is configured.

    If the NMS or network devices are in an insecure environment (for example, the network is vulnerable to attacks), authentication or privacy can be configured in the command to enable data authentication or privacy.

  7. Select one of the following methods to configure SNMPv3 users:

    • Method 1:

      snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } password [ privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } password ] ] [ acl { acl-number | acl-name } ]

      A user is added to the SNMPv3 user group.

      By default, no SNMPv3 user is configured.

    • Method 2:

      1. snmp-agent usm-user v3 user-name [ group group-name | acl { acl-number | acl-name } ] *

        A user is added to the SNMPv3 user group.

      2. snmp-agent usm-user v3 user-name authentication-mode { md5 | sha } [ cipher password ]

        The authentication password of the SNMPv3 user is configured.

      3. snmp-agent usm-user v3 user-name privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } [ cipher password ]

        The privacy password of the SNMPv3 user is configured.

      By default, no SNMP user is configured.

    NOTE:

    When the NMS and the device are in an insecure network environment, for example, a network prone to attacks, it is recommended that you configure different authentication and encryption passwords to improve security. By default, no authentication and no encryption is performed for SNMPv3 users.

    After a user is added to the user group, the NMS that uses the name of the user can access the objects in the ViewDefault view (OID: 1.3.6.1).

    If the local engine ID is set or changed, the existing SNMPv3 user will be deleted.

    To ensure high security, do not use the MD5 algorithm for SNMPv3 authentication or use the DES56 or 3DES168 algorithm for SNMPv3 encryption.

  8. Choose one of the following commands as needed to configure a destination IP address of the traps and error codes sent from the device.

    • If the network is an IPv4 network, configure the device to send either traps or informs to the NMS.
      • To configure a destination IP address for the traps and error codes sent from the device, run:

        snmp-agent target-host [ host-name host-name ] trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net } ] * params securityname security-name [ v3 [ authentication | privacy ] | private-netmanager | ext-vb | notify-filter-profile profile-name ] *
      • To configure a destination IP address for the informs and error codes sent from the device, run:

        snmp-agent target-host [ host-name host-name ] inform address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net } ] * params securityname security-name  v3 [ authentication | privacy ] [ private-netmanager | ext-vb | notify-filter-profile profile-name ] *
    • To configure a destination IPv6 address for the traps and error codes sent from the device, run:

      snmp-agent target-host [ host-name host-name ] trap ipv6 address udp-domain ipv6-address [ udp-port port-number ] params securityname security-name  [ v3 [ authentication | privacy ] | private-netmanager | ext-vb | notify-filter-profile profile-name ] *
      NOTE:

      An IPv6 network supports only traps.

    Note the following when running the command:
    • The default destination UDP port number is 162. To ensure secure communication between the NMS and managed devices, run the udp-port command to change the UDP port number to a non-well-known port number.

    • The parameter securityname identifies devices that send traps to the NMS.

  9. (Optional) Run:

    snmp-agent sys-info { contact contact | location location }

    The equipment administrator's contact information or location is configured.

    By default, the vendor's contact information is "R&D Beijing, Huawei Technologies co.,Ltd.". The default location is "Beijing China".

    This step is required for the NMS administrator to view contact information and locations of the equipment administrator when the NMS manages many devices. This helps the NMS administrator to contact the equipment administrators for fault location and rectification.

  10. Run:

    commit

    The configuration is committed.
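The Precaution above requires trap host security >= user security >= user group security, and step 7 advises against MD5, DES56 and 3DES168. The following checker, added here and not part of the Huawei guide, validates a planned group/user/target-host configuration against those rules; the dataclasses are an assumed model of the command parameters, and the addresses are constructed from the 192.0.2.0/24 documentation range.

```python
"""Validate a planned SNMPv3 group/user/target-host configuration against the
security-level ordering (trap host >= user >= group) and the algorithm advice
given in the guide. Added example; the dataclasses are an assumed model of
the command parameters, not a device data structure.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# privacy is the highest level, none the lowest (Precaution section).
LEVEL_RANK: Dict[str, int] = {"none": 0, "authentication": 1, "privacy": 2}

# Algorithms the guide advises against for SNMPv3 (step 7).
WEAK_AUTH = {"md5"}
WEAK_PRIV = {"des56", "3des168"}


@dataclass
class Group:
    name: str
    level: str  # keyword of "snmp-agent group v3": authentication | privacy | noauthentication


@dataclass
class User:
    name: str
    group: str
    auth_mode: str = ""  # md5 | sha | "" (no authentication)
    priv_mode: str = ""  # 3des168 | aes128 | aes192 | aes256 | des56 | "" (no encryption)

    def level(self) -> str:
        # A user's security level follows from the modes configured on it.
        if self.priv_mode:
            return "privacy"
        if self.auth_mode:
            return "authentication"
        return "none"


@dataclass
class TargetHost:
    address: str
    security_name: str   # "params securityname": refers to a User.name
    level: str           # "v3 [ authentication | privacy ]"; "none" if omitted
    udp_port: int = 162  # default destination UDP port (step 8)


def group_level(g: Group) -> str:
    return "none" if g.level == "noauthentication" else g.level


def check_plan(groups: List[Group], users: List[User], hosts: List[TargetHost]) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    groups_by_name = {g.name: g for g in groups}
    users_by_name = {u.name: u for u in users}

    for u in users:
        g = groups_by_name.get(u.group)
        if g is None:
            findings.append(f"user {u.name}: group {u.group} is not defined")
            continue
        # User security must not be lower than group security.
        if LEVEL_RANK[u.level()] < LEVEL_RANK[group_level(g)]:
            findings.append(f"user {u.name}: level {u.level()} is below group {g.name} level {group_level(g)}")
        if u.auth_mode in WEAK_AUTH:
            findings.append(f"user {u.name}: authentication-mode {u.auth_mode} is not recommended")
        if u.priv_mode in WEAK_PRIV:
            findings.append(f"user {u.name}: privacy-mode {u.priv_mode} is not recommended")

    for h in hosts:
        u = users_by_name.get(h.security_name)
        if u is None:
            findings.append(f"target-host {h.address}: securityname {h.security_name} is not a configured user")
            continue
        # Trap host security must not be lower than user security.
        if LEVEL_RANK[h.level] < LEVEL_RANK[u.level()]:
            findings.append(f"target-host {h.address}: level {h.level} is below user {u.name} level {u.level()}")
        if h.udp_port == 162:
            findings.append(f"target-host {h.address}: default udp-port 162; a non-well-known port is recommended")
    return findings


def sample_plan() -> Tuple[List[Group], List[User], List[TargetHost]]:
    """Constructed sample plan with two deliberate inconsistencies."""
    groups = [Group("nms-admins", "privacy")]
    users = [
        User("nms-op", "nms-admins", auth_mode="sha", priv_mode="aes256"),
        User("legacy", "nms-admins", auth_mode="md5"),  # no privacy-mode: level authentication
    ]
    hosts = [
        TargetHost("192.0.2.10", "nms-op", "authentication"),           # level too low, default port
        TargetHost("192.0.2.11", "nms-op", "privacy", udp_port=10162),  # consistent
    ]
    return groups, users, hosts


if __name__ == "__main__":
    for line in check_plan(*sample_plan()):
        print(line)
```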

(Optional) Restricting Management Rights of the NMS

Context

When multiple NMSs in the same SNMPv3 user group manage one device, perform this configuration based on the site requirements.

Scenario: NMSs having the right of the ViewDefault view
Steps:
  • No action required
  • 1, 2, 8 (based on SNMP agent)
  • 1, 3, 5, 8 (based on user group)
  • 1, 6, 7, 8 (based on user)
  • 1, 3, 5, 6, 7, 8 (based on user group and user)
  • 1, 2, 3, 5, 8 (based on SNMP agent and user group)
  • 1, 2, 6, 7, 8 (based on SNMP agent and user)
  • 1, 2, 3, 5, 6, 7, 8 (based on SNMP agent, user group, and user)

Scenario: NMSs having the right of access to specified nodes on the managed device
Steps:
  • 1, 4, 5, 8
  • 1, 2, 4, 5, 8 (based on SNMP agent)
  • 1, 3, 4, 5, 8 (based on user group)
  • 1, 4, 5, 6, 7, 8 (based on user)
  • 1, 3, 4, 5, 6, 7, 8 (based on user group and user)
  • 1, 2, 3, 4, 5, 8 (based on SNMP agent and user group)
  • 1, 2, 4, 5, 6, 7, 8 (based on SNMP agent and user)
  • 1, 2, 3, 4, 5, 6, 7, 8 (based on SNMP agent, user group, and user)

When an ACL is used to control the NMS access rights, the constraints are as follows:
  • When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device.

  • When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.

  • If a packet matches no ACL rule, the NMS that sends the packet cannot access the local device.

  • When no ACL rule is configured, all NMSs can access the local device.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure NMS filtering based on SNMP agent.
    1. Configure the basic ACL.

      Before configuring the access control rights, you must create a basic ACL. For the creation procedure, see "ACL Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide-Security.

    2. Run:

      snmp-agent acl { acl-number | acl-name }

      An ACL is configured for SNMP.

      By default, no ACL is configured for SNMP.

  3. Configure a basic ACL for an SNMP user group to filter out NMSs that do not match the ACL.

    For the creation procedure, see "ACL Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide-Security.

  4. Run:

    snmp-agent mib-view { excluded | included } view-name oid-tree

    A MIB view is created, and manageable MIB objects are specified.

    By default, an NMS has right to access the objects in the ViewDefault view.

    The excluded and included parameters are applicable to the following scenarios:

    • excluded: If a few MIB objects on the device or some objects in the current MIB view do not or no longer need to be managed by the NMS, configure excluded in the command to exclude these MIB objects.

    • included: If a few MIB objects on the device or some objects in the current MIB view need to be managed by the NMS, configure included in the command to include these MIB objects.

    If you run this command multiple times, the new configuration overwrites the original configuration when the values of view-name and oid-tree are the same; the new and original configurations both take effect when the values of view-name or oid-tree are different.

    If both the included and excluded parameters are configured for MIB objects that have an inclusion relationship, whether to include or exclude the lowest MIB object will be determined by the parameter configured for the lowest MIB object. For example, the snmpV2, snmpModules, and snmpUsmMIB objects are from top down in the MIB table. If the excluded parameter is configured for snmpUsmMIB objects and included is configured for snmpV2, snmpUsmMIB objects will still be excluded.

  5. Run:

    snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ] * [ acl { acl-number | acl-name } ]

    The read-write rights are configured for a user group.

    By default, the read-only view of an SNMP group is the ViewDefault view, and the names of the read-write view and inform view are not specified.

    To configure the NMS to receive traps or informs specified by notify-view, you must first configure the destination host for receiving traps.

  6. Configure a basic ACL for an SNMP user to filter out NMSs that do not match the ACL.

    For the creation procedure, see "ACL Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide-Security.

  7. Run:

    snmp-agent usm-user v3 user-name [ group group-name | acl { acl-number | acl-name } ] *

    Authentication and encryption are configured for SNMPv3 users in the specified user group.

    • To allow all NMSs using the same SNMPv3 user name to access the agent, omit the parameter acl.

    • To allow specified NMSs to use this user name to access the agent, configure the parameter acl.

  8. Run:

    commit

    The configuration is committed.
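The two controls in this procedure, the basic ACL (steps 2, 5 and 7, with the constraints listed under "When an ACL is used") and the MIB view (step 4, including the snmpV2/snmpUsmMIB example), are modelled below in an added example that is not part of the Huawei guide. It assumes ACL rules are evaluated in order with the first match deciding, uses the standard OIDs for snmpV2 (1.3.6.1.6), snmpModules (1.3.6.1.6.3) and snmpUsmMIB (1.3.6.1.6.3.15), and takes ViewDefault as 1.3.6.1 as the guide states.

```python
"""Model NMS access decisions: a basic ACL on the NMS source address and a
MIB view made of included/excluded OID subtrees. Added example; ACL ordering
(first match wins) is an assumption, the standard OIDs are used for snmpV2,
snmpModules and snmpUsmMIB, and 'ops-view' is a constructed view name.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]


def parse_oid(text: str) -> Oid:
    return tuple(int(part) for part in text.strip(".").split("."))


def acl_permits(rules: List[Tuple[str, str]], src_ip: str) -> bool:
    """Apply the ACL constraints: permit allows, deny blocks, no match blocks,
    and an empty rule set allows every NMS."""
    if not rules:
        return True  # no ACL rule configured: all NMSs can access the device
    ip = ipaddress.ip_address(src_ip)
    for action, network in rules:  # assumption: first matching rule decides
        if ip in ipaddress.ip_network(network):
            return action == "permit"
    return False  # packet matches no rule: access is denied


class MibView:
    """A named MIB view built from "snmp-agent mib-view { excluded | included }" entries."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[Oid, str] = {}

    def add(self, mode: str, oid_tree: str) -> None:
        # Same view-name and oid-tree: the new entry overwrites the old one.
        # A different oid-tree: both entries take effect.
        assert mode in ("included", "excluded")
        self.entries[parse_oid(oid_tree)] = mode

    def decide(self, oid: str) -> Optional[str]:
        """Mode of the most specific (lowest) subtree containing oid, or None."""
        target = parse_oid(oid)
        best: Optional[Tuple[Oid, str]] = None
        for tree, mode in self.entries.items():
            if target[: len(tree)] == tree and (best is None or len(tree) > len(best[0])):
                best = (tree, mode)
        return None if best is None else best[1]

    def allows(self, oid: str) -> bool:
        # Objects outside every subtree are not visible; otherwise the lowest object wins.
        return self.decide(oid) == "included"


def nms_access(rules: List[Tuple[str, str]], src_ip: str, view: MibView, oid: str) -> Tuple[bool, str]:
    """ACL first, then the view: both must allow the request."""
    if not acl_permits(rules, src_ip):
        return False, f"{src_ip} rejected by ACL"
    if not view.allows(oid):
        return False, f"{oid} not in view {view.name}"
    return True, "access granted"


def view_default() -> MibView:
    v = MibView("ViewDefault")
    v.add("included", "1.3.6.1")  # internet subtree, as the guide states
    return v


def ops_view() -> MibView:
    """Constructed view reproducing the snmpV2/snmpUsmMIB example from step 4."""
    v = MibView("ops-view")
    v.add("included", "1.3.6.1.6")       # snmpV2
    v.add("excluded", "1.3.6.1.6.3.15")  # snmpUsmMIB: lowest object wins, stays excluded
    return v


if __name__ == "__main__":
    acl = [("permit", "192.0.2.0/24"), ("deny", "0.0.0.0/0")]  # constructed rule set
    for ip, oid in (("192.0.2.10", "1.3.6.1.6.3.1.1.1.0"), ("192.0.2.10", "1.3.6.1.6.3.15.1.2.2.1.3"),
                    ("198.51.100.5", "1.3.6.1.6.3.1.1.1.0")):
        print(ip, oid, nms_access(acl, ip, ops_view(), oid))
```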

Follow-up Procedure

After the access rights are configured, especially after the IP address of the NMS is specified, if the IP address changes (for example, the NMS changes its location, or IP addresses are reallocated due to network adjustment), you need to change the IP address of the NMS in the ACL. Otherwise, the NMS cannot access the device.

(Optional) Configuring the Trap/Inform Function

Context

Users can enable the trap function for a specified module. The interface status trap is generated when the interface status changes. You need to enable the trap function for the standard module globally and enable the trap function on the specified interface.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Enable the trap function.

    Enable the trap function for a module.

    • To enable the trap function of all modules, run the snmp-agent trap enable command.

    • To enable the trap function of a specified module, run the snmp-agent trap enable feature-name command.

    • To restore the trap functions of all modules to the default status, run the undo snmp-agent trap enable or undo snmp-agent trap disable command.

    Enable the trap function for an interface.

    Run:

    snmp-agent trap enable feature-name ifnet [ trap-name { linkdown | linkup } ]

    The trap function is enabled on all interfaces.

    By default, the trap function is disabled on all interfaces. When parameters linkdown and linkup are configured, the device sends a trap to the NMS upon an interface status change. When an interface frequently sends traps to the NMS because of frequent status changes, you can disable the interface status trap function on the interface to reduce the NMS loads. The procedure is as follows:

    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      undo enable snmp trap updown

      The interface status trap function is disabled.

    3. Run:

      quit

      The system view is displayed.

  3. Run:

    snmp-agent notify-filter-profile { excluded | included } profile-name oid-tree

    A trap filtering rule is created or updated.

    By default, no trap is filtered.

  4. Configure trap function parameters based on the trap usage or inform usage selected during the configuration of basic SNMPv3 functions.

    Set trap parameters.

    1. Run:

      snmp-agent trap source interface-type interface-number

      The source interface for traps is specified.

      After the source interface is specified, its IP address becomes the source IP address of traps. The source interface that sends traps must have an IP address; otherwise, the command does not take effect. Configuring the local loopback interface as the source interface is recommended, because this helps ensure device security.

      The source interface specified on the switch modules for traps must be consistent with that specified on the NMS; otherwise, the NMS does not accept the traps sent from the switch modules.

    2. Run:

      snmp-agent trap source-port port-number

      The source port to send trap is set.

      Because the source port is fixed, the packets can be filtered by a firewall to improve network security.

    Set inform parameters.

    1. Run:

      snmp-agent inform { timeout seconds | resend-times times | pending number }*

      The global inform parameters are set. The parameters include the timeout period for waiting for ACK messages, number of times to retransmit informs, and maximum number of informs to be confirmed in the inform buffer.

      If the network is unstable, you need to specify the number of inform retransmissions and allowable maximum number of informs to be acknowledged when you set a timeout period for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform ACK messages is 15 seconds; the number of inform retransmissions is 3; the allowable maximum number of informs waiting to be acknowledged is 39.

    2. Run:

      snmp-agent inform { timeout seconds | resend-times times } * [ host-name host-name | address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname { security-name | cipher security-name } ]

      The timeout period for waiting for Inform ACK messages from a specified NMS and the number of inform retransmissions are set.

      If the network is unstable, you need to specify the number of inform retransmissions when you set a timeout period for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform ACK messages is 15 seconds, and the number of inform retransmissions is 3.

    3. Run:

      snmp-agent notification-log enable

      The alarm log function is enabled.

      If the NMS and managed device cannot communicate because of a link failure, the managed device no longer sends Inform messages but keeps recording alarm logs. When the link recovers, the destination host synchronizes the recorded alarm logs with the managed device.

      After the alarm log function is enabled, only Inform messages are recorded, and Trap messages are not recorded.

      By default, the alarm log function is disabled.

    4. Run:

      snmp-agent notification-log { global-ageout ageout | global-limit limit }*

      The aging time of alarm logs and the maximum number of alarm logs in the log buffer are set.

      By default, the aging time of the alarm logs is 24 hours. If the aging time expires, the alarm logs are automatically deleted.

      By default, the log buffer can store a maximum of 500 alarm logs. If the number of alarm logs exceeds 500, the NMS deletes alarm logs from the earliest one.

  5. Run:

    commit

    The configuration is committed.

(Optional) Enhancing the Reliability for Transmitting SNMP Packets

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    snmp-agent packet max-size byte-count

    The maximum size of an SNMP packet that the device can receive or send is set.

    By default, the size of an SNMP packet that the device can receive or send is 12000 bytes.

    After the maximum size is set, the device discards any SNMP packet that is larger than the set size. You are advised to use the default value.

  3. Run:

    snmp-agent packet-priority { snmp | trap } priority-level

    The transmission level of SNMP packets is set.

    The default transmission level of SNMP packets is 6.

  4. Run:

    snmp-agent set-cache enable

    The SET response packet caching function is enabled.

    By default, the SET response packet caching function is disabled.

  5. Run:

    commit

    The configuration is committed.

(Optional) Configuring SNMPv3 Attack Defense

Context

To improve SNMPv3 connection security, the device supports the blacklist function. The following two types of blacklists are available. You can choose one or configure both of them.

  • IP address blacklist: If an SNMPv3 user fails to access the network, the IP address of this user is added to the blacklist and locked for one second. The user is not allowed to connect to the network using this IP address within the locking period.
  • User blacklist: When a user fails in authentication consecutively and the number of authentication failures exceeds a limit, the user is added to the blacklist and locked for a certain period. The user will not be authenticated within this period.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure the attack defense method.

    • Lock an IP address.

      Run the undo snmp-agent blacklist ip-block disable command to enable the IP address blacklist.

      By default, the IP address blacklist is enabled.

    • Lock a user.
      1. Run:

        undo snmp-agent blacklist user-block disable

        The SNMPv3 user blacklist is enabled.

        By default, the SNMPv3 user blacklist is enabled.

      2. (Optional) Run:

        snmp-agent blacklist user-block failed-times failed-times period period-time

        The limit on consecutive authentication failures and the period in which they are counted are set for SNMPv3 users.

        By default, the system locks a user when the user fails in authentication 5 times consecutively within 5 minutes.

      3. (Optional) Run:

        snmp-agent blacklist user-block reactive reactive-time

        The locking period for SNMPv3 users that are added to the blacklist is set.

        By default, an SNMPv3 user is locked for 5 minutes after the user is added to the blacklist. When the locking period expires, the user can be authenticated.

      NOTE:

      When a user fails in authentication consecutively and the number of authentication failures exceeds a limit, the user is added to the blacklist and locked for a certain period. The user will not be authenticated within this period. If you want to authenticate this user during this period, run the snmp-agent activate usm-user command to activate the user.

  3. Run:

    commit

    The configuration is committed.
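To see how the two blacklists interact with the failed-times, period and reactive-time settings, the following simulation (an added example, not Huawei code) processes a sequence of SNMPv3 requests on a caller-supplied clock. It assumes that a successful authentication resets the consecutive-failure count, that reaching failed-times failures within period (default 5 within 5 minutes) triggers the lock, and that the IP address blacklist drops requests from the locked address for its one-second period.

```python
"""Simulate the SNMPv3 user blacklist (failed-times within period -> locked
for reactive-time, released early by "snmp-agent activate usm-user") and the
one-second IP address blacklist. Added example; the reset-on-success and
lock-at-limit behaviour are assumptions about the text above.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict


@dataclass
class Blacklist:
    failed_times: int = 5     # snmp-agent blacklist user-block failed-times (default 5)
    period: float = 300.0     # period, in seconds (default 5 minutes)
    reactive: float = 300.0   # reactive-time, in seconds (default 5 minutes)
    ip_lock: float = 1.0      # IP address blacklist lock, in seconds
    _failures: Dict[str, Deque[float]] = field(default_factory=dict)
    _user_locked_until: Dict[str, float] = field(default_factory=dict)
    _ip_locked_until: Dict[str, float] = field(default_factory=dict)

    def user_locked(self, user: str, now: float) -> bool:
        until = self._user_locked_until.get(user)
        if until is not None and now < until:
            return True
        self._user_locked_until.pop(user, None)  # lock expired: user may authenticate again
        return False

    def ip_locked(self, ip: str, now: float) -> bool:
        until = self._ip_locked_until.get(ip)
        if until is not None and now < until:
            return True
        self._ip_locked_until.pop(ip, None)
        return False

    def attempt(self, user: str, ip: str, credentials_ok: bool, now: float) -> str:
        """Process one SNMPv3 request and return the outcome for logging."""
        if self.ip_locked(ip, now):
            return "dropped: ip blacklisted"
        if self.user_locked(user, now):
            return "dropped: user blacklisted"
        if credentials_ok:
            self._failures.pop(user, None)  # assumption: success ends the consecutive run
            return "authenticated"
        # Failure: lock the source address briefly and count it against the user.
        self._ip_locked_until[ip] = now + self.ip_lock
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.period:
            q.popleft()  # only failures inside the sliding period count
        if len(q) >= self.failed_times:
            self._user_locked_until[user] = now + self.reactive
            q.clear()
            return "failed: user locked"
        return "failed"

    def activate(self, user: str) -> None:
        """Equivalent of "snmp-agent activate usm-user": release the lock now."""
        self._user_locked_until.pop(user, None)
        self._failures.pop(user, None)


if __name__ == "__main__":
    bl = Blacklist()
    # Constructed sequence: five bad requests two seconds apart, then a valid one.
    for t in (0, 2, 4, 6, 8):
        print(t, bl.attempt("nms-op", "192.0.2.10", False, t))
    print(10, bl.attempt("nms-op", "192.0.2.10", True, 10))
    bl.activate("nms-op")
    print(11, bl.attempt("nms-op", "192.0.2.10", True, 11))
```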

Checking the Configuration

Prerequisites

The configurations of basic SNMPv3 functions are complete.

Procedure

  • Run the display snmp-agent usm-user [ engineid engineid | group group-name | username user-name ] * command to check user information.
  • Run the display snmp-agent sys-info version command to check the enabled SNMP version.
  • Run the display acl { acl-number | name acl-name | all } command to check the ACL rules.
  • Run the display snmp-agent mib-view [ exclude | include | viewname view-name ] command to check the MIB view.
  • Run the display snmp-agent mib modules command to check information about loaded MIB files.
  • Run the display snmp-agent sys-info contact command to check the equipment administrator's contact information.
  • Run the display snmp-agent sys-info location command to check the location of the switch modules.
  • Run the display current-configuration | include max-size command to check the maximum size of an SNMP packet.
  • Run the display current-configuration | include trap command to check trap configuration.
  • Run the display snmp-agent trap all command to check current and default status of all traps in all features.
  • Run the display snmp-agent target-host command to check information about the target host.
  • Run the display snmp-agent inform [ host-name host-name | address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname { security-name | cipher security-name } ] command to check inform parameters of all target hosts or a specified target host and information about host statistics.
  • Run the display snmp-agent vacmgroup command to check all the configured View-based Access Control Model (VACM) groups.
  • Run the display snmp-agent notify-filter-profile profile-name command to check the configurations of the filtered traps.
  • Run the display snmp-agent notification-log [ info | logtime starttime to endtime | size size ] command to view trap logs saved in the trap log buffer.

Configuring a Device to Communicate with an NMS by Running SNMPv3 (AAA Local User)

After SNMPv3 is configured, the NMS and the device communicate with each other through SNMPv3. To ensure smooth communication between the NMS and the device, you need to configure the related parameters on both the NMS and the device. This section describes only the configuration on the device. For details about the NMS configuration, see the relevant NMS configuration manual.

Context

SNMPv3 supports authentication using authentication, authorization, and accounting (AAA) user names. The network administrator can use the AAA local user name in the SNMPv3, FTP, Telnet, and SSH features in order to manage the device by using a uniform user name.

Pre-configuration Tasks

Configuring a routing protocol to generate a reachable route between the device and NMS

Configuration Process

Among the following configuration tasks, Configuring AAA Local User and Configuring Basic SNMPv3 Functions are mandatory; the other tasks are optional and can be performed in any sequence.

To implement advanced management, the following operations are required:
Configuring AAA Local User

Context

SNMPv3 supports authentication using AAA local users. Before configuring an SNMPv3 local user, ensure that the AAA local user exists and the user has been added to a user group.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure an AAA local user.
    1. Run:

      aaa

      The AAA view is displayed.

    2. Run:

      local-user user-name password [ irreversible-cipher irreversible-cipher-password ]

      A local user is created and a login password is configured for the user.

      By default, no local user exists in the system.

      NOTE:

      The user-name must be 32 characters or fewer in length; otherwise, the user cannot be configured as an SNMPv3 local user.

    3. Run:

      local-user user-name service-type snmp

      The access type of the local user is set to SNMP.

      By default, the access type of a local user is not set.

  3. Configure an AAA user group and add the local user to the user group.
    1. Run:

      user-group user-group-name

      A user group is created and the user group view is displayed.

      By default, no local user group exists in the system.

      You can run the task-group command to configure a task group and add the task group to the user group. In this situation, the MIB objects can associate with different tasks, and MIB objects can be authorized. For the configuration of task groups and AAA local authorization, see AAA Configuration > Configuring AAA > Configuring Local Authentication and Authorization > Configuring AAA Scheme in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - Security.

    2. Run:

      quit

      Return to the AAA view.

    3. Run:

      local-user user-name user-group user-group-name

      The local user is added to a user group.

      A user group can be referenced by multiple local users, but a local user only belongs to one user group.

    4. Run:

      quit

      Return to the system view.

  4. Run:

    commit

    The configuration is committed.

Configuring Basic SNMPv3 Functions

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Run:

    snmp-agent

    The SNMP agent function is enabled.

    By default, the SNMP agent function is disabled. Running any snmp-agent command enables the SNMP agent function, whether or not parameters are specified in the command.

  3. (Optional) Run:

    snmp-agent udp-port port-num

    The port number of the SNMP agent is changed.

    The default port number of the SNMP agent is 161.

    To enhance device security, run the snmp-agent udp-port command to change the port number of the SNMP agent. After the port number that the SNMP agent uses to connect to the NMS is changed, ensure that the port number configured on the NMS matches the new port number; otherwise, the SNMP agent cannot connect to the NMS.

  4. (Optional) Configure NMS filtering based on SNMP agent.
    1. Configure the basic ACL.

      For the creation procedure, see "ACL Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide-Security.

    2. Run:

      snmp-agent acl { acl-number | acl-name }

      An ACL is configured for SNMP.

      By default, no ACL is configured for SNMP.

  5. (Optional) Run:

    snmp-agent sys-info version v3

    The SNMP version is configured.

    By default, the device supports SNMPv3.

  6. (Optional) Run:

    undo snmp-agent local-user password complexity-check disable

    The device is configured to check the complexity of user authentication password and encryption password.

    By default, the device checks the complexity of user authentication password and encryption password. If the check fails, the password cannot be configured. To ensure system security, you are advised to enable password complexity check.

  7. Run:

    snmp-agent local-user v3 user-name { authentication-mode { md5 | sha } privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } | authentication-mode { md5 | sha } cipher password privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } cipher password }

    The information about an SNMPv3 user is configured.

    By default, no SNMPv3 local user is configured.

    When the NMS and the device are in an insecure network environment, for example, a network prone to attacks, it is recommended that you configure different authentication and encryption passwords to improve security.

    After an SNMPv3 local user is configured, configure the authentication password and encryption password for the user; these can differ from the password of the AAA local user. When an AAA local user is deleted, the corresponding SNMPv3 user is also deleted; however, deleting an SNMPv3 local user does not affect the corresponding AAA local user.

    An SNMPv3 local user and an SNMPv3 USM user can use the same name. The SNMPv3 USM user has a higher priority than the SNMPv3 local user. That is, when an SNMPv3 local user and an SNMPv3 USM user have the same name but different authentication or encryption passwords, the authentication and encryption passwords of the SNMPv3 USM user are used for login.

    To ensure high security, do not use the MD5 algorithm for SNMPv3 authentication or use the DES56 or 3DES168 algorithm for SNMPv3 encryption.

  8. (Optional) Run:

    snmp-agent sys-info { contact contact | location location }

    The equipment administrator's contact information or location is configured.

    By default, the vendor's contact information is "R&D Beijing, Huawei Technologies co.,Ltd.". The default location is "Beijing China".

    This step lets the NMS administrator view the contact information and location of each equipment administrator when the NMS manages many devices, which helps the NMS administrator contact the equipment administrators for fault location and rectification.

  9. Run:

    commit

    The configuration is committed.

(Optional) Enhancing the Reliability for Transmitting SNMP Packets

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    snmp-agent packet max-size byte-count

    The maximum size of an SNMP packet that the device can receive or send is set.

    By default, the size of an SNMP packet that the device can receive or send is 12000 bytes.

    After the maximum size is set, the device discards any SNMP packet that is larger than the set size. You are advised to use the default value.

  3. Run:

    snmp-agent packet-priority { snmp | trap } priority-level

    The transmission level of SNMP packets is set.

    The default transmission level of SNMP packets is 6.

  4. Run:

    snmp-agent set-cache enable

    The SET response packet caching function is enabled.

    By default, the SET response packet caching function is disabled.

  5. Run:

    commit

    The configuration is committed.

(Optional) Configuring SNMPv3 Attack Defense

Context

To improve SNMPv3 connection security, the device supports the blacklist function. The following two types of blacklists are available. You can choose one or configure both of them.

  • IP address blacklist: If an SNMPv3 user fails to access the network, the IP address of this user is added to the blacklist and locked for one second. The user is not allowed to connect to the network using this IP address within the locking period.
  • User blacklist: When a user fails in authentication consecutively and the number of authentication failures exceeds a limit, the user is added to the blacklist and locked for a certain period. The user will not be authenticated within this period.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure the attack defense method.

    • Lock an IP address.

      Run the undo snmp-agent blacklist ip-block disable command to enable the IP address blacklist.

      By default, the IP address blacklist is enabled.

    • Lock a user.
      1. Run:

        undo snmp-agent blacklist user-block disable

        The SNMPv3 user blacklist is enabled.

        By default, the SNMPv3 user blacklist is enabled.

      2. (Optional) Run:

        snmp-agent blacklist user-block failed-times failed-times period period-time

        The limit of consecutive authentication failures and period are set for SNMPv3 users.

        By default, the system locks a user when the user fails in authentication 5 times consecutively within 5 minutes.

      3. (Optional) Run:

        snmp-agent blacklist user-block reactive reactive-time

        The locking period for SNMPv3 users that are added to the blacklist is set.

        By default, an SNMPv3 user is locked for 5 minutes after the user is added to the blacklist. When the locking period expires, the user can be authenticated again.

      NOTE:

      When a user fails in authentication consecutively and the number of authentication failures exceeds a limit, the user is added to the blacklist and locked for a certain period. The user will not be authenticated within this period. If you want to authenticate this user during this period, run the snmp-agent activate usm-user command to activate the user.

  3. Run:

    commit

    The configuration is committed.
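The following added example (not Huawei code) models the user blacklist behaviour described above with the default values of 5 failures within 300 seconds and a 300-second lock, so that the effect of failed-times, period and reactive-time on a run of failed logins can be checked before the values are changed. The counting rule (lock on the fifth failure inside the window, a successful login resets the run) and the timeline in run_scenario are assumptions of the model, not a statement of how the device implements it.

```python
# Model of the SNMPv3 user blacklist described in this section: failed-times
# failures inside period seconds lock the user for reactive seconds, and
# "activate" lifts the lock early. Added example, not Huawei code; the counting
# rule and the timeline in run_scenario are constructed assumptions.
from collections import deque

class UserBlacklist:
    def __init__(self, failed_times=5, period=300, reactive=300):
        self.failed_times = failed_times
        self.period = period            # window in seconds for counting failures
        self.reactive = reactive        # lock duration in seconds
        self.failures = {}              # user -> deque of failure timestamps
        self.locked_until = {}          # user -> time at which the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def attempt(self, user, ok, now):
        """Record one authentication attempt at time now (seconds).
        Returns 'locked', 'accepted', 'rejected' or 'blacklisted'."""
        if self.is_locked(user, now):
            return "locked"             # not authenticated at all while locked
        window = self.failures.setdefault(user, deque())
        if ok:
            window.clear()              # a success ends the consecutive-failure run
            return "accepted"
        window.append(now)
        while window and now - window[0] > self.period:
            window.popleft()            # only failures inside the period count
        if len(window) >= self.failed_times:
            self.locked_until[user] = now + self.reactive
            window.clear()
            return "blacklisted"
        return "rejected"

    def activate(self, user):
        """Counterpart of snmp-agent activate usm-user: lift the lock early."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

def run_scenario():
    """Constructed timeline (seconds) for one user with the default settings."""
    bl = UserBlacklist()
    results = [bl.attempt("ops", False, t) for t in (0, 10, 20, 30)]
    results.append(bl.attempt("ops", False, 400))   # the first four have aged out
    results += [bl.attempt("ops", False, t) for t in (410, 420, 430, 440)]
    results.append(bl.attempt("ops", True, 500))    # right password, still locked
    bl.activate("ops")                              # administrator lifts the lock
    results.append(bl.attempt("ops", True, 510))
    return results
```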

Checking the Configuration

Procedure

  • Run the display snmp-agent local-user [ username user-name ] command to view information about an SNMPv3 local user.
  • Run the display snmp-agent sys-info version command to view the SNMP version.
  • Run the display snmp-agent sys-info contact command to view the contact method of the administrator.
  • Run the display snmp-agent sys-info location command to view the location of the switch modules.

Configuring the Device to Communicate with an NMS Through SNMP Proxy

The SNMP proxy can be configured on a middle-point device to manage other devices. The NMS considers the middle-point device and managed devices as an independent network element; therefore, the NMS does not need to manage too many network elements. This function reduces network management costs, improves performance of the monitoring devices, and increases service quality.

Context

As shown in Figure 14-9, the middle-point device connects to a managed device to perform access management, configuration, and system software version management for the managed device.
Figure 14-9 Configuring the device to communicate with the NMS through SNMP proxy

Pre-configuration Tasks

Before configuring SNMP proxy, configure a routing protocol so that reachable routes exist between the NMS and the middle-point device, and between the middle-point device and the managed device.

Configuration Procedures

The tasks in this section need to be performed in sequence.

Configuring the Middle-Point Device

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure SNMP proxy, as shown in Table 14-6. The configuration tasks listed in Table 14-6 do not need to be performed in sequence.

    Table 14-6 SNMP proxy configuration tasks (columns: Configuration Task, Command, Description)

    Configuration task: Configure proxy rules for SNMP packets.

    Command:

    • For GetRequest, SetRequest, or Trap packets:

      snmp-agent proxy rule rule-name { read | trap | write } remote-engineid remote-engineid target-host target-host-name params-in { securityname security-name { v1 | v2c | v3 [ authentication | privacy ] } | securityname cipher cipher-text { v1 | v2c } }

    • For Inform packets:

      snmp-agent proxy rule rule-name inform remote-engineid remote-engineid target-host target-host-name params-in { securityname security-name { v2c | v3 [ authentication | privacy ] } | securityname cipher cipher-text v2c }

    Description: To enable an NMS to manage a managed device effectively, configure attributes of the target hosts that receive SNMP proxy packets so that the middle-point device can filter out SNMP packets that do not match the specified attributes. The proxy rules for SNMP packets must be configured correctly and must be unique on the middle-point device.

    If you specify neither authentication nor privacy, SNMPv3 packets are neither authenticated nor encrypted.

    Configuration task: Create an SNMP proxy community.

    Command:

    snmp-agent proxy community { community-name | cipher cipher-name } remote-engineid remote-engineid [ acl { acl-number | acl-name } | alias alias-name ] *

    Description: An SNMP proxy community defines administrative relationships between NMSs and managed devices. The community name acts like a password to regulate access to a managed device. An NMS can access a managed device only if the community name carried in the SNMP request sent by the NMS is the same as the community name configured on the managed device.

    By default, no SNMP proxy community name is configured in the system. The SNMP proxy community name is saved in encrypted format in the configuration file. To make SNMP proxy community names easier to identify, set alias names for the SNMP proxy communities. The alias names are stored in plain text in the configuration file.

    This operation applies only to SNMPv1 and SNMPv2c.

    Configuration task: Configure attributes of the target hosts for receiving SNMP proxy packets.

    Command:

    • For an IPv4 network:

      snmp-agent proxy target-host target-host-name address udp-domain ip-address udp-port port-number [ { source interface-type interface-number | vpn-instance vpn-instance-name | public-net } | timeout timeout-interval ] * params { securityname security-name { v1 | v2c | v3 [ authentication | privacy ] } | securityname cipher cipher-text { v1 | v2c } }

    • For an IPv6 network:

      snmp-agent proxy target-host target-host-name ipv6 address udp-domain ipv6-address udp-port port-number [ timeout timeout-interval ] params { securityname security-name { v1 | v2c | v3 [ authentication | privacy ] } | securityname cipher cipher-text { v1 | v2c } }

    Description: This operation enables the middle-point device to forward SNMP requests from the network management system (NMS) to the managed device and to forward responses from the managed device to the NMS.

    • The target host may be either the NMS or the managed device.
    • You can run this command multiple times with different parameters to configure a middle-point device to send SNMP proxy packets to multiple target hosts. An SNMP proxy supports a maximum of 20 target hosts.
    • The default destination User Datagram Protocol (UDP) port number is 161, a well-known port number. If you want to change this number to a non-well-known port number, ensure that the new UDP port number is the same as that on the NMS.
    • If you specify neither authentication nor privacy, SNMPv3 packets are neither authenticated nor encrypted.
    • If the NMS and the managed device need to communicate over a virtual private network (VPN), use the vpn-instance vpn-instance-name parameter.

    Configuration task: Configure an SNMP proxy user.

    Command:

    • Add a user (method 1):

      snmp-agent [ remote-engineid engineid ] usm-user v3 user-name group-name [ authentication-mode { md5 | sha } password [ privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } password ] ] [ acl { acl-number | acl-name } ]

    • Add a user (method 2):

      snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group group-name | acl { acl-number | acl-name } ] *

      snmp-agent [ remote-engineid engineid ] usm-user v3 user-name authentication-mode { md5 | sha } [ cipher password ]

      snmp-agent [ remote-engineid engineid ] usm-user v3 user-name privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } [ cipher password ]

    Description: SNMPv1 and SNMPv2c use community names for authentication, whereas SNMPv3 uses user names for authentication.

    Unlike SNMPv1 and SNMPv2c, SNMPv3 can implement access control, identity authentication, and data encryption using the local processing model and the user-based security model (USM).

    SNMPv3 provides better security and encryption mechanisms than SNMPv1 and SNMPv2c, and is therefore widely used.

    When the NMS and the device are in an insecure network environment, for example, a network prone to attacks, it is recommended that you configure different authentication and encryption passwords to improve security. By default, neither authentication nor encryption is performed for SNMPv3 users.

    This operation applies only to SNMPv3.

    To ensure high security, do not use the MD5 algorithm for SNMPv3 authentication or the DES56 or 3DES168 algorithm for SNMPv3 encryption.

    Configuration task: (Optional) Configure the priority of SNMP packets.

    Command:

    snmp-agent packet-priority { snmp | trap } priority-level

    Description: Change the priority of SNMP packets in the following scenarios if necessary:
    • Increase the priority of notifications to ensure that the NMS receives them.
    • Increase the priority of GetResponse and SetResponse PDUs to facilitate management operations performed by the NMS in the management information base (MIB) of a managed device.
    • Reduce the priority of GetResponse PDUs, SetResponse PDUs, trap messages, and inform messages to prevent frequent packet sending when network congestion occurs.

  3. Run:

    commit

    The configuration is committed.
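The following added script (not Huawei code) audits exported configuration lines against the recommendations in step 7 of Configuring Basic SNMPv3 Functions and in Table 14-6: it flags MD5 authentication, DES56 or 3DES168 encryption, usm-user entries left without authentication or encryption (aggregating the lines of method 2 per user), and proxy rules or target hosts whose params use SNMPv1/v2c or SNMPv3 without authentication or privacy. The sample configuration is constructed, with placeholder cipher texts and engine ID, and only the command grammar shown on this page is parsed.

```python
# Audit exported configuration lines for weak SNMPv3 settings, using the command
# syntax from this guide. Added example, not Huawei code; sample lines are constructed.
import re

WEAK_AUTH = {"md5"}               # the guide advises against MD5 ...
WEAK_PRIV = {"des56", "3des168"}  # ... and against DES56 / 3DES168
# version and security level carried by proxy rule / proxy target-host params
PARAMS_RE = re.compile(
    r"securityname (?:cipher )?\S+ (v1|v2c|v3)\b(?: (authentication|privacy)\b)?")

def audit_snmp_config(config_text):
    """Return sorted (line_number, finding) tuples for risky SNMP settings."""
    findings = []
    users = {}  # user name -> [first line seen, set of features configured]
    for num, line in enumerate(config_text.splitlines(), 1):
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "snmp-agent":
            continue
        if "authentication-mode" in tokens:
            alg = tokens[tokens.index("authentication-mode") + 1]
            if alg in WEAK_AUTH:
                findings.append((num, f"weak authentication algorithm {alg}"))
        if "privacy-mode" in tokens:
            alg = tokens[tokens.index("privacy-mode") + 1]
            if alg in WEAK_PRIV:
                findings.append((num, f"weak encryption algorithm {alg}"))
        # usm-user method 2 spreads one user over several lines, so aggregate
        if ("usm-user" in tokens or tokens[1] == "local-user") and "v3" in tokens:
            entry = users.setdefault(tokens[tokens.index("v3") + 1], [num, set()])
            if "authentication-mode" in tokens:
                entry[1].add("auth")
            if "privacy-mode" in tokens:
                entry[1].add("priv")
        m = PARAMS_RE.search(line)
        if m:
            version, level = m.groups()
            if version != "v3":
                findings.append((num, f"{version} security name: community-based, potential security risk"))
            elif level is None:
                findings.append((num, "v3 with neither authentication nor privacy"))
            elif level == "authentication":
                findings.append((num, "v3 authenticated but not encrypted"))
    for name, (first, feats) in users.items():
        if "auth" not in feats:
            findings.append((first, f"user {name}: no authentication or encryption"))
        elif "priv" not in feats:
            findings.append((first, f"user {name}: authenticated but not encrypted"))
    return sorted(findings)

# Constructed sample; %^%#.. stands in for cipher text, ENGINEID for a remote engine ID
SAMPLE_CONFIG = """\
snmp-agent
snmp-agent local-user v3 nms-admin authentication-mode sha cipher %^%#A1 privacy-mode aes256 cipher %^%#B2
snmp-agent local-user v3 legacy-ro authentication-mode md5 cipher %^%#C3 privacy-mode des56 cipher %^%#D4
snmp-agent usm-user v3 proxy-user
snmp-agent usm-user v3 proxy-user authentication-mode sha cipher %^%#E5
snmp-agent proxy target-host nms1 address udp-domain 192.0.2.10 udp-port 161 params securityname nms-admin v3 privacy
snmp-agent proxy target-host site2 address udp-domain 192.0.2.20 udp-port 161 params securityname cipher %^%#F6 v2c
snmp-agent proxy rule r1 read remote-engineid ENGINEID target-host site2 params-in securityname ops v3
"""
```

Running audit_snmp_config(SAMPLE_CONFIG) reports the legacy-ro user twice (MD5 and DES56), proxy-user as authenticated but unencrypted, the v2c target host and the unauthenticated v3 proxy rule.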

Configuring the Managed Device

Procedure

Checking the Configuration

Procedure

  • Check SNMP proxy configurations on the middle-point device:

    • Run the display snmp-agent proxy community command to check SNMP proxy community information.
    • Run the display snmp-agent proxy rule command to check proxy rules for SNMP packets.
    • Run the display snmp-agent proxy target-host command to check target host information.
    • Run the display snmp-agent usm-user command to check SNMPv3 proxy user information.
    • Run the display snmp-agent proxy statistics command to check statistics about SNMP proxy packets.

  • Check SNMP configurations on the managed device:

Updated: 2019-08-09

Document ID: EDOC1000041694