Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
SNMP Configuration Commands

display snmp-agent community

Function

The display snmp-agent community command displays the configured community name.

Format

display snmp-agent community { read | write }

Parameters

Parameter | Description | Value
read | Displays the name of a read-only community. The parameter is specified using the snmp-agent community command. | -
write | Displays the name of a read-write community. The parameter is specified using the snmp-agent community command. | -

Views

All views

Default Level

3: Management level

Usage Guidelines

When configuring a management entity, you can use the display snmp-agent community command to check the community name configured on the current agent.

You have to configure the community name using the snmp-agent community command before you run the display snmp-agent community command.

Example

# Display the current community name.
<Huawei> display snmp-agent community read
   Community name: %@%@$X!5#d+t+OJOXL1[{O2!&Fe&0UZv'@a;R/`Y+kK$4BUGFe)&2YLuM/kMF!HPG5Mzz3DXe2&F%@%@
   Storage type: nonVolatile
   View name: ViewDefault
   Acl: 2001 

   Total number is 1
Table 16-1  Description of the display snmp-agent community read command output

Item

Description

Community name

Name of a community.

Storage type

Data storage type. The system supports the following five storage types:
  • volatile: Lines are saved in the volatile storage medium and are lost after the device restarts. Objects with storage type volatile cannot be changed to readOnly or permanent.
  • nonVolatile: Lines are saved in the nonvolatile storage medium such as Non Volatile Random Access Memory (NVRAM) and can be restored after the device restarts. Objects with storage type nonVolatile cannot be changed to readOnly or permanent.
  • permanent: Permanent lines are saved in the nonvolatile storage medium such as Read-only Memory (ROM). They can be modified but cannot be deleted. Rowstatus objects with storage type permanent cannot be modified.
  • readOnly: Read-only lines are saved in the nonvolatile storage medium such as ROM. They cannot be modified or deleted. Rowstatus objects with storage type readOnly cannot be modified.
  • other: other storage types.

In practice, the device generally uses only the nonVolatile type.

View name

Name of a view.

Acl

Number of the ACL configured for the community.

display snmp-agent extend error-code status

Function

The display snmp-agent extend error-code status command allows you to check whether the function of sending extended error codes to the NMS is enabled on the device.

Format

display snmp-agent extend error-code status

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

If the NMS does not receive the extended error codes sent from the device, you can run the display snmp-agent extend error-code status command to check whether the function of sending extended error codes is enabled on the device.

Example

# Display whether the function of sending extended error codes is enabled on the device.

<Huawei> display snmp-agent extend error-code status
Extend error-code status: enabled
Table 16-2  Description of the display snmp-agent extend error-code status command output

Item

Description

Extend error-code status

Whether the function of sending extended error codes is enabled.
  • enabled: The function of sending extended error codes is enabled.
  • disabled: The function of sending extended error codes is disabled.

display snmp-agent group

Function

The display snmp-agent group command displays information about an SNMP agent group.

Format

display snmp-agent group [ group-name ]

Parameters

Parameter | Description | Value
group-name | Displays the name of an SNMP agent group. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When configuring a management object according to the SNMPv3 group information, you can run the display snmp-agent group command to view information about the SNMP agent group.

If the command contains no parameter, information about all groups is displayed, such as the group name, security model, and storage type.

Precautions

You can run the display snmp-agent group command to view information about an SNMP agent group only after the SNMP agent group is created through the snmp-agent group command.

Example

# Display information about all SNMPv3 working groups.
<Huawei> display snmp-agent group
                                                                                
   Group name: testgroup                                                        
   Security model: v3 AuthPriv                                                  
   Readview: ViewDefault                                                        
   Writeview: dnsmib                                                            
   Notifyview: dnsmib                                                           
   Storage type: nonVolatile                                                    
   Acl: 2001                                                                    
                                                                                
   Total number is 1                                                            
Table 16-3  Description of the display snmp-agent group command output

Item

Description

Group name

Indicates the name of an SNMP agent group.

Security model

Security mode. The options are as follows:
  • v3 AuthPriv: authenticated and encrypted.
  • v3 noAuthPriv: encrypted but not authenticated.
  • v3 AuthnoPriv: authenticated but not encrypted.
  • v3 noAuthnoPriv: neither authenticated nor encrypted.

Readview

Indicates the view of the read-only MIB of the group. This parameter can be set using the snmp-agent group command.

Writeview

Indicates the view of the read-write MIB of the group. This parameter can be set using the snmp-agent group command.

Notifyview

Indicates the view of the notify MIB of the group. This parameter can be set using the snmp-agent group command.

Storage type

Data storage type. The system supports the following five storage types:
  • readOnly: Readonly lines are saved in the nonvolatile storage medium. They cannot be modified or deleted. Rowstatus objects with storage type readOnly cannot be modified.
  • permanent: Permanent lines are saved in the nonvolatile storage medium. They can be modified but cannot be deleted. Rowstatus objects with storage type permanent cannot be modified.
  • nonVolatile: Lines are saved in the nonvolatile storage medium and are restored after the device restarts. Objects with storage type nonVolatile cannot be changed to readOnly or permanent.
  • volatile: Lines are saved in the volatile storage medium and are lost after the device restarts. Objects with storage type volatile cannot be changed to readOnly or permanent.
  • other: other storage types.

In practice, the device generally uses only the nonVolatile type.

Acl

Indicates the number of the ACL configured for the group.

display snmp-agent local-engineid

Function

The display snmp-agent local-engineid command displays the engine ID of the local SNMP entity.

Format

display snmp-agent local-engineid

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

The SNMP engine ID uniquely identifies an SNMP entity in a management domain. It is one of the important components of the SNMP entity and supports functions such as message scheduling, message processing, security authentication, and access control.

After the SNMP agent function is enabled, you can run the display snmp-agent local-engineid command to display the default or configured engine ID of the local SNMP entity.

Example

# Display the engine ID of the local SNMP entity.
<Huawei> display snmp-agent local-engineid
   SNMP local EngineID: 800007DB030819A6CDA894     
Table 16-4  Description of the display snmp-agent local-engineid command output

Item

Description

SNMP local EngineID

The engine ID of the local SNMP entity is manually specified by an administrator using the snmp-agent local-engineid command or automatically generated by the system using certain algorithms.

display snmp-agent mib-view

Function

The display snmp-agent mib-view command displays the current MIB view.

Format

display snmp-agent mib-view [ view-name ]

Parameters

Parameter | Description | Value
view-name | Specifies the view to be displayed. This parameter can be set using the snmp-agent mib-view command. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The snmp-agent mib-view command creates or updates a MIB view. To check the default and configured MIB view, you can run the display snmp-agent mib-view command.

By default, the view ViewDefault is adopted.

Precautions

Before running the display snmp-agent mib-view command, ensure that the SNMP agent has been enabled.

Example

# Display the current MIB view.

<Huawei> display snmp-agent mib-view
   View name: ViewDefault 
   MIB subtree: internet 
   Subtree mask:  
   Storage type: nonVolatile 
   View type: included 
   View status: active 

   View name: ViewDefault 
   MIB subtree: lagMIB 
   Subtree mask:  
   Storage type: nonVolatile 
   View type: included 
   View status: active 

   View name: ViewDefault 
   MIB subtree: snmpUsmMIB 
   Subtree mask:  
   Storage type: nonVolatile 
   View type: excluded 
   View status: active 

   View name: ViewDefault 
   MIB subtree: snmpVacmMIB 
   Subtree mask:  
   Storage type: nonVolatile              
   View type: excluded 
   View status: active 

   Total number is 1 
Table 16-5  Description of the display snmp-agent mib-view command output

Item

Description

View name

View name.

MIB Subtree

MIB subtree.

Subtree mask

Subtree mask.

Storage type

Data storage type.
  • volatile: Lines are saved in the volatile storage medium and are lost after the device restarts.
  • nonVolatile: Lines are saved in the nonvolatile storage medium and are restored after the device restarts.
  • permanent: Permanent lines are saved in the nonvolatile storage medium. They can be modified but cannot be deleted.
  • readOnly: Readonly lines are saved in the nonvolatile storage medium. They cannot be modified or deleted.
  • other: other storage types.

View Type

Type of a view. The options are as follows:
  • included: The view includes the subtree.
  • excluded: The view excludes the subtree.

View status

Indicates the status of the MIB view.

Total number

Total number of views whose information is queried.
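
The following added example (not part of the Huawei documentation) parses the sample display snmp-agent mib-view output above and decides whether an OID is visible in ViewDefault. It assumes the standard VACM rule from RFC 3415 (the longest matching subtree decides), handles only the empty subtree mask shown in the sample, and uses the standard OID assignments for the four subtree names; the function and variable names are hypothetical.

```python
import re

# Sample output copied from the example above (trailing spaces removed).
VIEW_OUTPUT = """\
   View name: ViewDefault
   MIB subtree: internet
   Subtree mask:
   Storage type: nonVolatile
   View type: included
   View status: active

   View name: ViewDefault
   MIB subtree: lagMIB
   Subtree mask:
   Storage type: nonVolatile
   View type: included
   View status: active

   View name: ViewDefault
   MIB subtree: snmpUsmMIB
   Subtree mask:
   Storage type: nonVolatile
   View type: excluded
   View status: active

   View name: ViewDefault
   MIB subtree: snmpVacmMIB
   Subtree mask:
   Storage type: nonVolatile
   View type: excluded
   View status: active
"""

# Assumption: standard OID assignments for the subtree names in the sample.
SUBTREE_OIDS = {
    "internet": (1, 3, 6, 1),
    "lagMIB": (1, 2, 840, 10006, 300, 43),
    "snmpUsmMIB": (1, 3, 6, 1, 6, 3, 15),    # SNMPv3 user table lives here
    "snmpVacmMIB": (1, 3, 6, 1, 6, 3, 16),   # group/view access tables live here
}

ENTRY = re.compile(
    r"View name:\s*(\S+)\s+MIB subtree:\s*(\S+).*?View type:\s*(\S+)", re.S)


def parse_view(text, view_name):
    """Return [(subtree_name, view_type), ...] for one view."""
    return [(subtree, vtype)
            for name, subtree, vtype in ENTRY.findall(text)
            if name == view_name]


def oid_tuple(oid):
    """Convert a dotted OID string to a tuple of integers."""
    return tuple(int(part) for part in oid.strip(".").split("."))


def is_visible(oid, entries):
    """Longest matching subtree wins; no matching subtree means not visible."""
    target = oid_tuple(oid)
    best_len, best_type = -1, None
    for subtree, vtype in entries:
        prefix = SUBTREE_OIDS.get(subtree)
        if prefix is None:
            raise ValueError("no OID known for subtree " + subtree)
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, best_type = len(prefix), vtype
    return best_type == "included"


if __name__ == "__main__":
    view = parse_view(VIEW_OUTPUT, "ViewDefault")
    for oid in ("1.3.6.1.2.1.1.1.0",       # sysDescr.0
                "1.3.6.1.6.3.15.1.2.2",    # usmUserTable
                "1.3.6.1.6.3.16.1.2"):     # vacmSecurityToGroupTable
        print(oid, "visible" if is_visible(oid, view) else "hidden")
```

With the sample view, ordinary objects under internet are readable while the USM and VACM subtrees, which hold the SNMPv3 user and access-control configuration, stay hidden.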

display snmp-agent notify-filter-profile

Function

The display snmp-agent notify-filter-profile command displays information about a specified trap filter profile or all trap filter profiles.

Format

display snmp-agent notify-filter-profile

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can use the display snmp-agent notify-filter-profile command to view information about configured trap filter profiles. The command can display all the configured trap filter profiles or a specified trap filter profile.

Example

# Display information about configured trap filter profiles.
<Huawei> display snmp-agent notify-filter-profile
  Trap filter profile list:
  notify-filter name: 1   
  notify-filter type: included   
  notify-filter subtree: iso
  notify-filter storage-type: nonVolatile   
  notify-filter status: active  
Table 16-6  Description of the display snmp-agent notify-filter-profile command output

Item

Description

notify-filter name

Name of a trap filter profile.

notify-filter type

Whether to filter out the trap object.

notify-filter subtree

Trap filter subtree.

notify-filter storage-type

Storage mode of the trap filter profile.

notify-filter status

Status of a row.

display snmp-agent statistics

Function

The display snmp-agent statistics command displays SNMP message statistics.

Format

display snmp-agent statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can use the display snmp-agent statistics command to analyze statistics about SNMP messages and obtain information about the communication between the SNMP agent and the NMS for fault location.

In an SNMP management system, the NMS and the SNMP agent exchange SNMP messages as follows:
  • The NMS acts as a manager to send an SNMP Request message to the SNMP agent.
  • The SNMP agent searches the MIB on the device for the required information and sends an SNMP Response message to the NMS.
  • When the trap triggering conditions are met, the SNMP agent sends a trap to the NMS to report the event occurring on the device. In this manner, the network administrator can process the event occurring on the network in time.
NOTE:

If a large number of messages are received in a short period, a large amount of CPU resources is consumed. The number of received messages depends on the frequency at which the NMS sends the Request messages.

Example

# Display the statistics about the SNMP messages.

<Huawei> display snmp-agent statistics
   The PDU process average time ( second ): 2                                   
  0 Messages delivered to the SNMP entity                                       
  0 Messages which were for an unsupported version                              
  0 Messages which used an unknown community name                               
  0 Messages which represented an illegal operation for the community supplied  
  0 ASN.1 or BER errors in the process of decoding                              
  0 MIB objects retrieved successfully                                          
  0 MIB objects altered successfully                                            
  0 Get-request PDUs accepted and processed                                     
  0 Get-next PDUs accepted and processed                                        
  0 Set-request PDUs accepted and processed                                     
  0 Messages passed from the SNMP entity                                        
  0 SNMP PDUs which had a tooBig error (Maximum packet size 12000)              
  0 SNMP PDUs which had a noSuchName error                                      
  0 SNMP PDUs which had a had badValue error                                    
  0 SNMP PDUs which had a general error                                         
  0 Response PDUs accepted and processed                                        
  0 Trap PDUs accepted and processed   
Table 16-7  Description of the display snmp-agent statistics command output

Item

Description

Messages delivered to the SNMP entity

Total number of received SNMP messages.

Messages which were for an unsupported version

Number of messages with incorrect version information.

Messages which used an unknown community name

Number of messages with incorrect community names.

Messages which represented an illegal operation for the community supplied

Number of messages whose community names have incorrect access rights.

ASN.1 or BER errors in the process of decoding

Number of SNMP messages with encoding errors.

MIB objects retrieved successfully

Number of variables requested by the NMS.

MIB objects altered successfully

Number of variables set by the NMS.

Get-request PDUs accepted and processed

Number of received GetRequest messages.

Get-next PDUs accepted and processed

Number of received GetNextRequest messages.

Set-request PDUs accepted and processed

Number of received SetRequest messages.

Messages passed from the SNMP entity

Total number of outgoing SNMP messages.

Messages which were discarded, because the message queue is full

Total number of discarded SNMP messages.

SNMP PDUs which had a tooBig error (Maximum packet size 12000)

Number of SNMP messages with Too_big errors.

SNMP PDUs which had a noSuchName error

Number of messages with noSuchName errors.

SNMP PDUs which had a had badValue error

Number of SNMP messages with Bad_values errors.

SNMP PDUs which had a general error

Number of SNMP messages with General_errors.

Response PDUs accepted and processed

Number of received response messages.

Trap PDUs accepted and processed

Number of sent traps.
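
The counters described above are cumulative, so they become useful for detection when two snapshots are compared. The following added example (not part of the Huawei documentation) parses two captures of the display snmp-agent statistics output and reports the counters that grew past a threshold in the interval; the snapshots are constructed, and the thresholds and function names are assumptions.

```python
import re

# Constructed snapshots in the `display snmp-agent statistics` format
# (counter values are invented), taken one polling interval apart.
SNAPSHOT_T0 = """\
   The PDU process average time ( second ): 2
  120 Messages delivered to the SNMP entity
  0 Messages which were for an unsupported version
  3 Messages which used an unknown community name
  0 Messages which represented an illegal operation for the community supplied
  0 ASN.1 or BER errors in the process of decoding
  117 Get-request PDUs accepted and processed
  0 Set-request PDUs accepted and processed
"""
SNAPSHOT_T1 = """\
   The PDU process average time ( second ): 2
  480 Messages delivered to the SNMP entity
  0 Messages which were for an unsupported version
  341 Messages which used an unknown community name
  2 Messages which represented an illegal operation for the community supplied
  0 ASN.1 or BER errors in the process of decoding
  137 Get-request PDUs accepted and processed
  0 Set-request PDUs accepted and processed
"""

# Counter lines look like "<count> <description>".
COUNTER_LINE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")

# Counters worth alerting on and the increase per interval that triggers a
# finding. The thresholds are assumptions; tune them to the polling interval.
WATCHED = {
    "Messages which used an unknown community name": 5,
    "Messages which represented an illegal operation for the community supplied": 1,
    "Messages which were for an unsupported version": 5,
    "ASN.1 or BER errors in the process of decoding": 1,
    "Set-request PDUs accepted and processed": 1,
}


def parse_statistics(text):
    """Return {description: count} for every counter line in the output."""
    counters = {}
    for line in text.splitlines():
        match = COUNTER_LINE.match(line)
        if match:
            counters[match.group(2)] = int(match.group(1))
    return counters


def counter_deltas(before, after):
    """Increase of each counter; a smaller value is treated as a reset to zero."""
    deltas = {}
    for name, now in after.items():
        previous = before.get(name, 0)
        deltas[name] = now - previous if now >= previous else now
    return deltas


def findings(before_text, after_text, watched=WATCHED):
    """Watched counters whose increase reached the threshold, sorted by name."""
    deltas = counter_deltas(parse_statistics(before_text),
                            parse_statistics(after_text))
    return sorted((name, increase) for name, increase in deltas.items()
                  if name in watched and increase >= watched[name])


if __name__ == "__main__":
    for name, increase in findings(SNAPSHOT_T0, SNAPSHOT_T1):
        print("+%d  %s" % (increase, name))
```

A sharp rise in the unknown-community counter points to community-name guessing or a misconfigured NMS; a rise in the illegal-operation counter means a community was used for an operation it is not permitted to perform.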

display snmp-agent sys-info

Function

The display snmp-agent sys-info command displays the system information of the current SNMP device, including the contact information about the system maintenance, physical location of the device, and SNMP version.

Format

display snmp-agent sys-info [ contact | location | version ] *

Parameters

Parameter | Description | Value
contact | Displays the contact information of the current SNMP device. | -
location | Displays the physical location information of the current SNMP device. | -
version | Displays the SNMP version running in the current system. | -

Views

All views

Default Level

3: Management level

Usage Guidelines

You can use the display snmp-agent sys-info command to check the system maintenance information of the current SNMP device. The information includes:
  • Contact information of the device administrator
  • Physical location of the device
  • SNMP version

If the parameter is not specified, all information is displayed.

The snmp-agent sys-info command can be used to set the output of the display snmp-agent sys-info command.

Example

# Display the system information of the SNMP agent.

<Huawei> display snmp-agent sys-info
  The contact person for this managed node:
           R&D Beijing, Huawei Technologies co.,Ltd.
   The physical location of this node:
           Beijing China
   SNMP version running in the system:
           SNMPv2c

# Display the SNMP version running in the current system.

<Huawei> display snmp-agent sys-info version
   SNMP version running in the system:
           SNMPv2c

# Display the contact information of the current SNMP device.

<Huawei> display snmp-agent sys-info contact
  The contact person for this managed node:
           R&D Beijing, Huawei Technologies co.,Ltd.

# Display the physical location information of the current SNMP device.

<Huawei> display snmp-agent sys-info location
  The physical location of this node:
           Beijing China
Table 16-8  Description of the display snmp-agent sys-info command output

Item

Description

The contact person for this managed node:

Contact person of the managed device. By specifying this parameter, you can store the important information on the router for convenient query.

The physical location of this node:

Location of the managed device.

SNMP version running in the system:

SNMP version running in the current system. The value can be:
  • SNMPv1
  • SNMPv2c
  • SNMPv3

display snmp-agent target-host

Function

The display snmp-agent target-host command displays the list of destination hosts that receive traps.

Format

display snmp-agent target-host

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can use this command to query the IP addresses of all valid destination hosts that are configured to receive traps. The command output consists of the following two parts:
  • List of the destination hosts that receive traps.
  • Parameter list of the destination hosts and hosts that are not bound to the parameters.

Precautions

Host parameters must have been configured for the destination host. Otherwise, the destination host cannot receive traps, and parameters are not displayed.

Example

# Display the configurations of all destination hosts in the system.

<Huawei> display snmp-agent target-host
   Traphost list:                                                               
   Target host name: nms2                                                       
   Traphost address: 10.1.1.2                                                    
   Traphost portnumber: 162                                                     
   Target host parameter: trapnms2                                              
                                                                                
   Total number is 1                                                            
                                                                                
   Parameter list trap target host:                                             
   Parameter name of the target host: trapnms2                                  
   Message mode of the target host: SNMPV3                                      
   Trap version of the target host: v3                                          
   Security name of the target host:  %@%@_=XqAFC_94uCS,3'<gYC*ZU6%@%@  
   Security level of the target host: privacy                                   
                                                                                
   Total number is 1                           
Table 16-9  Description of the display snmp-agent target-host command output

Item

Description

Traphost list

List of the destination hosts that receive traps.

Target host name

Name of a destination host that receives traps.

Traphost address

IP address of a destination host that receives traps.

Traphost portnumber

Number of the port on a destination host for receiving traps.

Parameter list trap target host

Parameter list of destination hosts that receive traps.

Parameter name of the target host

Parameter name of destination hosts that receive traps.

Message mode of the target host

Protocol used by destination hosts that receive traps.

Trap version of the target host

Version of the protocol for transmitting traps.

Security name of the target host

Security name of destination hosts that receive traps.

Security level of the target host

Authentication mode of traps.

Total number

Total number of views whose information is queried.

display snmp-agent trap all

Function

The display snmp-agent trap all command displays the current and default status of all traps in all features.

Format

display snmp-agent trap [ feature-name feature-name ] all

Parameters

Parameter | Description | Value
feature-name | Specifies a feature that generates traps. | -

Views

All views

Default Level

3: Management level

Usage Guidelines

After the device is enabled to send traps to the NMS:
  • You can run the display snmp-agent trap all command to check the status of all traps in all features.
  • You can run the display snmp-agent trap feature-name feature-name all command to check the status of all traps in a specified feature.

Example

# Check the default status of all traps in all features.

<Huawei> display snmp-agent trap all
-------------------------------------------------------------------------------  
Feature name: SSH                                                               
Trap number : 1                                                                 
------------------------------------------------------------------------------  
Trap name                       Default switch status   Current switch status   
hwSSHSftpUserNumExceedMax       off                     off                     
------------------------------------------------------------------------------  
Feature name: VFS                                                               
Trap number : 3                                                                 
------------------------------------------------------------------------------  
Trap name                       Default switch status   Current switch status   
hwFlhOperNotification           off                     off                     
hwFlhSyncSuccessNotification    off                     off                     
hwFlhSyncFailNotification       off                     off                     
------------------------------------------------------------------------------  
  ---- More ----                                                                
Table 16-10  Description of the display snmp-agent trap all command output

Item

Description

Feature name

Name of the feature that generates traps.

Trap number

Number of traps generated by this feature.

Trap name

Trap name.

Default switch status

Default status of the trap function:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

Current switch status

Current status of the trap function:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

display snmp-agent trap feature-name snmp all

Function

The display snmp-agent trap feature-name snmp all command displays whether all SNMP traps are enabled.

Format

display snmp-agent trap feature-name snmp all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display snmp-agent trap feature-name snmp all command to check the status of all SNMP traps. This status can be configured using the snmp-agent trap enable feature-name snmp command.

Example

# View whether all SNMP traps are enabled.

<Huawei> display snmp-agent trap feature-name snmp all
------------------------------------------------------------------------------  
Feature name: SNMP                                                              
Trap number : 3                                                                 
------------------------------------------------------------------------------  
Trap name                       Default switch status   Current switch status   
coldStart                       on                      on                      
warmStart                       on                      on                      
authenticationFailure           off                     off            
Table 16-11  Description of the display snmp-agent trap feature-name snmp all command output

Item

Description

Feature name

Name of the module where the trap is generated.

Trap number

Number of traps.

Trap name

Name of the trap, including:
  • authenticationFailure: This trap is generated when a user uses an incorrect community name and is unable to log in to the device.
  • coldStart: This trap is generated when the device is powered off and restarted.
  • warmStart: This trap is generated when the status of the SNMP agent is changed from disabled to enabled.

Default switch status

Default status of a trap:

  • on: The trap function is enabled.
  • off: The trap function is disabled.

Current switch status

Current status of a trap:

  • on: The trap function is enabled.
  • off: The trap function is disabled.

This status can be configured using the snmp-agent trap enable feature-name snmp command.

display snmp-agent trap-source

Function

The display snmp-agent trap-source command displays the source interface that sends trap messages.

Format

display snmp-agent trap-source

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

After users run the snmp-agent trap source command to configure the source interface that sends trap messages, you can run the display snmp-agent trap-source command to display the configured source interface.

Example

# Display the source interface that sends trap messages.

<Huawei> display snmp-agent trap-source
   Trap source interface name: GigabitEthernet0/0/1  
Table 16-12  Description of the display snmp-agent trap-source output

Item

Description

Trap source interface name

Source interface that sends trap messages.

display snmp-agent usm-user

Function

The display snmp-agent usm-user command displays information about an SNMPv3 user.

Format

display snmp-agent usm-user [ user-name ]

Parameters

Parameter | Description | Value
user-name | Specifies an SNMPv3 user. This parameter is specified using the snmp-agent usm-user command. | -

Views

All views

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The displayed information about an SNMPv3 user includes:
  • User name.
  • Local engine ID of the user. The SNMPv3 engine ID uniquely identifies an SNMPv3 agent in a management domain. The SNMPv3 engine ID is an important component of the SNMPv3 agent. It schedules and processes SNMPv3 messages, and implements security authentication and access control.

Precautions

The display snmp-agent usm-user command is applicable only to SNMPv3 users.

Example

# Display information about all current SNMPv3 users.

<Huawei> display snmp-agent usm-user
   User name: testuser                                                          
   Engine ID: 800007DB03548998F3A458                                            
   Group name: testgroup                                                        
   Authentication mode: md5, Privacy mode: des56                                
   Storage type: nonVolatile                                                    
   User status: active                                                          
                                                                                
   Total number is 1     
Table 16-13  Description of the display snmp-agent usm-user command output

Item

Description

User name

SNMPv3 user name, which identifies a user.

Engine ID

Engine ID corresponding to the SNMPv3 user.

Group name

SNMPv3 group name corresponding to the SNMPv3 user.

Authentication mode

Authentication mode for the SNMPv3 user:
  • md5
  • No authentication mode

Privacy mode

Encryption mode for the SNMPv3 user:
  • des56
  • aes128

Storage type

Data storage type.
  • volatile: Lines are saved in the volatile storage medium and are lost after the device restarts.
  • nonVolatile: Lines are saved in the nonvolatile storage medium and are restored after the device restarts.
  • permanent: Permanent lines are saved in the nonvolatile storage medium. They can be modified but cannot be deleted.
  • readOnly: Readonly lines are saved in the nonvolatile storage medium. They cannot be modified or deleted.
  • other: other storage types.

User status

Status of the SNMPv3 user:
  • active
  • inactive

Total number

Number of SNMPv3 users.
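
The following added example (not part of the Huawei documentation) audits captured output of display snmp-agent usm-user, display snmp-agent group and display snmp-agent sys-info, using only the values these sections document. It flags des56 privacy, groups whose security model is weaker than v3 AuthPriv together with their members, and SNMPv1/SNMPv2c. The first user and group come from the samples on this page; the ops user, the monitor group and all function names are constructed for the example.

```python
import re

USERS = """\
<Huawei> display snmp-agent usm-user
   User name: testuser
   Engine ID: 800007DB03548998F3A458
   Group name: testgroup
   Authentication mode: md5, Privacy mode: des56
   Storage type: nonVolatile
   User status: active

   User name: ops
   Engine ID: 800007DB03548998F3A458
   Group name: monitor
   Authentication mode: md5, Privacy mode: aes128
   Storage type: nonVolatile
   User status: active

   Total number is 2
"""
GROUPS = """\
<Huawei> display snmp-agent group

   Group name: testgroup
   Security model: v3 AuthPriv
   Readview: ViewDefault
   Writeview: dnsmib
   Notifyview: dnsmib
   Storage type: nonVolatile
   Acl: 2001

   Group name: monitor
   Security model: v3 noAuthnoPriv
   Readview: ViewDefault
   Storage type: nonVolatile

   Total number is 2
"""
SYS_INFO = """\
<Huawei> display snmp-agent sys-info version
   SNMP version running in the system:
           SNMPv2c
"""


def parse_records(text):
    """Split 'Key: value' output into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        # One line may hold two fields: "Authentication mode: md5, Privacy mode: des56"
        for part in re.split(r",\s+(?=[A-Z][\w ]*:)", line):
            key, sep, value = part.partition(":")
            if sep:
                current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def audit(users_text, groups_text, sysinfo_text):
    """Return a list of findings for the three captured outputs."""
    users = [r for r in parse_records(users_text) if "User name" in r]
    groups = [r for r in parse_records(groups_text) if "Group name" in r]
    found = []
    for user in users:
        # des56 is flagged because aes128 is the documented alternative.
        if user.get("Privacy mode", "").lower() == "des56":
            found.append("user %s: des56 privacy (aes128 is available)"
                         % user["User name"])
    for group in groups:
        model = group.get("Security model", "")
        if model != "v3 AuthPriv":
            # The group's security model decides what its members must use.
            members = sorted(u["User name"] for u in users
                             if u.get("Group name") == group["Group name"])
            found.append("group %s: %s, users: %s"
                         % (group["Group name"], model,
                            ", ".join(members) or "none"))
    for version in sorted(set(re.findall(r"\bSNMPv(?:1|2c)\b", sysinfo_text))):
        found.append("agent: %s in use (community-based, unencrypted)" % version)
    return found


if __name__ == "__main__":
    for finding in audit(USERS, GROUPS, SYS_INFO):
        print(finding)
```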

enable snmp trap updown

Function

The enable snmp trap updown command enables an interface to send a trap to the NMS when the protocol status of the interface changes.

The undo enable snmp trap updown command disables an interface from sending a trap to the NMS when the protocol status of the interface changes.

By default, an interface sends a Trap message to the NMS when the protocol status of the interface changes.

Format

enable snmp trap updown

undo enable snmp trap updown

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The enable snmp trap updown command is used to enable an interface to send a Trap message to the NMS when the protocol status of the interface changes, which helps the NMS monitor the interface status in real time.

Precautions

By default, the function of sending a Trap message to the NMS when the protocol status of the interface changes is enabled. If an interface alternates between Up and Down, it will frequently send Trap messages to the NMS, causing the NMS to be busy processing these Trap messages. In this case, you can run the undo enable snmp trap updown command to disable the interface from sending trap messages to the NMS.

Example

# Enable an interface to send a trap to the NMS when the protocol status of the interface changes.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] enable snmp trap updown

snmp-agent

Function

The snmp-agent command enables the SNMP agent function.

The undo snmp-agent command disables the SNMP agent function.

By default, the SNMP agent function is disabled.

Format

snmp-agent

undo snmp-agent

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Executing the snmp-agent command with any parameter enables the SNMP agent function. For example, if you execute the snmp-agent community command, the community name is created and the SNMP agent function is also enabled.

Precautions

  • To configure SNMP functions using commands, you do not need to run the snmp-agent command to enable the SNMP agent function.

  • To configure SNMP functions using the configuration file, you need to run the snmp-agent command in the configuration file; otherwise, you cannot enable SNMP functions.

Example

# Enable the SNMP agent function.

<Huawei> system-view
[Huawei] snmp-agent

# Disable the SNMP agent function.

<Huawei> system-view
[Huawei] undo snmp-agent

snmp-agent community

Function

The snmp-agent community command configures the SNMPv1 or SNMPv2c read-write community name.

The undo snmp-agent community command is used to delete the configuration of the community name.

By default, the community name is not configured.

Format

snmp-agent community { read | write } community-name [ mib-view view-name | acl acl-number ] *

undo snmp-agent community community-name

Parameters

Parameter Description Value
read Indicates that the community with a specified name has the read-only rights in the specified view. -
write Indicates that the community with a specified name has the read-write rights in the specified view. -
community-name Specifies the name of a community.

The community name is displayed in cipher text in the configuration file.

The value is a string of 6 to 32 or 80 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.
  • When the community name is a string of 6 to 32 characters, the string is processed as plain text by default and will be encrypted.
  • When the community name is a string of 80 characters, the string is processed as cipher text by default, and the system will determine whether the string can be parsed.
By default, the complexity check is enabled for a community name. If a community name fails the complexity check, the community name cannot be configured.
NOTE:

The device has the following requirements for community name complexity:

  • The default minimum length of a community name is six characters.

  • A community name includes at least two kinds of characters, which can be uppercase letters, lowercase letters, digits, and special characters.

mib-view view-name
Specifies a MIB view that the community name can access.
  • If no MIB view that the community name can access is specified, the community name can access only the default MIB view, that is, ViewDefault.
  • If a MIB view that the community name can access is specified, the community name can access the specified MIB view.
It is a string of 1 to 32 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.
acl acl-number
Specifies the ACL corresponding to the community name.
NOTE:
Currently, SNMP supports only basic ACLs.
The value is an integer that ranges from 2000 to 2999.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When running the snmp-agent community command, you can select parameters based on the networking requirements.
  • To grant the NMS read-only permission in the specified view, configure read.

  • To grant the NMS read-write permission in the specified view, configure write.

  • To allow specified NMSs using this community name to have the rights of ViewDefault, omit mib-view view-name.

  • To allow all NMSs using this community name to manage specified objects on a managed device, omit acl acl-number.

  • To allow specified NMSs using this community name to manage specified objects on a managed device, configure mib-view and acl.
NOTE:

When both the community name and an ACL are configured, the NMS verifies the community name before accessing the device, and then checks the ACL rules. If the community name does not exist, the packet is discarded and a log indicating that the community name is wrong is printed. The ACL rule is not checked. That is, the ACL rule is checked only when the community name exists.

You can run the display snmp-agent community command to view the current community name.

Precautions

When you configure a community name in cipher text that starts and ends with %@%@ (the community name can be decrypted by the device), the community name is displayed in the same manner as the configured one in the configuration file. Do not use this setting.

If you specify the parameter mib-view or acl when running the snmp-agent community command, configure the MIB view and ACL rule. If the default MIB view is deleted, the NMS using this community name cannot communicate with managed devices. To continue to use this community name, specify an existing MIB view.

Example

# Set the name of a community to comaccess1 and configure the read-only rights for the community.

<Huawei> system-view
[Huawei] snmp-agent community read comaccess1

# Set the name of a community to comaccess2 and configure the read-write rights for the community.

<Huawei> system-view
[Huawei] snmp-agent community write comaccess2

snmp-agent complexity-check disable

Function

The snmp-agent complexity-check disable command disables complexity check for community names and SNMPv3 authentication and encryption passwords.

The undo snmp-agent complexity-check disable command enables complexity check for community names and SNMPv3 authentication and encryption passwords.

By default, complexity check for community names and SNMPv3 authentication and encryption passwords is enabled.

Format

snmp-agent complexity-check disable

undo snmp-agent complexity-check disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

To improve maintenance efficiency in a secure environment, disable complexity check for community names and SNMPv3 passwords by running the snmp-agent complexity-check disable command. After complexity check is disabled, the minimum length of a community name or SNMPv3 password is 1, and the community name or password must contain at least one type of character.

If a community name or SNMPv3 password does not meet complexity requirements, the system is prone to attacks from malicious users, affecting system security. Therefore, you are advised to run the undo snmp-agent complexity-check disable command to enable complexity check for community names and SNMPv3 passwords. After complexity check is enabled, the community names or SNMPv3 authentication and encryption passwords must meet the following requirements:

  • A community name contains at least six characters. An SNMPv3 authentication or encryption password contains at least eight characters.

  • A community name or password must be a combination of at least two of the following: uppercase letters A to Z, lowercase letters a to z, digits, and special characters (excluding spaces).

  • An SNMPv3 authentication password cannot be the same as an SNMPv3 encryption password.

Example

# Disable complexity check for community names or SNMPv3 authentication and encryption passwords.

<Huawei> system-view
[Huawei] snmp-agent complexity-check disable

snmp-agent extend error-code enable

Function

The snmp-agent extend error-code enable command enables the function of sending extended error codes to the NMS on the device.

The undo snmp-agent extend error-code enable command disables the function of sending extended error codes to the NMS.

By default, the function of sending extended error codes to the NMS is disabled.

Format

snmp-agent extend error-code enable

undo snmp-agent extend error-code enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

If the NMS and managed device are Huawei devices, error codes are extended and more scenarios are defined after the function of sending extended error codes is enabled. As a result, users can locate and troubleshoot faults quickly and accurately.

Support of the MIB for the extended error code:

  • For the MIB that supports the extended error code, you can enable the SNMP extended error code function and use Huawei NMS to provide the NMS with various error codes.
  • For the MIB that does not support the extended error code, after the SNMP extended error code function is enabled, NMS of either Huawei or other vendors can obtain only the standard error code.

Example

# Enable the function of sending extended error codes to the NMS on the device.

<Huawei> system-view
[Huawei] snmp-agent extend error-code enable

snmp-agent group

Function

The snmp-agent group command creates an SNMP group by mapping SNMP users to SNMP views.

The undo snmp-agent group command deletes a specified SNMP user group.

By default, no SNMP group is configured.

Format

snmp-agent group v3 group-name { authentication | noauth | privacy } [ read-view read-view | write-view write-view | notify-view notify-view | acl acl-number ] *

undo snmp-agent group v3 group-name { authentication | noauth | privacy }

Parameters

Parameter Description Value
v3 Indicates that the SNMP group uses the security mode in SNMPv3. -
group-name Specifies the name of an SNMP group.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

authentication | noauth | privacy
Indicates the security level of the SNMP group.
  • authentication: indicates that SNMP messages are authenticated but not encrypted.
  • noauth: indicates that SNMP messages are neither authenticated nor encrypted.
  • privacy: indicates that SNMP messages are authenticated and encrypted.

To ensure security, it is recommended that you set the security level of the SNMP group to privacy.

read-view read-view

Specifies a read-only view.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

read-view is specified by the snmp-agent mib-view command.
write-view write-view

Specifies a read-write view.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

write-view is specified by the snmp-agent mib-view command.
notify-view notify-view

Specifies a notify view.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

notify-view is specified by the snmp-agent mib-view command.
acl acl-number Specifies a basic ACL. The value is an integer that ranges from 2000 to 2999.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

SNMPv1 and SNMPv2c have serious defects in terms of security. The security authentication mechanism used by SNMPv1 and SNMPv2c is based on the community name. In this mechanism, the community name is transmitted in plain text. You are not advised to use SNMPv1 and SNMPv2c on untrusted networks.

By adopting the user-based security model, SNMPv3 eradicates the security defects in SNMPv1 and SNMPv2c and provides two services, authentication and privacy. The SNMP group name and security name determine an SNMP group. SNMPv3 defines the following security levels:

  • noAuthNoPriv
  • AuthNoPriv
  • AuthPriv
NOTE:

The security authentication level noAuthPriv does not exist. This is because the generation of a key is based on the authentication information and product information.

The snmp-agent group command can be used to configure the following:

  • Authentication
  • Privacy
  • Access rights for users of SNMP group
  • Bind the SNMP group to a MIB view
Parameters are selected based on the following rules:
  • To enhance security, configure the parameter authentication or privacy.
    • If neither authentication nor privacy is configured, SNMP messages are not authenticated or encrypted. This applies to the environment that is secure and has a fixed administrator.

    • To authenticate SNMP messages without encryption, configure the parameter authentication. This mode is applicable to secure networks managed by many administrators who may frequently perform operations on the same device. Authentication allows only the administrators with permission to access the device.

    • To authenticate and encrypt SNMP messages, configure the parameter privacy. This mode is applicable to insecure networks managed by many administrators who may frequently perform operations on the same device. Authentication and encryption allow only specified administrators to access the device and encrypt data before transmission. This prevents data from being tampered with or leaked.

  • To grant the NMS read-only permission in the specified view, configure read-view. To grant the NMS read-write permission in the specified view, configure write-view.

    To filter unnecessary alarms, configure notify-view. After this parameter is configured, only alarms generated on MIB objects specified by notify-view are delivered to the NMS.

    By default, the read-only view of an SNMP group is the ViewDefault view, and the names of the read-write view and inform view are not specified.

  • To allow specified NMSs in the same SNMPv3 group to access the device, configure acl.

Configuration Impact

When you run the undo snmp-agent group command to delete an SNMP user group, you delete all SNMP users in the SNMP user group.

Precautions

To receive trap messages specified in notify-view, you need to ensure the target host for receiving SNMP traps is specified through the snmp-agent target-host trap-hostname command.

User access can be encrypted and authenticated, authenticated but not encrypted, or neither authenticated nor encrypted. If the access level of a user is lower than the security level of the specified group, the access fails. When the groups that a user can access have multiple security levels, the user can select the group with the highest security level among the groups that can be accessed, and access the view of the group.

Example

# Create an SNMPv3 group named Johngroup, authenticate and encrypt SNMP messages, and set the read-only view of the SNMPv3 group to public.

<Huawei> system-view
[Huawei] snmp-agent
[Huawei] snmp-agent mib-view excluded public 1.3.6.1.2.1
[Huawei] snmp-agent group v3 Johngroup privacy read-view public

# Create an SNMPv3 group named Johngroup, authenticate and encrypt SNMP messages, and set the write-view of the SNMPv3 group to private.

<Huawei> system-view
[Huawei] snmp-agent
[Huawei] snmp-agent mib-view included private 1.3.6.1.2.1
[Huawei] snmp-agent group v3 Johngroup privacy write-view private

snmp-agent local-engineid

Function

The snmp-agent local-engineid command sets an engine ID for the local SNMP agent.

The undo snmp-agent local-engineid command restores the engine ID of the local SNMP agent to the default value.

By default, the device uses an internal algorithm to automatically generate an engine ID for a device. The engine ID consists of the enterprise number and the device information.

Format

snmp-agent local-engineid { engineid | sysname }

undo snmp-agent local-engineid

Parameters

Parameter Description Value
engineid Specifies the engine ID of the local SNMP agent. The value is a string of 10 to 64 hexadecimal digits.
sysname Indicates the engine ID generated based on the system name. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run the snmp-agent local-engineid command to set an engine ID for the local SNMP agent for identification.

The SNMP engine ID uniquely identifies an SNMP agent in a management domain. The SNMP engine ID is an important component of the SNMP agent. It schedules and processes SNMP messages, and implements security authentication and access control. You can use the display snmp-agent local-engineid command to check the engine ID of the local SNMP entity.

When setting an engine ID, you need to comply with the following rules:

  • The length of the octet strings varies. The first four octets are set to the binary equivalent of the agent's SNMP management private enterprise number, which is assigned by the Internet Assigned Numbers Authority (IANA). The enterprise number of Huawei devices is 2011 in decimal notation. The first bit has a fixed value of 1. Therefore, the first four octets of the engine ID are 800007DB in hexadecimal format.

  • The device information can be configured manually. It is recommended that the IP address or MAC address of the device be used as the device information to uniquely identify the device.

Precautions

If the local engine ID is set or changed, the existing SNMPv3 user with this engine ID is deleted. If the original engine ID is restored, the corresponding user configuration is restored.

After the SNMP agent function is enabled using the snmp-agent command, the system automatically adopts the default engine ID for the local SNMP agent.

The password summary used by SNMPv3 users is calculated using MD5 or SHA based on the user password and engine ID of the local SNMP agent. If the engine ID of the local SNMP agent is changed, the generated password summary becomes invalid. As a result, a new password summary needs to be generated for SNMPv3 users.
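The dependency between the password summary and the engine ID, shown as an added example (not Huawei code). It assumes the device follows the standard RFC 3414 password-to-key localization and the RFC 3411 engine ID layout; the function names and the password are constructed, and the two engine IDs are the ones that appear in this reference.

```python
import hashlib

HUAWEI_ENTERPRISE_NUMBER = 2011  # 0x07DB, which yields the 800007DB prefix

# Format octet values from RFC 3411 (SnmpEngineID); they are not listed on this page.
ENGINE_ID_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def parse_engine_id(hex_text):
    """Split an engine ID (10 to 64 hex digits) into its fields."""
    if not 10 <= len(hex_text) <= 64:
        raise ValueError("engine ID must be 10 to 64 hexadecimal digits")
    raw = bytes.fromhex(hex_text)  # ValueError on non-hex input or odd length
    head = int.from_bytes(raw[:4], "big")
    return {
        "first_bit": head >> 31,              # fixed value 1
        "enterprise": head & 0x7FFFFFFF,      # IANA private enterprise number
        "format": ENGINE_ID_FORMATS.get(raw[4], "reserved or enterprise-specific"),
        "device_info": raw[5:].hex(":"),      # device information part
    }


def password_to_key(password, algo):
    """RFC 3414 A.2: hash the first 1,048,576 octets of the repeated password."""
    if not password:
        raise ValueError("password must not be empty")
    data = password.encode()
    reps, rest = divmod(1048576, len(data))
    return hashlib.new(algo, data * reps + data[:rest]).digest()


def localized_key(password, engine_id_hex, algo="md5"):
    """Key bound to one engine: H(Ku || engineID || Ku), returned as hex."""
    ku = password_to_key(password, algo)
    engine_id = bytes.fromhex(engine_id_hex)
    return hashlib.new(algo, ku + engine_id + ku).hexdigest()


def keys_for_engines(password, engine_ids, algo="md5"):
    """Localized key of the same password on each engine ID."""
    return {eid: localized_key(password, eid, algo) for eid in engine_ids}


if __name__ == "__main__":
    old_id = "800007DB03548998F3A458"   # engine ID from the usm-user output
    new_id = "800007DB03360102101100"   # engine ID set in the example
    print(parse_engine_id(old_id))
    # Constructed password: the same secret gives a different key per engine,
    # so a stored summary stops matching once the local engine ID changes.
    for eid, key in keys_for_engines("Constructed-Pass1", [old_id, new_id]).items():
        print(eid, key)
```

Because the key is derived per engine, a summary captured from one device cannot be replayed against a device with a different engine ID, and every SNMPv3 user has to be re-keyed after the engine ID is changed.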

Example

# Set the engine ID of the local SNMP agent to 800007DB03360102101100.

<Huawei> system-view
[Huawei] snmp-agent local-engineid 800007DB03360102101100   
Info: Modify the local-engineid will disable the configured SNMPv3 user, all 
users must be reconfigured, proceed? (y/n)[n]:y

snmp-agent mib-view

Function

The snmp-agent mib-view command creates or updates a MIB view.

The undo snmp-agent mib-view command cancels the configuration of the current MIB view.

By default, the MIB view name is ViewDefault, and the MIB subtree includes lagMIB nodes and all internet subnodes except for snmpVacmMIB and snmpUsmMIB.

Format

snmp-agent mib-view view-name { exclude | include } subtree-name [ mask mask ]

undo snmp-agent mib-view view-name [ subtree-name ]

Parameters

Parameter Description Value
view-name Specifies the MIB view name.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

exclude Excludes the MIB subtree. -
include Includes the MIB subtree. -
subtree-name Specifies the name of the subtree, which identifies a subtree uniquely. subtree-name can be the OID (such as 1.4.5.3.1) or the name (such as system) of the subtree.

It is a string of 1 to 128 characters, which are case sensitive and cannot be blank spaces.

NOTE:

It must be a valid MIB subtree.

mask Indicates the subtree mask, which specifies the access range of the view. -
mask Specifies the value of the subtree mask. This parameter specifies the mode and length of the matching between the user operation node and the subtree included by the view. The value is a hexadecimal string of 1 to 32 characters.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A MIB view is an abstract set of all managed objects. The NMS manages the device by reading and writing the managed objects in the MIB. A MIB view defines management information included and excluded in this MIB view.

If you forget which information you have configured for a MIB view, you can run the display snmp-agent mib-view command to check it.

Precautions

If both the include and exclude parameters are configured for MIB objects that have an inclusion relationship, whether to include or exclude the lowest MIB object will be determined by the parameter configured for the lowest MIB object. For example, the snmpV2, snmpModules, and snmpUsmMIB objects are from top down in the MIB table. If the exclude parameter is configured for snmpUsmMIB objects and include is configured for snmpV2, snmpUsmMIB objects will still be excluded.

When using the snmp-agent mib-view command, note the following:
  • A view name uniquely identifies a view. Configuring the same view name repeatedly is equivalent to adding the subtree to the view. The system displays prompt information when a subtree is overwritten due to the repeated subtree configuration. The default view cannot be deleted.
  • The system checks the subtree name. The configured subtree must be the one existing in the MIB tree. The subtree name is configurable.
  • The rule of smallest range is adopted for the access rights of the leaf node. That is, the MIB subtree configured with the include/exclude rights at the most internal layer determines the authority of the leaves inside the subtree.
  • Only an existing view can be deleted regardless of whether the view is referenced or not.
  • The total number of subtrees in all views cannot exceed 20.
  • A leaf node of the MIB tree defines the managed object of the device, such as the routing table. The leaf node with a unique value is called a scalar, and the leaf node with multiple values is called a variable.
An input mask must meet the following requirements:
  • The mask is a hexadecimal string.
  • The bit converted to 1 (a binary number) indicates that the subtree matches the corresponding sub IDs exactly. The bit converted to 0 (a binary number) indicates that the subtree matches the sub IDs universally.
  • After the mask is converted to a binary string, the length of the string should not be less than the number of the sub IDs of the subtree. In addition, 0 must exist before 1.
  • A view record without a mask indicates that the view matches the subtrees completely.
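The include/exclude precedence and the mask rules above, worked through as an added example (not Huawei code). It assumes the RFC 3415 convention that the first mask bit corresponds to the first sub ID and that ties between equally long subtrees go to the lexicographically greater one; the class, function and view names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subtree:
    oid: tuple          # sub IDs of the subtree
    included: bool      # True for include, False for exclude
    mask: str = ""      # hexadecimal mask, empty when no mask is configured


def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask, n_subids):
    """Expand a hex mask to one bit per sub ID; no mask means all bits are 1."""
    if not mask:
        return [1] * n_subids
    bits = [int(b) for char in mask for b in f"{int(char, 16):04b}"]
    if len(bits) < n_subids:
        raise ValueError("mask is shorter than the number of sub IDs")
    return bits[:n_subids]


def matches(entry, oid):
    """Bit 1: the sub ID must match exactly. Bit 0: any value matches."""
    if len(oid) < len(entry.oid):
        return False
    bits = mask_bits(entry.mask, len(entry.oid))
    return all(bit == 0 or want == got
               for bit, want, got in zip(bits, entry.oid, oid))


def is_accessible(view, oid_text):
    """Rule of smallest range: the longest matching subtree decides."""
    oid = parse_oid(oid_text)
    candidates = [entry for entry in view if matches(entry, oid)]
    if not candidates:
        return False  # an object outside every subtree is not in the view
    best = max(candidates, key=lambda entry: (len(entry.oid), entry.oid))
    return best.included


# The case from the Precautions: include snmpV2, exclude snmpUsmMIB below it.
VIEW_SNMPV2 = [
    Subtree(parse_oid("1.3.6.1.6"), True),        # snmpV2
    Subtree(parse_oid("1.3.6.1.6.3.15"), False),  # snmpUsmMIB
]

# Constructed mask case: every column of ifEntry, but only for ifIndex 2.
# FFA0 = 1111 1111 1010 0000, so the 10th sub ID (the column) is a wildcard.
VIEW_IF2 = [Subtree(parse_oid("1.3.6.1.2.1.2.2.1.0.2"), True, "FFA0")]

if __name__ == "__main__":
    for view, oid in [
        (VIEW_SNMPV2, "1.3.6.1.6.3.1.1.4.1.0"),   # snmpTrapOID: included
        (VIEW_SNMPV2, "1.3.6.1.6.3.15.1.1.1.0"),  # under snmpUsmMIB: excluded
        (VIEW_IF2, "1.3.6.1.2.1.2.2.1.10.2"),     # ifInOctets.2: included
        (VIEW_IF2, "1.3.6.1.2.1.2.2.1.10.3"),     # ifInOctets.3: no match
    ]:
        print(oid, is_accessible(view, oid))
```

Running a planned view through a check like this before binding it to a community or group shows whether sensitive subtrees such as snmpUsmMIB stay out of reach.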

Example

# Configure MIB view a1 that includes the internet subtree.

<Huawei> system-view
[Huawei] snmp-agent mib-view a1 include internet

snmp-agent notify-filter-profile

Function

The snmp-agent notify-filter-profile command creates or updates a trap filter profile.

The undo snmp-agent notify-filter-profile command deletes a trap filter profile.

By default, no trap is filtered.

Format

snmp-agent notify-filter-profile { include | exclude } profile-name oid-tree

undo snmp-agent notify-filter-profile profile-name [ oid-tree ]

Parameters

Parameter Description Value
include Includes the specified MIB subtree.
NOTE:
The include parameter is configured to filter traps of a certain type that are sent to the destination host. In addition to configuring the trap object, you need to configure all the objects of the parameter bound to the trap object.
-
exclude Excludes the specified MIB subtree.
NOTE:
The exclude parameter is configured to filter traps of a certain type that are not sent to the destination host.
-
profile-name Specifies the name of a trap filter profile.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

oid-tree Specifies the OID for the MIB subtree. oid-tree can be the OID (such as 1.4.5.3.1) or the name (such as system) of the subtree. The value is a string of 1 to 128 case-sensitive characters without spaces.
NOTE:

It must be a valid MIB subtree.

Views

System view

Default Level

3: Management level

Usage Guidelines

To filter the traps sent to a destination host, run the snmp-agent notify-filter-profile command to configure a trap filter profile and specify the MIB object to be filtered in the profile.

Before sending a trap message to a target host, the device checks whether the alarm object and parameter binding object are within the filtering range of the target host. If this trap is within the filtering range, the device does not send the trap message; otherwise, the device sends the trap message.

NOTE:
If no trap filter profile is configured, all traps are sent to the destination host.

Example

# Configure a trap filter profile named tmp.
<Huawei> system-view
[Huawei] snmp-agent notify-filter-profile include tmp linkDown

snmp-agent permit interface

Function

The snmp-agent permit interface command specifies physical interfaces on the device to which the NMS can connect.

The undo snmp-agent permit interface command restores the default physical interfaces on the device to which the NMS can connect.

By default, the NMS can connect to all the physical interfaces on the device.

Format

snmp-agent permit interface { interface-type interface-number } &<1-5>

undo snmp-agent permit interface

Parameters

Parameter Description Value
interface-type interface-number

interface-type: specifies the interface type.

interface-number: specifies the interface number. interface-number and interface-type specify an interface.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To prevent the NMS from connecting to the device through an unauthorized physical interface, you can run the snmp-agent permit interface command to specify physical interfaces on the device to which the NMS can connect.

Precautions

  • By default, the NMS can connect to all the physical interfaces on the device. When you run this command to specify one physical interface on the device, the NMS cannot connect to the other physical interfaces on the device.
  • You can specify a maximum of five interfaces each time you run the snmp-agent permit interface command. The latest configuration overrides the previous one. For example, before you run the command, the NMS can connect to three physical interfaces GigabitEthernet 1/0/0, GigabitEthernet 2/0/0, and GigabitEthernet 3/0/0 on the device. After you run the command to specify the interface GigabitEthernet 1/0/0, the NMS can only connect to the interface GigabitEthernet 1/0/0.

Example

# Specify physical interfaces on the device to which the NMS can connect.

<Huawei> system-view
[Huawei] snmp-agent permit interface gigabitethernet 1/0/0 gigabitethernet 2/0/0
   Info: Succeeded in setting snmp permit interface.

# Restore the default physical interfaces on the device to which the NMS can connect.

<Huawei> system-view
[Huawei] undo snmp-agent permit interface

snmp-agent sys-info

Function

The snmp-agent sys-info command sets the SNMP system information.

The undo snmp-agent sys-info command restores the default setting.

By default, the system maintenance information is "R&D Shenzhen, Huawei Technologies co.,Ltd.", the system location is "Shenzhen China", and the version is SNMPv3.

Format

snmp-agent sys-info { contact contact | location location | version { { v1 | v2c | v3 } * | all } }

undo snmp-agent sys-info { contact | location | version { { v1 | v2c | v3 } * | all } }

Parameters

Parameter Description Value
contact contact Indicates contact information of system maintenance. The value is a string of 1 to 225 case-sensitive characters that can contain spaces.
location location Indicates the location of a device. The value is a string of 1 to 255 case-sensitive characters that can contain spaces.
version { { v1 | v2c | v3 } * | all } Indicates the SNMP version.
  • v1: SNMPv1 is enabled.
  • v2c: SNMPv2c is enabled.
  • v3: SNMPv3 is enabled.
  • all: SNMPv1, SNMPv2c, and SNMPv3 are enabled.
-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To configure the contact information for the managed node, you can run the snmp-agent sys-info contact command in the system. If a device fails, maintenance personnel can contact the vendor for device maintenance.

To configure the physical location of the node, you can run the snmp-agent sys-info location command in the system.

To configure features in a specified version, you can run the snmp-agent sys-info version command to set the corresponding SNMP version in the system. SNMPv1 or SNMPv2c is not secure enough. Using SNMPv3 is recommended.

SNMPv1:
  • Community-name-based access control
  • MIB-view-based access control
SNMPv2c:
  • Community-name-based access control
  • MIB-view-based access control
Besides inheriting basic SNMPv2c operations, SNMPv3 defines a management architecture, which introduces a User-based Security Model (USM) to provide users with a more secure access mechanism.
  • User group
  • Group-based access control
  • User-based access control
  • Authentication and encryption mechanisms
NOTE:

Use the display snmp-agent sys-info command to view the information of the system maintenance, the physical location of the node and the SNMP version.

Precautions

A lack of authentication capabilities in SNMPv1 and SNMPv2c results in vulnerability to security threats, so SNMPv3 is recommended.
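The security recommendations scattered through this reference can be checked mechanically against a saved configuration. The following is an added example, not Huawei tooling: it assumes configuration lines follow the command formats shown on this page, and the sample configurations, community placeholders and finding codes are constructed.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\S+')  # double-quoted names may contain spaces


def audit_snmp_config(text):
    """Return (line_no, code, message) findings for snmp-agent lines."""
    findings = []
    permit_interface_seen = False
    for no, line in enumerate(text.splitlines(), 1):
        tok = TOKEN.findall(line)
        if tok[:1] != ["snmp-agent"]:
            continue
        rest = tok[1:]
        if rest[:2] == ["complexity-check", "disable"]:
            findings.append((no, "COMPLEXITY_DISABLED",
                             "complexity check for community names and passwords is off"))
        elif rest[:2] == ["sys-info", "version"]:
            enabled = set(rest[2:])
            legacy = {"v1", "v2c"} if "all" in enabled else enabled & {"v1", "v2c"}
            if legacy:
                findings.append((no, "LEGACY_VERSION",
                                 "community-based versions enabled: " + ", ".join(sorted(legacy))))
        elif rest[:1] == ["community"] and len(rest) >= 3:
            options = rest[3:]
            if rest[1] == "write":
                findings.append((no, "COMMUNITY_WRITE", "read-write community configured"))
            if "acl" not in options:
                findings.append((no, "COMMUNITY_NO_ACL",
                                 "no acl: any NMS that knows the community name can use it"))
        elif rest[:2] == ["group", "v3"] and len(rest) >= 4:
            level, options = rest[3], rest[4:]
            if level != "privacy":
                findings.append((no, "GROUP_NOT_PRIVACY",
                                 "security level is " + level + ", privacy is recommended"))
            if "acl" not in options:
                findings.append((no, "GROUP_NO_ACL", "group is not restricted to specified NMSs"))
        elif rest[:2] == ["permit", "interface"]:
            permit_interface_seen = True
    if not permit_interface_seen:
        # Line 0 marks a finding about the configuration as a whole.
        findings.append((0, "NO_PERMIT_INTERFACE",
                         "the NMS can connect to all physical interfaces"))
    return findings


# Constructed sample: weak settings.
WEAK_CONFIG = """\
snmp-agent
snmp-agent complexity-check disable
snmp-agent sys-info version all
snmp-agent community write COMMUNITY-PLACEHOLDER-1
snmp-agent community read COMMUNITY-PLACEHOLDER-2 mib-view a1 acl 2001
snmp-agent group v3 Johngroup privacy read-view public acl 2001
snmp-agent group v3 opsgroup noauth
"""

# Constructed sample: the same device after following the recommendations.
HARDENED_CONFIG = """\
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 Johngroup privacy read-view public acl 2001
snmp-agent permit interface gigabitethernet 1/0/0
"""

if __name__ == "__main__":
    for line_no, code, message in audit_snmp_config(WEAK_CONFIG):
        print(line_no, code, message)
    print("hardened findings:", audit_snmp_config(HARDENED_CONFIG))
```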

Example

# Set the contact information of the system maintenance as "call Operator at 010-12345678".

<Huawei> system-view
[Huawei] snmp-agent sys-info contact call Operator at 010-12345678

# Set the location of a device as "shanghai China".

<Huawei> system-view
[Huawei] snmp-agent sys-info location shanghai China

# Set the current SNMP version used by the system to SNMP v2c.

<Huawei> system-view
[Huawei] snmp-agent sys-info version v2c

snmp-agent target-host trap-hostname

Function

The snmp-agent target-host trap-hostname command configures the target host of trap messages.

The undo snmp-agent target-host trap-hostname command deletes the target host of trap messages.

By default, no target host of trap messages is configured.

Format

snmp-agent target-host trap-hostname hostname address { ipv4-addr [ udp-port udp-portid ] [ public-net | vpn-instance vpn-instance-name ] | ipv6 ipv6-addr [ udp-port udp-portid ] } trap-paramsname paramsname [ notify-filter-profile profile-name ]

undo snmp-agent target-host trap-hostname hostname

Parameters

Parameter Description Value
hostname Specifies the name of the target host. The name is a string of 1 to 32 case-sensitive characters without spaces.
address ipv4-addr Indicates the IP address of the target host. The value is in dotted decimal notation.
udp-port udp-portid Indicates the ID of the port on the target host for receiving trap messages. The value is an integer that ranges from 1 to 65535. The default value is 162.
public-net Indicates that the target host connects the alarm host on the public network. -
vpn-instance vpn-instance-name Indicates the name of a VPN instance. The name is a string of 1 to 31 case-sensitive characters without spaces.
ipv6-address ipv6-address Specifies the IPv6 address of the target host. The value is a hexadecimal number that ranges from 0 to FFFF (0::0 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, "::" indicates that the value of the field between the two colons is 0).
udp-port udp-portid Indicates that the target host receives port numbers of trap messages. The value is an integer that ranges from 1 to 65535.
trap-paramsname paramsname Indicates the name of the trap sending parameter list used by the target host. The name is a string of 1 to 32 case-sensitive characters without spaces.
notify-filter-profile profile-name Specifies the name of a trap filter profile. The name is a string of 1 to 32 case-sensitive characters without spaces.

Views

System view

Default Level

3: Management level

Usage Guidelines

Only the terminal configured as the target host of trap messages can receive traps. The NMS is generally configured as the target host of trap messages. Currently, the system supports a maximum of 20 target hosts.

Example

# Set the IP address of the target host to 10.1.1.1, the host name to aaa, and the trap sending parameter list name to abc.

<Huawei> system-view
Enter system view, return user view with Ctrl+Z.
[Huawei] snmp-agent target-host trap-hostname aaa address 10.1.1.1 trap-paramsname abc

snmp-agent target-host trap-paramsname

Function

The snmp-agent target-host trap-paramsname command configures parameters for sending trap messages. The trap sending parameter list is composed of these parameters.

The undo snmp-agent target-host trap-paramsname command deletes a trap sending parameter list.

Format

snmp-agent target-host trap-paramsname paramsname { { v1 | v2c } securityname securityname | v3 securityname securityname { authentication | noauthnopriv | privacy } } [ binding-private-value ] [ private-netmanager ]

undo snmp-agent target-host trap-paramsname paramsname

Parameters

Parameter Description Value
paramsname Specifies the name of a trap sending parameter list. The value is a string of 1 to 32 characters.
v1 Indicates SNMPv1. This parameter specifies SNMPv1 as the trap message sending protocol. -
v2c Indicates SNMPv2c. This parameter specifies SNMPv2c as the trap message sending protocol. -
v3 Indicates SNMPv3. SNMPv3 protocol contains the basic functions of SNMPv1 and SNMPv2 and defines a series of management functions for network security and access control. This parameter specifies SNMPv3 as the trap message sending protocol. -
securityname securityname Indicates the host name in the trap message. When the trap sending protocol is the SNMPv3 protocol, this parameter is the user name in the SNMPv3 group. The value is a string of 1 to 32 characters.
authentication Authenticates but does not encrypt trap messages. When the trap sending protocol is SNMPv3, trap messages are authenticated (by the receiver) but not encrypted (by the sender). -
noauthnopriv Neither authenticates nor encrypts trap messages. When the trap sending protocol is SNMPv3, trap messages are neither authenticated (by the receiver) nor encrypted (by the sender). -
privacy Authenticates and encrypts trap messages. When the trap sending protocol is SNMPv3, trap messages are authenticated (by the receiver) and encrypted (by the sender). -
binding-private-value Indicates that trap messages sent to a target host carry extended bound variables.

If alarm objects defined in public MIBs are extended on a Huawei data communication device, you can use the binding-private-value parameter to determine whether the corresponding trap messages sent from the device to an NMS carry extended bound variables.
  • If the binding-private-value parameter is not specified, the trap message does not carry extended bound variables.

    The binding-private-value parameter is not recommended when the NMS is a third-party NMS. This ensures that the third-party NMS can receive trap messages from Huawei data communication devices.

    By default, a trap message sent from a Huawei data communication device does not carry extended bound variables.

  • If the binding-private-value parameter is specified, the trap message carries extended bound variables.

    The binding-private-value parameter is recommended when the NMS is a Huawei NMS. This allows more abundant information in trap messages.

-
private-netmanager Configures the Huawei NMS as the target host to receive trap messages. After the Huawei NMS is used, the alarm message sent to the Huawei NMS can contain more detailed information, such as the alarm type, alarm ID, and send time of the alarm message. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Currently, the system supports a maximum of 20 trap sending parameter lists.

Example

# Configure the trap sending parameter list: set the list name to aaa, set SNMPv3 as the trap sending protocol, set the host name in the SNMP trap as bbb, and authenticate but do not encrypt the trap messages.

<Huawei> system-view
Enter system view, return user view with Ctrl+Z.
[Huawei] snmp-agent target-host trap-paramsname aaa v3 securityname bbb authentication

snmp-agent trap disable

Function

The snmp-agent trap disable command disables the trap function for all features.

The undo snmp-agent trap disable command restores the trap function for all features to the default status.

To view the default status of the trap function for all features, run the display snmp-agent trap all command.

Format

snmp-agent trap disable

undo snmp-agent trap disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

To enable the trap function for all modules, run the snmp-agent trap enable command. To enable the trap function for a specified module, run the snmp-agent trap enable feature-name command.
  • To disable the trap function for all modules, run the snmp-agent trap disable command.

  • To restore the trap function for all features to the default status, run the undo snmp-agent trap disable or undo snmp-agent trap enable command.

NOTE:

To disable the trap function for a specified module, run the undo snmp-agent trap enable feature-name command.

Example

# Disable the trap function for all features.

<Huawei> system-view
[Huawei] snmp-agent trap disable

snmp-agent trap enable

Function

The snmp-agent trap enable command enables the industrial switch router to send traps.

The undo snmp-agent trap enable command restores the default setting.

The default configuration of the snmp-agent trap enable command can be checked by the display snmp-agent trap all command.

Format

snmp-agent trap enable

undo snmp-agent trap enable

Parameters

None.

Views

System view

Default Level

3: Management level

Usage Guidelines

To enable the trap function for all modules, run the snmp-agent trap enable command.

Example

# Enable the industrial switch router to send traps.

<Huawei> system-view
[Huawei] snmp-agent trap enable

snmp-agent trap enable feature-name

Function

The snmp-agent trap enable feature-name command enables a specified trap for a specified feature.

The undo snmp-agent trap enable feature-name command disables a specified trap for a specified feature.

The default configuration of the snmp-agent trap enable feature-name command can be checked using the display snmp-agent trap all command.

Format

snmp-agent trap enable feature-name feature-name [ trap-name trap-name ]

undo snmp-agent trap enable feature-name feature-name [ trap-name trap-name ]

Parameters

Parameter Description Value
feature-name Specifies the name of the feature that generates traps. -
trap-name trap-name Specifies the name of a trap. -

Views

System view

Default Level

3: Management level

Usage Guidelines

If trap-name trap-name is not specified, the industrial switch router enables all traps about a specified feature after the snmp-agent trap enable feature-name feature-name command is used.

You can run the display snmp-agent trap all command to check the configuration result.

Example

# Enable the industrial switch router to send the vrrptrapauthfailure trap about VRRP to the NMS.

<Huawei> system-view
[Huawei] snmp-agent trap enable feature-name vrrp trap-name vrrptrapauthfailure

snmp-agent trap enable feature-name snmp

Function

The snmp-agent trap enable feature-name snmp command enables an SNMP trap.

The undo snmp-agent trap enable feature-name snmp command disables an SNMP trap.

By default, the coldStart and warmStart traps are enabled and the authenticationFailure trap is disabled.

Format

snmp-agent trap enable feature-name snmp [ trap-name trap-name ]

undo snmp-agent trap enable feature-name snmp [ trap-name trap-name ]

Parameters

Parameter Description Value
trap-name trap-name Specifies the name of a trap.
The traps are as follows:
  • authenticationFailure
  • coldstart
  • warmstart

Views

System view

Default Level

3: Management level

Usage Guidelines

The snmp-agent trap enable feature-name snmp command is used to enable an SNMP trap. After that, traps generated while the device is running are sent to the NMS. At present, the following SNMP traps are supported:
  • coldStart: This trap is generated when the device is powered off and restarted.
  • warmStart: This trap is generated when the status of the SNMP agent changes from disabled to enabled.
  • authenticationFailure: This trap is generated when a user uses an incorrect community name and is unable to log in to the device.

You can run the display snmp-agent trap feature-name snmp all command to check the configuration result.

Example

# Enable the SNMP authenticationFailure trap.

<Huawei> system-view
[Huawei] snmp-agent trap enable feature-name snmp trap-name authenticationFailure

snmp-agent trap life

Function

The snmp-agent trap life command sets the lifetime of trap messages. When the lifetime expires, the trap messages are discarded.

The undo snmp-agent trap life command cancels the current settings.

By default, the lifetime of trap messages is 120 seconds.

Format

snmp-agent trap life seconds

undo snmp-agent trap life

Parameters

Parameter Description Value
seconds Specifies the lifetime of trap messages. The value is an integer that ranges from 1 to 2592000, in seconds. The default value is 120.

Views

System view

Default Level

3: Management level

Usage Guidelines

When the lifetime expires, the trap messages are discarded.

Example

# Set the lifetime of trap messages to 60 seconds.

<Huawei> system-view
[Huawei] snmp-agent trap life 60

snmp-agent trap queue-size

Function

The snmp-agent trap queue-size command sets the queue length of the trap messages sent to a target host.

The undo snmp-agent trap queue-size command cancels the current settings.

The default value is 100.

Format

snmp-agent trap queue-size size

undo snmp-agent trap queue-size

Parameters

Parameter Description Value
size Specifies the queue length of trap messages. The value is an integer that ranges from 1 to 1000. The default value is 100.

Views

System view

Default Level

3: Management level

Usage Guidelines

When a large number of trap messages need to be sent in a certain period of time, packets will be lost if the queue length of trap messages is insufficient. The queue length can be adjusted to reduce the packet loss ratio.

When the lifetime of trap messages is long, the queue length of trap messages needs to be lengthened. If the queue length is not lengthened, packet loss will occur.

Example

# Set the queue length of the trap messages sent to the target host to 200.

<Huawei> system-view
[Huawei] snmp-agent trap queue-size 200

snmp-agent trap source

Function

The snmp-agent trap source command sets the source interface from which traps are sent.

The undo snmp-agent trap source command removes the set source interface configuration.

By default, no source interface is set.

Format

snmp-agent trap source interface-type interface-number

undo snmp-agent trap source

Parameters

Parameter Description Value
interface-type interface-number Specifies the type and number of the source interface that sends traps. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run the snmp-agent trap source command to specify the type and number of the interface on the device from which traps are sent. The system specifies the IP address of this interface as the source IP address of traps. In this way, the trap source can be identified on the NMS.

Precautions

The source interface that sends traps must have an IP address; otherwise, the commands will fail to take effect. To ensure device security, it is recommended that you set the source IP address to the local loopback address.

The source interface in traps on the device must be the same as the source interface specified on the NM station. Otherwise, the NM station cannot receive traps.

Example

# Specify the IP address of GE0/0/1 as the source address of traps.

<Huawei> system-view
[Huawei] snmp-agent trap source gigabitethernet 0/0/1

snmp-agent usm-user

Function

The snmp-agent usm-user command adds a user to an SNMP user group.

The undo snmp-agent usm-user command deletes a user from an SNMP user group.

By default, the SNMP user group has no users added.

Format

snmp-agent usm-user v3 user-name [ group group-name | acl acl-number ] *

snmp-agent usm-user v3 user-name authentication-mode { md5 | sha }

snmp-agent usm-user v3 user-name privacy-mode { aes128 | des56 }

undo snmp-agent usm-user v3 user-name [ acl | authentication-mode | group | privacy-mode ]

Parameters

Parameter Description Value
v3 Indicates that the SNMP user group uses the SNMPv3 security mode. -
user-name Specifies a user name. The value is a string of 1 to 32 case-sensitive characters without spaces.
group group-name Specifies the name of the SNMP group that the user belongs to. The value is a string of 1 to 32 case-sensitive characters without spaces.
authentication-mode Sets the authentication mode.
NOTE:
Authentication is a process in which the SNMP agent (or the NMS) confirms that the message is received from an authorized NMS (or SNMP agent) and the message is not changed during transmission. RFC 2104 defines Keyed-Hashing for Message Authentication Code (HMAC), an effective tool that uses the security hash function and key to generate the message authentication code. This tool is widely used in the Internet. HMAC used in SNMP includes HMAC-MD5-96 and HMAC-SHA-96. The hash function of HMAC-MD5-96 is MD5 that uses 128-bit authKey to generate the key. The hash function of HMAC-SHA-96 is SHA-1 that uses 160-bit authKey to generate the key.
-
md5 Uses the HMAC MD5 algorithm for user authentication. Two communication parties share a private key. The sending party uses this key to create a message authentication code (MAC), and the receiving party uses this key to calculate the MAC. If the calculated MAC matches the MAC created by the sending party, the authentication succeeds. -
sha Uses the HMAC SHA algorithm for user authentication. The working principle of the HMAC SHA algorithm is similar to that of the HMAC MD5 algorithm. The only difference lies in the methods for generating the MAC.
NOTE:
The calculation speed of the HMAC-MD5-96 algorithm is faster than that of the HMAC-SHA-96 algorithm; the HMAC-SHA-96 algorithm is more secure than the HMAC-MD5-96 algorithm. To ensure high security, please use the HMAC-SHA-96 algorithm.
-
privacy-mode Specifies the authentication with encryption.

The system adopts the cipher block chaining (CBC) code of the data encryption standard (DES) and uses 128-bit privKey to generate the key. The NMS uses the key to calculate the CBC code and then adds the CBC code to the message while the SNMP agent fetches the authentication code through the same key and then obtains the actual information. Like the identification authentication, the encryption requires the NMS and the SNMP agent to share the same key to encrypt and decrypt the message.

NOTE:

When the SNMPv3 module uses DES mode and the password contains repeated strings (for example, test123test123), there is a security risk.

-
aes128 The 128-bit AES encryption algorithm is used to encrypt the PDU of packets. Each user has a key and uses this key to encrypt data using the AES algorithm and sends the encrypted data together with user information to the receiving party. After receiving the data, the receiving party obtains the key from the user information, and calculates the encrypted data based on the AES algorithm to obtain the plain text. -
des56 The 56-bit DES encryption algorithm is used to encrypt the PDU of packets. Each user has a key and uses this key to encrypt data using the DES algorithm and sends the encrypted data together with user information to the receiving party. After receiving the data, the receiving party obtains the key from the user information, and calculates the encrypted data based on the DES algorithm to obtain the plain text. -
acl acl-number Specifies the ACL number. The value is an integer that ranges from 2000 to 2999.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

SNMPv1 and SNMPv2c have serious defects in terms of security. The security authentication mechanism used by SNMPv1 and SNMPv2c is based on the community name. In this mechanism, the community name is transmitted in plain text. You are not advised to use SNMPv1 and SNMPv2c on untrusted networks.

By adopting the user-based security model, SNMPv3 eradicates the security defects in SNMPv1 and SNMPv2c and provides two services, authentication and encryption. The user-based security model defines three security authentication levels: noAuthNoPriv, AuthNoPriv, and AuthPriv.
NOTE:
The security authentication level noAuthPriv does not exist. This is because the generation of a key is based on the authentication information and product information.
Unlike SNMPv1 and SNMPv2c, SNMPv3 can implement access control, identity authentication, and data encryption through the local processing model and user security model. SNMPv3 can provide higher security and confidentiality than SNMPv1 and SNMPv2c. The following table lists the differences between SNMPv1, SNMPv2c, and SNMPv3:
Table 16-14  Comparison in the security of SNMP of different versions
Protocol version User Checksum Encryption Authentication
v1 Adopts the community name. None None
v2c Adopts the community name. None None
v3 Adopts user name-based encryption/decryption. Yes Yes

The snmp-agent group command can be used to configure the authentication, encryption, and access rights for an SNMP group. The snmp-agent group command can be used to configure the rights for users in a specified SNMP group and bind the SNMP group to a MIB view. The MIB view is created through the snmp-agent mib-view command. For details, see the usage guideline of this command. After an SNMP user group is configured, the MIB-view-based access control is configured for the SNMP user group. Users cannot access objects in the MIB view through the SNMP user group. The purpose of adding SNMP users to an SNMP user group is to ensure that SNMP users in an SNMP user group have the same security level and access control list. When you run the snmp-agent usm-user command to configure a user in an SNMP user group, you configure the MIB-view-based access rights for the user. If an SNMP user group is configured with the AuthPriv access rights, you can configure the authentication mode and encryption mode when configuring SNMP users. Note that the authentication keys and encryption passwords configured on the NMS and the SNMP agent should be the same; otherwise, authentication fails.

When the NMS and device are in an insecure network environment, for example, a network prone to attacks, it is recommended that you configure different authentication password and encryption password to improve security.

Configuration Impact

If an SNMP agent is configured with a remote user, the engine ID is required during the authentication. If the engine ID changes after the remote user is configured, the remote user becomes invalid.
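
The HMAC-96 authentication and the engine ID dependency described in this section, worked through in Python as an added example (not Huawei code). It assumes the standard RFC 3414 USM password-to-key and key localization, which this page does not confirm the device uses; the engine IDs, the message and the helper names are constructed for illustration.

```python
import hashlib
import hmac

EXPANDED_LEN = 1_048_576  # RFC 3414 A.2 hashes the password repeated out to 1 MiB

# RFC 3414 A.3 sample engine ID, and a constructed second ID standing in for
# the same agent after its engine ID has been changed.
ENGINE_OLD = bytes.fromhex("000000000000000000000002")
ENGINE_NEW = bytes.fromhex("000000000000000000000003")


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Ku: digest of the password repeated cyclically to EXPANDED_LEN octets."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LEN, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key is bound to one SNMP engine."""
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def hmac_96(kul: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC-SHA-96 / HMAC-MD5-96: the HMAC truncated to its first 12 octets.

    On the wire the MAC covers the whole SNMPv3 message with the 12-octet
    authentication field zeroed; here `message` is any byte string.
    """
    return hmac.new(kul, message, hash_name).digest()[:12]


def verify(kul: bytes, message: bytes, mac: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_96(kul, message, hash_name), mac)


def repeated_password_collides(unit: bytes, times: int = 2) -> bool:
    """True if `unit` and `unit * times` derive the same Ku."""
    return password_to_key(unit) == password_to_key(unit * times)


if __name__ == "__main__":
    msg = b"constructed trap payload"  # constructed sample, not a BER message
    agent_key = localized_key(b"maplesyrup", ENGINE_OLD)
    mac = hmac_96(agent_key, msg)
    print("MAC accepted with matching key:", verify(agent_key, msg, mac))
    stale_key = localized_key(b"maplesyrup", ENGINE_NEW)
    print("MAC accepted after engine ID change:", verify(stale_key, msg, mac))
    print("test123 and test123test123 share a key:",
          repeated_password_collides(b"test123"))
```

Because the password is expanded by repetition before hashing, a password built from a repeated string derives the same key as the shorter string, so its extra length adds no strength under this derivation.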

Precautions

The user security level must be higher than or equal to the security level of the SNMP user group to which the user is added.

The security level of an SNMP user group can be (in descending order):
  • Level 1: privacy (authentication and encryption)
  • Level 2: authentication (without encryption)
  • Level 3: none (neither authentication nor encryption)

The user security level must be higher than or equal to the user group level. For example, if the security level of an SNMP user group is level 1, the security level of the user that is added to the group must be level 1; if the security level of an SNMP user group is level 2, the security level of the user that is added to the group can be level 1 or level 2.

To add an SNMP user to an SNMP group, ensure that the SNMP user group is valid.

If you run the snmp-agent usm-user command multiple times, only the latest configuration takes effect.

Keep a secure record of your user name and plain-text password when creating the user. The plain-text password is required when the NMS accesses the device.

Note that the MD5 authentication algorithm and the DES56 encryption algorithm cannot ensure security. The SHA and AES128 algorithms are recommended.

Example

# Configure an SNMPv3 user with user name u1, group name g1, authentication mode SHA, authentication password 8937561bc, encryption mode AES128, and encryption password 68283asd.

<Huawei> system-view
[Huawei] snmp-agent usm-user v3 u1 group g1
[Huawei] snmp-agent usm-user v3 u1 authentication-mode sha
Please configure the authentication password (<8-64>)
Enter Password:
Confirm Password:
[Huawei] snmp-agent usm-user v3 u1 privacy-mode aes128
Please configure the privacy password (<8-64>)
Enter Password:
Confirm Password:
[Huawei]
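
A small offline check, added here and not part of the Huawei documentation, that applies this reference's own recommendations (SNMPv3 over v1/v2c, SHA and AES128 over MD5 and DES56, a loopback trap source) to snmp-agent command lines. The audit function, its finding texts and both sample configurations are constructed; it parses only the command forms shown on this page.

```python
import re

PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")  # "[Huawei] " or "<Huawei> "

# Constructed samples written in the command forms documented on this page.
WEAK = """\
[Huawei] snmp-agent sys-info version v2c
[Huawei] snmp-agent target-host trap-paramsname abc v2c securityname public
[Huawei] snmp-agent target-host trap-hostname aaa address 10.1.1.1 trap-paramsname abc
[Huawei] snmp-agent target-host trap-hostname nms2 address 10.1.1.2 trap-paramsname missing
[Huawei] snmp-agent target-host trap-paramsname sec v3 securityname u1 privacy
[Huawei] snmp-agent usm-user v3 u1 group g1
[Huawei] snmp-agent usm-user v3 u1 authentication-mode md5
[Huawei] snmp-agent trap source gigabitethernet 0/0/1
"""
HARDENED = """\
snmp-agent sys-info version v3
snmp-agent target-host trap-paramsname sec v3 securityname u1 privacy
snmp-agent target-host trap-hostname aaa address 10.1.1.1 trap-paramsname sec
snmp-agent usm-user v3 u1 group g1
snmp-agent usm-user v3 u1 authentication-mode sha
snmp-agent usm-user v3 u1 privacy-mode aes128
snmp-agent trap source loopback 0
"""


def audit(config_text: str) -> list[str]:
    """Flag snmp-agent settings that this reference advises against."""
    params, hosts, users, findings = {}, {}, {}, []
    for raw in config_text.splitlines():
        tok = PROMPT.sub("", raw).split()
        if tok[:1] != ["snmp-agent"]:
            continue
        if tok[1:3] == ["sys-info", "version"]:
            for ver in tok[3:]:
                if ver in ("v1", "v2c"):
                    findings.append(f"sys-info version {ver}: no authentication, use v3")
        elif tok[1:3] == ["target-host", "trap-paramsname"] and len(tok) >= 7:
            level = tok[7] if tok[4] == "v3" and len(tok) > 7 else None
            params[tok[3]] = (tok[4], tok[6], level)  # version, securityname, level
        elif tok[1:3] == ["target-host", "trap-hostname"] and "trap-paramsname" in tok[4:-1]:
            hosts[tok[3]] = tok[tok.index("trap-paramsname", 4) + 1]
        elif tok[1:3] == ["usm-user", "v3"] and len(tok) >= 4:
            user = users.setdefault(tok[3], {})
            for key in ("authentication-mode", "privacy-mode"):
                if key in tok[4:-1]:
                    user[key] = tok[tok.index(key, 4) + 1]
        elif tok[1:3] == ["trap", "source"] and len(tok) >= 4:
            if not tok[3].lower().startswith("loopback"):
                findings.append(f"trap source {tok[3]}: loopback interface recommended")

    for name, (version, secname, level) in params.items():
        if version in ("v1", "v2c"):
            findings.append(f"trap-paramsname {name}: {version} traps are unauthenticated")
        elif level == "noauthnopriv":
            findings.append(f"trap-paramsname {name}: v3 without authentication")
        elif level == "authentication":
            findings.append(f"trap-paramsname {name}: authenticated but not encrypted")
        if version == "v3":
            if secname not in users:
                findings.append(f"trap-paramsname {name}: securityname {secname} is not a usm-user")
            elif level == "privacy" and "privacy-mode" not in users[secname]:
                findings.append(f"trap-paramsname {name}: user {secname} has no privacy-mode")
    for host, ref in hosts.items():
        if ref not in params:
            findings.append(f"target-host {host}: trap-paramsname {ref} is not defined")
    for name, user in users.items():
        if user.get("authentication-mode") == "md5":
            findings.append(f"usm-user {name}: authentication-mode md5, use sha")
        if user.get("privacy-mode") == "des56":
            findings.append(f"usm-user {name}: privacy-mode des56, use aes128")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```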

snmp-agent server-source

Function

The snmp-agent server-source command sets the source IP address used by an SNMP server to send packets.

The undo snmp-agent server-source command restores the default source IP address used by an SNMP server to send packets.

By default, the SNMP server uses source IP address 0.0.0.0 to send packets.

Format

snmp-agent server-source { -a [ ipv6 ] source-ip-address | -i [ ipv6 ] interface-type interface-number }

undo snmp-agent [ ipv6 ] server-source

Parameters

Parameter Description Value
ipv6 Specifies that the source IP address used by an SNMP server to send packets is an IPv6 address. -
-a source-ip-address Specifies the source IP address on the local device. A loopback interface address is recommended. -
-i interface-type interface-number Sets the loopback interface on the local device as the source interface. If no loopback interface exists on the device or the loopback interface does not have an IP address, the command fails. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the default source IP address 0.0.0.0 is not changed, the device selects a source IP address according to routing entries to send packets. When an ACL is configured to filter incoming and outgoing packets on a device, the ACL rules are configured based on interface IP addresses, and packet filtering is affected by interface status. You can select a stable interface as the source interface, for example, the loopback interface. Setting the source or destination address in an ACL rule as a stable interface's address can simplify the configurations of ACL rules and security policies. In addition, packet filtering will not be affected by interface IP addresses and interface status, and device security is improved.

Precautions

  • After the source IP address is specified for the SNMP server, the server address you entered when logging in to the server must be the same as that specified in this command; otherwise, you cannot log in to the server.
  • If the SNMP service has been started, running this command will restart the SNMP service.

Example

# Set LoopBack0 as the source interface of an SNMP server.

<Huawei> system-view
[Huawei] snmp-agent server-source -i loopback 0
Info: Succeeded in setting the source interface of the snmp-agent to LoopBack0
Updated: 2019-02-18

Document ID: EDOC1000097293
