Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
SNMP Configuration Commands

clear configuration snmp-agent trap enable

Function

The clear configuration snmp-agent trap enable command deletes alarm configurations related to one function.

Format

clear configuration snmp-agent trap enable feature-name feature-name

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| feature-name feature-name | Deletes configurations of the trap function of a feature. | The value is the name of a feature that has been supported by the device. |

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If you want to delete the alarm configurations related to one feature after the trap function is enabled or disabled for a feature using the snmp-agent trap enable feature-name feature-name [ trap-name trap-name ] command, run the clear configuration snmp-agent trap enable command.

Configuration Impact

  • When the trap function is enabled or disabled globally, running the clear configuration snmp-agent trap enable feature-name feature-name command deletes configurations of the trap function of the feature specified by feature-name and restores the status of the trap function to be the same as that of the global trap function.
  • When the global trap function is in the default state, running the clear configuration snmp-agent trap enable feature-name feature-name command deletes configurations of the trap function of the feature specified by feature-name and restores the status of the trap function to be the default status.

Example

# Delete alarm configurations related to the SNMP feature.

<HUAWEI> system-view
[~HUAWEI] clear configuration snmp-agent trap enable feature-name snmp

display snmp-agent

Function

The display snmp-agent command displays the engine ID of the local or remote SNMP agent.

Format

display snmp-agent local-engineid

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| local-engineid | Displays the engine ID of the local SNMP agent. The engine ID of a local SNMP agent is specified in the snmp-agent local-engineid command. | - |

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the SNMP agent function is enabled, you can run the display snmp-agent local-engineid command to view the engine ID of the local SNMP agent.

The SNMP engine ID uniquely identifies an SNMP agent in a management domain. The SNMP engine ID is an important component of the SNMP agent. It schedules and processes SNMP messages and implements security authentication, access control, and so on.

Prerequisites

Before running the display snmp-agent local-engineid command to view the engine ID of the local SNMP agent, you need to run the snmp-agent command to enable the SNMP agent function.

Precautions

To set an engine ID for the local SNMP agent, you can run the snmp-agent local-engineid command.

Example

# Display the engine ID of the local SNMP agent, with the prerequisite that the SNMP agent function is enabled.
<HUAWEI> display snmp-agent local-engineid
   SNMP local EngineID: 800007DB03360102101100

Table 18-1  Description of the display snmp-agent local-engineid command output

| Item | Description |
| --- | --- |
| SNMP local EngineID | Indicates the engine ID of the local SNMP agent. The engine ID can be specified by the administrator through the snmp-agent local-engineid command or be automatically calculated through an algorithm. |

display snmp-agent community

Function

The display snmp-agent community command displays the configured community name.

Format

display snmp-agent community [ read | write ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| read | Displays the name of a read-only community. The parameter is specified using the snmp-agent community command. | - |
| write | Displays the name of a read-write community. The parameter is specified using the snmp-agent community command. | - |

Views

All views

Default Level

3: Management level

Usage Guidelines

When configuring a management entity, you can use the display snmp-agent community command to check the community name configured on the current agent.

If the parameter read or write is not specified, the names of all communities are displayed.

You have to configure the community name using the snmp-agent community command before you run the display snmp-agent community command.

Example

# Display the current community name.
<HUAWEI> display snmp-agent community
   Community name: %^%#K[&`Jc~_4H-~.>0:m%dK:*7s,{(3i02`R$>&n}+56Pb'@]rd}NT@o4.7RG'8ScPW0=d%O<1oU+7KHS[I%^%#
       Group name: %^%#K[&`Jc~_4H-~.>0:m%dK:*7s,{(3i02`R$>&n}+56Pb'@]rd}NT@o4.7RG'8ScPW0=d%O<1oU+7KHS[I%^%#
       Acl: 2001
       Storage-type: nonVolatile

Table 18-2  Description of the display snmp-agent community command output

| Item | Description |
| --- | --- |
| Community name | Name of a community. |
| Group name | Name of a group. |
| Acl | Number of the ACL configured for the community. This parameter is displayed only when it is specified in the snmp-agent community command. |
| Storage type | Standard type of saving a line to memory. The possible types are as follows: • volatile: Lines are saved in the volatile storage medium and are lost after the device restarts. • nonVolatile: Lines are saved in the nonvolatile storage medium such as Non Volatile Random Access Memory (NVRAM) and can be restored after the device restarts. • permanent: Permanent lines are saved in the nonvolatile storage medium such as Read-only Memory (ROM). They can be modified but cannot be deleted. • readOnly: Readonly lines are saved in the nonvolatile storage medium such as ROM. They cannot be modified or deleted. • other. NOTE: At present, only nonVolatile is available. |

display snmp-agent extend error-code status

Function

The display snmp-agent extend error-code status command allows you to check whether the function of sending extended error codes to the NMS is enabled on the device.

Format

display snmp-agent extend error-code status

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

If the NMS does not receive the extended error codes sent from the device, you can run the display snmp-agent extend error-code status command to check whether the function of sending extended error codes is enabled on the device.

Example

# Display whether the function of sending extended error codes is enabled on the device.

<HUAWEI> display snmp-agent extend error-code status
Extend error-code status: enabled

Table 18-3  Description of the display snmp-agent extend error-code status command output

| Item | Description |
| --- | --- |
| Extend error-code status | Whether the function of sending extended error codes is enabled. • enabled: The function of sending extended error codes is enabled. • disabled: The function of sending extended error codes is disabled. |

display snmp-agent group

Function

The display snmp-agent group command displays information about an SNMP agent group.

Format

display snmp-agent group [ group-name ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| group-name | Displays the name of an SNMP agent group. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When configuring a management object according to the SNMPv3 group information, you can run the display snmp-agent group command to view information about the SNMP agent group.

If the command contains no parameter, information about all groups is displayed, such as the group name, security model, and storage type.

Precautions

You can run the display snmp-agent group command to view information about an SNMP agent group only after the SNMP agent group is created through the snmp-agent group command.

Example

# Display the name and security model of an SNMP agent group.
<HUAWEI> display snmp-agent group
   Group name: mygroup
       Security model: USM noAuthnoPriv
       Readview: ViewDefault
       Writeview: <no specified>
       Notifyview :<no specified>
       Storage-type: nonVolatile
       Acl:2000

Table 18-4  Description of the display snmp-agent group command output

| Item | Description |
| --- | --- |
| Group name | Indicates the name of an SNMP agent group. |
| Security model | Indicates the security model of the group. • USM noAuthnoPriv: SNMP messages are not authenticated or encrypted. • USM AuthnoPriv: authenticates SNMP messages without encryption. • USM AuthPriv: authenticates and encrypts SNMP messages. |
| Readview | Indicates the view of the read-only MIB of the group. This parameter can be set using the snmp-agent group command. |
| Writeview | Indicates the view of the read-write MIB of the group. This parameter can be set using the snmp-agent group command. |
| Notifyview | Indicates the view of the notify MIB of the group. This parameter can be set using the snmp-agent group command. |
| Storage-type | Indicates the standard type of saving a row to memory. The possible types are as follows: • other. • volatile: indicates that a row is saved to volatile memory. The row will be lost once the device is restarted. If the storage type of a line is set to volatile, you cannot change it to permanent or readOnly. • nonVolatile: indicates that a row is saved to nonvolatile memory, such as Non Volatile Random Access Memory (NVRAM). The row can be restored after the device is restarted. If the storage type of a line is set to nonVolatile, you cannot change it to permanent or readOnly. • permanent: indicates that a permanent row is saved to nonvolatile memory, such as Read-only Memory (ROM). If the storage type of a line is permanent, you cannot change it to other storage types. • readOnly: indicates that a read-only row is saved to nonvolatile memory, such as ROM. If the storage type of a line is readOnly, you cannot change it to other storage types. In addition, you cannot delete the line. NOTE: At present, only nonVolatile is available. |
| Acl | Indicates the number of the ACL configured for the group. |


display snmp-agent local-user

Function

The display snmp-agent local-user command displays information about SNMPv3 local users.

Format

display snmp-agent local-user [ username user-name ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| username user-name | Specifies the SNMPv3 local user name. If no user name is specified, information about all SNMPv3 local users is displayed. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |

Views

All views

Default Level

3: Management level

Usage Guidelines

This command displays information about configured SNMPv3 local users, including user names, local engine IDs, authentication protocols, encryption protocols, and user status.

Example

# Display information about the user usersnmp.

<HUAWEI> display snmp-agent local-user username usersnmp
   User name: usersnmp
       Engine ID: 800007DB03AC948400DF01
       Authentication Protocol: md5
       Privacy Protocol: aes256
       State: Active

Table 18-5  Description of the display snmp-agent local-user command output

| Item | Description |
| --- | --- |
| User name | Name of the local user. To configure the local user name, run local-user password. |
| Engine ID | Engine ID of the local user. To configure the local user engine ID, run snmp-agent local-engineid. |
| Authentication Protocol | Authentication protocol of the local user. To configure the authentication protocol, run local-user password. |
| Privacy Protocol | Encryption protocol of the local user. To configure the encryption protocol, run local-user password. |
| State | Status of the local user. |
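
The group and local-user output described above can be reviewed mechanically. The following Python example is added here and is not Huawei code: it parses the two display outputs and reports groups that run without authentication or encryption, groups that have a write view below AuthPriv, groups with no ACL, and users on MD5 authentication. The netops record is constructed for illustration; treating a missing Acl line as "no ACL configured" and MD5 as a legacy algorithm are assumptions of the example.

```python
import re

# Matches "Key: value", "Key :value" and "Key:value"; all three occur in the output.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.*?)\s*$")
UNSET = "<no specified>"   # text the device prints for a view that is not set
WEAK_AUTH = {"md5"}        # assumption of this example: MD5 counts as legacy

# First record: copied from the display snmp-agent group example on this page.
# Second record: constructed for this example (write view set, no Acl line).
GROUP_OUTPUT = """\
<HUAWEI> display snmp-agent group
   Group name: mygroup
       Security model: USM noAuthnoPriv
       Readview: ViewDefault
       Writeview: <no specified>
       Notifyview :<no specified>
       Storage-type: nonVolatile
       Acl:2000

   Group name: netops
       Security model: USM AuthnoPriv
       Readview: ViewDefault
       Writeview: ViewDefault
       Notifyview :<no specified>
       Storage-type: nonVolatile
"""

# Copied from the display snmp-agent local-user example on this page.
USER_OUTPUT = """\
<HUAWEI> display snmp-agent local-user username usersnmp
   User name: usersnmp
       Engine ID: 800007DB03AC948400DF01
       Authentication Protocol: md5
       Privacy Protocol: aes256
       State: Active
"""


def parse_records(text, first_key):
    """Split display output into dicts; a new record starts at first_key."""
    records, current = [], None
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue  # prompt lines, blank lines, "---- More ----"
        key, value = match.group(1).lower(), match.group(2)
        if key == first_key.lower():
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def audit_groups(text):
    """Return (group, finding) pairs for display snmp-agent group output."""
    findings = []
    for group in parse_records(text, "Group name"):
        name = group["group name"]
        words = group.get("security model", "").split()
        level = words[-1].lower() if words else ""   # "USM AuthPriv" -> "authpriv"
        if level == "noauthnopriv":
            findings.append((name, "NOAUTH_NOPRIV"))      # no authentication, no encryption
        elif level == "authnopriv":
            findings.append((name, "AUTH_NOPRIV"))        # authenticated but sent in clear
        if level != "authpriv" and group.get("writeview", UNSET) != UNSET:
            findings.append((name, "WRITE_WITHOUT_PRIV"))  # SetRequest allowed without encryption
        if "acl" not in group:
            findings.append((name, "NO_ACL"))             # no source restriction shown
    return findings


def audit_users(text):
    """Return (user, finding) pairs for display snmp-agent local-user output."""
    findings = []
    for user in parse_records(text, "User name"):
        auth = user.get("authentication protocol", "").lower()
        if auth in WEAK_AUTH:
            findings.append((user["user name"], "WEAK_AUTH:" + auth))
    return findings


if __name__ == "__main__":
    for name, finding in audit_groups(GROUP_OUTPUT) + audit_users(USER_OUTPUT):
        print(f"{name}: {finding}")
```
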


display snmp-agent inform

Function

The display snmp-agent inform command displays parameters configured for all or specified target hosts to send Inform messages.

Format

display snmp-agent inform [ host-name host-name | address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname { security-name | cipher security-name } ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| host-name host-name | Specifies the SNMP target host name. | The SNMP target host name must already exist. |
| address udp-domain ip-address | Specifies the IP address of the target host, with the transmission domain of the target host being based on the User Datagram Protocol (UDP). NOTE: The IP address specified by address and the security name specified by securityname together identify a host. | The value is in dotted decimal notation. |
| vpn-instance vpn-instance-name | Specifies the name of a VPN instance. NOTE: vpn-instance is optional. To run the display snmp-agent inform command on a VPN network, you need to use the VPN instance specified by vpn-instance, IP address, and security name to identify a host. | The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name. |
| params | Indicates information about the target host that generates SNMP messages. | - |
| securityname security-name | Specifies the user security name displayed on the NMS. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
| cipher security-name | Indicates the unencrypted or encrypted string of security name. | The value is a string of 1 to 32, 32, 56, or 56 to 168 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string. • When the community name is a string of 1 to 32 characters, the string is processed as plain text by default and will be encrypted. • When the community name is a string of 32, 56, or 56 to 168 characters, the string is processed as cipher text by default, and the system will determine whether the string can be parsed. |

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The display snmp-agent inform command displays the configuration of sending Inform messages on all target hosts, including:

  • Retransmission times configured on all target hosts
  • Timeout period
  • Maximum number of Inform messages that can be pending in the inform buffer for acknowledgment from NMS
  • Current number of Inform messages pending in the inform buffer waiting for acknowledgment from NMS

The display snmp-agent inform command displays the configuration of sending Inform messages on a specified target host and message statistics, including:

  • Retransmission times configured on the specified target host
  • Timeout period in seconds after which an inform is retransmitted from inform buffer to the NMS.
  • Number of times that an Inform message has been retransmitted
  • Number of Inform messages to be confirmed
  • Number of Inform messages that have been sent
  • Number of Inform messages that are dropped because the inform buffer is full
  • Number of Inform messages that are dropped because no corresponding acknowledgement messages are returned
  • Number of received acknowledgement messages

When you run the display snmp-agent inform command without specifying any parameter, the alarm configuration is displayed in global inform mode, and inform configurations and packet statistics on all hosts are displayed.

Example

# Display the parameters configured for all target hosts to send Inform messages.

<HUAWEI> display snmp-agent inform
Global config: resend-times 3, timeout 15s, pending 39
Global status: current notification count 0
Target-host ID: Host name/VPN instance/IP-Address/Security name
targetHost_1_36305/-/10.2.1.2/%#%#ZIs;~^"<tRx=D1M}P};>j,p_:u2j8Jn(j5A"U{RH%#%#:
    Config: resend-times 3, timeout 15s
    Status: retries 0, pending 0, sent 0, dropped 0, failed 0, confirmed 0

Table 18-6  Description of the display snmp-agent inform command output

| Item | Description |
| --- | --- |
| Global config | Global configuration. The possible types are: • resend-times: Indicates the number of times for retransmitting Inform messages. • timeout: Indicates the set timeout period. • pending: Indicates the maximum number of informs in the trap queue. The global inform parameter can be set using the snmp-agent inform command. |
| Global status | Global packet statistics. |
| Target-host ID | ID of the target host, consisting of the VPN instance name, IP address of the target host, and security name. |
| Config | Configuration of the host where the SNMP agent resides. The possible types are: • resend-times: Indicates the number of times for retransmitting Inform messages. • timeout: Indicates the set timeout period. The inform parameter can be set using the snmp-agent inform address command. |
| Status | Statistics about the Inform messages generated on the host where the SNMP agent resides. The possible types are: • retries: Indicates the number of Inform messages retransmitted to the target host. • pending: Indicates the number of informs waiting in the inform buffer for acknowledgment from NMS. • sent: Indicates the number of Inform messages that are successfully sent. • dropped: Indicates the number of Inform messages that are dropped because the inform buffer is full. • failed: Indicates the number of Inform messages that are not confirmed during the retransmission. • confirmed: Indicates the number of Acknowledgment messages returned from the target host. |

display snmp-agent mib modules

Function

The display snmp-agent mib modules command displays the MIB file information.

Format

display snmp-agent mib modules

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The SNMP MIB resource files can be loaded and unloaded dynamically. The display snmp-agent mib modules command displays the loaded MIB files.

Precautions

Ensure that you have enabled the SNMP agent before you run the display snmp-agent mib modules command.

Example

# Display the loaded MIB file information.

<HUAWEI> display snmp-agent mib modules
BGP4-MIB:
    resource : allmibs_mib.bin
    mib      : bgp4-mib.mib
  ---- More ---- 

Table 18-7  Description of the display snmp-agent mib modules command output

| Item | Description |
| --- | --- |
| BGP4-MIB | MIB module name. |
| Resource | Loaded MIB .bin file name. |
| MIB | MIB file name. |


display snmp-agent mib-view

Function

The display snmp-agent mib-view command displays the current MIB view.

Format

display snmp-agent mib-view [ exclude | include | viewname view-name ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| exclude | Excludes the displayed and set attributes of the SNMP MIB view. | - |
| include | Includes the displayed and set attributes of the SNMP MIB view. | - |
| viewname view-name | Specifies the view to be displayed. This parameter can be set using the snmp-agent mib-view command. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The snmp-agent mib-view command creates or updates a MIB view. To check the default and configured MIB view, you can run the display snmp-agent mib-view command.

By default, the view ViewDefault is adopted.

Precautions

Before running the display snmp-agent mib-view command, ensure that the SNMP agent has been enabled using the snmp-agent command.

Example

# Display the current MIB view.

<HUAWEI> display snmp-agent mib-view
   View name: ViewDefault                                                       
       MIB Subtree: internet                                                    
       Subtree mask: F0(Hex)                                                    
       Storage type: nonVolatile                                                
       View Type: included                                                      
       View status: active                                                      
                                                                                
   View name: ViewDefault                                                       
       MIB Subtree: snmpCommunityMIB                                            
       Subtree mask: FE(Hex)                                                    
       Storage type: nonVolatile                                                
       View Type: excluded                                                      
       View status: active                                                      
                                                                                
   View name: ViewDefault                                                       
       MIB Subtree: snmpUsmMIB                                                  
       Subtree mask: FE(Hex)                                                    
       Storage type: nonVolatile                                                
       View Type: excluded                                                      
       View status: active                                                      
                                                                                
   View name: ViewDefault                                                       
       MIB Subtree: snmpVacmMIB                                                 
       Subtree mask: FE(Hex)                                                    
       Storage type: nonVolatile                                                
       View Type: excluded                                                      
       View status: active 

Table 18-8  Description of the display snmp-agent mib-view command output

| Item | Description |
| --- | --- |
| View name | View name. |
| MIB Subtree | MIB subtree. |
| Subtree mask | Subtree mask. |
| Storage type | Standard type of saving a line to memory. The possible types are as follows: • volatile: Lines are saved in the volatile storage medium and are lost after the device restarts. Objects with storage type volatile cannot be changed to readOnly or permanent. • nonVolatile: Lines are saved in the nonvolatile storage medium such as NVRAM and can be restored after the device restarts. If the storage type of a line is set to nonVolatile (3), you cannot change it to permanent (4) or readOnly (5). • permanent: Permanent lines are saved in the nonvolatile storage medium such as ROM. If the storage type of a line is permanent, you cannot change it to other storage types. • readOnly: Read-only lines are saved in the nonvolatile storage medium such as ROM. If the storage type of a line is readOnly, you cannot change it to other storage types. In addition, you cannot delete the line. • other. NOTE: At present, only nonVolatile is available. |
| View Type | Whether the access to a MIB object is permitted or denied. This parameter can be set using the snmp-agent mib-view command. |
| View status | Indicates the status of the MIB view. |
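
How the MIB Subtree, Subtree mask and View Type fields combine is easiest to see by evaluating them for a given OID. The following Python example is added here and is not Huawei code; it assumes the device applies the standard VACM view rules of RFC 3415 and uses the standard OID assignments for the subtree names in the ViewDefault output above. The IF2_ONLY view is constructed and goes beyond the page's example to show a mask with a cleared bit.

```python
# Standard OID assignments for the subtree names in the ViewDefault output.
NAMED_SUBTREES = {
    "internet": (1, 3, 6, 1),
    "snmpUsmMIB": (1, 3, 6, 1, 6, 3, 15),
    "snmpVacmMIB": (1, 3, 6, 1, 6, 3, 16),
    "snmpCommunityMIB": (1, 3, 6, 1, 6, 3, 18),
}

# ViewDefault as (MIB Subtree, Subtree mask, View Type), transcribed from the
# display snmp-agent mib-view example output on this page.
VIEW_DEFAULT = [
    (NAMED_SUBTREES["internet"], "F0", "included"),
    (NAMED_SUBTREES["snmpCommunityMIB"], "FE", "excluded"),
    (NAMED_SUBTREES["snmpUsmMIB"], "FE", "excluded"),
    (NAMED_SUBTREES["snmpVacmMIB"], "FE", "excluded"),
]

# Constructed view (not from the page): subtree ifEntry.0.2 with mask FFA0.
# The cleared bit at position 10 wildcards the column, so every ifEntry
# column is visible, but only for the row with index 2.
IF2_ONLY = [((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 2), "FFA0", "included")]


def mask_bits(mask_hex, length):
    """Expand a hex mask to one bool per sub-identifier, most significant bit
    first. Positions beyond the end of the mask count as 1 (must match)."""
    bits = [bool(byte & (0x80 >> i)) for byte in bytes.fromhex(mask_hex) for i in range(8)]
    return (bits + [True] * length)[:length]


def family_matches(oid, subtree, mask_hex):
    """An OID belongs to a family if it is at least as long as the subtree and
    agrees with it at every position whose mask bit is 1."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(not bit or a == b for bit, a, b in zip(bits, oid, subtree))


def oid_in_view(oid, families):
    """Among the matching families, the one with the longest subtree decides;
    ties go to the lexicographically greatest subtree. No match means the OID
    is not in the view."""
    matching = [(len(subtree), subtree, view_type)
                for subtree, mask, view_type in families
                if family_matches(oid, subtree, mask)]
    if not matching:
        return False
    return max(matching)[2] == "included"


SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)               # sysDescr.0
USM_USER_TABLE = (1, 3, 6, 1, 6, 3, 15, 1, 2, 2)      # usmUserTable
VACM_ACCESS_TABLE = (1, 3, 6, 1, 6, 3, 16, 1, 4)      # vacmAccessTable
COMMUNITY_TABLE = (1, 3, 6, 1, 6, 3, 18, 1, 1)        # snmpCommunityTable

if __name__ == "__main__":
    for label, oid in [("sysDescr.0", SYS_DESCR), ("usmUserTable", USM_USER_TABLE),
                       ("vacmAccessTable", VACM_ACCESS_TABLE),
                       ("snmpCommunityTable", COMMUNITY_TABLE)]:
        print(label, "visible" if oid_in_view(oid, VIEW_DEFAULT) else "hidden")
```

Under these rules ViewDefault exposes the internet subtree but hides the community, USM user and VACM tables, which hold the agent's own credentials and access-control settings; a view that includes internet without the three excluded families would make them readable.
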


display snmp-agent notification-log

Function

The display snmp-agent notification-log command displays logs in the trap log buffer.

Format

display snmp-agent notification-log [ info | logtime starttime to endtime | size size ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| info | Displays information about the trap log buffer, including the number of global trap logs in the trap log buffer, number of discarded trap logs, aging time of trap logs, limit on the number of trap logs, total number of current trap logs, and flag of the notification logging function. | - |
| starttime | Specifies the start time of trap logs. | The value is in the HH:MM:SS YYYY/MM/DD format, where HH:MM:SS indicates the hour, minute, and second and YYYY/MM/DD indicates the year, month, and day. HH ranges from 0 to 23; MM and SS range from 0 to 59. YYYY ranges from 2000 to 2099; MM ranges from 1 to 12; DD ranges from 1 to 31. |
| endtime | Specifies the end time of trap logs. | The value is in the HH:MM:SS YYYY/MM/DD format, where HH:MM:SS indicates the hour, minute, and second and YYYY/MM/DD indicates the year, month, and day. HH ranges from 0 to 23; MM and SS range from 0 to 59. YYYY ranges from 2000 to 2099; MM ranges from 1 to 12; DD ranges from 1 to 31. |
| size size | Number of latest trap logs to be displayed. | The value is an integer that ranges from 1 to 15000. |

Views

All views

Default Level

3: Management level

Usage Guidelines

You can use any of the following methods to view logs in the trap log buffer:

  • Specify the size size parameter to view the specified number of latest trap logs.

  • Specify logtime starttime to endtime to view the trap logs generated in a specified period.

  • Run the command without any optional parameters so that the system displays all trap logs by default.

Example

# Display trap logs in the trap log buffer.

<HUAWEI> display snmp-agent notification-log info
Notification log information :
Notification Admin Status: enable 
GlobalNotificationsLogged: 0
GlobalNotificationsBumped: 0
GlobalNotificationsLimit: 500
GlobalNotificationsAgeout: 24
Total number of notification log: 0

Table 18-9  Description of the display snmp-agent notification-log info command output

| Item | Description |
| --- | --- |
| Notification Admin Status | Whether the notification logging function is enabled. |
| GlobalNotificationsLogged | Number of global trap logs. |
| GlobalNotificationsBumped | Number of discarded global trap logs. |
| GlobalNotificationsLimit | Limit on the number of trap logs. |
| GlobalNotificationsAgeout | Aging time of trap logs. |
| Total number of notification log | Total number of current trap logs. |

display snmp-agent notify-filter-profile

Function

The display snmp-agent notify-filter-profile command displays information about a specified trap filter profile or all trap filter profiles.

Format

display snmp-agent notify-filter-profile [ profile-name ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| profile-name | Specifies the name of a trap filter profile. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |

Views

All views

Default Level

3: Management level

Usage Guidelines

You can use the display snmp-agent notify-filter-profile command to view information about configured trap filter profiles. The command can display all the configured trap filter profiles or a specified trap filter profile.

Example

# Display information about configured trap filter profiles.
<HUAWEI> display snmp-agent notify-filter-profile
  Notify-filter name:snmpv2   
  Notify-filter Subtree:snmpV2   
  Notify-filter Subtree mask:F8(Hex)   
  Notify-filter Storage-type:nonVolatile   
  Notify-filter Type:included   
  Notify-filter status:active  

Table 18-10  Description of the display snmp-agent notify-filter-profile command output

| Item | Description |
| --- | --- |
| Notify-filter name | Name of a trap filter profile. |
| Notify-filter Subtree | Trap filter subtree. |
| Notify-filter Subtree mask | Mask of the trap filter subtree. |
| Notify-filter Storage-type | Storage mode of the trap filter profile. |
| Notify-filter Type | Whether to filter out the trap object. |
| Notify-filter status | Status of a row. |

display snmp-agent proxy community

Function

The display snmp-agent proxy community command displays SNMP proxy community information.

Format

display snmp-agent proxy community [ community-name | cipher cipher-name ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| community-name | Specifies the name of an SNMP proxy community. The parameter is specified using the snmp-agent proxy community command. | - |
| cipher cipher-name | Specifies SNMP proxy community information in ciphertext. The parameter is specified using the snmp-agent proxy community command. | - |

Views

All views

Default Level

3: Management level

Usage Guidelines

After you run the snmp-agent proxy community command to configure an SNMP proxy community, you can run the display snmp-agent proxy community command to check SNMP proxy community information.

Example

# Display SNMP proxy community information.

<HUAWEI> display snmp-agent proxy community
   Proxy Community name : %@%@wL*(SyY(';*Pvk7I.,9+"QebS>`2A7O,gK8\3{7^0a%,Qee"-k-LV}k:3C1N)c;jvG>.en"Q%@%@
       Remote engine ID : 800007DB03360607111100 active
       Acl              : 2000
       Storage-type     : nonVolatile

Table 18-11  Description of the display snmp-agent proxy community command output

| Item | Description |
| --- | --- |
| Proxy Community name | SNMP proxy community name. You can run the snmp-agent proxy community command to create an SNMP proxy community name. |
| Remote engine ID | Engine ID of the managed device. active indicates that an SNMP proxy community is in the active state. |
| Acl | ACL corresponding to an SNMP proxy community name. If you do not configure an ACL when you run the snmp-agent proxy community command, the Acl field is not displayed. |
| Storage-type | Storage type of the community name in memory. NOTE: Only nonVolatile is supported. nonVolatile indicates that the community name will not be lost after system reboot. |

display snmp-agent proxy rule

Function

The display snmp-agent proxy rule command displays proxy rules for SNMP packets.

Format

display snmp-agent proxy rule [ rule-name ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| rule-name | Specifies the name of the proxy rule for SNMP packets. | The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |

Views

All views

Default Level

3: Management level

Usage Guidelines

After you run the snmp-agent proxy rule command to configure a proxy rule for SNMP packets, you can run the display snmp-agent proxy rule command to check proxy rule information.

Example

# Display proxy rules for SNMP packets.

<HUAWEI> display snmp-agent proxy rule
    Proxy Rule name : proxy_rule_write                                           
       Type             : write                                                 
       Remote engine ID : 800007DB0338EBD9210010                                
       Host name        : proxy_host                                            
       Security name    : snmpv3                                                
       Version          : v3                                                    
       Level            : Privacy       

Table 18-12  Description of the display snmp-agent proxy rule command output

| Item | Description |
| --- | --- |
| Proxy Rule name | Name of a proxy rule for SNMP packets. |
| Type | SNMP packet type: • read: indicates to send GetRequest packets from the NMS to the managed device. • write: indicates to send SetRequest packets from the NMS to the managed device. • trap: indicates to send traps from the managed device to the NMS. • inform: indicates to send informs from the managed device to the NMS. |
| Remote engine ID | Engine ID of the managed device. |
| Host name | Target host name. |
| Security name | Security user. |
| Version | SNMP version number. |
| Level | Security level: • Authentication: authenticates SNMP packets without encryption. • Privacy: authenticates and encrypts SNMP packets. • No authentication and privacy: neither authenticates nor encrypts SNMP packets. |

display snmp-agent proxy statistics

Function

The display snmp-agent proxy statistics command displays statistics about SNMP proxy packets.

Format

display snmp-agent proxy statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

The display snmp-agent proxy statistics command displays statistics about SNMP proxy packets. These statistics provide communication information between the NMS and device, helping you to locate faults.

Example

# Display statistics about SNMP proxy packets.

<HUAWEI> display snmp-agent proxy statistics
 2 Messages delivered to the SNMP proxy
 0 GetResponse-PDU accepted and processed
 3 Trap-PDU accepted and processed
 0 Inform-PDU accepted and processed
 8 GetRequest-PDU accepted and processed
 0 GetNextRequest-PDU accepted and processed
 0 GetBulkRequest-PDU accepted and processed
 0 SetRequest-PDU accepted and processed
 0 Proxy messages are dropped
Table 18-13  Description of the display snmp-agent proxy statistics command output

Item

Description

Messages delivered to the SNMP proxy

Total number of SNMP proxy packets received by the SNMP agent device.

GetResponse-PDU accepted and processed

Total number of GetResponse PDUs received and processed by the middle-point device.

Trap-PDU accepted and processed

Total number of traps received and processed by the middle-point device.

Inform-PDU accepted and processed

Total number of informs received and processed by the middle-point device.

GetRequest-PDU accepted and processed

Total number of GetRequest PDUs received and processed by the middle-point device.

GetNextRequest-PDU accepted and processed

Total number of GetNext PDUs received and processed by the middle-point device.

GetBulkRequest-PDU accepted and processed

Total number of GetBulkRequest PDUs received and processed by the middle-point device.

SetRequest-PDU accepted and processed

Total number of SetRequest PDUs received and processed by the middle-point device.

Proxy messages are dropped

Total number of SNMP proxy packets dropped by the middle-point device.

display snmp-agent proxy target-host

Function

The display snmp-agent proxy target-host command displays target host information on an SNMP proxy.

Format

display snmp-agent proxy target-host [ target-host-name ]

Parameters

Parameter Description Value
target-host-name Specifies the target host name.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

All views

Default Level

3: Management level

Usage Guidelines

After you run the snmp-agent proxy target-host command, you can run the display snmp-agent proxy target-host command to check the configured target host information on the SNMP proxy.

At present, an SNMP proxy supports a maximum of 20 target hosts. Therefore, this command displays information about a maximum of 20 target hosts.

Example

# Display the configured target host information on an SNMP proxy.

<HUAWEI> display snmp-agent proxy target-host
Proxy target host NO. 1
-----------------------------------------------------------
  Host name        : proxy_host@NMS
  IP address       : 10.1.2.1
  Port             : 162
  Timeout          : 15
  Source interface : -
  VPN instance     : -
  Security name    : snmpv3
  Version          : v3
  Level            : Privacy
-----------------------------------------------------------
Table 18-14  Description of the display snmp-agent proxy target-host command output

Item

Description

Proxy target-host NO.

Number of the target host for an SNMP proxy.

Host-name

Name of the target host for an SNMP proxy.

IP-address

IP address of the target host for an SNMP proxy.

Port

Number of the UDP port used by a target host to send SNMP messages.

Timeout

Timeout period for a target host to send a response to an SNMP agent after receiving an inform from the SNMP agent.

Source interface

Source interface of the target host configured on the SNMP proxy.

VPN instance

VPN instance to which a target host belongs.

Security name

Security user.

Version

SNMP version number.

Level

Security level:
  • Authentication: authenticates SNMP packets without encryption.
  • Privacy: authenticates and encrypts SNMP packets.
  • No authentication and privacy: neither authenticates nor encrypts SNMP packets.

display snmp-agent statistics

Function

The display snmp-agent statistics command displays statistics about SNMP messages.

Format

display snmp-agent statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can use the display snmp-agent statistics command to view statistics about SNMP messages and obtain information about the communication between the SNMP agent and the NMS for fault location.

In an SNMP management system, the NMS and the SNMP agent exchange SNMP messages as follows:
  • The NMS acts as a manager to send an SNMP Request message to the SNMP agent.
  • The SNMP agent searches the MIB on the device for the required information and sends an SNMP Response message to the NMS.
  • When the trap triggering conditions are met, the SNMP agent sends a trap to the NMS to report the event occurring on the device. In this manner, the network administrator can process the event occurring on the network in time.
NOTE:

If a large number of messages are received in a short period, a large amount of CPU resources is consumed. The number of received messages depends on the frequency at which the NMS sends Request messages.

Example

# Display the statistics about the SNMP messages.

<HUAWEI> display snmp-agent statistics
 3158 Messages delivered to the SNMP entity
 0 Messages which were for an unsupported version
 0 Messages which used an SNMP community name not known
 0 Messages which represented an illegal operation for the community supplied
 0 ASN.1 or BER errors in the process of decoding
 3152 Messages passed from the SNMP entity
 0 SNMP PDUs which had badValue error status
 0 SNMP PDUs which had genErr error status
 0 SNMP PDUs which had noSuchName error status
 0 SNMP PDUs which had tooBig error status
 3135 MIB objects retrieved successfully
 0 MIB objects altered successfully
 0 GetRequest PDU accepted and processed
 3158 GetNextRequest PDU accepted and processed
 0 GetBulkRequest PDU accepted and processed
 3152 GetResponse PDU sent
 0 SetRequest PDU accepted and processed
 0 Trap PDU sent
 0 Inform PDU sent
 0 Inform PDU received with no acknowledgement
 0 Inform PDU received with acknowledgement
Table 18-15  Description of the display snmp-agent statistics command output

Item

Description

Messages delivered to the SNMP entity

Total number of received SNMP messages.

Messages which were for an unsupported version

Number of messages with incorrect version information.

Messages which used an SNMP community name not known

Number of messages with incorrect community names.

Messages which represented an illegal operation for the community supplied

Number of messages whose community names have incorrect access rights.

ASN.1 or BER errors in the process of decoding

Number of SNMP messages with incorrect codes.

Messages passed from the SNMP entity

Total number of sent SNMP messages.

SNMP PDUs which had a badValue error-status

Number of SNMP messages with badValue errors. A badValue error occurs when data carried in the Set-Request message sent to the SNMP agent is incorrect.

SNMP PDUs which had a genErr error-status

Number of SNMP messages with genErr errors. A genErr error indicates an unknown error.

SNMP PDUs which had a noSuchName error-status

Number of messages with noSuchName errors.

SNMP PDUs which had a tooBig error-status

Number of SNMP messages with a tooBig error. A tooBig error occurs when the length of the received Get Response message exceeds the processing capability of the local device.

MIB objects retrieved successfully

Number of variables requested by the NMS.

MIB objects altered successfully

Number of variables set by the NMS.

GetRequest-PDU accepted and processed

Number of received GetRequest messages.

GetNextRequest-PDU accepted and processed

Number of received GetNextRequest messages.

GetBulkRequest-PDU accepted and processed

Number of received GetBulkRequest messages.

GetResponse-PDU sent

Number of sent GetResponse messages.

SetRequest-PDU accepted and processed

Number of received SetRequest messages.

Trap-PDU accepted and processed

Number of sent traps.

Inform-PDU sent

Number of sent informs.

Inform-PDU received with no acknowledgement

Number of informs without acknowledgement.

Inform-PDU received with acknowledgement

Number of informs with acknowledgement.
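The counters above only become useful for spotting rejected access attempts when two captures are compared. The following added example (not part of the original command reference) parses two captures of the display snmp-agent statistics output and reports the rejection counters that grew; the thresholds, function names and the "after" snapshot values are assumptions made for the example.

```python
import re

# Two constructed snapshots in the layout of the page's example output (only
# the counters used here are kept). The "after" values are invented.
BEFORE = """\
<HUAWEI> display snmp-agent statistics
 3158 Messages delivered to the SNMP entity
 0 Messages which were for an unsupported version
 0 Messages which used an SNMP community name not known
 0 Messages which represented an illegal operation for the community supplied
 0 ASN.1 or BER errors in the process of decoding
"""
AFTER = """\
<HUAWEI> display snmp-agent statistics
 3400 Messages delivered to the SNMP entity
 0 Messages which were for an unsupported version
 120 Messages which used an SNMP community name not known
 2 Messages which represented an illegal operation for the community supplied
 0 ASN.1 or BER errors in the process of decoding
"""

DELIVERED = "Messages delivered to the SNMP entity"
# Counter label -> smallest increase between two snapshots that is reported.
# The thresholds are assumed starting points, not values from the manual.
WATCHED = {
    "Messages which used an SNMP community name not known": 10,
    "Messages which represented an illegal operation for the community supplied": 1,
    "Messages which were for an unsupported version": 10,
    "ASN.1 or BER errors in the process of decoding": 10,
}
COUNTER = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def parse_statistics(text):
    """Map each counter label to its integer value; other lines are ignored."""
    counters = {}
    for line in text.splitlines():
        match = COUNTER.match(line)
        if match:
            counters[match.group(2)] = int(match.group(1))
    return counters


def counter_deltas(before, after):
    """Increase per counter. A value lower than before is treated as a counter
    reset (for example after a reboot), so the new value is the increase."""
    deltas = {}
    for label, now in after.items():
        previous = before.get(label, 0)
        deltas[label] = now - previous if now >= previous else now
    return deltas


def review(before_text, after_text, watched=WATCHED):
    """Return (label, increase, share of delivered messages) for each watched
    counter that grew by at least its threshold between the two snapshots."""
    deltas = counter_deltas(parse_statistics(before_text),
                            parse_statistics(after_text))
    delivered = deltas.get(DELIVERED, 0)
    findings = []
    for label, threshold in watched.items():
        increase = deltas.get(label, 0)
        if increase >= threshold:
            share = round(increase / delivered, 3) if delivered else 0.0
            findings.append((label, increase, share))
    return findings


if __name__ == "__main__":
    for label, increase, share in review(BEFORE, AFTER):
        print("+%d (%.1f%% of delivered): %s" % (increase, share * 100, label))
```

A high share of unknown-community messages from one polling interval to the next points to a misconfigured NMS or to community-name guessing; the ACL and blacklist commands later in this chapter are the corresponding controls.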

display snmp-agent sys-info

Function

The display snmp-agent sys-info command displays the system information of the current SNMP device, including the contact information about the system maintenance, physical location of the device, and SNMP version.

Format

display snmp-agent sys-info [ contact | location | version ] *

Parameters

Parameter Description Value
contact Displays the contact information of the current SNMP device. -
location Displays the physical location information of the current SNMP device. -
version Displays the SNMP version running in the current system. -

Views

All views

Default Level

3: Management level

Usage Guidelines

You can use the display snmp-agent sys-info command to check the system maintenance information of the current SNMP device. The information includes:
  • Contact information of the device administrator
  • Physical location of the device
  • SNMP version

If the parameter is not specified, all information is displayed.

The snmp-agent sys-info command can be used to set the output of the display snmp-agent sys-info command.

Example

# Display the system information of the SNMP agent.

<HUAWEI> display snmp-agent sys-info
  The contact person for this managed node:
           R&D Beijing, Huawei Technologies co.,Ltd.
   The physical location of this node:
           Beijing China
   SNMP version running in the system:
           SNMPv2c

# Display the SNMP version running in the current system.

<HUAWEI> display snmp-agent sys-info version
   SNMP version running in the system:
           SNMPv2c

# Display the contact information of the current SNMP device.

<HUAWEI> display snmp-agent sys-info contact
  The contact person for this managed node:
           R&D Beijing, Huawei Technologies co.,Ltd.

# Display the physical location information of the current SNMP device.

<HUAWEI> display snmp-agent sys-info location
  The physical location of this node:
           Beijing China
Table 18-16  Description of the display snmp-agent sys-info command output

Item

Description

The contact person for this managed node:

Contact person of the managed device. By specifying this parameter, you can store important information on the router for convenient query.

The physical location of this node:

Location of the managed device.

SNMP version running in the system:

SNMP version running in the current system. The value can be:
  • SNMPv1
  • SNMPv2c
  • SNMPv3

display snmp-agent target-host

Function

The display snmp-agent target-host command displays information about all destination hosts, including the IP address of each destination host, VPN instance name, modes of sending traps, the security name used to send traps, protocol version, and security level.

Format

display snmp-agent target-host

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can use the display snmp-agent target-host command to view the configurations of all destination hosts. At present, the system can save the configurations of a maximum of 20 destination hosts. Therefore, the display snmp-agent target-host command displays the configurations of a maximum of 20 destination hosts.

Example

# Display the configurations of all destination hosts in the system.

<HUAWEI> display snmp-agent target-host
Target host NO. 1
---------------------------------------------------------------------------
  Host name                        : NMS2
  IP address                       : 10.1.1.2
  Source interface                 : -
  VPN instance                     : -
  Security name                    : %^%#.&h-$,1jCK-Vsk)}iAO'4oHASwPgq<2i^,6m7~IB%^%#
  Port                             : 162
  Type                             : trap
  Version                          : v1
  Level                            : No authentication and privacy
  NMS type                         : NMS
  With ext vb                      : No
  Notification filter profile name : -
  Heart beat required              : No    
---------------------------------------------------------------------------
Table 18-17  Description of the display snmp-agent target-host command output

Item

Description

Target-host NO

Index of a destination host.

Host-name

Name of a destination host.

IP-address

IP address of a destination host.

Source interface

Source IP address of the NMS.

VPN instance

VPN instance name.

Security name

Security user name.

Port

Number of the UDP port through which SNMP Request messages are sent. By default, the port number is 162.

Type

Type of SNMP notification. The value can be trap or inform.
  • Trap: SNMP notifications are sent in the form of traps.
  • Inform: SNMP notifications are sent in the form of Inform messages.

Version

SNMP version. It can be v1, v2c or v3.

Level

Security levels defined in the security mechanism.
  • Authentication: Messages are authenticated rather than encrypted.
  • Privacy: Messages are authenticated and encrypted.
  • No authentication and privacy: Messages are neither authenticated nor encrypted.

NMS type

Type of host NMS. The following are the types of NMS.

  • NMS: indicates the network management system, which can be a Huawei NMS or other vendors' NMS.
  • HW NMS: indicates the Huawei NMS. The trap sent to the HW NMS contains detailed information.

With ext-vb

Whether to carry extended proprietary VB in the traps sent to the device. The value can be:
  • No: The extended proprietary VB is not carried.
  • Yes: The extended proprietary VB is carried.

Notification filter profile name

Alarm filtering rule name.
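The Version and Level fields described above decide whether notifications leave the device protected. The following added example (not part of the original command reference) parses the display snmp-agent target-host output and lists every target that is not SNMPv3 with Level Privacy; it also accepts the "Proxy target host NO." layout of display snmp-agent proxy target-host. The function names, host NMS3 and the placeholder ciphertext are assumptions made for the example.

```python
import re

# Constructed sample in the layout of the page's example output. Host NMS3 and
# all of its values are invented; the ciphertext is a placeholder.
SAMPLE = """\
<HUAWEI> display snmp-agent target-host
Target host NO. 1
---------------------------------------------------------------------------
  Host name                        : NMS2
  IP address                       : 10.1.1.2
  Source interface                 : -
  VPN instance                     : -
  Security name                    : %^%#constructed-ciphertext%^%#
  Port                             : 162
  Type                             : trap
  Version                          : v1
  Level                            : No authentication and privacy
  NMS type                         : NMS
  With ext vb                      : No
  Notification filter profile name : -
  Heart beat required              : No
---------------------------------------------------------------------------
Target host NO. 2
---------------------------------------------------------------------------
  Host name                        : NMS3
  IP address                       : 10.1.1.3
  Source interface                 : -
  VPN instance                     : -
  Security name                    : %^%#constructed-ciphertext%^%#
  Port                             : 162
  Type                             : inform
  Version                          : v3
  Level                            : Authentication
  NMS type                         : NMS
  With ext vb                      : No
  Notification filter profile name : -
  Heart beat required              : No
---------------------------------------------------------------------------
"""

# "Target host NO. 1" and the proxy variant "Proxy target host NO. 1".
HEADER = re.compile(r"^\s*(?:Proxy\s+)?Target host NO\.\s*(\d+)\s*$", re.IGNORECASE)
# Split on the first colon only, so values that contain ':' survive intact.
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_target_hosts(text):
    """Return one dict per 'Target host NO.' block, keyed by the field labels."""
    hosts, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"index": int(header.group(1))}
            hosts.append(current)
            continue
        stripped = line.strip()
        if current is None or not stripped or set(stripped) == {"-"}:
            continue  # prompt line, blank line or dashed separator
        field = FIELD.match(line)
        if field:
            current[field.group(1)] = field.group(2)
    return hosts


def audit_target_hosts(hosts):
    """Return (host name, IP address, issue) for every weakly protected target."""
    findings = []
    for host in hosts:
        name = host.get("Host name", "?")
        address = host.get("IP address", "?")
        version = host.get("Version", "").lower()
        level = host.get("Level", "").lower()
        if version in ("v1", "v2c"):
            issue = "SNMP%s notifications are neither authenticated nor encrypted" % version
        elif level == "no authentication and privacy":
            issue = "v3 target without authentication or encryption"
        elif level == "authentication":
            issue = "v3 target authenticated but not encrypted"
        else:
            continue  # v3 with Level 'Privacy'
        findings.append((name, address, issue))
    return findings


if __name__ == "__main__":
    for finding in audit_target_hosts(parse_target_hosts(SAMPLE)):
        print("%s (%s): %s" % finding)
```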

display snmp-agent trap all

Function

The display snmp-agent trap all command displays the current and default status of all traps in all features.

Format

display snmp-agent trap all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display snmp-agent trap all command to check the current and default status of all traps in all features. You can configure the trap status by running the snmp-agent trap enable, snmp-agent trap enable feature-name, and snmp-agent trap disable commands.

Example

# Check the default status of all traps in all features.

<HUAWEI> display snmp-agent trap all 
-------------------------------------------------------------------------------  
Feature name: AAA                                                               
Trap number : 2                                                                 
------------------------------------------------------------------------------  
Trap name                      Default switch status   Current switch status    
hwAdminLoginFailed             on                      on                       
hwAdminLoginFailedClear        on                      on                       
------------------------------------------------------------------------------  
Feature name: LCS                                                               
Trap number : 6                                                                 
------------------------------------------------------------------------------  
Trap name                      Default switch status   Current switch status    
hwGtlDefaultValue              on                      on                       
hwGtlDefaultValueCleared       on                      on                       
hwGtlItemMismatch              on                      on                       
hwGtlItemMismatchCleared       on                      on                       
hwGtlNearDeadline              on                      on                       
hwGtlNearDeadlineCleared       on                      on                       
------------------------------------------------------------------------------  
  ---- More ---- 
Table 18-18  Description of the display snmp-agent trap all command output

Item

Description

Feature name

Module name.

Trap number

Number of traps corresponding to a module.

Trap name

Trap name.

Current switch status

Current enabling or disabling status of a trap.

This status can be configured using the snmp-agent trap enable feature-name command.

Default switch status

Default enabling or disabling status of a trap.

display snmp-agent trap feature-name all

Function

The display snmp-agent trap feature-name all command displays whether the router is enabled to send alarms of specified features to the NM station.

Format

display snmp-agent trap feature-name feature-name all

Parameters

Parameter Description Value
feature-name Specifies the feature that generates alarms. -

Views

All views

Default Level

3: Management level

Usage Guidelines

After the router is enabled to send alarms to the NM station, you can run the display snmp-agent trap feature-name all command to check whether the alarm function is enabled for specified features. You can use the snmp-agent trap enable feature-name command to enable the alarm function of specified features.

Example

# Display the status of the RMON alarms.

<HUAWEI> display snmp-agent trap feature-name rmon all
------------------------------------------------------------------------------  
Feature name: RMON                                                              
Trap number : 2                                                                 
------------------------------------------------------------------------------  
Trap name                      Default switch status   Current switch status    
fallingAlarm                   on                      on                       
risingAlarm                    on                      on    
Table 18-19  Description of the display snmp-agent trap feature-name all command output

Item

Description

Feature name

Name of the feature that generates alarms.

Trap number

Number of alarms generated by this feature.

Trap name

Name of the alarm.

Default switch status

Status of the default trap switch:
  • on: The trap function is enabled.
  • off: The trap function is disabled.

Current switch status

Status of the current trap switch:
  • on: The trap function is enabled.
  • off: The trap function is disabled.

This status can be configured using the snmp-agent trap enable feature-name command.

display snmp-agent trap feature-name snmp all

Function

The display snmp-agent trap feature-name snmp all command displays whether all SNMP traps are enabled.

Format

display snmp-agent trap feature-name snmp all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display snmp-agent trap feature-name snmp all command to check the status of all SNMP traps. This status can be configured using the snmp-agent trap enable feature-name snmp command.

Example

# View whether all SNMP traps are enabled.

<HUAWEI>display snmp-agent trap feature-name snmp all
------------------------------------------------------------------------------
Feature name: SNMP
Trap number : 4
------------------------------------------------------------------------------
Trap name                      Default switch status   Current switch status
authenticationFailure          off                     off
coldStart                      on                      on
hwNmsHeartBeat                 off                     on
hwNmsPingTrap                  off                     off
warmStart                      on                      on
Table 18-20  Description of the display snmp-agent trap feature-name snmp all command output

Item

Description

Feature name

Name of the module where the trap is generated

Trap number

Number of traps.

Trap name

Name of the trap, including:
  • authenticationFailure: This trap is generated when a user uses an incorrect community name and is unable to log in to the device.
  • coldStart: This trap is generated when the device is powered off and restarted.
  • hwNmsHeartBeat: This trap is generated when a heartbeat packet is successfully sent.
  • hwNmsPingTrap: This trap is generated when the device successfully connects to the NMS.
  • warmStart: This trap is generated when the status of SNMP agent is changed from disable to enable.

Default switch status

Default status of a trap

  • on: The trap function is enabled.
  • off: The trap function is disabled.

Current switch status

Current status of a trap

  • on: The trap function is enabled.
  • off: The trap function is disabled.

This status can be configured using the snmp-agent trap enable feature-name snmp command.
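The trap tables printed by display snmp-agent trap all and display snmp-agent trap feature-name share one layout, so a single parser can check them for configuration drift. The following added example (not part of the original command reference) reports traps whose current status differs from the default, watched traps that are off, and features whose declared trap count does not match the rows captured. The watch list and function names are assumptions made for the example.

```python
import re

# Constructed capture that joins two blocks from the page's example outputs
# (AAA from "trap all", SNMP from "trap feature-name snmp all").
SAMPLE = """\
<HUAWEI> display snmp-agent trap all
------------------------------------------------------------------------------
Feature name: AAA
Trap number : 2
------------------------------------------------------------------------------
Trap name                      Default switch status   Current switch status
hwAdminLoginFailed             on                      on
hwAdminLoginFailedClear        on                      on
------------------------------------------------------------------------------
Feature name: SNMP
Trap number : 4
------------------------------------------------------------------------------
Trap name                      Default switch status   Current switch status
authenticationFailure          off                     off
coldStart                      on                      on
hwNmsHeartBeat                 off                     on
hwNmsPingTrap                  off                     off
warmStart                      on                      on
  ---- More ----
"""

FEATURE = re.compile(r"^Feature name\s*:\s*(\S+)$")
DECLARED = re.compile(r"^Trap number\s*:\s*(\d+)$")
ROW = re.compile(r"^(\S+)\s+(on|off)\s+(on|off)$")
# Traps to keep enabled; this watch list is an assumption made for the example.
WATCHLIST = ("authenticationFailure", "hwAdminLoginFailed")


def parse_traps(text):
    """Return (rows, declared): rows are (feature, trap, default, current)
    tuples, declared maps each feature to its 'Trap number' header value."""
    rows, declared, feature = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = FEATURE.match(line)
        if match:
            feature = match.group(1)
            continue
        match = DECLARED.match(line)
        if match and feature is not None:
            declared[feature] = int(match.group(1))
            continue
        match = ROW.match(line)
        if match and feature is not None:
            rows.append((feature,) + match.groups())
        # Separators, the column header, prompts and "---- More ----" are skipped.
    return rows, declared


def drifted(rows):
    """Traps whose current status no longer matches the default status."""
    return [row for row in rows if row[2] != row[3]]


def watched_but_off(rows, watchlist=WATCHLIST):
    """(feature, trap) pairs on the watch list that are currently off."""
    return [(feature, trap) for feature, trap, _default, current in rows
            if trap in watchlist and current == "off"]


def count_mismatches(rows, declared):
    """Features whose header count differs from the rows captured, as happens
    when paging cuts a capture short. Returns {feature: (declared, seen)}."""
    seen = {}
    for feature, *_rest in rows:
        seen[feature] = seen.get(feature, 0) + 1
    return {feature: (number, seen.get(feature, 0))
            for feature, number in declared.items()
            if number != seen.get(feature, 0)}


if __name__ == "__main__":
    parsed_rows, header_counts = parse_traps(SAMPLE)
    print("drifted:", drifted(parsed_rows))
    print("watched but off:", watched_but_off(parsed_rows))
    print("count mismatches:", count_mismatches(parsed_rows, header_counts))
```

On the sample, the SNMP block is reported as a count mismatch because its header says 4 while five trap rows follow, exactly as in the page's own example output.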

display snmp-agent usm-user

Function

The display snmp-agent usm-user command displays information about an SNMPv3 user.

Format

display snmp-agent usm-user [ engineid engineid | group group-name | username user-name ] *

Parameters

Parameter Description Value
engineid engineid

Displays information about an SNMPv3 user with a specified engine ID.

This parameter is specified using the snmp-agent local-engineid command.

-
group group-name

Displays the SNMPv3 user belonging to a specified group.

This parameter is specified using the snmp-agent group command.

-
username user-name

Displays information about a specified SNMPv3 user.

This parameter is specified using the snmp-agent usm-user command.

-

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To view the configured SNMP user information, run the display snmp-agent usm-user command. The SNMPv3 user here refers to the remote user that carries out SNMPv3 management.

The displayed information about an SNMPv3 user includes:
  • User name.
  • Local engine ID of the user. The SNMPv3 engine ID uniquely identifies an SNMPv3 agent in a management domain. The SNMPv3 engine ID is an important component of the SNMPv3 agent. It schedules and processes SNMPv3 messages, and implements security authentication and access control.

Precautions

The display snmp-agent usm-user command is applicable only to SNMPv3 users.

Example

# Display information about all current SNMPv3 users.

<HUAWEI> display snmp-agent usm-user
   User name: myuser
       Engine ID: 800007DB03360102101100 active
       Authentication Protocol: sha
       Privacy Protocol: aes256
       Group name: mygroup
       State: Active   
Table 18-21  Description of the display snmp-agent usm-user command output

Item

Description

User name

A string used to identify an SNMPv3 user.

Engine ID

Engine ID of an SNMPv3-enabled device. This parameter is specified using the snmp-agent local-engineid command.

active

Status of an SNMPv3 user.

Authentication Protocol

Type of the authentication protocol.

Privacy Protocol

Type of the privacy protocol.

Group name

Name of the SNMPv3 group.

User status

Status of the SNMPv3 user:
  • active
  • inactive

display snmp-agent vacmgroup

Function

The display snmp-agent vacmgroup command displays all the configured View-based Access Control Model (VACM) groups.

Format

display snmp-agent vacmgroup

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After adding User-based Security Model (USM) users to groups, you can run the display snmp-agent vacmgroup command to view information about the groups to which the users belong.

Precautions

You can run the display snmp-agent vacmgroup command to view information about an SNMP agent group only after the SNMP agent group and users are created using the snmp-agent group v3 and snmp-agent usm-user v3 commands.

Example

# Display the configured VACM groups.

<HUAWEI> display snmp-agent vacmgroup
--------------------------------------------------                              
Security name  : u1                                                             
Group name     : g1                                                             
Security model : USM                                                            
                                                                                
Security name  : rmuser                                                         
Group name     : rmgroup                                                        
Security model : USM                                                            
--------------------------------------------------   
Table 18-22  Description of the display snmp-agent vacmgroup command output

Item

Description

Security name

Security name of the VACM group.

Group name

Name of the VACM group.

Security model

Security model of the VACM group.

enable snmp trap updown

Function

The enable snmp trap updown command enables an interface to send a trap to the NMS when the protocol status of the interface changes.

The undo enable snmp trap updown command disables an interface from sending a trap to the NMS when the protocol status of the interface changes.

By default, an interface sends a Trap message to the NMS when the protocol status of the interface changes.

Format

enable snmp trap updown

undo enable snmp trap updown

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The enable snmp trap updown command is used to enable an interface to send a Trap message to the NMS when the protocol status of the interface changes, which helps the NMS monitor the interface status in real time.

Precautions

By default, the function of sending a Trap message to the NMS when the protocol status of the interface changes is enabled. If an interface alternates between Up and Down, it will frequently send Trap messages to the NMS, causing the NMS to be busy processing these Trap messages. In this case, you can run the undo enable snmp trap updown command to disable the interface from sending trap messages to the NMS.

Example

# Disable an interface from sending a trap to the NMS when the protocol status of the interface changes.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo enable snmp trap updown

snmp-agent

Function

The snmp-agent command enables the SNMP agent function.

The undo snmp-agent command disables the SNMP agent function.

By default, the SNMP agent function is disabled.

Format

snmp-agent

undo snmp-agent

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Before configuring SNMP, you need to enable the SNMP agent function.

Executing the snmp-agent command with any parameter enables the SNMP agent function. For example, if you execute the snmp-agent community command, the community name is created and the SNMP agent function is also enabled.

Precautions

The undo snmp-agent command disables the SNMP Agent function, but it cannot delete the SNMP configurations. If you run the snmp-agent command after undo snmp-agent, you can see that the SNMP configurations still exist. To delete an SNMP configuration permanently, run the undo command with corresponding parameters.

Example

# Enable the SNMP agent function.

<HUAWEI> system-view
[~HUAWEI] snmp-agent

# Disable the SNMP agent function.

<HUAWEI> system-view
[~HUAWEI] undo snmp-agent

snmp-agent acl

Function

The snmp-agent acl command configures the ACL at SNMP protocol level.

The undo snmp-agent acl command cancels the ACL configuration at SNMP protocol level.

By default, no ACL is configured at SNMP protocol level.

Format

snmp-agent acl { acl-number | acl-name }

undo snmp-agent acl

Parameters

Parameter Description Value
acl-number Specifies the basic ACL number.

The value is an integer that ranges from 2000 to 3999.

acl-name Specifies the ACL name. The value is a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter (case-sensitive).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

For security purposes, you can run the snmp-agent acl command to allow only the SNMP users included in the ACL to access devices.

NOTE:
Run the snmp-agent acl command before specifying the ACL for an SNMP community, group, or user.

Configuration Impact

The snmp-agent acl command configuration applies to both IPv4 and IPv6 configuration.

Example

# Set ACL rule 2000.

<HUAWEI> system-view
[~HUAWEI] snmp-agent acl 2000

snmp-agent activate usm-user

Function

The snmp-agent activate usm-user command activates locked users.

By default, a user account is in active state after being created.

Format

snmp-agent activate usm-user user-name [ remote-engineid remote-engineid ]

Parameters

Parameter Description Value
user-name

Specifies the user name.

The value must be an existing user name on the device.

remote-engineid remote-engineid

Specifies the managed device's engine ID to be bound to the SNMP agent rules.

The value is a string of 10 to 64 hexadecimal digits. It cannot be all 0s or all Fs.

Views

User view

Default Level

3: Management level

Usage Guidelines

To defend against malicious attacks to crack user passwords, run the snmp-agent blacklist user-block failed-times command to configure the maximum number of consecutive authentication failures for users. If a user fails to be authenticated for a specified number of consecutive times, the user gets locked and added to the blacklist, and will not be authenticated again. To activate locked users, run the snmp-agent activate usm-user command.

Example

# Activate the locked user named John.

<HUAWEI> snmp-agent activate usm-user John

snmp-agent blacklist ip-block disable

Function

The snmp-agent blacklist ip-block disable command disables the IP address blacklist.

The undo snmp-agent blacklist ip-block disable command enables the IP address blacklist.

By default, the IP address blacklist is enabled.

Format

snmp-agent blacklist ip-block disable

undo snmp-agent blacklist ip-block disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

When an SNMP user fails to connect to the device, the IP address matching the community name or user name used by the user is recorded to the SNMP blacklist and locked. Within the locking period, the user with this IP address cannot connect to the device.

If a blacklisted IP address fails to establish a connection for the first time, the system locks the IP address for 8 seconds. If the connection attempt continuously fails, the locking period increases to 16 seconds and then 32 seconds. When the locking period reaches 32 seconds and the connection attempt still fails, the system locks the IP address for 5 minutes. The IP address is automatically unlocked when the 5-minute locking period expires.

Example

# Disable the IP address blacklist.

<HUAWEI> system-view
[~HUAWEI] snmp-agent blacklist ip-block disable

snmp-agent blacklist user-block disable

Function

The snmp-agent blacklist user-block disable command disables the SNMPv3 user blacklist.

The undo snmp-agent blacklist user-block disable command enables the SNMPv3 user blacklist.

By default, the SNMPv3 user blacklist is enabled.

Format

snmp-agent blacklist user-block disable

undo snmp-agent blacklist user-block disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When an SNMPv3 user consecutively fails in authentication and the number of authentication failures exceeds the limit, the user is added to the blacklist and cannot be authenticated within the locking period. This function effectively prevents malicious attacks on the network.

Precautions

By default, the system locks a user when the user fails in authentication 5 times consecutively within 5 minutes, and the user is locked for 5 minutes.

This command does not affect online SNMPv3 users.

This command is invalid for SNMPv3 AAA local users.

Example

# Disable the SNMPv3 user blacklist.

<HUAWEI> system-view
[~HUAWEI] snmp-agent blacklist user-block disable

snmp-agent blacklist user-block failed-times

Function

The snmp-agent blacklist user-block failed-times command sets the limit of authentication failures and period for SNMPv3 users.

The undo snmp-agent blacklist user-block failed-times command restores the default authentication failure limit and period.

By default, the system locks a user when the user fails in authentication 5 times consecutively within 5 minutes.

Format

snmp-agent blacklist user-block failed-times failed-times period period-time

undo snmp-agent blacklist user-block failed-times

Parameters

Parameter Description Value
failed-times

Specifies the maximum number of consecutive authentication failures.

The value ranges from 0 to 10. The default is 5.

NOTE:

The value 0 indicates that the number of authentication failures is not limited.

period period-time

Specifies the period of consecutive authentication failures.

The value is an integer that ranges from 1 to 120, in minutes. The default is 5.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a network environment is not secure, use the snmp-agent blacklist user-block failed-times command to reduce the limit of consecutive authentication failures and increase the period to prevent attacks. When the number of consecutive authentication failures of an unauthorized user exceeds the limit, the user is added to the blacklist and locked. The user cannot be authenticated in the locking period.

Follow-up Procedure

If an SNMPv3 user is locked due to misoperation, run the snmp-agent activate usm-user command to activate the SNMPv3 user.

Example

# Lock an SNMPv3 user when the user consecutively fails in authentication 3 times within 4 minutes.

<HUAWEI> system-view
[~HUAWEI] snmp-agent blacklist user-block failed-times 3 period 4

snmp-agent blacklist user-block reactive

Function

The snmp-agent blacklist user-block reactive command sets the locking period for SNMPv3 users in the blacklist.

The undo snmp-agent blacklist user-block reactive command restores the default locking period.

By default, an SNMPv3 user is locked for 5 minutes after the user is added to the blacklist.

Format

snmp-agent blacklist user-block reactive reactive-time

undo snmp-agent blacklist user-block reactive

Parameters

Parameter Description Value
reactive-time Specifies the locking time for SNMPv3 users. The value is an integer that ranges from 0 to 1000, in minutes.

Views

System view

Default Level

3: Management level

Usage Guidelines

If a user consecutively fails in authentication and the number of authentication failures exceeds the limit, the user is added to the blacklist and locked for a certain period. The user cannot be authenticated in the locking period. When the locking period expires, the user can be authenticated. This command sets the locking period.

Example

# Set the locking period for SNMPv3 users in the blacklist to 12 minutes.

<HUAWEI> system-view
[~HUAWEI] snmp-agent blacklist user-block reactive 12

snmp-agent community

Function

The snmp-agent community command configures the SNMPv1 or SNMPv2c read-write community name.

The undo snmp-agent community command is used to delete the configuration of the community name.

By default, the community name is not configured.

Format

snmp-agent community { read | write } { community-name | cipher community-name } [ mib-view view-name | acl { acl-number | acl-name } | alias alias-name ] *

undo snmp-agent community community-name

undo snmp-agent community { read | write } { community-name | cipher community-name }

Parameters

Parameter Description Value
read Indicates that the community with a specified name has the read-only rights in the specified view. -
write Indicates that the community with a specified name has the read-write rights in the specified view. -
community-name Specifies the name of a community.

The community name is displayed in cipher text in the configuration file.

The value is a string of 8 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

By default, the complexity check is enabled for a community name. If a community name fails the complexity check, the community name cannot be configured. To disable the complexity check for a community name, run the snmp-agent community complexity-check disable command.
NOTE:

The device has the following requirements for community name complexity:

  • The default minimum length of a community name is eight characters.

  • A community name includes at least two kinds of characters, which can be uppercase letters, lowercase letters, digits, and special characters except question marks (?).

If the complexity check of a community name is disabled by using the snmp-agent community complexity-check disable command, the length of community-name ranges from 1 to 32.

cipher community-name

Specifies the community name in plain text or in cipher text.

The value is a string of 8 to 32, 32, 44, 56, 80, 88, or 88 to 168 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.
  • When the community name is a string of 8 to 32 characters, the string is processed as plain text by default and will be encrypted.
  • When the community name is a string of 32, 44, 56, 80, 88, or 88 to 168 characters, the string is processed as cipher text by default, and the system will determine whether the string can be parsed.
By default, the complexity check is enabled for a community name. If a community name fails the complexity check, the community name cannot be configured. To disable the complexity check for a community name, run the snmp-agent community complexity-check disable command.
NOTE:

The device has the following requirements for community name complexity:

  • The default minimum length of a community name is eight characters.

  • A community name includes at least two kinds of characters, which can be uppercase letters, lowercase letters, digits, and special characters except question marks (?).

If the complexity check of a community name is disabled by using the snmp-agent community complexity-check disable command, the length of cipher community-name is 32, 44, 56, 80, 88, 88 to 168 or ranges from 1 to 32.

mib-view view-name

Specifies a MIB view that the community name can access.

The value must be the name of an existing MIB view. By default, a community name can access the MIB view ViewDefault.

To create a MIB view, run the snmp-agent mib-view command.

acl { acl-number | acl-name }
Specifies the ACL of the community name.
  • acl-number specifies the number of the basic ACL.
  • acl-name specifies the basic ACL name.
  • The value of acl-number is an integer that ranges from 2000 to 2999.
  • The value of acl-name is a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter (case-sensitive).
alias alias-name

Specifies the alias name for a community.

The alias names of communities are stored in plain text in the configuration file.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When running the snmp-agent community command, you can select parameters based on the networking requirements.
  • To grant the NMS read-only permission in the specified view, configure read.

  • To grant the NMS read-write permission in the specified view, configure write.

  • To allow specified NMSs using this community name to have the rights of ViewDefault, omit mib-view view-name.

  • To allow all NMSs using this community name to manage specified objects on a managed device, omit acl { acl-number | acl-name }.

  • To allow specified NMSs using this community name to manage specified objects on a managed device, configure mib-view and acl.
  • The community name will be saved in encrypted format in the configuration file. To facilitate identification of community names, specify the alias alias-name parameter to set the alias names for the communities. The alias names are stored in plain text in the configuration file.
NOTE:

When both community name and ACL are configured, the NMS verifies the community name before accessing the device, and then checks the ACL rules. If the community name does not exist, the packet is discarded and a log indicating that the community name is wrong is printed. The ACL rule is not checked. That is, the ACL rule is checked only when the community name exists.

You can run the display snmp-agent community command to view the current community name.

Precautions

If you set different rights (read or write) for the same community name, the last configuration takes effect.

If you specify the parameter mib-view or acl when running the snmp-agent community command, configure the MIB view and ACL rule.

Example

# Set the name of a community to comaccess1 and configure the read-only rights for the community.

<HUAWEI> system-view
[~HUAWEI] snmp-agent community read comaccess1

# Set the name of a community to comaccess2 and configure the read-write rights for the community.

<HUAWEI> system-view
[~HUAWEI] snmp-agent community write comaccess2

snmp-agent community complexity-check disable

Function

The snmp-agent community complexity-check disable command disables the complexity check of a community name.

The undo snmp-agent community complexity-check disable command enables the complexity check of a community name.

By default, the complexity check is enabled for a community name.

Format

snmp-agent community complexity-check disable

undo snmp-agent community complexity-check disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

The device has the following requirements for community name complexity:

  • By default, the minimum length of a community name is eight characters.

  • The community name includes at least two kinds of characters: uppercase letters, lowercase letters, numbers, and special characters (excluding ? and spaces).

To ensure the security of SNMP community names, enable the complexity check for community names. If a community name fails the complexity check, the community name cannot be configured. The complexity check can also be disabled for a community name. However, disabling the complexity check will weaken the security.

If the complexity check of community names is not enabled, the system does not check the complexity of community names when they are configured. However, a simple community name that does not meet the complexity requirements is prone to being cracked by unauthorized users, which affects device security. Therefore, enabling the complexity check of community names is recommended.

Example

# Disable the complexity check for community names.

<HUAWEI> system-view
[~HUAWEI] snmp-agent community complexity-check disable

snmp-agent extend error-code enable

Function

The snmp-agent extend error-code enable command enables the device to send extended error codes to the NMS.

The undo snmp-agent extend error-code enable command disables the function of sending extended error codes to the NMS.

By default, the function of sending extended error codes to the NMS is disabled.

Format

snmp-agent extend error-code enable

undo snmp-agent extend error-code enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

If both the NMS and managed device are Huawei products, error codes are extended and more scenarios are defined after the function of sending extended error codes is enabled. As a result, users can locate and troubleshoot faults quickly and accurately.

Support of the MIB for the extended error code:

  • For the MIB that supports the extended error code, you can enable the SNMP extended error code function and use Huawei NMS to provide the NMS with various error codes.
  • For the MIB that does not support the extended error code, after the SNMP extended error code function is enabled, NMS of either Huawei or other vendors can obtain only the standard error code.

Example

# Enable the device to send extended error codes to the NMS.

<HUAWEI> system-view
[~HUAWEI] snmp-agent extend error-code enable

snmp-agent group

Function

The snmp-agent group command creates an SNMP group by mapping SNMP users to SNMP views and configures the SNMP group.

The undo snmp-agent group command deletes a specified SNMP user group.

By default, no SNMP group is configured.

Format

snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ] * [ acl { acl-number | acl-name } ]

undo snmp-agent group v3 group-name { authentication | privacy | noauthentication }

Parameters

Parameter Description Value
v3 Indicates that the SNMP group uses the security mode in SNMPv3. -
group-name Specifies the name of an SNMP group.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

authentication | privacy | noauthentication
Indicates the security level of the SNMP group.
  • authentication: authenticates SNMP messages without encryption.
  • privacy: authenticates and encrypts SNMP messages.
  • noauthentication: does not authenticate or encrypt SNMP messages.
For security purposes, it is recommended that you set the security level of the SNMP group to privacy.
read-view read-view

Specifies a read-only view. In this view, the NMS has the read-only permission.

The value must be the name of an existing MIB view. By default, the read-only view of an SNMP group is ViewDefault.

read-view is specified by the snmp-agent mib-view command.

write-view write-view

Specifies a read-write view. In this view, the NMS has the read-write permission.

The value must be the name of an existing MIB view. By default, no read-write view name is specified for an SNMP group.

write-view is specified by the snmp-agent mib-view command.

notify-view notify-view

Specifies a notify view. Only the alarms matching the MIB objects in this view can be sent to the NMS.

The value must be the name of an existing MIB view. By default, no notify view name is specified for an SNMP group.

notify-view is specified by the snmp-agent mib-view command.

acl { acl-number | acl-name }
Specifies the ACL.
  • acl-number specifies the number of the ACL.
  • acl-name specifies the ACL name.
  • The value of acl-number is an integer that ranges from 2000 to 2999.
  • The acl-name must already exist.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

SNMPv1 and SNMPv2c have serious defects in terms of security. The security authentication mechanism used by SNMPv1 and SNMPv2c is based on the community name. In this mechanism, the community name is transmitted in plain text. You are not advised to use SNMPv1 and SNMPv2c on untrusted networks.

By adopting the user-based security model, SNMPv3 eradicates the security defects in SNMPv1 and SNMPv2c and provides two services, authentication and privacy. The SNMP group name and security name determine an SNMP group. SNMPv3 defines the following security levels:

  • noAuthNoPriv
  • AuthNoPriv
  • AuthPriv
NOTE:

The security authentication level noAuthPriv does not exist. This is because the generation of a key is based on the authentication information.

The snmp-agent group command can be used to configure the following:

  • Authentication
  • Privacy
  • Access rights for users of SNMP group
  • Binding of the SNMP group to a MIB view
Parameters are selected based on the following rules:
  • To enhance security, configure the parameter authentication or privacy.
    • If the noauthentication parameter is set, SNMP messages are not authenticated or encrypted. This applies to the environment that is secure and has a fixed administrator.

    • To authenticate SNMP messages without encryption, configure the parameter authentication. This mode is applicable to secure networks managed by many administrators who may frequently perform operations on the same device. Authentication allows only the administrators with permission to access the device.

    • To authenticate and encrypt SNMP messages, configure the parameter privacy. This mode is applicable to insecure networks managed by many administrators who may frequently perform operations on the same device. Authentication and encryption allow only specified administrators to access the device and encrypt data before transmission. This prevents data from being tampered with or leaked.

  • To grant the NMS read-only permission in the specified view, configure read-view. To grant the NMS read-write permission in the specified view, configure write-view.

    To filter unnecessary alarms, configure notify-view. After this parameter is configured, only alarms generated on MIB objects specified by notify-view are delivered to the NMS.

    By default, the read-only view of an SNMP group is the ViewDefault view, and the names of the read-write view and inform view are not specified.

  • To allow specified NMSs in the same SNMPv3 group to access the device, configure acl.

Configuration Impact

When you run the undo snmp-agent group command to delete an SNMP user group, you delete all SNMP users in the SNMP user group.

Precautions

To receive trap or Inform messages specified in notify-view, you need to ensure that the following configurations are complete:
To configure security levels of a user and an alarm host after the security level for an SNMP group is configured, the following two requirements must be met:
  • The security level of a user must not be lower than that of an SNMP group. Otherwise, communication will fail.
  • The alarm host security level must not be lower than the security level of the SNMP group. Otherwise, alarms will fail to be sent.

If an SNMPv3 group is configured with neither authentication nor encryption, or with authentication but no encryption, these modes bring security risks. To improve system security, delete the group and create a group with authentication and encryption.

Example

# Create an SNMPv3 group named Johngroup to authenticate and encrypt SNMP messages, and set the read-only view of the SNMPv3 group to public.

<HUAWEI> system-view
[~HUAWEI] snmp-agent
[*HUAWEI] snmp-agent mib-view excluded public 1.3.6.1.2.1
[*HUAWEI] snmp-agent group v3 Johngroup privacy read-view public

# Create an SNMPv3 group named Johngroup to authenticate and encrypt SNMP messages, and set the read-write view of the SNMPv3 group to private.

<HUAWEI> system-view
[~HUAWEI] snmp-agent
[*HUAWEI] snmp-agent mib-view included private 1.3.6.1.2.1
[*HUAWEI] snmp-agent group v3 Johngroup privacy write-view private
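
The settings that the blacklist, community and group sections above describe as weakening security can be checked mechanically in a configuration. The following Python audit is an added example, not Huawei code: the sample configuration is constructed, and the function names and finding texts are this example's own.

```python
import shlex

# Constructed sample: lines written in the command forms documented on this page.
SAMPLE_CONFIG = """\
snmp-agent
snmp-agent blacklist ip-block disable
snmp-agent blacklist user-block failed-times 0 period 5
snmp-agent community complexity-check disable
snmp-agent community read public1
snmp-agent community write Adm1n-Rw-2024 mib-view private acl 2001
snmp-agent group v3 opsgroup authentication read-view public
snmp-agent group v3 Johngroup privacy read-view public acl 2001
"""


def community_is_complex(name):
    """Documented rule: 8 to 32 characters, at least two kinds, no '?'."""
    kinds = sum([
        any(c.isupper() for c in name),
        any(c.islower() for c in name),
        any(c.isdigit() for c in name),
        any(not c.isalnum() and not c.isspace() for c in name),
    ])
    return 8 <= len(name) <= 32 and "?" not in name and kinds >= 2


def _tokens(line):
    """Split a command line, keeping double-quoted names together."""
    try:
        return shlex.split(line)
    except ValueError:          # unbalanced quote, e.g. inside a cipher string
        return line.split()


def _audit_community(tok):
    """tok holds everything after 'snmp-agent community'."""
    issues = []
    is_cipher = tok[1] == "cipher"
    if is_cipher and len(tok) < 3:
        return issues           # incomplete line, nothing to judge
    name = tok[2] if is_cipher else tok[1]
    options = tok[3:] if is_cipher else tok[2:]
    # Strings longer than 32 characters are cipher text and cannot be judged.
    if len(name) <= 32 and not community_is_complex(name):
        issues.append("community name fails the complexity rule")
    if "acl" not in options:
        issues.append("no acl: all NMSs using this community name are allowed")
    return issues


def audit_snmp(config_text):
    """Return (line_number, finding) pairs for weak SNMP settings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = _tokens(raw.strip())
        if len(tok) < 2 or tok[0] != "snmp-agent":
            continue            # not an SNMP agent setting (undo lines included)
        args, issues = tok[1:], []
        if args == ["blacklist", "ip-block", "disable"]:
            issues.append("IP address blacklist disabled")
        elif args == ["blacklist", "user-block", "disable"]:
            issues.append("SNMPv3 user blacklist disabled")
        elif args[:4] == ["blacklist", "user-block", "failed-times", "0"]:
            issues.append("failed-times 0: authentication failures not limited")
        elif args == ["community", "complexity-check", "disable"]:
            issues.append("community name complexity check disabled")
        elif args[0] == "community" and len(args) >= 3 and args[1] in ("read", "write"):
            issues += _audit_community(args[1:])
        elif args[:2] == ["group", "v3"] and len(args) >= 4:
            if args[3] == "noauthentication":
                issues.append("group neither authenticates nor encrypts")
            elif args[3] == "authentication":
                issues.append("group authenticates but does not encrypt")
        findings += [(lineno, issue) for issue in issues]
    return findings


if __name__ == "__main__":
    for lineno, issue in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: {issue}")
```

A saved configuration file shows community names in cipher text, so the complexity finding applies only to names that are still in plain text, for example in a change request reviewed before it is applied.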

snmp-agent inform

Function

The snmp-agent inform command sets global parameters of informs, including the timeout period for waiting for inform ACK messages, number of times to retransmit informs, and maximum number of informs to be confirmed in the inform buffer.

The undo snmp-agent inform command restores the default setting.

By default, the timeout waiting period for inform ACK messages is 15 seconds, the number of times to retransmit informs is 3, and the maximum number of informs in the inform buffer is 39.

Format

snmp-agent inform { timeout seconds | resend-times times | pending number } *

undo snmp-agent inform { timeout | resend-times | pending } *

Parameters

Parameter Description Value
timeout seconds Specifies the timeout period for waiting for inform ACK messages from the NMS. The value is an integer ranging from 1 to 1800, in seconds. The default value is 15 seconds.
resend-times times Specifies the times to retransmit informs in the case that no inform ACK message is returned from the NMS. The value is an integer ranging from 0 to 10. The default value is 3.
pending number Specifies the maximum number of informs to be confirmed in the inform buffer. The value is an integer ranging from 1 to 2048. The default value is 39.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After sending an inform, the SNMP agent waits for an inform ACK message from the NMS. You can run the snmp-agent inform command to set parameters timeout, resend-times, and pending of the inform.

These three parameters affect each other. For example, if the timeout period for waiting for inform ACK messages is prolonged or the number of times to retransmit informs is increased, but the maximum number of informs to be confirmed is not changed, the number of informs to be confirmed increases, causing the inform buffer to fill up quickly.

Once the inform buffer is filled up, the earliest inform in the inform buffer is deleted each time a new inform enters the queue. The deleted informs are not retransmitted to the NMS. To avoid this problem, you can increase the maximum number of informs to be confirmed in the inform buffer.

You can configure the snmp-agent inform command to contain the parameter timeout, resend-times, or pending according to the network condition.

  • When a large number of informs are dropped on the network, you can run the snmp-agent inform pending number command to increase the inform buffer.
  • When the transmission speed on the network is low, you can increase the timeout period. Increasing the timeout period will increase the waiting time of informs in the inform buffer. You can also run the snmp-agent inform { timeout seconds | pending number } * command to increase the inform buffer.
  • When the transmission speed on the network is high, you can run the snmp-agent inform timeout seconds command to reduce the timeout period.
  • When informs are transmitted on an unreliable network, you can increase the retransmission times. In this case, the informs in the inform buffer need to wait for a longer time to be confirmed. You can run the snmp-agent inform { resend-times times | pending number } * command to increase the inform buffer.

Prerequisites

Parameters for sending informs take effect only after the IP address of the target host for receiving informs is configured using the snmp-agent target-host inform command.

Precautions

You need to configure only parameters for sending informs using the snmp-agent inform command; you do not need to configure parameters for sending traps.

You must set the parameters timeout, resend-times, and pending according to the network condition. Otherwise, the SNMP working efficiency is greatly affected.

Example

# Set the times to retransmit an inform to 5 and the maximum number of informs waiting to be confirmed in the inform buffer to 100.

<HUAWEI> system-view
[~HUAWEI] snmp-agent inform resend-times 5 pending 100
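
The interaction between timeout, resend-times and pending described above can be seen in a small model of the inform buffer while the NMS is unreachable. This Python simulation is an added example, not Huawei code; it assumes each unacknowledged inform holds a buffer slot for timeout × (resend-times + 1) seconds, and the function names and the one-inform-per-second rate are this example's own.

```python
from collections import deque


def min_pending(timeout, resend_times, informs_per_second):
    """Buffer size needed so that no inform is deleted before its last retry."""
    return informs_per_second * timeout * (resend_times + 1)


def simulate_inform_buffer(timeout, resend_times, pending,
                           informs_per_second, duration):
    """Model an NMS that never acknowledges for `duration` seconds.

    "exhausted" counts informs that used every transmission without an ACK.
    "evicted" counts informs deleted from a full buffer before that point,
    which is the loss the usage guidelines warn about.
    """
    lifetime = timeout * (resend_times + 1)   # first send plus every resend
    buffer = deque()                          # creation times, oldest first
    evicted = exhausted = 0
    for now in range(duration):
        # Informs whose final timeout has elapsed leave the buffer normally.
        while buffer and now - buffer[0] >= lifetime:
            buffer.popleft()
            exhausted += 1
        for _ in range(informs_per_second):
            if len(buffer) == pending:
                buffer.popleft()              # the earliest inform is deleted
                evicted += 1
            buffer.append(now)
    return {"lifetime": lifetime, "evicted": evicted,
            "exhausted": exhausted, "buffered": len(buffer)}


if __name__ == "__main__":
    # Defaults from this page: timeout 15, resend-times 3, pending 39.
    print("defaults :", simulate_inform_buffer(15, 3, 39, 1, 120))
    # The example above: resend-times 5, pending 100 (timeout left at 15).
    print("tuned    :", simulate_inform_buffer(15, 5, 100, 1, 120))
    print("pending needed at defaults, 1 inform/s:", min_pending(15, 3, 1))
```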

snmp-agent inform { host-name | address }

Function

The snmp-agent inform address command sets parameters for sending informs, including the timeout period for waiting for inform ACK messages from the NMS and times to retransmit an inform.

The undo snmp-agent inform address command restores the default setting for a particular inform host.

By default, the timeout waiting period for inform ACK messages is 15 seconds and the number of times to retransmit informs is 3.

Format

snmp-agent inform { timeout seconds | resend-times times } * { host-name host-name | address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname { security-name | cipher security-name } }

undo snmp-agent inform { timeout [ seconds ] | resend-times [ times ] } * { host-name host-name | address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname { security-name | cipher security-name } }

Parameters

Parameter Description Value
timeout seconds Specifies the timeout period for waiting for inform ACK messages from the NMS. The value is an integer ranging from 1 to 1800, in seconds. The default value is 15, which is equal to the global timeout period configured using the snmp-agent inform command.
resend-times times Specifies the number of times that informs are retransmitted when no inform ACK message is returned from the NMS. The value is an integer ranging from 0 to 10. The default value is 3, which is equal to the global retransmission times configured using the snmp-agent inform command.
host-name host-name Specifies the SNMP target host name. The SNMP target host name must already exist.
address Indicates the address of the target host for receiving SNMP traps.
NOTE:
The IP address specified by address and the security name specified by securityname together identify a host.
The value is in dotted decimal notation.
udp-domain ip-address Specifies the IP address of a specified target host, with the transmission domain based on UDP. The value is in dotted decimal notation.
vpn-instance vpn-instance-name Specifies the name of a VPN instance. The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name. The parameter vpn-instance is optional. On a VPN network, you need to use the VPN instance specified by vpn-instance, IP address, and security name to identify a target host.
params Indicates information about the target host that generates SNMP notifications. -
securityname security-name Displays the name of the target host for receiving informs on the NMS.

For SNMPv3, securityname must be configured as the user name. securityname configured on the host needs to be the same as that configured on the NMS, or the NMS cannot receive the trap messages sent from the host.

For SNMPv1 and SNMPv2c, the NMS can receive trap messages from all hosts without having securityname configured. securityname is used to distinguish multiple hosts that generate trap messages.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

cipher cipher-name

Indicates the unencrypted or encrypted string of security name. The plaintext password or the ciphertext password can be entered. The password in the configuration file is displayed in ciphertext.

The value is a string of 1 to 32, 32, 48, 56, 68, or 68 to 168 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.
  • When the community name is a string of 1 to 32 characters, the string is processed as plain text by default and will be encrypted.
  • When the community name is a string of 32, 48, 56, 68, or 68 to 168 characters, the string is processed as cipher text by default, and the system will determine whether the string can be parsed.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

For example, if the snmp-agent inform address command is executed on the target host after the global inform parameters are configured, only the parameter configured using the snmp-agent inform address command takes effect.

You can use both the snmp-agent inform address command and the snmp-agent inform command to set parameters according to the network condition.

  • When a large number of informs are dropped on the network, it is recommended that you run the snmp-agent inform pending number command to lengthen the trap queue and then the snmp-agent inform address command to specify the destination IP address and name of the target host.
  • When the transmission speed on the network is low, it is recommended that you increase the timeout period. Increasing the timeout period increases the time that informs wait in the trap queue for confirmation. In this case, it is also recommended that you run the snmp-agent inform { timeout seconds | pending number } * command to lengthen the trap queue and then the snmp-agent inform address command to specify the destination address and the displayed user name.
  • When the transmission speed on the network is high, it is recommended that you run the snmp-agent inform timeout seconds address udp-domain ip-address params securityname security-name command to reduce the timeout period.
  • When informs are transmitted on an unreliable network, it is recommended that you increase the retransmission times. In this case, the informs in the trap queue need to wait for a longer time to be confirmed. This requires you to run the snmp-agent inform { resend-times times | pending number } * command to lengthen the trap queue and then the snmp-agent inform address command to specify the destination address and the displayed user name.

Prerequisites

Parameters for sending informs take effect only after the IP address of the target host for receiving informs is configured using the snmp-agent target-host inform command.

Precautions

You must set the parameters timeout and resend-times according to the network condition. Otherwise, the SNMP working efficiency is greatly affected.

NOTE:

You need to configure only parameters for sending informs using the snmp-agent inform address command; you do not need to configure parameters for sending traps.

Example

# Set the times to retransmit an inform to the target host (with the IP address of 10.1.1.1 and the security name of ABC) to 10.

<HUAWEI> system-view
[~HUAWEI] snmp-agent inform resend-times 10 address udp-domain 10.1.1.1 params securityname ABC

snmp-agent local-engineid

Function

The snmp-agent local-engineid command sets an engine ID for the local SNMP agent.

The undo snmp-agent local-engineid command restores the engine ID of the local SNMP agent to the default value.

By default, the device uses an internal algorithm to automatically generate an engine ID for a device. The engine ID consists of the enterprise number and the device information.

Format

snmp-agent local-engineid engineid

undo snmp-agent local-engineid

Parameters

Parameter Description Value
engineid Specifies the engine ID of the local SNMP agent. The value is a string of 10 to 64 hexadecimal digits. It cannot be all 0s or all Fs.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run the snmp-agent local-engineid command to set an engine ID for the local SNMP agent for identification.

The SNMP engine ID uniquely identifies an SNMP agent in a management domain. The SNMP engine ID is an important component of the SNMP agent. It schedules and processes SNMP messages, and implements security authentication and access control. You can use the display snmp-agent local-engineid command to check the engine ID of the local SNMP entity.

When setting an engine ID, you need to comply with the following rules:

  • The length of the octet string varies. The first four octets carry the agent's SNMP management private enterprise number, which is assigned by the Internet Assigned Numbers Authority (IANA). The enterprise number of Huawei devices is 2011 in decimal notation. The first bit has a fixed value of 1. Therefore, the first four octets of the engine ID in hexadecimal format are 800007DB.

  • The device information can be configured manually. It is recommended that the IP address or MAC address of the device be used as the device information to uniquely identify the device.

Precautions

If the local engine ID is set or changed, the existing SNMPv3 user with this engine ID is deleted. If the original engine ID is restored, the corresponding user configuration is restored.

After the SNMP agent function is enabled using the snmp-agent command, the system automatically adopts the default engine ID for the local SNMP agent.

The password summary used by SNMPv3 users is calculated using MD5 or SHA based on the user password and engine ID of the local SNMP agent. If the engine ID of the local SNMP agent is changed, the generated password summary becomes invalid. As a result, a new password summary needs to be generated for SNMPv3 users.

Example

# Set the engine ID of the local SNMP agent to 800007DB03360102101100.

<HUAWEI> system-view
[~HUAWEI] snmp-agent local-engineid 800007DB03360102101100   
Warning: All SNMP users will be reset. Continue? [Y/N]: y
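The following added example (not part of the original command reference and not Huawei code) checks an engine ID against the rules stated above and shows why changing the engine ID invalidates SNMPv3 password summaries. It assumes the device follows the standard RFC 3414 password-to-key localization and the RFC 3411 engine ID layout; the function names and the sample password are made up for the illustration.

```python
import hashlib

# RFC 3411 meaning of the fifth octet when the first bit of the engine ID is 1.
ENGINE_ID_FORMATS = {1: "IPv4 address", 2: "IPv6 address", 3: "MAC address",
                     4: "text", 5: "octets"}


def parse_engine_id(hex_str):
    """Validate an engine ID with the rules on this page and decode its header."""
    s = hex_str.strip()
    if not 10 <= len(s) <= 64:
        raise ValueError("engine ID must be 10 to 64 hexadecimal digits")
    if any(c not in "0123456789abcdefABCDEF" for c in s):
        raise ValueError("engine ID must contain only hexadecimal digits")
    if set(s.upper()) in ({"0"}, {"F"}):
        raise ValueError("engine ID cannot be all 0s or all Fs")
    if len(s) % 2:
        # Assumption of this example: whole octets, so the ID can be hashed as bytes.
        raise ValueError("engine ID must be a whole number of octets")
    raw = bytes.fromhex(s)
    first4 = int.from_bytes(raw[:4], "big")
    info = {
        "raw": raw,
        "rfc3411_format": bool(first4 & 0x80000000),  # first bit fixed at 1
        "enterprise": first4 & 0x7FFFFFFF,            # IANA enterprise number
    }
    if info["rfc3411_format"]:
        info["id_format"] = ENGINE_ID_FORMATS.get(raw[4], "reserved or enterprise-specific")
        info["device_info"] = raw[5:]
    return info


def localized_key(password, engine_id, algorithm="sha1"):
    """RFC 3414 key localization: the digest depends on password AND engine ID."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("RFC 3414 defines localization for MD5 and SHA-1 only")
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    # Step 1: hash 1,048,576 bytes produced by repeating the password.
    reps, rem = divmod(1_048_576, len(pw))
    ku = hashlib.new(algorithm, pw * reps + pw[:rem]).digest()
    # Step 2: bind the intermediate key to this agent's engine ID.
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


if __name__ == "__main__":
    old = parse_engine_id("800007DB03360102101100")   # engine ID from the example above
    new = parse_engine_id("800007DB03360102101101")   # constructed: last octet changed
    print("enterprise:", old["enterprise"], "format:", old["id_format"])
    pw = "Constructed-Pass1"                           # constructed sample password
    print("key (old engine ID):", localized_key(pw, old["raw"]).hex())
    print("key (new engine ID):", localized_key(pw, new["raw"]).hex())
```

The same password yields unrelated keys under the two engine IDs, which is why users must be reconfigured after the engine ID changes.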

snmp-agent local-user

Function

The snmp-agent local-user command creates an SNMPv3 local user.

The undo snmp-agent local-user command deletes an SNMPv3 local user.

By default, no SNMPv3 local user exists in the system.

Format

snmp-agent local-user v3 user-name { authentication-mode { md5 | sha } privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } | authentication-mode { md5 | sha } cipher password privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } cipher password }

undo snmp-agent local-user v3 user-name

Parameters

Parameter Description Value
v3

Specifies the version of SNMP protocol.

-
user-name

Specifies the SNMPv3 local user name.

To configure the SNMPv3 local user name, run local-user password.

NOTE:
When you create an SNMPv3 local user by running the local-user password command, the user name cannot contain more than 32 characters.
authentication-mode { md5 | sha }

Specifies the authentication method of the SNMPv3 local user.

SNMPv3 local users support the following authentication methods:
  • MD5
  • SHA
NOTE:

SHA provides higher security than MD5, so SHA is recommended.

privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 }

Specifies the encryption method of the SNMPv3 local user.

SNMPv3 local users support the following encryption methods:
  • 3DES168
  • AES128
  • AES192
  • AES256
  • DES56
NOTE:

AES128 provides higher security than DES56 and 3DES168, so AES128 or an encryption protocol providing higher security than AES128 is recommended.

cipher password

Specifies the encryption or authentication password in cipher text.

Only cipher text is supported. The value is a string of 32 to 432 characters without spaces or question marks (?).

NOTE:
  • When the cipher parameter is not specified, the password is entered in an interaction manner. In this situation, plain text is supported.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

SNMPv3 supports authentication using authentication, authorization, and accounting (AAA) user names. The network administrator can use the AAA local user name in the SNMPv3, FTP, Telnet, and SSH features in order to manage the device by using a uniform user name.

After an AAA local user is created, you can run the snmp-agent local-user command to configure the AAA local user as an SNMPv3 local user.

When you run the snmp-agent local-user command, you can enter the authentication and encryption passwords in an interaction manner or non-interaction manner. To ensure the password security and facilitate memorization, the interaction manner is recommended.

Prerequisite

The AAA local user has been created by using the local-user password command.

The service type of the AAA local user has been set to SNMP by using the local-user service-type snmp command.

Precautions

After an SNMPv3 local user is configured, you can configure the authentication password and encryption password for the user, which can be different from the passwords of AAA local user. When an AAA local user is deleted, the corresponding SNMPv3 user is also deleted; however, the deletion of an SNMPv3 local user does not affect the corresponding AAA local user.

An SNMPv3 local user and an SNMPv3 USM user can use the same name. An SNMPv3 USM user has a higher priority than an SNMPv3 local user with the same name. That is, when an SNMPv3 local user and an SNMPv3 USM user have the same name but different authentication or encryption passwords, the authentication and encryption passwords of the SNMPv3 USM user are used for login.

The user name and passwords configured during user creation will be used when you access the device through the NMS.

Pay attention to the following points when you adopt the interaction manner:

  • The password range depends on whether the password complexity check is enabled:
  • A password entered in an interaction manner is not displayed on the screen.

To ensure high security, do not use the MD5 algorithm for SNMPv3 authentication or use the DES-56 or 3DES168 algorithm for SNMPv3 encryption.

Example

# Create the local user usersnmp, set the authentication mode to SHA, and select AES256 as the encryption mode.

<HUAWEI> system-view
[~HUAWEI] snmp-agent local-user v3 usersnmp authentication-mode sha privacy-mode aes256
Please configure the authentication password (8-255)
Enter Password:
Confirm Password:
Please configure the privacy password (8-255)
Enter Password:
Confirm Password: 

snmp-agent local-user password complexity-check disable

Function

The snmp-agent local-user password complexity-check disable command disables complexity check on the authentication and encryption passwords of local users.

The undo snmp-agent local-user password complexity-check disable command enables complexity check on the authentication and encryption passwords of local users.

By default, the device checks password complexity for local users.

Format

snmp-agent local-user password complexity-check disable

undo snmp-agent local-user password complexity-check disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When you configure the authentication and encryption passwords in an interaction manner, the passwords must meet the following requirements:

  • Contain at least eight characters.

  • Contain at least two of the following: uppercase letters, lowercase letters, numerals, and special characters, excluding question marks (?) and spaces.

Disable the password complexity check function by running the snmp-agent local-user password complexity-check disable command only when you confirm that the network is secure. After this function is disabled, the device does not have complexity requirements on authentication and encryption passwords.

Precautions

It is recommended that you enable complexity check on the authentication and encryption passwords for SNMPv3 local users.

Example

# Disable complexity check on authentication and encryption passwords for SNMPv3 local users.

<HUAWEI> system-view
[~HUAWEI] snmp-agent local-user password complexity-check disable

snmp-agent mib-view

Function

The snmp-agent mib-view command creates or updates a MIB view.

The undo snmp-agent mib-view command cancels the configuration of the current MIB view.

By default, the MIB view name is ViewDefault, and the MIB subtree includes all internet subnodes except for snmpVacmMIB, snmpUsmMIB, and snmpCommunityMIB.

Format

snmp-agent mib-view { excluded | included } view-name oid-tree

undo snmp-agent mib-view [ excluded | included ] view-name [ oid-tree ]

Parameters

Parameter Description Value
excluded Excludes the MIB subtree. -
included Includes the MIB subtree. -
view-name Specifies the view name.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

oid-tree Specifies the OID for the MIB subtree. oid-tree can be the OID (such as 1.4.5.3.1) or the name (such as system) of the subtree.

It is a string of 1 to 255 case-sensitive characters without spaces.

NOTE:

It must be a valid MIB subtree.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Most SNMP configuration commands contain the parameter view-name. The snmp-agent mib-view command is used to create or update a view. You cannot modify or delete the default ViewDefault MIB view.

In the snmp-agent mib-view command, the parameter oid-tree can be specified as an OID or an object name.
  • Specifying oid-tree as an OID: snmp-agent mib-view included myview 1.3.6.1.2.1.
  • Specifying oid-tree as an object name: snmp-agent mib-view excluded myview system.7.
NOTE:
To uniquely identify object identifiers in SNMP messages, SNMP uses a hierarchical naming structure to distinguish object identifiers from each other. This is a tree-like structure, with the nodes (such as {1.3.6.1.2.1}) representing object identifiers. The MIB is a collection of standard variables on monitored network devices.
You can select parameters based on the following rules:
  • excluded: If a few MIB objects on the device or some objects in the current MIB view do not or no longer need to be managed by the NM station, excluded needs to be specified in the command to exclude these MIB objects.

  • included: If a few MIB objects on the device or some objects in the current MIB view need to be managed by the NM station, included needs to be specified in the command to include these MIB objects.

If you forget which information you have configured for a MIB view, you can run the display snmp-agent mib-view command to check it.

Precautions

The default MIB view ViewDefault cannot be deleted using the undo snmp-agent mib-view command or modified using the snmp-agent mib-view command.

When you run the snmp-agent mib-view command multiple times to define the MIB view, the new configuration overwrites the original configuration if the values of view-name and oid-tree are the same; the new and original configurations both take effect if the values of view-name and oid-tree are different. The system can store a maximum of 256 MIB view configurations, among which there are four default views.

If both the included and excluded parameters are configured for MIB objects that have an inclusion relationship, whether the lowest MIB object is included or excluded is determined by the parameter configured for that lowest MIB object. For example, the snmpV2, snmpModules, and snmpUsmMIB objects are arranged from top down in the MIB tree. If excluded is configured for snmpUsmMIB and included is configured for snmpV2, snmpUsmMIB objects are still excluded.

If a MIB view is referenced by a community name or SNMP group, the view can be deleted using the undo snmp-agent mib-view command only after you delete the view reference relationship.

Example

# Create the MIB view mib2view, which includes all mib-2 objects, that is, the subtree with the OID 1.3.6.1.2.1.

<HUAWEI> system-view
[~HUAWEI] snmp-agent mib-view included mib2view 1.3.6.1.2.1
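The following added example (a model written for this page, not the device's implementation) evaluates the precedence and overwrite rules from the Precautions above: the entry for the lowest matching subtree decides, and reconfiguring the same view-name and oid-tree replaces the earlier entry. It assumes numeric OIDs only; the class and method names are hypothetical.

```python
def parse_oid(text):
    """Turn '1.3.6.1.6' into a tuple of sub-identifiers for prefix comparison."""
    return tuple(int(part) for part in text.strip(".").split("."))


class MibViews:
    """Model of included/excluded subtrees configured with snmp-agent mib-view."""

    def __init__(self):
        # (view-name, subtree) -> "included" | "excluded"
        self._entries = {}

    def configure(self, mode, view_name, oid_tree):
        if mode not in ("included", "excluded"):
            raise ValueError("mode must be 'included' or 'excluded'")
        # Same view-name and oid-tree: the new configuration overwrites the old one.
        self._entries[(view_name, parse_oid(oid_tree))] = mode

    def is_visible(self, view_name, oid):
        """Return True if the object is inside the view.

        The most specific (longest) configured subtree containing the object
        decides; an object under no configured subtree is not in the view.
        """
        target = parse_oid(oid)
        best_len, best_mode = -1, None
        for (name, subtree), mode in self._entries.items():
            if name != view_name:
                continue
            # Compare whole sub-identifiers so that .15 never matches .150.
            if target[:len(subtree)] != subtree:
                continue
            if len(subtree) > best_len:
                best_len, best_mode = len(subtree), mode
        return best_mode == "included"


SNMP_V2 = "1.3.6.1.6"             # snmpV2
SNMP_USM_MIB = "1.3.6.1.6.3.15"   # snmpUsmMIB, below snmpModules (1.3.6.1.6.3)


def build_example_view():
    """The snmpV2 / snmpUsmMIB case described in the Precautions."""
    views = MibViews()
    views.configure("included", "myview", SNMP_V2)
    views.configure("excluded", "myview", SNMP_USM_MIB)
    return views


if __name__ == "__main__":
    v = build_example_view()
    for oid in ("1.3.6.1.6.3.15.1.2.2",   # usmUserTable: excluded subtree wins
                "1.3.6.1.6.3.11.2.1.1",   # under snmpMPDMIB: only snmpV2 matches
                "1.3.6.1.2.1.1.1.0"):     # sysDescr.0: no subtree configured
        print(oid, "->", "visible" if v.is_visible("myview", oid) else "hidden")
```

Running the same check against a view before binding it to a community or group shows whether user and key tables such as snmpUsmMIB stay hidden from the NMS.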

snmp-agent notification-log

Function

The snmp-agent notification-log command sets the aging time of trap logs and the maximum number of trap logs that can be saved in the trap log buffer.

The undo snmp-agent notification-log command restores the default configuration.

By default, the aging time of trap logs is 24 hours, and a maximum of 500 trap logs can be saved in the trap log buffer.

Format

snmp-agent notification-log { global-ageout ageout [ minute minute ] | global-limit limit } *

undo snmp-agent notification-log { global-ageout | global-limit } *

Parameters

Parameter Description Value
global-ageout ageout Specifies the aging time of trap logs. The value can be 0 or an integer that ranges from 12 to 36, in hours. The default value is 24. The value 0 indicates that trap logs are never aged out.
minute minute Specifies the aging time of alarm logs in minutes. The value is 1 to 59, in minutes.
global-limit limit Specifies the maximum number of trap logs that can be saved in the trap log buffer. The value is an integer that ranges from 1 to 15000.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If notification logs in the log buffer do not need to be aged, you can set the aging time of these notification logs to 0.

If the number of notification logs saved to the log buffer within the aging time exceeds the limit, new notification logs can still be saved but overwrite the earlier logs in the log buffer.

An Inform message is logged when either of the following conditions is met:
  • The number of retransmissions of an Inform message in the trap message queue reaches the limit but no Inform ACK message is returned from the NMS.
  • The number of Inform messages waiting to be confirmed in the trap message queue exceeds the limit and Inform messages are discarded.

Precautions

If the size of the log buffer is excessively large, more network resources are consumed. You are therefore recommended to set the size of the log buffer to a reasonable value.

NOTE:

Only Inform logs are saved to the log buffer; trap logs are not saved to the log buffer.

Example

# Set the aging time of trap logs to 36 hours.

<HUAWEI> system-view
[~HUAWEI] snmp-agent notification-log global-ageout 36

# Set the maximum number of trap logs that can be saved in the trap log buffer to 1000.

<HUAWEI> system-view
[~HUAWEI] snmp-agent notification-log global-limit 1000

snmp-agent notification-log enable

Function

The snmp-agent notification-log enable command enables the notification logging function.

The undo snmp-agent notification-log enable command disables the notification logging function.

By default, the notification logging function is disabled.

Format

snmp-agent notification-log enable

undo snmp-agent notification-log enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

When the route from a network element to the NMS is unreachable because of a link failure between the network element and NMS, the network element does not send any SNMP notifications to the NMS. If the notification logging function is enabled, the network element records trap logs. When the link between the network element and NMS recovers, the NMS can obtain the trap logs recorded when the link was faulty.

Only informs are recorded in trap logs, and traps are not recorded.

After the notification logging function is enabled, the system records informs in trap logs in either of the following conditions:

  • No ACK message is received after an inform in the notification queue is retransmitted the specified number of times.

  • Earliest informs are discarded because the number of notifications in the notification queue exceeds the limit. The system records the discarded informs in trap logs.

Example

# Enable the notification logging function.

<HUAWEI> system-view
[~HUAWEI] snmp-agent notification-log enable

snmp-agent notify-filter-profile

Function

The snmp-agent notify-filter-profile command creates or updates a trap filter profile.

The undo snmp-agent notify-filter-profile command deletes a trap filter profile.

By default, no trap is filtered.

Format

snmp-agent notify-filter-profile { included | excluded } profile-name oid-tree

undo snmp-agent notify-filter-profile [ included | excluded ] profile-name [ oid-tree ]

Parameters

Parameter Description Value
included Includes the specified MIB subtree. -
excluded Excludes the specified MIB subtree. -
profile-name Specifies the name of a trap filter profile.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

oid-tree Specifies the OID for the MIB subtree. oid-tree can be the OID (such as 1.4.5.3.1) or the name (such as system) of the subtree. The value is a string of 1 to 255 case-sensitive characters without spaces.
NOTE:

It must be a valid MIB subtree.

Views

System view

Default Level

3: Management level

Usage Guidelines

To filter the traps sent to a destination host, run the snmp-agent notify-filter-profile command to configure a trap filter profile and specify the MIB object to be filtered in the profile.

The snmp-agent notify-filter-profile command creates or updates a trap filter profile. The value of oid-tree can be an OID or a subtree name. An OID can contain asterisks (*) as wildcards. An asterisk (*) cannot be placed at the beginning or end of the OID string.

NOTE:
If no trap filter profile is configured, all traps are sent to the destination host.

Example

# Configure a trap filter profile named tmp.
<HUAWEI> system-view
[~HUAWEI] snmp-agent notify-filter-profile included tmp 1.3.6.1.*.4

snmp-agent packet contextengineid-check enable

Function

The snmp-agent packet contextengineid-check enable command enables the device to check consistency between the contextEngineID on the NMS and the local engine ID.

The snmp-agent packet contextengineid-check disable command disables the device from checking consistency between the contextEngineID on the NMS and the local engine ID.

The undo snmp-agent packet contextengineid-check enable command disables the device from checking consistency between the contextEngineID on the NMS and the local engine ID.

By default, the device does not check consistency between the contextEngineID on the NMS and the local engine ID.

Format

snmp-agent packet contextengineid-check enable

snmp-agent packet contextengineid-check disable

undo snmp-agent packet contextengineid-check enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the device does not check consistency between the contextEngineID on the NMS and the local engine ID, the NMS can connect to the device even if the contextEngineID is different from the local engine ID.

To improve system security, run the snmp-agent packet contextengineid-check enable command to enable the device to check consistency between the contextEngineID on the NMS and the local engine ID.

Configuration Impact

After this function is enabled, an NMS cannot connect to the device if the contextEngineID on the NMS is different from the local engine ID.

Precautions

This consistency check function applies only to SNMPv3.

Example

# Enable the consistency check between the contextEngineID and local engine ID.

<HUAWEI> system-view
[~HUAWEI] snmp-agent packet contextengineid-check enable

snmp-agent packet max-size

Function

The snmp-agent packet max-size command sets the maximum size of an SNMP message.

The undo snmp-agent packet max-size command restores the default setting.

By default, the maximum size of an SNMP message is 12000 bytes.

Format

snmp-agent packet max-size byte-count

undo snmp-agent packet max-size

Parameters

Parameter Description Value
byte-count Specifies the maximum size of an SNMP message that the SNMP agent can receive and send. The value is an integer that ranges from 484 to 17940, in bytes. The default value is 12000.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You are recommended to run the snmp-agent packet max-size command to set the maximum size of an SNMP message that the SNMP agent receives or sends according to the network condition.

By increasing the maximum size of an SNMP message, you can prevent the NMS from obtaining incomplete information about the device status.

By decreasing the maximum size of an SNMP message, you can prevent the NMS or device from discarding an SNMP message because its size exceeds the processing capability of the NMS or device.

Precautions

You need to increase the size of an SNMP message according to the network condition. Otherwise, the transmission efficiency of SNMP messages is affected.

Generally, the default value is recommended.

The maximum size set through the snmp-agent packet max-size command takes effect for the SNMP messages of all SNMP versions.

Example

# Set the maximum size of an SNMP message that the SNMP agent can receive or send to 1042 bytes.

<HUAWEI> system-view
[~HUAWEI] snmp-agent packet max-size 1042

snmp-agent packet-priority

Function

The snmp-agent packet-priority command sets the priority of SNMP messages.

The undo snmp-agent packet-priority command restores the default priority of SNMP messages.

By default, the priority of SNMP messages is 6.

Format

snmp-agent packet-priority { snmp | trap } priority-level

undo snmp-agent packet-priority { snmp | trap }

Parameters

Parameter Description Value
snmp Sets the priority of common SNMP messages (excluding trap messages), including:
  • Get-Response packets
  • Set-Response packets
-
trap Sets the priority of SNMP trap messages, including:
  • Trap packets
  • Inform packets
-
priority-level Specifies the priority of SNMP messages. The value is an integer that ranges from 0 to 7. The default value is 6. The value 0 indicates the lowest priority, and the value 7 indicates the highest priority.

Views

System view

Default Level

3: Management level

Usage Guidelines

This command sets the priority of SNMP messages in transmission. The priority determines the priority of IP packets in which SNMP messages are encapsulated. This command can be used in the following situations:
  • To prevent traps from being discarded, increase the priority of SNMP trap messages so that traps can be successfully sent to the NMS.

  • To improve reliability of MIB operations performed on the device by the NMS, increase the priority of common SNMP messages, excluding SNMP trap messages.

  • When the network is severely congested and traps are generated frequently, reduce the priority of all SNMP messages, including SNMP trap messages.

Example

# Set the priority of common SNMP messages to 5.
<HUAWEI> system-view
[~HUAWEI] snmp-agent packet-priority snmp 5

snmp-agent password min-length

Function

The snmp-agent password min-length command configures the minimum SNMP password length.

The undo snmp-agent password min-length command restores the default minimum SNMP password length.

By default, the minimum SNMP password length is 8 bytes.

Format

snmp-agent password min-length min-length

undo snmp-agent password min-length

Parameters

Parameter Description Value
min-length Specifies the minimum SNMP password length. The value is an integer ranging from 8 to 16.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To improve system security and prevent password theft, run the snmp-agent password min-length command to configure the minimum SNMP password length. After this command is run, the length of a configured SNMP password must be longer than or equal to the minimum SNMP password length.

SNMP passwords consist of the authentication and encryption passwords of local and SNMP users as well as communities.

Prerequisites

The snmp-agent password min-length command takes effect only when password complexity check is enabled. By default, password complexity check is enabled.

Precautions

Configuring the minimum length of an SNMP password does not affect existing SNMP passwords because the device does not check the password length during configuration restoration. However, the device checks the password length during password configuration.

Example

# Set the minimum SNMP password length to 10.

<HUAWEI> system-view
[~HUAWEI] snmp-agent password min-length 10

snmp-agent protocol

Function

The snmp-agent protocol command configures SNMP to receive and respond to NMS request packets through a VPN instance or public network.

The undo snmp-agent protocol command restores the default configuration.

By default, SNMP receives and responds to NMS IPv4 and IPv6 request packets through all VPN instances or the public network.

Format

snmp-agent protocol [ ipv6 ] { vpn-instance vpn-instance-name | public-net }

undo snmp-agent protocol [ ipv6 ] { vpn-instance | public-net }

Parameters

Parameter Description Value
ipv6 Configures SNMP to receive and respond to NMS IPv6 request packets through a VPN instance or the public network. If ipv6 is not specified, SNMP receives and responds to NMS IPv4 packets through a VPN instance or the public network. -
vpn-instance vpn-instance-name Specifies the name of a VPN instance through which SNMP receives and responds to NMS request packets. The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.
public-net Configures SNMP to receive and respond to NMS request packets through a public network. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, SNMP receives and responds to NMS request packets through all VPN instances or the public network, which poses security risks. To reduce the risks and narrow down the attack scope, run the snmp-agent protocol [ ipv6 ] vpn-instance vpn-instance-name command to bind SNMP to a specified VPN instance so that SNMP listens only on this VPN instance. If network management through the public network is required, run the snmp-agent protocol [ ipv6 ] public-net command to enable SNMP to listen on the public network to prevent security risks.

Configuration Impact

After the snmp-agent protocol [ ipv6 ] vpn-instance vpn-instance-name command is run, the device can communicate with the NMS only through the SNMP Agent protocol bound to the specified VPN instance.

Example

# Configure SNMP to receive and respond to NMS request packets through the VPN instance named abc.

<HUAWEI> system-view
[~HUAWEI] snmp-agent protocol vpn-instance abc

# Configure SNMP to receive and respond to NMS request packets through the public network.

<HUAWEI> system-view
[~HUAWEI] snmp-agent protocol public-net

# Configure SNMP to receive and respond to NMS IPv6 request packets through the public network.

<HUAWEI> system-view
[~HUAWEI] snmp-agent protocol ipv6 public-net

snmp-agent protocol get-bulk timeout

Function

The snmp-agent protocol get-bulk timeout command sets the delay after which the device returns information in response to the get-bulk operation of the NMS.

The undo snmp-agent protocol get-bulk timeout command restores the default delay after which the device returns information in response to the get-bulk operation of the NMS.

By default, the device returns information 2s after the NMS performs a get-bulk operation.

Format

snmp-agent protocol get-bulk timeout time

undo snmp-agent protocol get-bulk timeout

Parameters

Parameter Description Value
time Specifies delay after which the device returns information in response to the get-bulk operation of the NMS.

The value is an integer ranging from 0 to 600, in seconds.

NOTE:

The value 0 indicates that a get-bulk operation never expires.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A get-bulk operation allows an NMS to query information about multiple managed devices at a time, equaling multiple get-next operations.

If an NMS requests much data using a get-bulk operation, a long time is required to obtain the data. You can run the snmp-agent protocol get-bulk timeout command to change the delay after which the device returns information in response to the get-bulk operation of the NMS.

Precautions

You are not advised to change the delay of response to the get-bulk operation. The default delay is recommended. If you need to change the value, ensure that the value is smaller than the timeout interval set on the NMS.

Example

# Set the delay of response to the get-bulk operation to 10 seconds.

<HUAWEI> system-view
[HUAWEI] snmp-agent protocol get-bulk timeout 10

snmp-agent protocol ipv6 source-ip

Function

The snmp-agent protocol ipv6 source-ip command configures a source IPv6 address for the device to listen to the SNMP request packets of an NMS.

The undo snmp-agent protocol ipv6 source-ip command restores the default configuration.

By default, no source IPv6 address is configured, and the device communicates with an NMS through any reachable IPv6 address.

Format

snmp-agent protocol ipv6 source-ip ipv6-address

undo snmp-agent protocol ipv6 source-ip

Parameters

Parameter Description Value
ipv6-address Specifies a source IPv6 address for the device to listen to the SNMP request packets of an NMS. The value is a 32-bit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, the SNMP Agent communicates with an NMS through any reachable IPv6 address, which poses security risks. To address this issue, run the snmp-agent protocol ipv6 source-ip command to configure a source IPv6 address for the SNMP Agent to listen to the SNMP request packets of an NMS, so that the SNMP Agent communicates with the NMS through this address.

Precautions

The snmp-agent protocol ipv6 source-ip command does not support interface association. That is, if the configured source IPv6 address is deleted or changed, SNMP is not aware of the change and keeps the related configurations unchanged.

Example

# Configure FC00::1 as the source IPv6 address for the device to listen to the SNMP request packets of an NMS.

<HUAWEI> system-view
[~HUAWEI] snmp-agent protocol ipv6 source-ip FC00::1

snmp-agent protocol source-interface

Function

The snmp-agent protocol source-interface command configures a source interface for receiving and responding to NM station requests.

The undo snmp-agent protocol source-interface command restores the default configuration.

By default, the source interface is not configured for receiving and responding to NM station requests.

Format

snmp-agent protocol source-interface interface-type interface-number

undo snmp-agent protocol source-interface

Parameters

Parameter Description Value
interface-type interface-number Specifies an interface type and number. Currently, only loopback interfaces are supported.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, a source interface is randomly selected for receiving and responding to NM station requests, which is inconvenient for unified data management. To resolve this problem, run the snmp-agent protocol source-interface command to configure a source interface for receiving and responding to NM station requests.

Prerequisites

The interface to be configured as the source interface must have been created, and a valid IP address must have been assigned to this interface. If the interface to be configured as the source interface is not created or a valid IP address is not assigned to the interface, the snmp-agent protocol source-interface command will not take effect. If a valid IP address is assigned to the interface, the snmp-agent protocol source-interface command will take effect automatically.

Precautions

If the interface on which the snmp-agent protocol source-interface command is configured is deleted, or an address is changed or deleted on the interface, SNMP configurations will not be affected.

After SNMP is bound to the source interface, SNMP listens only on this interface, through which the NMS communicates with the device. After the source interface's IP address is changed, the NMS can communicate with devices only through the new IP address.

Example

# Configure loopback 1 as a source interface for receiving and responding to NM station requests.

<HUAWEI> system-view
[~HUAWEI] snmp-agent protocol source-interface loopback 1
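The following added example (not part of the original command reference) audits a configuration text for the SNMP settings this page advises against: MD5 authentication, DES56 or 3DES168 encryption, disabled password complexity check, no contextEngineID check, and no VPN instance or public network binding. The sample configurations are constructed from the command formats on this page, and the rule names are hypothetical; a saved device configuration may render these lines differently.

```python
import re

WEAK_AUTH = {"md5"}
WEAK_PRIVACY = {"des56", "3des168"}

LOCAL_USER = re.compile(
    r"^snmp-agent local-user v3 (?P<user>\S+) authentication-mode (?P<auth>\S+)"
    r".*?\bprivacy-mode (?P<priv>\S+)")
# Matches only the listening-scope form, not "snmp-agent protocol get-bulk timeout".
BINDING = re.compile(r"^snmp-agent protocol (ipv6 )?(vpn-instance .+|public-net)$")
COMPLEXITY_OFF = "snmp-agent local-user password complexity-check disable"
CONTEXT_CHECK = "snmp-agent packet contextengineid-check enable"

# Constructed sample input; <cipher-text> stands in for stored password strings.
WEAK_CONFIG = """\
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent local-user password complexity-check disable
snmp-agent local-user v3 opsuser authentication-mode md5 cipher <cipher-text> privacy-mode des56 cipher <cipher-text>
snmp-agent local-user v3 usersnmp authentication-mode sha cipher <cipher-text> privacy-mode aes256 cipher <cipher-text>
snmp-agent password min-length 10
snmp-agent protocol get-bulk timeout 10
"""

HARDENED_CONFIG = """\
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent local-user v3 usersnmp authentication-mode sha cipher <cipher-text> privacy-mode aes256 cipher <cipher-text>
snmp-agent password min-length 10
snmp-agent packet contextengineid-check enable
snmp-agent protocol vpn-instance abc
"""


def audit_snmp_config(text):
    """Return a list of (rule, detail) findings for one configuration text."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    findings = []

    complexity_off = COMPLEXITY_OFF in lines
    if complexity_off:
        findings.append(("complexity-check-disabled",
                         "local-user passwords are not checked for complexity"))

    for ln in lines:
        m = LOCAL_USER.match(ln)
        if not m:
            continue
        if m["auth"].lower() in WEAK_AUTH:
            findings.append(("weak-auth", f"user {m['user']} uses {m['auth']}"))
        if m["priv"].lower() in WEAK_PRIVACY:
            findings.append(("weak-privacy", f"user {m['user']} uses {m['priv']}"))

    # min-length takes effect only when the complexity check is enabled.
    if complexity_off and any(ln.startswith("snmp-agent password min-length ")
                              for ln in lines):
        findings.append(("min-length-not-enforced",
                         "min-length is set but complexity check is disabled"))

    if CONTEXT_CHECK not in lines:
        findings.append(("contextengineid-check-disabled",
                         "contextEngineID is not compared with the local engine ID"))

    if not any(BINDING.match(ln) for ln in lines):
        findings.append(("listens-on-all-instances",
                         "no snmp-agent protocol vpn-instance/public-net binding"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_snmp_config(WEAK_CONFIG):
        print(f"{rule}: {detail}")
```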

snmp-agent proxy community

Function

The snmp-agent proxy community command creates an SNMP proxy community.

The undo snmp-agent proxy community command deletes an SNMP proxy community.

By default, no SNMP proxy community is configured.

Format

snmp-agent proxy community { community-name | cipher cipher-name } remote-engineid remote-engineid [ acl { acl-number | acl-name } | alias alias-name ] *

undo snmp-agent proxy community { community-name | cipher cipher-name }

Parameters

Parameter Description Value
community-name

Specifies the name of an SNMP proxy community.

The value is a string of 8 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

By default, the complexity check is enabled for a community name. If a community name fails the complexity check, the community name cannot be configured. To disable the complexity check for a community name, run the snmp-agent community complexity-check disable command.
NOTE:

The device has the following requirements for community name complexity:

  • The default minimum length of a community name is eight characters.

  • A community name includes at least two kinds of characters, which can be uppercase letters, lowercase letters, digits, and special characters except question marks (?) and spaces.

If the complexity check of a community name is disabled by using the snmp-agent community complexity-check disable command, the length of community-name ranges from 1 to 32.

cipher cipher-name Specifies the name of an SNMP proxy community to be stored in ciphertext.

The cipher-name value is displayed in ciphertext whether you specify it in ciphertext or plaintext.

The value is a string of 8 to 32, or 88 to 168 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

  • If you specify cipher-name in plaintext, the value is a string of 8 to 32 case-sensitive characters, spaces not supported.
  • If you specify cipher-name in ciphertext, the value is a string of 88 to 168 characters, spaces not supported.
By default, the complexity check is enabled for a community name. If a community name fails the complexity check, the community name cannot be configured. To disable the complexity check for a community name, run the snmp-agent community complexity-check disable command.
NOTE:

The device has the following requirements for community name complexity:

  • The default minimum length of a community name is eight characters.

  • A community name includes at least two kinds of characters, which can be uppercase letters, lowercase letters, digits, and special characters except question marks (?).

If the complexity check of a community name is disabled by using the snmp-agent community complexity-check disable command, the length of cipher-name ranges from 1 to 32, or 88 to 168.

remote-engineid remote-engineid

Specifies the engine ID of the managed device.

The engine ID of the managed device must be different from the engine ID of the SNMP proxy.

The value is a string of 10 to 64 hexadecimal digits. It cannot be all 0s or all Fs.
acl

Specifies the created community to be bound to a basic ACL.

The basic ACL defines whether NMSs with specified source IP addresses can access SNMP agents.

-
acl-number Specifies the number of a basic ACL. The value is an integer ranging from 2000 to 2999.
acl-name Specifies the name of a named basic ACL. The name of a named basic ACL must already exist.
alias alias-name

Specifies the alias name for an SNMP proxy community.

The alias names of SNMP proxy communities are stored in plain text in the configuration file.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SNMP community is used to define the relationships between multiple NMSs and a managed device. The community name acts like a password to regulate access to the managed device. An NMS can access a managed device only if the community name carried in the SNMP request sent by the NMS matches the community name configured on the managed device. The snmp-agent proxy community command creates an SNMP community on an SNMP proxy, enabling communication between the NMS and managed device.

The community name will be saved in encrypted format in the configuration file. To facilitate identification of SNMP proxy community names, specify the alias alias-name parameter to set the alias names for the SNMP proxy communities. The alias names are stored in plain text in the configuration file.

Configuration Impact

If a device receives a packet with a null community name, the device directly drops the packet without filtering the packet based on ACL rules. In addition, the community name error is logged. A device filters a received packet based on ACL rules only if the packet has a valid community name.

Precautions

The snmp-agent proxy community command applies only to SNMPv1 and SNMPv2c.

Follow-up Procedure

After you run the snmp-agent proxy community command, you can run the display snmp-agent proxy community command to check SNMPv1 or SNMPv2c proxy community information.

Example

# Create an SNMP proxy community, set the community name to proxy_public, and bind the community to a basic ACL numbered 2000.

<HUAWEI> system-view
[~HUAWEI] snmp-agent proxy community proxy_public remote-engineid 800007DB03360607111100 acl 2000
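The value rules stated in the parameter descriptions above can be checked before a command is pushed to a device. The following Python check is an added example, not part of the Huawei command reference. It assumes that question marks and spaces never count as a character kind, and the function names and the second sample line are constructed for illustration.

```python
import re
import string

# Assumption: "?" and spaces are excluded from the special-character class,
# so they never count toward the "two kinds of characters" requirement.
SPECIAL = set(string.punctuation) - {"?"}

# snmp-agent proxy community { name | cipher name } remote-engineid <id> [options]
LINE_RE = re.compile(
    r'^snmp-agent proxy community\s+(?P<cipher>cipher\s+)?'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))\s+'
    r'remote-engineid\s+(?P<eid>\S+)(?P<rest>.*)$'
)


def community_name_problems(name, complexity_check=True):
    """Check a plaintext community name against the documented length and
    complexity rules. Returns a list of problems (empty means acceptable)."""
    problems = []
    min_len = 8 if complexity_check else 1   # 1 to 32 when the check is disabled
    if not min_len <= len(name) <= 32:
        problems.append(f"name length {len(name)} is outside {min_len}-32")
    if complexity_check:
        kinds = sum([
            any(c in string.ascii_uppercase for c in name),
            any(c in string.ascii_lowercase for c in name),
            any(c in string.digits for c in name),
            any(c in SPECIAL for c in name),
        ])
        if kinds < 2:
            problems.append("name uses fewer than two kinds of characters")
    return problems


def engine_id_problems(engine_id):
    """Check remote-engineid: 10 to 64 hexadecimal digits, not all 0s or all Fs."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", engine_id):
        return ["engine ID is not hexadecimal"]
    problems = []
    if not 10 <= len(engine_id) <= 64:
        problems.append(f"engine ID length {len(engine_id)} is outside 10-64")
    if set(engine_id.upper()) in ({"0"}, {"F"}):
        problems.append("engine ID is all 0s or all Fs")
    return problems


def check_proxy_community(line, complexity_check=True):
    """Validate one 'snmp-agent proxy community' command line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return ["not a snmp-agent proxy community command"]
    name = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    problems = []
    # After "cipher", a value of 88 characters or more is ciphertext and
    # cannot be checked offline; shorter values are plaintext.
    if not (m.group("cipher") and len(name) >= 88):
        problems += community_name_problems(name, complexity_check)
    problems += engine_id_problems(m.group("eid"))
    if not re.search(r"\bacl\s+\S+", m.group("rest")):
        problems.append("no basic ACL bound: this command sets no "
                        "NMS source-address restriction")
    return problems


if __name__ == "__main__":
    samples = [
        # The example command from this page.
        "snmp-agent proxy community proxy_public remote-engineid "
        "800007DB03360607111100 acl 2000",
        # Constructed weak line: short single-kind name, all-zero engine ID, no ACL.
        "snmp-agent proxy community public remote-engineid 0000000000",
    ]
    for s in samples:
        print(s)
        for p in check_proxy_community(s) or ["ok"]:
            print("   ", p)
```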

snmp-agent proxy rule

Function

The snmp-agent proxy rule command configures proxy rules for SNMP packets.

The undo snmp-agent proxy rule command deletes proxy rules for SNMP packets.

By default, no proxy rules are configured for SNMP packets.

Format

snmp-agent proxy rule rule-name { read | trap | write } remote-engineid remote-engineid target-host target-host-name params-in { securityname security-name { v1 | v2c | v3 [ authentication | privacy ] } | securityname cipher cipher-text { v1 | v2c } }

snmp-agent proxy rule rule-name inform remote-engineid remote-engineid target-host target-host-name params-in { securityname security-name { v2c | v3 [ authentication | privacy ] } | securityname cipher cipher-text v2c }

undo snmp-agent proxy rule rule-name

Parameters

Parameter Description Value
rule-name Specifies the name of a proxy rule for SNMP packets.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

read Specifies to send GetRequest packets from the NMS to the managed device. -
trap Specifies to send traps from the managed device to the NMS. -
write Specifies to send SetRequest packets from the NMS to the managed device. -
inform Specifies to send informs from the managed device to the NMS. -
remote-engineid remote-engineid Binds an SNMP proxy rule to the engine ID of the managed device. The value is a string of 10 to 64 hexadecimal digits. It cannot be all 0s or all Fs.
target-host target-host-name

Specifies the name of the target host for receiving SNMP proxy packets.

The target host may be either the managed device or the NMS.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

params-in Specifies the parameters to forward the received SNMP messages. -
securityname security-name Specifies the security user or community name on whose behalf the SNMP message is forwarded.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

In SNMPv1 or SNMPv2c, the value is the name of the SNMP proxy community. In SNMPv3, the value is the name of the SNMP user.

cipher cipher-text Specifies the security name in cipher text. You can type in the plain text or the cipher text, and it is displayed as the cipher text when the configuration file is viewed. The value is a string of case-sensitive characters, spaces not supported. The password is 1 to 32 characters long in plaintext and 32, 48, 56, or 68 characters long in cipher text. When double quotation marks are used around the string, spaces are allowed in the string.
v1 Specifies SNMPv1. -
v2c Specifies SNMPv2c. -
v3 Specifies SNMPv3. -
authentication

Specifies to authenticate SNMPv3 packets without encryption.

The authentication function is used to check the integrity and legitimacy of SNMP packets. The authentication password is set using the snmp-agent usm-user command.

-
privacy

Specifies to authenticate and encrypt SNMPv3 packets.

The encryption function is used to protect packet data against theft. The authentication and encryption passwords are set using the snmp-agent usm-user command.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The SNMP proxy connects to a managed device. The SNMP proxy enables communication between the NMS and managed device and allows you to manage the configurations and system software version of the managed device. The NMS manages the SNMP proxy and managed device as an independent network element, reducing the number of managed network elements and management costs. The NMS monitors the performance of managed devices in real time, helping to improve service quality. After you run the snmp-agent proxy rule command to configure proxy rules, the SNMP proxy can automatically forward SNMP requests from the NMS to the managed device and forward responses from the managed device to the NMS.

Prerequisites

The proxy rules configured on an SNMP proxy must be unique.

Precautions

  • If trap or inform is specified, the proxy rule uniquely identifies a target host for receiving notifications.
  • If read or write is specified, the proxy rule uniquely identifies a target host for receiving GetRequest or SetRequest PDUs.
  • If you specify neither authentication nor privacy, SNMPv3 packets are neither authenticated nor encrypted.

Example

# Configure a proxy rule for SNMP packets and specify the rule name as proxy_rule_write, target host name as 10.1.1.1, and remote engine ID as 01120025602101.

<HUAWEI> system-view
[~HUAWEI] snmp-agent proxy rule proxy_rule_write write remote-engineId 01120025602101 target-host 10.1.1.1 params-in securityname hello v3

snmp-agent proxy target-host

Function

The snmp-agent proxy target-host command configures target host information on an SNMP proxy.

The undo snmp-agent proxy target-host command deletes target host information.

By default, no target host information is configured.

Format

snmp-agent proxy target-host target-host-name address udp-domain ip-address udp-port port-number [ { source interface-type interface-number | vpn-instance vpn-instance-name | public-net } | timeout timeout-interval ] * params { securityname security-name { v1 | v2c | v3 [ authentication | privacy ] } | securityname cipher cipher-text { v1 | v2c } }

snmp-agent proxy target-host target-host-name ipv6 address udp-domain ipv6-address udp-port port-number [ timeout timeout-interval ] params { securityname security-name { v1 | v2c | v3 [ authentication | privacy ] } | securityname cipher cipher-text { v1 | v2c } }

undo snmp-agent proxy target-host target-host-name

Parameters

Parameter Description Value
target-host-name

Specifies the name of the target host.

The target host may be either the managed device or the NMS.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

address/ipv6 address Specifies the destination address carried in SNMP proxy packets. The address and securityname parameters together identify a target host.
udp-domain ip-address

Specifies to use UDP to transmit SNMP proxy packets.

The ip-address parameter specifies the destination IPv4 address carried in SNMP proxy packets.

-
udp-port port-number

Specifies the number of the port used by the target host to receive SNMP proxy packets.

The value is an integer ranging from 1 to 65535.
source interface-type interface-number Specifies the source interface used by the SNMP proxy to send SNMP proxy packets. -
vpn-instance vpn-instance-name

Specifies the name of the VPN instance to which the target host belongs.

If the NMS and managed device need to communicate over a private network, use this parameter.

The VPN instance must already exist.

On a VPN, the VPN instance name, IP address, and security name form a triplet to uniquely identify a host.

public-net Connects the NMS host on the public network. -
timeout timeout-interval Specifies the timeout period for a target host to send a response to an SNMP agent after receiving an inform from the SNMP agent. The value is an integer that ranges from 1 to 1800, in seconds.
params Specifies information about the target host that generates SNMP messages. -
securityname security-name Specifies the security name to be displayed on the NMS.

For SNMPv3, securityname must be configured as the user name. securityname configured on the host needs to be the same as that configured on the NMS, or the NMS cannot receive the trap messages sent from the host.

For SNMPv1 and SNMPv2c, the NMS can receive trap messages from all hosts without having securityname configured. securityname is used to distinguish multiple hosts that generate trap messages.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

cipher cipher-text Specifies the security name in cipher text. You can type in the plain text or the cipher text, and it is displayed as the cipher text when the configuration file is viewed.
The value is a string of 1 to 32, 32, 48, 56, 68, or 68 to 168 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.
  • When the community name is a string of 1 to 32 characters, the string is processed as plain text by default and will be encrypted.
  • When the community name is a string of 32, 48, 56, 68, or 68 to 168 characters, the string is processed as cipher text by default, and the system will determine whether the string can be parsed.
v1 Specifies SNMPv1. -
v2c Specifies SNMPv2c. -
v3 Specifies SNMPv3. -
authentication

Specifies to authenticate SNMPv3 packets without encryption.

The authentication function is used to check the integrity and legitimacy of SNMP packets. The authentication password is set using the snmp-agent usm-user command.

-
privacy

Specifies to authenticate and encrypt SNMPv3 packets.

The encryption function is used to protect packet data against theft. The authentication and encryption passwords are set using the snmp-agent usm-user command.

-
ipv6-address Specifies the IPv6 address of the target host. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To enable an NMS to effectively manage a managed device, run the snmp-agent proxy target-host command to configure target host information. You can also configure the SNMP proxy to filter undesired SNMP packets.

Precautions

  • You can run this command multiple times with different parameters set to configure an SNMP proxy to send packets to multiple NMSs or the managed device. An SNMP proxy supports a maximum of 20 target hosts.
  • If you specify neither authentication nor privacy, SNMPv3 packets are neither authenticated nor encrypted.
  • When you configure target host information, ensure that the VPN instance name configured for the target host is the same as the name of the VPN instance to which the source port of the target host is bound. Otherwise, the target host may fail to receive SNMP proxy packets.

Example

# Configure an SNMP proxy to send packets to a target host named snmp-proxy with the IP address 10.1.1.1.

<HUAWEI> system-view
[~HUAWEI] snmp-agent proxy target-host snmp-proxy address udp-domain 10.1.1.1 udp-port 165 timeout 45 params securityname public1 v3

snmp-agent set-cache enable

Function

The snmp-agent set-cache enable command enables the SET response packet caching function.

The undo snmp-agent set-cache enable command disables the SET response packet caching function.

By default, the SET response packet caching function is disabled.

Format

snmp-agent set-cache enable

undo snmp-agent set-cache enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

The SNMP protocol stack is enabled automatically when you run the snmp-agent set-cache enable command to enable the SET response packet caching function. Therefore, you do not need to enable the SNMP protocol stack before running this command. The SET response packet caching function is disabled automatically when you run the undo snmp-agent command to disable the SNMP protocol stack.

Example

# Enable the SET response packet caching function.

<HUAWEI> system-view
[~HUAWEI] snmp-agent set-cache enable

snmp-agent sys-info

Function

The snmp-agent sys-info command sets the SNMP system information.

The undo snmp-agent sys-info command restores the default setting.

By default, the system maintenance information is "R&D Beijing, Huawei Technologies co.,Ltd.", the system location is "Beijing China", and the version is SNMPv3.

Format

snmp-agent sys-info { contact contact | location location | version { { v1 | v2c | v3 } * | all } [ disable ] }

undo snmp-agent sys-info { contact | location }

Parameters

Parameter Description Value
contact contact Indicates contact information of system maintenance. The value is a string of 1 to 255 case-sensitive characters that can contain spaces.
location location Indicates the location of a device. The value is a string of 1 to 255 case-sensitive characters that can contain spaces.
version { { v1 | v2c | v3 } * | all } Indicates the SNMP version.
  • v1: SNMPv1 is enabled.
  • v2c: SNMPv2c is enabled.
  • v3: SNMPv3 is enabled.
  • all: SNMPv1, SNMPv2c, and SNMPv3 are enabled.
-
disable Disables the SNMP version. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To configure the contact information for the managed node, you can run the snmp-agent sys-info contact command in the system. If a device fails, maintenance personnel can contact the vendor for device maintenance.

To configure the physical location of the node, you can run the snmp-agent sys-info location command in the system.

To configure features in a specified version, you can run the snmp-agent sys-info version command to set the corresponding SNMP version in the system. SNMPv1 or SNMPv2c is not secure enough. Using SNMPv3 is recommended.

SNMPv1:
  • Community-name-based access control
  • MIB-view-based access control
SNMPv2c:
  • Community-name-based access control
  • MIB-view-based access control
  • Supporting Inform messages
Besides inheriting basic SNMPv2c operations, SNMPv3 defines a management architecture, which introduces a User-based Security Model (USM) to provide users with a more secure access mechanism.
  • User group
  • Group-based access control
  • User-based access control
  • Authentication and encryption mechanisms
  • Supporting Inform messages
NOTE:

Use the display snmp-agent sys-info command to view the system maintenance information, the physical location of the node, and the SNMP version.

Precautions

A lack of authentication capabilities in SNMPv1 and SNMPv2c results in vulnerability to security threats, so SNMPv3 is recommended.

Example

# Set the contact information of the system maintenance as "call Operator at 010-12345678".

<HUAWEI> system-view
[~HUAWEI] snmp-agent sys-info contact call Operator at 010-12345678

# Set the location of a device as "shanghai China".

<HUAWEI> system-view
[~HUAWEI] snmp-agent sys-info location shanghai China

# Set the current SNMP version used by the system to v2c.

<HUAWEI> system-view
[~HUAWEI] snmp-agent sys-info version v2c

snmp-agent target-host inform

Function

The snmp-agent target-host inform command sets the target host for receiving Inform messages.

The undo snmp-agent target-host command cancels the target host set to receive Inform messages.

By default, the target host for receiving Inform messages is not set.

Format

snmp-agent target-host [ host-name host-name ] inform address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net } ] * params securityname security-name { v2c | v3 [ authentication | privacy ] } [ private-netmanager | ext-vb | notify-filter-profile profile-name | heart-beat enable ] *

snmp-agent target-host [ host-name host-name ] inform address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net } ] * params securityname cipher security-name v2c [ private-netmanager | ext-vb | notify-filter-profile profile-name | heart-beat enable ] *

undo snmp-agent target-host { host-name host-name | ip-address securityname { security-name | cipher security-name } [ vpn-instance vpn-instance-name | public-net ] }

undo snmp-agent target-host inform address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net } ] * params securityname { security-name | cipher security-name }

Parameters

Parameter Description Value
host-name host-name Specifies the SNMP target host name.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

address Indicates the address of the target host for receiving SNMP Inform messages.
NOTE:
The IP address specified by address and the security name specified by securityname together identify a target host.
-
udp-domain ip-address Specifies the IP address of a specified target host, with the transmission domain being based on UDP. The value is in dotted decimal notation.
udp-port port-number Specifies the number of the UDP port for receiving Inform messages. The value is an integer ranging from 0 to 65535. The default value is 162.
source interface-type interface-number

Specifies the source interface for sending Inform messages.

-
vpn-instance vpn-instance-name Specifies the name of a VPN instance.
NOTE:
On a VPN network, you need to use the VPN instance specified by vpn-instance, IP address, and security name to identify a target host.
The VPN must already exist.
public-net Connects the NMS host on the public network. -
params Indicates information about the target host that generates SNMP notifications. -
securityname security-name Specifies the user security name displayed on the NMS.

For SNMPv3, securityname must be configured as the user name. securityname configured on the host needs to be the same as that configured on the NMS, or the NMS cannot receive the trap messages sent from the host.

For SNMPv1 and SNMPv2c, the NMS can receive trap messages from all hosts without having securityname configured. securityname is used to distinguish multiple hosts that generate trap messages.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

cipher security-name

Indicates the unencrypted or encrypted string of security name.

The value is a string of 1 to 32, 32, 48, 56, 68, or 68 to 168 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.
  • When the community name is a string of 1 to 32 characters, the string is processed as plain text by default and will be encrypted.
  • When the community name is a string of 32, 48, 56, 68, or 68 to 168 characters, the string is processed as cipher text by default, and the system will determine whether the string can be parsed.
v2c | v3 Indicates the SNMP version.
  • v2c: SNMPv2c.
  • v3: SNMPv3.
-
authentication | privacy
Specifies the security mode.
  • authentication: authenticates SNMP messages without encryption.
  • privacy: authenticates and encrypts SNMP messages.
This parameter takes effect only in SNMPv3.
-
private-netmanager Indicates the Huawei NMS as the target host receiving a trap. When a Huawei NMS is deployed and this parameter is configured, a trap sent to the NMS contains more information, such as the trap type, sequence of the trap, and sending time. -
notify-filter-profile profile-name Specifies the filtering view name.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

ext-vb

Indicates that traps sent to a target host carry extended bound variables.

If a Huawei data communication device extends the trap objects defined in the public MIB, you can configure this parameter to determine whether traps sent to the NMS carry extended bound variables.

  • If this parameter is not configured, the traps sent from the Huawei data communication device do not carry extended bound variables.

    If you are using a third-party NMS tool, you are not advised to configure this parameter, which ensures that the NMS tool can receive alarms sent from the Huawei device.

    By default, a trap sent from a Huawei data communication device does not carry extended bound variables.

  • If this parameter is configured, the traps sent from the Huawei data communication device carry extended bound variables.

    If you are using a Huawei NMS tool, you are advised to configure this parameter, which allows you to view more information carried in a trap.

-
heart-beat enable

Indicates the heartbeat mechanism.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To set the target host to receive SNMP notifications, you can run the snmp-agent target-host inform command. When informs are sent to notify the NMS of the network status, you can configure the engine ID for the NMS to ensure that the NMS can receive informs. The NMS receives an inform and returns an ACK message to the SNMP agent only if the engine ID contained in the Inform message and actual engine ID are the same. If the IDs are inconsistent, the NMS discards the inform.

If there are multiple target hosts, you need to run the snmp-agent target-host inform command on each target host. If the snmp-agent target-host inform command is executed multiple times on the target host, only the last successful operation takes effect. For example, if you run the snmp-agent target-host inform command twice on a target host, the second operation overwrites the previous one.

The system supports the configurations of 20 hosts for receiving traps and informs.

The descriptions of the command parameters are as follows:
  • udp-port: The default UDP port number is 162. In some special cases (for example, port mirroring is configured to prevent a well-known port from being attacked), the parameter udp-port can be used to specify a non-well-known UDP port number. This ensures communication between the NMS and managed device.

  • vpn-instance: If the alarms sent from the managed device to the NMS need to be transmitted over a private network, the parameter vpn-instance vpn-instance-name needs to be configured to specify a VPN that takes over the sending task.

  • securityname: Identifies the alarm sender, which helps you learn the alarm source.

    NOTE:

    Ensure that the security-name value is the same as the created user name; otherwise, the NMS cannot access the device.

Configuration Impact

After the snmp-agent target-host trap command is executed, no matter whether a trap sent from the SNMP agent reaches the NMS, the SNMP agent deletes the trap to reduce the resource consumption.

After the snmp-agent target-host inform command is executed, the SNMP agent, after sending an Inform message, waits for an Inform ACK message from the NMS and will retransmit the same Inform message only when no Inform ACK message is received from the NMS within the specified period. If the SNMP agent does not receive the inform ACK message from the NMS during the retransmission period, the SNMP agent deletes this inform message from the trap queue. This ensures that the NMS can receive the SNMP Inform messages to the maximum extent. The transmission of Inform messages, however, consumes more resources than that of traps.

Precautions

The snmp-agent target-host inform command must be used together with the snmp-agent trap enable command. The snmp-agent trap enable command is used to enable the SNMP trap function.

To enable a switch to propagate Inform messages, you need to run at least one of the two commands, namely, snmp-agent target-host inform on the switch.

If the same SNMP target host name and IP address are configured using the snmp-agent target-host trap and snmp-agent target-host inform commands, only the latest configuration takes effect.

Example

# Configure alarms to be sent in inform mode, set the security name of the host to 123, set the protocol version to SNMPv3, authenticate and encrypt SNMP messages, and send alarms to the NMS with the IP address of 192.168.0.1.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap enable
[*HUAWEI] snmp-agent target-host inform address udp-domain 192.168.0.1 params securityname 123 v3 privacy
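The proxy rule, proxy target-host and target-host commands all select a security level in their params or params-in clause, and the sys-info command selects which SNMP versions are enabled. The following Python audit is an added example, not part of the Huawei command reference. It reads configuration lines and reports every line that leaves SNMP traffic unauthenticated or unencrypted according to the statements on this page. The function names are constructed, and the sample reuses this page's example commands plus two constructed lines (the 192.168.0.2 and 192.168.0.3 hosts).

```python
import shlex

# Notes follow the statements on this page; "v3-priv" produces no finding.
LEVEL_NOTES = {
    "v1": "SNMPv1: community name only, no authentication capability",
    "v2c": "SNMPv2c: community name only, no authentication capability",
    "v3-noauth": "SNMPv3 with neither authentication nor privacy: "
                 "packets are neither authenticated nor encrypted",
    "v3-auth": "SNMPv3 authentication: packets are authenticated but not encrypted",
}


def tokenize(line):
    """Split a CLI line, keeping double-quoted strings as one token."""
    try:
        return shlex.split(line)
    except ValueError:  # unbalanced quote, e.g. an apostrophe in a contact string
        return line.split()


def security_level(tokens):
    """Return the level chosen after 'securityname', or None if not applicable."""
    if "securityname" not in tokens:
        return None
    i = tokens.index("securityname") + 1
    if tokens[i:i + 1] == ["cipher"]:
        i += 1
    tail = tokens[i + 1:]  # everything after the security name itself
    for tok in tail:
        if tok in ("v1", "v2c"):
            return tok
        if tok == "v3":
            if "privacy" in tail:
                return "v3-priv"
            return "v3-auth" if "authentication" in tail else "v3-noauth"
    # Per the snmp-agent target-host trap parameter description on this page,
    # an omitted version means SNMPv1.
    if tokens[1:2] == ["target-host"] and "trap" in tokens[:i]:
        return "v1"
    return None


def audit(config_text):
    """Return (line_number, kind, note) findings for snmp-agent lines."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("snmp-agent "):
            continue
        tokens = tokenize(line)
        if tokens[1:3] == ["sys-info", "version"]:
            weak = sorted(set(tokens[3:]) & {"v1", "v2c", "all"})
            if weak and tokens[-1] != "disable":
                findings.append((n, "version", "sys-info version enables "
                                 + ", ".join(weak) + "; SNMPv3 is recommended"))
            continue
        level = security_level(tokens)
        if level in LEVEL_NOTES:
            findings.append((n, level, LEVEL_NOTES[level]))
    return findings


# Constructed sample: lines 1-4 are this page's examples, lines 5-6 are invented.
SAMPLE_CONFIG = """\
snmp-agent sys-info version v2c
snmp-agent proxy rule proxy_rule_write write remote-engineid 01120025602101 target-host 10.1.1.1 params-in securityname hello v3
snmp-agent proxy target-host snmp-proxy address udp-domain 10.1.1.1 udp-port 165 timeout 45 params securityname public1 v3
snmp-agent target-host inform address udp-domain 192.168.0.1 params securityname 123 v3 privacy
snmp-agent target-host trap address udp-domain 192.168.0.2 params securityname nms_user
snmp-agent target-host inform address udp-domain 192.168.0.3 params securityname nms_user v3 authentication
"""

if __name__ == "__main__":
    for line_no, kind, note in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: [{kind}] {note}")
```

Only the inform example with v3 privacy passes without a finding; the two proxy examples specify v3 with neither keyword, so they are reported as unauthenticated and unencrypted.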

snmp-agent target-host trap

Function

The snmp-agent target-host trap command configures the target host for receiving SNMP traps.

The undo snmp-agent target-host command deletes the target host configuration for receiving SNMP traps.

By default, the target host is not set.

Format

snmp-agent target-host [ host-name host-name ] trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net }] * params securityname security-name [ [ v1 | v2c | v3 [ authentication | privacy ] ] | private-netmanager | ext-vb | notify-filter-profile profile-name | heart-beat enable ] *

snmp-agent target-host [ host-name host-name ] trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net } ] * params securityname cipher security-name [ [ v1 | v2c ] | private-netmanager | ext-vb | notify-filter-profile profile-name | heart-beat enable ] *

undo snmp-agent target-host { host-name host-name | ip-address securityname { security-name | cipher security-name } [ { vpn-instance vpn-instance-name | public-net } ] }

undo snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net } ] * params securityname { security-name | cipher security-name }

Parameters

Parameter Description Value
host-name host-name Specifies the SNMP target host name.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

trap Specifies the target host for receiving SNMP notifications in the form of traps. -
address Specifies the address of the target host that receives SNMP traps.
NOTE:
The IP address specified by address and the security name specified by securityname together identify a target host.
-
udp-domain ip-address Specifies the IP address of a specified target host, with the transmission domain being based on UDP. -
udp-port port-number Specifies the number of the port that receives SNMP traps. The value is an integer ranging from 0 to 65535. The default value is 162.
source interface-type interface-number Specifies the source interface for sending traps. -
public-net Connects the NMS host on the public network. -
vpn-instance vpn-instance-name Specifies the name of a VPN instance.
NOTE:
On a VPN network, you need to use the VPN instance specified by vpn-instance, IP address, and security name to identify a target host.
The VPN instance must already exist.
params securityname security-name Specifies the user security name displayed on the NMS.

For SNMPv3, securityname must be configured as the user name. securityname configured on the host needs to be the same as that configured on the NMS, or the NMS cannot receive the trap messages sent from the host.

For SNMPv1 and SNMPv2c, the NMS can receive trap messages from all hosts without having securityname configured. securityname is used to distinguish multiple hosts that generate trap messages.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

cipher security-name

Indicates the unencrypted or encrypted string of security name.

The value is a string of 1 to 32, 32, 48, 56, 68, or 68 to 168 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.
  • When the community name is a string of 1 to 32 characters, the string is processed as plain text by default and will be encrypted.
  • When the community name is a string of 32, 48, 56, 68, or 68 to 168 characters, the string is processed as cipher text by default, and the system will determine whether the string can be parsed.
v1 | v2c | v3 Indicates the SNMP version.
  • v1: SNMPv1.
  • v2c: SNMPv2c.
  • v3: SNMPv3.
If this parameter is not specified, the default version is SNMPv1.
-
authentication | privacy
Specifies the security mode.
  • authentication: authenticates packets without encryption.
  • privacy: authenticates and encrypts SNMP messages.
This parameter takes effect only in SNMPv3.
-
private-netmanager Indicates the Huawei NMS as the target host receiving a trap. When a Huawei NMS is deployed and this parameter is configured, a trap sent to the NMS contains more information, such as the trap type, sequence of the trap, and sending time. -
notify-filter-profile profile-name Specifies the filtering view name.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

ext-vb

Indicates that traps sent to a target host carry extended bound variables.

If a Huawei data communication device extends the trap objects defined in the public MIB, you can configure this parameter to determine whether traps sent to the NMS carry extended bound variables.

  • If this parameter is not configured, the traps sent from the Huawei data communication device do not carry extended bound variables.

    If you are using a third-party NMS tool, you are not advised to configure this parameter, which ensures that the NMS tool can receive alarms sent from the Huawei device.

    By default, a trap sent from a Huawei data communication device does not carry extended bound variables.

  • If this parameter is configured, the traps sent from the Huawei data communication device carry extended bound variables.

    If you are using a Huawei NMS tool, you are advised to configure this parameter, which allows you to view more information carried in a trap.

-
heart-beat enable

Indicates the heartbeat mechanism.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

SNMP notifications can be classified into traps and inform messages. Trap messages are less reliable than inform messages because the NMS does not send any acknowledgment when it receives a trap. In this case, the sender cannot verify whether the trap has been received. Informs are configured with an acknowledgment mechanism and therefore are reliable.

You can select parameters based on the following rules:
  • The default destination UDP port number is 162. If you have special requirements, such as protecting well-known ports from attacks, configure the udp-port parameter to change the UDP port number to a non-well-known port number. This ensures secure communication between the NMS and managed devices.

  • If you want the managed devices to send traps to the NMS through the VPN network, configure the parameter vpn-instance vpn-instance-name and specify a VPN instance.

  • The parameter securityname identifies devices that send traps on the NMS.

    NOTE:

    Ensure that the security-name value is the same as the created user name; otherwise, the NMS cannot access the device.

Configuration Impact

After the snmp-agent target-host trap command is executed, the SNMP agent deletes each trap once it has been sent, regardless of whether the trap reaches the NMS, to reduce resource consumption.

After the snmp-agent target-host inform command is executed, the SNMP agent, after sending an inform, waits for an inform ACK message from the NMS and the same inform is retransmitted only when no inform ACK message is received from the NMS within the specified period. If the SNMP agent does not receive the inform ACK message from the NMS during the retransmission period, the SNMP agent deletes this inform from the trap queue. This ensures that the NMS can receive the SNMP traps to the maximum extent. The transmission of traps, however, consumes fewer resources than that of informs.

Precautions

  • The system supports the configurations of 20 hosts for receiving traps and informs.

  • Before configuring a device to send traps, confirm that the information center has been enabled. To enable the information center, run the info-center enable command.

  • To enable a switch to propagate traps, you need to run at least one of the two commands, namely, snmp-agent target-host trap and snmp-agent trap enable on the switch.

  • If the same SNMP target host name and IP address are configured using the snmp-agent target-host trap and snmp-agent target-host inform commands, only the latest configuration takes effect.

  • A device supports a maximum of 20 target hosts.

Example

# Allow the SNMP agent to send SNMP traps to the target host with the IP address of 10.1.1.1.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap enable
[*HUAWEI] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname comaccess

# Allow the SNMP agent to send SNMP traps to the Huawei NMS with the IP address of 10.1.1.1.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap enable
[*HUAWEI] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname comaccess private-netmanager

snmp-agent target-host trap ipv6

Function

The snmp-agent target-host trap ipv6 command configures a target host to receive SNMP trap messages.

The undo snmp-agent target-host ipv6 command deletes the configuration of a target host to receive SNMP trap messages.

By default, the target host that receives SNMP trap messages is not set.

Format

snmp-agent target-host [ host-name host-name ] trap ipv6 address udp-domain ipv6-address [ udp-port port-number | [ vpn-instance vpn-instance-name | public-net ] ] * params securityname security-name [ [ v1 | v2c | v3 [ authentication | privacy ] ] | private-netmanager | ext-vb | notify-filter-profile profile-name ] *

snmp-agent target-host [ host-name host-name ] trap ipv6 address udp-domain ipv6-address [ udp-port port-number | [ vpn-instance vpn-instance-name | public-net ] ] * params securityname cipher security-name [ [ v1 | v2c ] | private-netmanager | ext-vb | notify-filter-profile profile-name ] *

undo snmp-agent target-host ipv6 ipv6-address securityname { security-name | cipher security-name }

undo snmp-agent target-host trap ipv6 address udp-domain ipv6-address [ udp-port port-number | [ vpn-instance vpn-instance-name | public-net ] ] * params securityname { security-name | cipher security-name }

undo snmp-agent target-host host-name host-name

Parameters

Parameter Description Value
host-name host-name Specifies the SNMP target host name.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

ipv6 address Sets the IPv6 address of the target host used to receive SNMP trap messages. -
udp-domain Indicates that trap messages are sent to the target host through the User Datagram Protocol (UDP). -
ipv6-address Specifies the IPv6 address of the target host. -
udp-port port-number Specifies the port number used to receive trap messages. The value is an integer that ranges from 0 to 65535. The default value is 162.
vpn-instance vpn-instance-name Specifies the name of a VPN instance.
NOTE:
On a VPN network, you need to use the VPN instance specified by vpn-instance, IP address, and security name to identify a target host.
The VPN instance must already exist.
public-net Connects the NMS host on the public network. -
params securityname security-name Specifies the SNMP security name that is displayed as the user name on the NMS.

For SNMPv3, securityname must be configured as the user name. securityname configured on the host needs to be the same as that configured on the NMS, or the NMS cannot receive the trap messages sent from the host.

For SNMPv1 and SNMPv2c, the NMS can receive trap messages from all hosts without having securityname configured. securityname is used to distinguish multiple hosts that generate trap messages.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

cipher security-name

Indicates the unencrypted or encrypted string of security name.

The value is a string of 1 to 32, 32, 48, 56, 68, or 68 to 168 case-sensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string.
  • When the community name is a string of 1 to 32 characters, the string is processed as plain text by default and will be encrypted.
  • When the community name is a string of 32, 48, 56, 68, or 68 to 168 characters, the string is processed as cipher text by default, and the system will determine whether the string can be parsed.
v1 | v2c | v3 Specifies the SNMP version.
  • v1: indicates SNMPv1.
  • v2c: indicates SNMPv2c.
  • v3: indicates SNMPv3.
If no SNMP version is specified, SNMPv1 is used by default.
-
authentication | privacy
Specifies the security mode for SNMP trap messages.
  • authentication: indicates that the SNMP trap messages are authenticated but not encrypted.
  • privacy: indicates that SNMP trap messages are authenticated and encrypted.
-
private-netmanager Indicates that the target host is a Huawei NMS. Specify this parameter when a Huawei NMS is used. This parameter enables trap messages sent to the NMS to contain more information, including types, sequence numbers, and transmission time of trap messages. -
notify-filter-profile profile-name Specifies the name of a trap filter profile.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

ext-vb

Indicates that trap messages sent to a target host carry extended bound variables.

If alarm objects defined in public MIBs are extended on a Huawei data communication device, you can use ext-vb to determine whether the trap messages sent to the NMS carry extended bound variables.

  • If ext-vb is not specified, trap messages sent from the device do not carry extended bound variables.

    When a third-party NMS is used, you are advised not to specify the ext-vb parameter so that the third-party NMS can receive trap messages from Huawei data communication devices.

    By default, trap messages sent from a Huawei data communication device do not carry extended bound variables.

  • If ext-vb is specified, trap messages sent from the device carry extended bound variables.

    This parameter is recommended when a Huawei NMS is used so that more information can be transmitted in trap messages.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command is used to configure an IPv6 NMS host so that traps can be sent to the host using the IPv6 protocol.

The system supports the configurations of 20 hosts for receiving traps and informs.

Precautions

After configuring a security level for an NMS host, ensure that the security level for the NMS host is equal to or higher than the security level of the SNMP user to which securityname corresponds. Otherwise, the NMS host cannot send traps properly.

The user security level can be (in descending order):
  • Level 1: privacy (authentication and encryption)
  • Level 2: authentication (without encryption)
  • Level 3: none (neither authentication nor encryption)

The security level of an alarm host must be higher than or equal to the user security level. For example, if the user security level is level 1, the security level of the alarm host must be level 1; if the user security level is level 2, the security level of the alarm host can be level 1 or level 2.

Example

# Configure an IPv6 NMS host that uses SNMPv3. Set the security name to Huawei and configure traps to be authenticated and encrypted.

<HUAWEI> system-view
[~HUAWEI] snmp-agent target-host trap ipv6 address udp-domain FC00::1 params securityname Huawei v3 privacy

snmp-agent trap disable

Function

The snmp-agent trap disable command disables the trap function for all features.

The undo snmp-agent trap disable command restores the trap function for all features to the default status.

To view the default status of the trap function for all features, run the display snmp-agent trap all command.

Format

snmp-agent trap disable

undo snmp-agent trap disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

To enable the trap function for all modules, run the snmp-agent trap enable command. To enable the trap function for a specified module, run the snmp-agent trap enable feature-name command.
  • To disable the trap function for all modules, run the snmp-agent trap disable command.

  • To restore the trap function for all features to the default status, run the undo snmp-agent trap disable or undo snmp-agent trap enable command.

NOTE:

To disable the trap function for a specified module, run the undo snmp-agent trap enable feature-name command.

Example

# Disable the trap function for all features.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap disable

snmp-agent trap enable

Function

The snmp-agent trap enable command enables the switch to send traps.

The undo snmp-agent trap enable command restores the default setting.

The default configuration of the snmp-agent trap enable command can be checked by the display snmp-agent trap all command.

Format

snmp-agent trap enable

undo snmp-agent trap enable

Parameters

None.

Views

System view

Default Level

3: Management level

Usage Guidelines

The snmp-agent trap enable command must be used together with the snmp-agent target-host inform command or snmp-agent target-host trap command.

To enable a device to send traps, you need to run at least the snmp-agent target-host inform command or snmp-agent target-host trap command on the device to specify the destination address of the traps.

Example

# Enable the switch to send traps.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap enable

snmp-agent trap enable feature-name

Function

The snmp-agent trap enable feature-name command enables a specified trap for a specified feature.

The undo snmp-agent trap enable feature-name command disables a specified trap for a specified feature.

The default configuration of the snmp-agent trap enable feature-name command can be checked using the display snmp-agent trap all command.

Format

snmp-agent trap enable feature-name feature-name [ trap-name trap-name ]

undo snmp-agent trap enable feature-name feature-name [ trap-name trap-name ]

Parameters

Parameter Description Value
feature-name Specifies the name of the feature that generates traps. -
trap-name trap-name Specifies the name of a trap. -

Views

System view

Default Level

3: Management level

Usage Guidelines

If trap-name trap-name is not specified, the switch enables all traps about a specified feature after the snmp-agent trap enable feature-name feature-name command is used.

You can run the display snmp-agent trap feature-name all command to check the configuration result.

Example

# Enable the switch to send the fallingalarm trap about RMON to the NMS.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap enable feature-name rmon trap-name fallingalarm

snmp-agent trap enable feature-name snmp

Function

The snmp-agent trap enable feature-name snmp command enables an SNMP trap.

The undo snmp-agent trap enable feature-name snmp command disables an SNMP trap.

To view the default status of SNMP traps, run the display snmp-agent trap feature-name snmp all command.

Format

snmp-agent trap enable feature-name snmp [ trap-name trap-name ]

undo snmp-agent trap enable feature-name snmp [ trap-name trap-name ]

Parameters

Parameter Description Value
trap-name trap-name Specifies the name of a trap.
The traps are as follows:
  • authenticationFailure
  • coldStart
  • hwNmsHeartBeat
  • hwNmsPingTrap
  • warmStart

Views

System view

Default Level

3: Management level

Usage Guidelines

The snmp-agent trap enable feature-name snmp command is used to enable an SNMP trap. The trap generated during the device running will be sent to the NMS. At present, the following SNMP traps are supported:
  • coldStart: This trap is generated when the device is powered off and restarted.
  • warmStart: This trap is generated when the status of SNMP agent is changed from disable to enable.
  • hwNmsPingTrap: This trap is generated when the device successfully connects to the NMS.
  • authenticationFailure: This trap is generated when a user uses an incorrect community name and is unable to log in to the device.
  • hwNmsHeartBeat: This trap is generated when a heartbeat packet is successfully sent.

You can run the display snmp-agent trap feature-name snmp all command to check the configuration result.

Example

# Enable the SNMP authenticationFailure trap.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap enable feature-name snmp trap-name authenticationFailure

snmp-agent trap source

Function

The snmp-agent trap source command sets the source interface from which traps are sent.

The undo snmp-agent trap source command removes the set source interface configuration.

By default, no source interface is set.

Format

snmp-agent trap source interface-type interface-number

undo snmp-agent trap source

Parameters

Parameter Description Value
interface-type interface-number Specifies the type and number of the source interface that sends traps. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run the snmp-agent trap source command to specify the type and number of the interface on the device from which traps are sent. The system specifies the IP address of this interface as the source IP address of traps. In this way, the trap source can be identified on the NMS.

Precautions

The source interface that sends traps must have an IP address; otherwise, the command will fail to take effect. To ensure device security, it is recommended that you set the source IP address to the local loopback address.

The source interface in traps on the device must be the same as the source interface specified on the NM station. Otherwise, the NM station cannot receive traps.

Example

# Specify the IP address of VLANIF100 as the source address of traps.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap source vlanif 100

snmp-agent trap source-port

Function

The snmp-agent trap source-port command configures the number of the source port that sends trap messages.

The undo snmp-agent trap source-port command restores the default number of the source port that sends trap messages.

By default, the source port that sends trap messages is a random port.

Format

snmp-agent trap source-port port-num

undo snmp-agent trap source-port

Parameters

Parameter Description Value
port-num Specifies the number of the source port that sends trap messages. The value is an integer ranging from 1025 to 65535.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To improve the security of network packets, run the snmp-agent trap source-port command to configure the source port that sends trap messages. The user firewall can then filter packets based on the port number.

Precautions

By default, a random port is used to send trap messages, and no configuration file is generated. After you configure a specific source port, the corresponding configuration file is generated. If you delete the specified source port, no configuration file is generated.

If a device sends packets to the NMS in Inform mode and the snmp-agent trap source-port command is run to change the source port number, SNMP uses the new source port instead of the original port to receive response packets from the NMS. As a result, packets are retransmitted.

Example

# Set the number of the source port that sends SNMP agent trap messages to 1057.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap source-port 1057

snmp-agent udp-port

Function

The snmp-agent udp-port command sets the listening port of the SNMP agent.

The undo snmp-agent udp-port command restores the default listening port of the SNMP agent.

By default, the listening port of the SNMP agent is 161.

Format

snmp-agent udp-port port-num

undo snmp-agent udp-port

Parameters

Parameter Description Value
port-num Specifies the listening port of the SNMP agent. The value is 161 or an integer that ranges from 1025 to 65535.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The SNMP agent is a proxy process running on a network device. By default, the SNMP agent listens on port 161 to respond to instructions sent from the NMS. In this manner, the NMS can manage the network device. Fixing the listening port may threaten network security. For example, if all attack packets are sent to this listening port, the network is congested.

To improve device security, run the snmp-agent udp-port command to change the listening port of the SNMP agent.

Configuration Impact

After you run this command, the SNMP agent listens on the new port number. The original SNMP connection with the NMS is torn down, and the NMS must use the new port number to connect to the device.

Precautions

The listening port configured on the NMS must be the same as that specified by the snmp-agent udp-port command. Otherwise, the NMS cannot connect to the device.

Example

# Set the listening port of the SNMP agent to 1057.

<HUAWEI> system-view
[~HUAWEI] snmp-agent udp-port 1057

snmp-agent usm-user

Function

The snmp-agent usm-user command adds a user to an SNMP user group.

The undo snmp-agent usm-user command deletes a user from an SNMP user group.

By default, the SNMP user group has no users added.

Format

# Add a user (method 1)

snmp-agent [ remote-engineid engineid ] usm-user v3 user-name group-name [ authentication-mode { md5 | sha } password [ privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } password ] ] [ acl { acl-number | acl-name } ]

# Add a user (method 2)

snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group group-name | acl { acl-number | acl-name } ] *

snmp-agent [ remote-engineid engineid ] usm-user v3 user-name authentication-mode { md5 | sha } [ cipher password ]

snmp-agent [ remote-engineid engineid ] usm-user v3 user-name privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } [ cipher password ]

# Delete a user

undo snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group | acl | authentication-mode | privacy-mode ]

Parameters

Parameter Description Value
remote-engineid engineid

Specifies the ID of the engine associated with a user.

NOTE:

When a device is configured to send informs, the trap host needs to return reply packets; therefore, the NMS-side engine ID must be configured on the device. In this situation, the remote-engineid engineid parameter must be set to the engine ID of the trap host.

The value is a string of 10 to 64 hexadecimal digits. It cannot be all 0s or all Fs.
v3 Indicates that the security mode in v3 is adopted. -
user-name Specifies the name of a user.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

group-name Specifies the name of the group to which a user belongs.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

group group-name Specifies the name of the group to which a user belongs.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

authentication-mode Sets the authentication mode. -
md5 | sha
Indicates the authentication protocol.
  • md5: Specifies HMAC-MD5-96 as the authentication protocol.
  • sha: Specifies HMAC-SHA-96 as the authentication protocol.
NOTE:
The calculation speed of the HMAC-MD5-96 algorithm is faster than that of the HMAC-SHA-96 algorithm; the HMAC-SHA-96 algorithm is more secure than the HMAC-MD5-96 algorithm. To ensure high security, please use the HMAC-SHA-96 algorithm.
-
password Specifies the password.

If the password is displayed in plain text, it is a string of 8 to 255 characters. If the password is displayed in cipher text, it is a string of 32 to 432 characters. When double quotation marks are used around the string, spaces are allowed in the string.

By default, the device performs complexity check for the SNMPv3 authentication or encryption password. In this case, the plain-text password length ranges from 8 to 255. To disable password complexity check, run the snmp-agent usm-user password complexity-check disable command. In this case, the plain-text password length ranges from 1 to 255.

NOTE:
After the password complexity check is enabled, the password cannot be the same as the user name or reverse of the user name. The password must contain at least two types of characters, including uppercase and lowercase letters, digits, and special characters. The special characters cannot be question mark (?) or space.
cipher password Specifies the password. The value is a case-sensitive string without spaces. It must be in cipher text format with 32 to 432 characters. When double quotation marks are used around the string, spaces are allowed in the string.
NOTE:
The password cannot be the same as the user name or reverse of the user name. The password must contain at least two types of characters, including uppercase and lowercase letters, digits, and special characters. The special characters cannot be question mark (?) or space.
privacy-mode Specifies the authentication with encryption.

The system adopts the cipher block chaining (CBC) code of the data encryption standard (DES) and uses 128-bit privKey to generate the key. The NMS uses the key to calculate the CBC code and then adds the CBC code to the message while the SNMP agent fetches the authentication code through the same key and then obtains the actual information. Like the identification authentication, the encryption requires the NMS and the SNMP agent to share the same key to encrypt and decrypt the message.

-
{ 3des168 | aes128 | aes192 | aes256 | des56 } Indicates 3DES–168, AES–128, AES–192, AES–256, or DES–56 as the encryption protocol.

-

acl { acl-number | acl-name }
Specifies the ACL.
  • acl-number specifies the number of the basic ACL.
  • acl-name specifies the ACL name.
  • acl-number: The value of acl-number is an integer that ranges from 2000 to 2999.
  • acl-name: The value is a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter (case-sensitive).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Two commands are available to add a user. The effects of the two commands are the same. You can select any of them.

SNMPv1 and SNMPv2c have serious defects in terms of security. The security authentication mechanism used by SNMPv1 and SNMPv2c is based on the community name. In this mechanism, the community name is transmitted in plain text. You are not advised to use SNMPv1 and SNMPv2c on untrusted networks.

By adopting the user-based security model, SNMPv3 eradicates the security defects in SNMPv1 and SNMPv2c and provides two services, authentication and encryption. The user-based security model defines three security authentication levels: noAuthNoPriv, AuthNoPriv, and AuthPriv.
NOTE:
The security authentication level noAuthPriv does not exist. This is because the generation of a key is based on the authentication information and product information.
Different from SNMPv1 and SNMPv2c, SNMPv3 can implement access control, identity authentication, and data encryption through the local processing model and user security model. SNMPv3 can provide higher security and confidentiality than SNMPv1 and SNMPv2c. The following table lists the difference between SNMPv1, SNMPv2c, and SNMPv3:
Table 18-23  Comparison in the security of SNMP of different versions
Protocol version | User Checksum | Encryption | Authentication
v1 | Adopts the community name. | None | None
v2c | Adopts the community name. | None | None
v3 | Adopts user name-based encryption/decryption. | Yes | Yes

The snmp-agent group command can be used to configure the authentication, encryption, and access rights for an SNMP group. The snmp-agent group command can be used to configure the rights for users in a specified SNMP group and bind the SNMP group to a MIB view. The MIB view is created through the snmp-agent mib-view command. For details, see the usage guideline of this command. After an SNMP user group is configured, the MIB-view-based access control is configured for the SNMP user group. Users cannot access objects in the MIB view through the SNMP user group. The purpose of adding SNMP users to an SNMP user group is to ensure that SNMP users in an SNMP user group have the same security level and access control list. When you run the snmp-agent usm-user command to configure a user in an SNMP user group, you configure the MIB-view-based access rights for the user. If an SNMP user group is configured with the AuthPriv access rights, you can configure the authentication mode and encryption mode when configuring SNMP users. Note that the authentication keys and encryption passwords configured on the NMS and the SNMP agent should be the same; otherwise, authentication fails.

When the NMS and device are in an insecure network environment, for example, a network prone to attacks, it is recommended that you configure different authentication and encryption passwords to improve security.

Configuration Impact

If an SNMP agent is configured with a remote user, the engine ID is required during the authentication. If the engine ID changes after the remote user is configured, the remote user becomes invalid.

Precautions

The user security level must be higher than or equal to the security level of the SNMP user group to which the user is added.

The security level of an SNMP user group can be (in descending order):
  • Level 1: privacy (authentication and encryption)
  • Level 2: authentication (without encryption)
  • Level 3: none (neither authentication nor encryption)

The user security level must be higher than or equal to the user group level. For example, if the security level of an SNMP user group is level 1, the security level of the user that is added to the group must be level 1; if the security level of an SNMP user group is level 2, the security level of the user that is added to the group can be level 1 or level 2.

If the user security level is set to neither authentication nor encryption, the user only has the read-only permission within MIB-2 (OID: 1.3.6.1.2.1).

To add an SNMP user to an SNMP group, ensure that the SNMP user group is valid.

If you run the snmp-agent usm-user command multiple times, only the latest configuration takes effect.

Keep your user name and plain-text password safe when creating the user. The plain-text password is required when the NMS accesses the device.

The passwords have the following characteristics:
  • The password is a string of 8 to 255 case-sensitive characters.

  • The password must contain at least two of the following characters: upper-case character, lower-case character, digit, and special character.

    Special characters do not include the question mark (?) and space.

  • The password should not contain repeated character strings such as abc123abc123abc123 and **123abc**123abc.

  • The password entered in interactive mode is not displayed on the screen.

NOTE:

By default, the device checks the complexity of SNMPv3 authentication passwords or encryption passwords. If the check fails, the password configuration fails. Run the snmp-agent usm-user password complexity-check disable command to disable the device from checking password complexity.

To ensure high security, do not use the MD5 algorithm for SNMPv3 authentication or use the DES56 or 3DES168 algorithm for SNMPv3 encryption.

Example

# Configure an SNMPv3 user with user name u1, group name g1, authentication mode sha, authentication password 8937561bc, encryption mode aes128, and encryption password 68283asd.

<HUAWEI> system-view
[~HUAWEI] snmp-agent usm-user v3 u1 group g1
[*HUAWEI] snmp-agent usm-user v3 u1 authentication-mode sha
Please configure the authentication password (8-255)                             
Enter Password:                                                                 
Confirm Password: 
[*HUAWEI] snmp-agent usm-user v3 u1 privacy-mode aes128
Please configure the privacy password (8-255)                                     
Enter Password:                                                                 
Confirm Password:
[*HUAWEI]

snmp-agent usm-user password complexity-check disable

Function

The snmp-agent usm-user password complexity-check disable command disables complexity check for the authentication or encryption password.

The undo snmp-agent usm-user password complexity-check disable command enables complexity check for the authentication or encryption password.

By default, the device performs complexity check for the authentication or encryption password.

Format

snmp-agent usm-user password complexity-check disable

undo snmp-agent usm-user password complexity-check disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

On a secure network, run the snmp-agent usm-user password complexity-check disable command to disable complexity check for the authentication or encryption password.

Precautions

For security purposes, do not disable complexity check for the authentication or encryption password.

Example

# Disable complexity check for the authentication or encryption password.

<HUAWEI> system-view
[~HUAWEI] snmp-agent usm-user password complexity-check disable
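The precautions for snmp-agent usm-user (avoid MD5, DES56, and 3DES168) and for this command (do not disable the complexity check) can be verified against an exported configuration. The following is an added example, not Huawei code: the audit function, its finding codes, and the sample configuration are constructed for illustration, and the keywords md5, des56, and 3des168 are assumed to be the CLI forms of the algorithms named above, in the same style as sha and aes128.

```python
import re

WEAK_AUTH = {"md5"}               # assumed CLI keyword for MD5
WEAK_PRIV = {"des56", "3des168"}  # assumed CLI keywords for DES56 / 3DES168
COMPLEXITY_OFF = "snmp-agent usm-user password complexity-check disable"

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
snmp-agent usm-user password complexity-check disable
snmp-agent usm-user v3 u1 group g1
snmp-agent usm-user v3 u1 authentication-mode sha
snmp-agent usm-user v3 u1 privacy-mode aes128
snmp-agent usm-user v3 u2 group g1
snmp-agent usm-user v3 u2 authentication-mode md5
snmp-agent usm-user v3 u2 privacy-mode des56
snmp-agent usm-user v3 u3 group g2
"""

USER_RE = re.compile(
    r"^snmp-agent usm-user v3 (\S+)(?: (authentication-mode|privacy-mode) (\S+))?")


def audit(config):
    """Return (subject, finding) pairs for the weak settings the page warns about."""
    findings, users = [], {}
    for line in map(str.strip, config.splitlines()):
        if line == COMPLEXITY_OFF:
            findings.append(("global", "complexity-check-disabled"))
            continue
        m = USER_RE.match(line)
        if not m:
            continue
        user, key, value = m.groups()
        modes = users.setdefault(user, {})
        if key:
            modes[key] = value.lower()  # the latest configuration takes effect
    for user, modes in users.items():
        auth = modes.get("authentication-mode")
        priv = modes.get("privacy-mode")
        if auth is None:
            findings.append((user, "no-auth"))
        elif auth in WEAK_AUTH:
            findings.append((user, "weak-auth:" + auth))
        if priv is None:
            findings.append((user, "no-priv"))
        elif priv in WEAK_PRIV:
            findings.append((user, "weak-priv:" + priv))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(subject, finding)
```
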
Updated: 2019-03-21

Document ID: EDOC1000166501
