CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Applying Basic ACLs to SNMP to Filter NMSs

Networking Requirements

As shown in Figure 5-14, two NMSs are available on the network to monitor network devices. The network is small and has a high security level. Therefore, the administrator requires that only the trusted NMS (NMS2) manage network devices and that the Router use SNMPv1 to communicate with the NMS. Invalid NMSs must not be able to manage the Router. According to service requirements, the administrator allows the NMS to manage only DNS objects, and the administrator should be able to locate and rectify faults quickly through the NMS.

Figure 5-14  Applying basic ACLs to SNMP to filter NMSs

Configuration Roadmap

The following configurations are performed on the Router. The configuration roadmap is as follows:

  1. Configure SNMPv1 on the router.

  2. Configure ACLs, a MIB view, and a community name to control the access rights of NMSs. NMS2 can manage only the objects on the Router except RMON, and NMS1 cannot manage the Router.

  3. Configure the trap function on the router to send alarms generated on the router to NMS2. Only modules that are enabled by default can send alarms, which helps locate alarms and prevent unwanted alarms.

  4. Configure contact information about the router administrator to quickly troubleshoot faults when the router fails.

  5. Configure the NM station (only NMS2).

Procedure

  1. Configure the IP address and route on the router and ensure the route between the device and the NMS is reachable.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] interface gigabitethernet 1/0/0
    [Router-GigabitEthernet1/0/0] ip address 10.1.2.1 24
    [Router-GigabitEthernet1/0/0] quit
    [Router] ospf
    [Router-ospf-1] area 0
    [Router-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
    [Router-ospf-1-area-0.0.0.0] quit
    [Router-ospf-1] quit
    

  2. Enable the SNMP agent.

    [Router] snmp-agent
    

  3. Configure SNMPv1 on the Router.

    [Router] snmp-agent sys-info version v1
    

  4. Configure access rights of the NM station.

    # Configure ACLs, enable NMS2 to manage the Router, and disable NMS1 from managing the Router.

    [Router] acl 2001
    [Router-acl-basic-2001] rule 5 permit source 10.1.1.2 0.0.0.0
    [Router-acl-basic-2001] rule 6 deny source 10.1.1.1 0.0.0.0
    [Router-acl-basic-2001] quit

    # Configure a MIB view.

    [Router] snmp-agent mib-view dnsmib include 1.3.6.1.4.1.2011.5.25.194

    # Configure the source interface from which traps are sent.

    [Router] snmp-agent trap source gigabitethernet 1/0/0

    # Configure an SNMP community name and reference the configured ACLs and the MIB view.

    [Router] snmp-agent community write adminnms2 mib-view dnsmib acl 2001

  5. Configure the trap function.

    [Router] snmp-agent target-host trap-paramsname trapnms2 v1 securityname adminnms2
    [Router] snmp-agent target-host trap-hostname nms2 address 10.1.1.2 trap-paramsname trapnms2
    [Router] snmp-agent trap queue-size 200
    [Router] snmp-agent trap life 60
    [Router] snmp-agent trap enable

  6. Configure contact information about the device administrator.

    [Router] snmp-agent sys-info contact call Operator at 010-12345678

  7. Configure the NM station (NMS2).

    Set read and write community names on the NMS that uses SNMPv1. For configurations of the NMS, refer to related configuration guides.

    NOTE:

    Authentication parameter configuration of the NMS must be the same as that of the device. If the authentication parameter configuration of the NMS is different from that of the device, the NMS cannot manage the device. If only the write community name is configured on the device, the read and write community names on the NMS must be the same as the write community name configured on the device.

  8. Verify the configuration.

    After the configuration is complete, run the following commands to verify that the configurations have taken effect.

    # Check the configured SNMP version.

    <Router> display snmp-agent sys-info version
       SNMP version running in the system:
               SNMPv1 

    # View the community names.

    <Router> display snmp-agent community write  
       Community name: %^%#$X!5#d+t+OJOXL1[{O2!&Fe&0UZv'@a;R/`Y+kK$4BUGFe)&2YLuM/kMF!HPG5Mzz3DXe2&F%^%#
    
       Storage type: nonVolatile
       View name: dnsmib
       Acl: 2001
    
       Total number is 1

    # Check the configuration of ACLs.

    <Router> display acl 2001
    Basic ACL 2001, 2 rules
    Acl's step is 5
     rule 5 permit source 10.1.1.2 0 
     rule 6 deny source 10.1.1.1 0        

    # Display the MIB view.

    <Router> display snmp-agent mib-view dnsmib
       View name: dnsmib
       MIB subtree: hwDnsMIB
       Subtree mask:
       Storage type: nonVolatile
       View type: included
       View status: active                                                          

    # Check the target host for alarms.

    <Router> display snmp-agent target-host
       Traphost list:
       Target host name: nms2
       Traphost address: 10.1.1.2
       Traphost portnumber: 162
       Target host parameter: trapnms2
    
       Total number is 1
    
       Parameter list trap target host:
       Parameter name of the target host: trapnms2
       Message mode of the target host: SNMPV1
       Trap version of the target host: v1
       Security name of the target host: %^%#_=XqAFC_94uCS,3'<gYC*ZU6%^%#
    
       Total number is 1                     

    # Check contact information about the device administrator.

    <Router> display snmp-agent sys-info contact
       The contact person for this managed node:
               call Operator at 010-12345678  

Configuration Files

Configuration file of the Router

#
 sysname Router
#
acl number 2001
 rule 5 permit source 10.1.1.2 0
 rule 6 deny source 10.1.1.1 0
#
interface GigabitEthernet1/0/0
 ip address 10.1.2.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.255
#
 snmp-agent local-engineid 800007DB03548998F3A458
 snmp-agent community write %^%#$X!5#d+t+OJOXL1[{O2!&Fe&0UZv'@a;R/`Y+kK$4BUGFe)&2YLuM/kMF!HPG5Mzz3DXe2&F%^%# mib-view dnsmib acl 2001
 snmp-agent sys-info contact call Operator at 010-12345678
 snmp-agent sys-info version v1
 snmp-agent target-host trap-hostname nms2 address 10.1.1.2 udp-port 162 trap-paramsname trapnms2
 snmp-agent target-host trap-paramsname trapnms2 v1 securityname %^%#_=XqAFC_94uCS,3'<gYC*ZU6%^%#
 snmp-agent mib-view dnsmib include hwDnsMIB
 snmp-agent trap source gigabitethernet 1/0/0
 snmp-agent trap enable
 snmp-agent trap queue-size 200
 snmp-agent trap life 60
 snmp-agent
#
return
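
An added example (not part of the Huawei guide or its tooling): a Python check that reads a configuration file in the format shown above, evaluates a source address against a basic ACL, and lists SNMP communities that are not bound to a usable ACL. `SAMPLE` is constructed from the file above with a placeholder community name, the function names are this example's own, and it assumes rules are matched in ascending rule-ID order; a result of `None` means no rule matched, a case whose handling the page does not describe.

```python
import ipaddress
import re
# Constructed sample, trimmed from the Router configuration file above.
SAMPLE = """\
acl number 2001
 rule 5 permit source 10.1.1.2 0
 rule 6 deny source 10.1.1.1 0
#
 snmp-agent community write PLACEHOLDER mib-view dnsmib acl 2001
 snmp-agent sys-info version v1
"""

def to_int(addr):
    # The config file abbreviates a host wildcard (0.0.0.0) as "0".
    return int(ipaddress.IPv4Address("0.0.0.0" if addr == "0" else addr))

def parse_acls(config):
    """Return {acl number: [(rule id, action, address, wildcard), ...]}."""
    acls, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"acl number (\d+)", line):
            current = acls.setdefault(m[1], [])
        elif line.startswith("#"):
            current = None  # "#" closes the current configuration section
        elif current is not None and (m := re.match(
                r"\s+rule (\d+) (permit|deny) source (\S+) (\S+)", line)):
            current.append((int(m[1]), m[2], to_int(m[3]), to_int(m[4])))
    return acls

def acl_decision(rules, src):
    """First match in rule-ID order wins (assumed); None means no match."""
    ip = to_int(src)
    for _, action, addr, wildcard in sorted(rules):
        care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (ip & care) == (addr & care):
            return action
    return None

def audit(config):
    acls, findings = parse_acls(config), []
    for kind, rest in re.findall(r"snmp-agent community (read|write) \S+(.*)", config):
        acl = re.search(r"\bacl (\d+)", rest)
        if not acl:
            findings.append(f"{kind} community has no ACL")
        elif not any(r[1] == "permit" for r in acls.get(acl[1], [])):
            findings.append(f"ACL {acl[1]} is undefined or permits no source")
    if re.search(r"sys-info version v(1|2c)\b", config):
        findings.append("SNMPv1/v2c: community name is sent in cleartext")
    return findings
```

Run against the sample, `audit(SAMPLE)` reports only the SNMPv1 finding, and `acl_decision` returns `permit` for NMS2 (10.1.1.2) and `deny` for NMS1 (10.1.1.1).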
Updated: 2019-08-07

Document ID: EDOC1100034077
