NE20E-S2 V800R010C10SPC500 Configuration Guide - System Management 01

Configuring a Local SNMPv3 User on a Device to Communicate with an NMS

After SNMPv3 is configured, a managed device and an NMS can run SNMPv3 to communicate with each other. To ensure communication, you need to configure the agent and NMS. This section only describes the configuration on a managed device (the agent side). For details about configurations on an NMS, see the NMS operation guide.

Applicable Environment

AAA is an authentication, authorization, and accounting technique. AAA local users can be configured to log in to a device through FTP, Telnet, or SSH. However, SNMPv3 supports only SNMP users, which can be an inconvenience in unified network device management.

To resolve this issue, configure SNMP to support AAA users. AAA users can then access the NMS, and MIB node operation authorization can be performed based on tasks. The NMS does not distinguish AAA users and SNMP users.

Figure 16-7 shows the process of an AAA user logging in to the NMS through SNMP.

Figure 16-7 Process of an AAA user logging in to the NMS through SNMP

After completing the following configuration task, an NMS can communicate with a device to be managed. To perform refined management, refer to the follow-up configuration procedure.

Pre-configuration Tasks

Before configuring a device to communicate with an NMS using SNMPv3, configure a routing protocol to ensure that at least one route exists between the router and the NMS.

Configuration Procedure

Figure 16-8 Flowchart for configuring a local SNMPv3 user on a device to communicate with an NMS

Configuring Basic SNMPv3 Functions

Basic SNMPv3 functions can be configured to allow an NMS to monitor and operate a managed device.

Context

Before a local SNMPv3 user is configured on a device to communicate with an NMS, the user must be added to a user group at the AAA side, and the user group is associated with a specific task group. The task group consists of multiple tasks, and each task is mapped to a MIB object that is granted reading and writing permissions. Users assigned a specific task obtain the specified reading and writing permissions on MIB objects.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    AAA is enabled, and the AAA view is displayed.

  3. Run task-group task-group-name

    A task group is created, and the task group view is displayed.

  4. Run task snmp { debug | execute | read | write } *

    A task is added to the task group and granted permissions.

    Each MIB object is associated with a specific task. Performing this step grants users permissions to MIB objects.

  5. Run quit

    The AAA view is displayed.

  6. Run user-group user-group-name

    A user group is created, and the user group view is displayed.

  7. Run task-group task-group-name

    The user group is associated with a task group.

  8. Run quit

    The AAA view is displayed.

  9. Run local-user user-name password [ cipher password | irreversible-cipher irreversible-cipher-password ]

    A local user is created, and a password is set for the user to log in to the device.

    If an AAA user is configured as a local SNMP user, the user-name value is a string of 1 to 32 characters.

  10. Run local-user user-name user-group user-group-name

    The local user is added to a user group.

    A user group can be used by multiple local users. A local user belongs only to one user group.

  11. Run local-user user-name service-type snmp

    The access type of the local user is set to SNMP.

  12. Run quit

    The system view is displayed.

  13. (Optional) Run snmp-agent

    The SNMP agent function is enabled.

    This step is optional because the SNMP agent function is enabled by running any snmp-agent command, irrespective of whether any parameter is specified.

  14. Run snmp-agent password min-length min-length

    The minimum SNMP password length is configured.

    After this command is run, the length of any subsequently configured SNMP password must be greater than or equal to the minimum SNMP password length.

  15. (Optional) Run snmp-agent udp-port port-number

    The UDP port number on which the SNMP agent listens is changed.

  16. (Optional) Run snmp-agent sys-info version v3

    The SNMP version is set.

  17. Run snmp-agent local-user v3 user-name authentication-mode { md5 | sha } { privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } | cipher encrypt-password privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } cipher encrypt-password }

    Local SNMPv3 user information is configured.

    The authentication password configured for an AAA user can be different from that for a local SNMP user. Deleting a local AAA user causes the local SNMP user to be also deleted. Deleting a local SNMP user, however, does not affect the local AAA user.

    The priority of an SNMP USM user is higher than that of a local SNMP user. If an SNMP USM user name is the same as a local SNMP user name, the SNMP USM user configurations, including authentication and encryption passwords, are used during a login.

    By default, a device checks the complexity of the local users' authentication and encryption passwords. The configured passwords must meet the password complexity requirements. To disable the password complexity check, run the snmp-agent local-user password complexity-check disable command. Enabling the password complexity check is recommended, which improves system security.

    To improve system security, it is recommended to configure different authentication and encryption passwords for an SNMP user.

  18. (Optional) Run snmp-agent sys-info { contact contact | location location }

    The device administrator contact information or location is configured.

    This step is required for the NMS administrator to view contact information and locations of the device administrator when the NMS manages many devices. This helps the NMS administrator contact the device administrators for fault location and rectification.

  19. (Optional) Run snmp-agent packet max-size byte-count

    The maximum size of an SNMP packet that the device can receive or send is set.

    After the maximum size is set, the device discards any SNMP packet that is larger than the set size.

  20. (Optional) Configure SNMP to receive and respond to NMS request packets. To achieve this, run one or more of the following commands as needed:

    • Run snmp-agent protocol source-interface interface-type interface-number

      A source interface is configured for SNMP to receive and respond to NMS request packets.

    • Run snmp-agent protocol ipv6 source-ip ip-address

      A source IPv6 address is configured for SNMP to receive and respond to NMS request packets.

    • Configure SNMP to receive and respond to NMS request packets through a VPN instance or public network.
      • For an IPv4 network, run the snmp-agent protocol { vpn-instance vpn-instance-name | public-net } command.
      • For an IPv6 network, run the snmp-agent protocol ipv6 { vpn-instance vpn-instance-name | public-net } command.

  21. (Optional) Run snmp-agent local-engineid engineid

    An engine ID for the local SNMP entity is set.

    The MAC address of the management interface on the main control board is used as device information.

    NOTE:
    To improve system security, run the snmp-agent packet contextengineid-check enable command to check whether the contextEngineID is consistent with the local engine ID.

  22. Run snmp-agent set-cache enable

    The SET Response message caching function is enabled.

  23. (Optional) Run snmp-agent get-cache disable

    The GET response message caching function is disabled.

  24. (Optional) Run snmp-agent get-cache age-out age-out

    An aging period is configured for the GET response message caching function.

  25. (Optional) Run snmp-agent protocol server [ ipv4 | ipv6 ] disable

    The SNMP IPv4 or IPv6 listening port is disabled.

    After you disable the SNMP IPv4 or IPv6 listening port using the snmp-agent protocol server disable command, SNMP no longer processes SNMP packets. Exercise caution when you disable the SNMP IPv4 or IPv6 listening port.

  26. Run commit

    The configuration is committed.

(Optional) Configuring SNMP Anti-Attack

To defend against one user attacking other users' passwords, configure the SNMPv3 blacklist function to improve security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run undo snmp-agent blacklist ip-block disable

    The blacklist function for an IP address is enabled.

  3. Run undo snmp-agent blacklist user-block disable

    The blacklist function for an SNMPv3 user is enabled.

  4. Run commit

    The configuration is committed.
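The following is an added worked configuration that walks through the basic SNMPv3 procedure above and the optional anti-attack procedure in one pass; it is not from the Huawei guide, and every name and password in it (tg-snmp, ug-snmp, nms-monitor, the PLACEHOLDER values, the contact and location strings, the minimum length of 12) is a constructed placeholder to replace with your own. It picks sha over md5 and aes256 over des56 from the options the command offers, uses three different passwords (AAA login, SNMP authentication, SNMP privacy) as the guide recommends, and enables the contextEngineID check and both blacklist functions; the indented layout and the "#" comments are for readability only and are not typed into the device.

```text
system-view
 aaa
  task-group tg-snmp
   task snmp read write                 # grant only the read/write permissions the NMS needs on the MIB objects mapped to the snmp task
   quit
  user-group ug-snmp
   task-group tg-snmp                   # bind the user group to the task group
   quit
  local-user nms-monitor password irreversible-cipher AAA_PASSWORD_PLACEHOLDER
  local-user nms-monitor user-group ug-snmp
  local-user nms-monitor service-type snmp
  quit
 snmp-agent sys-info version v3         # allow only SNMPv3 on the agent
 snmp-agent password min-length 12      # enforced on every SNMP password configured after this point
 snmp-agent local-user v3 nms-monitor authentication-mode sha cipher AUTH_PASSWORD_PLACEHOLDER privacy-mode aes256 cipher PRIV_PASSWORD_PLACEHOLDER
 snmp-agent sys-info contact NOC-team
 snmp-agent sys-info location Lab-rack-1
 snmp-agent packet max-size 1800        # larger SNMP packets are discarded
 snmp-agent packet contextengineid-check enable
 snmp-agent set-cache enable
 undo snmp-agent blacklist ip-block disable
 undo snmp-agent blacklist user-block disable
 commit
```

After the commit, the display snmp-agent local-user command from the verification section should list nms-monitor with Authentication Protocol sha and Privacy Protocol aes256; if the USM user of the same name exists, the USM user's settings take precedence, as noted in step 17.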

Verifying the Configuration for a Local SNMPv3 User on a Device to Communicate with an NMS

After configuring basic SNMPv3 functions, verify the configuration.

Prerequisites

Basic SNMPv3 functions have been configured.

Procedure

  • Run the display snmp-agent sys-info version command to check the enabled SNMP version.
  • Run the display snmp-agent sys-info contact command to check the device administrator's contact information.
  • Run the display snmp-agent sys-info location command to check the location of the router.
  • Run the display current-configuration | include max-size command to check the allowable maximum size of an SNMP packet.
  • Run the display snmp-agent local-user [ username user-name ] command to check local SNMP user information.

Example

Run the display snmp-agent sys-info version command. The command output shows the SNMP version running on the agent.

<HUAWEI> display snmp-agent sys-info version
 SNMP version running in the system:
           SNMPv3

Run the display snmp-agent sys-info contact command. The command output shows the device administrator's contact information.

<HUAWEI> display snmp-agent sys-info contact
   The contact person for this managed node:
           R&D Beijing, Huawei Technologies co.,Ltd.

Run the display snmp-agent sys-info location command. The command output shows the location of the device.

<HUAWEI> display snmp-agent sys-info location
   The physical location of this node:
           Beijing China

Run the display current-configuration | include max-size command. The command output shows the allowable maximum size of an SNMP packet.

<HUAWEI> display current-configuration | include max-size
 snmp-agent packet max-size 1800

Run the display snmp-agent local-user command. The command output shows SNMP local user information.

<HUAWEI> display snmp-agent local-user
   User name: myuser
       Engine ID: 800007DB0338BA5B718601
       Authentication Protocol: md5
       Privacy Protocol: des56
       State: Active
Updated: 2019-01-02

Document ID: EDOC1100055400