
NE40E-M2 V800R010C10SPC500 Configuration Guide - System Management 01

Configuring a Device to Communicate with an NMS Using SNMPv2c

After SNMPv2c is configured, a managed device and an NMS can run SNMPv2c to communicate with each other. To ensure communication, you need to configure the agent and NMS. This section only describes the configuration on a managed device (the agent side). For details about configurations on an NMS, see the pertaining NMS operation guide.

Usage Scenario

SNMP has to be deployed in a network to allow the NMS to manage network devices.

If your network is large with many devices, and either its security requirements are not strict or the network is secure (for example, a VPN) but so busy that traffic congestion may occur, SNMPv2c can be deployed to ensure communication between the NMS and managed devices.

SNMPv2c has a security risk. Using SNMPv3 is recommended.

Pre-configuration Tasks

Before configuring a device to communicate with an NMS using SNMPv2c, configure a routing protocol to ensure that at least one route exists between the Router and the NMS.

Configuration Procedures

Figure 16-5 Flowchart for configuring a device to communicate with an NMS using SNMPv2c

Configuring Basic SNMPv2c Functions

After basic SNMP functions are configured, the NMS can perform basic operations such as Get and Set operations on a managed device, and the managed device can send alarms to the NMS.

Context

The NMS can communicate with managed devices after basic SNMPv2c functions have been configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run snmp-agent password min-length min-length

    The minimum SNMP password length is configured.

    After this command is run, the length of a configured SNMP password must be longer than or equal to the minimum SNMP password length.

  3. (Optional) Run snmp-agent

    The SNMP agent function is enabled.

    This step is optional because the SNMP agent function is enabled by running any snmp-agent command, irrespective of whether any parameter is specified.

  4. (Optional) Run snmp-agent udp-port port-number

    The port number monitored by the SNMP agent is changed.

  5. Run snmp-agent sys-info version v2c

    The SNMP version is set.

    After SNMPv2c is enabled on the managed device, the device supports both SNMPv2c and SNMPv3. This means that the device can be monitored and managed by NMSs running SNMPv2c and SNMPv3.

  6. Run snmp-agent community { read | write } { community-name | cipher cipher-name } [ mib-view view-name | acl { acl-number | acl-name } | alias alias-name ] *

    The community name is set.

    The community name will be saved in encrypted format in the configuration file. The community alias will be saved in simple text format in the configuration file.

    If a community name fails the complexity check, the community name cannot be configured. To disable the complexity check for community names, run the snmp-agent community complexity-check disable command. To improve system security, enabling the complexity check for community names is recommended.

    NOTE:

    HUAWEI has the following requirements on the complexity of community names:

    • The minimum length of a community name is eight characters.

    • A community name contains at least two types of characters: uppercase characters, lowercase characters, digits, and special characters, excluding question marks (?) and spaces.

    After the community name is set, if no MIB view is configured, the NMS that uses the community name has permission to access objects in the Viewdefault view (1.3.6.1).

    • read: If the NMS administrator needs the read permission in a specified view, configure read in this command. For example, a low-level administrator needs to read certain data.

    • write: If the NMS administrator needs the read and write permissions in a specified view, configure write in this command. For example, a high-level administrator needs to read and write certain data.

  7. Choose one of the following commands as needed to configure the destination IP address for the alarms and error codes sent from the device.

    • If the network is an IPv4 network, configure the device to send either traps or informs to the NMS.
      NOTE:

      The differences between traps and informs are as follows:

      • The traps sent by the managed device do not need to be acknowledged by the NMS.

      • The informs sent by the managed device need to be acknowledged by the NMS. If no acknowledgement message from the NMS is received within a specified time period, the managed device resends the inform until the number of retransmissions reaches the maximum that is configured.

        When the managed device sends an inform, it records the inform in the log. If the NMS, or the link between the NMS and the managed device, recovers from a fault, the NMS can still learn of the informs sent while the fault was present and being rectified.

      In this regard, informs are more reliable than traps, but the retransmission mechanism means the device may need to buffer many informs, which can consume a lot of memory.

      If the network is stable, using traps is recommended. If the network is unstable and the device's memory capacity is sufficient, using informs is recommended.

      • To configure a destination IP address for the traps and error codes sent from the device, run snmp-agent target-host [ host-name host-name ] trap address udp-domain ip-address [ [ udp-port port-number ] | [ source interface-type interface-number ] | [ public-net | vpn-instance vpn-instance-name ] ] * params securityname { security-name [ v2c | private-netmanager | ext-vb | notify-filter-profile profile-name ] * | cipher cipher-name [ v2c | private-netmanager | ext-vb | notify-filter-profile profile-name ] * }

      • To configure a destination IP address for the informs and error codes sent from the device, run snmp-agent target-host [ host-name host-name ] inform address udp-domain ip-address [ [ udp-port port-number ] | [ source interface-type interface-number ] | [ public-net | vpn-instance vpn-instance-name ] ] * params securityname { security-name v2c | cipher cipher-name v2c } [ ext-vb | notify-filter-profile profile-name | private-netmanager ] *

      The descriptions of the command parameters are as follows:
      • udp-port: The default destination UDP port number is 162. In some special cases, the parameter udp-port can be used to specify a non-well-known UDP port number. This ensures communication between the NMS and managed device.

      • vpn-instance: If the alarms sent from the managed device to the NMS need to be transmitted over a private network, the parameter vpn-instance vpn-instance-name needs to be used to specify a VPN that takes over the sending task.

      • public-net: If the alarms sent from the managed device to the NMS need to be transmitted over a public network, the parameter public-net needs to be specified.

      • securityname: Identifies the alarm sender, which helps you learn the alarm source.

    • To configure a destination IPv6 address for the alarms and error codes sent from the device, run snmp-agent target-host [ host-name host-name ] trap ipv6 address udp-domain ipv6-address [ udp-port port-number | source interface-type interface-number ] * params securityname { security-name [ v2c | private-netmanager | ext-vb | notify-filter-profile profile-name ] * | cipher cipher-name [ v2c | private-netmanager | ext-vb | notify-filter-profile profile-name ] * }

    NOTE:

    An IPv6 network supports only traps, not informs.

  8. (Optional) Run snmp-agent sys-info { contact contact | location location }

    The device administrator contact information or location is configured.

    This step is required for the NMS administrator to view contact information and locations of the device administrator when the NMS manages many devices. This helps the NMS administrator contact the device administrators for fault location and rectification.

  9. (Optional) Run snmp-agent packet max-size byte-count

    The maximum size of an SNMP packet that the device can receive or send is set.

    After the maximum size is set, the device discards any SNMP packet that is larger than the set size.

  10. (Optional) Run snmp-agent extend error-code enable

    The extended error code function is enabled.

  11. Run snmp-agent set-cache enable

    The SET Response message caching function is enabled.

  12. (Optional) Run snmp-agent get-cache disable

    The GET response message caching function is disabled.

  13. (Optional) Run snmp-agent get-cache age-out age-out

    An aging period is configured for the GET response message caching function.

  14. (Optional) Configure SNMP to receive and respond to NMS request packets. To achieve this, run one or more of the following commands as needed:

    • Run snmp-agent protocol source-interface interface-type interface-number

      A source interface is configured for SNMP to receive and respond to NMS request packets.

    • Run snmp-agent protocol ipv6 source-ip ip-address

      A source IPv6 address is configured for SNMP to receive and respond to NMS request packets.

    • Configure SNMP to receive and respond to NMS request packets through a VPN instance or public network.
      • For an IPv4 network, run the snmp-agent protocol { vpn-instance vpn-instance-name | public-net } command.
      • For an IPv6 network, run the snmp-agent protocol ipv6 { vpn-instance vpn-instance-name | public-net } command.

  15. (Optional) Run snmp-agent local-engineid engineid

    An engine ID for the local SNMP entity is set.

    The MAC address of the management interface on the main control board is used as device information.

  16. (Optional) Run snmp-agent protocol get-bulk timeout time

    The get-bulk operation timeout period is configured.

    You are not advised to change the get-bulk operation timeout period. The default get-bulk operation timeout period is recommended. To reconfigure a get-bulk operation timeout period, you must ensure that the configured period is less than an NMS's timeout period.

  17. (Optional) Run snmp-agent protocol server [ ipv4 | ipv6 ] disable

    The SNMP IPv4 or IPv6 listening port is disabled.

    After you disable the SNMP IPv4 or IPv6 listening port using the snmp-agent protocol server disable command, SNMP no longer processes SNMP packets. Exercise caution when you disable the SNMP IPv4 or IPv6 listening port.

  18. Run commit

    The configuration is committed.
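The complexity rules for community names given in the NOTE under step 6 (at least eight characters, at least two character classes, no question marks or spaces) are easy to check before a name is typed into the device. The following validator is an added example, not Huawei's code, and its min_length parameter is an assumed local-policy knob for sites that want a minimum longer than the NOTE's eight characters; the sample names at the bottom are constructed.

```python
# Added example (not Huawei's code): a pre-deployment check that applies the
# community-name complexity rules stated in the NOTE under step 6.
FORBIDDEN_CHARS = {"?", " "}          # explicitly excluded by the NOTE
NOTE_MIN_LENGTH = 8                    # minimum length stated by the NOTE


def char_classes(name: str) -> set:
    """Return the character classes present in name: upper, lower, digit, special."""
    classes = set()
    for ch in name:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_community_name(name: str, min_length: int = NOTE_MIN_LENGTH) -> list:
    """Return the list of rule violations for a candidate community name.

    An empty list means the name would pass the complexity check. min_length is
    an assumed local-policy knob for sites that want a longer minimum than the
    NOTE's eight characters; the NOTE's minimum is always enforced.
    """
    problems = []
    required = max(min_length, NOTE_MIN_LENGTH)
    if len(name) < required:
        problems.append(f"shorter than {required} characters")
    forbidden = sorted(FORBIDDEN_CHARS & set(name))
    if forbidden:
        problems.append("contains forbidden character(s): "
                        + ", ".join(repr(c) for c in forbidden))
    if len(char_classes(name)) < 2:
        problems.append("uses fewer than two character classes "
                        "(uppercase, lowercase, digit, special)")
    return problems


def is_acceptable(name: str, min_length: int = NOTE_MIN_LENGTH) -> bool:
    """True when the name has no violations."""
    return not check_community_name(name, min_length)


if __name__ == "__main__":
    # constructed sample names, not values from the page
    for candidate in ("public", "Nms-Ro-2019", "nms ro 2019"):
        print(f"{candidate!r}: {check_community_name(candidate) or 'OK'}")
```

A name that fails this check would be rejected by the device anyway unless snmp-agent community complexity-check disable has been run; the point of checking first is to avoid the temptation to disable the check.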

Follow-up Procedure

After the configuration is complete, basic communication can be conducted between the NMS and managed device.
  • Access control allows any NMS that uses the community name to monitor and manage all the objects on the managed device.

  • The managed device sends alarms generated by the modules that are enabled by default to the NMS.

If finer device management is required, follow directions below to configure the managed device:

(Optional) Controlling the NMS's Access to the Device

This section describes how to specify an NMS and manageable MIB objects for SNMP based communication between the NMS and managed device to improve communication security.

Context

If a device is managed by multiple NMSs that use the same community name, note the following points:
  • If all the NMSs need to have rights to access the objects in the Viewdefault view, skip the following steps.

  • If some of the NMSs need to have rights to access the objects in the Viewdefault view, skip steps 7 and 8.

  • If all the NMSs are required to manage specified objects on the device, skip steps 2, 3, 4, and 5.

  • If some of the NMSs are required to manage specified objects on the device, perform all the following steps.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

    A basic ACL is created to filter the NMS users allowed to manage the device.

  3. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

    A rule is configured for the basic ACL.

    • If the address of a login user matches an ACL rule in which the specified action is permit, the user is allowed to log in to the device.

    • If the address of a login user matches an ACL rule in which the specified action is deny, the user is not allowed to log in to the device.

    • If the address of a login user is not within the address range specified in an ACL rule, the login of the user is denied.

    • If the ACL does not contain any rules or does not exist, the login of users is not subject to the ACL, and users can log in to the device.

  4. Run commit

    The configuration is committed.

  5. Run quit

    Return to the system view.

  6. (Optional) Run snmp-agent acl

    An SNMP protocol-level ACL is configured.

    By running the snmp-agent acl command, you can control user access at the SNMP protocol level.

  7. Run snmp-agent mib-view { excluded | included } view-name oid-tree

    A MIB view is created, and manageable MIB objects are specified.

    • excluded: If a few MIB objects on the device or some objects in the current MIB view do not or no longer need to be managed by the NMS, excluded needs to be specified in the command to exclude these MIB objects.

    • included: If a few MIB objects on the device or some objects in the current MIB view need to be managed by the NMS, included needs to be specified in the command to include these MIB objects.

  8. Run snmp-agent community { read | write } { community-name | cipher cipher-name } [ mib-view view-name | acl { acl-number | acl-name } | alias alias-name ] *

    The NMS's access rights are specified.

    • read: The NMS administrator configures the read parameter to provide read access for a specified view to a low-level administrator.

    • write: The NMS administrator configures the write parameter to provide read and write access for a specified view to a low-level administrator.

    • mib-view: If some of the NMSs that use the community name need to have rights to access the objects in the Viewdefault view, mib-view view-name does not need to be configured in the command.

    • acl: If all the NMSs that use the community name need to manage specified objects on the device, acl acl-number does not need to be configured in the command.

      If some of the NMSs that use the community name need to manage specified objects on the device, both mib-view and acl need to be configured in the command.

  9. Run commit

    The configuration is committed.
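The four outcomes listed under step 3 (permit match, deny match, no match, and an empty or missing ACL) are worth seeing as one decision function, because the last two are the ones that surprise operators: an NMS outside every rule is denied, while a community bound to an ACL that has no rules is open to everyone. The code below is an added example, not Huawei's implementation; it parses rule lines in the form printed by display acl, applies Huawei wildcard semantics (a bare 0 means exact host match), and assumes that ascending rule-id order reflects the configuration order. The second ACL is constructed for illustration.

```python
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# (rule-id, action, source address, wildcard)
Rule = Tuple[int, str, str, str]

ANY_SOURCE = ("0.0.0.0", "255.255.255.255")


def parse_rule_line(line: str) -> Rule:
    """Parse one rule as printed by 'display acl', e.g.
    'rule 5 permit source 1.1.1.1 0 (0 times matched)'.
    A rule without a source clause, or with 'source any', matches every address."""
    parts = line.split()
    rule_id, action = int(parts[1]), parts[2]
    if len(parts) >= 6 and parts[3] == "source" and parts[4] != "any":
        return (rule_id, action, parts[4], parts[5])
    return (rule_id, action, *ANY_SOURCE)


def _wildcard_int(wildcard: str) -> int:
    # The CLI accepts a bare 0 for an exact host match.
    return 0 if wildcard == "0" else int(IPv4Address(wildcard))


def rule_matches(rule: Rule, addr: str) -> bool:
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    _, _, src, wildcard = rule
    care = ~_wildcard_int(wildcard) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(src)) & care)


def snmp_access_allowed(acl: Optional[List[Rule]], nms_addr: str) -> bool:
    """Decide whether an NMS at nms_addr passes the ACL bound to the community.

    Implements the four cases listed under step 3:
      * the first matching rule is permit -> allowed
      * the first matching rule is deny   -> denied
      * no rule matches                   -> denied
      * ACL absent or without rules       -> allowed (ACL not enforced)
    Rules are tried in ascending rule-id order, which this example assumes
    reflects the configuration order (match-order config).
    """
    if not acl:
        return True
    for rule in sorted(acl, key=lambda r: r[0]):
        if rule_matches(rule, nms_addr):
            return rule[1] == "permit"
    return False


# The single rule shown in the verification output of this section.
PAGE_ACL_2000 = [parse_rule_line("rule 5 permit source 1.1.1.1 0 (0 times matched)")]

# Constructed example: deny one management subnet, permit the rest of 10.1.0.0/16.
CONSTRUCTED_ACL = [
    parse_rule_line("rule 5 deny source 10.1.1.0 0.0.0.255"),
    parse_rule_line("rule 10 permit source 10.1.0.0 0.0.255.255"),
]

if __name__ == "__main__":
    for addr in ("1.1.1.1", "1.1.1.2"):
        print(addr, "->", "allowed" if snmp_access_allowed(PAGE_ACL_2000, addr) else "denied")
```

The empty-ACL case is the one to watch during change windows: deleting the last rule of ACL 2000 does not lock the NMS out, it removes the restriction entirely.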

Follow-up Procedure

After the access rights are configured, especially after the IP address of the NMS is specified, if the IP address changes (for example, the NMS changes its location, or IP addresses are reallocated due to network adjustment), you need to change the IP address of the NMS in the ACL. Otherwise, the NMS cannot access the device.

(Optional) Configuring the Trap Function

The device can be configured to send specified traps to the NMS, which facilitates fault locating. To enhance the trap transmission security, specify parameters for sending traps.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run snmp-agent trap enable

    The device is enabled to send traps to the NMS.

  3. Run snmp-agent trap enable feature-name feature-name trap-name trap-name

    The device is enabled to send a specified trap of a feature to the NMS.

    NOTE:
    If the snmp-agent trap enable command has been run to enable the trap functions of all modules, or the snmp-agent trap enable feature-name command has been run to enable three or more trap functions of a module, note the following points:
    • To disable the trap functions of all modules, run the snmp-agent trap disable command.

    • To restore the trap functions of all modules to the default status, run the undo snmp-agent trap enable or undo snmp-agent trap disable command.

    • To disable one trap function of a module, run the undo snmp-agent trap enable feature-name command.

    • To delete all the trap function configurations of a feature in a one-click manner, run the clear configuration snmp-agent trap enable command.

  4. Run snmp-agent trap source interface-type interface-number

    The source interface for sending traps is specified.

    After a source interface is specified, its IP address is used as the source IP address of traps. Using the local loopback interface as the source interface is recommended, because it helps ensure device security.

    The source interface of traps specified on the Router must be the same as that specified on the NMS. Otherwise, the NMS does not accept the traps sent from the Router.

  5. Run snmp-agent trap source-port port-number

    The source port from which trap messages are sent is specified.

    To improve network security, configure a specific source port for trap messages so that the firewall at the user terminal can filter packets based on the port number.

  6. Run snmp-agent trap type { base-trap | entity-trap }

    The format of traps sent to the NMS is set.

    This command is supported only on the Admin-VS.

  7. Run commit

    The configuration is committed.

(Optional) Configuring the Informs Function

The Router enabled with the SNMP agent function can generate two types of notifications: trap messages and Inform messages. Trap messages are messages alerting the NMS to a condition on the network. Inform messages are trap messages that include a request for confirmation of receipt from the NMS (Inform messages are resent until a reply is received). Inform messages are more reliable than trap messages.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run snmp-agent trap enable

    Alarm sending is enabled.

  3. Run snmp-agent trap enable feature-name feature-name trap-name trap-name

    A trap function of a feature module is enabled. This means that an alarm of a specified feature can be sent to the NMS.

    NOTE:
    If the snmp-agent trap enable command has been run to enable the trap functions of all modules, or the snmp-agent trap enable feature-name command has been run to enable three or more trap functions of a module, note the following points:
    • To disable the trap functions of all modules, run the snmp-agent trap disable command.

    • To restore the trap functions of all modules to the default status, run the undo snmp-agent trap enable or undo snmp-agent trap disable command.

    • To disable one trap function of a module, run the undo snmp-agent trap enable feature-name command.

  4. (Optional) Run snmp-agent inform { timeout seconds | resend-times times | pending number } *

    The timeout period for waiting for inform Ack messages, the number of times to resend Inform messages, and the maximum number of pending Inform messages (Inform messages that need to be acknowledged) are set.

    NOTE:

    If the network is unstable, you need to increase the timeout period. At the same time, you need to increase the number of times to resend Inform messages and the maximum count of pending Inform messages.

  5. Run snmp-agent inform { timeout seconds | resend-times times } * [ host-name host-name | address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname { security-name | cipher cipher-name } ]

    The timeout period for waiting for inform Ack messages and the number of times to resend Inform messages are set.

  6. Run snmp-agent notification-log enable

    The alarm logging function is enabled.

    If the link between a managed device and the NMS is faulty, the managed device stops sending Inform messages to the NMS but continues recording alarm logs. After the link recovers, the NMS obtains alarm logs generated during the fault period from the managed device.

    The alarm logging function logs only Inform messages.

  7. Run snmp-agent notification-log { global-ageout ageout | global-limit limit } *

    The aging time of alarm logs and maximum number of inform logs that can be stored in the log buffer are set.

    If the aging time expires, inform logs are automatically deleted.

    Newer inform logs replace the oldest ones.

  8. Run commit

    The configuration is committed.

(Optional) Configuring SNMP Anti-Attack

To defend against a user's attacks on other users' passwords, configure the SNMP blacklist function to improve security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run undo snmp-agent blacklist ip-block disable

    The blacklist function for an IP address is enabled.

  3. Run commit

    The configuration is committed.

Verifying the Configuration for a Device to Communicate with an NMS Using SNMPv2c

After configuring basic SNMPv2c functions, verify the configuration.

Prerequisites

The configuration of basic SNMPv2c functions is complete.

Procedure

  • Run the display snmp-agent community command to check the configured community name.
  • Run the display snmp-agent sys-info version command to check the enabled SNMP version.
  • Run the display acl acl-number command to check the rules in the specified ACL.
  • Run the display snmp-agent mib-view command to check the MIB view.
  • Run the display snmp-agent mib modules command to check information about a loaded MIB file.
  • Run the display snmp-agent sys-info contact command to check the device administrator's contact information.
  • Run the display snmp-agent sys-info location command to check the location of the Router.
  • Run the display current-configuration | include max-size command to check the allowable maximum size of an SNMP packet.
  • Run the display current-configuration | include trap command to check trap configuration.
  • Run the display snmp-agent target-host command to check information about the target host.
  • Run the display snmp-agent inform command to check inform parameters of all target hosts.
  • Run the display snmp-agent notification-log command to check inform logs stored in the log buffer.
  • Run the display snmp-agent vacmgroup command to check all the configured View-based Access Control Model (VACM) groups.

Example

When the configuration is complete, run the display snmp-agent community command. The command output shows the configured community name.
<HUAWEI> display snmp-agent community
   Community name: Community name: %#%#qTp*MccD#Z[sHw4"pbzVHzAfO]gWN;h#30K=)%}X1jIHNF<QdMskYG$9xj:9k\EZN6Mi!Hrt@\Oa8tqP%#%#
       Group name: %#%#qTp*MccD#Z[sHw4"pbzVHzAfO]gWN;h#30K=)%}X1jIHNF<QdMskYG$9xj:9k\EZN6Mi!Hrt@\Oa8tqP%#%#
       Alias name:huawei
       Acl: 2000
       Storage-type: nonVolatile
Run the display snmp-agent sys-info version command. The command output shows the SNMP version running on the agent.
<HUAWEI> display snmp-agent sys-info version
 SNMP version running in the system:
           SNMPv1 SNMPv3
Run the display acl acl-number command. The command output shows the rules in the specified ACL.
<HUAWEI> display acl 2000
Basic ACL  2000, 1 rule
Acl's step is 5
rule 5 permit source 1.1.1.1 0 (0 times matched)
Run the display snmp-agent mib-view command. The MIB view is displayed.
<HUAWEI> display snmp-agent mib-view
View name: ViewDefault
       MIB Subtree: internet
       Subtree mask: F0(Hex)
       Storage-type: nonVolatile
       View Type: included
       View status: active

   View name: ViewDefault
       MIB Subtree: snmpCommunityMIB
       Subtree mask: FE(Hex)
       Storage-type: nonVolatile
       View Type: excluded
       View status: active

   View name: ViewDefault
       MIB Subtree: snmpUsmMIB
       Subtree mask: FE(Hex)
       Storage-type: nonVolatile
       View Type: excluded
       View status: active

   View name: ViewDefault
       MIB Subtree: snmpVacmMIB
       Subtree mask: FE(Hex)
       Storage-type: nonVolatile
       View Type: excluded
       View status: active
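The ViewDefault output above is the access-control detail that matters most for SNMPv2c: the internet subtree is included, but snmpCommunityMIB, snmpUsmMIB and snmpVacmMIB are excluded, so a read community cannot be used to read back community strings, USM users or VACM tables through SNMP itself. The following code is an added example, not Huawei's implementation, that evaluates whether an OID is visible through such a view using the VACM view-tree rules (subtree mask bits, longest-subtree precedence); the dotted OIDs for the four subtree names are taken from the standard SNMP tree and are not printed on the page.

```python
from typing import List, Optional, Tuple

# OID assignments for the subtree names shown in the display output
# (standard SNMP tree, not values printed on the page).
SUBTREE_OID = {
    "internet": "1.3.6.1",
    "snmpCommunityMIB": "1.3.6.1.6.3.18",
    "snmpUsmMIB": "1.3.6.1.6.3.15",
    "snmpVacmMIB": "1.3.6.1.6.3.16",
}

# (subtree, subtree mask as hex, view type), transcribed from the output above
ViewEntry = Tuple[str, str, str]
VIEW_DEFAULT: List[ViewEntry] = [
    ("internet", "F0", "included"),
    ("snmpCommunityMIB", "FE", "excluded"),
    ("snmpUsmMIB", "FE", "excluded"),
    ("snmpVacmMIB", "FE", "excluded"),
]


def oid_parts(oid: str) -> List[int]:
    """Turn a subtree name or dotted OID into a list of sub-identifiers."""
    return [int(x) for x in SUBTREE_OID.get(oid, oid).split(".")]


def mask_bits(mask_hex: str, length: int) -> List[bool]:
    """Expand a subtree mask to one bit per sub-identifier, most significant
    bit first. Sub-identifiers beyond the mask are treated as 1 (must match),
    following the VACM view-tree rules of RFC 3415."""
    bits = [bool((byte >> i) & 1)
            for byte in bytes.fromhex(mask_hex) for i in range(7, -1, -1)]
    bits = bits[:length]
    return bits + [True] * (length - len(bits))


def subtree_covers(entry: ViewEntry, oid: str) -> bool:
    """True if oid lies under entry's subtree, honouring wildcard (0) mask bits."""
    sub, target = oid_parts(entry[0]), oid_parts(oid)
    if len(target) < len(sub):
        return False
    return all(not must_match or s == t
               for s, t, must_match in zip(sub, target, mask_bits(entry[1], len(sub))))


def oid_in_view(view: List[ViewEntry], oid: str) -> bool:
    """Apply VACM precedence: among covering entries the longest subtree wins
    (ties broken by the lexicographically greater subtree); its type decides."""
    best: Optional[Tuple[Tuple[int, List[int]], ViewEntry]] = None
    for entry in view:
        if subtree_covers(entry, oid):
            key = (len(oid_parts(entry[0])), oid_parts(entry[0]))
            if best is None or key > best[0]:
                best = (key, entry)
    return best is not None and best[1][2] == "included"


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0",          # sysDescr.0
                "1.3.6.1.6.3.18.1.1.1.2",     # a snmpCommunityTable column
                "1.3.6.1.6.3.15.1.2.2.1.3"):  # a usmUserTable column
        print(oid, "->", "readable" if oid_in_view(VIEW_DEFAULT, oid) else "hidden")
```

When you define your own view with snmp-agent mib-view, run the same check against the objects you expect an NMS to read and against the three excluded subtrees; a custom view that re-includes snmpCommunityMIB hands every read-only community the write community as well.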

Run the display snmp-agent mib modules command. The command output shows the information about a loaded MIB file.

<HUAWEI> display snmp-agent mib modules
BGP4-MIB:
    resource : allmibs_mib.bin
    mib      : bgp4-mib.mib

DISMAN-PING-MIB:
    resource : allmibs_mib.bin
    mib      : disman-ping-mib.mib

DISMAN-TRACEROUTE-MIB:
    resource : allmibs_mib.bin
    mib      : disman-traceroute-mib.mib
Run the display snmp-agent sys-info contact command. The command output shows the device administrator's contact information.
<HUAWEI> display snmp-agent sys-info contact
   The contact person for this managed node:
           R&D Beijing, Huawei Technologies co.,Ltd.
Run the display snmp-agent sys-info location command. The command output shows the location of the device.
<HUAWEI> display snmp-agent sys-info location
   The physical location of this node:
           Beijing China  

Run the display current-configuration | include max-size command. The command output shows the allowable maximum size of an SNMP packet.

<HUAWEI> display current-configuration | include max-size
 snmp-agent packet max-size 1800

Run the display current-configuration | include trap command. The command output shows trap configuration.

<HUAWEI> display current-configuration | include trap
 snmp-agent trap source GigabitEthernet0/1/1
 snmp-agent target-host host-name targetHost_1_25846 trap ipv6 address udp-domain 1:1::1:1 udp-port 111 params securityname %#%#yowoL2.\8~LKL5*|k[h'3`Nv:DX;Y-$tU=SWNu[*%#%#
 snmp-agent target-host host-name targetHost_2_51321 trap address udp-domain 1.1.1.1 params securityname htipl
 snmp-agent trap enable
Run the display snmp-agent target-host command. The command output shows information about the target host.
<HUAWEI> display snmp-agent target-host
Target-host NO. 1
---------------------------------------------------------------------------
  Host-name                        : targetHost_1_55062
  IP-address                       : 10.18.27.183
  Source interface                 : -
  VPN instance                     : -
  Security name                    : %#%#yowoL2.\8~LKL5*|k[h'3`Nv:DX;Y-$tU=SWNu[*%#%#
  Port                             : 162
  Type                             : inform
  Version                          : v2c
  Level                            : No authentication and privacy
  NMS type                         : NMS
  With ext-vb                      : No
  Notification filter profile name : -
---------------------------------------------------------------------------

Target-host NO. 2
---------------------------------------------------------------------------
  Host-name                        : targetHost_2_25846
  IP-address                       : 10.18.27.184
  Source interface                 : -
  VPN instance                     : -
  Security name                    : %#%#[7SCH}$<HX.vZ8%7YS3L:IsCPA^LbRRK-`/6"i"$%#%#
  Port                             : 162
  Type                             : trap
  Version                          : v2c
  Level                            : No authentication and privacy
  NMS type                         : NMS
  With ext-vb                      : No
  Notification filter profile name : -
---------------------------------------------------------------------------
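Because every target host is a destination to which the device will volunteer alarm data, the display snmp-agent target-host output is worth auditing periodically against the list of NMSs you actually operate. The parser and audit below are an added example, not Huawei's code; the sample input is the two-host output reproduced from above, and the assumption that a %#%# ... %#%# wrapper marks a security name stored as cipher text (while a bare word such as htipl is plain text) follows the convention visible in this page's output.

```python
from typing import Dict, List, Set

# Reproduced from the display output above (two target hosts).
SAMPLE_OUTPUT = r"""Target-host NO. 1
---------------------------------------------------------------------------
  Host-name                        : targetHost_1_55062
  IP-address                       : 10.18.27.183
  Source interface                 : -
  VPN instance                     : -
  Security name                    : %#%#yowoL2.\8~LKL5*|k[h'3`Nv:DX;Y-$tU=SWNu[*%#%#
  Port                             : 162
  Type                             : inform
  Version                          : v2c
  Level                            : No authentication and privacy
  NMS type                         : NMS
  With ext-vb                      : No
  Notification filter profile name : -
---------------------------------------------------------------------------

Target-host NO. 2
---------------------------------------------------------------------------
  Host-name                        : targetHost_2_25846
  IP-address                       : 10.18.27.184
  Source interface                 : -
  VPN instance                     : -
  Security name                    : %#%#[7SCH}$<HX.vZ8%7YS3L:IsCPA^LbRRK-`/6"i"$%#%#
  Port                             : 162
  Type                             : trap
  Version                          : v2c
  Level                            : No authentication and privacy
  NMS type                         : NMS
  With ext-vb                      : No
  Notification filter profile name : -
---------------------------------------------------------------------------
"""


def parse_target_hosts(text: str) -> List[Dict[str, str]]:
    """Split 'display snmp-agent target-host' output into one dict per host."""
    hosts: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if line.startswith("Target-host NO."):
            current = {}
            hosts.append(current)
        elif current is not None and " : " in line:
            key, _, value = line.partition(" : ")
            current[key.strip()] = value.strip()
    return hosts


def is_cipher_text(value: str) -> bool:
    # Assumption: the %#%# ... %#%# wrapper marks a value stored in cipher text,
    # as in the output above; a bare word like 'htipl' is plain text.
    return value.startswith("%#%#") and value.endswith("%#%#")


def audit_target_hosts(hosts: List[Dict[str, str]], approved_nms: Set[str]) -> List[str]:
    """Return one finding per deviation: an unapproved destination, a version
    other than v2c, or a security name that is not stored as cipher text."""
    findings = []
    for h in hosts:
        name = h.get("Host-name", "?")
        ip = h.get("IP-address", "?")
        if ip not in approved_nms:
            findings.append(f"{name}: notifications go to unapproved destination {ip}")
        if h.get("Version") != "v2c":
            findings.append(f"{name}: version {h.get('Version')} is not v2c")
        if not is_cipher_text(h.get("Security name", "")):
            findings.append(f"{name}: security name is not stored as cipher text")
    return findings


if __name__ == "__main__":
    # constructed approved list: only the first NMS from the sample output
    for finding in audit_target_hosts(parse_target_hosts(SAMPLE_OUTPUT), {"10.18.27.183"}):
        print(finding)
```

Feed the function the captured output of the command on each device and the findings list becomes an empty-or-not check that fits a configuration-compliance job.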

Run the display snmp-agent inform command. The command output shows the configuration of inform notifications.

<HUAWEI> display snmp-agent inform
Global config: resend-times 3, timeout 15s, pending 39
Global status: current notification count 0
Target-host ID: Host name/VPN instance/IP-Address/Security name
-/-/1.2.1.2/%#%#yowoL2.\8~LKL5*|k[h'3`Nv:DX;Y-$tU=SWNu[*%#%#:
    Config: resend-times 3, timeout 15s
    Status: retries 0, pending 0, sent 0, dropped 0, failed 0, confirmed 0

Run the display snmp-agent notification-log command. The command output shows information about inform logs stored in the log buffer.

<HUAWEI> display snmp-agent notification-log info
 Notification log information: 
 Notification Admin Status : enable
 GlobalNotificationsLogged : 0
 GlobalNotificationsBumped : 0
 GlobalNotificationsLimit  : 1000
 GlobalNotificationsAgeout : 36
 Total number of notification log(s): 0

Run the display snmp-agent vacmgroup command. The command output shows information about VACM groups.

<HUAWEI> display snmp-agent vacmgroup
--------------------------------------------------
Security name  : john
Group name     : johngroup
Security model : USM
--------------------------------------------------
Updated: 2019-01-02

Document ID: EDOC1100058392