NE40E-M2 V800R010C10SPC500 Configuration Guide - System Management 01

Configuring a Device to Communicate with an NMS Using SNMPv1

After SNMPv1 is configured, a managed device and an NMS can run SNMPv1 to communicate with each other. To ensure communication, you need to configure the agent and NMS. This section only describes the configuration on a managed device (the agent side). For details about configurations on an NMS, see the NMS operation guide.

Usage Scenario

To allow the NMS to manage network devices, configure SNMP.

If the network is secure and has few devices (for example, a campus network or a small enterprise network), SNMPv1 can be deployed to ensure communication between the NMS and managed devices.

SNMPv1 has a security risk. Using SNMPv3 is recommended.

Pre-configuration Tasks

Before configuring a device to communicate with an NMS using SNMPv1, configure a routing protocol to ensure that the Router and NMS are reachable.

Configuration Procedures

Figure 16-4 Flowchart for configuring a device to communicate with an NMS using SNMPv1

Configuring Basic SNMPv1 Functions

After basic SNMP functions are configured, the NMS can perform basic operations such as Get and Set operations on a managed device, and the managed device can send alarms to the NMS.

Context

The NMS can communicate with managed devices after basic SNMPv1 functions have been configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run snmp-agent password min-length min-length

    The minimum SNMP password length is configured.

    After this command is run, the length of a configured SNMP password must be greater than or equal to the minimum SNMP password length.

  3. (Optional) Run snmp-agent

    The SNMP agent function is enabled.

    This step is optional because the SNMP agent function is enabled by running any snmp-agent command, irrespective of whether any parameter is specified.

  4. (Optional) Run snmp-agent udp-port port-number

    The port number on which the SNMP agent listens is changed.

  5. Run snmp-agent sys-info version v1

    The SNMP version is set.

    After SNMPv1 is enabled on the managed device, the device supports both SNMPv1 and SNMPv3. This means that the device can be monitored and managed by NMSs running SNMPv1 or SNMPv3.

  6. Run snmp-agent community { read | write } { community-name | cipher cipher-name } [ mib-view view-name | acl { acl-number | acl-name } | alias alias-name ] *

    The community name is set.

    The community name will be saved in encrypted format in the configuration file. The community alias will be saved in plaintext in the configuration file.

    If a community name fails the complexity check, the community name cannot be configured. To disable the complexity check for community names, run the snmp-agent community complexity-check disable command. To improve system security, enabling the complexity check for community names is recommended.

    NOTE:

    HUAWEI has the following requirements on the complexity of community names:

    • The minimum length of a community name is eight characters.

    • A community name contains at least two types of characters: uppercase characters, lowercase characters, digits, and special characters, excluding question marks (?) and spaces.

    After the community name is set, if no MIB view is configured, the NMS that uses the community name has permission to access objects in the Viewdefault view (1.3.6.1).

    • read: If the NMS administrator needs the read permission in a specified view, configure read in this command. For example, a low-level administrator needs to read certain data.

    • write: If the NMS administrator needs the read and write permissions in a specified view, configure write in this command. For example, a high-level administrator needs to read and write certain data.

  7. Run either of the following commands:

    • To configure a destination IPv4 address for the alarms and error codes sent from the device, run snmp-agent target-host [ host-name host-name ] trap address udp-domain ip-address [ [ udp-port port-number ] | [ source interface-type interface-number ] | [ public-net | vpn-instance vpn-instance-name ] ] * params securityname { security-name [ v1 | private-netmanager | ext-vb | notify-filter-profile profile-name ] * | cipher cipher-name [ v1 | private-netmanager | ext-vb | notify-filter-profile profile-name ] * }

    • To configure a destination IPv6 address for the alarms and error codes sent from the device, run snmp-agent target-host [ host-name host-name ] trap ipv6 address udp-domain ipv6-address [ udp-port port-number | source interface-type interface-number ] * params securityname { security-name [ v1 | private-netmanager | ext-vb | notify-filter-profile profile-name ] * | cipher cipher-name [ v1 | private-netmanager | ext-vb | notify-filter-profile profile-name ] * }

  8. (Optional) Run snmp-agent sys-info { contact contact | location location }

    The device administrator contact information or location is configured.

    This step is required for the NMS administrator to view contact information and locations of the device administrator when the NMS manages many devices. This helps the NMS administrator contact the device administrators for fault location and rectification.

  9. (Optional) Run snmp-agent packet max-size byte-count

    The maximum size of an SNMP packet that the device can receive or send is set.

    After the maximum size is set, the device discards any SNMP packet that is larger than the set size.

  10. (Optional) Run snmp-agent extend error-code enable

    The extended error code function is enabled.

  11. Run snmp-agent set-cache enable

    The SET Response message caching function is enabled.

  12. (Optional) Run snmp-agent get-cache disable

    The GET response message caching function is disabled.

  13. (Optional) Run snmp-agent get-cache age-out age-out

    An aging period is configured for the GET response message caching function.

  14. (Optional) Configure SNMP to receive and respond to NMS request packets. To achieve this, run one or more of the following commands as needed:

    • Run snmp-agent protocol source-interface interface-type interface-number

      A source interface is configured for SNMP to receive and respond to NMS request packets.

    • Run snmp-agent protocol ipv6 source-ip ip-address

      A source IPv6 address is configured for SNMP to receive and respond to NMS request packets.

    • Configure SNMP to receive and respond to NMS request packets through a VPN instance or public network.
      • For an IPv4 network, run the snmp-agent protocol { vpn-instance vpn-instance-name | public-net } command.
      • For an IPv6 network, run the snmp-agent protocol ipv6 { vpn-instance vpn-instance-name | public-net } command.

  15. (Optional) Run snmp-agent local-engineid engineid

    An engine ID for the local SNMP entity is set.

    The MAC address of the management interface on the main control board is used as device information.

  16. (Optional) Run snmp-agent protocol server [ ipv4 | ipv6 ] disable

    The SNMP IPv4 or IPv6 listening port is disabled.

    After you disable the SNMP IPv4 or IPv6 listening port using the snmp-agent protocol server disable command, SNMP no longer processes SNMP packets. Exercise caution when you disable the SNMP IPv4 or IPv6 listening port.

  17. Run commit

    The configuration is committed.

Follow-up Procedure

After the configuration is complete, the NMS and managed device can communicate.
  • Access control allows any NMS that uses the community name to monitor and manage all the objects on the managed device.

  • The managed device sends alarms generated by the modules that are enabled by default to the NMS.

If finer device management is required, follow directions below to configure the managed device:

(Optional) Controlling the NMS's Access to the Device

To enhance SNMP communication security, restrict the NMSs that are allowed to access the device and restrict the MIB objects to be managed.

Context

If a device is managed by multiple NMSs that use the same community name, note the following points:
  • If all the NMSs are required to access the objects in the Viewdefault view (1.3.6.1), skip the following steps.

  • If some of the NMSs are required to access the objects in the Viewdefault view (1.3.6.1), skip Steps 7 and 8.

  • If all the NMSs are required to manage specified objects on the device, skip Steps 2, 3, 4, and 5.

  • If some of the NMSs are required to manage specified objects on the device, perform all the following steps.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

    A basic ACL is created to filter the NMS users that can manage the device.

  3. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

    A rule is configured for the basic ACL.

    • If the address of a login user matches an ACL rule in which the specified action is permit, the user is allowed to log in to the device.

    • If the address of a login user matches an ACL rule in which the specified action is deny, the user is not allowed to log in to the device.

    • If the address of a login user is not within the address range specified in an ACL rule, the login of the user is denied.

    • If the ACL does not contain any rules or does not exist, the login of users is not subject to the ACL, and users can log in to the device.

  4. Run commit

    The configuration is committed.

  5. Run quit

    Return to the system view.

  6. (Optional) Run snmp-agent acl { acl-number | acl-name }

    An SNMP protocol-level ACL is configured.

    By executing the snmp-agent acl command, you can control the user access.

  7. Run snmp-agent mib-view { excluded | included } view-name oid-tree

    A MIB view is created, and manageable MIB objects are specified.

    • excluded: If a few MIB objects on the device or some objects in the current MIB view do not or no longer need to be managed by the NMS, configure excluded in the command to exclude these MIB objects.

    • included: If a few MIB objects on the device or some objects in the current MIB view need to be managed by the NMS, configure included in the command to include these MIB objects.

  8. Run snmp-agent community { read | write } { community-name | cipher cipher-name } [ mib-view view-name | acl { acl-number | acl-name } | alias alias-name ] *

    The NMS's access rights are specified.

    • read: If the NMS administrator needs the read permission in a specified view, configure read in this command. For example, a low-level administrator needs to read certain data.

    • write: If the NMS administrator needs the read and write permissions in a specified view, configure write in this command. For example, a high-level administrator needs to read and write certain data.

    • mib-view: If some of the NMSs that use the community name need to have rights to access the objects in the Viewdefault view (1.3.6.1), you do not need to configure mib-view view-name in the command.

    • acl: If all the NMSs that use the community name need to manage specified objects on the device, you do not need to configure acl acl-number in the command.

      If some of the NMSs that use the community name need to manage specified objects on the device, configure both mib-view and acl in the command.

  9. Run commit

    The configuration is committed.

Follow-up Procedure

After the access rights are configured, and the NMS's IP address is specified in the ACL rule, if the IP address changes (for example, the network management station changes its location, or IP addresses are reallocated due to network adjustment), you need to change the IP address in the ACL. Otherwise, the NMS cannot access the device.
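The four outcomes listed under step 3 can be checked offline against display acl output, for example before an NMS address change leaves the NMS unable to reach the device. This is an added example, not Huawei's code: the function names and the sample ACL are constructed, rules are assumed to be evaluated in ascending rule-id order (match-order config), and only the source address and wildcard of each rule are modelled.

```python
import ipaddress
import re

# Constructed sample in the layout of the page's "display acl 2000" output.
SAMPLE_ACL = """\
Basic ACL  2000, 3 rules
Acl's step is 5
rule 5 permit source 10.18.27.183 0 (0 times matched)
rule 10 deny source 10.18.27.0 0.0.0.255 (0 times matched)
rule 15 permit source 10.18.0.0 0.0.255.255 (0 times matched)
"""

RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\b(.*)$", re.IGNORECASE)
SRC_RE = re.compile(r"\bsource\s+(any|[\d.]+)(?:\s+([\d.]+))?", re.IGNORECASE)


def parse_basic_acl(text):
    """Return (rule_id, action, address, wildcard) tuples in rule-id order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "Basic ACL  2000, 3 rules"
        src = SRC_RE.search(m.group(3))
        if src is None or src.group(1).lower() == "any":
            addr, wildcard = 0, 0xFFFFFFFF  # every source address matches
        else:
            addr = int(ipaddress.IPv4Address(src.group(1)))
            # "0" is the single-host form; otherwise a dotted wildcard
            # in which 1 bits are ignored during comparison.
            wc = src.group(2)
            wildcard = 0 if wc in (None, "0") else int(ipaddress.IPv4Address(wc))
        rules.append((int(m.group(1)), m.group(2).lower(), addr, wildcard))
    return sorted(rules)


def nms_allowed(rules, nms_ip):
    """Apply the four outcomes described for step 3 to one NMS source address."""
    if not rules:
        # ACL missing or empty: access is not subject to the ACL at all.
        return True, "ACL empty or missing: not filtered"
    ip = int(ipaddress.IPv4Address(nms_ip))
    for rule_id, action, addr, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF  # bits that must be equal
        if (ip & care) == (addr & care):
            return action == "permit", f"matched rule {rule_id} ({action})"
    return False, "no rule matched: denied"


if __name__ == "__main__":
    acl = parse_basic_acl(SAMPLE_ACL)
    for candidate in ("10.18.27.183", "10.18.27.184", "10.18.99.1", "192.0.2.1"):
        print(candidate, nms_allowed(acl, candidate))
    print("empty ACL:", nms_allowed([], "192.0.2.1"))
```

The empty-ACL case is the one to watch: a community bound to an ACL number that has no rules is reachable from any source address.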

(Optional) Configuring the Trap Function

The device can be configured to send specified traps to the NMS, which facilitates fault locating. To enhance the trap transmission security, specify parameters for sending traps.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run snmp-agent trap enable

    The device is enabled to send traps to the NMS.

  3. Run snmp-agent trap enable feature-name feature-name trap-name trap-name

    The device is enabled to send a specified trap of a feature to the NMS.

    NOTE:
    If the snmp-agent trap enable command has been run to enable the trap functions of all modules, or the snmp-agent trap enable feature-name command has been run to enable three or more trap functions of a module, note the following points:
    • To disable the trap functions of all modules, run the snmp-agent trap disable command.

    • To restore the trap functions of all modules to the default status, run the undo snmp-agent trap enable or undo snmp-agent trap disable command.

    • To disable one trap function of a module, run the undo snmp-agent trap enable feature-name command.

    • To delete all the trap function configurations of a feature in a one-click manner, run the clear configuration snmp-agent trap enable command.

  4. Run snmp-agent trap source interface-type interface-number

    The source interface for sending traps is specified.

    After a source interface is specified, its IP address is used as the source IP address of traps. Configuring the local loopback interface as the source interface is recommended, which can ensure device security.

    The source interface of traps specified on the Router must be the same as that specified on the NMS. Otherwise, the NMS does not accept the traps sent from the Router.

  5. Run snmp-agent trap source-port port-number

    The number of the source port that sends trap messages is specified.

    To improve network security, configure a specific source port to send trap messages. The user terminal's firewall can then filter packets based on the port number.

  6. Run snmp-agent trap type { base-trap | entity-trap }

    The format of traps sent to the NMS is set.

    This command is supported only on the Admin-VS.

  7. Run commit

    The configuration is committed.

(Optional) Configuring SNMP Anti-attack

To defend against a user's attack on other users' passwords, configure the SNMP blacklist function to improve security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run undo snmp-agent blacklist ip-block disable

    The blacklist function for an IP address is enabled.

  3. Run commit

    The configuration is committed.

Verifying the Configuration for a Device to Communicate with an NMS Using SNMPv1

After configuring basic SNMPv1 functions, verify the configuration.

Prerequisites

Basic SNMPv1 functions have been configured.

Procedure

  • Run the display snmp-agent community command to check the configured community name.
  • Run the display snmp-agent sys-info version command to check the enabled SNMP version.
  • Run the display acl acl-number command to check the rules in the specified ACL.
  • Run the display snmp-agent mib-view command to check the MIB view.
  • Run the display snmp-agent mib modules command to check information about a loaded MIB file.
  • Run the display snmp-agent sys-info contact command to check the device administrator's contact information.
  • Run the display snmp-agent sys-info location command to check the location of the Router.
  • Run the display current-configuration configuration snmp command to view the current configuration of SNMP.
  • Run the display snmp-agent vacmgroup command to check all the configured View-based Access Control Model (VACM) groups.
  • Run the display snmp-agent target-host command to check information about the target host.

Example

When the configuration is complete, run the display snmp-agent community command. The command output shows the configured community name.
<HUAWEI> display snmp-agent community
   Community name: %#%#qTp*MccD#Z[sHw4"pbzVHzAfO]gWN;h#30K=)%}X1jIHNF<QdMskYG$9xj:9k\EZN6Mi!Hrt@\Oa8tqP%#%#
       Group name: %#%#qTp*MccD#Z[sHw4"pbzVHzAfO]gWN;h#30K=)%}X1jIHNF<QdMskYG$9xj:9k\EZN6Mi!Hrt@\Oa8tqP%#%#
       Alias name:huawei
       Acl: 2000
       Storage-type: nonVolatile
Run the display snmp-agent sys-info version command. The command output shows the SNMP version running on the agent.
<HUAWEI> display snmp-agent sys-info version
 SNMP version running in the system:
           SNMPv1
Run the display acl acl-number command. The command output shows the rules in the specified ACL.
<HUAWEI> display acl 2000
Basic ACL  2000, 1 rule
Acl's step is 5
rule 5 permit source 1.1.1.1 0 (0 times matched)
Run the display snmp-agent mib-view command. The command output shows the MIB view.
<HUAWEI> display snmp-agent mib-view
View name: ViewDefault
       MIB Subtree: internet
       Subtree mask: F0(Hex)
       Storage-type: nonVolatile
       View Type: included
       View status: active

   View name: ViewDefault
       MIB Subtree: snmpCommunityMIB
       Subtree mask: FE(Hex)
       Storage-type: nonVolatile
       View Type: excluded
       View status: active

   View name: ViewDefault
       MIB Subtree: snmpUsmMIB
       Subtree mask: FE(Hex)
       Storage-type: nonVolatile
       View Type: excluded
       View status: active

   View name: ViewDefault
       MIB Subtree: snmpVacmMIB
       Subtree mask: FE(Hex)
       Storage-type: nonVolatile
       View Type: excluded
       View status: active

Run the display snmp-agent mib modules command. The command output shows the information about a loaded MIB file.

<HUAWEI> display snmp-agent mib modules
BGP4-MIB:
    resource : allmibs_mib.bin
    mib      : bgp4-mib.mib

DISMAN-PING-MIB:
    resource : allmibs_mib.bin
    mib      : disman-ping-mib.mib
Run the display snmp-agent sys-info contact command. The command output shows the device administrator's contact information.
<HUAWEI> display snmp-agent sys-info contact
   The contact person for this managed node:
           R&D Beijing, Huawei Technologies co.,Ltd.
Run the display snmp-agent sys-info location command. The command output shows the location of the device.
<HUAWEI> display snmp-agent sys-info location
   The physical location of this node:
           Beijing China  

Run the display current-configuration configuration snmp command. The command output shows the current configuration of SNMP.

<HUAWEI> display current-configuration configuration snmp
#
snmp-agent
snmp-agent local-engineid 800007DB03360D0A111110
#
snmp-agent sys-info version v1                                                  
undo snmp-agent sys-info version v3
snmp-agent target-host trap address udp-domain 1.1.1.1 params securityname cipher %#%#p,[';vISF&eOO7AF2%oAA[p`U\b6wIipjB,:x^EJ%#%#
#
snmp-agent trap source GigabitEthernet0/1/1
snmp-agent packet max-size 2000
return

Run the display snmp-agent vacmgroup command to view VACM groups.

<HUAWEI> display snmp-agent vacmgroup
--------------------------------------------------
Security name  : john
Group name     : johngroup
Security model : USM
--------------------------------------------------
Run the display snmp-agent target-host command. The command output shows information about the target host.
<HUAWEI> display snmp-agent target-host
Target-host NO. 1
---------------------------------------------------------------------------
  Host-name                        : -
  IP-address                       : 10.18.27.183
  Source interface                 : -
  VPN instance                     : -
  Security name                    : %#%#yowoL2.\8~LKL5*|k[h'3`Nv:DX;Y-$tU=SWNu[*%#%#
  Port                             : 162
  Type                             : trap
  Version                          : v1
  Level                            : No authentication and privacy
  NMS type                         : NMS
  With ext-vb                      : No
  Notification filter profile name : -
---------------------------------------------------------------------------

Target-host NO. 2
---------------------------------------------------------------------------
  Host-name                        : -
  IP-address                       : 10.18.27.184
  Source interface                 : -
  VPN instance                     : -
  Security name                    : %#%#[7SCH}$<HX.vZ8%7YS3L:IsCPA^LbRRK-`/6"i"$%#%#
  Port                             : 162
  Type                             : trap
  Version                          : v1
  Level                            : No authentication and privacy
  NMS type                         : NMS
  With ext-vb                      : No
  Notification filter profile name : -
---------------------------------------------------------------------------
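
The output of display current-configuration configuration snmp can also be reviewed mechanically against the recommendations made in the procedures above. This is an added example, not Huawei's code: the function names, finding codes, view name nms-view and sample configuration are constructed, and the ciphertext values are placeholders.

```python
# Constructed sample in the layout of the page's
# "display current-configuration configuration snmp" output.
SAMPLE_CONFIG = """\
#
snmp-agent
snmp-agent community write cipher %#%#PLACEHOLDER-A%#%#
snmp-agent community read cipher %#%#PLACEHOLDER-B%#%# mib-view nms-view acl 2000
snmp-agent community complexity-check disable
#
snmp-agent sys-info version v1
undo snmp-agent sys-info version v3
#
snmp-agent trap source GigabitEthernet0/1/1
snmp-agent blacklist ip-block disable
return
"""

# Why each finding matters, in the terms the guide itself uses.
WHY = {
    "V1_ENABLED": "SNMPv1 has a security risk; SNMPv3 is recommended",
    "V3_DISABLED": "SNMPv3 has been turned off",
    "COMPLEXITY_CHECK_OFF": "community-name complexity check is disabled",
    "BLACKLIST_OFF": "IP blacklist (anti-attack) function is disabled",
    "TRAP_SOURCE_NOT_LOOPBACK": "a loopback trap source is recommended",
    "WRITE_COMMUNITY": "community grants read and write permissions",
    "COMMUNITY_WITHOUT_ACL": "any NMS using the community name is accepted",
    "COMMUNITY_USES_DEFAULT_VIEW": "access covers the Viewdefault view (1.3.6.1)",
}


def audit_snmp_config(text):
    """Return (line_number, code) findings; secrets are never echoed back."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        tok = raw.split()
        line = " ".join(tok)
        if line.startswith("snmp-agent sys-info version") and "v1" in tok[3:]:
            findings.append((num, "V1_ENABLED"))
        elif line == "undo snmp-agent sys-info version v3":
            findings.append((num, "V3_DISABLED"))
        elif line == "snmp-agent community complexity-check disable":
            findings.append((num, "COMPLEXITY_CHECK_OFF"))
        elif line == "snmp-agent blacklist ip-block disable":
            findings.append((num, "BLACKLIST_OFF"))
        elif tok[:3] == ["snmp-agent", "trap", "source"] and len(tok) > 3:
            if not tok[3].lower().startswith("loopback"):
                findings.append((num, "TRAP_SOURCE_NOT_LOOPBACK"))
        elif (tok[:2] == ["snmp-agent", "community"] and len(tok) > 3
              and tok[2] in ("read", "write")):
            # Options follow the name: skip "cipher <text>" or "<name>".
            opts = tok[5:] if tok[3] == "cipher" else tok[4:]
            if tok[2] == "write":
                findings.append((num, "WRITE_COMMUNITY"))
            if "acl" not in opts:
                findings.append((num, "COMMUNITY_WITHOUT_ACL"))
            if "mib-view" not in opts:
                findings.append((num, "COMMUNITY_USES_DEFAULT_VIEW"))
    return findings


def describe(findings):
    """Render findings as 'line N: CODE (reason)' strings for a report."""
    return [f"line {num}: {code} ({WHY[code]})" for num, code in findings]


if __name__ == "__main__":
    print("\n".join(describe(audit_snmp_config(SAMPLE_CONFIG))))
```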
Updated: 2019-01-02

Document ID: EDOC1100058392