CLI-based Configuration Guide - Network Management and Monitoring

AR100, AR120, AR160, AR1200, AR2200, AR3200, and AR3600 V300R003

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.

Configuring Basic SNMPv3 Functions

Precaution

When configuring security levels, ensure that the security level of the target host is not lower than that of the user, and that the security level of the user is not lower than that of the user group.

SNMPv3 uses the following security levels, listed in descending order:
  • privacy: authentication and encryption
  • authentication: only authentication
  • none: no authentication and no encryption

For example, if the security level of a user group is privacy, the security levels of the users and the trap host must be privacy; if the security level of a user group is authentication, the security levels of the users and the trap host can be privacy or authentication.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run snmp-agent server-source { -a [ ipv6 ] source-ip-address | -i [ ipv6 ] interface-type interface-number }

    The source IP address used by the SNMP server to send packets is specified.

    By default, the SNMP server uses source IP address 0.0.0.0 to send packets.

    If the default value 0.0.0.0 is not changed, the device selects a source IP address according to routing entries to send packets. When an ACL is configured to filter incoming and outgoing packets on a device, the ACL rules are configured based on interface IP addresses, and packet filtering is affected by interface status. You can select a stable interface as the source interface, for example, the loopback interface. Setting the source or destination address in an ACL rule as a stable interface's address can simplify the configurations of ACL rules and security policies. In addition, packet filtering will not be affected by interface IP addresses and interface status, and device security is improved.

  3. (Optional) Run snmp-agent

    The SNMP agent is enabled.

    By default, the SNMP agent is disabled. Running the snmp-agent command enables the SNMP agent regardless of whether a parameter is specified in the command.

  4. (Optional) Run snmp-agent sys-info version v3

    The SNMP version is set.

    By default, the device supports SNMPv3.

  5. (Optional) Run snmp-agent local-engineid { engineid | sysname }

    An engine ID is set for the local SNMP entity.

    By default, the device automatically generates an engine ID using an internal algorithm. The engine ID is composed of the enterprise number and device information.

    If you change an automatically generated engine ID to a manually set one, the SNMPv3 user matching the engine ID is deleted.

  6. Run snmp-agent group v3 group-name { authentication | noauth | privacy } [ notify-view notify-view ]

    An SNMPv3 user group is configured.

    If the NMS or network devices are in an insecure environment (for example, the network is vulnerable to attacks), authentication or privacy can be configured in the command to enable data authentication or privacy.

    NOTE:
    • Specify the parameter notify-view notify-view when the device needs to send a trap to the NMS.
    • Different user groups can use the same group name. Groups with the same name can use different authentication modes, for example, authentication + encryption and non-authentication + non-encryption. You can select authentication modes as required.
    • Configuring different modes for the groups with the same name may lead to misoperations or an unexpected authentication result. In addition, if one authentication mode is set to non-authentication + non-encryption, there will be a security risk.

  7. Run snmp-agent usm-user v3 user-name [ group group-name | acl acl-number ] *

    A user is added to the SNMPv3 user group.

  8. Run snmp-agent usm-user v3 user-name authentication-mode { md5 | sha }

    An authentication password is configured for the SNMPv3 user.

    The MD5 authentication algorithm cannot ensure security; the SHA algorithm is recommended.

  9. Run snmp-agent usm-user v3 user-name privacy-mode { aes128 | des56 }

    An encryption password is configured for the SNMPv3 user.

    After a user is added to the user group, the NMS that uses the name of the user can access the objects in the ViewDefault view (OID: 1.3.6.1 and OID: 1.2.840.10006.300.43). If you change an automatically generated engine ID to a manually set one, the SNMPv3 user matching the engine ID is deleted.

    If authentication and privacy have been enabled for the user group, the following authentication and privacy modes can be configured for the data transmitted on the network.

    The AES128 algorithm is recommended because it improves data transmission security.

  10. Run snmp-agent target-host trap-paramsname paramsname v3 securityname securityname { authentication | noauthnopriv | privacy } [ binding-private-value ][ private-netmanager ]

    Parameters for sending traps are set.

  11. Run snmp-agent target-host trap-hostname hostname address { ipv4-addr [ udp-port udp-portid ] [ public-net | vpn-instance vpn-instance-name ] | ipv6 ipv6-addr [ udp-port udp-portid ] } trap-paramsname paramsname [ notify-filter-profile profile-name ]

    The target host for receiving traps and error codes is specified.

    NOTE:

    Before configuring a device to send traps, confirm that the information center has been enabled. To enable the information center, run the info-center enable command.

    Note the following points when running the commands:

    • The default destination UDP port number is 162. To ensure secure communication between the NMS and managed devices, change the UDP port number to a non-well-known port number by specifying the udp-port parameter.

    • If traps sent from the managed device to the NMS need to be transmitted over a public network, the public-net parameter needs to be configured. If traps sent from the managed device to the NMS need to be transmitted over a private network, the vpn-instance vpn-instance-name parameter needs to be configured to specify a VPN that will take over the transmission task.

  12. (Optional) Run snmp-agent sys-info { contact contact | location location }

    The equipment administrator's contact information or location is configured.

    By default, the vendor's contact information is "R&D Shenzhen, Huawei Technologies Co.,Ltd." The default location is "Shenzhen China."

    This step is required for the NMS administrator to view contact information and locations of the equipment administrator when the NMS manages many devices. This helps the NMS administrator to contact the equipment administrators for fault location and rectification.

    To configure both the equipment administrator's contact information and location, run the snmp-agent sys-info command twice.
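
The following is an added example, not part of Huawei's guide: a Python check that reads commands written in the syntax of steps 6 to 11 and reports violations of the security-level ordering from the Precaution, together with the options the notes above advise against (noauth groups, md5, des56, the default trap port). The sample configuration, its user, group and host names, and the 192.0.2.10 address are constructed; deriving a user's level from which of authentication-mode and privacy-mode are present is an assumption of this example.

```python
LEVEL = {"noauth": 0, "noauthnopriv": 0, "authentication": 1, "privacy": 2}

# Constructed sample, not from a real device; all names and the address are made up.
SAMPLE = """\
snmp-agent group v3 ops-group privacy notify-view ViewDefault
snmp-agent group v3 legacy-group noauth
snmp-agent usm-user v3 nms-admin group ops-group
snmp-agent usm-user v3 nms-admin authentication-mode sha
snmp-agent usm-user v3 nms-admin privacy-mode aes128
snmp-agent usm-user v3 old-poller group ops-group
snmp-agent usm-user v3 old-poller authentication-mode md5
snmp-agent target-host trap-paramsname trap-params v3 securityname nms-admin authentication
snmp-agent target-host trap-hostname nms1 address 192.0.2.10 trap-paramsname trap-params
"""

def after(tokens, key):
    """Return the token that follows key, or None if key is absent."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else None

def audit(config):
    groups, users, traps, findings = {}, {}, [], []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["snmp-agent", "group", "v3"] and len(t) > 4:
            groups[t[3]] = LEVEL.get(t[4], 0)
            if t[4] == "noauth":
                findings.append(f"group {t[3]}: no authentication and no encryption")
        elif t[:3] == ["snmp-agent", "usm-user", "v3"] and len(t) > 4:
            u = users.setdefault(t[3], {})
            for key in ("group", "authentication-mode", "privacy-mode"):
                u[key] = after(t[4:], key) or u.get(key)
        elif t[:3] == ["snmp-agent", "target-host", "trap-paramsname"] and "securityname" in t[:-2]:
            i = t.index("securityname")
            traps.append((t[3], t[i + 1], LEVEL.get(t[i + 2], 0)))
        elif t[:3] == ["snmp-agent", "target-host", "trap-hostname"] and "udp-port" not in t:
            findings.append(f"trap host {t[3]}: default UDP port 162")
    level = {}
    for name, u in users.items():
        auth, priv = u.get("authentication-mode"), u.get("privacy-mode")
        level[name] = 2 if auth and priv else 1 if auth else 0  # assumed mapping
        for mode, weak, good in ((auth, "md5", "sha"), (priv, "des56", "aes128")):
            if mode == weak:
                findings.append(f"user {name}: {weak} configured, {good} recommended")
        if level[name] < groups.get(u.get("group"), 0):  # user must not be below its group
            findings.append(f"user {name}: level below group {u['group']}")
    for params, user, lvl in traps:  # trap host must not be below the user
        if lvl < level.get(user, 0):
            findings.append(f"trap params {params}: level below user {user}")
    return findings
```

Calling audit(SAMPLE) returns five findings; a configuration in which every group, user and trap parameter set is at privacy with sha and aes128 and a non-default udp-port returns an empty list.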

Updated: 2019-03-06

Document ID: EDOC1100069336