
Configuration Guide - Network Management and Monitoring

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of Network Management and Monitoring, including SNMP, RMON, LLDP, NQA, Service Diagnosis, Mirroring, Packet Capture, sFlow, and NETCONF.
Configuring Basic SNMPv3 Functions

Context

When you configure a destination IP address for traps and error codes sent from the managed devices, configure the trap or inform function as required.
  • The traps sent by the managed device do not need to be acknowledged by the NMS.

  • The informs sent by the managed device need to be acknowledged by the NMS. If no acknowledgement message is received from the NMS within a specified time period, the managed device resends the inform until the number of retransmissions reaches the maximum.

    When sending an inform to the NMS, the managed device also records the inform in the log. If an inform is sent while the NMS is faulty or the link between the NMS and the managed device is down, the NMS can still receive the inform after the fault is rectified.

Informs are therefore more reliable than traps, but the retransmission mechanism may require the device to buffer many informs, which consumes a large amount of memory. If the network is stable, using traps is recommended. If the network is unstable and the device has sufficient memory, using informs is recommended.
NOTE:

The security name, authentication and encryption parameters, and port number on the network management side must be the same as the user name, authentication and encryption parameters, and port number on the device side, and the SNMP version on the network management side must be enabled on the device; otherwise, the NMS cannot connect to the device.

Precaution

When configuring security levels, ensure that the target host has the highest security level, users have the second highest security level, and user groups have the lowest security level.

SNMPv3 uses the following security levels (listed from most to least secure):
  • privacy: authentication and encryption
  • authentication: only authentication
  • none: no authentication and no encryption

For example, if the security level of a user group is privacy, the security levels of users and trap host must be privacy; if the security level of a user group is authentication, the security levels of users and trap host can be privacy or authentication.

NOTE:

If the user security level is none (neither authentication nor encryption), the user has only read-only permission within MIB-2 (OID: 1.3.6.1.2.1).

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run snmp-agent

    The SNMP agent is enabled.

    By default, the SNMP agent is disabled. Executing the snmp-agent command can enable the SNMP agent, even if no parameter is specified in the command.

  3. (Optional) Run snmp-agent udp-port port-num

    The port number of the SNMP agent is changed.

    The default port number of the SNMP agent is 161.

    This command enhances device security. After the port number that the SNMP agent uses to communicate with the NMS is changed, ensure that the port number configured on the NMS is the same as the changed port number; otherwise, the SNMP agent cannot connect to the NMS.

  4. (Optional) Run snmp-agent sys-info version v3

    The SNMP version is set.

    By default, the device supports SNMPv3.

  5. (Optional) Run snmp-agent local-engineid engineid

    An engine ID is set for the local SNMP entity.

    By default, the device automatically generates an engine ID using the internal algorithm. An engine ID is composed of an enterprise number and device information.

    If you manually set the engine ID, the SNMPv3 user matching the default engine ID is deleted.

    NOTE:

    To improve system security, configure the device to check consistency between the contextEngineID on the NMS and the local engine ID by running the snmp-agent packet contextengineid-check enable command.

  6. (Optional) Run snmp-agent password min-length min-length

    The minimum length of SNMP password is set.

    By default, the minimum length of SNMP password is 8.

    After this command is run, the authentication or encryption password of the SNMPv3 user cannot be shorter than the minimum length of SNMP password.

  7. Run snmp-agent group v3 group-name { authentication | privacy | noauthentication }

    An SNMPv3 user group is configured.

    If the NMS and device are in an insecure environment (for example, the network is vulnerable to attacks), authentication or privacy can be configured in the command to enable data authentication or privacy.

  8. Select one of the following methods to configure SNMPv3 users:

    • Method 1:

      Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name group-name [ authentication-mode { md5 | sha } password [ privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } password ] ] [ acl { acl-number | acl-name } ] command to configure SNMPv3 user information.

      By default, no SNMPv3 user is configured.

    • Method 2:

      1. Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group group-name | acl { acl-number | acl-name } ] * command to configure an SNMPv3 user.
      2. Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name authentication-mode { md5 | sha } [ [ localized-configuration ] cipher password ] command to set an authentication password for the SNMPv3 user.
      3. Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name privacy-mode { 3des168 | aes128 | aes192 | aes256 | des56 } [ [ localized-configuration ] cipher password ] command to set an encryption password for the SNMPv3 user.

      By default, no SNMPv3 user is configured.

    By default, complexity check is performed for the authentication and encryption passwords of SNMPv3 users. If the check fails, the password configuration does not take effect. To ensure security for SNMPv3 users, you are not advised to run the snmp-agent usm-user password complexity-check disable command to disable complexity check for the authentication and encryption passwords of SNMPv3 users.

    The complexity requirements for the authentication and encryption passwords of SNMPv3 users are as follows:

    • The password contains at least eight characters.

    • The password cannot be the same as the user name or the user name reversed.

    • The password must be a combination of at least two of the following: uppercase letters A to Z, lowercase letters a to z, digits, and special characters (question marks and spaces are not supported). If the string is enclosed in double quotation marks (" "), the string can contain spaces.

    NOTE:

    By default, no authentication and no encryption are performed for SNMPv3 users. To improve system security, configure an authentication password and an encryption password, and ensure that the two passwords are different.

    After a user is added to the user group, the NMS that uses the name of the user can access the objects in the ViewDefault view (OID: 1.3.6.1).

    If you manually set the engine ID, the SNMPv3 user matching the default engine ID is deleted.

    Do not use the MD5 algorithm for SNMPv3 authentication or use the DES56 or 3DES168 algorithm for SNMPv3 encryption, because these algorithms are not secure.

    When a device is configured to send informs, the trap host needs to return reply packets; therefore, the NMS-side engine ID must be configured on the device. In this situation, the remote-engineid engineid parameter must be set to the engine ID of the trap host.

  9. Choose one of the following commands according to your network requirements to configure a destination IP address of the traps and error codes sent from the device.

    NOTE:

    Before configuring a device to send traps, confirm that the information center has been enabled. The information center can be enabled by running the info-center enable command.

    • When the managed device and NMS reside on an IPv4 network, configure the device to send either traps or informs to the NMS as follows:
      • To configure a destination IP address for the traps and error codes sent from the device.

        Run snmp-agent target-host [ host-name host-name ] trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net } ] * params securityname security-name [ v3 [ authentication | privacy ] | private-netmanager | ext-vb | notify-filter-profile profile-name | heart-beat enable ] *

      • To configure a destination IP address for the informs and error codes sent from the device.

        Run snmp-agent target-host [ host-name host-name ] inform address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | { vpn-instance vpn-instance-name | public-net } ] * params securityname security-name v3 [ authentication | privacy ] [ private-netmanager | ext-vb | notify-filter-profile profile-name | heart-beat enable ] *

    • When the managed device and NMS reside on an IPv6 network, run the following command to set the target host that receives traps and error codes:

      snmp-agent target-host [ host-name host-name ] trap ipv6 address udp-domain ipv6-address [ udp-port port-number | [ vpn-instance vpn-instance-name | public-net ] ] * params securityname security-name [ v3 [ authentication | privacy ] | private-netmanager | ext-vb | notify-filter-profile profile-name ] *

      NOTE:

      An IPv6 network supports only traps, but does not support informs.

    Note the following before running the commands:
    • The default destination UDP port number is 162. To ensure secure communication between the NMS and managed devices, change the UDP port number to a lesser-known port number by running the udp-port command.

    • The securityname parameter identifies the devices that send traps to the NMS.

  10. (Optional) Configure the switch to listen for SNMP request packets from the NMS only on a specified source interface or source IPv6 address.

    • On an IPv4 network, run the snmp-agent protocol source-interface interface-type interface-number command to configure the interface used to receive SNMP packets from and send SNMP packets to the NMS.

      By default, the interface used to receive SNMP packets from and send SNMP packets to the NMS is not configured.

      After SNMP is bound to the source interface, SNMP listens only on this interface, through which the NMS communicates with the device. If the source interface or its IP address is deleted, SNMP stops receiving IP packets, and communication between the NMS and the device is interrupted. After the source interface's IP address is changed, the NMS can communicate with the device only through the new IP address.

    • On an IPv6 network, run the snmp-agent protocol ipv6 source-ip ipv6-address command to configure the device to listen on the IPv6 addresses of SNMP request packets from the NMS.

      By default, no source IPv6 address is configured. A switch can use any reachable IPv6 address in communication with other devices.

  11. (Optional) Run snmp-agent protocol [ ipv6 ] { vpn-instance vpn-instance-name | public-net }

    The switch is configured to receive and respond to SNMP request packets from the specified VPN instance or the public network.

    By default, a switch receives and responds to the SNMP request packets from the global VPN instances and public network.

  12. (Optional) Run snmp-agent protocol server [ ipv4 | ipv6 ] disable

    The SNMP IPv4 or IPv6 listening port is disabled.

    By default, the SNMP IPv4 or IPv6 listening port is disabled.

    After you disable the SNMP IPv4 or IPv6 listening port using this command, SNMP no longer processes SNMP packets. Exercise caution when running this command.

  13. (Optional) Run snmp-agent protocol get-bulk timeout time

    The delay after which the device returns information in response to the get-bulk operation of the NMS is set.

    By default, the device returns information 2s after the NMS performs a get-bulk operation.

    The default delay of 2s is recommended. If you need to change the value, ensure that it is smaller than the timeout interval set on the NMS.

  14. (Optional) Run snmp-agent sys-info { contact contact | location location }

    The device administrator's contact information or location is configured.

    By default, the device administrator's contact information is "R&D Beijing, Huawei Technologies Co.,Ltd." and location is "Beijing China."

    This step is required for the NMS administrator to view contact information and locations of the device administrator when the NMS manages many devices. This helps the NMS administrator to contact the device administrator for fault location and rectification.

  15. Run commit

    The configuration is committed.
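The following audit script is an added example, not Huawei tooling and not part of this guide: it takes a constructed CloudEngine configuration snippet that follows the procedure above (method 1 syntax for the usm-user v3 command, whitespace-separated tokens, no quoted passwords) and checks it against the rules stated on this page: the Precaution section's security-level ordering (target host at or above user, user at or above group), the step 8 password complexity rules and the advice against MD5, DES56 and 3DES168, the identical-password note, the contextengineid-check recommendation from step 5, and the default-port advice from steps 3 and 9. The second user, its group and the nms2 target host in the sample are deliberately misconfigured so the audit has findings to report.

```python
"""Audit a CloudEngine SNMPv3 configuration against the rules stated in this guide.
Editor-added example, not Huawei tooling; the configuration below is constructed."""
# Security levels from most to least secure (privacy > authentication > none).
LEVELS = {"privacy": 2, "authentication": 1, "noauthentication": 0, "none": 0}
WEAK_AUTH, WEAK_PRIV = {"md5"}, {"des56", "3des168"}  # the guide says not to use these

# Constructed sample; the 'legacy' user and host nms2 are deliberately misconfigured.
SAMPLE_CONFIG = """\
snmp-agent
snmp-agent udp-port 10161
snmp-agent packet contextengineid-check enable
snmp-agent password min-length 12
snmp-agent group v3 nms-ro privacy
snmp-agent usm-user v3 nmsuser nms-ro authentication-mode sha Auth-Example-2019 privacy-mode aes256 Priv-Example-2019
snmp-agent target-host host-name nms1 trap address udp-domain 192.0.2.10 udp-port 10162 params securityname nmsuser v3 privacy
snmp-agent group v3 legacy authentication
snmp-agent usm-user v3 legacyuser legacy authentication-mode md5 Legacy-Pass-01 privacy-mode des56 Legacy-Pass-01
snmp-agent target-host host-name nms2 trap address udp-domain 192.0.2.11 params securityname legacyuser v3 authentication
"""

def after(tok, key, n=1, default=None):
    """Return the n token(s) following `key` on a command line, else `default`."""
    vals = tok[tok.index(key) + 1:][:n] if key in tok else []
    return default if len(vals) < n else (vals[0] if n == 1 else vals)

def complexity_problems(pw, username, min_len=8):
    """Step 8 complexity rules (passwords quoted to contain spaces are not handled here)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"is shorter than {min_len} characters")
    if pw in (username, username[::-1]):
        problems.append("equals the user name or its reverse")
    classes = sum(any(f(c) for c in pw) for f in (str.isupper, str.islower, str.isdigit))
    if classes + any(not c.isalnum() for c in pw) < 2:
        problems.append("uses fewer than two character classes")
    if "?" in pw:
        problems.append("contains a question mark")
    return problems

def parse_config(text):
    """Pick out the SNMPv3 settings this audit checks (method 1 usm-user syntax)."""
    cfg = {"groups": {}, "users": {}, "hosts": {}, "ctx_check": False, "agent_port": 161, "min_len": 8}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["snmp-agent"]:
            continue
        if tok[1:4] == ["packet", "contextengineid-check", "enable"]:
            cfg["ctx_check"] = True
        elif tok[1:2] == ["udp-port"]:
            cfg["agent_port"] = int(tok[2])
        elif tok[1:3] == ["password", "min-length"]:
            cfg["min_len"] = int(tok[3])
        elif tok[1:3] == ["group", "v3"]:
            cfg["groups"][tok[3]] = tok[4]
        elif tok[1:3] == ["usm-user", "v3"]:
            auth, priv = after(tok, "authentication-mode", 2, [None] * 2), after(tok, "privacy-mode", 2, [None] * 2)
            cfg["users"][tok[3]] = {"group": tok[4], "auth": auth[0], "auth_pw": auth[1], "priv": priv[0], "priv_pw": priv[1]}
        elif tok[1:2] == ["target-host"]:
            lvl = after(tok, "v3", default="none")
            cfg["hosts"][after(tok, "host-name")] = {"securityname": after(tok, "securityname"),
                "level": lvl if lvl in LEVELS else "none", "port": int(after(tok, "udp-port", default=162))}
    return cfg

def user_level(u):
    return "privacy" if u["auth"] and u["priv"] else "authentication" if u["auth"] else "none"

def audit(text):
    """Return a list of findings; an empty list means the snippet follows the guide."""
    cfg, out = parse_config(text), []
    if not cfg["ctx_check"]:
        out.append("contextEngineID consistency check is not enabled")
    if cfg["agent_port"] == 161:
        out.append("SNMP agent still listens on the default UDP port 161")
    for name, u in cfg["users"].items():
        lvl, grp = user_level(u), cfg["groups"].get(u["group"], "none")
        if u["auth"] in WEAK_AUTH:
            out.append(f"user {name}: weak authentication algorithm {u['auth']}")
        if u["priv"] in WEAK_PRIV:
            out.append(f"user {name}: weak encryption algorithm {u['priv']}")
        if lvl == "none":
            out.append(f"user {name}: no authentication or encryption (read-only MIB-2 access)")
        if u["auth_pw"] and u["auth_pw"] == u["priv_pw"]:
            out.append(f"user {name}: authentication and encryption passwords are identical")
        for pw in filter(None, (u["auth_pw"], u["priv_pw"])):
            out += [f"user {name}: password {p}" for p in complexity_problems(pw, name, cfg["min_len"])]
        if LEVELS[grp] > LEVELS[lvl]:  # Precaution: a group must not outrank its users
            out.append(f"user {name}: level {lvl} is below group {u['group']} level {grp}")
    for hname, h in cfg["hosts"].items():
        u = cfg["users"].get(h["securityname"])
        if u is None:
            out.append(f"target-host {hname}: securityname {h['securityname']} is not a configured user")
        elif LEVELS[h["level"]] < LEVELS[user_level(u)]:  # Precaution: the target host has the highest level
            out.append(f"target-host {hname}: level {h['level']} is below user level {user_level(u)}")
        if h["port"] == 162:
            out.append(f"target-host {hname}: uses the default UDP port 162")
    return out

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Run against the sample, the audit reports the MD5 and DES56 choices, the reused password, and the nms2 target host whose security level (authentication) is below that of the user it references (privacy) while still using UDP port 162; the first user, group and target host produce no findings. The parser deliberately covers only the command forms used in this procedure, so a real running configuration exported from a device would need the method 2 (separate authentication-mode and privacy-mode lines) and cipher forms added before the script could be trusted on it.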

Updated: 2019-04-20

Document ID: EDOC1100075344
