Local User Policy

Password Policy

Password Expire Days(d)

Password validity period. The value ranges from 0 to 999. The default value is 90.

If the value is 0, the password is permanently valid.

Password History Record Number

Maximum number of historical passwords that can be recorded for each user. The value ranges from 0 to 12. The default value is 5.

SNMP

Global configuration

Version

SNMP version to use:

• v2c: indicates SNMPv2c. SNMPv2c is not secure enough. You are advised to use SNMPv3.
• v3: indicates SNMPv3.

Trap enable

The value is an enumerated type and case-sensitive. The options include:

• enable-all: enables the router to send trap messages.
• disable-all: disables the router to send trap messages.

Trap queue size

Specifies the length of the queue for sending trap messages.

Complexity check

Enables or disables password complexity check.

Source interface

Type and number of the source interface that sends trap messages.

• GigabitEthernet interface, for example, GigabitEthernet0/0/1
• GigabitEthernet sub-interface, for example, GigabitEthernet0/0/1.10
• XGigabitEthernet interface, for example, XGigabitEthernet0/0/2
• XGigabitEthernet sub-interface, for example, XGigabitEthernet0/0/2.10
• Ethernet interface, for example, Ethernet1/0/1
• Ethernet sub-interface, for example, Ethernet1/0/1.10
• Loopback interface, for example, LoopBack10
• Tunnel interface, for example, Tunnel0/0/10
• VLANIF interface, for example, Vlanif10
• Eth-Trunk interface, for example, Eth-Trunk3

Server source

Specifies the source IP address for sending trap messages.

SNMPv2c Version

Community

Index

Index of an SNMP community name. The value is case sensitive.

Security name

SNMP community name. The value is a string of case-sensitive characters and cannot contain spaces.

Authority

• read-only: indicates that the community with a specified name has the read-only permission in the specified MIB view.
• read-write: indicates that the community with a specified name has the read-write permission in the specified MIB view.

Basic ACL Identify

Number of the ACL matching the community name.

Trap target params

Name

Name of a parameter list for sending trap messages.

Community index

SNMP community name.

Target host

Target params

Specifies the name of the parameter list for sending trap messages to the target host.

Name

Specifies the name of the target host.

IP

Specifies the IP address of the target host.

Port

Port number used by the target host to receive trap messages.

VPN

Name of a VPN instance.

SNMPv3 Version

Group

Name

Specifies a name of an SNMP group.

Security level

Specifies the security level of an SNMP group. The options are as follows:

• no authentication,no privacy(There are safety risks, so it is not recommended to choose): indicates that packets are neither authenticated nor encrypted.
• authentication,no privacy(There are safety risks, so it is not recommended to choose): indicates that packets are authenticated but not encrypted.
• authentication and privacy: Packets are authenticated and encrypted.

Basic ACL Identify

ACL corresponding to the user group.

Readview

MIB view on which users in the group have the read-only permission.

Writeview

MIB view on which users in the group have the read-write permission.

Notifyview

MIB view on which users in the group have the notification permission.

MIB view

Name

MIB view name. If both the whitelist A and the blacklist B are configured in the MIB view, subtrees that are included in the whitelist A but not included in the blacklist B take effect in the MIB view.

WhiteList

MIB subtree included in the MIB view.

BlackList

MIB subtree excluded from the MIB view.

User

User

Group name

Specifies the group name of the user.

Name

SNMPv3 user name.

Authentication

Password

Password for HMAC-SHA-96 authentication.

Privacy

Algorithm

Algorithm for encrypting the PDU in a packet. The options include:

• aes128: indicates the AES-128 encryption algorithm.
• aes256: indicates the AES-258 encryption algorithm.

Password

Password for the AES-128 or AES-256 encryption algorithm.

Target params

Name

Name of a parameter list for sending trap messages.

User name

SNMP user name.

Security level

Indicates the security level of a trap message when the protocol for transmitting the trap message is SNMPv3. The options are as follows:

• no authentication,no privacy(There are safety risks, so it is not recommended to choose): indicates that packets are neither authenticated nor encrypted.
• authentication,no privacy(There are safety risks, so it is not recommended to choose): indicates that packets are authenticated but not encrypted.
• authentication and privacy: Packets are authenticated and encrypted.

Target host

Target params name

Specifies the name of the parameter list for sending trap messages to the target host.

Name

Specifies the name of the target host.

IP

Specifies the IP address of the target host.

Port

Specifies the port number used by the target host to receive trap messages.

VPN

Specifies the name of a VPN instance.

NQA

Global

Test instance name

Name of an NQA test instance. The value is a string of 1 to 32 case-sensitive characters, excluding question marks (?), hyphens (-), and double quotation marks (").

Test instance type

Type of an NQA test instance. Only ICMP is supported.

ICMP

Destination IP address type

Destination address type of the NQA test instance. The value can be IPv4 or IPv6.

Destination IPv4/IPv6 address

Destination address for the NQA test instance.

Source interface

Source interface of the NQA test instance.

Test instance VPN

VPN instance for the NQA test instance. The value is a string of 1 to 31 case-sensitive characters without spaces. If spaces are used, the string must be enclosed in double quotation marks (").

Number of sent packets

Number of probe packets to be sent each time in the NQA test instance. The value is an integer from 1 to 15. The default value is 5.

Packet sending interval (s)

Interval at which an NQA test instance sends a probe packet. The value ranges from 1 to 60. The default value is 4.

Timeout interval (s)

Timeout period for a probe of the NQA test instance. The value is an integer from 1 to 60, in seconds. The default value is 3.

The timeout period refers to the time for waiting for a response packet after a probe is sent. If no response packet is received within the timeout period, the probe is considered failed. You need to set the timeout period based on the actual networking. If a small timeout period is set, the NQA test instance may fail.

Cyclic Scheduling Period (s)

Interval at which the NQA test instance is automatically executed. The value range is from 1 to 604800. The default value is 22.

If a test instance needs to be performed periodically during the period between the start time and end time, you can set the interval at which the NQA test instance is performed automatically.

Data size (byte)

Size of an NQA probe packet. The value is an integer from 0 to 8100, in bytes. The default value is 0. If the configured packet size is smaller than the default packet size, the default packet size is used for packet processing.

TTL

Time To Live (TTL) value for NQA probe packets. The value is an integer from 1 to 255. The default value is 30.

To prevent probe packets from being transmitted endlessly, the test instance must be performed within a specified number of hops.

ToS

Service type of an NQA probe packet. The value is an integer from 0 to 255. The default value is 0.

You can set the priority of probe packets by setting the ToS value. When a large number of packets are received, packets of high priorities are processed preferentially.

Conditions for sending traps

Condition for sending trap messages. Only the value testresult-change is supported, indicating that a trap message is sent upon a probe result change.

Start-up Switch

Status of the NQA test instance.

• Open: The NQA test instance starts immediately.
• Close

Basic ACL

Packets need to be filtered based only on the source IPv4 address.

Defines packet filtering rules based on information such as the source IPv4 address, action, and VPN instance.

Global

Identify

Identifier of an ACL. It can contain digits and letters.

• Basic ACL: The value is an integer from 2000 to 2999.

Basic rule

ID

ID of an ACL rule. All ACL rules are sorted in ascending order of rule IDs.

Source ip network type

Type of the IP addresses to be matched.

IPv4 address/Mask

Source IP address and mask to be matched.

Action

Whether to configure the device to accept or discard the data packets that match the ACL rule:

• permit: configures the device to accept the packets that match the rule.
• deny: configures the device to discard the packets that match the rule.

Creating an interface

Interface name

Name of an interface.

• Tunnel: Interfaces of this type are virtual tunnel interfaces. The interface name must be in the format of Tunnel0/0/A, where A ranges from 300 to 399. Such interfaces support all interface configurations available on the web UI.
• EthernetCsmacd: Interfaces of this type are universal interfaces. The Enable status can only be set to Open (undo shutdown) or Close (shutdown). Set a name in any of the following formats:
  • GigabitEthernet0/0/1
  • XGigabitEthernet0/0/1
  • Loopback10
  • Eth-trunk10
  • Vlanif10

Interface type

• Tunnel: indicates the tunnel interface type.
• EthernetCsmacd: indicates the universal interface type.

VPN

VPN instance to be bound to the interface.

Description

Description of the tunnel interface. The value is a string of 1 to 242 case-sensitive characters, spaces supported.

Enable status

Whether to enable or disable the interface.

IPv4

DSCP priority

DSCP priority of control packets.

8021P priority

802.1p priority of control packets generated by the device.

IPv4 address

IPv4 address for the tunnel interface.

Mask

IPv4 mask for the tunnel interface.

IPv6

IPv6 address

IPv6 address for the tunnel interface.

Mask

IPv6 mask for the tunnel interface.

Tunnel

Tunnel type

Tunneling protocol used by the tunnel interface. Currently, only GRE tunneling is supported.

VPN

Name of the VPN instance to which the destination address of the tunnel belongs. The VPN instance must already exist.

Source IPv4 address

Source address of a tunnel interface.

Destination IPv4 address

Destination address of a tunnel interface.

OSPF

Cost

Cost of an OSPF-enabled interface. In multicast implementation using GRE over SD-WAN EVPN tunnels, if the peer site is a dual-gateway site, a GRE tunnel needs to be established between the local device and each of the two gateways at the peer site. You can set this parameter for each tunnel interface to determine the active and standby tunnels. The tunnel with the tunnel interface that has a smaller OSPF cost value assumes the active role.

Basic Information

Process ID

ID of an OSPF process.

Router ID

The router ID must be a unique IPv4 address on the network. By default, the router ID of the route management module is 0.0.0.0 when no IP address is configured on the device.

VPN

Name of a VPN instance.

Area

Area ID

ID of an OSPF area. Area 0 is the backbone area.

Area type

Type of an OSPF area, which can be normal, stub, or NSSA.

normal: indicates that the OSPF area is a common area. Common areas include standard areas and backbone areas.

stub: A stub area allows only intra-area and inter-area routes to be advertised within this area.

nssa: An NSSA allows AS external routes to be imported.

Network

OSPF route.

Destination Prefix

Destination IPv4 address and mask length of a static route.

The format is X.X.X.X/Y, where Y is an integer in the range from 0 to 32.

VPN

Name of a VPN instance. If default-routing-instance is specified, no VPN instance is bound.

-

Next-Hop Type

• Destination VPN: The static route will search the routing table of the VPN instance for the outgoing interface.
• Destination VPN + IP address: The static route will search for the outgoing interface in the routing table of the VPN instance based on the configured destination IP address.
• IP address + Outbound interface: Traffic is forwarded through the outgoing interface specified in the static route.
• IP address: The static route will search for the outgoing interface based on the next-hop IP address.
• Outbound interface: Traffic is forwarded through the outgoing interface specified in the static route.

-

Destination VPN

Name of a next-hop VPN instance.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported. The character string can contain spaces if it is enclosed in double quotation marks (""). The value default-routing-instance indicates the next-hop public network.

Preference

Priority of a static route. A smaller value indicates a higher priority.

The value is an integer in the range from 1 to 255.

IPv4 Address

Next-hop IP address of a route.

The value is in dotted decimal notation.

Outgoing Interface Name

Name of the next-hop outgoing interface.

The value is an existing interface on the network devices, for example, Tunnel0/0/300.

Destination VPN

Name of a next-hop VPN instance.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported. The character string can contain spaces if it is enclosed in double quotation marks (""). The value default-routing-instance indicates the next-hop public network.

Enable DHCP

Whether to associate DHCP with the static route. A static route can be used for traffic forwarding only when a next-hop IP address is available. If the next hop manually specified for a static route changes, the device on which the static route is configured is unaware of the change. As a result, traffic fails to be forwarded along the static route. To prevent this problem, you can associate a static route with DHCP, through which the next hop is dynamically obtained.

• Open: The outgoing interface is associated with DHCP.
• Close: The outgoing interface is not associated with DHCP.
• Unconfigured: DHCP is not associated.

-

Description

Description of the IPv4 static route.

The value is a string of 1 to 80 case-sensitive characters, which can contain spaces but not the question mark (?).

Tag

Tag of a static route. By configuring different tag values, you can classify static routes to implement different route management policies. For example, other protocols can import static routes with specified tag values through routing policies.

The value is an integer in the range from 1 to 4294967295. The default value is 0.

Site ID

ID of the site where the destination network segment is located.

-

Global Configuration

Address family

ipv4multicast: enables IPv4 multicast routing globally.

Routing enable

Whether to enable the multicast routing function globally.

Binding VPN

VPN

VPN instance where multicast routing is to be enabled.

Routing enable

Whether to enable the multicast routing function in the specified VPN instance.

Apply multicast

Interface name

Interface on which the multicast function is to be configured.

PIM

Type

Enable PIM-DM or PIM-SM on the interface. Enabling PIM on an interface is the prerequisite for the interface to set up PIM neighbor relationships with other routers and to process PIM messages from its neighbors.

• pim-dm: applies to small-scale networks with densely distributed multicast group members. Currently, the controller supports multicast configuration on a PIM-DM network.
• pim-sm: applies to networks with a large number of sparsely distributed group members. Currently, the controller can only enable PIM-SM on interfaces. To configure a PIM-SM network, commands need to be run on the target devices to complete other required configurations.

Address family

IPv4 family: Enable PIM in the IPv4 address family.

IGMP

Enable IGMP

Whether to enable IGMP on the interface. A multicast device can process IGMP messages sent from multicast packet receivers only after IGMP is enabled on the interfaces connected to the receivers.

ID

ID of a BD.

The value is an integer. The value range varies according to devices. For details, see the description of the id parameter in the huawei-bd.yang file in the product documentation of the corresponding device model.

vlan ID

VLAN associated with a BD.

The value is an integer in the range from 1 to 4094.

Interface Name

Layer 2 interface associated with a BD.

The value must be an existing Layer 2 interface on the device, for example, GigabitEthernet0/0/1.

Nve ID

Number of an NVE interface.

The value is fixed at 1.

Local Address

Source VTEP IP address of a VXLAN tunnel.

The value is in dotted decimal notation.

Vni ID

VNI. Similar to a VLAN ID, a VNI identifies a VXLAN segment. Tenants on different VXLAN segments cannot communicate at Layer 2.

The value is an integer in the range from 0 to 16777215.

VNI Attachment

• layer2: configures a Layer 2 VXLAN gateway to provide Layer 2 services for the tenants at the site.
• layer3: configures a Layer 3 VXLAN gateway to provide Layer 3 services for the tenants at the site. Tenants at the site can communicate with tenants on external networks or on other VXLAN networks at Layer 3 through the Layer 3 VXLAN gateway.

-

BridgeDomain ID

This parameter needs to be set when VNI Attachment is set to layer2. A BD has a one-to-one mapping with a VNI. After a VTEP receives packets, it selects the suitable VXLAN tunnel to forward the packets based on the mapping between BDs and VNIs.

The value must be the ID of a created BD.

VPN

Name of a VPN instance. This parameter needs to be set when VNI Attachment is set to layer3.

The value is an integer from 1 to 31.

Peer Address

Remote VTEP IPv4 address of a VXLAN tunnel.

The value is in dotted decimal notation.

Controller name

Name of the controller with which the device is to be registered. The value must be the same as the actual controller name.

End point name

Name of the device after it is registered with the controller.

Southbound IPv4 or IPv6 address of the controller.

Southbound IPv4 or IPv6 address of the controller, which is used by the device to communicate with the controller.

Southbound port of the controller

Southbound port of the controller used by devices for registration.

ecdhe_rsa_aes256_gcm_sha384

Indicates the ecdhe_rsa_aes256_gcm_sha384 cipher suite. The ecdhe_rsa_aes256_gcm_sha384 cipher suite uses the ECDHE RSA algorithm to compute the key, the 256-bit AES_GCM to encrypt data, and the SHA2-384 algorithm to compute the MAC.

ecdhe_rsa_aes128_gcm_sha256

Indicates the ecdhe_rsa_aes128_gcm_sha256 cipher suite. The ecdhe_rsa_aes128_gcm_sha256 cipher suite uses the ECDHE RSA algorithm to compute the key, the 128-bit AES_GCM to encrypt data, and the SHA2-256 algorithm to compute the MAC.

rsa-with-aes-128-sha (Insecure encryption algorithm. You are advised to use a more secure encryption algorithm)

Indicates the rsa_aes_128_sha256 cipher suite. The rsa_aes_128_sha256 cipher suite uses the RSA algorithm to compute the key, the 128-bit AES_CBC to encrypt data, and the SHA2-256 algorithm to compute the MAC. This encryption suite uses an insecure encryption algorithm. You are advised to use a more secure encryption algorithm.

HMAC Settings

• SHA1 96 (Insecure algorithm, please operate with caution.)
• SHA2 256
• SHA2 256 96 (Insecure algorithm, please operate with caution.)

HMAC algorithm list of an SSH server.

After an SSH server receives a packet from an SSH client, the server matches the algorithm list of the client against its local list and uses the first matching algorithm. If no matching algorithm exists, the negotiation fails.

Key Exchange Algorithm

• Diffie Hellman Group14 SHA1 Algorithm (Insecure algorithm, please operate with caution.)
• Diffie Hellman Group1 SHA1 Algorithm (Insecure algorithm, please operate with caution.)
• Diffie Hellman Group exchange SHA1 Algorithm (Insecure algorithm, please operate with caution.)

Key exchange algorithm list of an SSH server.

After an SSH server receives a packet from an SSH client, the server matches the key exchange algorithm list of the client against its local list and uses the first matching key exchange algorithm. If no matching key exchange algorithms exist, the negotiation fails.

SSH Server Enable

• STelnet IPv6 service enable
• STelnet IPv4 server enable

Whether to enable the IPv4 or IPv6 STelnet service on the SSH server. Clients can set up STelnet connections with the SSH server only after the STelnet service is enabled on the SSH server.

Source Interface Configuration

• All IPv6 interfaces enable
• All IPv4 interfaces enable

Whether to configure all IPv4 or IPv6 interfaces as source interfaces.

Configure SSH server port

User can change the number of the port monitored by the IPv4 SSH server

Port used by the SSH server to connect to clients through the IPv4 STelnet service.

Telnet Server Configuration

Telnet Service Enable (Telnet is an insecure protocol, please operate with caution.)

Whether to enable the Telnet service. A Telnet server can be connected by clients through Telnet only when it has the Telnet service enabled.

• enable: enables the IPv4 Telnet service on the server.
• disable: After the Telnet service is disabled on the server, all clients that log in to the server through Telnet are disconnected.

Telnet IPv6 Service Enable (Telnet is an insecure protocol, please operate with caution.)

Whether to enable the Telnet service. A Telnet server can be connected by clients through Telnet only when it has the Telnet service enabled. After the Telnet service is disabled on the server, all clients that log in to the server through Telnet are disconnected.

• enable: enables the IPv6 Telnet service.
• disable: disables the IPv6 Telnet service.

Source Interface Configuration

Source Interface

Source interface for a Telnet server. Authorized users are allowed to log in to the Telnet server only through this interface.

Before setting this parameter, ensure that you have created an interface and configured an IP address for the interface.

VTY user interface

Manages and controls users who log in to the device using SSH, Telnet, or STelnet.

34–54

The first VTY user interface is VTY 0, the second VTY user interface is VTY 1, and so on. By default, VTY 0 to VTY 4 are available.

Absolute numbers 34 to 54 correspond to relative numbers VTY 0 to VTY 20, respectively, on AR devices.

VTY ID

Absolute number of a VTY user interface. Absolute numbers 34 to 54 map relative numbers VTY 0 to VTY 20, respectively. When configuring VTY 0 to VTY 4, you can only select SSH as the inbound protocol. To configure VTY 5 to VTY 20, you need to manually change the maximum number of VTY user interfaces on the device.

34–54

Authentication Mode

Authentication mode for user interface login.

aaa

ACL Inbound Identity for IPv4

ACL-based login control for a VTY user interface.

• ACL Inbound Identity for IPv4 restricts users with a specified address or within an address segment from logging in to the device.
• ACL Outbound Identity for IPv4 restricts users who have logged in to the device from logging in to other devices.

-

ACL Outbound Identity for IPv4

ACL Inbound Identity for IPv6

ACL-based login control for a VTY user interface.

• ACL Inbound Identity for IPv6 restricts users with a specified address or within an address segment from logging in to the device.
• ACL Outbound Identity for IPv6 restricts users who have logged in to the device from logging in to other devices.

-

ACL Outbound Identity for IPv6

VTY Protocol Inbound Name

Access type of local users.

The value can be set to all, ssh, or telnet.

Auth mode

• None
• Password
• AAA
• Init

Authentication mode for TTY login users:

• None: indicates that no authentication is performed.
• Password: indicates that password authentication is performed.
• AAA: indicates that AAA authentication is used.
• Init: indicates that the authentication mode is revoked.

Global LLDP enable

After LLDP is enabled globally, LLDP is enabled on all interfaces by default. An interface can send and receive LLDP frames only when LLDP is enabled globally and on the interface.

LLDP is disabled on all interfaces after LLDP is disabled globally. The operation of enabling or disabling LLDP on an interface does not take effect when LLDP is disabled globally.

Interface name

Name of a physical interface on which LLDP is to be enabled.

LLDP Enable

Whether to enable LLDP on an interface.

CDP Enable

Operating mode of an LLDP-enabled interface. After this function is enabled, an LLDP-enabled interface works in TxRx mode, that is, it can send and receive LLDP frames.

MED Enable

Whether to configure the interface to advertise MED TLVs. By default, an interface does not advertise the MED Network Policy TLV, but the MED Network Policy TLV is enabled.

Address family

Family type

Set this parameter to IPv4 or IPv6 based on the actual situation.

Auth config

Auth enable

Whether to enable the authentication function. If NTP authentication is enabled on the NTP server, the authentication function must also be enabled on NTP clients. Otherwise, clock synchronization cannot be performed.

NTP authentication keyID

Key ID used for NTP authentication.

NTP authentication mode

Authentication mode, which can be MD5 or HMAC-SHA256. The authentication mode selected here must be the same as that enabled on the NTP server. HMAC-SHA256 is recommended, because it is more secure than MD5.

NTP authentication key value

Key used for NTP authentication.

NTP client

NTP server address

IP address of the NTP server.

Type

Type of the NTP server. The value can be Peer or Server.

Vpn name

VPN instance bound to the NTP server.

Address family

Select IPv4 or IPv6 based on the server type.

Interface

Source interface used by the device to send NTP packets.

Preferred

Whether to set this NTP server as the preferred one.

Authentication ID

Key ID used for NTP authentication.

clock

local-addr

IP address of the local clock, in the format of 127.127.1.u. The value of u ranges from 0 to 3, indicating the NTP process ID. When no IP address is assigned, the local clock at 127.127.1.0 is set as the default NTP master clock.

The IP address must be a local address and cannot be a loopback address, host address, multicast address, or broadcast address.

stratum

Stratum of the NTP master clock. The value is an integer in the range from 1 to 15. The default value is 8. A smaller value indicates higher clock accuracy.

access-control

access-level

Peer

Maximum access authority. The remote end can perform time requests and control queries for the local NTP service. The local clock can also be synchronized with the clock of the remote server.

If the action in the ACL for a source IP address is set to permit:

• The local clock can be synchronized with the peer clock.
• The peer clock can be synchronized with the local clock.

Query

Minimum access authority. The remote end can perform only control queries for the local NTP service.

Server

Allowed server access and query. The remote end can perform time requests and control queries for the local NTP service. The local clock cannot be synchronized with the clock of the remote server.

If the action in the ACL for a source IP address is set to permit:

• The local clock cannot be synchronized with the peer clock.
• The peer clock can be synchronized with the local clock.

Synchronization

Allowed server access. The remote end can perform time requests for the local NTP service. The local clock cannot be synchronized with the clock of the remote server.

If the action in the ACL for a source IP address is set to permit:

• The local clock cannot be synchronized with the peer clock.
• The peer clock can be synchronized with the local clock.

Limited

Controlled incoming packet rate. A kiss code is sent when Kiss-o'-Death (KoD) is enabled.

acl4-identity

Number of an IPv4 ACL.

acl6-identity

Number of an IPv6 ACL.

Time zone

Time zone where the device is located.

Daylight Saving Time

Name

Name of the DST zone.

Type

DST type:

• OneYear: indicates that the DST takes effect within one year.
• Repeat-date and Repeat-week: indicate that the DST takes effect at a regular basis.

Start year

Year when the DST starts to take effect.

Start month

Month when the DST starts to take effect.

Start time

Time when the DST starts to take effect.

End year

End year of the DST.

End month

End month of the DST.

End time

End time of the DST.

Offset

DST offset.

SNMP Configuration

SNMP Agent Switch

Whether to enable the SNMP agent function. An SNMP agent is a process running on a managed device. It maintains data on the managed device, responds to requests from the NMS, and reports management data to the NMS. To configure SNMP on a device, the SNMP agent must be enabled.

• Open: enables the SNMP agent function.
• Close: disables the SNMP agent function.

Supported Versions

SNMP version to be used.

• v2c: enables SNMPv2c which supports access control based on community names and based on MIB views.
• v3: enables SNMPv3. In addition to access control based on community names and based on MIB views, SNMPv3 supports user groups, access control based on user groups or users, and authentication and encryption.
• v2c and v3: Features in SNMPv2c and SNMPv3 are supported.

Bind all IPv4 interface

• Open: enables the device to listen on all IPv4 interfaces.
• Close: disables the device from listening on all IPv4 interfaces.

Password minimum length

Minimum length of a user password.

Enable user password complexity check

After the password complexity check function is enabled, the configured user password must meet the complexity check requirements. If this function is disabled, the device does not check whether the password meets the complexity requirements. For security purposes, you are advised to enable password complexity check.

• Open: The password complexity check is enabled.
• Close: The password complexity check is disabled.

Enable community name complexity check

After the community name complexity check is enabled, a configured community name must meet complexity requirements. If this function is disabled, the device does not check whether the password meets the complexity requirements. If the configured community name is simple and does not meet complexity requirements, the device is vulnerable to attacks and cracking by unauthorized users, affecting device security. Therefore, you are advised to enable community name complexity check.

• Open: enables community name complexity check.
• Close: disables community name complexity check.

System contact information

Contact information about the SNMP device.

System location information

Physical location of the SNMP device.

SNMPv3 group

Group name

Name of an SNMP group.

Security level

SNMPv3 provides authentication and encryption through the USM. SNMPv3 defines the following three security levels:

• authentication,no privacy(There are safety risks, so it is not recommended to choose): indicates that packets are authenticated but not encrypted.
• noAuthNoPriv: indicates that packets are neither authenticated nor encrypted.
• Authentication and privacy: Packets are authenticated and encrypted.
  NOTE:

  For security purposes, you are advised to set the security level of an SNMP group to authentication and privacy.

Readview

MIB view on which users in the group have the read-only permission.

Writeview

MIB view on which users in the group have the read-write permission.

Notifyview

MIB view on which users in the group have the notification permission.

Basic ACL Identify

ACL corresponding to the user group.

MIB view

View name

MIB view name. If both the whitelist A and the blacklist B are configured in the MIB view, subtrees that are included in the whitelist A but not included in the blacklist B take effect in the MIB view.

WhiteList

Included MIB subtrees.

BlackList

Excluded MIB subtrees.

USM user

USM user name

Name of an SNMPv3 user.

Group name

Name of the group to which a user belongs. The value must be the name of an existing SNMPv3 group.

Authentication protocol

Authentication algorithm used by an SNMPv3 user. The options are as follows:

• NOAUTH(You are advised to use a secure authentication mode.): No authentication is performed.
• MD5(Insecure protocol. You are advised to use a secure authentication mode.): Hashed Message Authentication Code for Message Digest 5-96 (HMAC-MD5-96) is used.
• sha(Insecure protocol. You are advised to use a secure authentication mode.): HMAC-SHA-96 is used.
• sha2-224: HMAC-SHA2-224 is used.
• sha2-256: HMAC-SHA2-256 is used.
• sha2-384: HMAC-SHA2-384 is used.
• sha2-512: HMAC-SHA2-512 is used.

Authentication password

Authentication password.

Encryption protocol

Encryption algorithm used by an SNMPv3 user.

• NOPRIV(You are advised to use a secure authentication mode.): indicates that no encryption is performed.
• DES56(Insecure protocols. AES128 and higher encryption algorithms are recommended.): indicates that the Data Encryption Standard 56 (DES56) encryption algorithm is used.
• 3DES168(Insecure protocols. AES128 and higher encryption algorithms are recommended.): indicates that the Triple Data Encryption Standard 168 (3DES168) encryption algorithm is used.
• aes128: indicates that the Advanced Encryption Standard 128 (AES128) encryption algorithm is used.
• aes192: indicates that the Advanced Encryption Standard 192 (AES192) encryption algorithm is used.
• aes256: indicates that the Advanced Encryption Standard 256 (AES256) encryption algorithm is used.

Encryption password

Encryption password. When the user password complexity check is disabled, the password can contain 1 to 432 characters. When the user password complexity check is enabled or not configured, the password length must be greater than or equal to the minimum SNMP password length. The default minimum SNMP password length is 8.

Community Configuration

Alias name

Alias of a community name. It is saved in simple text in the configuration file. The alias of a community name must be unique and differs from the community name. Only one alias can be configured for a community name.

Community security name

Community name.

Access right

• read: indicates that the community with the specified name has the read-only permission in the specified MIB view.
• write: indicates that the community with the specified name has the read-write permission in the specified MIB view.

Basic ACL Identify

Number of the ACL matching the community name.

SNMP Trap Configuration

Supported versions

The SNMP version used by a device must be the same as that used by the trap host.

Trap source interface name

Type and number of the source interface on a server that sends SNMP traps.

SNMP protocol level ACL

ACL for SNMP that takes effect globally. The value is a string of 1 to 64 characters.

Enable all feature alarm switch

Enable: enables the trap function for all modules.

To configure a device to send traps for all features, the target host for receiving SNMP traps must be configured on the device at the same time, so that the device knows where to send traps.

Target host

Target host name

Name of an SNMP target host. The value is a string of 1 to 32 characters without spaces.

Address domain

Whether to use UDP to transmit trap messages.

Network address

Address of the target host that receives SNMP messages.

Notify type

Notification type. The options are as follows:

• Trap: trap messages
• Inform: inform messages

VPN Instance name

Name of a VPN instance. The value is a string of 1 to 31 case-sensitive characters without spaces. The value must be the name of an existing VPN instance.

Enable Public Net-manager

Whether to connect to the trap host on the public network.

UDP port number

Port number used by the target host to receive trap messages.

Interface name

Source interface that sends trap messages.

Security model parameters

SNMP protocol version.

Security model SNMPv3: configures SNMPv3.

Security model v2c: configures SNMPv2c. SNMPv3 is recommended, because it is more secure than SNMPv2c.

Security name

SNMPv2c security name.

Usm name

Security name for an SNMPv3 user.

Security level

Authentication and encryption mode.

no authentication,no privacy(There are safety risks, so it is not recommended to choose.): This mode applies to secure networks with fixed administrators.

authentication,no privacy(There are safety risks, so it is not recommended to choose.): Only authenticated administrators can access the device. This mode is applicable to secure networks managed by many administrators who may frequently perform operations on the same device.

authentication and privacy: In this mode, only the authenticated administrators can access the device, and transmitted data is encrypted. This mode is applicable to insecure networks managed by many administrators who may frequently perform operations on the same device.

Interface name

Interface of the target host.

Feature alarm message configuration

Feature name

Name of a feature that generates traps.

The value is a string of 1 to 32 uppercase letters.

Run the display snmp-agent trap all command using the entry query function to check the trap information. For details about how to specify parameters for query after a feature (for example, BGP) is selected, see Viewing Entries on an AR.

Alam name

Name of an alarm module.

The value must be a string of 1 to 63 characters.

Run the display snmp-agent trap all command using the entry query function to check the trap information. For details about how to specify parameters for query after a trap (for example, bgpBackwardTransNotification) is selected, see Viewing Entries on an AR.

status

Whether to enable the trap function for the module.

Global parameter

Interface name

Source interface used by the device to output information to the log host.

Log buffer size

Number of logs that can be buffered.

Log timestamp

Timestamp format of the output logs.

• Boot: indicates that the timestamp is the period of time elapsed since the system startup.
• Date: indicate that the timestamp is the current system date and time.
• Short-date: indicates that the timestamp uses the short date format.
• Format-date: indicates that the timestamp uses the YYYY-MM-DD hh:mm:ss format.

Debug timestamp

Timestamp format for debugging messages.

Server

Ip address

Address type and IP address of the log host.

VPN name

VPN instance to which the log host belongs.

Transport mode

Transmission protocol of the log host.

• udp: UDP is used.
• tcp: TCP is used.

Channel id

Channel ID of the log host.

Info center source

Module name

Module on which the filtering rule takes effect, for filtering information that does not need to be output to the log host through the specified channel.

default: indicates that the filtering rule takes effect on all modules for the specified channel.

For details about other module names, see Log Reference in the corresponding device documentation.

Channel id

ID of the channel used by the device to output logs to the log host.

Enable log level

Level of the logs to be output to the log host. You can select a level as required to output logs of this level or higher.

• emergencies: A fault that makes the device unable to run normally unless it is restarted.
• alert: A major fault that needs to be rectified immediately.
• critical: A fault that needs to be analyzed and processed.
• error: An improper operation that is performed or exceptions that occur during service processing. The fault does not affect services but needs to be analyzed.
• warning: An anomaly that occurs when the device is operating and requires attention because it may cause service processing faults.
• notification: A key operation that is performed to ensure normal operation of the device.
• informational: A common operation that is performed to ensure normal operation of the device.
• debugging: General information generated when the device is running properly, which is mainly the internal running status of the device.

Local user

User name

Username of a local user account. After the security policy function is enabled for a local user account, the username must meet the following requirement:

Username of a local user.

Password type

• irreversible-cipher: uses an irreversible secure encryption algorithm to encrypt the user password. When this parameter is set, unauthorized users cannot decrypt the passwords of authorized users, ensuring user security.

Password

Password of a local user.

Login timeout period(s)

Idle timeout period of a local user account, that is, time period after which a local user account is logged out of the UI. If the local user account has been idle for longer than the specified idle period, the user automatically goes offline.

Login level

User level of a local user account. A larger value indicates a higher user level. After logging in to the device, a user can run only the commands of the same level or lower levels.

• Level 0 (visit level): Users at this level can run diagnosis commands such as ping and tracert commands and commands that are used to access a remote device (such as using STelnet). They have no permission to save configuration files.
• Level 1 (monitoring level): Users at this level can run commands for system maintenance, including display commands. They have no permission to save configuration files.
• Level 2 (configuration level): Users at this level can run commands used for service configuration, including routing commands and commands at each network layer to provide network services for users.
• Level 3 (management level): Users at this level can run commands used for basic system operations to support services, including commands concerned with file systems, FTP, Trivial File Transfer Protocol (TFTP), configuration file switching, slave board control, user management, and command level configuration. In addition, users at this level can also run commands for service fault diagnosis, such as debugging commands.

HTTP service(Insecure protocol. You are advised to use a more secure service type.)

After you specify the access type of a user, the user can successfully log in only when the user uses the configured access type for login. To allow the local user account to log in to devices through HTTP, enable the HTTP service.

SSH service

After you specify the access type of a user, the user can successfully log in only when the user uses the configured access type for login. To allow the local user account to log in to devices through SSH, enable the SSH service.

Telnet service(Insecure protocol. You are advised to use a more secure service type.)

After you specify the access type of a user, the user can successfully log in only when the user uses the configured access type for login. To allow the local user account to log in to devices through Telnet, enable the Telnet service.

Terminal service

After you specify the access type of a user, the user can successfully log in only when the user uses the configured access type for login. To allow the local user account to log in to devices through terminals, enable this service.

Password policy

Password expire days(d)

Password validity period.

If the value is 0, the password is permanently valid.

Password history record number

Maximum number of historical passwords that can be recorded for each user. For example, if the value is 5, the new password cannot be the same as the previous five passwords (including the current one).

S8700 series

S8700-10/S8700-4/S8700-6

Only the LSG7M24VX1E1, LSG7X48PX1E0, LSG7M48VX1E1, LSG7G48VX1E0 and LSG7M48VX1E0 support this function.

Global

Position

Slot ID of the device.

Port

Power enable

Whether to enable PoE on a port.

Power off time range

Port power-off time range.

Legacy enable

Whether to enable the power sourcing equipment (PSE) to check the compatibility of power devices (PDs). If the device is enabled to check the compatibility of PDs, the ports can provide power to non-standard PDs, allowing high inrush current during power-on.

Power on delay

Power supply delay on a port.

Interface name

Device port selected for PoE management.

Global

Name

Name of a time range.

Absolute range

Start time

Start time of a time range.

End time

End time of a time range.

Period range

Day of week

Day on which a configured time range is valid.

Start time

Start time of the time range.

End time

End time of the time range.

Option

Whether an offset is added or subtracted.

• add: indicates adding an offset. The default value is add.
• mius: indicates subtracting an offset.

Timezone offset

Offset between the specified time zone value and UTC time value.

Physical interface

Management interface

Interface used for configuration and management, but not for service transmission.

Service interface

Interface used for service transmission.

Layer 2 Ethernet interface: an interface working at the data link layer and processes Layer 2 protocol packets, implementing rapid Layer 2 forwarding.

Layer 3 Ethernet interface: an interface working at the network layer. It processes Layer 3 protocol packets and implements the routing function. It can be configured with an IPv4 or IPv6 address.

Logical interface

Logical interfaces are manually configured and do not physically exist. They are responsible for transmitting service data.

Logical interfaces include VLANIF interfaces, Eth-Trunk interfaces, Ethernet sub-interfaces, and Eth-Trunk sub-interfaces.

AR5710-H8T2TS1, AR5710-H8T2TS1-T

0-7

AR6710-L50T2X4, AR6710-L26T2X4, AR6710-L8T3TS1X2, AR6710-L50T2X4-T, AR6710-L26T2X4-T, AR6710-L8T3TS1X2-T

0-15

AR8140-12G10XG, AR8140-T-12G10XG, AR8700-8

0-63

NetEngine 8000 M6, NetEngine 8000 M8, NetEngine 8000 M14, NE40E-X8A, NE40E-X3A, NetEngine 8000E M8, NetEngine 8000E M14, NetEngine 8000 M1A, NetEngine 8000 M1C, NetEngine A821 E

NetEngine A813, NetEngine A813 E, NetEngine A822 E, NetEngine A831 E, NetEngine 8000 M1D-B, NetEngine 8000 F1A-8H20Q, NetEngine 8000 M4, NetEngine 8000 M8K, NetEngine 8000 M14K, NetEngine 8000E M14-Z, NetEngine 8000 F8, NetEngine 8000E F8, NetEngine 8000E F8-Z

0-65535

S16700-4, S16700-8, S8700-6, S8700-10, S6730-H-V2, S5732-H-V2

0-127

Global

Interface name

Name of an interface, which is automatically generated based on Physical type and Interface number.

Interface category

Type of an interface. The value can be Main interface or Sub-interface.

Main interface name

Name of a main interface. When Interface category is set to Sub-interface, you need to configure a main interface.

Physical type

Type of an interface. It can be a physical or logical interface.

Interface number

Number of an interface, which must be consistent with that on the device.

Interface type

Working mode of an interface. The value can be L3 or L2.

VPN instance

VPN instance to which the interface belongs. If the interface belonging to a VPN instance is not bound to the VPN instance, the interface functions as a public network interface and cannot forward VPN data.

Admin status

Interface administrative status. It can be up or down.

Description

Description of an interface.

Bandwidth

Bandwidth Type

Bandwidth unit, kbit/s or Mbit/s.

Bandwidth

Interface bandwidth.

Interface physical attributes

Negotiation mode

• Auto-negotiation: The Ethernet interface works in auto-negotiation mode.
• Non-auto-negotiation: The Ethernet interface works in non-auto-negotiation mode.

Combo mode

Whether an interface works as an optical or electrical interface. Only combo interfaces support both optical and electrical interface modes. You can select either of the two modes for combo interfaces based on networking requirements. For interfaces of other types, set this parameter based on the working mode supported by the interfaces.

Duplex

Duplex mode of the interface. Interfaces on both ends of a link must have the same duplex mode. For optical interfaces, the duplex mode is fixed at the full duplex mode. For electrical interfaces, you can select the full-duplex or half-duplex mode according to the actual situation.

Speed

Interface rate. If the negotiation mode is set to non-auto-negotiation, you need to manually set the interface rate. Interfaces on both ends of a link must have the same rate.

Eth-Trunk members

Interface name

Eth-Trunk member interface.

Global

Start port name

Start port of a port group.

End port name

End port of a port group.

Activated license

License type

Type of the activated license. The value can be:

• 10G
• 25G
• 50G
• 100G
• 200G
• 400G
• 2.5G
• 5G

Card attribute

Card position

Subcard number.

Slot granularity

Sub-timeslot granularity of a subcard. The default value is 5 Gbit/s.

The sub-timeslot granularity of a FlexE client restricts the FlexE client's bandwidth configuration. If the bandwidth lower than 5 Gbit/s needs to be configured for a FlexE client, configure a sub-timeslot granularity for the subcard as required. The configuration rules are as follows:

• If the default sub-timeslot granularity (5 Gbit/s) is used, the bandwidth value of a FlexE client can be set to an integer multiple of 5 Gbit/s, such as 5 Gbit/s, 10 Gbit/s, or 15 Gbit/s.
• If the sub-timeslot granularity is set to 1 Gbit/s, the bandwidth value of a FlexE client can be set to 1 Gbit/s, 2 Gbit/s, 3 Gbit/s, 4 Gbit/s, or an integer multiple of 5 Gbit/s.
• If the sub-timeslot granularity is 1.25 Gbit/s, the bandwidth value of a FlexE client can be set to 1.25 Gbit/s, 2.5 Gbit/s, 3.75 Gbit/s, or integer multiple of 5 Gbit/s.
  NOTE:

  When the sub-timeslot granularity is 1.25 Gbit/s, only NE40Es are supported.

Enable port

Enable port

Port position

Interface number.

Enable

Whether to configure the physical interface to work in FlexE mode.

Attribute

Phy-Number

Number of the FlexE physical interface in a FlexE group. This parameter is used to identify packets. This parameter value for FlexE clients on interconnected devices must be the same.

FlexE group

FlexE group

Index

Index of a FlexE group.

Number

Number of the FlexE group. To ensure normal communication between the interconnected devices, configure the same number for FlexE groups on the two devices.

Interface

Port position

Interface number. The specified FlexE physical interface is added to the created FlexE group.

FlexE client

FlexE client

Index

Index of a FlexE client.

Group Index

FlexE group to which the client is to be bound.

FlexE port ID

ID of a FlexE interface.

You are advised to set a number beyond the range of 1000 to 3000 (this range is reserved for network slicing services). The port ID range varies according to the board model. For details about the port ID range supported by boards of different models, see section Configuration > Interface and Data Link > Interface Management Configuration > FlexE Interface Configuration > Creating a FlexE Client and Configuring an ID and Bandwidth for It in the NE product documentation.

Client ID

Service ID of the FlexE client in the FlexE group. This parameter is used to identify packets. This parameter value for FlexE clients on interconnected devices must be the same.

binding-type

If bandwidth is selected, the bandwidth of a FlexE client can be configured as needed.

Bandwidth

Bandwidth

Bandwidth for the FlexE client, in Gbit/s.

Configuration rules are as follows:

• If the default sub-timeslot granularity (5 Gbit/s) is used, the bandwidth value of a FlexE client can be set to an integer multiple of 5 Gbit/s, such as 5 Gbit/s, 10 Gbit/s, or 15 Gbit/s.
• If the sub-timeslot granularity is set to 1 Gbit/s, the bandwidth value of a FlexE client can be set to 1 Gbit/s, 2 Gbit/s, 3 Gbit/s, 4 Gbit/s, or an integer multiple of 5 Gbit/s.
• If the sub-timeslot granularity is 1.25 Gbit/s, the bandwidth value of a FlexE client can be set to 1.25 Gbit/s, 2.5 Gbit/s, 3.75 Gbit/s, or integer multiple of 5 Gbit/s.
  NOTE:

  When the sub-timeslot granularity is 1.25 Gbit/s, only NE40Es are supported.

The bandwidth specified by this parameter must be less than the remaining bandwidth of the FlexE group to which the FlexE client is bound. Remaining bandwidth = FlexE interface bandwidth – Bandwidth sum of all FlexE clients.

Interface name

Layer 2 port.

Port isolate enable

Whether to enable the port isolation group function and add a port to the port isolation group. The port isolation group ID is 1 by default.

Global

L3 sub interface name

Name of a sub-interface.

Flow type

Flow attributes of the Layer 3 sub-interface. The value can only be Dot1q termination.

Dot1q vlans

VLAN range

List of inner VLANs for dot1q termination sub-interfaces.