Note:
The security levels, from the highest to the lowest, must be trap host security, then user security, then user group security: a user must be at least as strong as its group, and a trap host must be at least as strong as the user whose name it uses.
The security levels are defined as follows:
Level 1: privacy (authentication and encryption)
Level 2: authentication (authentication only)
Level 3: none (no authentication and no encryption)
If the security level of a user group is level 1, the security levels of the user and the trap host must also be level 1. If the security level of a user group is level 2, the security levels of the user and the trap host can be level 1 or level 2. A level 3 group therefore accepts users and trap hosts of any level, but also accepts unauthenticated, unencrypted requests.
Configure Basic SNMPv3 Functions on Huawei S5700.
Procedure
Step 1 Run:
system-view
The system view is
displayed.
Step 2 (Optional) Run:
snmp-agent
The SNMP agent function is enabled.
By default, the SNMP agent function is disabled. Running the snmp-agent command with any parameter also enables the SNMP agent function, which is why this step is optional.
Step 3 (Optional) Run:
snmp-agent udp-port port-num
The listening port number of the SNMP agent is changed.
The default listening port number of the SNMP agent is 161.
To reduce the device's exposure to untargeted scans, run the snmp-agent udp-port command to move the agent off the default port. A non-default port only hides the agent from casual discovery; it is not a substitute for the authentication and privacy settings in Steps 6 to 9 or for an ACL on the user (Step 7).
Step 4 (Optional) Run:
snmp-agent
sys-info version v3
The SNMP version
is configured.
SNMPv3 is enabled
by default; therefore, this step is optional.
Step 5 (Optional) Run:
snmp-agent
local-engineid engineid
An engine ID is set for the local SNMP entity.
By default, the device automatically generates an engine ID using its internal algorithm; the engine ID is composed of the enterprise ID plus device information.
If the local engine ID is set or changed, existing SNMPv3 users are deleted, because SNMPv3 localizes each user's authentication and privacy keys to the engine ID. Set the engine ID before creating users (Steps 7 to 9).
Step 6 Run:
snmp-agent group
v3 group-name [ authentication | privacy ]
An SNMPv3 user group is configured.
If the network or network devices are in an insecure environment (for example, a network exposed to attacks), specify authentication or privacy in the command so that the group requires message authentication, or authentication plus encryption. By default, a newly created SNMP group requires neither authentication nor encryption, so requests from its users are accepted in the clear from anyone who knows a user name.
Step 7 Run:
snmp-agent
usm-user v3 user-name [ group group-name | acl acl-name ] *
A user is added to
the SNMPv3 user group.
Step 8 Run:
snmp-agent usm-user v3 user-name authentication-mode { md5 | sha } [ cipher password ]
The authentication password of the SNMPv3 user is set. Prefer sha over md5.
Step 9 Run:
snmp-agent usm-user v3 user-name privacy-mode { des56 | aes128 | aes192 | aes256 | 3des } [ cipher password ]
The privacy (encryption) password of the SNMPv3 user is set.
AES128 or AES256 is recommended to improve data transmission security; des56 offers only a 56-bit key and should not be used.
Steps 8 and 9 apply only if authentication or privacy was enabled for the user group in Step 6: an authentication group requires at least an authentication mode for each of its users, and a privacy group requires both an authentication mode and a privacy mode.
After a user is added to the user group, the NMS that uses the user name can access the objects in the ViewDefault view (OID: 1.3.6.1). If the local engine ID is set or changed, existing SNMPv3 users are deleted.
Step 10 Configure the destination IP address for receiving traps and error codes.
On an IPv4 network, run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | [ public-net | vpn-instance vpn-instance-name ] ] * params securityname security-name [ v3 [ authentication | privacy ] | private-netmanager | notify-filter-profile profile-name | ext-vb ] *
On an IPv6 network, run:
snmp-agent target-host trap ipv6 address udp-domain ipv6-address [ udp-port port-number ] params securityname security-name [ v3 [ authentication | privacy ] | private-netmanager | notify-filter-profile profile-name | ext-vb ] *
(Source: Huawei S5700 configuration guide, Issue 01 (2013-11-05), Huawei Proprietary and Confidential, Copyright © Huawei Technologies Co., Ltd.)
Note the following when running the command:
The default destination UDP port number is 162. Changing it with the udp-port parameter to a non-well-known port makes the trap stream less obvious to a passive observer, but it does not protect the traps themselves; for that, send them with v3 privacy. The parameter security-name identifies, on the NMS, the device that sends the traps. If the NMS and the managed device are both Huawei products, the parameter private-netmanager can be configured to add more information to trap messages, such as the alarm type, alarm serial number, and alarm sending time, which helps you locate and solve problems more quickly.
The value of security-name must be the same as the created user name, and the level given after v3 must not be lower than that user's level (see the Note above). Otherwise, the NMS cannot access the managed device.
Step 11 (Optional) Run:
snmp-agent sys-info { contact contact | location location }
The equipment administrator's contact information or location is configured.
By default, the vendor's contact information is "R&D Beijing, Huawei Technologies co.,Ltd." and the default location is "Beijing China".
This step is useful when the NMS manages many devices: the NMS administrator can read the contact information and location of each equipment administrator and reach them for fault location and rectification. Both values are readable by any NMS that can query the system group, so keep them to what a remote operator needs.
Step 12 (Optional) Run:
snmp-agent packet
max-size byte-count
The maximum size
of SNMP messages that the device can receive and send is set.
By default, the
maximum size of SNMP messages is 12000 bytes.
When the size of
an SNMP message is larger than the configured value, the device discards the
SNMP message. To ensure that NMS can process SNMP packets properly, set the
parameter byte-count based on the maximum size of an SNMP packet that the NMS
can process.
----End
When I did this configuration I used the switch S3700-28TP-PWR-EI; it worked great.
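The Note's level rule and Steps 1 to 12 above, as one worked example. This is an added shell script, not from the Huawei guide or the blog post: it checks that a chosen group, user and trap host combination obeys the rule (trap host >= user >= group), prints the VRP commands from the procedure for that combination, and builds the net-snmp snmpwalk command an operator would run from the NMS host to verify the user. The group name nmsgrp, the user nms01, the passwords and the 192.0.2.x addresses are made-up values.

```shell
#!/bin/sh
# Added example, not from the Huawei guide or the blog post: check the
# security-level rule from the Note and render the switch commands from
# Steps 1-12 for a chosen set of levels. Names, passwords and addresses
# are made up. snmpwalk_cmd builds the NMS-side check (net-snmp on a
# Linux host); it is not a switch command.

# Rank a level name so the rule can be checked numerically:
# none=0 < authentication=1 < privacy=2 (the Note's levels 3, 2 and 1).
level_rank() {
  case "$1" in
    none)           echo 0 ;;
    authentication) echo 1 ;;
    privacy)        echo 2 ;;
    *) echo "unknown security level: $1" >&2; return 1 ;;
  esac
}

# check_levels GROUP_LEVEL USER_LEVEL TRAP_LEVEL
# Succeeds only when group <= user <= trap host, as the Note requires.
check_levels() {
  g=$(level_rank "$1") || return 1
  u=$(level_rank "$2") || return 1
  t=$(level_rank "$3") || return 1
  [ "$g" -le "$u" ] && [ "$u" -le "$t" ]
}

# render_config GROUP GROUP_LEVEL USER USER_LEVEL TRAP_LEVEL NMS_IP AUTH_PW PRIV_PW
# Prints the switch commands in Step order; refuses combinations that
# violate the level rule instead of emitting a configuration the switch
# would accept but the NMS could never use.
render_config() {
  grp=$1; glvl=$2; usr=$3; ulvl=$4; tlvl=$5; nms=$6; apw=$7; ppw=$8
  if ! check_levels "$glvl" "$ulvl" "$tlvl"; then
    echo "rejected: group=$glvl user=$ulvl trap-host=$tlvl violates the level rule" >&2
    return 1
  fi
  ur=$(level_rank "$ulvl")
  echo "system-view"                                       # Step 1
  echo "snmp-agent"                                        # Step 2
  echo "snmp-agent sys-info version v3"                    # Step 4: v3 only
  if [ "$glvl" = none ]; then                              # Step 6
    echo "snmp-agent group v3 $grp"
  else
    echo "snmp-agent group v3 $grp $glvl"
  fi
  echo "snmp-agent usm-user v3 $usr group $grp"            # Step 7
  if [ "$ur" -ge 1 ]; then                                 # Step 8: sha, not md5
    echo "snmp-agent usm-user v3 $usr authentication-mode sha cipher $apw"
  fi
  if [ "$ur" -ge 2 ]; then                                 # Step 9: aes128, not des56
    echo "snmp-agent usm-user v3 $usr privacy-mode aes128 cipher $ppw"
  fi
  if [ "$tlvl" = none ]; then                              # Step 10
    echo "snmp-agent target-host trap address udp-domain $nms params securityname $usr v3"
  else
    echo "snmp-agent target-host trap address udp-domain $nms params securityname $usr v3 $tlvl"
  fi
}

# snmpwalk_cmd USER_LEVEL USER AUTH_PW PRIV_PW DEVICE_IP
# The net-snmp command to verify the user from the NMS host. -l must match
# the user's level; -a SHA and -x AES (AES-128) match the choices above.
snmpwalk_cmd() {
  oid=1.3.6.1.2.1.1   # system group, inside ViewDefault (1.3.6.1)
  case "$1" in
    none)           echo "snmpwalk -v3 -l noAuthNoPriv -u $2 $5 $oid" ;;
    authentication) echo "snmpwalk -v3 -l authNoPriv -u $2 -a SHA -A $3 $5 $oid" ;;
    privacy)        echo "snmpwalk -v3 -l authPriv -u $2 -a SHA -A $3 -x AES -X $4 $5 $oid" ;;
    *) return 1 ;;
  esac
}

# Worked case: a level 1 (privacy) group, which forces a privacy user and a
# privacy trap host. NMS at 192.0.2.10, switch at 192.0.2.1 (made up).
render_config nmsgrp privacy nms01 privacy privacy 192.0.2.10 Auth-Pass-2013 Priv-Pass-2013
echo "# verify from the NMS:"
snmpwalk_cmd privacy nms01 Auth-Pass-2013 Priv-Pass-2013 192.0.2.1
# A privacy group with an authentication-only user is rejected (message on stderr).
render_config nmsgrp privacy nms02 authentication privacy 192.0.2.10 Auth-Pass-2013 Priv-Pass-2013 || true
```

The script prints the passwords in the clear because it only renders the commands; on the switch, the cipher keyword stores them encrypted in the configuration. net-snmp's -x AES is AES-128, which is why the rendered Step 9 uses aes128: if you choose aes256 on the switch, both ends must agree on the same 256-bit key-extension variant, which the SNMPv3 RFCs do not define. Add the acl option from Step 7 to the usm-user line in a real deployment so that only the NMS address can use the user.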