2013年12月19日星期四

How to Configure Basic SNMPv3 Functions on Huawei S5700


Note:
The security levels from the highest to the lowest must be trap host security, user security, and user group security.

The security level description is as follows:
Level 1: privacy (authentication and encryption)
Level 2: authentication (only authentication)
Level 3: none (no authentication and no encryption)

If the security level of a user group is level 1, the security levels of user and trap host must be level 1. If the security level of a user group is level 2, the security levels of user and trap host can be level 1 or level 2.

Configure Basic SNMPv3 Functions on Huawei S5700.
Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 (Optional) Run:
snmp-agent
The SNMP agent function is enabled.
By default, the SNMP agent function is disabled. By executing the snmp-agent command with any parameter enables the SNMP agent function.

Step 3 (Optional) Run:
snmp-agent udp-port port-num
The listening port number of the SNMP agent is changed.
The default listening port number of the SNMP agent is 161.
To enhance device security, run the snmp-agent udp-port command to change the listening port number of the SNMP agent.

Step 4 (Optional) Run:
snmp-agent sys-info version v3
The SNMP version is configured.
SNMPv3 is enabled by default; therefore, this step is optional.

Step 5 (Optional) Run:
snmp-agent local-engineid engineid
An engine ID is set for the local SNMP entity.
By default, the device automatically generates an engine ID using the internal algorithm. The engine ID is composed of enterprise ID+device information.
If the local engine ID is set or changed, the existing SNMPv3 user will be deleted.

Step 6 Run:
snmp-agent group v3 group-name [ authentication | privacy ]
An SNMPv3 user group is configured.
If the network or network devices are in an insecure environment (for example, the network is vulnerable to attacks), authentication or privacy can be configured in the command to enable data authentication or privacy. By default, the created SNMP group is neither authenticated nor encrypted.

Step 7 Run:
snmp-agent usm-user v3 user-name [ group group-name | acl acl-name ] *
A user is added to the SNMPv3 user group.

Step 8 Run:
snmp-agent usm-user v3 user-name authentication-mode { md5 | sha } [ cipher password ]
The authentication password of the SNMPv3 user is added.

Step 9 Run:
snmp-agent usm-user v3 user-name privacy-mode { des56 | aes128 | aes192 | aes256 | 3des } [ cipher password ]
The password of the SNMPv3 user is added.
AES128 and AES256 algorithm are recommended to improve data transmission security.
After a user is added to the user group, the NMS that uses the name of the user can access the objects in the ViewDefault view (OID: 1.3.6.1). If the local engine ID is set or changed, the existing SNMPv3 user will be deleted.
If authentication and privacy have been enabled for the user group, the following authentication and privacy modes can be configured for the data transmitted on the network.

Step 10 Configure the destination IP address for receiving traps and error codes.On an IPv4 network, run:
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | [ public-net | vpn-instance
Issue 01 (2013-11-05) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
30 vpn-instance-name ] ] * params securityname security-name [ v3 [ authentication | privacy ] | private-netmanager | notify-filter-profile profile-name | ext-vb ] * On an IPv6 network, run:
snmp-agent target-host trap ipv6 address udp-domain ipv6-address [ udp-port port-number ] params securityname security-name [ v3 [ authentication | privacy ] | private-netmanager | notify-filter-profile profile-name | ext-vb ] *
Note the following when running the command:
The default destination UDP port number is 162. To ensure secure communication between the NMS and managed devices, run the udp-port command to change the UDP port number to a non-well-known port number. The parameter security-name identifies devices that send traps on the NMS. If the NMS and managed device are both Huawei products, the parameter private-netmanager can be configured to add more information to trap messages, such as the alarm type, alarm serial number, and alarm sending time. The information will help you locate and solve problems more quickly.
The value of security-name must be the same as the created user name. Otherwise, the NMS cannot access the managed device.

Step 11 (Optional) Run:
snmp-agent sys-info { contact contact | location location }
The equipment administrators contact information or location is configured.
By default, the vendor's contact information is "R&D Beijing, Huawei Technologies co.,Ltd.". The default location is "Beijing China".
This step is required for the NMS administrator to view contact information and locations of the equipment administrator when the NMS manages many devices. This helps the NMS administrator to contact the equipment administrators for fault location and rectification.

Step 12 (Optional) Run:
snmp-agent packet max-size byte-count
The maximum size of SNMP messages that the device can receive and send is set.
By default, the maximum size of SNMP messages is 12000 bytes.
When the size of an SNMP message is larger than the configured value, the device discards the SNMP message. To ensure that NMS can process SNMP packets properly, set the parameter byte-count based on the maximum size of an SNMP packet that the NMS can process.
----End



没有评论:

发表评论