[O&M] How to configure Huawei s5700?

sazzad
sazzad  Silver  (1)
5 years 7 months ago  View: 4999  Reply: 5
1F

Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment (e.g. routers), computer equipment and even devices like UPSs. Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6.


SNMP is an application-layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of an SNMP manager, an SNMP agent, and a management information base (MIB). The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and MIB reside on the switch. To configure SNMP on the switch, you define the relationship between the manager and the agent.


1. It is suggested to disable the SNMP function (SNMP is disabled by default on Huawei devices). Alternatively, do not define local users; use RADIUS or HWTACACS.

Query the status of SNMP and check that the SNMP agent is not enabled:


[HUAWEI]display snmp-agent sys-info

2. When SNMP is enabled on Huawei devices, the default version used is V3. It is not suggested to use V1 and V2.

- Query the status of SNMP:

[HUAWEI]display snmp-agent sys-info

- If the query result is displayed as:

SNMP version running in the system: 

SNMPv1 SNMPv2c SNMPv3

- Disable SNMP V1/V2:

[HUAWEI]undo snmp-agent sys-info version v1 v2c

3. If the SNMP V1/V2 protocol is used, SNMP V1/V2 needs to be blocked by using access controls or firewalls.

The configuration example:

[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
[HUAWEI-acl-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
[HUAWEI-acl-basic-2001] quit
[HUAWEI] snmp-agent community read cipher security-read mib-view userinfo acl 2001
[HUAWEI] snmp-agent community write cipher security-write mib-view userinfo acl 2001

4. If the SNMP V1/V2 protocol is used, it is suggested to disable the SNMP V1/V2 MIB entries for querying user accounts.
The configuration example:
[HUAWEI] snmp-agent mib-view included userinfo internet
[HUAWEI] snmp-agent mib-view excluded userinfo snmpUsmMIB
[HUAWEI] snmp-agent mib-view excluded userinfo snmpVacmMIB
[HUAWEI] snmp-agent mib-view excluded userinfo hwLocalUserTable
[HUAWEI] snmp-agent mib-view excluded userinfo hwCfgOperateTable
[HUAWEI] snmp-agent mib-view excluded userinfo hwCollectTable
[HUAWEI] snmp-agent community read cipher security-read mib-view userinfo
[HUAWEI] snmp-agent community write cipher security-write mib-view userinfo

Note: Before performing step 4, confirm with the NMS (Network Management Station) provider that disabling MIB nodes does not affect the NMS services. If disabling a MIB node affects the NMS services, do not run the snmp-agent mib-view excluded userinfo xxx command for this node.

Temporary fixes 3 and 4 apply to the following versions:

1) S2300&S3300&S2700&S3700 V100R005, V100R006C00
2) S5300&S5700 V100R005, V100R006
3) S6300&S6700 V100R006
4) S7700 V100R003, V100R006
5) S9300 V100R003, V100R006




Now I will show you how to enable SNMP on the Huawei switch S5700-28C-EI.


1. Configure the IP address of VLAN 1

<S5700> system-view
[S5700] interface vlanif 1
[S5700-vlanif1] ip address 192.168.0.11 255.255.255.0
[S5700-vlanif1] quit

display current-configuration 


SNMP by itself is simply a protocol for collecting and organizing information. Most toolsets implementing SNMP offer some form of discovery mechanism, a standardized collection of data common to most platforms and devices, to get a new user or implementor started. One of these features is often a form of automatic discovery, where new devices discovered in the network are polled automatically. For SNMPv1 and SNMPv2c, this presents a security risk, in that your SNMP read communities will be broadcast in cleartext to the target device. While security requirements and risk profiles vary from organization to organization, care should be taken when using a feature like this, with special regard to common environments such as mixed-tenant datacenters, server hosting and colocation facilities, and similar environments.
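
As an added example (not part of the original post and not Huawei tooling), the checks from steps 2 to 4 can be run over a saved configuration with a short Python script. It assumes the saved lines look like the commands as typed in the post; the sample config and the EXAMPLE-RO / EXAMPLE-RW community names are constructed.

```python
import re

# Subtrees that step 4 of the post excludes from the view bound to v1/v2c communities.
SENSITIVE = {"snmpUsmMIB", "snmpVacmMIB", "hwLocalUserTable",
             "hwCfgOperateTable", "hwCollectTable"}
# Constructed sample config (assumed to mirror the commands as typed in the post).
SAMPLE = """\
snmp-agent sys-info version v2c v3
snmp-agent mib-view included userinfo internet
snmp-agent mib-view excluded userinfo snmpUsmMIB
snmp-agent mib-view excluded userinfo snmpVacmMIB
snmp-agent mib-view excluded userinfo hwLocalUserTable
snmp-agent community read cipher EXAMPLE-RO mib-view userinfo acl 2001
snmp-agent community write cipher EXAMPLE-RW
"""

def _opt(opts, key):
    """Value following keyword `key` in a token list, or None if absent."""
    return opts[opts.index(key) + 1] if key in opts[:-1] else None

def audit_snmp(config):
    """Check a config dump against steps 2-4; returns a list of finding strings."""
    findings, excluded, communities, legacy = [], {}, [], set()
    for raw in config.splitlines():
        # Strip a pasted CLI prompt such as "[HUAWEI]"; "undo ..." lines are skipped below.
        tok = re.sub(r"^\s*[\[<][^\]>]*[\]>]\s*", "", raw).split()
        if tok[:1] != ["snmp-agent"]:
            continue
        if tok[1:3] == ["sys-info", "version"]:
            legacy |= set(tok[3:]) & {"v1", "v2c", "all"}
        elif tok[1:2] == ["mib-view"] and len(tok) >= 5 and tok[2] == "excluded":
            excluded.setdefault(tok[3], set()).add(tok[4])
        elif tok[1:2] == ["community"] and len(tok) >= 4:
            opts = tok[5:] if tok[3] == "cipher" else tok[4:]
            # Record only the access type, never the community string itself.
            communities.append((tok[2], _opt(opts, "mib-view"), _opt(opts, "acl")))
    if not legacy:
        return findings  # v3 only: the community checks of steps 3-4 do not apply
    findings.append("step 2: legacy versions enabled: " + " ".join(sorted(legacy)))
    for access, view, acl in communities:
        if acl is None:
            findings.append(f"step 3: {access} community has no ACL")
        if view is None:
            findings.append(f"step 4: {access} community has no mib-view")
        elif missing := sorted(SENSITIVE - excluded.get(view, set())):
            findings.append(f"step 4: {access} community view {view} still exposes {', '.join(missing)}")
    return findings
```

Calling `audit_snmp(SAMPLE)` returns four findings: v2c is enabled, the read community's view still exposes two of the subtrees from step 4, and the write community has neither an ACL nor a mib-view.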



user_2789677
user_2789677  Medium 
5 years 7 months ago
2F
It's a nicely documented article!
user_2789677
user_2789677  Medium 
5 years 7 months ago
3F
Does the S5700 have a fixed VLAN management architecture?
sazzad
sazzad  Silver 
5 years 7 months ago
4F
Posted by user_2789677 at 2016-08-27 13:49: Does the S5700 have a fixed VLAN management architecture?
Yes. The S5700 is an L3, high-end, very good switch.
It has VLAN management capabilities as well.
sazzad
sazzad  Silver 
5 years 7 months ago
5F
That day is not so far away, when Huawei NEs will be in each and every place instead of expensive Cisco devices.
Tamanna
Tamanna  Junior 
5 years 7 months ago
6F
Would you like to share the updated firmware versions of the S5700?