ACL ipv6 SNMP Ne20

Created: Oct 19, 2019 11:56:36Latest reply: Oct 21, 2019 01:33:36 136 3 0 0
  Rewarded Hi-coins: 0 (problem resolved)

Hi,


I have a Ne20 router with SNMPv2c enabled and v3 disabled. However, it is responding SNMPv2c to IPv6 address. How to configure IPv6 ACL for SNMPv2c?


cerqueira:snmpwalk -v2c -c XXXXXXX udp6:[2804:xxx:F000:4009::1]

SNMPv2-MIB::sysDescr.0 = STRING: Huawei Versatile Routing Platform Software

VRP (R) software, Version 8.150 (NE20E V800R009C10SPC200)

Copyright (C) 2012-2017 Huawei Technologies Co., Ltd.

HUAWEINE20E-S2F


SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2011.2.88.8

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (92537102) 10 days, 17:02:51.02

SNMPv2-MIB::sysName.0 = STRING: HUAWEI-PTT-TOLEDO

SNMPv2-MIB::sysLocation.0 = STRING: Beijing China

SNMPv2-MIB::sysServices.0 = INTEGER: 78

SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00


  • x
  • convention:

Featured Answers
chenhui
Admin Created Oct 21, 2019 01:33:36 Helpful(0) Helpful(0)

@user_3324639 hello,
it's similar to configure the ipv6 acl compared with aconfiguring the ipv4 acl, only a extra parameter ipv6 is required.
for example, to create a ipv6 acl 3001,
acl ipv6 3001
rule 5 permit ipv6 source 2001::1/64

for more commands and details, please visit https://support.huawei.com/hedex/hdx.do?docid=EDOC1100075578&id=acl6_configuration_commands&text=ACL6%252520Configuration%252520Commands&lang=en
  • x
  • convention:

All Answers
ster
ster Created Oct 19, 2019 12:47:36 Helpful(0) Helpful(0)

  • x
  • convention:

wissal
wissal MVE Created Oct 19, 2019 13:32:36 Helpful(0) Helpful(0)

Hello,


Please find below how to configure IPv6 ACL for SNMPv2c

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run snmp-agent password min-length min-length

    The minimum SNMP password length is configured.

    After this command is run, the length of a configured SNMP password must be longer than or equal to the minimum SNMP password length.

  3. Configure SNMP proxy, as shown in Table 1. The configuration tasks listed in Table 1 do not need to be performed in sequence.

    Table 1 SNMP proxy configuration tasks

    Configuration Task

    Command

    Description

    Configure proxy rules for SNMP packets.

    • For GetRequest protocol data units (PDUs), SetRequest PDUs, and traps: snmp-agent proxy rule rule-name { read | trap | write } remote-engineid remote-engineid target-host target-host-name params-in securityname { security-name { v1 | v2c | v3 [ authentication | privacy ] } | cipher cipher-text v1 | v2c } }
    • For informs: snmp-agent proxy rule rule-name inform remote-engineid remote-engineid target-host target-host-name params-in securityname { security-name { v2c | v3 [ authentication | privacy ] } | cipher cipher-text v2c }

    To enable an NMS to effectively manage a managed device, perform this operation to configure attributes of the target hosts for receiving SNMP proxy packets so that the middle-point device can filter out SNMP packets that do not match the specified attributes, you must correctly configure proxy rules for SNMP packets and ensure that these proxy rules are unique on the middle-point device.

    If you specify neither authentication nor privacy, SNMPv3 packets are neither authenticated nor encrypted.

    Create an SNMP proxy community.

    snmp-agent proxy community { community-name | cipher cipher-name } remote-engineid remote-engineid [ acl { acl-number | acl-name } alias alias-name *

    An SNMP proxy community defines administrative relationships between NMSs and managed devices. The community name acts like a password to regulate access to a managed device. An NMS can access a managed device only if the community name carried in the SNMP request sent by the NMS is the same as the community name configured on the managed device.

    This operation applies only to SNMPv1 and SNMPv2c.

    Configure attributes of the target hosts for receiving SNMP proxy packets.

    • For an IPv4 network: snmp-agent proxy target-host target-host-name address udp-domain ip-address udp-port port-number [ source interface-type interface-number | { vpn-instance vpn-instance-name public-net } | timeout timeout-interval ]* params securityname { security-name { v1 | v2c | v3 [ authentication | privacy ] } | cipher cipher-text { v1 | v2c } }
    • For an IPv6 network: snmp-agent proxy target-host target-host-name ipv6 address udp-domain ipv6-address udp-port port-number [ timeout timeout-interval ] params securityname { security-name { v1 | v2c | v3 [ authentication | privacy ] } | cipher cipher-text { v1 | v2c } }

    To enable the middle-point device to forward SNMP requests from the network management system (NMS) to the managed device and forward responses from the managed device to the NMS.

    • The target host may be either the NMS or the managed device.
    • You can run this command multiple times with different parameters set to configure a middle-point device to send SNMP proxy packets to multiple NMSs.
    • The default number of the destination User Datagram Protocol (UDP) port is 162, a well-known port number. If you want to change this number to a non-well-known port number, ensure that the new UDP port number is the same as that on the NMS.
    • If you specify neither authentication nor privacy, SNMPv3 packets are neither authenticated nor encrypted.
    • If the NMS and managed device need to communicate over a virtual private network (VPN), use the vpn-instance vpn-instance-name parameter.

    Create an SNMP proxy user.

    snmp-agent remote-engineid remote-engineid-name usm-user v3 user-name group-name authentication-mode { md5 | sha | sha2 } password privacy-mode { des56 | 3des168 | aes128 | aes192 | aes256 } password acl { acl-number | acl-name } ]

    SNMPv1 and SNMPv2c use community names for authentication, whereas SNMPv3 uses user names for authentication.

    Unlike SNMPv1 or SNMPv2c, SNMPv3 can implement access control, identity authentication, and data encryption using the local processing model and user-based security model (USM).

    SNMPv3 provides better security and encryption mechanisms than SNMPv1 and SNMPv2c, and is therefore widely used.

    This operation applies only to SNMPv3.

    (Optional) Configure the priority of SNMP packets.

    snmp-agent packet-priority { snmp | trap } priority-level

    Change the priority of SNMP packets in the following scenarios if necessary:
    • Increase the priority of notifications to ensure that the NMS receives them.
    • Increase the priority of GetResponse and SetResponse PDUs to facilitate management operations performed in the management information base (MIB) of a managed device by the NMS.
    • Reduce the priority of GetResponse PDUs, SetResponse PDUs, and notifications to prevent frequent packet sending when network congestion occurs.

  4. Run commit

    The configuration is committed.

For more details refer to the link below


Thanks
  • x
  • convention:

Telecommunications%20engineer%2C%20currently%20senior%20project%20manager%20at%20an%20operator%2C%20partner%20of%20Huawei%2C%20in%20the%20radio%20access%20network%20department%2C%20for%2020%20years%20I%20managed%20several%20types%20of%20projects%2C%20for%20the%20different%20nodes%20of%20the%20network.
chenhui
chenhui Admin Created Oct 21, 2019 01:33:36 Helpful(0) Helpful(0)

@user_3324639 hello,
it's similar to configure the ipv6 acl compared with aconfiguring the ipv4 acl, only a extra parameter ipv6 is required.
for example, to create a ipv6 acl 3001,
acl ipv6 3001
rule 5 permit ipv6 source 2001::1/64

for more commands and details, please visit https://support.huawei.com/hedex/hdx.do?docid=EDOC1100075578&id=acl6_configuration_commands&text=ACL6%252520Configuration%252520Commands&lang=en
  • x
  • convention:

Comment

Reply
You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits

Login