Authorized reprint by author zhushigeng (Vinsoney)
2.2 SNMPv3
1. CLI-based Configuration
(1) (Optional) Enable the SNMP agent service.
[Sysname] snmp-agent
By default, the SNMP agent service is disabled. Running any command with the
parameter snmp-agent enables the SNMP agent service, so this step is
optional.
(2) (Optional) Configure the SNMP version.
[Sysname] snmp-agent sys-info version v3
By default, SNMPv3 is enabled. Therefore, this step is optional.
(3) (Optional) Configure the MIB view to specify the MIB objects that the
NMS can access or is not allowed to access.
[Sysname] snmp-agent mib-view {excluded | included} view-name oid-tree
The default MIB view is ViewDefault and its OID is {1.3.6.1}.
If there are only a few MIB objects that do not need to be managed by an NMS or
you want to remove some MIB objects from an existing MIB view, specify excludedin the command to exclude these MIB objects.
If there are only a few MIB objects that need to be managed by an NMS or you
want to add some MIB objects to an existing MIB view, specify includedin the command to add these MIB objects. After the configuration is complete,
only these MIB objects can be accessed.
(4) Configure an SNMP group.
[Sysname] snmp-agent group v3 group-name [authentication | privacy] [read-view read-view| write-view write-view | notify-view notify-view] * [acl acl-number]
The available authentication and encryption modes are as follows:
· Non-authentication and non-encryption: Do not specify the authentication and privacyparameters. This mode is applicable to secure networks managed by specified administrators.
· Authentication and non-encryption: Specify only the authentication parameter. This mode is applicable to secure networks managed by many administrators who may frequently perform operations on the same device. In this mode, only the authenticated administrators can access the managed device.
· Authentication and encryption: Specify the privacy parameter. This mode is applicable to insecure networks managed by administrators who may frequently perform operations on the same device. In this mode, only the authenticated administrators can access the managed device, and transmitted data is encrypted to prevent data from being tampered with.
If no MIB view is configured for or bound to a user group on the Eudemon, the NMS using the user group has the read and write permissions on the ViewDefault view (OID: 1.3.6.1).
(5) Configure an SNMP user.
[Sysname] snmp-agent usm-user v3 user-name group-name[authentication-mode {md5 | sha} password [privacy-mode {des56 | aes128}password]] [acl acl-number]
The user name, authentication mode, encryption mode, and password must be the
same as those set in the NMS software.
After the authentication and encryption functions are enabled for a user group,
select the authentication and encryption methods to authenticate and encrypt
the data transmitted over the network.
If authentication and encryption are not enabled for a user group but authentication
and encryption methods are specified in this command, no authentication or
encryption information needs to be entered when an administrator connects to
the Eudemon using an NMS.
(6) (Optional) Configure contact information of the administrator and the
device location.
[Sysname] snmp-agent sys-info {contact contact | location location}
2. Configuration
Examples
Example 1: Configure SNMPv3.
[Sysname] snmp-agent sys-info version v3
[Sysname] snmp-agent group v3 grouptest1
[Sysname] snmp-agent usm-user v3 usertest1 grouptest1
Example 2: Specify a user group by an ACL.
[Sysname] acl 2000
[Sysname-acl-basic-2000] rule permit source 1.1.1.0 0.0.0.255
[Sysname] snmp-agent sys-info version v3
[Sysname] snmp-agent group v3 grouptest1 acl 2000
[Sysname] snmp-agent usm-user v3 usertest1 grouptest1
Example 3: Specify a user group by an ACL.
[Sysname] acl 2000
[Sysname-acl-basic-2000] rule permit source 1.1.1.0 0.0.0.255
[Sysname-acl-basic-2000] quit
[Sysname] snmp-agent sys-info version v3
[Sysname] snmp-agent group v3 grouptest1
[Sysname] snmp-agent usm-user v3 usertest1 grouptest1 acl 2000
Example 4: Enable authentication for a user in a user group, use the SHA
algorithm, and set the password to huawei123.
[Sysname] snmp-agent sys-info version v3
[Sysname] snmp-agent group v3 grouptest2 authentication
[Sysname] snmp-agent usm-user v3 usertest2 grouptest2 authentication-mode sha
huawei@123
Example 5: Enable authentication and encryption for a user in a user group, and
use the SHA authentication algorithm and the DES encryption algorithm.
[Sysname] snmp-agent sys-info version v3
[Sysname] snmp-agent group v3 grouptest3 privacy
[Sysname] snmp-agent usm-user v3 usertest3 grouptest3 authentication-mode sha
huawei@123 privacy-mode des56 huawei@456
Example 6: Specify the MIB view that a user group can access.
[Sysname] snmp-agent mib-view included v3view iso
[Sysname] snmp-agent sys-info version v3
[Sysname] snmp-agent group v3 grouptest1 read-view v3view write-view v3view
notify-view v3view
[Sysname] snmp-agent usm-user v3 usertest1 grouptest1
MORE: