
Configuring Basic SNMPv3 Functions

After basic SNMPv3 functions are configured, an NMS can perform basic operations on a managed device, and the managed device can send alarms to the NMS.

Context

The NMS manages a device in the following manners:
  • Sends requests to the managed device to perform the GetRequest, GetNextRequest, GetResponse, GetBulk, or SetRequest operation, obtaining data and setting values.

    SNMPv1 or SNMPv2c has a security risk. Using SNMPv3 is recommended.

  • Receives alarms from the managed device and locates and rectifies device faults based on the alarm information.

Ensure that the security level of the alarm host is higher than or equal to the security level of the user, and that the security level of the user is higher than or equal to the security level of the SNMP user group.

The security levels are as follows (in descending order of strength):
  • Level 1: privacy (authentication and encryption)
  • Level 2: authentication (without encryption)
  • Level 3: noauthentication (neither authentication nor encryption)

For example:

  • If the security level of the SNMP user group is level 1, the security level of both the user and the alarm host must be level 1.
  • If the security level of the SNMP user group is level 2, the security level of the user and the alarm host can be both level 1 or level 2.

Procedure

  1. Access the system view.

    system-view

  2. Enable the information center.

    info-center enable

    By default, the information center is enabled.

  3. Optional: Enable the SNMP agent function.

    snmp-agent

    By default, the SNMP agent function is disabled. Running any command that starts with snmp-agent enables the SNMP agent function, so this step is optional.

  4. Optional: Set the port number monitored by the SNMP agent.

    snmp-agent udp-port port-num

    By default, port 161 is monitored by the SNMP agent.

    The snmp-agent udp-port command can be used to change the number of the port monitored by the SNMP agent, to improve the security of the device.

  5. Optional: Set the SNMP version.

    snmp-agent sys-info version v3

    By default, SNMPv3 is enabled, so this step is optional.

  6. Configure an SNMPv3 user group.

    snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]* [ acl acl-number ]

    If user groups configured on the device have the same name but different authentication and encryption modes, users are added to three user groups with the same name. If the network or network devices are in an insecure environment (for example, the network is vulnerable to attacks), configure privacy in the command to enable data authentication and encryption.

    The available authentication and encryption modes are as follows:
    • No authentication and no encryption: noauthentication is configured in the command. This mode is applicable to secure networks managed by a specified administrator.

    • Authentication without encryption: Only authentication is configured in the command. This mode is applicable to secure networks managed by many administrators who may frequently perform operations on the same device. In this mode, only the authenticated administrators can access the managed device.

    • Authentication and encryption: privacy is configured in the command. This mode is applicable to insecure networks managed by many administrators who may frequently perform operations on the same device. In this mode, only the authenticated administrators can access the managed device, and transmitted data is encrypted to guard against tampering and data leaking.

    By default, the NMS can read SNMPv3 MIB nodes in 1.3.6.1.2.1. To access other nodes, you must run the snmp-agent mib-view command to set the nodes. After the configuration is complete, the NMS can operate all the MIB nodes in the view.
    • To grant the read-only permission (for a low-level administrator) to the NMS in the specified view, use parameter read-view. To grant the read-write permission (for a high-level administrator) to the NMS in the specified view, use parameter write-view.

    • To filter out useless alarms, use parameter notify-view notify-view to limit the MIB nodes that send alarms to the NMS. Then the FW sends the alarms from only the MIB nodes that are specified by parameter notify-view to the NMS.

    After you configure the user group, run the snmp-agent usm-user command to add a user to the user group. Then the NMS can access the FW with the user name after authentication and authorization.

  7. Configure an SNMPv3 user.

    • Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group group-name | acl acl-number ] * command to configure an SNMPv3 user.
    • Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name authentication-mode { md5 | sha | sha-256 } [ cipher password ] command to configure an authentication password for the SNMPv3 user.
    • Run the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name privacy-mode { des56 | aes128 | aes192 | aes256 | 3des } [ cipher password ] command to configure an encryption password for the SNMPv3 user.

    To improve system security, it is recommended that different authentication and encryption passwords be configured for an SNMPv3 user.

    By default, the complexity check is performed on the authentication or encryption password configured for a USM user. If the password fails the check, the configuration fails. You can run the snmp-agent usm-user password complexity-check disable command to disable the password complexity check. It is recommended that the complexity check be kept enabled to ensure system security.

  8. Optional: Set the equipment administrator's contact information or location.

    snmp-agent sys-info { contact contact | location location }

    This step is required when the NMS manages many devices and the NMS administrator must know the equipment administrators' contact information and locations. This allows the NMS administrator to contact the equipment administrators quickly for fault location and rectification.

    To configure both the equipment administrator's contact information and location, you must run the command twice to configure them separately.

  9. Optional: Set the maximum size of an SNMP packet that the device can receive or send.

    snmp-agent packet max-size byte-count

    By default, the maximum size of an SNMP packet that the device can receive or send is 12000 bytes.

    After the maximum size is set, the device discards any SNMP packet that is larger than the set size. Set the maximum SNMP packet size of the device according to the packet size that the NMS can process; otherwise, the NMS cannot process the SNMP packets sent from the device.

  10. Optional: Set the source interface that receives and responds to NMS requests.

    snmp-agent protocol source-interface interface-type interface-number

    Currently, the source interface can be set only to a loopback interface.

  11. Optional: Set an engine ID for the local SNMP entity.

    snmp-agent local-engineid engineid

    By default, the system uses an internal algorithm to automatically generate an engine ID that consists of an enterprise number and device information. The MAC address of the management interface on the main control board is used as device information.

    To improve system security, run the snmp-agent packet contextengineid-check enable command to check whether the contextEngineID is consistent with the local engine ID.

  12. Optional: Disable the SNMP IPv4 or IPv6 listening port.

    snmp-agent protocol server [ ipv4 | ipv6 ] disable

    By default, the SNMP IPv4 or IPv6 listening port is disabled.

    If ipv4 or ipv6 is not selected, both SNMP IPv4 and IPv6 listening ports are disabled.

    After you disable the SNMP IPv4 or IPv6 listening port using the snmp-agent protocol server disable command, SNMP no longer processes SNMP packets. Exercise caution when you disable the SNMP IPv4 or IPv6 listening port.
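    The following script is an added example (not Huawei's code) that ties the security-level rule from the Context section (alarm host level >= user level >= SNMP user group level, with privacy > authentication > noauthentication) to the procedure above. It checks a planned group/user/alarm-host combination against that rule, checks that the passwords supplied match the user's level and differ from each other as step 7 recommends, and then renders the command lines of steps 1, 2, 3, 5, 6, 7 and 11 in the syntax shown on this page. The group name, user name, view name, ACL number and passwords are constructed sample values; the alarm-host command itself is not shown on this page, so only its security level is checked here.

```python
"""Check SNMPv3 security-level ordering and render the VRP command lines.

Added example; not Huawei's code. Encodes the rule stated on the page
(alarm host >= user >= group, with privacy > authentication > noauthentication)
and renders the commands of steps 1, 2, 3, 5, 6, 7 and 11 for one group and
one user. All names, view names, ACL numbers and passwords are constructed.
"""
from typing import List, Optional

# Weakest to strongest; the page numbers these level 3, 2 and 1 respectively.
LEVELS = ("noauthentication", "authentication", "privacy")
RANK = {name: i for i, name in enumerate(LEVELS)}
AUTH_MODES = ("md5", "sha", "sha-256")                        # step 7
PRIV_MODES = ("des56", "aes128", "aes192", "aes256", "3des")  # step 7


def check_levels(group_level: str, user_level: str, alarm_host_level: str) -> List[str]:
    """Return the list of rule violations (empty when the combination is valid)."""
    for lvl in (group_level, user_level, alarm_host_level):
        if lvl not in RANK:
            return [f"unknown security level {lvl!r}; expected one of {LEVELS}"]
    problems = []
    if RANK[user_level] < RANK[group_level]:
        problems.append(f"user level {user_level} is weaker than group level {group_level}")
    if RANK[alarm_host_level] < RANK[user_level]:
        problems.append(f"alarm host level {alarm_host_level} is weaker than user level {user_level}")
    return problems


def render_config(group: str, group_level: str, user: str, user_level: str,
                  alarm_host_level: str, auth_mode: str = "sha-256",
                  auth_password: Optional[str] = None, priv_mode: str = "aes256",
                  priv_password: Optional[str] = None, read_view: Optional[str] = None,
                  write_view: Optional[str] = None, notify_view: Optional[str] = None,
                  acl: Optional[int] = None) -> List[str]:
    """Validate the plan and return the VRP command lines; raise ValueError if invalid."""
    problems = check_levels(group_level, user_level, alarm_host_level)
    # A user's level follows from the passwords configured for it (step 7):
    # authentication needs an auth password, privacy needs both.
    needs_auth = RANK.get(user_level, 0) >= RANK["authentication"]
    needs_priv = RANK.get(user_level, 0) >= RANK["privacy"]
    if needs_auth != bool(auth_password):
        problems.append(f"user level {user_level} requires the authentication password "
                        f"{'to be set' if needs_auth else 'to be absent'}")
    if needs_priv != bool(priv_password):
        problems.append(f"user level {user_level} requires the encryption password "
                        f"{'to be set' if needs_priv else 'to be absent'}")
    if auth_password and priv_password and auth_password == priv_password:
        problems.append("authentication and encryption passwords should differ")  # page recommendation
    if auth_password and auth_mode not in AUTH_MODES:
        problems.append(f"unsupported authentication-mode {auth_mode!r}")
    if priv_password and priv_mode not in PRIV_MODES:
        problems.append(f"unsupported privacy-mode {priv_mode!r}")
    if problems:
        raise ValueError("; ".join(problems))

    group_cmd = f"snmp-agent group v3 {group} {group_level}"
    for keyword, view in (("read-view", read_view), ("write-view", write_view),
                          ("notify-view", notify_view)):
        if view:
            group_cmd += f" {keyword} {view}"
    if acl is not None:
        group_cmd += f" acl {acl}"
    user_cmd = f"snmp-agent usm-user v3 {user} group {group}"
    if acl is not None:
        user_cmd += f" acl {acl}"

    cmds = ["system-view",                      # step 1
            "info-center enable",               # step 2
            "snmp-agent",                       # step 3
            "snmp-agent sys-info version v3",   # step 5
            group_cmd,                          # step 6
            user_cmd]                           # step 7
    if auth_password:
        cmds.append(f"snmp-agent usm-user v3 {user} authentication-mode {auth_mode} cipher {auth_password}")
    if priv_password:
        cmds.append(f"snmp-agent usm-user v3 {user} privacy-mode {priv_mode} cipher {priv_password}")
    cmds.append("snmp-agent packet contextengineid-check enable")  # step 11
    return cmds


if __name__ == "__main__":
    # Valid plan: everything at the privacy level, read-only view, ACL 2000 (constructed values).
    for line in render_config("nms-admins", "privacy", "nms-user", "privacy", "privacy",
                              auth_password="Auth-Pass-1", priv_password="Priv-Pass-2",
                              read_view="iso-view", acl=2000):
        print(line)
    # Invalid plan: an authentication-only user in a privacy group is rejected.
    try:
        render_config("nms-admins", "privacy", "nms-auth-only", "authentication", "privacy",
                      auth_password="Auth-Pass-1")
    except ValueError as err:
        print("rejected:", err)
```

The rank table is the whole point: a weaker user cannot be placed in a stronger group, and an alarm host weaker than the user would downgrade the notifications it receives, so both checks run before any command line is produced.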

Follow-up Procedure

After the configurations are complete, basic communication can be conducted between the NMS and managed device.
  • Access control allows any NMS that uses the community name to monitor and manage all the objects on the managed device.

  • The managed device sends alarms generated by the modules that are enabled by default to the NMS.

If finer device management is required, follow directions below to configure a managed device:
Copyright © Huawei Technologies Co., Ltd.