
(Optional) Configuring the Trap Function

You can configure the trap function for the device to send traps of specific features to the NMS, which will help you to locate important problems. In addition, you can set trap sending parameters to improve trap sending reliability.

Procedure

  1. Access the system view.

    system-view

  2. Enable the trap functions of all modules.

    snmp-agent trap enable

  3. Enable the trap function of a feature module.

    snmp-agent trap enable feature-name feature-name trap-name trap-name

    This means that a trap of a specific feature can be sent to the NMS.

  4. Create a MIB view and specify manageable MIB objects.

    snmp-agent mib-view { excluded | included } view-name oid-tree

    • If a few MIB objects on a device or some objects in the current MIB view do not or no longer need to be managed by the NMS, excluded needs to be specified in the related command to exclude these MIB objects.

    • If a few MIB objects on the device or some objects in the current MIB view need to be managed by the NMS, included needs to be specified in the related command to include these MIB objects.

  5. Configure trap function parameters.

    • If the NMS or devices are on an insecure network, you are advised to configure authentication-mode and privacy-mode in the command to enable data authentication and encryption.

    • 3DES and DES56 are less secure, and AES128 or higher is recommended.

    • To improve system security, you are advised to configure different authentication and encryption passwords for an SNMP user.

    The difference between alarms in trap and Inform modes is as follows:

    • A managed device does not need to receive a response from the NMS when sending an alarm in trap mode. Therefore, no remote engine ID needs to be configured on the managed device.

    • A managed device needs to receive a response from the NMS when sending an alarm in Inform mode. Therefore, specify the NMS engine ID on the managed device. The remote engine ID must be the same as the engine ID of the destination host that receives the alarm. If the managed device receives no response from the NMS within a timeout period, it resends the alarm until a response is returned or the number of alarms reaches the configured upper limit.

      The managed device sends the alarm in Inform mode and records an alarm log at the same time. If the NMS or a link fails, the NMS can synchronize alarms generated during this period after the fault is rectified.

    Therefore, alarms in Inform mode are more reliable than those in trap mode. However, because of the retransmission mechanism, a device needs to cache a large number of alarm messages, which consumes a large amount of memory.

    If the network environment is stable, sending alarms in trap mode is recommended. If device resources are sufficient and the network environment is unstable, sending alarms in Inform mode is recommended.

    The same destination host cannot be configured for Inform and trap messages. If the Inform and trap messages share the same destination host, the latest configuration overrides the previous configuration.

    Configuring trap parameters:

    1. Configure a destination host to which the device sends alarms and error codes in trap mode.

      • IPv4

        snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | [ public-net | vpn-instance vpn-instance-name ] ] * params securityname security-string [ v3 [ authentication | privacy ] | notify-filter-profile profile-name | private-netmanager | ext-vb ] *

      • IPv6

        snmp-agent target-host trap ipv6 address udp-domain ipv6-address [ udp-port port-number ] params securityname security-string [ v3 [ authentication | privacy ] | notify-filter-profile profile-name | private-netmanager | ext-vb ] *

      The descriptions of the command parameters are as follows:

      • The default destination User Datagram Protocol (UDP) port number is 162. In some special cases (for example, port mirroring is configured to prevent a well-known port from being attacked), the parameter udp-port can be used to specify a non-well-known UDP port number. This ensures normal communication between the NMS and managed device.

      • If the alarms sent from the managed device to the NMS need to be transmitted over a public network, the parameter public-net needs to be configured. If the alarms sent from the managed device to the NMS need to be transmitted over a private network, the parameter vpn-instance vpn-instance-name needs to be used to specify a VPN that will take over the sending task.

      • The parameter securityname identifies the alarm sender, which will help you learn the alarm source. For SNMPv3, securityname must be configured as the user name. securityname configured on the host needs to be the same as that configured on the NMS, or the NMS cannot receive the trap messages sent from the host.

      • If the NMS and managed device are both Huawei products, the parameter private-netmanager can be configured to add more information to alarms, such as the alarm type, alarm sequence number, and alarm sending time. The information will help you locate and rectify faults more quickly.

      • An excess of alarms generated on the device may make fault location difficult. In this case, the notify-filter-profile parameter can be configured in the command to allow the device to filter out unwanted alarms and send only the needed alarms to the NMS. To make the filtering policy take effect, you also need to configure notify-view in the snmp-agent group command when configuring the user group.

    2. Run the snmp-agent notify-filter-profile { excluded | included } profile-name oid-tree command to specify or update the traps that can be sent to the NMS.

      At present, the snmp-agent notify-filter-profile command supports either the variable OID of a character string or an object name. If the entered parameter is a character string, the asterisk (*) can be used as the mask. The asterisk (*) can be placed only in the middle, not at the beginning or end of the string.

    3. Run the snmp-agent trap source interface-type interface-number command to specify the source interface for traps.

      After the source interface is specified, its IP address becomes the source IP address of trap messages. Using the local loopback interface as the source interface is recommended, which can ensure device security.

      The source interface configured for the trap message on the FW must be the same as that configured on the NMS; otherwise, the NMS will discard the trap message.

    4. Run the snmp-agent trap source-port port-number command to specify the source port for traps.

      Because the source port is fixed, the packets can be filtered by the FW to improve the security of the network.

    5. Run the snmp-agent trap queue-size size command to set the length of the queue storing traps to be sent to the destination host.

      The queue length depends on the number of generated trap messages. If the FW frequently generates trap messages, a longer queue length can be set to prevent trap messages from being lost.

    6. Run the snmp-agent trap life seconds command to set the lifetime of every trap.

      The lifetime of every trap message depends on the number of generated trap messages. If the FW frequently generates trap messages, a longer lifetime can be set for every trap message to prevent trap messages from being lost.

    7. Run the snmp-agent trap start-trap resend disable command to disable the function of resending device cold-start or warm-start traps.

      By default, the function of resending device cold-start or warm-start traps is enabled.

    Configuring inform parameters:

    1. Configure a destination host to which the device sends alarms and error codes in Inform mode.

      snmp-agent target-host inform address udp-domain ip-address [ udp-port port-number | source interface-type interface-number | [ public-net | vpn-instance vpn-instance-name ] ] * params securityname security-string v3 [ authentication | privacy ] [ notify-filter-profile profile-name | ext-vb ] *

    2. Run the snmp-agent inform { timeout seconds | resend-times times | pending number }* command to set the timeout period for waiting for Inform ACK messages, number of inform retransmissions, and allowable maximum number of informs to be acknowledged.

      If the network is unstable, you need to specify the number of inform retransmissions and allowable maximum number of informs to be acknowledged when you set a timeout period for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform ACK messages is 15 seconds; the number of inform retransmissions is 3; the allowable maximum number of informs waiting to be acknowledged is 39.

    3. Run the snmp-agent inform { timeout seconds | resend-times times } * address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname [ cipher ] security-string command to set the timeout period for waiting for Inform ACK messages from a specified NMS and the number of inform retransmissions.

      If the network is unstable, you need to specify the number of inform retransmissions to be acknowledged when you set a timeout period for waiting for Inform ACK messages. By default, the timeout period for waiting for Inform ACK messages is 15 seconds, and the number of inform retransmissions is 3.

    4. Run the snmp-agent notification-log enable command to enable the alarm logging function.

      If the link between the managed device and the NMS fails, the managed device will stop sending informs to the NMS because the NMS is unroutable, but it will continue logging informs. If the link recovers, the NMS will learn the informs logged by the managed device during the link failure.

      After the alarm logging function is enabled, the system logs only informs, not traps.

      By default, the alarm logging function is disabled.

    5. Run the snmp-agent notification-log { global-ageout ageout | global-limit limit }* command to set the aging time of alarm logs and maximum number of alarm logs allowed to be stored in the log buffer.

      By default, the aging time of alarm logs is 24 hours. If the aging time expires, alarm logs will be automatically deleted.

      By default, the log buffer can store a maximum of 500 alarm logs. If the number of alarm logs in the log buffer exceeds 500, the device will delete the alarm logs from the earliest one.
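
The following added example, which is not part of the original Huawei documentation, checks a planned list of the commands above against this procedure's recommendations: SNMPv3 with privacy on every target host, no host shared between trap and Inform, an asterisk only in the middle of a filter string, and a configured trap source interface. The addresses, user names, profile name and finding labels are constructed for illustration.

```python
import re

# Constructed command list (addresses, user names and profile name are made up).
PLANNED = """\
snmp-agent trap enable
snmp-agent target-host trap address udp-domain 192.0.2.10 params securityname nmsuser1 v3 privacy
snmp-agent target-host trap address udp-domain 192.0.2.20 udp-port 10162 params securityname nmsuser2 v3 authentication
snmp-agent target-host trap address udp-domain 192.0.2.30 params securityname nmsuser3
snmp-agent target-host inform address udp-domain 192.0.2.10 params securityname nmsuser1 v3 privacy
snmp-agent notify-filter-profile included prof1 1.3.6.1.*
snmp-agent trap source-port 40162
"""

TARGET = re.compile(r"^snmp-agent target-host (trap|inform) (?:ipv6 )?address udp-domain (\S+)"
                    r".*? params securityname (?:cipher )?\S+(.*)$")
FILTER = re.compile(r"^snmp-agent notify-filter-profile (?:excluded|included) (\S+) (\S+)$")

def audit(commands):
    """Return (subject, finding) tuples for a planned SNMP trap/Inform command list."""
    findings, mode_of, has_source = [], {}, False
    for line in (l.strip() for l in commands.splitlines()):
        if line.startswith("snmp-agent trap source "):  # trailing space excludes "source-port"
            has_source = True
        f = FILTER.match(line)
        # The asterisk mask may appear only in the middle of the string.
        if f and (f.group(2).startswith("*") or f.group(2).endswith("*")):
            findings.append((f.group(1), "wildcard-not-in-middle"))
        t = TARGET.match(line)
        if not t:
            continue
        mode, host, opts = t.group(1), t.group(2), t.group(3).split()
        if "v3" not in opts:
            findings.append((host, "not-snmpv3"))        # no authentication or privacy level possible
        elif "privacy" not in opts:
            findings.append((host, "no-encryption"))     # v3 without the privacy keyword
        # Same host for trap and Inform: the later command overrides the earlier one.
        if mode_of.get(host, mode) != mode:
            findings.append((host, "%s-overrides-%s" % (mode, mode_of[host])))
        mode_of[host] = mode
    if not has_source:
        findings.append(("trap source", "no-source-interface"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(PLANNED):
        print(subject, finding)
```
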

Copyright © Huawei Technologies Co., Ltd.