The snmp-agent group command configures a new SNMP group.
The undo snmp-agent group command deletes a specified SNMP group.
By default, no SNMP group is created.
snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ] * [ acl acl-number ]
snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ] * acl-ipv4 acl-number [ acl-ipv6 acl-number ]
snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ] * acl-ipv6 acl-number
undo snmp-agent group v3 group-name { authentication | privacy | noauthentication }
| Parameter | Description | Value |
|---|---|---|
| v3 | Specifies the V3 security mode the user uses. | - |
| group-name | Specifies the group name. | It is a string of 1 to 32 characters, which are case sensitive and cannot be blank spaces. NOTE: When double quotation marks are used around the string, spaces are allowed in the string. |
| authentication | Authenticates but does not encrypt the packet. | - |
| privacy | Authenticates and encrypts the packet. | If user groups configured on the device have the same name but different authentication and encryption modes, users will be added to three user groups with the same name. Therefore, if the network or network devices are in an insecure environment (for example, the network is vulnerable to attacks), privacy can be configured in the command to enable data authentication or encryption. |
| noauthentication | Indicates no encryption and authentication for the SNMP group to be configured. | - |
| noauth | Does not authenticate or encrypt the packet. | - |
| read-view read-view | Specifies the name of the read view. The read view has the read authority. | The value is a string of 1 to 32 case-sensitive characters, with spaces not supported. The value of read-view is specified in the snmp-agent mib-view command. The NMS can read the MIB node in the read-view. NOTE: When double quotation marks are used around the string, spaces are allowed in the string. |
| write-view write-view | Specifies the name of the write view. The write view has the read and write authority. | The value is a string of 1 to 32 case-sensitive characters, with spaces not supported. The value of write-view is specified in the snmp-agent mib-view command. The NMS can write and read the MIB node in the write-view. NOTE: When double quotation marks are used around the string, spaces are allowed in the string. |
| notify-view notify-view | Specifies the name of the notify view. The notify view has the authority to send trap messages. | The value is a string of 1 to 32 case-sensitive characters, with spaces not supported. The value of notify-view is specified in the snmp-agent mib-view command. The MIB node in the notify-view can be sent to NMS by alarm. NOTE: When double quotation marks are used around the string, spaces are allowed in the string. |
| acl acl-number | Specifies the basic or advanced standard access list. NOTE: If acl-ipv4 or acl-ipv6 is not specified, the ACL configured by the acl acl-number parameter takes effect on both IPv4 and IPv6 networks. | The value is in the range of 2000 to 3999. |
| acl-ipv4 | Indicates a basic or advanced IPv4 ACL. | - |
| acl-ipv6 | Indicates a basic or advanced IPv6 ACL. | - |
Usage Scenario
SNMPv1 and SNMPv2c provide poor security. They rely on a limited security mechanism based on a community name carried in plain text, so an attacker can easily obtain the community name by capturing packets. Moreover, packet encryption is not supported. It is not recommended that SNMPv1 or SNMPv2c be used in untrusted networks.
Security is improved in SNMPv3. Authentication and encryption are provided in the user-based security model.
- authentication
- encryption
- access control on SNMP group users
- SNMP group permission configuration in a MIB view
Precautions
By default, the NMS can read SNMPv3 MIB nodes in 1.3.6.1.2.1. To access other nodes, you must run the snmp-agent mib-view command to set the nodes. After the configuration is complete, the NMS can operate all the MIB nodes in the view.
Configuring an SNMPv3 group with no authentication and no encryption, or with authentication but no encryption, brings security risks. To improve system security, delete the group and create a group with authentication and encryption.
To specify the same ACL on IPv4 and IPv6 networks, you can only run the snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]* [ acl acl-number ] command.
If the snmp-agent group command is run more than once to specify ACLs for the same SNMP user group, the latest configuration overrides the previous one.
# Create an SNMPv3 group Johngroup and a MIB view mib2view, set the authentication or encryption mode of Johngroup to privacy, and grant the read permission on mib2view.
<sysname> system-view
[sysname] snmp-agent mib-view included mib2view 1.3.6.1.2.1
[sysname] snmp-agent group v3 Johngroup privacy read-view mib2view
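
An added example, not part of the original reference and not vendor code: a Python check over saved configuration text that flags SNMPv3 groups the Precautions describe as risky (any mode other than privacy) and group names that exist at more than one security level. The `no-acl` finding is an assumed local policy, whole-line replacement of a repeated command is a simplification, and the sample configuration is constructed.

```python
import shlex

# Keywords from the parameter table above ("noauth" is listed there next to "noauthentication").
LEVELS = {"privacy", "authentication", "noauthentication", "noauth"}
VIEW_KEYS = {"read-view", "write-view", "notify-view"}
ACL_KEYS = {"acl", "acl-ipv4", "acl-ipv6"}

def parse_group(line):
    """Parse one 'snmp-agent group v3 ...' line; return a dict, or None if it is not one."""
    try:
        tok = shlex.split(line)  # keeps a double-quoted group name with spaces as one token
    except ValueError:           # unbalanced quotes
        return None
    if len(tok) < 5 or tok[:3] != ["snmp-agent", "group", "v3"] or tok[4] not in LEVELS:
        return None
    opts = tok[5:]
    if len(opts) % 2 or any(k not in VIEW_KEYS | ACL_KEYS for k in opts[::2]):
        return None
    pairs = dict(zip(opts[::2], opts[1::2]))
    return {"name": tok[3], "level": tok[4],
            "views": {k: v for k, v in pairs.items() if k in VIEW_KEYS},
            "acls": {k: v for k, v in pairs.items() if k in ACL_KEYS}}

def audit(config_text):
    """Return sorted (group-name, finding) pairs for every v3 group in the text."""
    groups = {}
    for raw in config_text.splitlines():
        g = parse_group(raw.strip())
        if g:
            groups[(g["name"], g["level"])] = g  # same group repeated: keep the latest line
    findings = set()
    for (name, level), g in groups.items():
        if level != "privacy":
            findings.add((name, "not-privacy"))  # the risk named under Precautions
        if not g["acls"]:
            findings.add((name, "no-acl"))       # added policy check (assumption)
        if sum(1 for n, _ in groups if n == name) > 1:
            findings.add((name, "mixed-security-levels"))
    return sorted(findings)

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
snmp-agent mib-view included mib2view 1.3.6.1.2.1
snmp-agent group v3 Johngroup privacy read-view mib2view acl 2001
snmp-agent group v3 "ops team" authentication read-view mib2view
snmp-agent group v3 legacy noauthentication write-view mib2view acl-ipv4 2002
snmp-agent group v3 legacy privacy read-view mib2view acl 2001
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
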