Configuring SNMPv3 basic parameters

Only users with the network-admin or level-15 user role can create SNMPv3 users or groups. Users with other user roles cannot create SNMPv3 users or groups even if these roles are granted access to related commands or commands of the SNMPv3 feature.

SNMPv3 users are managed in groups. All SNMPv3 users in a group share the same security model, but can use different authentication and privacy key settings. To implement a security model for a user and avoid SNMP communication failures, make sure the security model configuration for the group and the security key settings for the user are compliant with Table 7 and match the settings on the NMS.

Table 7: Basic security setting requirements for different security models

| Security model | Security model keyword for the group | Security key settings for the user | Remarks |
| --- | --- | --- | --- |
| Authentication with privacy | privacy | Authentication key, privacy key | If the authentication key or the privacy key is not configured, SNMP communication will fail. |
| Authentication without privacy | authentication | Authentication key | If no authentication key is configured, SNMP communication will fail. The privacy key (if any) for the user does not take effect. |
| No authentication, no privacy | Neither authentication nor privacy | None | The authentication and privacy keys, if configured, do not take effect. |

To configure SNMPv3 basic parameters:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. (Optional.) Enable the SNMP agent.
   Command: snmp-agent
   Remarks: By default, the SNMP agent is disabled. The SNMP agent is enabled when you use any command that begins with snmp-agent, except for the snmp-agent calculate-password command.

3. (Optional.) Configure the system contact.
   Command: snmp-agent sys-info contact sys-contact
   Remarks: By default, the system contact is not configured.

4. (Optional.) Configure the system location.
   Command: snmp-agent sys-info location sys-location
   Remarks: By default, the system location is not configured.

5. Enable SNMPv3.
   Command: snmp-agent sys-info version { all | { v1 | v2c | v3 } * }
   Remarks: By default, SNMPv3 is enabled.

6. (Optional.) Set a local engine ID.
   Command: snmp-agent local-engineid engineid
   Remarks: By default, the local engine ID is the company ID plus the device ID. The device ID varies by device model.
   IMPORTANT: After you change the local engine ID, the existing SNMPv3 users and encrypted keys become invalid, and you must reconfigure them.

7. (Optional.) Set an engine ID for a remote SNMP entity.
   Command: snmp-agent remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] engineid engineid
   Remarks: By default, no remote entity engine IDs exist. This step is required for the device to send SNMPv3 notifications to a host, typically an NMS.

8. (Optional.) Create or update a MIB view.
   Command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]
   Remarks: By default, the MIB view ViewDefault is predefined. In this view, all MIB objects in the iso subtree are accessible except those in the snmpUsmMIB, snmpVacmMIB, and snmpModules.18 subtrees. Each view-name oid-tree pair represents a view record. If you specify the same record with different MIB subtree masks multiple times, the most recent configuration takes effect. Except for the four subtrees in the default MIB view, you can create up to 16 unique MIB view records.

9. (Optional.) Create an SNMPv3 group.
   Command:
   • In non-FIPS mode: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
   • In FIPS mode: snmp-agent group v3 group-name { authentication | privacy } [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
   Remarks: By default, no SNMP groups exist.

10. (Optional.) Calculate the encrypted form of a plaintext key.
   Command:
   • In non-FIPS mode: snmp-agent calculate-password plain-password mode { 3desmd5 | 3dessha | aes192md5 | aes192sha | aes256md5 | aes256sha | md5 | sha } { local-engineid | specified-engineid engineid }
   • In FIPS mode: snmp-agent calculate-password plain-password mode { aes192sha | aes256sha | sha } { local-engineid | specified-engineid engineid }
   Remarks: N/A
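Steps 6, 7 and 10 all turn on the fact that an SNMPv3 key is bound to an engine ID. The following is an added example, not the device's code: it implements the password-to-key and key localization procedure of RFC 3414 Appendix A.2, which the USM authentication modes md5 (HMAC-MD5-96) and sha (HMAC-SHA-96) are built on. The page does not state that the output of snmp-agent calculate-password is exactly this localized key, so that correspondence is an assumption; what the code does show is why the same password gives a different key for every engine ID, which is the reason the IMPORTANT note under step 6 says that changing the local engine ID invalidates existing users and encrypted keys. The password and engine ID are the RFC 3414 Appendix A.3 test vector, used here as constructed input.

```python
"""RFC 3414 password-to-key conversion and key localization.

Added example, not the device's code. Shows that a USM key depends on the
authoritative engine ID, so re-keying is needed after the engine ID changes.
"""
import hashlib

# Comware authentication-mode keywords mapped to the hash each one uses
# (md5 = HMAC-MD5-96, sha = HMAC-SHA-96; both derive keys with the plain hash).
AUTH_HASH = {"md5": "md5", "sha": "sha1"}

# Engine ID from the RFC 3414 Appendix A.3 test vector (constructed input).
EXAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_ku(password: bytes, mode: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2 step 1: hash the password repeated to exactly 1 MiB."""
    if not password:
        raise ValueError("empty password")
    need = 1_048_576
    stream = (password * (need // len(password) + 1))[:need]
    return hashlib.new(AUTH_HASH[mode], stream).digest()


def localize(ku: bytes, engine_id: bytes, mode: str) -> bytes:
    """RFC 3414 A.2 step 2: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(AUTH_HASH[mode], ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, mode: str) -> bytes:
    """Password -> key localized to one engine, as both NMS and agent derive it."""
    return localize(password_to_ku(password, mode), engine_id, mode)


def key_survives_engine_change(password: bytes, old_id: bytes, new_id: bytes, mode: str) -> bool:
    """True only if the key localized under old_id is still correct under new_id."""
    return localized_key(password, old_id, mode) == localized_key(password, new_id, mode)


if __name__ == "__main__":
    for mode in ("md5", "sha"):
        print(mode, localized_key(b"maplesyrup", EXAMPLE_ENGINE_ID, mode).hex())
    # A different engine ID (constructed) yields a different key: the old key is invalid.
    other_id = bytes.fromhex("000000000000000000000003")
    print("key still valid after engine ID change:",
          key_survives_engine_change(b"maplesyrup", EXAMPLE_ENGINE_ID, other_id, "sha"))
```

The same localization is what makes step 7 necessary: a notification sent to an NMS is authenticated with a key localized to the remote engine's ID, so the device must know that ID before it can derive the right key.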

11. Create an SNMPv3 user.
   Command:
   • In non-FIPS mode (VACM mode): snmp-agent usm-user v3 user-name group-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | aes192 | aes256 | des56 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
   • In non-FIPS mode (RBAC mode): snmp-agent usm-user v3 user-name user-role role-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | aes192 | aes256 | des56 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
   • In FIPS mode (VACM mode): snmp-agent usm-user v3 user-name group-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] { cipher | simple } authentication-mode sha auth-password [ privacy-mode { aes128 | aes192 | aes256 } priv-password ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
   • In FIPS mode (RBAC mode): snmp-agent usm-user v3 user-name user-role role-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] { cipher | simple } authentication-mode sha auth-password [ privacy-mode { aes128 | aes192 | aes256 } priv-password ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
   Remarks: If the cipher keyword is specified, the auth-password and priv-password arguments are interpreted as encrypted keys. To send notifications to an SNMPv3 NMS, you must specify the remote keyword.

12. (Optional.) Assign a user role to an SNMPv3 user created in RBAC mode.
   Command: snmp-agent usm-user v3 user-name user-role role-name
   Remarks: By default, an SNMPv3 user has the user role assigned to it at its creation.

13. (Optional.) Create an SNMP context.
   Command: snmp-agent context context-name
   Remarks: By default, no SNMP contexts exist.

14. (Optional.) Configure the maximum SNMP packet size (in bytes) that the SNMP agent can handle.
   Command: snmp-agent packet max-size byte-count
   Remarks: By default, the SNMP agent can process SNMP packets with a maximum size of 1500 bytes.

15. (Optional.) Specify the UDP port for receiving SNMP packets.
   Command: snmp-agent port port-num
   Remarks: By default, the device uses UDP port 161 for receiving SNMP packets.

16. (Optional.) Configure SNMP agent alive notification sending and set the sending interval.
   Command: snmp-agent trap periodical-interval interval
   Remarks: By default, sending SNMP agent alive notifications is enabled and the sending interval is 60 seconds.
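The mismatches Table 7 warns about (a privacy group whose user has no privacy key, a privacy key that silently never takes effect under an authentication-only group, a group with no security model at all) are easy to introduce across the group command in step 9 and the user command in step 11, and the device does not reject them. The following is an added example, not the device's code: a Python check that reads the snmp-agent group v3 and snmp-agent usm-user v3 lines of a saved configuration in the syntax given above and reports each user that will fail or that carries a key that does not take effect. It also flags the md5, des56 and 3des keywords, which the FIPS-mode forms of the command do not accept. The sample configuration, the user and group names and the severity labels are constructed for this example.

```python
"""Check SNMPv3 group and user settings against the Table 7 rules.

Added example, not the device's code. Parses the group v3 / usm-user v3 lines
of a saved configuration (constructed sample below) and reports combinations
that Table 7 says will fail or silently lose a key.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Keywords absent from the FIPS-mode forms of snmp-agent usm-user v3.
NON_FIPS_AUTH = {"md5"}
NON_FIPS_PRIV = {"des56", "3des"}

# Constructed sample configuration (placeholders stand in for cipher-form keys).
SAMPLE_CONFIG = """
snmp-agent group v3 managers privacy read-view ViewDefault write-view ViewDefault
snmp-agent usm-user v3 alice managers cipher authentication-mode sha <cipher-auth-key> privacy-mode aes128 <cipher-priv-key>
snmp-agent usm-user v3 bob managers simple authentication-mode md5 Pass1234
snmp-agent group v3 readers authentication read-view ViewDefault
snmp-agent usm-user v3 carol readers simple authentication-mode sha Pass5678 privacy-mode aes256 Pass9012
snmp-agent group v3 legacy read-view ViewDefault
snmp-agent usm-user v3 dave legacy
snmp-agent usm-user v3 erin user-role network-operator simple authentication-mode sha Pass3456 privacy-mode des56 Pass7890
"""


@dataclass
class Group:
    name: str
    model: str  # "privacy", "authentication" or "none" (Table 7 row)


@dataclass
class User:
    name: str
    group: Optional[str]  # VACM mode: group-name
    role: Optional[str]   # RBAC mode: user-role role-name
    auth: Optional[str]   # authentication-mode keyword, if any
    priv: Optional[str]   # privacy-mode keyword, if any


def parse_config(text: str) -> Tuple[Dict[str, Group], List[User]]:
    """Extract groups and users; other lines are ignored."""
    groups: Dict[str, Group] = {}
    users: List[User] = []
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["snmp-agent", "group", "v3"] and len(t) > 3:
            # The security model keyword, when present, directly follows the group name.
            model = t[4] if len(t) > 4 and t[4] in ("authentication", "privacy") else "none"
            groups[t[3]] = Group(t[3], model)
        elif t[:3] == ["snmp-agent", "usm-user", "v3"] and len(t) > 4:
            group = role = None
            if t[4] == "user-role" and len(t) > 5:
                role = t[5]
            else:
                group = t[4]
            auth = t[t.index("authentication-mode") + 1] if "authentication-mode" in t else None
            priv = t[t.index("privacy-mode") + 1] if "privacy-mode" in t else None
            users.append(User(t[3], group, role, auth, priv))
    return groups, users


def check(groups: Dict[str, Group], users: List[User]) -> List[Tuple[str, str, str]]:
    """Return (user, severity, message) findings in configuration order."""
    findings: List[Tuple[str, str, str]] = []
    for u in users:
        if u.group is not None:  # RBAC-mode users have no group to compare against
            g = groups.get(u.group)
            if g is None:
                findings.append((u.name, "error", f"group {u.group} does not exist"))
            elif g.model == "privacy" and not (u.auth and u.priv):
                findings.append((u.name, "error", "group requires authentication with privacy "
                                 "but the user lacks an authentication or privacy key; SNMP communication will fail"))
            elif g.model == "authentication" and not u.auth:
                findings.append((u.name, "error", "group requires authentication but the user "
                                 "has no authentication key; SNMP communication will fail"))
            elif g.model == "authentication" and u.priv:
                findings.append((u.name, "warning", "group is authentication-only, so the user's "
                                 "privacy key does not take effect"))
            elif g.model == "none":
                findings.append((u.name, "warning", "group uses neither authentication nor privacy; "
                                 "keys on the user do not take effect and requests are unauthenticated"))
        if u.auth in NON_FIPS_AUTH:
            findings.append((u.name, "warning", f"authentication-mode {u.auth} is not accepted in FIPS mode"))
        if u.priv in NON_FIPS_PRIV:
            findings.append((u.name, "warning", f"privacy-mode {u.priv} is not accepted in FIPS mode"))
    return findings


if __name__ == "__main__":
    for user, severity, message in check(*parse_config(SAMPLE_CONFIG)):
        print(f"{severity:7} {user}: {message}")
```

Run against the sample, the check reports bob (privacy group, no privacy key, md5), carol (privacy key that never takes effect), dave (no security model) and erin (des56), while alice passes. The same check is worth running whenever the local engine ID is changed (step 6), since that is when users are reconfigured and such mismatches tend to appear.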