Configuring SNMPv3 basic parameters
Only users with the network-admin or level-15 user role can create SNMPv3 users or groups. Users with other user roles cannot create SNMPv3 users or groups even if these roles are granted access to related commands or commands of the SNMPv3 feature.
SNMPv3 users are managed in groups. All SNMPv3 users in a group share the same security model, but can use different authentication and privacy key settings. To implement a security model for a user and avoid SNMP communication failures, make sure the security model configuration for the group and the security key settings for the user are compliant with Table 7 and match the settings on the NMS.
Table 7: Basic security setting requirements for different security models
Security model | Security model keyword for the group | Security key settings for the user | Remarks |
---|---|---|---|
Authentication with privacy | privacy | Authentication key, privacy key | If the authentication key or the privacy key is not configured, SNMP communication will fail. |
Authentication without privacy | authentication | Authentication key | If no authentication key is configured, SNMP communication will fail. The privacy key (if any) for the user does not take effect. |
No authentication, no privacy | Neither authentication nor privacy | None | The authentication and privacy keys, if configured, do not take effect. |
To configure SNMPv3 basic parameters:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Enable the SNMP agent. | snmp-agent | By default, the SNMP agent is disabled. The SNMP agent is enabled when you use any command that begins with snmp-agent except for the snmp-agent calculate-password command. |
3. (Optional.) Configure the system contact. | snmp-agent sys-info contact sys-contact | By default, the system contact is not configured. |
4. (Optional.) Configure the system location. | snmp-agent sys-info location sys-location | By default, the system location is not configured. |
5. Enable SNMPv3. | snmp-agent sys-info version { all | { v1 | v2c | v3 } * } | By default, SNMPv3 is enabled. |
6. (Optional.) Set a local engine ID. | snmp-agent local-engineid engineid | By default, the local engine ID is the company ID plus the device ID. The device ID varies by device model. IMPORTANT: After you change the local engine ID, the existing SNMPv3 users and encrypted keys become invalid, and you must reconfigure them. |
7. (Optional.) Set an engine ID for a remote SNMP entity. | snmp-agent remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] engineid engineid | By default, no remote entity engine IDs exist. This step is required for the device to send SNMPv3 notifications to a host, typically an NMS. |
8. (Optional.) Create or update a MIB view. | snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ] | By default, the MIB view ViewDefault is predefined. In this view, all the MIB objects in the iso subtree except the snmpUsmMIB, snmpVacmMIB, and snmpModules.18 subtrees are accessible. Each view-name oid-tree pair represents a view record. If you specify the same record with different MIB subtree masks multiple times, the most recent configuration takes effect. Except for the four subtrees in the default MIB view, you can create up to 16 unique MIB view records. |
9. (Optional.) Create an SNMPv3 group. | | By default, no SNMP groups exist. |
10. (Optional.) Calculate the encrypted form for a key in plaintext form. | | N/A |
11. Create an SNMPv3 user. | | If the cipher keyword is specified, the arguments auth-password and priv-password are used as encrypted keys. To send notifications to an SNMPv3 NMS, you must specify the remote keyword. |
12. (Optional.) Assign a user role to an SNMPv3 user created in RBAC mode. | snmp-agent usm-user v3 user-name user-role role-name | By default, an SNMPv3 user has the user role assigned to it at its creation. |
13. (Optional.) Create an SNMP context. | snmp-agent context context-name | By default, no SNMP contexts exist. |
14. (Optional.) Configure the maximum SNMP packet size (in bytes) that the SNMP agent can handle. | snmp-agent packet max-size byte-count | By default, an SNMP agent can process SNMP packets with a maximum size of 1500 bytes. |
15. (Optional.) Specify the UDP port for receiving SNMP packets. | snmp-agent port port-num | By default, the device uses UDP port 161 for receiving SNMP packets. |
16. (Optional.) Configure SNMP agent alive notification sending and set the sending interval. | snmp-agent trap periodical-interval interval | By default, sending SNMP agent alive notifications is enabled and the sending interval is 60 seconds. |
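
The following Python script is an added example, not part of the original documentation. It audits a saved configuration against the Table 7 rules and reports users whose keys are missing (communication fails) or silently ignored by their group's security model. The `snmp-agent group v3` and `snmp-agent usm-user v3` line layouts, the `authentication-mode` and `privacy-mode` keywords, and every name and key placeholder in the sample are assumptions, because the page does not show the syntax for steps 9 and 11.

```python
# Constructed sample configuration (not from the page). The group and usm-user
# line layouts and the <auth-key>/<priv-key> placeholders are assumptions.
SAMPLE_CONFIG = """\
snmp-agent group v3 ops-priv privacy
snmp-agent group v3 ops-auth authentication
snmp-agent group v3 legacy
snmp-agent usm-user v3 alice ops-priv cipher authentication-mode sha <auth-key> privacy-mode aes128 <priv-key>
snmp-agent usm-user v3 alice user-role network-operator
snmp-agent usm-user v3 bob ops-priv cipher authentication-mode sha <auth-key>
snmp-agent usm-user v3 carol ops-auth cipher authentication-mode sha <auth-key> privacy-mode aes128 <priv-key>
snmp-agent usm-user v3 dave legacy cipher authentication-mode sha <auth-key>
snmp-agent usm-user v3 erin ops-auth
"""

def audit(config):
    """Return (user, finding) pairs for users whose keys do not fit their group (Table 7)."""
    groups, users = {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["snmp-agent", "group", "v3"] and len(tok) >= 4:
            # No keyword after the group name means no authentication, no privacy.
            keyword = tok[4] if len(tok) > 4 else None
            groups[tok[3]] = keyword if keyword in ("authentication", "privacy") else None
        elif tok[:3] == ["snmp-agent", "usm-user", "v3"] and len(tok) >= 5:
            if tok[4] == "user-role":  # step 12 role assignment, not a user definition
                continue
            users.append((tok[3], tok[4], "authentication-mode" in tok, "privacy-mode" in tok))
    findings = []
    for name, group, has_auth, has_priv in users:
        if group not in groups:
            findings.append((name, "UNKNOWN_GROUP"))
            continue
        level = groups[group]
        if level == "privacy" and not (has_auth and has_priv):
            findings.append((name, "COMM_FAIL"))          # a required key is missing
        elif level == "authentication" and not has_auth:
            findings.append((name, "COMM_FAIL"))          # authentication key is missing
        elif level == "authentication" and has_priv:
            findings.append((name, "PRIV_KEY_IGNORED"))   # traffic is sent unencrypted
        elif level is None and (has_auth or has_priv):
            findings.append((name, "KEYS_IGNORED"))       # no authentication, no privacy
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_CONFIG):
        print(f"{user}: {finding}")
```

`PRIV_KEY_IGNORED` and `KEYS_IGNORED` are the findings to review first: SNMP keeps working, so nothing fails to reveal that the session is weaker than the user's key settings suggest.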