Configure SNMPv3

Configuration Conditions

Before configuring SNMPv3, complete the following tasks first:

  • Configure the link-layer protocol so that the link layer communicates normally.
  • Configure the IP address of the interface so that the neighboring nodes are reachable at the network layer.

Create SNMP User Group

For access control, users can be associated with a group. All users in one group have the same access authority.

  • A group can be associated with views. There are three kinds of views: read-only view, write view and notify view.
  • A group has a security level, which determines whether authentication and encryption are required.

Table 8–8 Create the SNMP user group

Step: Enter the global configuration mode
Command: config terminal
Description: -

Step: Create the SNMP user group
Command: snmp-server group group-name v3 { authnopriv | authpriv | noauth } [ notify notify-view | read read-view | write write-view ]
Description: Mandatory
  authnopriv: authenticate, but not encrypt
  authpriv: authenticate and encrypt
  noauth: not authenticate or encrypt

Create SNMP User

Security management is performed via the user-based security model. The network workstation can communicate with the SNMP proxy only as a valid user, so the valid user must be configured.

For SNMPv3, we can also specify the security level, authentication algorithm (MD5 or SHA), authentication password, encryption algorithm (DES), and encryption password.

Table 8–9 Configure the user

Step: Enter the global configuration mode
Command: config terminal
Description: -

Step: Create the SNMP user
Command: snmp-server user user-name group-name [ remote ip-address port-num ] v3 [ auth { md5 | sha | SM3 } password [ encrypt { des | aes | SM4 } password ] ] [ access access-list-number | access-list-name | Ipv6 access-list-number ]
Description: Mandatory

Note

  • The SNMPv3 user is configured on the basis of the user security model (USM), which saves the authentication and encryption information of each user. The encryption protocol can be configured only after the authentication protocol is configured.
  • A remote user also needs the IP address and UDP port number of the remote user to be specified. ("Remote" is relative to the local SNMPv3 entity: if the local SNMPv3 entity needs to communicate with another SNMPv3 entity, that other entity is called the remote SNMPv3 entity. This is mentioned in notify and proxy.) Before configuring the remote user, configure the engineID of the user's remote SNMP entity. In addition, each user should correspond to one group, so that view-based access control can map one security model and security name to one group name.
  • When configuring auto proxy forwarding, the IP address of the delegated device may not be known; in that case, enter 0.0.0.0 for ip-address. Auto proxy forwarding should also be combined with the keepalive mechanism.
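Why the remote engineID has to be configured before the remote user: in standard USM (RFC 3414) the key derived from a user's password is localized to one SNMP engine, so the same password gives a different key for every engineID. The code below is an added example, not vendor code; it follows RFC 3414 Appendix A.2 and assumes that the device derives md5/sha keys this way and that `sha` means SHA-1. The function names are illustrative.

```python
import hashlib

def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password, repeated cyclically to 1,048,576 bytes."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()

def localize_key(user_key: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind the user key to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, user_key + engine_id + user_key).digest()

def localized_key_hex(password: str, engine_id_hex: str, hash_name: str) -> str:
    """Password plus engineID (hex) to the localized key (hex)."""
    ku = password_to_key(password.encode(), hash_name)
    return localize_key(ku, bytes.fromhex(engine_id_hex), hash_name).hex()

if __name__ == "__main__":
    # Password and first engine ID are the RFC 3414 A.3 test values;
    # the second engine ID is constructed for this example.
    local_engine = "000000000000000000000002"
    remote_engine = "800000000102030405"
    for alg in ("md5", "sha1"):  # assumption: the CLI keyword 'sha' is SHA-1
        a = localized_key_hex("maplesyrup", local_engine, alg)
        b = localized_key_hex("maplesyrup", remote_engine, alg)
        print(alg, "local :", a)
        print(alg, "remote:", b, "(differs)" if a != b else "(same)")
```

A key localized for one engine does not authenticate against another, which is also why a changed engineID invalidates the stored user keys.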

Configure SNMP Notify

SNMPv3 notify configuration consists of the following:

  • SNMPv3 notify configuration: configure the SNMPv3 notify and specify the type of the notify message as inform.
  • SNMPv3 notify filter configuration: a notify filter determines whether a notify message should be sent to a destination address.
  • SNMPv3 notify address map table configuration: associate the notify address with a filter table.

Table 8–10 Configure the notify

Step: Enter the global configuration mode
Command: config terminal
Description: -

Step: Configure the SNMP notify
Command: snmp-server notify notify-name taglist inform
Description: Mandatory

Step: Configure the SNMP notify filter
Command: snmp-server notify filter filter-name oid-subtree { exclude | include }
Description: Mandatory
  exclude: filter out the notifications of all objects in the MIB subtree
  include: send the notifications of all objects in the MIB subtree

Step: Configure the SNMP address parameters
Command: snmp-server AddressParam { address-name | paramIn } v3 user-name { noauth | authpriv | authnopriv }
Description: Mandatory

Step: Configure the SNMP notify filter map table
Command: snmp-server notify profile filter-name address-param
Description: Mandatory
  filter-name: the notify filter name to be mapped
  address-param: the address parameter name to be mapped

Configure SNMP Proxy Forwarding

If the network workstation cannot directly access the managed SNMP proxy, the intermediate device needs to support proxy forwarding. Currently, only SNMPv3 supports proxy forwarding.

Table 8–11 Configure the proxy forwarding

Step: Enter the global configuration mode
Command: config terminal
Description: -

Step: Configure the SNMP remote engine ID
Command: snmp-server engineID remote ip-address port-num [ vrf vrf-name ] engine-id [ group-name ]
Description: Mandatory
  Configure the engine ID of the SNMP entity needing the proxy forwarding

Step: Configure the SNMP address parameters
Command: snmp-server AddressParam [ address-name | paramIn ] v3 user-name { noauth | authpriv | authnopriv }
Description: Mandatory

Step: Configure the SNMP notify address
Command: snmp-server TargetAddress target-name ip-address port-num address-param taglist time-out retry-num
Description: Mandatory

Step: Configure the SNMP proxy forwarding
Command: snmp-server proxy proxy-name { inform | trap | read | write } { engineId | auto } engineId address-param target-addr [ context-name ]
Description: Mandatory
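The group, user and address-parameter commands above each carry their own security choice, so a saved configuration can be reviewed for the weak ones (noauth or authnopriv levels, md5, des, no access list). The script below is an added example, not a vendor tool; it assumes the configuration lines follow the command syntax shown in the tables, and the sample lines, names and passwords are constructed.

```python
# Constructed sample in the syntax of Tables 8-8 to 8-10; all values are made up.
SAMPLE_CONFIG = """\
snmp-server group monitor v3 noauth read view-ro
snmp-server group ops v3 authpriv read view-ro write view-rw
snmp-server user alice monitor v3
snmp-server user bob ops v3 auth md5 ExamplePass1 encrypt des ExamplePass2
snmp-server user carol ops v3 auth sha ExamplePass3 encrypt aes ExamplePass4 access 10
snmp-server AddressParam nms-param v3 carol authnopriv
"""
WEAK_LEVELS = {"noauth": "no authentication, no encryption",
               "authnopriv": "authenticated but not encrypted"}

def check_user(tok):  # tok = tokens after 'snmp-server user', containing 'v3'
    low = [t.lower() for t in tok]
    name, out = tok[0], []
    rest = low[low.index("v3", 2) + 1:]  # skips the optional 'remote ip port'
    if len(rest) >= 3 and rest[0] == "auth":
        if rest[1] == "md5":
            out.append(f"user {name}: auth md5 is weak, prefer sha")
        rest = rest[3:]
        if len(rest) >= 3 and rest[0] == "encrypt":
            if rest[1] == "des":
                out.append(f"user {name}: encrypt des is weak, prefer aes")
            rest = rest[3:]
        else:
            out.append(f"user {name}: no encrypt, payload is not encrypted")
    else:
        out.append(f"user {name}: no auth, so no authentication or encryption")
    if not rest:
        out.append(f"user {name}: no access list restricts the source")
    return out

def audit(config):
    """Return (line_number, finding) pairs for weak SNMPv3 settings."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        low = [t.lower() for t in tok]
        if len(tok) < 5 or low[0] != "snmp-server":
            continue
        if low[1] == "user" and "v3" in low[4:]:
            msgs = check_user(tok[2:])
        else:  # group: level follows 'v3'; AddressParam: level is the last token
            level = {"group": low[4], "addressparam": low[-1]}.get(low[1])
            note = WEAK_LEVELS.get(level)
            msgs = [f"{tok[1]} {tok[2]}: {level} ({note})"] if note else []
        findings += [(n, m) for m in msgs]
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the noauth group, the users alice and bob, and the authnopriv address parameter; the authpriv group and the user carol (sha, aes, access list) produce no finding.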