Hà Nội: NTT03, Line 1, Thống Nhất Complex, 82 Nguyễn Tuân, Thanh Xuân, Hà Nội. ● HCM: Số 31B, Đường 1, Phường An Phú, Quận 2 (Thủ Đức), TP HCM. ===> Đơn Vị Hàng Đầu Trong Lĩnh Vực Cung Cấp Thiết Bị Security - Network - Wifi - CCTV - Conference - Máy chủ Server - Lưu trữ Storge.
Danh mục sản phẩm

Configure SNMPv3

Configuration Conditions

Before configuring SNMPv3, first complete the following task:

  • Configure the link-layer protocol, ensuring the normal communication of the link layer
  • Configure the IP address of the interface, making the network layer of the neighboring nodes reachable

Create SNMP User Group

During controlling, we can associate some user with one group. The users of one group have the same access authority.

  • We can configure one group to associate with the view. There are three kinds of views, that is, read-only view, write view and notify view.
  • We can configure the security level of the group, configuring whether to need the authentication and encryption.

Table 8–8 Create the SNMP user group

Step

Command

Description

Enter the global configuration mode

config terminal

-

Create the SNMP user group

snmp-server group group-name v3 { authnopriv | authpriv | noauth } [ notify notify-view | read read-view | write write-view ]

Mandatory

Authnopriv: authenticate, but not encrypt

Authpriv: authenticate and encrypt

Noauth: not authenticate or encrypt

Create SNMP User

Perform the security management via the user-based security model. The network work station can communicate with the SNMP proxy only after using the valid user. The valid user needs to be configured.

For SNMPv3, we also can specify the security level, authentication algorithm (MD5 or SHA), authentication password, encryption algorithm (DES), and encryption password.

Table 8–9 Configure the user

Step

Command

Description

Enter the global configuration mode

config terminal

-

Create the SNMP user

snmp-server user user-name group-name [ remote ip-address port-num ] v3 [ auth { md5 | sha | SM3 } password [ encrypt {des | aes | SM4 } password ] ] [access access-list-number | access-list-name | Ipv6 access-list-number]

Mandatory

note


  • Configure the SNMPv3 user based on the user security model (USM), save the authentication and encryption information of each user. Note that only after configuring the authentication protocol, we can configure the encryption protocol.
  • For the remote user (the so-called remote is relative to the local SNMPv3 entity. If the local SNMPv3 entity needs to communicate with other SNMPv3 entity, the other SNMPv3 entity is called remote SNMPv3 entity. This is mentioned in notify and proxy), we also need to specify the IP address and UDP port number of the remote user. When configuring the remote user, we should configure the engineID of the remote SNMP entity of the user first. Besides, each user should correspond with one group so that we can map one security model and security name to one group name via the view-based access control.
  • When configuring the auto proxy forwarding and we may not know the IP address of the delegated device, we only need to input 0.0.0.0 at ip-address. Besides, the auto proxy forwarding should be combined with the keepalive mechanism.

Configure SNMP Notify

SNMPv3 notify configuration contains the following several kinds:

  • SNMPv3 notify configuration: Configure the SNMPv3 notify and specify the type of the notify message as inform;
  • SNMPv3 notify filter configuration: Notify filter means the filter used to determine whether one notify message should be sent to one destination address.
  • SNMPv3 notify address map table configuration: Associate the notify address with one filter table.

Table 8–10 Configure the notify

Step

Command

Description

Enter the global configuration mode

config terminal

-

 

Configure the SNMP notify

snmp-server notify notify-name taglist inform

Mandatory

Configure the SNMP notify filter

snmp-server notify filter filter-name oid-subtree { exclude | include }

Mandatory

Exclude: Filter out the notifications of all objects in the MIB sub tree.

Include: Inform all objects in the MIB sub tree.

Configure the SNMP address parameters

snmp-server AddressParam { address-name | paramIn } v3 user-name { noauth | authpriv | authnopriv }

Mandatory

Configure the SNMP notify filter map table

snmp-server notify profile filter-name address-param

Mandatory

filter-name: Specify the notify filter name to be mapped

address-param: Specify the address parameter name to be mapped.

Configure SNMP Proxy Forwarding

If the network work station cannot directly access the managed SNMP proxy, the intermediate device needs to support the proxy forwarding. Currently, only SNMPv3 supports the proxy forwarding.

Table 8–11 Configure the proxy forwarding

Step

Command

Description

Enter the global configuration mode

config terminal

-

Configure the SNMP remote engine ID

snmp-server engineID remote ip-address port-num [ vrf vrf-name ] engine-id [ group-name ]

Mandatory

Configure the engine ID of the SNMP entity needing the proxy forwarding

Configure the SNMP address parameters

snmp-server AddressParam [ address-name | paramIn ] v3 user-name { noauth | authpriv | authnopriv }

Mandatory

Configure the SNMP notify address

snmp-server TargetAddress target-name ip-address port-num address-param taglist time-out retry-num

Mandatory

Configure the SNMP proxy forwarding

snmp-server proxy proxy-name { inform | trap | read | write } { engineId | auto } engineId address-param target-addr [ context-name ]

Mandatory