06-SNMP Commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display snmp-agent community
Syntax
display snmp-agent community [ read | write ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
read: Displays information about SNMP read-only communities.
write: Displays information about SNMP read and write communities.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display snmp-agent community in non-FIPS mode to display SNMPv1 and SNMPv2c community information.
This command is not supported in FIPS mode.
This command displays the SNMPv1 and SNMPv2c communities that you have created using the snmp-agent community command or the snmp-agent usm-user { v1 | v2c } command.
Related commands: snmp-agent community and snmp-agent usm-user { v1 | v2c }.
Examples
# Display information about all SNMPv1 and SNMPv2c communities.
<Sysname> display snmp-agent community
Community name: aa
Group name: aa
Acl:2001
Storage-type: nonVolatile
Community name: bb
Group name: bb
Storage-type: nonVolatile
Community name: userv1
Group name: testv1
Storage-type: nonVolatile
Table 1 Command output
Field | Description |
---|---|
Community name | Displays the community name created by using the snmp-agent community command or the username created by using the snmp-agent usm-user { v1 | v2c } command. |
Group name | SNMP group name: · If the community is created by using the snmp-agent community command, the group name is the same as the community name. · If a community name is created by using the snmp-agent usm-user { v1 | v2c } command, the name of the group to which the user belongs is displayed. |
Acl | Number of the ACL that controls the access of the NMSs in the community to the device. Only the NMSs with the IP addresses permitted in the ACL can access the device with the community name. |
Storage-type | Storage type: · volatile—Settings are lost when the system reboots. · nonVolatile—Settings remain after the system reboots. · permanent—Settings remain after the system reboots and can be modified but not deleted. · readOnly—Settings remain after the system reboots and cannot be modified or deleted. · other—Any other storage type. |
display snmp-agent group
Syntax
display snmp-agent group [ group-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
group-name: Specifies the SNMP group name, a case-sensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display snmp-agent group to display information about an SNMP group, including group name, security model, MIB view and storage type. If no group is specified, the command displays information about all SNMP groups.
Related commands: snmp-agent group.
Examples
# Display information about all SNMP agent groups.
<Sysname> display snmp-agent group
Group name: groupv1
Security model: v1 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview: <no specified>
Storage-type: nonvolatile
Group name: groupv3
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview: <no specified>
Storage-type: nonVolatile
Table 2 Command output
Field | Description |
---|---|
Group name | SNMP group name. |
Security model | Security model of the SNMP group: · authPriv—authentication with privacy. · authNoPriv—authentication without privacy. · noAuthNoPriv—no authentication, no privacy. For an SNMPv1 or SNMPv2c group, the security model can only be noAuthNoPriv. |
Readview | Read-only MIB view accessible to the SNMP group. |
Writeview | Write MIB view accessible to the SNMP group. |
Notifyview | Notify MIB view for the SNMP group. The SNMP users in the group can send traps only for the nodes in the notify MIB view. |
Storage-type | Storage type, including volatile, nonVolatile, permanent, readOnly, and other (see Table 1). |
display snmp-agent local-engineid
Syntax
display snmp-agent local-engineid [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display snmp-agent local-engineid to display the local SNMP agent engine ID.
The local SNMP engine ID uniquely identifies the SNMP engine of the SNMP agent in an SNMP domain.
Every SNMP agent has one SNMP engine to provide services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects.
Examples
# Display the local SNMP agent engine ID.
<Sysname> display snmp-agent local-engineid
SNMP local EngineID: 800007DB7F0000013859
display snmp-agent mib-view
Syntax
display snmp-agent mib-view [ exclude | include | viewname view-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
exclude: Displays the subtrees excluded from any MIB view.
include: Displays the subtrees included in any MIB view.
viewname view-name: Displays information about the specified MIB view.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display snmp-agent mib-view to display MIB view information.
If you do not specify any parameter, the command displays all MIB views.
Examples
# Display all SNMP MIB views.
<Sysname> display snmp-agent mib-view
View name:ViewDefault
MIB Subtree:iso
Subtree mask:
Storage-type: nonVolatile
View Type:included
View status:active
View name:ViewDefault
MIB Subtree:snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpModules.18
Subtree mask:
Storage-type: nonVolatile
View Type:excluded
View status:active
ViewDefault is the default MIB view. The output shows that all the MIB objects in the iso subtree are accessible except for the MIB objects in the snmpUsmMIB, snmpVacmMIB, and snmpModules.18 subtrees.
Table 3 Command output
Field | Description |
---|---|
View name | MIB view name. |
MIB Subtree | MIB subtree covered by the MIB view. |
Subtree mask | MIB subtree mask. |
Storage-type | Type of the medium (see Table 1) where the subtree view is stored. |
View Type | Access privilege for the MIB subtree in the MIB view: · Included—All objects in the MIB subtree are accessible in the MIB view. · Excluded—None of the objects in the MIB subtree is accessible in the MIB view. |
View status | Status of the MIB view: active or inactive. |
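How the included and excluded entries of a view combine, as an added example that is not from the H3C documentation: it assumes the agent evaluates views by the standard VACM rule of RFC 3415 (the longest matching subtree decides; a mask bit of 0 makes that sub-identifier a wildcard), which this page does not spell out. The numeric OIDs for the object names and the masked view `VIEW_IFROW2` are supplied here for illustration; `VIEW_TEST` mirrors the `test` view from the snmp-agent community examples.

```python
"""Added example: decide whether an OID is accessible in a MIB view.

Assumption: standard VACM view evaluation (RFC 3415); not vendor code.
"""

# Well-known numeric OIDs for the object names that appear on this page.
NAMED_OIDS = {
    "iso": "1",
    "system": "1.3.6.1.2.1.1",
    "snmpUsmMIB": "1.3.6.1.6.3.15",
    "snmpVacmMIB": "1.3.6.1.6.3.16",
    "snmpModules.18": "1.3.6.1.6.3.18",
}

# ViewDefault exactly as listed in the display snmp-agent mib-view output.
VIEW_DEFAULT = [
    ("included", "iso", ""),
    ("excluded", "snmpUsmMIB", ""),
    ("excluded", "snmpVacmMIB", ""),
    ("excluded", "snmpModules.18", ""),
]
# The restricted view from "snmp-agent mib-view included test system".
VIEW_TEST = [("included", "system", "")]
# Constructed view: every ifEntry column, but only for ifIndex 2.
# Mask FFA0 = 11111111 101: the 10th sub-identifier (column) is a wildcard.
VIEW_IFROW2 = [("included", "1.3.6.1.2.1.2.2.1.0.2", "FFA0")]


def parse_oid(text):
    """Turn an object name or dotted string into a tuple of integers."""
    text = NAMED_OIDS.get(text, text)
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """Expand a hex mask to one flag per sub-identifier (True = must match).

    Bits missing from a short or empty mask default to 1, as in RFC 3415.
    The length limits are the ones this page gives for mask-value.
    """
    if mask_hex and (len(mask_hex) % 2 or not 2 <= len(mask_hex) <= 32):
        raise ValueError("mask must be 2 to 32 hex characters, even length")
    bits = []
    for byte in bytes.fromhex(mask_hex):
        bits.extend(bool(byte & (0x80 >> i)) for i in range(8))
    bits = bits[:length]
    return bits + [True] * (length - len(bits))


def family_matches(oid, subtree, mask_hex=""):
    """True when oid falls under subtree, honouring wildcard positions."""
    if len(oid) < len(subtree):
        return False
    flags = mask_bits(mask_hex, len(subtree))
    return all(o == s or not exact for o, s, exact in zip(oid, subtree, flags))


def is_accessible(view, oid_text):
    """Apply the longest-match rule over (type, subtree, mask) entries."""
    oid = parse_oid(oid_text)
    best = None
    for view_type, subtree_text, mask_hex in view:
        subtree = parse_oid(subtree_text)
        if family_matches(oid, subtree, mask_hex):
            rank = (len(subtree), subtree)  # longest, then lexicographically last
            if best is None or rank > best[0]:
                best = (rank, view_type)
    return best is not None and best[1] == "included"


if __name__ == "__main__":
    for label, view, oid in [
        ("ViewDefault sysName.0", VIEW_DEFAULT, "1.3.6.1.2.1.1.5.0"),
        ("ViewDefault usmUserTable", VIEW_DEFAULT, "1.3.6.1.6.3.15.1.2.2.1.3"),
        ("test ifInOctets.2", VIEW_TEST, "1.3.6.1.2.1.2.2.1.10.2"),
        ("ifrow2 ifInOctets.2", VIEW_IFROW2, "1.3.6.1.2.1.2.2.1.10.2"),
        ("ifrow2 ifInOctets.3", VIEW_IFROW2, "1.3.6.1.2.1.2.2.1.10.3"),
    ]:
        print(f"{label}: {'accessible' if is_accessible(view, oid) else 'denied'}")
```

The excluded entries win over `iso` only because they are longer matches, so removing them from ViewDefault exposes the user and access-control tables to every community or group that falls back to the default view.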
display snmp-agent statistics
Syntax
display snmp-agent statistics [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display snmp-agent statistics to display SNMP statistics.
Examples
# Display SNMP message statistics.
<Sysname> display snmp-agent statistics
1684 Messages delivered to the SNMP entity
5 Messages which were for an unsupported version
0 Messages which used a SNMP community name not known
0 Messages which represented an illegal operation for the community supplied
0 ASN.1 or BER errors in the process of decoding
1679 Messages passed from the SNMP entity
0 SNMP PDUs which had badValue error-status
0 SNMP PDUs which had genErr error-status
0 SNMP PDUs which had noSuchName error-status
0 SNMP PDUs which had tooBig error-status (Maximum packet size 1500)
16544 MIB objects retrieved successfully
2 MIB objects altered successfully
7 GetRequest-PDU accepted and processed
7 GetNextRequest-PDU accepted and processed
1653 GetBulkRequest-PDU accepted and processed
1669 GetResponse-PDU accepted and processed
2 SetRequest-PDU accepted and processed
0 Trap PDUs accepted and processed
0 Alternate Response Class PDUs dropped silently
0 Forwarded Confirmed Class PDUs dropped silently
Table 4 Command output
Field | Description |
---|---|
Messages delivered to the SNMP entity | Number of messages that the SNMP agent has received. |
Messages which were for an unsupported version | Number of messages that had an SNMP version not configured on the SNMP agent. |
Messages which used a SNMP community name not known | Number of messages that used an unknown SNMP community name. |
Messages which represented an illegal operation for the community supplied | Number of messages carrying an operation that the community has no right to perform. |
ASN.1 or BER errors in the process of decoding | Number of messages that had ASN.1 or BER errors during decoding. |
Messages passed from the SNMP entity | Number of messages sent by the SNMP agent. |
SNMP PDUs which had badValue error-status | Number of SNMP PDUs with a badValue error. |
SNMP PDUs which had genErr error-status | Number of PDUs with a General error. |
SNMP PDUs which had noSuchName error-status | Number of PDUs with a noSuchName error. |
SNMP PDUs which had tooBig error-status (Maximum packet size 1500) | Number of PDUs with a tooBig error (the maximum packet size is 1,500 bytes). |
MIB objects retrieved successfully | Number of MIB objects that have been successfully retrieved. |
MIB objects altered successfully | Number of MIB objects that have been successfully modified. |
GetRequest-PDU accepted and processed | Number of get requests that have been received and processed. |
GetNextRequest-PDU accepted and processed | Number of getNext requests that have been received and processed. |
GetBulkRequest-PDU accepted and processed | Number of getBulk requests that have been received and processed. |
GetResponse-PDU accepted and processed | Number of get responses that have been received and processed. |
SetRequest-PDU accepted and processed | Number of set requests that have been received and processed. |
Trap PDUs accepted and processed | Number of traps that have been received and processed. |
Alternate Response Class PDUs dropped silently | Number of dropped response packets. |
Forwarded Confirmed Class PDUs dropped silently | Number of forwarded packets that have been dropped. |
display snmp-agent sys-info
Syntax
display snmp-agent sys-info [ contact | location | version ] * [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
contact: Displays the system contact.
location: Displays the physical location of the device.
version: Displays the SNMP agent version.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display snmp-agent sys-info to display the current SNMP system information.
If none of the parameters is specified, this command displays all SNMP agent system information.
Examples
# Display all SNMP agent system information.
<Sysname> display snmp-agent sys-info
The contact person for this managed node:
Hangzhou H3C Tech. Co., Ltd.
The physical location of this node:
Hangzhou, China
SNMP version running in the system:
SNMPv3
display snmp-agent trap queue
Syntax
display snmp-agent trap queue [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display snmp-agent trap queue to display basic information about the trap queue, including the trap queue name, queue size, and the number of traps in the queue.
Related commands: snmp-agent trap life and snmp-agent trap queue-size.
Examples
# Display the trap queue configuration and usage status.
<Sysname> display snmp-agent trap queue
Queue name: SNTP
Queue size: 100
Message number: 6
Table 5 Command output
Field | Description |
---|---|
Queue name | Trap queue name. |
Queue size | Trap queue size. |
Message number | Number of traps in the current trap queue. |
display snmp-agent trap-list
Syntax
display snmp-agent trap-list [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display snmp-agent trap-list to display modules that can generate traps and their trap status (enable or disable).
You can use snmp-agent trap enable to enable or disable the trap function of a module. For a module that has multiple sub-modules, the trap status is enable if the trap function of any of its sub-modules is enabled.
Related commands: snmp-agent trap enable.
Examples
# Display the modules that can generate traps and their trap status.
<Sysname> display snmp-agent trap-list
acfp trap enable
bfd trap enable
bgp trap enable
configuration trap enable
flash trap enable
mpls trap enable
ospf trap enable
standard trap enable
system trap enable
vrrp trap enable
Enable traps: 10; Disable traps: 0
display snmp-agent usm-user
Syntax
display snmp-agent usm-user [ engineid engineid | username user-name | group group-name ] * [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
engineid engineid: Displays SNMPv3 user information for the SNMP engine ID identified by engineid. When an SNMPv3 user is created, the system records the local SNMP entity engine ID. The user becomes invalid when the engine ID changes and becomes valid again when the recorded engine ID is restored.
username user-name: Displays information about the specified SNMPv3 user. The username is case-sensitive.
group group-name: Displays SNMPv3 user information for the specified SNMP group name. The group name is case-sensitive.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display snmp-agent usm-user to display SNMPv3 user information.
This command displays only SNMPv3 users that you have created by using the snmp-agent usm-user v3 command. To display SNMPv1 or SNMPv2c users created by using the snmp-agent usm-user { v1 | v2c } command, use the display snmp-agent community command.
Related commands: snmp-agent usm-user v3.
Examples
# Display information about all SNMPv3 users.
<Sysname> display snmp-agent usm-user
User name: userv3
Group name: mygroupv3
Engine ID: 800063A203000FE240A1A6
Storage-type: nonVolatile
UserStatus: active
User name: userv3code
Group name: groupv3code
Engine ID: 800063A203000FE240A1A6
Storage-type: nonVolatile
UserStatus: active
Table 6 Command output
Field | Description |
---|---|
User name | SNMP username. |
Group name | SNMP group name. |
Engine ID | Engine ID that the SNMP agent used when the SNMP user was created. |
Storage-type | Storage type: · volatile. · nonVolatile. · permanent. · readOnly. · other. For more information about these storage types, see Table 1. |
UserStatus | SNMP user status. |
enable snmp trap updown
Syntax
enable snmp trap updown
undo enable snmp trap updown
View
Interface view
Default level
2: System level
Parameters
None
Description
Use enable snmp trap updown to enable the link state trap function on an interface.
Use undo enable snmp trap updown to disable the link state trap function on an interface.
By default, the trap function for interface state changes is enabled.
For an interface to generate linkUp/linkDown traps when its state changes, you must also enable the linkUp/linkDown trap function globally by using the snmp-agent trap enable [ standard [ linkdown | linkup ] * ] command.
Related commands: snmp-agent target-host and snmp-agent trap enable.
Examples
# Enable linkUp/linkDown SNMP traps on VLAN-interface 100 and use the community name public.
<Sysname> system-view
[Sysname] snmp-agent trap enable
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
[Sysname] interface Vlan-interface 100
[Sysname-Vlan-interface100] enable snmp trap updown
snmp-agent
Syntax
snmp-agent
undo snmp-agent
View
System view
Default level
3: Manage level
Parameters
None
Description
Use snmp-agent to enable the SNMP agent.
Use undo snmp-agent to disable the SNMP agent.
By default, the SNMP agent is disabled.
You can enable the SNMP agent by using any command that begins with snmp-agent except the snmp-agent calculate-password command.
Examples
# Enable the SNMP agent.
<Sysname> system-view
[Sysname] snmp-agent
snmp-agent calculate-password
Syntax
snmp-agent calculate-password plain-password mode { 3desmd5 | 3dessha | md5 | sha } { local-engineid | specified-engineid engineid }
View
System view
Default level
3: Manage level
Parameters
plain-password: Specifies a plaintext authentication or privacy key.
mode: Specifies authentication and privacy algorithms. Select a mode option, depending on the authentication and privacy algorithm you are configuring with the snmp-agent usm-user v3 command. The three privacy algorithms Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), and Data Encryption Standard (DES) are listed in descending order of security strength. Higher security means a more complex implementation and lower speed. DES is enough to meet general requirements. Message-Digest Algorithm 5 (MD5) and Secure Hash Algorithm (SHA-1) are the two authentication algorithms. MD5 is faster than SHA-1, while SHA-1 provides higher security than MD5.
· 3desmd5: Converts the plaintext privacy key to a ciphertext key for 3DES encryption used together with MD5 authentication. For more information about MD5 and 3DES, see Security Configuration Guide. This keyword is not supported in FIPS mode.
· 3dessha: Converts the plaintext privacy key to a ciphertext key for 3DES used together with SHA-1 authentication. For more information about SHA-1 and 3DES, see Security Configuration Guide. This keyword is not supported in FIPS mode.
· md5: Converts the plaintext authentication key to a ciphertext key for MD5 authentication, or converts the plaintext privacy key to a ciphertext key for AES or DES encryption used in conjunction with MD5. For more information about AES and DES, see Security Configuration Guide. This keyword is not supported in FIPS mode.
· sha: Converts the plaintext authentication key to a ciphertext key for SHA-1 authentication, or converts the plaintext privacy key to a ciphertext key for AES or DES encryption used in conjunction with SHA-1 authentication.
local-engineid: Uses the local engine ID to calculate the ciphertext key. You can configure the local engine ID by using the snmp-agent local-engineid command.
specified-engineid: Uses the engine ID given by the engineid argument to calculate the ciphertext key.
engineid: Specifies an SNMP engine ID, a hexadecimal string. It must comprise an even number of hexadecimal characters, in the range of 10 to 64. All-zero and all-F strings are invalid.
Description
Use snmp-agent calculate-password to convert a plaintext key to a ciphertext key for authentication or encryption in SNMPv3.
This command helps you calculate ciphertext authentication and privacy keys for SNMPv3 users that use ciphertext authentication and privacy keys. To create an SNMPv3 user, see the snmp-agent usm-user v3 command.
Enable SNMP before you execute the snmp-agent calculate-password command.
The ciphertext key converted for SHA authentication is a string of 40 hexadecimal characters. For an authentication key, all of the 40 hexadecimal characters are valid. For a privacy key, only the first 32 hexadecimal characters are valid.
The converted key is valid only under the specified engine ID.
Related commands: snmp-agent usm-user v3.
Examples
# Use local engine ID to convert the plaintext key authkey to a ciphertext key for MD5 authentication.
<Sysname> system-view
[Sysname] snmp-agent calculate-password authkey mode md5 local-engineid
The secret key is: 09659EC5A9AE91BA189E5845E1DDE0CC
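The conversion can be reproduced offline to check a key before it is pasted into a configuration. The block below is an added example, not H3C code: it implements the RFC 3414 (USM) password-to-key localization for the md5 and sha modes, on the assumption that the device follows that RFC (this page does not state the algorithm), and enforces the engine ID rules given above. The 3desmd5 and 3dessha modes are omitted, and all function names are illustrative.

```python
"""Added example: RFC 3414 password-to-key localization for SNMPv3.

Assumption: snmp-agent calculate-password follows RFC 3414 Appendix A.2
for the md5 and sha modes. Compare with device output before relying on it.
"""
import hashlib
import re

ONE_MEGABYTE = 1_048_576            # RFC 3414 hashes 1 MiB of repeated password
HASH_FOR_MODE = {"md5": "md5", "sha": "sha1"}   # CLI mode keyword -> hashlib name


def validate_engine_id(engine_id_hex):
    """Enforce the engine ID rules stated on this page; return the raw bytes."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", engine_id_hex):
        raise ValueError("engine ID must be a hexadecimal string")
    if len(engine_id_hex) % 2 or not 10 <= len(engine_id_hex) <= 64:
        raise ValueError("engine ID must be 10 to 64 hex characters, even length")
    if set(engine_id_hex.upper()) in ({"0"}, {"F"}):
        raise ValueError("all-zero and all-F engine IDs are invalid")
    return bytes.fromhex(engine_id_hex)


def localized_key(password, engine_id_hex, mode):
    """Return the localized key bytes for one password and one engine ID."""
    if mode not in HASH_FOR_MODE:
        raise ValueError("only the md5 and sha modes are covered here")
    engine_id = validate_engine_id(engine_id_hex)
    secret = password.encode()
    if not secret:
        raise ValueError("password must not be empty")
    algo = HASH_FOR_MODE[mode]
    # Step 1: hash the password repeated out to exactly 1 MiB (user key Ku).
    stream = (secret * (ONE_MEGABYTE // len(secret) + 1))[:ONE_MEGABYTE]
    user_key = hashlib.new(algo, stream).digest()
    # Step 2: bind Ku to the engine: H(Ku || engineID || Ku).
    return hashlib.new(algo, user_key + engine_id + user_key).digest()


def auth_key_hex(password, engine_id_hex, mode):
    """Authentication key: all 32 (md5) or 40 (sha) hex characters are used."""
    return localized_key(password, engine_id_hex, mode).hex().upper()


def privacy_key_hex(password, engine_id_hex, mode):
    """Privacy key: only the first 32 hex characters are used, per this page."""
    return auth_key_hex(password, engine_id_hex, mode)[:32]


if __name__ == "__main__":
    # Engine IDs are the sample values shown in this page's display output.
    for engine in ("800007DB7F0000013859", "800063A203000FE240A1A6"):
        print(engine, auth_key_hex("authkey", engine, "md5"))
```

Because the engine ID is hashed into the result, the two engine IDs in the demo give unrelated keys for the same password, which is why a converted key is valid only under the engine ID it was calculated for.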
snmp-agent community
Syntax
snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
undo snmp-agent community { read | write } community-name
View
System view
Default level
3: Manage level
Parameters
read: Assigns the specified community the read-only access to MIB objects. A read-only community can only query MIB information.
write: Assigns the specified community the read and write access to MIB objects. A read and write community can configure MIB information.
mib-view view-name: Specifies the MIB view available for the community. The view-name argument represents a MIB view name, a string of 1 to 32 characters. A MIB view represents a set of accessible MIB objects. If no MIB view is specified, the specified community can access the MIB objects in the default MIB view ViewDefault. To create a MIB view, use the snmp-agent mib-view command.
acl acl-number: Specifies a basic ACL to filter NMSs by source IP address. The acl-number argument represents a basic ACL number in the range of 2000 to 2999. In the specified community, only the NMSs with the IP addresses permitted in the ACL can access the SNMP agent.
acl ipv6 ipv6-acl-number: Specifies a basic ACL to filter NMSs by source IPv6 address. The ipv6-acl-number argument represents a basic ACL number in the range of 2000 to 2999. In the specified community, only the NMSs with the IPv6 addresses permitted in the ACL can access the SNMP agent.
Description
Use snmp-agent community in non-FIPS mode to configure an SNMP community.
Use undo snmp-agent community to delete an SNMP community.
This command is for SNMPv1 and SNMPv2c. It is not supported in FIPS mode.
An SNMPv1 or SNMPv2c community comprises a set of NMSs and SNMP agents, and is identified by a community name. An NMS and an SNMP agent must use the same community name to authenticate to each other.
Typically, public is used as the read-only community name and private is used as the read and write community name. To improve security, assign your SNMP communities a name other than public and private.
Related commands: snmp-agent mib-view.
Examples
# Create the read-only community readaccess so an NMS can use the protocol SNMPv1 or SNMPv2c and community name readaccess to read the MIB objects in the default view ViewDefault.
<Sysname> system-view
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] snmp-agent community read readaccess
# Create the read and write community writeaccess so only the host at 1.1.1.1 can use the protocol SNMPv2c and community name writeaccess to read and set the MIB objects in the default view ViewDefault.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[Sysname-acl-basic-2001] rule deny source any
[Sysname-acl-basic-2001] quit
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent community write writeaccess acl 2001
# Create the read and write community wr-sys-acc so an NMS can use the protocol SNMPv1 or SNMPv2c and community name wr-sys-acc to read and set the MIB objects in the system subtree (OID 1.3.6.1.2.1.1).
<Sysname> system-view
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] undo snmp-agent mib-view ViewDefault
[Sysname] snmp-agent mib-view included test system
[Sysname] snmp-agent community write wr-sys-acc mib-view test
snmp-agent group
Syntax
SNMPv1 and SNMPv2c (in non-FIPS mode):
snmp-agent group { v1 | v2c } group-name [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
undo snmp-agent group { v1 | v2c } group-name
SNMPv3 (in FIPS mode or non-FIPS mode):
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
undo snmp-agent group v3 group-name [ authentication | privacy ]
View
System view
Default level
3: Manage level
Parameters
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
v3: Specifies SNMPv3.
group-name: Specifies a group name, a string of 1 to 32 case-sensitive characters.
authentication: Specifies the authentication without privacy security model for the SNMPv3 group.
privacy: Specifies the authentication with privacy security model for the SNMPv3 group.
read-view view-name: Specifies a read-only MIB view. The view-name represents a MIB view name, a string of 1 to 32 characters. If no read-only MIB view is specified, the SNMP group has read access to the default view ViewDefault.
write-view view-name: Specifies a read and write MIB view. The view-name represents a MIB view name, a string of 1 to 32 characters. If no read and write view is specified, the SNMP group cannot set any MIB object on the SNMP agent.
notify-view view-name: Specifies a notify MIB view. The view-name represents a MIB view name, a string of 1 to 32 characters. The SNMP agent sends traps to the users in the specified group only for the MIB objects included in the notify view. If no notify view is specified, the SNMP agent does not send any trap to the users in the specified group.
acl acl-number: Specifies a basic ACL to filter NMSs by source IPv4 address. The acl-number argument represents a basic ACL number in the range of 2000 to 2999. Only the NMSs with the IPv4 addresses permitted in the ACL can use the specified username (community name) to access the SNMP agent.
acl ipv6 ipv6-acl-number: Specifies a basic ACL to filter NMSs by source IPv6 address. The ipv6-acl-number argument represents a basic ACL number in the range of 2000 to 2999. In the specified SNMP group, only the NMSs with the IPv6 addresses permitted in the ACL can access the SNMP agent.
Description
Use snmp-agent group to configure an SNMP group and specify its access right.
Use undo snmp-agent group to delete an SNMP group.
By default, no SNMP group exists. SNMPv3 groups use the no authentication, no privacy security model if neither authentication nor privacy is specified.
All the users in an SNMP group share the security model and access right assigned to the group.
Related commands: snmp-agent mib-view and snmp-agent usm-user.
Examples
# Create an SNMP group group1 on an SNMPv3 enabled device, no authentication, no privacy.
<Sysname> system-view
[Sysname] snmp-agent group v3 group1
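The community guidance (avoid public and private, restrict NMSs with an ACL) and the group security models described above can be checked against saved `display snmp-agent community` and `display snmp-agent group` output. The following is an added example, not part of the H3C documentation: field names follow the sample output on this page, the records marked as constructed are made up for the demonstration, and it assumes an applied ACL always appears as an `Acl` field.

```python
"""Added example: audit saved display output for weak SNMP access settings."""

WELL_KNOWN = "well-known community name"
NO_ACL = "no ACL restricts NMS source addresses"
V1V2C = "SNMPv1/v2c group: no authentication or privacy"
V3_NOAUTH = "SNMPv3 group with no authentication and no privacy"
V3_NOPRIV = "SNMPv3 group with authentication but no privacy"

# First three records are this page's sample output; the last is constructed.
COMMUNITY_OUTPUT = """\
<Sysname> display snmp-agent community
   Community name: aa
       Group name: aa
       Acl:2001
       Storage-type: nonVolatile
   Community name: bb
       Group name: bb
       Storage-type: nonVolatile
   Community name: userv1
       Group name: testv1
       Storage-type: nonVolatile
   Community name: public
       Group name: public
       Storage-type: nonVolatile
"""

# First two records are this page's sample output; the last is constructed.
GROUP_OUTPUT = """\
<Sysname> display snmp-agent group
   Group name: groupv1
       Security model: v1 noAuthnoPriv
       Readview: ViewDefault
       Writeview: <no specified>
       Notifyview: <no specified>
       Storage-type: nonvolatile
   Group name: groupv3
       Security model: v3 noAuthnoPriv
       Readview: ViewDefault
       Writeview: <no specified>
       Notifyview: <no specified>
       Storage-type: nonVolatile
   Group name: nms-admin
       Security model: v3 authPriv
       Readview: ViewDefault
       Writeview: ViewDefault
       Notifyview: <no specified>
       Storage-type: nonVolatile
"""


def parse_records(output, first_field):
    """Split "Field: value" lines into records that start at first_field."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if ":" not in line or line.startswith("<"):   # blank or prompt line
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == first_field:
            records.append({})
        if records:
            records[-1][key] = value
    return records


def audit_communities(output):
    """Flag default community names and communities without an ACL."""
    findings = []
    for rec in parse_records(output, "Community name"):
        name = rec["Community name"]
        if name.lower() in ("public", "private"):
            findings.append((name, WELL_KNOWN))
        if "Acl" not in rec:
            findings.append((name, NO_ACL))
    return findings


def audit_groups(output):
    """Flag groups whose security model lacks authentication or privacy."""
    findings = []
    for rec in parse_records(output, "Group name"):
        version, _, level = rec.get("Security model", "").partition(" ")
        level = level.strip().lower()
        if version in ("v1", "v2c"):
            findings.append((rec["Group name"], V1V2C))
        elif level == "noauthnopriv":
            findings.append((rec["Group name"], V3_NOAUTH))
        elif level == "authnopriv":
            findings.append((rec["Group name"], V3_NOPRIV))
    return findings


if __name__ == "__main__":
    for name, issue in audit_communities(COMMUNITY_OUTPUT) + audit_groups(GROUP_OUTPUT):
        print(f"{name}: {issue}")
```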
snmp-agent local-engineid
Syntax
snmp-agent local-engineid engineid
undo snmp-agent local-engineid
View
System view
Default level
3: Manage level
Parameters
engineid: Specifies an SNMP engine ID as a hexadecimal string. It must comprise an even number of hexadecimal characters, in the range of 10 to 64. All-zero and all-F strings are invalid.
Description
Use snmp-agent local-engineid to change the SNMP engine ID of the local SNMP agent.
Use undo snmp-agent local-engineid to restore the default local SNMP engine ID.
By default, the local engine ID is the combination of the company ID and the device ID. Device ID varies by product and might be an IP address, a MAC address, or a user-defined hexadecimal string.
An SNMP engine ID uniquely identifies an SNMP entity in an SNMP managed network. Make sure the local SNMP engine ID is unique within your SNMP managed network to avoid communication problems.
If you have configured SNMPv3 users, change the local SNMP engine ID only when necessary. The change can void the SNMPv3 usernames and encrypted keys you have configured.
Related commands: snmp-agent usm-user.
Examples
# Change the local engine ID to 123456789A.
<Sysname> system-view
[Sysname] snmp-agent local-engineid 123456789A
snmp-agent log
Syntax
snmp-agent log { all | get-operation | set-operation }
undo snmp-agent log { all | get-operation | set-operation }
View
System view
Default level
3: Manage level
Parameters
all: Enables logging SNMP Get and Set operations.
get-operation: Enables logging SNMP Get operations.
set-operation: Enables logging SNMP Set operations.
Description
Use snmp-agent log to enable SNMP logging.
Use undo snmp-agent log to restore the default.
By default, SNMP logging is disabled.
Use SNMP logging to record the SNMP operations performed on the SNMP agent for auditing NMS behaviors. The SNMP agent sends log data to the information center. You can configure the information center to output the data to a specific destination as needed.
Examples
# Enable logging SNMP GET operations.
<Sysname> system-view
[Sysname] snmp-agent log get-operation
# Enable logging SNMP SET operations.
<Sysname> system-view
[Sysname] snmp-agent log set-operation
snmp-agent mib-view
Syntax
snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]
undo snmp-agent mib-view view-name
View
System view
Default level
3: Manage level
Parameters
excluded: Denies access to any nodes in the specified MIB subtree.
included: Permits access to the nodes in the specified MIB subtree.
view-name: Specifies a view name, a string of 1 to 32 characters.
oid-tree: Specifies a MIB subtree by its root node's OID (for example, 1.4.5.3.1) or object name (for example, system). An OID is a dotted numeric string that uniquely identifies an object in the MIB tree.
mask mask-value: Sets a MIB subtree mask, a hexadecimal string. Its length must be an even number in the range of 2 to 32.
Description
Use snmp-agent mib-view to create or update a MIB view.
Use undo snmp-agent mib-view to delete a MIB view.
By default, the system creates the ViewDefault view when the SNMP agent is enabled. In the default MIB view, all MIB objects in the iso subtree but the snmpUsmMIB, snmpVacmMIB, and snmpModules.18 subtrees are accessible.
A MIB view represents a set of MIB objects (or MIB object hierarchies) with certain access privilege. The MIB objects included in the MIB view are accessible while those excluded from the MIB view are inaccessible.
Each view-name oid-tree pair represents a view record. If you specify the same record with different MIB subtree masks multiple times, the most recent configuration takes effect.
The system can store entries for up to 20 unique MIB view records. In addition to the four default MIB view records, you can create up to 16 unique MIB view records. After you delete the default view with the undo snmp-agent mib-view command, you can create up to 20 unique MIB view records.
Be cautious with deleting the default MIB view. The operation blocks access to any MIB object on the device from NMSs that use the default view.
Related commands: snmp-agent community and snmp-agent group.
Examples
# Include the mib-2 (OID 1.3.6.1) subtree in the mibtest view and exclude the ip subtree from the mibtest view.
<Sysname> system-view
[Sysname] snmp-agent mib-view included mibtest 1.3.6.1
[Sysname] snmp-agent mib-view excluded mibtest ip
[Sysname] snmp-agent community read public mib-view mibtest
An SNMPv1 NMS in the public community can query the objects in the mib-2 subtree, but not any object (for example, the ipForwarding or ipDefaultTTL node) in the ip subtree.
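The included/excluded record matching described above, as an added example (not H3C code). It assumes the device evaluates view records with the RFC 3415 view-family rules: a zero mask bit wildcards that sub-identifier, and the matching record with the longest subtree decides. The NAMES table and the ifrow3 view are constructed for illustration.

```python
"""MIB view evaluation, assuming RFC 3415 (VACM) view-family semantics."""

# Constructed name table covering the object names used on this page.
NAMES = {
    "system": "1.3.6.1.2.1.1",
    "ip": "1.3.6.1.2.1.4",
}


def parse_oid(text):
    """Turn an object name or dotted OID into a tuple of sub-identifiers."""
    text = NAMES.get(text, text)
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """Expand a hex mask into one flag per sub-identifier (True = must match)."""
    bits = []
    if mask_hex:
        if len(mask_hex) % 2 or not 2 <= len(mask_hex) <= 32:
            raise ValueError("mask must be an even number of hex characters, 2 to 32")
        value = int(mask_hex, 16)
        width = len(mask_hex) * 4
        bits = [bool((value >> (width - 1 - i)) & 1) for i in range(width)]
    # Positions not covered by the mask are treated as ones (exact match).
    bits += [True] * max(0, length - len(bits))
    return bits[:length]


class MibViews:
    def __init__(self):
        # One record per (view-name, oid-tree) pair; reconfiguring a pair
        # overwrites it, so the most recent configuration takes effect.
        self.records = {}

    def configure(self, kind, view, oid_tree, mask=None):
        if kind not in ("included", "excluded"):
            raise ValueError("kind must be 'included' or 'excluded'")
        subtree = parse_oid(oid_tree)
        self.records[(view, subtree)] = (kind == "included",
                                         mask_bits(mask, len(subtree)))

    def allows(self, view, oid):
        """Return True if the OID is accessible through the named view."""
        oid = parse_oid(oid)
        best = None
        for (name, subtree), (included, bits) in self.records.items():
            if name != view or len(oid) < len(subtree):
                continue
            if all(not must or a == b for must, a, b in zip(bits, subtree, oid)):
                # Longest subtree wins; ties go to the lexicographically greater one.
                key = (len(subtree), subtree)
                if best is None or key > best[0]:
                    best = (key, included)
        # An OID that matches no record is outside the view.
        return best is not None and best[1]


if __name__ == "__main__":
    views = MibViews()
    # The two records from the example above.
    views.configure("included", "mibtest", "1.3.6.1")
    views.configure("excluded", "mibtest", "ip")
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.4.1.0", "1.3.6.1.2.1.4.2.0"):
        print(oid, "accessible" if views.allows("mibtest", oid) else "blocked")
```

A view that contains only an included record for a narrow subtree blocks everything else, which is the safer starting point for a read community than excluding subtrees from a broad include.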
snmp-agent packet max-size
Syntax
snmp-agent packet max-size byte-count
undo snmp-agent packet max-size
View
System view
Default level
3: Manage level
Parameters
byte-count: Sets the maximum size (in bytes) of SNMP packets that the SNMP agent can receive or send. The value range is 484 to 17940.
Description
Use snmp-agent packet max-size to set the maximum size (in bytes) of SNMP packets that the SNMP agent can receive or send.
Use undo snmp-agent packet max-size to restore the default packet size.
By default, the maximum size of SNMP packets is 1500 bytes.
If any device on the path to the NMS does not support packet fragmentation, limit the SNMP packet size to prevent large-sized packets from being discarded. For most networks, the default value is sufficient.
Examples
# Set the maximum SNMP packet size to 1024 bytes.
<Sysname> system-view
[Sysname] snmp-agent packet max-size 1024
snmp-agent sys-info
Syntax
In non-FIPS mode:
snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }
undo snmp-agent sys-info { contact | location | version { all | { v1 | v2c | v3 }* } }
In FIPS mode:
snmp-agent sys-info { contact sys-contact | location sys-location | version v3 }
undo snmp-agent sys-info { contact | location | version v3 }
View
System view
Default level
3: Manage level
Parameters
contact sys-contact: Specifies the system contact, a string of 1 to 200 characters.
location sys-location: Specifies the system location, a string of 1 to 200 characters. The system location is a management node under the system branch as defined in RFC1213-MIB.
version: Specifies SNMP versions.
· all: Specifies SNMPv1, SNMPv2c, and SNMPv3. This keyword is not supported in FIPS mode.
· v1: Specifies SNMPv1. This keyword is not supported in FIPS mode.
· v2c: Specifies SNMPv2c. This keyword is not supported in FIPS mode.
· v3: Specifies SNMPv3.
Description
Use snmp-agent sys-info to configure system information for the SNMP agent, including the contact, location, and SNMP versions.
Use undo snmp-agent sys-info contact or undo snmp-agent sys-info location to restore the default contact or location.
Use undo snmp-agent sys-info version to disable an SNMP version.
By default, the location is Hangzhou China, SNMP version is SNMPv3, and contact is Hangzhou H3C Technologies Co., Ltd.
Configure the SNMP agent with the same SNMP version as the NMS for successful communications between them.
Related commands: display snmp-agent sys-info.
Examples
# Configure the system contact as Dial System Operator at beeper # 27345.
<Sysname> system-view
[Sysname] snmp-agent sys-info contact Dial System Operator at beeper # 27345
snmp-agent target-host
Syntax
In non-FIPS mode:
snmp-agent target-host trap address udp-domain { ip-address | ipv6 ipv6-address } [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ]
undo snmp-agent target-host trap address udp-domain { ip-address | ipv6 ipv6-address } params securityname security-string [ vpn-instance vpn-instance-name ]
In FIPS mode:
snmp-agent target-host trap address udp-domain { ip-address | ipv6 ipv6-address } [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string v3 [ authentication | privacy ]
undo snmp-agent target-host trap address udp-domain { ip-address | ipv6 ipv6-address } params securityname security-string [ vpn-instance vpn-instance-name ]
View
System view
Default level
3: Manage level
Parameters
trap: Specifies a target host for receiving the traps sent by the device.
address: Specifies the IP address of the target host.
udp-domain: Specifies UDP as the transport protocol.
ip-address: Specifies the IPv4 address or name of the trap target host. The host name is a string of 1 to 255 characters.
ipv6 ipv6-address: Specifies the IPv6 address of the trap host.
udp-port port-number: Specifies the UDP port for SNMP traps. If no UDP port is specified, UDP port 162 is used.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the target host belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the target host is on the public network, do not specify this option. This option is applicable only to IPv4 networks.
params securityname security-string: Specifies the authentication parameter. The security-string argument specifies an SNMPv1 or SNMPv2c community name or an SNMPv3 username, a string of 1 to 32 characters.
v1: Specifies SNMPv1. This keyword is not supported in FIPS mode.
v2c: Specifies SNMPv2c. This keyword is not supported in FIPS mode.
v3: Specifies SNMPv3.
· authentication: Specifies the security model to be authentication without privacy. You must specify the authentication key when you create the SNMPv3 user.
· privacy: Specifies the security model to be authentication with privacy. You must specify the authentication key and privacy key when you create the SNMPv3 user.
Description
Use snmp-agent target-host to configure the SNMP agent to send SNMP traps to a host.
Use undo snmp-agent target-host to remove an SNMP trap target host.
You can configure up to 20 target hosts.
Make sure the SNMP agent uses the same UDP port number as the target host for traps. If udp-port port-number is not specified, UDP port 162 is used by default. Port 162 is the SNMP-specified port used for receiving traps, and is used by most NMSs, including IMC and MIB Browser.
Make sure the SNMP agent uses the same SNMP version as the trap host so the host can receive traps.
In non-FIPS mode, if none of the keywords v1, v2c and v3 is specified, SNMPv1 is used.
In FIPS mode, v3 must be specified.
If neither authentication nor privacy is specified, the authentication mode is no authentication, no privacy.
Related commands: enable snmp trap updown, snmp-agent trap enable, snmp-agent trap life, and snmp-agent trap source.
Examples
# Configure the SNMP agent to send SNMPv1 traps to 10.1.1.1 in the community public.
<Sysname> system-view
[Sysname] snmp-agent trap enable standard
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
# Configure the SNMP agent to send SNMPv3 traps to 10.1.1.1 and set the username to v3test.
<Sysname> system-view
[Sysname] snmp-agent trap enable standard
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 vpn-instance vpn1 params securityname v3test v3
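The defaults described above decide how a trap actually leaves the device, so a configuration review has to resolve them rather than read the keywords literally. The following added example (not H3C code) parses a target-host line and reports the effective version, port, and security level; the function name, result keys, and the third sample line are constructed for illustration.

```python
"""Resolve the effective trap security of an snmp-agent target-host line."""

PREFIX = ["snmp-agent", "target-host", "trap", "address", "udp-domain"]
LEVELS = {"authentication": "authNoPriv", "privacy": "authPriv"}


def resolve_target_host(line, fips=False):
    tokens = line.split()
    # Drop a leading CLI prompt such as "[Sysname]".
    if tokens and tokens[0].startswith("[") and tokens[0].endswith("]"):
        tokens = tokens[1:]
    if tokens[:len(PREFIX)] != PREFIX:
        raise ValueError("not a target-host trap command")
    rest = tokens[len(PREFIX):]
    try:
        family = "ipv4"
        if rest[0] == "ipv6":
            family, rest = "ipv6", rest[1:]
        result = {"family": family, "address": rest[0],
                  "udp_port": 162,          # default when udp-port is absent
                  "vpn_instance": None}
        rest = rest[1:]
        while rest[0] in ("udp-port", "vpn-instance"):
            if rest[0] == "udp-port":
                result["udp_port"] = int(rest[1])
            else:
                result["vpn_instance"] = rest[1]
            rest = rest[2:]
        if rest[:2] != ["params", "securityname"]:
            raise ValueError("expected 'params securityname'")
        result["security_name"] = rest[2]
        rest = rest[3:]
    except IndexError:
        raise ValueError("truncated target-host command") from None

    explicit = rest[0] if rest else None
    level_kw = rest[1] if len(rest) > 1 else None
    if explicit not in (None, "v1", "v2c", "v3") or len(rest) > 2:
        raise ValueError("unexpected version keyword")
    if level_kw and (explicit != "v3" or level_kw not in LEVELS):
        raise ValueError("authentication/privacy is valid only after v3")

    findings = []
    if fips and explicit != "v3":
        # In FIPS mode, v3 must be specified.
        findings.append("rejected in FIPS mode: v3 must be specified")
        result.update(version=None, level=None, findings=findings)
        return result

    version = explicit or "v1"              # non-FIPS default is SNMPv1
    if version in ("v1", "v2c"):
        level = "community"
        if explicit is None:
            findings.append("no version keyword: defaults to SNMPv1")
        findings.append(f"{version} trap: securityname is a community name "
                        "sent in cleartext")
    else:
        level = LEVELS.get(level_kw, "noAuthNoPriv")
        if level == "noAuthNoPriv":
            findings.append("v3 without authentication or privacy keyword: "
                            "traps are neither authenticated nor encrypted")
        elif level == "authNoPriv":
            findings.append("traps are authenticated but not encrypted")
    result.update(version=version, level=level, findings=findings)
    return result


if __name__ == "__main__":
    samples = [
        # The two example lines from this section.
        "[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 "
        "params securityname public",
        "[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 "
        "vpn-instance vpn1 params securityname v3test v3",
        # Constructed line showing the authPriv form.
        "snmp-agent target-host trap address udp-domain ipv6 2001:db8::10 "
        "udp-port 10162 params securityname v3test v3 privacy",
    ]
    for sample in samples:
        print(resolve_target_host(sample))
```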
snmp-agent trap enable
Syntax
snmp-agent trap enable [ acfp [ client | policy | rule | server ] | bfd | bgp | configuration | default-route | flash | mpls | ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt | ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa | nbrstatechange | originatelsa | vifcfgerror | virifauthfail | virifrxbadpkt | virifstatechange | viriftxretransmit | virnbrstatechange ] * | pim [ candidatebsrwinelection | electedbsrlostelection | interfaceelection | invalidjoinprune | invalidregister | neighborloss | rpmappingchange ] * | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system | vrrp [ authfailure | newmaster ] ]
undo snmp-agent trap enable [ acfp [ client | policy | rule | server ] | bfd | bgp | configuration | default-route | flash | mpls | ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt | ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa | nbrstatechange | originatelsa | vifcfgerror | virifauthfail | virifrxbadpkt | virifstatechange | viriftxretransmit | virnbrstatechange ] * | pim [ candidatebsrwinelection | electedbsrlostelection | interfaceelection | invalidjoinprune | invalidregister | neighborloss | rpmappingchange ] * | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system | vrrp [ authfailure | newmaster ] ]
View
System view
Default level
3: Manage level
Parameters
acfp: Enables SNMP traps for the ACFP module.
· client: ACFP client traps.
· policy: ACFP policy traps.
· rule: ACFP rule traps.
· server: ACFP server traps.
bfd: Enables SNMP traps for the BFD module.
bgp: Enables SNMP traps for the BGP module.
configuration: Enables configuration traps.
default-route: Enables default route removal traps.
flash: Enables Flash-related SNMP traps.
mpls: Enables SNMP traps for the MPLS module.
ospf: Enables SNMP traps for the OSPF module.
· process-id: OSPF process ID in the range of 1 to 65535.
· ifauthfail: Interface authentication failure traps.
· ifcfgerror: Interface configuration error traps.
· ifrxbadpkt: Traps for receiving incorrect packets.
· ifstatechange: Interface state change traps.
· iftxretransmit: Traps for the interface to receive and forward packets.
· lsdbapproachoverflow: Traps for LSDB to be overflowed.
· lsdboverflow: Traps for LSDB overflow.
· maxagelsa: Traps for LSA max age.
· nbrstatechange: Traps for neighbor state change.
· originatelsa: Traps for local LSA generation.
· vifcfgerror: Traps for virtual interface configuration error.
· virifauthfail: Traps for virtual interface authentication failure.
· virifrxbadpkt: Traps for virtual interface receiving error packets.
· virifstatechange: Traps for virtual interface state changes.
· viriftxretransmit: Traps for virtual interface receiving and forwarding packets.
· virnbrstatechange: Traps for neighbor state change of the virtual interface.
pim: Enables SNMP traps for the PIM module.
· candidatebsrwinelection: Traps for the winning of a candidate-bootstrap router (C-BSR) in bootstrap router (BSR) election.
· electedbsrlostelection: Traps for losing the BSR election.
· interfaceelection: Traps for the election of a new DR or DF on an interface.
· invalidjoinprune: Traps for receiving invalid join or prune packets.
· invalidregister: Traps for receiving invalid registration packets.
· neighborloss: Traps for the loss of a neighbor.
· rpmappingchange: Traps for the change of the current RP-set.
standard: Specifies SNMP standard traps.
· authentication: Specifies the authentication failure traps.
· coldstart: Specifies the coldstart traps when the device restarts.
· linkdown: Specifies the linkDown traps sent when the link of a port goes down.
· linkup: Specifies the linkUp traps sent when the link of a port comes up.
· warmstart: Specifies the warmstart traps sent when the SNMP agent restarts.
system: Enables system event (private MIB) traps.
vrrp: Enables traps for the VRRP module.
· authfailure: VRRP authentication failure traps.
· newmaster: VRRP newmaster traps, which are sent when the device becomes the master.
Description
Use snmp-agent trap enable to enable the traps globally.
Use undo snmp-agent trap enable to disable traps globally.
By default, traps are enabled for all modules except the voice and policy-based routing modules.
After you globally enable a trap function for a module, whether the module generates traps also depends on the configuration of the module. For more information, see the sections for each module.
To generate and send linkUp or linkDown traps when the link state of an interface changes, you must configure both the snmp-agent trap enable [ standard [ linkdown | linkup ] ] command in system view and the enable snmp trap updown command in interface view.
Related commands: enable snmp trap updown and snmp-agent target-host.
Examples
# Enable the SNMP agent to send SNMP authentication failure traps to 10.1.1.1 in the community public.
<Sysname> system-view
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
[Sysname] snmp-agent trap enable standard authentication
snmp-agent trap if-mib link extended
Syntax
snmp-agent trap if-mib link extended
undo snmp-agent trap if-mib link extended
View
System view
Default level
3: Manage level
Parameters
None
Description
Use snmp-agent trap if-mib link extended to configure the SNMP agent to send extended linkUp/linkDown traps.
Use undo snmp-agent trap if-mib link extended to restore the default.
By default, the SNMP agent sends standard linkUp/linkDown traps.
The extended linkUp and linkDown traps add interface description and interface type to the standard linkUp and linkDown traps for fast failure point identification. When you configure the snmp-agent trap if-mib link extended command, make sure the NMS supports the extended linkUp and linkDown traps. If not, the NMS will be unable to parse the traps.
· A standard linkUp trap is in the following format:
#Apr 24 11:48:04:896 2008 Sysname IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.4<linkUp>: Interface 983555 is Up, ifAdminStatus is 1, ifOperStatus is 1
· An extended linkUp trap is in the following format:
#Apr 24 11:43:09:896 2008 Sysname IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.4<linkUp>: Interface 983555 is Up, ifAdminStatus is 1, ifOperStatus is 1, ifDescr is GigabitEthernet 3/0/1, ifType is 6
· A standard linkDown trap is in the following format:
#Apr 24 11:47:35:224 2008 Sysname IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.3<linkDown>: Interface 983555 is Down, ifAdminStatus is 2, ifOperStatus is 2
· An extended linkDown trap is in the following format:
#Apr 24 11:42:54:314 2008 AR29.46 IFNET/4/INTERFACE UPDOWN:
Trap 1.3.6.1.6.3.1.1.5.3<linkDown>: Interface 983555 is Down, ifAdminStatus is 2, ifOperStatus is 2, ifDescr is GigabitEthernet 3/0/1, ifType is 6
Examples
# Extend standard linkUp/linkDown traps.
[Sysname] snmp-agent trap if-mib link extended
snmp-agent trap life
Syntax
snmp-agent trap life seconds
undo snmp-agent trap life
View
System view
Default level
3: Manage level
Parameters
seconds: Timeout time in the range of 1 to 2592000 seconds.
Description
Use snmp-agent trap life to configure the lifetime of the traps in the SNMP trap queue.
Use undo snmp-agent trap life to restore the default trap lifetime.
By default, the holding time of SNMP traps in the queue is 120 seconds.
When congestion occurs, the SNMP agent buffers traps in a queue. The trap lifetime sets how long a trap can stay in the queue. A trap is deleted when its lifetime expires.
Related commands: snmp-agent target-host and snmp-agent trap enable.
Examples
# Configure the holding time of traps in the queue as 60 seconds.
<Sysname> system-view
[Sysname] snmp-agent trap life 60
snmp-agent trap queue-size
Syntax
snmp-agent trap queue-size size
undo snmp-agent trap queue-size
View
System view
Default level
3: Manage level
Parameters
size: Sets the maximum number of traps that the SNMP trap queue can hold. The value range is 1 to 1000.
Description
Use snmp-agent trap queue-size to set the SNMP trap queue size.
Use undo snmp-agent trap queue-size to restore the default queue size.
By default, the SNMP trap queue can store up to 100 traps.
When congestion occurs, the SNMP agent buffers traps in a queue. SNMP trap queue size sets the maximum number of traps that this queue can hold. When the queue size is reached, the oldest traps are dropped for new traps.
Related commands: snmp-agent target-host, snmp-agent trap enable, and snmp-agent trap life.
Examples
# Set the maximum number of traps that can be stored in the trap sending queue to 200.
<Sysname> system-view
[Sysname] snmp-agent trap queue-size 200
snmp-agent trap source
Syntax
snmp-agent trap source interface-type interface-number
undo snmp-agent trap source
View
System view
Default level
3: Manage level
Parameters
interface-type interface-number: Specifies an interface by its type and number. The interface-number argument specifies a main interface number in the range of 1 to 4094.
Description
Use snmp-agent trap source to specify the source IP address contained in the trap.
Use undo snmp-agent trap source to restore the default.
By default, the SNMP agent automatically chooses the IP address of an interface as the source IP address of traps.
The snmp-agent trap source command enables the SNMP agent to use the primary IP address of an interface or subinterface as the source IP address in all its SNMP traps, regardless of their outgoing interfaces. An NMS can use this IP address to filter all the traps sent by the SNMP agent.
Make sure the specified interface has been created and assigned a valid IP address. The configuration will fail if the interface has not been created and will take effect only after a valid IP address is assigned to the specified interface.
Related commands: snmp-agent target-host and snmp-agent trap enable.
Examples
# Configure the IP address for VLAN-interface 100 as the source address for traps.
<Sysname> system-view
[Sysname] snmp-agent trap source Vlan-interface 100
snmp-agent usm-user { v1 | v2c }
Syntax
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
undo snmp-agent usm-user { v1 | v2c } user-name group-name
View
System view
Default level
3: Manage level
Parameters
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
user-name: Specifies an SNMP username, a case-sensitive string of 1 to 32 characters.
group-name: Specifies an SNMPv1 or SNMPv2c group name, a case-sensitive string of 1 to 32 characters.
acl acl-number: Specifies a basic ACL to filter NMSs by source IPv4 address. The acl-number argument represents a basic ACL number in the range of 2000 to 2999. Only the NMSs with the IPv4 addresses permitted in the ACL can use the specified username (community name) to access the SNMP agent.
Description
Use snmp-agent usm-user { v1 | v2c } in non-FIPS mode to add a user to an SNMPv1 or SNMPv2c group.
Use undo snmp-agent usm-user { v1 | v2c } to delete a user from an SNMPv1 or SNMPv2c group.
This command is not supported in FIPS mode.
Make sure you have created the SNMPv1 or SNMPv2c group.
When you create an SNMPv1 or SNMPv2c user, the system automatically creates a read-only community that has the same name as the SNMPv1 or SNMPv2c username. To change the access right of this community to write access, use the snmp-agent community command. To display the SNMPv1 and SNMPv2c communities created in this way, use the display snmp-agent community command.
The snmp-agent usm-user { v1 | v2c } command enables managing SNMPv1 and SNMPv2c users in the same way as managing SNMPv3 users. It does not affect the way of configuring SNMPv1 and SNMPv2c communities on the NMS.
Related commands: snmp-agent group and display snmp-agent community.
Examples
# Add the v2c user userv2c to group readCom.
<Sysname> system-view
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent group v2c readCom
[Sysname] snmp-agent usm-user v2c userv2c readCom
To access the SNMP agent, the NMS must use SNMPv2c and the read-only community name userv2c.
# Add the v2c user userv2c to group readCom, and block access of any NMS in the userv2c community but the NMS at 1.1.1.1 to the SNMP agent.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[Sysname-acl-basic-2001] rule deny source any
[Sysname-acl-basic-2001] quit
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent group v2c readCom
[Sysname] snmp-agent usm-user v2c userv2c readCom acl 2001
To access the SNMP agent, the NMS must use the IP address 1.1.1.1, SNMPv2c, and the read-only and write community name userv2c.
snmp-agent usm-user v3
Syntax
snmp-agent usm-user v3 user-name group-name [ cipher ] [ authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
undo snmp-agent usm-user v3 user-name group-name { local | engineid engineid-string }
View
System view
Default level
3: Manage level
Parameters
user-name: Specifies an SNMPv3 username, a case-sensitive string of 1 to 32 characters.
group-name: Specifies an SNMPv3 group name, a case-sensitive string of 1 to 32 characters.
cipher: Specifies that auth-password and priv-password are ciphertext keys. To set the authentication or privacy key as a hexadecimal string, you can use the snmp-agent calculate-password command to convert its plaintext form to the hexadecimal form. To set auth-password and priv-password in plaintext, do not specify this keyword.
authentication-mode: Specifies an authentication algorithm. MD5 is faster but less secure than SHA.
· md5: Specifies the MD5 authentication algorithm. For more information about MD5, see Security Configuration Guide. This keyword is not supported in FIPS mode.
· sha: Specifies the SHA-1 authentication algorithm. For more information about SHA, see Security Configuration Guide.
auth-password: Specifies a case-sensitive plaintext or encrypted authentication key. A plaintext key is a string of 1 to 64 visible characters. If the cipher and md5 keywords are specified, auth-password represents a hexadecimal string of 32 characters or a non-hexadecimal string of 53 characters. If the cipher and sha keywords are specified, auth-password is a hexadecimal string of 40 characters or a non-hexadecimal string of 57 characters.
privacy-mode: Specifies an encryption algorithm for privacy. The three encryption algorithms AES, 3DES, and DES are in descending order of security. Higher security means more complex implementation mechanism and lower speed. DES is enough to meet general requirements. For more information about these encryption algorithms, see Security Configuration Guide.
· 3des: Specifies the 3DES algorithm. This keyword is not supported in FIPS mode.
· des56: Specifies the DES algorithm. This keyword is not supported in FIPS mode.
· aes128: Specifies the AES algorithm.
priv-password: Specifies a case-sensitive plaintext or encrypted privacy key. A plaintext key is a string of 1 to 64 characters. If the cipher keyword is specified, the encrypted privacy key length requirements differ by authentication algorithm and key string format, as shown in Table 7.
Table 7 Encrypted privacy key length requirements
Authentication algorithm | Encryption algorithm | Hexadecimal string | Non-hexadecimal string |
---|---|---|---|
MD5 | 3DES | 64 characters | 73 characters |
MD5 | AES128 or DES-56 | 32 characters | 53 characters |
SHA | 3DES | 64 characters | 73 characters |
SHA | AES128 or DES-56 | 40 characters | 53 characters |
acl acl-number: Specifies a basic ACL to filter NMSs by source IPv4 address. The acl-number argument represents a basic ACL number in the range of 2000 to 2999. Only the NMSs with the IPv4 addresses permitted in the ACL can use the specified username (community name) to access the SNMP agent.
acl ipv6 ipv6-acl-number: Specifies a basic ACL to filter NMSs by source IPv6 address. The ipv6-acl-number argument represents a basic ACL number in the range of 2000 to 2999. Only the NMSs with the IPv6 addresses permitted in the ACL can use the specified username to access the SNMP agent.
local: Specifies the local SNMP engine.
engineid engineid-string: Specifies an SNMP engine. The engineid-string argument represents the engine ID and must comprise an even number of hexadecimal characters, in the range of 10 to 64. All-zero and all-F strings are invalid.
Description
Use snmp-agent usm-user v3 to add a user to an SNMPv3 group.
Use undo snmp-agent usm-user v3 to delete a user from an SNMPv3 group.
You must create an SNMPv3 user for the agent and the NMS to use SNMPv3.
You must create an SNMPv3 group before you assign an SNMPv3 user to the group. Otherwise, the user cannot take effect after it is created. An SNMP group contains one or multiple users and specifies the MIB views and security model for the group of users. The authentication and encryption algorithms for each user are specified when the user is created.
· If you specify the cipher keyword, the system considers the keys as having been encrypted, and displays them as they are.
· If you do not specify the cipher keyword, the system considers the keys as in plain text and encrypts them.
Specify the cipher keyword when you roll back, copy or paste the running configuration. For example, assume that you have created SNMPv3 user A and configured both authentication and privacy keys of this user as xyz. To make the configuration of user A still effective after the configuration is copied, pasted, and re-executed, specify the cipher keyword when you create user A with this command. Otherwise, after you copy, paste, or re-execute the configuration, the device creates user A, but the corresponding keys are not xyz.
When you use the snmp-agent usm-user v3 cipher command, you can obtain the priv-password argument by using the snmp-agent calculate-password command. For the calculated ciphertext key to work in the snmp-agent usm-user v3 cipher command, make sure the same encryption algorithm is specified for the two commands and the local engine ID specified in the snmp-agent usm-user v3 cipher command is consistent with the SNMP entity engine ID specified in the snmp-agent calculate-password command.
If you configure an SNMPv3 user multiple times, the most recent configuration takes effect.
Remember the username and the plaintext password when you create a user. A plaintext password is required when the NMS accesses the device.
Related commands: snmp-agent calculate-password, snmp-agent group, and display snmp-agent usm-user.
Examples
# Add the user testUser to the SNMPv3 group testGroup. Configure the security model as authentication without privacy, the authentication algorithm as MD5, the plain-text key as authkey.
<Sysname> system-view
[Sysname] snmp-agent group v3 testGroup authentication
[Sysname] snmp-agent usm-user v3 testUser testGroup authentication-mode md5 authkey
To access the SNMP agent, specifically, the default view (ViewDefault) in this example, the NMS can use the protocol SNMPv3, username testUser, authentication algorithm MD5, and authentication key authkey.
# Add the user testUser to the SNMPv3 group testGroup. Configure the security model as authentication and privacy, the authentication algorithm as MD5, the privacy algorithm as DES56, the plain-text authentication key as authkey, and the plain-text privacy key as prikey.
<Sysname> system-view
[Sysname] snmp-agent group v3 testGroup privacy
[Sysname] snmp-agent usm-user v3 testUser testGroup authentication-mode md5 authkey privacy-mode des56 prikey
To access the SNMP agent, specifically, the default view (ViewDefault) in this example, the NMS must use the protocol SNMPv3, username testUser, authentication algorithm MD5, authentication key authkey, privacy algorithm DES, and privacy key prikey.
# Add the user testUser to the SNMPv3 group testGroup with the cipher keyword specified. Configure the security model as authentication and privacy, the authentication algorithm as MD5, the privacy algorithm as DES56, and specify the authentication key authkey and the privacy key prikey in their encrypted forms.
<Sysname> system-view
[Sysname] snmp-agent group v3 testGroup privacy
[Sysname] snmp-agent calculate-password authkey mode md5 local-engineid
The secret key is: 09659EC5A9AE91BA189E5845E1DDE0CC
[Sysname] snmp-agent calculate-password prikey mode md5 local-engineid
The secret key is: 800D7F26E786C4BECE61BF01E0A22705
[Sysname] snmp-agent usm-user v3 testUser testGroup cipher authentication-mode md5 09659EC5A9AE91BA189E5845E1DDE0CC privacy-mode des56 800D7F26E786C4BECE61BF01E0A22705
To access the SNMP agent, specifically, the default view (ViewDefault) in this example, the NMS must use the protocol SNMPv3, username testUser, authentication algorithm MD5, authentication key authkey, privacy algorithm DES, and privacy key prikey.
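Both the engine ID warning under snmp-agent local-engineid and the engine ID consistency requirement for cipher keys above follow from how SNMPv3 binds a key to one engine. The following added example (not H3C code) derives a 32- or 40-character hexadecimal key with the RFC 3414 password-to-key localization; that snmp-agent calculate-password uses this algorithm is an assumption, and the second engine ID in the demo is constructed.

```python
"""Engine-ID-bound SNMPv3 keys, assuming RFC 3414 key localization."""
import hashlib

ALGORITHMS = {"md5": "md5", "sha": "sha1"}   # CLI keyword -> hashlib name


def check_engine_id(engine_id_hex):
    """Apply the engine ID rules stated on this page and return the raw bytes."""
    text = engine_id_hex.strip()
    if len(text) % 2 or not 10 <= len(text) <= 64:
        raise ValueError("engine ID needs an even number of hex characters, 10 to 64")
    raw = bytes.fromhex(text)                # raises ValueError on non-hex input
    if set(text.upper()) in ({"0"}, {"F"}):
        raise ValueError("all-zero and all-F engine IDs are invalid")
    return raw


def password_to_key(password, mode):
    """RFC 3414 A.2: hash 1,048,576 bytes of the repeated password."""
    data = password.encode()
    if not data:
        raise ValueError("password must not be empty")
    digest = hashlib.new(ALGORITHMS[mode])
    reps, rem = divmod(1048576, len(data))
    digest.update(data * reps + data[:rem])
    return digest.digest()


def localized_key(password, engine_id_hex, mode="md5"):
    """Return the key bound to one engine ID as upper-case hex.

    Covers the 32-character (md5) and 40-character (sha) forms only; the
    64-character 3DES form needs a key extension that is not modelled here.
    """
    engine_id = check_engine_id(engine_id_hex)
    ku = password_to_key(password, mode)
    kul = hashlib.new(ALGORITHMS[mode], ku + engine_id + ku).digest()
    return kul.hex().upper()


def keys_survive_engine_change(password, old_engine_hex, new_engine_hex, mode="md5"):
    """True only if a key calculated for the old engine ID still fits the new one."""
    return (localized_key(password, old_engine_hex, mode)
            == localized_key(password, new_engine_hex, mode))


if __name__ == "__main__":
    # "authkey" and 123456789A appear in this page's examples;
    # 123456789B is a constructed second engine ID.
    print(localized_key("authkey", "123456789A", "md5"))
    print(localized_key("authkey", "123456789B", "md5"))
    print(keys_survive_engine_change("authkey", "123456789A", "123456789B"))
```

The key is a function of both the password and the engine ID, so a cipher key pasted into a device with a different engine ID no longer corresponds to the plaintext password the NMS uses.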
display mib-style
Syntax
display mib-style [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
3: Manage level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display mib-style to display the MIB style of the device.
Two MIB styles are available on the device: new and compatible. After obtaining the MIB style, you can select matched H3C network management software based on the MIB style.
Related commands: mib-style.
Examples
# Display the current MIB style of the H3C device and the MIB style to use after the next startup.
<Sysname> display mib-style
Current MIB style: new
Next reboot MIB style: new
mib-style
Syntax
mib-style [ compatible | new ]
View
System view
Default level
3: Manage level
Parameters
compatible: Specifies the MIB style of the device as H3C compatible. In this style, sysOID is located under the H3C enterprise ID 25506, and the private MIB is located under the enterprise ID 2011.
new: Specifies the MIB style of the device as H3C new. In this style, both sysOID and private MIB are located under the H3C enterprise ID 25506.
Description
Use mib-style to set the MIB style of the device.
The default MIB style of the device is new.
The configuration takes effect after the device reboots.
Examples
# Change the MIB style of the device to compatible.
<Sysname> system-view
[Sysname] mib-style compatible
[Sysname] quit
<Sysname> display mib-style
Current MIB style: new
Next reboot MIB style: compatible
<Sysname> reboot