SNMP commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
By default, the device provides low encryption. To obtain high encryption, you must install the Strong Cryptography feature license. This feature provides stronger cryptography, additional IPsec tunnels, and higher encryption performance. For more information about obtaining the Strong Cryptography feature license, see the release notes or contact your H3C sales representative.
Support for features, commands, and parameters differs with the cryptography capability.
The SNMP agent sends notifications (traps and informs) to inform the NMS of significant events, such as link state changes and user logins or logouts. Unless otherwise stated, the trap keyword in the command line includes both traps and informs.
display snmp-agent community
Use display snmp-agent community to display SNMPv1 or SNMPv2c community information.
Syntax
display snmp-agent community [ read | write ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
read: Displays information about SNMP read-only communities.
write: Displays information about SNMP read and write communities.
Usage guidelines
This command is supported only for high encryption in non-FIPS mode.
If no keyword is specified, this command displays information about all SNMPv1 and SNMPv2c communities that have been created.
The communities include:
· Those configured with the snmp-agent community command.
· Those automatically created by the system for SNMPv1 and SNMPv2c users that have been assigned to an existing SNMP group.
Examples
# Display information about all SNMPv1 and SNMPv2c communities.
<Sysname> display snmp-agent community
Community name: aa
Group name: aa
ACL:2001
Storage-type: nonVolatile
Context name: con1
Community name: bb
Role name: bb
Storage-type: nonVolatile
Community name: userv1
Group name: testv1
Storage type: nonVolatile
Table 1 Command output
Field | Description |
---|---|
Community name | Community name created by using the snmp-agent community command or username created by using the snmp-agent usm-user { v1 | v2c } command. |
Group name | SNMP group name. · If the community is created by using the snmp-agent community command in VACM mode, the group name is the same as the community name. · If the community is created by using the snmp-agent usm-user { v1 | v2c } command, the name of the group that has the user is displayed. |
Role name | User role name for the community. |
ACL | Number of the ACL that controls the access of the NMSs in the community to the device. Only the NMSs with the IP addresses permitted in the ACL can access the device with the community name. This field appears only when an SNMPv1 or SNMPv2c user is associated with an ACL rule. |
Storage type | Storage type: · volatile—Settings are lost when the system reboots. · nonVolatile—Settings remain after the system reboots. · permanent—Settings remain after the system reboots and can be modified but not deleted. · readOnly—Settings remain after the system reboots and cannot be modified or deleted. · other—Any other storage type. |
Context name | SNMP context: · If a mapping between an SNMP community and an SNMP context is configured, the SNMP context is displayed. · If no mapping between an SNMP community and an SNMP context exists, this field is not displayed. |
Related commands
· snmp-agent community
· snmp-agent usm-user { v1 | v2c }
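A defensive check built on this output, as an added example that is not part of the H3C documentation: it parses the display text and flags communities that have no ACL field. The acl_rule_counts argument is a hypothetical input (ACL number mapped to rule count, collected separately) used to apply the ACL rules stated for the acl keyword of snmp-agent community.

```python
import re

# Sample output copied from the example on this page.
SAMPLE_OUTPUT = """\
<Sysname> display snmp-agent community
Community name: aa
Group name: aa
ACL:2001
Storage-type: nonVolatile
Context name: con1
Community name: bb
Role name: bb
Storage-type: nonVolatile
Community name: userv1
Group name: testv1
Storage type: nonVolatile
"""


def parse_communities(text):
    """Return one dict per community found in the display output.

    A record starts at each "Community name" line. Keys are normalized to
    lower case with '_' separators because the output mixes "Storage-type"
    and "Storage type", and prints "ACL:2001" without a space.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<") or ":" not in line:
            continue  # CLI prompt line or blank line
        key, value = line.split(":", 1)
        key = re.sub(r"[\s-]+", "_", key.strip().lower())
        if key == "community_name":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


def audit(records, acl_rule_counts=None):
    """Return (community, status, reason) tuples for risky entries.

    acl_rule_counts is a hypothetical mapping {acl_number: rule_count}.
    When it is None, only the missing-ACL case can be detected.
    """
    findings = []
    for rec in records:
        name = rec["community_name"]
        acl = rec.get("acl")
        if acl is None:
            findings.append((name, "open", "no ACL: all NMSs in the community can access the agent"))
        elif acl_rule_counts is not None:
            if acl not in acl_rule_counts:
                findings.append((name, "open", f"ACL {acl} does not exist: no filtering is applied"))
            elif acl_rule_counts[acl] == 0:
                findings.append((name, "blocked", f"ACL {acl} has no rules: no NMS can access the agent"))
    return findings


if __name__ == "__main__":
    for name, status, reason in audit(parse_communities(SAMPLE_OUTPUT)):
        print(f"{name}: {status} ({reason})")
```

The display output alone cannot show whether a listed ACL exists or has rules, so the second and third findings appear only when acl_rule_counts is supplied.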
display snmp-agent context
Use display snmp-agent context to display an SNMP context.
Syntax
display snmp-agent context [ context-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
context-name: Specifies an SNMP context by its name, a case-sensitive string of 1 to 32 characters. If no SNMP context is specified, this command displays all SNMP contexts created on the device.
Examples
# Display all SNMP contexts created on the device.
<Sysname> display snmp-agent context
ospfcontext
isiscontext
Related commands
snmp-agent context
display snmp-agent group
Use display snmp-agent group to display SNMP group information, including the group name, security model, MIB view, and storage-type.
Syntax
display snmp-agent group [ group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
group-name: Specifies an SNMPv1, SNMPv2c, or SNMPv3 group name for high encryption in non-FIPS mode, and an SNMPv3 group name for high encryption in FIPS mode. It is a case-sensitive string of 1 to 32 characters. If no group is specified, this command displays information about all SNMP groups.
Examples
# Display information about all SNMP groups.
<Sysname> display snmp-agent group
Group name: groupv3
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview: <no specified>
Storage-type: nonVolatile
Table 2 Command output
Field | Description |
---|---|
Group name | SNMP group name. |
Security model | Security model of the SNMP group: · authPriv—authentication with privacy. · authNoPriv—authentication without privacy. · noAuthNoPriv—no authentication, no privacy. Security model of an SNMPv1 or SNMPv2c group can only be noAuthNoPriv. |
Readview | Read-only MIB view accessible to the SNMP group. |
Writeview | Write MIB view accessible to the SNMP group. |
Notifyview | Notify MIB view for the SNMP group. The SNMP users in the group can send notifications only for the nodes in the notify MIB view. |
Storage-type | Storage type, including volatile, nonvolatile, permanent, readOnly, and other (see Table 1). |
ACL | Number of the ACL that controls the access of the NMSs in the SNMP group to the device. This field appears only when an ACL is assigned to the SNMP group. |
Related commands
snmp-agent group
display snmp-agent local-engineid
Use display snmp-agent local-engineid to display the local SNMP engine ID.
Syntax
display snmp-agent local-engineid
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
Every SNMP agent has one SNMP engine to provide services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects.
The local SNMP engine ID uniquely identifies the SNMP engine of the SNMP agent in an SNMP domain.
Examples
# Display the local engine ID.
<Sysname> display snmp-agent local-engineid
SNMP local engine ID: 800007DB7F0000013859
Related commands
snmp-agent local-engineid
display snmp-agent mib-node
Use display snmp-agent mib-node to display SNMP MIB node information.
Syntax
display snmp-agent mib-node [ details | index-node | trap-node | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
details: Specifies detailed MIB node information, including node name, last octet of an OID string, and name of the next leaf node.
index-node: Specifies SNMP MIB tables, and node names and OIDs of MIB index nodes.
trap-node: Specifies node names and OIDs of MIB notification nodes, and node names and OIDs of notification objects.
verbose: Specifies detailed information about SNMP MIB nodes, including node names, OIDs, node types, permissions to MIB nodes, data types, MORs, and parent, child, and sibling nodes.
Usage guidelines
If no keywords are specified, this command displays information about all SNMP MIB nodes, including node name, OID, and permissions to MIB nodes.
The SNMP software package includes different MIB files. Support for MIBs varies by SNMP software versions.
Examples
# Display SNMP MIB node information.
<Sysname> display snmp-agent mib-node
iso<1>(NA)
|-std<1.0>(NA)
|-iso8802<1.0.8802>(NA)
|-ieee802dot1<1.0.8802.1>(NA)
|-ieee802dot1mibs<1.0.8802.1.1>(NA)
|-lldpMIB<1.0.8802.1.1.2>(NA)
|-lldpNotifications<1.0.8802.1.1.2.0>(NA)
|-lldpNotificationPrefix<1.0.8802.1.1.2.0.0>(NA)
|-lldpRemTablesChange<1.0.8802.1.1.2.0.0.1>(NA)
|-lldpObjects<1.0.8802.1.1.2.1>(NA)
|-lldpConfiguration<1.0.8802.1.1.2.1.1>(NA)
|-*lldpMessageTxInterval<1.0.8802.1.1.2.1.1.1>(RW)
|-*lldpMessageTxHoldMultiplier<1.0.8802.1.1.2.1.1.2>(RW)
|-*lldpReinitDelay<1.0.8802.1.1.2.1.1.3>(RW)
Table 3 Command output
Field | Description |
---|---|
-std | MIB node name. |
<1.0> | OID of a MIB node. |
(NA) | Permissions to MIB nodes: · NA—Not accessible. · NF—Supports notifications. · RO—Supports read-only access. · RW—Supports read and write access. · RC—Supports read-write-create access. · WO—Supports write-only access. |
* | Leaf node or MIB table node. |
# Display detailed MIB node information.
<Sysname> display snmp-agent mib-node details
iso(1)(lldpMessageTxInterval)
|-std(0)(lldpMessageTxInterval)
|-iso8802(8802)(lldpMessageTxInterval)
|-ieee802dot1(1)(lldpMessageTxInterval)
|-ieee802dot1mibs(1)(lldpMessageTxInterval)
|-lldpMIB(2)(lldpMessageTxInterval)
|-lldpNotifications(0)(lldpMessageTxInterval)
|-lldpNotificationPrefix(0)(lldpMessageTxInterval)
|-lldpRemTablesChange(1)(NULL)
|-lldpObjects(1)(lldpMessageTxInterval)
|-lldpConfiguration(1)(lldpMessageTxInterval)
|-*lldpMessageTxInterval(1)(lldpMessageTxHoldMultiplier)
|-*lldpMessageTxHoldMultiplier(2)(lldpReinitDelay)
|-*lldpReinitDelay(3)(lldpTxDelay)
|-*lldpTxDelay(4)(lldpNotificationInterval)
|-*lldpNotificationInterval(5)(lldpPortConfigPortNum)
|-lldpPortConfigTable(6)(lldpPortConfigPortNum)
|-lldpPortConfigEntry(1)(lldpPortConfigPortNum)
|-*lldpPortConfigPortNum(1)(lldpPortConfigAdminStatus)
|-*lldpPortConfigAdminStatus(2)(lldpPortConfigNotificationEnable)
|-*lldpPortConfigNotificationEnable(3)(lldpPortConfigTLVsTxEnable)
|-*lldpPortConfigTLVsTxEnable(4)(lldpConfigManAddrPortsTxEnable)
Table 4 Command output
Field | Description |
---|---|
-std | MIB node name. |
(0) | Last bit of a MIB OID string. |
(lldpMessageTxInterval) | Name of a leaf node. |
* | Leaf node or MIB table node. |
# Display MIB table names, and node names and OIDs of MIB index nodes.
<Sysname> display snmp-agent mib-node index-node
Table |lldpPortConfigTable
Index ||lldpPortConfigPortNum
OID ||| 1.0.8802.1.1.2.1.1.6.1.1
Table |lldpConfigManAddrTable
Index ||lldpLocManAddrSubtype
OID ||| 1.0.8802.1.1.2.1.3.8.1.1
Index ||lldpLocManAddr
OID ||| 1.0.8802.1.1.2.1.3.8.1.2
Table |lldpStatsTxPortTable
Index ||lldpStatsTxPortNum
OID ||| 1.0.8802.1.1.2.1.2.6.1.1
Table |lldpStatsRxPortTable
Index ||lldpStatsRxPortNum
OID ||| 1.0.8802.1.1.2.1.2.7.1.1
Table |lldpLocPortTable
Index ||lldpLocPortNum
OID ||| 1.0.8802.1.1.2.1.3.7.1.1
Table 5 Command output
Field | Description |
---|---|
Table | MIB table name. |
Index | Name of a MIB index node. |
OID | OID of a MIB index node. |
# Display names and OIDs of MIB notification nodes, and names and OIDs of notification objects.
<Sysname> display snmp-agent mib-node trap-node
Name |lldpRemTablesChange
OID ||1.0.8802.1.1.2.0.0.1
Trap Object
Name |||lldpStatsRemTablesInserts
OID ||||1.0.8802.1.1.2.1.2.2
Name |||lldpStatsRemTablesDeletes
OID ||||1.0.8802.1.1.2.1.2.3
Name |||lldpStatsRemTablesDrops
OID ||||1.0.8802.1.1.2.1.2.4
Name |||lldpStatsRemTablesAgeouts
OID ||||1.0.8802.1.1.2.1.2.5
Name |mplsL3VpnVrfUp
OID ||1.3.6.1.2.1.10.166.11.0.1
Trap Object
Name |||mplsL3VpnIfConfRowStatus
OID ||||1.3.6.1.2.1.10.166.11.1.2.1.1.5
Name |||mplsL3VpnVrfOperStatus
OID ||||1.3.6.1.2.1.10.166.11.1.2.2.1.6
Table 6 Command output
Field | Description |
---|---|
Name | Name of a MIB notification node. |
OID | OID of a MIB notification node. |
Trap Object | Name and OID of a notification object. |
# Display detailed information about SNMP MIB nodes, including node names, OIDs, node types, permissions to MIB nodes, data types, MORs, and parent, child, and sibling nodes.
<Sysname> display snmp-agent mib-node verbose
Name |lldpNotificationInterval
OID ||1.0.8802.1.1.2.1.1.5
Properties ||NodeType: Leaf
||AccessType: RW
||DataType: Integer32
||MOR: 0x020c1105
Parent ||lldpConfiguration
First child ||
Next leaf ||lldpPortConfigPortNum
Next sibling ||lldpPortConfigTable
Allow ||get/set/getnext
Value range || [5..3600]
Name |lldpPortConfigTable
OID ||1.0.8802.1.1.2.1.1.6
Properties ||NodeType: Table
||AccessType: NA
||DataType: NA
||MOR: 0x00000000
Parent ||lldpConfiguration
First child ||lldpPortConfigEntry
Next leaf ||lldpPortConfigPortNum
Next sibling ||lldpConfigManAddrTable
Name |lldpPortConfigEntry
OID ||1.0.8802.1.1.2.1.1.6.1
Properties ||NodeType: Row
||AccessType: NA
||DataType: NA
||MOR: 0x00000000
Parent ||lldpPortConfigTable
First child ||lldpPortConfigPortNum
Next leaf ||lldpPortConfigPortNum
Next sibling ||
Index ||[indexImplied:0, indexLength:1]:
Name |lldpPortConfigPortNum
OID ||1.0.8802.1.1.2.1.1.6.1.1
Properties ||NodeType: Column
||AccessType: NA
||DataType: Integer32
||MOR: 0x020c1201
Parent ||lldpPortConfigEntry
First child ||
Next leaf ||lldpPortConfigAdminStatus
Next sibling ||lldpPortConfigAdminStatus
Allow ||get/set/getnext
Index ||[indexImplied:0, indexLength:1]:
Value range || [1..4096]
Name |lldpPortConfigAdminStatus
OID ||1.0.8802.1.1.2.1.1.6.1.2
Properties ||NodeType: Column
||AccessType: RW
||DataType: Integer
||MOR: 0x020c1202
Parent ||lldpPortConfigEntry
First child ||
Next leaf ||lldpPortConfigNotificationEnable
Next sibling ||lldpPortConfigNotificationEnable
Allow ||get/set/getnext
Index ||[indexImplied:0, indexLength:1]:
Value range ||
|| ['txOnly', 1]
|| ['rxOnly', 2]
|| ['txAndRx', 3]
|| ['disabled', 4]
Table 7 Command output
Field | Description |
---|---|
Name | MIB node name. |
OID | OID of a MIB node. |
NodeType | MIB node types: · Table—Table node. · Row—Row node in a MIB table. · Column—Column node in a MIB table. · Leaf—Leaf node. · Group—Group node (parent node of a leaf node). · Trapnode—Notification node. · Other—Other node types. |
AccessType | Permissions to MIB nodes: · NA—Not accessible. · NF—Supports notifications. · RO—Supports read-only access. · RW—Supports read and write access. · RC—Supports read-write-create access. · WO—Supports write-only access. |
DataType | Data types of MIB nodes: · Integer—An integer. · Integer32—A 32-bit integer. · Unsigned32—A 32-bit integer with no mathematical sign. · Gauge—A non-negative integer that might increase or decrease. · Gauge32—A 32-bit non-negative integer that might increase or decrease. · Counter—A non-negative integer that might increase but not decrease. · Counter32—A 32-bit non-negative integer that might increase but not decrease. · Counter64—A 64-bit non-negative integer that might increase but not decrease. · Timeticks—A non-negative integer for time keeping. · Octstring—An octal string. · OID—Object identifier. · IPaddress—A 32-bit IP address. · Networkaddress—A network IP address. · Opaque—Any data. · Userdefined—User-defined data. · BITS—Bit enumeration. |
MOR | MOR for a MIB node. |
Parent | Name of a parent node. |
First child | Name of the first leaf node. |
Next leaf | Name of the next leaf node. |
Next sibling | Name of the next sibling node. |
Allow | Operation types allowed: · get/set/getnext—All operations. · get—Get operation. · set—Set operation. · getnext—GetNext operation. |
Value range | Value range of a MIB node. |
Index | Table index. This field appears only for a table node. |
display snmp-agent mib-view
Use display snmp-agent mib-view to display MIB views.
Syntax
display snmp-agent mib-view [ exclude | include | viewname view-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
exclude: Displays the subtrees excluded from any MIB view.
include: Displays the subtrees included in any MIB view.
viewname view-name: Displays information about the specified MIB view.
Usage guidelines
If you do not specify any parameters, this command displays all MIB views.
Examples
# Display all MIB views.
<Sysname> display snmp-agent mib-view
View name: ViewDefault
MIB Subtree: iso
Subtree mask:
Storage-type: nonVolatile
View Type: included
View status: active
View name: ViewDefault
MIB Subtree: snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type: excluded
View status: active
View name: ViewDefault
MIB Subtree: snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type: excluded
View status: active
View name: ViewDefault
MIB Subtree: snmpModules.18
Subtree mask:
Storage-type: nonVolatile
View Type: excluded
View status: active
ViewDefault is the default MIB view. The output shows that except for the MIB objects in the snmpUsmMIB, snmpVacmMIB, and snmpModules.18 subtrees, all the MIB objects in the iso subtree are accessible.
Table 8 Command output
Field | Description |
---|---|
View name | MIB view name. |
MIB Subtree | MIB subtree covered by the MIB view. |
Subtree mask | MIB subtree mask. |
Storage-type | Type of the medium (see Table 1) where the subtree view is stored. |
View Type | Access privilege for the MIB subtree in the MIB view: · Included—All objects in the MIB subtree are accessible in the MIB view. · Excluded—None of the objects in the MIB subtree is accessible in the MIB view. |
View status | Status of the MIB view: · active—MIB view is effective. · inactive—MIB view is ineffective. MIB views are active upon their creation at the CLI. To temporarily disable a MIB view without deleting it, you can perform an SNMP set operation to set its status to inactive. |
Related commands
snmp-agent mib-view
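How included and excluded subtrees combine into one access decision, as an added example that is not part of the H3C documentation: it evaluates an OID against the four ViewDefault entries shown above using the view-matching rule from RFC 3415 (the matching entry with the most sub-identifiers wins). The numeric OIDs for the subtree names are the standard assignments, and the hex mask handling follows RFC 3415 as an assumption, since every mask in the sample output is empty.

```python
# Standard OID assignments for the subtree names in the sample output.
NAMED_SUBTREES = {
    "iso": (1,),
    "snmpUsmMIB": (1, 3, 6, 1, 6, 3, 15),      # SNMPv3 user table
    "snmpVacmMIB": (1, 3, 6, 1, 6, 3, 16),     # view-based access control tables
    "snmpModules.18": (1, 3, 6, 1, 6, 3, 18),  # community table (snmpCommunityMIB)
}

# The four ViewDefault entries from the sample output: (subtree, mask, type).
VIEW_DEFAULT = [
    ("iso", "", "included"),
    ("snmpUsmMIB", "", "excluded"),
    ("snmpVacmMIB", "", "excluded"),
    ("snmpModules.18", "", "excluded"),
]


def parse_oid(text):
    """Accept one of the names above or a dotted-decimal OID."""
    return NAMED_SUBTREES.get(text) or tuple(int(p) for p in text.strip(".").split("."))


def mask_bits(hex_mask, length):
    """Expand a hex mask to one bit per sub-identifier (most significant bit first).

    A 1 bit requires an exact match, a 0 bit is a wildcard, and positions
    beyond the end of the mask count as 1 (RFC 3415).
    """
    bits = []
    for byte in bytes.fromhex(hex_mask):
        bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    bits = bits[:length]
    return bits + [1] * (length - len(bits))


def family_matches(subtree, hex_mask, oid):
    """True when oid falls under subtree, honouring wildcard positions."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(hex_mask, len(subtree))
    return all(not bit or a == b for bit, a, b in zip(bits, subtree, oid))


def in_view(view, oid_text):
    """Decide whether oid_text is accessible through the given view entries."""
    oid = parse_oid(oid_text)
    best = None
    for name, hex_mask, view_type in view:
        subtree = parse_oid(name)
        if family_matches(subtree, hex_mask, oid):
            # Longest subtree wins; ties go to the lexicographically greater one.
            rank = (len(subtree), subtree)
            if best is None or rank > best[0]:
                best = (rank, view_type)
    return best is not None and best[1] == "included"


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.15.1.2.2.1.3", "1.3.6.1.6.3.18.1.1.1.2"):
        print(oid, "accessible" if in_view(VIEW_DEFAULT, oid) else "not accessible")
```

The three excluded subtrees hold the SNMP user, access-control, and community tables, so a custom view that includes iso without repeating those exclusions exposes that configuration to any community or group bound to the view.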
display snmp-agent remote
Use display snmp-agent remote to display remote SNMP engine IDs configured by using the snmp-agent remote command.
Syntax
display snmp-agent remote [ ip-address [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address [ vpn-instance vpn-instance-name ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip-address: Specifies the IP address of a remote SNMP entity to display its SNMP engine ID.
ipv6 ipv6-address: Specifies the IPv6 address of a remote SNMP entity to display its SNMP engine ID.
vpn-instance vpn-instance-name: Specifies the VPN for a remote SNMP entity. The vpn-instance-name argument specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters. If this parameter is not specified, the remote SNMP entity is in the public network.
Usage guidelines
Every SNMP agent has one SNMP engine to provide services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects.
If no IP address is specified, this command displays all remote SNMP engine IDs you have configured.
Examples
# Display all remote SNMP engine IDs.
<Sysname> display snmp-agent remote
Remote engineID: 800063A28000A0FC00580400000001
IPv4 address: 1.1.1.1
VPN instance: vpn1
Table 9 Command output
Field | Description |
---|---|
Remote engineID | Remote SNMP engine ID you have configured using the snmp-agent remote command. |
IPv4 address | IPv4 address of the remote SNMP entity. For remote SNMP entities that are configured with an IPv6 address, the field name is "IPv6 address." |
VPN instance | This field is available only if a VPN has been specified for the remote SNMP entity in the snmp-agent remote command. |
Related commands
snmp-agent remote
display snmp-agent statistics
Use display snmp-agent statistics to display SNMP message statistics.
Syntax
display snmp-agent statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display SNMP message statistics.
<Sysname> display snmp-agent statistics
1684 messages delivered to the SNMP entity.
5 messages were for an unsupported version.
0 messages used an unknown SNMP community name.
0 messages represented an illegal operation for the community supplied.
0 ASN.1 or BER errors in the process of decoding.
1679 messages passed from the SNMP entity.
0 SNMP PDUs had badValue error-status.
0 SNMP PDUs had genErr error-status.
0 SNMP PDUs had noSuchName error-status.
0 SNMP PDUs had tooBig error-status (Maximum packet size 1500).
16544 MIB objects retrieved successfully.
2 MIB objects altered successfully.
7 GetRequest-PDU accepted and processed.
7 GetNextRequest-PDU accepted and processed.
1653 GetBulkRequest-PDU accepted and processed.
1669 GetResponse-PDU accepted and processed.
2 SetRequest-PDU accepted and processed.
0 Trap PDUs accepted and processed.
0 alternate Response Class PDUs dropped silently.
0 forwarded Confirmed Class PDUs dropped silently.
Table 10 Command output
Field | Description |
---|---|
messages delivered to the SNMP entity | Number of messages that the SNMP agent has received. |
messages were for an unsupported version | Number of messages that had an SNMP version not configured on the SNMP agent. |
messages used an unknown SNMP community name | Number of messages that used an unknown SNMP community name. |
messages represented an illegal operation for the community supplied | Number of messages carrying an operation that the community has no right to perform. |
ASN.1 or BER errors in the process of decoding | Number of messages that had ASN.1 or BER errors during decoding. |
messages passed from the SNMP entity | Number of messages sent by the SNMP agent. |
SNMP PDUs had badValue error-status | Number of PDUs with a BadValue error. |
SNMP PDUs had genErr error-status | Number of PDUs with a genErr error. |
SNMP PDUs had noSuchName error-status | Number of PDUs with a NoSuchName error. |
SNMP PDUs had tooBig error-status | Number of PDUs with a TooBig error (the maximum packet size is 1500 bytes). |
MIB objects retrieved successfully | Number of MIB objects that have been successfully retrieved. |
MIB objects altered successfully | Number of MIB objects that have been successfully modified. |
GetRequest-PDU accepted and processed | Number of GetRequest requests that have been received and processed. |
GetNextRequest-PDU accepted and processed | Number of getNext requests that have been received and processed. |
GetBulkRequest-PDU accepted and processed | Number of getBulk requests that have been received and processed. |
GetResponse-PDU accepted and processed | Number of get responses that have been received and processed. |
SetRequest-PDU accepted and processed | Number of set requests that have been received and processed. |
Trap PDUs accepted and processed | Number of notifications that have been received and processed. |
alternate Response Class PDUs dropped silently | Number of dropped response packets. |
forwarded Confirmed Class PDUs dropped silently | Number of forwarded packets that have been dropped. |
display snmp-agent sys-info
Use display snmp-agent sys-info to display SNMP agent system information.
Syntax
display snmp-agent sys-info [ contact | location | version ] *
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
contact: Displays the system contact.
location: Displays the physical location of the device.
version: Displays the SNMP agent version.
Usage guidelines
If none of the parameters is specified, this command displays all SNMP agent system information.
Examples
# Display all SNMP agent system information.
<Sysname> display snmp-agent sys-info
The contact information of the agent:
Hangzhou H3C Technologies Co., Ltd.
The location information of the agent:
Hangzhou, China
The SNMP version of the agent:
SNMPv3
Related commands
snmp-agent sys-info
display snmp-agent trap queue
Use display snmp-agent trap queue to display basic information about the trap queue, including the queue size and number of traps in the queue.
Syntax
display snmp-agent trap queue
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the trap queue configuration and usage status.
<Sysname> display snmp-agent trap queue
Queue size: 100
Message number: 6
Related commands
· snmp-agent trap life
· snmp-agent trap queue-size
display snmp-agent trap-list
Use display snmp-agent trap-list to display modules that can generate SNMP notifications and their notification function status (enabled or disabled).
Syntax
display snmp-agent trap-list
Views
Any view
Usage guidelines
You can use the snmp-agent trap enable command to enable or disable the notification function of a module. For a module that has sub-modules, the notification function status is enabled if the trap function of any of its sub-modules is enabled.
Examples
# Display the modules that can generate notifications and their notification function status.
<Sysname> display snmp-agent trap-list
arp notification is disabled.
configuration notification is enabled.
isis notification is enabled.
l3vpn notification is enabled.
mac-address notification is enabled.
mpls notification is disabled.
ospf notification is enabled.
radius notification is disabled.
standard notification is enabled.
system notification is enabled.
Enabled notifications: 7; Disabled notifications: 3
Related commands
snmp-agent trap enable
display snmp-agent usm-user
Use display snmp-agent usm-user to display SNMPv3 user information.
Syntax
display snmp-agent usm-user [ engineid engineid | group group-name | username user-name ] *
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
engineid engineid: Displays SNMPv3 user information for the SNMP engine ID identified by engineid. When an SNMPv3 user is created, the system records the local SNMP entity engine ID. The user becomes invalid when the engine ID changes, and it becomes valid again when the recorded engine ID is restored.
group group-name: Displays SNMPv3 user information for a specified SNMP group name. The group name is case sensitive.
username user-name: Displays information about the specified SNMPv3 user. The username is case sensitive.
Usage guidelines
This command displays only SNMPv3 users that you have created by using the snmp-agent usm-user v3 command. To display SNMPv1 or SNMPv2c users created by using the snmp-agent usm-user { v1 | v2c } command, use the display snmp-agent community command.
Examples
# Display information about all SNMPv3 users.
<Sysname> display snmp-agent usm-user
Username: userv3
Group name: mygroupv3
Engine ID: 800063A203000FE240A1A6
Storage type: nonVolatile
User status: active
Username: userv3
Group name: mygroupv3
Engine ID: 8000259503000BB3100A508
Storage type: nonVolatile
User status: active
Username: userv3code
Role name: groupv3code
network-operator
Engine ID: 800063A203000FE240A1A6
Storage type: nonVolatile
User status: active
Username: userv3code
Role name: snmprole
network-operator
Engine ID: 800063A280000002BB0001
Storage type: nonVolatile
User status: active
Table 11 Command output
Field | Description |
---|---|
Username | SNMP username. |
Group name | SNMP group name. |
Role name | SNMP user role name. |
Engine ID | Engine ID that the SNMP agent used when the SNMP user was created. |
Storage type | Storage type: · volatile. · nonvolatile. · permanent. · readOnly. · other. For more information about these storage types, see Table 1. |
User status | SNMP user status: · active—The SNMP user is effective. · notInService—The SNMP user is correctly configured but not activated. · notReady—The SNMP user configuration is incomplete. · other—Any other status. SNMP users are active upon their creation at the CLI. To temporarily disable an SNMP user without deleting it, you can perform an SNMP set operation to change its status. |
ACL | Number of the ACL that controls the access of the SNMP user (the NMS) to the device. To access the device, the IP address of the NMS must be permitted in the ACL. This field appears only when an SNMPv3 user is associated with an ACL rule. |
Related commands
snmp-agent usm-user v3
enable snmp trap updown
Use enable snmp trap updown to enable link state notifications on an interface.
Use undo enable snmp trap updown to disable link state notifications on an interface.
Syntax
enable snmp trap updown
undo enable snmp trap updown
Default
Link state notifications are enabled.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
For an interface to generate linkUp/linkDown notifications when its state changes, you must also enable the linkUp/linkDown notification function globally by using the snmp-agent trap enable standard [ linkdown | linkup ] * command.
Examples
# Enable Ten-GigabitEthernet 1/1/1 to send linkUp/linkDown SNMP traps to 10.1.1.1 in the community public.
<Sysname> system-view
[Sysname] snmp-agent trap enable
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
[Sysname] interface ten-gigabitethernet 1/1/1
[Sysname-Ten-GigabitEthernet1/1/1] enable snmp trap updown
Related commands
· snmp-agent target-host
· snmp-agent trap enable
snmp-agent
Use snmp-agent to enable the SNMP agent.
Use undo snmp-agent to disable the SNMP agent.
Syntax
snmp-agent
undo snmp-agent
Default
SNMP agent is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The snmp-agent command is optional for an SNMP configuration task. The SNMP agent is automatically enabled when you execute any command that begins with snmp-agent except for the snmp-agent calculate-password command.
Examples
# Enable the SNMP agent.
<Sysname> system-view
[Sysname] snmp-agent
snmp-agent calculate-password
Use snmp-agent calculate-password to calculate a digest for the ciphertext authentication or privacy key converted from a plaintext key in SNMPv3.
Syntax
High encryption in non-FIPS mode:
snmp-agent calculate-password plain-password mode { 3desmd5 | 3dessha | md5 | sha } { local-engineid | specified-engineid engineid }
High encryption in FIPS mode:
snmp-agent calculate-password plain-password mode sha { local-engineid | specified-engineid engineid }
Views
System view
Predefined user roles
network-admin
Parameters
plain-password: Specifies a plaintext authentication or privacy key.
mode: Specifies the same authentication mode and privacy mode as configured in the snmp-agent usm-user v3 command. The encryption algorithms AES, 3DES, and DES are in descending order of security strength. DES is enough to meet general security requirements. The MD5 authentication algorithm is faster than SHA-1, while SHA-1 provides higher security than MD5.
· 3desmd5: Converts the plaintext privacy key to an encrypted key for 3DES encryption used in conjunction with MD5 authentication.
· 3dessha: Converts the plaintext privacy key to an encrypted key for 3DES encryption used in conjunction with SHA-1 authentication.
· md5: Converts the plaintext authentication key to a ciphertext key for MD5 authentication, or converts the plaintext privacy key to a ciphertext key for AES or DES encryption used in conjunction with MD5.
· sha: Converts the plaintext authentication key to a ciphertext key for SHA-1 authentication, or converts the plaintext privacy key to a ciphertext key for AES or DES encryption used in conjunction with SHA-1 authentication.
local-engineid: Uses the local engine ID to calculate the ciphertext key. You can configure the local engine ID by using the snmp-agent local-engineid command.
specified-engineid engineid: Uses a user-defined engine ID to calculate the ciphertext key. The engineid argument specifies an SNMP engine ID as a hexadecimal string. It must contain an even number of hexadecimal characters, in the range of 10 to 64. All-zero and all-F strings are invalid.
Usage guidelines
Make sure the SNMP agent is enabled before you execute the snmp-agent calculate-password command.
For security purposes, use this command to calculate digests for ciphertext authentication and privacy keys when you create SNMPv3 users by using the snmp-agent usm-user v3 command.
The converted key is valid only under the engine ID specified for key conversion.
Examples
<Sysname> system-view
[Sysname] snmp-agent calculate-password authkey mode sha local-engineid
The encrypted key is: 09659EC5A9AE91BA189E5845E1DDE0CC
Related commands
· snmp-agent local-engineid
· snmp-agent usm-user v3
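The reason a converted key is valid only under one engine ID is that SNMPv3 USM key localization (RFC 3414) hashes the engine ID into the key. The following is an added example, not H3C code: it implements the RFC 3414 algorithm together with the engine ID constraints stated above, and does not claim to reproduce the exact string the device prints. The function names are assumptions, and the password and 12-byte engine ID are the RFC 3414 test values.

```python
import hashlib
import re

def validate_engine_id(engine_id_hex: str) -> bytes:
    """Apply the constraints this page gives for the engineid argument."""
    s = engine_id_hex.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError("engine ID must be a hexadecimal string")
    if len(s) % 2 or not 10 <= len(s) <= 64:
        raise ValueError("engine ID needs an even number of characters, 10 to 64")
    if set(s.upper()) in ({"0"}, {"F"}):
        raise ValueError("all-zero and all-F engine IDs are invalid")
    return bytes.fromhex(s)

def password_to_key(password: str, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: digest of the password repeated to exactly 1,048,576 bytes."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku), so Kul is bound to one engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def localized_key(password: str, engine_id_hex: str, algo: str = "sha1") -> str:
    engine_id = validate_engine_id(engine_id_hex)
    return localize_key(password_to_key(password, algo), engine_id, algo).hex()

if __name__ == "__main__":
    # Constructed inputs: RFC 3414 test password, and two engine IDs
    # (the RFC test value and the 123456789A value used in this page's examples).
    for eid in ("000000000000000000000002", "123456789A"):
        print(eid, localized_key("maplesyrup", eid, "sha1"))
```

The same password yields unrelated keys for the two engine IDs, which is why changing the local engine ID invalidates keys that were converted earlier.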
snmp-agent community
Use snmp-agent community to configure an SNMP community.
Use undo snmp-agent community to delete an SNMP community.
Syntax
In VACM mode:
snmp-agent community { read | write } [ simple | cipher ] community-name [ mib-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
undo snmp-agent community { read | write } [ cipher ] community-name
In RBAC mode:
undo snmp-agent community [ cipher ] community-name
Default
No SNMP community exists.
Views
System view
Predefined user roles
network-admin
Parameters
read: Assigns the specified community read-only access to MIB objects. A read-only community can only query MIB information.
write: Assigns the specified community read and write access to MIB objects. A read and write community can configure MIB information.
simple: Sets a community name in plain text. For security purposes, this community name is saved in cipher text.
cipher: Sets and saves the community name in cipher text.
community-name: Sets a case-sensitive community name. In plain text, the community name must be a string of 1 to 32 characters. In cipher text, the community name must be a string of 33 to 73 characters. Input a string as escape characters after a backslash (\).
mib-view view-name: Specifies the MIB view available for the community. The view-name argument represents a MIB view name, a string of 1 to 32 characters. A MIB view represents a set of accessible MIB objects. If no MIB view is specified, the specified community can access the MIB objects in the default MIB view ViewDefault.
user-role role-name: Specifies a user role name for the community, a case-sensitive string of 1 to 63 characters.
acl acl-number: Specifies a basic IPv4 ACL to filter NMSs by source IPv4 address. The acl-number argument represents an ACL number in the range of 2000 to 2999. In the specified community, only NMSs with an IPv4 address permitted in the ACL can access the SNMP agent. If no ACL is specified, or the specified ACL does not exist, all NMSs in the SNMP community can access the SNMP agent. If the specified ACL does not have any rules, no NMS in the SNMP community can access the SNMP agent. For detailed information about ACL, see ACL and QoS Configuration Guide.
acl ipv6 ipv6-acl-number: Specifies a basic IPv6 ACL to filter NMSs by source IPv6 address. The ipv6-acl-number argument represents an ACL number in the range of 2000 to 2999. In the specified community, only NMSs with an IPv6 address permitted in the IPv6 ACL can access the SNMP agent. If no ACL is specified, or the specified ACL does not exist, all NMSs in the SNMP community can access the SNMP agent. If the specified ACL does not have any rules, no NMS in the SNMP community can access the SNMP agent.
Usage guidelines
This command is for SNMPv1 and SNMPv2c, and is supported only for high encryption in non-FIPS mode.
To set and save a community name in plain text, do not specify the simple or cipher keyword.
You can create up to 10 SNMP communities by using the snmp-agent community command. To create more SNMP communities, use the snmp-agent usm-user { v1 | v2c } command.
An SNMPv1 or SNMPv2c community contains a set of NMSs and SNMP agents, and is identified by a community name. An NMS and an SNMP agent must use the same community name to authenticate each other.
Typically, public is used as the read-only community name and private is used as the read and write community name. To improve security, assign your SNMP communities a name other than public and private.
You can use the following modes to control access to MIB objects for an SNMP community:
· View-based Access Control Model—The VACM mode controls access to MIB objects by assigning MIB views to SNMP communities.
· Role based access control—The RBAC mode controls access to MIB objects by assigning user roles to SNMP communities.
¡ An SNMP community with a predefined user role network-admin or level-15 has the read and write access to all MIB objects.
¡ An SNMP community with a predefined user role network-operator has the read-only access to all MIB objects.
¡ An SNMP community with a user role specified by the role command accesses MIB objects through the user role rules specified by the rule command.
For more information about user roles, see Fundamentals Configuration Guide.
If you create the same SNMP community with both modes multiple times, the most recent configuration takes effect.
For an NMS to access an agent:
· The RBAC mode requires the user role bound to the community name to have the same access right to MIB objects as the NMS.
· The VACM mode requires only the access right from the NMS to MIB objects.
The RBAC mode is more secure. As a best practice, use the RBAC mode to create an SNMP community.
Examples
# Create the read-only community readaccess in plain text so an SNMPv1 or SNMPv2c NMS can use the community name readaccess to read the MIB objects in the default view ViewDefault.
<Sysname> system-view
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] snmp-agent community read simple readaccess
# Create the read and write community writeaccess in plain text so only the SNMPv2c NMS at 1.1.1.1 can use the community name writeaccess to read or set the MIB objects in the default view ViewDefault.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[Sysname-acl-basic-2001] rule deny source any
[Sysname-acl-basic-2001] quit
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent community write simple writeaccess acl 2001
# Create the read and write community wr-sys-acc in plain text so an SNMPv1 or SNMPv2c NMS can use the community name wr-sys-acc to read or set the MIB objects in the system subtree (OID 1.3.6.1.2.1.1).
<Sysname> system-view
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] undo snmp-agent mib-view ViewDefault
[Sysname] snmp-agent mib-view included test system
[Sysname] snmp-agent community write simple wr-sys-acc mib-view test
Related commands
· display snmp-agent community
· snmp-agent mib-view
snmp-agent community-map
Use snmp-agent community-map to map an SNMP community to an SNMP context.
Use undo snmp-agent community-map to delete the mapping between an SNMP community and an SNMP context.
Syntax
snmp-agent community-map community-name context context-name
undo snmp-agent community-map community-name context context-name
Default
No mapping between an SNMP community and an SNMP context exists on the device.
Views
System view
Predefined user roles
network-admin
Parameters
community-name: Specifies an SNMP community, a case-sensitive string of 1 to 32 characters.
context-name: Specifies an SNMP context, a case-sensitive string of 1 to 32 characters.
Usage guidelines
This command enables a module on an agent to obtain the context mapped to a community name when an NMS accesses the agent by using SNMPv1 or SNMPv2c.
You can configure a maximum of 10 community-context mappings on the device.
Examples
# Map SNMP community private to SNMP context ospfcontext.
<Sysname> system-view
[Sysname] snmp-agent community-map private context ospfcontext
Related commands
display snmp-agent community
snmp-agent context
Use snmp-agent context to create an SNMP context.
Use undo snmp-agent context to delete an SNMP context.
Syntax
snmp-agent context context-name
undo snmp-agent context context-name
Default
No SNMP context is configured on the device.
Views
System view
Predefined user roles
network-admin
Parameters
context-name: Specifies an SNMP context, a case-sensitive string of 1 to 32 characters.
Usage guidelines
An NMS and an SNMP agent can communicate with each other if the following conditions exist:
· No SNMP context is configured on the NMS and the SNMP agent.
· The NMS and the SNMP agent use the same SNMP context.
Otherwise, a timeout message appears, indicating a communication failure between the NMS and SNMP agent.
You can create a maximum of 20 SNMP contexts.
Examples
# Create SNMP context ospfcontext.
<Sysname> system-view
[Sysname] snmp-agent context ospfcontext
Related commands
display snmp-agent context
snmp-agent group
Use snmp-agent group to create an SNMP group and specify its access right.
Use undo snmp-agent group to delete an SNMP group.
Syntax
SNMPv1 and SNMPv2c:
snmp-agent group { v1 | v2c } group-name [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
undo snmp-agent group { v1 | v2c } group-name
SNMPv3 (high encryption in non-FIPS mode):
SNMPv3 (high encryption in FIPS mode):
snmp-agent group v3 group-name { authentication | privacy } [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
undo snmp-agent group v3 group-name [ authentication | privacy ]
Default
No SNMP group exists.
Views
System view
Predefined user roles
network-admin
Parameters
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
v3: Specifies SNMPv3.
group-name: Specifies an SNMP group name, a string of 1 to 32 case-sensitive characters.
authentication: Specifies the authentication without privacy security model for the SNMPv3 group.
privacy: Specifies the authentication with privacy security model for the SNMPv3 group.
read-view view-name: Specifies a read-only MIB view. The view-name represents a MIB view name, a string of 1 to 32 characters. If no read-only MIB view is specified, the SNMP group has read access to the default view ViewDefault.
write-view view-name: Specifies a read and write MIB view. The view-name represents a MIB view name, a string of 1 to 32 characters. If no read and write view is specified, the SNMP group cannot set any MIB object on the SNMP agent.
notify-view view-name: Specifies a notify MIB view. The view-name represents a MIB view name, a string of 1 to 32 characters. The SNMP agent sends notifications to the users in the specified group only for the MIB objects included in the notify view. If no notify view is specified, the SNMP agent does not send any notification to the users in the specified group.
acl acl-number: Specifies a basic IPv4 ACL to filter NMSs by source IPv4 address. The acl-number argument represents an ACL number in the range of 2000 to 2999. In the specified SNMP group, only NMSs with an IPv4 address permitted in the ACL can access the SNMP agent. If no ACL is specified, or the specified ACL does not exist, all NMSs in the SNMP group can access the SNMP agent. If the specified ACL does not have any rules, no NMS in the SNMP group can access the SNMP agent.
acl ipv6 ipv6-acl-number: Specifies a basic IPv6 ACL to filter NMSs by source IPv6 address. The ipv6-acl-number argument represents an ACL number in the range of 2000 to 2999. In the specified SNMP group, only NMSs with an IPv6 address permitted in the IPv6 ACL can access the SNMP agent. If no ACL is specified, or the specified ACL does not exist, all NMSs in the SNMP group can access the SNMP agent. If the specified ACL does not have any rules, no NMS in the SNMP group can access the SNMP agent.
Usage guidelines
SNMPv1 and SNMPv2c settings in this command are supported only for high encryption in non-FIPS mode.
All users in an SNMP group share the security model and access rights of the group.
You can create up to 20 SNMP groups, including SNMPv1, SNMPv2c, and SNMPv3 groups.
All SNMPv3 users in a group share the same security model, but can use different authentication and privacy key settings. To implement a security model for a user and avoid SNMP communication failures, make sure the security model configuration for the group and the security key settings for the user are compliant with Table 12 and match the settings on the NMS.
Table 12 Basic security setting requirements for different security models
Security model | Security model keyword for the group | Security key settings for the user | Remarks |
---|---|---|---|
Authentication with privacy | privacy | Authentication key, privacy key | If the authentication key or the privacy key is not configured, SNMP communication will fail. |
Authentication without privacy | authentication | Authentication key | If no authentication key is configured, SNMP communication will fail. The privacy key (if any) for the user does not take effect. |
No authentication, no privacy | Neither authentication nor privacy | None | The authentication and privacy keys, if configured, do not take effect. |
Examples
# Create the SNMPv3 group group1, and assign the no authentication, no privacy security model to the group.
<Sysname> system-view
[Sysname] snmp-agent group v3 group1
Related commands
· display snmp-agent group
· snmp-agent mib-view
· snmp-agent usm-user
snmp-agent local-engineid
Use snmp-agent local-engineid to change the SNMP engine ID of the local SNMP agent.
Use undo snmp-agent local-engineid to restore the default local SNMP engine ID.
Syntax
snmp-agent local-engineid engineid
undo snmp-agent local-engineid
Default
The local engine ID is the combination of the company ID and the device ID. Device ID varies by product and might be an IP address, a MAC address, or any user-defined hexadecimal string.
Views
System view
Predefined user roles
network-admin
Parameters
engineid: Specifies an SNMP engine ID as a hexadecimal string. It must contain an even number of hexadecimal characters, in the range of 10 to 64. All-zero and all-F strings are invalid.
Usage guidelines
An SNMP engine ID uniquely identifies an SNMP entity in an SNMP managed network. Make sure the local SNMP engine ID is unique within your SNMP managed network to avoid communication problems.
If you have configured SNMPv3 users, change the local SNMP engine ID only when necessary. The change can void the SNMPv3 usernames and encrypted keys you have configured.
Examples
# Change the local engine ID to 123456789A.
<Sysname> system-view
[Sysname] snmp-agent local-engineid 123456789A
Related commands
· display snmp-agent local-engineid
· snmp-agent usm-user
snmp-agent log
Use snmp-agent log to enable logging SNMP operations.
Use undo snmp-agent log to disable logging SNMP operations.
Syntax
snmp-agent log { all | get-operation | set-operation | authfail }
undo snmp-agent log { all | get-operation | set-operation | authfail }
Default
SNMP logging is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
all: Enables logging SNMP authentication failures, Get operations, and Set operations.
authfail: Enables logging SNMP authentication failures.
get-operation: Enables logging SNMP Get operations.
set-operation: Enables logging SNMP Set operations.
Usage guidelines
Use SNMP logging to record the SNMP operations performed on the SNMP agent or authentication failures from the NMS to the agent for auditing NMS behaviors. The SNMP agent sends log data to the information center. You can configure the information center to output the data to a destination as needed.
Examples
# Enable logging SNMP Get operations.
<Sysname> system-view
[Sysname] snmp-agent log get-operation
# Enable logging SNMP Set operations.
<Sysname> system-view
[Sysname] snmp-agent log set-operation
# Enable logging SNMP authentication failures.
<Sysname> system-view
[Sysname] snmp-agent log authfail
snmp-agent mib-view
Use snmp-agent mib-view to create or update a MIB view.
Use undo snmp-agent mib-view to delete a MIB view.
Syntax
snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]
undo snmp-agent mib-view view-name
Default
The system creates the ViewDefault view when the SNMP agent is enabled. In this default MIB view, all MIB objects in the iso subtree but the snmpUsmMIB, snmpVacmMIB, and snmpModules.18 subtrees are accessible.
Views
System view
Predefined user roles
network-admin
Parameters
excluded: Denies access to any node in the specified MIB subtree.
included: Permits access to all the nodes in the specified MIB subtree.
view-name: Specifies a view name, a string of 1 to 32 characters.
oid-tree: Specifies a MIB subtree by its root node's OID (for example, 1.3.6.1.2.1.1) or object name (for example, system). An OID is a dotted numeric string that uniquely identifies an object in the MIB tree.
mask mask-value: Sets a MIB subtree mask, a hexadecimal string. Its length must be an even number in the range of 2 to 32.
Usage guidelines
A MIB view represents a set of MIB objects (or MIB object hierarchies) with certain access privilege. The MIB objects included in the MIB view are accessible while those excluded from the MIB view are inaccessible.
Each view-name oid-tree pair represents a view record. If you specify the same record with different MIB subtree masks multiple times, the most recent configuration takes effect.
The system can store entries for up to 20 unique MIB view records. In addition to the four default MIB view records, you can create up to 16 unique MIB view records. After you delete the default view with the undo snmp-agent mib-view command, you can create up to 20 unique MIB view records.
Use caution when deleting the default MIB view. The operation blocks access to all MIB objects on the device for NMSs that use the default view.
Examples
# Include the mib-2 (OID 1.3.6.1) subtree in the mibtest view and exclude the system subtree from this view.
<Sysname> system-view
[Sysname] snmp-agent sys-info version v1
[Sysname] snmp-agent mib-view included mibtest 1.3.6.1
[Sysname] snmp-agent mib-view excluded mibtest system
[Sysname] snmp-agent community read public mib-view mibtest
An SNMPv1 NMS in the public community can query the objects in the mib-2 subtree but not any object (for example, the sysDescr or sysObjectID node) in the system subtree.
Related commands
· display snmp-agent mib-view
· snmp-agent group
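How included and excluded records combine, and what a subtree mask selects, can be seen by evaluating a view with the view tree family rules of RFC 3415 (VACM). This is an added example, not H3C code: that the device resolves overlapping records exactly this way is an assumption, the class and function names are hypothetical, and object names such as system are written as numeric OIDs (1.3.6.1.2.1.1, as quoted on this page).

```python
def parse_oid(text):
    """'1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1)"""
    return tuple(int(part) for part in text.strip(".").split("."))

def mask_bits(mask_hex, length):
    """Expand a hex mask to one bit per sub-identifier, most significant bit first.

    Bit 1 means the sub-identifier must match, bit 0 is a wildcard. Positions
    past the end of the mask count as 1, as RFC 3415 specifies.
    """
    bits = []
    if mask_hex:
        if len(mask_hex) % 2 or not 2 <= len(mask_hex) <= 32:
            raise ValueError("mask must be an even-length hex string of 2 to 32 characters")
        for byte in bytes.fromhex(mask_hex):
            bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    bits = bits[:length]
    return bits + [1] * (length - len(bits))

class MibView:
    def __init__(self):
        self.records = {}  # subtree OID -> (included?, mask bits)

    def add(self, mode, oid_tree, mask=None):
        if mode not in ("included", "excluded"):
            raise ValueError("mode must be included or excluded")
        subtree = parse_oid(oid_tree)
        # Re-adding the same oid-tree replaces the record: most recent wins.
        self.records[subtree] = (mode == "included", mask_bits(mask, len(subtree)))

    def allows(self, oid_text):
        oid = parse_oid(oid_text)
        best = None
        for subtree, (included, bits) in self.records.items():
            if len(oid) < len(subtree):
                continue  # the OID sits above this subtree
            if any(b and o != s for b, o, s in zip(bits, oid, subtree)):
                continue  # a sub-identifier that must match does not
            key = (len(subtree), subtree)  # longest subtree wins, then greatest OID
            if best is None or key > best[0]:
                best = (key, included)
        return bool(best and best[1])  # no matching record means no access

def build_page_view():
    """The mibtest view from the example above, with system as a numeric OID."""
    view = MibView()
    view.add("included", "1.3.6.1")
    view.add("excluded", "1.3.6.1.2.1.1")
    return view

if __name__ == "__main__":
    view = build_page_view()
    print(view.allows("1.3.6.1.2.1.1.1.0"))      # sysDescr.0
    print(view.allows("1.3.6.1.2.1.2.2.1.2.1"))  # ifDescr.1

    # Constructed mask example: every ifTable column, but only for ifIndex 2.
    # Mask FFA0 = 1111 1111 1010 0000, so the tenth sub-identifier is a wildcard.
    row = MibView()
    row.add("included", "1.3.6.1.2.1.2.2.1.0.2", mask="FFA0")
    print(row.allows("1.3.6.1.2.1.2.2.1.7.2"))   # ifAdminStatus.2
    print(row.allows("1.3.6.1.2.1.2.2.1.7.3"))   # ifAdminStatus.3
```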
snmp-agent packet max-size
Use snmp-agent packet max-size to set the maximum size (in bytes) of SNMP packets that the SNMP agent can receive or send.
Use undo snmp-agent packet max-size to restore the default packet size.
Syntax
snmp-agent packet max-size byte-count
undo snmp-agent packet max-size
Default
The maximum size of SNMP packets that the SNMP agent can receive or send is 1500 bytes.
Views
System view
Predefined user roles
network-admin
Parameters
byte-count: Sets the maximum size (in bytes) of SNMP packets that the SNMP agent can receive or send. The value range is 484 to 17940.
Usage guidelines
If any device on the path to the NMS does not support packet fragmentation, limit the SNMP packet size to prevent large-sized packets from being discarded. For most networks, the default value is sufficient.
Examples
# Set the maximum SNMP packet size to 1024 bytes.
<Sysname> system-view
[Sysname] snmp-agent packet max-size 1024
snmp-agent port
Use snmp-agent port to specify the UDP port for receiving SNMP packets.
Use undo snmp-agent port to restore the default.
Syntax
snmp-agent port port-num
undo snmp-agent port
Default
The device uses UDP port 161 for receiving SNMP packets.
Views
System view
Predefined user roles
network-admin
Parameters
port-num: Specifies the UDP port for receiving SNMP packets, in the range of 1 to 65535. The default is 161.
Usage guidelines
After you change the port number for receiving SNMP packets, reconnect to the device on the new port number for SNMP get and set operations.
To display UDP port information, use the display current-configuration command.
Examples
# Specify the UDP port for receiving SNMP packets as 5555.
<Sysname> system-view
[Sysname] snmp-agent port 5555
# Restore the default UDP port.
<Sysname> system-view
[Sysname] undo snmp-agent port
snmp-agent remote
Use snmp-agent remote to configure the SNMP engine ID of a remote SNMP entity.
Use undo snmp-agent remote to delete a remote SNMP engine ID.
Syntax
snmp-agent remote { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] engineid engineid
undo snmp-agent remote ip-address
Default
No remote SNMP engine ID has been configured.
Views
System view
Predefined user roles
network-admin
Parameters
ip-address: Specifies the IP address of a remote SNMP entity.
ipv6 ipv6-address: Specifies the IPv6 address of a remote SNMP entity.
vpn-instance vpn-instance-name: Specifies the VPN for a remote SNMP entity. The vpn-instance-name argument specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters. If this option is not specified, the remote SNMP entity is in the public network.
engineid: Specifies the SNMP engine ID of the remote SNMP entity. This argument must be a hexadecimal string that contains an even number of characters, in the range of 10 to 64. All-zero and all-F strings are invalid.
Usage guidelines
To send informs to an NMS, you must configure the SNMP engine ID of the NMS on the SNMP agent.
The NMS accepts the SNMPv3 informs from the SNMP agent only if the engine ID in the informs is the same as its local engine ID.
You can configure up to 20 remote SNMP engine IDs.
Examples
# Configure the SNMP engine ID (123456789A) of the SNMP manager (10.1.1.1).
<Sysname> system-view
[Sysname] snmp-agent remote 10.1.1.1 engineid 123456789A
Related commands
display snmp-agent remote
snmp-agent { inform | trap } source
Use snmp-agent { inform | trap } source to specify a source IP address for the informs or traps sent by the SNMP agent.
Use undo snmp-agent { inform | trap } source to restore the default.
Syntax
snmp-agent { inform | trap } source interface-type interface-number
undo snmp-agent { inform | trap } source
Default
The SNMP agent uses the IP address of the outgoing routed interface as the source IP address of notifications.
Views
System view
Predefined user roles
network-admin
Parameters
inform: Specifies informs.
trap: Specifies traps.
interface-type interface-number: Specifies an interface by its type and number. The interface-number argument specifies a main interface number.
Usage guidelines
The snmp-agent { inform | trap } source command enables the SNMP agent to use the primary IP address of an interface or subinterface as the source IP address in all its SNMP informs or traps, regardless of their outgoing interfaces. An NMS can use this IP address to filter all the informs or traps sent by the SNMP agent.
Make sure the specified interface has been created and assigned a valid IP address. The configuration will fail if the interface has not been created and will take effect only after a valid IP address is assigned to the specified interface.
Examples
# Configure the primary IP address of Ten-GigabitEthernet 1/1/1 as the source address of SNMP traps.
<Sysname> system-view
[Sysname] snmp-agent trap source ten-gigabitethernet 1/1/1
# Configure the primary IP address of Ten-GigabitEthernet 1/1/2 as the source address of SNMP informs.
<Sysname> system-view
[Sysname] snmp-agent inform source ten-gigabitethernet 1/1/2
Related commands
· snmp-agent target-host
· snmp-agent trap enable
snmp-agent sys-info contact
Use snmp-agent sys-info contact to configure the system contact.
Use undo snmp-agent sys-info contact to restore the default contact.
Syntax
snmp-agent sys-info contact sys-contact
undo snmp-agent sys-info contact
Default
The system contact is Hangzhou H3C Tech. Co., Ltd.
Views
System view
Predefined user roles
network-admin
Parameters
sys-contact: Specifies the system contact, a string of 1 to 255 characters.
Usage guidelines
Configure the system contact for system maintenance and management.
Examples
# Configure the system contact as Dial System Operator # 27345.
<Sysname> system-view
[Sysname] snmp-agent sys-info contact Dial System Operator # 27345
Related commands
display snmp-agent sys-info
snmp-agent sys-info location
Use snmp-agent sys-info location to configure the system location.
Use undo snmp-agent sys-info location to restore the default location.
Syntax
snmp-agent sys-info location sys-location
undo snmp-agent sys-info location
Default
The system location is Hangzhou, China.
Views
System view
Predefined user roles
network-admin
Parameters
sys-location: Specifies the system location, a string of 1 to 255 characters.
Usage guidelines
Configure the location of the device for system maintenance and management.
Examples
# Configure the system location as Room524-row1-3.
<Sysname> system-view
[Sysname] snmp-agent sys-info location Room524-row1-3
Related commands
display snmp-agent sys-info
snmp-agent sys-info version
Use snmp-agent sys-info version to enable SNMP versions.
Use undo snmp-agent sys-info version to disable SNMP versions.
Syntax
High encryption in non-FIPS mode:
snmp-agent sys-info version { all | { v1 | v2c | v3 } * }
undo snmp-agent sys-info version { all | { v1 | v2c | v3 } * }
High encryption in FIPS mode:
snmp-agent sys-info version v3
undo snmp-agent sys-info version v3
Default
No SNMP version is enabled.
Views
System view
Predefined user roles
network-admin
Parameters
all: Specifies SNMPv1, SNMPv2c, and SNMPv3.
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
v3: Specifies SNMPv3.
Usage guidelines
SNMPv1 and SNMPv2c settings in this command are supported only for high encryption in non-FIPS mode.
Configure the SNMP agent with the same SNMP version as the NMS for successful communications between them.
Examples
# Enable SNMPv3.
<Sysname> system-view
[Sysname] snmp-agent sys-info version v3
Related commands
display snmp-agent sys-info
snmp-agent target-host
Use snmp-agent target-host to configure the SNMP agent to send SNMP notifications (informs or traps) to a host.
Use undo snmp-agent target-host to remove an SNMP notification target host.
Syntax
High encryption in non-FIPS mode:
snmp-agent target-host inform address udp-domain { ip-address | ipv6 ipv6-address } [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string { v2c | v3 [ authentication | privacy ] }
snmp-agent target-host trap address udp-domain { ip-address | ipv6 ipv6-address } [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ]
undo snmp-agent target-host { trap | inform } address udp-domain { ip-address | ipv6 ipv6-address } params securityname security-string [ vpn-instance vpn-instance-name ]
High encryption in FIPS mode:
snmp-agent target-host inform address udp-domain { ip-address | ipv6 ipv6-address } [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string v3 { authentication | privacy }
snmp-agent target-host trap address udp-domain { ip-address | ipv6 ipv6-address } [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string v3 { authentication | privacy }
undo snmp-agent target-host { trap | inform } address udp-domain { ip-address | ipv6 ipv6-address } params securityname security-string [ vpn-instance vpn-instance-name ]
Default
No SNMP notification target host has been configured.
Views
System view
Predefined user roles
network-admin
Parameters
inform: Sends notifications as informs.
trap: Sends notifications as traps.
address: Specifies the destination address of SNMP notifications.
udp-domain: Specifies UDP as the transport protocol.
ip-address: Specifies the IPv4 address or host name of the target host as the destination of SNMP notifications. The host name is a case-insensitive string of 1 to 253 characters. The string can only contain letters, numbers, hyphens (-), underscores (_), and dots (.). If you specify a host name, the IPv4 address of the target host can be obtained.
ipv6 ipv6-address: Specifies the IPv6 address or host name of the target host as the destination of SNMP notifications. The host name is a case-insensitive string of 1 to 253 characters, which only contains letters, numbers, hyphens (-), underscores (_), and dots (.). If you specify a host name, the IPv6 address of the target host can be obtained.
udp-port port-number: Specifies the UDP port for SNMP notifications. If no UDP port is specified, UDP port 162 is used.
vpn-instance vpn-instance-name: Specifies the VPN for the target host. The vpn-instance-name argument specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters. If this parameter is not specified, the target host is in the public network.
params securityname security-string: Specifies the authentication parameter. The security-string argument specifies an SNMPv1 or SNMPv2c community name or an SNMPv3 username, a string of 1 to 32 characters.
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
v3: Specifies SNMPv3.
· authentication: Specifies the security model to be authentication without privacy. You must specify the authentication key when you create the SNMPv3 user.
· privacy: Specifies the security model to be authentication with privacy. You must specify the authentication key and privacy key when you create the SNMPv3 user.
Usage guidelines
You can specify multiple SNMP notification target hosts.
Make sure the SNMP agent uses the same UDP port for SNMP notifications as the target host. Typically, NMSs, for example, IMC and MIB Browser, use port 162 for SNMP notifications as defined in the SNMP protocols.
If none of the keywords v1, v2c, or v3 is specified, SNMPv1 is used. Make sure the SNMP agent uses the same SNMP version as the target host so the host can receive the notification.
If neither authentication nor privacy is specified, the security model is no authentication, no privacy.
Examples
# Configure the SNMP agent to send SNMPv3 traps to 10.1.1.1 with the username public.
<Sysname> system-view
[Sysname] snmp-agent trap enable standard
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public v3
Related commands
· snmp-agent { inform | trap } source
· snmp-agent trap enable
· snmp-agent trap life
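Several defaults described in the snmp-agent community, snmp-agent group, and snmp-agent target-host sections are easy to miss when reviewing a change: a missing or nonexistent ACL admits every NMS, an ACL without rules admits none, a v3 group or target host without a keyword means no authentication and no privacy, and a target host without a version keyword uses SNMPv1. The following is an added example, not an H3C tool: a small checker for a list of commands before they are applied, where the rule names, the function name, and the sample command list are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")  # strips "[Sysname]" or "<Sysname>"
VERSIONS = ("v1", "v2c", "v3")

def audit(commands):
    """Return sorted (line_no, rule, message) findings for a list of CLI lines."""
    acl_rules, current_acl = {}, None  # IPv4 ACL number -> number of rules seen
    findings, acl_refs = [], []

    def check_acl(no, opts):
        idx = [i for i, t in enumerate(opts) if t == "acl"]
        if not idx:
            findings.append((no, "no-acl", "no ACL, so all NMSs can access the agent"))
        for i in idx:
            nxt = opts[i + 1] if i + 1 < len(opts) else ""
            if nxt.isdigit():  # "acl ipv6 N" is accepted but not resolved here
                acl_refs.append((no, nxt))

    for no, raw in enumerate(commands, 1):
        tok = PROMPT.sub("", raw).split()
        if tok[:2] == ["acl", "number"] and len(tok) > 2:
            current_acl = tok[2]
            acl_rules.setdefault(current_acl, 0)
        elif tok[:1] == ["rule"] and current_acl is not None:
            acl_rules[current_acl] += 1
        elif tok[:1] == ["quit"]:
            current_acl = None
        elif tok[:2] == ["snmp-agent", "community"] and len(tok) > 2:
            rest = tok[3:] if tok[2] in ("read", "write") else tok[2:]
            form = rest[0] if rest and rest[0] in ("simple", "cipher") else None
            rest = rest[1:] if form else rest
            if not rest:
                continue
            if form != "cipher" and rest[0] in ("public", "private"):
                findings.append((no, "default-name", f"well-known community name {rest[0]!r}"))
            check_acl(no, rest[1:])
        elif tok[:2] == ["snmp-agent", "group"] and len(tok) > 3:
            opts = tok[4:]
            if tok[2] == "v3" and opts[:1] not in (["authentication"], ["privacy"]):
                findings.append((no, "v3-noauth", "group uses no authentication, no privacy"))
            check_acl(no, opts)
        elif tok[:2] == ["snmp-agent", "target-host"] and "securityname" in tok:
            tail = tok[tok.index("securityname") + 2:]
            if not any(v in tail for v in VERSIONS):
                findings.append((no, "trap-v1-default", "no version keyword, so SNMPv1 is used"))
            elif "v3" in tail and not {"authentication", "privacy"} & set(tail):
                findings.append((no, "v3-noauth", "notifications use no authentication, no privacy"))

    # ACLs may be defined after they are referenced, so resolve them last.
    for no, acl in acl_refs:
        if acl not in acl_rules:
            findings.append((no, "acl-missing", f"ACL {acl} does not exist, so all NMSs are permitted"))
        elif acl_rules[acl] == 0:
            findings.append((no, "acl-empty", f"ACL {acl} has no rules, so no NMS is permitted"))
    return sorted(findings)

# Constructed sample: commands modelled on this page's examples, not a real device.
SAMPLE = """\
acl number 2001
rule permit source 1.1.1.1 0.0.0.0
rule deny source any
quit
acl number 2002
quit
snmp-agent community read public
snmp-agent community write simple writeaccess acl 2001
snmp-agent community read simple monitor acl 2002
snmp-agent community read simple ops acl 2003
snmp-agent group v3 group1
snmp-agent group v3 group2 privacy acl 2001
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname nmsuser v3 privacy
""".splitlines()

if __name__ == "__main__":
    for line_no, rule, message in audit(SAMPLE):
        print(f"line {line_no}: {rule}: {message}")
```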
snmp-agent trap enable
Use snmp-agent trap enable to enable SNMP notifications globally.
Use undo snmp-agent trap enable to disable SNMP notifications globally.
Syntax
snmp-agent trap enable [ configuration | protocol | standard [ authentication | coldstart | linkdown | linkup | warmstart ] * | system ]
undo snmp-agent trap enable [ configuration | protocol | standard [ authentication | coldstart | linkdown | linkup | warmstart ] * | system ]
Default
SNMP configuration notifications, standard notifications, and system notifications are enabled. Whether other SNMP notifications are enabled varies by modules.
Views
System view
Predefined user roles
network-admin
Parameters
configuration: Specifies configuration notifications. If configuration notifications are enabled, the system checks the running configuration and the startup configuration every 10 minutes for any change and generates a notification for the most recent change.
protocol: Specifies a module for enabling SNMP notifications. For more information about this argument, see the command reference for each module.
standard: Specifies SNMP standard notifications.
Table 13 Standard SNMP notifications
Keyword | Definition |
---|---|
authentication | Authentication failure notification sent when an NMS fails to authenticate to the SNMP agent. |
coldstart | Notification sent when the device restarts. |
linkdown | Notification sent when the link of a port goes down. |
linkup | Notification sent when the link of a port comes up. |
warmstart | Notification sent when the SNMP agent restarts. |
system: Specifies system notifications sent when the system time is modified, the system reboots, or the main system software image is not available.
Usage guidelines
The snmp-agent trap enable command enables the device to generate notifications, including both informs and traps, even though the keyword trap is used in this command.
You can use the snmp-agent target-host command to enable the device to send the notifications as informs or traps to a host.
If no optional parameters are specified, this command or its undo form enables or disables all SNMP notifications supported by the device.
Examples
# Enable the SNMP agent to send SNMP authentication failure traps to 10.1.1.1 in the community public.
<Sysname> system-view
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
[Sysname] snmp-agent trap enable standard authentication
Related commands
snmp-agent target-host
snmp-agent trap if-mib link extended
Use snmp-agent trap if-mib link extended to configure the SNMP agent to send extended linkUp/linkDown notifications.
Use undo snmp-agent trap if-mib link extended to restore the default.
Syntax
snmp-agent trap if-mib link extended
undo snmp-agent trap if-mib link extended
Default
The SNMP agent sends standard linkUp/linkDown notifications.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Extended linkUp and linkDown notifications add interface description and interface type to the standard linkUp/linkDown notifications for fast failure point identification.
When you use this command, make sure the NMS supports the extended linkUp and linkDown notifications.
Examples
# Enable extended linkUp/linkDown notifications.
<Sysname> system-view
[Sysname] snmp-agent trap if-mib link extended
snmp-agent trap life
Use snmp-agent trap life to configure the lifetime of notifications in the SNMP notification queue.
Use undo snmp-agent trap life to restore the default notification lifetime.
Syntax
snmp-agent trap life seconds
undo snmp-agent trap life
Default
The SNMP notification lifetime is 120 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Sets a lifetime in seconds, in the range of 1 to 2592000.
Usage guidelines
When congestion occurs, the SNMP agent buffers notifications in a queue. The notification lifetime sets how long a notification can stay in the queue. A notification is deleted when its lifetime expires.
Examples
# Set the SNMP notification lifetime to 60 seconds.
<Sysname> system-view
[Sysname] snmp-agent trap life 60
Related commands
· snmp-agent target-host
· snmp-agent trap enable
· snmp-agent trap queue-size
snmp-agent trap log
Use snmp-agent trap log to enable SNMP notification logging.
Use undo snmp-agent trap log to disable SNMP notification logging.
Syntax
snmp-agent trap log
undo snmp-agent trap log
Default
SNMP notification logging is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use SNMP notification logging to record SNMP notifications sent by the SNMP agent for notification tracking. The SNMP agent sends logs to the information center. You can configure the information center to output the logs to a destination as needed.
Examples
# Enable SNMP notification logging.
<Sysname> system-view
[Sysname] snmp-agent trap log
snmp-agent trap queue-size
Use snmp-agent trap queue-size to set the SNMP notification queue size.
Use undo snmp-agent trap queue-size to restore the default queue size.
Syntax
snmp-agent trap queue-size size
undo snmp-agent trap queue-size
Default
The SNMP notification queue can store up to 100 notifications.
Views
System view
Predefined user roles
network-admin
Parameters
size: Sets the maximum number of notifications that the SNMP notification queue can hold. The value range is 1 to 1000.
Usage guidelines
When congestion occurs, the SNMP agent buffers notifications in a queue. SNMP notification queue size sets the maximum number of notifications that this queue can hold. When the queue size is reached, the oldest notifications are dropped for new notifications.
Examples
# Set the SNMP notification queue size to 200.
<Sysname> system-view
[Sysname] snmp-agent trap queue-size 200
Related commands
· snmp-agent target-host
· snmp-agent trap enable
· snmp-agent trap life
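The following added example (not part of the original command reference, and not device code) models the buffering rules described for snmp-agent trap life and snmp-agent trap queue-size, to show which notifications survive a congestion period under different settings. The names NotificationQueue, replay, and EVENTS, the constructed burst, and the exact expiry comparison are assumptions of this sketch.

```python
from collections import deque


class NotificationQueue:
    """Model of the buffering rules on this page; not the device's own code."""

    def __init__(self, size=100, life=120):  # page defaults: 100 entries, 120 seconds
        self.size, self.life = size, life
        self.queue = deque()   # (enqueue_time, name), oldest first
        self.dropped = []      # (name, reason)

    def _expire(self, now):
        # Assumption: an entry expires once it has waited `life` seconds or longer.
        while self.queue and now - self.queue[0][0] >= self.life:
            self.dropped.append((self.queue.popleft()[1], "lifetime expired"))

    def enqueue(self, now, name):
        self._expire(now)
        if len(self.queue) >= self.size:  # full: the oldest entry makes room
            self.dropped.append((self.queue.popleft()[1], "queue full"))
        self.queue.append((now, name))

    def drain(self, now):
        """Congestion clears at `now`; return what is still there to send."""
        self._expire(now)
        sent = [name for _, name in self.queue]
        self.queue.clear()
        return sent


# Constructed burst: one authentication-failure notification at t=0, then
# 150 linkDown notifications spread over seconds 1 to 30 (five per second).
EVENTS = [(0, "authentication")] + [(1 + i // 5, "linkDown") for i in range(150)]


def replay(size, life, events, clear_time):
    """Buffer every event during congestion, then drain at clear_time."""
    q = NotificationQueue(size, life)
    for when, name in events:
        q.enqueue(when, name)
    return q.drain(clear_time), q.dropped


if __name__ == "__main__":
    for size, life, clear in [(100, 120, 40), (200, 120, 40), (200, 60, 70)]:
        sent, dropped = replay(size, life, EVENTS, clear)
        reasons = sorted({reason for _, reason in dropped})
        print(f"queue-size {size}, life {life}: authentication sent="
              f"{'authentication' in sent}, dropped={len(dropped)} {reasons}")
```

With the default queue size, the link burst pushes the older authentication-failure notification out of the queue. Enabling snmp-agent trap log keeps a record of notifications independently of this queue.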
snmp-agent usm-user { v1 | v2c }
Use snmp-agent usm-user { v1 | v2c } to add a user to an SNMPv1 or SNMPv2c group.
Use undo snmp-agent usm-user { v1 | v2c } to delete a user from an SNMPv1 or SNMPv2c group.
Syntax
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number | acl ipv6 ipv6-acl-number ] *
undo snmp-agent usm-user { v1 | v2c } user-name
Default
No SNMP users have been configured.
Views
System view
Predefined user roles
network-admin
Parameters
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
user-name: Specifies an SNMP username, a case-sensitive string of 1 to 32 characters.
group-name: Specifies an SNMPv1 or SNMPv2c group name, a case-sensitive string of 1 to 32 characters. The group does not have to exist when you add the user. If the group has not been created, the user takes effect after you create the group.
acl acl-number: Specifies a basic IPv4 ACL to filter NMSs by source IPv4 address. The acl-number argument represents an ACL number in the range of 2000 to 2999. Only NMSs with an IPv4 address permitted in the ACL can use the specified username (community name) to access the SNMP agent. If no ACL is specified, or the specified ACL does not exist, any NMS can use the specified username to access the SNMP agent. If the specified ACL does not have any rules, no NMS in the SNMP community can access the SNMP agent.
acl ipv6 ipv6-acl-number: Specifies a basic IPv6 ACL to filter NMSs by source IPv6 address. The ipv6-acl-number argument represents an ACL number in the range of 2000 to 2999. Only NMSs with an IPv6 address permitted in the IPv6 ACL can access the SNMP agent. If no ACL is specified, or the specified ACL does not exist, any NMS can use the specified username to access the SNMP agent. If the specified ACL does not have any rules, no NMS in the SNMP community can access the SNMP agent.
Usage guidelines
This command is supported only for high encryption in non-FIPS mode.
When you create an SNMPv1 or SNMPv2c user, the system automatically creates a community that has the same name as the SNMPv1 or SNMPv2c username. This community has the same access right as the SNMPv1 or SNMPv2c group. To display the SNMPv1 and SNMPv2c communities created in this way, use the display snmp-agent community command.
To change the access right of the SNMPv1 or SNMPv2c user, use the snmp-agent community command or the snmp-agent group { v1 | v2c } command. If the snmp-agent community command is used, the SNMPv1 or SNMPv2c user is removed from the SNMP group.
The snmp-agent usm-user { v1 | v2c } command enables managing SNMPv1 and SNMPv2c communities in the same way as managing SNMPv3 users. It does not affect the way of configuring SNMPv1 and SNMPv2c communities on the NMS.
Examples
# Add the user userv2c to the SNMPv2c group readCom so an NMS can use the protocol SNMPv2c and the read-only community name userv2c to access the device.
<Sysname> system-view
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent group v2c readCom
[Sysname] snmp-agent usm-user v2c userv2c readCom
# Add the user userv2c in the SNMPv2c group readCom so only the NMS at 1.1.1.1 can use the protocol SNMPv2c and read-only community name userv2c to access the device.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[Sysname-acl-basic-2001] rule deny source any
[Sysname-acl-basic-2001] quit
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent group v2c readCom
[Sysname] snmp-agent usm-user v2c userv2c readCom acl 2001
Related commands
· display snmp-agent community
· snmp-agent community
· snmp-agent group
snmp-agent usm-user v3
Use snmp-agent usm-user v3 to add a user to an SNMPv3 group or create an SNMPv3 user.
Use undo snmp-agent usm-user v3 to delete a user from an SNMPv3 group or remove an SNMPv3 user.
Syntax
High encryption in non-FIPS mode (in VACM mode):
snmp-agent usm-user v3 user-name group-name [ remote { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | 3des | des56 } priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
undo snmp-agent usm-user v3 user-name { local | engineid engineid-string | remote { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
High encryption in non-FIPS mode (in RBAC mode):
High encryption in FIPS mode (in VACM mode):
snmp-agent usm-user v3 user-name group-name [ remote { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] { cipher | simple } authentication-mode sha auth-password [ privacy-mode aes128 priv-password ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
undo snmp-agent usm-user v3 user-name { local | engineid engineid-string | remote { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
High encryption in FIPS mode (in RBAC mode):
Low encryption (in VACM mode):
Low encryption (in RBAC mode):
Default
No SNMPv3 users have been configured.
Views
System view
Predefined user roles
network-admin
Parameters
user-name: Specifies an SNMPv3 username, a case-sensitive string of 1 to 32 characters.
group-name: Specifies an SNMPv3 group name, a case-sensitive string of 1 to 32 characters.
user-role role-name: Specifies a user role name, a case-sensitive string of 1 to 63 characters.
remote { ip-address | ipv6 ipv6-address }: Specifies the IPv4 or IPv6 address of the remote SNMP entity.
vpn-instance vpn-instance-name: Specifies the VPN for the target host receiving SNMP notifications. The vpn-instance-name argument specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters. If this parameter is not specified, the target host is in the public network.
cipher: Specifies auth-password and priv-password as encrypted keys, which can be calculated to a hexadecimal string by using the snmp-agent calculate-password command.
simple: Specifies auth-password and priv-password as plaintext keys.
authentication-mode: Specifies an authentication algorithm. MD5 is faster but less secure than SHA. For more information about these algorithms, see Security Configuration Guide.
· md5: Specifies the MD5 authentication algorithm.
· sha: Specifies the SHA-1 authentication algorithm.
auth-password: Specifies a case-sensitive plaintext or encrypted authentication key. For high encryption in non-FIPS mode, a plaintext key is a string of 1 to 64 visible characters. For high encryption in FIPS mode, a plaintext key is a string of 15 to 64 visible characters, which must contain numbers, uppercase letters, lowercase letters, and special characters. If the cipher keyword is specified, the encrypted authentication key length requirements differ by authentication algorithm and key string format, as shown in Table 14.
Table 14 Encrypted authentication key length requirements
Authentication algorithm | Hexadecimal string | Non-hexadecimal string |
---|---|---|
MD5 | 32 characters | 53 characters |
SHA | 40 characters | 57 characters |
privacy-mode: Specifies an encryption algorithm for privacy. The encryption algorithms AES, 3DES, and DES are in descending order of security strength. DES is enough to meet general security requirements.
· aes128: Specifies the AES algorithm.
· 3des: Specifies the 3DES algorithm.
· des56: Specifies the DES algorithm.
priv-password: Specifies a case-sensitive plaintext or encrypted privacy key. For high encryption in non-FIPS mode, a plaintext key is a string of 1 to 64 characters. For high encryption in FIPS mode, a plaintext key is a string of 15 to 64 visible characters, which must contain numbers, uppercase letters, lowercase letters, and special characters. If the cipher keyword is specified, the encrypted privacy key length requirements differ by authentication algorithm and key string format, as shown in Table 15.
Table 15 Encrypted privacy key length requirements
Authentication algorithm | Encryption algorithm | Hexadecimal string | Non-hexadecimal string |
---|---|---|---|
MD5 | 3DES | 64 characters | 73 characters |
MD5 | AES128 or DES-56 | 32 characters | 53 characters |
SHA | 3DES | 80 characters | 73 characters |
SHA | AES128 or DES-56 | 40 characters | 53 characters |
acl acl-number: Specifies a basic IPv4 ACL to filter NMSs by source IPv4 address. The acl-number argument represents an ACL number in the range of 2000 to 2999. Only NMSs with an IPv4 address permitted in the ACL can use the specified username to access the SNMP agent. If no ACL is specified, or the specified ACL does not exist, any NMS can use the specified username to access the SNMP agent. If the specified ACL does not have any rules, no NMS in the SNMP community can access the SNMP agent.
acl ipv6 ipv6-acl-number: Specifies a basic IPv6 ACL to filter NMSs by source IPv6 address. The ipv6-acl-number argument represents an ACL number in the range of 2000 to 2999. Only NMSs with an IPv6 address permitted in the IPv6 ACL can use the specified username to access the SNMP agent. If no ACL is specified, or the specified ACL does not exist, any NMS can use the specified username to access the SNMP agent. If the specified ACL does not have any rules, no NMS in the SNMP community can access the SNMP agent.
local: Specifies the local SNMP engine.
engineid engineid-string: Specifies an SNMP engine. The engineid-string argument represents the engine ID and must contain an even number of hexadecimal characters, in the range of 10 to 64. All-zero and all-F strings are invalid. After you change the local engine ID, the existing SNMPv3 users and encrypted keys become invalid, and you must reconfigure them.
Usage guidelines
SNMPv3 users are valid only on the SNMP engine that creates them. By default, SNMPv3 users are created on the local SNMP engine. When you create an SNMPv3 user for sending SNMP inform messages, you must associate it with the remote SNMP engine.
To send SNMPv3 informs to an NMS, perform the following tasks:
· Specify the IPv4 or IPv6 address of the NMS in the snmp-agent usm-user v3 command.
· Map the IPv4 or IPv6 address to the SNMP engine ID of the NMS by using the snmp-agent remote command.
You can use the following modes to control access to MIB objects for an SNMPv3 user:
· View-based Access Control Model—In VACM mode, you must create an SNMPv3 group before you assign an SNMPv3 user to the group. Otherwise, the user cannot take effect after it is created. An SNMP group contains one or multiple users and specifies the MIB views and security model for the group of users. The authentication and encryption algorithms for each user are specified when they are created.
· Role based access control—The RBAC mode controls access to MIB objects by assigning user roles to SNMP users.
  · An SNMP user with a predefined user role network-admin or level-15 has the read and write access to all MIB objects.
  · An SNMP user with a predefined user role network-operator has the read-only access to all MIB objects.
  · An SNMP user with a user role specified by the role command accesses MIB objects through the user role rules specified by the rule command.
After creating an SNMPv3 user in this mode, you can use the snmp-agent usm-user v3 user-role command to assign a maximum of 64 user roles to the SNMPv3 user.
In VACM mode, if you configure an SNMPv3 user multiple times, the most recent configuration takes effect.
In RBAC mode, you can assign different user roles to an SNMPv3 user:
· If you specify only user roles but do not change any other settings, the snmp-agent usm-user v3 command assigns different user roles to the user. Other settings remain unchanged.
· If you specify user roles and also change other settings, the snmp-agent usm-user v3 command assigns different user roles to the user. The most recent configuration for other settings takes effect.
For an NMS to access an agent:
· The RBAC mode requires the user role bound to the username to have the same access right to MIB objects as the NMS.
· The VACM mode requires only the access right from the NMS to MIB objects.
The RBAC mode is more secure. As a best practice, use the RBAC mode to create an SNMPv3 user.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
Make sure you remember the username and the plain text of the keys. When you access the device from an NMS, you must provide this information.
Examples
In VACM mode:
# Add the user testUser to the SNMPv3 group testGroup, and enable the authentication without privacy security model for the group. Specify the authentication algorithm SHA-1 and the authentication key 123456TESTplat&! in plain text for the user.
<Sysname> system-view
[Sysname] snmp-agent group v3 testGroup authentication
[Sysname] snmp-agent usm-user v3 testUser testGroup simple authentication-mode sha 123456TESTplat&!
# For an NMS to access the MIB objects in the default view ViewDefault, make sure the following configurations on the NMS are the same as the SNMP agent:
· SNMPv3 username.
· SNMP protocol version.
· Authentication algorithm and key.
# Add the user testUser to the SNMPv3 group testGroup, and enable the authentication and privacy security model for the group. Specify the authentication algorithm SHA-1, the privacy algorithm AES, the plaintext authentication key 123456TESTauth&!, and the plaintext privacy key 123456TESTencr&! for the user.
<Sysname> system-view
[Sysname] snmp-agent group v3 testGroup privacy
[Sysname] snmp-agent usm-user v3 testUser testGroup simple authentication-mode sha 123456TESTauth&! privacy-mode aes128 123456TESTencr&!
# For an NMS to access the MIB objects in the default view ViewDefault, make sure the following configurations on the NMS are the same as the SNMP agent:
· SNMPv3 username.
· SNMP protocol version.
· Authentication algorithm.
· Privacy algorithm.
· Plaintext authentication and privacy keys.
# Add the user remoteUser for the SNMP remote engine at 10.1.1.1 to the SNMPv3 group testGroup, and enable the authentication and privacy security model for the group. Specify the authentication algorithm SHA-1, the privacy algorithm AES, the plaintext authentication key 123456TESTauth&!, and the plaintext privacy key 123456TESTencr&! for the user.
<Sysname> system-view
[Sysname] snmp-agent remote 10.1.1.1 engineid 123456789A
[Sysname] snmp-agent group v3 testGroup privacy
[Sysname] snmp-agent usm-user v3 remoteUser testGroup remote 10.1.1.1 simple authentication-mode sha 123456TESTauth&! privacy-mode aes128 123456TESTencr&!
In RBAC mode:
# Create the SNMPv3 user testUser with the user role network-operator and enable the authentication without privacy security model for the user. Specify the authentication algorithm SHA-1 and the authentication key 123456TESTplat&! in plain text for the user.
[Sysname] snmp-agent usm-user v3 testUser user-role network-operator simple authentication-mode sha 123456TESTplat&!
# For an NMS to have read-only access to all MIB objects, make sure the following configurations on the NMS are the same as the SNMP agent:
· SNMPv3 username.
· SNMP protocol version.
· Authentication algorithm and key.
Related commands
· display snmp-agent usm-user
· snmp-agent calculate-password
· snmp-agent group
· snmp-agent usm-user v3 user-role
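The following added example (not part of the original command reference) audits a command script for the ACL and algorithm conditions that the snmp-agent usm-user { v1 | v2c } and snmp-agent usm-user v3 parameter descriptions call out. The input format (commands as typed, without prompts), the sample script, its placeholder keys, and the function names are assumptions of this sketch, and IPv6 ACL definitions are not checked.

```python
# Constructed command script in the syntax shown on this page; keys are placeholders.
SAMPLE_CONFIG = """\
acl number 2001
 rule permit source 1.1.1.1 0.0.0.0
 rule deny source any
acl number 2002
snmp-agent usm-user v2c userv2c readCom
snmp-agent usm-user v2c nmsRO readCom acl 2001
snmp-agent usm-user v3 legacyUser testGroup simple authentication-mode md5 Auth-Placeholder-1! privacy-mode des56 Priv-Placeholder-1!
snmp-agent usm-user v3 testUser testGroup simple authentication-mode sha Auth-Placeholder-2! privacy-mode aes128 Priv-Placeholder-2! acl 2002
snmp-agent usm-user v3 authOnly testGroup simple authentication-mode sha Auth-Placeholder-3! acl 2999
snmp-agent usm-user v3 testUser user-role network-admin
"""


def parse_acls(lines):
    """Return {acl_number: rule_count} for each 'acl number N' block."""
    acls, current = {}, None
    for line in map(str.strip, lines):
        if line.startswith("acl number "):
            current = line.split()[2]
            acls[current] = 0
        elif current and line.startswith("rule "):
            acls[current] += 1
        elif line:
            current = None  # any other command ends the ACL block
    return acls


def audit(config):
    """Return (username, issue) pairs for the snmp-agent usm-user lines in config."""
    lines = config.splitlines()
    acls, findings = parse_acls(lines), []
    for tok in map(str.split, lines):
        if tok[:2] != ["snmp-agent", "usm-user"] or len(tok) < 5:
            continue
        version, user, opts = tok[2], tok[3], tok[4:]
        if opts[0] == "user-role" and len(opts) == 2:
            continue  # role assignment only: no security options on this line
        def after(key):  # value following a keyword, or "none" when absent
            return opts[opts.index(key) + 1] if key in opts[:-1] else "none"
        if version in ("v1", "v2c"):
            findings.append((user, f"{version}: username is the community name, no authentication or privacy"))
        else:
            auth, priv = after("authentication-mode"), after("privacy-mode")
            if auth != "sha":
                findings.append((user, f"authentication-mode {auth}: sha is the stronger choice"))
            if priv != "aes128":
                findings.append((user, f"privacy-mode {priv}: aes128 is the strongest choice"))
        if "acl" not in opts:
            findings.append((user, "no ACL: any NMS can use this username"))
        for i, word in enumerate(opts[:-1]):
            if word == "acl" and opts[i + 1] != "ipv6":  # IPv6 ACLs are not checked here
                number = opts[i + 1]
                if number not in acls:
                    findings.append((user, f"ACL {number} does not exist: any NMS can use this username"))
                elif acls[number] == 0:
                    findings.append((user, f"ACL {number} has no rules: no NMS can access the agent"))
    return findings


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_CONFIG):
        print(f"{user}: {issue}")
```

Because the device saves all keys in cipher text, run a check like this against the provisioning script or change request rather than the saved configuration.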
snmp-agent usm-user v3 user-role
Use snmp-agent usm-user v3 user-role to assign a user role to an SNMPv3 user created in RBAC mode.
Use undo snmp-agent usm-user v3 user-role to remove a user role.
Syntax
snmp-agent usm-user v3 user-name user-role role-name
undo snmp-agent usm-user v3 user-name user-role role-name
Default
No SNMPv3 users have been configured in RBAC mode.
Views
System view
Predefined user roles
Parameters
user-name: Specifies an SNMPv3 username, a case-sensitive string of 1 to 32 characters.
user-role role-name: Specifies a user role name, a case-sensitive string of 1 to 63 characters.
Usage guidelines
You can assign a maximum of 64 user roles to an SNMPv3 user.
An SNMPv3 user must have a minimum of one user role.
Examples
# Assign the user role network-admin to the SNMPv3 user testUser.
[Sysname] snmp-agent usm-user v3 testUser user-role network-admin
Related commands