SNMPv3 on Huawei
Simple Network Management Protocol is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more.
SNMP is widely used in network management for network monitoring. SNMP exposes management data in the form of variables on the managed systems organized in a management information base (MIB) which describe the system status and configuration. These variables can then be remotely queried (and, in some circumstances, manipulated) by managing applications.
Three significant versions of SNMP have been developed and deployed. SNMPv1 is the original version of the protocol. More recent versions, SNMPv2c and SNMPv3, feature improvements in performance, flexibility and security.
Although SNMPv3 makes no changes to the protocol aside from the addition of cryptographic security, it looks much different due to new textual conventions, concepts, and terminology. The most visible change was the definition of a secure version of SNMP: security and remote configuration enhancements were added because the lack of security in earlier versions led network administrators to use other means, such as telnet and SSH, for configuration, accounting, and fault management. SNMPv3 focuses on two main aspects: security and administration. The security aspect is addressed by offering both strong authentication and data encryption for privacy. On the administration side, SNMPv3 focuses on two parts: notification originators and proxy forwarders. The changes also facilitated remote configuration and administration of SNMP entities and addressed issues related to large-scale deployment, accounting, and fault management.
A summarised example configuration, applied to a Huawei CX-600 router running version V600R008C10SPC300:
NOTE: SNMP supports only basic ACLs whose numbers range from 2000 to 2999.
To improve security, configuring privacy is recommended. With noauthentication, neither authentication nor encryption is performed, so security cannot be guaranteed. With authentication, only authentication is performed. With privacy, both authentication and encryption are performed.
SNMP Walk version 3:
SNMP Get version 3:
After SNMPv3 is configured, a managed device and an NM station can run SNMPv3 to communicate with each other. To ensure normal communication, you need to configure both sides. This section describes only the configurations on a managed device (the agent side).
Ensure that the security level of the alarm host is higher than or equal to the user security level, and that the user security level is higher than or equal to the security level of the SNMP user group. To improve system security, configure different authentication and encryption passwords for an SNMP user.
The security level can be (in descending order of strength):
• Level 1: privacy (authentication and encryption)
• Level 2: authentication (without encryption)
• Level 3: noauthentication (neither authentication nor encryption)
The levels of the group, the user and the alarm host must be combined as follows:
• If the security level of the SNMP user group is level 1, the security level of both the user and the alarm host must be level 1.
• If the security level of the SNMP user group is level 2:
  • the security level of the user and the alarm host can both be level 1 or level 2;
  • if the user security level is level 2, the security level of the alarm host can be level 1 or level 2;
  • if the user security level is level 1, the security level of the alarm host must be level 1.
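As an added example (not from the original post or from Huawei's documentation), the level-compatibility rules above expressed as a small Python check: it generalises the listed cases to the rule that the alarm host level must be at least as strong as the user level, which must be at least as strong as the group level, and separately reports the hardening recommendations. The class and function names are assumptions.

```python
from dataclasses import dataclass

# Strength rank, lower is stronger; the numbering matches the levels in the post.
SECURITY_RANK = {"privacy": 1, "authentication": 2, "noauthentication": 3}


@dataclass
class Snmpv3Levels:
    """Security levels of the three SNMPv3 objects related above (assumed names)."""
    group: str  # SNMP user group
    user: str   # SNMPv3 user
    host: str   # alarm (trap target) host


def check_levels(cfg: Snmpv3Levels) -> list[str]:
    """Apply the ordering rule host >= user >= group (in strength).

    Returns a list of violations; an empty list means the three levels are
    consistent. This covers all combinations, not only the cases listed above,
    including a group configured at level 3 (noauthentication).
    """
    findings = []
    for name, level in (("group", cfg.group), ("user", cfg.user), ("host", cfg.host)):
        if level not in SECURITY_RANK:
            return [f"unknown security level for {name}: {level!r}"]
    g, u, h = (SECURITY_RANK[cfg.group], SECURITY_RANK[cfg.user], SECURITY_RANK[cfg.host])
    if u > g:  # a larger rank is a weaker level
        findings.append(f"user level {cfg.user} is weaker than group level {cfg.group}")
    if h > u:
        findings.append(f"alarm host level {cfg.host} is weaker than user level {cfg.user}")
    return findings


def hardening_notes(cfg: Snmpv3Levels, auth_password: str, priv_password: str) -> list[str]:
    """Recommendations from the post that are not hard requirements."""
    notes = []
    if cfg.user != "privacy":
        notes.append("privacy (authentication and encryption) is recommended for the user")
    if priv_password and auth_password == priv_password:
        notes.append("use different authentication and encryption passwords")
    return notes


if __name__ == "__main__":
    # Constructed sample: group at level 2, user at level 1, host at level 2 (invalid per the post).
    sample = Snmpv3Levels(group="authentication", user="privacy", host="authentication")
    print(check_levels(sample))
    print(hardening_notes(sample, "auth-pass-sample", "auth-pass-sample"))
```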
Checking the configurations: