In this post, I will describe how you can configure SNMPv3 on Comware based and provision based switches. SNMP is used by management systems to monitor and configure network devices. As the information which
Configure SNMPv3 on Comware Based Devices
To configure SNMPv3 on a Comware based device, you have to enable SNMPv3 and disable all the other versions:
[RTG-Core]snmp-agent sys-info version v3
[RTG-Core]undo snmp-agent sys-info version v1 v2c
[RTG-Core]dis snmp-agent sys-info version
SNMP version running in the system: SNMPv3
[RTG-Core]
The next step is to create a group. The group controls access to specific SNMP MIBs and/or OIDs. I will use a default group, but you can also define your own group with your own views. To create a custom view, use this command:
[RTG-Core]snmp-agent mib-view included TestView iso
This will allow only the “iso” tree.
To create the group use this command:
[RTG-Core]snmp-agent group v3 snmpv3 read-view ViewDefault write-view ViewDefault notify-view ViewDefault
This will create the group “snmpv3”, which uses the “ViewDefault” view for “read-view”, “write-view” and “notify-view”. This will allow access to all MIBs and OIDs.
The next step is to create the SNMPv3 user:
[RTG-Core]snmp-agent usm-user v3 imc snmpv3 authentication-mode sha imcimc privacy-mode aes128 imcimc
This will configure the SNMPv3 user “imc” using “sha” for authentication with the password “imcimc” and “aes128” for encryption with the key “imcimc”.
For Comware 7 you need to use this command:
[RTG-Core]snmp-agent usm-user v3 imc snmpv3 simple authentication-mode sha imcimc privacy-mode aes128 imcimc
The SNMPv3 configuration is done. You should now set some system information to recognize the device accordingly in your network management system:
[RTG-Core]snmp-agent sys-info contact Florian Baaske
[RTG-Core]snmp-agent sys-info location LAB_RTG
You should now be able to monitor and configure the device using SNMPv3.
Configure SNMPv3 on provision based switches
To configure SNMPv3 on provision based switches you have to follow more or less the same procedure. You have to enable SNMPv3 on the switch:
ClientAccess(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: **********
Privacy protocol is DES
Enter privacy password: **********
User 'initial' has been created
Would you like to create a user that uses SHA? [y/n] n
User creation is done. SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only access (you can set this later by the command 'snmpv3 restricted-access')? [y/n] n
ClientAccess(config)# snmpv3 only
During the process of enabling SNMPv3 you have to create a default SNMP user. You can delete this user later. The command “snmpv3 only” restricts access to the switch to SNMPv3; all other SNMP versions will be rejected.
You now need to configure the SNMPv3 users:
ClientAccess(config)# snmpv3 user imc auth sha imcimc priv aes imcimc
This will create the user “imc” using authentication and encryption. If you choose “aes” for encryption, it is always “AES-128”. No other algorithm is possible.
The next step is to assign the user to a predefined group. The groups are:
- managerpriv – v3 with full access, authentication and encryption (privacy)
- managerauth – v3 with full access and authentication
- operatorauth – v3 with operator access and authentication
- operatornoauth – v3 with operator access
I only listed the groups for SNMPv3. There are also groups for SNMPv1 and SNMPv2c. If you would like to use those groups, please have a look in the Management and Configuration Guide of the corresponding provision based switch. You will also find the difference between full access and operator access.
To actually assign a user to a group use this command:
ClientAccess(config)# snmpv3 group managerpriv user imc sec-model ver3
This will assign the user”
ClientAccess(config)# no snmpv3 user initial
You can now test the access with your network management system.
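As an added example (not part of the original post and not vendor code), this Python check reads typed Comware and ProVision SNMP commands like the ones above and reports weak settings before they reach a switch. The rule that authentication and privacy passwords should differ, the user "mon" and its password are assumptions made for this example.

```python
import re

PROMPT = re.compile(r"^\s*(?:\[[^\]]+\]|\S+#)\s*")  # "[RTG-Core]" or "ClientAccess(config)#"

def _check_user(user, tok, auth_kw, priv_kw):
    """Each keyword is followed by <algorithm> <password> in the typed command."""
    auth = tok[tok.index(auth_kw) + 1:][:2] if auth_kw in tok else []
    priv = tok[tok.index(priv_kw) + 1:][:2] if priv_kw in tok else []
    out = []
    if len(auth) < 2:
        out.append(f"user {user}: no authentication")
    elif auth[0].lower() == "md5":
        out.append(f"user {user}: MD5 authentication")
    if len(priv) < 2:
        out.append(f"user {user}: no privacy (encryption)")
    elif not priv[0].lower().startswith("aes"):
        out.append(f"user {user}: privacy is not AES")
    elif len(auth) == 2 and auth[1] == priv[1]:  # assumed policy of this example
        out.append(f"user {user}: authentication and privacy passwords are identical")
    return out

def audit_snmpv3(session):
    """Return findings for typed Comware / ProVision commands; other lines are ignored."""
    cmds = [PROMPT.sub("", line).strip() for line in session.splitlines()]
    findings = []
    for tok in (c.split() for c in cmds if c):
        if tok[:3] == ["snmp-agent", "usm-user", "v3"] and len(tok) > 3:
            findings += _check_user(tok[3], tok, "authentication-mode", "privacy-mode")
        elif tok[:2] == ["snmpv3", "user"] and len(tok) > 2:
            findings += _check_user(tok[2], tok, "auth", "priv")
        elif tok[:2] == ["snmpv3", "group"] and len(tok) > 2 and not tok[2].endswith("priv"):
            findings.append(f"group {tok[2]}: does not require privacy")
        elif tok[:3] == ["snmp-agent", "sys-info", "version"] and set(tok[3:]) - {"v3"}:
            findings.append("Comware: SNMP versions other than v3 enabled")
    if "snmpv3 enable" in cmds:  # ProVision-wide checks
        if "snmpv3 only" not in cmds:
            findings.append("ProVision: 'snmpv3 only' missing, SNMPv1/v2c still accepted")
        if "no snmpv3 user initial" not in cmds:
            findings.append("ProVision: default user 'initial' (MD5/DES) not removed")
    return findings

# Constructed sample: the page's Comware user line, then a weak ProVision variant.
SAMPLE = """\
[RTG-Core]snmp-agent usm-user v3 imc snmpv3 authentication-mode sha imcimc privacy-mode aes128 imcimc
ClientAccess(config)# snmpv3 enable
ClientAccess(config)# snmpv3 user mon auth md5 monitor123
ClientAccess(config)# snmpv3 group operatorauth user mon sec-model ver3
"""
if __name__ == "__main__":
    print("\n".join(audit_snmpv3(SAMPLE)))
```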
If you have any questions or would like to give feedback to this post, please use the comment function below.