configuring SNMPv3 on Huawei devices

SNMPv1 and SNMPv2c protocols security model uses the community-based pseudo-authentication. That means that a password (called a community string) is sent in a clear text between a network management station and managed devices. Both SNMPv1 and v2c are subject to packet sniffing because they do not implement encryption. Security has been the biggest weakness of the SNMP since the beginning. More about SNMPv2c concepts, operation and configuration you can find at “SNMPv2c configuration on Huawei devices“.

What if we want SNMP to be used over a public network?

SNMPv3 can be implemented. It provides important security features, which are not available in both SNMPv1 and v2c:

  • Confidentiality – encryption of packets to prevent snooping by an unauthorized source
  • Integrity – to ensure that a packet has not been tampered while in transit using optional packet reply protection
  • Authentication – to verify that a packet comes from a valid source.

SNMPv3 defines some new concepts: security level, user and group. The following security levels exists:

  • Authentication without encryption – authentication keyword in CLI – only the authenticated administrators can access the managed device.
  • No authentication and no encryption – noauth keyword in CLI – this security level can be used only in secure networks
  • Authentication and encryption – privacy keyword in CLI – only authenticated administrators can access the managed device and transmitted data is encrypted preventing interception or data leaking. This level should be used over the networks vulnerable to attacks.

A group defines the access policy for a user. Access policy defines which SNMP objects can be accessed or which SNMP objects can generate notifications to the members of a group. If the authentication and encryption mode are not specified, a user can only access views in non-authentication and non-encryption mode.

When using SNMPv3, system firstly verifies a user based on the configured authentication and encryption mode. After the user passes the authentication, the system verifies which SNMP views that user can access, based on the group to which the user was assigned.

A group can be configured using command syntax:

snmp-agent group v3 group-name { authentication | noauth | privacy } [ read-view read-view | write-view write-view | notify-view notify-view | acl acl-number ]

An SNMPv3 user can be assigned to the group using the following command syntax:

snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } authkey [ privacy-mode { aes128 | des56 } prikey | plain-text ] ] [ acl standard-acl ]

After an SNMPv3 group is configured, the system can effectively control the access rights of all users in the group, using the group settings. User access can be encrypted and authenticated, authenticated but not encrypted, or neither authenticated nor encrypted. If the access level of a user is lower than the security level of the specified group, the access fails. When the group, to which a user belongs, has multiple security levels, the user can select the group with the highest security level, among the groups that can be accessed, and access the view of the group.

Let’s configure SNMPv3 read access for NMS1 IP: In order to do that, NMS1 user will be configured and added to the GROUP1. NMS1 user will use SHA algorithm with AUTHKEY1 key for authentication and AES128 with ENCRYPTKEY1 key for encryption. Access to the group GROUP1 will be allowed for NMS1 only. ACL 2001 will be configured for that restriction.

[LabnarioR1]snmp-agent sys-info version v3
[LabnarioR1]snmp-agent group v3 GROUP1 privacy acl 2001

[LabnarioR1]acl 2001
[LabnarioR1-acl-basic-2001]rule 10 permit source 
[LabnarioR1]snmp-agent usm-user v3 NMS1 GROUP1 authentication-mode sha AUTHKEY1 privacy-mode aes128 ENCRYPTKEY1

As a next step let’s configure trap messages to be sent from our LabnarioR1 router to the NMS1, using traps parameter sending list name NMSTRAPS1:

[LabnarioR1]snmp-agent trap enable

[LabnarioR1]snmp-agent target-host trap-hostname NMS1 address trap-paramsname NMS1TRAPS

Traps will be authenticated at the receive end and encrypted at the transmit end (privacy keyword). Transmission protocol will be SNMPv3. Let’s configure traps parameter sending list NMS1TRAPS:

[LabnarioR1]snmp-agent target-host trap-paramsname NMS1TRAPS v3 securityname NMS1 privacy

As a source IP of traps generated, loopback1 address will be used:

[LabnarioR1]snmp-agent trap source LoopBack1

Equipment administrator’s contact information allows the NMS administrator to call equipment administrator in case of a failure:

[LabnarioR1]snmp-agent sys-info contact CALL 0800-123456789

For verification use the commands as below:

[LabnarioR1]dis snmp-agent group GROUP1

   Group name: GROUP1 
   Security model: v3 AuthPriv
   Readview: ViewDefault 
   Storage type: nonVolatile 
   Acl: 2001

[LabnarioR1]dis snmp-agent usm-user 
   User name: NMS1 
   Engine ID: 800007DB03000000000000 
   Group name: GROUP1 
   Authentication mode: sha, Privacy mode: aes128 
   Storage type: nonVolatile 
   User status: active 
   Acl: 2001

   Total number is 1 

[LabnarioR1]dis snmp-agent target-host 
   Traphost list:
   Target host name: NMS1 
   Traphost address: 
   Traphost portnumber: 162   
   Target host parameter: NMS1TRAPS 

   Total number is 1 

   Parameter list trap target host:
   Parameter name of the target host: NMS1TRAPS 
   Message mode of the target host: SNMPV3 
   Trap version of the target host: v3 
   Security name of the target host: NMS1 
   Security level of the target host: privacy 

   Total number is 1 

[LabnarioR1]display snmp-agent sys-info contact 
   The contact person for this managed node: 
           CALL 0800-123456789

Download as PDF


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s