The security model of the SNMPv1 and SNMPv2c protocols uses community-based
pseudo-authentication. That means that a password (called a community string) is sent in clear
text between a network management station and managed devices. Both SNMPv1 and v2c are
subject to packet sniffing because they do not implement encryption. Security has been the
biggest weakness of SNMP since the beginning. More about SNMPv2c concepts,
operation and configuration can be found at SNMPv2c configuration on Huawei devices.
SNMPv3 can be implemented instead. It provides important security features that are not
available in either SNMPv1 or v2c:
SNMPv3 defines some new concepts: security level, user and group. The following security
levels exist:
A group defines the access policy for a user. The access policy defines which SNMP objects
can be accessed or which SNMP objects can generate notifications to the members of a group.
If the authentication and encryption mode are not specified, a user can only access views in
non-authentication and non-encryption mode.
When using SNMPv3, the system first verifies a user based on the configured authentication
and encryption mode. After the user passes authentication, the system checks which
SNMP views that user can access, based on the group to which the user was assigned.
An SNMPv3 user can be assigned to the group using the following command syntax:
Let's configure SNMPv3 read access for NMS1 (IP: 150.100.12.1). To do that, the NMS1
user will be configured and added to GROUP1. The NMS1 user will use the SHA algorithm with
the AUTHKEY1 key for authentication and AES128 with the ENCRYPTKEY1 key for encryption.
Access to the group GROUP1 will be allowed for NMS1 only. ACL 2001 will be configured
for that restriction.
[LabnarioR1]snmp-agent
[LabnarioR1]snmp-agent sys-info version v3
[LabnarioR1]snmp-agent group v3 GROUP1 privacy acl 2001
[LabnarioR1]acl 2001
[LabnarioR1-acl-basic-2001]rule 10 permit source 150.100.12.1 0.0.0.0
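The following check is an added example, not part of the original article or of any Huawei tooling: a small Python audit that reads a pasted configuration and reports when the SNMP settings fall short of the ones configured above (v3 only, group at the privacy level, group bound to an ACL that permits single hosts). The function name audit_snmp and the weak sample configuration are constructed for illustration, and the check assumes the host wildcard is written as 0.0.0.0, as on this page.

```python
import re

# The page's configuration (prompts included, as pasted from the CLI).
PAGE_CONFIG = """\
[LabnarioR1]snmp-agent
[LabnarioR1]snmp-agent sys-info version v3
[LabnarioR1]snmp-agent group v3 GROUP1 privacy acl 2001
[LabnarioR1]acl 2001
[LabnarioR1-acl-basic-2001]rule 10 permit source 150.100.12.1 0.0.0.0
"""
# Constructed weak variant: v2c left enabled, group without privacy or ACL.
WEAK_CONFIG = """\
snmp-agent sys-info version v2c v3
snmp-agent group v3 GROUP1
"""

def audit_snmp(config):
    """Return a list of findings for SNMP lines in a Huawei VRP configuration."""
    findings, groups, acl_rules, current_acl = [], [], {}, None
    for raw in config.splitlines():
        line = re.sub(r"^[\[<][^\]>]*[\]>]", "", raw).strip()  # drop CLI prompt
        words = line.split()
        if words[:3] == ["snmp-agent", "sys-info", "version"]:
            extra = [v for v in words[3:] if v != "v3"]
            if extra:
                findings.append("cleartext-capable versions enabled: " + " ".join(extra))
        elif words[:3] == ["snmp-agent", "group", "v3"] and len(words) > 3:
            groups.append((words[3], words[4:]))
        elif words[:1] == ["acl"] and len(words) > 1:
            current_acl = words[-1]
            acl_rules.setdefault(current_acl, [])
        elif words[:1] == ["rule"] and current_acl:
            acl_rules[current_acl].append(words)
    for name, opts in groups:
        if "privacy" not in opts:
            findings.append(f"group {name}: security level is not privacy")
        acl = opts[opts.index("acl") + 1] if "acl" in opts[:-1] else None
        if acl is None:
            findings.append(f"group {name}: no ACL restricts source addresses")
        elif acl not in acl_rules:
            findings.append(f"group {name}: ACL {acl} is not defined")
        else:
            for rule in acl_rules[acl]:
                if "permit" in rule and rule[-1] != "0.0.0.0":
                    findings.append(f"ACL {acl}: permit rule is wider than one host")
    return findings

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_snmp(cfg) or "no findings")
```

The page's configuration produces no findings; the constructed weak variant produces three, one per missing control.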
As a next step, let's configure trap messages to be sent from our LabnarioR1 router to
NMS1, using the traps parameter sending list name NMSTRAPS1:
Traps will be authenticated at the receive end and encrypted at the transmit end (privacy
keyword). The transmission protocol will be SNMPv3. Let's configure the traps parameter
sending list NMS1TRAPS: