
Configuring SNMPv3 on Huawei devices

The SNMPv1 and SNMPv2c security model uses community-based pseudo-authentication: a password (called a community string) is sent in clear text between the network management station and the managed devices. Both SNMPv1 and v2c are subject to packet sniffing because they do not implement encryption. Security has been the biggest weakness of SNMP since the beginning. More about SNMPv2c concepts, operation and configuration can be found at SNMPv2c configuration on Huawei devices.

What if we want SNMP to be used over a public network?

SNMPv3 can be implemented. It provides important security features that are not available in SNMPv1 and v2c:

- Confidentiality: encryption of packets to prevent snooping by an unauthorized source.
- Integrity: ensures that a packet has not been tampered with in transit, using optional packet replay protection.
- Authentication: verifies that a packet comes from a valid source.

SNMPv3 defines some new concepts: security level, user and group. The following security levels exist:

- No authentication and no encryption (noauth keyword in the CLI): this security level can be used only in secure networks.
- Authentication without encryption (authentication keyword in the CLI): only authenticated administrators can access the managed device.
- Authentication and encryption (privacy keyword in the CLI): only authenticated administrators can access the managed device, and transmitted data is encrypted, preventing interception or data leakage. This level should be used over networks vulnerable to attacks.

A group defines the access policy for a user. The access policy defines which SNMP objects can be accessed, and which SNMP objects can generate notifications to the members of the group. If the authentication and encryption mode are not specified, a user can access views only in non-authentication and non-encryption mode.

When SNMPv3 is used, the system first verifies a user based on the configured authentication and encryption mode. After the user passes authentication, the system determines which SNMP views that user can access, based on the group to which the user is assigned.

A group can be configured using the following command syntax:

snmp-agent group v3 group-name { authentication | noauth | privacy } [ read-view read-view | write-view write-view | notify-view notify-view | acl acl-number ]

An SNMPv3 user can be assigned to the group using the following command syntax:

snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } authkey [ privacy-mode { aes128 | des56 } prikey | plain-text ] ] [ acl standard-acl ]

After an SNMPv3 group is configured, the system controls the access rights of all users in the group using the group settings. User access can be authenticated and encrypted, authenticated but not encrypted, or neither authenticated nor encrypted. If the security level of a user is lower than the security level of the specified group, access fails. When a user belongs to groups with multiple security levels, the user can select the group with the highest security level among the groups that can be accessed, and access the view of that group.

Let's configure SNMPv3 read access for NMS1 (IP address 150.100.12.1). To do that, the user NMS1 will be configured and added to the group GROUP1. NMS1 will use the SHA algorithm with the key AUTHKEY1 for authentication and AES128 with the key ENCRYPTKEY1 for encryption. Access to the group GROUP1 will be allowed for NMS1 only; ACL 2001 will be configured for that restriction.

[LabnarioR1]snmp-agent
[LabnarioR1]snmp-agent sys-info version v3
[LabnarioR1]snmp-agent group v3 GROUP1 privacy acl 2001

[LabnarioR1]acl 2001
[LabnarioR1-acl-basic-2001]rule 10 permit source 150.100.12.1 0.0.0.0

[LabnarioR1]snmp-agent usm-user v3 NMS1 GROUP1 authentication-mode sha AUTHKEY1 privacy-mode aes128 ENCRYPTKEY1

As a next step, let's configure trap messages to be sent from our LabnarioR1 router to NMS1, using the trap parameter list named NMS1TRAPS:

[LabnarioR1]snmp-agent trap enable

[LabnarioR1]snmp-agent target-host trap-hostname NMS1 address 150.100.12.1 trap-paramsname NMS1TRAPS

Traps will be authenticated at the receiving end and encrypted at the transmitting end (privacy keyword); the transport protocol will be SNMPv3. Let's configure the trap parameter list NMS1TRAPS:

[LabnarioR1]snmp-agent target-host trap-paramsname NMS1TRAPS v3 securityname NMS1 privacy

As the source IP address of generated traps, the LoopBack1 address will be used:

[LabnarioR1]snmp-agent trap source LoopBack1

Equipment administrator contact information allows the NMS administrator to call the equipment administrator in case of a failure:

[LabnarioR1]snmp-agent sys-info contact CALL 0800-123456789

For verification, use the commands below:

[LabnarioR1]dis snmp-agent group GROUP1

Group name: GROUP1
Security model: v3 AuthPriv
Readview: ViewDefault
Writeview:
Notifyview:
Storage type: nonVolatile
Acl: 2001

[LabnarioR1]dis snmp-agent usm-user

User name: NMS1
Engine ID: 800007DB03000000000000
Group name: GROUP1
Authentication mode: sha, Privacy mode: aes128
Storage type: nonVolatile
User status: active
Acl: 2001

Total number is 1
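As an added example (not part of the original article), the following Python reproduces the RFC 3414 key localization that a standards-compliant USM agent applies to the AUTHKEY1 and ENCRYPTKEY1 passwords configured above, using the Engine ID printed by dis snmp-agent usm-user. Huawei VRP is assumed to implement the standard algorithm; the second engine ID is constructed for comparison.

```python
"""RFC 3414 USM key localization, as a standalone illustration (not from the article).

Shows how the passwords in "snmp-agent usm-user v3 NMS1 GROUP1 authentication-mode sha
AUTHKEY1 privacy-mode aes128 ENCRYPTKEY1" become keys bound to the agent's engine ID.
Huawei VRP is assumed to follow the standard algorithm; the second engine ID is constructed.
"""
import hashlib

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2: the password is expanded to 1 MiB before hashing


def password_to_ku(password: bytes, algo: str) -> bytes:
    """Step 1: Ku = H(password repeated cyclically out to exactly 1 MiB)."""
    if len(password) < 8:
        raise ValueError("USM passwords must be at least 8 octets (RFC 3414, section 11.2)")
    reps = ONE_MEGABYTE // len(password) + 1
    return hashlib.new(algo, (password * reps)[:ONE_MEGABYTE]).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku), so the key is valid for one agent only."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(auth_pw: bytes, priv_pw: bytes, engine_id: bytes, algo: str = "sha1") -> dict:
    """Localized keys for authentication-mode sha + privacy-mode aes128."""
    auth_key = localize(password_to_ku(auth_pw, algo), engine_id, algo)
    priv_key = localize(password_to_ku(priv_pw, algo), engine_id, algo)
    # RFC 3826: AES-128 uses the first 16 octets of the localized privacy key.
    return {"auth_key": auth_key, "priv_key_aes128": priv_key[:16]}


if __name__ == "__main__":
    # Engine ID as printed by "dis snmp-agent usm-user" on LabnarioR1.
    r1 = usm_keys(b"AUTHKEY1", b"ENCRYPTKEY1", bytes.fromhex("800007DB03000000000000"))
    print("LabnarioR1 authKey (sha):    ", r1["auth_key"].hex())
    print("LabnarioR1 privKey (aes128): ", r1["priv_key_aes128"].hex())
    # Same user and passwords on another agent (constructed engine ID) give different
    # localized keys: a key stored on one device is bound to that device's engine, and the
    # password itself cannot be read back from it.
    r2 = usm_keys(b"AUTHKEY1", b"ENCRYPTKEY1", bytes.fromhex("800007DB03000000000001"))
    print("same passwords, other engine:", r2["auth_key"].hex())
```

The eight-octet minimum is why both keys on the page qualify: AUTHKEY1 is exactly 8 octets and ENCRYPTKEY1 is 11.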

[LabnarioR1]dis snmp-agent target-host

Traphost list:
Target host name: NMS1
Traphost address: 150.100.12.1
Traphost portnumber: 162
Target host parameter: NMS1TRAPS

Total number is 1

Parameter list trap target host:

Parameter name of the target host: NMS1TRAPS
Message mode of the target host: SNMPV3
Trap version of the target host: v3
Security name of the target host: NMS1
Security level of the target host: privacy

Total number is 1

[LabnarioR1]display snmp-agent sys-info contact

The contact person for this managed node:
CALL 0800-123456789
