Configuring SNMPv3

The SNMPv3 Configuration table shows how to complete a basic SNMPv3 configuration.

SNMPv3 Configuration

Step Task Command(s)
1 Create an SNMPv3 user and specify authentication, encryption, and security credentials.
  • If remote is not specified, the user will be registered for the local SNMP engine.
  • If authentication is not specified, no authentication will be applied.
  • If privacy is not specified, no encryption will be applied.
set snmp user user [remote remoteid] [authentication {md5 | sha}] [authpassword] [privacy privpassword]
2 Create a user group and add the user created in Step 1.
  • If storage type is not specified, nonvolatile will be applied.
set snmp group groupname user user security-model usm [volatile | nonvolatile]
3 Set security access rights for the group.
  • If security level is not specified, no authentication will be applied.
  • If context is not specified, access is granted to the default context. If context is specified without a context match, exact match will be applied. Only one context, the “default context”, is supported in this release. There is no need to configure this parameter.
  • If read view is not specified, none will be applied.
  • If write view is not specified, none will be applied.
  • If notify view is not specified, none will be applied.
  • If storage type is not specified, entries will be stored as permanent and will be held through device reboot.
set snmp access groupname security-model usm [noauthentication | authentication | privacy] [context context] [exact | prefix] [read readviewname] [write writeviewname] [notify notifyviewname] [volatile | nonvolatile]
4 Define views created in Step 3.
  • If not specified, mask will be set to empty.
  • If not specified, subtree use will be included.
  • If storage type is not specified, nonvolatile (permanent) will be applied.
set snmp view viewname viewname subtree subtree [mask mask] [included | excluded] [volatile | nonvolatile]
5 Set SNMP target parameters.
  • If not specified, security level will be set to noauthentication.
  • If not specified, storage type will be set to nonvolatile.
set snmp targetparams paramset_name user user security-model usm message-processing v3 [noauthentication | authentication | privacy] [volatile | nonvolatile]
6 Set the SNMP target address for notification message generation.
  • If not specified, udpport will be set to 162.
  • If not specified, mask will be set to 255.255.255.255.
  • If not specified, timeout will be set to 1500 (15 seconds).
  • If not specified, number of retries will be set to 3.
  • If taglist is not specified, none will be set.
  • If not specified, storage type will be nonvolatile.
set snmp targetaddr targetaddr_name ipaddr param paramset_name [udpport udpport] [mask mask] [timeout timeout] [retries retries] [taglist taglist] [volatile | nonvolatile]
7 Set SNMP notification parameters.
  • If not specified, message type will be set to trap.
  • If not specified, storage type will be set to nonvolatile.
set snmp notify notify tag tag [trap | inform] [volatile | nonvolatile]

The following example is an S-, K-, and 7100-Series device configuration that follows the steps in the SNMPv3 Configuration table. It shows how to:

  • Create the user Extremenetworks_user, specifying authentication, encryption, and security credentials.
  • Assign Extremenetworks_user to the Extremenetworks group and associate it to the SNMPv3 security model, usm.
  • Specify that, if SNMP messages are received with authentication and encryption, the view readView will be applied to read requests and the view writeView will be applied to write requests for this user group, based on the USM security model.
  • For the view writeView, include the MIB subtree denoted with OID 1, and exclude the subtree denoted by OID 1.3.6.1.4.1.5624.1.2.16.
  • Assign an SNMPv3 target parameters entry named matrixn to the Extremenetworks_user using the USM security model.
  • Create a target address entry named Extreme_Networks at IP address 172.29.10.1 which will use security and authorization criteria contained in a target parameters entry called matrixn, and bind these parameters together with a tag entry called v3TrapTag.
    System(su)->set snmp user Extremenetworks_user authentication md5 my_authentication privacy my_privacy
    System(su)->set snmp group Extremenetworks user Extremenetworks_user security-model usm
    System(su)->set snmp access Extremenetworks security-model usm privacy read readView write writeView
    System(su)->set snmp view viewname readView subtree 1
    System(su)->set snmp view viewname writeView subtree 1
    System(su)->set snmp view viewname writeView subtree 1.3.6.1.4.1.5624.1.2.16 excluded
    System(su)->set snmp targetparams matrixn user Extremenetworks_user security-model usm message-processing v3
    System(su)->set snmp targetaddr Extreme_Networks 172.29.10.1 param matrixn taglist v3TrapTag
    System(su)->set snmp notify SNMPv3TrapGen tag v3TrapTag inform

How SNMP Will Process This Configuration

As described in How SNMP Processes a Notification Configuration, if the SNMP agent on the device needs to send an inform message, it looks to see if there is a notification entry that says what to do with inform messages. Then, it looks to see if the tag list (v3TrapTag) specified in the notification entry exists. If it exists, the inform message is sent to the target addresses specified by the tag list (Extreme_Networks), using the parameters specified for each address (matrixn).
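
The following check is an added example, not part of the original documentation: it applies the defaults listed in the SNMPv3 Configuration steps to the example commands above and reports every entry that resolves to less than authentication plus encryption. The keyword matching on command tokens and the rule that flags md5 when sha is offered are assumptions of this example.

```python
# Added example: resolve the effective security settings of the page's example
# commands using the defaults stated in the SNMPv3 Configuration steps.
LEVELS = ("noauthentication", "authentication", "privacy")

# Commands copied from the example on this page (CLI prompt removed).
PAGE_EXAMPLE = """\
set snmp user Extremenetworks_user authentication md5 my_authentication privacy my_privacy
set snmp group Extremenetworks user Extremenetworks_user security-model usm
set snmp access Extremenetworks security-model usm privacy read readView write writeView
set snmp targetparams matrixn user Extremenetworks_user security-model usm message-processing v3
set snmp targetaddr Extreme_Networks 172.29.10.1 param matrixn taglist v3TrapTag
set snmp notify SNMPv3TrapGen tag v3TrapTag inform
"""


def effective_level(args):
    """Explicit level keyword if present, otherwise the documented default."""
    return next((a for a in args if a in LEVELS), "noauthentication")


def audit(config):
    """Return (command, entry name, finding) for settings below auth + encryption."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["set", "snmp"]:
            continue
        kind, name, args = tok[2], tok[3], tok[4:]
        if kind == "user":
            # Step 1: omitted authentication/privacy means none is applied.
            if "authentication" not in args:
                findings.append((kind, name, "no authentication (default)"))
            elif "md5" in args:  # assumption of this example: prefer sha
                findings.append((kind, name, "md5 chosen; sha is also offered"))
            if "privacy" not in args:
                findings.append((kind, name, "no encryption (default)"))
        elif kind in ("access", "targetparams"):
            # Steps 3 and 5: omitted security level means noauthentication.
            lvl = effective_level(args)
            if lvl != "privacy":
                note = "" if lvl in args else " (default)"
                findings.append((kind, name, f"level {lvl}{note}"))
    return findings


if __name__ == "__main__":
    for finding in audit(PAGE_EXAMPLE):
        print(*finding, sep=": ")
```

On the page's example it reports that the matrixn target parameters entry omits a security level, so by the Step 5 default its notifications to Extreme_Networks resolve to noauthentication even though the user was created with authentication and privacy credentials.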