The device supports the FIPS mode thatcomplies with NIST FIPS 140-2 requirements. Support for features, commands, andparameters might differ in FIPS mode and non-FIPS mode. For more informationabout FIPS mode, see Security Configuration Guide.
The SNMP agent sends notifications (trapsand informs) to inform the NMS of significant events, such as link statechanges and user logins or logouts. Unless otherwise stated, the trap keyword in the command line includes both traps and informs.
display snmp-agent community
Use display snmp-agent community to display informationabout SNMPv1 or SNMPv2c communities.
Syntax
display snmp-agent community [ read | write ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
read: Specifies SNMP read-onlycommunities.
write: Specifies SNMPread and write communities.
Usage guidelines
This command is not available in FIPS mode.
If you do not specify the read or write keyword, thiscommand displays information about all SNMPv1 and SNMPv2c communities.
Two methods are available for creating an SNMPv1or SNMPv2c community:
·Execute the snmp-agent community command.
·Execute the snmp-agent usm-user { v1 | v2c } and snmp-agent group { v1 | v2c } commands to create an SNMPv1 or SNMPv2c user and assign the user toan SNMP group. The system then automatically creates an SNMP community by usingthe SNMPv1 or SNMPv2c username as the community name.
This command displays information onlyabout communities created and saved in plaintext form.
Examples
# Display information about all SNMPv1 andSNMPv2c communities.
<Sysname> display snmp-agentcommunity
Community name: aa
Group name: aa
ACL:2001
Storage-type: nonVolatile
Context name: con1
Community name: bb
Role name: bb
Storage-type: nonVolatile
Community name: userv1
Group name: testv1
Storage-type: nonvolatile
Community name: cc
Group name: cc
ACL name: testacl
Storage-type: nonVolatile
| Field | Description |
| Community name | Community name created by using the snmp-agent community command or username created by using the snmp-agent usm-user { v1 | v2c } command. |
| Group name | SNMP group name. ·If the community is created by using the snmp-agent community command in VACM mode, the group name is the same as the community name. ·If the community is created by using the snmp-agent usm-user { v1 | v2c } command, the name of the group that has the user is displayed. |
| Role name | User role name for the community. If the community is created by using the snmp-agent community command in RBAC mode, a user role can be bound to the community name. |
| ACL | Number of the ACL. This field is displayed only when an ACL number is specified for the SNMPv1 or SNMPv2c community. |
| ACL name | Name of the ACL. This field is displayed only when an ACL name is specified for the SNMPv1 or SNMPv2c community. |
| IPV6 ACL | Number of the IPv6 ACL. This field is displayed only when an IPv6 ACL number is specified for the SNMPv1 or SNMPv2c community. |
| IPV6 ACL name | Name of the IPv6 ACL. This field is displayed only when an IPv6 ACL name is specified for the SNMPv1 or SNMPv2c community. |
| Storage-type | Storage type: ·volatile—Settings are lost when the system reboots. ·nonVolatile—Settings remain after the system reboots. ·permanent—Settings remain after the system reboots and can be modified but not deleted. ·readOnly—Settings remain after the system reboots and cannot be modified or deleted. ·other—Any other storage type. |
| Context name | SNMP context: ·If a mapping between the SNMP community and an SNMP context is configured, the SNMP context is displayed. ·If no mapping between the SNMP community and an SNMP context exists, this field is empty. |
Related commands
snmp-agent community
snmp-agent usm-user { v1 | v2c }
displaysnmp-agent context
Use display snmp-agentcontext to display SNMP contexts.
Syntax
display snmp-agentcontext [ context-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
context-name: Specifiesan SNMP context by its name, a case-sensitive string of 1 to 32 characters. Ifyou do not specify this argument, the command displays all SNMP contexts.
Examples
# Display all SNMP contexts.
<Sysname> display snmp-agentcontext
testcontext
Related commands
snmp-agent context
display snmp-agent group
Use display snmp-agent group to display informationabout SNMP groups.
Syntax
display snmp-agent group [ group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
group-name: Specifiesan SNMPv1, SNMPv2c, or SNMPv3 group name in non-FIPS mode, and an SNMPv3 groupname in FIPS mode. It is a case-sensitive string of 1 to 32 characters. If youdo not specify a group, this command displays information about all SNMPgroups.
Examples
# Display information about all SNMPgroups.
<Sysname> display snmp-agentgroup
Group name: groupv3
Security model: v3noAuthnoPriv
Readview: ViewDefault
Writeview: <nospecified>
Notifyview: <nospecified>
Storage-type: nonvolatile
ACL name: testacl
Table 2 Command output
| Field | Description |
| Group name | SNMP group name. |
| Security model | Security model of the SNMP group: ·authPriv—Authentication with privacy. ·authNoPriv—Authentication without privacy. ·noAuthNoPriv—No authentication, no privacy. Security model of an SNMPv1 or SNMPv2c group can only be noAuthNoPriv. |
| Readview | Read-only MIB view accessible to the SNMP group. |
| Writeview | Write MIB view accessible to the SNMP group. |
| Notifyview | Notify MIB view for the SNMP group. The SNMP users in the group can send notifications only for the nodes in the notify MIB view. |
| Storage-type | Storage type, including volatile, nonvolatile, permanent, readOnly, and other. For more information, see Table 1. |
| ACL | Number of the IPv4 ACL. This field appears only when an IPv4 ACL is specified for the SNMP group. |
| ACL name | Name of the ACL. This field appears only when an ACL is specified for the SNMP group. |
| IPv6 ACL | Number of the IPv6 ACL. This field appears only when an IPv6 ACL is specified for the SNMP group. |
| IPV6 ACL name | Name of the IPv6 ACL. This field appears only when an IPv6 ACL is specified for the SNMP group. |
Related commands
snmp-agent group
display snmp-agent local-engineid
Use display snmp-agent local-engineid todisplay the local SNMP engine ID.
Syntax
display snmp-agent local-engineid
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
Every SNMP entity has one SNMP engine toprovide services for sending and receiving messages, authenticating andencrypting messages, and controlling access to managed objects.
An SNMP engine ID uniquely identifies anSNMP entity in an SNMP domain.
Examples
# Display the local SNMP engine ID.
<Sysname> display snmp-agentlocal-engineid
SNMP local engine ID:800063A2800084E52BED7900000001
Related commands
snmp-agent local-engineid
displaysnmp-agent mib-node
Use display snmp-agent mib-node to display SNMP MIB node information.
Syntax
display snmp-agent mib-node [ details | index-node | trap-node | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
details: Specifiesdetailed MIB node information, including node name, last octet of an OIDstring, and name of the next leaf node.
index-node: SpecifiesSNMP MIB tables, and node names and OIDs of MIB index nodes.
trap-node: Specifiesnode names and OIDs of MIB notification nodes, and node names and OIDs ofnotification objects.
verbose: Specifiesdetailed information about SNMP MIB nodes, including node names, OIDs, nodetypes, permissions to MIB nodes, data types, MORs, and parent, child, andsibling nodes.
Usage guidelines
If you do not specify any keywords, thiscommand displays information about all SNMP MIB nodes, including node name,OID, and permissions to MIB nodes.
The SNMP software package includesdifferent MIB files. Support for MIBs varies by SNMP software versions.
Examples
# Display SNMP MIB node information.
<Sysname> display snmp-agentmib-node
iso<1>(NA)
|-std<1.0>(NA)
|-iso8802<1.0.8802>(NA)
|-ieee802dot1<1.0.8802.1>(NA)
|-ieee802dot1mibs<1.0.8802.1.1>(NA)
...
Table 3 Command output
| Field | Description |
| -std | MIB node name |
| <1.0> | MIB node OID |
| (NA) | Access right to the MIB node: ·NA—Not accessible ·NF—Notifications ·RO—Read-only access ·RW—Read and write access ·RC—Read-write-create access ·WO—Write-only access |
| * | Leaf node or MIB table node |
# Display detailed MIB node information.
<Sysname> display snmp-agentmib-node details
iso(1)(dot1xPaeSystemAuthControl)
|-std(0)(dot1xPaeSystemAuthControl)
|-iso8802(8802)(dot1xPaeSystemAuthControl)
|-ieee802dot1(1)(dot1xPaeSystemAuthControl)
|-ieee802dot1mibs(1)(dot1xPaeSystemAuthControl)
...
Table 4 Command output
| Field | Description |
| -std | MIB node name |
| (0) | Last bit of the MIB OID string |
| (lldpMessageTxInterval) | Name of the leaf node |
| * | Leaf node or MIB table node |
# Display MIB table names, and node namesand OIDs of MIB index nodes.
<Sysname> display snmp-agentmib-node index-node
Table|dot1xPaePortTable
Index||dot1xPaePortNumber
OID |||1.0.8802.1.1.1.1.1.2.1.1
...
Table 5 Command output
| Field | Description |
| Table | MIB table name |
| Index | MIB index node name |
| OID | MIB index node OID |
# Display names and OIDs of MIBnotification nodes, and names and OIDs of notification objects.
<Sysname> display snmp-agentmib-node trap-node
Name |lldpRemTablesChange
OID ||1.0.8802.1.1.2.0.0.1
Trap Object
Name|||lldpStatsRemTablesInserts
OID||||1.0.8802.1.1.2.1.2.2
Name|||lldpStatsRemTablesDeletes
OID||||1.0.8802.1.1.2.1.2.3
Name|||lldpStatsRemTablesDrops
OID ||||1.0.8802.1.1.2.1.2.4
Name|||lldpStatsRemTablesAgeouts
OID||||1.0.8802.1.1.2.1.2.5
...
Table 6 Command output
| Field | Description |
| Name | MIB notification node name |
| OID | MIB notification node OID |
| Trap Object | Name and OID of a notification object |
# Display detailed information about SNMPMIB nodes, including node names, OIDs, node types, permissions to MIB nodes,data types, MORs, and parent, child, and sibling nodes.
<Sysname> display snmp-agentmib-node verbose
Name|iso
OID||1
Properties ||NodeType:Other
||AccessType:NA
||DataType:NA
||MOR:0x00000000
Parent ||
First child||std
Next leaf||dot1xPaeSystemAuthControl
Next sibling ||
...
Table 7 Command output
| Field | Description |
| Name | MIB node name. |
| OID | MIB node OID. |
| Properties | MIB node properties. |
| NodeType | MIB node type: ·Table—Table node. ·Row—Row node in a MIB table. ·Column—Column node in a MIB table. ·Leaf—Leaf node. ·Group—Group node (parent node of a leaf node). ·Trapnode—Notification node. ·Other—Other node type. |
| AccessType | Access right to the MIB node: ·NA—Not accessible. ·NF—Supports notifications. ·RO—Supports read-only access. ·RW—Supports read and write access. ·RC—Supports read-write-create access. ·WO—Supports write-only access. |
| DataType | Data type of the MIB node: ·Integer—An integer. ·Integer32—A 32-bit integer. ·Unsigned32—A 32-bit integer with no mathematical sign. ·Gauge—A non-negative integer that might increase or decrease. ·Gauge32—A 32-bit non-negative integer that might increase or decrease. ·Counter—A non-negative integer that might increase but not decrease. ·Counter32—A 32-bit non-negative integer that might increase but not decrease. ·Counter64—A 64-bit non-negative integer that might increase but not decrease. ·Timeticks—A non-negative integer for time keeping. ·Octstring—An octal string. ·OID—Object identifier. ·IPaddress—A 32-bit IP address. ·Networkaddress—A network IP address. ·Opaque—Any data. ·Userdefined—User-defined data. ·BITS—Bit enumeration. ·NA—Other data type. |
| MOR | MOR for the MIB node. |
| Parent | Name of the parent node. |
| First child | Name of the first leaf node. |
| Next leaf | Name of the next leaf node. |
| Next sibling | Name of the next sibling node. |
| Allow | Operation types allowed: ·get/set/getnext—All operations. ·get—Get operation. ·set—Set operation. ·getnext—GetNext operation. |
| Value range | Value range of the MIB node. |
| Index | Table index. This field appears only for a table node. |
display snmp-agent mib-view
Use display snmp-agent mib-view to display MIBviews.
Syntax
display snmp-agent mib-view [ exclude | include | viewname view-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
exclude: Displays thesubtrees excluded from any MIB view.
include: Displays thesubtrees included in any MIB view.
viewname view-name: Displays information about the specified MIB view. The view-name argument is a case-sensitive string of 1 to 32 characters.
Usage guidelines
If you do not specify any parameters, thiscommand displays all MIB views.
Examples
# Display all MIB views.
<Sysname> display snmp-agentmib-view
View name: ViewDefault
MIB Subtree: iso
Subtree mask:
Storage-type: nonVolatile
View Type: included
View status: active
View name: ViewDefault
MIB Subtree: snmpUsmMIB
Subtree mask:
Storage-type: nonVolatile
View Type: excluded
View status: active
View name: ViewDefault
MIB Subtree: snmpVacmMIB
Subtree mask:
Storage-type: nonVolatile
View Type: excluded
View status: active
View name: ViewDefault
MIB Subtree: snmpModules.18
Subtree mask:
Storage-type: nonVolatile
View Type: excluded
View status: active
ViewDefault is the default MIB view. The output shows that except for the MIBobjects in the snmpUsmMIB, snmpVacmMIB,and snmpModules.18subtrees, all the MIB objects in the iso subtreeare accessible.
Table 8 Command output
| Field | Description |
| View name | MIB view name. |
| MIB Subtree | MIB subtree covered by the MIB view. |
| Subtree mask | MIB subtree mask. |
| Storage-type | Type of the medium (see Table 1) where the subtree view is stored. |
| View Type | Access privilege for the MIB subtree in the MIB view: ·Included—All objects in the MIB subtree are accessible in the MIB view. ·Excluded—None of the objects in the MIB subtree is accessible in the MIB view. |
| View status | Status of the MIB view: ·active—MIB view is effective. ·inactive—MIB view is ineffective. The objects in the MIB view are not accessible, but they can send notifications. |
Related commands
snmp-agent mib-view
display snmp-agent remote
Use display snmp-agent remote to displayengine IDs of the remote SNMP entities.
Syntax
display snmp-agent remote [ { ipv4-address| ipv6 ipv6-address } [ vpn-instancevpn-instance-name ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv4-address: Specifiesa remote SNMP entity by its IPv4 address.
ipv6 ipv6-address: Specifies a remote SNMP entity by its IPv6 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the remote SNMP entitybelongs. The vpn-instance-nameargument represents the VPN instance name, a case-sensitive string of 1 to 31characters. If the remote SNMP entity belongs to the public network, do notspecify this option.
Usage guidelines
Every SNMP entity has one SNMP engine toprovide services for sending and receiving messages, authenticating andencrypting messages, and controlling access to managed objects.
An SNMP engine ID uniquely identifies anSNMP entity in an SNMP domain.
If you do not specify a remote SNMP entity,this command displays the engine IDs of all remote SNMP entities.
Examples
# Display engine IDs of all remote SNMPentities.
<Sysname> display snmp-agentremote
Remote engineID:800063A28000A0FC00580400000001
IPv4 address: 1.1.1.1
VPN instance: vpn1
Table 9 Command output
| Field | Description |
| Remote engineID | Remote SNMP engine ID you have configured using the snmp-agent remote command. |
| IPv4 address | IPv4 address of the remote SNMP entity. |
| IPv6 address | IPv6 address of the remote SNMP entity. This field is displayed if the remote SNMP entity is configured with an IPv6 address. |
| VPN instance | This field is available only if a VPN instance has been specified for the remote SNMP entity in the snmp-agent remote command. |
Related commands
snmp-agent remote
display snmp-agent statistics
Use display snmp-agent statistics to displaySNMP message statistics.
Syntax
display snmp-agent statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display SNMP message statistics.
<Sysname> display snmp-agentstatistics
1684 messages delivered to the SNMPentity.
5 messages were for an unsupportedversion.
0 messages used an unknown SNMPcommunity name.
0 messages represented an illegaloperation for the community supplied.
0 ASN.1 or BER errors in theprocess of decoding.
1679 messages passed from the SNMPentity.
0 SNMP PDUs had badValueerror-status.
0 SNMP PDUs had genErrerror-status.
0 SNMP PDUs had noSuchNameerror-status.
0 SNMP PDUs had tooBig error-status(Maximum packet size 1500).
16544 MIB objects retrievedsuccessfully.
2 MIB objects altered successfully.
7 GetRequest-PDU accepted andprocessed.
7 GetNextRequest-PDU accepted andprocessed.
1653 GetBulkRequest-PDU acceptedand processed.
1669 GetResponse-PDU accepted andprocessed.
2 SetRequest-PDU accepted andprocessed.
0 Trap PDUs accepted and processed.
0 alternate Response Class PDUsdropped silently.
0 forwarded Confirmed Class PDUsdropped silently.
Table 10 Command output
| Field | Description |
| messages delivered to the SNMP entity | Number of messages that the SNMP agent has received. |
| messages were for an unsupported version | Number of messages that are not supported by the SNMP agent version. |
| messages used an unknown SNMP community name | Number of messages that used an unknown SNMP community name. |
| messages represented an illegal operation for the community supplied | Number of messages carrying an operation that the community has no right to perform. |
| ASN.1 or BER errors in the process of decoding | Number of messages that had ASN.1 or BER errors during decoding. |
| messages passed from the SNMP entity | Number of messages sent by the SNMP agent. |
| SNMP PDUs had badValue error-status | Number of PDUs with a BadValue error. |
| SNMP PDUs had genErr error-status | Number of PDUs with a genErr error. |
| SNMP PDUs had noSuchName error-status | Number of PDUs with a NoSuchName error. |
| SNMP PDUs had tooBig error-status | Number of PDUs with a TooBig error (the maximum packet size is 1500 bytes). |
| MIB objects retrieved successfully | Number of MIB objects that have been successfully retrieved. |
| MIB objects altered successfully | Number of MIB objects that have been successfully modified. |
| GetRequest-PDU accepted and processed | Number of GetRequest requests that have been received and processed. |
| GetNextRequest-PDU accepted and processed | Number of getNext requests that have been received and processed. |
| GetBulkRequest-PDU accepted and processed | Number of getBulk requests that have been received and processed. |
| GetResponse-PDU accepted and processed | Number of get responses that have been received and processed. |
| SetRequest-PDU accepted and processed | Number of set requests that have been received and processed. |
| Trap PDUs accepted and processed | Number of notifications that have been received and processed. |
| alternate Response Class PDUs dropped silently | Number of dropped response packets. |
| forwarded Confirmed Class PDUs dropped silently | Number of forwarded packets that have been dropped. |
display snmp-agent sys-info
Use display snmp-agent sys-info to displaySNMP agent system information.
Syntax
display snmp-agent sys-info [ contact | location | version ] *
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
contact: Displays thesystem contact.
location: Displays thephysical location of the device.
version: Displays theSNMP agent version.
Usage guidelines
If you do not specify any keywords, thiscommand displays all SNMP agent system information.
Examples
# Display all SNMP agent systeminformation.
<Sysname> display snmp-agentsys-info
The contact information of theagent:
New H3C Technologies Co., Ltd.
The location information of theagent:
Hangzhou, China
The SNMP version of the agent:
SNMPv3
Related commands
snmp-agent sys-info
display snmp-agent trap queue
Use display snmp-agent trap queue to display basic information about the trap queue.
Syntax
display snmp-agent trap queue
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the trap queue configuration andusage status.
<Sysname> display snmp-agenttrap queue
Queue size: 100
Message number: 6
Related commands
snmp-agent trap life
snmp-agent trap queue-size
display snmp-agent trapbuffer drop
Use display snmp-agent trapbuffer drop to display SNMPnotifications drop records.
Syntax
display snmp-agent trapbuffer drop
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
When an SNMP notification is dropped fromthe SNMP trap queue, information about the notification is recorded in the SNMPtrap buffer.
Examples
# Display SNMP notifications drop records.
<Sysname> display snmp-agent trapbufferdrop
Current messages:1
Wed Dec 14 10:49:52:656 2019Notification hh3cCfgManEventlog(1.3.6.1.4.1.25506.2.4.2.1) dropped.
Current messages in the command output indicates the total number of SNMPnotifications drop records in the SNMP trap buffer.
Related commands
reset snmp-agent trapbuffer
display snmp-agent trapbuffer send
Use display snmp-agent trapbuffer send to display SNMPnotifications sending records.
Syntax
display snmp-agent trapbuffer send
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
After an SNMP notification is sent,information about the notification is recorded in the SNMP trap buffer. Theinformation includes the content, destination IP address, and sending result ofthe notification.
Examples
# Display SNMP notifications sendingrecords.
<Sysname> display snmp-agenttrapbuffer send
Current messages:2
Fri Jul 31 10:31:17 2020 Notificationhh3cLogOut(1.3.6.1.4.1.25506.2.2.1.1.3.0.2) failed to be sent to 19.16.11.89.
Fri Jul 31 10:31:17 2020 Notificationhh3cLogOut(1.3.6.1.4.1.25506.2.2.1.1.3.0.2) sent to 192.168.11.89 successfully.
Current messages in the command output indicates the total number of SNMPnotifications sending records in the SNMP trap buffer.
Related commands
reset snmp-agent trapbuffer
display snmp-agent trap-list
Use display snmp-agent trap-list to display SNMPnotifications enabling status for modules.
Syntax
display snmp-agent trap-list
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
If a module has multiple sub-modules andSNMP notifications are enabled for one of its sub-modules, the command outputshows that the module is SNMP notifications-enabled.
To determine whether a module supports SNMPnotifications, execute the snmp-agent trap enable ? command.
The display snmp-agent trap-list commandoutput varies by the snmp-agent trap enable commandconfiguration and the module configuration.
Examples
# Display SNMP notifications enablingstatus for modules.
<Sysname> display snmp-agenttrap-list
arp notification is disabled.
bfd notification is enabled.
…
Related commands
snmp-agent trap enable
display snmp-agent usm-user
Use display snmp-agent usm-user to displaySNMPv3 user information.
Syntax
display snmp-agent usm-user [ engineid engineid | group group-name | username user-name ] *
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
engineid engineid: Specifies an SNMP engine ID. The engine ID is case insensitive. Whenan SNMPv3 user is created, the system records the local SNMP entity engine ID.The user becomes invalid when the engine ID changes, and it becomes valid againwhen the recorded engine ID is restored.
group group-name: Specifies an SNMP group by its name. The group name is casesensitive.
username user-name: Specifies an SNMPv3 user by its name. The username is casesensitive.
Usage guidelines
This command displays only SNMPv3 usersthat you have created by using the snmp-agent usm-user v3 command. To display SNMPv1 or SNMPv2c users created by using the snmp-agentusm-user { v1 | v2c } command, use the display snmp-agent community command.
Examples
# Display information about all SNMPv3users.
<Sysname> display snmp-agentusm-user
Username: userv3
Group name: mygroupv3
Engine ID:800063A203000FE240A1A6
Storage-type: nonVolatile
UserStatus: active
ACL: 2000
Username: userv3
Group name: mygroupv3
Engine ID:8000259503000BB3100A508
Storage-type: nonVolatile
UserStatus: active
ACL name: testacl
Username: userv3code
Role name: groupv3code
network-operator
Engine ID:800063A203000FE240A1A6
Storage-type: nonVolatile
UserStatus: active
Username: userv3code
Role name: snmprole
network-operator
Engine ID: 800063A280000002BB0001
Storage-type: nonVolatile
UserStatus: active
Table 11 Command output
| Field | Description |
| Username | SNMP username. |
| Group name | SNMP group name. |
| Role name | SNMP user role name. |
| Engine ID | Engine ID that the SNMP agent used when the SNMP user was created. |
| Storage-type | Storage type: ·volatile. ·nonvolatile. ·permanent. ·readOnly. ·other. For more information about these storage types, see Table 1. |
| UserStatus | SNMP user status: ·active—The SNMP user is effective. ·notInService—The SNMP user is correctly configured but not activated. ·notReady—The SNMP user configuration is incomplete. ·other—Any other status. |
| ACL | Number of the ACL. This field appears only when an ACL is specified for the SNMPv3 user. |
| ACL name | Name of the ACL. This field appears only when an ACL is specified for the SNMPv3 user. |
| IPV6 ACL | Number of the IPv6 ACL. This field appears only when an ACL is specified for the SNMPv3 user. |
| IPV6 ACL name | Name of the IPv6 ACL. This field appears only when an ACL is specified for the SNMPv3 user. |
Related commands
snmp-agent usm-user v3
enable snmp trap updown
Use enable snmp trap updown to enable link state notifications on an interface.
Use undo enable snmp trap updown to disable linkstate notifications on an interface.
Syntax
enable snmp trap updown
undo enable snmp trap updown
Default
Link state notifications are enabled.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
For an interface to generatelinkUp/linkDown notifications when its state changes, you must also enable thelinkUp/linkDown notification function globally by using the snmp-agent trapenable standard [ linkdown | linkup ] * command.
Examples
# Enable GigabitEthernet 1/0/1 to sendlinkUp/linkDown SNMP traps to 10.1.1.1 in the community public.
<Sysname> system-view
[Sysname] snmp-agent trap enable
[Sysname] snmp-agent target-host trapaddress udp-domain 10.1.1.1 params securityname public
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] enable snmp trapupdown
Related commands
snmp-agent target-host
snmp-agent trap enable
reset snmp-agent trapbuffer
Use reset snmp-agent trapbuffer to clear all records from the SNMP trap buffer.
Syntax
reset snmp-agent trapbuffer
Views
User view
Predefined user roles
network-admin
Examples
# Clear all records from the SNMP trapbuffer.
<Sysname> reset snmp-agenttrapbuffer
Related commands
display snmp-agent trapbuffer drop
display snmp-agent trapbuffer send
snmp-agent
Use snmp-agent toenable the SNMP agent.
Use undo snmp-agent to disable the SNMP agent.
Syntax
snmp-agent
undo snmp-agent
Default
The SNMP agent is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The SNMP agent is automatically enabledwhen you execute any command that begins with snmp-agent except for the snmp-agent calculate-password command.
The SNMP agent will fail to be enabled whenthe port that the agent will listen on is used by another service. You can usethe snmp-agentport command to specify a listening port. Toview the UDP port use information, execute the display udpverbose command.
If you disable the SNMP agent, the SNMPsettings do not take effect. The display current-configuration command does not display the SNMP settings and the SNMP settingswill not be saved in the configuration file. For the SNMP settings to takeeffect, enable the SNMP agent.
Examples
# Enable the SNMP agent.
<Sysname> system-view
[Sysname] snmp-agent
Related commands
display udp verbose(see IP performance optimization commands in Layer 3—IPServices Configuration Guide)
snmp-agent port
snmp-agentacl
Use snmp-agent acl to configure an SNMP global ACL.
Use undo snmp-agent acl to delete the SNMP global ACL.
Syntax
snmp-agent acl [ ipv6 ] { acl-number | name acl-name }
undo snmp-agent acl [ ipv6 ]
Default
No SNMP global ACL is configured.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6ACL type. If you do not specify this keyword, this command configures an IPv4ACL.
acl-number: Specifiesan ACL by its number. The value range is 2000 to 2999 for basic ACLs and 3000to 3999 for advanced ACLs.
name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63characters.
Usage guidelines
After you configure this command, thedevice processes only SNMP packets permitted by the ACL and discards SNMPpackets denied by the ACL. The permitted SNMP packets will be further filteredby the ACLs configured in the snmp-agent community, snmp-agent group and then snmp-agent usm-user { v1 | v2c }, or snmp-agent group and then snmp-agent usm-user v3 commands. Only the NMSs that match the ACLs can use the community name orusername to access the device.
This command does not control NMS access ifthe specified ACL does not exist or does not contain any rules.
If you configure this command multipletimes to configure multiple IPv4 or IPv6 ACLs, the most recent configurationtakes effect.
When specifying ACLs, pay attention to thefollowing points:
·If the specified ACL does not exist, or thespecified ACL does not contain any rule, all NMSs can access the device.
·If a VPN instance is specified in an ACL rule,the rule applies only to the packets of the VPN instance. If no VPN instance isspecified in an ACL rule, the rule applies only to the packets on the publicnetwork.
·If the specified ACL contains rules, only NMSspermitted by the rules can access the device.
For more information about ACL, see ACL and QoS Configuration Guide.
Examples
# Create SNMP global ACL 2001.
<Sysname> system-view
[Sysname] snmp-agent acl 2001
Related commands
snmp-agent community
snmp-agent group
snmp-agent usm-user { v1 | v2c }
snmp-agent usm-user v3
snmp-agent calculate-password
Use snmp-agent calculate-password to calculate the encrypted form for a key in plaintext form.
Syntax
In non-FIPS mode:
snmp-agent calculate-password plain-password mode { 3desmd5 | 3dessha | 3dessha224 | 3dessha256 | 3dessha384 | 3dessha512 | aes192md5 | aes192sha | aes192sha224| aes192sha256 | aes192sha384 | aes192sha512 | aes256md5 | aes256sha | aes256sha224| aes256sha256 | aes256sha384 | aes256sha512 | md5 | sha | sha224 | sha256 | sha384 | sha512 } { local-engineid | specified-engineid engineid }
In FIPS mode:
snmp-agent calculate-password plain-password mode { aes192sha | aes192sha224 | aes192sha256 | aes192sha384 | aes192sha512 | aes256sha | aes256sha224 | aes256sha256 | aes256sha384 | aes256sha512 | sha | sha224 | sha256 | sha384 | sha512 } { local-engineid | specified-engineid engineid }
Views
System view
Predefined user roles
network-admin
Parameters
plain-password:Specifies a key in plaintext form. The plain-password argument is a case-sensitive string of 1 to 64 characters.
mode: Specifies an authenticationalgorithm and encryption algorithm. Options include:
·3desmd5: Calculates the encrypted formfor the encryption key by using the 3DES encryption algorithm and HMAC-MD5authentication algorithm.
·3dessha: Calculates the encrypted formfor the encryption key by using the 3DES encryption algorithm and HMAC-SHA1authentication algorithm.
·3dessha224: Calculates the encryptedform for the encryption key by using the 3DES encryption algorithm and HMAC-SHA224authentication algorithm.
·3dessha256: Calculates the encryptedform for the encryption key by using the 3DES encryption algorithm and HMAC-SHA256authentication algorithm.
·3dessha384: Calculates the encryptedform for the encryption key by using the 3DES encryption algorithm and HMAC-SHA384authentication algorithm.
·3dessha512: Calculates the encryptedform for the encryption key by using the 3DES encryption algorithm and HMAC-SHA512authentication algorithm.
·aes192md5: Calculates the encrypted formfor the encryption key by using the AES192 encryption algorithm and the HMAC-MD5authentication algorithm.
·aes192sha: Calculates the encrypted formfor the encryption key by using the AES192 encryption algorithm and the HMAC-SHA1authentication algorithm.
·aes192sha224: Calculates the encryptedform for the encryption key by using the AES192 encryption algorithm and the HMAC-SHA224authentication algorithm.
·aes192sha256: Calculates the encryptedform for the encryption key by using the AES192 encryption algorithm and the HMAC-SHA256authentication algorithm.
·aes192sha384: Calculates the encryptedform for the encryption key by using the AES192 encryption algorithm and the HMAC-SHA384authentication algorithm.
·aes192sha512: Calculates the encryptedform for the encryption key by using the AES192 encryption algorithm and the HMAC-SHA512authentication algorithm.
·aes256md5: Calculates the encrypted formfor the encryption key by using the AES256 encryption algorithm and the HMAC-MD5authentication algorithm.
·aes256 sha: Calculates the encrypted form for the encryption key by using the AES256encryption algorithm and the HMAC-SHA1 authentication algorithm.
·aes256sha224:Calculates the encrypted form for the encryption key by using the AES256encryption algorithm and the HMAC-SHA224 authentication algorithm.
·aes256sha256:Calculates the encrypted form for the encryption key by using the AES256encryption algorithm and the HMAC-SHA256 authentication algorithm.
·aes256sha384:Calculates the encrypted form for the encryption key by using the AES256encryption algorithm and the HMAC-SHA384 authentication algorithm.
·aes256sha512:Calculates the encrypted form for the encryption key by using the AES256encryption algorithm and the HMAC-SHA512 authentication algorithm.
·md5: Calculates the encrypted form for theauthentication key by using the HMAC-MD5 authentication algorithm and the encryptedform for the encryption key by using the HMAC-MD5 authentication algorithm and AESor DES encryption algorithm. When the HMAC-MD5 authentication algorithm isused, the encrypted authentication key and encryption key calculated from thesame plaintext password will be the same.
·sha: Calculates the encrypted form for theauthentication key by using the HMAC-SHA1 authentication algorithm and the encryptedform for the encryption key by using the HMAC-SHA1 authentication algorithm andAES or DES encryption algorithm. When the HMAC-SHA1 authentication algorithm isused, the encrypted authentication key and encryption key calculated from thesame plaintext password will be the same.
·sha224: Calculates the encrypted formfor the authentication key by using the HMAC-SHA224 authentication algorithmand the encrypted form for the encryption key by using the HMAC-SHA224authentication algorithm and AES or DES encryption algorithm. When the HMAC-SHA224authentication algorithm is used, the encrypted authentication key andencryption key calculated from the same plaintext password will be the same.
·sha256: Calculates the encrypted formfor the authentication key by using the HMAC-SHA256 authentication algorithmand the encrypted form for the encryption key by using HMAC-SHA256authentication algorithm and AES or DES encryption algorithm. When the HMAC-SHA256authentication algorithm is used, the encrypted authentication key andencryption key calculated from the same plaintext password will be the same.
·sha384: Calculates the encrypted formfor the authentication key by using the HMAC-SHA384 authentication algorithmand the encrypted form for the encryption key by using the HMAC-SHA384authentication algorithm and AES or DES encryption algorithm. When the HMAC-SHA384authentication algorithm is used, the encrypted authentication key andencryption key calculated from the same plaintext password will be the same.
·sha512: Calculates the encrypted formfor the authentication key by using the HMAC-SHA512 authentication algorithmand the encrypted form for the encryption key by using the HMAC-SHA512authentication algorithm and AES or DES encryption algorithm. When the HMAC-SHA512authentication algorithm is used, the encrypted authentication key andencryption key calculated from the same plaintext password will be the same.
local-engineid: Usesthe local engine ID to calculate the encrypted form for the key. You canconfigure the local engine ID by using the snmp-agent local-engineid command.
specified-engineid engineid: Uses a user-defined engine ID to calculate the encrypted form forthe key. The engineid argument is aneven number of case-insensitive hexadecimal characters. All-zero and all-Fstrings are invalid. The even number is in the range of 10 to 64.
Usage guidelines
Application scenarios
For security purposes, use the encrypted-formkey generated by using this command when you create SNMPv3 users by specifyingthe cipher keyword in the snmp-agentusm-user v3 command.
Operating mechanism
The device supports the HMAC-MD5 and HMAC-SHAauthentication algorithms.
·The computation speed of HMAC-MD5 is faster thanthat of HMAC-SHA, but the security strength of HMAC-SHA is higher than that ofHMAC-MD5.
·HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,HMAC-SHA384, and HMAC-SHA512 are all variants of the HMAC algorithm based onSHA. They are algorithms used for message authentication, but they differ insecurity and output length. HMAC-SHA1 uses the SHA1 algorithm, HMAC-SHA224 usesSHA224, HMAC-SHA256 uses SHA256, HMAC-SHA384 uses SHA384, and HMAC-SHA512 usesSHA512. The output lengths are 160 bits, 224 bits, 256 bits, 384 bits, and 512bits, respectively. In terms of security, as the output length increases, thesecurity also correspondingly increases.
The security levels of encryptionalgorithms supported by the device from highest to lowest are: AES256, AES192,AES, 3DES, DES. The more secure encryption algorithms have more complexmechanisms and slower processing speeds. For ordinary security requirements,the DES algorithm is sufficient to meet the needs.
Restrictions and guidelines
Make sure the SNMP agent is enabled beforeyou execute the snmp-agent calculate-password command.
The encrypted form of the key is valid onlyunder the engine ID specified for key conversion.
Examples
# Use the local engine ID and the HMAC-SHA1algorithm to calculate the encrypted form for key authkey.
<Sysname> system-view
[Sysname] snmp-agentcalculate-password authkey mode sha local-engineid
The encrypted key is:09659EC5A9AE91BA189E5845E1DDE0CC
Related commands
snmp-agent local-engineid
snmp-agent usm-user v3
snmp-agent community
Use snmp-agent community to configure an SNMPv1 or SNMPv2c community.
Use undo snmp-agent community to delete anSNMPv1 or SNMPv2c community.
Syntax
In VACM mode:
snmp-agent community { read | write } [ simple | cipher ] community-name [ mib-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name} ] *
undo snmp-agent community [ cipher ] community-name
In RBAC mode:
snmp-agent community [ simple | cipher ] community-name user-role role-name [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name} ] *
undo snmp-agent community [ cipher ] community-name
Default
No SNMPv1 or SNMPv2c communities exist.
Views
System view
Predefined user roles
network-admin
Parameters
read: Assigns thespecified community read-only access to MIB objects. A read-only community canonly inquire MIB information.
write: Assigns thespecified community read and write access to MIB objects. A read and writecommunity can configure MIB information.
simple: Specifies acommunity name in plaintext form. For security purposes, the community name specifiedin plaintext form will be stored in encrypted form.
cipher: Specifies a communityname in encrypted form.
community-name: Specifiesthe community name. The plaintext form is a case-sensitive string of 1 to 32characters. The encrypted form is a case-sensitive string of 33 to 73characters. Input a string as escape characters after a backslash (\).
mib-view view-name: Specifies the MIB view available for the community. The view-name argument represents a MIB view name, a case-sensitive string of 1 to32 characters. A MIB view represents a set of accessible MIB objects. If you donot specify a view, the specified community can access the MIB objects in thedefault MIB view ViewDefault.
user-role role-name: Specifies a user role name for the community, a case-sensitivestring of 1 to 63 characters.
acl: Specifies a basic oradvanced IPv4 ACL for the community.
ipv4-acl-number: Specifiesa basic or advanced IPv4 ACL by its number. The basic IPv4 ACL number is in therange of 2000 to 2999. The advanced IPv4 ACL number is in the range of 3000 to 3999.
name ipv4-acl-name: Specifies a basic or advanced IPv4 ACL by its name, acase-insensitive string of 1 to 63 characters.
acl ipv6: Specifies a basic or advanced IPv6 ACL for the community.
ipv6-acl-number:Specifies a basic or advanced IPv6 ACL by its number. The basic IPv6 ACL numberis in the range of 2000 to 2999. The advanced IPv6 ACL number is in the rangeof 3000 to 3999.
name ipv6-acl-name: Specifies a basic or advanced IPv6 ACL by its name, acase-insensitive string of 1 to 63 characters.
Usage guidelines
This command is not available in FIPS mode.
Only users with the network-admin orlevel-15 user role can execute this command. Users with other user roles cannotexecute this command even if these roles are granted access to commands of theSNMP feature or this command.
An SNMP community is identified by acommunity name. It contains a set of NMSs and SNMP agents. Devices in an SNMPcommunity authenticate each other by using the community name. An NMS and anSNMP agent can communicate only when they use the same community name.
Typically, publicis used as the read-only community name and privateis used as the read and write community name. To enhance security, you can assignyour SNMP communities a name other than public and private.
The snmp-agent community command allows you to use either of the following modes to control SNMPcommunity access to MIB objects:
·View-based access controlmodel—The VACM mode controls access to MIBobjects by assigning MIB views to SNMP communities.
·Role based access control—The RBAC mode controls access to MIB objects by assigning userroles to SNMP communities.
¡
¡The network-adminand level-15 user roles have the read and write access to all MIB objects.
¡Thenetwork-operator user role has the read-only access to all MIB objects.
For more information about user roles,see Fundamentals Configuration Guide.
RBAC mode controls access on a per MIBobject basis, and VACM mode controls access on a MIB view basis. As a bestpractice to enhance MIB security, use RBAC mode.
You can create a maximum of 10 SNMPcommunities by using the snmp-agent communitycommand.
If you execute the command multiple timesto specify the same community name but different other settings each time, themost recent configuration takes effect.
To set and save a community name in plaintext, do not specify the simple or cipher keyword.
The device uses the global ACL (configuredby using the snmp-agent acl command)and the ACL specified in this command in sequence to control NMS access. OnlyNMSs permitted by these two ACLs can access the device. When specifying ACLs, followthese guidelines:
·If the specified ACL does not exist, or thespecified ACL does not contain any rule, all NMSs can access the device.
·If a VPN instance is specified in an ACL rule,the rule applies only to the packets of the VPN instance. If no VPN instance isspecified in an ACL rule, the rule applies only to the packets on the publicnetwork.
·If you specify an ACL and the ACL has rules,only NMSs permitted by the ACL can access the device.
For more information about ACL, see ACL and QoS Configuration Guide.
You can also create an SNMP community byusing the snmp-agent usm-user { v1 | v2c } and snmp-agent group { v1 | v2c } commands. These two commands create an SNMPv1 or SNMPv2c user and thegroup to which the user is assigned. The system automatically creates an SNMPcommunity by using the SNMPv1 or SNMPv2c username as the community name.
The display snmp-agent community commanddisplays information only about communities created and saved in plaintextform.
Examples
# Create the read-only community with theplaintext form name readaccess so an SNMPv1 orSNMPv2c NMS can use the community name readaccessto read the MIB objects in the default view ViewDefault.
<Sysname> system-view
[Sysname] snmp-agent sys-info versionv1 v2c
[Sysname] snmp-agent community readsimple readaccess
# Create the read and write community withthe plaintext form name writeaccess so only theSNMPv2c NMS at 1.1.1.1 can use the community name writeaccessto read or set the MIB objects in the default view ViewDefault.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rulepermit source 1.1.1.1 0.0.0.0
[Sysname-acl-ipv4-basic-2001] ruledeny source any
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] snmp-agent sys-info versionv2c
[Sysname] snmp-agent community writesimple writeaccess acl 2001
# Create the read and write community withthe plaintext form name writeaccess so only theSNMPv2c NMS at 1.1.1.2 can use the community name writeaccessto read or set the MIB objects in the default view ViewDefault.
<Sysname> system-view
[Sysname] acl basic name testacl
[Sysname-acl-ipv4-basic-testacl] rulepermit source 1.1.1.2 0.0.0.0
[Sysname-acl-ipv4-basic-testacl] ruledeny source any
[Sysname-acl-ipv4-basic-testacl] quit
[Sysname] snmp-agent sys-info versionv2c
[Sysname] snmp-agent community write simplewriteaccess acl name testacl
# Create the read and write community withthe plaintext form name wr-sys-acc so an SNMPv1 orSNMPv2c NMS can use the community name wr-sys-accto read or set the MIB objects in the system subtree (OID 1.3.6.1.2.1.1).
<Sysname> system-view
[Sysname] snmp-agent sys-info versionv1 v2c
[Sysname] undo snmp-agent mib-viewViewDefault
[Sysname] snmp-agent mib-view includedtest system
[Sysname] snmp-agent community writesimple wr-sys-acc mib-view test
Related commands
display snmp-agent community
snmp-agent acl
snmp-agent mib-view
snmp-agentcommunity-map
Use snmp-agent community-map to map an SNMP community to an SNMP context.
Use undo snmp-agent community-map to delete the mapping between an SNMP community and an SNMPcontext.
Syntax
snmp-agent community-map community-name context context-name
undo snmp-agent community-map community-name context context-name
Default
No mapping exists between an SNMP communityand an SNMP context.
Views
System view
Predefined user roles
network-admin
Parameters
community-name:Specifies an SNMP community, a case-sensitive string of 1 to 32 characters.
context-name: Specifiesan SNMP context, a case-sensitive string of 1 to 32 characters.
Usage guidelines
This command enables a module on an agentto obtain the context mapped to a community name when an NMS accesses the agentby using SNMPv1 or SNMPv2c.
You can configure a maximum of 10community-context mappings on the device.
Examples
# Map SNMP community privateto SNMP context trillcontext.
<Sysname> system-view
[Sysname] snmp-agent community-mapprivate context testcontext
Related commands
display snmp-agent community
snmp-agent configuration-examineinterval
Use snmp-agent configuration-examine interval to set the intervals at which the SNMP module examines the systemconfiguration for changes.
Use undo snmp-agent configuration-examineinterval to restore the default.
Syntax
snmp-agent configuration-examine interval interval
undo snmp-agent configuration-examine interval
Default
The SNMP module examines the systemconfiguration for changes at intervals of 600 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies theintervals at which the SNMP module examines the system configuration forchanges, in seconds. The value is in the range of 1 to 86400.
Usage guidelines
The SNMP module examines the system runningconfiguration, startup configuration, and next-startup configuration file forchanges periodically and generates a log if any change is found. If SNMPnotifications for configuration changes has been enabled, the system generates alsoan SNMP notification.
You can use this command to modify theexamination interval.
Examples
# Set the intervals at which the SNMPmodule examines the system configuration for changes to 600 seconds.
<sysname> system-view
[sysname] snmp-agent configuration-examineinterval 600
Related commands
snmp-agent trap enable
snmp-agentcontext
Use snmp-agent context to create an SNMP context.
Use undo snmp-agent context to delete an SNMP context.
Syntax
snmp-agent context context-name
undo snmp-agent context context-name
Default
No SNMP contexts exist.
Views
System view
Predefined use roles
network-admin
Parameters
context-name: Specifiesan SNMP context, a case-sensitive string of 1 to 32 characters.
Usage guidelines
For an NMS and an SNMP agent tocommunicate, configure the same SNMP context for them or do not configure acontext for the NMS.
You can create a maximum of 20 SNMPcontexts.
Examples
# Create SNMP context trillcontext.
<Sysname> system-view
[Sysname] snmp-agent context testcontext
Related commands
display snmp-agent context
snmp-agent group
Use snmp-agent group to create an SNMP group.
Use undo snmp-agentgroup to delete an SNMP group.
Syntax
In non-FIPS mode:
·SNMPv1 and SNMP v2c:
snmp-agent group { v1 | v2c } group-name [ notify-view view-name | read-view view-name | write-view view-name ] * [ acl { ipv4-acl-number | name ipv4-acl-name} | acl ipv6 { ipv6-acl-number| name ipv6-acl-name } ] *
undo snmp-agent group { v1 | v2c } group-name
·SNMPv3:
snmp-agent group v3 group-name [ authentication | privacy ] [ notify-view view-name | read-view view-name | write-view view-name ] * [ acl { ipv4-acl-number | name ipv4-acl-name} | acl ipv6 { ipv6-acl-number| name ipv6-acl-name } ] *
undo snmp-agent group v3 group-name [ authentication | privacy ]
In FIPS mode:
snmp-agent group v3 group-name { authentication | privacy } [ notify-view view-name | read-view view-name | write-view view-name ] * [ acl { ipv4-acl-number | name ipv4-acl-name} | acl ipv6 { ipv6-acl-number| name ipv6-acl-name } ] *
undo snmp-agent group v3 group-name { authentication | privacy }
Default
No SNMP groups exist.
Views
System view
Predefined use roles
network-admin
Parameters
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
v3: Specifies SNMPv3.
group-name: Specifies anSNMP group name, a case-sensitive string of 1 to 32 characters.
authentication:Specifies the authentication without privacy security model for the SNMPv3group.
privacy: Specifies theauthentication with privacy security model for the SNMPv3 group.
read-view view-name: Specifies a read-only MIB view by its name, a case-sensitive stringof 1 to 32 characters. If you do not specify a read-only MIB view, the SNMPgroup has read access to the default view ViewDefault.
notify-view view-name: Specifies a notify MIB view by its name, a case-sensitive stringof 1 to 32 characters. By default, no notify MIB view is configured.
write-view view-name: Specifies a read and write MIB view by its name, a case-sensitive stringof 1 to 32 characters. If you do not specify a read and write view, the SNMPgroup cannot set any MIB object on the SNMP agent.
acl: Specifies a basic oradvanced IPv4 ACL for the group.
ipv4-acl-number:Specifies a basic or advanced IPv4 ACL by its number. The basic IPv4 ACL numberis in the range of 2000 to 2999. The advanced IPv4 ACL number is in the rangeof 3000 to 3999.
name ipv4-acl-name: Specifies a basic or advanced IPv4 ACL by its name, acase-insensitive string of 1 to 63 characters.
acl ipv6: Specifies a basic or advanced IPv6 ACL for the group.
ipv6-acl-number:Specifies a basic or advanced IPv6 ACL by its number. The basic IPv6 ACL numberis in the range of 2000 to 2999. The advanced IPv6 ACL number is in the rangeof 3000 to 3999.
name ipv6-acl-name: Specifies a basic or advanced IPv6 ACL by its name, acase-insensitive string of 1 to 63 characters.
Usage guidelines
SNMPv1 and SNMPv2c settings in this commandare not supported in FIPS mode.
Only users with the network-admin orlevel-15 user role can execute this command. Users with other user roles cannotexecute this command even if these roles are granted access to commands of theSNMP feature or this command.
All users in an SNMP group share thesecurity model and access rights of the group.
You can create a maximum of 20 SNMP groups,including SNMPv1, SNMPv2c, and SNMPv3 groups.
All SNMPv3 users in a group share the samesecurity model, but can use different authentication and encryption keysettings. To implement a security model for a user and avoid SNMP communicationfailures, make sure the security model configuration for the group and thesecurity key settings for the user are compliant with Table 12 andmatch the settings on the NMS.
Table 12 Basic security setting requirementsfor different security models
| Security model | Security model keyword for the group | Security key settings for the user | Remarks |
| Authentication with privacy | privacy | Authentication key, encryption key | If the authentication key or the encryption key is not configured, SNMP communication will fail. |
| Authentication without privacy | authentication | Authentication key | If no authentication key is configured, SNMP communication will fail. The encryption key (if any) for the user does not take effect. |
| No authentication, no privacy | Neither authentication nor privacy | None | The authentication and encryption keys, if configured, do not take effect. |
The device uses the global ACL (configuredby using the snmp-agent acl command),the ACL specified for the SNMP group, and the ACL specified for the SNMP userin sequence to control NMS access. Only NMSs permitted by these three ACLs canaccess the device. When specifying ACLs, follow these guidelines:
·If the specified ACL does not exist, or thespecified ACL does not contain any rule, all NMSs can access the device.
·If a VPN instance is specified in an ACL rule,the rule applies only to the packets of the VPN instance. If no VPN instance isspecified in an ACL rule, the rule applies only to the packets on the publicnetwork.
·If you specify an ACL and the ACL has rules,only NMSs permitted by the ACL can access the device.
For more information about ACL, see ACL and QoS Configuration Guide.
Examples
# Create the SNMPv3 group group1.
<Sysname> system-view
[Sysname] snmp-agent group v3 group1
Related commands
display snmp-agent group
snmp-agent acl
snmp-agent mib-view
snmp-agent usm-user
snmp-agent local-engineid
Use snmp-agent local-engineid to set an SNMP engine ID.
Use undo snmp-agent local-engineid to restore the default.
Syntax
snmp-agent local-engineid { engineid | bridge-mac-based }
undo snmp-agent local-engineid
Default
The SNMP engine ID of the device is thecompany ID plus the device ID.
Views
System view
Predefined user roles
network-admin
Parameters
engineid: Specifies anSNMP engine ID, a case-insensitive hexadecimal string. Its length is an evennumber in the range of 10 to 64. All-zero and all-F strings are invalid.
bridge-mac-based: Generatesan SNMP engine ID based on the bridge MAC address of the device.
Usage guidelines
Application scenarios
Under normal circ*mstances, the deviceautomatically generates an SNMP engine ID, and no modification is required. Ifa conflict of SNMP engine IDs occurs within the network managed by the sameNMS, meaning multiple devices have the same ID, execute this command to modifyand ensure the uniqueness of the SNMP engine ID.
Operating mechanism
The SNMP engine ID is an importantparameter in the SNMP protocol used to uniquely identify a management entityand has the following roles in practical applications:
·Agent identification: The SNMP engine ID can be used to uniquely identify differentnetwork devices or management entity SNMP Agents. This enables accurate identificationand distinction of different devices within the network management system,facilitating management and monitoring.
·Security authentication: In the SNMP protocol, the engine ID is used for securityauthentication. For example, in SNMPv3, the engine ID is an important parameterrequired for computing the Message Authentication Code (MAC), ensuring theintegrity and security of the message.
·Context identification: The SNMP engine ID is commonly used along with other parameters todefine a context identifier, which is used in SNMP operations to specify aparticular instance of management information or a management information view.
By default, the device uses the smallestMAC address among the addresses of all interfaces to automatically generate theSNMP engine ID for the device. Typically, the default engine ID of the deviceis sufficient. However, in certain special networking scenarios, such as DRNIVLAN dual-active networking, it is required that the VLAN interfaces associatedwith the DRNI interfaces on two devices are configured with the same MACaddress. If the MAC address specified by the user happens to be the smallest,then the default generated SNMP engine IDs of these two devices will be thesame. In this case, you can use this command to modify the SNMP engine ID ofone of the devices.
This command supports generating the SNMPengine ID in either of the following ways:
·Users can plan the SNMP engine ID according to acertain pattern and configure it using this command to ensure it is differentfrom the SNMP engine IDs of other devices. For example, the engine ID for Device1 on the first floor of building A can be set as 000Af0010001, while the engineID for Device 2 can be configured as 000Af0010002.
·Configure this command to automatically generatethe SNMP engine ID based on the device bridge MAC address. Since the devicebridge MAC address is globally unique, this method can more easily generate aunique SNMP engine ID across the network without the need for manual input ofthe SNMP engine ID.
Restrictions and guidelines
In SNMPv3, the username and ciphertextpassword are associated with the engine ID. If the engine ID is changed, theusername and password configured under the original engine ID become invalid. Inthis case, reconfigure the username and password.
Examples
# Set the local SNMP engine ID to 123456789A.
<Sysname> system-view
[Sysname] snmp-agent local-engineid123456789A
Related commands
display snmp-agent local-engineid
snmp-agent usm-user
snmp-agent log
Use snmp-agent log to enable SNMP logging.
Use undo snmp-agent log to disable SNMP logging.
Syntax
snmp-agent log { all | authfail | get-operation | set-operation }
undo snmp-agent log { all | authfail | get-operation | set-operation }
Default
SNMP logging is enabled for set operationsand disabled for SNMP authentication failures and get operations.
Views
System view
Predefined user roles
network-admin
Parameters
all: Enables loggingSNMP authentication failures, Get operations, and Set operations.
authfail: Enableslogging SNMP authentication failures.
get-operation: Enableslogging SNMP Get operations.
set-operation: Enableslogging SNMP Set operations.
Usage guidelines
Use SNMP logging to record the SNMPoperations performed on the SNMP agent or authentication failures from the NMSto the agent for auditing NMS behaviors. The SNMP agent sends log data to theinformation center. You can configure the information center to output the datato a destination as needed.
Examples
# Enable logging SNMP Get operations.
<Sysname> system-view
[Sysname] snmp-agent logget-operation
# Enable logging SNMP Set operations.
<Sysname> system-view
[Sysname] snmp-agent logset-operation
# Enable logging SNMP authenticationfailures.
<Sysname> system-view
[Sysname] snmp-agent log authfail
snmp-agent mib-view
Use snmp-agent mib-view to create or update a MIB view.
Use undo snmp-agent mib-view to delete a MIB view.
Syntax
snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]
undo snmp-agent mib-view view-name
Default
The system creates the ViewDefault view when the SNMP agent is enabled. In thisdefault MIB view, all MIB objects in the iso subtreebut the snmpUsmMIB, snmpVacmMIB,and snmpModules.18 subtrees are accessible.
Views
System view
Predefined user roles
network-admin
Parameters
excluded: Denies accessto any node in the specified MIB subtree.
included: Permitsaccess to all the nodes in the specified MIB subtree.
view-name: Specifies aview name, a case-sensitive string of 1 to 32 characters.
oid-tree: Specifies aMIB subtree by its root node's OID (for example, 1.3.6.1.2.1.1)or object name (for example, system). The oid-tree argument is a case-sensitive string of 1 to 255 characters. An OIDis a dotted numeric string that uniquely identifies an object in the MIB tree.
mask mask-value: Sets a MIB subtree mask, a case-insensitive hexadecimal string.Its length is an even number in the range of 1 to 32.
Usage guidelines
A MIB view represents a set of MIB objects(or MIB object hierarchies) with certain access privilege. The MIB objectsincluded in the MIB view are accessible while those excluded from the MIB vieware inaccessible.
Each view-name oid-tree pair represents a view record. If you specify the same record withdifferent MIB subtree masks multiple times, the most recent configuration takeseffect.
Be cautious with deleting the default MIBview. The operation blocks the access to any MIB object on the device from NMSsthat use the default view.
Examples
# Include the mib-2(OID 1.3.6.1.2.1) subtree in the mibtest view andexclude the system subtree from this view.
<Sysname> system-view
[Sysname] snmp-agent sys-info versionv1
[Sysname] snmp-agent mib-viewincluded mibtest 1.3.6.1.2.1
[Sysname] snmp-agent mib-viewexcluded mibtest system
[Sysname] snmp-agent community readpublic mib-view mibtest
An SNMPv1 NMS in the publiccommunity can query the objects in the mib-2subtree but not any object (for example, the sysDescr orsysObjectID node) in the system subtree.
Related commands
display snmp-agent mib-view
snmp-agent group
snmp-agent packet max-size
Use snmp-agent packet max-size to set the maximum size (in bytes) of SNMP packets that an SNMPagent can receive or send.
Use undo snmp-agent packet max-size to restore the default.
Syntax
snmp-agent packet max-size byte-count
undo snmp-agent packet max-size
Default
An SNMP agent can process SNMP packets witha maximum size of 1500 bytes.
Views
System view
Predefined user roles
network-admin
Parameters
byte-count: Sets themaximum size (in bytes) of SNMP packets that the SNMP agent can receive orsend. The value range is 484 to 17940.
Usage guidelines
If any device on the path to the NMS doesnot support packet fragmentation, limit the SNMP packet size to preventlarge-sized packets from being discarded. For most networks, the default valueis sufficient.
Examples
# Set the maximum SNMP packet size to 1024bytes.
<Sysname> system-view
[Sysname] snmp-agent packet max-size1024
snmp-agent packet response dscp
Use snmp-agent packet response dscp to set the DSCP value for SNMP responses.
Use undo snmp-agent packet response dscp to restore the default.
Syntax
snmp-agent packet response dscp dscp-value
undo snmp-agent packet response dscp
Default
The DSCP value for SNMP responses is 0.
Views
System view
Predefined user roles
network-admin
Parameters
dscp-value: Sets theDSCP value for SNMP responses, in the range of 0 to 63. A greater DSCP valuerepresents a higher priority.
Usage guidelines
The DSCP value is encapsulated in the ToSfield of an IP packet. It specifies the priority level of the packet andaffects the transmission priority of the packet.
Examples
# # Set the DSCP value to 40 for SNMP responses.
<Sysname> system-view
[Sysname] snmp-agent packet responsedscp 40
snmp-agent port
Use snmp-agent port to specify an SNMP listening port.
Use undo snmp-agent port to restore the default.
Syntax
snmp-agent port port-number
undo snmp-agent port
Default
The SNMP listening port is UDP port 161.
Views
System view
Predefined user roles
network-admin
Parameters
port-number: Specifies anSNMP listening port by its number in the range of 1 to 65535.
Usage guidelines
The SNMP agent will fail to be enabled whenthe port that the agent will listen on is used by another service. You can usethe snmp-agentport command to change the SNMP listening port.As a best practice, execute the display udp verbose command to view the UDP port use information before specifying a newSNMP listening port.
After you change the SNMP listening port, theNMS can perform SNMP set and get operations on the device only after reconnectingthe device by using the new port number.
Examples
# Specify 5555 asthe SNMP listening port.
<Sysname> system-view
[Sysname] snmp-agent port 5555
Related commands
display udp verbose(see IP performance optimization commands in Layer 3—IPServices Configuration Guide)
snmp-agent remote
Use snmp-agent remote to set an SNMP engine ID for a remote SNMP entity.
Use undo snmp-agent remote to delete the SNMPengine ID of a remote SNMP entity.
Syntax
snmp-agent remote { ipv4-address | ipv6 ipv6-address } [ vpn-instancevpn-instance-name ] engineid engineid
undo snmp-agent remote ip-address
Default
No SNMP engine IDs are configured forremote SNMP entities.
Views
System view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifiesa remote SNMP entity by its IPv4 address.
ipv6 ipv6-address: Specifies a remote SNMP entity by its IPv6 address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the remote SNMP entitybelongs. The vpn-instance-nameargument represents the VPN instance name. a case-sensitive string of 1 to 31characters. If the SNMP entity belongs to the public network, do not specifythis option.
engineid: Specifies theSNMP engine ID of the remote SNMP entity. This argument is a case-insensitive hexadecimalstring. Its length is an even number in the range of 10 to 64. All-zero andall-F strings are invalid.
Usage guidelines
To send informs to an NMS, you mustconfigure the SNMP engine ID of the NMS on the SNMP agent.
The NMS accepts the SNMPv3 informs from theSNMP agent only if the engine ID in the informs is the same as its local engineID.
You can configure a maximum of 20 remoteSNMP engine IDs.
Examples
# Set the SNMP engine ID to 123456789A for the remote entity 10.1.1.1.
<Sysname> system-view
[Sysname] snmp-agent remote 10.1.1.1engineid 123456789A
Related commands
display snmp-agent remote
snmp-agent silence enable
Use snmp-agent silence enable to enable SNMP silence.
Use undo snmp-agent silence enable to disable SNMP silence.
Syntax
snmp-agent silence enable
undo snmp-agent silence enable
Default
SNMP silence is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
SNMP silence enables the device to automaticallydetect and defend against SNMP attacks.
After you enable SNMP, the deviceautomatically starts an SNMP silence timer and counts the number of SNMPpackets that fail authentication within 1 minute.
·If the number of the packets is smaller than100, the device restarts the timer and counting.
·If the number of the packets is equal to orgreater than 100, the SNMP module enters a 5-minute silence period, duringwhich the device does not respond to any SNMP packets. After the 5 minutesexpire, the device restarts the timer and counting.
Examples
# Enable SNMP silence.
<Sysname> system-view
[Sysname] snmp-agentsilence enable
snmp-agent sys-info contact
Use snmp-agent sys-info contact to configure the system contact.
Use undo snmp-agent sys-info contact to restore the default contact.
Syntax
snmp-agent sys-info contact sys-contact
undo snmp-agent sys-info contact
Default
The system contact is NewH3C Technologies Co., Ltd..
Views
System view
Predefined user roles
network-admin
Parameters
sys-contact: Specifiesthe system contact, a case-sensitive string of 1 to 255 characters.
Usage guidelines
Configure the system contact for systemmaintenance and management.
Examples
# Configure the system contact as Dial System Operator # 27345.
<Sysname> system-view
[Sysname] snmp-agent sys-info contactDial System Operator # 27345
Related commands
display snmp-agent sys-info
snmp-agentsys-info location
Use snmp-agent sys-info location to configure the system location.
Use undo snmp-agent sys-info location to restore the default location.
Syntax
snmp-agent sys-info location sys-location
undo snmp-agent sys-info location
Default
The system location is Hangzhou, China.
Views
System view
Predefined user roles
network-admin
Parameters
sys-location: Specifiesthe system location, a case-sensitive string of 1 to 255 characters.
Usage guidelines
Configure the location of the device forsystem maintenance and management.
Examples
# Configure the system location as Room524-row1-3.
<Sysname> system-view
[Sysname] snmp-agent sys-infolocation Room524-row1-3
Related commands
display snmp-agent sys-info
snmp-agentsys-info version
Use snmp-agent sys-info version to enable SNMP versions.
Use undo snmp-agent sys-info version to disable SNMP versions.
Syntax
In non-FIPS mode:
snmp-agent sys-info contact version { all | { v1 | v2c | v3 } * }
undo snmp-agent sys-info version { all | { v1 | v2c | v3 } * }
In FIPS mode:
snmp-agent sys-info version v3
undo snmp-agent sys-info version v3
Default
SNMPv3 is enabled.
Views
System view
Predefined user roles
network-admin
Parameters
all: Specifies SNMPv1,SNMPv2c, and SNMPv3.
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
v3: Specifies SNMPv3.
Usage guidelines
SNMPv1 and SNMPv2c settings in this commandare not supported in FIPS mode.
Configure the SNMP agent with the same SNMPversion as the NMS for successful communications between them.
The community name and data carried inSNMPv1 and SNMPv2c messages are in plaintext form, putting the SNMPcommunication at risks. As a best practice, use SNMPv3.
To use SNMP notifications in IPv6, enable SNMPv2cor SNMPv3.
Examples
# Enable SNMPv3.
<Sysname> system-view
[Sysname] snmp-agent sys-info versionv3
Related commands
display snmp-agent sys-info
snmp-agent target-host
Use snmp-agent target-host to configure an SNMP notification target host.
Use undo snmp-agenttarget-host to remove an SNMP notificationtarget host.
Syntax
In non-FIPS mode:
snmp-agent target-host inform address udp-domain { ipv4-target-host | ipv6 ipv6-target-host} [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params { cipher-securitynamecipher-security-string v2c | securityname security-string { v2c | v3 [ authentication | privacy ] } }
snmp-agent target-host trap address udp-domain { ipv4-target-host | ipv6 ipv6-target-host} [ udp-port port-number ] [ dscp dscp-value ] [ vpn-instancevpn-instance-name ] params { cipher-securityname cipher-security-string [ v1 | v2c ] | securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ] }
undo snmp-agent target-host { trap | inform } address udp-domain { ipv4-target-host | ipv6 ipv6-target-host} params { cipher-securitynamecipher-security-string | securityname security-string } [ vpn-instancevpn-instance-name ]
In FIPS mode:
snmp-agent target-host inform address udp-domain { ipv4-target-host | ipv6 ipv6-target-host} [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string v3 { authentication | privacy }
snmp-agent target-host trap address udp-domain { ipv4-target-host | ipv6 ipv6-target-host} [ udp-port port-number ] [ dscp dscp-value ] [ vpn-instance vpn-instance-name ] params securityname security-string v3 { authentication | privacy }
undo snmp-agent target-host { trap | inform } address udp-domain { ipv4-target-host | ipv6 ipv6-target-host} params securityname security-string [ vpn-instance vpn-instance-name ]
Default
No SNMP notification target hosts exist.
Views
System view
Predefined user roles
network-admin
Parameters
inform: Specifies ahost that receives informs.
trap: Specifies a host thatreceives traps.
address: Specifies thedestination address of SNMP notifications.
udp-domain: SpecifiesUDP as the transport protocol.
ipv4-target-host:Specifies a target host by its IPv4 address or host name. The host name is acase-insensitive string of 1 to 253 characters. The string can only containletters, numbers, hyphens (-), underscores (_), and dots (.). If you specify ahost name, the IPv4 address of the target host can be obtained.
ipv6 ipv6-target-host: Specifies a target hostby its IPv6 address or host name. The host name is a case-insensitive string of1 to 253 characters, which only contains letters, numbers, hyphens (-),underscores (_), and dots (.). If you specify a host name, the IPv6 address ofthe target host can be obtained. If you specify an IPv6 address, the addresscannot be a link local address.
udp-port port-number: Specifies the UDP port for SNMP notifications. The default portnumber is 162.
dscp-value: Sets theDSCP value for traps sent to the target host, in the range of 0 to 63. The DSCPvalue is encapsulated in the ToS field of an IP packet. It specifies thepriority level of the packet and affects the transmission priority of thepacket. A greater DSCP value represents a higher priority. The default DSCPvalue for traps is 0.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the target host belongs.The vpn-instance-name argument represents the VPN instance name, a case-sensitive stringof 1 to 31 characters. If the target host belongs to the public network, do notspecify this option.
params: Configuresauthentication parameters.
cipher-securityname cipher-security-string: Specifies a plaintext or ciphertext authentication parameter. Forsecurity purposes, the authentication parameter is saved in ciphertext. The cipher-security-stringargument specifies an SNMPv1 or SNMPv2ccommunity name. It can be a string of 1 to 32 characters in plain text or astring of 33 to 73 characters in ciphertext.
securityname security-string: Specifies a plaintext authentication parameter. The security-string argument specifies an SNMPv1 or SNMPv2c community name or an SNMPv3username. It is a string of 1 to 32 characters in plain text.
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
v3: Specifies SNMPv3.
·authentication: Specifies the securitymodel to be authentication without privacy. You must specify the authenticationkey when you create the SNMPv3 user.
·privacy: Specifies the security model tobe authentication with privacy. You must specify the authentication key and encryptionkey when you create the SNMPv3 user.
Usage guidelines
You can specify multiple SNMP notificationtarget hosts.
Make sure the SNMP agent uses the same UDPport for SNMP notifications as the target host. Typically, NMSs, for example,IMC and MIB Browser, use port 162 for SNMP notifications as defined in the SNMPprotocols.
If none of the keywords v1, v2c, or v3 is specified, SNMPv1 is used. Make sure the SNMP agent uses thesame SNMP version as the target host so the host can receive the notification.
If neither authentication nor privacy is specified,the security model is no authentication, no privacy.
Examples
# Configure the SNMP agent to send SNMPv3traps to 10.1.1.1 by using the username public.
<Sysname> system-view
[Sysname] snmp-agent trap enablestandard
[Sysname] snmp-agent target-host trapaddress udp-domain 10.1.1.1 params securityname public v3
Related commands
snmp-agent { inform | trap } source
snmp-agent trap enable
snmp-agent trap life
snmp-agent trap enable
Use snmp-agent trap enable to enable SNMP notifications.
Use undo snmp-agent trap enable to disable SNMP notifications.
Syntax
snmp-agent trap enable [ configuration | protocol | standard [ authentication | coldstart | linkdown | linkup | warmstart ] * | system ]
undo snmp-agent trap enable [ configuration | protocol | standard [ authentication | coldstart | linkdown | linkup | warmstart ] * | system ]
Default
Configuration change notifications, SNMP standardnotifications, and system notifications are enabled. For SNMP notifications enablingstatus for other modules, see the module guide.
Views
System view
Predefined user roles
network-admin
Parameters
configuration:Specifies configuration change notifications. After configuration changenotifications is enabled, the SNMP module examines the system runningconfiguration, startup configuration, and next-startup configuration file forchanges periodically. The system generate a log and also an SNMP notificationif any change is found. You can use the snmp-agent configuration-examine interval command to modify the intervals at which the SNMP module examines thesystem configuration for changes.
protocol: Specifies protocolmodule notifications. You can use the snmp-agent trap enable ? command toobtain the value of this argument. For more information about this argument,see the command reference for each module.
standard: SpecifiesSNMP standard notifications.
Table 13 Standard SNMP notifications
| Keyword | Definition |
| authentication | Authentication failure notification sent when an NMS fails to be authenticated by the SNMP agent. |
| coldstart | Notification sent when the SNMP entity restarts and its configuration might be altered. |
| linkdown | Notification sent when the link of a port goes down. |
| linkup | Notification sent when the link of a port comes up. |
| warmstart | Notification sent when the SNMP entity restarts with its configuration unaltered. |
system: Specifiessystem notifications. A system notification is sent when the system time ismodified, the system reboots, or the main system software image is notavailable.
Usage guidelines
To report critical protocol events to anNMS, first enable the protocol and then enable SNMP notifications for theprotocol.
To use SNMP notifications in IPv6, enableSNMPv2c or SNMPv3.
For SNMP notifications to be sent correctly,you must also configure the notification sending parameters as required.
If no optional parameters are specified, thiscommand or its undo form enables ordisables all SNMP notifications supported by the device.
Examples
# Enable the SNMP agent to send SNMPauthentication failure notifications.
<Sysname> system-view
[Sysname] snmp-agent trap enablestandard authentication
Related commands
snmp-agent configuration-examine interval
snmp-agent sys-info version
snmp-agent target-host
snmp-agenttrap format
Use snmp-agent trap format to specify the notification format.
Use undo snmp-agent trapformat to restore the default.
Syntax
snmp-agent trap format cmcc
undo snmp-agent trap format
Default
The SNMP notifications are in generalformat.
Views
System view
Predefined user roles
network-admin
Parameters
cmcc: Specifies theCMCC format.
Usage guidelines
You can select the standard or CMCC formatfor notifications sent to an NMS as needed.
Examples
# Specify the notification format as CMCC.
<Sysname> system-view
[Sysname] snmp-agent trap format cmcc
Related commands
snmp-agent target-host
snmp-agent trap if-mib link extended
Use snmp-agent trap if-mib link extended to configure the SNMP agent to send extended linkUp/linkDownnotifications.
Use undo snmp-agent trap if-mib link extended to restore the default.
Syntax
snmp-agent trap if-mib link extended
undo snmp-agent trap if-mib link extended
Default
The SNMP agent sends standardlinkUp/linkDown notifications.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Extended linkUp and linkDown notificationsadd interface description and interface type to the standard linkUp/linkDownnotifications for fast failure point identification.
When you use this command, make sure theNMS supports the extended linkup and linkDown notifications.
Examples
# Enable extended linkUp/linkDownnotifications.
<Sysname> system-view
[Sysname] snmp-agent trap if-mib linkextended
snmp-agent trap life
Use snmp-agent trap life to set the lifetime of notifications in the SNMP notification queue.
Use undo snmp-agent trap life to restore the default notification lifetime.
Syntax
snmp-agent trap life seconds
undo snmp-agent trap life
Default
The SNMP notification lifetime is 120seconds.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Sets alifetime in the range of 1 to 2592000, in seconds.
Usage guidelines
When congestion occurs, the SNMP agentbuffers notifications in a queue. The notification lifetime sets how long anotification can stay in the queue. A notification is deleted when its lifetimeexpires.
Examples
# Set the SNMP notification lifetime to 60seconds.
<Sysname> system-view
[Sysname] snmp-agent trap life 60
Related commands
snmp-agent target-host
snmp-agent trap enable
snmp-agent trap queue-size
snmp-agent trap log
Use snmp-agent trap log to enable SNMP notification logging.
Use undo snmp-agent trap log to disableSNMP notification logging.
Syntax
snmp-agent trap log
undo snmp-agent trap log
Default
SNMP notification logging is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use SNMP notification logging to recordSNMP notifications sent by the SNMP agent for notification tracking. The SNMPagent sends the logs to the information center. You can configure theinformation center to output the logs to a destination as needed.
Examples
# Enable SNMP notification logging.
<Sysname> system-view
[Sysname] snmp-agent trap log
snmp-agent trap snmpv2-mib authenticationfailure extended
Use snmp-agent trap snmpv2-mib authenticationfailureextended to enable the device to generate authenticationfailure alarm messages in extended format.
Use undo snmp-agent trap snmpv2-mibauthenticationfailure extended to restore thedefault.
Syntax
snmp-agent trap snmpv2-mib authenticationfailureextended
undo snmp-agent trap snmpv2-mib authenticationfailureextended
Default
The device sends authentication failurealarm messages in standard format, instead of extended format.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
When the NMS accesses a device andauthentication fails, the device logs the IP address type and information ofthe NMS for network administrators to trace the source.
Operating mechanism
For SNMP versions v1/v2c, if an NMS accessrequest carries a nonexistent community string, the device considers the NMSauthentication failed and generates an authentication failure alarm. Forversion v3, if the username or authentication password carried in the NMSaccess request is incorrect, the device also considers the authentication failedand generates an authentication failure alarm.
After you configure this command, when anNMS accesses the device and fails authentication, the device generates anauthentication failure alarm in extended format. This extended format adds theIP address type and IP address to the authentication failure alarm in standard format.The extended alarm format helps network administrators quickly locate NMSinformation.
Restrictions and guidelines
After you configure this command, theauthentication failure alarms sent by the device are in extended format. If theNMS does not support the extended format, it might fail to parse the suchalarms.
This command takes effect only whenauthentication failure alarm is enabled in SNMP standard alarms. By default,authentication failure alarm is enabled in SNMP standard alarms.
Examples
# Enable the device to generate authenticationfailure alarm messages in extended format
<Sysname> system-view
[Sysname] snmp-agent trap snmpv2-mibauthenticationfailure extended
# Disable the device from generating authenticationfailure alarm messages in extended format
<Sysname> system-view
[Sysname] undo snmp-agent trapsnmpv2-mib authenticationfailure extended
Related commands
snmp-agent trap enable
snmp-agent trap queue-size
Use snmp-agent trap queue-size to set the SNMP notification queue size.
Use undo snmp-agent trap queue-size to restore the default queue size.
Syntax
snmp-agent trap queue-size size
undo snmp-agent trap queue-size
Default
The SNMP notification queue can store amaximum of 100 notifications.
Views
System view
Predefined user roles
network-admin
Parameters
size: Specifies themaximum number of notifications that the SNMP notification queue can hold. Thevalue range is 1 to 1000.
Usage guidelines
When congestion occurs, the SNMP agentbuffers notifications in a queue. SNMP notification queue size sets the maximumnumber of notifications that this queue can hold.
When the queue size is reached, the systemdiscards the new notification it receives.
If modification of the queue size causesthe number of notifications in the queue to exceed the queue size, the oldestnotifications are dropped for new notifications.
Examples
# Set the SNMP notification queue size to200.
<Sysname> system-view
[Sysname] snmp-agent trap queue-size200
Related commands
snmp-agent target-host
snmp-agent trap enable
snmp-agent trap life
snmp-agenttrap withsn
Use snmp-agent trap withsn to enable the notifications to carry the device serial number.
Use undo snmp-agent trap withsn to restore the default.
Syntax
snmp-agent trap withsn
undo snmp-agent trap withsn
Default
The notifications do not carry the deviceserial number.
Views
System view
Predefined user roles
network-admin
Examples
# Enable the notifications to carry thedevice serial number.
<Sysname> system-view
[Sysname] snmp-agent trap withsn
Related commands
snmp-agent target-host
snmp-agent usm-user { v1 | v2c }
Use snmp-agent usm-user { v1 | v2c } to create an SNMPv1 or SNMPv2c user.
Use undo snmp-agent usm-user { v1 | v2c } to delete an SNMPv1 or SNMPv2c user.
Syntax
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl { ipv4-acl-number | name ipv4-acl-name} | acl ipv6 { ipv6-acl-number| name ipv6-acl-name } ] *
undo snmp-agent usm-user { v1 | v2c } user-name
Default
No SNMPv1 or SNMPv2c users exist.
Views
System view
Predefined user roles
network-admin
Parameters
v1: Specifies SNMPv1.
v2c: Specifies SNMPv2c.
user-name: Specifies anSNMP username, a case-sensitive string of 1 to 32 characters.
group-name: Specifiesan SNMPv1 or SNMPv2c group name, a case-sensitive string of 1 to 32 characters.The group can be one that has been created or not. The user takes effect only afteryou create the group.
acl: Specifies a basic oradvanced IPv4 ACL for the user.
ipv4-acl-number:Specifies a basic or advanced IPv4 ACL by its number. The basic IPv4 ACL numberis in the range of 2000 to 2999. The advanced IPv4 ACL number is in the rangeof 3000 to 3999.
name ipv4-acl-name: Specifies a basic or advanced IPv4 ACL by its name, acase-insensitive string of 1 to 63 characters.
acl ipv6: Specifies a basic or advanced IPv6 ACL for the user.
ipv6-acl-number:Specifies a basic or advanced IPv6 ACL by its number. The basic IPv6 ACL numberis in the range of 2000 to 2999. The advanced IPv6 ACL number is in the rangeof 3000 to 3999.
name ipv6-acl-name: Specifies a basic or advanced IPv6 ACL by its name, acase-insensitive string of 1 to 63 characters.
Usage guidelines
This command is not available in FIPS mode.
Only users with the network-admin orlevel-15 user role can execute this command. Users with other user roles cannotexecute this command even if these roles are granted access to commands of theSNMP feature or this command.
On an SNMPv1 or SNMPv2c network, NMSs andagents authenticate each other by using the community name. On an SNMPv3network, NMSs and agents authenticate each other by using the username.
You can create an SNMPv1 or SNMPv2ccommunity by using either of the following ways:
·Execute the snmp-agent community command.
·Execute the snmp-agent usm-user { v1 | v2c } and snmp-agent group { v1 | v2c } commands to create an SNMPv1 or SNMPv2c user and assign the user toan SNMP group. The system then automatically creates an SNMP community by usingthe SNMPv1 or SNMPv2c username as the community name.
The display snmp-agent community commanddisplays information only about communities created and saved in plaintextform.
The device uses the global ACL (configuredby using the snmp-agent acl command),the ACL specified for the SNMP group, and the ACL specified for the SNMP userin sequence to control NMS access. Only NMSs permitted by these three ACLs canaccess the device. When specifying ACLs, follow these guidelines:
·If the specified ACL does not exist, or thespecified ACL does not contain any rule, all NMSs can access the device.
·If a VPN instance is specified in an ACL rule,the rule applies only to the packets of the VPN instance. If no VPN instance isspecified in an ACL rule, the rule applies only to the packets on the publicnetwork.
·If you specify an ACL and the ACL has rules,only NMSs permitted by the ACL can access the device.
For more information about ACL, see ACL and QoS Configuration Guide.
Examples
# Add the user userv2cto the SNMPv2c group readCom so an NMS can use theprotocol SNMPv2c and the read-only community name userv2cto access the device.
<Sysname> system-view
[Sysname] snmp-agent sys-info versionv2c
[Sysname] snmp-agent group v2creadCom
[Sysname] snmp-agent usm-user v2cuserv2c readCom
# Add the user userv2cin the SNMPv2c group readCom so only the NMS at1.1.1.1 can use the protocol SNMPv2c and read-only community name userv2c to access the device.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rulepermit source 1.1.1.1 0.0.0.0
[Sysname-acl-ipv4-basic-2001] ruledeny source any
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] snmp-agent sys-info versionv2c
[Sysname] snmp-agent group v2creadCom
[Sysname] snmp-agent usm-user v2c userv2creadCom acl 2001
# Add the user userv2cin the SNMPv2c group readCom so only the NMS at1.1.1.2 can use the protocol SNMPv2c and read-only community name userv2c to access the device.
[Sysname] acl basic name testacl
[Sysname-acl-ipv4-basic-testacl] rulepermit source 1.1.1.2 0.0.0.0
[Sysname-acl-ipv4-basic-testacl] ruledeny source any
[Sysname-acl-ipv4-basic-testacl] quit
[Sysname] snmp-agent sys-info versionv2c
[Sysname] snmp-agent group v2creadCom
[Sysname] snmp-agent usm-user v2cuserv2c readCom acl name testacl
Related commands
snmp-agent acl
display snmp-agent community
snmp-agent community
snmp-agent group
snmp-agent usm-user v3
Use snmp-agent usm-user v3 to create an SNMPv3 user.
Use undo snmp-agent usm-user v3 to delete an SNMPv3 user.
Syntax
In non-FIPS mode:
·In VACM mode:
snmp-agent usm-user v3 user-name group-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { md5 | sha | sha224 | sha256 | sha384 | sha512 } auth-password [ privacy-mode{ 3des | aes128 | aes192 | aes256 | des56 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name} | acl ipv6 { ipv6-acl-number| name ipv6-acl-name } ] *
undo snmp-agent usm-user v3 user-name { local | engineid engineid-string | remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
·In RBAC mode:
snmp-agent usm-user v3 user-name user-role role-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { md5 | sha | sha224 | sha256 | sha384 | sha512 } auth-password [ privacy-mode{ 3des | aes128 | aes192 | aes256 | des56 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name} | acl ipv6 { ipv6-acl-number| name ipv6-acl-name } ] *
undo snmp-agent usm-user v3 user-name { local | engineid engineid-string | remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
In FIPS mode:
·In VACM mode:
snmp-agent usm-user v3 user-name group-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] { cipher | simple } authentication-mode { sha | sha224 | sha256 | sha384 | sha512 } auth-password [ privacy-mode{ aes128 | aes192 | aes256 } priv-password ] [ acl { ipv4-acl-number | name ipv4-acl-name} | acl ipv6 { ipv6-acl-number| name ipv6-acl-name } ] *
undo snmp-agent usm-user v3 user-name { local | engineid engineid-string | remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
·In RBAC mode:
snmp-agent usm-user v3 user-name user-role role-name [ remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ { cipher | simple } authentication-mode { sha | sha224 | sha256 | sha384 | sha512 } auth-password [ privacy-mode{ aes128 | aes192 | aes256 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name} | acl ipv6 { ipv6-acl-number| name ipv6-acl-name } ] *
undo snmp-agent usm-user v3 user-name { local | engineid engineid-string | remote { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
Default
No SNMPv3 users exist.
Views
System view
Predefined user roles
network-admin
Parameters
user-name: Specifies anSNMPv3 username, a case-sensitive string of 1 to 32 characters.
group-name: Specifiesan SNMPv3 group name, a case-sensitive string of 1 to 32 characters. The groupcan be one that has been created or not. The user takes effect only after youcreate the group.
user-role role-name: Specifies a user role name, a case-sensitive string of 1 to 63characters.
remote { ipv4-address | ipv6 ipv6-address }: Specifiesa target host by its IPv4 or IPv6 address, typically the NMS, to receive the informs.To send SNMPv3 informs to a target host, you need to specify this option anduse the snmp-agent remote command to bind the IPv4 or IPv6 address to the remote engine ID.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the target host belongsto. The vpn-instance-name argument representsthe VPN instance name, a case-sensitive string of 1 to 31 characters. If the targethost belongs to the public network, do not specify this option.
cipher: Specifies anauthentication key and an encryption key in encrypted form. The keys will beconverted to a digest in encrypted form and stored in the device.
simple: Specifies anauthentication key and an encryption key in plaintext from. The keys will beconverted to a digest in encrypted form and stored in the device.
authentication-mode:Specifies an authentication algorithm. If you do not specify the keyword, thesystem does not perform authentication.
·md5: Specifies the HMAC-MD5authentication algorithm.
·sha: Specifies the HMAC-SHA1authentication algorithm.
·sha224: Specifies the HMAC-SHA224authentication algorithm.
·sha256: Specifies the HMAC-SHA256authentication algorithm.
·sha384: Specifies the HMAC-SHA384authentication algorithm.
·sha512: Specifies the HMAC-SHA512authentication algorithm.
auth-password: Specifiesan authentication key. This argument is case sensitive.
·The plaintext form of the key in non-FIPS modeis a string of 1 to 64 characters. The plaintext form of the key in FIPS modeis a string of 15 to 64 characters, which must contain numbers, uppercaseletters, lowercase letters, and special characters.
·The encrypted form of the key can be calculatedby using the snmp-agent calculate-passwordcommand.
privacy-mode: Specifiesan encryption algorithm. If you do not specify this keyword, the system doesnot perform encryption.
·3des: Specifies the3DES encryption algorithm that uses a 168-bit key.
·aes128: Specifies the AES encryption algorithmthat uses a 128-bit key.
·aes192: Specifies theAES encryption algorithm that uses a 192-bit key.
·aes256: Specifies the AES encryptionalgorithm that uses a 256-bit key.
·des56: Specifies the DES encryption algorithmthat uses a 56-bit key.
priv-password:Specifies an encryption key. This argument is case sensitive.
·The plaintext form of the key in non-FIPS modeis a string of 1 to 64 characters. The plaintext form of the key in FIPS modeis a string of 15 to 64 characters, which must contain numbers, uppercaseletters, lowercase letters, and special characters.
·The encrypted form of the key can be calculatedby using the snmp-agent calculate-passwordcommand.
acl: Specifies a basic oradvanced IPv4 ACL for the user.
ipv4-acl-number:Specifies a basic or advanced IPv4 ACL by its number. The basic IPv4 ACL numberis in the range of 2000 to 2999. The advanced IPv4 ACL number is in the rangeof 3000 to 3999.
name ipv4-acl-name: Specifies a basic or advanced IPv4 ACL by its name, acase-insensitive string of 1 to 63 characters.
acl ipv6: Specifies a basic or advanced IPv6 ACL for the user.
ipv6-acl-number:Specifies a basic or advanced IPv6 ACL by its number. The basic IPv6 ACL numberis in the range of 2000 to 2999. The advanced IPv6 ACL number is in the rangeof 3000 to 3999.
name ipv6-acl-name: Specifies a basic or advanced IPv6 ACL by its name, acase-insensitive string of 1 to 63 characters.
local: Specifies thelocal SNMP engine. By default, an SNMPv3 user is associated with the local SNMPengine.
engineid engineid-string: Specifies an SNMP engine ID. The engineid-string argument is an even number of hexadecimal characters. All-zero andall-F strings are invalid. The even number is in the range of 10 to 64. If youchange the local engine ID, the existing SNMPv3 users and keys become invalid.To delete an invalid username, specify the engine ID associated with theusername in the undo snmp-agent usm-user v3 command.
Usage guidelines
Only users with the network-admin orlevel-15 user role can execute this command. Users with other user roles cannotexecute this command even if these roles are granted access to commands of theSNMP feature or this command.
You can use either of the following modesto control SNMPv3 user access to MIB objects.
·VACM—Controls user access to MIB objects by assigning the user to anSNMP group. To make sure the user takes effect, make sure the group has beencreated. An SNMP group contains one or multiple users and specifies the MIBviews and security model for the users. The authentication and encryptionalgorithms for each user are specified when they are created.
·RBAC—Controls user access to MIB objects by assigning user roles to theuser. A user role specifies the MIB objects accessible to the user and theoperations that the user can perform on the objects. After you create a user inRBAC mode, you can use the snmp-agent usm-user v3 user-role command to assign more user roles to the user. You can assign amaximum of 64 user roles to a user.
RBAC mode controls access on a per MIBobject basis, and VACM mode controls access on a MIB view basis. As a bestpractice to enhance MIB security, use RBAC mode.
You can execute the snmp-agentusm-user v3 command multiple times to createdifferent SNMPv3 users in VACM mode. If you do not change the username eachtime, the most recent configuration takes effect.
You can execute the snmp-agentusm-user v3 command in RBAC mode multiple timesto assign different user roles to an SNMPv3 user. The following restrictionsand guidelines apply:
·If you specify only user roles but do not changeany other settings each time, the snmp-agent usm-user v3 command assigns different user roles to the user. Other settings remainunchanged.
·If you specify user roles and also change othersettings each time, the snmp-agent usm-user v3command assigns different user roles to the user. The most recent configurationfor other settings takes effect.
The device uses the global ACL (configuredby using the snmp-agent acl command),the ACL specified for the SNMP group, and the ACL specified for the SNMP userin sequence to control NMS access. Only NMSs permitted by these three ACLs canaccess the device. When specifying ACLs, follow these guidelines:
·If the specified ACL does not exist, or thespecified ACL does not contain any rule, all NMSs can access the device.
·If a VPN instance is specified in an ACL rule,the rule applies only to the packets of the VPN instance. If no VPN instance isspecified in an ACL rule, the rule applies only to the packets on the publicnetwork.
·If you specify an ACL and the ACL has rules,only NMSs permitted by the ACL can access the device.
For more information about ACL, see ACL and QoS Configuration Guide.
Examples
In VACM mode:
# Add user testUserto SNMPv3 group testGroup, and enableauthentication for the group. Specify authentication algorithm HMAC-SHA1 and plaintext-form authentication key 123456TESTplat&! for the user.
<Sysname> system-view
[Sysname] snmp-agent group v3testGroup authentication
[Sysname] snmp-agent usm-user v3testUser testGroup simple authentication-mode sha 123456TESTplat&!
# For an NMS to access the MIB objects inthe default view ViewDefault, make sure thefollowing configurations on the NMS are the same as the SNMP agent:
·SNMPv3 username.
·SNMP protocol version.
·Authentication algorithm and key.
# Add user testUserto SNMPv3 group testGroup, and enableauthentication and encryption for the group. Specify authentication algorithm HMAC-SHA1, encryption algorithm AES,plaintext-form authentication key 123456TESTauth&!,and plaintext-form encryption key 123456TESTencr&! for the user.
<Sysname> system-view
[Sysname] snmp-agent group v3testGroup privacy
[Sysname] snmp-agent usm-user v3testUser testGroup simple authentication-mode sha 123456TESTauth&!privacy-mode aes128 123456TESTencr&!
# For an NMS to access the MIB objects inthe default view ViewDefault, make sure thefollowing configurations on the NMS are the same as the SNMP agent:
·SNMPv3 username.
·SNMP protocol version.
·Authentication algorithm.
·Privacy algorithm.
·Plaintext authentication and encryption keys.
# Add user remoteUserfor the SNMP remote engine at 10.1.1.1 to SNMPv3group testGroup, and enable authentication and encryptionfor the group. Specify authentication algorithm HMAC-SHA1,encryption algorithm AES, plaintext-formauthentication key 123456TESTauth&!, and plaintext-form encryption key 123456TESTencr&!for the user.
<Sysname> system-view
[Sysname] snmp-agent remote 10.1.1.1engineid 123456789A
[Sysname] snmp-agent group v3testGroup privacy
[Sysname] snmp-agent usm-user v3remoteUser testGroup remote 10.1.1.1 simple authentication-mode sha 123456TESTauth&!privacy-mode aes128 123456TESTencr&!
In RBAC mode:
# Create SNMPv3 user testUserwith user role network-operator and enableauthentication for the user. Specify authentication algorithm HMAC-SHA1 and plaintext-form authentication key 123456TESTplat&! for the user.
<Sysname> system-view
[Sysname] snmp-agent usm-user v3testUser user-role network-operator simple authentication-mode sha 123456TESTplat&!
For an NMS to have read-only access to allMIB objects, make sure the following configurations on the NMS are the same asthe SNMP agent:
·SNMPv3 username.
·SNMP protocol version.
·Authentication algorithm and key.
Related commands
display snmp-agent usm-user
snmp-agent acl
snmp-agent calculate-password
snmp-agent group
snmp-agent remote
snmp-agent usm-user v3 user-role
snmp-agent usm-user v3 user-role
Use snmp-agent usm-user v3 user-role to assigna user role to an SNMPv3 user created in RBAC mode.
Use undo snmp-agent usm-user user-role to remove a user role.
Syntax
snmp-agent usm-user v3 user-name user-role role-name
undo snmp-agent usm-user v3 user-name user-role role-name
Default
An SNMPv3 user has the user role assignedto it at its creation.
Views
System view
Predefined user roles
network-admin
Parameters
user-name: Specifies anSNMPv3 username, a case-sensitive string of 1 to 32 characters.
user-role role-name:Specifies a user role name, a case-sensitive string of 1 to 63 characters.
Usage guidelines
You can assign a maximum of 64 user rolesto an SNMPv3 user.
An SNMPv3 user must have a minimum of oneuser role.
Examples
# Assign the user role network-admin to the SNMPv3 user testUser.
<Sysname> system-view
[Sysname] snmp-agent usm-user v3testUser user-role network-admin
Related commands
snmp-agent usm-user v3
