(Optional) Restricting Management Rights of the NMS
Context
Scenario | Steps
---|---
All NMSs in this SNMPv3 user group have the rights of the ViewDefault view. | No action required
Specified NMSs in this SNMPv3 user group have the rights of the ViewDefault view. |
All NMSs in this SNMPv3 user group manage specified objects on the managed devices. |
Specified NMSs in this SNMPv3 user group manage specified objects on the managed devices. |
When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device.
When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.
If a packet matches no ACL rule, the NMS that sends the packet cannot access the local device.
When no ACL rule is configured, all NMSs can access the local device.
Procedure
- Run:
system-view
The system view is displayed.
- Configure a basic ACL for an SNMP user group to filter out the NMSs that do not match the ACL.
For the creation procedure, see "ACL Configuration" in the S2700 and S3700 Series Ethernet Switches Configuration Guide-Security.
- Run:
snmp-agent mib-view { excluded | included } view-name oid-tree
A MIB view is created, and manageable MIB objects are specified.
By default, an NMS has no right to access the objects.
If you run this command multiple times, the new configuration overwrites the original configuration when the values of view-name and oid-tree are the same; when they differ, both the new and the original configurations take effect. The system can store a maximum of 20 MIB view configurations, four of which are default views.
If both the included and excluded parameters are configured for MIB objects that have an inclusion relationship, whether the lowest MIB object is included or excluded is determined by the parameter configured for that lowest object. For example, the snmpV2, snmpModules, and snmpUsmMIB objects are arranged from top down in the MIB tree. If the excluded parameter is configured for the snmpUsmMIB objects and included is configured for snmpV2, the snmpUsmMIB objects are still excluded.
- Run:
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view | write-view write-view | notify-view notify-view ]* [ acl acl-number ]
Read and write rights are configured for the user group.
By default, the read-only view of an SNMP group is the ViewDefault view, and the names of the read-write view and inform view are not specified.
To configure the NMS to receive traps specified by notify-view, you must first configure the destination host for receiving traps.
- Configure a basic ACL for an SNMP user to filter out the NMSs that do not match the ACL.
For the creation procedure, see "ACL Configuration" in the S2700 and S3700 Series Ethernet Switches Configuration Guide-Security.
- Run:
snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } password [ privacy-mode { aes128 | des56 } encrypt-password ] ] [ acl acl-number ]
Authentication and encryption are configured for SNMPv3 users in the specified user group.
To allow all NMSs using the same SNMPv3 user name to access the agent, omit the parameter acl.
To allow specified NMSs to use this user name to access the agent, configure the parameter acl.
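The following configuration sequence, added here as a worked example rather than taken from the original guide, applies the procedure above to the last scenario in the table: only one NMS may use the SNMPv3 group, and that group may only read the interfaces subtree. The group name nms-v3, user name nmsadmin, ACL number 2001, the NMS address 10.1.1.10 and the view name view-ifonly are constructed values; the acl and rule commands follow the "ACL Configuration" guide referenced above, and lines beginning with # are annotations, not commands.

```text
<HUAWEI> system-view
# Basic ACL: permit only the NMS at 10.1.1.10 (constructed address). Packets from any
# other source match no rule and are therefore denied, as described in the Context section.
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 10.1.1.10 0
[HUAWEI-acl-basic-2001] quit
# MIB view: expose only the interfaces subtree (1.3.6.1.2.1.2); everything else stays hidden.
[HUAWEI] snmp-agent mib-view included view-ifonly 1.3.6.1.2.1.2
# Group: require authentication and privacy, replace the default ViewDefault read-view with
# the restricted view, leave write-view unset so the group has no write access, and bind
# the ACL so that only matching NMSs can use the group.
[HUAWEI] snmp-agent group v3 nms-v3 privacy read-view view-ifonly acl 2001
# User: SHA authentication and AES-128 privacy (the stronger of the two options listed for
# each), with the same ACL bound to the user itself. Replace the placeholders with real secrets.
[HUAWEI] snmp-agent usm-user v3 nmsadmin nms-v3 authentication-mode sha <auth-password> privacy-mode aes128 <priv-password> acl 2001
```

If the NMS address later changes, only rule 5 in ACL 2001 needs to be updated; the group and user configuration stay as they are.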
Follow-up Procedure
After the access rights are configured, and especially when the IP address of the NMS has been specified in the ACL, any change to that IP address (for example, the NMS moves to another location, or IP addresses are reallocated during a network adjustment) requires you to update the IP address of the NMS in the ACL. Otherwise, the NMS cannot access the device.