(Optional) Restricting Management Rights of the NMS
Context
Scenario |
Steps |
|---|---|
All NMSs using this community name have the right of the ViewDefault view. |
No action required |
Specified NMSs using this community name have the right of the ViewDefault view. |
|
All NMSs using this community name manage specified objects on the managed device. |
NOTE:
In 3, ACL does
not need to be configured. |
Specified NMSs using this community name manage specified objects on the managed devices. |
The ViewDefault view is the 1.3.6.1 view.
When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device.
When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.
If a packet matches no ACL rule, the NMS that sends the packet cannot access the local device.
When no ACL rule is configured, all NMSs can access the local device.
Procedure
- Run:
system-viewThe system view is displayed.
- Run:
snmp-agent mib-view { excluded | included } view-name oid-tree
A MIB view is created, and manageable MIB objects are specified.
By default, an NMS has right to access the objects in the ViewDefault view.
You run this command for multiple times, the new configuration overwrites the original configuration if the values of view-name and oid-tree are the same; the new and original configurations both take effect if the values of view-name and oid-tree are different. The system can store a maximum of 20 MIB view configurations, among which there are four default views.
If both the included and excluded parameters are configured for MIB objects that have an inclusion relationship, whether to include or exclude the lowest MIB object will be determined by the parameter configured for the lowest MIB object. For example, the snmpV2, snmpModules, and snmpUsmMIB objects are from top down in the MIB table. If the excluded parameter is configured for snmpUsmMIB objects and included is configured for snmpV2, snmpUsmMIB objects will still be excluded.
- Configure NMS filtering based
on community name.
- Run:
snmp-agent community { read | write } { community-name | cipher community-name } [ mib-view view-name | acl acl-number ] *
The NMS's access right are specified.
By default, the community name has the right of the ViewDefault view.
To grant only the read permission to low-level administrators, specify the parameter read. To grant the read and write permissions to high-level administrators, specify the parameter write.
To ensure security, use the parameter cipher to configure the community name to be displayed in cipher text. Administrators must keep the community name properly, because they cannot query the community name on the device.
If the NMSs using this community name have the right of the ViewDefault view, the parameter mib-view view-name is not required.
If all NMSs using this community name manage specified objects on the managed devices, the parameter acl acl-number is not required.
If some NMSs using this community name manage specified objects on the managed devices, the parameters acl and mib-view must be configured.
Before specifying the NMS to manage devices with this community name, check the ACL rule. When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device. When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.
- Run:
Follow-up Procedure
After the access right are configured, especially after the IP address of the NMS is specified, if the IP address changes (for example, the NMS changes its location, or IP addresses are reallocated due to network adjustment), you need to change the IP address of the NMS in the ACL. Otherwise, the NMS cannot access the device.
