(Optional) Restricting Management Rights of the NMS
Context
| Scenario | Steps |
|---|---|
| All NMSs using this community name have the right of the ViewDefault view. | No action required |
| Specified NMSs using this community name have the right of the ViewDefault view. | |
| All NMSs using this community name manage specified objects on the managed device. | NOTE: In 3, ACL does not need to be configured. |
| Specified NMSs using this community name manage specified objects on the managed devices. | |

The ViewDefault view is the 1.3.6.1 view.
When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device.
When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.
If a packet matches no ACL rule, the NMS that sends the packet cannot access the local device.
When no ACL rule is configured, all NMSs can access the local device.
Procedure
- Run:
system-view
The system view is displayed.
- Run:
snmp-agent mib-view { excluded | included } view-name oid-tree
A MIB view is created, and manageable MIB objects are specified.
By default, an NMS has the right to access the objects in the ViewDefault view.
If you run this command multiple times, the new configuration overwrites the original configuration if the values of view-name and oid-tree are the same; the new and original configurations both take effect if the values of view-name and oid-tree are different. The system can store a maximum of 20 MIB view configurations, among which there are four default views.
If both the included and excluded parameters are configured for MIB objects that have an inclusion relationship, whether to include or exclude the lowest MIB object will be determined by the parameter configured for the lowest MIB object. For example, the snmpV2, snmpModules, and snmpUsmMIB objects are from top down in the MIB table. If the excluded parameter is configured for snmpUsmMIB objects and included is configured for snmpV2, snmpUsmMIB objects will still be excluded.
- Configure NMS filtering based on community name.
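The MIB view and ACL rules described above can be modelled as follows. This is an added Python example, not vendor code or device output; the function names, the sample ACL (documentation address ranges) and first-match rule ordering are assumptions, while the OIDs are the standard ones for snmpV2 and snmpUsmMIB.

```python
import ipaddress

def parse_oid(oid):
    """'1.3.6.1.6' -> (1, 3, 6, 1, 6)"""
    return tuple(int(part) for part in oid.strip(".").split("."))

def build_view(entries):
    """Apply (mode, oid-tree) entries in order; a repeated oid-tree overwrites."""
    view = {}
    for mode, oid_tree in entries:
        view[parse_oid(oid_tree)] = (mode == "included")
    return view

def oid_in_view(view, oid):
    """The longest (lowest) configured subtree containing the OID decides."""
    target = parse_oid(oid)
    matches = [p for p in view if target[:len(p)] == p]
    if not matches:
        return False  # OID lies outside every configured subtree
    return view[max(matches, key=len)]

def acl_permits(acl, source_ip):
    """acl: ordered (action, network) rules; first match wins (assumption)."""
    if not acl:
        return True  # no ACL rule configured: all NMSs can access
    addr = ipaddress.ip_address(source_ip)
    for action, network in acl:
        if addr in ipaddress.ip_network(network):
            return action == "permit"
    return False  # packet matches no rule: access refused

def nms_may_access(view, acl, source_ip, oid):
    return acl_permits(acl, source_ip) and oid_in_view(view, oid)

# Constructed sample data (documentation address ranges, not from the page).
SAMPLE_VIEW = build_view([
    ("included", "1.3.6.1.6"),        # snmpV2
    ("excluded", "1.3.6.1.6.3.15"),   # snmpUsmMIB
])
SAMPLE_ACL = [("permit", "192.0.2.10/32"), ("deny", "192.0.2.0/24")]

if __name__ == "__main__":
    for ip, oid in [("192.0.2.10", "1.3.6.1.6.3.1.1.4.1.0"),
                    ("192.0.2.10", "1.3.6.1.6.3.15.1.1.1.0"),
                    ("192.0.2.20", "1.3.6.1.6.3.1.1.4.1.0"),
                    ("198.51.100.7", "1.3.6.1.6.3.1.1.4.1.0")]:
        print(ip, oid, nms_may_access(SAMPLE_VIEW, SAMPLE_ACL, ip, oid))
```

Running a planned view and ACL through such a model before applying them shows whether the security-sensitive subtrees stay excluded and whether an unlisted NMS address is refused.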
Follow-up Procedure
After the access rights are configured, especially after the IP address of the NMS is specified, if the IP address changes (for example, the NMS changes its location, or IP addresses are reallocated due to network adjustment), you need to change the IP address of the NMS in the ACL. Otherwise, the NMS cannot access the device.