(Optional) Restricting Management Rights of the NMS
Context
Scenario |
Steps |
|---|---|
All NMSs in this SNMPv3 user group access the ViewDefault view. |
No action required |
Only the specified NMSs in this SNMPv3 user group access the ViewDefault view. |
|
All NMSs in this SNMPv3 user group access the specified objects on the managed devices. |
|
The specified NMSs in this SNMPv3 user group access the specified objects on the managed devices. |
|
The NMS can connect to only the specified physical interfaces on the managed device. |
When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device.
When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.
If a packet does not match an ACL rule, the NMS that sends the packet cannot access the local device.
When no ACL rule is configured, all NMSs can access the local device.
Procedure
- Run system-view
The system view is displayed.
- Configure a basic ACL
for an SNMP user group to allow only the NMS matching the ACL to access
the managed device.
For the creation procedure, see "ACL Configuration" in the Huawei AR Series Access Routers Configuration Guide-Security.
- Run snmp-agent mib-view view-name { exclude | include } subtree-name [ mask mask ]
A MIB view is created, and manageable MIB objects are specified.
By default, an NMS has right to access the objects in the ViewDefault view.
If both the included and excluded parameters are configured for MIB objects that have an inclusion relationship, whether to include or exclude the lowest MIB object will be determined by the parameter configured for the lowest MIB object. For example, the snmpV2, snmpModules, and snmpUsmMIB objects are from top down in the MIB table. If the excluded parameter is configured for snmpUsmMIB objects and included is configured for snmpV2, snmpUsmMIB objects will still be excluded.
- Run snmp-agent group v3 group-name { authentication | noauth | privacy } [ read-view read-view | write-view write-view | notify-view notify-view | acl acl-number ] *
The write-read right is configured for a user group.
By default, the read-only view of an SNMP user group is the ViewDefault view, and the names of the read-write view and inform view are not specified.
To configure the NMS to receive traps specified by notify-view, you must first configure a target host for receiving traps.
- Configure a basic ACL for
an SNMP user to allow only the NMS matching the ACL to access the
managed device.
For the creation procedure, see "ACL Configuration" in the Huawei AR Series Access Routers Configuration Guide-Security.
- Run snmp-agent usm-user v3 user-name [ group group-name | acl acl-number ] *
Authentication and encryption are configured for SNMPv3 users in the specified user group.
To allow all NMSs using the same SNMPv3 user name to access the agent, do not specify the acl parameter.
To allow only the specified NMSs using this user name to access the agent, configure the acl parameter.
- Run snmp-agent permit interface { interface-type interface-number } &<1-5>
Physical interfaces on the device to which the NMS can connect are specified.
By default, the NMS can connect to all the physical interfaces on the device.