Example for Applying Basic ACLs to SNMP to Filter NMSs

Networking Requirements

As shown in Figure 1, two NMSs are available on the network to monitor network devices. The network size is small and the network has a high security level. Therefore, the administrator requires that only the trusted NMS (NMS2) manage network devices and the Switch use SNMPv1 to communicate with the NMS. Unauthorized NMSs cannot manage the Switch. According to service requirements, the administrator allows the NMS to manage the objects on the Switch except RMON, and the administrator needs to locate and rectify faults quickly through the NMS.

Figure 1 Applying basic ACLs to SNMP to filter NMSs

Configuration Roadmap

The configuration roadmap is as follows:

Configure the SNMP version on the Switch to SNMPv1.
Configure the ACL, MIB view, and community name to control the access rights of NMSs. NMS2 can only manage the objects on the Switch except RMON, and NMS1 cannot manage the Switch.
Configure the trap host for the Switch to deliver traps generated on the Switch to NMS2. To help quickly identify faults according to trap messages and reduce useless traps, configure the Switch to send only the traps of the modules enabled by default.
Configure NMS2.

Procedure

Configure an IP address for an interface of the Switch to provide a reachable route between the NMS and the Switch.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.2.1 24
[Switch-Vlanif100] quit

Set the SNMP version on the Switch to SNMPv1.
```
[Switch] snmp-agent sys-info version v1
```

Configure the access rights.

# Configure an ACL that allows NMS2 to manage the Switch and prevents NMS1 from managing the Switch.

[Switch] acl 2001
[Switch-acl-basic-2001] rule 5 permit source 10.1.1.2 0.0.0.0
[Switch-acl-basic-2001] rule 6 deny source 10.1.1.1 0.0.0.0
[Switch-acl-basic-2001] quit

# Configure the MIB view to allow NMS2 to manage all MIB objects on the Switch except RMON objects.

[Switch] snmp-agent mib-view excluded allextrmon 1.3.6.1.2.1.16

# Configure a community name and reference the ACL and MIB view for the community.

[Switch] snmp-agent community write adminnms2 mib-view allextrmon acl 2001

Configure the trap host.

[Switch] snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname adminnms2

Configure NMS2.
You must set a read-write community name for an NMS running SNMPv1. For details about the NMS configuration, see the manual of the NMS.

The authentication parameter configuration on the NMS must be the same as that on the Switch. Otherwise, the NMS cannot manage the Switch. If only the write community name is configured on the device, the read and write community names on the NMS must be the same as the write community name configured on the device.

Verify the configuration.

After completing the configuration, run the following commands to verify that the configurations have taken effect.

# View the SNMP version.

[Switch] display snmp-agent sys-info version
   SNMP version running in the system:                                                                                              
           Polling: SNMPv1:enable,  SNMPv2c:disable, SNMPv3:disable                                                                 
           Trap   : SNMPv1:enable,  SNMPv2c:disable, SNMPv3:disable

# View the configuration of the target host used to receive traps.

[Switch] display snmp-agent target-host
Target-host NO. 1                                                               
-----------------------------------------------------------                     
  IP-address    : 10.1.1.2                                                       
  Domain        : -
  Source interface : - 
  VPN instance  : -                                                             
  Security name : %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%#                                        
  Port          : 162                                                           
  Type          : trap                                                          
  Version       : v1                                                            
  Level         : No authentication and privacy                                 
  NMS type      : NMS                                                           
  With ext-vb   : No                                                            
-----------------------------------------------------------

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 100
#
acl number 2001
 rule 5 permit source 10.1.1.2 0
 rule 6 deny source 10.1.1.1 0
#                                                                               
interface Vlanif100                                                             
 ip address 10.1.2.1 255.255.255.0                                               
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid pvid vlan 100                                                      
 port hybrid untagged vlan 100     
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write cipher %^%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-h@aJ6d,l0md%HCeAY8~>X=>xV\JKNAL=124r839v<*%^%# mib-view allextrmon acl 2001
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname cipher %^%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%^%#
snmp-agent mib-view excluded allextrmon rmon 
#
return