< Home

(Optional) Restricting Management Rights of the NMS

Context

When multiple NMSs manage the same device using the same community name, perform this configuration according to the scenario.

Scenario

Steps

The NMS accesses the ViewDefault view of the managed device.

All NMSs access the ViewDefault view of the managed device.

No action required

1, 2 (NMS filtering based on SNMP agent)

1, 4 (NMS filtering based on community name)

1, 2, 4 (NMS filtering based on SNMP agent and community name)

The NMS accesses the specified object on the managed device.

All NMSs access the specified object on the managed device: 1, 3

1, 2, 3 (NMS filtering based on SNMP agent)

1, 3, 4 (NMS filtering based on community name)

1, 2, 3, 4 (NMS filtering based on SNMP agent and community name)

The ViewDefault view is the 1.3.6.1 view.

The following describes how an ACL is used to control the access rights of NMSs:

  • When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device.

  • When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.

  • If a packet does not match any ACL rule, the NMS that sends the packet cannot access the local device.

  • When no ACL rule is configured, all NMSs can access the local device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure NMS filtering based on SNMP agent.
    1. Configure an ACL.

      Before configuring the access control rights, you must create an ACL. For instructions on how to create an ACL, see ACL Configuration in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security.

    2. Run the snmp-agent acl { acl-number | acl-name }, snmp-agent acl-ipv4 { acl-number | acl-name } [ acl-ipv6 { acl-number | acl-name } ], or snmp-agent acl-ipv6 { acl-number | acl-name } command to configure an ACL for SNMP.
  3. Run snmp-agent mib-view { excluded | included } view-name oid-tree

    A MIB view is created, and manageable MIB objects are specified.

    By default, an NMS has right to access the objects in the ViewDefault view.

    You can run this command multiple times. If it is run multiple times and the values of view-name and oid-tree are the same each time, the new configuration overwrites the original configuration. In contrast, if the values of view-name and oid-tree are different, the new and original configurations both take effect. The system can store a maximum of 256 MIB views, including four default views.

    If both the included and excluded parameters are configured for MIB objects that have an inclusion relationship, whether the lowest MIB object is included or excluded depends on the parameter configured for it. For example, the snmpV2, snmpModules, and snmpUsmMIB objects have a top-down inclusion relationship in the MIB tree. If the excluded parameter is configured for snmpUsmMIB objects and included is configured for snmpV2, snmpUsmMIB objects will still be excluded.

  4. Configure NMS filtering based on community name.
    1. (Optional) Configure a basic ACL or an advanced ACL.

      Before configuring the access control rights, you must create a basic ACL or an advanced ACL. For instructions on how to create an ACL, see ACL Configuration in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security.

    2. Run the snmp-agent community { read | write } { community-name | cipher community-name } [ mib-view view-name | acl { acl-number | acl-name } | alias alias-name ] *, snmp-agent community { read | write } [ cipher ] community-name [ mib-view view-name ] acl-ipv4 { acl-number | acl-name } [ acl-ipv6 { acl-number | acl-name } ] [ alias alias-name ] or snmp-agent community { read | write } [ cipher ] community-name [ mib-view view-name ] acl-ipv6 { acl-number | acl-name } [ alias alias-name ] command to specify the NMS's access right.

      By default, the created community name allows the NMS to access the ViewDefault view.

      • To grant only the read permission (for example, to low-level administrators), specify the parameter read. To grant the read and write permissions (for example, to high-level administrators), specify the parameter write.

      • For security purposes, use the parameter cipher to configure the community name to be displayed in cipher text. The community name in cipher text cannot be queried on the device, so ensure you keep it safely for future reference.

      • If the NMSs using this community name can access the ViewDefault view, the parameter mib-view view-name is not required.

      • If all NMSs using this community name manage specified objects on the managed devices, the acl acl-number parameter is not required.

      • If some NMSs using this community name manage specified objects on the managed devices, the acl and mib-view parameters must be configured.

      If both community name and ACL are configured, the device checks the community name and then the ACL before allowing the NMS to access it.

Follow-up Procedure

After the access right is configured and the IP address of the NMS is specified, if the IP address changes, you need to change the IP address of the NMS in the ACL. (The IP address may change, for example, if the NMS changes its location, or IP addresses are reallocated due to network adjustment.) If the IP address is not updated, the NMS cannot access the device.

Parent Topic: Configuring a Device to Communicate with an NMS Through SNMPv2c
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >