(Optional) Restricting Management Rights of the NMS

Context

When multiple NMSs in the same SNMPv3 user group manage one device, perform this configuration according to the scenario.

Scenario	Steps
The NMSs access the ViewDefault view.	All NMSs access the ViewDefault view of the managed device. No action required
	1, 2 (NMS filtering based on SNMP agent)
	1, 3, 5 (NMS filtering based on user group)
	1, 6, 7 (NMS filtering based on user)
	1, 3, 5, 6, 7 (NMS filtering based on user group and user)
	1, 2, 3, 5 (NMS filtering based on SNMP agent and user group)
	1, 2, 6, 7 (NMS filtering based on SNMP agent and user)
	1, 2, 3, 5, 6, 7 (NMS filtering based on SNMP agent, user group, and user)
The NMSs access the specified objects on the managed device.	All NMSs access the specified node on the managed device: 1, 4, 5
	1, 2, 4, 5 (NMS filtering based on SNMP agent)
	1, 3, 4, 5 (NMS filtering based on user group)
	1, 4, 5, 6, 7 (NMS filtering based on user)
	1, 3, 4, 5, 6, 7 (NMS filtering based on user group and user)
	1, 2, 3, 4, 5 (NMS filtering based on SNMP agent and user group)
	1, 2, 4, 5, 6, 7 (NMS filtering based on SNMP agent and user)
	1, 2, 3, 4, 5, 6, 7 (NMS filtering based on SNMP agent, user group, and user)

The following describes how an ACL is used to control the access rights of NMSs:

When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device.
When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.
If a packet does not match any ACL rule, the NMS that sends the packet cannot access the local device.
When no ACL rule is configured, all NMSs can access the local device.

Procedure

Run system-view
The system view is displayed.
Configure NMS filtering based on SNMP agent.
1. Configure an ACL.
  Before configuring the access control rights, you must create an ACL. For instructions on how to create an ACL, see ACL Configuration in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security.
2. Run the snmp-agent acl { acl-number | acl-name }, snmp-agent acl-ipv4 { acl-number | acl-name } [ acl-ipv6 { acl-number | acl-name } ], or snmp-agent acl-ipv6 { acl-number | acl-name } command to configure an ACL for SNMP.
Configure an ACL for an SNMP user group to allow only the NMS matching the ACL to access the managed device.
For instructions on how to create an ACL, see ACL Configuration in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security.
Run snmp-agent mib-view { excluded | included } view-name oid-tree
A MIB view is created, and manageable MIB objects are specified.

By default, an NMS has no right to access the objects.

You can run this command multiple times. If it is run multiple times and the values of view-name and oid-tree are the same each time, the new configuration overwrites the original configuration. In contrast, if the values of view-name and oid-tree are different, the new and original configurations both take effect. The system can store a maximum of 256 MIB views, including four default views.

If both the included and excluded parameters are configured for MIB objects that have an inclusion relationship, whether the lowest MIB object is included or excluded depends on the parameter configured for it. For example, the snmpV2, snmpModules, and snmpUsmMIB objects have a top-down inclusion relationship in the MIB tree. If the excluded parameter is configured for snmpUsmMIB objects and included is configured for snmpV2, snmpUsmMIB objects will still be excluded.
Run snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]^* [ acl { acl-number | acl-name } ], snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]^* acl-ipv4 { acl-number | acl-name } [ acl-ipv6 { acl-number | acl-name } ] or snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]^* acl-ipv6 { acl-number | acl-name }
The write-read right is configured for a user group.

By default, the read-only view of an SNMP user group is the ViewDefault view, and the names of the read-write view and inform view are not specified.

To configure the NMS to receive traps specified by notify-view, you must first configure a target host for receiving traps.
Configure a basic ACL or an advanced ACL for an SNMP user to allow only the NMS matching the ACL to access the managed device.
For instructions on how to create an ACL, see ACL Configuration in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security.
Run snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group group-name | acl { acl-number | acl-name } ] ^*, snmp-agent [ remote-engineid engineid ] usm-user v3 user-name group group-name acl-ipv4 { acl-number | acl-name } [ acl-ipv6 { acl-number | acl-name } ] or snmp-agent [ remote-engineid engineid ] usm-user v3 user-name group group-name acl-ipv6 { acl-number | acl-name }
Authentication and encryption are configured for SNMPv3 users in the specified user group.
- To allow all NMSs using the same SNMPv3 user name to access the agent, do not specify the acl parameter.
- To allow only the specified NMSs using this user name to access the agent, configure the acl parameter.

Follow-up Procedure

If the NMS allowed to access the managed device changed its IP address for some reasons, for example, there is a location change or IP address reallocation, change the IP address in the ACL rule accordingly; otherwise, the NMS cannot access the managed device.