(Optional) Controlling the NMS's Access to the Device

To enhance SNMP communication security, restrict which NMSs are allowed to access the device and which MIB objects they are allowed to manage.

Context

If a device is managed by multiple NMSs that use the same community name, note the following points:
  • If all the NMSs are required to access the objects in the Viewdefault view (1.3.6.1), skip the following steps.

  • If some of the NMSs are required to access the objects in the Viewdefault view (1.3.6.1), skip steps 7 and 8.

  • If all the NMSs are required to manage specified objects on the device, skip steps 2, 3, 4, and 5.

  • If some of the NMSs are required to manage specified objects on the device, perform all the following steps.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

    A basic ACL is created to filter the NMSs that are allowed to manage the device.

  3. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

    A rule is configured for the basic ACL.

    • If the address of a login user matches an ACL rule in which the specified action is permit, the user is allowed to log in to the device.

    • If the address of a login user matches an ACL rule in which the specified action is deny, the user is not allowed to log in to the device.

    • If the address of a login user is not within the address range specified in an ACL rule, the login of the user is denied.

    • If the ACL does not contain any rules or does not exist, the login of users is not subject to the ACL, and users can log in to the device.

  4. Run commit

    The configuration is committed.

  5. Run quit

    Return to the system view.

  6. (Optional) Run snmp-agent acl { acl-number | aclName }

    An ACL is applied at the SNMP protocol level.

  7. Run snmp-agent mib-view { excluded | included } view-name oid-tree

    A MIB view is created, and the manageable MIB objects are specified.

    • excluded: If some MIB objects on the device, or some objects in the current MIB view, do not need to be (or no longer need to be) managed by the NMS, configure excluded in the command to exclude these MIB objects.

    • included: If some MIB objects on the device, or some objects in the current MIB view, need to be managed by the NMS, configure included in the command to include these MIB objects.

  8. Run snmp-agent community { read | write } cipher community-cipher [ mib-view view-name | acl { acl-number | aclName } | alias alias-name ] *

    The NMS's access rights are specified.

    • read: If the NMS administrator needs the read permission in a specified view, configure read in this command. For example, a low-level administrator needs to read certain data.

    • write: If the NMS administrator needs the read and write permissions in a specified view, configure write in this command. For example, a high-level administrator needs to read and write certain data.

    • mib-view: If some of the NMSs that use the community name need to have permission to access the objects in the Viewdefault view (1.3.6.1), you do not need to configure mib-view view-name in the command.

    • acl: If all the NMSs that use the community name need to manage specified objects on the device, you do not need to configure acl acl-number in the command.

      If some of the NMSs that use the community name need to manage specified objects on the device, configure both mib-view and acl in the command.

  9. Run commit

    The configuration is committed.
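As an added example (not Huawei's code or configuration), the following Python models how a request is evaluated against the community access rights configured in the procedure above: the basic ACL semantics of step 3, the included/excluded MIB view of step 7, and the read/write permission of step 8. It uses a constructed ACL and view, assumes rules are matched in configured order (match-order config), and assumes a set operation requires a write community.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _rule_matches(source, wildcard, addr):
    # Basic ACL semantics: wildcard bits set to 1 are ignored; "0" is the host shorthand.
    wild = 0 if wildcard == "0" else _ip(wildcard)
    return (_ip(source) & ~wild) == (_ip(addr) & ~wild)

def acl_permits(rules, nms_ip):
    """rules: [(action, source, wildcard)] in configured order (match-order config assumed)."""
    if not rules:          # ACL missing or empty: access is NOT filtered (fails open)
        return True
    for action, source, wildcard in rules:
        if _rule_matches(source, wildcard, nms_ip):
            return action == "permit"
    return False           # address matches no rule: denied

VIEWDEFAULT = [("included", "1.3.6.1")]   # the default view named on the page

def view_allows(view, oid):
    """view: [(type, oid_tree)]; the longest matching subtree entry decides (assumption)."""
    best = None
    for vtype, tree in view:
        if oid == tree or oid.startswith(tree + "."):
            if best is None or len(tree) > len(best[1]):
                best = (vtype, tree)
    return best is not None and best[0] == "included"

def snmp_allowed(community, nms_ip, oid, operation):
    """community: {'perm': 'read'|'write', 'mib_view': [...] or None, 'acl': [...] or None}."""
    if operation == "set" and community["perm"] != "write":
        return False                       # read community cannot set (assumption)
    if not acl_permits(community.get("acl") or [], nms_ip):
        return False
    return view_allows(community.get("mib_view") or VIEWDEFAULT, oid)

# Constructed sample configuration (hypothetical values, not from the page):
# ACL 2001: deny host 10.1.1.99, permit the rest of 10.1.1.0/24.
ACL_2001 = [("deny", "10.1.1.99", "0"), ("permit", "10.1.1.0", "0.0.0.255")]
# View: mib-2 (1.3.6.1.2.1) included, but the ip group (1.3.6.1.2.1.4) excluded.
VIEW_MIB2 = [("included", "1.3.6.1.2.1"), ("excluded", "1.3.6.1.2.1.4")]
READ_ONLY = {"perm": "read", "mib_view": VIEW_MIB2, "acl": ACL_2001}
# Weak setting: write community, default view, and an ACL with no rules.
UNRESTRICTED = {"perm": "write", "mib_view": None, "acl": []}
```

Running snmp_allowed(UNRESTRICTED, ...) from any address succeeds, which is the fail-open case described in step 3: an ACL that is referenced but has no rules restricts nothing.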

Follow-up Procedure

After the access rights are configured and the NMS's IP address is specified in the ACL rule, you must update the IP address in the ACL whenever it changes (for example, because the network management station changes its location, or IP addresses are reallocated during a network adjustment). Otherwise, the NMS can no longer access the device.

Copyright © Huawei Technologies Co., Ltd.