(Optional) Controlling the NMS's Access to the Device

This section describes how to restrict which NMSs can reach the device over SNMP and which MIB objects they can manage, so that a community name alone does not grant every host full access to the device.

Context

If a device is managed by multiple NMSs that share a community name, decide which steps to perform as follows:
  • If all the NMSs may access all the objects in the ViewDefault view, no additional access control is needed; skip this section.

  • If only some of the NMSs may access the objects in the ViewDefault view, configure the ACL (steps 2 to 6), skip the MIB view (step 7), and bind only the ACL to the community in step 8.

  • If all the NMSs may manage only specified objects on the device, skip the ACL (steps 2 to 6), configure the MIB view (step 7), and bind only the view to the community in step 8.

  • If only some of the NMSs may manage only specified objects on the device, perform all the following steps.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

    A basic ACL is created. It filters, by source IP address, the NMSs that are allowed to manage the device.

  3. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

    A rule is configured for the basic ACL.

    • If the source address of an NMS matches a rule whose action is permit, the NMS is allowed to access the device.

    • If the source address of an NMS matches a rule whose action is deny, the NMS is not allowed to access the device.

    • If the source address of an NMS matches no rule in the ACL, the NMS is not allowed to access the device.

    • If the ACL contains no rules or does not exist, the ACL imposes no restriction, and any NMS that presents the community name can access the device.

  4. Run commit

    The configuration is committed.

  5. Run quit

    Return to the system view.

  6. (Optional) Run snmp-agent acl { acl-number | acl-name }

    An ACL is applied to the SNMP agent as a whole.

    The snmp-agent acl command filters all SNMP packets that reach the device by source address, whichever community name they carry. The acl parameter of the snmp-agent community command in step 8 filters only the NMSs that use one community name; the two can be combined.

  7. Run snmp-agent mib-view { excluded | included } view-name oid-tree

    A MIB view is created, and manageable MIB objects are specified.

    • excluded: Specify excluded to remove the objects in the oid-tree subtree from the view, for example when some objects in the current view no longer need to be managed by the NMS.

    • included: Specify included to add the objects in the oid-tree subtree to the view, so that the NMS can manage them.

  8. Run snmp-agent community { read | write } cipher community-cipher [ mib-view view-name | acl { acl-number | acl-name } | alias alias-name ] *

    The NMS's access permission is specified.

    • read: NMSs that present this community name have read-only access to the objects in the specified view.

    • write: NMSs that present this community name have read and write access to the objects in the specified view.

    • mib-view: Binds the community to the view created in step 7. If the NMSs that use the community name only need access to the objects in the ViewDefault view, omit mib-view view-name; the community then uses the ViewDefault view.

    • acl: Binds the community to the ACL created in step 2. If all the NMSs that use the community name may manage the specified objects, omit acl { acl-number | acl-name }.

      If only some of the NMSs that use the community name may manage the specified objects, configure both mib-view and acl in the command.

  9. Run commit

    The configuration is committed.
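The following added example, which is not part of the original page, walks through the last case in Context: only two NMS hosts may manage the device, and they may manage only the MIB-2 subtree minus the interface table. The device name, ACL number 2001, the NMS addresses 10.1.1.10 and 10.1.1.20, the view name NMS-VIEW and the community string are assumed values; lines beginning with # are annotations, not commands. The display commands at the end are the check a practitioner runs before handing the device to the NMS.

```text
<HUAWEI> system-view
# Steps 2 to 5: basic ACL naming the permitted NMS hosts. With match-order config,
# rules are tried in the order configured. An address that matches no rule is
# denied anyway (see step 3); the final deny only records the intent explicitly.
[~HUAWEI] acl number 2001 match-order config
[*HUAWEI-acl4-basic-2001] rule 5 permit source 10.1.1.10 0
[*HUAWEI-acl4-basic-2001] rule 10 permit source 10.1.1.20 0
[*HUAWEI-acl4-basic-2001] rule 15 deny source any
[*HUAWEI-acl4-basic-2001] commit
[~HUAWEI-acl4-basic-2001] quit
# Step 6 (optional): the same ACL applied to the SNMP agent as a whole, so packets
# from any other source are dropped whatever community name they carry.
[~HUAWEI] snmp-agent acl 2001
# Step 7: a view that exposes MIB-2 (1.3.6.1.2.1) but hides ifTable (1.3.6.1.2.1.2.2).
[*HUAWEI] snmp-agent mib-view included NMS-VIEW 1.3.6.1.2.1
[*HUAWEI] snmp-agent mib-view excluded NMS-VIEW 1.3.6.1.2.1.2.2
# Step 8: a read-only community bound to both the view and the ACL.
# The string is an assumed value; it is stored in cipher form on the device.
[*HUAWEI] snmp-agent community read cipher Nms-R0-only#1 mib-view NMS-VIEW acl 2001
[*HUAWEI] commit
# Check: the ACL rules and the resulting view, before pointing the NMS at the device.
[~HUAWEI] display acl 2001
[~HUAWEI] display snmp-agent mib-view viewname NMS-VIEW
```

For the second case in Context (some NMSs, all of the ViewDefault view) drop the two snmp-agent mib-view lines and the mib-view parameter; for the third case (all NMSs, specified objects only) drop steps 2 to 6 and the acl parameter. Note that the ACL matches only the source IP address of SNMP packets and that SNMPv1/v2c sends the community name in cleartext, so this configuration limits exposure but is not a substitute for authenticated SNMPv3 where the device supports it.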

Follow-up Procedure

After the access permission is configured, and in particular after NMS IP addresses are specified in the ACL, any change to those addresses (for example, the NMS is moved, or addresses are reallocated during a network adjustment) must be reflected in the ACL rules. Otherwise, the NMS can no longer access the device.

Copyright © Huawei Technologies Co., Ltd.