(Optional) Controlling the NMS's Access to the Device

This section describes how to specify an NMS and manageable MIB objects for SNMPv3-based communication between the NMS and managed device to improve communication security.

Context

If a device is managed by multiple NMSs that are in the same SNMPv3 user group, note the following points:

  • If all the NMSs need to have permission to access the objects in the Viewdefault view, skip the following steps.

  • If some of the NMSs need to have permission to access the objects in the Viewdefault view, skip 8 and 10.

  • If all the NMSs are required to manage specified objects on the device, skip 2, 4, 6, and 7.

  • If some of the NMSs are required to manage specified objects on the device, perform all the following steps.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

    A basic ACL is created to filter the NMS users to manage the device.

    SNMP supports only basic ACLs whose numbers range from 2000 to 2999.

  3. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

    A rule is configured for the basic ACL.

    • If the address of a login user matches an ACL rule in which the specified action is permit, the user is allowed to log in to the device.

    • If the address of a login user matches an ACL rule in which the specified action is deny, the user is not allowed to log in to the device.

    • If the address of a login user is not within the address range specified in an ACL rule, the login of the user is denied.

    • If the ACL does not contain any rules or does not exist, the login of users is not subject to the ACL, and users can log in to the device.

  4. Run commit

    The configuration is committed.

  5. Run quit

    Return to the system view.

  6. Run snmp-agent mib-view { excluded | included } view-name oid-tree

    A MIB view is created, and manageable MIB objects are specified.

    • excluded: If a few MIB objects on the device or some objects in the current MIB view do not or no longer need to be managed by the NMS, excluded needs to be specified in the command to exclude these MIB objects.

    • included: If a few MIB objects on the device or some objects in the current MIB view need to be managed by the NMS, included needs to be specified in the command to include these MIB objects.

  7. (Optional) Run snmp-agent acl { acl-number | acl-name }

    SNMP protocol level ACL is configured.

    By executing the snmp-agent acl command, you can control the user access.

  8. Run snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ] * [ acl { acl-number | acl-name } ]

    An SNMPv3 user group is configured.

    If the NMS and network devices are in an insecure environment (for example, the network is vulnerable to attacks), authentication or privacy can be configured in the command to enable data authentication or privacy.

    The available authentication and privacy modes are as follows:

    • No authentication and no privacy: Neither authentication nor privacy or noauthentication is configured in the command. This mode is applicable to secure networks managed by a specified administrator.

    • Authentication without privacy: Only authentication is configured in the command. This mode is applicable to secure networks managed by many administrators who may frequently perform operations on the same device. In this mode, only the authenticated administrators can access the managed device.

    • Authentication and privacy: privacy is configured in the command. This mode is applicable to insecure networks managed by many administrators who may frequently perform operations on the same device. In this mode, only the authenticated administrators can access the managed device, and transmitted data is encrypted to guard against tampering and data leaking.

    read-view needs to be configured in the command if the NMS administrator needs the read permission in a specified view in some cases. For example, a low-level administrator needs to read certain data.

    write-view needs to be configured in the command if the NMS administrator needs the read and write permissions in a specified view in some cases. For example, a high-level administrator needs to read and write certain data.

    notify-view needs to be configured in the command if you want to filter out irrelevant alarms and configure the managed device to send only the alarms of specified MIB objects to the NMS. If the parameter is configured, only the alarms of the MIB objects specified by notify-view is sent to the NMS.

  9. Run commit

    The configuration is committed.

Follow-up Procedure

After the access rights are configured, especially after the IP address of the NMS is specified, if the IP address changes (for example, the NMS changes its location, or IP addresses are reallocated due to network adjustment), you need to change the IP address of the NMS in the ACL. Otherwise, the NMS cannot access the device.

Parent Topic: Configuring a Device to Communicate with an NMS Using SNMPv3 USM User
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >