How can I restrict the NMSs that can manage S series switches?

You can use the following methods to restrict the NMSs that can manage S series switches (except the S1700):
1. For switches running all SNMP versions, you can run the snmp-agent acl command to configure an SNMP access control list (ACL). Only the NMS that matches the ACL can manage switches based on SNMP.
2. To restrict the NMSs that can manage switches running SNMPv1 or SNMPv2c based on community names, run the snmp-agent community { read | write } { community-name | cipher community-name } acl acl-number command with an ACL specified. After the command is executed, only the NMS using the specified SNMP community name and matching this ACL can manage the switches.
3. To restrict the NMSs that can manage switches running SNMPv3 based on user groups or users, run the snmp-agent group v3 group-name { authentication | privacy | noauthentication } acl acl-number or the snmp-agent usm-user v3 user-name acl acl-number command with an ACL specified to configure an SNMPv3 user group or user. After the command is executed, only the NMS using the specified SNMPv3 user group or user and matching the ACL can manage the switches.

Note:
If the login user name used by the NMS to send a request packet is not configured on the switch, the switch discards the request packet and records an error log. In addition, the switch does not check the request packet against the ACL.
If the login user name used by the NMS to send a request packet is configured on the switch, the switch checks the request packet against the ACL. If the packet does not match the ACL, a log indicating negative ACL matching is recorded.

For example, run the following commands to restrict the NMSs that can manage the switch based on an SNMP community name.
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 10.1.1.2 0.0.0.0
[HUAWEI-acl-basic-2001] rule 6 deny source 10.1.1.1 0.0.0.0
[HUAWEI-acl-basic-2001] quit
[HUAWEI] snmp-agent community write huawei_user acl 2001
For example, run the following command to restrict the NMSs that can manage the switch based on an SNMPv3 user group.
[HUAWEI] snmp-agent group v3 huawei_group privacy acl 2001
For example, run the following command to restrict the NMSs that can manage the switch based on an SNMPv3 user.
[HUAWEI] snmp-agent usm-user v3 huawei_user acl 2001
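
The following Python script is an added example, not part of the original page or of Huawei's tooling. It audits a saved configuration for SNMP communities, SNMPv3 user groups and SNMPv3 users that have no ACL bound (when no global snmp-agent acl is set either), or that reference an ACL number the configuration never defines. The sample configuration is constructed; that ACLs may be saved as "acl number N" and that one user's attributes may be spread over several lines are assumptions of the example.

```python
import re

# Constructed sample configuration for illustration; not taken from a real device.
SAMPLE_CONFIG = """\
acl 2001
 rule 5 permit source 10.1.1.2 0.0.0.0
 rule 6 deny source 10.1.1.1 0.0.0.0
snmp-agent community write huawei_user acl 2001
snmp-agent community read monitor_ro
snmp-agent group v3 huawei_group privacy acl 2001
snmp-agent group v3 open_group privacy
snmp-agent usm-user v3 huawei_user group huawei_group
snmp-agent usm-user v3 huawei_user acl 2001
snmp-agent usm-user v3 other_user acl 2999
"""

# Each pattern captures the entry name and the remainder of the line.
ENTRY_PATTERNS = [
    ("community", re.compile(r"snmp-agent community (?:read|write) (?:cipher )?(\S+)(.*)")),
    ("group", re.compile(r"snmp-agent group v3 (\S+) (?:authentication|privacy|noauthentication)(.*)")),
    ("usm-user", re.compile(r"snmp-agent usm-user v3 (\S+)(.*)")),
]

def audit_snmp_acl(config):
    """Return a sorted list of (kind, name, problem) findings."""
    # ACL numbers defined in the config ("acl 2001" or "acl number 2001").
    defined = set(re.findall(r"^acl (?:number )?(\d+)", config, re.M))
    # A global "snmp-agent acl" restricts NMSs for all SNMP versions.
    has_global = re.search(r"^snmp-agent acl \d+", config, re.M) is not None
    bound = {}  # (kind, name) -> ACL numbers bound on any of its lines
    for line in config.splitlines():
        for kind, pattern in ENTRY_PATTERNS:
            m = pattern.match(line.strip())
            if m:
                acls = bound.setdefault((kind, m.group(1)), set())
                acls.update(re.findall(r" acl (\d+)", m.group(2)))
    findings = []
    for (kind, name), acls in sorted(bound.items()):
        if not acls and not has_global:
            findings.append((kind, name, "no ACL bound"))
        for acl in sorted(acls - defined):
            findings.append((kind, name, "ACL %s is not defined" % acl))
    return findings

if __name__ == "__main__":
    for finding in audit_snmp_acl(SAMPLE_CONFIG):
        print(finding)
```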

For details on typical SNMP configuration examples, click S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples and choose Typical Network Management and Monitoring Configuration > Typical SNMP Configuration.
Choose corresponding materials based on the device model. Sx700 series is used here as an example.
