How can I restrict the NMSs that can manage S series switches


You can use the following methods to restrict the NMSs that can manage S series switches (except the S1700). Each method binds an ACL to an SNMP object, so that only an NMS whose source address is permitted by that ACL is served:
1. For switches running any SNMP version, run the snmp-agent acl command to configure a global SNMP access control list (ACL). Only an NMS that matches the ACL can manage the switch through SNMP.
2. To restrict the NMSs that can manage switches running SNMPv1 or SNMPv2c by community name, run the snmp-agent community { read | write } { community-name | cipher community-name } acl acl-number command with an ACL specified. After the command is executed, only an NMS that uses the specified community name and matches this ACL can manage the switch.
3. To restrict the NMSs that can manage switches running SNMPv3 by user group or user, run the snmp-agent group v3 group-name { authentication | privacy | noauthentication } acl acl-number command or the snmp-agent usm-user v3 user-name acl acl-number command with an ACL specified. After the command is executed, only an NMS that uses the specified SNMPv3 user group or user and matches the ACL can manage the switch.

Note:
If the community name or SNMPv3 user name (the login user name) that the NMS presents in a request packet is not configured on the switch, the switch discards the packet and records an error log. The ACL is not checked in this case.
If the login user name is configured on the switch, the switch checks the request packet against the ACL. If the packet does not match the ACL, the switch records a log indicating a negative ACL match.

For example, run the following commands to restrict the NMSs that can manage the switch based on an SNMP community name.
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 10.1.1.2 0.0.0.0
[HUAWEI-acl-basic-2001] rule 6 deny source 10.1.1.1 0.0.0.0
[HUAWEI-acl-basic-2001] quit
[HUAWEI] snmp-agent community write huawei_user acl 2001
For example, run the following command to restrict the NMSs that can manage the switch based on an SNMPv3 user group.
[HUAWEI] snmp-agent group v3 huawei_group privacy acl 2001
For example, run the following command to restrict the NMSs that can manage the switch based on an SNMPv3 user.
[HUAWEI] snmp-agent usm-user v3 huawei_user acl 2001
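The three binding points above (community, SNMPv3 group, USM user) can be checked offline against a saved configuration before a change window. The Python script below is an added example written for this page, not code from Huawei or from the original answer. Both configuration texts, the ACL numbers, the group and user names and the cipher placeholder are constructed. It parses the ACL blocks and the snmp-agent lines and reports every principal that has no ACL bound, references an undefined or empty ACL, or references an ACL without a final explicit deny. Two points in it are assumptions of this example rather than statements from the page: that an ACL with no rules restricts nothing (confirm on your software version), and that an ACL should end with an explicit catch-all deny. ACL 2001 in the page's own example has no such rule, so a source matching neither rule 5 nor rule 6 falls through to whatever the device's default is; an explicit rule deny removes that ambiguity.

```python
"""Offline audit of SNMP access restrictions in a saved Huawei VRP configuration.

For every 'snmp-agent community', 'snmp-agent group v3' and 'snmp-agent usm-user v3'
line it checks that an ACL is bound, that the ACL is defined and has rules, and
that the ACL ends with an explicit catch-all deny. Example code only: names,
numbers and cipher placeholders below are constructed, not taken from a device.
"""
import re
from typing import Dict, List

# Constructed weak configuration: a write community and a v3 group without an
# ACL, a USM user bound to an empty ACL, and ACL 2001 without a final deny.
WEAK_CONFIG = """\
#
acl number 2001
 rule 5 permit source 10.1.1.2 0
 rule 6 deny source 10.1.1.1 0
#
acl number 2002
#
snmp-agent
snmp-agent community read cipher %^%#CONSTRUCTED-CIPHERTEXT%^%# acl 2001
snmp-agent community write cipher %^%#CONSTRUCTED-CIPHERTEXT%^%#
snmp-agent sys-info version v2c v3
snmp-agent group v3 huawei_group privacy acl 2001
snmp-agent group v3 ops_group authentication
snmp-agent usm-user v3 huawei_user acl 2001
snmp-agent usm-user v3 ops_user acl 2002
#
"""

# Constructed hardened configuration: every principal bound to ACL 2001, which
# permits the single NMS and then denies everything else explicitly.
HARDENED_CONFIG = """\
#
acl number 2001
 rule 5 permit source 10.1.1.2 0
 rule 10 deny
#
snmp-agent
snmp-agent acl 2001
snmp-agent community read cipher %^%#CONSTRUCTED-CIPHERTEXT%^%# acl 2001
snmp-agent community write cipher %^%#CONSTRUCTED-CIPHERTEXT%^%# acl 2001
snmp-agent sys-info version v3
snmp-agent group v3 huawei_group privacy acl 2001
snmp-agent usm-user v3 huawei_user acl 2001
#
"""

ACL_HEADER = re.compile(r"^acl(?: number)? (\d+)\b")
ACL_RULE = re.compile(r"^\s*rule (\d+) (permit|deny)\b(.*)$")
SNMP_PRINCIPAL = re.compile(
    r"^snmp-agent (community (?:read|write)|group v3|usm-user v3) (.*)$"
)
ACL_REF = re.compile(r"\bacl (\d+)\b")


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Map each ACL number to its rule lines (empty list for an ACL with no rules)."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls.setdefault(current, [])
        elif line.strip() == "#":
            current = None  # a lone '#' closes a view in saved VRP configs
        elif current is not None and ACL_RULE.match(line):
            acls[current].append(line.strip())
    return acls


def is_catch_all_deny(rule: str) -> bool:
    """True for a deny rule with no source qualifier (or 'source any')."""
    m = ACL_RULE.match(rule)
    if not m or m.group(2) != "deny":
        return False
    tail = m.group(3).strip()
    return tail == "" or tail.startswith("source any")


def audit_snmp_acls(config: str) -> List[str]:
    """Return one finding per weakly bound SNMP principal; [] means all are restricted."""
    acls = parse_acls(config)
    findings: List[str] = []
    for line in config.splitlines():
        m = SNMP_PRINCIPAL.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        # Community strings are secrets, so label communities by access type only;
        # v3 groups and users are identified by name.
        label = kind if kind.startswith("community") else f"{kind} {rest.split()[0]}"
        ref = ACL_REF.search(rest)
        if not ref:
            findings.append(f"{label}: no ACL bound, so any host with the credential is accepted")
            continue
        acl = ref.group(1)
        rules = acls.get(acl)
        if rules is None:
            findings.append(f"{label}: references ACL {acl}, which is not defined")
        elif not rules:
            findings.append(f"{label}: ACL {acl} has no rules, so it restricts nothing")
        elif not is_catch_all_deny(rules[-1]):
            findings.append(f"{label}: ACL {acl} has no final catch-all deny; "
                            "unmatched sources fall through to the device default")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_snmp_acls(cfg) or ['no findings']}")
```

Run it against the output of display current-configuration saved to a file; the weak sample yields six findings and the hardened one none. The script deliberately never prints community strings, since an audit report tends to travel further than the configuration it was generated from.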

For details on typical SNMP configuration examples, click S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples and choose Typical Network Management and Monitoring Configuration > Typical SNMP Configuration.
Choose the materials for your device model; the Sx700 series is used here as an example.

Other related questions:
Can ACLs on S series switches restrict time range
ACLs on S series switches can restrict time range. For example, you can use a Layer 2 ACL to restrict the PPPoE dial-up time segment on a switch. Run the time-range command to specify a time range, and reference the time range in a Layer 2 ACL rule.

Can S series switches be managed by the U2000
Only S1720-10GW-2P-E, S12700 series switches, and S9300 series switches can be managed by the U2000.

How to configure ARP entry restriction on S and E series switches
For S and E series switches (except S1700 switches): To prevent ARP entries from being exhausted by ARP attacks from a host connected to an interface on the device, set the maximum number of ARP entries that the interface can dynamically learn. When the number of ARP entries learned by the interface reaches the maximum, no further dynamic ARP entries are added.
# Configure VLANIF 10 to dynamically learn a maximum of 20 ARP entries.
[HUAWEI] vlan batch 10
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-limit maximum 20
# Configure Layer 2 interface GE0/0/1 to dynamically learn a maximum of 20 ARP entries from VLAN 10.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20
# Configure Layer 3 interface GE0/0/1 to dynamically learn a maximum of 20 ARP entries.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-limit maximum 20
The interfaces on some switch models cannot be switched between Layer 2 and Layer 3 mode with the undo portswitch command.
