Restrict the SNMP access rights of an NMS

Created: Jan 18, 2020 02:10:54 | Latest reply: Jan 18, 2020 18:54:03
  Rewarded Hi-coins: 0 (problem resolved)
Hello
How can I restrict the SNMP access rights of an NMS on CE series switches?
Thanks

Featured Answers
wissal
MVE | Created Jan 18, 2020 05:55:17 | Helpful(5)

Hello,

There are two methods to restrict SNMP access rights: based on an ACL or MIB view. The two methods can be used together.

SNMP access rights based on an ACL control the access of NMSs to the switch using ACL rules. The ACL applied to SNMP follows these rules:
1. When permit is specified in an ACL rule, the NMS with the source IP address specified in the rule is allowed to access the switch.
2. When deny is specified in an ACL rule, the NMS with the source IP address specified in the rule is not allowed to access the switch.
3. If the packets from an NMS do not match any rule in an ACL, this NMS is denied access to the switch.
4. If an ACL does not have rules, any NMS is allowed to access the switch.
SNMP access control based on a MIB view specifies the MIB objects that NMSs can monitor and manage.
Detailed configurations for the two modes are shown below.



Configure SNMP access control based on ACL.
  • Configure ACL rules.
  • Specify ACL rules for the SNMP agent, community name, user group, or user name:
    • Run the snmp-agent acl acl-number command to configure the SNMP ACL. Only the NMS matching the rule can access the switch through the SNMP user.
    • Run the snmp-agent community { read | write } { community-name | cipher community-name } acl acl-number command to specify the ACL for an SNMP community name. After the command is executed, only the NMS using the specified community name and matching the ACL can access the switch.
    • Run the snmp-agent group v3 group-name { authentication | privacy | noauthentication } acl acl-number command to specify the ACL for an SNMPv3 user group. After the command is executed, only the NMS using a user name in the specified user group and matching the ACL can access the switch.
    • Run the snmp-agent usm-user v3 user-name acl acl-number command to specify the ACL for an SNMPv3 user. After the command is executed, only the NMS using the specified SNMPv3 user name and matching the ACL can access the switch.
Configure SNMP access control based on MIB view.
  • Run the snmp-agent mib-view { excluded | included } view-name oid-tree command to create a MIB view and specify the MIB objects that the NMS can monitor and manage.
  • Specify the MIB view for the SNMP community name or user group:
    • Run the snmp-agent community { read | write } { community-name | cipher community-name } mib-view view-name command to specify the MIB view for an SNMP community name. After the command is executed, the NMS using this community name can monitor and manage only the objects in the specified MIB view.
    • Run the snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ] * command to specify the MIB view for an SNMPv3 user group. After the command is executed, the NMS using a user name in this SNMPv3 user group can monitor and manage only the objects in the specified MIB view.

# Configure ACL 2001 to allow only the NMS on 192.168.1.0 to access the switch.

<HUAWEI> system-view
[~HUAWEI] acl 2001
[*HUAWEI-acl4-basic-2001] rule permit source 192.168.1.0 0.0.0.255
[*HUAWEI-acl4-basic-2001] rule deny source any
[*HUAWEI-acl4-basic-2001] commit
[~HUAWEI-acl4-basic-2001] quit

# Configure the MIB view named alliso, which includes the iso subtree.

[~HUAWEI] snmp-agent mib-view included alliso iso
[*HUAWEI] commit

# Allow some NMSs using the specified SNMP community name to access only the objects in the MIB view alliso on the switch.

[~HUAWEI] snmp-agent community write private_user mib-view alliso acl 2001
[*HUAWEI] commit

# Allow some NMSs using the user names in the specified SNMPv3 user group to access only the objects in the MIB view alliso on the switch.

[~HUAWEI] snmp-agent group v3 huawei_group privacy write-view alliso acl 2001
[*HUAWEI] commit

# Allow some NMSs using the user names in an SNMPv3 user group to manage the switch.

[~HUAWEI] snmp-agent usm-user v3 huawei_user acl 2001
[*HUAWEI] commit



Thanks
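As an added illustration, not code from the post or from Huawei, the following Python model applies the four ACL rules and the MIB view check described in the answer above to decide whether a given NMS address, OID and operation would be accepted. The wildcard-mask matching, the longest-match view semantics and the sample acl 2001 / alliso values are assumptions mirroring the post's example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model (hypothetical helper, not Huawei code) of the rules in the
# answer: ACL rules with VRP wildcard masks (0 bit = must match, 1 bit = don't
# care), a MIB view of included/excluded OID subtrees, and the community mode.

def _oid(tree):  # the post's view root "iso" is OID 1
    return tuple(int(x) for x in ("1" if tree == "iso" else tree).split("."))

@dataclass
class AclRule:
    action: str                # "permit" or "deny"
    source: str                # e.g. "192.168.1.0"; "any" matches everything
    wildcard: str = "0.0.0.0"

    def matches(self, ip):
        if self.source == "any":
            return True
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care
                == int(ipaddress.IPv4Address(self.source)) & care)

def acl_permits(rules, nms_ip):
    # Rules 1-4 of the answer: first match decides, no match denies,
    # and an ACL with no rules permits every NMS.
    if not rules:
        return True
    for rule in rules:
        if rule.matches(nms_ip):
            return rule.action == "permit"
    return False

def oid_in_view(view, oid):
    # view: list of ("included"|"excluded", oid-tree). The longest matching
    # subtree wins (VACM semantics); an OID under no subtree is hidden.
    target, best = _oid(oid), None
    for mode, tree in view:
        t = _oid(tree)
        if target[:len(t)] == t and (best is None or len(t) > len(best[1])):
            best = (mode, t)
    return best is not None and best[0] == "included"

def access_allowed(nms_ip, oid, op, acl, view, community_mode):
    # op is "read" or "write"; a write community also serves reads.
    if not acl_permits(acl, nms_ip) or (op == "write" and community_mode != "write"):
        return False
    return oid_in_view(view, oid)
# Constructed values mirroring the post: acl 2001 and the alliso view.
ACL_2001 = [AclRule("permit", "192.168.1.0", "0.0.0.255"), AclRule("deny", "any")]
VIEW_ALLISO = [("included", "iso")]
```

Adding an excluded subtree to the view list (for example an `("excluded", "1.3.6.1.6.3")` entry) shows how a deeper exclusion overrides the broad `included iso` root.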

Popeye_Wang
Admin | Created Jan 18, 2020 02:59:29 | Helpful(3)

Hello,

Configure the ACL to allow only the NMS that matches the ACL to access the managed device, and configure mib-view to limit the MIB nodes monitored and managed by the NMS.

The commands for SNMPv1/v2c and SNMPv3 are slightly different.

SNMPv1/v2c:

snmp-agent mib-view { excluded | included } view-name oid-tree

snmp-agent community { read | write } { community-name | cipher community-name } [ mib-view view-name | acl { acl-number | acl-name } ]

SNMPv3:

snmp-agent mib-view { excluded | included } view-name oid-tree

snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ] * [ acl { acl-number | acl-name } ]


For details see:

https://support.huawei.com/hedex/hdx.do?docid=EDOC1100101219&id=EN-US_TASK_0141116602&lang=en

https://support.huawei.com/hedex/hdx.do?docid=EDOC1100101219&id=EN-US_TASK_0141116610&lang=en

I hope this helps.


gabo.lr
Created Jan 18, 2020 12:17:17

Thanks for your answer!!
All Answers

gabo.lr
MVE | Created Jan 18, 2020 12:16:53 | Helpful(0)

Posted by wissal at 2020-01-17 16:55: Hello, There are two methods to restrict SNMP access rights: based on an ACL or MIB view. The two met ...
Thanks for your answer!!

lucian2003
Created Jan 18, 2020 17:15:44 | Helpful(0)

Great to share

Saqib123
Created Jan 18, 2020 18:53:54 | Helpful(0)

hmmm

Saqib123
Created Jan 18, 2020 18:54:03 | Helpful(0)

Good