
Alcatel-Lucent 7450 - Page 308

SNMP Security Commands
Page 308 7450 ESS System Management Guide
excluded - All MIB subtree objects that are identified with a 1 in the mask are denied access in
the view. (Default: included).
Default included
snmp
Syntax snmp
Context config>system>security
Description This command creates the context to configure SNMPv1, SNMPv2, and SNMPv3 parameters.
src-access-list
Syntax src-access-list list-name
no src-access-list list-name
Context config>system>security>snmp
Description This command is used to identify a list of source IP addresses that can be used to validate SNMPv1
and SNMPv2c requests once the list is associated with one or more SNMPv1 and SNMPv2c
communities.
An src-access-list referenced by one or more community instances is used to verify the source IP
addresses of an SNMP request using the community regardless of which VPRN/VRF interface (or
‘Base’ interface) the request arrived on. For example, if an SNMP request arrives on an interface in
vprn 100 but the request is referencing a community, then the source IP address in the packet would
be validated against the src-access-list configured for the community. This occurs regardless of
whether the request is destined to a VPRN interface address and the VPRN has SNMP access
enabled, or the request is destined to the base system address via GRT leaking. If the request’s source
IP address does not match the ip-address of any of the src-hosts contained in the list, then the request
will be discarded and logged as an SNMP authentication failure.
Using src-access-list validation can have an impact on the time it takes for an SR OS node to reply to
an SNMP request. It is recommended to keep the lists short, including only the addresses that are
needed, and to place SNMP managers that send the highest volume of requests, such as the
5620 SAM, at the top of the list.
You can configure a maximum of 16 src-access-lists. Each src-access-list can contain a maximum of
16 src-hosts.
The no form of this command removes the named src-access-list. You cannot remove an
src-access-list that is referenced by one or more community instances.
Default none
Parameters list-name — Configures the name or key of the src-access-list. The list-name parameter must begin
with a letter (a-z or A-Z).
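
The Python sketch below is an added example, not part of the Alcatel-Lucent guide or SR OS. It checks a planned set of src-access-lists against the limits stated above and models the source-address decision for a request. The top-down comparison order is an assumption drawn from the advice to place busy managers at the top of the list; all list names, community names and addresses are constructed.

```python
# Added example: a model of the rules described above, not SR OS code.
import ipaddress
import re

MAX_LISTS = 16  # maximum number of src-access-lists
MAX_HOSTS = 16  # maximum number of src-hosts per list

# Constructed sample plan (documentation address ranges, hypothetical names).
LISTS = {"nms-hosts": ["192.0.2.10", "192.0.2.11"]}  # busiest manager first
COMMUNITIES = {"nms-ro": "nms-hosts"}                # community -> list-name

def validate_plan(lists, communities):
    """Return a list of problems in a planned configuration."""
    problems = []
    if len(lists) > MAX_LISTS:
        problems.append(f"{len(lists)} lists exceed the limit of {MAX_LISTS}")
    for name, hosts in lists.items():
        if not re.match(r"[A-Za-z]", name):
            problems.append(f"list-name {name!r} must begin with a letter")
        if len(hosts) > MAX_HOSTS:
            problems.append(f"{name!r}: {len(hosts)} src-hosts, limit {MAX_HOSTS}")
        for host in hosts:
            try:
                ipaddress.ip_address(host)
            except ValueError:
                problems.append(f"{name!r}: {host!r} is not an IP address")
    for community, ref in communities.items():
        if ref is None:
            problems.append(f"community {community!r} has no src-access-list")
        elif ref not in lists:
            problems.append(f"community {community!r}: undefined list {ref!r}")
    return problems

def check_request(lists, communities, community, src_ip, ingress="Base"):
    """Return (accepted, entries_compared) for one SNMPv1/v2c request.

    `ingress` is deliberately ignored: the check is the same whichever
    VPRN or Base interface the request arrived on.
    """
    if community not in communities:
        return False, 0  # unknown community
    ref = communities[community]
    if ref is None:
        return True, 0   # no list associated, so no source check applies
    src = ipaddress.ip_address(src_ip)
    for n, host in enumerate(lists[ref], start=1):  # assumed top-down order
        if ipaddress.ip_address(host) == src:
            return True, n
    return False, len(lists[ref])  # discard; logged as an authentication failure
```

The second value returned by check_request shows how many entries were compared before the decision, which is why short lists with the busiest managers first keep reply times down.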
