HPE FlexNetwork MSR3012 User Manual

475 pages
You can use either of the following modes to control SNMPv3 user access to MIB objects:
• VACM—Controls user access to MIB objects by assigning the user to an SNMP group. For the
user to take effect, make sure the group has been created. An SNMP group contains
one or multiple users and specifies the MIB views and security model for the users. The
authentication and encryption algorithms for each user are specified when the user is created.
• RBAC—Controls user access to MIB objects by assigning user roles to the user. A user role
specifies the MIB objects accessible to the user and the operations that the user can perform on
the objects. After you create a user in RBAC mode, you can use the snmp-agent usm-user v3
user-role command to assign more user roles to the user. You can assign a maximum of 64
user roles to a user.
RBAC mode controls access on a per MIB object basis, and VACM mode controls access on a MIB
view basis. As a best practice to enhance MIB security, use RBAC mode.
You can execute the snmp-agent usm-user v3 command multiple times to create different SNMPv3
users in VACM mode. If you do not change the username each time, the most recent configuration
takes effect.
You can execute the snmp-agent usm-user v3 command in RBAC mode multiple times to assign
different user roles to an SNMPv3 user. The following restrictions and guidelines apply:
• If you specify only user roles but do not change any other settings each time, the snmp-agent
usm-user v3 command assigns different user roles to the user. Other settings remain
unchanged.
• If you specify user roles and also change other settings each time, the snmp-agent usm-user
v3 command assigns different user roles to the user. The most recent configuration for other
settings takes effect.
You can specify an ACL for the user and an ACL for the group to prevent illegitimate NMSs from
accessing the agent. Only the NMSs permitted by the ACLs for both the user and group can access
the SNMP agent. The following rules apply to the ACLs for the user and group:
• If you do not specify an ACL, the specified ACL does not exist, or the specified ACL does not
have any rules, all NMSs that use the username can access the SNMP agent.
• If you have specified an ACL and the ACL has rules, only the NMSs permitted by the ACL can
access the agent.
For more information about ACL, see ACL and QoS Configuration Guide.
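Under the ACL rules above, a mistyped ACL number or an ACL without rules leaves the user unfiltered rather than blocked. The following Python example is added here and is not part of the manual: it audits a constructed configuration excerpt and reports, for each SNMPv3 user, whether the user and group ACL checks are actually enforced and whether a given NMS address passes both. The acl <number> option on both commands, the acl basic / rule ... source syntax, and every name and address in the sample are assumptions for illustration.

```python
import ipaddress

# Constructed sample configuration (not from the manual). Assumed syntax:
# "acl <number>" on both snmp-agent commands, Comware-style basic ACLs.
SAMPLE_CONFIG = """\
acl basic 2000
 rule 0 permit source 10.1.1.0 0.0.0.255
acl basic 2001
snmp-agent group v3 testGroup authentication acl 2000
snmp-agent group v3 openGroup authentication
snmp-agent usm-user v3 testUser testGroup simple authentication-mode sha KEY-PLACEHOLDER acl 2000
snmp-agent usm-user v3 emptyAclUser testGroup simple authentication-mode sha KEY-PLACEHOLDER acl 2001
snmp-agent usm-user v3 ghostAclUser openGroup simple authentication-mode sha KEY-PLACEHOLDER acl 2999
"""

def acl_ref(tok):
    """Return the ACL number following the 'acl' keyword, or None."""
    return tok[tok.index("acl") + 1] if "acl" in tok else None

def parse(config):
    acls, groups, users, current = {}, {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) == 3:            # ACL definition header
            current = tok[2]
            acls[current] = []
        elif tok[0] == "rule" and current and "source" in tok:
            i = tok.index("source")
            acls[current].append((tok[2], tok[i + 1], tok[i + 2]))
        elif tok[:3] == ["snmp-agent", "group", "v3"]:
            groups[tok[3]] = acl_ref(tok)
        elif tok[:3] == ["snmp-agent", "usm-user", "v3"]:
            users[tok[3]] = (tok[4], acl_ref(tok))
    return acls, groups, users

def acl_permits(acls, ref, ip):
    """Return (permitted, enforced) for one ACL check."""
    rules = acls.get(ref) if ref else None
    if not rules:              # unspecified, nonexistent or empty: no filtering
        return True, False
    addr = int(ipaddress.IPv4Address(ip))
    for action, net, wildcard in rules:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(net)) & care:
            return action == "permit", True
    return False, True         # only NMSs permitted by the ACL get access

def audit(config, nms_ip):
    acls, groups, users = parse(config)
    report = {}
    for name, (group, user_acl) in users.items():
        u_ok, u_enf = acl_permits(acls, user_acl, nms_ip)
        g_ok, g_enf = acl_permits(acls, groups.get(group), nms_ip)
        report[name] = {"nms_allowed": u_ok and g_ok,
                        "user_acl_enforced": u_enf, "group_acl_enforced": g_enf}
    return report
```

Any user reported with both checks unenforced is reachable from every NMS that knows the username and keys, which is the case to fix first.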
Examples
In VACM mode:
# Create SNMPv3 group testGroup and specify the authentication without privacy security model for
the group. Add user testUser to the group. Specify authentication algorithm HMAC-SHA1 and
plaintext-form authentication key 123456TESTplat&! for the user.
<Sysname> system-view
[Sysname] snmp-agent group v3 testGroup authentication
[Sysname] snmp-agent usm-user v3 testUser testGroup simple authentication-mode sha 123456TESTplat&!
For an NMS to access the MIB objects in the default view, make sure the following configurations are the
same on both the NMS and the SNMP agent:
• SNMP protocol version.
• SNMPv3 username.
• Authentication algorithm and key.
# Create SNMPv3 group testGroup and specify the authentication with privacy security model for
the group. Add user testUser to the group. Specify authentication algorithm HMAC-SHA1,
encryption algorithm AES, plaintext-form authentication key 123456TESTauth&!, and plaintext-form
encryption key 123456TESTencr&! for the user.

HPE FlexNetwork MSR3012 Specifications

General
Brand: HPE
Model: FlexNetwork MSR3012
Category: Network Router
Language: English