• Role based access control—RBAC mode controls access to MIB objects by assigning user
roles to SNMP communities.
  - The network-admin, mdc-admin, and level-15 user roles have read and write access to
    all MIB objects.
  - The network-operator and mdc-operator user roles have read-only access to all
    MIB objects.
For more information about user roles, see Fundamentals Configuration Guide.
RBAC mode controls access on a per MIB object basis, and VACM mode controls access on a MIB
view basis. As a best practice to enhance MIB security, use RBAC mode.
You can create a maximum of 10 SNMP communities by using the snmp-agent community
command.
If you execute the command multiple times with the same community name but different
settings each time, the most recent configuration takes effect.
To set and save a community name in plain text, do not specify the simple or cipher keyword.
The ACL is used to filter out illegitimate NMSs:
• If you do not specify an ACL, the specified ACL does not exist, or the specified ACL does not
have any rules, all NMSs that use the community name can access the SNMP agent.
• If you specify an ACL and the ACL has rules, only NMSs permitted by the ACL can access the
SNMP agent.
For more information about ACL, see ACL and QoS Configuration Guide.
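The ACL rules above mean that a community whose ACL is unspecified, nonexistent, or empty is open to every NMS that knows the community name. The following audit script is an added example, not part of the original guide; it checks configuration text for such communities. The sample configuration is constructed, and the `acl <number>` option form on the community command, the community names emptyacl and ghostacl, and ACLs 2002 and 2999 are assumptions for illustration.

```python
import re

# Constructed sample input in the command form used on this page (assumption:
# the community command takes a trailing "acl <number>" option).
SAMPLE_CONFIG = """\
acl basic 2001
 rule permit source 1.1.1.1 0.0.0.0
 rule deny source any
acl basic 2002
snmp-agent community read simple readaccess
snmp-agent community write simple writeaccess acl 2001
snmp-agent community read simple emptyacl acl 2002
snmp-agent community write simple ghostacl acl 2999
"""

ACL_RE = re.compile(r"^acl\s+(?:basic|advanced)\s+(\d+)")
RULE_RE = re.compile(r"^\s*rule\b")
COMM_RE = re.compile(
    r"^snmp-agent community\s+(read|write)\s+(?:(?:simple|cipher)\s+)?(\S+)(.*)$")

def audit_communities(config):
    """Return {community: (access, reason)} for communities any NMS can use."""
    acl_rules = {}       # ACL number -> number of rules defined under it
    current = None       # ACL whose rule lines are currently being read
    communities = []     # (name, access, acl number or None)
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            current = m.group(1)
            acl_rules.setdefault(current, 0)
            continue
        if current and RULE_RE.match(line):
            acl_rules[current] += 1
            continue
        current = None
        m = COMM_RE.match(line)
        if m:
            acl = re.search(r"\bacl\s+(\d+)", m.group(3))
            communities.append((m.group(2), m.group(1), acl.group(1) if acl else None))
    findings = {}
    for name, access, acl in communities:
        if acl is None:
            findings[name] = (access, "no ACL specified")
        elif acl not in acl_rules:
            findings[name] = (access, f"ACL {acl} does not exist")
        elif acl_rules[acl] == 0:
            findings[name] = (access, f"ACL {acl} has no rules")
    return findings
```

Findings on write communities deserve attention first, because an unfiltered write community lets any NMS that knows the name set MIB objects.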
You can also create an SNMP community by using the snmp-agent usm-user { v1 | v2c } and
snmp-agent group { v1 | v2c } commands. These two commands create an SNMPv1 or SNMPv2c
user and the group to which the user is assigned. The system automatically creates an SNMP
community by using the SNMPv1 or SNMPv2c username.
Examples
# Create the read-only community readaccess in plain text so an SNMPv1 or SNMPv2c NMS can
use the community name readaccess to read the MIB objects in the default view ViewDefault.
<Sysname> system-view
[Sysname] snmp-agent sys-info version v1 v2c
[Sysname] snmp-agent community read simple readaccess
# Create the read and write community writeaccess in plain text so only the SNMPv2c NMS at
1.1.1.1 can use the community name writeaccess to read or set the MIB objects in the default view
ViewDefault.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[Sysname-acl-ipv4-basic-2001] rule deny source any
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] snmp-agent sys-info version v2c