SNMP Configuration
The SNMP configuration is managed using the snmp command from config mode. This command has several options which are collectively used to define View-based Access Control Model (VACM) rules to grant access to clients. A request is checked in stages: a community entry maps the request to a security name, a group collects security names with the same level of access, a view defines a subset of the OID tree, and an access rule grants a group read and/or write access to views.
Note
TNSR automatically restarts the SNMP service when making changes to the SNMP configuration. The SNMP service will be momentarily unavailable while the service is reloading with the new configuration.
Tip
Basic system information for SNMP such as contact (sysContact), location (sysLocation), description (sysDescr), and hostname (sysName) is pulled from the values configured using the system command. See Basic System Information for information on setting these values.
SNMP Communities
An SNMP community in SNMPv1 and SNMPv2c serves as both username and password, combined in a single string. The community name is given by a client and checked against the communities listed in the SNMP configuration. If the community is known, and the source of the request matches the source defined for the community, then the request continues on to have its access checked further by the group, view, and access rules.
Warning
SNMPv1 and SNMPv2c are not encrypted, and the community name is carried in cleartext in every request. Only allow access to the SNMP daemon from management networks or similar secure locations.
A community entry maps a traditional SNMP community name (e.g. public) to a VACM security name:
tnsr(config)# [no] snmp community community-name <community-name> source (<src-prefix>|default) security-name <security-name>
The following parameters are available:
- community-name <community-name>:
The name for this community.
Warning
The SNMP community name should be treated as a password. Do not use an easily guessed name, and keep the community name a secret from others. Do not transmit the community name over an insecure network.
- source (<src-prefix>|default):
The IPv4 or IPv6 source network from which requests for this community will originate, for example a management network. The keyword default may also be used for the source, which allows a request from any source.
Warning
The best practice is to limit access by source so that only specific clients may access SNMP information. Avoid using default if at all possible.
- security-name <security-name>:
The VACM security name to which this community should be mapped. This name is then used in groups.
This command may be repeated multiple times. Thus, multiple sources can be set for the same community. It can also be used to set up more complex policies, such as different sources for the same community being mapped to different security names, or mapping multiple communities/sources to the same security name.
SNMP Groups
A group defines a VACM group, which is a collection of security names that have the same level of access.
tnsr(config)# [no] snmp group group-name <group-name> security-name <security-name> security-model (any|v1|v2c)
The following parameters are available:
- group-name <group-name>:
The name of this group, which is used by access rules.
- security-name <security-name>:
The security name to add as a member of this group.
Note
In SNMPv1 and SNMPv2c, the security name is mapped from a community entry (SNMP Communities). In future versions with SNMPv3, this may also be an SNMPv3 security name (e.g. USM username, TSM identity, etc).
- security-model (any|v1|v2c):
The security model under which this security name was authorized, that is, the SNMP version of the client connection. Use any to match either version.
This command may be repeated to add multiple members to the same group.
SNMP Views
A view defines a subset of the entire SNMP object identifier (OID) tree. Multiple view entries with the same name may be defined to build a collection of OIDs to which groups may be granted access.
tnsr(config)# [no] snmp view view-name <view-name> view-type (included|excluded) oid <oid>
The following parameters are available:
- view-name <view-name>:
The name of this view. Used in access rules to grant read and write access to portions of the OID tree.
- view-type (included|excluded):
Sets the type of view entry being defined.
- included:
When set, objects under oid will be included in the view.
- excluded:
When set, objects under oid will be excluded from the view.
- oid <oid>:
The base oid under which this view either includes or excludes objects. This may be specified numerically or using names known to the SNMP daemon from MIB files. For example, the root OID .1 may also be given by its name, iso. Refer to MIB files for details.
This command may be repeated to define complex views which may include and exclude portions of the same OID hierarchy. As in standard VACM, when an OID falls under both an included and an excluded entry of the same view, the entry with the most specific (longest) OID prefix decides, so a view can include .1 and still exclude a sensitive subtree beneath it.
SNMP Access Rules
An access rule defines which views may be accessed by a given group. This ties together the other VACM entries, granting access to clients.
tnsr(config)# [no] snmp access group-name <group-name> prefix (exact|prefix) model (any|v1|v2c) level (noauth|auth|priv) read (<read-view>|none) write (<write-view>|none)
The following parameters are available:
- group-name <group-name>:
The name of the group being granted access, as defined by VACM group entries (SNMP Groups).
- prefix (exact|prefix):
Used by SNMPv3 to control how a context on the rule is applied to the context of the incoming connection. Since SNMPv3 is not yet supported, this must be set to exact.
- model (any|v1|v2c):
The security model of the client connection, based on how its connection was authorized. Use any to match either version.
- level (noauth|auth|priv):
The minimum security level at which this access rule will be allowed. Since SNMPv3 and transport security are not yet supported, this must be set to noauth.
- read (<read-view>|none):
The name of the view (SNMP Views) to which matching clients will have read access. Use none to deny read access.
- write (<write-view>|none):
The name of the view (SNMP Views) to which matching clients will have write access. Use none to deny write access. Write access should be granted only to a view that is as narrow as the task requires, since any client that knows the community and is within the source prefix may modify those objects.
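The following session ties the four entry types together. It is an added example, not configuration taken from the TNSR documentation or product; the community strings, security names, group and view names, and the 10.100.0.0/24, 10.100.0.10/32 and 2001:db8:100::/64 prefixes are all assumptions chosen for illustration, and the no forms repeat the full entry as shown in the syntax above. The first stanza is the weak configuration the warnings above advise against: a guessable community, reachable from any source, reading the entire OID tree. The second stanza removes it, and the third replaces it with a read-only monitoring community restricted to two management prefixes, a separate read-write community restricted to a single host, a narrow view for monitoring, and a broad view that explicitly excludes the subtrees that would expose the SNMP security configuration itself.

```text
tnsr(config)# snmp community community-name public source default security-name anyone
tnsr(config)# snmp group group-name everyone security-name anyone security-model any
tnsr(config)# snmp view view-name everything view-type included oid .1
tnsr(config)# snmp access group-name everyone prefix exact model any level noauth read everything write none

tnsr(config)# no snmp access group-name everyone prefix exact model any level noauth read everything write none
tnsr(config)# no snmp group group-name everyone security-name anyone security-model any
tnsr(config)# no snmp view view-name everything view-type included oid .1
tnsr(config)# no snmp community community-name public source default security-name anyone

tnsr(config)# snmp community community-name Qm4x-ro-51wv source 10.100.0.0/24 security-name mon-ro
tnsr(config)# snmp community community-name Qm4x-ro-51wv source 2001:db8:100::/64 security-name mon-ro
tnsr(config)# snmp community community-name Qm4x-rw-n7Ke source 10.100.0.10/32 security-name mon-rw
tnsr(config)# snmp group group-name monitoring security-name mon-ro security-model v2c
tnsr(config)# snmp group group-name operators security-name mon-rw security-model v2c
tnsr(config)# snmp view view-name sys-if view-type included oid .1.3.6.1.2.1.1
tnsr(config)# snmp view view-name sys-if view-type included oid .1.3.6.1.2.1.2
tnsr(config)# snmp view view-name sys-if view-type included oid .1.3.6.1.2.1.31
tnsr(config)# snmp view view-name no-secrets view-type included oid .1
tnsr(config)# snmp view view-name no-secrets view-type excluded oid .1.3.6.1.6.3.15
tnsr(config)# snmp view view-name no-secrets view-type excluded oid .1.3.6.1.6.3.16
tnsr(config)# snmp view view-name no-secrets view-type excluded oid .1.3.6.1.6.3.18
tnsr(config)# snmp access group-name monitoring prefix exact model v2c level noauth read sys-if write none
tnsr(config)# snmp access group-name operators prefix exact model v2c level noauth read no-secrets write sys-if
```

In the hardened stanza the same read-only community is listed twice so that it is accepted from both an IPv4 and an IPv6 management prefix, and both entries map to the single security name mon-ro; the read-write community maps to mon-rw and is accepted only from one host. The sys-if view covers the system group (.1.3.6.1.2.1.1), the interfaces group (.1.3.6.1.2.1.2) and the IF-MIB extensions (.1.3.6.1.2.1.31). The no-secrets view includes the whole tree under .1 but excludes the USM (.1.3.6.1.6.3.15), VACM (.1.3.6.1.6.3.16) and SNMP-COMMUNITY-MIB (.1.3.6.1.6.3.18) modules, because the longest-prefix rule for view entries means those exclusions override the .1 inclusion and a reader cannot enumerate the agent's own community, group and view configuration. Operators get write access only to sys-if, which limits writable objects to those in the system and interface groups. To check the result from a host inside 10.100.0.0/24, walk the system group with a net-snmp client (snmpwalk -v2c with the read-only community against the TNSR address and .1.3.6.1.2.1.1); the same walk from a host outside the prefix, or with the wrong community, receives no reply, and a walk of .1.3.6.1.6.3.18 with the read-write community returns nothing from the excluded subtree.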