SNMP Configuration

The SNMP configuration is managed using the snmp command from config mode. This command has several options which are collectively used to define VACM rules to grant access to clients.

SNMP Communities

An SNMP community in SNMPv1 and SNMPv2c is similar to a username and password in a single string. The community name is given by a client and checked against communities listed in the SNMP configuration. If the community is known, and the source of the request matches the source defined for the community, then the request continues on to have its access checked further.

Warning

SNMPv1 and SNMPv2c are not encrypted. Only allow access to the SNMP daemon from management networks or similar secure locations.

A community entry maps a traditional SNMP community name (e.g. public) to a VACM security name:

tnsr(config)# [no] snmp community community-name <community-name>
                                  source (<src-prefix>|default)
                                  security-name <security-name>

The following parameters are available:

community-name <community-name>

The name for this community.

Warning

The SNMP community name should be considered as a password. Do not use an easily guessed name, and keep the community name a secret from others. Do not transmit the community name over an insecure network.

source (<src-prefix>|default)

The IPv4 or IPv6 source network from which requests for this community will originate. For example, a management network.

The keyword default may also be used for the source, which allows a request from any source.

Warning

The best practice is to limit access by source so that only specific clients may access SNMP information. Avoid using default if at all possible.

security-name <security-name>

The VACM security name to which this community should be mapped. This name is then used in groups.

This command may be repeated multiple times. Thus, multiple sources can set be for the same community. It can also be used to setup more complex policies such as different sources for the same community being mapped to different security names, or mapping multiple communities/sources to the same security name.

SNMP Groups

A group defines a VACM group, which is a collection of security names that have the same level of access.

tnsr(config)# [no] snmp group group-name <group-name>
                              security-name <security-name>
                              security-model (any|v1|v2c)

The following parameters are available:

group-name <group-name>

The name of this group, which is used by access rules.

security-name <security-name>

The security name to add as a member of this group.

Note

In SNMPv1 and SNMPv2, the security name is mapped from a community entry (SNMP Communities). In future versions with SNMPv3, this may also be a SNMPv3 security name (e.g. USM username, TSM identity, etc).

security-model (any|v1|v2c)

The source of this security name, based on how its connection was authorized.

This command may be repeated to add multiple members to the same group.

SNMP Views

A view defines a subset of the entire SNMP object identifier (OID) tree. Multiple views with the same name may be defined to build a collection of OIDs to which groups may be granted access.

tnsr(config)# [no] snmp view view-name <view-name>
                             view-type (included|excluded)
                             oid <oid>

The following parameters are available:

view-name <view-name>

The name of this view. Used in access rules to grant read and write access to portions of the OID tree.

view-type (included|excluded)

Sets the type of view being defined.

included

When set, objects under oid will be included in the view.

excluded

When set, objects under oid will be excluded from the view.

oid <oid>

The base oid under which this view either includes or excludes objects. This may be specified numerically or using names known to the SNMP daemon from MIB files.

For example, the root OID .1 may also be given by its name .iso. Refer to MIB files for details.

This command may be repeated to define complex views which may include and exclude portions of the same OID hierarchy.

SNMP Access Rules

An access rule defines which views may be accessed by a given group. This ties together the other VACM entries, granting access to clients.

tnsr(config)# [no] snmp access group-name <group-name>
                               prefix (exact|prefix)
                               model (any|v1|v2c)
                               level (noauth|auth|priv)
                               read <read-view>
                               write <write-view>

The following parameters are available:

group-name <group-name>

The name of the group being granted access, as defined by VACM group entries (SNMP Groups).

prefix (exact|prefix)

Used by SNMPv3 to control how a context on the rule is applied to the context of the incoming connection. Since SNMPv3 is not yet supported, this must be set to exact.

model (any|v1|v2c)

The security model of the client connection, based on how its connection was authorized.

level (auth|noauth|priv)

The minimum security level at which this access rule will be allowed. Since SNMPv3 and transport security are not yet supported, this must be set to noauth.

read (<read-view>|none)

The name of the view (SNMP Views) to which matching clients will have read access. Use none to deny read access.

write (<write-view>|none)

The name of the view (SNMP Views) to which matching clients will have write access. Use none to deny write access.