
(Optional) Controlling the NMS's Access to the Device

This section describes how to restrict which NMSs may reach the managed device over SNMP and which MIB objects they may read or write. An ACL (which NMS addresses are allowed) and a MIB view (which objects are visible) are bound to a community name, so that the community name alone no longer grants access to the whole device.

Context

When multiple NMSs using the same community name manage one device, perform this configuration based on the site requirements.

Scenario | Steps

All NMSs using this community name have access to the ViewDefault view (1.3.6.1). | No action required

Only specified NMSs using this community name have access to the ViewDefault view (1.3.6.1). | 1, 2, and 5

All NMSs using this community name manage only specified objects on the managed device. | 1, 3, and 5

Only specified NMSs using this community name manage only specified objects on the managed device. | 1, 2, 3, 4, and 5

Procedure

  1. Access the system view.

    system-view

  2. Configure a basic ACL.
    1. Run the acl [ number ] acl-number [ vpn-instance vpn-instance-name ] command to create a basic ACL.
    2. Run the rule [ rule-id ] { deny | permit } [ logging | source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | time-range time-name ] * [ description description ] command to define ACL rules.
    3. Run the quit command to return to the system view.
  3. Create a MIB view and specify manageable MIB objects.

    snmp-agent mib-view { excluded | included } view-name oid-tree

    By default, an NMS has permission to access all objects in the ViewDefault view (1.3.6.1), that is, the entire internet subtree.

    • If some MIB objects on the device, or some objects already in the current MIB view, must not (or no longer need to) be managed by the NMS, specify excluded to remove that OID subtree from the view.

    • If some MIB objects on the device need to be managed by the NMS, specify included to add that OID subtree to the view.

    Rules are applied to the subtree named by oid-tree, so a single excluded rule for a table hides every object under it.

  4. Configure an SNMP ACL.

    snmp-agent acl acl-number

    By default, no SNMP ACL is configured.

    SNMP ACLs take precedence over ACLs based on SNMP community names.

  5. Specify the NMS's access rights.

    snmp-agent community { read | write } { community-name | cipher community-name } [ acl acl-number | mib-view view-name ]*
    • Specify read if the NMS only needs to read objects in the view, for example when a low-level operator collects monitoring data. Specify write if the NMS needs both read and write access to objects in the view, for example when a high-level administrator changes settings through the NMS. Grant write only where it is actually required: a write community combined with a broad view lets its holder reconfigure the device.

    • cipher stores and displays the community name in cipher text in the configuration, which protects the saved configuration from disclosure. If cipher is configured, the administrator must remember the community name, because a forgotten community name cannot be recovered by querying the device. Note that cipher protects only the stored configuration: with SNMPv1 and SNMPv2c the community name is still carried in plaintext in every SNMP packet on the network.

    • If only some of the NMSs that use the community name need access to the objects in the ViewDefault view (1.3.6.1), configure acl acl-number; mib-view view-name does not need to be configured.

    • If all the NMSs that use the community name need to manage only specified objects on the device, configure mib-view view-name; acl acl-number does not need to be configured.

    • If only some of the NMSs that use the community name need to manage only specified objects on the device, configure both acl acl-number and mib-view view-name.
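The following is an added worked example, not configuration taken from the original page or from Huawei. It carries the last scenario in the table (steps 1, 2, 3, 4 and 5) through once, for a single read-only NMS that may see mib-2 but not the device's ARP cache. The NMS address 10.1.1.10, the ACL number 2001, the view name nms-ro and the community name Nms-Ro-2024 are assumptions chosen for illustration; the command forms are the ones listed in the procedure above.

```text
# Added example (not from the original page): full configuration for the
# "specified NMSs manage specified objects" scenario (steps 1 to 5).
# 10.1.1.10, ACL 2001, view nms-ro and the community name are assumptions.
system-view

# Step 2: basic ACL that permits only the NMS host (wildcard 0 = exact host).
# The explicit deny rule documents the intent and avoids relying on the
# platform's default action for packets that match no rule.
acl 2001
 rule 5 permit source 10.1.1.10 0
 rule 10 deny source any
 quit

# Step 3: MIB view that exposes the mib-2 subtree (1.3.6.1.2.1) but hides the
# ARP cache (ipNetToMediaTable, 1.3.6.1.2.1.4.22), so the NMS cannot
# enumerate the device's IP-to-MAC mappings. Rules apply to whole subtrees.
snmp-agent mib-view included nms-ro 1.3.6.1.2.1
snmp-agent mib-view excluded nms-ro 1.3.6.1.2.1.4.22

# Step 4: SNMP ACL applied to all SNMP access to the device, regardless of
# which community name is presented.
snmp-agent acl 2001

# Step 5: read-only community, stored as cipher text, restricted to the
# permitted NMS and to the nms-ro view. No write community is created for
# this NMS. Compare the weak default this replaces, which would have been a
# read community with no acl and no mib-view, i.e. full ViewDefault access
# from any source address.
snmp-agent community read cipher Nms-Ro-2024 acl 2001 mib-view nms-ro
```

Two checks are worth running after this: from a host that is not 10.1.1.10, an SNMP GET with the community name should receive no answer (the ACL drops it before the community is evaluated), and from 10.1.1.10 a walk of 1.3.6.1.2.1.4.22 should return no objects while a walk of 1.3.6.1.2.1.1 (the system group) succeeds. If the walk from the permitted host also fails, verify the ACL rules and the view contents on the device before assuming a network problem.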

Follow-up Procedure

After the access rights are configured, and in particular once the ACL restricts access to specific NMS IP addresses, any change to an NMS address (for example, the NMS is moved, or addresses are reallocated during a network adjustment) must be reflected in the ACL rules. Otherwise the NMS is silently denied and can no longer access the device.

Copyright © Huawei Technologies Co., Ltd.