This section describes how to specify which NMSs may manage a device and which MIB objects they may manage over SNMPv3, so that access is limited to the stations and objects that actually need it.
When multiple NMSs in the same SNMPv3 user group manage one device, choose the configuration that matches your scenario from the following table.
| Scenario | Steps |
|---|---|
| All NMSs in this SNMPv3 user group have the right of the ViewDefault view. | No action required. |
| Specified NMSs in this SNMPv3 user group have the right of the ViewDefault view. | Configure an ACL that permits only the specified NMSs and bind it to the group (acl acl-number in the snmp-agent group v3 command). No MIB view needs to be configured; the group keeps the ViewDefault view. |
| All NMSs in this SNMPv3 user group manage specified objects on the managed devices. | Configure a MIB view with snmp-agent mib-view and bind it to the group with read-view, write-view, or notify-view. No ACL needs to be configured. |
| Specified NMSs in this SNMPv3 user group manage specified objects on the managed devices. | Configure both the MIB view and the ACL, and bind both to the group in the snmp-agent group v3 command. |
system-view
snmp-agent mib-view { excluded | included } view-name oid-tree
By default, the NMS can read the MIB nodes in the ViewDefault view (1.3.6.1), which includes the mib-2 subtree 1.3.6.1.2.1. To give the NMS access to other nodes, or to restrict it to a subset, run the snmp-agent mib-view command to define the view and then bind the view to the SNMPv3 group. After the configuration is complete, the NMS can operate on all MIB nodes in the view, and only on those.
Specify excluded when some MIB objects on the device, or some objects already in the current MIB view, do not or no longer need to be managed by the NMS; the objects under oid-tree are removed from the view.
Specify included when MIB objects on the device need to be managed by the NMS; the objects under oid-tree are added to the view. A view can hold several entries, and the most specific entry covering an object decides, so an excluded subtree nested inside an included one hides only that subtree.
snmp-agent acl acl-number
By default, no SNMP ACL is configured, so any NMS that knows valid credentials can reach the SNMP agent.
The ACL configured with snmp-agent acl takes precedence over ACLs bound to SNMP groups and SNMP users.
snmp-agent group v3 group-name { authentication | privacy | noauthentication } [ read-view read-view | write-view write-view | notify-view notify-view ]* [ acl acl-number ]
If the NMS or the devices are on an insecure network, configure privacy in this command so that every message is both authenticated and encrypted.
Configure read-view when the NMS administrator needs only read permission in the specified view, for example a low-level administrator who needs to read certain data. Configure write-view when the NMS administrator needs read and write permission in the specified view, for example a high-level administrator who needs to read and write certain data.
Configure notify-view to filter out irrelevant alarms so that the managed device sends only the alarms of specified MIB objects to the NMS. When this parameter is configured, only alarms for the MIB objects in notify-view are sent to the NMS. For the filtering policy to take effect, you must also configure notify-filter-profile in the snmp-agent target-host trap command when configuring the NMS.
The security level determines what the agent checks on each message: with noauthentication, neither authentication nor encryption is performed, so the traffic can be read and forged by anyone on the path; with authentication, messages are authenticated but sent in cleartext; with privacy, messages are both authenticated and encrypted. Use privacy unless there is a specific reason not to. For details, see the authentication and encryption selection guide.
If the NMSs in an SNMPv3 user group only need access to the objects in the ViewDefault view (1.3.6.1), do not configure [ read-view read-view | write-view write-view | notify-view notify-view ]; the group uses the ViewDefault view. To allow only some of those NMSs to use the group, add acl acl-number.
If all NMSs in the same SNMPv3 user group need to manage specified objects on the device, configure the MIB view with read-view, write-view, or notify-view and do not configure acl acl-number.
If only some of the NMSs in the same SNMPv3 user group need to manage specified objects on the device, configure both the MIB view and acl acl-number in the command.
If the NMS or the devices are on an insecure network, configure authentication-mode and privacy-mode for the user in the snmp-agent usm-user v3 command so that the user's messages are authenticated and encrypted.
3DES and DES56 are less secure than AES; AES128 or higher is recommended for privacy-mode.
To improve system security, use different passwords for authentication and for encryption for each SNMP user, so that a compromise of one does not reveal the other.
After the access rights are configured, and in particular after the NMS IP addresses have been fixed in an ACL, any change to those addresses (for example, the NMS moves, or addresses are reallocated during a network adjustment) must be reflected in the ACL; otherwise the NMS can no longer access the device. An ACL only restricts which source addresses may use the group or user; it complements, and does not replace, authentication and privacy.
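The following added example (not code from the device documentation) shows what the combination of MIB view, ACL, and group configured above actually permits. It parses a small, constructed configuration written in the page's command syntax for the last table row (only the NMSs in 192.0.2.0/29 may use the group, they may read mib-2 except the ip subtree, and may write only the ifAdminStatus column) and answers whether an NMS at a given source address may read or write a given OID through that group. View evaluation follows the VACM rule that the longest configured subtree containing the OID decides, which is why an excluded entry only wins when it is more specific than the included one. The ACL model (first matching rule wins, non-matching sources denied) and the treatment of an omitted write-view as "no write access" are simplifying assumptions of this example, not statements about the device; all view, group, and ACL names are illustrative.

```python
"""Offline check of what an SNMPv3 group's view plus ACL actually permits."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed configuration in the page's command syntax (names and numbers are examples).
CONFIG = """
acl 2001
 rule 5 permit source 192.0.2.0 0.0.0.7
 rule 10 deny
snmp-agent mib-view included mgmt 1.3.6.1.2.1
snmp-agent mib-view excluded mgmt 1.3.6.1.2.1.4
snmp-agent mib-view included ifadmin 1.3.6.1.2.1.2.2.1.7
snmp-agent group v3 ifops privacy read-view mgmt write-view ifadmin acl 2001
"""


@dataclass
class ViewEntry:
    included: bool
    subtree: tuple


@dataclass
class AclRule:
    permit: bool
    source: Optional[int]   # None means "any source"
    wildcard: int           # inverse mask: 1 bits are ignored when matching


@dataclass
class Group:
    level: str
    read_view: Optional[str]
    write_view: Optional[str]
    notify_view: Optional[str]
    acl: Optional[str]


@dataclass
class Policy:
    views: dict = field(default_factory=dict)
    acls: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)


def oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))


def parse_config(text):
    """Parse only the four line types this example needs; anything else is an error."""
    policy, current_acl = Policy(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.fullmatch(r"acl (\d+)", line):
            current_acl = m.group(1)
            policy.acls.setdefault(current_acl, [])
        elif m := re.fullmatch(r"rule \d+ (permit|deny)(?: source (\S+) (\S+))?", line):
            src = int(ipaddress.IPv4Address(m.group(2))) if m.group(2) else None
            wild = int(ipaddress.IPv4Address(m.group(3))) if m.group(3) else 0
            policy.acls[current_acl].append(AclRule(m.group(1) == "permit", src, wild))
        elif m := re.fullmatch(r"snmp-agent mib-view (included|excluded) (\S+) ([\d.]+)", line):
            policy.views.setdefault(m.group(2), []).append(
                ViewEntry(m.group(1) == "included", oid(m.group(3))))
        elif m := re.fullmatch(r"snmp-agent group v3 (\S+) (authentication|privacy|noauthentication)(.*)", line):
            opts = dict(re.findall(r"(read-view|write-view|notify-view|acl) (\S+)", m.group(3)))
            policy.groups[m.group(1)] = Group(m.group(2), opts.get("read-view"), opts.get("write-view"),
                                              opts.get("notify-view"), opts.get("acl"))
        else:
            raise ValueError(f"unsupported line in this example parser: {line!r}")
    return policy


def in_view(policy, view_name, target):
    """VACM decision: the most specific matching subtree decides; no match means not in view.
    ViewDefault is modelled as 'included 1.3.6.1', as the page describes it."""
    entries = policy.views.get(view_name)
    if entries is None:
        entries = [ViewEntry(True, oid("1.3.6.1"))] if view_name == "ViewDefault" else []
    best = None
    for e in entries:
        if target[:len(e.subtree)] == e.subtree and (best is None or len(e.subtree) > len(best.subtree)):
            best = e
    return best is not None and best.included


def acl_permits(policy, acl_number, src_ip):
    if acl_number is None:          # no ACL bound to the group: every NMS may use it
        return True
    addr = int(ipaddress.IPv4Address(src_ip))
    for rule in policy.acls.get(acl_number, []):
        if rule.source is None or ((addr ^ rule.source) & ~rule.wildcard) == 0:
            return rule.permit
    return False                    # assumption of this model: no matching rule means deny


def check_access(policy, group_name, src_ip, operation, target_oid):
    """Return (allowed, reason) for a read/write/notify of target_oid via the group."""
    group = policy.groups[group_name]
    if not acl_permits(policy, group.acl, src_ip):
        return False, f"source {src_ip} rejected by acl {group.acl}"
    view = {"read": group.read_view, "write": group.write_view, "notify": group.notify_view}[operation]
    if view is None and operation == "read":
        view = "ViewDefault"        # page: a group with no view parameters uses ViewDefault
    if view is None:
        return False, f"group has no {operation} view"   # assumption: omitted write/notify view denies
    if in_view(policy, view, oid(target_oid)):
        return True, f"{target_oid} is in {operation}-view {view}"
    return False, f"{target_oid} is not in {operation}-view {view}"


if __name__ == "__main__":
    p = parse_config(CONFIG)
    for ip, op, target in [("192.0.2.5", "read", "1.3.6.1.2.1.1.5.0"),            # sysName: allowed
                           ("192.0.2.5", "read", "1.3.6.1.2.1.4.21.1.1.0.0.0.0"),  # ipRouteTable: excluded
                           ("192.0.2.5", "write", "1.3.6.1.2.1.2.2.1.7.3"),        # ifAdminStatus.3: allowed
                           ("192.0.2.5", "write", "1.3.6.1.2.1.1.5.0"),            # sysName: not in write view
                           ("198.51.100.9", "read", "1.3.6.1.2.1.1.5.0")]:         # wrong source: ACL
        print(ip, op, target, check_access(p, "ifops", ip, op, target))
```

Running the script prints one decision per line. The second case is the one worth noticing: the route table sits under the included mib-2 subtree, yet the more specific excluded entry for 1.3.6.1.2.1.4 wins, which is exactly the behaviour of the excluded keyword described above. The last case is rejected before any view is consulted, because the ACL bound to the group does not match the source address.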