Setting up SNMPv3 Access on the N-Series

Updated 5 years ago
Article ID: 5086 

Products
Matrix N-Series DFE 

Protocols/Features
SNMP
SNMPv3 

Goals
Configure for SNMPv3
Sample configuration 

Solution
The default SNMP configuration for the DFE includes a single community name - "public" - which grants read-write access to the whole MIB tree for both SNMPv1 and SNMPv2c.
See 5245 for more about this, and about configuring SNMPv1.
See 5610 about configuring SNMP views.
See 5390 about configuring SNMPv3 informs/traps. 

If you wish to create an SNMPv3 user, then here is a quick sample configuration to use as a template. This creates a group "SystemAdmin" which has read-only access to the whole MIB tree using authentication but not privacy (encryption), read-write access to the whole MIB (with trap capability) using both authentication and privacy, or read-only access when using neither authentication nor privacy. 

# Set up access rules for group "SystemAdmin".
set snmp access SystemAdmin security-model usm authentication read All write All
set snmp access SystemAdmin security-model usm privacy read All write All notify All
set snmp access SystemAdmin security-model usm noauthentication read All

Note1: The above use of the parameter "usm" invokes the SNMPv3 User Model. The other possibilities are "v2c" for SNMPv2 and "v1" for SNMPv1.
Note2: The above use of the parameter "All" refers to the MIB view defined by the 'set snmp view viewname All subtree 1' command, present by default. This is case sensitive, and must exactly correspond to any view name which defines the portion of the MIBs that may be accessed. The predefined "All" view permits users to access MIB OID branch "1=iso" - effectively, the whole MIB tree.
Note3: Typically only a single access command is utilized per group, except when router context (see below) comes into play. 

# Map user "MyUserName" into the "SystemAdmin" group.
set snmp group SystemAdmin user MyUserName security-model usm

# Create the user "MyUserName" who will utilize MD5 authentication.
set snmp user MyUserName authentication md5 myauthpass privacy myprivpass

On the DFE, the above configured rules give access to only the switching elements of the device (5232). To give the same user access to all the router contexts, also add the following commands. Optionally, you can add granularity by referencing "router1" or "router2", instead of the more general term "router". 

set snmp access SystemAdmin security-model usm authentication context router read All write All
set snmp access SystemAdmin security-model usm privacy context router read All write All notify All
set snmp access SystemAdmin security-model usm noauthentication context router read All

See the Matrix DFE Configuration Guide for more detail.
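To review what each security level is actually granted before applying a template like this, the access rules can be parsed and checked offline. The following is an added example, not part of the original article or vendor tooling: it handles only the `set snmp access ... security-model usm ...` forms shown above, and the function names and the two policy checks (any view at noauthentication, write below privacy) are this example's assumptions.

```python
import shlex

LEVELS = ("noauthentication", "authentication", "privacy")
VIEW_KEYS = ("read", "write", "notify")

# Constructed sample: the article's access rules plus one router-context rule.
SAMPLE_CONFIG = """\
# Set up access rules for group "SystemAdmin".
set snmp access SystemAdmin security-model usm authentication read All write All
set snmp access SystemAdmin security-model usm privacy read All write All notify All
set snmp access SystemAdmin security-model usm noauthentication read All
set snmp access SystemAdmin security-model usm privacy context router read All write All notify All
"""

def parse_access(line):
    """Parse one 'set snmp access' line; return None for any other line."""
    tok = shlex.split(line, comments=True)
    if tok[:3] != ["set", "snmp", "access"]:
        return None
    rest = tok[7:]
    if len(tok) < 7 or tok[4] != "security-model" or tok[6] not in LEVELS or len(rest) % 2:
        raise ValueError(f"unrecognised access rule: {line.strip()!r}")
    rule = {"group": tok[3], "model": tok[5], "level": tok[6], "context": None,
            "read": None, "write": None, "notify": None}
    for key, value in zip(rest[0::2], rest[1::2]):
        if key not in ("context",) + VIEW_KEYS:
            raise ValueError(f"unexpected keyword {key!r} in: {line.strip()!r}")
        rule[key] = value
    return rule

def audit(config_text):
    """Return (rules, findings) for all access rules in config_text."""
    rules, findings = [], []
    for line in config_text.splitlines():
        try:
            rule = parse_access(line)
        except ValueError as err:
            findings.append(f"MALFORMED: {err}")
            continue
        if rule is None:
            continue
        rules.append(rule)
        where = f"group {rule['group']}, context {rule['context'] or 'switch'}"
        # Example policy (assumption): nothing should be granted without authentication.
        if rule["level"] == "noauthentication" and any(rule[k] for k in VIEW_KEYS):
            findings.append(f"UNAUTHENTICATED: {where}: views granted with no auth key")
        # Example policy (assumption): write access should require privacy.
        if rule["write"] and rule["level"] != "privacy":
            findings.append(f"WRITE-WITHOUT-PRIVACY: {where}: write at level {rule['level']}")
    return rules, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[1]:
        print(finding)
```

Rules without a `context` keyword are labelled "switch" here, following the article's statement that they cover only the switching elements.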
FAQ User, Official Rep

Posted 5 years ago