HP 6125G HP Networking guide to hardening Comware-based devices - Page 12


snmp-agent community write READWRITE acl 2002
#
For more information, see the snmp-agent community command in “SNMP” in the Network Management and Monitoring Command Reference Guide.
SNMP Views
SNMP views are a security feature that permits or denies access to subtrees of the SNMP MIB. The included keyword adds a subtree to the named view and the excluded keyword removes a subtree from it. Once a view is created and applied to a community string with the snmp-agent community command, any access to MIB data through that community is restricted to the objects that the view permits. Where appropriate, use views to limit SNMP users to the data that they require. A view restricts which objects are reachable, but it does not protect the community string itself, which SNMPv1 and SNMPv2c still send in cleartext, so combine it with an ACL on the community (as in the READWRITE example above) and prefer SNMPv3 wherever the management station supports it.
The configuration example that follows restricts SNMP access with the community string LIMITED to the MIB data that is located in the system group (1.3.6.1.2.1.1):
#
snmp-agent mib-view included VIEW-SYSTEM-ONLY system
#
snmp-agent community read LIMITED mib-view VIEW-SYSTEM-ONLY
#
For more information, see “SNMP” in the Network Management and Monitoring Command Reference Guide.
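To check what a view actually exposes before it is applied to a community or group, the following added example (not from the HP guide) models the included/excluded view semantics in Python: the longest configured subtree that is a prefix of the requested OID decides, and an OID that matches no subtree is outside the view. VIEW-SYSTEM-ONLY is the view from the page; the second view, its name, and the probe OIDs are constructed for the example.

```python
"""Added example: evaluate which OIDs a Comware-style SNMP MIB view exposes.

Models snmp-agent mib-view { included | excluded } as RFC 3415 view
families without masks: the longest subtree that is a prefix of the
requested OID wins; no matching subtree means access is denied.
"""
from typing import Dict, Iterable, Tuple

Oid = Tuple[int, ...]

# "system" is the only name the guide uses on the CLI; the others are
# standard MIB-2 / SNMPv3 subtrees added for this example.
NAMED_SUBTREES = {
    "iso": "1",
    "system": "1.3.6.1.2.1.1",       # MIB-2 system group
    "interfaces": "1.3.6.1.2.1.2",   # MIB-2 interfaces group
    "usmMIB": "1.3.6.1.6.3.15",      # SNMP-USER-BASED-SM-MIB (SNMPv3 users)
    "vacmMIB": "1.3.6.1.6.3.16",     # SNMP-VIEW-BASED-ACM-MIB (access tables)
}


def parse_oid(text: str) -> Oid:
    """Accept a dotted OID or one of the names in NAMED_SUBTREES."""
    text = NAMED_SUBTREES.get(text, text)
    return tuple(int(part) for part in text.strip(".").split("."))


class MibView:
    """One named view: a set of included/excluded subtree families."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.families: Dict[Oid, bool] = {}  # subtree -> True if included

    def add(self, kind: str, subtree: str) -> "MibView":
        """Mirror 'snmp-agent mib-view {included|excluded} NAME SUBTREE'."""
        if kind not in ("included", "excluded"):
            raise ValueError(f"unknown view type {kind!r}")
        self.families[parse_oid(subtree)] = kind == "included"
        return self

    def allows(self, oid: str) -> bool:
        """True if a GET/SET on this OID falls inside the view."""
        target = parse_oid(oid)
        best_len, best_included = -1, False   # default: not in view
        for subtree, included in self.families.items():
            if target[: len(subtree)] == subtree and len(subtree) > best_len:
                best_len, best_included = len(subtree), included
        return best_included


# The view from the guide: only the system group is visible.
VIEW_SYSTEM_ONLY = MibView("VIEW-SYSTEM-ONLY").add("included", "system")

# Constructed broader view (assumed name): everything except the SNMPv3
# user and access-control tables, which would reveal the USM/VACM setup.
VIEW_NO_SECURITY_TABLES = (
    MibView("VIEW-NO-SECURITY-TABLES")
    .add("included", "iso")
    .add("excluded", "usmMIB")
    .add("excluded", "vacmMIB")
)


def audit(view: MibView, oids: Iterable[str]) -> Dict[str, bool]:
    """Report, per OID, whether the view would expose it."""
    return {oid: view.allows(oid) for oid in oids}


if __name__ == "__main__":
    probes = [
        "1.3.6.1.2.1.1.5.0",            # sysName.0
        "1.3.6.1.2.1.2.2.1.2.1",        # ifDescr.1
        "1.3.6.1.6.3.15.1.2.2.1.3.1",   # an object under usmMIB
    ]
    for view in (VIEW_SYSTEM_ONLY, VIEW_NO_SECURITY_TABLES):
        print(view.name, audit(view, probes))
```

Running the script shows VIEW-SYSTEM-ONLY exposing sysName but neither the interface table nor the USM objects, while the broader view exposes the interface table and still hides the USM subtree, because the more specific excluded family overrides the included iso root.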
SNMP Version 3
SNMP Version 3 (SNMPv3) is defined by RFC3410, RFC3411, RFC3412, RFC3413, RFC3414, and RFC3415, and is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by authenticating and optionally encrypting packets over the network. Where supported, SNMPv3 can be used to add another layer of security when deploying SNMP. SNMPv3 consists of three primary configuration options, corresponding to the security levels noAuthNoPriv, authNoPriv, and authPriv:
• no authentication
This mode does not require any authentication or any encryption of SNMP packets. It offers no more protection than a community string.
• authentication
This mode requires authentication of each SNMP packet (a keyed hash over the message) without encryption; the MIB data is still readable on the wire.
• privacy
This mode requires both authentication and encryption (privacy) of each SNMP packet, and is the option to use wherever the management station supports it.
An authoritative engine ID must exist before the SNMPv3 security mechanisms (authentication, or authentication and encryption) can be used for handling SNMP packets, because the keys of every SNMPv3 user are derived from the user's password and localized with the engine ID (RFC3414). By default, the engine ID is generated locally. The engine ID can be displayed with the display snmp-agent local-engineid command as shown in this example:
#
[HP]display snmp-agent local-engineid
SNMP local EngineID: 800063A203000FE2000002
#
Note that if the engine ID is changed, the localized keys no longer match and all SNMP user accounts must be reconfigured.
The next step is to configure an SNMPv3 group. The security level given for the group is the minimum that a user in that group must present: a request arriving with a lower level is rejected. This command configures an HP Comware device for SNMPv3 with an SNMP server group AUTHGROUP and enables only authentication for this group by using the authentication keyword:
#
snmp-agent group v3 AUTHGROUP authentication
#
This command configures an HP Comware device for SNMPv3 with an SNMP server group PRIVGROUP and enables both authentication and encryption for this group by using the privacy keyword:
#
snmp-agent group v3 PRIVGROUP privacy
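The engine-ID note above is worth seeing in code. The following added example (not from the HP guide) decodes the engine ID shown in the display output into its RFC3411 fields and implements the RFC3414 password-to-key and key-localization steps that every SNMPv3 user's authentication and privacy keys go through; it checks itself against the test vector in RFC3414 Appendix A.3 and then shows that the same password yields a different localized key once the engine ID changes, which is why the user accounts must be reconfigured. The password and the second engine ID are constructed for the example.

```python
"""Added example: decode an SnmpEngineID and localize an SNMPv3 password.

RFC 3414 derives a user's key from the password *and* the authoritative
engine ID, so a new engine ID invalidates every user's stored keys.
"""
import hashlib
from typing import Dict

# RFC 3411 SnmpEngineID formats (byte 5) for "new style" IDs (top bit set).
ENGINE_ID_FORMATS = {1: "IPv4", 2: "IPv6", 3: "MAC", 4: "text", 5: "octets"}


def decode_engine_id(hex_id: str) -> Dict[str, object]:
    """Break an SnmpEngineID into enterprise number, format and body."""
    raw = bytes.fromhex(hex_id)
    if not 5 <= len(raw) <= 32:
        raise ValueError("SnmpEngineID must be 5..32 octets")
    if not raw[0] & 0x80:
        # Legacy IDs: 4-byte enterprise number followed by 8 fixed octets.
        return {"format": "legacy", "enterprise": int.from_bytes(raw[:4], "big")}
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt, body = raw[4], raw[5:]
    info: Dict[str, object] = {
        "enterprise": enterprise,
        "format": ENGINE_ID_FORMATS.get(fmt, f"enterprise-specific({fmt})"),
    }
    if fmt == 3 and len(body) == 6:
        info["mac"] = ":".join(f"{b:02x}" for b in body)
    else:
        info["body"] = body.hex()
    return info


def password_to_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: password -> Ku, then localize Ku to one engine."""
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(algo)
    reps, rem = divmod(1_048_576, len(password))   # exactly 1 MiB of password
    h.update(password * reps + password[:rem])
    ku = h.digest()                                 # engine-independent key
    return hashlib.new(algo, ku + engine_id + ku).digest()   # localized key


def localized_key_hex(password: str, engine_id_hex: str, algo: str = "sha1") -> str:
    """Convenience wrapper taking the CLI's string forms."""
    return password_to_key(password.encode(), bytes.fromhex(engine_id_hex), algo).hex()


if __name__ == "__main__":
    page_engine = "800063A203000FE2000002"      # from the guide's display output
    print(decode_engine_id(page_engine))
    # RFC 3414 A.3.2 test vector: password "maplesyrup", engine 00..02 (12 octets)
    print(password_to_key(b"maplesyrup", bytes.fromhex("000000000000000000000002")).hex())
    pw = "example-auth-pass"                    # constructed for the example
    before = localized_key_hex(pw, page_engine)
    after = localized_key_hex(pw, "800063A203000FE2000003")   # engine ID changed
    print("key unchanged after engine-ID change:", before == after)
```

The engine ID on the page decodes to enterprise 25506 (the IANA number of H3C, the Comware vendor), MAC-address format, and the device's base MAC, which is what "generated locally" means in practice; an operator who re-sets the engine ID by hand, or who clones a configuration between devices, must expect every SNMPv3 user to stop authenticating until it is recreated.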