HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.2 administrator guide (5697-0 - Page 104
SNMP and Virtual Fabrics, The security level
For information on the specific commands used in these procedures, see online help or the Fabric OS Command Reference.

SNMP and Virtual Fabrics

When an SNMPv3 request arrives with a particular username, it executes in the home-Virtual Fabric. From the SNMP manager all SNMPv3 requests must have a home-Virtual Fabric that is specified in the contextName field. Whenever the home Virtual Fabric is specified, it will be converted to the corresponding switch ID and the home-Virtual Fabric will be set. If the user does not have permission for the specified home Virtual Fabric, this request fails with an error code of noAccess.

For an SNMPv3 user to have a home Virtual Fabric, a list of allowed Virtual Fabrics, an RBAC role, and the name of the SNMPv3 user should match that of the Fabric OS user in the local switch database. SNMPv3 users whose names do not match with any of the existing Fabric OS local users have a default RBAC role of admin with the SNMPv3 user access control of read/write. Their SNMPv3 user logs in with an access control of read-only. Both user types will have the default switch as their home-Virtual Fabrics.

The contextName field should have the format VF:xxx where xxx is the actual VF_ID, for example VF:1. If the contextName field is empty, the home Virtual Fabric of the local Fabric OS user with the same name shall be used. As Virtual Fabrics and Admin Domains are mutually exclusive, this field is considered as Virtual Fabrics context whenever Virtual Fabrics is enabled. You cannot specify chassis context in the contextName field.

Filtering ports

Each port can belong to only one Virtual Fabric at any time. An SNMP request coming to one Virtual Fabric is able to view only the port information of the ports belonging to that Virtual Fabric. All port attributes are filtered to allow SNMP to obtain the port information only from within the current Virtual Fabrics context.
Switch and Chassis context enforcement

All attributes are classified into two categories:
• Chassis-level attributes
• Switch-level attributes

Attributes that are specific to each Logical Switch belong to the switch category. These attributes are available in the Virtual Fabrics context and not available in the Chassis context. Attributes that are common across the Logical Switches belong to the chassis level. These attributes are accessible to users having the chassis-role permission. When a chassis table is queried the context is set to chassis context, if the user has the chassis-role permission. The context is switched back to the original context after the operation is performed.

The security level

Use the snmpConfig --set seclevel command to set the security level. You can specify no security, authentication only, authentication and privacy, or off. You need to set the security for the GET command and the SET command. For example, to configure for authentication and privacy for both commands:

    switch:admin> snmpconfig --set seclevel
    Select SNMP GET Security Level (0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [1] 2
    Select SNMP SET Security Level (0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (2..3) [2] 2
    switch:admin> snmpconfig --show seclevel
    GET security level = 2, SET level = 2
    SNMP GET Security Level: Authentication and Privacy
    SNMP SET Security Level: Authentication and Privacy

102 Configuring standard security features