SNMP security commands

access

Syntax

[no] access group group-name security-model security-model security-level security-level [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]

Context

config>system>security>snmp

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command creates an association between a user group, a security model, and the views that the user group can access. Access parameters must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2. An access group is defined by a unique combination of the group name, security model, and security level.

Access must be configured unless security is limited to SNMPv1/SNMPv2c with community strings (see the community command).

Default access group configurations cannot be modified or deleted.

To remove the user group together with its associated security models and security levels, use the no access group group-name command.

To remove a security model and security level combination from a group, use the no access group group-name security-model {snmpv1 | snmpv2c | usm} security-level {no-auth-no-privacy | auth-no-privacy | privacy} command.

Parameters

group-name

Specifies a unique group name, up to 32 characters.

security-model {snmpv1 | snmpv2c | usm}

Specifies the security model required to access the views configured in this node. A group can have multiple security models. For example, one view may only require SNMPv1/SNMPv2c access while another view may require USM (SNMPv3) access rights.

security-level {no-auth-no-privacy | auth-no-privacy | privacy}

Specifies the required authentication and privacy levels to access the views configured in this node.

security-level no-auth-no-privacy

Specifies that no authentication or privacy (encryption) is required. When configuring the user authentication, select the none option.

security-level auth-no-privacy

Specifies that authentication is required but privacy (encryption) is not required. When this option is configured, both the group and the user must be configured for authentication.

security-level privacy

Specifies that both authentication and privacy (encryption) are required. When this option is configured, both the group and the user must be configured for authentication. The user must also be configured for privacy.

context context-name

Specifies a set of SNMP objects that are associated with the context name. The context-name is treated as either a full context name string or a context name prefix depending on the keyword specified (exact or prefix).

read view-name-1

Specifies the name of the view, up to 32 characters, to read the MIB objects. This command must be configured for each view to which the group has read access.

write view-name-2

Specifies the name of the view, up to 32 characters, to configure the contents of the agent. This command must be configured for each view to which the group has write access.

notify view-name-3

Specifies the name of the view, up to 32 characters, to send a trap about MIB objects. This command must be configured for each view to which the group has notify access.

attempts

Syntax

attempts [count] [time minutes1] [lockout minutes2]

no attempts

Context

config>system>security>snmp

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures a threshold value of unsuccessful SNMP connection attempts allowed in a specified time frame. The command parameters are used to counter denial of service (DoS) attacks through SNMP.

If the threshold is exceeded, the host is locked out for the configured lockout time period.

If multiple attempts commands are entered, each new command overwrites the previously entered command.

The no form of this command resets the parameters to the default values.

Default

attempts 20 time 5 lockout 10

Parameters

count

Specifies the number of unsuccessful SNMP attempts allowed for the specified time.

Default

20

Values

1 to 64

time minutes1

Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the host is locked out.

Default

5

Values

0 to 60

lockout minutes2

Specifies the lockout period, in minutes, during which the host is not allowed to log in. When the host exceeds the attempt count within the specified time, that host is locked out from any further login attempts for the configured time period.

Default

10

Values

0 to 1440

community

Syntax

community community-string [hash | hash2] access-permissions [version SNMP-version]

no community community-string

Context

config>system>security>snmp

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables SNMP community strings for SNMPv1 and SNMPv2c access. This command is used in combination with the predefined access groups and views. To create custom access groups and views and associate them with SNMPv1 or SNMPv2c access, use the usm-community command.

When configured, this command implies a security model for SNMPv1 and SNMPv2c only. For SNMPv3 security, the access command must be configured.

The no form of this command removes a community string.

Parameters

community-string

Specifies the SNMPv1 / SNMPv2c community string.

Values

hash, hash2

access-permissions

Specifies the access permissions.

  • r — Grants only read access to objects in the MIB, except security objects.

  • rw — Grants read and write access to all objects in the MIB, except security.

  • rwa — Grants read and write access to all objects in the MIB, including security.

  • vpls-mgmt — Assigns a unique SNMP community string to the management virtual router.

version {v1 | v2c | both}

Specifies the scope of the community string for SNMPv1, SNMPv2c, or both SNMPv1 and SNMPv2c access.

Default

both

mask

Syntax

mask mask-value [type {included | excluded}]

no mask

Context

config>system>security>snmp>view

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

The mask value and mask type, along with the oid-value configured in the view command, determines the access of each sub-identifier of an object identifier (MIB subtree) in the view.

Each bit in the mask corresponds to a sub-identifier position; for example, the most significant bit for the first sub-identifier, the next most significant bit for the second sub-identifier, and so on. A sub-identifier whose mask bit is set to 1 is included or excluded according to the mask type.

For example, the MIB subtree that represents MIB-II is 1.3.6.1.2.1. The mask that catches all MIB-II would be 0xfc or 0b11111100.

Only a single mask may be configured per view and OID value combination. If more than one entry is configured, each subsequent entry overwrites the previous entry.

Per RFC 2575, View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), each MIB view is defined by two sets of view subtrees: the included view subtrees and the excluded view subtrees. Every view subtree, both included and excluded, is defined in this table. To determine whether a particular object instance is in a particular MIB view, compare the OID with each of the active MIB view entries in this table. If none match, the object instance is not in the MIB view. If one or more match, the object instance is included in, or excluded from, the MIB view according to the value of vacmViewTreeFamilyType in the entry whose value of vacmViewTreeFamilySubtree has the most sub-identifiers.

The no form of this command removes the mask from the configuration.

Parameters

mask-value

The mask value associated with the OID value determines whether the sub-identifiers are included or excluded from the view. (Default: all 1s)

The mask can be entered either

  • in hex; for example, 0xfc

  • in binary; for example, 0b11111100

Note:

If the number of bits in the bit mask is less than the number of sub-identifiers in the MIB subtree, the mask is extended with ones until the mask length matches the number of sub-identifiers in the MIB subtree.

type {included | excluded}

Specifies whether to include or exclude MIB subtree objects.

Included means that all MIB subtree objects that are identified with a 1 in the mask are available in the view.

Excluded means that all MIB subtree objects that are identified with a 1 in the mask are denied access in the view.

Default

included
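The following is an added worked example, not code from the 7210 SAS documentation or from Nokia: it implements the mask and view-selection rules described above for the mask command (MSB-first mask bits, short masks extended with ones, and the RFC 2575 longest-subtree decision) so the effect of a given view can be checked offline. The view entries, OIDs and helper names (parse_mask, in_view, DEMO_VIEW) are constructed for illustration.

```python
from dataclasses import dataclass

def parse_oid(text):
    return tuple(int(x) for x in text.strip(".").split("."))

def parse_mask(mask, n_subids):
    """Expand a CLI-style mask ('0xfc' or '0b11111100'; None = default, all 1s) into
    one bit per sub-identifier, MSB first. A mask shorter than the subtree is
    extended with ones, as the mask command describes."""
    if mask is None:
        bits = ""
    elif mask.startswith("0x"):
        bits = bin(int(mask[2:], 16))[2:].zfill(len(mask[2:]) * 4)
    elif mask.startswith("0b"):
        bits = mask[2:]
    else:
        raise ValueError("mask must be given as 0x... or 0b...")
    bits = bits[:n_subids]
    return bits + "1" * (n_subids - len(bits))

@dataclass(frozen=True)
class Subtree:
    oid: tuple      # subtree oid-value from the view command
    mask: object    # mask-value as typed on the CLI, or None for the default
    included: bool  # type included (True) or excluded (False)

def matches(oid, entry):
    """A 1 bit demands equality at that position; a 0 bit is a wildcard."""
    if len(oid) < len(entry.oid):
        return False
    bits = parse_mask(entry.mask, len(entry.oid))
    return all(b == "0" or a == s for b, a, s in zip(bits, oid, entry.oid))

def in_view(view, oid_text):
    """RFC 2575 rule: the matching entry with the most sub-identifiers decides
    (ties go to the lexicographically greatest subtree); no match = not visible."""
    oid = parse_oid(oid_text)
    hits = [e for e in view if matches(oid, e)]
    if not hits:
        return False
    best = max(hits, key=lambda e: (len(e.oid), e.oid))
    return best.included

# Constructed view: MIB-II readable, the interfaces group hidden, except every
# ifTable column for ifIndex 3 (the 0 bit wildcards the column sub-identifier).
DEMO_VIEW = [
    Subtree(parse_oid("1.3.6.1.2.1"), "0xfc", True),
    Subtree(parse_oid("1.3.6.1.2.1.2"), None, False),
    Subtree(parse_oid("1.3.6.1.2.1.2.2.1.0.3"), "0b11111111101", True),
]
```

Because the longest matching subtree wins, the narrow 11-sub-identifier include entry re-exposes only interface 3 inside the otherwise excluded interfaces group.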

snmp

Syntax

snmp

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure SNMPv1, SNMPv2, and SNMPv3 parameters.

usm-community

Syntax

usm-community community-string [hash | hash2] group group-name

no usm-community community-string [hash | hash2]

Context

config>system>security>snmp

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command is used to associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group.

The Nokia implementation of SNMP uses SNMPv3. To implement SNMPv1 and SNMPv2c configurations, several access groups are predefined. To implement SNMP with security features (Version 3), security models, security levels, and USM communities must be explicitly configured. Optionally, additional views that specify more specific OIDs (MIB objects in the subtree) can be configured.

The no form of this command removes a community string.

Parameters

community-string

Specifies the SNMPv1/SNMPv2c community string to determine the SNMPv3 access permissions to be used.

Values

hash, hash2

group

Specifies the group that governs the access rights of this community string. This group must first be configured in the config>system>security>snmp>access group context.

view

Syntax

view view-name subtree oid-value

no view view-name [subtree oid-value]

Context

config>system>security>snmp

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures a view. Views control the accessibility of a MIB object within the configured MIB view and subtree. OIDs uniquely identify MIB objects in the subtree. OIDs are organized hierarchically with specific values assigned by different organizations.

When the subtree (OID) is identified, a mask can be created to select the portions of the subtree to be included or excluded for access using this particular view. See the mask command for more information. The views configured with this command can subsequently be referenced by the read, write, and notify parameters of the access command, which assign the views to a particular access group with the corresponding permissions.

Multiple subtrees can be added or removed from a view name to tailor a view to the requirements of the user access group.

The no view view-name command removes a view and all subtrees.

The no view view-name subtree oid-value command removes a subtree from the view name.

Parameters

view-name

Specifies a view name up to 32 characters.

oid-value

Specifies the OID value for the view-name. This value, for example, 1.3.6.1.6.3.11.2.1, combined with the mask and include and exclude statements, configures the access available in the view.

It is possible to have a view with different subtrees with their own masks and include and exclude statements. This allows for customizing visibility and write capabilities to specific user requirements.