Configuring Access Control for the VACM
To configure the access control for the view-based access control model (VACM):
See Associating Security Names with a Community.
See Defining Named Views.
See Defining Access Privileges for an SNMP Group.
See Assigning Security Names to Groups.
Associating Security Names with a Community
For SNMPv1 or SNMPv2c packets, you must assign security names to groups at the [edit snmp v3 vacm security-to-group] hierarchy level, and you must associate a security name with an SNMP community. Use the following configuration statements to configure SNMPv1 or SNMPv2c communities for the VACM:
snmp v3 snmp-community community-index {
    community-name community-name;
    security-name security-name;
    address address;
}
- From configuration mode, access the configuration statement that configures the community. The community index is a unique index that identifies an SNMP community.
[edit]
user@host# edit snmp v3 snmp-community community-index
- (Optional) Specify the community string for the SNMPv1 or SNMPv2c community. If a community name is not specified, the community index is used.
[edit snmp v3 snmp-community community-index]
user@host# set community-name community-name
- Specify the VACM security name to associate with the community string.
[edit snmp v3 snmp-community community-index]
user@host# set security-name security-name
- (Optional) Specify the IP address or subnet of the SNMP clients that are authorized to use this community. If an address is not specified, all clients are authorized to use the community.
[edit snmp v3 snmp-community community-index]
user@host# set address address
Defining Named Views
Use the following configuration statements to define named views:
snmp view view-name {
    oid oid {
        (include | exclude);
    }
}
- From configuration mode, access the configuration statement that configures the named views. The view name identifies a group of MIB objects for which to define access.
[edit]
user@host# edit snmp view view-name
- Specify the object identifier (OID) that represents a subtree of MIB objects for the view and whether the OID is included in or excluded from the view.
To include the OID in the view:
[edit snmp view view-name]
user@host# set oid oid include
To exclude the OID from the view:
[edit snmp view view-name]
user@host# set oid oid exclude
Defining Access Privileges for an SNMP Group
Use the following configuration statements to define access privileges for SNMP groups:
snmp v3 vacm access group group-name {
    default-context-prefix security-model (any | v1 | v2c | usm) {
        security-level (authentication | none | privacy) {
            read-view read-view;
            write-view write-view;
        }
    }
}
To configure MIB views with a group for the VACM:
- From configuration mode, access the configuration statement that configures the VACM group. The group name is the name for a collection of SNMP security names that belong to the same SNMP access policy.
[edit]
user@host# edit snmp v3 vacm access group group-name
- Specify the security model for access privileges.
[edit snmp v3 vacm access group group-name]
user@host# set default-context-prefix security-model (any|v1|v2c|usm)
To specify any security model:
user@host# set default-context-prefix security-model any
To specify the SNMPv1 security model:
user@host# set default-context-prefix security-model v1
To specify the SNMPv2c security model:
user@host# set default-context-prefix security-model v2c
To specify the SNMPv3 user-based security model (USM):
user@host# set default-context-prefix security-model usm
- Specify the security level for access privileges.
[edit snmp v3 vacm access group group-name]
user@host# set default-context-prefix security-model (any|v1|v2c|usm) security-level (authentication|none|privacy)
To specify a security level that provides authentication but no encryption:
user@host# set default-context-prefix security-model (any|v1|v2c|usm) security-level authentication
To specify a security level that provides no authentication and no encryption:
user@host# set default-context-prefix security-model (any|v1|v2c|usm) security-level none
For SNMPv1 or SNMPv2c access, specify none as the security level.
To specify a security level that provides authentication and encryption:
user@host# set default-context-prefix security-model (any|v1|v2c|usm) security-level privacy
- (Optional) Specify the view used for SNMP read access. You must specify at least one of the read-view and write-view options.
[edit snmp v3 vacm access group group-name default-context-prefix security-model (any|v1|v2c|usm) security-level (authentication|none|privacy)]
user@host# set read-view read-view
- (Optional) Specify the view used for SNMP write access. You must specify at least one of the read-view and write-view options.
[edit snmp v3 vacm access group group-name default-context-prefix security-model (any|v1|v2c|usm) security-level (authentication|none|privacy)]
user@host# set write-view write-view
Assigning Security Names to Groups
For SNMPv1 or SNMPv2c packets, you must assign security names to groups, and you must associate a security name with an SNMP community at the [edit snmp v3 snmp-community community-index] hierarchy level. Use the following configuration statements to assign security names to groups:
snmp v3 vacm security-to-group security-model (v1 | v2c | usm) {
    security-name security-name {
        group-name group-name;
    }
}
To map security names to groups for the VACM:
- From configuration mode, access the configuration statement that configures the security model for a group.
user@host# edit snmp v3 vacm security-to-group security-model (v1|v2c|usm)
To specify the SNMPv1 security model:
user@host# edit snmp v3 vacm security-to-group security-model v1
To specify the SNMPv2c security model:
user@host# edit snmp v3 vacm security-to-group security-model v2c
To specify the SNMPv3 user-based security model (USM):
user@host# edit snmp v3 vacm security-to-group security-model usm
- Specify the security name. If the security model is USM, the security name is the username configured at the [edit snmp v3 usm local-engine user] hierarchy level.
user@host# edit snmp v3 vacm security-to-group security-model (v1|v2c|usm) security-name security-name
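As an added example (not part of the Junos documentation and not device code), the following Python models the four statement groups configured above, community, security-to-group, access group and named view, and walks one SNMPv2c request through them to show why a given OID is permitted or refused. The view, group and community names, the OIDs and the 10.0.0.0/24 client subnet are constructed sample values, and the rule that the longest matching subtree entry decides include versus exclude is assumed from RFC 3415.

```python
import ipaddress

# Constructed sample mirroring this page's four statement groups (not a device export).
VIEWS = {  # [edit snmp view view-name] oid ... include | exclude
    "system-only": [("1.3.6.1.2.1.1", "include"), ("1.3.6.1.2.1.1.6", "exclude")],
}
COMMUNITIES = {  # [edit snmp v3 snmp-community community-index]
    "mon-ro": {"community-name": "monitor-ro", "security-name": "monitor",
               "address": "10.0.0.0/24"},  # no address => any client is authorized
}
SECURITY_TO_GROUP = {  # [edit snmp v3 vacm security-to-group security-model ...]
    ("v2c", "monitor"): "ro-group",
}
ACCESS = {  # [edit snmp v3 vacm access group ...]; v1/v2c use security-level none
    ("ro-group", "v2c", "none"): {"read-view": "system-only"},
}

def view_permits(view_name, oid):
    """Assumed RFC 3415 rule: the longest subtree entry matching the OID decides."""
    best = None
    for subtree, action in VIEWS.get(view_name, []):
        if oid == subtree or oid.startswith(subtree + "."):
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, action)
    return best is not None and best[1] == "include"

def check_access(community_string, client_ip, oid, op="read", model="v2c"):
    """Walk community -> security name -> group -> access entry -> view (v1/v2c only)."""
    entry = next((c for idx, c in COMMUNITIES.items()
                  if c.get("community-name", idx) == community_string), None)
    if entry is None:
        return False, "unknown community"
    if "address" in entry and ipaddress.ip_address(client_ip) not in \
            ipaddress.ip_network(entry["address"]):
        return False, "client address not authorized for this community"
    group = SECURITY_TO_GROUP.get((model, entry["security-name"]))
    if group is None:
        return False, "security name is not mapped to a group"
    access = ACCESS.get((group, model, "none"))  # v1/v2c are evaluated at level none
    if access is None:
        return False, "no access entry for this group and security model"
    view = access.get(op + "-view")
    if view is None:
        return False, "no " + op + "-view configured, so " + op + " is denied"
    if not view_permits(view, oid):
        return False, "OID is outside " + op + "-view " + view
    return True, "allowed via " + op + "-view " + view
```

Omitting the address statement, or granting a write-view to a community evaluated at security-level none, widens what the community can reach; the lookup above makes each such gap visible as a changed decision.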