

Configuring Access Control for the VACM

To configure the access control for the view-based access control model (VACM):

  1. Map an SNMPv1 or SNMPv2c community name to a security name.

See Associating Security Names with a Community.

  2. Define a named view.

See Defining Named Views.

  3. Map from a group of users or communities to a view.

See Defining Access Privileges for an SNMP Group.

  4. Map a security name into a named group.

See Assigning Security Names to Groups.

Associating Security Names with a Community

For SNMPv1 or SNMPv2c packets, you must assign security names to groups at the [edit snmp v3 vacm security-to-group] hierarchy level and you must associate a security name with an SNMP community.

Use the following configuration statements to configure SNMPv1 or SNMPv2c communities for the VACM:

snmp v3 snmp-community community-index { 
    community-name community-name;
    security-name security-name;
    address address; 
}

To configure the community:

  1. From configuration mode, access the configuration statement that configures the community.

    [edit]
    user@host# edit snmp v3 snmp-community community-index

The community index is a unique index that identifies an SNMP community.

  2. (Optional) Specify the community string for the SNMPv1 or SNMPv2c community.

    [edit snmp v3 snmp-community community-index]
    user@host# set community-name community-name

If a community name is not specified, the community index is used.

  3. Specify the VACM security name to associate with the community string.

    [edit snmp v3 snmp-community community-index]
    user@host# set security-name security-name

  4. (Optional) Specify the IP address or subnet of the SNMP clients that are authorized to use this community.

    [edit snmp v3 snmp-community community-index]
    user@host# set address address

If an address is not specified, all clients are authorized to use the community.

  5. (Optional) Verify your configuration.

    [edit snmp v3 snmp-community community-index]
    user@host# show

Defining Named Views

Use the following configuration statements to define named views:

snmp view view-name ... 

snmp view view-name oid oid { 
    (include|exclude); 
}

To configure named views:

  1. From configuration mode, access the configuration statement that configures the named views.

    [edit]
    user@host# edit snmp view view-name

The view name identifies a group of MIB objects for which to define access.

  2. Specify the object identifier (OID) that represents a subtree of MIB objects for the view and whether the OID is included in or excluded from the view.

To include the OID in the view:

    [edit snmp view view-name]
    user@host# set oid oid include

To exclude the OID from the view:

    [edit snmp view view-name]
    user@host# set oid oid exclude

  3. (Optional) Verify your configuration.

    [edit snmp view view-name]
    user@host# show

Defining Access Privileges for an SNMP Group

Use the following configuration statements to define access privileges for SNMP groups:

snmp v3 vacm access group group-name ... 

snmp v3 vacm access group group-name default-context-prefix security-model 
(any|v1|v2c|usm) ... 

snmp v3 vacm access group group-name default-context-prefix security-model 
(any|v1|v2c|usm) security-level (authentication|none|privacy) { 
    read-view read-view; 
    write-view write-view; 
}

To configure MIB views with a group for the VACM:

  1. From configuration mode, access the configuration statement that configures the VACM group.

    [edit]
    user@host# edit snmp v3 vacm access group group-name

The group name is the name for a collection of SNMP security names that belong to the same SNMP access policy.

  2. Specify the security model for access privileges.

    [edit snmp v3 vacm access group group-name]
    user@host# set default-context-prefix security-model (any|v1|v2c|usm)

To specify any security model:

    user@host# set default-context-prefix security-model any

To specify the SNMPv1 security model:

    user@host# set default-context-prefix security-model v1

To specify the SNMPv2c security model:

    user@host# set default-context-prefix security-model v2c

To specify the SNMPv3 user-based security model (USM):

    user@host# set default-context-prefix security-model usm

  3. Specify the security level for access privileges.

    [edit snmp v3 vacm access group group-name]
    user@host# set default-context-prefix security-model (any|v1|v2c|usm)
    security-level (authentication|none|privacy)

To specify a security level that provides authentication but no encryption:

    user@host# set default-context-prefix security-model (any|v1|v2c|usm)
    security-level authentication

To specify a security level that provides no authentication and no encryption:

    user@host# set default-context-prefix security-model (any|v1|v2c|usm)
    security-level none

For SNMPv1 or SNMPv2c access, specify none as the security level.

To specify a security level that provides authentication and encryption:

    user@host# set default-context-prefix security-model (any|v1|v2c|usm)
    security-level privacy

  4. (Optional) Specify the view used for SNMP read access. You must specify the read-view option or the write-view option.

    [edit snmp v3 vacm access group group-name default-context-prefix security-model
    (any|v1|v2c|usm) security-level (authentication|none|privacy)]
    user@host# set read-view read-view

  5. (Optional) Specify the view used for SNMP write access. You must specify the read-view option or the write-view option.

    [edit snmp v3 vacm access group group-name default-context-prefix security-model
    (any|v1|v2c|usm) security-level (authentication|none|privacy)]
    user@host# set write-view write-view

Assigning Security Names to Groups

For SNMPv1 or SNMPv2c packets, you must assign security names to groups and you must associate a security name with an SNMP community at the [edit snmp v3 snmp-community community-index] hierarchy level.

Use the following configuration statements to assign security names to groups:

snmp v3 vacm security-to-group security-model (v1|v2c|usm) ... 

snmp v3 vacm security-to-group security-model (v1|v2c|usm) security-name 
security-name { 
    group-name group-name; 
}

To map security names to groups for the VACM:

  1. From configuration mode, access the configuration statement that configures the security model for a group.

    user@host# edit snmp v3 vacm security-to-group security-model (v1|v2c|usm)

To specify the SNMPv1 security model:

    user@host# edit snmp v3 vacm security-to-group security-model v1

To specify the SNMPv2c security model:

    user@host# edit snmp v3 vacm security-to-group security-model v2c

To specify the SNMPv3 user-based security model (USM):

    user@host# edit snmp v3 vacm security-to-group security-model usm

  2. Specify the security name.

    user@host# edit snmp v3 vacm security-to-group security-model (v1|v2c|usm)
    security-name security-name

If the security model is USM, the security name is the username configured at the [edit snmp v3 usm local-engine user] hierarchy level.

  3. Specify the group to which the security name is assigned.

    [edit snmp v3 vacm security-to-group security-model (v1|v2c|usm) security-name
    security-name]
    user@host# set group-name group-name
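
A community gets access only when all four mappings line up: community to security name, security name to group, group to access entry, and access entry to a defined view. The following Python script is an added example, not part of the original documentation; it audits a configuration written as set commands for broken chains and for communities with no address restriction. The sample configuration, every name and address in it, and the flattened set-command layout (derived from the statement hierarchies on this page) are assumptions made for the example.

```python
# Constructed sample in "set" form; every name and address is made up.
SAMPLE = """
set snmp v3 snmp-community idx1 community-name example-ro
set snmp v3 snmp-community idx1 security-name ro-sec
set snmp v3 snmp-community idx1 address 192.0.2.0/24
set snmp v3 snmp-community idx2 security-name orphan-sec
set snmp view sys-view oid 1.3.6.1.2.1.1 include
set snmp v3 vacm access group ro-group default-context-prefix security-model v2c security-level none read-view sys-view
set snmp v3 vacm security-to-group security-model v2c security-name ro-sec group-name ro-group
"""

def parse(text):
    """Collect communities, view names, access entries and group mappings."""
    comm, views, access, s2g = {}, set(), {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:4] == ["set", "snmp", "v3", "snmp-community"] and len(t) >= 7:
            comm.setdefault(t[4], {})[t[5]] = t[6]
        elif t[:3] == ["set", "snmp", "view"] and len(t) >= 4:
            views.add(t[3])
        elif t[:6] == ["set", "snmp", "v3", "vacm", "access", "group"] and len(t) >= 14:
            # key: (group, security model, security level) -> {read-view/write-view: view}
            access.setdefault((t[6], t[9], t[11]), {})[t[12]] = t[13]
        elif t[:5] == ["set", "snmp", "v3", "vacm", "security-to-group"] and len(t) >= 11:
            s2g[(t[6], t[8])] = t[10]  # (security model, security name) -> group
    return comm, views, access, s2g

def audit(text):
    """Return findings for community -> security name -> group -> view chains."""
    comm, views, access, s2g = parse(text)
    findings = []
    for idx, c in sorted(comm.items()):
        if "address" not in c:
            findings.append(f"{idx}: no address, all clients may use this community")
        sec = c.get("security-name")
        groups = sorted((m, g) for (m, s), g in s2g.items() if s == sec and m in ("v1", "v2c"))
        if not groups:
            findings.append(f"{idx}: security name {sec} is in no v1/v2c group")
        for model, group in groups:
            # v1/v2c access must be defined at security-level none
            entry = access.get((group, model, "none")) or access.get((group, "any", "none"))
            if not entry:
                findings.append(f"{idx}: group {group} has no {model} access at level none")
                continue
            findings += [f"{idx}: {k} {v} is not a defined view"
                         for k, v in sorted(entry.items()) if v not in views]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

In the sample, idx1 passes every check, while idx2 is reported twice: it has no address statement and its security name is not assigned to any group.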
    
    
    
