HP ProCurve 9304M Security Manual page 161

NOTE: Since the current implementation of SNMP version 3 does not support Notification, remote engine IDs
cannot be configured at this time.
The <hex-string> variable consists of 11 octets, entered as hexadecimal values. There are two hexadecimal
characters in each octet. There should be an even number of hexadecimal characters in an engine ID.
The default engine ID has a maximum of 11 octets:
Octets 1 through 4 represent the agent's SNMP management private enterprise number as assigned by the
Internet Assigned Numbers Authority (IANA). The most significant bit of Octet 1 is "1".
Octet 5 is always 03 in hexadecimal and indicates that the next set of values represent a MAC address.
Octets 6 through 11 form the MAC address of the lowest port in the management module.
NOTE: Engine ID must be a unique number among the various SNMP engines in the management domain.
Using the default engine ID ensures the uniqueness of the numbers.
Defining an SNMP Group
SNMP groups map SNMP users to SNMP views. For each SNMP group, you can configure a read view, a write
view, or both. Users who are mapped to a group will use its views for access control.
To configure an SNMP user group, enter a command such as the following:
ProCurveRS(config)# snmp-server group admin v3 auth read v1default write v1default
Syntax: [no] snmp-server group <groupname> v1 | v2 | v3 auth | noauth | priv [access <standard-acl-id>] [read <viewstring> | write <viewstring>]
NOTE: This command is not used for SNMP version 1 and SNMP version 2. In these versions, groups and
group views are created internally using community strings. (See "Establishing SNMP Community Strings" on
page 10-1.) When a community string is created, two groups are created, based on the community string name.
One group is for SNMP version 1 packets, while the other is for SNMP version 2 packets.
The group <groupname> parameter defines the name of the SNMP group to be created.
The v1, v2, or v3 parameter indicates which version of SNMP is used. In most cases, you will be using v3, since
groups are automatically created in SNMP versions 1 and 2 from community strings.
The auth | noauth parameter determines whether or not authentication will be required to access the supported
views. If auth is selected, then only authenticated packets are allowed to access the view specified for the user
group. Selecting noauth means that no authentication is required to access the specified view. Selecting priv
means that an authentication password will be required from the users.
The access <standard-acl-id> parameter is optional. It allows incoming SNMP packets to be filtered based on the
standard ACL attached to the group.
The read <viewstring> | write <viewstring> parameter is optional. It indicates that users who belong to this group
have either read or write access to the MIB.
The <viewstring> variable is the name of the view to which the SNMP group members have access. If no view is
specified, then the group has no access to the MIB.
The value of <viewstring> is defined using the snmp-server view command. The SNMP agent comes with the
"v1default" view, the default view that provides access to the entire MIB; however, it must be specified when
creating the group. The "v1default" view also allows SNMP version 3 to be backward compatible with SNMP
version 1 and version 2.
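As an added example (not from the HP manual), the Python below parses snmp-server group lines according to the syntax above and flags the settings that the parameter descriptions mark as permissive. The finding rules, the function names, and every sample group other than admin are assumptions of this example.

```python
import re

# Grammar follows the Syntax line above; the findings are this example's policy.
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) (?P<ver>v1|v2|v3) "
    r"(?P<sec>auth|noauth|priv)(?: access (?P<acl>\S+))?"
    r"(?P<views>(?: (?:read|write) \S+)*)\s*$"
)

def parse_group(line):
    """Parse one 'snmp-server group' line; return a dict, or None if no match."""
    line = re.sub(r"^\S+\(config\)#\s*", "", line.strip())  # drop a CLI prompt
    m = GROUP_RE.match(line)
    if not m:
        return None
    views = dict(re.findall(r"(read|write) (\S+)", m.group("views")))
    return {"name": m.group("name"), "version": m.group("ver"),
            "security": m.group("sec"), "acl": m.group("acl"),
            "read": views.get("read"), "write": views.get("write")}

def audit_group(g):
    """Return review findings for one parsed group (empty list = nothing flagged)."""
    findings = []
    if g["security"] == "noauth":
        findings.append("noauth: views are reachable without authentication")
    if g["acl"] is None:
        findings.append("no access ACL: incoming SNMP packets are not filtered")
    if g["write"] == "v1default":
        findings.append("write v1default: write access to the entire MIB")
    if g["read"] is None and g["write"] is None:
        findings.append("no view: group has no access to the MIB")
    return findings

def audit_config(text):
    """Audit every 'snmp-server group' line in a configuration dump."""
    groups = filter(None, (parse_group(l) for l in text.splitlines()))
    return {g["name"]: audit_group(g) for g in groups}

# Constructed sample configuration; only the first line appears in the manual.
SAMPLE = """\
snmp-server group admin v3 auth read v1default write v1default
snmp-server group monitor v3 noauth read v1default
snmp-server group ops v3 priv access 10 read v1default
snmp-server group empty v3 auth access 10
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE).items():
        print(name, findings or ["nothing flagged"])
```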
June 2005
Securing SNMP Access
10 - 7
