HPE FlexFabric 5930 Series Network Management And Monitoring Command Reference page 160

acl ipv6 ipv6-acl-number: Specifies a basic IPv6 ACL to filter NMSs by source IPv6 address. The
ipv6-acl-number argument represents an ACL number in the range of 2000 to 2999. Only NMSs with
an IPv6 address permitted in the IPv6 ACL can use the specified username to access the SNMP
agent. If no ACL is specified, or the specified ACL does not exist, any NMS can use the specified
username to access the SNMP agent. If the specified ACL does not have any rules, no NMS in the
SNMP community can access the SNMP agent.
local: Specifies the local SNMP engine.
engineid engineid-string: Specifies an SNMP engine. The engineid-string argument represents the
engine ID and must contain an even number of hexadecimal characters, in the range of 10 to 64.
All-zero and all-F strings are invalid. After you change the local engine ID, the existing SNMPv3
users and encrypted keys become invalid, and you must reconfigure them.
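The ACL fallback and engine ID rules above can be checked before a configuration is pushed. The following is an added example, not code from HPE or from this manual. It inspects only the `acl ipv6` and engine ID parameters described on this page, and it assumes the set of existing basic IPv6 ACLs and their rule counts has been collected separately. The function names, user names and sample command lines are constructed.

```python
import re

def engineid_problem(engineid):
    """Return None if the string meets the engineid-string rules, else the reason."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", engineid):
        return "not hexadecimal"
    if len(engineid) % 2:
        return "odd number of characters"
    if not 10 <= len(engineid) <= 64:
        return "length outside 10 to 64"
    if set(engineid.upper()) in ({"0"}, {"F"}):
        return "all-zero or all-F"
    return None

def ipv6_acl_effect(command, acl_rule_counts):
    """Classify which NMSs can use the username set by one command line.

    acl_rule_counts maps each existing basic IPv6 ACL number to its rule
    count (assumed input, gathered from the device by other means).
    """
    match = re.search(r"\bacl\s+ipv6\s+(\d+)\b", command)
    if match is None:
        return "any-nms: no IPv6 ACL specified"
    number = int(match.group(1))
    if not 2000 <= number <= 2999:
        return "invalid: ACL number outside 2000 to 2999"
    if number not in acl_rule_counts:
        return "any-nms: ACL does not exist"      # fails open
    if acl_rule_counts[number] == 0:
        return "no-nms: ACL has no rules"         # fails closed
    return "filtered: only permitted source addresses"

if __name__ == "__main__":
    existing_acls = {2001: 2, 2002: 0}            # constructed sample data
    samples = [                                   # constructed command lines
        "snmp-agent usm-user v3 userA groupA",
        "snmp-agent usm-user v3 userB groupA acl ipv6 2001",
        "snmp-agent usm-user v3 userC groupA acl ipv6 2002",
        "snmp-agent usm-user v3 userD groupA acl ipv6 2005",
    ]
    for line in samples:
        print(f"{ipv6_acl_effect(line, existing_acls):45} <- {line}")
```

The two `any-nms` results are the cases to review first: a missing or mistyped ACL number leaves the username reachable from any source address.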
Usage guidelines
To send SNMPv3 informs to an NMS, you must perform the following tasks:
• Specify an IPv4 or IPv6 address for the NMS in the snmp-agent usm-user v3 command.
• Map the IPv4 or IPv6 address to the SNMP engine ID of the NMS by using the snmp-agent
  remote command.
You can use the following modes to control access to MIB objects for an SNMPv3 user:
• View-based Access Control Model—In VACM mode, you must create an SNMPv3 group
  before you assign an SNMPv3 user to the group. Otherwise, the user cannot take effect after it
  is created. An SNMP group contains one or multiple users and specifies the MIB views and
  security model for the group of users. The authentication and encryption algorithms for each
  user are specified when they are created.
• Role based access control—The RBAC mode controls access to MIB objects by assigning
  user roles to SNMP users.
  ○ An SNMP user with a predefined user role network-admin or level-15 has read and write
    access to all MIB objects.
  ○ An SNMP user with a predefined user role network-operator has read-only access to all MIB
    objects.
  ○ An SNMP user with a user role specified by the role command accesses MIB objects
    through the user role rules specified by the rule command.
In VACM mode, if you configure an SNMPv3 user multiple times, the most recent configuration takes
effect.
In RBAC mode, you can assign different user roles to an SNMPv3 user:
• If you specify only user roles but do not change any other settings, the snmp-agent usm-user
  v3 command assigns different user roles to the user. Other settings remain unchanged.
• If you specify user roles and also change other settings, the snmp-agent usm-user v3
  command assigns different user roles to the user. The most recent configuration for other
  settings takes effect.
For an NMS to access an agent:
• The RBAC mode requires the user role bound to the username to have the same access right to
  MIB objects as the NMS.
• The VACM mode requires only the access right from the NMS to MIB objects.
The RBAC mode is more secure. As a best practice, use the RBAC mode to create an SNMPv3 user.
You must create an SNMPv3 group before you assign an SNMPv3 user to the group. Otherwise, the
user cannot take effect after it is created. An SNMP group contains one or multiple users and
specifies the MIB views and security model for the group of users. The authentication and encryption
algorithms for each user are specified when they are created.