HPE FlexNetwork 7500 Series Command Reference Manual page 221

Network management and monitoring

range of 10 to 64. If you change the local engine ID, the existing SNMPv3 users and keys become
invalid. To delete an invalid username, specify the engine ID associated with the username in the
undo snmp-agent usm-user v3 command.
Usage guidelines
Only users with the network-admin, mdc-admin or level-15 user role can execute this command.
Users with other user roles cannot execute this command even if these roles are granted access to
commands of the SNMP feature or this command.
You can use either of the following modes to control SNMPv3 user access to MIB objects:
• VACM—Controls user access to MIB objects by assigning the user to an SNMP group. For the
  user to take effect, make sure the group has been created. An SNMP group contains
  one or multiple users and specifies the MIB views and security model for the users. The
  authentication and encryption algorithms for each user are specified when the user is created.
• RBAC—Controls user access to MIB objects by assigning user roles to the user. A user role
  specifies the MIB objects accessible to the user and the operations that the user can perform on
  the objects. After you create a user in RBAC mode, you can use the snmp-agent usm-user v3
  user-role command to assign more user roles to the user. You can assign a maximum of 64
  user roles to a user.
RBAC mode controls access on a per MIB object basis, and VACM mode controls access on a MIB
view basis. As a best practice to enhance MIB security, use RBAC mode.
You can execute the snmp-agent usm-user v3 command multiple times to create different SNMPv3
users in VACM mode. If you do not change the username each time, the most recent configuration
takes effect.
You can execute the snmp-agent usm-user v3 command in RBAC mode multiple times to assign
different user roles to an SNMPv3 user. The following restrictions and guidelines apply:
• If you specify only user roles but do not change any other settings each time, the snmp-agent
  usm-user v3 command assigns different user roles to the user. Other settings remain
  unchanged.
• If you specify user roles and also change other settings each time, the snmp-agent usm-user
  v3 command assigns different user roles to the user. The most recent configuration for other
  settings takes effect.
You can specify an ACL for the user and an ACL for the group to prevent illegitimate NMSs from
accessing the agent. Only the NMSs permitted by the ACLs for both the user and group can access
the SNMP agent. The following rules apply to the ACLs for the user and group:
• If you do not specify an ACL, the specified ACL does not exist, or the specified ACL does not
  have any rules, all NMSs that use the username can access the SNMP agent.
• If you have specified an ACL and the ACL has rules, only the NMSs permitted by the ACL can
  access the agent.
For more information about ACL, see ACL and QoS Configuration Guide.
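The three cases above in which an ACL does not filter anything (not specified, does not exist, has no rules) can be checked offline against a saved configuration. The following Python audit is an added example, not part of the HPE manual; it covers VACM-mode users and numbered IPv4 ACLs only, and the trailing `acl <number>` keyword, the `acl basic|advanced|number` stanza headers and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample config (not from the manual). Assumed syntax: a trailing
# "acl <number>" on snmp-agent lines and "acl basic <number>" stanzas with rules.
SAMPLE_CONFIG = """\
acl basic 2000
 rule 0 permit source 192.0.2.10 0
acl basic 2001
snmp-agent group v3 testGroup authentication acl 2000
snmp-agent group v3 openGroup authentication
snmp-agent usm-user v3 testUser testGroup cipher authentication-mode sha PLACEHOLDER acl 2000
snmp-agent usm-user v3 emptyAclUser testGroup cipher authentication-mode sha PLACEHOLDER acl 2001
snmp-agent usm-user v3 ghostAclUser openGroup cipher authentication-mode sha PLACEHOLDER acl 2999
"""

def parse_acl_rule_counts(config):
    """Map each defined ACL number to the number of rules under its stanza."""
    counts, current = {}, None
    for line in config.splitlines():
        m = re.match(r"acl (?:basic|advanced|number) (\d+)", line)
        if m:
            current, counts[m.group(1)] = m.group(1), 0
        elif current and re.match(r"\s+rule\b", line):
            counts[current] += 1
        elif not line.startswith(" "):
            current = None  # left the ACL stanza; "rule" lines elsewhere do not count
    return counts

def acl_status(line, counts):
    """Classify the ACL on an snmp-agent line; all but "filtered" admit every NMS."""
    m = re.search(r"\sacl (\d+)(?:\s|$)", line or "")
    if not m:
        return "no ACL specified"
    if m.group(1) not in counts:
        return "ACL does not exist"
    return "filtered" if counts[m.group(1)] else "ACL has no rules"

def audit_snmpv3(config):
    """Return {user: [issues]} for VACM users whose user or group ACL is not filtering."""
    counts, lines, findings = parse_acl_rule_counts(config), config.splitlines(), {}
    groups = {m.group(1): ln for ln in lines
              if (m := re.match(r"snmp-agent group v3 (\S+)", ln))}
    for ln in lines:
        m = re.match(r"snmp-agent usm-user v3 (\S+) (?!user-role\b)(\S+)", ln)
        if m:  # RBAC-mode (user-role) lines are skipped by the lookahead
            checks = (("user", ln), ("group", groups.get(m.group(2))))
            findings[m.group(1)] = [f"{s}: {acl_status(x, counts)}" for s, x in checks
                                    if acl_status(x, counts) != "filtered"]
    return {user: issues for user, issues in findings.items() if issues}
```

Calling `audit_snmpv3(SAMPLE_CONFIG)` reports `emptyAclUser` and `ghostAclUser` and omits `testUser`, whose user and group ACLs both contain rules.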
Examples
In VACM mode:
# Add user testUser to SNMPv3 group testGroup, and enable authentication for the group. Specify
authentication algorithm HMAC-SHA1 and plaintext-form authentication key 123456TESTplat&! for
the user.
<Sysname> system-view
[Sysname] snmp-agent group v3 testGroup authentication
[Sysname] snmp-agent usm-user v3 testUser testGroup simple authentication-mode sha 123456TESTplat&!
# For an NMS to access the MIB objects in the default view ViewDefault, make sure the following
configurations on the NMS are the same as the SNMP agent: