SNMP
Configuring source address checking
iMG/RG Software Reference Manual (System Configuration)
1-104
FIGURE 1-21  snmpTargetAddrTMask (continued)
This indicates that none of the bits of the source address will be compared to the value of snmpTargetAddrTAddress, and consequently an incoming SNMP request will not be rejected based on its source address.
1.6.5.3 Matching a source address in a subnet
If the high-order bits of snmpTargetAddrTMask are set to ‘1’ and the low-order bits are set to ‘0’, the mask can be used to reject an SNMP request that does not come from a particular subnet. For example, if snmpTargetAddrTMask is 255.255.255.128:0, then only the most significant 25 bits of the source address must match the most significant 25 bits of the value of snmpTargetAddrTAddress.
FIGURE 1-22  snmpTargetAddrTMask (continued)
Consider the case where the value of snmpTargetAddrTAddress is 192.147.142.35:
FIGURE 1-23  snmpTargetAddrTMask (continued)
In order not to be rejected, the source address of an incoming SNMP request must begin with 192.147.142. In the fourth byte, only the first bit will be compared to the same bit of the value of snmpTargetAddrTAddress. The remaining bits are “don’t care” cases (shown in Figure 1-24).
Figure 1-21 (snmpTargetAddrTMask = 0.0.0.0):
           decimal   binary
  byte 1       0     0000 0000
  byte 2       0     0000 0000
  byte 3       0     0000 0000
  byte 4       0     0000 0000

Figure 1-22 (snmpTargetAddrTMask = 255.255.255.128):
           decimal   binary
  byte 1     255     1111 1111
  byte 2     255     1111 1111
  byte 3     255     1111 1111
  byte 4     128     1000 0000

Figure 1-23 (snmpTargetAddrTAddress = 192.147.142.35):
           decimal   binary
  byte 1     192     1100 0000
  byte 2     147     1001 0011
  byte 3     142     1000 1110
  byte 4      35     0010 0011
FIGURE 1-24  snmpTargetAddrTMask (continued)
Therefore, to not be rejected, the source address of an incoming SNMP request must be 192.147.142.xxx, where ‘xxx’ is a value between 0 (expressed as ‘00000000’ in binary) and 127 (expressed as ‘01111111’ in binary).
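The comparison described in 1.6.5.3 and Figures 1-21 to 1-24, worked through in code. This is an added example, not code from the iMG/RG manual or its agent: it accepts a request only when every bit selected by a ‘1’ in snmpTargetAddrTMask is identical in the request’s source address and in snmpTargetAddrTAddress. It treats a snmpUDPDomain address “a.b.c.d:port” as 6 bytes (4 address bytes followed by a 2-byte port), so a port part of 0 in the mask means the port is not compared; that byte layout is an assumption of the example, as are the sample source addresses.

```python
"""Source-address checking with snmpTargetAddrTAddress and snmpTargetAddrTMask.

Added worked example; not code from the iMG/RG manual or its agent. A request
is accepted only when every bit selected by a '1' in the mask is identical in
the request's source address and in snmpTargetAddrTAddress. The 6-byte
TAddress layout (IPv4 address + 2-byte port) is an assumption of this example.
"""
import ipaddress


def parse_taddress(text: str) -> bytes:
    """Convert 'a.b.c.d:port' into 6 bytes: IPv4 address followed by the port."""
    host, sep, port = text.rpartition(":")
    if not sep:
        raise ValueError(f"expected a.b.c.d:port, got {text!r}")
    return ipaddress.IPv4Address(host).packed + int(port).to_bytes(2, "big")


def source_allowed(taddress: str, tmask: str, source: str) -> bool:
    """True if 'source' is not rejected by the mask comparison."""
    addr, mask, src = (parse_taddress(x) for x in (taddress, tmask, source))
    return all((a & m) == (s & m) for a, m, s in zip(addr, mask, src))


def allowed_range(taddress: str, tmask: str) -> tuple[str, str]:
    """Lowest and highest accepted IPv4 address for a prefix-style mask
    (high-order ones followed by zeros, e.g. 255.255.255.128)."""
    addr, mask = parse_taddress(taddress)[:4], parse_taddress(tmask)[:4]
    low = bytes(a & m for a, m in zip(addr, mask))
    high = bytes((a & m) | (~m & 0xFF) for a, m in zip(addr, mask))
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def show_bytes(label: str, taddress: str) -> str:
    """Render the four address bytes in decimal and binary, as Figures 1-21 to 1-23 do."""
    octets = parse_taddress(taddress)[:4]
    return label + ": " + "  ".join(f"{o:3d}={o:08b}" for o in octets)


if __name__ == "__main__":
    ADDR, MASK = "192.147.142.35:0", "255.255.255.128:0"   # values from the manual
    print(show_bytes("TAddress", ADDR))
    print(show_bytes("TMask   ", MASK))
    print("accepted range:", allowed_range(ADDR, MASK))
    # Constructed sample sources: the two ends of the accepted range, the first
    # rejected host of the same /24, and a host in a neighbouring subnet.
    for src in ("192.147.142.0:1024", "192.147.142.127:1024",
                "192.147.142.128:1024", "192.147.143.35:1024"):
        verdict = "accepted" if source_allowed(ADDR, MASK, src) else "rejected"
        print(f"{src:>22}  ->  {verdict}")
    # The two mask extremes used elsewhere in this section:
    print("mask 0.0.0.0 accepts 10.0.0.1:",
          source_allowed(ADDR, "0.0.0.0:0", "10.0.0.1:161"))
    print("mask 255.255.255.255 accepts .36:",
          source_allowed(ADDR, "255.255.255.255:0", "192.147.142.36:161"))
```

With the manual’s values the accepted range comes out as 192.147.142.0 to 192.147.142.127, matching the ‘xxx’ bound above; a mask of 255.255.255.255:0 (used by the configuration examples that follow) accepts exactly one host, and 0.0.0.0:0 accepts any host.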
1.6.6 Examples
This section contains examples of SNMP configuration for SNMP agent entities.
1.6.6.1 noAuthNoPriv SNMPv3 users
To authorize the receipt of SNMPv3 noAuthNoPriv Get and Set [4] requests from the user “myV3NoAuthNoPrivUser” from exactly one manager station (one IP address), add the following lines to the snmpd.cnf configuration file together with the usmUserEntry for the user “myV3NoAuthNoPrivUser”.
vacmAccessEntry myV3NoAuthNoPrivGroup - usm noAuthNoPriv exact All All - nonVolatile
vacmSecurityToGroupEntry usm myV3NoAuthNoPrivUser myV3NoAuthNoPrivGroup nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpTargetAddrEntry myV3Manager_allRequests snmpUDPDomain 192.147.142.35:0 0 0 whereValidRequestsOriginate - nonVolatile 255.255.255.255:0 2048
To relax the agent configuration so that this user can access the MIB objects from additional hosts, change the snmpTargetAddrTMask to perform wildcard matching of the source address of the incoming request message.
To relax the agent configuration so that this user can access the MIB objects from any host, change “whereValidRequestsOriginate” in the usmUserEntry to a dash (-).
usmUserEntry localSnmpID myV3NoAuthNoPrivUser usmNoAuthProtocol usmNoPrivProtocol nonVolatile - - -
[4] To authorize Get requests without authorizing Set requests, the fields “All All -” in the vacmAccessEntry should be changed to “All - -”.
Figure 1-24 (byte 4 of the comparison; ? = don’t care):
  snmpTargetAddrTMask (binary)       1000 0000
  snmpTargetAddrTAddress (binary)    0010 0011
  source address of SNMP request     0??? ????
To authorize the sending of SNMPv3 noAuthNoPriv Trap messages to a user at exactly one SNMP manager station (one IP address), add the following lines to the snmpd.cnf configuration file together with the usmUserEntry for the user “myV3NoAuthNoPrivUser”.
vacmAccessEntry myV3NoAuthNoPrivGroup - usm noAuthNoPriv exact - - All nonVolatile
vacmSecurityToGroupEntry usm myV3NoAuthNoPrivUser myV3NoAuthNoPrivGroup nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpNotifyEntry myTrap whereMyNotificationsGo trap nonVolatile
snmpTargetAddrEntry myV3Manager_noAuthNoPrivNotifications snmpUDPDomain 192.147.142.35:0 100 3 whereMyNotificationsGo myV3NoAuthNoPrivParams nonVolatile 1.2.3.4:0 2048
snmpTargetParamsEntry myV3NoAuthNoPrivParams 3 usm myV3NoAuthNoPrivUser noAuthNoPriv nonVolatile
To configure additional Trap destinations (additional IP addresses where the user is authorized to operate a management station), add additional snmpTargetAddrEntry entries to the snmpd.cnf configuration file.
For example, to authorize 192.147.142.111 as an additional Trap destination, add the following line to the snmpd.cnf configuration file.
snmpTargetAddrEntry anotherV3Manager_noAuthNoPrivNotifications snmpUDPDomain 192.147.142.111:0 100 3 whereMyNotificationsGo myV3NoAuthNoPrivParams nonVolatile 1.2.3.4:0 2048
1.6.7 authNoPriv SNMPv3 users
To authorize the receipt of SNMPv3 authNoPriv Get and Set [5] requests from the user “myV3AuthNoPrivUser” from exactly one manager station (one IP address), add the following lines to the snmpd.cnf configuration file together with the usmUserEntry for the user “myV3AuthNoPrivUser”.
vacmAccessEntry myV3AuthNoPrivGroup - usm authNoPriv exact All All - nonVolatile
vacmSecurityToGroupEntry usm myV3AuthNoPrivUser myV3AuthNoPrivGroup nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpTargetAddrEntry myV3Manager_allRequests snmpUDPDomain 192.147.142.35:0 0 0 whereValidRequestsOriginate - nonVolatile 255.255.255.255:0 2048
[5] To authorize Get requests without authorizing Set requests, the fields “All All -” in the vacmAccessEntry should be changed to “All - -”.
To relax the agent configuration so that this user can access the MIB objects from additional hosts, change the snmpTargetAddrTMask to perform wildcard matching of the source address of the incoming request message.
To relax the agent configuration so that this user can access the MIB objects from any host, change “whereValidRequestsOriginate” in the usmUserEntry to a dash (-).
To authorize the sending of SNMPv3 authNoPriv Trap messages to a user at exactly one SNMP manager station (one IP address), add the following lines to the snmpd.cnf configuration file together with the usmUserEntry for the user “myV3AuthNoPrivUser”.
vacmAccessEntry myV3AuthNoPrivGroup - usm authNoPriv exact - - All nonVolatile
vacmSecurityToGroupEntry usm myV3AuthNoPrivUser myV3AuthNoPrivGroup nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpNotifyEntry myTrap whereMyNotificationsGo trap nonVolatile
snmpTargetAddrEntry myV3Manager_authNoPrivNotifications snmpUDPDomain 192.147.142.35:0 100 3 whereMyNotificationsGo myV3AuthNoPrivParams nonVolatile 1.2.3.4:0 2048
snmpTargetParamsEntry myV3AuthNoPrivParams 3 usm myV3AuthNoPrivUser authNoPriv nonVolatile
To configure additional Trap destinations (additional IP addresses where the user is authorized to operate a management station), add additional snmpTargetAddrEntry entries to the snmpd.cnf configuration file. For example, to authorize 192.147.142.111 as an additional Trap destination, add the following line to the snmpd.cnf configuration file.
snmpTargetAddrEntry anotherV3Manager_authNoPrivNotifications snmpUDPDomain 192.147.142.111:0 100 3 whereMyNotificationsGo myV3AuthNoPrivParams nonVolatile 1.2.3.4:0 2048
1.6.8 Additional configuration for SNMPv3 agent entities
1.6.8.1 Configuring context names
A context is a collection of MIB objects. An SNMP entity can potentially provide access to many contexts, and a particular MIB object instance can exist in multiple contexts. A context is often associated with a particular physical or logical device, so a context name is an identifier that distinguishes MIB object instances for one device from MIB object instances for another device.
When a management request is sent to an SNMP agent, the context name which appears in the SNMPv3 message (or which is derived from the SNMPv1 or SNMPv2c message) must exist in the agent, or the command responder application will return a noSuchContext error.
The configuration of context names is static and must be performed before the SNMP agent is launched for the first time.
To configure a context name, add a vacmContextEntry line to the snmpd.cnf file according to the following syntax:
vacmContextEntry <vacmContextName>
vacmContextName is a human readable string representing the name of a context to be supported by this configuration.
Note: The default context is always supported by an SNMPv3 agent.
1.6.9 Additional configuration for SNMPv1 and SNMPv2 agent entities
This section describes SNMP configuration that is required for SNMP entities that support SNMPv1 and/or SNMPv2c in addition to SNMPv3.
1.6.9.1 Configuring communities
Configuration of at least one community string must be provided for an SNMP engine to send or receive SNMPv1 or SNMPv2c messages. To configure an SNMPv1 or SNMPv2c community, add an snmpCommunityEntry line to the snmpd.cnf file according to the following syntax:
snmpCommunityEntry <snmpCommunityIndex> <snmpCommunityName> <snmpCommunitySecurityName> <snmpCommunityContextEngineID> <snmpCommunityContextName> <snmpCommunityTransportTag> <snmpCommunityStorageType>
snmpCommunityIndex is a human readable string which is an arbitrary index. The value of this field is unimportant, other than that it must be unique among the values of this field in other snmpCommunityEntry entries.
snmpCommunityName is the community string, which may be a human readable string or a hexadecimal representation containing unprintable characters. For example, if the community string was the word “public” with an unprintable ‘bell’ character (ASCII code 7) at the end, then the value of this field would be 70:75:62:6c:69:63:07 (the ASCII codes for ‘p’, ‘u’, ‘b’, ‘l’, ‘i’, ‘c’, and ‘bell’).
snmpCommunitySecurityName is a human readable string which identifies the security name for this community string. This string should appear in at least one vacmSecurityToGroupEntry to assign the community string (principal) to an access control group.
snmpCommunityContextEngineID is an OctetString, usually “localSnmpID”.
snmpCommunityContextName is the SNMPv3 context implied by the community string. A dash (-) in this field represents the default context.
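An offline audit of the entry types used in 1.6.6, 1.6.7 and 1.6.9.1, added here as an example; it is not code from the iMG/RG manual or from its SNMP agent. It parses snmpd.cnf lines, resolves each USM user or community through vacmSecurityToGroupEntry to its vacmAccessEntry, reports the security level, read and write permission and the hosts requests are accepted from, and decodes the colon-separated hexadecimal form of snmpCommunityName. Field positions follow the column order of the manual’s examples; that order, the snmpv1/snmpv2c security-model names, the reading of a dash in snmpCommunityTransportTag as “no source restriction” (by analogy with the usmUserEntry tag), and the sample file itself are assumptions of this example.

```python
"""Offline audit of the access-control entries of an snmpd.cnf file.

Added example; not code from the iMG/RG manual or its SNMP agent. Field
positions follow the column order of the manual's examples (assumption).
"""
import re

# Constructed sample: the manual's entries joined onto one line each, plus a
# second user that keeps the whereValidRequestsOriginate tag and one community.
# The authNoPriv user's protocol and key tokens are placeholders, not manual values.
SAMPLE_CNF = """
vacmAccessEntry myV3NoAuthNoPrivGroup - usm noAuthNoPriv exact All All - nonVolatile
vacmAccessEntry myV3AuthNoPrivGroup - usm authNoPriv exact All - - nonVolatile
vacmSecurityToGroupEntry usm myV3NoAuthNoPrivUser myV3NoAuthNoPrivGroup nonVolatile
vacmSecurityToGroupEntry usm myV3AuthNoPrivUser myV3AuthNoPrivGroup nonVolatile
vacmSecurityToGroupEntry snmpv2c publicUser myV3NoAuthNoPrivGroup nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpTargetAddrEntry myV3Manager_allRequests snmpUDPDomain 192.147.142.35:0 0 0 whereValidRequestsOriginate - nonVolatile 255.255.255.255:0 2048
usmUserEntry localSnmpID myV3NoAuthNoPrivUser usmNoAuthProtocol usmNoPrivProtocol nonVolatile - - -
usmUserEntry localSnmpID myV3AuthNoPrivUser usmHMACMD5AuthProtocol usmNoPrivProtocol nonVolatile whereValidRequestsOriginate AUTHKEY-PLACEHOLDER -
snmpCommunityEntry c0001 70:75:62:6c:69:63:07 publicUser localSnmpID - - nonVolatile
"""

HEX_FORM = re.compile(r"^(?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}$")


def parse_cnf(text: str) -> dict[str, list[list[str]]]:
    """Group whitespace-separated entries by their leading keyword."""
    entries: dict[str, list[list[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, *fields = line.split()
            entries.setdefault(kind, []).append(fields)
    return entries


def decode_community(value: str) -> bytes:
    """snmpCommunityName is plain text, or colon-separated hex when it holds unprintable bytes."""
    if HEX_FORM.match(value):
        return bytes(int(h, 16) for h in value.split(":"))
    return value.encode("ascii")


def encode_community(raw: bytes) -> str:
    """Inverse of decode_community: hex form as soon as one byte is not printable ASCII."""
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return ":".join(f"{b:02x}" for b in raw)


def sources_for_tag(entries, tag: str) -> list[str]:
    # snmpTargetAddrEntry: name domain tAddress timeout retries tagList params storage tMask mms
    return [f"{f[2]} mask {f[8]}" for f in entries.get("snmpTargetAddrEntry", []) if f[5] == tag]


def describe(entries, models: tuple, name: str, tag: str) -> dict:
    """Resolve principal -> group -> access, and tag -> accepted sources."""
    # vacmSecurityToGroupEntry: model securityName group storage
    groups = {(f[0], f[1]): f[2] for f in entries.get("vacmSecurityToGroupEntry", [])}
    # vacmAccessEntry: group prefix model level match readView writeView notifyView storage
    access = {f[0]: (f[3], f[5], f[6]) for f in entries.get("vacmAccessEntry", [])}
    group = next((groups[(m, name)] for m in models if (m, name) in groups), None)
    level, read_view, write_view = access.get(group, ("-", "-", "-"))
    if tag == "-":
        sources = ["any host"]          # a dash in the tag field removes the source check
    else:
        sources = sources_for_tag(entries, tag) or [f"tag {tag} matches no snmpTargetAddrEntry"]
    return {"principal": name, "group": group, "level": level,
            "read": read_view != "-", "write": write_view != "-", "sources": sources}


def audit(entries) -> list[dict]:
    """One finding per usmUserEntry and per snmpCommunityEntry."""
    findings = []
    for f in entries.get("usmUserEntry", []):
        # usmUserEntry: engineID user authProto privProto storage targetTag authKey privKey
        findings.append(describe(entries, ("usm",), f[1], f[5]))
    for f in entries.get("snmpCommunityEntry", []):
        # snmpCommunityEntry: index name securityName contextEngineID contextName transportTag storage
        finding = describe(entries, ("snmpv1", "snmpv2c"), f[2], f[5])
        finding["community"] = decode_community(f[1])
        findings.append(finding)
    return findings


def writable_from_anywhere(findings) -> list[str]:
    """Principals that may issue Set requests with no source-address restriction."""
    return [f["principal"] for f in findings if f["write"] and f["sources"] == ["any host"]]


if __name__ == "__main__":
    found = audit(parse_cnf(SAMPLE_CNF))
    for finding in found:
        print(finding)
    print("Set allowed from any host:", writable_from_anywhere(found))
```

Run against the sample, the audit reports the relaxed noAuthNoPriv user (tag replaced by a dash, write view All) and the community bound to the same group as writable from any host, while the authNoPriv user is read-only and limited to 192.147.142.35:0 with mask 255.255.255.255:0; the community 70:75:62:6c:69:63:07 decodes to “public” followed by the bell character, as the text describes.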