configure snmp access-profile
Configures SNMP to use an ACL policy or ACL rule for access control.
|access_profile||Specifies an ACL policy.|
|readonly||Specifies that access granted by the specified policy is read only.|
|readwrite||Specifies that access granted by the specified policy is read/write.|
|add||Specifies that an ACL rule is to be added to the SNMP application.|
|rule||Specifies an ACL rule.|
|first||Specifies that the new rule is to be added before all other rules.|
|before||Specifies that the new rule is to be added before a previous rule.|
|after||Specifies that the new rule is to be added after a previous rule.|
|previous_rule||Specifies an existing rule in the application.|
|delete||Specifies that the named rule is to be deleted.|
|none||Specifies that all the rules or a policy file is to be deleted.|
SNMP access is enabled by default, with no ACL policies.
You must be logged in as administrator to configure SNMP parameters. You can restrict SNMP access in the following ways:
- Implement an ACL policy. You create an ACL policy file that
permits or denies a specific list of IP addresses and subnet masks for SNMP. You
must create the ACL policy file before you can use this command. If the ACL
policy file does not exist on the switch, the switch returns an error message
indicating that the file does not exist.
In the ACL policy file for SNMP, the source-address field is the only supported match condition. Any other match conditions are ignored.
Use the none option to remove a previously configured ACL policy.
- Add an ACL rule to the SNMP application through this
command. Once an ACL is associated with SNMP, all the packets that reach an SNMP
module are evaluated with this ACL and appropriate action (permit or deny) is
taken, as is done using policy files.
The permit or deny counters are also updated accordingly, regardless of whether the ACL is configured to add counters. To display counter statistics, use the show access-list counters process snmp command.
Only the following match conditions and actions are copied to the client memory. Others that may be in the rule are not copied.
- Source-address—IPv4 and IPv6
When adding a new rule, use the first, before, and after previous_rule parameters to position it within the existing rules.
If the SNMP traffic does not match any of the rules, the default behavior is deny.
Creating an ACL Policy File
To create an ACL policy file, use the edit policy command. For more information about creating and implementing ACL policy files, see the Policy Manager and ACLs chapters in the Switch Engine 32.2 User Guide .
If you attempt to implement a policy that does not exist, an error message similar to the following appears:
Error: Policy /config/MyAccessProfile.pol does not exist on file system
If this occurs, make sure the policy you want to implement exists. To confirm the existence of the policies, use the ls command. If the policy does not exist, create the ACL policy file.
Viewing SNMP Information
To display the current management configuration, including SNMP access related information, whether SNMP access is enabled or disabled, and whether any ACL or rules are configured for SNMP, use the following command: show management
The following example applies the ACL policy file MyAccessProfile_2 to SNMP:
configure snmp access-profile MyAccessProfile_2
The following example applies the ACL rule DenyAccess to SNMP as the first rule in the list:
configure snmp access-profile add DenyAccess first
The following example deletes the ACL rule DenyAccess from the SNMP application:
configure snmp access-profile delete DenyAccess
To delete the use of all the ACL rules or a policy file by SNMP, use the following command:
configure snmp access-profile none
This command was first available in ExtremeXOS 11.6.
Support for individual ACL rules was added in ExtremeXOS 12.5.
This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.