User's Manual

Technical Configuration Guide for SNMP v2.0 December 2006
NORTEL External Distribution
3.2.1 Configuration Example: Blocking SNMP via an Access Policy
In this example, we will create an access policy that does not allow SNMP for any user coming
from network 172.30.x.y/16.
a) Enable access policy globally:
ERS-8606:5# config sys access-policy enable true
b) Add a new policy. In this example, since it is the first policy, we will simply create
policy 2 and name it policy2:
ERS-8606:5# config sys access-policy policy 2 create
ERS-8606:5# config sys access-policy policy 2 name policy2
c) Add network 172.30.0.0/16 to policy 2:
ERS-8606:5# config sys access-policy policy 2 network 172.30.0.0/16
d) Add read/write/all access level to policy 2:
ERS-8606:5# config sys access-policy policy 2 accesslevel rwa
e) Disable SNMP service for policy 2:
ERS-8606:5# config sys access-policy policy 2 service snmp disable
After the policy has been created, enter the following command to view policy 2:
ERS-8606:5# show sys access-policy info policy2
AccessPolicyEnable: on
Id: 2
Name: policy2
PolicyEnable: true
Mode: allow
Service: http|telnet|ssh
Precedence: 128
NetAddr: 172.30.0.0
NetMask: 255.255.0.0
TrustedHostAddr: 0.0.0.0
TrustedHostUserName: none
AccessLevel: readWriteAll
AccessStrict: false
Usage: 337
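Added example (not part of the Nortel guide): a Python check that parses saved "show sys access-policy info" output and reports every enabled allow-mode policy that still lists snmp in its Service field, which is the condition steps a) through e) are meant to remove. It assumes several policies appear as consecutive blocks that each start with an Id: line; the policy3 block and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the first block repeats fields from the policy2 output
# above; the policy3 block (snmp still listed) is invented for contrast.
SAMPLE = """\
AccessPolicyEnable: on
Id: 2
Name: policy2
PolicyEnable: true
Mode: allow
Service: http|telnet|ssh
NetAddr: 172.30.0.0
NetMask: 255.255.0.0
Id: 3
Name: policy3
PolicyEnable: true
Mode: allow
Service: http|telnet|ssh|snmp
NetAddr: 10.1.0.0
NetMask: 255.255.0.0
"""

def parse_policies(text):
    """Return (global fields, list of per-policy dicts); a new dict starts at each Id: line."""
    global_fields, policies, current = {}, [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Key: value" line
        key, value = key.strip(), value.strip()
        if key == "Id":
            current = {}
            policies.append(current)
        (global_fields if current is None else current)[key] = value
    return global_fields, policies

def snmp_listed(text):
    """Return (policies_enforced, [(name, network), ...]) for policies that list snmp."""
    global_fields, policies = parse_policies(text)
    hits = []
    for p in policies:
        services = p.get("Service", "").lower().split("|")
        if p.get("PolicyEnable") == "true" and p.get("Mode") == "allow" and "snmp" in services:
            # NetAddr/NetMask pair -> CIDR, e.g. 10.1.0.0/255.255.0.0 -> 10.1.0.0/16
            net = ipaddress.ip_network(f"{p['NetAddr']}/{p['NetMask']}")
            hits.append((p["Name"], str(net)))
    return global_fields.get("AccessPolicyEnable") == "on", hits

if __name__ == "__main__":
    print(snmp_listed(SAMPLE))
```

A False first element means access policies are not enabled globally (step a), so the per-policy Service settings should not be relied on.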
3.3 SNMP Group Access Policy – Release 3.7.9, 4.1 or higher
In release 3.7.9 or 4.1, a new policy enhancement was added that allows the administrator to
specify a group or groups for SNMPv3 access. With SNMPv3, the community name is not
mapped to an access level; access is determined only through VACM. This allows the
administrator to create separate policies for SNMP users based on USM or community and
associate them with groups.
The following items were added (highlighted in red below).
ERS-8610:5# config sys access-policy policy 1 ?