Tip: Creating a SNMP OID restriction for temperature readings

[Forrequi]

Hi,

Today I've a little challenge on my network: configure a permission to a specific IP for read the temperature of two ERS8600. This specific host don't become part of my management network, so I can't use the same snmp read community. I don't like to free everthing on the core to be read, so I start to liberate only the specific OID (temperature of chassis) on my two ERS8600, and only for the specific IP of the host, with a new read community.

After some study on Nortel documentation (2008_04_04_SNMP_on_ERS_8600_TCG_NN48500564.pdf) I present us my little todo for everone that needs some similar, because this document is not the mos objective guide of the world. My steps:

Step1: Create a MIB view, called "only_temp", restricted for the temperature OID:

config snmp-v3 mib-view create only_temp 1.3.6.1.4.1.2272.1.100.1.2.0 type include


View the changes:

config snmp-v3 mib-view info

Step2: Create a access group called "group_temp", with snmpv1 and v2c, no authentication, reading the "only_temp" mib-view:

config snmp-v3 group-access create group_temp "" snmpv1 noAuthNoPriv
config snmp-v3 group-access create group_temp "" snmpv2c noAuthNoPriv
config snmp-v3 group-access view group_temp "" snmpv1 noAuthNoPriv read only_temp write only_temp
config snmp-v3 group-access view group_temp "" snmpv2c noAuthNoPriv read only_temp write only_temp



View the changes:

config snmp-v3 group-access info


Step3: Create the user "user_temp" inside the group:

config snmp-v3 group-member create user_temp snmpv1 group_temp
config snmp-v3 group-member create user_temp snmpv2c group_temp


View the changes:

config snmp-v3 group-member info


Step4: Create a new community "ers8600", index "third" (the first and second alredy exist, adapt for you scenary), for the user "user_temp"

config snmp-v3 community create third ers8600 user_temp


View the changes:

config snmp-v3 community info


Step5: Create a new access-policy (policy 6 in my case) for the specific IP 10.10.10.1 (where the temperature has been monitored):

config sys access-policy policy 6 create
config sys access-policy policy 6 name policy6
config sys access-policy policy 6 accesslevel ro
config sys access-policy policy 6 network 10.10.10.1/255.255.255.255
config sys access-policy policy 6 snmp-group-add group_temp snmpv1
config sys access-policy policy 6 snmp-group-add group_temp snmpv2c
config sys access-policy policy 6 service telnet disable
config sys access-policy policy 6 service ssh disable
config sys access-policy policy 6 service tftp disable
config sys access-policy policy 6 service ftp disable
config sys access-policy policy 6 service snmpv3 enable


I hope this can help someone. Bye!

[Michael McNamara]

That's really nice work!

With your permission I'd like to re-post this to my blog, giving you full credit for the post.

Cheers!

[Forrequi]

OK, off course!

Your blog help me so much some days that is a pleasure help others too.