Configuring SNMP View Tree Family
The View Tree Family table lets you configure up to 10 View Tree Families. Each View Tree Family can be configured with view subtrees (SNMP OIDs or nodes) that allow ("included") or deny ("excluded") view access by the SNMP client (request).
Once configured, you can assign SNMP View Tree Families to Access Groups in the SNMP Access Groups table (see Configuring SNMP Access Groups). This allows you to specify the types of MIB data (view tree) that each Access Group can read, write, or notify.
This feature uses the view-based access control model (VACM), which allows you to configure SNMP MIB tree access privileges for Access Groups.
The device provides a default View Tree Family at Index #0 with the name "All". This View Tree Family includes a pre-configured View Subtree Family ("iso"), which allows (includes) access to all the device's MIBs.
If you delete the default view subtree ("iso") and configure a subtree view to exclude, the device excludes access to all MIBs. Therefore, if you delete the default subtree, configure only subtrees that you want to allow access to.
The View Tree Family table is applicable only to the advanced SNMP mode. To enable the advanced mode, see Enabling the SNMP View-based Access Control Model.
View Tree Family rules are configured using two tables with a parent-child relationship:
■ View Tree Family table (parent): Defines a name for the View Tree Family. You can configure up to 10 View Tree Family rows.
■ View Subtree Family table (child): Defines MIB subtrees per View Tree Family. You can configure up to 100 rows in total (i.e., for all View Tree Families combined).
The following procedure describes how to configure a View Tree Family through the Web interface. You can also configure it through the ini file [VacmViewTreeFamily] or the CLI (configure system > snmp settings > view-tree-family).
➢ To configure SNMP View Tree Family:
1. Open the View Tree Family table (Setup menu > Administration tab > SNMP folder > View Tree Family).
2. Click New; the following dialog box appears:
3. Configure a name for the View Tree Family according to the parameters described in the table below, and then click Apply.
4. Select the row that you added, and then click the View Subtree Family link located below the table; the View Subtree Family table appears.
5. Click New; the following dialog box appears:
6. Configure a View Subtree Family rule according to the parameters described in the table below, and then click Apply.
7. Reset the device with a burn-to-flash for your settings to take effect.
View Tree Family Table and View Subtree Family Table Parameter Descriptions

Parameter | Description
---|---
View Tree Family Table (parent table) |
'Index' [VacmViewTreeFamily_Index] | Defines an index number for the new table row. Note: Each row must be configured with a unique index.
'Name' view-name [VacmViewTreeFamily_Name] | Defines a descriptive name for the View Tree Family. The valid value is a string of characters.
View Subtree Family Table (child table) |
'Index' [VacmViewSubTreeFamily_Index] | Defines an index number for the new table row. Note: Each row must be configured with a unique index.
'Subtree' family-subtree [VacmViewSubTreeFamily_Subtree] | Defines the SNMP MIB subtree (nodes or OIDs) to be included in or excluded from the view. The valid value is a MIB OID number (e.g., 1.3.6.1.4.1.5003.9.10.10.3.1.1.5), or the string "iso" to represent the standard ISO (i.e., entire MIB tree).
'Mask' mask [VacmViewSubTreeFamily_Mask] | (Optional) Defines a mask, which is an octet string represented as a sequence of hexadecimal numbers separated by colons or spaces. Each octet is within the range 0x00 through 0xff. An empty octet string is represented with a dash (-). This means that all entries under the OID configured in the 'Subtree' parameter are visible. A mask provides finer granularity than the 'Subtree' parameter and couples with the OID subtree to make MIB view subtrees. For instance, a view can be restricted to a specific row of a table. The mask is created using octets that correspond to the OID specified in the 'Subtree' parameter, as explained in the example below. Example: Let's say you want to restrict the view of the ifTable to only the second row (all columns). The OID for ifEntry.0.2 is 1.3.6.1.2.2.1.0.2. The mask is a series of ones (1) and zeros (0) that are used for masking out parts of the tree. A zero indicates a wildcard (i.e., matches anything) and a one indicates an exact match. The below mask requires an exact match on all fields, except the table column (i.e., the 0 in ifEntry.0.2): The bits of this mask are grouped into bytes, and then the right end padded with ones if necessary to fill out the last byte. Thus, you would configure the 'Mask' parameter to the value of "ff:bf". With this configuration and all other appropriate configuration, performing a getmany on the ifTable would return:
'Type' type [VacmViewSubTreeFamily_Type] | Defines if an SNMP request is authorized to access the MIB OID specified above. Below shows various ways you can include and exclude MIB OIDs:
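
The following is an added example, not code from the device or its documentation: it builds a 'Mask' value from the sub-identifier positions to wildcard and evaluates whether an OID falls inside a view made of 'Subtree', 'Mask' and 'Type' rows, including the case where the default "iso" row is deleted and only an exclude row remains. It assumes the device applies standard VACM matching as defined in RFC 3415, and it uses the IF-MIB OID 1.3.6.1.2.1.2.2.1 for ifEntry, so ifEntry.0.2 has eleven sub-identifiers; the function names and the sample views are constructed for illustration.

```python
# Added example: VACM view matching per RFC 3415; not the device's own code.

def parse_oid(text):
    """'iso' is sub-identifier 1, the root of the whole MIB tree."""
    return (1,) if text == "iso" else tuple(int(p) for p in text.strip(".").split("."))

def build_mask(subtree, wildcards):
    """Build a 'Mask' value; wildcards holds 1-based sub-identifier positions."""
    n = len(parse_oid(subtree))
    bits = [0 if pos in wildcards else 1 for pos in range(1, n + 1)]
    bits += [1] * (-len(bits) % 8)              # pad the last byte with ones
    octets = [int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8)]
    return ":".join(f"{o:02x}" for o in octets)

def mask_bits(mask):
    """Expand 'ff:bf' or 'ff bf' into bits; '-' or '' is the empty mask."""
    if mask in ("", "-"):
        return []
    octets = [int(x, 16) for x in mask.replace(":", " ").split()]
    return [(o >> (7 - b)) & 1 for o in octets for b in range(8)]

def family_matches(oid, subtree, mask):
    """A 1 bit needs an exact match, a 0 bit is a wildcard; missing bits count as 1."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask)
    return all(oid[i] == sub or (i < len(bits) and bits[i] == 0)
               for i, sub in enumerate(subtree))

def in_view(oid_text, families):
    """The matching row with the longest subtree decides; no match means no access."""
    oid, best = parse_oid(oid_text), None
    for subtree_text, mask, vtype in families:
        subtree = parse_oid(subtree_text)
        if family_matches(oid, subtree, mask):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, vtype)
    return best is not None and best[1] == "included"

# Constructed sample views: (Subtree, Mask, Type) rows of one View Tree Family.
ROW2_ONLY = [("1.3.6.1.2.1.2.2.1.0.2", "ff:bf", "included")]
DEFAULT_MINUS_5003 = [("iso", "-", "included"),
                      ("1.3.6.1.4.1.5003", "-", "excluded")]
EXCLUDE_ONLY = [("1.3.6.1.4.1.5003", "-", "excluded")]   # default "iso" row deleted

if __name__ == "__main__":
    for name in ("1.3.6.1.2.1.2.2.1.2.2", "1.3.6.1.2.1.2.2.1.2.1", "1.3.6.1.2.1.1.1.0"):
        print(name, in_view(name, ROW2_ONLY), in_view(name, EXCLUDE_ONLY))
```

Running the same check against a planned set of rows before the reset with burn-to-flash shows whether an Access Group's view exposes more or less of the MIB tree than intended.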