Configuring Trusted Managers
The configuration of trusted managers determines which managers can access the device. You can define up to five trusted managers.
● The concept of trusted managers is a weak form of security and is therefore not a required part of SNMPv3 security, which uses authentication and privacy.
● Trusted managers are therefore not supported in SNMPv3 and apply only when the device is set to use SNMPv2c.
● If trusted managers are defined, then all community strings work from all trusted managers. That is, there is no way to associate a community string with particular trusted managers.
The configuration can be done via ini file, SNMP and Web.
■ ini file: SNMPTRUSTEDMGR_x = <IP address>, where x is the entry index 0 to 4.
■ SNMP: To configure Trusted Managers, the EM must use the SNMP-COMMUNITY-MIB, snmpCommunityMIB, and snmpTargetMIB.
  ● To add the first Trusted Manager: This procedure assumes that there is at least one configured read-write community. There are currently no Trusted Managers. The TransportTag columns of all snmpCommunityTable rows are currently empty.
    i. Add a row to the snmpTargetAddrTable with these values: Name=mgr0 TagList=MGR Params=v2cparams.
    ii. Add a row to the snmpTargetAddrExtTable table with these values: Name=mgr0 snmpTargetAddrTMask=255.255.255.255:0.
       The agent does not allow creation of a row in this table unless a corresponding row exists in the snmpTargetAddrTable.
    iii. Set the value of the TransportTag field on each non-TrapGroup row in the snmpCommunityTable to MGR.
  ● To add a subsequent Trusted Manager: This procedure assumes that there is at least one configured read-write community. There are currently one or more Trusted Managers. The TransportTag columns of all rows in the snmpCommunityTable are currently set to MGR. This procedure must be done from one of the existing Trusted Managers.
    i. Add a row to the snmpTargetAddrTable with these values: Name=mgrN, where N is an unused number between 0 and 4. TagList=MGR Params=v2cparams.
    ii. Add a row to the snmpTargetAddrExtTable table with these values: Name=mgrN snmpTargetAddrTMask=255.255.255.255:0.
    An alternative to the above procedure is to set the snmpTargetAddrTMask column while you are creating other rows in the table.
  ● To delete a Trusted Manager (not the final one): This procedure assumes that there is at least one configured read-write community. There are currently two or more Trusted Managers. The taglist columns of all rows in the snmpCommunityTable are currently set to MGR. This procedure must be done from one of the existing trusted managers, but not the one that is being deleted. Remove the appropriate row from the snmpTargetAddrTable. The change takes effect immediately. The deleted trusted manager cannot access the device. The agent automatically removes the row in the snmpTargetAddrExtTable.
  ● To delete the final Trusted Manager: This procedure assumes that there is at least one configured read-write community. There is currently only one Trusted Manager. The taglist columns of all rows in the snmpCommunityTable are currently set to MGR. This procedure must be done from the final Trusted Manager.
    i. Set the value of the TransportTag field on each row in the snmpCommunityTable to the empty string.
    ii. Remove the appropriate row from the snmpTargetAddrTable. The change takes effect immediately. All managers can now access the device. The agent automatically removes the row in the snmpTargetAddrExtTable.
■ Web interface: SNMP Trusted Managers table (Setup menu > Administration tab > SNMP folder > SNMP Trusted Managers). Click the Apply button to apply your configuration. Use the check boxes to delete entries.
(config-system)# snmp settings
(snmp)# trusted-managers
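
The following added example (not part of the original document or the vendor's code) models the source-address check that RFC 3584 defines for the TransportTag, TagList and snmpTargetAddrTMask columns used in the SNMP procedures above, assuming the device follows that RFC. The community names and IP addresses are constructed; mgr0 and MGR are the values from the procedure.

```python
import ipaddress

def taddr(ip, port=0):
    """Encode IPv4 address + UDP port as the 6 octets used by TAddress and TMask."""
    return ipaddress.IPv4Address(ip).packed + port.to_bytes(2, "big")

class Agent:
    """Simplified model of the agent's SNMPv2c source check (RFC 3584 semantics)."""
    def __init__(self, communities):
        # snmpCommunityTable: community -> TransportTag ("" disables the source check)
        self.community_tag = {name: "" for name in communities}
        # snmpTargetAddrTable + snmpTargetAddrExtTable: Name -> (TAddress, TagList, TMask)
        self.targets = {}

    def add_manager(self, name, ip, taglist="MGR", mask="255.255.255.255"):
        # Mask 255.255.255.255:0 = compare every address bit, ignore the source port
        self.targets[name] = (taddr(ip), set(taglist.split()), taddr(mask, 0))

    def set_tag(self, tag):
        # Model simplification: applied to every row (the page excludes TrapGroup rows)
        for name in self.community_tag:
            self.community_tag[name] = tag

    def allows(self, community, src_ip, src_port):
        if community not in self.community_tag:
            return False
        tag = self.community_tag[community]
        if tag == "":
            return True  # empty TransportTag: any source address is accepted
        src = taddr(src_ip, src_port)
        return any(tag in tags and
                   all((s & m) == (a & m) for s, a, m in zip(src, addr, mask))
                   for addr, tags, mask in self.targets.values())

def demo():
    agent = Agent(["ro-comm", "rw-comm"])                          # constructed names
    results = [agent.allows("rw-comm", "198.51.100.7", 40000)]     # no trusted managers
    agent.add_manager("mgr0", "192.0.2.10")                        # steps i and ii
    agent.set_tag("MGR")                                           # step iii
    results.append(agent.allows("rw-comm", "192.0.2.10", 51234))   # trusted, any port
    results.append(agent.allows("ro-comm", "192.0.2.10", 51234))   # all communities work
    results.append(agent.allows("rw-comm", "198.51.100.7", 40000)) # untrusted source
    del agent.targets["mgr0"]                # wrong order: row removed before tag cleared
    results.append(agent.allows("rw-comm", "192.0.2.10", 51234))   # nobody matches now
    return results

if __name__ == "__main__":
    print(demo())
```

The last result shows why the final-manager procedure clears TransportTag before removing the row: with the tag still set to MGR and no matching row, no manager passes the check.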