
Enabling snmp monitoring – Amer Networks E5Web GUI User Manual


Network - The IP address or network from which SNMP requests will come.

Community - The community string, which acts as the password for SNMP access.

The Community String

Security for SNMP Versions 1 and 2c is handled by the Community String which is the same as a
password for SNMP access. The Community String should be difficult to guess and should
therefore be constructed in the same way as any other password, using combinations of upper
and lower case letters along with digits.

Enabling an IP Rule for SNMP

The advanced setting SNMP Before Rules controls whether the IP rule set checks all accesses by
SNMP clients. This is by default disabled and the recommendation is to always enable this setting.

The effect of enabling this setting is to add an invisible Allow rule at the top of the IP rule set
which automatically permits accesses on port 161 from the network and on the interface
specified for SNMP access. Port 161 is usually used for SNMP and cOS Core always expects SNMP
traffic on that port.

Remote Access Encryption

It should be noted that SNMP Version 1 or 2c access means that the community string will be
sent as plain text over a network. This is clearly insecure if a remote client is communicating over
the public Internet. It is therefore advisable to have remote access take place over an encrypted
VPN tunnel or similarly secure means of communication.

Preventing SNMP Overload

The advanced setting SNMP Request Limit restricts the number of SNMP requests allowed per
second. This can help prevent attacks through SNMP overload.

Example 2.23. Enabling SNMP Monitoring

This example enables SNMP access through the internal lan interface from the network
mgmt-net using the community string Mg1RQqR.

Since the management client is on the internal network, there is no need for it to communicate
via a VPN tunnel.

Command-Line Interface

Device:/> add RemoteManagement RemoteMgmtSNMP my_snmp
        Interface=lan
        Network=mgmt-net
        SNMPGetCommunity=Mg1RQqR

Should it be necessary to enable SNMP Before Rules (which is enabled by default) then the
command is:

Device:/> set Settings RemoteMgmtSettings SNMPBeforeRules=Yes

Chapter 2: Management and Maintenance
