MIB Views
SNMPv3 defines the concept of MIB views in RFC 3415, View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP). MIB views provide an agent better control over who can access specific branches and objects within its MIB tree. A view consists of a name and a collection of SNMP object identifiers, which are either explicitly included or excluded. Once defined, a view is then assigned to an SNMPv3 group or SNMPv1/v2c community (or multiple communities), automatically masking which parts of the agent’s MIB tree members of the group or community can (or cannot) access.
Configure MIB Views
By default, an SNMP community grants read access and denies write access to all supported MIB objects (even communities configured as authorization read-write). To restrict or grant read or write access to a set of MIB objects, you must configure a MIB view and associate the view with a community.
To configure MIB views, see view (Configuring a MIB View).
To remove an OID completely, use the delete view all oid oid-number command but omit the include parameter.
[edit groups global snmp]
user@host# set view view-name oid object-identifier (include | exclude)
The following example creates a MIB view called ping-mib-view. The oid statement does not require a dot at the beginning of the object identifier. The snmp view statement includes the branch under the object identifier .1.3.6.1.2.1.80. This includes the entire DISMAN-PING-MIB subtree (as defined in RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations), which effectively permits access to any object under that branch.
[edit groups global snmp]
user@host# set view ping-mib-view oid 1.3.6.1.2.1.80 include
The following example adds a second branch in the same MIB view.
[edit groups global snmp]
user@host# set view ping-mib-view oid jnxPingMIB include
Assign a MIB view to a community that you want to control.
To associate MIB views with a community, see view (SNMP Community).
For more information about the Ping MIB, see RFC 2925 and PING MIB.
Configure Ping Proxy MIB
Restrict the ping-mib community to read and write access to the Ping MIB and jnxPingMIB only. Read or write access to any other MIB using this community is not allowed.
[edit snmp]
view ping-mib-view {
    oid 1.3.6.1.2.1.80 include; #pingMIB
    oid jnxPingMIB include; #jnxPingMIB
}
community ping-mib {
    authorization read-write;
    view ping-mib-view;
}
The following configuration prevents the no-ping-mib community from accessing Ping MIB and jnxPingMIB objects. However, this configuration does not prevent the no-ping-mib community from accessing any other MIB object that is supported on the device.
[edit snmp]
view no-ping-mib-view {
    oid 1.3.6.1.2.1.80 exclude; # deny access to pingMIB objects
    oid jnxPingMIB exclude; # deny access to jnxPingMIB objects
}
community no-ping-mib {
    authorization read-write;
    view no-ping-mib-view;
}
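A view only takes effect for a community that references it by name, so a missing or misspelled view statement is worth checking for. The script below is an added example, not part of the original page or of Junos: it parses a constructed sample in the [edit snmp] syntax shown above (the communities monitoring and legacy and the view old-view are hypothetical) and reports communities with no view, communities pointing at an undefined view, and views that no community uses.

```python
import re

# Constructed sample; "monitoring", "legacy" and "old-view" are hypothetical.
SAMPLE = """
view ping-mib-view {
    oid 1.3.6.1.2.1.80 include;  # pingMIB
}
view no-ping-mib-view {
    oid 1.3.6.1.2.1.80 exclude;
}
community ping-mib {
    authorization read-write;
    view ping-mib-view;
}
community monitoring {
    authorization read-only;
}
community legacy {
    authorization read-write;
    view old-view;
}
"""
BLOCK = re.compile(r"^\s*(view|community)\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)

def parse_snmp(text):
    """Return ({view: [(oid, action)]}, {community: {statement: value}})."""
    text = re.sub(r"#[^\n]*", "", text)  # drop end-of-line comments
    views, communities = {}, {}
    for kind, name, body in BLOCK.findall(text):
        stmts = [s.split() for s in body.split(";") if s.strip()]
        if kind == "view":
            views[name] = [(s[1], s[2]) for s in stmts if len(s) == 3 and s[0] == "oid"]
        else:
            communities[name] = {s[0]: s[1] for s in stmts if len(s) == 2}
    return views, communities

def audit(text):
    """List (name, problem) pairs for community/view associations."""
    views, communities = parse_snmp(text)
    findings = []
    for name, stmts in sorted(communities.items()):
        view = stmts.get("view")
        if view is None:  # page: default is read access to all MIB objects
            findings.append((name, "no view: read access to all supported MIB objects"))
        elif view not in views:
            findings.append((name, f"references undefined view {view}"))
    assigned = {stmts.get("view") for stmts in communities.values()}
    for name in sorted(set(views) - assigned):
        findings.append((name, "view defined but not assigned to any community"))
    return findings
```

Calling audit() on the text of a device's snmp stanza returns an empty list when every community has a view that is defined and every view is in use.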