CLI and SNMP User Synchronization; Restricting Switch Access; Group-Based SNMP Access - Cisco AP775A - Nexus Converged Network Switch 5010 Configuration Manual

Fabric manager configuration guide, release 4.x

Chapter 40
Configuring SNMP
Cisco MDS 9000 Family Fabric Manager Configuration Guide, OL-17256-03, Cisco MDS NX-OS Release 4.x

SNMPv3 CLI User Management and AAA Integration

SNMPv3 user management can be centralized at the AAA server level. This centralized user management allows the SNMP agent running on the Cisco MDS switch to leverage the user authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are processed further. The AAA server is also used to store user group names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.

This section includes the following topics:
• CLI and SNMP User Synchronization
• Restricting Switch Access
• Group-Based SNMP Access

CLI and SNMP User Synchronization

Any configuration change made to the user group, role, or password results in database synchronization for both SNMP and AAA.

Users are synchronized as follows:
• Deleting a user using either command results in the user being deleted for both SNMP and the CLI.
• User-role mapping changes are synchronized in SNMP and the CLI.

Note: When the passphrase/password is specified in localized key/encrypted format, the password is not synchronized.

Note: Starting in 3.0(1), the temporary SNMP login created for FM is no longer 24 hours. It is one hour.

• Existing SNMP users continue to retain the auth and priv passphrases without any changes.
• If the management station creates an SNMP user in the usmUserTable, the corresponding CLI user is created without any password (login is disabled) and will have the network-operator role.

Restricting Switch Access

You can restrict access to a Cisco MDS 9000 Family switch using IP Access Control Lists (IP-ACLs). See Chapter 42, "Configuring IPv4 and IPv6 Access Control Lists."

Group-Based SNMP Access

Note: Because group is a standard SNMP term used industry-wide, we refer to role(s) as group(s) in this SNMP section.

SNMP access rights are organized by groups. Each group in SNMP is similar to a role through the CLI. Each group is defined with three accesses: read access, write access, and notification access. Each access can be enabled or disabled within each group.
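A way to check the CLI and SNMP synchronization described above from the switch command line. This is an added example, not part of the original guide; the user name snmpadmin and the bracketed passphrases are constructed placeholders, and command output is not shown.

```text
! Added example. "snmpadmin" and the <...> passphrases are placeholders.
switch# configure terminal
! Create the user from the SNMP side and map it to the network-admin role (group).
switch(config)# snmp-server user snmpadmin network-admin auth sha <auth-passphrase> priv <priv-passphrase>
switch(config)# end
! The same account and role should now appear in both databases.
switch# show snmp user
switch# show user-account
! Deleting with either command removes the user from both SNMP and the CLI.
switch# configure terminal
switch(config)# no snmp-server user snmpadmin
switch(config)# end
switch# show user-account
```

Reviewing show user-account periodically also surfaces CLI accounts that were created automatically, with login disabled and the network-operator role, when a management station added a user to the usmUserTable.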
