安奈特中文操作指南

1、目 錄初始登錄設(shè)置：2預(yù)備操作知識(shí)：2三層交換機(jī)vlan基本配置：3ip基本配置：6ip helper設(shè)置（廣播轉(zhuǎn)發(fā)）：7dhcp（動(dòng)態(tài)主機(jī)配置協(xié)議）服務(wù)器設(shè)置：7ip filter的配置（訪問(wèn)控制列表，acl）：8hardware filter的設(shè)置（硬件包過(guò)濾，hwf）：10ip nat的配置（網(wǎng)絡(luò)地址轉(zhuǎn)換，標(biāo)準(zhǔn)ip nat只適用于路由器）：13snmp（簡(jiǎn)單網(wǎng)絡(luò)管理協(xié)議）設(shè)置：13ping polling的設(shè)置：16trigger（觸發(fā)器）的設(shè)置：17test工具之virtual cable test facility：18ospf（開(kāi)放式最短路徑優(yōu)先）的設(shè)置：19vrrp（虛擬路由器冗

2、余協(xié)議）的設(shè)置：23qos（服務(wù)質(zhì)量）的設(shè)置：24物理端口速率限制：25各種二層隧道協(xié)議及ipsec vpn設(shè)置：25配置文件的保存及設(shè)置：31上傳下載文件至路由器/三層交換機(jī)：31#初始登錄設(shè)置：#使用超級(jí)終端通過(guò)串口登錄進(jìn)入路由器/三層交換機(jī)。超級(jí)終端設(shè)置：9600波特率，8數(shù)據(jù)位，1停止位，no奇偶校驗(yàn)，硬件流控制。在login:狀態(tài)輸入用戶名：manager密碼：friend如果有相應(yīng)權(quán)限，也可通過(guò)telnet路由器/三層交換機(jī)的任意活躍接口的ip地址訪問(wèn)設(shè)備。安奈特路由器/三層交換機(jī)的配置環(huán)境是不區(qū)分層次化的，不存在類似cisco的“全局配置模式”、“接口配置模式”、“路由協(xié)議配置模

3、式”，所有的配置命令均在同一模式/界面下執(zhí)行，其提示符為：登錄用戶級(jí)別 設(shè)備名稱例如，使用manager權(quán)限用戶登錄名稱為test的設(shè)備，則顯示為：manager test使用securityofficer權(quán)限用戶登錄名稱為coreswitch的設(shè)備，則顯示為：secoff coreswitch然后即可配置所有內(nèi)容。%#預(yù)備操作知識(shí)：#安奈特路由器/三層交換機(jī)的主要配置命令包括五個(gè)：createdestroycreate：創(chuàng)建原本并不存在的實(shí)體。例如，缺省所有交換機(jī)端口屬于僅有的一個(gè)vlan1，不存在其他的vlan。如果要?jiǎng)?chuàng)建其他的vlan，則需使用create vlan=vlan-name

4、vid=vlan-iddestroy：刪除通過(guò)create創(chuàng)建的實(shí)體，在刪除之前，需先刪除其他的關(guān)聯(lián)配置內(nèi)容。例如，如果要?jiǎng)h除vlan2，則需先刪除vlan2中所有的port，刪除vlan2的ip地址（如果有），刪除其他地方對(duì)于interface vlan2的引用，等等。add deleteadd：對(duì)已有的實(shí)體增加屬性。例如，vlan1缺省存在，不能用create創(chuàng)建，也不能用destroy刪除，如果要對(duì)vlan1增加端口，則：add vlan=1 port=port-list；如果要對(duì)vlan1增加ip地址，則：add ip int=vlan1 ip=ip-address mask=ip-m

5、ask；如果對(duì)已經(jīng)創(chuàng)建的vlan2增加ip地址，則：add ip int=vlan2 ip=ip-address mask=ip-mask；如果要增加路由，則：add ip route=dest-ip-segment mask=dest-ip-segment-mask int=out-interface-name nexthop=nexthop-ip-address；delete：對(duì)已有的實(shí)體刪除某些屬性。例如，將某些端口從vlan3刪除，則：delete vlan=3 port=port-list；如果要?jiǎng)h除vlan4的ip地址設(shè)置，則：delete ip int=vlan4 ip=ip-a

6、ddress；如果要?jiǎng)h除已存在的防火墻規(guī)則條目10，則：delete firewall policy=fire rule=10；setset：對(duì)已有的實(shí)體屬性進(jìn)行修改。例如，直接修改接口vlan2的ip地址，則：set ip int=vlan2 ip=new-ip-address mask=new-ip-mask；設(shè)置用戶自身的密碼，則：set password；設(shè)置其他用戶的密碼（需具備高級(jí)權(quán)限），則：set user=user-name password=password；注意：create與destroy對(duì)應(yīng)，add與delete對(duì)應(yīng)。因此，如果通過(guò)create創(chuàng)建的實(shí)體，不能使用del

7、ete刪除；如果通過(guò)add增加的屬性，不能使用destroy刪除。%#三層交換機(jī)vlan基本配置：#port-based vlan with untagged ports設(shè)置需求：vlan name vlan id portsmarketing vid=2 port 1-3training vid=3 port 14-16配置示例：1. create vlans.#create the two vlans using the following commands on the switch:create vlan=marketing vid=2create vlan=training vid=

8、32. add ports to vlans.#add the ports to these vlans on the switch by using the following commands:add vlan=marketing port=1-3add vlan=training port=14-16#check the vlan configuration by using the command:show vlan3. check the switch.#check that the switch is switching across the ports. traffic on t

9、he switch can be monitored using the command:show switch countervlan with tagged ports設(shè)置需求：switch a switch bvlan name vid tagged portsuntagged ports tagged ports untagged portsadmin vid=2 port 2 port 1training vid=3 port 26 port 3 port 25 port 21,22marketing vid=4 port 2,26 port 4 port 25 port 23to

10、configure switch a1. create vlans.#create the three vlans using the following commands on the switch:create vlan=admin vid=2create vlan=training vid=3create vlan=marketing vid=42. add ports to vlans.#add the ports to these vlans on the switch by using the following commands:add vlan=admin port=2 fra

11、me=taggedadd vlan=admin port=1 frame=untaggedadd vlan=training port=26 frame=taggedadd vlan=training port=3 frame=untaggedadd vlan=marketing port=2,26 frame=taggedadd vlan=marketing port=4 frame=untagged#check the vlan configuration by using the command:show vlanto configure switch b1. create vlans.

12、#create the two vlans using the following commands on the switch:create vlan=training vid=3create vlan=marketing vid=42. add ports to vlans.#add the ports to these vlans on the switch by using the following commands:add vlan=training port=5 frame=taggedadd vlan=training port=1,2 frame=untaggedadd vl

13、an=marketing port=5 frame=taggedadd vlan=marketing port=3 frame=untagged#check the vlan configuration by using the command:show vlancheck#check that the switch is switching across the ports. traffic on switch a can be monitored using the command:show switch counter=1-4,26#traffic on switch b can be

14、monitored using the command:show switch counter=21-23,25#ip基本配置：#針對(duì)路由器/三層交換機(jī)配置ip內(nèi)容，為每個(gè)網(wǎng)段指定ip地址，作為該網(wǎng)段客戶端pc的網(wǎng)關(guān)地址。首先，激活ip功能模塊：enable ip假定int=eth1連接了internet路由器，本地eth1的地址為192.168.2.253，internet路由器與本地路由器相連的接口ip地址為192.168.2.254。add ip int=eth1 ip=192.168.2.253 mask=255.255.255.0添加缺省路由，以允許內(nèi)部網(wǎng)絡(luò)聯(lián)接外部網(wǎng)絡(luò)，例如聯(lián)接in

15、ternet。add ip route=0.0.0.0 mask=0.0.0.0 int=eth1 next=192.168.2.254關(guān)于網(wǎng)絡(luò)地址轉(zhuǎn)換內(nèi)容請(qǐng)見(jiàn)后文敘述。在下面的配置中，假定允許eth1的客戶端只可以訪問(wèn)內(nèi)部企業(yè)網(wǎng)各網(wǎng)段，不能訪問(wèn)其他地址，例如不能訪問(wèn)internet。#ip helper設(shè)置（廣播轉(zhuǎn)發(fā)）：#假定windows服務(wù)器位于eth0，其地址為10.94.4.1/3/5/7。客戶端位于eth1，那么需要配置ip helper address轉(zhuǎn)發(fā)netbios流量。# port=137指明protocol port=137enable ip helperadd ip h

16、elper port=137 int=eth1 destination=10.94.4.1add ip helper port=137 int=eth1 destination=10.94.4.3add ip helper port=137 int=eth1 destination=10.94.4.5add ip helper port=137 int=eth1 destination=10.94.4.7add ip helper port=138 int=eth1 destination=10.94.4.1add ip helper port=138 int=eth1 destination

17、=10.94.4.3#dhcp（動(dòng)態(tài)主機(jī)配置協(xié)議）服務(wù)器設(shè)置：#如果需要，可以為每個(gè)以太網(wǎng)接口設(shè)置一個(gè)dhcp服務(wù)器。# dhcp configuration - post ip#enable dhcpcreate dhcp poli=rjc lease=14400add dhcp poli=rjc subn=255.255.255.0add dhcp poli=rjc rou=192.168.3.1add dhcp poli=rjc dnss=10.94.4.5create dhcp ran=eth0 poli=rjc ip=192.168.1.2 num=50create dhcp pol

18、i=yzgh lease=14400add dhcp poli=yzgh subn=255.255.255.0add dhcp poli=yzgh rou=192.168.2.1add dhcp poli=yzgh dnss=10.94.4.5create dhcp ran=eth1 poli=yzgh ip=192.168.2.2 num=50對(duì)打印機(jī)等設(shè)備進(jìn)行固定ip地址分配：create dhcp poli=xxjsj lease=14400add dhcp poli=xxjsj subn=255.255.255.0add dhcp poli=xxjsj rou=192.168.25.1

19、add dhcp poli=xxjsj dnss=10.94.4.5create dhcp ran=vlan25 poli=xxjsj ip=192.168.25.2 num=80add dhcp range=office policy=xxjsj ip=192.168.25.50 address=00-00-0c-00-28-73#ip filter的配置（訪問(wèn)控制列表，acl）：#traffic filter:add ip filter=0.99 action=include|exclude source=ipadd smask=ipadd sport=port-name|port-id

20、destination=ipadd dmask=ipadd dport=port-name|port-id icmpcode=icmp-code-name|icmp-code-idicmptype=icmp-type-name|icmp-type-id log=4.1600|dump|header|none options=false|off|on|no|true|yesprotocol=protocol|any|egp|icmp|ospf|tcp|udpsession=any|established|start size=size entry=1.255policy filter:add i

21、p filter=100.199 policy=0.15 source=ipadd smask=ipadd sport=port-name|port-id destination=ipadd dmask=ipadd dport=port-name|port-id icmpcode=icmp-code-name|icmp-code-idicmptype=icmp-type-name|icmp-type-id log=4.1600|dump|header|none options=false|off|on|no|true|yesprotocol=protocol|any|egp|icmp|ospf

22、|tcp|udpsession=any|established|start size=size entry=1.255priority filter:add ip filter=200.299 priority=p0.p7 source=ipadd smask=ipadd sport=port-name|port-id destination=ipadd dmask=ipadd dport=port-name|port-id icmpcode=icmp-code-name|icmp-code-idicmptype=icmp-type-name|icmp-type-id log=4.1600|d

23、ump|header|none options=false|off|on|no|true|yesprotocol=protocol|any|egp|icmp|ospf|tcp|udpsession=any|established|start size=sizeentry=1.255routing filter:add ip filter=300.399 action=include|exclude source=ipadd entry=1.255 smask=ipadd設(shè)置舉例：enable ipadd ip filter=1 so=0.0.0.0 ac=include prot=udp dp

24、=bootpsadd ip filter=1 so=0.0.0.0 ac=include prot=udp dp=bootpcadd ip filter=1 so=192.168.2.0 sm=255.255.255.0 des=10.94.3.0 dm=255.255.255.0 ac=includeadd ip filter=1 so=192.168.2.0 sm=255.255.255.0 des=10.94.4.0 dm=255.255.255.0 ac=includeadd ip filter=1 so=192.168.2.0 sm=255.255.255.0 des=10.94.5

25、.0 dm=255.255.255.0 ac=includeadd ip filter=1 so=192.168.2.0 sm=255.255.255.0 ac=exclude（上面例子中最后這句可以省略，缺省的ip filter的最后隱含了一句拒絕所有的流量通過(guò)，即add ip filter=1 so=0.0.0.0 sm=0.0.0.0 ac=exclude）ip filter在接口上的使用，總是應(yīng)用于交換機(jī)接口的in方向！每一個(gè)ip filter組中包含的語(yǔ)句由entry值定位其位置，如果在輸入命令時(shí)，未指明entry值，則缺省從1開(kāi)始，依次累加。通過(guò)show ip filter可以查看

26、具體的每個(gè)語(yǔ)句的位置，在執(zhí)行ip filter的操作時(shí)，按照從頂向下的方向執(zhí)行，一旦匹配某條語(yǔ)句，則立即執(zhí)行相應(yīng)操作，并結(jié)束ip filter的查找。通過(guò)acl來(lái)實(shí)現(xiàn)所有通信流量的單向訪問(wèn)控制非常困難，因?yàn)榻^大多數(shù)時(shí)候的通信需求都是雙向的，我們拒絕從低優(yōu)先級(jí)側(cè)主動(dòng)發(fā)起會(huì)話，但是必須允許從低優(yōu)先級(jí)側(cè)回復(fù)給高優(yōu)先級(jí)的會(huì)話。（注意：對(duì)于無(wú)應(yīng)答的udp單向通信并不需要額外關(guān)心）。因?yàn)閍cl不保存每個(gè)會(huì)話的狀態(tài)，無(wú)法判斷低優(yōu)先級(jí)測(cè)發(fā)起的流量是初始發(fā)送數(shù)據(jù)包還是對(duì)高優(yōu)先級(jí)數(shù)據(jù)包的回復(fù)，而這種狀態(tài)檢測(cè)功能通常由防火墻實(shí)現(xiàn)。對(duì)于這種情況，所有acl的實(shí)現(xiàn)只能有選擇的針對(duì)tcp會(huì)話實(shí)現(xiàn)單向通信。通過(guò)指定esta

27、blished關(guān)鍵字實(shí)現(xiàn)（cisco命令也類似）：add ip filter=filter-number source=ipadd smask=ipadd session=any|established|start譬如，我們可以在低優(yōu)先級(jí)側(cè)（假定接口為vlan100）配置訪問(wèn)控制列表如下：add ip filter=99 so=0.0.0.0 session=established ac=includeset ip int=vlan100 filter=99這樣可以允許從vlan100這個(gè)低優(yōu)先級(jí)網(wǎng)段返回高優(yōu)先級(jí)發(fā)起的通信，同時(shí)拒絕所有低優(yōu)先級(jí)側(cè)對(duì)外的所有其他通信。將ip filter應(yīng)用于接

28、口的命令為：set ip interface=eth0 filter=filter_id對(duì)于本地交換機(jī)配置的所有以太網(wǎng)接口，均為直連網(wǎng)段，缺省情況下，所有網(wǎng)段間通信都是被許可的。對(duì)于eth1，做了上面所述的訪問(wèn)控制限制。如果將訪問(wèn)控制列表從接口上去掉，可以使用：set ip int=eth1 filter=none。add ip int=eth1 ip=192.168.2.253 filter=1add ip int=eth0 ip=192.168.1.253#hardware filter的設(shè)置（硬件包過(guò)濾，hwf）：#硬件包過(guò)濾的配置（hwf，可以代替ip filter的工作，通過(guò)硬件執(zhí)行

29、過(guò)濾操作，不牽涉cpu的中斷，只適用于三層交換機(jī)）：# classifier general configuration#create class=7 tcpd=4444create class=8 tcpd=445create class=9 udpd=445create class=10 tcpd=593create class=11 udpd=1434create class=12 udpd=135create class=13 tcpd=135create class=14 udpd=139# switch (post-vlan) configuration#add switch hw

30、f class=7 ac=discardadd switch hwf class=8 ac=discardadd switch hwf class=9 ac=discardadd switch hwf class=10 ac=discardadd switch hwf class=11 ac=discardadd switch hwf class=12 ac=discardadd switch hwf class=13 ac=discardadd switch hwf class=14 ac=discard對(duì)于at-rapier系列的交換機(jī)，hwf的執(zhí)行方式為，從頂向下執(zhí)行“所有”的語(yǔ)句，即找

31、到第一個(gè)匹配項(xiàng)以后，對(duì)數(shù)據(jù)包做相應(yīng)的標(biāo)記，然后繼續(xù)尋找隨后的匹配語(yǔ)句，如果再次匹配某個(gè)語(yǔ)句，則做相應(yīng)的標(biāo)記。因此，可能出現(xiàn)開(kāi)始的標(biāo)記被覆蓋的情況。對(duì)于at-switchblade/at-9900/at-9800系列的交換機(jī)，hwf的執(zhí)行方式為，從頂向下執(zhí)行，找到匹配語(yǔ)句以后，則停止執(zhí)行當(dāng)前hwf_id組中的其他語(yǔ)句。對(duì)于所有的三層交換機(jī)，所有不匹配hwf任何語(yǔ)句的數(shù)據(jù)包均被“允許”通過(guò)，按照正常轉(zhuǎn)發(fā)動(dòng)作執(zhí)行。at-rapier系列hwf示例（在port24上，只允許特定ip地址的全部流量及所有ip地址的特定tcp應(yīng)用通過(guò)，其他tcp流量均丟棄）：create class=1 ipprot=tc

32、p tcpdport=5000 eport=24create class=2 ipprot=tcp tcpsport=5000 eport=24create class=3 ipprot=tcp tcpdport=21 eport=24create class=4 ipprot=tcp tcpsport=21 eport=24create class=5 ipprot=tcp tcpdport=25 eport=24create class=6 ipprot=tcp tcpsport=25 eport=24create class=7 ipprot=tcp tcpdport=80 eport=

33、24create class=8 ipprot=tcp tcpsport=80 eport=24create class=9 ipprot=tcp tcpdport=110 eport=24create class=10 ipprot=tcp tcpsport=110 eport=24create class=11 ipprot=tcp tcpdport=1433 eport=24create class=12 ipprot=tcp tcpsport=1433 eport=24create class=13 ipprot=tcp tcpdport=1000 eport=24create cla

34、ss=14 ipprot=tcp tcpsport=1000 eport=24create class=15 ipprot=tcp tcpdport=3000 eport=24create class=16 ipprot=tcp tcpsport=3000 eport=24create class=17 ipprot=tcp tcpdport=9970 eport=24create class=18 ipprot=tcp tcpsport=9970 eport=24create class=19 ipprot=tcp tcpdport=9971 eport=24create class=20

35、ipprot=tcp tcpsport=9971 eport=24create class=100 ipsadd=192.15.200.10 eport=24create class=101 ipdadd=192.15.200.10 eport=24create class=102 ipsadd=192.15.200.227 eport=24create class=103 ipdadd=192.15.200.227 eport=24create class=104 ipsadd=192.15.200.225 eport=24create class=105 ipdadd=192.15.200

36、.225 eport=24create class=900 epo=24 ippr=tcp add switch hwf class=900 action=discardadd switch hwf class=1-20 action=nodropadd switch hwf class=100-105 action=nodrop利用hardware filter實(shí)現(xiàn)tcp的單向訪問(wèn)：第一種配置方式：# vlan general configuration, vlan 3 has higher prioritycreate vlan=v2 vid=2create vlan=v3 vid=3#

37、vlan port configuration#add vlan=2 port=24add vlan=3 port=1# classifier general configuration#create class=1 ipsa=10.12.1.0/24 ipda=11.12.1.0/24 tcpf=syncreate class=2 ipsa=10.12.1.0/24 ipda=11.12.1.0/24 tcpf=ack,syn#創(chuàng)建兩條calssifier：classifier1 對(duì)應(yīng)vlan2 至vlan3 tcp 標(biāo)志位為syn 的流量；classifier2 對(duì)應(yīng)vlan2 至vlan

38、3 tcp 標(biāo)志位為syn+ack的流量。# switch (post-vlan) configuration#add switch hwf class=1 ac=discardadd switch hwf class=2 ac=nodrop#添加hwfiler，禁止匹配classifier1 的所有流量，但允許其中匹配classifier2 的流量通過(guò)。# ip configuration#enable ipadd ip int=vlan2 ip=10.12.1.1 mask=255.255.255.0add ip int=vlan3 ip=11.12.1.1 mask=255.255.25

39、5.0第二種配置方式：# classifier general configuration#create class=1 prot=0800 ipsa=10.12.1.0/24 ipda=11.12.1.0/24 ippr=tcp match1=0002 mask1=00ff offset1=50#創(chuàng)建一條calssifier：classifier1 對(duì)應(yīng)vlan2 至vlan3 只有 tcp 標(biāo)志位為syn 的流量。注意：該classsifier 不匹配vlan2 至vlan3 tcp 標(biāo)志位為syn+ack的流量！# switch (post-vlan) configuration#add

40、 switch hwf class=1 ac=discard#添加hwfiler，禁止匹配classifier1 的所有流量。#ip nat的配置（網(wǎng)絡(luò)地址轉(zhuǎn)換，標(biāo)準(zhǔn)ip nat只適用于路由器）：#enable ip nat靜態(tài)nat：add ip nat ip=192.168.1.2 gblip=203.56.3.78靜態(tài)enat：add ip nat ip=192.168.10.3 prot=tcp port=80 gblip=203.56.3.78 gblport=80add ip nat ip=192.168.10.4 prot=tcp port=20 gblip=203.56.3.7

41、8 gblport=20add ip nat ip=192.168.10.4 prot=tcp port=21 gblip=203.56.3.78 gblport=21動(dòng)態(tài)nat：add ip nat ip=192.168.1.0 mask=255.255.255.0 gblip=203.56.3.128 gblmask=255.255.255.128動(dòng)態(tài)enat：add ip nat ip=192.168.1.0 mask=255.255.255.0 gblip=203.56.3.78或者：add ip nat ip=192.168.1.0 mask=255.255.255.0 gblint

42、=eth0對(duì)于具備防火墻功能的網(wǎng)絡(luò)設(shè)備，如果開(kāi)啟了防火墻，則nat功能由firewall執(zhí)行，ip nat將被自動(dòng)disable。關(guān)于firewall的詳細(xì)設(shè)置，請(qǐng)參考相應(yīng)命令手冊(cè)。%#snmp（簡(jiǎn)單網(wǎng)絡(luò)管理協(xié)議）設(shè)置：#snmpv1&v2的設(shè)置：enable snmpenable snmp authenticate_trapcreate snmp community=atisnmpr access=read open=noenable snmp community=atisnmpr trapadd snmp community=atisnmpr manager=10.12.3.222add

43、snmp community=atisnmpr traphost=10.12.3.222create snmp community=atisnmpwr access=write open=noenable snmp community=atisnmpwr trapadd snmp community=atisnmpwr manager=10.12.3.222add snmp community=atisnmpwr traphost=10.12.3.222enable interface=vlan1 linktrap查看配置：show snmpshow snmp communityshow in

44、terface=vlan1snmpv3的簡(jiǎn)介：snmpv3提供了兩個(gè)主要的增強(qiáng)特征：authentication、privacy；對(duì)于配置而言，體現(xiàn)在三個(gè)不同的安全級(jí)別：1. noauthnopriv(no authentication and no privacy)2. authnopriv(authentication but no privacy)3. authpriv(authentication and privacy)同時(shí)，通過(guò)view、group、user的定義提供不同的mib信息訪問(wèn)權(quán)限。可配置的三種不同權(quán)限的view訪問(wèn)：1. readview (specifies snmp

45、 view the group has read access to)2. writeview(specifies snmp view the group has write access to)3. notifyview(specifies snmp view the group will receive notifications for)view、group、user之間的關(guān)系如下圖所示：同一網(wǎng)絡(luò)設(shè)備上group的名稱及關(guān)聯(lián)的安全級(jí)別必須唯一。snmp target address和snmp target params必須唯一。snmpv3的設(shè)置：#enables snmpenable

46、snmp#enables snmp authentication failure traps.enable snmp authenticate_trap#adds snmp target parameters set, to specify a security profile for target addresses.add snmp targetparams=netmonpc securitylevel=authpriv user=steve#adds a target address where traps will be sent.add snmp targetaddress=nms

47、ip=192.168.11.23 udp=162 params=netmonpc#creates an snmp view which will allow access to everything from the specified object identifier (oid) onwards.add snmp view=full oid=1.3.6.1 type=include#creates an snmp view which will allow access to everything from the specified oid onwards, and also adds

48、a restriction to anything on a particular sub-tree.add snmp view=restricted oid=1.3.6.1 type=includeadd snmp view=restricted oid=1.3.6.1.6 type=exclude#adds another restriction to snmp view restricted, preventing access to the specified mib name and everything below it. this is an alternative to the

49、 command syntax shown in the command above, and it should be noted that commands entered with the syntax shown below will appear in the configuration with the syntax above - i.e. as an oid.add snmp view=restricted mib=bgp type=exclude#creates an snmp group which has full read/write and notify privil

50、ege to the full view, and specifies authentication and privacy.add snmp group=super-users securitylevel=authpriv readview=full writeview=full notifyview=full#creates an snmp group with full read and notify privilege to the full view, and specifies authentication but not privacy.add snmp group=users securitylevel=authnopriv readview=full notifyview=full#creates an snmp group with read access to the restricted view only, with no authentication or privacy specified.add snmp group=restricted-users securitylevel=noauthnopriv readview=restricted#creates an snmp user and associates