Difference between revisions of "Snmpd proxy"

From Net-SNMP Wiki
 
m
Line 16: Line 16:
 
</pre>
 
</pre>
  
For proxy acess to multiple remote hosts, we need a v1/v2c community string per host. We'll assign these to the same 'notConfigUser' defined above. We also have to use '-Cn <context>' to assign a context to each, which is how the proxy configuration will know which remote host to set requests to.
+
For proxy acess to multiple remote hosts, we need a v1/v2c community string for each proxied host. We'll assign these to the same 'notConfigUser' defined above. We also have to use '-Cn <context>' to assign a context to each, which is how the proxy configuration will know which remote host to set requests to.
  
 
  com2sec <font color=red>-Cn ctx_remotehost1</font> notConfigUser  default      <font color=red>cmty_remotehost1</font>
 
  com2sec <font color=red>-Cn ctx_remotehost1</font> notConfigUser  default      <font color=red>cmty_remotehost1</font>
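Review bot: the replacement paragraph still carries the typo 'acess' and the phrase 'which remote host to set requests to', which looks like a slip for 'send requests to'. Since this revision already rewords the sentence ('per host' to 'for each proxied host'), correct both in the same edit.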

Revision as of 21:16, 9 May 2007

Setting up access control for proxy access to multiple devices

Normal access control looks like this:

# define a simple view 'systemview', which includes everything under .1.3.6.1
view    systemview     included      .1.3.6.1

# map 'public' community to the 'notConfigUser'
com2sec notConfigUser  default       public

# map 'notConfigUser' to 'notConfigGroup'
group   notConfigGroup v1            notConfigUser
group   notConfigGroup v2c           notConfigUser

# give 'notConfigGroup' read access to objects in the view 'systemview'
access  notConfigGroup ""            any       noauth    exact  systemview none none

For proxy access to multiple remote hosts, we need a v1/v2c community string for each proxied host. We'll assign these to the same 'notConfigUser' defined above. We also have to use '-Cn <context>' to assign a context to each, which is how the proxy configuration will know which remote host to send requests to.

com2sec -Cn ctx_remotehost1 notConfigUser  default       cmty_remotehost1
com2sec -Cn ctx_remotehost2 notConfigUser  default       cmty_remotehost2


Now, we need to allow the 'notConfigUser' (a member of 'notConfigGroup') access for these contexts. Since we used a common prefix for the context name, we just need one access line using prefix matching, instead of two using exact matching:

access  notConfigGroup ctx_remotehost            any       noauth    prefix  systemview none none

Now, to set up the proxy:

proxy -Cn ctx_remotehost1  -v 2c -c public  remotehost1  .1.3
proxy -Cn ctx_remotehost2  -v 2c -c public  remotehost2  .1.3

Start snmpd (or restart it, if it was already running), and then test your new setup.

Testing

Finally, to query via the proxy:

$ snmpget -v2c -c cmty_remotehost1 proxyhost sysContact.0
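
A consistency check for the directives used above, as an added example that is not part of the original wiki page or of Net-SNMP: it parses the com2sec, group, access and proxy lines and reports, for each proxy context, which communities are both mapped to it and covered by an access line. The sample configuration is constructed from this page's directives plus a hypothetical 'ctx_backup' proxy; the function names are illustrative, and the check ignores the source, security model and level fields.

```python
import shlex

# Constructed sample: this page's directives plus one proxy context
# (ctx_backup, hypothetical) left without a com2sec mapping or access line.
SAMPLE_CONF = """
com2sec notConfigUser default public
com2sec -Cn ctx_remotehost1 notConfigUser default cmty_remotehost1
com2sec -Cn ctx_remotehost2 notConfigUser default cmty_remotehost2
group notConfigGroup v2c notConfigUser
access notConfigGroup "" any noauth exact systemview none none
access notConfigGroup ctx_remotehost any noauth prefix systemview none none
proxy -Cn ctx_remotehost1 -v 2c -c public remotehost1 .1.3
proxy -Cn ctx_remotehost2 -v 2c -c public remotehost2 .1.3
proxy -Cn ctx_backup -v 2c -c public backuphost .1.3
"""

def take_context(args):
    """Split off '-Cn CONTEXT'; the context is "" when the option is absent."""
    if "-Cn" in args:
        i = args.index("-Cn")
        return args[i + 1], args[:i] + args[i + 2:]
    return "", args

def parse(conf):
    com2sec, groups, access, proxies = [], {}, [], []
    for line in conf.splitlines():
        name, *args = shlex.split(line, comments=True) or [""]  # "" = blank line
        if name == "com2sec":    # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            ctx, rest = take_context(args)
            com2sec.append((ctx, rest[0], rest[2]))
        elif name == "group":    # group GROUP MODEL SECNAME
            groups.setdefault(args[2], set()).add(args[0])
        elif name == "access":   # access GROUP CONTEXT MODEL LEVEL PREFX ...
            access.append((args[0], args[1], args[4]))
        elif name == "proxy":    # proxy [-Cn CONTEXT] [snmpcmd args] HOST OID
            proxies.append(take_context(args)[0])
    return com2sec, groups, access, proxies

def covered(ctx, group, access):
    """True if an access line for this group matches ctx (exact or prefix)."""
    return any(g == group and (ctx == c if m == "exact" else ctx.startswith(c))
               for g, c, m in access)

def audit(conf):
    """Map each proxy context to the communities that can reach it."""
    com2sec, groups, access, proxies = parse(conf)
    return {ctx: sorted(comm for c, sec, comm in com2sec if c == ctx and
                        any(covered(ctx, g, access) for g in groups.get(sec, ())))
            for ctx in proxies}
```

An empty list from audit() marks a proxy context that no community can reach. Because 'prefix' matching accepts any context name beginning with 'ctx_remotehost', covered() also returns true for a name such as 'ctx_remotehost_lab'; use 'exact' access lines where that is broader than intended.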