Difference between revisions of "Snmpd proxy"

From Net-SNMP Wiki
m
(break out v1/v2 context mapping into a section; use v3 params for one of the proxy statements)
Line 1: Line 1:
 
==Setting up access control for proxy access to multiple devices==
 
==Setting up access control for proxy access to multiple devices==
 +
If you want to have the same OID tree proxied to muliple devices, (e.g. so the proxy responds as if it were the proxied device), you need to use '''contexts'''. Contexts were introduced in SNMPv3, but Net-SNMP had a feature to have a SNMPv1 community string map to a context for proxying. You will need a unique community string per proxied device.
 +
 +
=== Setting up SNMPv1 (and v2c) community/context mapping ===
 
Normal access control looks like this:
 
Normal access control looks like this:
 
<pre>
 
<pre>
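Review bot: the added introductory paragraph misspells "multiple" as "muliple", and it speaks only of an "SNMPv1 community string" while the new heading directly below it covers "SNMPv1 (and v2c)". Use the same wording in both places so readers do not conclude that the community-to-context mapping is limited to v1.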
Line 26: Line 29:
 
  access  notConfigGroup <font color=red>ctx_remotehost</font>            any      noauth    <font color=red>prefix</font>  systemview none none
 
  access  notConfigGroup <font color=red>ctx_remotehost</font>            any      noauth    <font color=red>prefix</font>  systemview none none
  
 +
=== Setting up the proxy configuration ===
 
Now, to set up the proxy:
 
Now, to set up the proxy:
  
 
  proxy -Cn ctx_remotehost1  -v 2c -c public  remotehost1  .1.3
 
  proxy -Cn ctx_remotehost1  -v 2c -c public  remotehost1  .1.3
  proxy -Cn ctx_remotehost2  -v 2c -c public remotehost2  .1.3
+
  proxy -Cn ctx_remotehost2  -v 3 -u MD5DESUser -a MD5 -A "PasswordA" -x DES -X "PasswordX" -l authPriv remotehost2  .1.3
  
 
Start snmpd (or restart it, if it was already running), and then test your new setup.
 
Start snmpd (or restart it, if it was already running), and then test your new setup.
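Review bot: the changed remotehost2 proxy line now carries the authentication and privacy passphrases (-A "PasswordA", -X "PasswordX") in snmpd.conf in clear text, and the surrounding text does not mention that the file should then be readable only by the account snmpd runs as; a sentence saying so belongs next to this example. The line also picks MD5 and DES, the weakest USM options, so consider showing -a SHA -x AES for remote agents that support them. Finally, the context mapping section defines cmty_remotehost2, but nothing in the visible text shows a query through the new v3 proxy entry, so a second test command would make the example complete.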

Revision as of 15:58, 10 May 2007

Setting up access control for proxy access to multiple devices

If you want to have the same OID tree proxied to multiple devices (e.g. so the proxy responds as if it were the proxied device), you need to use contexts. Contexts were introduced in SNMPv3, but Net-SNMP has a feature that lets an SNMPv1 community string map to a context for proxying. You will need a unique community string per proxied device.

Setting up SNMPv1 (and v2c) community/context mapping

Normal access control looks like this:

# define a simple view 'systemview', which includes everything under .1.3.6.1
view    systemview     included      .1.3.6.1

# map 'public' community to the 'notConfigUser'
com2sec notConfigUser  default       public

# map 'notConfigUser' to 'notConfigGroup'
group   notConfigGroup v1            notConfigUser
group   notConfigGroup v2c           notConfigUser

# give 'notConfigGroup' read access to objects in the view 'systemview'
access  notConfigGroup ""            any       noauth    exact  systemview none none

For proxy access to multiple remote hosts, we need a v1/v2c community string for each proxied host. We'll assign these to the same 'notConfigUser' defined above. We also have to use '-Cn <context>' to assign a context to each, which is how the proxy configuration will know which remote host to send requests to.

com2sec -Cn ctx_remotehost1 notConfigUser  default       cmty_remotehost1
com2sec -Cn ctx_remotehost2 notConfigUser  default       cmty_remotehost2


Now, we need to allow the 'notConfigUser' (a member of 'notConfigGroup') access for these contexts. Since we used a common prefix for the context name, we just need one access line using prefix matching, instead of two using exact matching:

access  notConfigGroup ctx_remotehost            any       noauth    prefix  systemview none none

Setting up the proxy configuration

Now, to set up the proxy:

proxy -Cn ctx_remotehost1  -v 2c -c public  remotehost1  .1.3
proxy -Cn ctx_remotehost2  -v 3 -u MD5DESUser -a MD5 -A "PasswordA" -x DES -X "PasswordX" -l authPriv  remotehost2  .1.3

Start snmpd (or restart it, if it was already running), and then test your new setup.

Testing

Finally, to query via the proxy:

$ snmpget -v2c -c cmty_remotehost1 proxyhost sysContact.0
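
A consistency check for the configuration above, as an added example that is not part of the wiki page or of Net-SNMP: it parses the com2sec, access and proxy lines and reports proxy contexts that no community maps to or that no access line covers, and communities mapped to more than one context. The function names are hypothetical, the sample is constructed from the directives shown on this page, and group membership is not resolved.

```python
import shlex

# Constructed sample: the context-related directives from this page in one file.
SAMPLE_CONF = '''
com2sec -Cn ctx_remotehost1 notConfigUser default cmty_remotehost1
com2sec -Cn ctx_remotehost2 notConfigUser default cmty_remotehost2
access  notConfigGroup ctx_remotehost any noauth prefix systemview none none
proxy -Cn ctx_remotehost1 -v 2c -c public remotehost1 .1.3
proxy -Cn ctx_remotehost2 -v 3 -u MD5DESUser -a MD5 -A "PasswordA" -x DES -X "PasswordX" -l authPriv remotehost2 .1.3
'''

def context_of(args):
    """Return the context named by '-Cn <context>', or '' for the default context."""
    return args[args.index("-Cn") + 1] if "-Cn" in args[:-1] else ""

def lint_proxy_contexts(conf_text):
    """Return a list of findings; an empty list means the contexts line up."""
    by_community, access, proxied, findings = {}, [], [], []
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comments, keeps "" as a token
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "com2sec" and args:
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            by_community.setdefault(args[-1], set()).add(context_of(args))
        elif directive == "access" and len(args) >= 5:
            # access GROUP CONTEXT MODEL LEVEL {exact|prefix} READ WRITE NOTIFY
            access.append((args[1], args[4]))
        elif directive == "proxy":
            proxied.append(context_of(args))
    mapped = set().union(*by_community.values())
    for ctx in proxied:
        if ctx not in mapped:
            findings.append(f"{ctx}: no com2sec -Cn maps a community to this context")
        if not any(ctx == name or (how == "prefix" and ctx.startswith(name))
                   for name, how in access):
            findings.append(f"{ctx}: no access line covers this context")
    for community, contexts in sorted(by_community.items()):
        if len(contexts) > 1:
            findings.append(f"{community}: mapped to {len(contexts)} contexts, not unique per device")
    return findings

if __name__ == "__main__":
    for finding in lint_proxy_contexts(SAMPLE_CONF) or ["OK: every proxy context is mapped and covered"]:
        print(finding)
```

Run it against the real snmpd.conf text before restarting snmpd; a finding for a context means v1/v2c queries for that device will not reach the proxy entry.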