Snmpd proxy

From Net-SNMP Wiki
Revision as of 16:01, 10 May 2007 by Rstory (Talk | contribs) (add note to skip mapping if using v3)


Setting up access control for proxy access to multiple devices

If you want to have the same OID tree proxied to multiple devices (e.g. so the proxy responds as if it were the proxied device), you need to use contexts. Contexts were introduced in SNMPv3, but Net-SNMP has a feature that maps an SNMPv1 community string to a context for proxying. You will need a unique community string per proxied device.

Setting up SNMPv1 (and v2c) community/context mapping

(Skip this section if you are going to be using SNMPv3 to access the proxy agent).

Normal access control looks like this:

# define a simple view 'systemview', which includes everything under .1.3.6.1
view    systemview     included      .1.3.6.1

# map 'public' community to the 'notConfigUser'
com2sec notConfigUser  default       public

# map 'notConfigUser' to 'notConfigGroup'
group   notConfigGroup v1            notConfigUser
group   notConfigGroup v2c           notConfigUser

# give 'notConfigGroup' read access to objects in the view 'systemview'
access  notConfigGroup ""            any       noauth    exact  systemview none none

For proxy access to multiple remote hosts, we need a v1/v2c community string for each proxied host. We'll assign these to the same 'notConfigUser' defined above. We also have to use '-Cn <context>' to assign a context to each, which is how the proxy configuration will know which remote host to send requests to.

com2sec -Cn ctx_remotehost1 notConfigUser  default       cmty_remotehost1
com2sec -Cn ctx_remotehost2 notConfigUser  default       cmty_remotehost2


Now, we need to allow the 'notConfigUser' (a member of 'notConfigGroup') access for these contexts. Since we used a common prefix for the context name, we just need one access line using prefix matching, instead of two using exact matching:

access  notConfigGroup ctx_remotehost            any       noauth    prefix  systemview none none

Setting up the proxy configuration

Now, to set up the proxy:

proxy -Cn ctx_remotehost1  -v 2c -c public  remotehost1  .1.3

# Note: each proxy directive must be on a single line.
proxy -Cn ctx_remotehost2  -v 3 -u MD5DESUser -a MD5 -A "PasswordA" -x DES -X "PasswordX" -l authPriv  remotehost2  .1.3

Start snmpd (or restart it, if it was already running), and then test your new setup.
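
A context that is mapped by com2sec but has no matching access or proxy line only shows up as a failed query, so it is worth cross-checking the three directives in snmpd.conf. The following Python script is an added example, not part of the Net-SNMP wiki or the Net-SNMP code; it understands only the directive forms shown on this page, and the sample config (including the broken ctx_remotehost3 entry) is constructed for the demonstration.

```python
import shlex

# Constructed sample: the directives from this page plus one deliberately
# broken mapping (ctx_remotehost3: no proxy line, reused community string).
SAMPLE_CONF = '''
com2sec -Cn ctx_remotehost1 notConfigUser default cmty_remotehost1
com2sec -Cn ctx_remotehost2 notConfigUser default cmty_remotehost2
com2sec -Cn ctx_remotehost3 notConfigUser default cmty_remotehost2
group   notConfigGroup v1  notConfigUser
group   notConfigGroup v2c notConfigUser
access  notConfigGroup ctx_remotehost any noauth prefix systemview none none
proxy -Cn ctx_remotehost1 -v 2c -c public remotehost1 .1.3
proxy -Cn ctx_remotehost2 -v 3 -u MD5DESUser -a MD5 -A "PasswordA" -x DES -X "PasswordX" -l authPriv remotehost2 .1.3
'''

def check_proxy_contexts(conf_text):
    """Cross-check com2sec/group/access/proxy lines; return a list of problems."""
    mappings, groups, access, proxied = [], {}, [], set()
    for line in conf_text.splitlines():
        tok = shlex.split(line, comments=True)   # drops '#' comments, keeps "" tokens
        if len(tok) >= 6 and tok[:2] == ["com2sec", "-Cn"]:
            mappings.append(tuple(tok[2:6]))     # (context, secname, source, community)
        elif len(tok) >= 4 and tok[0] == "group":
            groups.setdefault(tok[3], set()).add(tok[1])   # secname -> group names
        elif len(tok) >= 6 and tok[0] == "access":
            access.append((tok[1], tok[2], tok[5]))        # (group, context, exact|prefix)
        elif len(tok) >= 3 and tok[:2] == ["proxy", "-Cn"]:
            proxied.add(tok[2])
    problems, seen = [], {}
    for ctx, sec, _src, comm in mappings:
        if ctx not in proxied:
            problems.append(f"{ctx}: no proxy line, requests have nowhere to go")
        covered = any(
            grp in groups.get(sec, ()) and
            (ctx == pat or (match == "prefix" and ctx.startswith(pat)))
            for grp, pat, match in access)
        if not covered:
            problems.append(f"{ctx}: no access line grants {sec} this context")
        if comm in seen:   # the page requires one unique community per device
            problems.append(f"{ctx}: community {comm} already maps to {seen[comm]}")
        seen.setdefault(comm, ctx)
    return problems

if __name__ == "__main__":
    for problem in check_proxy_contexts(SAMPLE_CONF):
        print(problem)
```

Changing the access line's match type from prefix to exact makes every ctx_remotehostN context fail the coverage check, which is the situation the single prefix-matching access line is meant to avoid.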

Testing

Finally, to query via the proxy:

$ snmpget -v2c -c cmty_remotehost1 proxyhost sysContact.0