Forum Discussion

Cirrus

Jan 03, 2023

How to limit some snmp mib access

Hi, folks.

How can i limit some snmp (snmpv2) mib's from begin accessed by a monitoring system (for exampe PRTG).

I want the monitoring system to be able to monitor all items on F5-BIGIP-SYSTEM-MIB but not F5-BIGIP-LOCAL-MIB or F5-BIGIP-GLOBAL-MIB.

thanks

application delivery

JRahm

Jan 04, 2023

If you translate the globals in each of those mibs, you'll see where you can delineate in your oid string:

[root@ltm3:Active:Standalone] mibs # snmptranslate -On F5-BIGIP-SYSTEM-MIB::sysGlobals
.1.3.6.1.4.1.3375.2.1.1
[root@ltm3:Active:Standalone] mibs # snmptranslate -On F5-BIGIP-LOCAL-MIB::ltmGlobals
.1.3.6.1.4.1.3375.2.2.1
[root@ltm3:Active:Standalone] mibs # snmptranslate -On F5-BIGIP-GLOBAL-MIB::gtmGlobals
.1.3.6.1.4.1.3375.2.3.1

So if you want to define a community string that will only be allowed to read from the F5-BIGIP-SYSTEM-MIB, but not the others, you can set the string to allow everything from:

.1.3.6.1.4.1.3375.2.1

which after applied would look something like this:

sys snmp {
    agent-addresses { tcp6:161 udp6:161 }
    communities {
        if5devcentralrocks_1 {
            community-name f5devcentralrocks
            oid-subset .1.3.6.1.4.1.3375.2.1
            source 192.168.1.245
        }
    }
...
}

JRahm
Admin
Jan 04, 2023
If you translate the globals in each of those mibs, you'll see where you can delineate in your oid string:

[root@ltm3:Active:Standalone] mibs # snmptranslate -On F5-BIGIP-SYSTEM-MIB::sysGlobals .1.3.6.1.4.1.3375.2.1.1 [root@ltm3:Active:Standalone] mibs # snmptranslate -On F5-BIGIP-LOCAL-MIB::ltmGlobals .1.3.6.1.4.1.3375.2.2.1 [root@ltm3:Active:Standalone] mibs # snmptranslate -On F5-BIGIP-GLOBAL-MIB::gtmGlobals .1.3.6.1.4.1.3375.2.3.1

So if you want to define a community string that will only be allowed to read from the F5-BIGIP-SYSTEM-MIB, but not the others, you can set the string to allow everything from:

.1.3.6.1.4.1.3375.2.1

which after applied would look something like this:

sys snmp { agent-addresses { tcp6:161 udp6:161 } communities { if5devcentralrocks_1 { community-name f5devcentralrocks oid-subset .1.3.6.1.4.1.3375.2.1 source 192.168.1.245 } } ... }
- レザ
  Cirrus
  Jan 10, 2023
  Hi,
  
  Now the problem is that when I limit it to only one Oid, the device's general snmps such as uptime and interface statistics are no longer accessible.
  Is it possible to exclude only F5-BIGIP-LOCAL-MIB and not the others?
  - Paulius
    MVP
    Jan 10, 2023
    レザ Sadly the SNMP OID restriction is an include not an exclude when you end up getting down to specific sections. You would have to create a user for each OID node in question if it seperates by a similar value to one that you don't want that user to have access to.
Paulius
MVP
Jan 03, 2023
レザI believe this can be achieved by configuring the appropriate OID for the top most node in question for the SNMP v2 community. This articel outlines the configuration for OID for SNMP v1 and v2c and a section for v3 as well.
https://support.f5.com/csp/article/K52219241
- レザ
  Cirrus
  Jan 03, 2023
  Hi Paulius, unfortunately, this is not what I want. I think this is not possible in snmpv2