Restricting SNMP access to LTM (especially use of "sys snmp agent-addresses")
I am wondering about restricting SNMP access to an LTM. I want to understand how the following two commands should be used:
modify sys snmp agent-addresses
modify sys snmp allowed-addresses
The CLI help output provides the following for the two options:
agent-addresses A list of protocol/address combinations that the agent listens for traffic on.
allowed-addresses Configures hosts or networks from which snmpd can accept traffic. Entries go directly into hosts.allow.
Allowed-addresses is the example I see on many websites that give example setups, and it seems to tie in with the restrictions that you can set via the GUI. So setting this makes sense to me in that only SNMP traffic sourced from these addresses will be allowed.
Agent-addresses is less obvious to me. If you use this to specify IP addresses, then what is the behaviour of the SNMP daemon - will it only listen for (and therefore allow) connections from these specific source addresses? If so, what is the difference between this and the allowed-addresses command?
So I am looking for a fuller explanation of how these commands operate - on their own and also how they combine when both are deployed. Examples to illustrate sensible use combinations would be great.
- Chris_Grant
Employee
You can read about restricting SNMP access here:
https://support.f5.com/csp/article/K13535
agentaddress <- This is the address that the BIG-IP is listening for requests on. By default, it's all addresses. So as long as you had the proper port open, you could query for SNMPD data on management or on your self IPs. You could use this to limit access to only your management IP. Read more here: http://www.net-snmp.org/docs/man/snmpd.conf.html
So agentaddress specifies the address that's being listened on, while the other is remote addresses that are allowed to access. So you may be listening on your management address only (agentaddress), but you may only allow your SNMP system to actually query that address.
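The way the two settings combine, as described in the answer above, can be modelled as two independent checks. This is an added example, not F5 or net-snmp code: the function names, the result strings and the documentation-range addresses are constructed for illustration, and it assumes IPv4 listener addresses and that an address-less `udp6:161` / `tcp6:161` entry (the BIG-IP default) listens on all addresses.

```python
import ipaddress

def parse_agent_address(spec):
    """Split 'transport:port' or 'transport:ipv4:port' (IPv4 only in this sketch)."""
    parts = spec.split(":")
    # Assumption: udp6/tcp6 entries without an address also serve IPv4 clients.
    transport = parts[0].rstrip("6")
    if len(parts) == 2:
        return transport, None, int(parts[1])  # no address given: listen on all
    return transport, ipaddress.ip_address(parts[1]), int(parts[2])

def snmp_request_result(agent_addresses, allowed_addresses,
                        proto, dst_ip, dst_port, src_ip):
    """Model how agent-addresses and allowed-addresses jointly treat one request."""
    dst, src = ipaddress.ip_address(dst_ip), ipaddress.ip_address(src_ip)
    # Stage 1, agent-addresses: is snmpd bound to the address the packet was sent to?
    listening = any(
        t == proto and p == dst_port and (a is None or a == dst)
        for t, a, p in map(parse_agent_address, agent_addresses)
    )
    if not listening:
        return "no listener"
    # Stage 2, allowed-addresses: is the *source* a permitted host or network?
    # Entries may be a host, CIDR, or network/netmask form.
    if any(src in ipaddress.ip_network(e, strict=False) for e in allowed_addresses):
        return "accepted"
    return "rejected by allowed-addresses"

# Constructed sample addresses (documentation ranges).
MGMT_IP, SELF_IP = "192.0.2.10", "198.51.100.10"
POLLER, OTHER_HOST = "203.0.113.5", "198.51.100.77"

if __name__ == "__main__":
    default_listen = ["tcp6:161", "udp6:161"]   # listens on every local address
    mgmt_only = ["udp:192.0.2.10:161"]          # listens on the management IP only
    allowed = ["203.0.113.0/255.255.255.0"]     # only the monitoring subnet
    for listen in (default_listen, mgmt_only):
        for dst in (MGMT_IP, SELF_IP):
            for src in (POLLER, OTHER_HOST):
                print(listen, dst, src, "->",
                      snmp_request_result(listen, allowed, "udp", dst, 161, src))
```

With both settings tightened, a request is served only when it arrives on the management address and comes from the monitoring subnet; either check failing on its own is enough to drop it.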