rc/network
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

access: limit OIDs exposed over SNMP

Browse source 
Define a custom SNMP group with read access only to fields we need.

For D-Link switches, modifying the group must be handled the same as
user, i.e. the group (and user) must be removed and readded.

Untested for FS S5800.
This commit is contained in:
Timotej Lazar 2025-10-22 13:43:07 +02:00
parent 2c93cab682
commit 7a2223ea71
5 changed files with 61 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

6
roles/access/templates/config-d-link.j2
View file

@ -112,7 +112,11 @@ snmp-server name {{ inventory_hostname }}
snmp-server location {{ rack }}
{# SNMP engine ID must be exactly 24 hex digits #}
snmp-server engineID local {{ snmp_engine_id }}
snmp-server group public v3 priv read CommunityView
{# limit MIBs exposed over SNMP #}
snmp-server view public 1.3.6.1.2.1.1 included {# system +#}
snmp-server view public 1.3.6.1.2.1.2 included {# interfaces +#}
snmp-server view public 1.3.6.1.2.1.17.7 included {# qBridgeMIB +#}
snmp-server view public 1.3.6.1.2.1.31 included {# ifMIB +#}
sntp enable
{% for address in ntp %}

6
roles/access/templates/config-fs-s5800-48t4s.j2
View file

@ -17,7 +17,11 @@ vlan database
snmp-server enable
snmp-server system-location {{ rack }}
snmp-server engineID {{ snmp_engine_id }}
snmp-server access public security-model usm priv read _all_
snmp-server view public included 1.3.6.1.2.1.1 {# system +#}
snmp-server view public included 1.3.6.1.2.1.2 {# interfaces +#}
snmp-server view public included 1.3.6.1.2.1.17.7 {# qBridgeMIB +#}
snmp-server view public included 1.3.6.1.2.1.31 {# ifMIB +#}
snmp-server access public security-model usm priv read public
{# sort to ensure LAG interfaces are added last #}
{% for iface in interfaces | sort(attribute="type.value") | sort(attribute="mgmt_only") %}

7
roles/access/templates/config-fs-s5860-48xmg-u.j2
View file

@ -58,4 +58,9 @@ interface {{ iface.name }}
enable service snmp-agent
snmp-server location {{ rack }}
snmp-server group public v3 priv read default
{# limit MIBs exposed over SNMP #}
snmp-server view public 1.3.6.1.2.1.1 include {# system +#}
snmp-server view public 1.3.6.1.2.1.2 include {# interfaces +#}
snmp-server view public 1.3.6.1.2.1.17.7 include {# qBridgeMIB +#}
snmp-server view public 1.3.6.1.2.1.31 include {# ifMIB +#}
snmp-server group public v3 priv read public