Forum Discussion

_KT_
May 11, 2018

Restricting SNMP access to LTM (especially use of "sys snmp agent-addresses")

I am wondering about restricting SNMP access to an LTM. I want to understand how the following two commands should be used:

modify sys snmp agent-addresses
modify sys snmp allowed-addresses

The CLI help output provides the following for the two options:

agent-addresses    A list of protocol/address combinations that the agent listens for traffic on.
allowed-addresses  Configures hosts or networks from which snmpd can accept traffic. Entries go directly into hosts.allow.

Allowed-addresses is the example I see on many websites that give example setups, and it seems to tie in with the restrictions you can set via the GUI. So setting this makes sense to me, in that only SNMP traffic sourced from these addresses will be allowed.

Agent-addresses is less obvious to me. If you use this to specify IP addresses, then what is the behaviour of the SNMP daemon? Will it only listen for (and therefore allow) connections from these specific source addresses? If so, what is the difference between this and the allowed-addresses command?

So I am looking for a fuller explanation of how these commands operate - on their own and also how they combine when both are deployed. Examples to illustrate sensible use combinations would be great.

1 Reply

You can read about restricting SNMP access here:

https://support.f5.com/csp/article/K13535

agentaddress <- This is the address that the BigIP is listening for requests on. By default, it's all addresses. So as long as you had the proper port open, you could query for SNMPD data on management or on your self IPs. You could use this to limit access to only your management IP. Read more here: http://www.net-snmp.org/docs/man/snmpd.conf.html

So agentaddress specifies the address that's being listened on, while the other is remote addresses that are allowed to access. So you may be listening on your management address only (agentaddress), but you may only allow your SNMP system to actually query that address.
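An added tmsh example (not part of the thread, and not F5's own documentation) combining the two settings the way the reply describes: the BIG-IP listens for SNMP only on its management address, and only the monitoring host may query it. The addresses 192.0.2.10 (management IP) and 198.51.100.5 (SNMP manager) are constructed placeholders, and the agent-addresses entries are assumed to follow the net-snmp agentaddress syntax linked above.

```tmsh
# Show the current settings first. On a default install this is assumed to
# report the agent listening on all addresses (tcp6:161 udp6:161) and only
# loopback in allowed-addresses; check your own output before changing it.
list sys snmp agent-addresses
list sys snmp allowed-addresses

# 1. Where snmpd listens: the management IP only (constructed 192.0.2.10).
#    Format is net-snmp's <proto>:<ip>:<port>; a self IP will no longer answer.
modify sys snmp agent-addresses replace-all-with { udp:192.0.2.10:161 }

# 2. Who may query: loopback plus the monitoring host (constructed
#    198.51.100.5). These entries are written into hosts.allow.
modify sys snmp allowed-addresses replace-all-with { 127.0.0.0/8 198.51.100.5/32 }

# 3. Persist the running configuration.
save sys config
```

The two settings stack: a query to a self IP gets no answer because nothing listens there, and a query to the management IP from a source not in allowed-addresses is refused by hosts.allow.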