>>It does not, as that would be contrary to the intent of the snmpTargetAddrTable.
I think that this is not true. The snmpTargetAddrTable defines a tagList that can be used to limit the outgoing notifications and also can be used to limit the incoming requests. I attached the v3 specifications for this below - please let me know if this aspect of v3 is supported via net-snmp.

The basic idea is that you can set up a list of target addresses in the snmpTargetAddress table that can be used to define a list of IP addresses that you will accept SNMPv2 access requests from. This is much different from globally denying access based on an IP address, which would result in also denying v3 access from the same IP address. This is meant to allow for v2 coexistence in a v3 environment.

V3 specifications where this is defined:

snmpCommunityTransportTag OBJECT-TYPE
    DESCRIPTION
        "This object specifies a set of transport endpoints
         which are used in two ways:
           - to specify the transport endpoints from which an
             SNMP entity will accept management requests, and
           - to specify the transport endpoints to which a
             notification may be sent using the community
             string matching the corresponding instance of
             snmpCommunityName.
         In either case, if the value of this object has
         zero-length, transport endpoints are not checked when
         either authenticating messages containing this community
         string, nor when generating notifications.
         The transports identified by this object are specified
         in the snmpTargetAddrTable. Entries in that table
         whose snmpTargetAddrTagList contains this tag value
         are identified.
         If a management request containing a community string
         that matches the corresponding instance of
         snmpCommunityName is received on a transport endpoint
         other than the transport endpoints identified by this
         object the request is deemed unauthentic.
         When a notification is to be sent using an entry in
         this table, if the destination transport endpoint of
         the notification does not match one of the transport
         endpoints selected by this object, the notification is
         not sent."
    DEFVAL { ''H } -- the empty string
    ::= { snmpCommunityEntry 6 }

Joan Landry

-----Original Message-----
From: Mike Ayers [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 10, 2008 12:57 PM
To: Joan Landry; net-snmp-users@lists.sourceforge.net
Subject: RE: SnmpTargetAddress

> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Joan Landry
> Sent: Tuesday, April 08, 2008 1:48 PM

> Does net-snmp support the ability to add entries to the
> snmpTargetAddress for means of limiting v2 access to a v3 box.
> If so how would this be configured via snmpd.conf?

It does not, as that would be contrary to the intent of the snmpTargetAddrTable. It's for target configuration, not source configuration. There is no standard way to restrict by source address - please consider v3/USM/VACM for this. The net-snmp specific com2sec directive of snmpd.conf can be used to restrict access of a v2c user by IP address.

HTH,

Mike
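
The source check described in the quoted snmpCommunityTransportTag DESCRIPTION, as an added example that is not part of either message and is not net-snmp code: a simplified Python model of how a community's transport tag selects snmpTargetAddrTable rows and decides whether an incoming request is accepted. Assumptions: endpoints are compared as bare IP strings (port and any address mask ignored), and the addresses, community names and tag values are constructed.

```python
from dataclasses import dataclass

@dataclass
class TargetAddr:
    """One snmpTargetAddrTable row, reduced to the fields this check uses."""
    address: str   # assumption: bare source IP; port and any mask are ignored
    tag_list: str  # snmpTargetAddrTagList: whitespace-delimited tag values

@dataclass
class Community:
    """One snmpCommunityTable row, reduced to the fields this check uses."""
    name: str                # snmpCommunityName
    transport_tag: str = ""  # snmpCommunityTransportTag (DEFVAL: empty string)

def endpoints_for_tag(tag, targets):
    """Addresses of rows whose tag list contains `tag` as a whole tag value."""
    return {t.address for t in targets if tag in t.tag_list.split()}

def request_is_authentic(community, source_ip, communities, targets):
    """Apply the DESCRIPTION's rule to an incoming community-based request."""
    for row in communities:
        if row.name != community:
            continue
        if row.transport_tag == "":
            return True  # zero-length tag: transport endpoints are not checked
        if source_ip in endpoints_for_tag(row.transport_tag, targets):
            return True
    return False  # unknown community, or source not selected by the tag

# Constructed sample tables (documentation address ranges, hypothetical tags).
TARGETS = [
    TargetAddr("192.0.2.10", "v2c-mgmt traps"),
    TargetAddr("192.0.2.11", "traps"),
]
COMMUNITIES = [
    Community("monitor", "v2c-mgmt"),  # restricted to tagged endpoints
    Community("legacy"),               # empty tag: accepted from anywhere
]

if __name__ == "__main__":
    for comm, src in [("monitor", "192.0.2.10"), ("monitor", "192.0.2.11"),
                      ("legacy", "198.51.100.7")]:
        verdict = request_is_authentic(comm, src, COMMUNITIES, TARGETS)
        print(f"{comm:8} from {src:13} -> {'accept' if verdict else 'unauthentic'}")
```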