How to filter source address with community when using SNMPv2

terryz · October 28, 2020, 1:57pm

Hi Frank,
I want to filter the source address with community when SNMPv2 request coming in.
I thought that I could configure snmpCommunityTransportTag, snmpTargetAddrTAddress, and snmpTargetAddrTagList to achieve the purpose
Here is my configuration:

vcapuser@localhost ncs-packages]$ snmpwalk -v 2c -c test localhost 1.3.6.1.6.3.18|grep “.‘test’”
SNMP-COMMUNITY-MIB::snmpCommunityName.‘test’ = STRING: “test”
SNMP-COMMUNITY-MIB::snmpCommunitySecurityName.‘test’ = STRING: public
SNMP-COMMUNITY-MIB::snmpCommunityContextEngineID.‘test’ = STRING: “32473”
SNMP-COMMUNITY-MIB::snmpCommunityContextName.‘test’ = STRING:
SNMP-COMMUNITY-MIB::snmpCommunityTransportTag.‘test’ = STRING: test
SNMP-COMMUNITY-MIB::snmpCommunityStorageType.‘test’ = INTEGER: permanent(4)
SNMP-COMMUNITY-MIB::snmpCommunityStatus.‘test’ = INTEGER: active(1)
SNMP-COMMUNITY-MIB::snmpTargetAddrTMask.‘test’ = “”
SNMP-COMMUNITY-MIB::snmpTargetAddrMMS.‘test’ = INTEGER: 484

[vcapuser@localhost ncs-packages]$ snmpwalk -v 2c -c test localhost 1.3.6.1.6.3.12|grep “.‘test’”
SNMP-TARGET-MIB::snmpTargetAddrTDomain.‘test’ = OID: SNMPv2-SMI::mib-2.100.1.1
SNMP-TARGET-MIB::snmpTargetAddrTAddress.‘test’ = Hex-STRING: C0 A8 64 11 D8 ED
SNMP-TARGET-MIB::snmpTargetAddrTimeout.‘test’ = INTEGER: 250
SNMP-TARGET-MIB::snmpTargetAddrRetryCount.‘test’ = INTEGER: 1
SNMP-TARGET-MIB::snmpTargetAddrTagList.‘test’ = STRING: test
SNMP-TARGET-MIB::snmpTargetAddrParams.‘test’ = STRING: SNMPv2c
SNMP-TARGET-MIB::snmpTargetAddrStorageType.‘test’ = INTEGER: permanent(4)
SNMP-TARGET-MIB::snmpTargetAddrRowStatus.‘test’ = INTEGER: active(1)

I think with this configuration, we accept snmp request with community “test” only when it comes from 192.168.100.1:55533 (snmpTargetAddrTAddress C0 A8 64 11 D8 ED)
After test, it seems not working.

Then I called SnmpCommunityMIB.setSourceAddressFiltering(true), the configuration above seems working now, request with community “test” is being filtered.

Could you please help to confirm if my configuration and the usage of API setSourceAddressFiltering is right? is setSourceAddressFiltering designed to achieve this kind of purpose?

And one more question, if I don’t want to specify the port, only filter on IP adress, then I need to set snmpTargetAddrTMask as “255.255.255.255:0”. is this right?

Looking forward to your advice.
Thanks.

BR,
Terry

AGENTPP · November 2, 2020, 11:41pm

The source address filtering (if enabled) is doing source address (and port) filtering based on SNMP-COMMUNITY- and SNMP-TARGET-MIB. That is correct.

However, the SnmpTargetAddTMask needs to be specified for a TDomain like

TransportAddressIPv4 ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "1d.1d.1d.1d:2d"
    STATUS  current
    DESCRIPTION
            "Represents a transport address consisting of an IPv4
            address and a port number (as used for example by UDP,
            TCP and SCTP):

             octets       contents         encoding
              1-4         IPv4 address     network-byte order
              5-6         port number      network-byte order

            This textual convention SHOULD NOT be used directly in object
            definitions since it restricts addresses to a specific format.
            However, if it is used, it MAY be used either on its own or
            in conjunction with TransportAddressType or TransportDomain
            as a pair."
    SYNTAX OCTET STRING (SIZE (6))

as

OctetString.fromHexString("FF:FF:FF:FF:00:00")

to match the IPv4 address only, but not the TCP port.

terryz · November 3, 2020, 9:37am

Thanks for your answer, Frank.