(Recycling this from "SNMP v3 network source restriction?" question on StackOverflow that so far got no answers.)
How does one restrict a set of SNMPv3 credentials to only work from a specific IP (range)? I.e. what is the minimum valid "snmpd.conf" file (on a CentOS 7.x host) where external SNMPv3 requests are restricted to a specific IP range?
My '/etc/snmp/snmpd.conf':
com2sec mynetwork 192.168.0.0/24 read_only_community_string
group MyROGroup usm mynetwork
view all included .1
access MyROGroup "" any noauth exact all none none
The "mynetwork" SNMP v3 user was created via the 'net-snmp-create-v3-user' command and it works (polling data via a Solarwinds server). However, when I update the snmpd.conf file with a bogus IP (e.g. 1.1.1.1), it still works. When I do a similar configuration with SNMP v2 and community strings, the restrictions work as expected.
Help! 🙂
P.S. If this makes it easier: what is the simplest possible SNMP v3 configuration restricting access to a specific IP range?
P.P.S. To reiterate what I did:
P.P.P.S. This is not a firewall question, please do not answer it as such. 🙂 The question is about tightening SNMP v3 configuration without involving a firewall. More on this:
Thanks!
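An added example, not part of the original post: a small Python audit of the snmpd.conf shown in the question. It relies on the documented net-snmp behaviour that `com2sec` maps a v1/v2c community string (plus source) to a security name, while a `usm` group entry names the USM user directly. The function names and the one-directive-per-line sample are constructed for illustration.

```python
import shlex

# Constructed sample: the four directives from the question, one per line.
SAMPLE_CONF = '''\
com2sec mynetwork 192.168.0.0/24 read_only_community_string
group MyROGroup usm mynetwork
view all included .1
access MyROGroup "" any noauth exact all none none
'''

COMMUNITY_MODELS = {"v1", "v2c"}  # models whose security names come from com2sec

def audit_source_restrictions(conf_text):
    """Return (group, model, secname, sources-or-None) for every 'group' line."""
    com2sec = {}   # secname -> list of restricting SOURCE values
    groups = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)
        if tok[0] == "com2sec":
            args = tok[1:]
            if args and args[0] == "-Cn":      # optional form: -Cn CONTEXT
                args = args[2:]
            # SOURCE "default" means any address, so it is not a restriction.
            if len(args) >= 3 and args[1] != "default":
                com2sec.setdefault(args[0], []).append(args[1])
        elif tok[0] == "group" and len(tok) >= 4:
            groups.append((tok[1], tok[2], tok[3]))
    findings = []
    for name, model, secname in groups:
        # A com2sec SOURCE is consulted only while mapping a v1/v2c community;
        # a usm security name is the USM user name and never passes through it.
        sources = com2sec.get(secname) if model in COMMUNITY_MODELS else None
        findings.append((name, model, secname, sources))
    return findings

def unrestricted_groups(conf_text):
    """Groups whose members are not limited by any com2sec source range."""
    return [f for f in audit_source_restrictions(conf_text) if f[3] is None]

if __name__ == "__main__":
    for name, model, secname, sources in audit_source_restrictions(SAMPLE_CONF):
        status = f"source-limited to {sources}" if sources else "NO source restriction"
        print(f"group {name} ({model}/{secname}): {status}")
```

Run against the configuration in the question, the audit reports MyROGroup as having no source restriction, which matches the observation that changing the `com2sec` address has no effect on SNMPv3 polling.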