SNMP monitoring in VyOS

SNMP provides monitoring and management of network equipment. VyOS supports SNMP v1, v2c and v3, which lets you integrate the router with monitoring systems (Nagios, Zabbix, PRTG, LibreNMS) and collect metrics on performance, interface status and other parameters.

Overview

What SNMP is

Simple Network Management Protocol:
- A protocol for monitoring network devices
- Collection of metrics (CPU, memory, bandwidth, interfaces)
- Alerts via SNMP traps
- Standardized MIBs (Management Information Base)

SNMP versions

SNMPv1:
- The basic version
- Community strings for authentication
- Not encrypted
- Obsolete, but widely supported

SNMPv2c:
- Improved performance
- Community strings
- Bulk operations
- Not encrypted
- The most widely used version

SNMPv3:
- Authentication and encryption
- User-based security
- Recommended for production
- More complex configuration

SNMP components

Agent:
- Runs on VyOS
- Answers SNMP requests
- Sends traps

Manager (NMS, Network Management System):
- The monitoring system (Zabbix, Nagios, etc.)
- Issues SNMP queries
- Receives traps

MIB (Management Information Base):
- A database of objects
- OID (Object Identifier): the unique ID of each object
- Standard MIBs (IF-MIB, HOST-RESOURCES-MIB, etc.)

SNMP operations
- GET: read the value of an OID
- GETNEXT: read the next OID
- GETBULK: read multiple OIDs at once (SNMPv2c/v3)
- SET: write a value (dangerous, usually disabled)
- TRAP: asynchronous notification from the agent
Basic configuration

SNMPv2c (simple configuration)

# Community string (read-only)
set service snmp community public authorization ro
# Allow access from the monitoring network
set service snmp community public network 192.168.1.0/24
# Location and contact
set service snmp location 'Data Center - Rack A12'
set service snmp contact 'admin@company.com'
# Listen address
set service snmp listen-address 0.0.0.0 port 161
commit
save

Checking SNMP

# On VyOS, check the service
show service snmp
# From the monitoring server
snmpwalk -v2c -c public 192.168.1.1
# A specific OID (system description)
snmpget -v2c -c public 192.168.1.1 1.3.6.1.2.1.1.1.0

SNMPv3 (secure)

# User with authentication and encryption
set service snmp v3 user monitor auth type md5
set service snmp v3 user monitor auth plaintext-password 'AuthPassword123!'
set service snmp v3 user monitor privacy type aes
set service snmp v3 user monitor privacy plaintext-password 'PrivPassword456!'
# Access mode (read-only)
set service snmp v3 user monitor mode ro
# View (restricts which part of the MIB is visible)
set service snmp v3 view default oid 1.3.6.1
# Group
set service snmp v3 group monitoring mode ro
set service snmp v3 group monitoring view default
# Put the user in the group
set service snmp v3 user monitor group monitoring
# Listen
set service snmp listen-address 0.0.0.0 port 161
commit
save

SNMPv3 test:

snmpwalk -v3 -l authPriv -u monitor \
-a MD5 -A 'AuthPassword123!' \
-x AES -X 'PrivPassword456!' \
192.168.1.1

Communities (SNMPv1/v2c)

Read-only community

# Public community (do not use in production!)
set service snmp community public authorization ro
set service snmp community public network 192.168.1.0/24
# Private community name (better)
set service snmp community SecretMonitoring authorization ro
set service snmp community SecretMonitoring network 192.168.1.100/32
commit

Read-write community

# Read-write (dangerous!)
set service snmp community admin authorization rw
set service snmp community admin network 192.168.1.100/32
commit

Warning: RW access allows the configuration to be changed via SNMP SET. Use it with care.

Multiple communities

# Monitoring system
set service snmp community zabbix authorization ro
set service snmp community zabbix network 192.168.1.100/32
# Backup monitoring
set service snmp community nagios authorization ro
set service snmp community nagios network 192.168.1.101/32
# Management network
set service snmp community private authorization ro
set service snmp community private network 10.0.0.0/8
commit

SNMPv3 configuration

Users and authentication

# User 1: MD5 auth, AES encryption
set service snmp v3 user monitor1 auth type md5
set service snmp v3 user monitor1 auth plaintext-password 'StrongAuth1!'
set service snmp v3 user monitor1 privacy type aes
set service snmp v3 user monitor1 privacy plaintext-password 'StrongPriv1!'
set service snmp v3 user monitor1 mode ro
# User 2: SHA auth, DES encryption
set service snmp v3 user monitor2 auth type sha
set service snmp v3 user monitor2 auth plaintext-password 'StrongAuth2!'
set service snmp v3 user monitor2 privacy type des
set service snmp v3 user monitor2 privacy plaintext-password 'StrongPriv2!'
set service snmp v3 user monitor2 mode ro
commit

Views (restricting MIB access)

# Default view (the whole MIB tree)
set service snmp v3 view default oid 1.3.6.1
# Limited view (interfaces only)
set service snmp v3 view interfaces-only oid 1.3.6.1.2.1.2
# System view
set service snmp v3 view system-only oid 1.3.6.1.2.1.1
commit

Groups

# Monitoring group
set service snmp v3 group monitoring mode ro
set service snmp v3 group monitoring view default
# Admin group (read-write)
set service snmp v3 group admin mode rw
set service snmp v3 group admin view default
# Assign users to groups (admin1 must be created with auth/privacy settings like the users above)
set service snmp v3 user monitor1 group monitoring
set service snmp v3 user admin1 group admin
commit

Security levels

noAuthNoPriv: no authentication, no encryption:
set service snmp v3 user public mode ro
# Do not use in production

authNoPriv: authentication, no encryption:
set service snmp v3 user monitor auth type md5
set service snmp v3 user monitor auth plaintext-password 'AuthPass!'
set service snmp v3 user monitor mode ro
# Privacy is not configured

authPriv: authentication and encryption (recommended):
set service snmp v3 user secure auth type sha
set service snmp v3 user secure auth plaintext-password 'AuthPass!'
set service snmp v3 user secure privacy type aes
set service snmp v3 user secure privacy plaintext-password 'PrivPass!'
set service snmp v3 user secure mode ro

SNMP traps
Trap configuration

# Trap target (monitoring server)
set service snmp trap-target 192.168.1.100 community 'trapCommunity'
set service snmp trap-target 192.168.1.100 port 162
# SNMPv3 trap
set service snmp v3 trap-target 192.168.1.100 user trapuser
set service snmp v3 trap-target 192.168.1.100 auth type md5
set service snmp v3 trap-target 192.168.1.100 auth plaintext-password 'TrapAuth!'
set service snmp v3 trap-target 192.168.1.100 privacy type aes
set service snmp v3 trap-target 192.168.1.100 privacy plaintext-password 'TrapPriv!'
commit

Trap triggers

VyOS automatically sends traps for:
- Link up/down events
- Cold start (router reboot)
- Authentication failures

Listen configuration

Listen addresses

# Listen on all interfaces
set service snmp listen-address 0.0.0.0 port 161
# Or on specific interfaces
set service snmp listen-address 192.168.1.1 port 161
set service snmp listen-address 10.0.0.1 port 161
# IPv6
set service snmp listen-address ::0 port 161
commit

Custom port

# Non-standard port (security through obscurity)
set service snmp listen-address 0.0.0.0 port 10161
commit

Note: most NMS expect port 161.

Common OIDs

System information

# System description (sysDescr)
1.3.6.1.2.1.1.1.0
# System uptime (sysUpTime)
1.3.6.1.2.1.1.3.0
# System contact (sysContact)
1.3.6.1.2.1.1.4.0
# System name / hostname (sysName)
1.3.6.1.2.1.1.5.0
# System location (sysLocation)
1.3.6.1.2.1.1.6.0

Interfaces

# Interface table (ifTable)
1.3.6.1.2.1.2.2
# Interface names (ifName)
1.3.6.1.2.1.31.1.1.1.1
# Interface status, up/down (ifOperStatus)
1.3.6.1.2.1.2.2.1.8
# Interface speed (ifSpeed)
1.3.6.1.2.1.2.2.1.5
# Interface in octets, RX (ifInOctets, 32-bit counter)
1.3.6.1.2.1.2.2.1.10
# Interface out octets, TX (ifOutOctets, 32-bit counter)
1.3.6.1.2.1.2.2.1.16

CPU and memory

# CPU load per processor (HOST-RESOURCES-MIB hrProcessorLoad)
1.3.6.1.2.1.25.3.3.1.2
# Memory total (hrMemorySize)
1.3.6.1.2.1.25.2.2.0
# Memory available (UCD-SNMP-MIB memAvailReal; used = total - available)
1.3.6.1.4.1.2021.4.6.0

Storage

# Disk used, kB (UCD-SNMP-MIB dskUsed)
1.3.6.1.4.1.2021.9.1.8
# Disk usage percentage (dskPercent)
1.3.6.1.4.1.2021.9.1.9

Integration with monitoring systems
Zabbix

SNMP template for VyOS:
- Zabbix → Configuration → Hosts → Create host
- Host name: vyos-router
- Groups: Network devices
- Interfaces: SNMP
  - IP: 192.168.1.1
  - Port: 161
  - SNMP version: SNMPv2
  - SNMP community: {$SNMP_COMMUNITY}
- Templates: link Template Net Network Generic Device SNMP and Template Module Interfaces SNMP

Macros:
{$SNMP_COMMUNITY} = SecretMonitoring
{$IF_ERRORS_WARN} = 2
{$BANDWIDTH_WARN} = 80

Custom items:
Name: CPU Usage
Type: SNMP agent
Key: system.cpu.util
SNMP OID: 1.3.6.1.4.1.2021.11.9.0 (UCD-SNMP-MIB ssCpuUser)
Type of information: Numeric (float)
Units: %

Nagios

SNMP checks:

# Install the plugin
apt-get install nagios-plugins-snmp
# Check interface status
/usr/lib/nagios/plugins/check_snmp -H 192.168.1.1 \
-C public \
-o 1.3.6.1.2.1.2.2.1.8.2 \
-r 1 -m RFC1213-MIB
# Check CPU
/usr/lib/nagios/plugins/check_snmp -H 192.168.1.1 \
-C public \
-o 1.3.6.1.4.1.2021.11.9.0 \
-w 80 -c 90
# Check bandwidth (as written this compares the raw ifInOctets counter; add --rate for a per-second value)
/usr/lib/nagios/plugins/check_snmp -H 192.168.1.1 \
-C public \
-o 1.3.6.1.2.1.2.2.1.10.2 \
-w 100000000 -c 150000000

Nagios config (/etc/nagios/objects/vyos.cfg):

define host{
    use generic-switch
    host_name vyos-router
    alias VyOS Router
    address 192.168.1.1
    _snmp_community public
}
define service{
    use generic-service
    host_name vyos-router
    service_description SNMP - CPU Usage
    ; check_snmp_cpu is a custom command that must be defined in commands.cfg
    check_command check_snmp_cpu!80!90
}

LibreNMS

Add a device:
- Devices → Add Device
- Hostname: 192.168.1.1
- SNMP Version: v2c
- Community: SecretMonitoring
- Port: 161
- Add Device

LibreNMS automatically discovers:
- Interfaces
- VLANs
- Routing protocols
- System metrics

SNMPv3 in LibreNMS:
SNMP Version: v3
Auth Level: authPriv
Auth User: monitor
Auth Password: AuthPassword123!
Crypto: AES
Crypto Password: PrivPassword456!

PRTG

SNMP Traffic sensor:
- Add Sensor → SNMP Traffic Sensor
- Device: VyOS Router
- SNMP Version: v2c
- Community String: public
- Interface: eth0
- Traffic Mode: Use interface counters
- Add Sensor

Custom SNMP sensor:
- Add Sensor → SNMP Custom
- OID: 1.3.6.1.4.1.2021.11.9.0 (CPU)
- Sensor name: CPU Usage
- Unit: Percent

Prometheus + SNMP Exporter
snmp.yml:

auths:
  public_v2:
    community: public
    security_level: noAuthNoPriv
    version: 2
modules:
  vyos:
    walk:
      - 1.3.6.1.2.1.1      # System
      - 1.3.6.1.2.1.2      # Interfaces
      - 1.3.6.1.4.1.2021   # UCD-SNMP-MIB
    metrics:
      - name: sysUpTime
        oid: 1.3.6.1.2.1.1.3
        type: gauge
      - name: ifInOctets
        oid: 1.3.6.1.2.1.2.2.1.10
        type: counter

Prometheus config:

scrape_configs:
  - job_name: 'snmp'
    static_configs:
      - targets:
          - 192.168.1.1
    metrics_path: /snmp
    params:
      module: [vyos]
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: localhost:9116

Monitoring and diagnostics
Checking the SNMP service

# Service status
show service snmp
# SNMP daemon status
systemctl status snmpd
# Listening ports
netstat -ulnp | grep 161

SNMP tools on VyOS

# snmpwalk (fetch all OIDs)
snmpwalk -v2c -c public localhost
# snmpget (a specific OID)
snmpget -v2c -c public localhost 1.3.6.1.2.1.1.5.0
# snmpbulkwalk (faster for large MIBs)
snmpbulkwalk -v2c -c public localhost

Debugging

# SNMP logs
show log | grep snmp
# Detailed snmpd log
cat /var/log/snmpd.log
# Test from a remote host (-d dumps the packets sent and received)
snmpwalk -v2c -c public -d 192.168.1.1

Performance monitoring

# SNMP request rate
watch -n 1 'netstat -s | grep -i snmp'
# Bandwidth via SNMP (ifInOctets of ifIndex 2)
snmpget -v2c -c public 192.168.1.1 1.3.6.1.2.1.2.2.1.10.2
# Repeat the query and calculate the delta between the two counter values

Troubleshooting
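Before the individual troubleshooting cases, here is an added worked example for the "repeat the query and calculate the delta" step of the performance-monitoring section above. It is not code from the original page or from VyOS: it shows why the delta must allow for counter wraparound (ifInOctets/ifOutOctets are 32-bit and wrap at 2^32; the 64-bit ifHCInOctets/ifHCOutOctets at 1.3.6.1.2.1.31.1.1.1.6 and .10 avoid this), converts the delta to bit/s, relates it to ifSpeed and applies the same warn/crit decision as the Nagios checks and the Zabbix {$BANDWIDTH_WARN} macro. The two samples, the 10 s poll interval and the 100 Mbit/s ifSpeed are constructed values.

```python
"""Bandwidth from two ifInOctets / ifOutOctets samples (added example, not VyOS code).

The performance-monitoring section says to repeat the snmpget on
1.3.6.1.2.1.2.2.1.10.<ifIndex> and calculate the delta. ifInOctets and
ifOutOctets are 32-bit counters that wrap at 2^32, so a naive
'current - previous' goes negative after a wrap; ifHCInOctets /
ifHCOutOctets (1.3.6.1.2.1.31.1.1.1.6 / .10) are 64-bit. The helpers below
tolerate one wrap for either width and apply a Nagios-style warn/crit
threshold on utilization against ifSpeed. All samples are constructed.
"""
from dataclasses import dataclass

COUNTER_MODULUS = {32: 2**32, 64: 2**64}


def counter_delta(previous: int, current: int, bits: int = 32) -> int:
    """Difference between two SNMP counter samples, tolerating one wraparound."""
    modulus = COUNTER_MODULUS[bits]
    if current >= previous:
        return current - previous
    # The counter wrapped between the two polls (or the agent restarted;
    # comparing sysUpTime between polls distinguishes the two cases).
    return (modulus - previous) + current


def bits_per_second(prev_octets: int, cur_octets: int, interval_s: float,
                    bits: int = 32) -> float:
    """Rate in bit/s from two octet-counter samples taken interval_s apart."""
    if interval_s <= 0:
        raise ValueError("poll interval must be positive")
    return counter_delta(prev_octets, cur_octets, bits) * 8 / interval_s


def utilization_percent(bps: float, if_speed_bps: int) -> float:
    """Link utilization relative to ifSpeed (1.3.6.1.2.1.2.2.1.5)."""
    if if_speed_bps <= 0:
        raise ValueError("ifSpeed must be positive")
    return 100.0 * bps / if_speed_bps


def nagios_state(value: float, warn: float, crit: float) -> str:
    """Same decision as check_snmp -w/-c for a simple upper threshold."""
    if value >= crit:
        return "CRITICAL"
    if value >= warn:
        return "WARNING"
    return "OK"


def seconds_until_wrap(if_speed_bps: int, bits: int = 32) -> float:
    """Time a saturated link needs to wrap the counter; poll more often than this."""
    return COUNTER_MODULUS[bits] * 8 / if_speed_bps


@dataclass
class Sample:
    """One poll: timestamp in seconds plus the two octet counters."""
    timestamp: float
    in_octets: int
    out_octets: int


def interface_report(prev: Sample, cur: Sample, if_speed_bps: int,
                     warn: float = 80, crit: float = 90, bits: int = 32) -> dict:
    """Rates, utilization and Nagios state for one interface between two polls."""
    interval = cur.timestamp - prev.timestamp
    rx = bits_per_second(prev.in_octets, cur.in_octets, interval, bits)
    tx = bits_per_second(prev.out_octets, cur.out_octets, interval, bits)
    util = max(utilization_percent(rx, if_speed_bps),
               utilization_percent(tx, if_speed_bps))
    return {"rx_bps": rx, "tx_bps": tx,
            "utilization_pct": round(util, 2),
            "state": nagios_state(util, warn, crit)}


# Constructed samples 10 s apart on a 100 Mbit/s link. ifInOctets wrapped:
# (2^32 - 4294960000) + 2704 = 10000 octets = 8000 bit/s; ifOutOctets grew
# by 75,000,000 octets = 60 Mbit/s, i.e. 60 % utilization.
PREV = Sample(timestamp=100.0, in_octets=4294960000, out_octets=1_000_000)
CUR = Sample(timestamp=110.0, in_octets=2704, out_octets=76_000_000)
IF_SPEED = 100_000_000

if __name__ == "__main__":
    print(interface_report(PREV, CUR, IF_SPEED))
    print(f"32-bit counter wraps every {seconds_until_wrap(1_000_000_000):.1f} s at 1 Gbit/s")
```

The wrap interval is the practical reason to prefer the 64-bit counters: at 1 Gbit/s a Counter32 wraps in about 34 s, so a 60 s poll can miss a full wrap and the delta silently under-reports; the ifSpeed-based utilization is also what the {$BANDWIDTH_WARN} = 80 macro in the Zabbix section thresholds on.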
SNMP does not respond

Problem: SNMP queries time out.

Causes:
- The SNMP service is not running
- The firewall blocks UDP 161
- Wrong community string
- Wrong listen address

Diagnosis:
# Check the service
show service snmp
# Check whether it is listening
netstat -ulnp | grep 161
# Firewall
show firewall ipv4 input filter
# Test locally
snmpget -v2c -c public localhost 1.3.6.1.2.1.1.5.0

Solution:
# Enable SNMP
set service snmp community public authorization ro
set service snmp listen-address 0.0.0.0 port 161
# Firewall
set firewall ipv4 input filter rule 50 action accept
set firewall ipv4 input filter rule 50 source address 192.168.1.0/24
set firewall ipv4 input filter rule 50 destination port 161
set firewall ipv4 input filter rule 50 protocol udp
commit

SNMPv3 authentication failed

Problem: "Authentication failure" for SNMPv3.

Causes:
- Wrong username/password
- Auth type mismatch
- Security level mismatch

Diagnosis:
# Check the users
show service snmp v3
# Test with a packet dump (-d)
snmpwalk -v3 -l authPriv -u monitor \
-a MD5 -A 'WrongPassword' \
-x AES -X 'PrivPassword' \
-d 192.168.1.1

Solution:
# Check the passwords
show configuration service snmp v3 user monitor
# Recreate the user
delete service snmp v3 user monitor
set service snmp v3 user monitor auth type md5
set service snmp v3 user monitor auth plaintext-password 'CorrectAuthPass!'
set service snmp v3 user monitor privacy type aes
set service snmp v3 user monitor privacy plaintext-password 'CorrectPrivPass!'
commit

Community string does not work

Problem: "No Such Name" or timeout.

Causes:
- The community does not exist
- The network restriction blocks the source address
- Wrong authorization type

Solution:
# Check the communities
show configuration service snmp community
# Add the network
set service snmp community public network 192.168.1.0/24
# Or allow all (not recommended)
set service snmp community public network 0.0.0.0/0
commit

Traps do not arrive

Problem: the monitoring server does not receive traps.

Causes:
- Trap target not configured
- The firewall on the NMS blocks UDP 162
- Wrong community string

Solution:
# Configure the trap target
set service snmp trap-target 192.168.1.100 community 'trapCommunity'
set service snmp trap-target 192.168.1.100 port 162
commit
# Send a test trap (operational command, run after the commit)
snmptrap -v2c -c trapCommunity 192.168.1.100 '' \
1.3.6.1.6.3.1.1.5.3 \
1.3.6.1.2.1.1.5.0 s "Test Trap"

OID returns no data

Problem: a specific OID returns "No Such Object".

Causes:
- The OID does not exist
- A view restriction blocks it
- The feature is not enabled

Solution:
# Walk the MIB to find the OID
snmpwalk -v2c -c public localhost | grep -i cpu
# Check view restrictions
show configuration service snmp v3 view
# Enable the required MIBs
# VyOS supports the standard MIBs by default

Security
Security recommendations

- Use SNMPv3:
set service snmp v3 user secure auth type sha
set service snmp v3 user secure auth plaintext-password 'StrongAuth!'
set service snmp v3 user secure privacy type aes
set service snmp v3 user secure privacy plaintext-password 'StrongPriv!'
- Strong community strings:
# Do not use 'public' or 'private'
set service snmp community H8kL2mP9qR4sT7v authorization ro
- Network restrictions:
# Only from the monitoring servers
set service snmp community secure network 192.168.1.100/32
set service snmp community secure network 192.168.1.101/32
- Firewall:
set firewall ipv4 input filter rule 50 action accept
set firewall ipv4 input filter rule 50 source address 192.168.1.100/32
set firewall ipv4 input filter rule 50 destination port 161
set firewall ipv4 input filter rule 50 protocol udp
- Read-only access:
# Avoid RW communities
set service snmp community monitor authorization ro
- Specific listen address:
# Do not listen on the WAN
set service snmp listen-address 192.168.1.1 port 161
- Views for SNMPv3:
# Restrict access to sensitive OIDs
set service snmp v3 view limited oid 1.3.6.1.2.1.2
set service snmp v3 group monitoring view limited
- Rate limiting:
set firewall ipv4 input filter rule 50 recent count 10
set firewall ipv4 input filter rule 50 recent time minute 1
- Logging:
# Monitor SNMP access
show log | grep snmp
- Regular audits:
- Review communities
- Check access logs
- Update passwords
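The "regular audits" item above is easier to keep up when the checks are mechanical. The following is an added example, not code from the original page or from VyOS: it parses the `set service snmp ...` commands used throughout this page (community, listen-address, v3 user/group/view), derives each v3 user's effective security level from the "Security levels" section (no auth configured means noAuthNoPriv, auth without privacy means authNoPriv, both means authPriv), flags the settings this recommendations list warns about (well-known community names, 0.0.0.0/0 networks, rw access, listening on all interfaces, MD5/DES), and includes a prefix check that tells whether an OID lies inside a v3 view, which is the "view restriction" cause of "No Such Object" in the troubleshooting section. The sample configuration is constructed for the demo; where a plaintext-password is given without an explicit type, the parser assumes md5/des as the default, which is an assumption of this example.

```python
"""Audit VyOS 'set service snmp ...' lines for weak settings (added example, not VyOS code).

Parses the community, listen-address and v3 user/group/view commands shown
on this page, derives each v3 user's USM security level, reports the
weaknesses the security recommendations warn about, and checks whether an
OID is inside a v3 view. SAMPLE_CONFIG is constructed; passwords are parsed
but never stored.
"""
import shlex
from collections import defaultdict

WEAK_COMMUNITIES = {"public", "private"}
ANY_NETWORK = {"0.0.0.0/0", "::/0"}
ANY_ADDRESS = {"0.0.0.0", "::", "::0"}


def parse_snmp_config(text: str) -> dict:
    """Collect 'set service snmp' commands into a small config model."""
    cfg = {
        "community": defaultdict(lambda: {"authorization": None, "network": []}),
        "user": defaultdict(lambda: {"auth": None, "privacy": None, "mode": None, "group": None}),
        "group": defaultdict(lambda: {"mode": None, "view": None}),
        "view": defaultdict(list),
        "listen": [],
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # keeps quoted passwords such as 'Auth Pass!' intact
        if tok[:3] != ["set", "service", "snmp"] or len(tok) < 5:
            continue
        rest = tok[3:]
        if rest[0] == "community" and len(rest) >= 4:
            name, key, value = rest[1], rest[2], rest[3]
            if key == "network":
                cfg["community"][name]["network"].append(value)
            else:
                cfg["community"][name][key] = value
        elif rest[0] == "listen-address":
            port = rest[3] if len(rest) >= 4 and rest[2] == "port" else "161"
            cfg["listen"].append((rest[1], port))
        elif rest[0] == "v3" and len(rest) >= 5:
            kind, name, key = rest[1], rest[2], rest[3]
            if kind == "user" and key in ("auth", "privacy") and len(rest) >= 6:
                if rest[4] == "type":
                    cfg["user"][name][key] = rest[5].lower()
                elif rest[4] == "plaintext-password" and cfg["user"][name][key] is None:
                    # Password without an explicit type: assumed defaults md5 / des.
                    cfg["user"][name][key] = "md5" if key == "auth" else "des"
            elif kind == "user" and key in ("mode", "group"):
                cfg["user"][name][key] = rest[4]
            elif kind == "group" and key in ("mode", "view"):
                cfg["group"][name][key] = rest[4]
            elif kind == "view" and key == "oid":
                cfg["view"][name].append(rest[4])
    return cfg


def security_level(user: dict) -> str:
    """USM security level implied by what is configured for the user."""
    if not user["auth"]:
        return "noAuthNoPriv"
    if not user["privacy"]:
        return "authNoPriv"
    return "authPriv"


def oid_in_view(view_oids: list, oid: str) -> bool:
    """True if oid lies under one of the view's subtrees (prefix match on arcs)."""
    arcs = oid.strip(".").split(".")
    return any(arcs[:len(p)] == p for p in (v.strip(".").split(".") for v in view_oids))


def audit(cfg: dict) -> list:
    """Return (subject, problem) pairs for every weak setting found."""
    out = []
    for name, c in cfg["community"].items():
        if name.lower() in WEAK_COMMUNITIES:
            out.append((f"community {name}", "well-known community name"))
        if c["authorization"] == "rw":
            out.append((f"community {name}", "read-write access (SNMP SET allowed)"))
        if not c["network"]:
            out.append((f"community {name}", "no source network restriction"))
        for net in c["network"]:
            if net in ANY_NETWORK:
                out.append((f"community {name}", f"network {net} allows any source"))
    for addr, port in cfg["listen"]:
        if addr in ANY_ADDRESS:
            out.append((f"listen-address {addr}:{port}", "listens on all interfaces (WAN included)"))
    for name, u in cfg["user"].items():
        level = security_level(u)
        if level != "authPriv":
            out.append((f"v3 user {name}", f"security level {level}, traffic not encrypted"))
        if u["auth"] == "md5":
            out.append((f"v3 user {name}", "auth type md5 (prefer sha)"))
        if u["privacy"] == "des":
            out.append((f"v3 user {name}", "privacy type des (prefer aes)"))
    for name, g in cfg["group"].items():
        if g["mode"] == "rw":
            out.append((f"v3 group {name}", "read-write mode"))
    return out


# Constructed sample mixing the page's weak and recommended settings.
SAMPLE_CONFIG = """
set service snmp community public authorization ro
set service snmp community public network 0.0.0.0/0
set service snmp community admin authorization rw
set service snmp community admin network 192.168.1.100/32
set service snmp listen-address 0.0.0.0 port 161
set service snmp v3 user legacy auth type md5
set service snmp v3 user legacy auth plaintext-password 'AuthPass!'
set service snmp v3 user legacy mode ro
set service snmp v3 user secure auth type sha
set service snmp v3 user secure auth plaintext-password 'StrongAuth!'
set service snmp v3 user secure privacy type aes
set service snmp v3 user secure privacy plaintext-password 'StrongPriv!'
set service snmp v3 user secure group monitoring
set service snmp v3 view limited oid 1.3.6.1.2.1.2
set service snmp v3 group monitoring mode ro
set service snmp v3 group monitoring view limited
"""

if __name__ == "__main__":
    parsed = parse_snmp_config(SAMPLE_CONFIG)
    for subject, problem in audit(parsed):
        print(f"{subject}: {problem}")
    print("ifOperStatus visible in view 'limited':",
          oid_in_view(parsed["view"]["limited"], "1.3.6.1.2.1.2.2.1.8.2"))
```

Feed it the output of `show configuration commands | grep 'service snmp'` from the router: the sample above yields six findings (the public community and its 0.0.0.0/0 network, the rw community, the 0.0.0.0 listen address, and the authNoPriv/MD5 user) and none for the authPriv user, and the view check shows why a walk of sysName (1.3.6.1.2.1.1.5.0) fails under a view limited to 1.3.6.1.2.1.2.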
Configuration examples

Example 1: basic monitoring (SNMPv2c)

# Community for Zabbix
set service snmp community zabbix authorization ro
set service snmp community zabbix network 192.168.1.100/32
# System info
set service snmp location 'Main Office - Server Room'
set service snmp contact 'netadmin@company.com'
# Listen
set service snmp listen-address 0.0.0.0 port 161
# Firewall
set firewall ipv4 input filter rule 50 action accept
set firewall ipv4 input filter rule 50 source address 192.168.1.100/32
set firewall ipv4 input filter rule 50 destination port 161
set firewall ipv4 input filter rule 50 protocol udp
commit
save

Example 2: enterprise SNMPv3

# SNMPv3 users
set service snmp v3 user monitor auth type sha
set service snmp v3 user monitor auth plaintext-password 'MonitorAuth2024!'
set service snmp v3 user monitor privacy type aes
set service snmp v3 user monitor privacy plaintext-password 'MonitorPriv2024!'
set service snmp v3 user monitor mode ro
# View
set service snmp v3 view monitoring oid 1.3.6.1
# Group
set service snmp v3 group monitoring-group mode ro
set service snmp v3 group monitoring-group view monitoring
# Assign
set service snmp v3 user monitor group monitoring-group
# Trap
set service snmp v3 trap-target 192.168.1.100 user monitor
set service snmp v3 trap-target 192.168.1.100 auth type sha
set service snmp v3 trap-target 192.168.1.100 auth plaintext-password 'TrapAuth!'
set service snmp v3 trap-target 192.168.1.100 privacy type aes
set service snmp v3 trap-target 192.168.1.100 privacy plaintext-password 'TrapPriv!'
# System
set service snmp location 'Data Center A - Rack 12'
set service snmp contact 'noc@enterprise.com'
# Listen
set service snmp listen-address 10.0.0.1 port 161
commit
save

Example 3: multi-NMS environment

# Zabbix
set service snmp community zabbix authorization ro
set service snmp community zabbix network 192.168.1.100/32
# Nagios
set service snmp community nagios authorization ro
set service snmp community nagios network 192.168.1.101/32
# PRTG
set service snmp community prtg authorization ro
set service snmp community prtg network 192.168.1.102/32
# Management
set service snmp community mgmt authorization ro
set service snmp community mgmt network 10.0.0.0/8
# Traps to all NMS
set service snmp trap-target 192.168.1.100 community 'trapCommunity'
set service snmp trap-target 192.168.1.101 community 'trapCommunity'
set service snmp trap-target 192.168.1.102 community 'trapCommunity'
# System
set service snmp location 'Branch Office'
set service snmp contact 'admin@branch.com'
set service snmp listen-address 0.0.0.0 port 161
commit
save

Best practices

SNMPv3 for production:
- Authentication and encryption
- User-based access control

Strong credentials:
- Community strings: 20+ characters
- SNMPv3 passwords: 12+ characters

Network restrictions:
- Specific monitoring server IPs
- Do not allow 0.0.0.0/0

Read-only access:
- RW only if absolutely necessary
- Restrict RW to specific OIDs

Firewall protection:
- Allow only the monitoring servers
- Rate limiting

Regular monitoring:
- Check SNMP performance
- Review access logs
- Monitor for authentication failures

Documentation:
- Document communities/users
- NMS configurations
- Custom OID mappings

Testing:
- Test after configuration
- Verify that all OIDs are accessible
- Test traps

Backup:
- Document SNMP credentials separately
- Include them in the disaster recovery plan

Keep updated:
- Regular password rotation
- Update NMS templates
- Review and clean up unused communities

Conclusion

SNMP in VyOS is a powerful tool for monitoring and managing the network infrastructure. Key capabilities:
- SNMPv1/v2c/v3 support: compatibility with all NMS
- Standard MIBs: IF-MIB, HOST-RESOURCES-MIB, UCD-SNMP-MIB
- Traps: asynchronous notifications
- Security: SNMPv3 with authentication and encryption

Use SNMP for:
- Bandwidth monitoring
- Interface status tracking
- CPU/memory monitoring
- Alerting via traps
- Integration with an enterprise NMS

Correct SNMP configuration gives visibility into the network infrastructure and enables proactive monitoring and troubleshooting.