Extreme VSP SNMPv3 access-policy

I recently discovered that SNMPv3 stopped working on one of my VSPs. I discovered that it had stopped working when I started using access policies on that device.

After some research, I found out that the default access-policy blocks SNMPv3. This is what the default access-policy looks like:

 

VSP#show access-policy 
************************************************************************************
Command Execution Time: Thu Oct 15 14:06:16 2020 CEST
************************************************************************************

AccessPolicyEnable: on

Id: 1
Name: default
PolicyEnable: true
Mode: allow
Service: ftp|http|tftp|telnet|ssh|snmpv3
Precedence: 128
NetAddrType: any
NetAddr: N/A
NetMask: N/A
TrustedHostAddr: N/A
TrustedHostUserName: none
AccessLevel: readOnly
AccessStrict: false
Usage: 12

In the above output, you can see that SNMPv3 is allowed. However, you have to specify the SNMP group(s) which should be allowed:

conf t
access-policy 5
access-policy 5 name "SNMPv3" network X.X.X.X/X
access-policy 5 http ssh snmpv3
access-policy 5 snmp-group <MySNMPGroup> usm

The “snmp-group” property won’t be shown in a “show access-policy”, but it seems to be required for SNMPv3 access to work IF you use access-policies at all.
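Because "show access-policy" does not display the snmp-group binding, the check has to be made against the configuration lines themselves. The following is an added example, not part of the original post or Extreme's tooling: it flags policies that enable snmpv3 without an "snmp-group <group> usm" line. It assumes the saved configuration contains access-policy lines in the same forms as the commands above; the sample config, addresses and group names are constructed.

```python
import re
import shlex

# Constructed sample, written in the command forms used in the post.
SAMPLE_CONFIG = '''
access-policy 5
access-policy 5 name "SNMPv3" network 192.0.2.0/24
access-policy 5 http ssh snmpv3
access-policy 5 snmp-group MyGroup usm
access-policy 6
access-policy 6 name "NMS-2" network 198.51.100.0/24
access-policy 6 ssh snmpv3
access-policy 7
access-policy 7 name "Legacy" network 203.0.113.0/24
access-policy 7 ssh snmpv3
access-policy 7 snmp-group OldGroup snmpv2c
access-policy 8 name "Mgmt" network 192.0.2.128/25
access-policy 8 ssh
'''

POLICY_LINE = re.compile(r"^\s*access-policy\s+(\d+)\b(.*)$")
HAS_VALUE = {"name", "network"}  # keywords followed by a value, not a service


def audit_snmpv3_policies(config_text):
    """Return sorted ids of policies that enable snmpv3 but bind no USM group."""
    snmpv3_enabled, usm_bound = set(), set()
    for line in config_text.splitlines():
        match = POLICY_LINE.match(line)
        if not match:
            continue
        policy_id = int(match.group(1))
        tokens = shlex.split(match.group(2))
        i = 0
        while i < len(tokens):
            word = tokens[i].lower()
            if word == "snmp-group":
                # Form on the page: snmp-group <group> <security model>
                if len(tokens) > i + 2 and tokens[i + 2].lower() == "usm":
                    usm_bound.add(policy_id)
                i += 3
            elif word in HAS_VALUE:
                i += 2  # skip the value so a policy *named* SNMPv3 is not a hit
            else:
                if word == "snmpv3":
                    snmpv3_enabled.add(policy_id)
                i += 1
    return sorted(snmpv3_enabled - usm_bound)


if __name__ == "__main__":
    for pid in audit_snmpv3_policies(SAMPLE_CONFIG):
        print(f"access-policy {pid}: snmpv3 enabled, no 'snmp-group <group> usm'")
```

Policy 7 is flagged as well as policy 6: a group bound with the snmpv2c model does not satisfy the usm binding the post describes for SNMPv3.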

More info about access-policies and SNMPv3 on VOSS can be found on the Extreme KB.
