SNMP
This role installs and configures Net-SNMP daemon (snmpd) on Linux systems to enable monitoring via SNMP protocol.
SNMP Role
Overview
This role installs and configures Net-SNMP daemon (snmpd) on Linux systems to enable monitoring via SNMP protocol. It configures SNMPv2c with community-based authentication, defines access control lists (ACLs), creates views to control which OID subtrees are accessible, and supports multiple users with different permission levels. The role is designed for integration with Centreon monitoring and other SNMP management systems.
Purpose
- SNMP Monitoring: Enable SNMP-based infrastructure monitoring
- Centreon Integration: Provide SNMP access for Centreon monitoring plugins
- Access Control: Define granular permissions with views and communities
- Multi-User Support: Configure different access levels per user/group
- MIB Access: Control which SNMP OID subtrees are accessible
- Automated Configuration: Deploy consistent SNMP config across servers
Requirements
- Ansible 2.9 or higher
- Target system: RedHat/CentOS or Debian/Ubuntu
- Root or sudo privileges
- Network connectivity for SNMP queries (UDP port 161)
- SNMP community strings stored in Ansible Vault
What is SNMP?
SNMP (Simple Network Management Protocol) enables remote monitoring and management:
How it works:
Monitoring System (Centreon) → SNMP Query → Target Server (snmpd)
← SNMP Response ←
Common uses:
- Monitor CPU, memory, disk usage
- Monitor network interface statistics
- Check running processes
- Query system information
- Retrieve application metrics
Protocol versions:
- SNMPv1: Original, least secure
- SNMPv2c: Community-based (this role uses v2c)
- SNMPv3: User-based with encryption (most secure)
Why SNMPv2c: Balance of simplicity and functionality, widely supported by monitoring tools.
Role Variables
Optional Variables
| Variable | Default | Description |
|---|---|---|
| snmp_protocol_version | 2c | SNMP version (v1, v2c, v3) |
| snmp_view_subtrees | See defaults | List of OID subtrees per view |
| snmp_acl_info | See defaults | User/group/view/community config |
| snmp_config_path | /etc/snmp | SNMP config directory |
| snmp_config_file_name | snmpd.conf | Config filename |
Variable Details
snmp_protocol_version
SNMP protocol version to use.
Default: 2c (SNMPv2c)
Values:
- 1: SNMPv1 (legacy)
- 2c: SNMPv2c (community-based, recommended)
- 3: SNMPv3 (user-based with encryption)
This role configures: SNMPv2c
snmp_view_subtrees
Defines which MIB subtrees (OID paths) each view can access.
Default:
snmp_view_subtrees:
  - subtree: ".1.3.6.1" # All SNMP OIDs (full access)
    view_name: "CentreonView"
    included: true
  - subtree: ".1.3.6.1.2.1.1" # System information only
    view_name: "SystemView"
    included: true
  - subtree: ".1.3.6.1.2.1.25.1.1" # Host resources
    view_name: "SystemView"
    included: true
Field descriptions:
| Field | Description |
|---|---|
| subtree | OID path (e.g., .1.3.6.1.2.1.1) |
| view_name | Name of view to assign subtree to |
| included | true = allow access, false = deny |
Common OID subtrees:
- .1.3.6.1: All SNMP OIDs (full tree)
- .1.3.6.1.2.1.1: System group (hostname, uptime, description)
- .1.3.6.1.2.1.25: Host resources (CPU, memory, disk, processes)
- .1.3.6.1.2.1.2: Interfaces (network statistics)
- .1.3.6.1.4.1: Enterprise-specific OIDs
snmp_acl_info
Defines users, groups, views, and community strings.
Default:
snmp_acl_info:
  config:
    user: "ConfigUser"
    group: "ConfigGroup"
    view: "SystemView"
    community: "{{ vault_snmp_config_user_password }}"
  centreon:
    user: "CentreonUser"
    group: "CentreonGroup"
    view: "CentreonView"
    community: "{{ vault_snmp_centreon_user_password }}"
Structure per user:
| Field | Description |
|---|---|
| user | Security name (username) |
| group | Group name for permissions |
| view | View name (defines accessible OIDs) |
| community | Community string (password) |
Access model:
Community String → User → Group → View → OID Subtrees
Example:
- Centreon queries with community “centreon_secret”
- Maps to CentreonUser → CentreonGroup → CentreonView
- CentreonView allows access to all OIDs (.1.3.6.1)
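To make the access chain concrete, the following added Python example (not the role's own snmpd.conf.j2, which is not reproduced in this README) renders the com2sec/group/view/access lines from the two role variables exactly in the layout shown under "Configuration File Generated". The sample community values are constructed placeholders (the role takes them from Vault), and the optional per-user source key is an assumption of this example: the role's defaults have no such field and emit default as the source.

```python
"""Render snmpd.conf access-control lines from the role's two variables.

Added illustration of the Community -> User -> Group -> View -> OID chain.
The role's real snmpd.conf.j2 is not reproduced here, and the optional
per-user 'source' key is an assumption (the role's defaults use 'default').
"""

# Same shape as the role's default snmp_view_subtrees.
SNMP_VIEW_SUBTREES = [
    {"subtree": ".1.3.6.1", "view_name": "CentreonView", "included": True},
    {"subtree": ".1.3.6.1.2.1.1", "view_name": "SystemView", "included": True},
    {"subtree": ".1.3.6.1.2.1.25.1.1", "view_name": "SystemView", "included": True},
]

# Same shape as the role's default snmp_acl_info. Community values are
# constructed placeholders; in the role they come from Ansible Vault.
SNMP_ACL_INFO = {
    "config": {
        "user": "ConfigUser", "group": "ConfigGroup",
        "view": "SystemView", "community": "config_secret_password",
    },
    "centreon": {
        "user": "CentreonUser", "group": "CentreonGroup",
        "view": "CentreonView", "community": "centreon_secret_password",
        "source": "192.0.2.10",  # assumed optional key: limit the community to the monitoring host
    },
}


def security_model(version):
    """Map snmp_protocol_version to the sec.model token of a 'group' line.

    SNMPv1/v2c use 'v1'/'v2c'; SNMPv3 uses the user-based model 'usm'."""
    return "usm" if str(version) == "3" else f"v{version}"


def render_snmpd_conf(view_subtrees, acl_info, version="2c"):
    """Return the com2sec/group/view/access block as snmpd expects it."""
    for name, entry in acl_info.items():
        if not entry.get("community"):
            raise ValueError(f"{name}: community string must not be empty")

    lines = ["# sec.name source community"]
    for entry in acl_info.values():
        # 'default' means any source IP; a host or CIDR narrows who may use the community.
        lines.append(f"com2sec {entry['user']} {entry.get('source', 'default')} {entry['community']}")

    lines.append("# sec.model sec.name")
    for entry in acl_info.values():
        lines.append(f"group {entry['group']} {security_model(version)} {entry['user']}")

    lines.append("# incl/excl subtree")
    for view in view_subtrees:
        keyword = "included" if view["included"] else "excluded"
        lines.append(f"view {view['view_name']} {keyword} {view['subtree']}")

    lines.append("# context model level prefix read write notify")
    for entry in acl_info.values():
        # Read view only; write and notify stay 'none' (read-only, as the role configures).
        lines.append(f'access {entry["group"]} "" any noauth exact {entry["view"]} none none')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_snmpd_conf(SNMP_VIEW_SUBTREES, SNMP_ACL_INFO), end="")
```

Running the script prints the same four sections as the generated file; changing version to 3 switches the group lines to the usm security model, which is the first thing that differs when a v3 setup is attempted.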
Dependencies
No Ansible role dependencies, but requires:
- SNMP daemon (role installs net-snmp/snmpd)
- Firewall rules allowing UDP port 161
- Community strings stored in Ansible Vault
Often used with:
- deploy_centreon: Centreon monitoring system
- Monitoring tools: Nagios, Zabbix, LibreNMS
Example Playbook
Basic Usage
---
- name: Configure SNMP Daemon
  hosts: all
  become: true
  roles:
    - snmp
Custom Community Strings
---
- name: Configure SNMP with Custom Communities
  hosts: servers
  become: true
  vars:
    snmp_acl_info:
      monitoring:
        user: "MonitorUser"
        group: "MonitorGroup"
        view: "MonitorView"
        community: "{{ vault_snmp_monitoring_password }}"
  roles:
    - snmp
Full Access for Monitoring
---
- name: Configure SNMP with Full Access
  hosts: all
  become: true
  vars:
    snmp_view_subtrees:
      - subtree: ".1" # Full SNMP tree
        view_name: "FullView"
        included: true
    snmp_acl_info:
      centreon:
        user: "CentreonUser"
        group: "CentreonGroup"
        view: "FullView"
        community: "{{ vault_snmp_centreon_password }}"
  roles:
    - snmp
Read-Only System Info
---
- name: Configure SNMP with Limited Access
  hosts: dmz_servers
  become: true
  vars:
    snmp_view_subtrees:
      - subtree: ".1.3.6.1.2.1.1" # System info only
        view_name: "LimitedView"
        included: true
    snmp_acl_info:
      readonly:
        user: "ReadOnlyUser"
        group: "ReadOnlyGroup"
        view: "LimitedView"
        community: "{{ vault_snmp_readonly_password }}"
  roles:
    - snmp
What This Role Does
1. Install SNMP packages:
   - RedHat/CentOS: Installs net-snmp, net-snmp-utils
   - Debian/Ubuntu: Installs snmpd
   - Package manager updates cache if needed
2. Deploy snmpd.conf:
   - Template: snmpd.conf.j2
   - Location: /etc/snmp/snmpd.conf
   - Permissions: 0660 (root:root)
   - Backup: Creates backup before overwriting
3. Configure ACLs:
   - Defines community-to-user mappings
   - Assigns users to groups
   - Creates views with OID subtree access
   - Links groups to views with read permissions
4. Restart snmpd:
   - Restarts service via handler
   - Enables service on boot
   - Activates new configuration
SNMP Configuration Structure
Configuration File Generated
Location: /etc/snmp/snmpd.conf
Example content:
## This configuration file is used by snmpd to determine what parts of the snmp OIDs subtree the users have access to
# Define users and their community strings
# sec.name source community
com2sec ConfigUser default config_secret_password
com2sec CentreonUser default centreon_secret_password
# Assigning users to groups and setting snmp protocol version
# sec.model sec.name
group ConfigGroup v2c ConfigUser
group CentreonGroup v2c CentreonUser
# Define views and what subtrees they have access to
# incl/excl subtree
view SystemView included .1.3.6.1.2.1.1
view SystemView included .1.3.6.1.2.1.25.1.1
view CentreonView included .1.3.6.1
# Assigning views to groups so they can see their assigned subtrees
# context model level prefix read write notify
access ConfigGroup "" any noauth exact SystemView none none
access CentreonGroup "" any noauth exact CentreonView none none
Configuration Sections
1. com2sec (Community to Security Name):
com2sec <user> default <community_string>
- Maps community string to security name (user)
- default = accept from any source IP
2. group (User to Group):
group <group> v2c <user>
- Assigns user to group
- Sets protocol version (v2c)
3. view (OID Access Definition):
view <view_name> included <subtree>
- Defines which OID subtrees are accessible
- included = allow, excluded = deny
4. access (Group Permissions):
access <group> "" any noauth exact <view> none none
- Links group to view
- Sets read/write/notify permissions
- noauth = no authentication (community string only)
SNMP OID Structure
OID Tree Hierarchy
.1 (iso)
└── .3 (org)
└── .6 (dod)
└── .1 (internet)
├── .2 (mgmt)
│ └── .1 (mib-2)
│ ├── .1 (system)
│ ├── .2 (interfaces)
│ ├── .4 (ip)
│ ├── .25 (host)
│ └── ...
└── .4 (private)
└── .1 (enterprises)
Common OIDs
| OID | Name | Description |
|---|---|---|
| .1.3.6.1.2.1.1 | system | Hostname, uptime, description |
| .1.3.6.1.2.1.25 | host | CPU, memory, disk, processes |
| .1.3.6.1.2.1.2 | interfaces | Network interface statistics |
| .1.3.6.1.2.1.4 | ip | IP statistics |
| .1.3.6.1.2.1.6 | tcp | TCP connection statistics |
| .1.3.6.1.2.1.25.1.1 | hrSystemUptime | System uptime (ticks) |
| .1.3.6.1.2.1.25.3.3.1.2 | hrProcessorLoad | CPU load percentage |
Example Queries
System uptime:
snmpwalk -v2c -c centreon_secret 192.168.x.x .1.3.6.1.2.1.1.3.0
CPU load:
snmpwalk -v2c -c centreon_secret 192.168.x.x .1.3.6.1.2.1.25.3.3.1.2
Memory usage:
snmpwalk -v2c -c centreon_secret 192.168.x.x .1.3.6.1.2.1.25.2.3.1
SNMP Commands
Testing SNMP
snmpwalk (query OID tree):
# Query all system info
snmpwalk -v2c -c community_string hostname .1.3.6.1.2.1.1
# Query entire host resources
snmpwalk -v2c -c community_string hostname .1.3.6.1.2.1.25
snmpget (query specific OID):
# Get system description
snmpget -v2c -c community_string hostname .1.3.6.1.2.1.1.1.0
# Get system uptime
snmpget -v2c -c community_string hostname .1.3.6.1.2.1.1.3.0
snmptranslate (convert OID to name):
# OID to name
snmptranslate .1.3.6.1.2.1.1.1.0
# Output: SNMPv2-MIB::sysDescr.0
# Name to OID
snmptranslate -On SNMPv2-MIB::sysDescr.0
# Output: .1.3.6.1.2.1.1.1.0
Centreon Integration
Centreon SNMP Checks
Centreon uses SNMP to monitor:
- CPU usage
- Memory usage
- Disk space
- Network interfaces
- Process counts
- Service status
Centreon Configuration
Add host in Centreon:
- Configuration → Hosts → Add
- Set SNMP Version: 2c
- Set SNMP Community: centreon_secret (from vault)
- Apply host template: Linux-SNMP
- Add services: CPU, Memory, Disk, etc.
Test from Centreon server:
# Test SNMP connectivity
snmpwalk -v2c -c centreon_secret target_host .1.3.6.1.2.1.1
# Test Centreon plugin
/usr/lib/centreon/plugins/centreon_linux_snmp.pl \
--plugin=os::linux::snmp::plugin \
--mode=cpu \
--hostname=target_host \
--snmp-version=2c \
--snmp-community=centreon_secret
Network Requirements
Firewall rules needed:
# Allow SNMP queries from monitoring server
- action: pass
  source_net: centreon_ip
  destination_port: "161"
  protocol: udp
  description: "Allow SNMP from Centreon"
Test connectivity:
# From Centreon/monitoring server
nc -u -zv target_host 161
# Send SNMP query
snmpwalk -v2c -c community_string target_host .1.3.6.1.2.1.1.1
Security Considerations
- Community Strings: Store in Ansible Vault (act as passwords)
- Read-Only: This role configures read-only access (no write/notify)
- Network Security: Limit SNMP access to monitoring servers only
- No Encryption: SNMPv2c transmits in plain text (including community string)
  - Use SNMPv3 for encryption (requires additional config)
  - Use network segmentation and firewall rules
- View Restrictions: Limit OID access based on security requirements
- Source Filtering: Consider restricting by source IP in config
  - Replace default with a specific IP/subnet
Source IP Filtering
Restrict to specific sources:
# Instead of: com2sec CentreonUser default centreon_secret
# Use:
com2sec CentreonUser 192.168.x.x/24 centreon_secret
com2sec CentreonUser 192.168.x.x centreon_secret
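The points in the Security Considerations list (source filtering, read-only access, no well-known community strings) can be checked mechanically against a generated file. The following added Python example (not part of the role) parses the directive format shown under "Configuration File Generated" and reports the findings a reviewer would raise. The sample configuration embedded in it is constructed for the demonstration and deliberately includes an unrestricted source, the community "public", an SNMPv1 group and a write view; none of these are in the role's defaults.

```python
"""Audit an snmpd.conf for the weaknesses the Security Considerations list names.

Added example, not the role's code. It understands only the four directive
types the role generates (com2sec, group, view, access); anything else is
ignored.
"""
import shlex

# Constructed sample in the format this role generates, with deliberate weak spots.
SAMPLE_CONF = """\
# sec.name source community
com2sec ConfigUser default config_secret_password
com2sec CentreonUser 192.0.2.0/24 centreon_secret_password
com2sec LegacyUser default public
# sec.model sec.name
group ConfigGroup v2c ConfigUser
group CentreonGroup v2c CentreonUser
group LegacyGroup v1 LegacyUser
# incl/excl subtree
view SystemView included .1.3.6.1.2.1.1
view CentreonView included .1.3.6.1
view AllView included .1
# context model level prefix read write notify
access ConfigGroup "" any noauth exact SystemView none none
access CentreonGroup "" any noauth exact CentreonView none none
access LegacyGroup "" any noauth exact AllView AllView none
"""

WEAK_COMMUNITIES = {"public", "private"}
FULL_TREE_SUBTREES = {"1", "1.3.6.1"}  # the page calls both of these "full access"


def parse_snmpd_conf(text):
    """Yield each non-comment directive as a list of tokens.

    shlex keeps the empty context "" of an access line as its own token."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directives.append(shlex.split(line))
    return directives


def audit_snmpd_conf(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for tokens in parse_snmpd_conf(text):
        kind = tokens[0]
        if kind == "com2sec" and len(tokens) >= 4:
            _, secname, source, community = tokens[:4]
            if source == "default":
                findings.append(f"com2sec {secname}: source 'default' accepts any IP; use a host or subnet")
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(f"com2sec {secname}: well-known community '{community}'")
        elif kind == "group" and len(tokens) >= 4 and tokens[2] == "v1":
            findings.append(f"group {tokens[1]}: SNMPv1 security model")
        elif kind == "view" and len(tokens) >= 4 and tokens[2] == "included":
            if tokens[3].lstrip(".") in FULL_TREE_SUBTREES:
                findings.append(f"view {tokens[1]}: grants the full OID tree ({tokens[3]})")
        elif kind == "access" and len(tokens) >= 9:
            # tokens: access <group> <context> <model> <level> <prefix> <read> <write> <notify>
            write_view, notify_view = tokens[7], tokens[8]
            if write_view != "none":
                findings.append(f"access {tokens[1]}: write view '{write_view}' (role default is read-only)")
            if notify_view != "none":
                findings.append(f"access {tokens[1]}: notify view '{notify_view}' (role default is none)")
    return findings


if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_CONF):
        print(finding)
```

Run against the real file with python3 audit.py < /etc/snmp/snmpd.conf after swapping SAMPLE_CONF for sys.stdin.read(); the full-tree finding for CentreonView is expected with the role's defaults and is there so that the trade-off is visible, not to force a change.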
Tags
This role does not define any tags. Use playbook-level tags if needed:
- hosts: all
  roles:
    - snmp
  tags:
    - snmp
    - monitoring
    - network
Notes
- Role runs on target systems (not localhost)
- become: true required for package installation and config
- Configuration file backed up before changes
- Permissions: 0660 on snmpd.conf (sensitive due to community strings)
- Service enabled and started automatically
- Compatible with RedHat/CentOS and Debian/Ubuntu
- Default: Read-only access, no write permissions
Troubleshooting
SNMP queries timeout
Symptom: No response to snmpwalk/snmpget
Check snmpd running:
# Same unit name on RedHat and Debian
systemctl status snmpd
Check snmpd listening:
netstat -uln | grep 161
# Should show: 0.0.0.0:161 (listening on all interfaces)
Check firewall:
# iptables
iptables -L INPUT -v -n | grep 161
# firewalld
firewall-cmd --list-all | grep snmp
# ufw
ufw status | grep 161
Test locally first:
# Query localhost
snmpwalk -v2c -c community_string localhost .1.3.6.1.2.1.1.1
Authentication failure
Symptom: “Timeout: No Response from”
Causes:
- Wrong community string
- Community not in snmpd.conf
- View doesn’t include requested OID
Check configuration:
grep -A 20 "com2sec" /etc/snmp/snmpd.conf
# Verify:
# - Community string correct
# - View includes OID
# - Access line present
Test with verbose output:
snmpwalk -v2c -c community_string -d hostname .1.3.6.1.2.1.1
# Shows detailed debug output
No data returned for OID
Symptom: snmpwalk returns empty or “No Such Object”
Causes:
- OID not in view
- OID doesn’t exist on system
- SNMP daemon doesn’t support OID
Check view permissions:
# View configuration in snmpd.conf
grep "view.*included" /etc/snmp/snmpd.conf
# Try broader OID
snmpwalk -v2c -c community_string hostname .1.3.6.1.2.1
Check OID exists:
# Query from localhost with a configured community string
# (localhost is not exempt from the com2sec/view ACLs; it matches a "default" source like any other host)
snmpwalk -v2c -c community_string localhost .1.3.6.1.2.1.25
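Whether an OID is "not in view" can be decided offline from the role variables before touching the host. The following added Python example (not the role's code) applies the view semantics described under "Configuration Sections" the way snmpd applies them: among a view's entries whose subtree is a prefix of the requested OID, the longest one decides, and an OID matching no entry is invisible. The data mirrors the role's defaults plus one constructed excluded entry; the community values are placeholders.

```python
"""Decide whether a community may read an OID under the role's view model.

Added example of VACM view matching as snmpd applies it (longest matching
subtree wins; no match means not visible). Data mirrors the role defaults
plus one constructed 'excluded' entry to show the deny case.
"""

SNMP_VIEW_SUBTREES = [
    {"subtree": ".1.3.6.1", "view_name": "CentreonView", "included": True},
    {"subtree": ".1.3.6.1.2.1.1", "view_name": "SystemView", "included": True},
    {"subtree": ".1.3.6.1.2.1.25.1.1", "view_name": "SystemView", "included": True},
    # Constructed: hide sysLocation from SystemView although the system group is included.
    {"subtree": ".1.3.6.1.2.1.1.6", "view_name": "SystemView", "included": False},
]

# Constructed placeholder communities; the role takes them from Ansible Vault.
SNMP_ACL_INFO = {
    "config": {"user": "ConfigUser", "group": "ConfigGroup",
               "view": "SystemView", "community": "config_secret"},
    "centreon": {"user": "CentreonUser", "group": "CentreonGroup",
                 "view": "CentreonView", "community": "centreon_secret"},
}


def oid_to_tuple(oid):
    """'.1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0); leading dot optional."""
    return tuple(int(part) for part in oid.strip(".").split("."))


def oid_in_view(view_subtrees, view_name, oid):
    """True when the most specific matching entry of the view is 'included'."""
    target = oid_to_tuple(oid)
    best_len, best_allowed = -1, False
    for entry in view_subtrees:
        if entry["view_name"] != view_name:
            continue
        prefix = oid_to_tuple(entry["subtree"])
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, best_allowed = len(prefix), bool(entry["included"])
    return best_allowed  # no matching entry -> False


def community_can_read(view_subtrees, acl_info, community, oid):
    """Follow Community -> user entry -> view -> subtree check.

    An unknown community never gets an answer from snmpd, which the client
    reports as a timeout rather than an error."""
    for entry in acl_info.values():
        if entry["community"] == community:
            return oid_in_view(view_subtrees, entry["view"], oid)
    return False


if __name__ == "__main__":
    checks = [
        ("config_secret", ".1.3.6.1.2.1.1.1.0"),        # sysDescr: in SystemView
        ("config_secret", ".1.3.6.1.2.1.1.6.0"),        # sysLocation: excluded above
        ("config_secret", ".1.3.6.1.2.1.25.3.3.1.2"),   # hrProcessorLoad: not in SystemView
        ("centreon_secret", ".1.3.6.1.2.1.25.3.3.1.2"), # same OID, CentreonView has the full tree
    ]
    for community, oid in checks:
        visible = community_can_read(SNMP_VIEW_SUBTREES, SNMP_ACL_INFO, community, oid)
        print(f"{community:16} {oid:26} {'visible' if visible else 'not in view'}")
```

The third check is the case this troubleshooting entry describes: the CPU-load OID exists on the host, but the ConfigUser view only covers .1.3.6.1.2.1.1 and .1.3.6.1.2.1.25.1.1, so snmpwalk returns nothing for it while the Centreon community sees it.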
Config file syntax error
Check syntax:
# Test configuration: runs snmpd in the foreground with config-parsing debug output
# (stop the running service first or it cannot bind UDP 161; Ctrl-C to exit)
snmpd -Dread_config -f -Le
# Should not show errors
Restart daemon:
systemctl restart snmpd
journalctl -u snmpd -n 50
# Check for errors
Testing the Role
Verify Installation
# Check package installed
# Debian
dpkg -l | grep snmpd
# RedHat
rpm -qa | grep net-snmp
Verify Configuration
# Check config file exists
ls -la /etc/snmp/snmpd.conf
# Check permissions (should be 0660)
stat /etc/snmp/snmpd.conf
# View configuration
cat /etc/snmp/snmpd.conf
Test SNMP Queries
# Test from target host (local query)
snmpwalk -v2c -c community_string localhost .1.3.6.1.2.1.1
# Test from monitoring server (remote query)
snmpwalk -v2c -c centreon_secret target_host .1.3.6.1.2.1.1
# Specific queries
snmpget -v2c -c centreon_secret target_host .1.3.6.1.2.1.1.5.0 # Hostname
snmpget -v2c -c centreon_secret target_host .1.3.6.1.2.1.1.3.0 # Uptime
Test with Centreon
# From Centreon server, test plugin
/usr/lib/centreon/plugins/centreon_linux_snmp.pl \
--plugin=os::linux::snmp::plugin \
--mode=list-interfaces \
--hostname=target_host \
--snmp-version=2c \
--snmp-community=centreon_secret
Best Practices
- Store community strings in Vault: Never commit passwords to git
- Use descriptive community strings: Not “public” or “private”
- Limit OID access: Only grant access to needed subtrees
- Restrict source IPs: Use IP-based filtering when possible
- Firewall rules: Allow SNMP only from monitoring servers
- Consider SNMPv3: For environments requiring encryption
- Monitor SNMP logs: Watch for unauthorized access attempts
- Regular updates: Keep net-snmp/snmpd updated
- Document views: Clearly document which OIDs each view accesses
- Test after changes: Verify SNMP queries work after updates
Upgrading to SNMPv3
For high-security environments, consider SNMPv3:
Benefits:
- Username/password authentication
- Encrypted traffic (DES/AES)
- Integrity checking (MD5/SHA)
Configuration changes needed:
snmp_protocol_version: 3
# Additional config for:
# - Users (createUser)
# - Auth protocol (MD5/SHA)
# - Privacy protocol (DES/AES)
# - Passwords
This role currently supports: SNMPv2c
Related Roles
This role is often used with:
- deploy_centreon: Centreon monitoring system
- Monitoring tools: Configure SNMP-based checks
- Firewall roles: Open UDP port 161 for monitoring
License
MIT
Author
Created for homelab infrastructure management.