Configuring SNMP v1/v2c/v3 Using ESXCLI 5.1

In previous releases of ESXi, only SNMP v1 and v2c were supported on the host. With the latest release, ESXi 5.1, we have added support for SNMPv3, which provides additional security when collecting data from the ESXi host. You can also specify where to source hardware alerts, using either IPMI sensors (as used by previous releases of ESXi) or CIM indicators, and you can filter out specific traps you do not wish to send to your SNMP management server.

In addition to SNMPv3 support, we also now have an ESXCLI equivalent to the old vicfg-snmp command. This means that you no longer have to use multiple commands to configure your ESXi hosts and can standardize on just using ESXCLI for all your host-level configurations.

To access the new SNMP namespace in ESXCLI, you just need to run the following command: esxcli system snmp

Note: ESXCLI is available in both the ESXi Shell as well as remotely via vCLI 5.1 or through PowerCLI’s Get-EsxCli cmdlet. You will also need to be running ESXi 5.1 to see the new SNMP namespace.

We have a very thorough walkthrough of SNMP v1, v2c, and v3 configurations using ESXCLI in our documentation, which can be found here, but I thought I would quickly show you how easy it is to configure both SNMP v1/v2c and v3 for your ESXi hosts.

SNMP v1 Configurations:

There are 4 steps:

  1. Set the community string
  2. Set the SNMP target which includes the port and the community string
  3. Enable SNMP service on the ESXi host
  4. Validate SNMP configuration by performing a test operation

esxcli system snmp set --communities public
esxcli system snmp set --targets pod23-esx-01a.pml.local@161/public
esxcli system snmp set --enable true
esxcli system snmp test

Another way you can check to ensure you can reach the ESXi host from your SNMP target system is by using the snmpwalk utility which is available on most UNIX/Linux systems. Run the following command which requires you to specify the SNMP version, the community string and the hostname or IP Address of the ESXi host:

snmpwalk -v1 -c public pod23-esx-01a.pml.local

If the command was successful, you should see a huge list of SNMP data being returned from the ESXi host.

SNMP v2c Configurations:

SNMP v2c configuration is similar to SNMP v3 configuration but without any authentication or privacy protocols configured.

There are 4 steps:

  1. Set the community string
  2. Configure an SNMP user, using the “-” symbol for no authentication or privacy protocols
  3. Set the SNMP target, which includes the port and the user from the previous step
  4. Enable SNMP service on the ESXi host
  5. Validate SNMP configuration by performing a test operation

esxcli system snmp set --communities public
esxcli system snmp set --users william/-/-/none
esxcli system snmp set --v3targets 10.24.145.55@161/william/none/trap
esxcli system snmp set --enable true
esxcli system snmp test

Again, we can verify using the snmpwalk utility just like we did in the v1 example but now we will need to include the username that we had configured. To validate, run the following command:

snmpwalk -v2c -c public -u william pod23-esx-01a.pml.local

Note: There currently is not an SNMP v2c specific example in the ESXCLI documentation, but we are looking to update the documentation with this example.

SNMP v3 Configurations:

There are 8 steps (not all are applicable):

  1. Set the engine ID (you need to convert the string to a hexadecimal string)
  2. Set the authentication protocol, which can be either SHA1, MD5 or none
  3. Set the privacy protocol, which can be AES128 or none
  4. Generate the authentication and privacy hashes from the user-supplied passwords if either protocol was enabled. You can either provide a file that contains the password or use the -r flag, which specifies raw password input
  5. Configure an SNMP user and associate the authentication and privacy hashes from the previous step
  6. Set the SNMP target which includes the port and user
  7. Enable SNMP service on the ESXi host
  8. Validate SNMP configuration by performing a test operation

esxcli system snmp set --engineid 766d77617265
esxcli system snmp set --authentication SHA1
esxcli system snmp set --privacy AES128
esxcli system snmp hash -r -A secret1234 -X secret5678
esxcli system snmp set --users william/f9f7311379046ebcb5d134439ee5b7754da8a90f/d300f16eec59fb3b7ada7844ff764cbf4641fe5f/priv
esxcli system snmp set --v3targets pod23-esx-01a.pml.local@161/william/priv/trap
esxcli system snmp set --enable true
esxcli system snmp test

We can also use the snmpwalk utility to query an SNMPv3 host, using the information we supplied earlier to configure SNMP on the ESXi host. To do so, run the following command (you will need to specify the v3-specific flags, which include the username, the authentication and privacy passwords, and the authentication and privacy protocols):

snmpwalk -v3 -u william -l AuthPriv -a SHA -A secret1234 -x AES -X secret5678 pod23-esx-01a.pml.local
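
Steps 1 and 4 above, as an added example that is not part of the original post or VMware's code: the hex conversion behind --engineid, and the standard RFC 3414 password-to-key localization that SNMPv3 USM uses to turn a password into a per-engine key. That esxcli system snmp hash follows this derivation byte for byte is an assumption; the function names and the second engine string are hypothetical.

```python
import hashlib

EXPANDED_LEN = 1048576  # RFC 3414 A.2: the password is stretched to 1 MiB


def engine_id_hex(engine_string: str) -> str:
    """Step 1: hex form of an engine string, as passed to --engineid."""
    return engine_string.encode("ascii").hex()


def localized_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Step 4 (assumed): RFC 3414 password-to-key, localized to one engine."""
    if algo not in ("sha1", "md5"):
        raise ValueError("RFC 3414 defines this derivation for MD5 and SHA1 only")
    pw = password.encode("utf-8")
    if len(pw) < 8:
        # net-snmp tools such as snmpwalk reject shorter USM passphrases
        raise ValueError("password must be at least 8 characters")
    # Ku: digest of the password repeated cyclically until 1 MiB is filled
    stretched = (pw * (EXPANDED_LEN // len(pw) + 1))[:EXPANDED_LEN]
    ku = hashlib.new(algo, stretched).digest()
    # Kul = H(Ku || engineID || Ku): the key is only valid for this engine
    return hashlib.new(algo, ku + engine_id + ku).digest()


if __name__ == "__main__":
    # Constructed demo: values from the post, plus a hypothetical second engine
    for name in ("vmware", "vmware-lab"):
        eid = engine_id_hex(name)
        key = localized_key("secret1234", bytes.fromhex(eid))
        print(f"{name}: engineid={eid} authkey={key.hex()}")
```

Under this derivation the engine ID is hashed into every key, so hashes generated for one engine ID no longer match if the engine ID is changed afterwards.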

 

Now that you know how to configure SNMP settings for a single ESXi host, how do you go about applying this across all your ESXi hosts, say 100 or 10,000? There are several ways, depending on how your environment is set up. If you are using vCenter Server to centrally manage your ESXi hosts, you can proxy ESXCLI authentication through vCenter Server, so you do not need to specify login credentials for each and every ESXi host. Here is an example of connecting to an ESXi host called esx-1.local, which is managed by vcenter-1.local, and running the SNMP test command:

esxcli --server vcenter-1.local --vihost esx-1.local --user administrator system snmp test

Notice that instead of specifying the hostname of the ESXi host directly, we use the --server flag to specify the vCenter Server and --vihost to specify the ESXi host we would like to operate on. Finally, we also need to provide the credentials to connect to the vCenter Server.

If you are not using vCenter Server or prefer to connect to each individual ESXi host, then you will need to specify the individual credentials for each ESXi host. If you are more familiar with PowerCLI, you can also interact with the ESXCLI interface by using the Get-EsxCli cmdlet.

In all three options, you simply need a list of ESXi hosts, which can be read from a flat text file, CSV, etc., and a “for” loop that iterates through the list and applies the SNMP configuration with the ESXCLI commands.

Instead of talking about automation, let me show you with an example shell script that I created called configureSNMPv3.sh. It uses the remote ESXCLI, reads in a text file containing a list of ESXi hosts and applies the SNMPv3 settings that are defined within the script. Though this script was written to use the remote ESXCLI, you can easily convert it into a PowerCLI script calling the same set of commands through the Get-EsxCli cmdlet.

Disclaimer: This script is provided for informational/educational purposes only. It should be thoroughly tested before attempting to use it in a production environment.

The script contains several variables which need to be set for the SNMPv3 configuration. Once you have saved the changes, to execute the script you just need to pass in a file that contains the hostnames or IP addresses of the ESXi hosts you wish to apply the SNMP settings to. I would highly recommend you take a look at the SNMP configuration documentation for ESXCLI before using the script, so you understand the various configuration options.

Here is a screenshot of the script being executed:

To confirm that the settings were applied correctly (even though we enabled the SNMP test operation within the script), we can issue our snmpwalk command again. Here is a screenshot showing the response from one of the ESXi hosts:

Get notification of new blog postings and more by following lamw on Twitter:  @lamw

17 thoughts on “Configuring SNMP v1/v2c/v3 Using ESXCLI 5.1”

  3. hviet

    Please support me, where is hostlist?

    #./configureSNMPv3.sh hostlist
    cat: hostlist: No such file or directory

      1. hviet

        I created hostlist with name ESXi server:
        example: ESXi-LAN

        file config snmpv3:
        #!/bin/bash
        # William Lam
        # http://blogs.vmware.com/vsphere/automation

        ESXI_USERNAME=root
        ESXI_PASSWORD=zaq1xsw2!@#

        ENGINE_STRING=vmware
        AUTHENTICATION_PROTOCOL=SHA1
        PRIVACY_PROTOCOL=AES128
        AUTH_SECRET=admin@a123
        PRIVACY_SECRET=snmpv3@encryption
        SNMP_USER=snmpv3
        SNMP_TARGET=10.10.5.111
        SNMP_PORT=161
        #10.10.5.111 ESXi server

        hostlist and file config on ESXi and run:

        etc/vmware # sh configureSNMPv3.sh hostlist
        Configuring SNMPv3 targets for ESXi-LAN …
        Setting EngineId: vmware
        configureSNMPv3.sh: line 68: xxd: not found
        Usage: esxcli [options] {namespace}+ {cmd} [cmd options]

        esxcli: error: no such option: --server
        Setting Authentication Protocol: SHA1
        Usage: esxcli [options] {namespace}+ {cmd} [cmd options]

        esxcli: error: no such option: --server
        Setting Privacy Protocol: AES128
        Usage: esxcli [options] {namespace}+ {cmd} [cmd options]

        esxcli: error: no such option: --server
        Generating Authentication & Privacy hash
        Usage: esxcli [options] {namespace}+ {cmd} [cmd options]

        esxcli: error: no such option: --server
        Setting SNMP User: snmpv3
        Usage: esxcli [options] {namespace}+ {cmd} [cmd options]

        esxcli: error: no such option: --server
        Setting SNMP Target: 10.10.5.111:161
        Usage: esxcli [options] {namespace}+ {cmd} [cmd options]

        esxcli: error: no such option: --server
        Enabling SNMP Service
        Usage: esxcli [options] {namespace}+ {cmd} [cmd options]

        esxcli: error: no such option: --server
        Enabling SNMP test …
        Usage: esxcli [options] {namespace}+ {cmd} [cmd options]

        esxcli: error: no such option: --server

        Please support me !!!
        Thanks

        1. herlix

          My suggestion

          #!/bin/bash

          # Generate the hashes and keep the second field of the first output line
          R=`esxcli system snmp hash -r -X 'zaq1xsw2!@#' -A 'zaq1xsw2!@#' | awk '{print $2}' | head -1`
          VEG=`echo -n ${R}`
          HOST=`hostname`
          USR="zabbix"
          C="public"

          esxcli system snmp set -a SHA1 -n info -p 161 -x AES128 -t ${HOST}@161/${C} -c ${C}
          # The same hash is used for both the authentication and privacy fields
          esxcli system snmp set --users zabbix/${VEG}/${VEG}/priv
          esxcli system snmp set --v3targets ${HOST}@161/zabbix/priv/trap
          esxcli system snmp set --enable true

  5. Richard Walls

    How would you incorporate this to filter traps that are considered spam type traps in enterprise environments, e.g. vm events “power on / off”?

  7. Sandeep

    Hi William,

    I am receiving an error “SNMPv3 – Unsupported Security Level – Either the requested MIB is not readable for this username, or this username requires a higher level of authentication/encryption” on an SNMPWalk v3 utility. I tried to execute this on several hosts and get the same error. Is there any configuration setting that I am missing here?

    Also SNMPWalk v2 is working fine when I configure a community on ESXi host. The issue is only with SNMPWalk v3.

    Thank you..

  8. john c. welch

    One thing, you might want to point out that setting the engineID step is not a requirement. If you don’t specify one, one will be created automatically.

    Also, to pass the snmp test step, you HAVE to set the trap destination for either v1/v2c traps or v3 traps. The post makes this look somewhat optional.

  11. Lawrence

    Hi William

    How about if I want to set an IP range (xxx.xxx.xxx.0/22) for the snmp under esxi 5.5?

    i.e. esxcli system snmp set -i "?"@161/none/none/inform
