Configuring SNMP v1/v2c/v3 Using ESXCLI 5.1

In previous releases of ESXi, only SNMP v1 and v2c were supported on the host. With the latest release of ESXi 5.1, we have now added support for SNMPv3, which provides additional security when collecting data from the ESXi host. You also have the ability to specify where to source hardware alerts, using either IPMI sensors (as used by previous releases of ESXi) or CIM indicators. You can also filter out specific traps you do not wish to send to your SNMP management server.

In addition to SNMPv3 support, we also now have an ESXCLI equivalent to the old vicfg-snmp command. This means that you no longer have to use multiple commands to configure your ESXi hosts and can standardize on just using ESXCLI for all your host-level configurations.

To access the new SNMP namespace in ESXCLI, you just need to run the following command: esxcli system snmp

Note: ESXCLI is available in both the ESXi Shell as well as remotely via vCLI 5.1 or through PowerCLI’s Get-EsxCli cmdlet. You will also need to be running ESXi 5.1 to see the new SNMP namespace.

We have a very thorough walkthrough of SNMP v1, v2c, and v3 configurations using ESXCLI in our documentation which can be found here, but I thought I would quickly show you how easy it is to configure both SNMP v1/v2c and v3 for your ESXi hosts.

SNMP v1 Configurations:

There are 4 steps:

  1. Set the community string
  2. Set the SNMP target which includes the port and the community string
  3. Enable SNMP service on the ESXi host
  4. Validate SNMP configuration by performing a test operation

esxcli system snmp set --communities public
esxcli system snmp set --targets pod23-esx-01a.pml.local@161/public
esxcli system snmp set --enable true
esxcli system snmp test

Another way to check that you can reach the ESXi host from your SNMP target system is to use the snmpwalk utility, which is available on most UNIX/Linux systems. Run the following command, which requires you to specify the SNMP version, the community string and the hostname or IP address of the ESXi host:

snmpwalk -v1 -c public pod23-esx-01a.pml.local

If the command was successful, you should see a huge list of SNMP data being returned from the ESXi host.

SNMP v2c Configurations:

SNMP v2c configuration is similar to SNMP v3 configuration but without any authentication or privacy protocols configured.

There are 5 steps:

  1. Set the community string
  2. Configure an SNMP user, using the “-” symbol for no authentication or privacy protocols
  3. Set the SNMP target, which includes the port and the user from the previous step
  4. Enable SNMP service on the ESXi host
  5. Validate SNMP configuration by performing a test operation

esxcli system snmp set --communities public
esxcli system snmp set --users william/-/-/none
esxcli system snmp set --v3targets 10.24.145.55@161/william/none/trap
esxcli system snmp set --enable true
esxcli system snmp test

Again, we can verify using the snmpwalk utility just like we did in the v1 example, but now we need to include the username that we configured. To validate, run the following command:

snmpwalk -v2c -c public -u william pod23-esx-01a.pml.local

Note: There currently is not an SNMP v2c specific example in the ESXCLI documentation, but we are looking to update the documentation with this example.

SNMP v3 Configurations:

There are 8 steps (not all are applicable):

  1. Set the engine ID (you need to convert the string to a hexadecimal string)
  2. Set the authentication protocol, which can be SHA1, MD5 or none
  3. Set the privacy protocol, which can be AES128 or none
  4. Generate the authentication and privacy hashes from the user-supplied passwords if either protocol is enabled. You can either provide a file that contains the password or use the -r flag, which specifies the raw input password
  5. Configure an SNMP user and associate the authentication and privacy hashes from the previous step
  6. Set the SNMP target which includes the port and user
  7. Enable SNMP service on the ESXi host
  8. Validate SNMP configuration by performing a test operation

esxcli system snmp set --engineid 766d77617265
esxcli system snmp set --authentication SHA1
esxcli system snmp set --privacy AES128
esxcli system snmp hash -r -A secret1234 -X secret5678
esxcli system snmp set --users william/f9f7311379046ebcb5d134439ee5b7754da8a90f/d300f16eec59fb3b7ada7844ff764cbf4641fe5f/priv
esxcli system snmp set --v3targets pod23-esx-01a.pml.local@161/william/priv/trap
esxcli system snmp set --enable true
esxcli system snmp test

We can also use the snmpwalk utility to query an SNMPv3 host, using the information we supplied earlier to configure SNMP on the ESXi host. To do so, run the following command (you will need to specify the v3-specific flags, which include the username, the authentication and privacy passwords, and the authentication and privacy protocols):

snmpwalk -v3 -u william -l AuthPriv -a SHA -A secret1234 -x AES -X secret5678 pod23-esx-01a.pml.local

Now that you know how to configure SNMP settings for a single ESXi host, how do you go about applying this across all your ESXi hosts, say 100 or 10,000? There are several ways, and which one you use will depend on how your environment is set up. If you are using vCenter Server to centrally manage your ESXi hosts, then you can easily proxy ESXCLI authentication through vCenter Server and you do not need to specify the login credentials for each and every ESXi host. Here is an example of connecting to an ESXi host called esx-1.local, which is being managed by vcenter-1.local, and running the SNMP test command:

esxcli --server vcenter-1.local --vihost esx-1.local --user administrator system snmp test

Notice that instead of specifying the hostname of the ESXi host, we use the --server flag to specify the vCenter Server and --vihost to specify the ESXi host we would like to operate on. Finally, we also need to provide the credentials to connect to the vCenter Server.

If you are not using vCenter Server or prefer to connect to each individual ESXi host, then you will need to specify the credentials for each ESXi host. If you are more familiar with PowerCLI, you can also interact with the ESXCLI interface by using the Get-EsxCli cmdlet.

In all three options, you simply need to specify a list of ESXi hosts, which can be read from a flat text file, CSV, etc., and place the ESXCLI commands in a “for” loop which iterates through the list of ESXi hosts and applies the SNMP configurations.

Instead of talking about automation, let me show you with an example shell script that I created called configureSNMPv3.sh, which uses the remote ESXCLI, reads in a text file containing a list of ESXi hosts and applies the SNMPv3 settings that are defined within the script. Though this script was written to use the remote ESXCLI, you can easily convert it into a PowerCLI script calling the same set of commands through the Get-EsxCli cmdlet.

Disclaimer: This script is provided for informational/educational purposes only. It should be thoroughly tested before attempting to use in a production environment.

The script contains several variables which need to be set for the SNMPv3 configuration. Once you have saved the changes, to execute the script you just need to pass in a file that contains the hostnames or IP addresses of the ESXi hosts you wish to apply the SNMP settings to. I would highly recommend you take a look at the SNMP configuration documentation for ESXCLI before using the script, so you understand the various configuration options.
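
An example of such a batch script, added here and not the original configureSNMPv3.sh: it loops over a hosts file and applies the SNMPv3 sequence shown earlier through vCenter. The variable names, the hosts-file format, the ESXCLI override for a dry run, and the AUTH_HASH/PRIV_HASH environment variables (assumed to be generated beforehand with the hash command from step 4 and valid for the hosts being configured) are assumptions; the esxcli options are the ones used in this post.

```shell
#!/bin/sh
# Added example, not the original configureSNMPv3.sh. Variable names, hosts-file
# format and the ESXCLI override are assumptions; esxcli options are from this post.
ESXCLI="${ESXCLI:-esxcli}"            # remote ESXCLI (vCLI); ESXCLI=echo gives a dry run
VCENTER="${VCENTER:-vcenter-1.local}" # vCenter Server that proxies the connection
VC_USER="${VC_USER:-administrator}"
ENGINE_NAME="vmware"                  # converted to hex for --engineid
AUTH_PROTO="SHA1"
PRIV_PROTO="AES128"
SNMP_USER="william"
TARGET="pod23-esx-01a.pml.local@161"
# Assumption: hashes are generated beforehand with "esxcli system snmp hash" and
# passed in the environment, so no passphrase is stored in this file.
AUTH_HASH="${AUTH_HASH:-}"
PRIV_HASH="${PRIV_HASH:-}"

# ASCII string -> hex string, e.g. "vmware" -> 766d77617265
engineid_hex() { printf '%s' "$1" | od -An -tx1 | tr -d ' \t\n'; }

# Host names from a file, one per line; "#" comments and blank lines are skipped.
read_hosts() { sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"; }

# One "esxcli system snmp ..." call against host $1, proxied through vCenter.
snmp() {
    _host="$1"; shift
    "$ESXCLI" --server "$VCENTER" --vihost "$_host" --user "$VC_USER" system snmp "$@"
}

# Apply the SNMPv3 sequence to one host; stops at the first command that fails.
configure_host() {
    snmp "$1" set --engineid "$(engineid_hex "$ENGINE_NAME")" &&
    snmp "$1" set --authentication "$AUTH_PROTO" &&
    snmp "$1" set --privacy "$PRIV_PROTO" &&
    snmp "$1" set --users "$SNMP_USER/$AUTH_HASH/$PRIV_HASH/priv" &&
    snmp "$1" set --v3targets "$TARGET/$SNMP_USER/priv/trap" &&
    snmp "$1" set --enable true &&
    snmp "$1" test
}

# Configure every host listed in file $1; nonzero status if any host failed.
apply_all() {
    [ -r "$1" ] || { echo "usage: $0 hosts.txt" >&2; return 2; }
    [ -n "$AUTH_HASH" ] && [ -n "$PRIV_HASH" ] || { echo "set AUTH_HASH and PRIV_HASH" >&2; return 2; }
    _failed=0
    for _h in $(read_hosts "$1"); do
        configure_host "$_h" || { echo "FAILED: $_h" >&2; _failed=$((_failed + 1)); }
    done
    [ "$_failed" -eq 0 ]
}
[ $# -eq 0 ] || apply_all "$1"
```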

Here is a screenshot of the script being executed:

To confirm that the settings were applied correctly (even though we enabled the SNMP test operation within the script), we can issue our snmpwalk command again. Here is a screenshot showing the response from one of the ESXi hosts:

Get notification of new blog postings and more by following lamw on Twitter:  @lamw