juchestyle
Commander

How to set up SNMP on ESXi

Hey everyone,

I am trying to get into ESXi and the command line for this as well. I can find snapshots, set PowerPath strategies, etc. But I can't figure out how to enable and configure SNMP on 4.2 update 2 ESXi.

Is there a difference between the command line and PowerCLI?

Also, how is this accomplished?

Thanks,

Matthew

Kaizen!
7 Replies
LucD
Leadership

Does the thread "Set SNMP thru PowerCLI" help?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

juchestyle
Commander

I saw that. Is that a script that gets run? Or do you type everything in? Do you type this next part out? I get errors all over the place.

$esxName = <ESX-hostname>
$esxImpl = Get-VMHost -Name $esxName
$trapDestination = <mgmt-hostname>
$trapCommunity = "public"

Kaizen!
LucD
Leadership

No, it is not a script, it's a collection of code snippets that you can use to set up and query the SNMP service.

You have to replace the text between brackets with names that are valid for your environment.

Those 4 lines are just the start. After you have populated the variables, you can start setting up or querying the SNMP service with 1 or more of the following lines.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

venkyVM
Enthusiast

There is a difference between the command line and PowerCLI:

If you installed the CLI on Linux:

-----------------------------------------

vicfg-snmp -server <Hostname> --username root --password <Host-Password> -c public

vicfg-snmp -server <Hostname>  --username root --password <Host-Password> -t <Trap-TargetIP>@162/private

vicfg-snmp -server <Hostname> --username root --password  <Host-Password> -E

If you installed the CLI on Windows:

-----------------------------------------------

C:\Program Files (x86)\VMware\VMware vSphere CLI\bin> vicfg-snmp.pl -server <Hostname> --username root --password <Host-Password> -c public

C:\Program Files (x86)\VMware\VMware vSphere CLI\bin> vicfg-snmp.pl -server <Hostname>  --username root --password <Host-Password> -t <Trap-TargetIP>@162/private

C:\Program Files (x86)\VMware\VMware vSphere CLI\bin> vicfg-snmp.pl -server <Hostname> --username root --password  <Host-Password> -E

After this, just check /etc/vmware/snmp.xml and make sure that you see the right parameters in there.

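One way to automate the check of /etc/vmware/snmp.xml described above, as an added example that is not part of the original post. The element names (snmpSettings, enable, communities, targets), the host@port/community target form, the sample values and the allow-list of trap receivers are assumptions; compare them against your own file before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element names are an assumed layout for snmp.xml.
SAMPLE_SNMP_XML = """<config><snmpSettings>
  <enable>true</enable>
  <port>161</port>
  <communities>public</communities>
  <targets>192.0.2.10@162/private 192.0.2.99@162/monitor-ro</targets>
</snmpSettings></config>"""

DEFAULT_COMMUNITIES = {"public", "private"}  # well-known, guessable strings


def parse_target(entry):
    """Split 'host@port/community' (the form passed to vicfg-snmp -t)."""
    host_port, _, community = entry.partition("/")
    host, _, port = host_port.partition("@")
    return host, int(port or 162), community


def audit_snmp_xml(xml_text, allowed_receivers):
    """Return a list of findings for one host's SNMP settings."""
    settings = ET.fromstring(xml_text).find("snmpSettings")
    if settings is None:
        return ["no snmpSettings element found"]
    findings = []
    enabled = (settings.findtext("enable") or "").strip().lower() == "true"
    if not enabled:
        return findings  # agent is off, so there is nothing to flag
    communities = (settings.findtext("communities") or "").replace(",", " ")
    for name in communities.split():
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community string: {name}")
    targets = (settings.findtext("targets") or "").replace(",", " ")
    for entry in targets.split():
        host, port, community = parse_target(entry)
        if host not in allowed_receivers:
            findings.append(f"unexpected trap target: {host}:{port}")
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default trap community for {host}: {community}")
    return findings


if __name__ == "__main__":
    # 192.0.2.10 stands in for the monitoring server (hypothetical address).
    for finding in audit_snmp_xml(SAMPLE_SNMP_XML, {"192.0.2.10"}):
        print(finding)
```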
juchestyle
Commander

Hey Guys,

I have made some progress using: (from the directory where vicfg-snmp.pl is located / PowerCLI in Windows)

.\vicfg-snmp.pl -server %servername% --username root --password %password% -E -c %communitystring% --port %portnumber% -t %Ipaddress%@161/%communitystring%

This sets up the SNMP. However, it looks like any server in my environment can now snmp walk my ESXi server. There is a concern that the server is open to attack if this is the case. Is there a way to make this READ ONLY only from the IP address of our monitoring server?

Is there a security vulnerability where an ESXi host could be attacked and brought down because SNMP is open to everything? And if so, can I secure SNMP?

Matthew

Kaizen!
MRSNMP
Enthusiast

1. ESXi SNMP is constrained by resource pools both for memory and CPU.

2. ESXi SNMP is a read-only agent and does not support SNMPv1 SET operations.

So having access to it is quite unlikely to do anything untoward to the system just because the UDP port is reachable itself, though once having access, the data might be used in a further attack.

3. UDP source IP addresses can be spoofed meaning packets may still get to the agent regardless of configuration.

In any case typical network deployment limits the availability of the mgmt interface (typically vmk0) IPv4 address to a network/vlan that is already secured for mgmt to/from the systems that will access it and all other traffic to the host goes to vlans/networks that carry traffic for the VMs. I believe that using SNMPv3 (in ESXi 5.1) is a better solution than SNMPv1 plus firewall since packets benefit from SHA1 authenticity and/or AES128 privacy akin to TLS/SSL.

LucD
Leadership

Great info, thanks for sharing.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
