Feb 09 2010

Extreme ACL’s

I was configuring my new extreme switches and trying to limit down SNMP access to just two IP addresses (our Cacti monitoring box and EPICenter). In Cisco, this would be super-easy – I would just have two snmp-server host lines in my config:

snmp-server host 192.168.50.10 communitystring
snmp-server host 192.168.50.11 communitystring

In Extreme there’s no function built into the SNMP config to limit down by IP, you have to create an ACL (which in itself doesn’t really bother me). What does kind of bother me is how terrible their ACL syntax is. The two line Cisco ACL breaks down into this when you go to Extreme-land:

# SNMP_ACL.pol: permit SNMP only from the two monitoring hosts.
# Each source-address uses a /32 so the entry matches exactly one host;
# a /24 here would permit the whole 192.168.50.0/24 subnet instead.
entry PERMIT_CACTI {
    if {
        source-address 192.168.50.10/32;
    } then {
        permit;
    }
}

entry PERMIT_EPICENTER {
    if {
        source-address 192.168.50.11/32;
    } then {
        permit;
    }
}

# Empty match block = match everything. Needed because XOS has no implicit deny.
entry DENY {
    if {
    } then {
        deny;
    }
}

Crippity cripes! The two-line ACL grows into a 20 line ACL. I can’t even imagine trying to reconstruct a more complicated ACL in this format. XOS ACLs also do not have an implicit deny, which I am a hair away from submitting as a bug report in protest.

Once you write all this out, you’re still not done. You have to launch vi on the switch and write the ACL into a policy file.

vi SNMP_ACL.pol

The .pol extension is a policy file on the switch (used to contain ACLs, QoS info, etc.). The two other extensions that you’ll run into commonly are .xos, which is a system image, and .xmod, which is an additional package (adds features, for example SSH).

Once you have saved your policy file, you can run a syntax check against it with

check policy SNMP_ACL

and it will notify you of any issues (a total possibility when you have that many squiggly brackets).

Then you have to apply your new policy file to SNMP. There are different ways to apply policy files in different situations, but in this example you would use

conf snmp access-profile SNMP_ACL readonly

specifying readwrite or readonly depending on whether you want the permitted IPs to have read or read/write SNMP (Hint: you want readonly).
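The `check policy` command only catches syntax errors, not a permit that is wider than you meant. The following script is an added example, not part of the original post or of ExtremeXOS: it parses the entry/if/then structure of a policy file like the one above (a constructed copy, with the /24 masks as first written) and reports permit entries that match more than one host, intended hosts no entry permits, and a missing unconditional deny at the end. The policy text and host list are constructed sample input.

```python
import ipaddress
import re

# Constructed sample policy in the post's format, with /24 masks as first written.
SAMPLE_POLICY = """\
entry PERMIT_CACTI { if { source-address 192.168.50.10/24; } then { permit; } }
entry PERMIT_EPICENTER { if { source-address 192.168.50.11/24; } then { permit; } }
entry DENY { if { } then { deny; } }
"""

# One match per entry: its name, the contents of the if block, and of the then block.
ENTRY_RE = re.compile(r"entry\s+(\w+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)
ADDR_RE = re.compile(r"source-address\s+([\d./]+)\s*;")


def parse_entries(text):
    """Return a list of (name, [source networks], action) for each entry in the file."""
    entries = []
    for name, match, then in ENTRY_RE.findall(text):
        # strict=False so 192.168.50.10/24 is accepted and normalised to 192.168.50.0/24.
        nets = [ipaddress.ip_network(a, strict=False) for a in ADDR_RE.findall(match)]
        action = "permit" if "permit" in then else "deny"
        entries.append((name, nets, action))
    return entries


def lint_policy(text, intended_hosts):
    """Report permits wider than one host, unpermitted intended hosts, and a missing final deny."""
    findings = []
    entries = parse_entries(text)
    permitted = [n for _, nets, action in entries if action == "permit" for n in nets]
    for name, nets, action in entries:
        for net in nets:
            if action == "permit" and net.num_addresses > 1:
                findings.append(f"{name}: {net} permits {net.num_addresses} addresses, not one host")
    for host in intended_hosts:
        if not any(ipaddress.ip_address(host) in n for n in permitted):
            findings.append(f"{host} is not permitted by any entry")
    # XOS has no implicit deny: the last entry must be a deny with an empty match block.
    if not entries or entries[-1][2] != "deny" or entries[-1][1]:
        findings.append("no unconditional deny entry at the end of the file")
    return findings


if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY, ["192.168.50.10", "192.168.50.11"]):
        print(line)
```

Changing the two masks to /32 makes the lint come back clean for those two hosts.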

Makes me glad these guys make switches and not routers or firewalls.

posted in Networking by Brian


1 Comment to "Extreme ACL’s"

  1. Greg wrote:

    I asked them “Do you plan to create a router?” They told me that they have no plans to create a router. “Routers are not our focus, switches are. Switching is where we are going to stay.” After seeing the above, I can’t help but see the wisdom in their decision…hehehe.
