Configure SNMPv3
The QFX3500 switch supports SNMP version 3 (SNMPv3). SNMPv3 enhances the functionality of SNMPv1 and SNMPv2c by supporting user authentication and data encryption. SNMPv3 uses the user-based security model (USM) to provide security for SNMP messages, and the view-based access control model (VACM) for user access control.
SNMPv3 features include:
- With USM, the SNMP messages exchanged between the SNMP manager and the agent can have their source authenticated and their integrity checked. USM also limits message delay and replay by enforcing a time window on each message and by checking for duplicate message request IDs.
- VACM complements USM by controlling which SNMP queries a user may make to the agent. You define the access privileges that you want to extend to a group of one or more users. Access privileges are determined by the security model parameters (usm, v1, or v2c) and the security level parameters (authentication, privacy, or none). For each security level, you must associate one MIB view with the group; associating a MIB view with a group grants read, write, or notify permission on a set of MIB objects to that group.
- You configure security parameters for each user, including the username, the authentication type and authentication password, and the privacy type and privacy password. The format of a user's username depends on the security model configured for that user.
- To secure messaging, another kind of username, the security name, is included in the message data sent between the local SNMP server and the destination SNMP server. Each username is mapped to a security name, but the format of the security name is independent of the security model.
- Trap entries in SNMPv3 are created by configuring the notify, notify filter, target address, and target parameters. The notify statement specifies the type of notification (trap) and contains a single tag that defines a set of target addresses to receive the trap. The notify filter defines access to a collection of trap object identifiers (OIDs). The target address defines the address of an SNMP management application and other attributes used in sending notifications. The target parameters define the message processing and security parameters used in sending notifications to a particular target.
To configure SNMPv3, perform the following tasks:
Because USM authenticates and encrypts SNMPv3 messages with per-user keys, a device does not need a list of permitted client addresses to protect SNMPv3 queries, so the SNMPv3 configuration on Junos OS and Junos OS Evolved has no client-list statement. SNMPv1 and SNMPv2c, by contrast, authorize queries on the community string alone, so for them the client-list remains the mechanism for restricting which hosts may send queries. You can still limit exposure of UDP port 161 with a firewall filter if you wish; the point is only that SNMPv3 does not rely on source addresses for its security.
Create SNMPv3 Users
For each SNMPv3 user, you specify the username, the authentication type and authentication password, and the privacy type and privacy password. When you enter a password, Junos derives a key from the password and the local engine ID and writes that key to the configuration file. Once the key has been generated, you can delete the password from the configuration file. Because the key is bound to the engine ID, it is valid only for that engine ID; if the engine ID later changes, the password must be entered again so that a new key can be generated.
You can configure only one privacy (encryption) type for each SNMPv3 user.
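The derivation described above is the password-to-key and key-localization procedure of RFC 3414 (Appendix A.2): the password is stretched to 1 MiB and hashed, and the result is hashed again together with the engine ID. The following is an added example written for this page in Python; it is not Junos code and does not produce Junos' encrypted configuration syntax. It reproduces the RFC 3414 test vectors (password "maplesyrup", engine ID 000000000000000000000002) and shows that the same password yields a different key under a different engine ID; the second engine ID is a constructed sample value, not one from the page.

```python
"""RFC 3414 password-to-key derivation and engine-ID localization (added example)."""
import hashlib

STRETCH_LEN = 1_048_576  # RFC 3414 A.2: exactly 1 MiB of the repeated password is hashed


def password_to_ku(password: bytes, algo: str) -> bytes:
    """Step 1 of RFC 3414 A.2: hash the password repeated cyclically out to 1 MiB."""
    if not password:
        raise ValueError("empty password")
    repeats = STRETCH_LEN // len(password) + 1
    stretched = (password * repeats)[:STRETCH_LEN]
    return hashlib.new(algo, stretched).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2 of RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku).

    This is the value an agent stores instead of the password; it is useless on
    any engine whose ID differs, which is why the password must be re-entered
    after the engine ID changes.
    """
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Convenience wrapper: password -> Ku -> Kul for one engine."""
    return localize(password_to_ku(password, algo), engine_id, algo)


def aes128_privacy_key(kul: bytes) -> bytes:
    """RFC 3826: privacy-aes128 uses the first 128 bits of the localized privacy key."""
    if len(kul) < 16:
        raise ValueError("localized key too short for AES-128")
    return kul[:16]


# RFC 3414 A.3 test vectors (not constructed): password and 12-byte engine ID.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed sample engine ID, used only to show that the key changes with the engine.
OTHER_ENGINE_ID = bytes.fromhex("80000a4c030c0000deadbeef")


def key_changes_with_engine_id(password: bytes, algo: str = "sha1") -> bool:
    """True when localizing the same password under two engine IDs gives different keys."""
    return localized_key(password, RFC_ENGINE_ID, algo) != localized_key(password, OTHER_ENGINE_ID, algo)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(f"{algo:4} Ku  = {password_to_ku(RFC_PASSWORD, algo).hex()}")
        print(f"{algo:4} Kul = {localized_key(RFC_PASSWORD, RFC_ENGINE_ID, algo).hex()}")
    print("AES-128 key =", aes128_privacy_key(localized_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1")).hex())
    print("key differs under another engine ID:", key_changes_with_engine_id(RFC_PASSWORD))
```

The md5 and sha1 values printed match the Kul values in RFC 3414 A.3.1 and A.3.2, which is a quick way to validate any tool that claims to generate SNMPv3 keys for an agent. Note that the stretching step is deliberate work, but it is not a modern password hash: a short or guessable authentication password can still be recovered offline by an attacker who captures authenticated traffic, so choose long random passwords.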
To create users, include the user statement at the [edit snmp v3 usm local-engine] hierarchy level.
To configure user authentication and encryption, include the authentication statement (authentication-md5, authentication-sha, or authentication-none) and the privacy statement (privacy-des, privacy-aes128, or privacy-none) at the [edit snmp v3 usm local-engine user username] hierarchy level, as in the example below.
Minimum SNMPv3 Configuration on a Device Running Junos OS
To configure the minimum requirements for SNMPv3, include a usm user definition and the vacm security-to-group and access statements at the [edit snmp v3] hierarchy level, and a view at the [edit snmp] hierarchy level.
You must configure at least one view (to be used as a notify, read, or write view) at the [edit snmp view view-name] hierarchy level.
Example: SNMPv3 Configuration
Define an SNMPv3 configuration:
[edit snmp]
engine-id {
    use-mac-address;
}
view jnxAlarms {
    oid 1.3.6.1.4.1.2636.3.4 include;
}
view interfaces {
    oid 1.3.6.1.2.1.2 include;
}
view ping-mib {
    oid 1.3.6.1.2.1.80 include;
}
[edit snmp v3]
notify n1 {
    tag router1;    # Identifies a set of target addresses
    type trap;      # Defines the type of notification
}
notify n2 {
    tag host1;
    type trap;
}
notify-filter nf1 {
    oid .1 include;     # Defines which traps to send; in this case, all traps
}
notify-filter nf2 {
    oid 1.3.6.1.4.1 include;    # Sends enterprise-specific traps only
}
notify-filter nf3 {
    oid 1.3.6.1.2.1.15 include;     # Sends BGP traps only (the BGP4-MIB subtree)
}
snmp-community index1 {
    community-name "$9$JOZi.QF/AtOz3"; # SECRET-DATA
    security-name john;     # Matches the security name at the target parameters
    tag host1;              # Selects, through the tag-list, the target addresses this community is valid for
}
target-address ta1 {        # Associates the target address with the group san-francisco
    address 10.1.1.1;
    address-mask 255.255.255.0;     # Defines the range of addresses
    port 162;
    tag-list router1;
    target-parameters tp1;  # Applies the configured target parameters
}
target-address ta2 {
    address 10.1.1.2;
    address-mask 255.255.255.0;
    port 162;
    tag-list host1;
    target-parameters tp2;
}
target-address ta3 {
    address 10.1.1.3;
    address-mask 255.255.255.0;
    port 162;
    tag-list "router1 host1";
    target-parameters tp3;
}
target-parameters tp1 {     # Defines the target parameters
    notify-filter nf1;      # Specifies which notify filter to apply
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john; # Matches the security name configured at the
                            # [edit snmp v3 snmp-community community-index] hierarchy level
    }
}
target-parameters tp2 {
    notify-filter nf2;
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john;
    }
}
target-parameters tp3 {
    notify-filter nf3;
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john;
    }
}
usm {
    local-engine {          # Defines authentication and encryption for SNMPv3 users
        user john {         # security-name john is defined here
            authentication-md5 {
                authentication-password authentication-password;
            }
            privacy-des {
                privacy-password privacy-password;
            }
        }
        user bob {          # security-name bob is defined here
            authentication-sha {
                authentication-password authentication-password;
            }
            privacy-none;
        }
        user julia {        # security-name julia is defined here
            authentication-none;
            privacy-none;
        }
        user lauren {       # security-name lauren is defined here
            authentication-sha {
                authentication-password authentication-password;
            }
            privacy-aes128 {
                privacy-password privacy-password;
            }
        }
        user richard {      # security-name richard is defined here
            authentication-sha {
                authentication-password authentication-password;
            }
            privacy-none;
        }
    }
}
vacm {
    access {
        group san-francisco {   # Defines the access privileges for the group san-francisco
            default-context-prefix {
                security-model v1 {
                    security-level none {
                        notify-view ping-mib;
                        read-view interfaces;
                        write-view jnxAlarms;
                    }
                }
            }
        }
    }
    security-to-group {
        security-model v1 {
            security-name john {    # Assigns john to security group san-francisco
                group san-francisco;
            }
            security-name bob {     # Assigns bob to security group new-york
                group new-york;
            }
            security-name julia {   # Assigns julia to security group chicago
                group chicago;
            }
            security-name lauren {  # Assigns lauren to security group paris
                group paris;
            }
            security-name richard { # Assigns richard to security group geneva
                group geneva;
            }
        }
    }
}
Two points about this example deserve attention before it is copied. First, everything that is actually wired together (community index1, group san-francisco, and targets ta1 through ta3) uses security-model v1 with security-level none, so the traps and john's read and write access carry no authentication or encryption. The five usm users are mapped to groups only under security-model v1, and no access entry exists for new-york, chicago, paris, or geneva, so as written none of them can read anything over SNMPv3. For an SNMPv3 deployment, map the user under security-model usm, grant access at security-level privacy (or at least authentication), and send notifications with message-processing-model v3, security-model usm, and security-level privacy. Second, of the user definitions shown, lauren (authentication-sha with privacy-aes128) is the combination to copy: authentication-md5 and privacy-des are legacy algorithms, and a user such as julia with authentication-none and privacy-none has no protection at all.
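The following is an added example written for this page in Python, not Junos code or a Juniper tool. It models the VACM decision described earlier (security-to-group lookup, then the access entry for the group, security model, and security level, then the read, write, or notify view) following RFC 3415, and it loads the views, the san-francisco group, and john's v1 mapping from the example configuration above so that the decisions can be checked. The ops-ro group, lauren's mapping under security-model usm, and the ifaces-no-mac view (interfaces minus ifPhysAddress) are assumptions added to show a usm/privacy group and an exclude subtree; they are not in the page's configuration.

```python
"""Model of the SNMPv3 VACM access check (RFC 3415), added example for this page."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Junos security-level keywords, ordered noAuthNoPriv < authNoPriv < authPriv
LEVEL_RANK = {"none": 1, "authentication": 2, "privacy": 3}
Oid = Tuple[int, ...]


def parse_oid(text: str) -> Oid:
    """'1.3.6.1.2.1.2' or '.1' -> tuple of arcs."""
    return tuple(int(x) for x in text.strip(".").split("."))


@dataclass
class View:
    """One 'view NAME { oid SUBTREE include|exclude; }' block."""
    families: Dict[Oid, str] = field(default_factory=dict)

    def include(self, subtree: str) -> "View":
        self.families[parse_oid(subtree)] = "include"
        return self

    def exclude(self, subtree: str) -> "View":
        self.families[parse_oid(subtree)] = "exclude"
        return self

    def contains(self, oid: Oid) -> bool:
        # RFC 3415 vacmViewTreeFamilyTable: the longest matching subtree decides,
        # so an exclude nested inside an include wins for objects under it.
        best: Optional[Tuple[Oid, str]] = None
        for subtree, kind in self.families.items():
            if oid[: len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, kind)
        return best is not None and best[1] == "include"


@dataclass
class Vacm:
    views: Dict[str, View]
    # security-to-group: (security-model, security-name) -> group
    groups: Dict[Tuple[str, str], str]
    # access: (group, security-model, security-level) -> {"read"|"write"|"notify": view-name}
    access: Dict[Tuple[str, str, str], Dict[str, str]]

    def allowed(self, model: str, name: str, level: str, op: str, oid: str) -> bool:
        group = self.groups.get((model, name))
        if group is None:
            return False  # noSuchGroup: the name was never mapped under this model
        # RFC 3415 section 3.2: of the entries for this group and model whose
        # securityLevel does not exceed the request's, the highest level applies.
        candidates = [
            (LEVEL_RANK[lvl], views)
            for (grp, mdl, lvl), views in self.access.items()
            if grp == group and mdl == model and LEVEL_RANK[lvl] <= LEVEL_RANK[level]
        ]
        if not candidates:
            return False  # noAccessEntry: the request arrived below the configured level
        view_name = max(candidates, key=lambda c: c[0])[1].get(op)
        if view_name is None:
            return False  # noSuchView: the group has no view of that kind
        return self.views[view_name].contains(parse_oid(oid))


def example_vacm() -> Vacm:
    """Views and san-francisco group from the page, plus the assumed usm group ops-ro."""
    views = {
        "jnxAlarms": View().include("1.3.6.1.4.1.2636.3.4"),
        "interfaces": View().include("1.3.6.1.2.1.2"),
        "ping-mib": View().include("1.3.6.1.2.1.80"),
        # assumed view: the interfaces subtree minus ifPhysAddress (1.3.6.1.2.1.2.2.1.6)
        "ifaces-no-mac": View().include("1.3.6.1.2.1.2").exclude("1.3.6.1.2.1.2.2.1.6"),
    }
    groups = {
        ("v1", "john"): "san-francisco",
        ("usm", "lauren"): "ops-ro",  # assumed: lauren mapped under security-model usm
    }
    access = {
        ("san-francisco", "v1", "none"): {"notify": "ping-mib", "read": "interfaces", "write": "jnxAlarms"},
        ("ops-ro", "usm", "privacy"): {"read": "ifaces-no-mac"},  # assumed: read-only at authPriv
    }
    return Vacm(views, groups, access)


if __name__ == "__main__":
    v = example_vacm()
    IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10.1"
    print("john  v1/none  read  ifInOctets  :", v.allowed("v1", "john", "none", "read", IF_IN_OCTETS))
    print("john  v1/none  read  jnxAlarms   :", v.allowed("v1", "john", "none", "read", "1.3.6.1.4.1.2636.3.4.1"))
    print("lauren usm/priv read ifInOctets  :", v.allowed("usm", "lauren", "privacy", "read", IF_IN_OCTETS))
    print("lauren usm/auth read ifInOctets  :", v.allowed("usm", "lauren", "authentication", "read", IF_IN_OCTETS))
    print("lauren usm/priv read ifPhysAddr  :", v.allowed("usm", "lauren", "privacy", "read", "1.3.6.1.2.1.2.2.1.6.1"))
```

Running it shows the two behaviours worth remembering when writing vacm statements: a request at a lower security level than the group's access entry is refused outright (lauren at authentication against a privacy-only entry), and a view is a set of subtrees in which the most specific match wins, so a single exclude can carve sensitive objects out of a broad include.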