Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configure SNMPv3

The QFX3500 switch supports SNMP version 3 (SNMPv3). SNMPv3 enhances the functionality of SNMPv1 and SNMPv2c by supporting user authentication and data encryption. SNMPv3 uses the user-based security model (USM) to provide security for SNMP messages, and the view-based access control model (VACM) for user access control.

SNMPv3 features include:

  • With USM, the SNMP messages between the SNMP manager and the agent can have the message source authenticated and the data integrity checked. USM reduces messaging delays and message replays by enforcing timeout limits and by checking for duplicate message request IDs.

  • VACM complements USM by providing user access control for SNMP queries to the agent. You define access privileges that you wish to extend to a group of one or more users. Access privileges are determined by the security model parameters (usm, v1, or v2) and security level parameters (authentication, privacy, or none). For each security level, you must associate one MIB view for the group. Associating a MIB view with a group grants the read, write, or notify permission to a set of MIB objects for the group.

  • You configure security parameters for each user, including the username, authentication type and authentication password, and privacy type and privacy password. The username given to each user is in a format that is dependent on the security model configured for that user.

  • To ensure messaging security, another type of username, called the security name, is included in the messaging data that is sent between the local SNMP server and the destination SNMP server. Each user name is mapped to a security name, but the security name is in a format that is independent of the security model.

  • Trap entries in SNMPv3 are created by configuring the notify, notify filter, target address, and target parameters. The notify statement specifies the type of notification (trap) and contains a single tag that defines a set of target addresses to receive a trap. The notify filter defines access to a collection of trap object identifiers (OIDs). The target address defines the address of an SNMP management application and other attributes used in sending notifications. Target parameters define the message processing and security parameters used in sending notifications to a particular target.

To configure SNMPv3, perform the following tasks:

Note:

SNMPv3 ensures enhanced security for SNMP messages by using USM with authentication and encryption keys. As a result, you don't need to restrict external machines when using SNMPv3 to query a router or switch. Therefore, SNMPv3 configuration on Junos OS or Junos OS Evolved does not support client list for access restriction.

However, SNMPv2 does require the use of client list to allow specific client machines to send SNMP queries, as it relies on community string based access.

Create SNMPv3 Users

For each SNMPv3 user, you can specify the username, authentication type, authentication password, privacy type, and privacy password. After a user enters a password, a key based on the engine ID and password is generated and written to the configuration file. After the generation of the key, you can delete the password from this configuration file.

You can configure only one encryption type for each SNMPv3 user.

To create users, include the user statement at the [edit snmp v3 usm local-engine] hierarchy level.

To configure user authentication and encryption, include the following statements at the [edit snmp v3 usm local-engine user username] hierarchy level.

Minimum SNMPv3 Configuration on a Device Running Junos OS

To configure the minimum requirements for SNMPv3, include the following statements at the [edit snmp v3] and [edit snmp] hierarchy levels.

You must configure at least one view (notify, read, or write) at the [edit snmp view-name] hierarchy level.

  1. Create users and configure authentication.
    user@host# set snmp v3 usm local-engine user superuser authentication-md5 authentication-password 12345678
    user@host#set snmp v3 usm local-engine user superuser privacy-aes128 privacy-password 12345678
  2. Configure access privileges to a group.
    user@host# set snmp v3 vacm access group supergroup default-context-prefix security-model usm security-level authentication context-match exact
    user@host# set snmp v3 vacm access group supergroup default-context-prefix security-model usm security-level authentication read-view readview
    user@host# set snmp v3 vacm access group supergroup default-context-prefix security-model usm security-level authentication write-view writeview
    user@host# set snmp v3 vacm access group supergroup default-context-prefix security-model usm security-level authentication notify-view notifyview
    user@host# set snmp v3 vacm security-to-group security-model usm security-name superuser group supergroup
  3. (Optional) Configure the target address properties to which the trap notification is sent.
    user@host# set snmp v3 target-address TA address <nms-ipaddress> tag-list trap_recv target-parameters tp1
    user@host# set snmp v3 target-parameters tp1 parameters message-processing-model v3 security-model usm security-level authentication security-name superuser
    user@host# set snmp v3 target-parameters tp1 notify-filter nfilter1
    user@host# set snmp v3 notify-filter nfilter1 oid .1 include
    user@host# set snmp v3 notify notify1 type trap tag trap_recv
  4. Configure snmp view to read, write and notify access to the MIB.
    user@host# set snmp view readview oid .1 include
    user@host# set snmp view writeview oid .1 include
    user@host# set snmp view notifyview oid .1 include

Example: SNMPv3 Configuration

Define an SNMPv3 configuration: