In contrast to SNMPv1 and SNMPv2, SNMP version 3 (SNMPv3) supports authentication and privacy (encryption) for the communication between the SNMP server and the managed devices. SNMPv3 uses the User-Based Security Model (USM) for message security (authentication and, where required, encryption). It also uses the View-Based Access Control Model (VACM) for access control, which determines what information from the managed devices a specific user or group of users can access. For more information regarding SNMPv3 support in the SRX, refer to SNMPv3 Overview.
This configuration example contains the SNMP-related commands needed to read and write information to and from the Junos device via the SNMPv3 protocol. It does not include the configuration related to SNMPv3 traps/notifications, which are unsolicited messages sent from the Junos device to the SNMP server upon the occurrence of certain events.
In this article, four users will be created with the characteristics mentioned below. In addition, these users will be grouped and provided with full access to the Junos device's information.
- User “NOAUTH” will use neither encryption nor authentication when polling information from the Junos device via SNMP.
- User “AUTHNOPRIV” will use authentication but no encryption when polling information from the Junos device via SNMP.
- User “AUTHPRIV” will use both authentication and encryption when polling information from the Junos device via SNMP.
- User “NOSNMPV3” will be created for backwards compatibility with the SNMPv2 protocol; because of this, it will only support authentication via a community string shared in clear text.
Note: The SNMPv3 configuration in this example also applies to other Junos devices; however, the configuration for the security zones is only needed if the device is an SRX. For switches/routers, make sure that SNMP is permitted by the firewall filter applied to lo0.
Topology
Configuration
- Create users.
set snmp v3 usm local-engine user NOAUTH authentication-none
set snmp v3 usm local-engine user AUTHNOPRIV authentication-md5 authentication-password JTACTEST
set snmp v3 usm local-engine user AUTHNOPRIV privacy-none
set snmp v3 usm local-engine user AUTHPRIV authentication-md5 authentication-password JTACTEST
set snmp v3 usm local-engine user AUTHPRIV privacy-des privacy-password JTACTEST
Note: User “NOSNMPV3” is not an SNMPv3 user and will not use the USM security model; there is no need to create it under this hierarchy.
- Group all four users in a group named SNMPV3GROUP.
set snmp v3 vacm security-to-group security-model v2c security-name NOSNMPV3 group SNMPV3GROUP
set snmp v3 vacm security-to-group security-model usm security-name NOAUTH group SNMPV3GROUP
set snmp v3 vacm security-to-group security-model usm security-name AUTHNOPRIV group SNMPV3GROUP
set snmp v3 vacm security-to-group security-model usm security-name AUTHPRIV group SNMPV3GROUP
Note: User “NOSNMPV3” is included in this group because it will share the same access privileges as the other users. However, its security model is v2c and not USM like the other users.
- Create an SNMP view that specifies that the users will be able to access all of the Junos device's OIDs. For more information about SNMP views, refer to Configuring MIB Views.
set snmp view SNMPVIEW oid .1 include
- Specify that users of group SNMPV3GROUP will have read and write access to the information specified in view SNMPVIEW.
set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level none read-view SNMPVIEW
set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level none write-view SNMPVIEW
set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level authentication read-view SNMPVIEW
set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level authentication write-view SNMPVIEW
set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level privacy read-view SNMPVIEW
set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model any security-level privacy write-view SNMPVIEW
Note: The above configuration grants read/write permission based on the following security levels:
- none: members of group SNMPV3GROUP that use neither encryption nor authentication.
- authentication: members of group SNMPV3GROUP that use authentication only.
- privacy: members of group SNMPV3GROUP that use both authentication and encryption.
- Specify the community that will be used by user NOSNMPV3, which does not support SNMPv3 and will use SNMPv2.
set snmp v3 snmp-community SNMPV3COMMUNITY community-name JTACCOMMUNITY
set snmp v3 snmp-community SNMPV3COMMUNITY security-name NOSNMPV3
- [If the Junos device is an SRX] Enable the SNMP protocol under Host-Inbound-Traffic in the security zone where the SNMP messages are received by the SRX. For more information about Host-Inbound-Traffic, refer to Controlling Inbound Traffic Based on Traffic Types.
set security zones security-zone JTACZONE host-inbound-traffic system-services snmp
Verification
For verification purposes, the shell of a Junos Space server was used to poll the sysDescr OID from the configured Junos device. This is included for illustration purposes:
- SNMPv2 user:
# snmpwalk -v 2c -c JTACCOMMUNITY 10.85.32.64 sysDescr
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx345 internet router, kernel JUNOS 15.1X49-D100.6, Build date: 2017-06-28 07:44:20 UTC Copyright (c) 1996-2017 Juniper Networks, Inc.
- SNMPv3 user with neither authentication nor encryption:
# snmpwalk -v 3 -l noAuthNoPriv -u NOAUTH 10.85.32.64 sysDescr
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx345 internet router, kernel JUNOS 15.1X49-D100.6, Build date: 2017-06-28 07:44:20 UTC Copyright (c) 1996-2017 Juniper Networks, Inc.
- SNMPv3 user with authentication but no encryption:
# snmpwalk -v 3 -l authNoPriv -u AUTHNOPRIV -a md5 -A JTACTEST 10.85.32.64 sysDescr
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx345 internet router, kernel JUNOS 15.1X49-D100.6, Build date: 2017-06-28 07:44:20 UTC Copyright (c) 1996-2017 Juniper Networks, Inc.
- SNMPv3 user with authentication and encryption:
# snmpwalk -v 3 -l authPriv -u AUTHPRIV -a md5 -A JTACTEST -x des -X JTACTEST 10.85.32.64 sysDescr
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx345 internet router, kernel JUNOS 15.1X49-D100.6, Build date: 2017-06-28 07:44:20 UTC Copyright (c) 1996-2017 Juniper Networks, Inc.
- Packet capture of an SNMPv3 communication with neither encryption nor authentication.
- Packet capture of an SNMPv3 communication with encryption and authentication.
Troubleshooting
If the communication between the SNMP server and the Junos device is not working, verify the following information:
- Is there IP connectivity between the SNMP server and the Junos device? A ping test can be used to confirm this.
- Is SNMP configured under Host-Inbound-Traffic for the correct security zone/interface, as shown in the Host-Inbound-Traffic configuration step above?
- Is the SNMP session seen on the SRX?
root@SRX# run show security flow session source-prefix [SNMP Server Address]
Session ID: 1234, Policy name: self-policy/1, Timeout: 1750, Valid
In: 10.85.42.144/33758 --> 10.85.32.64/161;udp, If: ge-0/0/0.0, Pkts: 2, Bytes: 92
Out: 10.85.32.64/161 --> 10.85.42.144/33758;udp, If: local, Pkts: 1, Bytes: 52
- Confirm that there is no firewall filter applied on the loopback interface or on the physical interface receiving the SNMP traffic that drops the SNMP messages.
- If the interface that receives the traffic is not the interface to which the SNMP packets are destined, a security policy is required to allow the SNMP messages to reach the destination interface. For example:
set security policies from-zone Untrust to-zone Trust policy ALLOW-SNMP match source-address any
set security policies from-zone Untrust to-zone Trust policy ALLOW-SNMP match destination-address INTERNAL-ADDRESS
set security policies from-zone Untrust to-zone Trust policy ALLOW-SNMP match application SNMP
set security policies from-zone Untrust to-zone Trust policy ALLOW-SNMP then permit
set security address-book global address INTERNAL-ADDRESS 10.85.32.64/32
set applications application SNMP protocol udp
set applications application SNMP destination-port 161
- Is the Junos device reachable via an interface in a custom routing-instance? If so, the routing-instance of the interface receiving the SNMP requests needs to be included in the SNMPv3 configuration; refer to KB27284.
- The SNMPv3 authentication key is calculated from the user's password and the value of the engine ID. If authentication is suspected to be failing, a fixed engine ID can be configured and the passwords re-entered to generate new keys, as follows:
- Delete the SNMP configuration and commit:
# delete snmp
# commit
- Delete the current SNMP engine ID from the shell. Then, in configuration mode, roll back to the previous SNMP configuration and add the local engine ID. The MAC address of any of the local interfaces can be used as the new engine ID value:
# run start shell
% rm /var/db/snmp_engine.db
% cli
> edit
# rollback 1
# set snmp engine-id local 30:b6:4f:02:29:06
# commit
Note: Refer to KB27191 to understand how this could affect SNMP communication in a chassis cluster.
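The key derivation behind this step, as an added example that is not part of the KB article: the RFC 3414 password-to-key and key-localization functions in Python, checked against the RFC's own MD5 test vector. The engine IDs used for the JTACTEST comparison are constructed values, not the Juniper engine ID format.

```python
# Added example, not from the Juniper KB article: RFC 3414 USM key derivation.
# Ku depends only on the password; Kul also mixes in the snmpEngineID, which
# is why a changed engine ID invalidates keys derived from the old one.
import hashlib

EXPAND_LEN = 1048576  # RFC 3414 A.2: the password is expanded to 1 MiB before hashing


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """Ku = H(password repeated and truncated to 1048576 bytes), RFC 3414 A.2.1."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(EXPAND_LEN, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), RFC 3414 section 2.6."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_auth_key(password: str, engine_id_hex: str, algo: str = "md5") -> bytes:
    """Localized authentication key; engine ID given as hex, ':' separators allowed."""
    engine_id = bytes.fromhex(engine_id_hex.replace(":", ""))
    if not engine_id:
        raise ValueError("empty engine ID")
    return localize_key(password_to_key(password, algo), engine_id, algo)


if __name__ == "__main__":
    # RFC 3414 Appendix A.3.1 vector: password "maplesyrup", engine ID 00..00 02
    print(usm_auth_key("maplesyrup", "000000000000000000000002").hex())
    # Constructed engine IDs (not a real Juniper engine ID format): same password,
    # different engine ID -> different Kul, so the peer's stored key no longer matches.
    k_old = usm_auth_key("JTACTEST", "01:02:03:04:05:06:07:08")
    k_new = usm_auth_key("JTACTEST", "01:02:03:04:05:06:07:09")
    print("engine ID change altered the localized key:", k_old != k_new)
```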
- Gather SNMP traceoptions for further debugging:
# set snmp traceoptions file snmp.tr
# set snmp traceoptions file size 5m
# set snmp traceoptions file files 5
# set snmp traceoptions file world-readable
# set snmp traceoptions flag all
# commit
After the configuration is committed, try the SNMP query and then review the logs:
> show log snmp.tr