Security Management

  • 1.  SNMPv3 with Client-list?

    Posted 02-20-2019 06:52

    Hi,

    I've configured SNMPv3 with auth/priv, and it works as expected.

    I would now like to limit the clients that can read the device via SNMP. With SNMPv2 you can use the client-list, but I don't see this option for SNMPv3?

    Any ideas?

    Kind regards



  • 2.  RE: SNMPv3 with Client-list?

    Posted 02-20-2019 06:59
    With SNMPV2 how can you use client list?

    Regards,
    PL


  • 3.  RE: SNMPv3 with Client-list?

    Posted 02-20-2019 07:19

    Don't know how that will help my question, but something like this:

    client-list READ {
        1.2.3.4/32;
    }

    community comvalue {
        authorization read-only;
        client-list-name READ;
    }



  • 4.  RE: SNMPv3 with Client-list?

    Posted 02-20-2019 07:54
    It should be the same for snmpv3 as well.
    Set snmp client-list ...

    Btw this forum is for management products like Junos Space, NSM and this query mainly looks to be for junos specific.

    Regards,
    PL


  • 5.  RE: SNMPv3 with Client-list?

    Posted 02-20-2019 08:15

    Apologies for the wrong section. Setting a client-list doesn't work.

    I currently have SNMPv3 set up, and I'm able to connect from every possible IP, without a client list.

    I would like to get this limited to our monitoring tools.


  • 6.  RE: SNMPv3 with Client-list?
    Best Answer

    Posted 02-21-2019 07:11

    Hi gvandaal,

    Restricting access to a certain IP and/or subnet in the [snmp] config stanza is not present for SNMPv3, AFAIK.

    But you can always use a control plane protection filter on the lo0.0 interface.

    Just create a rule to allow SNMP from your monitoring system IPs. For example:

    set policy-options prefix-list SNMP 10.1.1.1/32
    set policy-options prefix-list SNMP 192.168.1.0/24

    set firewall family inet filter CoPP term SNMP from source-prefix-list SNMP
    set firewall family inet filter CoPP term SNMP from protocol udp
    set firewall family inet filter CoPP term SNMP from destination-port snmp
    set firewall family inet filter CoPP term SNMP then accept
    set firewall family inet filter CoPP term SNMP then count SNMP

    Just don't forget to allow management traffic to your box.

    You can find more details on protecting the control plane of your Juniper routers in the "Day One: Securing the Routing Engine" book.

    Thanks,

    Alex
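Added example, not from this thread or from Juniper: a small Python model of the lo0 filter quoted in the best answer. It parses the `set` lines and decides accept/discard for constructed packets, which makes the implicit discard at the end of a Junos filter visible, i.e. why management traffic such as SSH needs its own term before the filter is applied to lo0. Packet tuples and the port-name table are constructed for the demo.

```python
import ipaddress
import shlex

# Constructed copy of the filter from the answer above (same names and prefixes).
CONFIG = """
set policy-options prefix-list SNMP 10.1.1.1/32
set policy-options prefix-list SNMP 192.168.1.0/24
set firewall family inet filter CoPP term SNMP from source-prefix-list SNMP
set firewall family inet filter CoPP term SNMP from protocol udp
set firewall family inet filter CoPP term SNMP from destination-port snmp
set firewall family inet filter CoPP term SNMP then accept
set firewall family inet filter CoPP term SNMP then count SNMP
"""
PORT_NAMES = {"snmp": 161, "ssh": 22}  # symbolic port names used in the config

def parse(config):
    """Build prefix-lists and ordered filter terms from 'set' lines."""
    prefix_lists, terms = {}, {}
    for line in config.strip().splitlines():
        w = shlex.split(line)
        if w[1:3] == ["policy-options", "prefix-list"]:
            prefix_lists.setdefault(w[3], []).append(ipaddress.ip_network(w[4]))
        elif w[1:4] == ["firewall", "family", "inet"]:
            term = terms.setdefault(w[7], {"from": {}, "then": []})
            if w[8] == "from":
                term["from"][w[9]] = w[10]
            else:
                term["then"].append(w[9])
    return prefix_lists, terms

def match(term, prefix_lists, pkt):
    """All 'from' conditions of a term must hold for the packet."""
    for key, val in term["from"].items():
        if key == "source-prefix-list":
            src = ipaddress.ip_address(pkt["src"])
            if not any(src in net for net in prefix_lists[val]):
                return False
        elif key == "protocol" and pkt["proto"] != val:
            return False
        elif key == "destination-port" and pkt["dport"] != int(PORT_NAMES.get(val, val)):
            return False
    return True

def evaluate(config, pkt):
    """First matching term wins; a term without a terminating action accepts.
    No term matched -> implicit discard, which is what locks out management."""
    prefix_lists, terms = parse(config)
    for term in terms.values():
        if match(term, prefix_lists, pkt):
            return "discard" if {"discard", "reject"} & set(term["then"]) else "accept"
    return "discard"
```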