Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  How to block/permit SNMP traffic?

    Posted 11-30-2011 08:32

    Hello All,

    I am not very familiar with the Junos style of ACLs, so I apologize.

    I would like to find out how to permit only certain SNMP traffic inbound. For example, I am receiving a large amount of SNMP Authentication Failures in SolarWinds Orion. When I run traceoptions, I see that I have incoming SNMP reads and read-writes for an unknown community and unknown IP address. I would like to only permit traffic to my server and block all other traffic.

    Per JTAC, I was told this can be done in the SNMP hierarchy by doing the following:

    user@host# set snmp community TEST clients 172.22.0.0/16
    user@host# set snmp community TEST clients 0.0.0.0/0 restrict

    This would permit only 172.22/16 clients but block everything else... however, this is not the case. I am still receiving Auth Failure alerts. Could someone assist in properly filtering this traffic?

    Thanks in advance.



  • 2.  RE: How to block/permit SNMP traffic?

    Posted 11-30-2011 11:02

    You could also define a term on your loopback (lo0.0) interface to drop any SNMP traffic not sourced from 172.22/16.

    Do you have an existing firewall filter on the loopback?

    I would also suggest moving to SNMPv3 if possible, as it provides greater control of authentication. If that is not possible and you must use SNMPv2c, I'd then suggest changing your community string if it is actually TEST.



  • 3.  RE: How to block/permit SNMP traffic?

    Posted 12-01-2011 06:22

    Thanks routenull0. I am running this config on my J4350. The community is actually not TEST, just used that as an example. My J4350 is running in packet mode currently, Junos 10.2R3.10. I do not currently have any firewall configs on this router.



  • 4.  RE: How to block/permit SNMP traffic?

    Posted 12-01-2011 06:45

    Even in packet-based mode, you still can define standard (non-zone based) filters to interface ingress/egress.



  • 5.  RE: How to block/permit SNMP traffic?

    Posted 12-02-2011 09:50

    Hi Marc,

    routenull0 is right, the Routing Engine protection firewall filter is the best way to stop this from happening. I think what you're seeing in the logs is normal because the connection has been made, but is refused by the SNMP subsystem's access control list.

    If you configure a firewall filter (like an ACL, not stateful, just packet rules) and apply it to lo0, it automatically applies to the Routing Engine even if you don't have an address on lo0.0. This will filter traffic inbound to the Routing Engine and its processes. You can explicitly allow SNMP from and to 172.22.0.0/16; everything else SNMP will get dropped before processing. This is generally good practice for all protocols because it reduces your attack surface of open services.

    Ben



  • 6.  RE: How to block/permit SNMP traffic?

    Posted 12-14-2011 11:55

    All,

    Thank you for the advice. I created a firewall filter to block the culprit networks causing the SNMP auth errors inbound on my T3 interface. I appreciate all of the assistance.

    -Marc



  • 7.  RE: How to block/permit SNMP traffic?

    Posted 12-14-2011 14:22

    Hi Marc, in your firewall filter you can also use the apply-path knob and get the list of allowed SNMP clients directly from the [edit snmp] stanza. Note that if you choose to go this way, you'll need to remove the "0.0.0.0/0 restrict" statement.

    set snmp community TEST clients 192.168.1.100
    set snmp community TEST clients 192.168.1.101
    set policy-options prefix-list pfx-allow-snmp-from apply-path "snmp community <*> clients <*>"

    This will give you:

    erdems@saab# show policy-options prefix-list pfx-allow-snmp-from | display inheritance
    ##
    ## apply-path was expanded to:
    ##     192.168.1.100/32;
    ##     192.168.1.101/32;
    ##
    apply-path "snmp community <*> clients <*>";

    HTH
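Putting replies 5 and 7 together, here is an added example (not posted by anyone in the thread) of a Routing Engine protection filter that permits UDP/161 only from the prefix-list built by apply-path and discards other SNMP before it reaches snmpd. The filter name protect-re, the counter name snmp-from-unknown and the prefix-list name are assumed for illustration; the community and client entries are the ones shown in reply 7.

```junos
/* Hypothetical names used here: protect-re, snmp-from-unknown, pfx-allow-snmp-from */
policy-options {
    prefix-list pfx-allow-snmp-from {
        /* Expands to every client configured under [edit snmp community <*> clients] */
        apply-path "snmp community <*> clients <*>";
    }
}
firewall {
    family inet {
        filter protect-re {
            term allow-snmp-from-nms {
                from {
                    source-prefix-list {
                        pfx-allow-snmp-from;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            term drop-other-snmp {
                from {
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    /* Count and log so the noise stays visible without ever reaching snmpd */
                    count snmp-from-unknown;
                    log;
                    discard;
                }
            }
            /* A Junos filter ends in an implicit discard; without this final term every
               other protocol reaching the RE (SSH, BGP, OSPF, ...) would be dropped too. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Because apply-path copies every clients entry into the prefix-list, the "0.0.0.0/0 restrict" line from the first post must be removed before committing this, otherwise the first term matches every source; after the commit, show firewall filter protect-re shows the snmp-from-unknown counter climbing for each dropped probe.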