Management

SNMPv3 with Client-list?

02-20-2019 06:52 AM

Hi,

I've configured SNMPv3 with auth/priv, and it works as expected.

I would now like to limit the clients that can read the device via SNMP. With SNMPv2 you can use the client-list, but I don't see this option for SNMPv3?

Any ideas?

Kind regards


Re: SNMPv3 with Client-list?

02-20-2019 06:59 AM
With SNMPv2, how can you use client-list?

Regards,
PL

Re: SNMPv3 with Client-list?

02-20-2019 07:18 AM

Don't know how that will help my question, but something like this:

client-list READ {
    1.2.3.4/32;
}

community comvalue {
    authorization read-only;
    client-list-name READ;
}


Re: SNMPv3 with Client-list?

02-20-2019 07:54 AM
It should be the same for SNMPv3 as well.
Set snmp client-list ...

Btw, this forum is for management products like Junos Space and NSM, and this query looks to be Junos-specific.

Regards,
PL

Re: SNMPv3 with Client-list?

02-20-2019 08:14 AM

Apologies for the wrong section. Setting a client-list doesn't work.

I currently have SNMPv3 set up, and I'm able to connect with every possible IP, without a client list.

I would like to get this limited to our monitoring tools.

Solution
Accepted by topic author gvandaal
02-22-2019 10:52 AM

Re: SNMPv3 with Client-list?

02-21-2019 07:10 AM

Hi gvandaal,

Restricting access to a certain IP and/or subnet in the [snmp] config stanza is not present for SNMPv3, afaik.

But you can always use a control plane protection filter on the lo0.0 interface.

Just create a rule to allow SNMP from your monitoring system IPs. For example:

set policy-options prefix-list SNMP 10.1.1.1/32
set policy-options prefix-list SNMP 192.168.1.0/24

set firewall family inet filter CoPP term SNMP from source-prefix-list SNMP
set firewall family inet filter CoPP term SNMP from protocol udp
set firewall family inet filter CoPP term SNMP from destination-port snmp
set firewall family inet filter CoPP term SNMP then accept
set firewall family inet filter CoPP term SNMP then count SNMP

Just don't forget to allow mgmt traffic to your box.

You can find more details on protecting the control plane of your Juniper routers in the "Day One: Securing the Routing Engine" book.

Thanks,

Alex
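The accepted answer shows the SNMP accept term but not the two pieces that make the lo0 filter actually enforce anything: the matching deny term for SNMP from everyone else, and the filter being applied to lo0.0. The following is an added example written for this thread; it is not from the original post or from Juniper documentation. It is the same filter in Junos brace (display) format so it can carry comments and be pasted with "load merge terminal". The prefix list contents and the term names SNMP-POLLERS, SNMP-ALLOWED, SNMP-DENIED and ALLOW-REST are constructed placeholders; replace them with your monitoring hosts. The final ALLOW-REST term is a deliberate design choice for this specific question: it leaves SSH, routing protocols, NTP and so on untouched so that this filter alone cannot lock you out, which is the "don't forget to allow mgmt traffic" caveat in Alex's answer. A full deny-by-default Routing Engine filter, as in the Day One book, needs an explicit term for every protocol the box must accept.

```junos
/* Added example for this thread, not from the original post.
   Prefixes and term names are assumed placeholders. */
policy-options {
    prefix-list SNMP-POLLERS {
        10.1.1.1/32;
        192.168.1.0/24;
    }
}
firewall {
    family inet {
        filter CoPP {
            /* Terms are evaluated top to bottom; first match wins. */
            term SNMP-ALLOWED {
                from {
                    source-prefix-list {
                        SNMP-POLLERS;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    count SNMP-ALLOWED;
                    accept;
                }
            }
            /* Any SNMP request that did not come from SNMP-POLLERS is
               counted, logged to syslog and dropped. SNMPv3 auth/priv
               still applies to the allowed hosts; this is defence in depth. */
            term SNMP-DENIED {
                from {
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    count SNMP-DENIED;
                    syslog;
                    discard;
                }
            }
            /* Everything else (SSH, BGP/OSPF, NTP, DNS ...) still passes,
               so applying this filter cannot lock you out of the box.
               Tighten to deny-by-default per the Day One book once the
               required protocols are enumerated. */
            term ALLOW-REST {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input CoPP;
                }
            }
        }
    }
}
```

Commit it with "commit confirmed 5" so the change rolls back by itself if you do lose access, then confirm with a plain "commit". To check it is working, run a poll from one listed and one unlisted host and watch "show firewall filter CoPP": the SNMP-ALLOWED counter should increment for the first, the SNMP-DENIED counter for the second, and the denied packets also show up in syslog. Note that this is a "family inet" filter; if the device answers SNMP over IPv6 it needs a separate "family inet6" filter on lo0 with the same logic, or v6 pollers will bypass the restriction.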