Restricting users to only view parts of the SNMP tree – Junos

This post is similar to an earlier one where I described how to do this in IOS: http://mellowd.co.uk/ccie/?p=2332

I recently had a project where I had to give certain customers full read access to a subinterface on a Juniper SRX. I wanted them to see the system via SNMP, but only see their subinterface and subinterface stats.

The first part of this is getting the SNMP ifIndex value, which you can get very easily:

darrenolocal> show interfaces ge-0/0/0.0 | match SNMP
  Logical interface ge-0/0/0.0 (Index 73) (SNMP ifIndex 656)

For this subinterface I need to reference 656.

Now we create the view:

darrenolocal> show configuration snmp
view CUSTOMER1 {
    oid ifName.656;
    oid ifDescr.656;
    oid ifInErrors.656;
    oid ifOutErrors.656;
    oid ifOperStatus.656;
    oid ifInOctets.656;
    oid ifOutOctets.656;
    oid sysDescr.0;
    oid sysUpTime.0;
    oid sysContact.0;
    oid sysName.0;
    oid sysLocation.0;
    oid ifNumber.656;
    oid ifHCInOctets.656;
    oid ifHCOutOctets.656;
    oid ifIndex.656;
    oid ifNumber.*;
}

Here I’ve given them a number of OIDs, each tied to that interface index value, so they can only see that one subinterface. I’ve also allowed them to see the system name, uptime, and various other things.

I now bind this view to a community and allow only the customer to view it:

darrenolocal> show configuration snmp
community CUSTOMER1 {
    view CUSTOMER1;
    clients {
        192.168.100.1/32;
    }
}

As a test, let’s do an snmpwalk from the monitoring station using this community now:

C:\snmpwalk>snmpwalk -v 1 -c CUSTOMER1 192.168.31.252
iso.3.6.1.2.1.1.1.0 = STRING: "Juniper Networks, Inc. srx210h internet router, kernel JUNOS 12.1X45-D10 #0: 2013-07
-04 06:05:04 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X45-D10/obj-octeon/junos/bsd/k
ernels/JSRXNLE/kernel Build date: 2013-07-04 07:32:04 U"
iso.3.6.1.2.1.1.3.0 = Timeticks: (7437040) 20:39:30.40
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = ""
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.2.1.0 = INTEGER: 48
iso.3.6.1.2.1.2.2.1.1.656 = INTEGER: 656
iso.3.6.1.2.1.2.2.1.2.656 = STRING: "ge-0/0/0.0"
iso.3.6.1.2.1.2.2.1.8.656 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.10.656 = Counter32: 19240538
iso.3.6.1.2.1.2.2.1.14.656 = Counter32: 0
iso.3.6.1.2.1.2.2.1.16.656 = Counter32: 19226558
iso.3.6.1.2.1.2.2.1.20.656 = Counter32: 0
iso.3.6.1.2.1.31.1.1.1.1.656 = STRING: "ge-0/0/0.0"
iso.3.6.1.2.1.31.1.1.1.6.656 = Counter64: 19240538
iso.3.6.1.2.1.31.1.1.1.10.656 = Counter64: 19226558
End of MIB

A nice short walk giving them just what you want and nothing more.
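To make that check repeatable, the following added example (not from the original post) audits numeric snmpwalk output and reports any OID that falls outside the system scalars, ifNumber, or the customer's own ifIndex rows. The function name `audit_walk` and the sample lines are assumptions constructed for illustration.

```python
import re

# Scalars the CUSTOMER1 view exposes: sysDescr, sysUpTime, sysContact,
# sysName, sysLocation (system group) and ifNumber, all instance .0
ALLOWED_SCALARS = {"1.3.6.1.2.1.1.%d.0" % n for n in (1, 3, 4, 5, 6)} | {"1.3.6.1.2.1.2.1.0"}
# ifTable and ifXTable entries have the form <prefix><column>.<ifIndex>
IF_PREFIXES = ("1.3.6.1.2.1.2.2.1.", "1.3.6.1.2.1.31.1.1.1.")
# Numeric walk lines as printed on the page ("iso.3.6...") or as ".1.3.6..."
LINE_RE = re.compile(r"^(?:iso|\.?1)\.([0-9.]+) = ")

def audit_walk(walk_text, allowed_ifindexes):
    """Return (oid, reason) for every walked OID outside the intended view."""
    allowed = {str(i) for i in allowed_ifindexes}
    findings = []
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped string continuation or "End of MIB"
        oid = "1." + m.group(1)
        if oid in ALLOWED_SCALARS:
            continue
        prefix = next((p for p in IF_PREFIXES if oid.startswith(p)), None)
        if prefix is None:
            findings.append((oid, "outside system/interface OIDs"))
            continue
        _column, _, index = oid[len(prefix):].partition(".")
        if index not in allowed:
            findings.append((oid, "row for ifIndex " + index))
    return findings

# Constructed sample: lines in the page's output format plus two invented
# leaks (a row for another ifIndex, and an ipAddrTable row).
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.3.0 = Timeticks: (7437040) 20:39:30.40
iso.3.6.1.2.1.2.1.0 = INTEGER: 48
iso.3.6.1.2.1.2.2.1.10.656 = Counter32: 19240538
iso.3.6.1.2.1.2.2.1.10.657 = Counter32: 123
iso.3.6.1.2.1.31.1.1.1.6.656 = Counter64: 19240538
iso.3.6.1.2.1.4.20.1.1.192.0.2.1 = IpAddress: 192.0.2.1
End of MIB
"""

if __name__ == "__main__":
    for oid, reason in audit_walk(SAMPLE_WALK, [656]):
        print("UNEXPECTED", oid, "-", reason)
```

An empty result for a customer's community means the walk exposed nothing beyond what the view was meant to allow.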

© 2009-2020 Darren O'Connor All Rights Reserved