Chapter 4. SNMP

Recipe 4.5. Using a Firewall Filter to Protect SNMP Access

4.5.1. Problem

You already have a firewall filter applied to your interfaces and want to add a term that limits SNMP access to the router to your NMS systems.

4.5.2. Solution

Add a term to the existing firewall filter that accepts SNMP requests only from the desired NMS systems:

	[edit firewall filter protect-RE term allow-snmp-from-nms-systems]
	aviva@router1# set from source-address 10.0.0.1/32 
	aviva@router1# set from source-address 10.0.5.1/32 
	aviva@router1# set from source-address 10.0.6.1/32 
	aviva@router1# set from source-address 10.10.1.50/32 
	aviva@router1# set from protocol udp 
	aviva@router1# set from destination-port snmp 
	aviva@router1# set then accept 

For the filter to affect incoming traffic, apply it to the desired interfaces:

	[edit interfaces]
	aviva@router1# set fe-0/0/0 unit 0 family inet filter input protect-RE

4.5.3. Discussion

An interface can have one input and one output firewall filter per protocol family, so if you already have filters in place that control incoming and outgoing traffic, add a term for NMS access to them rather than creating a separate filter. To filter polling requests from NMS systems, add the term to the input filter; to filter the router's responses, add it to the output filter. This term allows four NMS systems, each identified by a host (/32) address, to send SNMP requests to the router. The destination-port option matches the UDP destination port (snmp, port 161), and the protocol udp option is included because SNMP requests and responses are carried over UDP, not TCP. A Junos firewall filter discards any packet that no term accepts, so once this term is in place SNMP packets from any other source are dropped, provided no other term in the filter accepts them. Keep in mind that a source-address match is only as trustworthy as the source address itself: UDP is easy to spoof, so this term complements, rather than replaces, the community and client restrictions configured under [edit snmp].

You then have to decide where in the filter to place the term. Because the terms in a firewall filter are evaluated in the order in which they appear, and evaluation stops at the first matching term, placement affects the efficiency of the filter (and its correctness only if the terms' match conditions overlap). Generally, terms for operations that need to be handled quickly, such as BGP peering and IGP and DNS traffic, go at the beginning of the filter. For operations that are less time-critical, including SNMP polling, place the term toward the end of the filter.

For the filter to do anything, you apply it to the desired interface with the set filter input command.

To create a parallel filter for outbound SNMP traffic, incorporate a matching term into the interface's output firewall filter and then apply that filter on the outgoing side:

	[edit interfaces]
	aviva@router1# set fe-0/0/0 unit 0 family inet filter output outgoing-from-me

Fashion the term for outgoing SNMP a bit differently to allow the router to send SNMP traps. Specify a source port of snmp (port 161) and a destination port of snmptrap (port 162); as with the inbound term, the match conditions go under the from keyword and the term needs an accept action:

	[edit firewall filter outgoing-from-me term allow-snmp-to-nms-systems]
	aviva@router1# set from protocol udp 
	aviva@router1# set from source-port snmp 
	aviva@router1# set from destination-port snmptrap 
	aviva@router1# set then accept 

Before relying on the source-port condition, confirm which source port your router actually uses for its traps, for example by watching port 162 traffic with the monitor traffic interface command. If traps leave from an ephemeral port, the term above will not match them; drop the source-port condition and match on destination-port snmptrap alone. Responses to NMS polls are a separate case: they leave the router with source port 161 and an ephemeral destination port, so they need their own term if the output filter is to pass them.

Instead of listing addresses individually in the from source-address portion of the configuration, you can create a prefix list and reference it with the source-prefix-list match condition. A prefix list is simply a named list of IP prefixes created in the [edit policy-options] portion of the configuration and then referred to in firewall filters and routing policies. Keeping the NMS addresses in one list means that adding or retiring an NMS system is a change in one place rather than in every filter term that mentions it.
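The following set-command configuration is an added example and is not taken from the JUNOS Cookbook. It pulls the pieces of this recipe together around a prefix list: the input term, a narrowly scoped term that counts and logs rejected SNMP requests, and the output filter split into one term for poll responses and one for traps. The filter names protect-RE and outgoing-from-me and the NMS addresses are the recipe's; the prefix-list name nms-systems, the term names deny-other-snmp, allow-snmp-responses and allow-snmp-traps, and the counter names are assumptions made for the example. The example goes beyond the recipe in separating responses from traps and in assuming that traps leave from an ephemeral source port, which you should verify on your own router.

```junos
# Added example, not from the JUNOS Cookbook. Load with "load set terminal"
# in configuration mode, then "commit check" before committing.

# 1. One named list of NMS hosts (name assumed), referenced by both filters.
set policy-options prefix-list nms-systems 10.0.0.1/32
set policy-options prefix-list nms-systems 10.0.5.1/32
set policy-options prefix-list nms-systems 10.0.6.1/32
set policy-options prefix-list nms-systems 10.10.1.50/32

# 2. Input filter: accept SNMP requests only from the listed hosts.
set firewall filter protect-RE term allow-snmp-from-nms-systems from source-prefix-list nms-systems
set firewall filter protect-RE term allow-snmp-from-nms-systems from protocol udp
set firewall filter protect-RE term allow-snmp-from-nms-systems from destination-port snmp
set firewall filter protect-RE term allow-snmp-from-nms-systems then count snmp-accepted
set firewall filter protect-RE term allow-snmp-from-nms-systems then accept

#    Junos would discard unmatched SNMP anyway; this term only makes the
#    rejects visible (counter and firewall log) without touching the other
#    terms already in protect-RE. It must sit after the accept term above.
set firewall filter protect-RE term deny-other-snmp from protocol udp
set firewall filter protect-RE term deny-other-snmp from destination-port snmp
set firewall filter protect-RE term deny-other-snmp then count snmp-rejected
set firewall filter protect-RE term deny-other-snmp then log
set firewall filter protect-RE term deny-other-snmp then discard

# 3. Output filter. Poll responses leave from source port 161 to an
#    ephemeral port on the NMS; traps go to destination port 162 and are
#    assumed here to use an ephemeral source port.
set firewall filter outgoing-from-me term allow-snmp-responses from destination-prefix-list nms-systems
set firewall filter outgoing-from-me term allow-snmp-responses from protocol udp
set firewall filter outgoing-from-me term allow-snmp-responses from source-port snmp
set firewall filter outgoing-from-me term allow-snmp-responses then accept
set firewall filter outgoing-from-me term allow-snmp-traps from destination-prefix-list nms-systems
set firewall filter outgoing-from-me term allow-snmp-traps from protocol udp
set firewall filter outgoing-from-me term allow-snmp-traps from destination-port snmptrap
set firewall filter outgoing-from-me term allow-snmp-traps then accept

# 4. Apply both filters to the interface facing the NMS systems.
set interfaces fe-0/0/0 unit 0 family inet filter input protect-RE
set interfaces fe-0/0/0 unit 0 family inet filter output outgoing-from-me
```

Because set commands append new terms to the end of a filter, use the insert command (for example, insert firewall filter protect-RE term deny-other-snmp after term allow-snmp-from-nms-systems) if protect-RE already has later terms that the new ones must precede. After committing, show firewall filter protect-RE displays the snmp-accepted and snmp-rejected counters, and show firewall log lists the discarded requests with their source addresses, which is a quick way to confirm both that the NMS systems are reaching the router and who else is trying. On a production router the input filter is usually applied to lo0.0 so that it covers RE-bound traffic arriving on every interface; this example follows the recipe in applying it per interface.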

4.5.4. See Also

Recipes 9.3, 9.15, and 9.16