Tracking Router Configuration Changes

Problem

You want an NMS system to track when the router's configuration has been changed.

Solution

First, define the NMS system and its password:

	[edit snmp v3]
	aviva@router1# set usm local-engine user nms2 authentication-sha authentication-password $0212roZH
	aviva@router1# set usm local-engine user nms2 privacy-des privacy-password 0212roZH

Then, define two views that allow the NMS access to the configuration information. The first view defines what the NMS can read from the MIB:

	[edit snmp v3]
	aviva@router1# set view config-info-read oid jnxCfgMgmt include

The second view sets what the router includes in notifications sent to the NMS:

	[edit snmp v3]
	aviva@router1# set view config-info-notify oid jnxCfgMgmt include
	aviva@router1# set view config-info-notify oid jnxCmNotifications include
	aviva@router1# set view config-info-notify oid snmpMIBObjects include
	aviva@router1# set view config-info-notify oid system include

Finally, create groups and their users and assign access privileges for the groups:

	[edit snmp v3]
	aviva@router1# set vacm security-to-group security-model usm security-name nms2 group config-only
	aviva@router1# set vacm access group config-only default-context-prefix security-model usm security-level privacy read-view config-info-read
	aviva@router1# set vacm access group config-only default-context-prefix security-model usm security-level privacy notify-view config-info-notify
Discussion

To track configuration changes over SNMP, use the Juniper Networks enterprise configuration management MIB (the jnxCfgMgmt subtree), which records who changed the configuration and when. This recipe gives the NMS system called nms2 access to that configuration information.

The first commands in this recipe configure USM for security, with SHA-1 authentication and DES encryption of the message payload. You then create two views, one that defines what nms2 can read from the MIB and a second that sets what the router can include in notifications. The final commands configure VACM: they map the USM user nms2 into the group config-only and give that group the read view and the notify view, at security level privacy.

Again, this recipe is somewhat involved, so here's what the resulting configuration looks like after you issue the commands in this recipe, with some added comments:

	[edit snmp]
	aviva@router1# show | except SECRET-DATA
	v3 {
	    usm { # <-- which NMS systems can access the router
	        local-engine {
	            user nms2 {
	                authentication-sha {
	                }
	                privacy-des {
	                }
	            }
	        }
	    }
	    vacm { # <-- what the NMS systems can access on the router
	        security-to-group { # <-- which access group each NMS is in
	            security-model usm {
	                security-name nms2 {
	                    group config-only;
	                }
	            }
	        }
	        access { # <-- which MIB views the NMS systems can access
	            group config-only {
	                default-context-prefix {
	                    security-model usm {
	                        security-level privacy {
	                            read-view config-info-read;
	                            notify-view config-info-notify;
	                        }
	                    }
	                }
	            }
	        }
	    }
	}
	view config-info-read { # <-- view of enterprise configuration management objects
	    oid jnxCfgMgmt include;
	}
	view config-info-notify { # <-- view for objects used by SNMPv3 traps
	    oid jnxCfgMgmt include;
	    oid jnxCmNotifications include;
	    oid snmpMIBObjects include;
	    oid system include;
	}
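To see why the chain above is as long as it is, it helps to walk a request through it: USM identifies the user, security-to-group puts the user in a group, the access entry for that group picks the views, and the view decides whether the requested OID subtree is visible. The following Python models exactly that chain for the configuration in this recipe. It is an added example, not code from the book or from Juniper. The numeric OIDs behind jnxCfgMgmt and jnxCmNotifications are assumptions (check JUNIPER-SMI and JUNIPER-CFGMGMT-MIB on your Junos release); system and snmpMIBObjects are the standard MIB-II and SNMPv2-MIB values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Numeric OIDs behind the names used in the recipe. The two Juniper values are
# assumptions (verify against the MIB files shipped with your Junos release);
# the other two are standard MIB-II (RFC 1213) and SNMPv2-MIB (RFC 3418) objects.
OIDS = {
    "jnxCfgMgmt": "1.3.6.1.4.1.2636.3.18",         # assumption
    "jnxCmNotifications": "1.3.6.1.4.1.2636.4.5",  # assumption
    "snmpMIBObjects": "1.3.6.1.6.3.1.1",
    "system": "1.3.6.1.2.1.1",
}

# Junos security-level keywords, ordered: a request at a given level satisfies
# an access entry that requires that level or a lower one, never a higher one.
LEVELS = {"none": 0, "authentication": 1, "privacy": 2}


def _under(oid: str, prefix: str) -> bool:
    """True if oid is prefix itself or lies in the subtree below it."""
    return oid == prefix or oid.startswith(prefix + ".")


@dataclass
class View:
    name: str
    entries: List[Tuple[str, str]]  # (oid prefix, "include" | "exclude")

    def permits(self, oid: str) -> bool:
        # VACM view resolution: the longest matching prefix decides, so an
        # "exclude" only wins when it is more specific than every "include".
        best: Optional[Tuple[str, str]] = None
        for prefix, action in self.entries:
            if _under(oid, prefix) and (best is None or len(prefix) > len(best[0])):
                best = (prefix, action)
        return best is not None and best[1] == "include"


@dataclass
class Access:
    group: str
    security_model: str
    security_level: str          # minimum level the request must carry
    read_view: Optional[str] = None
    notify_view: Optional[str] = None


@dataclass
class Vacm:
    security_to_group: Dict[Tuple[str, str], str]  # (model, security-name) -> group
    access: List[Access]
    views: Dict[str, View]

    def _select_access(self, model: str, security_name: str, level: str) -> Optional[Access]:
        group = self.security_to_group.get((model, security_name))
        if group is None:
            return None  # unknown user: no group, no access
        candidates = [a for a in self.access
                      if a.group == group and a.security_model == model
                      and LEVELS[level] >= LEVELS[a.security_level]]
        # Several entries may match; like RFC 3415, prefer the most demanding one.
        return max(candidates, key=lambda a: LEVELS[a.security_level], default=None)

    def allowed(self, kind: str, model: str, security_name: str, level: str, oid: str) -> bool:
        """kind is 'read' (Get/GetNext/walk) or 'notify' (objects allowed in traps)."""
        acc = self._select_access(model, security_name, level)
        if acc is None:
            return False
        view_name = acc.read_view if kind == "read" else acc.notify_view
        return view_name is not None and self.views[view_name].permits(oid)


def recipe_vacm() -> Vacm:
    """The VACM state produced by the commands in this recipe."""
    views = {
        "config-info-read": View("config-info-read", [(OIDS["jnxCfgMgmt"], "include")]),
        "config-info-notify": View("config-info-notify", [
            (OIDS["jnxCfgMgmt"], "include"),
            (OIDS["jnxCmNotifications"], "include"),
            (OIDS["snmpMIBObjects"], "include"),
            (OIDS["system"], "include"),
        ]),
    }
    return Vacm(
        security_to_group={("usm", "nms2"): "config-only"},
        access=[Access("config-only", "usm", "privacy",
                       read_view="config-info-read", notify_view="config-info-notify")],
        views=views,
    )


if __name__ == "__main__":
    v = recipe_vacm()
    for kind, user, level, oid in [
        ("read", "nms2", "privacy", OIDS["jnxCfgMgmt"] + ".1.2.0"),   # a config-change object
        ("read", "nms2", "privacy", OIDS["system"] + ".1.0"),         # sysDescr: notify-only
        ("read", "nms2", "authentication", OIDS["jnxCfgMgmt"] + ".1.2.0"),  # no privacy
        ("notify", "nms2", "privacy", OIDS["system"] + ".3.0"),       # sysUpTime in a trap
    ]:
        print(kind, user, level, oid, "->", v.allowed(kind, "usm", user, level, oid))
```

The cases worth noticing are the denials: nms2 cannot read the system group, because system is only in the notify view, and an authNoPriv request from nms2 is refused outright, because the access entry demands security-level privacy. That is the scoping the recipe buys with its two separate views, and it is the check to re-run whenever an `oid ... include` line is added to either view.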

JUNOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596100140
Year: 2007
Pages: 290
Author: Aviva Garrett