Problem
You have a firewall filter on your interfaces and want to add a term to restrict NMS system access to the router.
Solution
You can add a term to the existing firewall filter that allows access to the desired NMS systems:
Add a term to an existing firewall filter that restricts SNMP access to the router to these NMS systems:
[edit firewall filter protect-RE term allow-snmp-from-nms-systems]
aviva@router1# set from source-address 10.0.0.1/32
aviva@router1# set from source-address 10.0.5.1/32
aviva@router1# set from source-address 10.0.6.1/32
aviva@router1# set from source-address 10.10.1.50/32
aviva@router1# set from protocol udp
aviva@router1# set from destination-port snmp
aviva@router1# set then accept
For the filter to affect incoming traffic, apply it to the desired interfaces:
[edit interfaces]
aviva@router1# set fe-0/0/0 unit 0 family inet filter input protect-RE
Discussion
An interface can have one inbound and one outbound firewall filter, so if you already have filters in place that control the incoming and outgoing interface traffic, you can add a term that applies to NMS access. To filter polling requests from NMS systems, add the term to the inbound filter; to filter the router's responses, add it to the outbound filter. This term allows four NMS systems, all identified by IP address, to send SNMP requests to the router. The destination-port option matches the SNMP port number in the destination port field of the packet's UDP header, and you include the protocol udp option because SNMP exchanges use UDP, not TCP.
You then have to decide where in the filter to place the term. Because the terms in the firewall filter are evaluated in the order in which they appear, the placement affects the efficiency of the filter. Generally, terms for operations that need to be performed quickly, such as BGP peering and IGP and DNS traffic, are at the beginning of the filter. For operations that are less time-critical, including processing SNMP traffic, place the term towards the end of the filter.
For the filter to do anything, you apply it to the desired interface with the set filter input command.
To create a parallel filter for outbound SNMP traffic, you can incorporate the same term into the interface's outbound firewall filter and then apply it on the outgoing side:
[edit interfaces]
aviva@router1# set fe-0/0/0 unit 0 family inet filter output outgoing-from-me
Fashion the firewall filter for outgoing SNMP a bit differently to allow the router to send SNMP traps. Specify a source port of snmp (port 161) and a destination port of snmptrap (port 162):
[edit firewall filter outgoing-from-me]
aviva@router1# set term allow-snmp-to-nms-systems from source-port snmp
aviva@router1# set term allow-snmp-to-nms-systems from destination-port snmptrap
Instead of listing addresses individually in the from source-address portion of the configuration, a shortcut creates a prefix list and then just references the list. A prefix list is simply a named list of IP prefixes created in the [edit policy-options] portion of the configuration and then referred to in firewall filters and in routing policies.
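The prefix-list form of the inbound term, together with the matching outbound term, written out as an added example in Junos configuration syntax (this is not configuration from the original recipe). The list name nms-systems, and the protocol udp and then accept lines on the outbound term, are assumptions beyond what the recipe shows:

```junos
/* Named list of the four NMS addresses, defined once and referenced
   from any firewall filter or routing policy (list name assumed). */
policy-options {
    prefix-list nms-systems {
        10.0.0.1/32;
        10.0.5.1/32;
        10.0.6.1/32;
        10.10.1.50/32;
    }
}
firewall {
    filter protect-RE {
        /* Inbound: SNMP polls (UDP/161) from listed NMS systems only. */
        term allow-snmp-from-nms-systems {
            from {
                source-prefix-list {
                    nms-systems;
                }
                protocol udp;
                destination-port snmp;
            }
            then accept;
        }
    }
    filter outgoing-from-me {
        /* Outbound: poll replies from UDP/161 and traps to UDP/162,
           restricted to the same NMS systems (protocol udp and
           then accept added here as assumptions). */
        term allow-snmp-to-nms-systems {
            from {
                destination-prefix-list {
                    nms-systems;
                }
                protocol udp;
                source-port snmp;
                destination-port snmptrap;
            }
            then accept;
        }
    }
}
```

Adding a host to the prefix list updates every filter that references it, which avoids the inconsistent per-filter address lists that often creep in when the same hosts are typed into several terms.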
See Also
Recipes 9.3, 9.15, and 9.16