Complete SNMP Configuration
Overview
Highlight supports SNMP v1, v2c, and v3. There are two elements to the commands needed:
- Limit access to the Highlight polling agents, by means of access control lists or similar
- Define a community string (v1/v2c), or authentication parameters (v3), which must match those set up in Highlight
For manufacturer-specific examples, refer to the relevant section below:
Generic SNMP Access
The following configuration steps need to be taken to allow SNMP communication from the server(s) hosting the Highlight pollers. Other IP sources will be blocked from using the SNMP community string configured.
- Log onto the router using the management web interface.
- Navigate to the Admin menu that allows you to modify the SNMP settings and the IP addresses that are allowed to poll your router.
- Depending on your router model, select the appropriate system security menu option and enable SNMP Management.
- Set your Get Community (Read only) and Set Community (Read-Write) to a string of your choice. The defaults of "public" and "private" must be changed.
- Add in the IP addresses of the Highlight pollers as allowed SNMP sources. This is sometimes called the Manager Host IP (IPv4).
- Some router models require you to enable remote management via the internet so you may need to enable the SNMP Server option in the Internet Access Control section if your router has this option.
- Apply and save the configuration. The device may need to be rebooted, depending on the model.
Always check to ensure you can still remotely manage the device; then continue to the next stage in adding the device as a watch in Highlight.
Cisco Basic SNMP Access
The following lines of configuration allow read-only SNMP communication from the server(s) hosting the Highlight polling of the device. Other IP sources will be blocked from using the SNMP community string configured.
SNMP v1/v2c
access-list 90 permit host **IP ADDRESS OF PRIMARY SERVER**
access-list 90 permit host **IP ADDRESS OF SECONDARY SERVER**
snmp-server community highlightREAD RO 90
where highlightREAD is the configured community string on the device, and 90 is any available access-list number or name.
SNMP v3
access-list 90 permit host **IP ADDRESS OF PRIMARY SERVER**
access-list 90 permit host **IP ADDRESS OF SECONDARY SERVER**
snmp-server group groupREAD v3 priv access 90
snmp-server user userREAD groupREAD v3 auth sha [auth_key] priv aes 128 [priv_key]
where 90 is any available access-list number or name, and the keys are at least 8 characters in length.
Cisco Performance SNMP Access
In order to utilise the performance visibility elements of Highlight the device needs to allow write access to the RTTMon MIB - a very small subset of the MIB tree only responsible for building IP SLA tests on the router. The 'view' line limits the WRITE access to the RTTMon MIB and the separate community string (still supported by access-list restrictions) adds another layer of authentication to the WRITE process:
SNMP v1/v2c
snmp-server view rttview ciscoRttMonMIB included
snmp-server community highlightWRITE view rttview RW 90
where highlightWRITE is the Read-Write SNMP password which must not be the same as the password used for Read-Only access; rttview is a view name used to restrict the SNMP read-write access; and 90 is the access-list number or name as used for Basic SNMP access.
SNMP v3
snmp-server view rttview ciscoRttMonMIB included
snmp-server group groupWRITE v3 priv write rttview access 90
snmp-server user userWRITE groupWRITE v3 auth sha [auth_key] priv aes 128 [priv_key]
where rttview is a view name used to restrict the SNMP read-write access; and 90 is the access-list number or name as used for Basic SNMP access.
Additional configuration
The Precision Delay and MOS tests require a Cisco device as a target with the following configuration, and similarly a UDP Echo test between routers also requires this configuration on the target:
ip sla responder
Cisco Application Level SNMP Access
There are two ways to enable application visibility in Highlight. The first is via the NBAR application in Cisco routers, and details can be found on the NBAR configuration page.
Alternatively application visibility could be enabled using Flow, and details can be found on the Flow configuration page.
Both NBAR and Flow are needed to enable AppVis™.
Cisco Quality of Service SNMP Access
Highlight is capable of showing traffic levels and health of individual classes of service.
The Basic SNMP Access defined above will show traffic for any outbound classes.
Because ISPs normally only set outbound QoS, to see a full 2-direction view of traffic it is necessary to add an inbound policy which, although not setting any prioritisation or queueing, does create SNMP counters for each class. The configuration is fully dependent on the configuration of the outbound QoS policy - read Class of Service for further details.
Huawei configuration example
Whether using SNMP v2c or v3, restrict SNMP access with an access control list as follows:
acl 2090
rule 5 permit source **IP ADDRESS OF PRIMARY SERVER** 0
rule 10 permit source **IP ADDRESS OF SECONDARY SERVER** 0
where 2090 is any available access-list number or name.
SNMP v2c
Additional code to set up SNMP access:
snmp-agent sys-info version v2c
snmp-agent community read highlightREAD acl 2090
where highlightREAD is the configured community string on the device, and 2090 is the configured access list.
SNMP v3
Additional code to set up SNMP access:
snmp-agent sys-info version v3
snmp-agent group v3 groupREAD privacy write-view ViewDefault notify-view ViewDefault acl 2090
snmp-agent usm-user v3 userREAD
snmp-agent usm-user v3 userREAD group groupREAD
snmp-agent usm-user v3 userREAD authentication-mode sha
   Enter password: [auth_key]
   Confirm password: [auth_key]
snmp-agent usm-user v3 userREAD privacy-mode aes128
   Enter password: [priv_key]
   Confirm password: [priv_key]
where 2090 is the configured access list.
Juniper configuration example
SNMP v2c
snmp view rpm-view oid .1.3.6.1.4.1.2636.3.7 include
snmp view rpm-view oid .1.3.6.1.2.1.80 include
snmp community highlightREAD authorization read-only
snmp community highlightREAD clients default restrict
snmp community highlightREAD clients **IP ADDRESS OF PRIMARY SERVER**/32
snmp community highlightREAD clients **IP ADDRESS OF SECONDARY SERVER**/32
snmp community highlightWRITE authorization read-write
snmp community highlightWRITE view rpm-view
snmp community highlightWRITE clients default restrict
snmp community highlightWRITE clients **IP ADDRESS OF PRIMARY SERVER**/32
snmp community highlightWRITE clients **IP ADDRESS OF SECONDARY SERVER**/32
SNMP v3
The basic v3 configuration for a Juniper SRX is shown below. Commands may differ between Junos versions and on other platforms. Replace the values in brackets with your own credentials.
set snmp v3 usm local-engine user [HighlightUser] authentication-sha authentication-key [mykeyhere]
set snmp v3 usm local-engine user [HighlightUser] privacy-aes128 privacy-key [mykeyhere]
set snmp v3 vacm security-to-group security-model usm security-name [HighlightUser] group [HighlightGroup]
set snmp v3 vacm access group [HighlightGroup] default-context-prefix security-model any security-level privacy read-view all
set snmp v3 vacm access group [HighlightGroup] default-context-prefix security-model any security-level privacy write-view all
set snmp view all oid .1
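The two Juniper examples differ in what the write path can reach: the v2c highlightWRITE community is confined to rpm-view (the RPM MIB and DISMAN-PING-MIB subtrees), while the v3 group's write-view all is backed by snmp view all oid .1, which is the entire tree. The script below is an added example, not Juniper's or Highlight's code, that parses snmp view lines and evaluates them the way VACM does (RFC 3415: the longest matching prefix decides) so the scope of each view can be checked against sample OIDs before the configuration is committed. The view all-minus-usm and the probe OIDs are constructed for the example; treating a missing include/exclude keyword as include is an assumption about the Junos default.

```python
import re
from collections import defaultdict

# Constructed sample: the page's rpm-view and all views, plus an all-minus-usm
# view added here to show an exclude entry overriding a broader include.
# OID assignments used: .1.3.6.1.4.1.2636.3.7 is the Juniper RPM MIB,
# .1.3.6.1.2.1.80 is DISMAN-PING-MIB, .1.3.6.1.6.3.15 is SNMP-USER-BASED-SM-MIB.
SAMPLE_VIEWS = """
snmp view rpm-view oid .1.3.6.1.4.1.2636.3.7 include
snmp view rpm-view oid .1.3.6.1.2.1.80 include
set snmp view all oid .1
set snmp view all-minus-usm oid .1 include
set snmp view all-minus-usm oid .1.3.6.1.6.3.15 exclude
"""

# Constructed probe OIDs, labelled for the report.
PROBE_OIDS = {
    "RPM MIB object": ".1.3.6.1.4.1.2636.3.7.1",
    "pingCtlTable (DISMAN-PING)": ".1.3.6.1.2.1.80.1.2",
    "sysName": ".1.3.6.1.2.1.1.5.0",
    "ifTable": ".1.3.6.1.2.1.2.2",
    "usmUserTable": ".1.3.6.1.6.3.15.1.2.2",
}


def parse_oid(text):
    """'.1.3.6.1' -> (1, 3, 6, 1); leading dot optional."""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_views(text):
    """Map view name -> [(prefix tuple, included)], accepting lines with or
    without the 'set ' prefix. A missing keyword is treated as include
    (assumption about the Junos default)."""
    views = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"(?:set )?snmp view (\S+) oid (\S+)(?: (include|exclude))?$", line.strip())
        if m:
            views[m[1]].append((parse_oid(m[2]), m[3] != "exclude"))
    return views


def view_allows(entries, oid):
    """VACM-style decision: the longest prefix that matches the OID wins; an
    OID matched by no entry is outside the view."""
    best = None
    for prefix, included in entries:
        if oid[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
            best = (prefix, included)
    return best is not None and best[1]


def scope_report(views, probes):
    """view name -> {probe label: allowed?} for every probe OID."""
    return {name: {label: view_allows(entries, parse_oid(oid)) for label, oid in probes.items()}
            for name, entries in views.items()}


VIEWS = parse_views(SAMPLE_VIEWS)
REPORT = scope_report(VIEWS, PROBE_OIDS)

if __name__ == "__main__":
    for view, rows in REPORT.items():
        print(view)
        for label, allowed in rows.items():
            print(f"  {'allow' if allowed else 'deny ':5} {label}")
```

The report shows rpm-view exposing only the RPM and ping objects, all exposing everything including the USM user table, and all-minus-usm demonstrating how a single exclude entry narrows a view. The same evaluation applies to a write-view: if the v3 group only needs to build RPM tests, pointing its write-view at rpm-view rather than all keeps its write scope equal to that of the v2c example.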
OneAccess configuration example
The following example configuration for a OneAccess device allows SNMP v2c read-only access restricted to two specific poller IP addresses:
SET security[remark="fallback user"]/remark = "fallback user"
SET security[remark="fallback user"]/password=admin:admin
SET security[remark="snmp user RO"]/remark = "snmp user RO"
SET security[remark="snmp user RO"]/password=highlightREAD
SET security[remark="snmp user RO"]/accessRights = { readAccess = on writeAccess = off securityAccess = off fileSystemAccess = off testAccess = on}
SET security[remark="snmp user RO"]/applications/allow = {snmp = enabled}
SET { select profiles { select policy {select traffic { select ipTrafficPolicy[iptp_mgmt] {} } } } }
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp A"]/name = "allow snmp A"
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp A"]/sourceIpStartAddress = **IP ADDRESS OF PRIMARY SERVER**/32
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp A"]/ipProtocol = UDP
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp A"]/destinationPortStart = snmp
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp B"]/name = "allow snmp B"
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp B"]/sourceIpStartAddress = **IP ADDRESS OF SECONDARY SERVER**/32
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp B"]/ipProtocol = UDP
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp B"]/destinationPortStart = snmp
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "deny snmp other"]/name = "deny snmp other"
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "deny snmp other"]/ipProtocol = UDP
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "deny snmp other"]/destinationPortStart = snmp
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "deny snmp other"]/interface = silentDiscard
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow other"]/name = "allow other"
SET snmp/minVersion = v2c
SET management/accessPolicy = "iptp_mgmt"
action "Activate Configuration"