SNMPv3 Informs
Junos OS supports two types of notifications: traps and informs.
With traps, the receiver does not send any acknowledgment when it receives a trap, so the sender cannot determine whether the trap was received. A trap may be lost because a problem occurred during transmission. Informs increase reliability: an inform is similar to a trap except that the inform is stored and retransmitted at regular intervals until one of these conditions occurs:
- The receiver (target) of the inform returns an acknowledgment to the SNMP agent.
- A specified number of unsuccessful retransmissions have been attempted, and the agent discards the inform message.
If the sender never receives a response, the inform can be sent again. Thus, informs are more likely to reach their intended destination than traps are. Informs use the same communications channel as traps (same socket and port) but have different protocol data unit (PDU) types.
Informs are more reliable than traps, but they consume more network, router, and switch resources. Unlike a trap, an inform is held in memory until a response is received or the timeout is reached. Also, traps are sent only once, whereas an inform may be retried several times. Use informs when it is important that the SNMP manager receive all notifications. However, if you are more concerned about network traffic, or router and switch memory, use traps.
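The retransmission rules above, modeled as an added example (this is not Junos code and does not speak real SNMP; the channel, clock and receiver are constructed stand-ins). It assumes, as the example below states for retry-count 3, that retry-count is the number of retransmissions after the first send, so an inform is transmitted at most retry-count + 1 times, and it records how long the agent holds the PDU in memory compared with a trap:

```python
"""Added example (not from the Junos documentation): a model of the SNMP
inform retransmission rules. The channel, clock and receiver are
constructed stand-ins; nothing here speaks real SNMP."""

from dataclasses import dataclass, field


@dataclass
class InformTarget:
    """Mirrors the Junos target-address knobs: timeout (seconds) and retry-count."""
    address: str
    timeout: int = 15       # seconds to wait for a Response PDU before retransmitting
    retry_count: int = 3    # assumption: number of retransmissions after the first send


@dataclass
class Transcript:
    events: list = field(default_factory=list)
    acknowledged: bool = False
    transmissions: int = 0
    held_seconds: int = 0   # how long the agent kept the PDU in memory


def send_inform(target, deliver, pdu="linkDown"):
    """Send one inform, retransmitting on timeout until an ack arrives or
    retry_count retransmissions have been attempted.

    `deliver(attempt, pdu)` models the network and the receiver: it returns
    True when the receiver got the PDU and answered with a Response PDU, and
    False when the message (or its ack) was lost, so the agent sees a timeout.
    """
    t = Transcript()
    clock = 0
    for attempt in range(1, target.retry_count + 2):   # first send + retries
        t.transmissions += 1
        t.events.append(
            f"t={clock}s agent -> {target.address}: InformRequest({pdu}) attempt {attempt}")
        if deliver(attempt, pdu):
            t.events.append(f"t={clock}s {target.address} -> agent: Response (ack)")
            t.acknowledged = True
            break
        clock += target.timeout
        t.events.append(f"t={clock}s agent: no response within {target.timeout}s")
    t.held_seconds = clock
    if not t.acknowledged:
        t.events.append(
            f"t={clock}s agent: retry-count {target.retry_count} exhausted, inform discarded")
    return t


def send_trap(target, deliver, pdu="linkDown"):
    """Trap: one transmission, no ack, nothing held in memory afterwards."""
    t = Transcript()
    t.transmissions = 1
    t.events.append(f"t=0s agent -> {target.address}: SNMPv2-Trap({pdu})")
    deliver(1, pdu)     # the agent never learns whether this arrived
    return t


def lossy_receiver(lost_attempts):
    """Constructed receiver that drops the listed attempt numbers."""
    return lambda attempt, pdu: attempt not in lost_attempts


if __name__ == "__main__":
    target = InformTarget("172.17.20.184", timeout=30, retry_count=3)
    for line in send_inform(target, lossy_receiver({1, 2})).events:
        print(line)
```

With timeout 30 and retry-count 3, an inform whose first two transmissions are lost is acknowledged on the third attempt after being held for 60 seconds; if all four transmissions are lost, the agent holds it for 120 seconds and then discards it. The trap path shows the trade-off the paragraph describes: one send, no memory held, no knowledge of delivery.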
Example: Configure the Inform Notification Type and Target Address
In the following example, target 172.17.20.184 is configured to respond to informs. The inform timeout is 30 seconds and the maximum retransmit count is 3. The inform is sent to all targets in the tl1 list. The security model for the remote user is usm and the remote engine username is u10.
```
[edit snmp v3]
notify n1 {
    type inform;
    tag tl1;
}
notify-filter nf1 {
    oid .1.3 include;
}
target-address ta1 {
    address 172.17.20.184;
    retry-count 3;
    tag-list tl1;
    address-mask 255.255.255.0;
    target-parameters tp1;
    timeout 30;
}
target-parameters tp1 {
    parameters {
        message-processing-model v3;
        security-model usm;
        security-level privacy;
        security-name u10;
    }
    notify-filter nf1;
}
```
Example: Configure the Remote Engine ID and Remote User
This example shows how to configure a remote engine and remote user so you can receive and respond to SNMP inform notifications. Inform notifications can be authenticated and encrypted. They are also more reliable than traps, another type of notification that Junos OS supports. Unlike traps, inform notifications are stored and retransmitted at regular intervals until one of these conditions occurs:
- The target of the inform notification returns an acknowledgment to the SNMP agent.
- A specified number of unsuccessful retransmissions have been attempted.
Requirements
This feature requires the use of plain-text passwords valid for SNMPv3. SNMPv3 has the following requirements when you create plain-text passwords on a router or a switch:
- The password must be at least eight characters long.
- The password can include alphabetic, numeric, and special characters, but it cannot include control characters.
- Enclosing the password in quotation marks is recommended but not always necessary. Quotation marks are required if the password contains spaces or certain special characters or punctuation.
Overview
Inform notifications are supported in SNMPv3 to increase reliability. For example, an SNMP agent receiving an inform notification acknowledges the receipt.
For inform notifications, the remote engine ID identifies the SNMP agent on the remote device where the user resides, and the username identifies the user on a remote SNMP engine who receives the inform notifications.
Consider a scenario in which you have the values in Table 1 to use in configuring the remote engine ID and remote user in this example.
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. When sending an inform message, the agent uses the credentials of the user configured on the remote engine (inform target).
For informs, remote-engine engine-id is the identifier for the SNMP agent on the remote device where the user resides.
For informs, user username is the user on a remote SNMP engine who receives the informs.
Informs generated can be unauthenticated, authenticated, or authenticated_and_encrypted, depending on the security level of the SNMPv3 user configured on the remote engine (the inform receiver). The authentication key is used for generating the message authentication code (MAC). The privacy key is used to encrypt the inform PDU part of the message.
Table 1: Remote engine ID and remote user values used in this example

| Name of Variable | Value |
|---|---|
| username | u10 |
| remote engine ID | 800007E5804089071BC6D10A41 |
| authentication type | authentication-md5 |
| authentication password | qol67R%? |
| encryption type | privacy-des |
| privacy password | m*72Jl9v |
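The statement above that the remote engine ID is used to compute the security digest is the RFC 3414 USM key localization step. The following added example (not Junos code; it implements the RFC 3414 Appendix A algorithm in Python) derives the localized authentication and privacy keys for the user in Table 1 and shows why the same password yields a different key on every engine, which is why the agent must be told the receiver's engine ID before it can authenticate or encrypt informs. The engine ID, user and passwords are the page's values; the second engine ID used for comparison and the `localized_keys_for_user` helper are constructed for this example.

```python
"""Added example (not from the Junos documentation): RFC 3414 password-to-key
and key localization for USM. Page values: engine ID 800007E5804089071BC6D10A41,
user u10, authentication-md5 password qol67R%?, privacy-des password m*72Jl9v."""

import hashlib

MEGABYTE = 1_048_576


def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated to fill exactly 1,048,576 bytes.
    The result Ku is the user's engine-independent key."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku).

    Because the engine ID is mixed in, the key a receiver checks against is
    specific to that receiver; an agent sending informs therefore needs the
    remote engine ID (Junos: remote-engine <engine-id>) to derive the same Kul."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_keys_for_user(engine_id_hex: str, auth_password: str,
                            priv_password: str, hash_name: str = "md5") -> dict:
    """Constructed helper: derive the keys Junos stores for a remote-engine user.
    For privacy-des (RFC 3414 8.1.1.1) the first 8 octets of the 16-octet
    localized privacy key are the DES key and the last 8 are the pre-IV."""
    engine_id = bytes.fromhex(engine_id_hex)
    auth = localize_key(password_to_key(auth_password, hash_name), engine_id, hash_name)
    priv = localize_key(password_to_key(priv_password, hash_name), engine_id, hash_name)
    return {"auth_key": auth, "des_key": priv[:8], "pre_iv": priv[8:16]}


if __name__ == "__main__":
    # Page values from Table 1.
    page = localized_keys_for_user("800007E5804089071BC6D10A41", "qol67R%?", "m*72Jl9v")
    # Constructed second engine ID, same passwords: different keys.
    other = localized_keys_for_user("800007E5804089071BC6D10A42", "qol67R%?", "m*72Jl9v")
    print("u10 auth key on 800007E5...41:", page["auth_key"].hex())
    print("u10 auth key on 800007E5...42:", other["auth_key"].hex())
    print("same password, same key?", page["auth_key"] == other["auth_key"])
```

Pass `hash_name="sha1"` for a user configured with authentication-sha; the algorithm is the same with 20-octet keys. The `$9$` strings shown under Results later on this page are Junos's reversible obfuscation of the configured secrets, not these localized keys, which is why the output is marked `## SECRET-DATA` and why the configuration should be protected like any other credential store.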
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands and paste them into a text file, remove any line breaks and change any details necessary to match your network configuration, copy and paste these commands into the CLI at the [edit snmp v3] hierarchy level, and then enter commit from configuration mode.
```
set usm remote-engine 800007E5804089071BC6D10A41 user u10 authentication-md5 authentication-password "qol67R%?"
set usm remote-engine 800007E5804089071BC6D10A41 user u10 privacy-des privacy-password "m*72Jl9v"
```
Configuring the Remote Engine and Remote User
Step-by-Step Procedure
The following example requires that you navigate to various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure the remote engine ID and remote user:
1. Configure the remote engine ID, username, and authentication type and password.
```
[edit snmp v3]
user@host# set usm remote-engine 800007E5804089071BC6D10A41 user u10 authentication-md5 authentication-password "qol67R%?"
```
2. Configure the encryption type and privacy password. You can configure only one encryption type per SNMPv3 user.
```
[edit snmp v3]
user@host# set usm remote-engine 800007E5804089071BC6D10A41 user u10 privacy-des privacy-password "m*72Jl9v"
```
Results
In configuration mode, confirm your configuration by entering the show command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
```
[edit snmp v3]
user@host# show
usm {
    remote-engine 800007E5804089071BC6D10A41 {
        user u10 {
            authentication-md5 {
                authentication-key "$9$hagSyKNdbY2acyvLN-2g69CtpBRhSvMX/CLx-V4oZUjkqfQz69CuF36Apu1Idbw2ZUiHm3/C.mF/CA1IVws4oGkqf6CtzF"; ## SECRET-DATA
            }
            privacy-des {
                privacy-key "$9$GJDmf3nCtO1zFnCu0hcrevM87bs2oaUbwqmP5F3Ap0O1hrevMLxcSYgoaUDqmf5n/Ap0REyk.BIREyr4aJZUHfTz9tu5T"; ## SECRET-DATA
            }
        }
    }
}
```
After you have confirmed that the configuration is correct, enter commit from configuration mode.
Verification
Verifying the Configuration of the Remote Engine ID and Username
Purpose
Verify the status of the engine ID and user information.
Action
Display information about the SNMPv3 engine ID and user.
```
user@host> show snmp v3
Local engine ID: 80 00 0a 4c 01 0a ff 03 e3
Engine boots: 3
Engine time: 769187 seconds
Max msg size: 65507 bytes

Engine ID: 80 00 07 e5 80 40 89 07 1b c6 d1 0a 41
User    Auth/Priv   Storage      Status
u10     md5/des     nonvolatile  active
```
Meaning
The output displays the following information:
- Local engine ID and details about the engine
- Remote engine ID (labeled Engine ID)
- Username
- Authentication type and encryption (privacy) type that is configured for the user
- Type of storage for the username, either nonvolatile (configuration saved) or volatile (not saved)
- Status of the new user; only users with an active status can use SNMPv3