# Complete SNMP Configuration

## Overview

Highlight supports SNMP v1, v2c, and v3. There are two elements to the commands needed:

* Limit access to the Highlight polling agents, by means of access control lists or similar.
* Define a community string (v1/v2c), or authentication parameters (v3), which must match those set up in Highlight.

For manufacturer-specific examples, refer to the relevant section below.

## Generic SNMP Access

The following configuration steps need to be taken to allow SNMP communication from the server(s) hosting the Highlight pollers. Other IP sources will be blocked from using the SNMP community string configured.

1. Log onto the router using the management web interface.
2. Navigate to the Admin menu that allows you to modify the SNMP settings and the IP addresses that are allowed to poll your router.
3. Depending on your router model, select the appropriate system security menu option and enable SNMP Management.
4. Set your Get Community (Read only) and Set Community (Read-Write) to a string of your choice. The defaults of `public` and `private` must be changed.
5. Add in the IP addresses of the Highlight pollers as allowed SNMP sources. This is sometimes called the Manager Host IP (IPv4).
6. Some router models require you to enable remote management via the internet, so you may need to enable the SNMP Server option in the Internet Access Control section if your router has this option.
7. Apply and save the configuration. The device may need to be rebooted, depending on the model.

{% hint style="warning" %}
Always check to ensure you can still remotely manage the device; then continue to the next stage in adding the device as a watch in Highlight.
{% endhint %}
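Once the device is configured, the access list is easiest to prove by sending a single SNMPv2c request from an allowed poller (a reply is expected) and again from a host that is not in the list (a timeout is expected: agents drop requests from unlisted sources, and requests carrying an unknown community string, without replying). The script below is an added example written for this page, not Highlight's tooling; it encodes the GetRequest for sysDescr.0 by hand so that it needs only the Python standard library, and the device address and community string are the only inputs. It covers v1/v2c only; v3 credentials involve the USM layer and are easier to test with net-snmp's `snmpget -v3`.

```python
"""Confirm SNMPv2c reachability from the host this runs on (added example, not Highlight's code).

Builds one GetRequest for sysDescr.0 by hand, sends it to UDP/161 and reports whether
the agent replied. Agents silently drop requests from sources outside their access
list and requests carrying an unknown community, so a timeout means "blocked".
"""
import socket
import sys
from typing import Optional, Tuple

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"
GET_REQUEST_TAG = 0xA0   # context-specific [0]: GetRequest-PDU
GET_RESPONSE_TAG = 0xA2  # context-specific [2]: Response-PDU

def ber_length(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value

def encode_int(n: int) -> bytes:
    """INTEGER in minimal two's-complement form (version, request-id, error fields)."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_message(community: str, pdu_tag: int, request_id: int, oid: str, value: bytes) -> bytes:
    """SNMPv2c message: SEQUENCE { version 1, community, PDU { id, error 0, index 0, varbinds } }."""
    varbind = tlv(0x30, encode_oid(oid) + value)
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind)
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))

def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    return build_message(community, GET_REQUEST_TAG, request_id, oid, tlv(0x05, b""))  # NULL value

def parse_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV at pos, handling long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_sequence(value: bytes) -> list:
    """Split a constructed value into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = parse_tlv(value, pos)
        items.append((tag, val))
    return items

def decode_response(packet: bytes, expected_id: int) -> Tuple[int, bytes]:
    """Return (value_tag, value) of the first varbind; reject anything but a matching Response-PDU."""
    tag, msg, _ = parse_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, _version), (_, _community), (pdu_tag, pdu) = parse_sequence(msg)
    if pdu_tag != GET_RESPONSE_TAG:
        raise ValueError("not a Response-PDU")
    (_, req_id), (_, err_status), (_, _err_index), (_, varbinds) = parse_sequence(pdu)
    if int.from_bytes(req_id, "big", signed=True) != expected_id:
        raise ValueError("request-id mismatch: stale or spoofed reply")
    if int.from_bytes(err_status, "big", signed=True) != 0:
        raise ValueError("agent returned error-status %d" % int.from_bytes(err_status, "big", signed=True))
    (_, _oid), (value_tag, value) = parse_sequence(parse_sequence(varbinds)[0][1])
    return value_tag, value

def probe(host: str, community: str, timeout: float = 2.0, request_id: int = 0x1234) -> Optional[str]:
    """Send one GetRequest; return the sysDescr text, or None if nothing arrives within the timeout."""
    packet = build_get_request(community, SYS_DESCR_OID, request_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, 161))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None  # dropped: source not in the access list, or wrong community
    value_tag, value = decode_response(reply, request_id)
    return value.decode(errors="replace") if value_tag == 0x04 else value.hex()

if __name__ == "__main__":  # usage: python snmp_check.py <device-ip> <community>
    result = probe(sys.argv[1], sys.argv[2])
    print("reply: %s" % result if result else "no reply within timeout: blocked or wrong community")
```

The request-id check in `decode_response` is deliberate: a poller should accept only the reply to the request it actually sent. `ber_length` and `parse_tlv` handle long-form BER lengths, so a sysDescr longer than 127 bytes still parses.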

## Cisco Basic SNMP Access

The following lines of configuration allow read-only SNMP communication from the server(s) hosting the Highlight polling of the device. Other IP sources will be blocked from using the SNMP community string configured.

### SNMP v1/v2c

```
access-list 90 permit host <IP ADDRESS OF PRIMARY SERVER>
access-list 90 permit host <IP ADDRESS OF SECONDARY SERVER>
snmp-server community highlightREAD RO 90
```

Where `highlightREAD` is the configured community string on the device, and `90` is any available access-list number or name.

### SNMP v3

```
access-list 90 permit host <IP ADDRESS OF PRIMARY SERVER>
access-list 90 permit host <IP ADDRESS OF SECONDARY SERVER>
snmp-server group groupREAD v3 priv access 90
snmp-server user userREAD groupREAD v3 auth sha [auth_key] priv aes 128 [priv_key]
```

Where `90` is any available access-list number or name, and the keys are at least 8 characters in length.

## Cisco Performance SNMP Access

In order to utilise the performance visibility elements of Highlight, the device needs to allow write access to the RTTMon MIB, a very small subset of the MIB tree that is responsible only for building IP SLA tests on the router. The `view` line limits WRITE access to the RTTMon MIB, and the separate community string (still subject to the access-list restrictions) adds another layer of authentication to the WRITE process.

### SNMP v1/v2c

```
snmp-server view rttview ciscoRttMonMIB included
snmp-server community highlightWRITE view rttview RW 90
```

Where `highlightWRITE` is the Read-Write SNMP password, which must not be the same as the password used for Read-Only access; `rttview` is a view name used to restrict the SNMP read-write access; and `90` is the access-list number or name as used for Basic SNMP access.

### SNMP v3

```
snmp-server view rttview ciscoRttMonMIB included
snmp-server group groupWRITE v3 priv write rttview access 90
snmp-server user userWRITE groupWRITE v3 auth sha [auth_key] priv aes 128 [priv_key]
```

Where `rttview` is a view name used to restrict the SNMP read-write access; and `90` is the access-list number or name as used for Basic SNMP access.
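Both the Basic and Performance blocks above rely on three things being present on every `snmp-server` line: a non-default community string, an access-list, and, for read-write access, a view. A quick static check over a saved `show running-config` catches the common omissions before a device is added to Highlight. The script below is an added example written for this page, not Highlight's or Cisco's tooling; the sample configuration embedded in it is constructed, and its regular expressions cover the `snmp-server community` and `snmp-server group ... v3` forms used in this document rather than every IOS variant.

```python
"""Static check of the SNMP lines in a Cisco IOS configuration (added example, not Highlight's tooling).

Reads a saved `show running-config` (or the snippet about to be pasted) and flags
what would undo the access controls described above: default community strings,
communities with no access-list, RW communities without a view, SNMPv3 groups
below `priv`, and access-lists that are referenced but never defined.
"""
import re
import sys
from typing import List

DEFAULT_COMMUNITIES = {"public", "private"}

COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?\s*$", re.IGNORECASE)
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<level>noauth|auth|priv)\b(?P<rest>.*)$", re.IGNORECASE)
ACL_DEF_RE = re.compile(
    r"^(?:access-list (?P<num>\d+) |ip access-list (?:standard|extended) (?P<name>\S+))", re.IGNORECASE)

# Constructed sample for demonstration; addresses are from the RFC 5737 documentation range.
SAMPLE_CONFIG = """\
access-list 90 permit host 192.0.2.10
access-list 90 permit host 192.0.2.11
snmp-server view rttview ciscoRttMonMIB included
snmp-server community highlightREAD RO 90
snmp-server community highlightWRITE view rttview RW 90
snmp-server community public RO
snmp-server community legacyRW RW 91
snmp-server group groupREAD v3 priv access 90
snmp-server group oldgroup v3 auth access 90
"""


def check_snmp_config(config: str) -> List[str]:
    """Return one finding per problem; an empty list means the SNMP lines look sound."""
    lines = [line.strip() for line in config.splitlines()]
    defined_acls = set()
    for line in lines:  # first pass: which access-lists actually exist
        m = ACL_DEF_RE.match(line)
        if m:
            defined_acls.add(m.group("num") or m.group("name"))

    findings = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if m:
            name, view, mode, acl = m.group("name", "view", "mode", "acl")
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append("community '%s': default community string" % name)
            if acl is None:
                findings.append("community '%s': no access-list, any source may poll" % name)
            elif acl not in defined_acls:
                findings.append("community '%s': access-list %s is not defined" % (name, acl))
            if (mode or "RO").upper() == "RW" and view is None:
                findings.append("community '%s': RW without a view exposes the whole MIB to writes" % name)
            continue
        m = GROUP_RE.match(line)
        if m:
            name, level, rest = m.group("name", "level", "rest")
            if level.lower() != "priv":
                findings.append("v3 group '%s': security level %s, expected priv" % (name, level))
            acl = re.search(r"\baccess (\S+)", rest)
            if acl is None:
                findings.append("v3 group '%s': no access-list, any source may poll" % name)
            elif acl.group(1) not in defined_acls:
                findings.append("v3 group '%s': access-list %s is not defined" % (name, acl.group(1)))
    return findings


if __name__ == "__main__":  # usage: python snmp_lint.py [running-config.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in check_snmp_config(text) or ["no SNMP findings"]:
        print(finding)
```

Run it with a config file path, or with no argument to lint the embedded sample; each finding names the community or group so it can be fixed in place. A v3 group at `auth` is reported because the examples above use `priv`: at `auth` the polled MIB data travels unencrypted, only authenticated.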

### Additional Configuration

The Precision Delay and MOS tests require a Cisco device as a target with the following configuration. A UDP Echo test between routers also requires this configuration on the target:

```
ip sla responder
```

{% hint style="info" %}
Some performance tests will require DNS to be configured on the router. \
A Cisco router running IOS v15.x requires a licence greater than "Base". Licence details are available from [Reporting Inventory](https://help.highlight.net/reporting/inventory).
{% endhint %}

## Cisco Application Level SNMP Access

There are two ways to enable application visibility in Highlight.

The first is via the NBAR application in Cisco routers — details can be found on the [NBAR configuration page](https://help.highlight.net/device-setup/nbar).

Alternatively, application visibility can be enabled using Flow — details can be found on the [Flow configuration page](https://help.highlight.net/device-setup/flow).

{% hint style="info" %}
Both NBAR and Flow are needed to enable AppVis™.
{% endhint %}

## Cisco Quality of Service SNMP Access

Highlight is capable of showing traffic levels and health of individual classes of service.

The [Basic SNMP Access](#cisco-basic-snmp-access) defined above will show traffic for any outbound classes.

Because ISPs normally set only outbound QoS, a full two-direction view of traffic requires an additional inbound policy which, although it applies no prioritisation or queueing, does create SNMP counters for each class. The configuration depends entirely on the outbound QoS policy; read [Class of Service](https://help.highlight.net/device-setup/classes) for further details.

## Huawei Configuration Example

Whether using SNMP v2c or v3, restrict SNMP access with an access control list as follows:

```
acl 2090
rule 5 permit source <IP ADDRESS OF PRIMARY SERVER> 0
rule 10 permit source <IP ADDRESS OF SECONDARY SERVER> 0
```

Where `2090` is any available access-list number or name.

### SNMP v2c

Additional code to set up SNMP access:

```
snmp-agent sys-info version v2c
snmp-agent community read highlightREAD acl 2090
```

Where `highlightREAD` is the configured community string on the device, and `2090` is the configured access list.

### SNMP v3

Additional code to set up SNMP access:

```
snmp-agent sys-info version v3
snmp-agent group v3 groupREAD privacy write-view ViewDefault notify-view ViewDefault acl 2090
snmp-agent usm-user v3 userREAD
snmp-agent usm-user v3 userREAD group groupREAD
snmp-agent usm-user v3 userREAD authentication-mode sha
   Enter password: [auth_key]
   Confirm password: [auth_key]
snmp-agent usm-user v3 userREAD privacy-mode aes128
   Enter password: [priv_key]
   Confirm password: [priv_key]
```

Where `2090` is the configured access list.

## Juniper Configuration Example

### SNMP v2c

```
set snmp view rpm-view oid .1.3.6.1.4.1.2636.3.7 include
set snmp view rpm-view oid .1.3.6.1.2.1.80 include
set snmp community highlightREAD authorization read-only
set snmp community highlightREAD clients default restrict
set snmp community highlightREAD clients <IP ADDRESS OF PRIMARY SERVER>/32
set snmp community highlightREAD clients <IP ADDRESS OF SECONDARY SERVER>/32
set snmp community highlightWRITE authorization read-write
set snmp community highlightWRITE view rpm-view
set snmp community highlightWRITE clients default restrict
set snmp community highlightWRITE clients <IP ADDRESS OF PRIMARY SERVER>/32
set snmp community highlightWRITE clients <IP ADDRESS OF SECONDARY SERVER>/32
```

Where `highlightREAD` and `highlightWRITE` are the read-only and read-write community strings (they must differ), `clients default restrict` denies every source other than the listed poller addresses, and `rpm-view` limits the read-write community to the two OID subtrees listed, mirroring the `rttview` restriction in the Cisco example.

### SNMP v3

The basic v3 config for a Juniper SRX is shown below. Commands may differ per version and other platforms. Replace values in brackets with your own credentials.

```
set snmp v3 usm local-engine user [HighlightUser] authentication-sha authentication-key [mykeyhere]
set snmp v3 usm local-engine user [HighlightUser] privacy-aes128 privacy-key [mykeyhere]
set snmp v3 vacm security-to-group security-model usm security-name [HighlightUser] group [HighlightGroup]
set snmp v3 vacm access group [HighlightGroup] default-context-prefix security-model any security-level privacy read-view all
set snmp v3 vacm access group [HighlightGroup] default-context-prefix security-model any security-level privacy write-view all
set snmp view all oid .1
```

## OneAccess Configuration Example

The following example configuration for a OneAccess device allows for SNMP v2c read-only access restricted to two specific poller IP addresses:

```
SET security[remark="fallback user"]/remark = "fallback user"
SET security[remark="fallback user"]/password=admin:admin
SET security[remark="snmp user RO"]/remark = "snmp user RO"
SET security[remark="snmp user RO"]/password=highlightREAD
SET security[remark="snmp user RO"]/accessRights = { readAccess = on writeAccess = off securityAccess = off fileSystemAccess = off testAccess = on}
SET security[remark="snmp user RO"]/applications/allow = {snmp = enabled}

SET { select profiles { select policy {select traffic { select ipTrafficPolicy[iptp_mgmt] {} } } } }
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp A"]/name = "allow snmp A"
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp A"]/sourceIpStartAddress = <IP ADDRESS OF PRIMARY SERVER>/32
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp A"]/ipProtocol = UDP
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp A"]/destinationPortStart = snmp
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp B"]/name = "allow snmp B"
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp B"]/sourceIpStartAddress = <IP ADDRESS OF SECONDARY SERVER>/32
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp B"]/ipProtocol = UDP
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow snmp B"]/destinationPortStart = snmp
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "deny snmp other"]/name = "deny snmp other"
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "deny snmp other"]/ipProtocol = UDP
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "deny snmp other"]/destinationPortStart = snmp
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "deny snmp other"]/interface = silentDiscard
SET profiles/policy/traffic/ipTrafficPolicy[iptp_mgmt]/trafficShaping[name = "allow other"]/name = "allow other"

SET snmp/minVersion = v2c
SET management/accessPolicy = "iptp_mgmt"

action "Activate Configuration"
```
