Controlling Access to Router MIBs

Problem

You want to limit the access of a group of NMS systems so they can gather only basic system and chassis information from the router.

Solution

Use the following commands to define the MIB branches that a community can access:

[edit snmp]
aviva@router1# set view chassis-info-only oid jnxBoxAnatomy include
aviva@router1# set view chassis-info-only oid snmpMIBObjects include
aviva@router1# set view chassis-info-only oid system include

Then associate the MIB view with the community:

[edit snmp]
aviva@router1# set community chassis-access-only view chassis-info-only

Discussion

By default, an SNMP community can access the whole MIB installed on the router. You can limit the MIB access that a community has by creating partial views of the MIB. This recipe creates a community that can view information only about objects in the Juniper Networks chassis MIB and in the standard MIB-II MIB. Controlling access consists of two steps: create the view itself using the set view commands and then associate the view with the community using the set community command.

If you want a community to be able to read most but not all of the MIB, you can instead exclude just the few MIB branches that it should not see.

You might want to give access to all MIB branches except the two in which the JUNOS software allows SNMP Set operations, the ping and traceroute MIB branches:

[edit snmp]
aviva@router1# set view ping-traceroute-exclude oid jnxPingMIB exclude
aviva@router1# set view ping-traceroute-exclude oid jnxTraceRouteMIB exclude
aviva@router1# set community public view ping-traceroute-exclude
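Because a community with no view can access the whole MIB, it is worth checking that every community is tied to a defined view. The following Python audit is an added example, not part of the original recipe: it reads SNMP configuration in set format (as `show configuration snmp | display set` prints it) and reports communities that have no view or that name a view that is not defined. The sample configuration is constructed; the community names public and noc and the view name noc-view in it are assumptions made for illustration.

```python
import re

# Constructed sample in "display set" form, not output from a real router.
# The first four lines mirror the recipe; "public" has no view and
# "noc" names a view that is never defined (both are assumptions).
SAMPLE_CONFIG = """\
set snmp view chassis-info-only oid jnxBoxAnatomy include
set snmp view chassis-info-only oid snmpMIBObjects include
set snmp view chassis-info-only oid system include
set snmp community chassis-access-only view chassis-info-only
set snmp community public authorization read-only
set snmp community noc view noc-view
"""

VIEW_RE = re.compile(r"^set snmp view (\S+) oid (\S+) (include|exclude)$")
COMMUNITY_RE = re.compile(r"^set snmp community (\S+)(?: view (\S+))?")

def parse(config):
    """Return (views, communities) from set-format SNMP configuration."""
    views, communities = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = VIEW_RE.match(line)
        if m:
            # view name -> ordered list of (oid, include|exclude)
            views.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            name, view = m.groups()
            # Keep a view seen on an earlier line for the same community.
            communities[name] = view or communities.get(name)
    return views, communities

def audit(config):
    """Return sorted (community, finding) pairs for unrestricted communities."""
    views, communities = parse(config)
    findings = []
    for name, view in communities.items():
        if view is None:
            findings.append((name, "no view: whole MIB accessible"))
        elif view not in views:
            findings.append((name, f"view '{view}' is not defined"))
    return sorted(findings)

if __name__ == "__main__":
    for community, finding in audit(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```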
