Tracking Router Configuration Changes

Problem

You want an NMS system to track when the router's configuration has been changed.

Solution

First, define the NMS system and its password:

[edit snmp v3]
aviva@router1# set usm local-engine user nms2 authentication-sha authentication-password $0212roZH
aviva@router1# set usm local-engine user nms2 privacy-des privacy-password 0212roZH

Then, define two views that allow the NMS access to the configuration information. The first view defines what the NMS can read from the MIB:

[edit snmp v3]
aviva@router1# set view config-info-read oid jnxCfgMgmt include

The second view sets what the router includes in notifications sent to the NMS:

[edit snmp v3]
aviva@router1# set view config-info-notify oid jnxCfgMgmt include
aviva@router1# set view config-info-notify oid jnxCmNotifications include
aviva@router1# set view config-info-notify oid snmpMIBObjects include
aviva@router1# set view config-info-notify oid system include

Finally, create groups and their users and assign access privileges for the groups:

[edit snmp v3]
aviva@router1# set vacm security-to-group security-model usm security-name nms2 group config-only
aviva@router1# set vacm access group config-only default-context-prefix security-model usm security-level privacy read-view config-info-read
aviva@router1# set vacm access group config-only default-context-prefix security-model usm security-level privacy notify-view config-info-notify


Discussion

To use SNMP to monitor the router configuration, use the Juniper Networks configuration management MIB extension (jnxCfgMgmt), which records who changed the configuration and when. This recipe gives the NMS called nms2 access to that configuration information.

The first commands in this recipe configure the SNMPv3 user-based security model (USM) for the user nms2, with SHA-1 authentication and DES encryption of the message payload. You then create two views: one that defines what nms2 can read from the MIB, and a second that sets what the router can include in notifications sent to nms2. The final commands configure the view-based access control model (VACM), placing nms2 in the group config-only and binding that group, at security level privacy, to the two views.

Again, this recipe is somewhat involved, so here's what the resulting configuration looks like after you issue the commands in this recipe, with some added comments:

aviva@router1# show | except SECRET-DATA
v3 {
    usm {                                   # <-- which NMS systems can access the router
        local-engine {
            user nms2 {
                authentication-sha {
                }
                privacy-des {
                }
            }
        }
    }
    vacm {                                  # <-- what the NMS systems can access on the router
        security-to-group {                 # <-- which access group each NMS is in
            security-model usm {
                security-name nms2 {
                    group config-only;
                }
            }
        }
        access {                            # <-- which MIB views the NMS systems can access
            group config-only {
                default-context-prefix {
                    security-model usm {
                        security-level privacy {
                            read-view config-info-read;
                            notify-view config-info-notify;
                        }
                    }
                }
            }
        }
    }
}
view config-info-read {                     # <-- view of enterprise configuration management objects
    oid jnxCfgMgmt include;
}
view config-info-notify {                   # <-- view for objects used by SNMPv3 traps
    oid jnxCfgMgmt include;
    oid jnxCmNotifications include;
    oid snmpMIBObjects include;
    oid system include;
}
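As an added check, not part of the cookbook recipe or of JUNOS itself, the following Python audits a list of SNMPv3 set commands in the form used in the Solution and flags the weakenings that would undermine this recipe: a USM user with no privacy protocol, a VACM access entry below security-level privacy, or a notify view that omits jnxCmNotifications. The function name is hypothetical and both command lists are constructed, with the secrets replaced by placeholders.

```python
# Added example, not from the JUNOS Cookbook: audit SNMPv3 "set" commands (the form
# the Solution uses). Function name hypothetical; command lists below are constructed.
import re

USER_RE = re.compile(r"set usm local-engine user (\S+) (authentication-\S+|privacy-\S+)")
ACCESS_RE = re.compile(r"set vacm access group (\S+) \S+ security-model usm "
                       r"security-level (\S+) (read-view|notify-view) (\S+)")
VIEW_RE = re.compile(r"set view (\S+) oid (\S+) include")

def audit_snmpv3(commands):
    """Return findings (empty list = as strong as the recipe): every USM user has a
    privacy protocol, every access entry demands security-level privacy, every view
    includes jnxCfgMgmt, and every notify-view also includes jnxCmNotifications."""
    users, views, access, findings = {}, {}, [], []
    for cmd in (" ".join(c.split()) for c in commands):   # normalise whitespace
        if m := USER_RE.match(cmd):
            users.setdefault(m[1], set()).add(m[2].split("-")[0])
        elif m := VIEW_RE.match(cmd):
            views.setdefault(m[1], set()).add(m[2])
        elif m := ACCESS_RE.match(cmd):
            access.append(m.groups())
    for user, protos in users.items():
        if "privacy" not in protos:
            findings.append(f"user {user}: no privacy protocol, payload sent in clear")
    for group, level, kind, view in access:
        if level != "privacy":
            findings.append(f"group {group}: security-level {level}, not privacy")
        needed = {"jnxCfgMgmt"} | ({"jnxCmNotifications"} if kind == "notify-view" else set())
        for oid in sorted(needed - views.get(view, set())):
            findings.append(f"group {group}: {kind} {view} lacks {oid}")
    return findings

# Constructed: the recipe's own commands, secrets replaced by placeholders.
RECIPE = [
    "set usm local-engine user nms2 authentication-sha authentication-password <AUTH-PASS>",
    "set usm local-engine user nms2 privacy-des privacy-password <PRIV-PASS>",
    "set view config-info-read oid jnxCfgMgmt include",
    "set view config-info-notify oid jnxCfgMgmt include",
    "set view config-info-notify oid jnxCmNotifications include",
    "set view config-info-notify oid snmpMIBObjects include",
    "set view config-info-notify oid system include",
    "set vacm access group config-only default-context-prefix security-model usm security-level privacy read-view config-info-read",
    "set vacm access group config-only default-context-prefix security-model usm security-level privacy notify-view config-info-notify",
]
# Constructed weak variant: user without privacy, auth-only access, notify view too narrow.
WEAK = [
    "set usm local-engine user nms3 authentication-sha authentication-password <AUTH-PASS>",
    "set view notify-narrow oid jnxCfgMgmt include",
    "set vacm access group config-only default-context-prefix security-model usm security-level authentication notify-view notify-narrow",
]
```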
