

Configuring the SNMP Community String

The SNMP community string defines the relationship between an SNMP server system and the client systems. This string acts like a password to control the clients' access to the server. To configure a community string, include the community statement at the [edit snmp] hierarchy level:

[edit snmp]
community name { 
    authorization authorization; 
    clients { 
        default restrict; 
        address restrict;
    }
    view view-name;
}

If the community name contains spaces, enclose it in quotation marks (" ").

The default authorization level for a community is read-only. To allow Set requests within a community, you need to define that community as authorization read-write. For Set requests, you also need to include the specific MIB objects that are accessible with read-write privileges using the view statement. The default view includes all supported MIB objects that are accessible with read-only privileges; no MIB objects are accessible with read-write privileges. For more information on the view statement, see view.

The clients statement lists the IP addresses of the clients (community members) that are allowed to use this community. If no clients statement is present, all clients are allowed. For address, you must specify an IPv4 or IPv6 address, not a hostname. Include the default restrict option to deny access to all SNMP clients for which access is not explicitly granted. We recommend that you always include the default restrict option to limit SNMP client access to the local router.

NOTE: Community names must be unique. You cannot configure the same community name at the [edit snmp community] and [edit snmp v3 snmp-community community-index] hierarchy levels.


Examples: Configuring the SNMP Community String

Grant read-only access to all clients. With the following configuration, the system responds to SNMP Get, GetNext, and GetBulk requests that contain the community string public:

[edit]
snmp {
    community public {
        authorization read-only;
    }
}

Grant all clients read-write access to the ping MIB and jnxPingMIB. With the following configuration, the system responds to SNMP Get, GetNext, GetBulk, and Set requests that contain the community string private and specify an OID contained in the ping MIB or jnxPingMIB hierarchy:

[edit]
snmp {
    view ping-mib-view {
        oid pingMIB include;
        oid jnxPingMIB include;
    }
    community private {
        authorization read-write;
        view ping-mib-view;
    }
}

The following configuration allows read-only access to clients with IP addresses in the range 1.2.3.4/24, and denies access to systems in the range fe80::1:2:3:4/64:

[edit]
snmp {
    community field-service {
        authorization read-only;
        clients {
            default restrict;             # Restrict access to all SNMP clients not explicitly
                                          # listed on the following lines.
            1.2.3.4/24;                   # Allow access by all clients in 1.2.3.4/24, except
            fe80::1:2:3:4/64 restrict;    # fe80::1:2:3:4/64.
        }
    }
}
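
The following is an added example, not part of the original documentation or of any Juniper tool: a small Python audit that parses a Junos-style snmp stanza and flags communities that, under the rules described above, are open to all clients, have a clients statement without default restrict, or are read-write with no view. The function names, issue labels, and the sample configuration (the three example communities from this page combined into one snmp block) are assumptions made for this example.

```python
import re

def parse(text):
    """Parse Junos curly-brace config into nested dicts (leaf statements map to None)."""
    text = re.sub(r'#.*|^\s*\[edit.*$', '', text, flags=re.M)  # drop comments, [edit] banners
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == '{':
            child = stack[-1][' '.join(words)] = {}
            stack.append(child)
            words = []
        elif tok == ';':
            stack[-1][' '.join(words)] = None
            words = []
        elif tok == '}':
            if len(stack) > 1:
                stack.pop()
        else:
            words.append(tok.strip('"'))  # quoted names may contain spaces
    return stack[0]

def audit(text):
    """Return (community, issue) pairs for the access rules described on this page."""
    findings = []
    for key, body in (parse(text).get('snmp') or {}).items():
        if not key.startswith('community ') or body is None:
            continue
        name = key[len('community '):]
        rw = 'authorization read-write' in body   # default authorization is read-only
        clients = body.get('clients')
        if clients is None:                       # no clients statement: all clients allowed
            findings.append((name, ('read-write' if rw else 'read-only') + '-open-to-all-clients'))
        elif 'default restrict' not in clients:   # recommended option is absent
            findings.append((name, 'missing-default-restrict'))
        if rw and not any(k.startswith('view ') for k in body):
            findings.append((name, 'read-write-without-view'))  # default view: nothing writable
    return findings

# Constructed sample: the three example communities from this page in one snmp block.
SAMPLE = """
snmp {
    view ping-mib-view { oid pingMIB include; oid jnxPingMIB include; }
    community public { authorization read-only; }
    community private { authorization read-write; view ping-mib-view; }
    community field-service { authorization read-only;
        clients { default restrict; 1.2.3.4/24; fe80::1:2:3:4/64 restrict; } }
}
"""
print(audit(SAMPLE))
```

The parser is deliberately minimal: it does not handle a # character inside a quoted community name, and it only inspects communities defined directly under snmp.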
