Configuring SNMP Communities

 

Configuring the SNMP agent in Junos OS is a straightforward task, and many of the settings are the same ones you configure on other managed devices in your network. For example, you need to configure Junos OS with an SNMP community string and a destination for traps. Community strings are administrative names that group collections of devices and the agents that are running on them together into common management domains. If a manager and an agent share the same community, they can communicate with each other. An SNMP community defines the level of authorization granted to its members, such as which MIB objects are available, which operations (read-only or read-write) are valid for those objects, and which SNMP clients are authorized, based on their source IP addresses.

The SNMP community string defines the relationship between an SNMP server system and the client systems. This string acts like a password to control the clients’ access to the server.

To create a read-only SNMP community:

  1. Enter the SNMP community used in your network.

    If the community name contains spaces, enclose it in quotation marks (" ").

    Community names must be unique.

    Note

    You cannot configure the same community name at the [edit snmp community] and [edit snmp v3 snmp-community community-index] hierarchy levels.

    This example uses the standard name public to create a community that gives limited read-only access.

  2. Define the authorization level for the community.

    The default authorization level for a community is read-only.

    To allow Set requests within a community, you need to define that community as authorization read-write. For Set requests, you also need to include the specific MIB objects that are accessible with read-write privileges using the view statement. The default view includes all supported MIB objects that are accessible with read-only privileges. No MIB objects are accessible with read-write privileges. For more information about the view statement, see Configuring MIB Views.

    This example confines the public community to read-only access. Any SNMP client (for example, an SNMP management system) that belongs to the public community can read MIB variables but cannot set (change) them.

  3. Define a list of clients in the community who are authorized to communicate with the SNMP agent in Junos OS.

    The clients statement lists the IP addresses of the clients (community members) that are allowed to use this community. List the clients by IP address and prefix. Typically, the list includes the SNMP network management system in your network or the address of your management network. If no clients statement is present, all clients are allowed. For address, you must specify an IPv4 or IPv6 address, not a hostname.

    The following statement defines the hosts in the 192.168.1.0/24 network as being authorized in the public community.

  4. Define the clients that are not authorized within the community by specifying their IP address, followed by the restrict statement.

    The following statement defines all other hosts as being restricted from the public community.

  5. At the top level of the configuration, apply the configuration group.

    If you use a configuration group, you must apply it for it to take effect.

  6. Commit the configuration.


To create a read-write SNMP community:

  1. Enter the SNMP community used in your network.

    This example uses the standard community string private to identify the community granted read-write access to the SNMP agent running on the device.

  2. Define the authorization level for the community.

    This example confines the public community to read-only access. Any SNMP client (for example, an SNMP management system) that belongs to the public community can read MIB variables but cannot set (change) them.

  3. Define a list of clients in the community who are authorized to make changes to the SNMP agent in Junos OS.

    List the clients by IP address and prefix.

    For example:

  4. Define the clients that are not authorized within the community by specifying their IP address, followed by the restrict statement.

    The following statement defines all other hosts as being restricted from the public community.

  5. At the top level of the configuration, apply the configuration group.

    If you use a configuration group, you must apply it for it to take effect.

  6. Commit the configuration.
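
The following added example (not part of the original page and not Juniper code) audits a configuration in Junos set format against both procedures above: it reports communities that have no clients statement, no restrict entry covering all other hosts, read-write authorization, or a standard name. The sample configuration, the "noc monitoring" community, and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in Junos "set" format (not taken from the original page).
SAMPLE_CONFIG = """\
set snmp community public authorization read-only
set snmp community public clients 192.168.1.0/24
set snmp community public clients 0.0.0.0/0 restrict
set snmp community private authorization read-write
set snmp community "noc monitoring" clients 10.0.0.5/32
"""

# Matches the statement with or without a configuration-group prefix.
LINE = re.compile(r'^set (?:groups \S+ )?snmp community ("[^"]+"|\S+)(?: (.*))?$')

def parse_communities(config):
    """Return {name: {"authorization", "allowed", "restricted"}} per community."""
    communities = {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        entry = communities.setdefault(m.group(1).strip('"'), {
            "authorization": "read-only",  # default level stated on the page
            "allowed": [], "restricted": []})
        words = (m.group(2) or "").split()
        if len(words) == 2 and words[0] == "authorization":
            entry["authorization"] = words[1]
        elif len(words) >= 2 and words[0] == "clients":
            prefix = "0.0.0.0/0" if words[1] == "0/0" else words[1]  # expand shorthand
            key = "restricted" if words[2:] == ["restrict"] else "allowed"
            entry[key].append(ipaddress.ip_network(prefix, strict=False))
    return communities

def audit(config):
    """Return {community name: [findings]} for the checks the procedure implies."""
    findings = {}
    for name, c in parse_communities(config).items():
        issues = []
        if not c["allowed"] and not c["restricted"]:
            issues.append("no clients statement: all clients allowed")
        elif not any(n.prefixlen == 0 for n in c["restricted"]):
            issues.append("no restrict entry covering all other hosts")
        if c["authorization"] == "read-write":
            issues.append("read-write: Set requests permitted")
        if name in ("public", "private"):
            issues.append("standard community name")
        findings[name] = issues
    return findings
```

Calling audit(SAMPLE_CONFIG) returns one list of findings per community; an empty list means none of these checks fired.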