Configure SNMP in Junos OS
Configure SNMP
You can implement SNMP in the Junos OS Software running on the QFX Series and OCX Series products. By default, SNMP is not enabled. To enable SNMP, you must include the SNMP configuration statements at the [edit] hierarchy level.
To configure the minimum requirements for SNMP, include the community public statement at the [edit snmp] hierarchy level.
To configure complete SNMP features, see snmp.
Configuration Statements at the [edit snmp] Hierarchy Level
This topic shows all configuration statements at the [edit snmp] hierarchy level and their level in the configuration hierarchy. When you are configuring Junos OS, your current hierarchy level is shown in the banner on the line preceding the user@host# prompt.
    [edit]
    snmp {
        alarm-management {
            alarm-list-name list-name {
                alarm-id id {
                    alarm-state state {
                        description alarm-description;
                        notification-id notification-id-of-alarm;
                        resource-prefix alarm-resource-prefix;
                        varbind-index varbind-index-in-alarm-varbind-list;
                        varbind-subtree alarm-varbind-subtree;
                        varbind-value alarm-varbind-value;
                    }
                }
            }
        }
        client-list client-list-name {
            ip-addresses;
        }
        community community-name {
            authorization authorization;
            client-list-name client-list-name;
            clients {
                address <restrict>;
            }
            logical-system logical-system-name {
                routing-instance routing-instance-name;
                clients {
                    address <restrict>;
                }
            }
            routing-instance routing-instance-name {
                clients {
                    address <restrict>;
                }
            }
            view view-name;
        }
        contact contact;
        description description;
        engine-id {
            (local engine-id | use-default-ip-address | use-mac-address);
        }
        filter-duplicates;
        interface [ interface-names ];
        location location;
        name name;
        nonvolatile {
            commit-delay seconds;
        }
        rmon {
            alarm index {
                description description;
                falling-event-index index;
                falling-threshold integer;
                falling-threshold-interval seconds;
                interval seconds;
                request-type (get-next-request | get-request | walk-request);
                rising-event-index index;
                rising-threshold integer;
                sample-type type;
                startup-alarm alarm;
                syslog-subtag syslog-subtag;
                variable oid-variable;
            }
            event index {
                community community-name;
                description description;
                type type;
            }
        }
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regular-expression>;
            flag flag;
            memory-trace;
            no-remote-trace;
            no-default-memory-trace;
        }
        trap-group group-name {
            categories {
                category;
            }
            destination-port port-number;
            routing-instance instance;
            logical-system logical-system-name;
            targets {
                address;
            }
            version (all | v1 | v2);
        }
        trap-options {
            agent-address outgoing-interface;
            source-address address;
            enterprise-oid;
            logical-system logical-system-name {
                routing-instance routing-instance-name {
                    source-address address;
                }
            }
            routing-instance routing-instance-name {
                source-address address;
            }
        }
        v3 {
            notify name {
                tag tag-name;
                type (trap | inform);
            }
            notify-filter profile-name {
                oid oid (include | exclude);
            }
            snmp-community community-index {
                community-name community-name;
                security-name security-name;
                tag tag-name;
            }
            target-address target-address-name {
                address address;
                address-mask address-mask;
                logical-system logical-system;
                port port-number;
                retry-count number;
                routing-instance instance;
                tag-list tag-list;
                target-parameters target-parameters-name;
                timeout seconds;
            }
            target-parameters target-parameters-name {
                notify-filter profile-name;
                parameters {
                    message-processing-model (v1 | v2c | v3);
                    security-level (authentication | none | privacy);
                    security-model (usm | v1 | v2c);
                    security-name security-name;
                }
            }
            usm {
                local-engine {
                    user username {
                        authentication-md5 {
                            authentication-password authentication-password;
                        }
                        authentication-none;
                        authentication-sha {
                            authentication-password authentication-password;
                        }
                        privacy-3des {
                            privacy-password privacy-password;
                        }
                        privacy-aes128 {
                            privacy-password privacy-password;
                        }
                        privacy-des {
                            privacy-password privacy-password;
                        }
                        privacy-none;
                    }
                }
            }
            vacm {
                access {
                    group group-name {
                        (default-context-prefix | context-prefix context-prefix) {
                            security-model (any | usm | v1 | v2c) {
                                security-level (authentication | none | privacy) {
                                    notify-view view-name;
                                    read-view view-name;
                                    write-view view-name;
                                }
                            }
                        }
                    }
                }
                security-to-group {
                    security-model (usm | v1 | v2c) {
                        security-name security-name {
                            group group-name;
                        }
                    }
                }
            }
        }
        view view-name {
            oid object-identifier (include | exclude);
        }
    }
Starting from Junos OS and Junos OS Evolved Release 22.2R1, the packet-size option is enabled in the CLI under the [edit snmp] hierarchy.
Configure Basic Settings for SNMP
The following sections contain information about basic SNMP configuration and a few examples of configuring the basic SNMP operations on devices running Junos OS:
Configure Basic Settings for SNMPv1 and SNMPv2
SNMP is not enabled by default on devices running Junos OS. To enable SNMP on devices running Junos OS, include the community public statement at the [edit snmp] hierarchy level.
Enabling SNMPv1 and SNMPv2 Get and GetNext Operations
    [edit]
    snmp {
        community public;
    }
A community that is defined as public grants access to all MIB data to any client.
To enable SNMPv1 and SNMPv2 Set operations on the device, you must include the following statements at the [edit snmp] hierarchy level:
Enabling SNMPv1 and SNMPv2 Set Operations
    [edit snmp]
    view all {
        oid .1;
    }
    community private {
        view all;
        authorization read-write;
    }
The following example shows the basic minimum configuration for SNMPv1 and SNMPv2 traps on a device:
Configuring SNMPv1 and SNMPv2 Traps
    [edit snmp]
    trap-group jnpr {
        targets {
            192.168.69.179;
        }
    }
Configure Basic Settings for SNMPv3
The following example shows the minimum SNMPv3 configuration for enabling Get, GetNext, and Set operations on a device (note that the configuration has authentication set to md5 and privacy to none):
Enabling SNMPv3 Get, GetNext, and Set Operations
    [edit snmp]
    v3 {
        usm {
            local-engine {
                user jnpruser {
                    authentication-md5 {
                        authentication-key "$9$guaDiQFnAuOQzevMWx7ikqP"; ## SECRET-DATA
                    }
                    privacy-none;
                }
            }
        }
        vacm {
            security-to-group {
                security-model usm {
                    security-name jnpruser {
                        group grpnm;
                    }
                }
            }
            access {
                group grpnm {
                    default-context-prefix {
                        security-model any {
                            security-level authentication {
                                read-view all;
                                write-view all;
                            }
                        }
                    }
                }
            }
        }
    }
    view all {
        oid .1;
    }
The following example shows the basic configuration for SNMPv3 informs on a device (the configuration has authentication and privacy set to none):
Configuring SNMPv3 Informs
    [edit snmp]
    v3 {
        usm {
            remote-engine 00000063200133a2c0a845c3 {
                user RU2_v3_sha_none {
                    authentication-none;
                    privacy-none;
                }
            }
        }
        vacm {
            security-to-group {
                security-model usm {
                    security-name RU2_v3_sha_none {
                        group g1_usm_auth;
                    }
                }
            }
            access {
                group g1_usm_auth {
                    default-context-prefix {
                        security-model usm {
                            security-level authentication {
                                read-view all;
                                write-view all;
                                notify-view all;
                            }
                        }
                    }
                }
            }
        }
        target-address TA2_v3_sha_none {
            address 192.168.69.179;
            tag-list tl1;
            address-mask 255.255.252.0;
            target-parameters TP2_v3_sha_none;
        }
        target-parameters TP2_v3_sha_none {
            parameters {
                message-processing-model v3;
                security-model usm;
                security-level none;
                security-name RU2_v3_sha_none;
            }
            notify-filter nf1;
        }
        notify N1_all_tl1_informs {
            type inform; # Replace inform with trap to convert informs to traps.
            tag tl1;
        }
        notify-filter nf1 {
            oid .1 include;
        }
    }
    view all {
        oid .1 include;
    }
You can convert the SNMPv3 informs to traps by setting the value of the type statement at the [edit snmp v3 notify N1_all_tl1_informs] hierarchy level to trap, as shown in the following example:
Converting Informs to Traps
user@host# set snmp v3 notify N1_all_tl1_informs type trap
Configure SNMP Details
You can use SNMP to store basic administrative details, such as a contact name and the location of the device. Your management system can then retrieve this information remotely when you are troubleshooting an issue or performing an audit. In SNMP terminology, these are the sysName, sysContact, sysDescription, and sysLocation objects found within the system group of MIB-2 (as defined in RFC 1213, Management Information Base for Network Management of TCP/IP-based internets: MIB-II). You can set initial values directly in the Junos OS configuration for each system being managed by SNMP.
For the devices that are managed by SNMP, always keep the name, location, contact, and description information configured and updated.
To set the SNMP details:
Configure the Commit Delay Timer
When a router or switch first receives an SNMP nonvolatile Set request, a Junos OS XML protocol session opens and prevents other users or applications from changing the candidate configuration (equivalent to the command-line interface [CLI] configure exclusive command). If the router receives new SNMP Set requests while the candidate configuration is being committed, the SNMP Set request is rejected and an error is generated. If the router receives new SNMP Set requests before 5 seconds have elapsed, the commit-delay timer (the length of time between when the last SNMP request is received and the commit is requested) resets to 5 seconds.
By default, the timer is set to 5 seconds. To configure the timer for the SNMP Set reply and start of the commit, include the commit-delay statement at the [edit snmp nonvolatile] hierarchy level:
    [edit snmp nonvolatile]
    commit-delay seconds;
seconds is the length of the time between when the SNMP request is received and the commit is requested for the candidate configuration. For more information about the configure exclusive command and locking the configuration, see the Junos OS CLI User Guide.
Configure SNMP on a Device Running Junos OS
By default, SNMP is disabled on devices running Junos OS. To enable SNMP on a router or switch, you must include the SNMP configuration statements at the [edit snmp] hierarchy level.
To configure the minimum requirements for SNMP, include the community public statement at the [edit snmp] hierarchy level.
The community defined here as public grants read access to all MIB data to any client.
To configure complete SNMP features, include the following statements at the [edit snmp] hierarchy level:
    snmp {
        client-list client-list-name {
            ip-addresses;
        }
        community community-name {
            authorization authorization;
            client-list-name client-list-name;
            clients {
                address restrict;
            }
            routing-instance routing-instance-name {
                clients {
                    addresses;
                }
            }
            logical-system logical-system-name {
                routing-instance routing-instance-name {
                    clients {
                        addresses;
                    }
                }
            }
            view view-name;
        }
        contact contact;
        description description;
        engine-id {
            (local engine-id | use-mac-address | use-default-ip-address);
        }
        filter-duplicates;
        health-monitor {
            falling-threshold integer;
            interval seconds;
            rising-threshold integer;
        }
        interface [ interface-names ];
        location location;
        name name;
        nonvolatile {
            commit-delay seconds;
        }
        rmon {
            alarm index {
                description text-description;
                falling-event-index index;
                falling-threshold integer;
                falling-threshold-interval seconds;
                interval seconds;
                request-type (get-next-request | get-request | walk-request);
                rising-event-index index;
                sample-type type;
                startup-alarm alarm;
                syslog-subtag syslog-subtag;
                variable oid-variable;
            }
            event index {
                community community-name;
                description text-description;
                type type;
            }
        }
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regular-expression>;
            flag flag;
        }
        trap-group group-name {
            categories {
                category;
            }
            destination-port port-number;
            routing-instance instance;
            targets {
                address;
            }
            version (all | v1 | v2);
        }
        trap-options {
            agent-address outgoing-interface;
            source-address address;
        }
        view view-name {
            oid object-identifier (include | exclude);
        }
    }
Example: Configure SNMP on the QFabric System
By default, SNMP is disabled on devices running Junos OS. This example describes the steps for configuring SNMP on the QFabric system.
Requirements
This example uses the following hardware and software components:
Junos OS Release 12.2
Network management system (NMS) (running the SNMP manager)
QFabric system (running the SNMP agent) with multiple Node devices
Overview
You must enable SNMP on your device by including configuration statements at the [edit snmp] hierarchy level. At a minimum, you must configure the community public statement. The community defined as public grants read-only access to MIB data to any client.
If no clients statement is configured, all clients are allowed. We recommend that you always include the restrict option to limit SNMP client access to the switch.
Topology
The network topology in this example includes an NMS, a QFabric system with four Node devices, and external SNMP servers that are configured for receiving traps.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
    set snmp name "snmp qfabric" description "qfabric0 switch"
    set snmp location "Lab 4 Row 11" contact "qfabric-admin@qfabric0"
    set snmp community public authorization read-only
    set snmp client-list list0 192.168.0.0/24
    set snmp community public client-list-name list0
    set snmp community public clients 192.170.0.0/24 restrict
    set snmp trap-group "qf-traps" destination-port 155 targets 192.168.0.100
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure SNMP on the QFabric system:
If the name, description, location, contact, or community name contains spaces, enclose the text in quotation marks (" ").
Configure the SNMP system name:
    [edit snmp]
    user@switch# set name "snmp qfabric"
Note: You can access the above configured SNMP system name:
- By doing a query with the SNMPGet on policy object identifier (OID) sysName.0.
- From the generic jnxSyslogTrap. To send the jnxSyslogTrap, configure the trap events at the [edit event-options policy] hierarchy.
Specify a description.
    [edit snmp]
    user@switch# set description "qfabric0 system"
This string is placed into the MIB II sysDescription object.
Specify the physical location of the QFabric system.
    [edit snmp]
    user@switch# set location "Lab 4 Row 11"
This string is placed into the MIB II sysLocation object.
Specify an administrative contact for the SNMP system.
    [edit snmp]
    user@switch# set contact "qfabric-admin@qfabric0"
This name is placed into the MIB II sysContact object.
Specify a unique SNMP community name and the read-only authorization level.
Note: The read-write option is not supported on the QFabric system.
    [edit snmp]
    user@switch# set community public authorization read-only
Create a client list with a set of IP addresses that can use the SNMP community.
    [edit snmp]
    user@switch# set client-list list0 192.168.0.0/24
    user@switch# set community public client-list-name list0
Specify IP addresses of clients that are restricted from using the community.
    [edit snmp]
    user@switch# set community public clients 198.51.100.0/24 restrict
Configure a trap group, destination port, and a target to receive the SNMP traps in the trap group.
    [edit snmp]
    user@switch# set trap-group "qf-traps" destination-port 155 targets 192.168.0.100
Note: You do not need to include the destination-port statement if you use the default port 162.
The trap group qf-traps is configured to send traps to 192.168.0.100.
Results
From configuration mode, confirm your configuration by entering the show command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
    [edit]
    user@switch# show
    snmp {
        name "snmp qfabric";
        description "qfabric0 system";
        location "Lab 4 Row 11";
        contact "qfabric-admin@qfabric0";
        client-list list0 {
            192.168.0.0/24;
        }
        community public {
            authorization read-only;
            clients {
                198.51.100.0/24 restrict;
            }
        }
        trap-group qf-traps {
            destination-port 155;
            targets {
                192.168.0.100;
            }
        }
    }
If you are done configuring the device, enter commit from configuration mode.
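The SNMPv1/SNMPv2 community examples, the SNMPv3 user example, and the client restriction recommendation above can be checked mechanically before a commit. The following Python script is an added example, not part of the Juniper documentation: it audits a configuration in "set" form for communities that have no clients or client-list-name statement, read-write authorization, well-known community names, and SNMPv3 users without strong authentication or privacy. The function name audit_snmp, the finding labels, and the sample input are assumptions made for illustration.

```python
import shlex

# Constructed sample in "set" form, adapted from this page's examples; the
# authentication key is a placeholder, not a real value.
SAMPLE = '''
set snmp community public authorization read-only
set snmp client-list list0 192.168.0.0/24
set snmp community public client-list-name list0
set snmp community public clients 192.170.0.0/24 restrict
set snmp community private view all
set snmp community private authorization read-write
set snmp v3 usm local-engine user jnpruser authentication-md5 authentication-key "KEY-PLACEHOLDER"
set snmp v3 usm local-engine user jnpruser privacy-none
'''

WELL_KNOWN = {"public", "private"}   # default names every scanner tries first
WEAK_V3 = {                          # USM user statements that weaken SNMPv3
    "authentication-none": "no authentication",
    "authentication-md5": "MD5 authentication",
    "privacy-none": "no encryption",
    "privacy-des": "DES encryption",
}
NO_LIMIT = "no clients or client-list-name: all clients allowed"

def audit_snmp(config_text):
    """Return a sorted list of (object, issue) for 'set snmp ...' lines."""
    limited, findings = {}, set()    # limited: community -> has a client limit
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["set", "snmp"]:
            continue
        tok = tok[2:]
        if tok[:1] == ["community"] and len(tok) >= 3:
            name, rest = tok[1], tok[2:]
            limited.setdefault(name, False)
            if "clients" in rest or "client-list-name" in rest:
                limited[name] = True
            if ("authorization", "read-write") in zip(rest, rest[1:]):
                findings.add((f"community {name}", "read-write authorization"))
            if name in WELL_KNOWN:
                findings.add((f"community {name}", "well-known community name"))
        elif tok[:2] == ["v3", "usm"] and "user" in tok[:-1]:
            user_at = tok.index("user")
            for word in tok[user_at + 2:]:
                if word in WEAK_V3:
                    findings.add((f"v3 user {tok[user_at + 1]}", WEAK_V3[word]))
    findings.update((f"community {n}", NO_LIMIT) for n, ok in limited.items() if not ok)
    return sorted(findings)

if __name__ == "__main__":
    for obj, issue in audit_snmp(SAMPLE):
        print(f"{obj}: {issue}")
```
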