Interfaces to Accept SNMP Requests
Configure the Interfaces on Which SNMP Requests Can Be Accepted
By default, all router or switch interfaces have SNMP access privileges. To limit access to certain interfaces only, include the interface statement at the [edit snmp] hierarchy level.
Specify the names of any logical or physical interfaces that should have SNMP access privileges. Any SNMP requests entering the router or switch from interfaces not listed are discarded.
Configure a Proxy SNMP Agent
Starting with Release 12.3, Junos OS enables you to assign one of the devices in the network as a proxy SNMP agent through which the network management system (NMS) can query other devices in the network. When you configure a proxy, you can specify the names of devices to be managed through the proxy SNMP agent.
When the NMS queries the proxy SNMP agent, the NMS specifies the community name (for SNMPv1 and SNMPv2) or the context and security name (for SNMPv3) associated with the device from which it requires the information.
If you have configured authentication and privacy methods and passwords for SNMPv3, those parameters are also specified in the query for SNMPv3 information.
To configure a proxy SNMP agent and specify devices to be managed by the proxy SNMP agent, see proxy (snmp).
Starting with Junos OS Release 15.2, you must configure the interface <interface-name> statement at the [edit snmp] hierarchy level for the proxy SNMP agent.
The community and security configurations for the proxy should match the corresponding configurations on the device that is to be managed.
The devices managed by the proxy SNMP agent send the traps directly to the network management system since the proxy SNMP agent does not have trap-forwarding capabilities.
You can use the show snmp proxy operational mode command to view proxy details on a device. The show snmp proxy command returns the proxy names, device names, SNMP version, community/security, and context information.
Example: Configure Secured Access List Checking
SNMP access privileges are granted only to devices on interfaces so-0/0/0 and at-1/0/1. The following example does this by configuring a list of logical interfaces:
[edit]
snmp {
    interface [ so-0/0/0.0 so-0/0/0.1 at-1/0/1.0 at-1/0/1.1 ];
}
The following example grants the same access by configuring a list of physical interfaces:
[edit]
snmp {
    interface [ so-0/0/0 at-1/0/1 ];
}
Filter Interface Information Out of SNMP Get and GetNext Output
Junos OS enables you to filter out information related to specific interfaces from the output of SNMP Get and GetNext requests. You can apply this filtering to interface-related MIBs such as IF MIB, ATM MIB, RMON MIB, and the Juniper Networks enterprise-specific IF MIB.
You can use the following options of the filter-interfaces statement at the [edit snmp] hierarchy level to specify the interfaces that you want to exclude from SNMP Get and GetNext queries:
interfaces—Interfaces that match the specified regular expressions.
all-internal-interfaces—Internal interfaces.
[edit]
snmp {
    filter-interfaces {
        interfaces {
            interface-name 1;
            interface-name 2;
        }
        all-internal-interfaces;
    }
}
Starting with Release 12.1, Junos OS provides an except option (! operator) that enables you to filter out all interfaces except those interfaces that match all the regular expressions prefixed with the ! mark.
For example, to filter out all interfaces except the ge interfaces from the SNMP get and get-next results, enter the following command:
[edit snmp]
user@host# set filter-interfaces interfaces "!^ge-.*"
user@host# commit
When this is configured, Junos OS filters out all interfaces except the ge interfaces from the SNMP get and get-next results.
The ! mark is supported only as the first character of the regular expression. If it appears anywhere else in a regular expression, Junos OS considers the regular expression invalid, and returns an error.
However, note that these settings apply only to SNMP operations. Users can continue to access information related to the interfaces (including those hidden using the filter-interfaces options) using the appropriate Junos OS command-line interface (CLI) commands.
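To check what a set of filter-interfaces patterns would hide before committing it, the rules described above for plain patterns and for the ! except option can be previewed offline. The following is an added example, not Juniper code: the function names and the sample interface list are hypothetical, Python's re module stands in for the Junos OS regular expression engine, and applying plain patterns before except patterns is an assumption.

```python
import re

# Constructed sample inventory; names are illustrative only.
SAMPLE_INTERFACES = ["ge-0/0/0", "ge-0/0/1", "xe-1/0/0", "so-0/0/0", "at-1/0/1", "lo0", "fxp0"]


def parse_patterns(patterns):
    """Split patterns into (hide, keep) lists of compiled regexes.

    A leading '!' marks an except pattern. A '!' anywhere else is rejected,
    matching the rule that Junos OS treats such an expression as invalid.
    """
    hide, keep = [], []
    for raw in patterns:
        negated = raw.startswith("!")
        body = raw[1:] if negated else raw
        if not body or "!" in body:
            raise ValueError(f"invalid filter-interfaces pattern: {raw!r}")
        (keep if negated else hide).append(re.compile(body))
    return hide, keep


def visible_interfaces(patterns, interfaces):
    """Return the interfaces that would still appear in Get/GetNext output."""
    hide, keep = parse_patterns(patterns)
    visible = []
    for name in interfaces:
        # Assumption: unanchored search, so anchor patterns explicitly with ^ and $.
        if any(rx.search(name) for rx in hide):
            continue  # matched a plain pattern: filtered out
        if keep and not all(rx.search(name) for rx in keep):
            continue  # failed at least one except pattern: filtered out
        visible.append(name)
    return visible


def hidden_interfaces(patterns, interfaces):
    """Return the interfaces the filter removes from SNMP output."""
    shown = set(visible_interfaces(patterns, interfaces))
    return [name for name in interfaces if name not in shown]


if __name__ == "__main__":
    for pats in (["!^ge-.*"], ["^so-.*", "^at-.*"]):
        print(pats, "->", visible_interfaces(pats, SAMPLE_INTERFACES))
```

Run it against an interface list taken from the device to confirm that a pattern set leaves visible exactly the interfaces the NMS needs to poll.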