SNMP Communities

An SNMP community defines the level of authorization granted to its members, such as the available MIB objects, the operations (read-only or read-write) that are valid for those objects, and the authorized SNMP clients, based on their source IP addresses.

Configure SNMP Communities

Configuring the SNMP agent in Junos OS is a straightforward task that shares familiar settings with other managed devices in your network. For example, you need to configure Junos OS with an SNMP community string and a destination for traps. Community strings are administrative names that group collections of devices and the agents that are running on them together into common management domains. If a manager and an agent share the same community, they can communicate with each other.

The SNMP community string defines the relationship between an SNMP server system and the client system. This string is a password to control the client's access to the server.

To create a read-only SNMP community:

  1. Enter the SNMP community used in your network.

    If the community name contains spaces, enclose it in quotation marks (" ").

    Community names must be unique.

    You cannot configure the same community name at the [edit snmp community] and [edit snmp v3 snmp-community community-index] hierarchy levels.

    This example uses the standard name public to create a community that gives limited read-only access.

  2. Define the authorization level for the community.

    The default authorization level for a community is read-only.

    To allow Set requests within a community, you need to define that community as authorization read-write. For Set requests, you also need to include the specific MIB objects that are accessible with read-write privileges using the view statement. The default view includes all supported MIB objects that are accessible with read-only privileges. No MIB objects are accessible with read-write privileges. For more information about the view statement, see Configure MIB Views.

    This example confines the public community to read-only access. Any SNMP client (for example, an SNMP management system) that belongs to the public community can read MIB variables but cannot set (change) them.

  3. Define a list of clients in the community who are authorized to communicate with the SNMP agent in Junos OS.

    The clients statement lists the IP addresses of the clients (community members) that are allowed to use this community. List the clients by IP address and prefix. Typically, the list includes the SNMP network management system in your network or the address of your management network. If no clients statement is present, all clients are allowed. For address, you must specify an IPv4 or IPv6 address, not a hostname.

    The following statement defines the hosts in the 192.168.1.0/24 network as being authorized in the public community.

  4. Define the clients that are not authorized within the community by specifying their IP address, followed by the restrict statement.

    The following statement defines all other hosts as being restricted from the public community.

  5. At the top level of the configuration, apply the configuration group.

    If you use a configuration group, you must apply it for it to take effect.

  6. Commit the configuration.

To create a read-write SNMP community:

  1. Enter the SNMP community used in your network.

    This example uses the standard community string private to identify the community granted read-write access to the SNMP agent running on the device.

  2. Define the authorization level for the community.

    This example confines the public community to read-only access. Any SNMP client (for example, an SNMP management system) that belongs to the public community can read MIB variables but cannot set (change) them.

  3. Define a list of clients in the community who are authorized to make changes to the SNMP agent in Junos OS.

    List the clients by IP address and prefix.

    For example:

  4. Define the clients that are not authorized within the community by specifying their IP address, followed by the restrict statement.

    The following statement defines all other hosts as being restricted from the public community.

  5. At the top level of the configuration, apply the configuration group.

    If you use a configuration group, you must apply it for it to take effect.

  6. Commit the configuration.

Add a Group of Clients to an SNMP Community

Junos OS enables you to add one or more groups of clients to an SNMP community. You can include the client-list-name name statement at the [edit snmp community community-name] hierarchy level to add all the members of the client list or prefix list to an SNMP community.

To define a list of clients, use the set snmp client-list client-list-name statement followed by the IP addresses of the clients.

You can configure a prefix list at the [edit policy-options] hierarchy level. Support for prefix lists in the SNMP community configuration enables you to use a single list to configure the SNMP and routing policies. For more information about the prefix-list statement, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.

To add a client list or prefix list to an SNMP community, use the set snmp community community-name client-list-name statement.

The client list and prefix list must not have the same name.

The following example shows how to define a client list:

The following example shows how to add a client list to an SNMP community:

The following example shows how to add a prefix list to an SNMP community:

Configure SNMP Community String

The SNMP community string defines the relationship between an SNMP server system and the client system. This string acts like a password to control the client’s access to the server.

To configure a community string in a Junos OS configuration, use the set snmp community statement.

If the community name contains spaces, enclose it in quotation marks (" ").

The default authorization level for a community is read-only. To allow Set requests within a community, you need to define that community as authorization read-write. For Set requests, you also need to include the specific MIB objects that are accessible with read-write privileges using the view statement. The default view includes all supported MIB objects that are accessible with read-only privileges; no MIB objects are accessible with read-write privileges. For more information about the view statement, see Configure MIB Views.

The clients statement lists the IP addresses of the clients (community members) that are allowed to use this community. If no clients statement is present, all clients are allowed. For address, you must specify an IPv4 address, not a hostname. Include the default restrict option to deny access to all SNMP clients for which access is not granted. We recommend that you always include the default restrict option to limit SNMP client access to the local switch.

Community names must be unique within each SNMP system.
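The client rules above can be checked offline against an exported configuration. The following Python sketch is an added example, not Juniper code: it parses set snmp community lines and flags communities with no clients statement, no default restrict entry, or read-write authorization without a view. The sample configuration and the community name "noc ro" are constructed, and treating 0.0.0.0/0, ::/0 or default followed by restrict as the default restrict entry is an assumption of this sketch.

```python
import shlex
from collections import defaultdict

# Constructed sample in Junos "set" format (not taken from a real device).
SAMPLE_CONFIG = '''
set snmp community public authorization read-only
set snmp community "noc ro" authorization read-only
set snmp community "noc ro" clients 192.168.1.0/24
set snmp community "noc ro" clients 0.0.0.0/0 restrict
set snmp community private authorization read-write
set snmp community private clients 192.168.1.0/24
'''

# Assumption: any of these, followed by "restrict", is the default restrict entry.
DEFAULT_ENTRIES = {"default", "0.0.0.0/0", "::/0"}

def parse_communities(config_text):
    """Collect per-community settings from 'set snmp community ...' lines."""
    comms = defaultdict(lambda: {"authorization": "read-only", "view": None,
                                 "clients": [], "restrict": [], "client_list": None})
    for line in config_text.splitlines():
        tok = shlex.split(line)  # keeps quoted names with spaces as one token
        if tok[:3] != ["set", "snmp", "community"] or len(tok) < 4:
            continue
        entry, rest = comms[tok[3]], tok[4:]
        if len(rest) >= 2 and rest[0] in ("authorization", "view"):
            entry[rest[0]] = rest[1]
        elif len(rest) >= 2 and rest[0] == "client-list-name":
            entry["client_list"] = rest[1]
        elif len(rest) >= 2 and rest[0] == "clients":
            key = "restrict" if rest[2:] == ["restrict"] else "clients"
            entry[key].append(rest[1])
    return dict(comms)

def audit(config_text):
    """Return {community: [findings]} for the access rules described above."""
    report = {}
    for name, c in parse_communities(config_text).items():
        findings = []
        if not c["clients"] and not c["restrict"] and not c["client_list"]:
            findings.append("no clients statement: all clients are allowed")
        elif not c["client_list"] and not DEFAULT_ENTRIES & set(c["restrict"]):
            findings.append("no default restrict entry")
        if c["authorization"] == "read-write" and c["view"] is None:
            findings.append("read-write without a view: no objects are writable")
        if name in ("public", "private"):
            findings.append("standard community name")
        report[name] = findings
    return report
```

Communities that reference a client list or prefix list are not resolved here; the sketch only records the list name and skips the clients checks for them.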

Examples: Configure the SNMP Community String

Grant read-only access to all clients. With the following configuration, the system responds to SNMP Get, GetNext, and GetBulk requests that contain the community string public:

Grant all clients read-write access to the ping MIB and jnxPingMIB. With the following configuration, the system responds to SNMP Get, GetNext, GetBulk, and Set requests that contain the community string private and specify an OID contained in the ping MIB or jnxPingMIB hierarchy:

The following configuration allows read-only access to clients with IP addresses in the range 1.2.3.4/24, and denies access to systems in the range fe80::1:2:3:4/64:

Configure the SNMPv3 Community

The SNMP community defines the relationship between an SNMP server system and the client systems. This statement is optional.

To configure the SNMP community, include the snmp-community statement at the [edit snmp v3] hierarchy level:

community-index is the index for the SNMP community.

To configure the SNMP community properties, include the following statements at the [edit snmp v3 snmp-community community-index] hierarchy level:

The following is a minimal sample configuration for snmp v3 snmp-community:

Note:

A community used by a user that does not support SNMPv3 continues to use SNMPv2.

For more information, see the following configuration:

This section includes the following topics:

Configuring the Community Name

The community name defines the SNMP community. The SNMP community authorizes SNMPv1 or SNMPv2c clients. The access privileges associated with the configured security name define which MIB objects are available and the operations (read, write, or notify) allowed on those objects.

To configure the SNMP community name, include the community-name statement at the [edit snmp v3 snmp-community community-index] hierarchy level. For more information about this statement, see community-name.

Configuring the Context

An SNMP context defines a collection of management information that is accessible to an SNMP entity. Typically, an SNMP entity has access to multiple contexts. A context can be a physical or logical system, a collection of multiple systems, or even a subset of a system. Each context in a management domain has a unique identifier.

To configure an SNMP context, include the context context-name statement at the [edit snmp v3 snmp-community community-index] hierarchy level. For more information about this statement, see context (SNMPv3).

Note:

To query a routing instance or a logical system,

Configuring the Security Names

To assign a community string to a security name, include the security-name statement at the [edit snmp v3 snmp-community community-index] hierarchy level:

security-name is used when access control is set up. The security-to-group configuration at the [edit snmp v3 vacm] hierarchy level identifies the group.

Note:

This security name must match the security name configured at the [edit snmp v3 target-parameters target-parameters-name parameters] hierarchy level when you configure traps.

Configuring the Tag

To configure the tag, include the tag statement at the [edit snmp v3 snmp-community community-index] hierarchy level. For more information about this statement, see tag.

Example: Configure SNMPv3 Community

This example shows how to configure an SNMPv3 community.

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

This example demonstrates how to create an SNMPv3 community. You define the SNMP community name, specify the security name used for access control, and define the tag name that identifies the addresses of managers that are allowed to use a community string. The target address defines a management application's address and the parameters that are used in sending notifications.

When the device receives a packet with a recognized community string and a tag is associated with that packet, the Junos software looks up all the target addresses with this tag and verifies that the source address of this packet matches one of the configured target addresses.

Specify where you want the traps to be sent and define which SNMPv1 and SNMPv2c packets are allowed. Specify the target address name that identifies the target address, and define the target address, the mask range of the address, the port number, the tag list, and the target parameter.
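The tag lookup described in this overview can be modelled in a few lines. The following Python sketch is an added example, not Junos code: it maps a community to its tag, selects the target addresses carrying that tag, and compares the packet source to each target under its address mask. All names, addresses and tags are constructed, and treating a community without a tag as not subject to this check is an assumption of the model.

```python
import ipaddress

# Constructed target-address table; names, addresses and tags are placeholders.
TARGET_ADDRESSES = [
    {"name": "ta1", "address": "10.1.1.1", "mask": "255.255.255.0", "tags": {"router1"}},
    {"name": "ta2", "address": "10.2.2.2", "mask": "255.255.255.255", "tags": {"router2"}},
]

# Community string -> tag. None means no tag is associated with the community.
COMMUNITY_TAGS = {"noc-ro": "router1", "lab-ro": None}

def masked(addr, mask):
    """Apply an IPv4 mask so that only the masked-in bits are compared."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))

def matching_targets(community, source_ip):
    """Names of target addresses that share the community's tag and cover source_ip."""
    tag = COMMUNITY_TAGS.get(community)
    return [ta["name"] for ta in TARGET_ADDRESSES
            if tag in ta["tags"]
            and masked(source_ip, ta["mask"]) == masked(ta["address"], ta["mask"])]

def source_allowed(community, source_ip):
    """Model of the check: recognized community, then tag-based source match."""
    if community not in COMMUNITY_TAGS:
        return False                  # community string not recognized
    if COMMUNITY_TAGS[community] is None:
        return True                   # assumption: no tag, so no source check here
    return bool(matching_targets(community, source_ip))
```

With the mask 255.255.255.0 on ta1, any source in 10.1.1.0 through 10.1.1.255 matches for the tag router1, which is why the mask chosen for a target address deserves the same scrutiny as a clients prefix.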

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit snmp v3] hierarchy level, and then enter commit from configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Configure the SNMP community name.

    Note:

    The SNMP community name must be unique.

  2. Configure the security name to perform access control.

  3. Define the tag name. The tag name identifies the address of managers that are allowed to use a community string.

  4. Configure the SNMP target address.

  5. Configure the mask range of the address for the community string access control.

  6. Configure the SNMPv3 target port number.

  7. Configure the SNMPv3 tag list to select the target addresses.

  8. Configure the SNMPv3 target parameter name in the target parameter table.

Results

From configuration mode, confirm your configuration by entering the show snmp v3 command. If the output does not display the intended configuration, repeat the configuration instructions in this example.

Verification

Verifying SNMPv3 community

Purpose

Verify that the SNMPv3 community is enabled.

Action

To verify the SNMPv3 community configuration, enter the show snmp v3 community command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Meaning

The output displays the information about SNMPv3 community being enabled on the system.