Network Management and Monitoring Guide

Configure SNMP in Junos OS

26-Aug-24

Configure SNMP

You can implement SNMP in the Junos OS Software running on the QFX Series and OCX Series products. By default, SNMP is not enabled. To enable SNMP, you must include the SNMP configuration statements at the [edit] hierarchy level.

To configure the minimum requirements for SNMP, include the community public statement at the [edit snmp] hierarchy level.

To configure complete SNMP features, see snmp.

Configuration Statements at the [edit snmp] Hierarchy Level

This topic shows all configuration statements at the [edit snmp] hierarchy level and their level in the configuration hierarchy. When you are configuring Junos OS, your current hierarchy level is shown in the banner on the line preceding the user@host# prompt.

[edit]
snmp {
    alarm-management {
        alarm-list-name list-name {
            alarm-id id {
                alarm-state state {
                    description alarm-description;
                    notification-id notification-id-of-alarm;
                    resource-prefix alarm-resource-prefix;
                    varbind-index varbind-index-in-alarm-varbind-list;
                    varbind-subtree alarm-varbind-subtree;
                    varbind-value alarm-varbind-value;
                }
            }
        }
    }
    client-list client-list-name {
        ip-addresses;
    }
    community community-name {
        authorization authorization;
        client-list-name client-list-name;
        clients {
            address <restrict>;
        }
        logical-system logical-system-name {
            routing-instance routing-instance-name;
            clients {
                address <restrict>;
            }
        }
        routing-instance routing-instance-name {
            clients {
                address <restrict>;
            }
        }
        view view-name;
    }
    contact contact;
    description description;
    engine-id {
        (local engine-id | use-default-ip-address | use-mac-address);
    }
    filter-duplicates;
    interface [ interface-names ];
    location location;
    name name;
    nonvolatile {
        commit-delay seconds;
    }
    rmon {
        alarm index {
            description description;
            falling-event-index index;
            falling-threshold integer;
            falling-threshold-interval seconds;
            interval seconds;
            request-type (get-next-request | get-request | walk-request);
            rising-event-index index;
            rising-threshold integer;
            sample-type type;
            startup-alarm alarm;
            syslog-subtag syslog-subtag;
            variable oid-variable;
        }
        event index {
            community community-name;
            description description;
            type type;
        }
    }
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regular-expression>;
        flag flag;
        memory-trace;
        no-remote-trace;
        no-default-memory-trace;
    }
    trap-group group-name {
        categories {
            category;
        }
        destination-port port-number;
        routing-instance instance;
        logical-system logical-system-name;
        targets {
            address;
        }
        version (all | v1 | v2);
    }
    trap-options {
        agent-address outgoing-interface;
        source-address address;
        enterprise-oid; 
        logical-system logical-system-name {
            routing-instance routing-instance-name {
                source-address address;
            }
        }
        routing-instance routing-instance-name {
            source-address address;
        }
    }
    v3 {
        notify name {
            tag tag-name;
            type (trap | inform);
        }
        notify-filter profile-name {
            oid oid (include | exclude);
        }
        snmp-community community-index {
            community-name community-name;
            security-name security-name;
            tag tag-name;
        }
        target-address target-address-name {
            address address;
            address-mask address-mask;
            logical-system logical-system;
            port port-number;
            retry-count number;
            routing-instance instance;
            tag-list tag-list;
            target-parameters target-parameters-name;
            timeout seconds;
        }
        target-parameters target-parameters-name {
            notify-filter profile-name;
            parameters {
                message-processing-model (v1 | v2c | v3);
                security-level (authentication | none | privacy);
                security-model (usm | v1 | v2c);
                security-name security-name;
            }
        }
        usm {
            local-engine {
                user username {
                    authentication-md5 {
                        authentication-password authentication-password;
                    }
                    authentication-none;
                    authentication-sha {
                        authentication-password authentication-password;
                    }
                    privacy-3des {
                        privacy-password privacy-password;
                    }
                    privacy-aes128 {
                        privacy-password privacy-password;
                    }
                    privacy-des {
                        privacy-password privacy-password;
                    }
                    privacy-none;
                }
            }
        }
        vacm {
            access {
                group group-name {
                    (default-context-prefix | context-prefix context-prefix) {
                        security-model (any | usm | v1 | v2c) {
                            security-level (authentication | none | privacy) {
                                notify-view view-name;
                                read-view view-name;
                                write-view view-name;
                            }
                        }
                    }
                }
            }
            security-to-group {
                security-model (usm | v1 | v2c) {
                    security-name security-name {
                        group group-name;
                    }
                }
            }
        }
    }
    view view-name {
        oid object-identifier (include | exclude);
    }
}

Note:

Starting from Junos OS and Junos OS Evolved Release 22.2R1, the packet-size option is enabled in the CLI under the [edit snmp] hierarchy level.

Configure Basic Settings for SNMP

The following sections contain information about basic SNMP configuration and a few examples of configuring the basic SNMP operations on devices running Junos OS:

Configure Basic Settings for SNMPv1 and SNMPv2

By default, SNMP is not enabled on devices running Junos OS. To enable SNMP on devices running Junos OS, include the community public statement at the [edit snmp] hierarchy level.

Enabling SNMPv1 and SNMPv2 Get and GetNext Operations

[edit]
snmp {
    community public;
}

A community that is defined as public grants access to all MIB data to any client.

To enable SNMPv1 and SNMPv2 Set operations on the device, you must include the following statements at the [edit snmp] hierarchy level:

Enabling SNMPv1 and SNMPv2 Set Operations

[edit snmp]
view all {
    oid .1;
}
community private {
    view all;
    authorization read-write;
}

The following example shows the basic minimum configuration for SNMPv1 and SNMPv2 traps on a device:

Configuring SNMPv1 and SNMPv2 Traps

[edit snmp]
trap-group jnpr {
    targets {
        192.168.69.179;
    }
}

Configure Basic Settings for SNMPv3

The following example shows the minimum SNMPv3 configuration for enabling Get, GetNext, and Set operations on a device (note that the configuration has authentication set to md5 and privacy to none):

Enabling SNMPv3 Get, GetNext, and Set Operations

[edit snmp]
v3 {
    usm {
        local-engine {
            user jnpruser {
                authentication-md5 {
                    authentication-key "$9$guaDiQFnAuOQzevMWx7ikqP"; ## SECRET-DATA
                }
                privacy-none;
            }
        }
    }
    vacm {
        security-to-group {
            security-model usm {
                security-name jnpruser {
                    group grpnm;
                }
            }
        }
        access {
            group grpnm {
                default-context-prefix {
                    security-model any {
                        security-level authentication {
                            read-view all;
                            write-view all;
                        }
                    }
                }
            }
        }
    }
}
view all {
    oid .1;
}
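
The following Python script is an added example, not part of the Juniper documentation. It parses configuration in the curly-brace form used on this page and flags the settings from the examples above that weaken SNMP access control: the public and private community names, read-write communities, communities with no clients or client-list-name statement, MD5 or absent authentication, absent or DES privacy, and write views granted below security-level privacy. The function names, the finding strings, and the choice of what to flag are assumptions of this example; the sample input is constructed from the page's statements with the key replaced by a placeholder.

```python
WEAK_USM = {  # statements from the [edit snmp v3 usm] hierarchy worth flagging
    "authentication-none": "no message authentication",
    "authentication-md5": "HMAC-MD5 authentication",
    "privacy-none": "no encryption, PDUs readable on the wire",
    "privacy-des": "single-DES encryption",
}

def parse_junos(text):
    """Curly-brace Junos config -> nested dicts (leaf statements map to None)."""
    stack = [{}]
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("[edit", "#")):
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line.startswith("}"):
            stack[1:] = stack[1:-1]  # pop one level, never the root
        else:  # leaf: keep the text before ';', dropping "## SECRET-DATA"
            stack[-1][line.split(";", 1)[0].strip()] = None
    return stack[0]

def children(node, prefix):
    """Yield (name, subtree) for each 'prefix name' statement under node."""
    for key, sub in (node or {}).items():
        parts = key.split()
        if len(parts) > 1 and parts[0] == prefix:
            yield parts[1], sub or {}

def audit_snmp(text):
    """Return findings for weak SNMP settings in a Junos configuration."""
    cfg = parse_junos(text)
    snmp = cfg.get("snmp") or cfg  # accept [edit] or [edit snmp] scope
    v3 = snmp.get("v3") or {}
    out = []
    for name, body in children(snmp, "community"):
        if name in ("public", "private"):
            out.append(f"community {name}: well-known community string")
        if "authorization read-write" in body:
            out.append(f"community {name}: read-write (Set) access")
        if not any(k.startswith(("clients", "client-list-name")) for k in body):
            out.append(f"community {name}: no client restriction")
    for engine in (v3.get("usm") or {}).values():  # local-engine, remote-engine
        for user, body in children(engine, "user"):
            out += [f"usm user {user}: {why}"
                    for stmt, why in WEAK_USM.items() if stmt in body]
    access = (v3.get("vacm") or {}).get("access")
    for group, gbody in children(access, "group"):
        for ctx in gbody.values():  # default-context-prefix or context-prefix
            for _, model in children(ctx, "security-model"):
                for level, lbody in children(model, "security-level"):
                    writes = any(k.startswith("write-view") for k in lbody)
                    if writes and level != "privacy":
                        out.append(f"vacm group {group}: write-view at level {level}")
    return out

SAMPLE = """
[edit snmp]
community private {
    authorization read-write;
}
v3 {
    usm {
        local-engine {
            user jnpruser {
                authentication-md5 {
                    authentication-key "PLACEHOLDER"; ## SECRET-DATA
                }
                privacy-none;
            }
        }
    }
}
"""  # constructed sample: page statements, key replaced by a placeholder
```

Calling audit_snmp(SAMPLE) returns one finding string per weak statement; a configuration that uses a non-default community name with a clients list, authentication-sha, privacy-aes128, and security-level privacy returns an empty list.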

The following example shows the basic configuration for SNMPv3 informs on a device (the configuration has the authentication and privacy settings set to none):

Configuring SNMPv3 Informs

[edit snmp]
v3 {
    usm {
        remote-engine 00000063200133a2c0a845c3 {
            user RU2_v3_sha_none {
                authentication-none;
                privacy-none;
            }
        }
    }
    vacm {
        security-to-group {
            security-model usm {
                security-name RU2_v3_sha_none {
                    group g1_usm_auth;
                }
            }
        }
        access {
            group g1_usm_auth {
                default-context-prefix {
                    security-model usm {
                        security-level authentication {
                            read-view all;
                            write-view all;
                            notify-view all;
                        }
                    }
                }
            }
        }
    }
    target-address TA2_v3_sha_none {
        address 192.168.69.179;
        tag-list tl1;
        address-mask 255.255.252.0;
        target-parameters TP2_v3_sha_none;
    }
    target-parameters TP2_v3_sha_none {
        parameters {
            message-processing-model v3;
            security-model usm;
            security-level none;
            security-name RU2_v3_sha_none;
        }
        notify-filter nf1;
    }
    notify N1_all_tl1_informs {
        type inform; # Replace inform with trap to convert informs to traps.
        tag tl1;
    }
    notify-filter nf1 {
        oid .1 include;
    }
}
view all {
    oid .1 include;
}

You can convert the SNMPv3 informs to traps by setting the value of the type statement at the [edit snmp v3 notify N1_all_tl1_informs] hierarchy level to trap as shown in the following example:

Converting Informs to Traps

user@host# set snmp v3 notify N1_all_tl1_informs type trap

Configure SNMP Details

You can use SNMP to store basic administrative details, such as a contact name and the location of the device. Your management system can then retrieve this information remotely when you are troubleshooting an issue or performing an audit. In SNMP terminology, these are the sysName, sysContact, sysDescription, and sysLocation objects found within the system group of MIB-2 (as defined in RFC 1213, Management Information Base for Network Management of TCP/IP-based internets: MIB-II). You can set initial values directly in the Junos OS configuration for each system being managed by SNMP.

Note:

For the devices that are managed by SNMP, always keep the name, location, contact, and description information configured and updated.

To set the SNMP details:

  1. Configure a system name.
    Set the system name details by including the name statement at the [edit snmp] hierarchy level.
    [edit snmp]
    user@host# set name name
    

    For example:

    [edit snmp]
    user@host# set name "host" # Overrides the system name
    
  2. Configure a system contact.
    Set the system contact details by including the contact statement at the [edit snmp] hierarchy level, or in an appropriate configuration group as shown here.

    This administrative contact is placed into the MIB II sysContact object.

    If the name contains spaces, enclose it in quotation marks (" ").

    [edit snmp]
    user@host# set contact contact
    

    For example:

    [edit snmp]
    user@host# set contact "Enterprise Support, (650) 555-1234" # Specifies the name and phone number of the administrator.
    
  3. Configure a system description.

    This string is placed into the MIB II sysDescription object. If the description contains spaces, enclose it in quotation marks (" ").

    [edit snmp]
    user@host# set description description
    

    For example:

    [edit snmp]
    user@host# set description "M10i router with 8 FPCs" # Specifies the description for the device.
    
  4. Configure a system location.

    This string is placed into the MIB II sysLocation object. If the location contains spaces, enclose it in quotation marks (" ").

    To specify the system location:

    [edit]
    snmp {
        location "Row 11, Rack C";
    }
    
    [edit snmp]
    user@host# set location location
    

    For example:

    [edit snmp] 
    user@host# set location "London Corporate Office, Lab 5, Row 11, Rack C" # Specifies the location of the device.
    
  5. Commit the configuration.
    user@host# commit
    
  6. To verify the configuration, enter the show snmp mib walk system operational-mode command.

    The show snmp mib walk system command performs a MIB walk through of the system table (from MIB-2 as defined in RFC 1213). The SNMP agent in Junos OS responds by printing each row in the table and its associated value. You can use the same command to perform a MIB walk through any part of the MIB tree supported by the agent.

    user@host> show snmp mib walk system
    sysDescr.0    = M10i router with 8 FPCs
    sysObjectID.0 = jnxProductNameM10i
    sysUpTime.0   = 173676474
    sysContact.0  = Enterprise Support, (650) 555-1234
    sysName.0     = host
    sysLocation.0 = London Corporate Office, Lab 5, Row 11, Rack C
    sysServices.0 = 4

Configure the Commit Delay Timer

When a router or switch first receives an SNMP nonvolatile Set request, a Junos OS XML protocol session opens and prevents other users or applications from changing the candidate configuration (equivalent to the command-line interface [CLI] configure exclusive command). If the router receives new SNMP Set requests while the candidate configuration is being committed, the SNMP Set request is rejected and an error is generated. If the router receives new SNMP Set requests before 5 seconds have elapsed, the commit-delay timer (the length of time between when the last SNMP request is received and the commit is requested) resets to 5 seconds.

By default, the timer is set to 5 seconds. To configure the timer for the SNMP Set reply and start of the commit, include the commit-delay statement at the [edit snmp nonvolatile] hierarchy level:

[edit snmp nonvolatile]
commit-delay seconds;

seconds is the length of the time between when the SNMP request is received and the commit is requested for the candidate configuration. For more information about the configure exclusive command and locking the configuration, see the Junos OS CLI User Guide.

Configure SNMP on a Device Running Junos OS

By default, SNMP is disabled on devices running Junos OS. To enable SNMP on a router or switch, you must include the SNMP configuration statements at the [edit snmp] hierarchy level.

To configure the minimum requirements for SNMP, include the community public statement at the [edit snmp] hierarchy level.

The community defined here as public grants read access to all MIB data to any client.

To configure complete SNMP features, include the following statements at the [edit snmp] hierarchy level:

snmp {
    client-list client-list-name {
        ip-addresses;
    }
    community community-name {
        authorization authorization;
        client-list-name client-list-name;
        clients {
            address restrict;
        }
        routing-instance routing-instance-name {
            clients {
            addresses;
            }
        }
        logical-system logical-system-name {
            routing-instance routing-instance-name {
                clients {
                addresses;
                }
            }
        }
        view view-name;
    }
    contact contact;
    description description;
    engine-id {
        (local engine-id | use-mac-address | use-default-ip-address);
    }
    filter-duplicates;
    health-monitor {
        falling-threshold integer;
        interval seconds;
        rising-threshold integer;
    }
    interface [ interface-names ];
    location location;
    name name;
    nonvolatile {
        commit-delay seconds;
    }
    rmon {
        alarm index {
            description text-description;
            falling-event-index index;
            falling-threshold integer;
            falling-threshold-interval seconds;
            interval seconds;
            request-type (get-next-request | get-request | walk-request);
            rising-event-index index;
            sample-type type;
            startup-alarm alarm;
            syslog-subtag syslog-subtag;
            variable oid-variable;
        }
        event index {
            community community-name;
            description text-description;
            type type;
        }
    }
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regular-expression>;
        flag flag;
    }
    trap-group group-name {
        categories {
            category;
        }
        destination-port port-number;
        routing-instance instance;
        targets {
            address;
        }
        version (all | v1 | v2);
    }
    trap-options {
        agent-address outgoing-interface;
        source-address address;
    }
    view view-name {
        oid object-identifier (include | exclude);
    }
}

Example: Configure SNMP on the QFabric System

By default, SNMP is disabled on devices running Junos OS. This example describes the steps for configuring SNMP on the QFabric system.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 12.2

  • Network management system (NMS) (running the SNMP manager)

  • QFabric system (running the SNMP agent) with multiple Node devices

Overview

You must enable SNMP on your device by including configuration statements at the [edit snmp] hierarchy level. At a minimum, you must configure the community public statement. The community defined as public grants read-only access to MIB data to any client.

If no clients statement is configured, all clients are allowed. We recommend that you always include the restrict option to limit SNMP client access to the switch.

Topology

The network topology in this example includes an NMS, a QFabric system with four Node devices, and external SNMP servers that are configured for receiving traps.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set snmp name "snmp qfabric" description "qfabric0 system"
set snmp location "Lab 4 Row 11" contact "qfabric-admin@qfabric0"
set snmp community public authorization read-only
set snmp client-list list0 192.168.0.0/24
set snmp community public client-list-name list0
set snmp community public clients 198.51.100.0/24 restrict
set snmp trap-group "qf-traps" destination-port 155 targets 192.168.0.100

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure SNMP on the QFabric system:

Note:

If the name, description, location, contact, or community name contains spaces, enclose the text in quotation marks (" ").

  1. Configure the SNMP system name:

    [edit snmp]
    user@switch# set name "snmp qfabric"
    
    Note:

    You can access the above configured SNMP system name:

    • By doing a query with the SNMPGet on policy object identifier (OID) sysName.0.

    • From the generic jnxSyslogTrap. To send the jnxSyslogTrap, configure the trap events at [edit event-options policy] hierarchy.

  2. Specify a description.

    [edit snmp]
    user@switch# set description "qfabric0 system"
    

    This string is placed into the MIB II sysDescription object.

  3. Specify the physical location of the QFabric system.

    [edit snmp]
    user@switch# set location "Lab 4 Row 11"
    

    This string is placed into the MIB II sysLocation object.

  4. Specify an administrative contact for the SNMP system.

    [edit snmp]
    user@switch# set contact "qfabric-admin@qfabric0"
    

    This name is placed into the MIB II sysContact object.

  5. Specify a unique SNMP community name and the read-only authorization level.

    Note:

    The read-write option is not supported on the QFabric system.

    [edit snmp]
    user@switch# set community public authorization read-only
    
  6. Create a client list with a set of IP addresses that can use the SNMP community.

    [edit snmp]
    user@switch# set client-list list0 192.168.0.0/24
    user@switch# set community public client-list-name list0
    
  7. Specify IP addresses of clients that are restricted from using the community.

    [edit snmp]
    user@switch# set community public clients 198.51.100.0/24 restrict
    
  8. Configure a trap group, destination port, and a target to receive the SNMP traps in the trap group.

    [edit snmp]
    user@switch# set trap-group "qf-traps" destination-port 155 targets 192.168.0.100
    
    Note:

    You do not need to include the destination-port statement if you use the default port 162.

    The trap group qf-traps is configured to send traps to 192.168.0.100.

Results

From configuration mode, confirm your configuration by entering the show command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@switch# show
    snmp {
        name "snmp qfabric";
        description "qfabric0 system";
        location "Lab 4 Row 11";
        contact "qfabric-admin@qfabric0";
        client-list list0 {
            192.168.0.0/24;
        }
        community public {
            authorization read-only;
            clients {
                198.51.100.0/24 restrict;
            }
        }
        trap-group qf-traps {
            destination-port 155;
            targets {
                192.168.0.100;
            }
        }
    }

If you are done configuring the device, enter commit from configuration mode.
