SNMPv3 Traps

In SNMPv3, you create traps and informs by configuring the notify, target-address, and target-parameters parameters. Traps are unconfirmed notifications, whereas informs are confirmed notifications. This section describes how to configure SNMP traps.

Configure SNMPv3 Traps on a Device Running Junos OS

The target address defines a management application’s address and parameters used in sending notifications. Target parameters define the message processing and security parameters used in sending notifications to a particular management target. SNMPv3 also lets you define SNMPv1 and SNMPv2c traps.

Note:

When you configure SNMP traps, ensure your configured access privileges allow the traps to be sent. You can configure access privileges at the [edit snmp v3 vacm access] and [edit snmp v3 vacm security-to-group] hierarchy levels.

For details on SNMP v1 or v2 trap to OID translation and trap details that are sent by each category, see MIB Explorer.

Configure SNMPv3 Trap Notification

The notify statement specifies the type of notification (trap) and contains a single tag. The tag defines a set of target addresses to receive a trap. The tag list contains one or more tags and is configured at the [edit snmp v3 target-address target-address-name] hierarchy level. If the tag list contains this tag, Junos OS sends a notification to all the target addresses associated with this tag.

To configure the trap notifications, include the notify statement at the [edit snmp v3] hierarchy level.

Each notify entry name must be unique.

Junos OS supports two types of notification: trap and inform.

Example: Configure SNMPv3 Trap Notification

Specify three sets of destinations to send traps:

Configure the Trap Notification Filter

SNMPv3 uses the notify filter to define which traps (or which objects from which traps) are sent to the network management system (NMS). The trap notification filter limits the type of traps that are sent to the NMS.

Each object identifier represents a subtree of the MIB object hierarchy. You can represent the subtree either by a sequence of dotted integers (such as 1.3.6.1.2.1.2) or by its subtree name (such as interfaces). You can also use the wildcard character asterisk (*) in the object identifier (OID) to specify object identifiers that match a particular pattern.

To configure the trap notifications filter, include the notify-filter statement at the [edit snmp v3] hierarchy level.

By default, the OID is set to include. To define access to traps (or objects from traps), include the oid statement at the [edit snmp v3 notify-filter profile-name] hierarchy level. For more information about this statement, see notify-filter (Configuring the Profile Name).

Configure the Trap Target Address

The target address defines a management application’s address and parameters that are used in sending notifications. It can also identify management stations that are allowed to use specific community strings. When you receive a packet with a recognized community string and a tag is associated with it, Junos OS looks up all the target addresses with this tag and verifies that the source address of this packet matches one of the configured target addresses.

You must configure the address mask when you configure the SNMP community.

To specify where you want the traps to be sent and define what SNMPv1 and SNMPv2c packets are allowed, include the target-address statement at the [edit snmp v3] hierarchy level.

To configure the target address properties, include the following statements at the [edit snmp v3 target-address target-address-name] hierarchy level:

Unlike SNMPv2, SNMPv3 has no configuration option to limit inbound polling. However, you can configure a lo0 filter to limit inbound polling by creating a rule that allows SNMP only from your monitoring system IPs. For example:
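The following lo0 filter is an added illustration, not configuration from the original page. The filter name protect-re-snmp, the term names, the counter name, and the 192.0.2.x poller addresses are constructed placeholders.

```junos
firewall {
    family inet {
        filter protect-re-snmp {                  # hypothetical filter name
            term allow-nms-polling {
                from {
                    source-address {
                        192.0.2.10/32;            # constructed NMS address
                        192.0.2.11/32;            # constructed NMS address
                    }
                    protocol udp;
                    destination-port 161;         # SNMP polling port
                }
                then accept;
            }
            term drop-other-snmp {
                from {
                    protocol udp;
                    destination-port 161;
                }
                then {
                    count snmp-poll-denied;       # counter to watch for unexpected pollers
                    discard;
                }
            }
            # A Junos filter ends with an implicit discard. This term keeps
            # other traffic to the Routing Engine flowing; replace it with
            # your existing Routing Engine protection terms if you have them.
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re-snmp;
                }
            }
        }
    }
}
```

This covers IPv4 only; a device that answers SNMP over IPv6 needs an equivalent filter under family inet6.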

Configure the Address

To configure the address, include the address statement at the [edit snmp v3 target-address target-address-name] hierarchy level. For more information about this statement, see address (SNMP).

address is the SNMP target address.

Configure the Address Mask

The address mask specifies a set of addresses that are allowed to use a community string and verifies the source addresses for a group of target addresses.

To configure the address mask, include the address-mask statement at the [edit snmp v3 target-address target-address-name] hierarchy level.

address-mask combined with the address defines a range of addresses.

Configure the Port

By default, the UDP port is set to 162. To configure a different port number, include the port statement at the [edit snmp v3 target-address target-address-name] hierarchy level. For more information about this statement, see port.

Configure the Routing Instance

Traps are sent over the default routing instance. To configure the routing instance for sending traps, include the routing-instance statement at the [edit snmp v3 target-address target-address-name] hierarchy level. For more information about this statement, see routing-instance (SNMPv3).

Configure the Tag List

Each target-address statement can have one or more tags configured in its tag list. Each tag can appear in more than one tag list. When a significant event occurs on the network device, the tag list identifies the targets to which a notification is sent.

To configure the tag list, include the tag-list statement at the [edit snmp v3 target-address target-address-name] hierarchy level. For more information about this statement, see tag-list.

tag-list specifies one or more tags as a space-separated list enclosed within double quotes.

When you configure SNMP traps, make sure your configured access privileges allow the traps to be sent. Configure access privileges at the [edit snmp v3 vacm access] hierarchy level.

Apply Target Parameters

The target-parameters statement at the [edit snmp v3] hierarchy level applies the target parameters configured at the [edit snmp v3 target-parameters target-parameters-name] hierarchy level.

To reference configured target parameters, include the target-parameters statement at the [edit snmp v3 target-address target-address-name] hierarchy level:

Example: Configure the Tag List

In the following example, two tag entries (router1 and router2) are defined at the [edit snmp v3 notify notify-name] hierarchy level. When an event triggers a notification, Junos OS sends a trap to all target addresses that have router1 or router2 configured in their target-address tag list. This results in the first two targets getting one trap each, and the third target getting two traps.
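The tag fan-out described above, written out as an added configuration sketch rather than the original page's example. The names n1, n2, ta1 through ta3, tp1 through tp3, and the 192.0.2.x addresses are constructed, and the referenced target parameters are assumed to be defined elsewhere.

```junos
[edit snmp v3]
notify n1 {
    tag router1;                 # selects every target whose tag-list contains router1
    type trap;
}
notify n2 {
    tag router2;                 # selects every target whose tag-list contains router2
    type trap;
}
target-address ta1 {
    address 192.0.2.21;          # constructed address
    tag-list "router1";          # matched by n1 only: one trap per event
    target-parameters tp1;
}
target-address ta2 {
    address 192.0.2.22;          # constructed address
    tag-list "router2";          # matched by n2 only: one trap per event
    target-parameters tp2;
}
target-address ta3 {
    address 192.0.2.23;          # constructed address
    tag-list "router1 router2";  # matched by n1 and n2: two traps per event
    target-parameters tp3;
}
```

When auditing where a device sends notifications, read each notify tag against every tag-list: a target listed under several tags receives one copy per matching notify entry.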

Define and Configure the Trap Target Parameters

Target parameters define the message processing and security parameters that are used in sending notifications to a particular management target.

To define a set of target parameters, include the target-parameters statement at the [edit snmp v3] hierarchy level:

For more information about configuring subscriber secure policies, see Subscriber Secure Policy Overview.

Apply the Trap Notification Filter

To apply the trap notification filter, include the notify-filter statement at the [edit snmp v3 target-parameters target-parameter-name] hierarchy level. For more information about this statement, see notify-filter (Applying to the Management Target).

Configure the Target Parameters

To configure target parameter properties, include the following statements at the [edit snmp v3 target-parameters target-parameter-name parameters] hierarchy level.

Configure the Message Processing Model

The message processing model defines which version of SNMP to use when generating SNMP notifications. To configure the message processing model, include the message-processing-model statement at the [edit snmp v3 target-parameters target-parameter-name parameters] hierarchy level. For more information about this statement, see message-processing-model.

The subscriber secure policy on MX Series routers requires the v3 message-processing model. See Subscriber Secure Policy Overview.

Configure the Security Model

To define the security model to use when generating SNMP notifications, include the security-model statement at the [edit snmp v3 target-parameters target-parameter-name parameters] hierarchy level. For more information about this statement, see security-model (SNMP Notifications).

The subscriber secure policy on MX Series routers requires the usm security model. See Subscriber Secure Policy Overview.

Configure the Security Level

The security-level statement specifies whether the trap is authenticated and encrypted before it is sent.

To configure the security level to use when generating SNMP notifications, include the security-level statement at the [edit snmp v3 target-parameters target-parameter-name parameters] hierarchy level. For more information about this statement, see security-level (Generating SNMP Notifications).

If you are configuring the SNMPv1 or SNMPv2c security model, use none as your security level. If you are configuring the SNMPv3 (USM) security model, use the authentication or privacy security level.

The subscriber secure policy on MX Series routers requires the privacy security level. See Subscriber Secure Policy Overview for more information.

Configure the Security Name

To configure the security name to use when generating SNMP notifications, include the security-name statement at the [edit snmp v3 target-parameters target-parameter-name parameters] hierarchy level. For more information about this statement, see security-name (SNMP Notifications).

If you use USM as the security model, the security-name identifies the user that is used when the notification is generated. If you use v1 or v2c as the security model, security-name identifies the SNMP community used when the notification is generated.

The access privileges for the group associated with a security name must allow this notification to be sent.

If you are using the v1 or v2 security models, the security name at the [edit snmp v3 vacm security-to-group] hierarchy level must match the security name at the [edit snmp v3 snmp-community community-index] hierarchy level.
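The target parameters, notification filter, and matching access privileges from this section, combined in one added configuration sketch (not taken from the original page). The names tp1, nf1, trapuser, trap-group, and trap-view are constructed, and the USM user trapuser is assumed to be configured already with authentication and privacy keys.

```junos
snmp {
    view trap-view {
        oid .1 include;                          # MIB view referenced as the notify view
    }
    v3 {
        vacm {
            security-to-group {
                security-model usm {
                    security-name trapuser {     # must match security-name in tp1
                        group trap-group;
                    }
                }
            }
            access {
                group trap-group {
                    default-context-prefix {
                        security-model usm {
                            security-level privacy {
                                notify-view trap-view;   # without a notify view the trap is not allowed
                            }
                        }
                    }
                }
            }
        }
        notify-filter nf1 {
            oid .1.3.6.1.6.3.1.1.5 include;      # standard snmpTraps subtree
            oid .1.3.6.1.4.1.2636 include;       # Juniper enterprise subtree
        }
        target-parameters tp1 {
            notify-filter nf1;
            parameters {
                message-processing-model v3;
                security-model usm;
                security-level privacy;          # authenticated and encrypted
                security-name trapuser;
            }
        }
    }
}
```

The security model, security level, and security name in the target parameters have to line up with the VACM entries; a mismatch on any of the three leaves the group without permission to send the notification.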