SNMPv2c and SNMPv3 Polling and Traps Configuration in Juniper

Here is sample SNMPv2 and SNMPv3 configuration in Juniper routers. It also detailed on configuring SNMP trap for your Network Monitoring System(NMS).
SNMPv2c
community: snmpcomm123
management IP address: 192.168.10.100
SNMP Polling Server: 192.168.20.199
SNMP Trap Server: 192.168.20.200
Configuration:
set snmp name JUNIPER-SNMP
set snmp description “Juniper SNMP”
set snmp location Datacentre
set snmp community snmp routing-instance mgmt_junos
set snmp community snmpcomm123  clients 192.168.10.100/32
Traps Configuration:
set snmp trap-options source-address 192.168.10.100
set snmp trap-options agent-address outgoing-interface
set snmp trap-group SNMPGROUP version v2
set snmp trap-group SNMPGROUP destination-port 162
set snmp trap-group SNMPGROUP categories authentication
set snmp trap-group SNMPGROUP categories chassis
set snmp trap-group SNMPGROUP categories link
set snmp trap-group SNMPGROUP categories remote-operations
set snmp trap-group SNMPGROUP categories routing
set snmp trap-group SNMPGROUP categories startup
set snmp trap-group SNMPGROUP categories rmon-alarm
set snmp trap-group SNMPGROUP categories configuration
set snmp trap-group SNMPGROUP targets 192.168.20.200
set snmp trap-group SNMPGROUP routing-instance mgmt_junos
set snmp routing-instance-access
Verify:
snmpwalk -M /usr/local/snmp/mibs -v2c -c snmpcomm123 192.168.10.100:161 sysDescr.0
Output:
SNMPv2-MIB::sysDescr.0 = STRING: Juniper SNMP
SNMPv3
user: snmpuser
Security Level: Authpriv with SHA authentication and AES 128bit Privacy
management IP address: 192.168.10.100
AuthPass: authpass123!
PrivPass: privpass123!
View Name: ALLVIEW
Grou Name: SNMPGROUP
SNMP Polling Server: 192.168.20.199
SNMP Trap Server: 192.168.20.200
Important config:
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser authentication-sha authentication-key authpass123!
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser privacy-aes128 privacy-key
Full config (auth and privacy key output will be encrypted)
set groups SNMPv3-GROUP snmp location LOCATION
set groups SNMPv3-GROUP snmp stats-cache-lifetime 30
set groups SNMPv3-GROUP snmp filter-duplicates
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser authentication-sha authentication-key “$9$safsafasflvLx7sApORESreKxNwYgJUjbw4ZGUHddghAtOF3vWXxkTz39CuSreghdhdVqmPQ/C0BIcgh”
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser privacy-aes128 privacy-key “$9$Hk342df3d.mTGUtu0BEhdbwg4ZiHmzF/wYoGDjq.1REcevXxdsgoRhyKv34343t3i5QF6/tTQxz”
set groups SNMPv3-GROUP snmp v3 vacm security-to-group security-model usm security-name snmpuser group SNMPGROUP
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy read-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy write-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy notify-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP context-prefix CEN security-model any security-level privacy read-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP context-prefix CEN security-model any security-level privacy write-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP context-prefix CEN security-model any security-level privacy notify-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP tag-list SNMPGROUP-TAG
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP address-mask 255.255.255.255
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP routing-instance mgmt_junos
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP target-parameters SNMPGROUP-parameters
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters message-processing-model v3
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters security-model usm
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters security-level privacy
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters security-name SNMPGROUP
set groups SNMPv3-GROUP snmp v3 notify SNMPGROUP type inform
set groups SNMPv3-GROUP snmp v3 notify SNMPGROUP tag SNMPGROUP-TAG
set groups SNMPv3-GROUP snmp engine-id local snmpuser
set groups SNMPv3-GROUP snmp view ALLVIEW oid .1.3.6.1 include
set groups SNMPv3-GROUP routing-instances mgmt_junos description SNMP-Management
set apply-groups SNMPv3-GROUP
Optional:
Firewall Configuration (to protect RE)
set firewall family inet filter FIREWALL term SNMP-ALLOW from source-prefix-list SNMP-PREFIXES
set firewall family inet filter FIREWALL term SNMP-ALLOW from protocol udp
set firewall family inet filter FIREWALL term SNMP-ALLOW from destination-port snmp
set firewall family inet filter FIREWALL term SNMP-ALLOW then count SNMP-ALLOW
set firewall family inet filter FIREWALL term SNMP-ALLOW then acceptset policy-options prefix-list SNMP-PREFIXES 192.168.20.199/32
Testing SNMPv3:
Command:
/usr/bin/snmpwalk -M /usr/local/snmp/mibs -v3 -u snmpuser -l authPriv -a SHA -A authpass123! -x AES -X privpass123!  192.168.10.100:161 sysDescr.0
Output
RFC1213-MIB::sysDescr.0 = STRING: “Juniper SNMP
Here’s the Cisco version for SNMPv2c and SNMPv3 configuration –> SNMPv2c and SNMPv3 Polling and Traps Configuration in Cisco (IOS-XR)

4 Comments

  1. […] /usr/bin/snmpwalk -M /usr/local/snmp/mibs -v2c -c snmpcomm123 192.168.10.100:161 sysDescr.0 SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS XR Software (Cisco ASR9K Series),  Version 6.2.3[Default] Copyright (c) 2018 by Cisco Systems, Inc. SNMPv3 user: snmpuser Security Level: Authpriv with SHA authentication and AES 128bit Privacy management IP address: 192.168.10.100 AuthPass: authpass123! PrivPass: privpass123! View Name: ALLVIEW Username: Group Name: SNMPGROUP SNMP Polling Server: 192.168.20.199 SNMP Trap Server: 192.168.20.200 SNMPv3 Polling Configuration:   ipv4 access-list SNMP-ALLOW  10 permit ipv4 host 192.168.20.199 any snmp-server view ALLVIEW 1.3 included snmp-server group SNMPGROUP  v3 priv notify ALLVIEW read ALLVIEW IPv4 SNMP-ALLOW snmp-server user SNMPUSER SNMPGROUP v3 auth sha authpass123! priv aes 128 privpass123! IPv4 SNMP-ALLOW SNMPv3 Traps Configuration: snmp-server host 192.168.20.200 traps version 3 priv SNMPUSER Additional Tip: (Manual trigger of SNMP traps) #snmp test trap interface link-down #snmp test trap interface link-up Here’s the Juniper version for SNMPv2c and SNMPv3 configuration –> SNMP Configuration in Juniper […]

  2. Mark Villaluz said:

    Hello Author, I noticed that you are using the management instance mgmt_junos for the SNMPv3. I just want to ask if you are able to poll information from the default instance.

    Also, I notice that there is no destination address for the target-address line, did you remove it for security?

    Can you also show the snmpwalk output for the version3? Thanks.

    • Thanks for the comment. Yes, NMS server able to poll as long it is reachable, regardless which instance.Meaning can poll using Loopback IP as long the polling server is able to reach that IP. BTW instance mgmt_junos is configured to basically separate management from data traffic.
      Regarding the target address line, thanks for pointing out, you can see the SNMPGROUP configuration.
      Sample:
      snmpwalk -M /usr/local/snmp/mibs -v3 -u USERNAME -l authPriv -a SHA -A ****** -x AES -X ****** 192.168.0.100:161 sysDescr.0
      Output:
      RFC1213-MIB::sysDescr.0 = STRING: “Juniper SNMP”

Leave a Reply

Your email address will not be published. Required fields are marked *