[J/SRX] How to permit SNMPv1 and SNMPv2c polling for an interface in a routing instance

Article ID: KB13080
KB Last Updated: 10 Dec 2018
Version: 9.0
Summary:

This article explains how to configure a J/SRX device to allow SNMP polling of an interface that belongs to a non-default routing instance.

For SNMPv3, the configuration and polling method is different and is covered in KB27284 - How to pull SNMP v3 information from non-default routing-instance.

Symptoms:

What is the configuration required to perform an SNMPv1 or v2c poll to an interface that is part of a routing instance?

Solution:

To poll an interface that is part of the routing instance, refer to the following example configuration:

[edit]
root@B8_42# show interfaces 
ge-0/0/2 {
    unit 0 {
        family inet {
            address 172.19.46.70/24;
        }
    }
}

[edit]
root@B8_42# show routing-instances 
INTERNET {
    instance-type virtual-router;
    interface ge-0/0/2.0;
    routing-options {
        static {
            route 172.19.47.0/24 next-hop 172.19.46.1;
        }
    }
}


[edit snmp]
root@B8_42# show 
community public {
    authorization read-only;
    routing-instances INTERNET {
        clients {
            172.19.47.2/32;
        }
    }
}
routing-instance-access; 

If the device is running in flow mode, then the SNMP protocol must be added under the [host-inbound-traffic system-services] stanza in the appropriate security zone:

[edit security zones]
root@B8_42# show
security-zone INTERNET {
    interfaces {
        ge-0/0/2.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    snmp;
                }
            }
        }
    }
}


In the example, the ge-0/0/2 interface is part of the INTERNET routing instance. The SNMP server should be reachable from the interface that is being polled. To access MIB objects and perform SNMP operations for the routing instances, SNMPv1 and v2c clients must encode the routing-instance name in the community string in their SNMP requests.

As per the above example, the community string for SNMPv1 and v2c requests should look like this:

INTERNET@public


To access MIB objects and perform SNMP operations on the default routing instance through an interface that belongs to a routing instance, define the community string for SNMPv1 and v2c requests as "default@public" on the SNMP server.

Otherwise, if the community that is used in SNMP requests does not specify the routing-instance name (just the community string public), no MIB objects specific to the routing instance will be read/written.
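The following is an added example, not part of the original article or Juniper code. It builds an SNMPv2c GetRequest with the community INTERNET@public and then reads the community back out of the raw bytes, showing that the routing-instance name and the community travel unencrypted in the packet. The function names are hypothetical, and splitting at the first "@" is an assumption based on the instance@community form described above.

```python
"""Added example: SNMPv2c GetRequest carrying a routing-instance community."""

def tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value using short-form lengths (bodies up to 127 bytes)."""
    if len(body) > 127:
        raise ValueError("long-form BER lengths are not supported here")
    return bytes([tag, len(body)]) + body

def ber_int(n: int) -> bytes:
    """Non-negative INTEGER, minimal two's-complement encoding."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share a byte
    for arc in arcs[2:]:                         # remaining arcs are base-128
        group = [arc & 0x7F]
        arc >>= 7
        while arc:
            group.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(group))
    return tlv(0x06, bytes(body))

def build_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """SEQUENCE { version, community, GetRequest-PDU { id, 0, 0, varbinds } }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))        # OID with NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)  # 1 = v2c

def read_community(packet: bytes) -> str:
    """Pull the community OCTET STRING out of a captured SNMPv1/v2c message."""
    if packet[0] != 0x30 or packet[2] != 0x02:
        raise ValueError("not an SNMP message")
    pos = 4 + packet[3]                           # skip the version INTEGER
    if packet[pos] != 0x04:
        raise ValueError("community field not found")
    return packet[pos + 2: pos + 2 + packet[pos + 1]].decode()

def split_community(community: str):
    """Return (routing_instance, community); instance is None if no '@'."""
    instance, sep, name = community.partition("@")
    return (instance, name) if sep else (None, community)

if __name__ == "__main__":
    pkt = build_get("INTERNET@public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(pkt.hex(), split_community(read_community(pkt)))
```

Running the same parser over captured poller traffic confirms whether a management station is sending the instance@community form or the bare community.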

Note: If the device is running in high availability (HA) mode and configured to send SNMP packets from an interface belonging to a custom routing instance, snmp routing-instance-access and snmp community <community-name> routing-instance <routing-instance-name> must be configured. 

Modification History:

2018-12-10: Added a sentence in the solution to clarify accessing MIB objects and performing SNMP operations on default routing instance via an interface on routing instance.
