Configuring SNMP


To configure SNMP, you include statements at the [edit snmp] hierarchy level of the configuration:

 snmp {
   community community-name {
     authorization authorization;
     clients {
       address restrict;
     }
     view view-name;
   }
   contact contact;
   description description;
   interface [ interface-name ];
   location location;
   traceoptions {
     file files number size size;
     flag flag;
   }
   trap-group group-name {
     categories category;
     targets {
       address;
     }
     version version;
   }
   trap-options {
     agent-address outgoing-interface;
     source-address address;
   }
   view view-name {
     oid object-identifier (include | exclude);
   }
 }

By default, SNMP is disabled.

To configure the minimum requirements for SNMP, include the following statements. The community defined here as public grants read access to all MIB data to any client.

 [edit]
 snmp {
   community public;
 }

Configuring System Information

You can specify an administrative contact, the location of each system being managed, and a description for each system being managed by SNMP. To configure a contact name, include the contact statement:

 [edit snmp]
 contact contact;

To configure a system location, include the location statement:

 [edit snmp]
 location location;

To configure a description, include the description statement:

 [edit snmp]
 description description;

Configuring the SNMP Community String

If the community name contains spaces, enclose it in quotation marks (" ").

The SNMP community string defines the relationship between an SNMP server system and the client systems. This string acts like a password to control the clients' access to the server. To configure a community string, include the community statement:

 [edit snmp]
 community name {
   authorization authorization;
   clients {
     default restrict;
     address restrict;
   }
   view view-name;
 }

The default authorization level for a community is read-only. To allow Set requests within a community, you need to define that community as authorization read-write. (The JUNOS SNMP implementation supports Set requests only with the ping MIB.) For Set requests, you also need to include which specific MIB objects are accessible with read-write privileges using the view statement. The default view includes all supported MIB objects that are accessible with read-only privileges; no MIB objects are accessible with read-write privileges.

The clients statement lists the IP addresses of the clients (community members) that are allowed to use this community. If no clients statement is present, all clients are allowed. For the address, you must specify an address, not a hostname. Include the default restrict statement to deny access to all SNMP clients for which access is not explicitly granted. We recommend that you always include the default restrict statement to limit SNMP client access to the local router.

Configuring SNMP Trap Options

Some carriers have more than one trap receiver that forwards traps to a central NMS. This allows for more than one path for SNMP traps from a router to the central NMS through different trap receivers. A router can be configured to send the same copy of each SNMP trap to each trap receiver configured in the trap group.

By default, the source address in the IP header of each SNMP trap packet is set to the address of the outgoing interface. When a trap receiver forwards the packet to the central NMS, the source address is preserved. The central NMS, looking only at the source address of each SNMP trap packet, assumes that each SNMP trap comes from a different source. In reality, the SNMP traps came from the same router, but each left the router through a different outgoing interface.

SNMP trap options allow the NMS to recognize duplicate traps and to distinguish version 1 SNMP traps based on the outgoing interface.

Using SNMP trap options, you can set the source address of each SNMP trap packet sent by the router to a single address regardless of the outgoing interface. In addition, you can set the agent address of the SNMP version 1 traps.

You can configure the source address and the agent address of trap packets. The agent address is available only in the SNMP version 1 trap packets (see RFC 1157). Currently, the only value that can be specified for the source address is lo0, which indicates that the source address of the SNMP trap packets is set to the lowest loopback address configured at the lo0 interface.

To enable and configure the source address of SNMP traps, include the source-address statement:

 [edit snmp]
 trap-options {
   source-address address;
 }

To configure the loopback address, include the address statement:

 [edit interfaces]
 lo0 {
   unit 0 {
     family inet {
       address ip-address;
     }
   }
 }

By default, the agent address for SNMP traps is disabled. To set the agent address, include the agent-address statement. Currently, the only option available is the address of the outgoing interface.

 [edit snmp]
 trap-options {
   agent-address outgoing-interface;
 }

You can create and name a group of one or more types of SNMP trap and then define which systems receive the group of SNMP traps. The trap group must be configured for SNMP traps to be sent. To create an SNMP trap group, include the trap-group statement:

 [edit snmp]
 trap-group group-name {
   categories category;
   targets {
     address;
   }
   version version;
 }

The trap group name can be any string and is embedded in SNMP trap notification packets as one variable binding (varbind) known as the community name. Each trap group you define must have a name and one or more targets, which are the systems that receive the SNMP traps. Specify the targets by address, not by hostname. Specify the types of traps the trap group can receive in the categories statement.

For information about which traps belong to which category, see the JUNOS Network Management technical documentation.

The version statement specifies the SNMP version of the traps sent to targets of the trap group. If you specify version 1 only, SNMP version 1 traps are sent. If you specify version 2 only, SNMP version 2 traps are sent. If all is specified, both an SNMP version 1 and an SNMP version 2 trap are sent for every trap condition.

Configuring the Interfaces on Which SNMP Requests Are Accepted

By default, all router interfaces have SNMP access privileges. To limit the access through certain interfaces only, include the interface statement. Specify the names of any logical or physical interfaces that should have SNMP access privileges. Any SNMP requests entering the router from interfaces not listed are discarded.

 [edit snmp]
 interface [ interface-names ];

Configuring MIB Views

By default, an SNMP community grants read access and denies write access to all supported MIB objects (even communities configured as authorization read-write). To restrict or grant read or write access to a set of MIB objects, you must configure a MIB view and associate the views with a community. To configure MIB views, include the view statement:

 [edit snmp]
 view view-name {
   oid object-identifier (include | exclude);
 }

The view statement defines a MIB view and identifies a group of MIB objects. Each MIB object of a view has a common OID prefix. Each object identifier represents a subtree of the MIB object hierarchy.

To associate a MIB view with a community, include the view statement:

 [edit snmp community community-name]
 view view-name;
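The access controls covered so far (the clients list with default restrict, the interface statement, and MIB views) can be checked mechanically. The following Python script is an added example, not part of the original text or of JUNOS; it parses an [edit snmp] stanza and reports which of those controls are missing. The sample configurations, interface name, community names, view name, addresses, and function names are all constructed for illustration.

```python
import re
# Constructed sample configurations (illustrative, not from the page).
WEAK = "snmp { community public; }"
HARDENED = """
snmp {
    interface [ fe-0/0/0.0 ];
    view system-only { oid 1.3.6.1.2.1.1 include; }
    community "noc ro" {
        authorization read-only; view system-only;
        clients { default restrict; 192.0.2.10/32; }
    }
}
"""

def parse(tokens):
    """Turn a token list into {statement text: nested dict or None}."""
    node, words = {}, []
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok in ("{", ";"):
            node[" ".join(words)] = parse(tokens) if tok == "{" else None
            words = []
        else:
            words.append(tok)
    return node

def audit(text):
    """Return findings for the [edit snmp] access controls the page describes."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)
    snmp = parse(tokens).get("snmp") or {}
    findings = []
    if not any(k.startswith("interface ") for k in snmp):
        findings.append("snmp: no interface statement, requests accepted on all interfaces")
    for key, body in snmp.items():
        if key.startswith("community "):
            name, body = key.split(" ", 1)[1], body or {}
            clients = body.get("clients")
            if clients is None:
                findings.append(f"{name}: no clients statement, all clients allowed")
            elif "default restrict" not in clients:
                findings.append(f"{name}: clients list lacks 'default restrict'")
            if not any(k.startswith("view ") for k in body):
                findings.append(f"{name}: no view, all supported MIB objects readable")
    return findings

if __name__ == "__main__":
    print({"weak": audit(WEAK), "hardened": audit(HARDENED)})
```

The minimal "community public" configuration produces all three findings; the constructed hardened stanza produces none.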

Tracing SNMP Activity

To trace SNMP activity, include the traceoptions statement:

 [edit snmp]
 traceoptions {
   file files number size size;
   flag flag;
 }

The output of the tracing operations is placed into log files in the /var/log directory. Each of these log files is named after the SNMP agent that generates it. Currently, the following log files are created in the /var/log directory when the traceoptions statement is used:

  • chassisd

  • craftd

  • ilmid

  • mib2d

  • rmopd

  • serviced

  • snmpd

You can use the file statement to control log file generation. The size statement limits the size (in kilobytes) of each log file before it is closed, compressed, and a new file opened in its place. The files statement limits the total number of log files archived for each SNMP agent.

You can specify one or more of the following values for the flag option:

  • all - All SNMP events

  • interface-stats - Physical and logical interface statistics

  • pdu - SNMP request and response packets

  • protocol-timeouts - SNMP response timeouts

  • routing-socket - Routing socket calls

  • subagent - Subagent restarts

  • timer - Internal timer events

  • varbind-error - Variable-binding errors



Juniper Networks Field Guide and Reference
ISBN: 0321122445
EAN: 2147483647
Year: 2002
Pages: 185