11.2.8.1. Monitoring settings using the SNMP function

Operation Confirmed Version:
 vSRX Version15.1X49-D105.1

This section describes operation management settings that use the SNMP function. With the SNMP function, information such as MIB data can be acquired from SNMP agents, and the device can detect various events and unusual changes and transmit SNMP traps.

Note

  • It has been identified that the CPU values of the control plane tend to become high under specific scenarios when ver.15.1X49D105.1 is used. For the occurrence conditions and details to note, refer to "Points to note when using ver.15.1X49D105.1".

Setting multiple community values

An SNMP manager can acquire information from SNMP agents, for example with snmpwalk. The agent must have community values set before it answers such requests. This section describes how to set multiple community values.

Presumed case for sample setting

  • To acquire information about vSRX-02 from the SNMP manager (192.168.2.15) with snmpwalk

  • To set test and test2 as the community values to be used

Command to be entered with CLI

user01@vSRX-02# set snmp community test authorization read-only
user01@vSRX-02# set snmp community test2 authorization read-only

The configuration after completion of appropriate settings is as follows.

snmp {
    community test {
        authorization read-only;
    }
    community test2 {
        authorization read-only;
    }
}

Note

To use SNMP communications on an interface (ge-0/0/x), the interface must be assigned to a zone, and snmp and snmp-trap must be allowed under host-inbound-traffic system-services for that zone.

Zone setting for making snmp usable in a trust zone

user01@vSRX-02# set security zones security-zone trust host-inbound-traffic system-services snmp
user01@vSRX-02# set security zones security-zone trust host-inbound-traffic system-services snmp-trap

Apply these settings to the zone that is actually used.

Operation check result

The verification log below confirms that, after community values test and test2 have been set, the SNMP manager (192.168.2.15) can acquire information from the SNMP agent with the snmpwalk command.

Result of snmpwalk execution using community value test

[user01@centsv-02 ~]$ snmpwalk -v 2c -c test 192.168.2.102
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. vsrx internet router, kernel JUNOS 15.1X49-D100.6, Build date: 2017-06-28 07:39:27 UTC Copyright (c) 1996-2017 Juniper Networks, Inc.
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.129
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (33273843) 3 days, 20:25:38.43
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: vSRX-02
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 4
IF-MIB::ifNumber.0 = INTEGER: 40
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
(omitted)

Result of snmpwalk execution using community value test2

[user01@centsv-02 ~]$ snmpwalk -v 2c 192.168.2.102 -c test2
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. vsrx internet router, kernel JUNOS 15.1X49-D100.6, Build date: 2017-06-28 07:39:27 UTC Copyright (c) 1996-2017 Juniper Networks, Inc.
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.129
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (25820487) 2 days, 23:43:24.87
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: vSRX-02
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 4
IF-MIB::ifNumber.0 = INTEGER: 40
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
(omitted)

Setting destination and source IP addresses of an SNMP trap

Because vSRX can function as an SNMP agent, it can transmit SNMP traps to an SNMP manager. This section describes how to set the SNMP manager that receives the traps and how to specify the IP address used as the source IP address of an SNMP trap.

Presumed case for sample setting

  • To set SNMP manager (10.0.0.16) as the transmission destination

  • To set a source IP address when transmitting an SNMP trap

Command to be entered with CLI

user01@vSRX-02# set snmp trap-options source-address 10.0.0.102
user01@vSRX-02# set snmp trap-group TRAP-GROUP version all
user01@vSRX-02# set snmp trap-group TRAP-GROUP categories authentication
user01@vSRX-02# set snmp trap-group TRAP-GROUP targets 10.0.0.16

Note

For the category setting of an SNMP trap, select and set the categories that are needed when a failure or event occurs.

The configuration after completion of appropriate settings is as follows.

snmp {
    community test {
        authorization read-only;
    }
    community test2 {
        authorization read-only;
    }
    trap-options {
        source-address 10.0.0.102;
    }
    trap-group TRAP-GROUP {
        version all;
        categories {
            authentication;
        }
        targets {
            10.0.0.16;
        }
    }
}
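The sample settings above leave both communities usable by any host that can reach a zone where snmp is allowed. The following added example (not part of the original page or of Juniper's tooling) audits the page's set commands for that and for the trap-group's authentication category. The `clients` and `client-list-name` statements it looks for are Junos community options that do not appear on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: the set commands entered on this page, prompts included.
PAGE_COMMANDS = """\
user01@vSRX-02# set snmp community test authorization read-only
user01@vSRX-02# set snmp community test2 authorization read-only
user01@vSRX-02# set security zones security-zone trust host-inbound-traffic system-services snmp
user01@vSRX-02# set security zones security-zone trust host-inbound-traffic system-services snmp-trap
user01@vSRX-02# set snmp trap-options source-address 10.0.0.102
user01@vSRX-02# set snmp trap-group TRAP-GROUP version all
user01@vSRX-02# set snmp trap-group TRAP-GROUP categories authentication
user01@vSRX-02# set snmp trap-group TRAP-GROUP targets 10.0.0.16
"""

def parse(text):
    """Collect SNMP-relevant facts from 'set' lines (CLI prompt optional)."""
    facts = {"communities": {}, "snmp_zones": set(), "trap_groups": {}}
    for line in text.splitlines():
        m = re.search(r"\bset (.+)$", line.strip())
        if not m:
            continue
        w = m.group(1).split()
        if w[:2] == ["snmp", "community"] and len(w) >= 5:
            facts["communities"].setdefault(w[2], {}).setdefault(w[3], []).append(w[4])
        elif w[:2] == ["snmp", "trap-group"] and len(w) >= 5:
            facts["trap_groups"].setdefault(w[2], {}).setdefault(w[3], []).append(w[4])
        elif w[:3] == ["security", "zones", "security-zone"] and w[4:7] == [
                "host-inbound-traffic", "system-services", "snmp"]:
            facts["snmp_zones"].add(w[3])
    return facts

def audit(text):
    """Return findings a reviewer would raise about the SNMP settings."""
    f = parse(text)
    zones = ",".join(sorted(f["snmp_zones"])) or "none"
    out = []
    for name, c in sorted(f["communities"].items()):
        if c.get("authorization") != ["read-only"]:
            out.append(f"community {name}: authorization is not read-only")
        if not (c.get("clients") or c.get("client-list-name")):
            out.append(f"community {name}: no clients restriction; zones allowing snmp: {zones}")
    for name, g in sorted(f["trap_groups"].items()):
        if "authentication" not in g.get("categories", []):
            out.append(f"trap-group {name}: authentication category not enabled")
    return out

if __name__ == "__main__":
    print("\n".join(audit(PAGE_COMMANDS)))
```

The same function accepts the output of `show configuration | display set`, since the prompt prefix is optional.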

Operation check result

The packet capture below confirms that the SNMP trap sent to SNMP manager (10.0.0.16) uses the configured source IP address (10.0.0.102) and that trap transmission succeeds with that source address selected.

Note

For vSRX, a command for transmitting an SNMP trap as a test is supported.

user01@vSRX-02> request snmp spoof-trap <Name>

The operation check result below was obtained by executing the following command to transmit an SNMP trap as a test. The SNMP manager received the SNMP trap transmitted by vSRX, which confirmed that the network settings needed for SNMP traps were made properly.

user01@vSRX-02> request snmp spoof-trap authenticationFailure

  • Packet capture with SNMP manager (10.0.0.16)