3.2.35. snmp

SNMP configuration.

vsr running config# vrf <vrf> snmp

enabled (pushed)

Enable or disable the SNMP engine.

vsr running config# vrf <vrf> snmp
vsr running snmp# enabled true|false
Default value
true

interface-ignore

SNMP will ignore interfaces whose names start with this prefix in MIBs EtherLike-MIB, the IF-MIB, and the IP-MIB mibs. By default, all interfaces are monitored.

vsr running config# vrf <vrf> snmp
vsr running snmp# interface-ignore INTERFACE-IGNORE

INTERFACE-IGNORE

An interface name.

engine-id

Define SNMP entity engine id. The engine id will look like 0x80 concatenated with the hex value of the type used to build.

vsr running config# vrf <vrf> snmp engine-id

text

Build engine id from the text.

vsr running config# vrf <vrf> snmp engine-id
vsr running engine-id# text <string>{1,32}

ipv4

Build engine id from host’s IPv4 addr.

vsr running config# vrf <vrf> snmp engine-id
vsr running engine-id# ipv4

ipv6

Build engine id from host’s IPv6 addr.

vsr running config# vrf <vrf> snmp engine-id
vsr running engine-id# ipv6

interface

Build engine id from the interface’s mac addr.

vsr running config# vrf <vrf> snmp engine-id
vsr running engine-id# interface <string>

listen

Configuration of the transport endpoint on which the engine listens.

vsr running config# vrf <vrf> snmp listen

protocols

The protocols used for connecting to the SNMP agent.

vsr running config# vrf <vrf> snmp listen
vsr running listen# protocols PROTOCOLS

PROTOCOLS values

Description

udp

UDP.

tcp

TCP.

udp6

UDPv6.

tcp6

TCPv6.

Default value
udp

port

The TCP or UDP port on which the engine listens.

vsr running config# vrf <vrf> snmp listen
vsr running listen# port PORT

PORT

A 16-bit port number used by a transport protocol such as TCP or UDP.

Default value
161

source

Restrict access to requests from the specified address.

vsr running config# vrf <vrf> snmp listen
vsr running listen# source SOURCE

SOURCE values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

static-info

Most of the information reported by the SNMP agent is retrieved from the underlying system. However, certain MIB objects can be configured with a static value.

vsr running config# vrf <vrf> snmp static-info

location

System location (sysLocation.0) object value.

vsr running config# vrf <vrf> snmp static-info
vsr running static-info# location <string>

contact

System contact (sysContact.0) object value.

vsr running config# vrf <vrf> snmp static-info
vsr running static-info# contact <string>

name

System name (sysName.0) object value.

vsr running config# vrf <vrf> snmp static-info
vsr running static-info# name <string>

services

Value of the sysServices.0 object. For a host system, a good value is 72 (application + end-to-end layers).

vsr running config# vrf <vrf> snmp static-info
vsr running static-info# services <uint8>

description

System description of the SNMP agent (sysDescr.0).

vsr running config# vrf <vrf> snmp static-info
vsr running static-info# description <string>

object-id

System OID (sysObjectOID.0) object value.

vsr running config# vrf <vrf> snmp static-info
vsr running static-info# object-id OBJECT-ID

OBJECT-ID

SNMP object identifier either as a label or numeric form.

view

A named ‘view’ - a subset of the overall OID tree.

vsr running config# vrf <vrf> snmp view <string>

<string>

The name of the view.

subtree

A part of the OID tree to include or exclude from the view.

vsr running config# vrf <vrf> snmp view <string>
vsr running view <string># subtree <subtree> included true|false

<subtree>

SNMP object identifier either as a label or numeric form.

included

Set to false to exclude this OID from the view.

included true|false
Default value
true

community

An SNMPv1 or SNMPv2c community.

vsr running config# vrf <vrf> snmp community <string>

<string>

The name of the community.

authorization (mandatory)

The authorization level of the community.

vsr running config# vrf <vrf> snmp community <string>
vsr running community <string># authorization AUTHORIZATION

AUTHORIZATION values

Description

read-only

Read-only (GET and GETNEXT) access.

read-write

Read-write (GET, GETNEXT and SET) access.

source

Restrict access to requests from the specified address or prefix list.

vsr running config# vrf <vrf> snmp community <string>
vsr running community <string># source SOURCE

SOURCE values

Description

<ipv4-address>

The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a % sign. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format for the zone index is the numerical format

<ipv6-address>

The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a % sign. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.

<domain-name>{1,253}

The domain-name type represents a DNS domain name. The name SHOULD be fully qualified whenever possible. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. The description clause of schema nodes using the domain-name type MUST describe when and how these names are resolved to IP addresses. Note that the resolution of a domain-name value may require to query multiple DNS records (e.g., A for IPv4 and AAAA for IPv6). The order of the resolution process and which DNS record takes precedence can either be defined explicitly or may depend on the configuration of the resolver. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be A-labels as per RFC 5890.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv6-prefix>

An IPv6 prefix: address and CIDR mask.

view

Restricts access for that community to the subtree rooted at the given view name. If not specified, the community has access to the whole OID tree.

vsr running config# vrf <vrf> snmp community <string>
vsr running community <string># view <leafref>

monitored-vrf

Monitored VRF.

vsr running config# vrf <vrf> snmp monitored-vrf <string>

<string>

The name of the monitored VRF. Included in the SNMPv3 TRAPs and SNMPv3 INFORMs notifications from this VRF (as context).

interface-ignore

SNMP will ignore interfaces whose names start with this prefix in MIBs EtherLike-MIB, the IF-MIB, and the IP-MIB mibs. By default, all interfaces are monitored.

vsr running config# vrf <vrf> snmp monitored-vrf <string>
vsr running monitored-vrf <string># interface-ignore INTERFACE-IGNORE

INTERFACE-IGNORE

An interface name.

identifier

Identifier to access the monitored VRF, acts as a community for SNMPv1 or SNMPv2c and as a context for SNMPv3.

vsr running config# vrf <vrf> snmp monitored-vrf <string> identifier <string>

<string>

The monitored VRF identifier (community for SNMPv1 or SNMPv2c and context for SNMPv3).

authorization (mandatory)

The authorization level of the identifier.

vsr running config# vrf <vrf> snmp monitored-vrf <string> identifier <string>
vsr running identifier <string># authorization AUTHORIZATION

AUTHORIZATION values

Description

read-only

Read-only (GET and GETNEXT) access.

read-write

Read-write (GET, GETNEXT and SET) access.

source

Restrict access to requests from the specified address or prefix list for SNMPv1 or SNMPv2.

vsr running config# vrf <vrf> snmp monitored-vrf <string> identifier <string>
vsr running identifier <string># source SOURCE

SOURCE values

Description

<ipv4-address>

The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a % sign. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format for the zone index is the numerical format

<ipv6-address>

The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a % sign. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.

<domain-name>{1,253}

The domain-name type represents a DNS domain name. The name SHOULD be fully qualified whenever possible. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. The description clause of schema nodes using the domain-name type MUST describe when and how these names are resolved to IP addresses. Note that the resolution of a domain-name value may require to query multiple DNS records (e.g., A for IPv4 and AAAA for IPv6). The order of the resolution process and which DNS record takes precedence can either be defined explicitly or may depend on the configuration of the resolver. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be A-labels as per RFC 5890.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv6-prefix>

An IPv6 prefix: address and CIDR mask.

view

Restricts access to the subtree rooted at the given view name. If not specified, the identifier has access to the whole OID tree.

vsr running config# vrf <vrf> snmp monitored-vrf <string> identifier <string>
vsr running identifier <string># view <leafref>

traps

Active monitoring and automatic notifications configuration.

vsr running config# vrf <vrf> snmp monitored-vrf <string> traps

destination

The destination of SNMPv1 TRAPs, SNMPv2c TRAP2s, SNMPv3 TRAPs, SNMPv2 INFORM or SNMPv3 INFORM notifications.

vsr running config# vrf <vrf> snmp monitored-vrf <string> traps destination <leafref>

<leafref>

The receiver address to use.

community

The community string to use when sending traps to this destination.

vsr running config# vrf <vrf> snmp monitored-vrf <string> traps destination <leafref>
vsr running destination <leafref># community <leafref>

access-control

SNMPv3 access control configuration.

vsr running config# vrf <vrf> snmp access-control

user

An SNMPv3 user.

vsr running config# vrf <vrf> snmp access-control user <string>

<string>

The name of the user (securityName).

auth-password (mandatory) (hidden)

The authentication password.

vsr running config# vrf <vrf> snmp access-control user <string>
vsr running user <string># auth-password <string>{8,max}

auth-method

The authentication method.

vsr running config# vrf <vrf> snmp access-control user <string>
vsr running user <string># auth-method AUTH-METHOD

AUTH-METHOD values

Description

md5

MD5.

sha

SHA.

Default value
sha

priv-password (hidden)

The privacy (encryption) password. If not specified, it is assumed to be the same as the authentication password.

vsr running config# vrf <vrf> snmp access-control user <string>
vsr running user <string># priv-password <string>{8,max}

priv-protocol

The encryption protocol.

vsr running config# vrf <vrf> snmp access-control user <string>
vsr running user <string># priv-protocol PRIV-PROTOCOL

PRIV-PROTOCOL values

Description

aes

AES.

des

DES.

Default value
aes

engine-id

An SNMP engine ID uniquely identifies an SNMP user. It is necessary to send SNMPv3 traps. However it must not be set for users who perform snmpget commands.

vsr running config# vrf <vrf> snmp access-control user <string>
vsr running user <string># engine-id <0x0000000001-0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe>

group

An SNMPv3 group.

vsr running config# vrf <vrf> snmp access-control group <string>

<string>

The name of the group.

user (mandatory)

Name of a user to add to this group.

vsr running config# vrf <vrf> snmp access-control group <string>
vsr running group <string># user <leafref>

security-level (mandatory)

The security level enforced on this group.

vsr running config# vrf <vrf> snmp access-control group <string>
vsr running group <string># security-level SECURITY-LEVEL

SECURITY-LEVEL values

Description

auth

Authentication is required.

priv

Authentication and encryption are required.

view

Restricts access for that group to the subtree rooted at the given view name. If not specified, the group has access to the whole OID tree.

vsr running config# vrf <vrf> snmp access-control group <string>
vsr running group <string># view <leafref>

authorization

The authorization level of this group.

vsr running config# vrf <vrf> snmp access-control group <string>
vsr running group <string># authorization AUTHORIZATION

AUTHORIZATION values

Description

read-only

Read-only (GET and GETNEXT) access.

read-write

Read-write (GET, GETNEXT and SET) access.

Default value
read-only

traps

Active monitoring and automatic notifications configuration.

vsr running config# vrf <vrf> snmp traps

destination

Notification receiver that should be sent SNMPv1 TRAPs, SNMPv2c TRAP2s, SNMPv3 TRAPs, SNMPv2 INFORM or SNMPv3 INFORM notifications.

vsr running config# vrf <vrf> snmp traps
vsr running traps# destination <destination> source SOURCE port PORT protocol PROTOCOL \
... notification-type NOTIFICATION-TYPE community <leafref> user <leafref>

<destination> values

Description

<ipv4-address>

The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a % sign. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format for the zone index is the numerical format

<ipv6-address>

The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a % sign. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.

<domain-name>{1,253}

The domain-name type represents a DNS domain name. The name SHOULD be fully qualified whenever possible. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. The description clause of schema nodes using the domain-name type MUST describe when and how these names are resolved to IP addresses. Note that the resolution of a domain-name value may require to query multiple DNS records (e.g., A for IPv4 and AAAA for IPv6). The order of the resolution process and which DNS record takes precedence can either be defined explicitly or may depend on the configuration of the resolver. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be A-labels as per RFC 5890.

source

The source IP used to reach the receiver.

source SOURCE

SOURCE values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

port

The port number of the host where to send the traps.

port PORT

PORT

A 16-bit port number used by a transport protocol such as TCP or UDP.

Default value
162

protocol

The protocol used to connect to the destination host.

protocol PROTOCOL

PROTOCOL values

Description

udp

UDP.

tcp

TCP.

udp6

UDPv6.

tcp6

TCPv6.

Default value
udp

notification-type (mandatory)

The type of notifications that is to be sent to the specified host.

notification-type NOTIFICATION-TYPE

NOTIFICATION-TYPE values

Description

TRAP

Send SNMPv1 TRAPs to the specified host.

TRAP2

Send SNMPv2c TRAP2s to the specified host.

TRAP3

Send SNMPv3 TRAPs to the specified host.

INFORM

Send SNMPv2 INFORM notifications to the specified host.

INFORM3

Send SNMPv3 INFORM notifications to the specified host.

community

The community string to use when sending traps to this destination. Mandatory for SNMPv1 TRAPs, SNMPv2c TRAP2s and SNMPv2 INFORM.

community <leafref>

user

The user name to use when sending traps to this destination. Mandatory for SNMPv3 TRAP3s and SNMPv3 INFORM3s.

user <leafref>

authfail-check

Monitor authentication failures.

vsr running config# vrf <vrf> snmp traps
vsr running traps# authfail-check enabled true|false

enabled

Enable or disable authentication failures monitoring.

enabled true|false
Default value
true

process-check

Monitor the important processes of the system, triggering a notification when one of them is not alive.

vsr running config# vrf <vrf> snmp traps
vsr running traps# process-check frequency FREQUENCY enabled true|false

frequency

Check for network interfaces being taken up or down every <frequency> period.

frequency FREQUENCY

FREQUENCY

Value in seconds or optionnally suffixed by one of s (for seconds), m (for minutes), h (for hours), d (for days) or w (for weeks).

Default value
2s

enabled

Enable or disable process monitoring.

enabled true|false
Default value
true

disk-space-check

Enables monitoring of all disks found on the system, using the specified (percentage) threshold.

vsr running config# vrf <vrf> snmp traps
vsr running traps# disk-space-check threshold <1-99> frequency FREQUENCY \
... enabled true|false

threshold (mandatory)

The minimum free disk space in percentage of the total space.

threshold <1-99>

frequency

Check for free disk space every <frequency> period.

frequency FREQUENCY

FREQUENCY

Value in seconds or optionnally suffixed by one of s (for seconds), m (for minutes), h (for hours), d (for days) or w (for weeks).

Default value
5m

enabled

Enable or disable disk space monitoring.

enabled true|false
Default value
true

load-check

Enables monitoring of the load average and trigger notifications if it goes above the specified thresholds.

vsr running config# vrf <vrf> snmp traps
vsr running traps# load-check threshold <uint16> enabled true|false

threshold (mandatory)

The maximum system load average.

threshold <uint16>

enabled

Enable or disable system load monitoring.

enabled true|false
Default value
true