JunOS and SNMPv3 into VRFs and Logical Systems

Without additional configuration, SNMP elements that lie outside the scope of the base logical system and its default routing instance (the master instance) are not exposed by the Junos SNMP agent. This means routes, BGP neighbours, etc. that are configured in other routing instances and logical systems are not accessible to SNMP managers.

To make these elements accessible, the SNMPv3 group must be granted VACM access to a non-default SNMPv3 context whose name refers to the LSYS and/or routing instance that is to be exposed (the context-prefix below is that name). To expose the default/master instance of a logical system:

set snmp v3 vacm access group <snmpv3Group> context-prefix <lsys>/default security-model usm security-level privacy <read-view|write-view> <snmpView>

To expose a VRF/routing instance of the base LSYS:

set snmp v3 vacm access group <snmpv3Group> context-prefix <routingInstance> security-model usm security-level privacy <read-view|write-view> <snmpView>

To expose a VRF/routing instance of an LSYS:

set snmp v3 vacm access group <snmpv3Group> context-prefix <lsys>/<routingInstance> security-model usm security-level privacy <read-view|write-view> <snmpView>

To access these contexts with the Net-SNMP (formerly UCD-SNMP) utilities you must specify the context with the '-n' option:

$ snmpwalk -v3 -l authPriv -u '<user>' -a SHA -A '<authPassword>' -x AES128 -X '<privacyPassword>' -n '<lsys>/<routingInstance>' <host> <oid>

For example:

$ snmpwalk -v3 -l authPriv -u '<user>' -a SHA -A '<authPassword>' -x AES128 -X '<privacyPassword>' -n 'LSYS-TEST/RI-TEST' <host> ipCidrRouteDest
IP-FORWARD-MIB::ipCidrRouteDest.100.1.1.2.255.255.255.255.0.0.0.0.0 = IpAddress: 100.1.1.2
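As an added example (not part of the original post), the script below ties the two halves together. It generates the Junos VACM access statements for a list of contexts, restricted to a read-only view of the ip and bgp subtrees rather than the whole tree, and it walks ipCidrRouteDest in each context and decodes the table index, which is dest.mask.tos.next-hop (so the row above is destination 100.1.1.2/32, ToS 0, next hop 0.0.0.0). The group, view and context names, the host taken from SNMP_HOST and the use of Net-SNMP's snmp.conf for credentials are assumptions; the USM user and its security-to-group mapping are assumed to be configured already.

```shell
#!/bin/sh
# Added example, not from the original post. Names used here (RO-GROUP,
# ROUTING-VIEW, LSYS-TEST/RI-TEST, RI-TEST, SNMP_HOST) are hypothetical.

# Emit the Junos 'set' statements that expose the routing OIDs, read-only,
# in the default context and in every context given as an argument.
# $1 = VACM group, $2 = view name, $3.. = context prefixes (e.g. LSYS-TEST/RI-TEST)
gen_vacm_access() {
    group=$1; view=$2; shift 2
    # Least privilege: a view limited to ip (which contains ipCidrRouteTable)
    # and bgp instead of 'oid .1 include', and read-view only (no write-view).
    printf 'set snmp view %s oid 1.3.6.1.2.1.4 include\n' "$view"
    printf 'set snmp view %s oid 1.3.6.1.2.1.15 include\n' "$view"
    printf 'set snmp v3 vacm access group %s default-context-prefix security-model usm security-level privacy read-view %s\n' "$group" "$view"
    for ctx in "$@"; do
        printf 'set snmp v3 vacm access group %s context-prefix %s security-model usm security-level privacy read-view %s\n' "$group" "$ctx" "$view"
    done
}

# Decode one ipCidrRouteTable index (dest.mask.tos.nexthop = 13 dotted
# decimals) into "dest mask tos nexthop". Returns 1 on a malformed index.
decode_cidr_route_index() {
    idx=$1
    oldifs=$IFS
    IFS=.
    set -- $idx
    IFS=$oldifs
    [ $# -eq 13 ] || return 1
    printf '%s.%s.%s.%s %s.%s.%s.%s %s %s.%s.%s.%s\n' "$@"
}

# Parse one snmpwalk output line such as
#   IP-FORWARD-MIB::ipCidrRouteDest.100.1.1.2.255.255.255.255.0.0.0.0.0 = IpAddress: 100.1.1.2
# into "dest mask tos nexthop"; other lines are rejected with status 1.
parse_cidr_route_line() {
    line=$1
    case $line in
        IP-FORWARD-MIB::ipCidrRouteDest.*) ;;
        *) return 1 ;;
    esac
    idx=${line#IP-FORWARD-MIB::ipCidrRouteDest.}
    idx=${idx%% *}
    decode_cidr_route_index "$idx"
}

# Walk ipCidrRouteDest in one SNMPv3 context, printing "context dest mask tos nexthop".
# Credentials are deliberately not passed with -u/-A/-X: put defSecurityName,
# defSecurityLevel, defAuthType, defAuthPassphrase, defPrivType and
# defPrivPassphrase in ~/.snmp/snmp.conf (mode 0600) instead, so the passphrases
# are neither visible to other local users in 'ps' output nor kept in shell history.
walk_context_routes() {
    ctx=$1
    snmpwalk -v3 -n "$ctx" "$SNMP_HOST" ipCidrRouteDest |
    while IFS= read -r line; do
        route=$(parse_cidr_route_line "$line") || continue
        printf '%s %s\n' "$ctx" "$route"
    done
}

# Usage: SNMP_HOST=<host> ./snmp-ctx-routes.sh LSYS-TEST/RI-TEST RI-TEST
# To print the matching device configuration instead:
#   gen_vacm_access RO-GROUP ROUTING-VIEW LSYS-TEST/RI-TEST RI-TEST
if [ -n "${SNMP_HOST:-}" ]; then
    for ctx in "$@"; do
        walk_context_routes "$ctx"
    done
fi
```

The generated access statements match the ones above except that they always use read-view; grant write-view to a context only if something actually needs to set objects there.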

While I’ve not configured anything similar for SNMP v2c, I believe the same functionality can be attained by combining the context with the community with the '@' sign. Or something like that.
