Saturday 30 May 2020

SNMPv2c and SNMPv3 Polling and Traps Configuration in Juniper


SNMPv2c
community: snmpcomm123
management IP address: 192.168.10.100
SNMP Polling Server: 192.168.20.199
SNMP Trap Server: 192.168.20.200

Configuration:
set snmp name JUNIPER-SNMP
set snmp description "Juniper SNMP"
set snmp location Datacentre
set snmp community snmpcomm123 routing-instance mgmt_junos
set snmp community snmpcomm123 clients 192.168.20.199/32

where: the clients statement limits which source addresses may use the community. List the polling server (192.168.20.199), not the router's own management address (192.168.10.100); with no clients statement the community is accepted from any source. SNMPv2c carries the community string in clear text, so it should only be reachable from the management network.


Traps Configuration:
set snmp trap-options source-address 192.168.10.100
set snmp trap-options agent-address outgoing-interface
set snmp trap-group JUNOS_GROUP version v2
set snmp trap-group JUNOS_GROUP destination-port 162
set snmp trap-group JUNOS_GROUP categories authentication
set snmp trap-group JUNOS_GROUP categories chassis
set snmp trap-group JUNOS_GROUP categories link
set snmp trap-group JUNOS_GROUP categories remote-operations
set snmp trap-group JUNOS_GROUP categories routing
set snmp trap-group JUNOS_GROUP categories startup
set snmp trap-group JUNOS_GROUP categories rmon-alarm
set snmp trap-group JUNOS_GROUP categories configuration
set snmp trap-group JUNOS_GROUP targets 192.168.20.200
set snmp trap-group JUNOS_GROUP routing-instance mgmt_junos
set snmp routing-instance-access


Verify (run from the polling server 192.168.20.199):
snmpwalk -M /usr/local/snmp/mibs -v2c -c snmpcomm123 192.168.10.100:161 sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Juniper SNMP

SNMPv3
user: snmpuser
Security Level: authPriv with SHA (HMAC-SHA-1) authentication and AES-128 privacy
management IP address: 192.168.10.100
AuthPass: authpass123!
PrivPass: privpass123!
View Name: ALLVIEW
Group Name: SNMPGROUP
SNMP Polling Server: 192.168.20.199
SNMP Trap Server: 192.168.20.200

Important config (the USM user; both keys are typed in plain text and must be at least 8 characters):
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser authentication-sha authentication-key authpass123!
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser privacy-aes128 privacy-key privpass123!


Full config (after commit the auth and privacy keys are displayed as $9$ strings; $9$ is reversible obfuscation, not encryption, so a configuration backup containing them has to be handled as a secret). Points to check before reusing this: the vacm access statements grant read, write and notify on the whole MIB tree (ALLVIEW = .1.3.6.1), so drop the write-view lines unless the poller really needs SNMP SET; the target-address must carry the receiver's address (192.168.20.200) and the target-parameters security-name must be the USM user name (snmpuser), not the group name; and because the notify type is inform, the receiver's engine ID and a matching user must also be configured under snmp v3 usm remote-engine, whereas plain traps (type trap) only need the local-engine user.
set groups SNMPv3-GROUP snmp location CHANGI
set groups SNMPv3-GROUP snmp stats-cache-lifetime 30
set groups SNMPv3-GROUP snmp filter-duplicates
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser authentication-sha authentication-key "$9$safsafasflvLx7sApORESreKxNwYgJUjbw4ZGUHkTz39CuSreghdhddghAtOF3vWXxdVqmPQ/C0BIcgh"
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser privacy-aes128 privacy-key "$9$Hk342df3d.mTGUtu0BEhdbwg4ZiHmzF/wYoGDjq.1REcevXxdsgoRhyKv34343t3i5QF6/tTQxz"
set groups SNMPv3-GROUP snmp v3 vacm security-to-group security-model usm security-name snmpuser group SNMPGROUP
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy read-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy write-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy notify-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP context-prefix CEN security-model any security-level privacy read-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP context-prefix CEN security-model any security-level privacy write-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP context-prefix CEN security-model any security-level privacy notify-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP address 192.168.20.200
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP tag-list SNMPGROUP-TAG
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP address-mask 255.255.255.255
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP routing-instance mgmt_junos
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP target-parameters SNMPGROUP-parameters
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters message-processing-model v3
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters security-model usm
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters security-level privacy
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters security-name snmpuser
set groups SNMPv3-GROUP snmp v3 notify SNMPGROUP type inform
set groups SNMPv3-GROUP snmp v3 notify SNMPGROUP tag SNMPGROUP-TAG
set groups SNMPv3-GROUP snmp engine-id local snmpuser
set groups SNMPv3-GROUP snmp view ALLVIEW oid .1.3.6.1 include
set groups SNMPv3-GROUP routing-instances mgmt_junos description SNMP-Management
set apply-groups SNMPv3-GROUP
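The points to check in the SNMPv2c and SNMPv3 configuration above (unrestricted or default communities, write access, clear-text v1/v2c notifications, USM users or access rules below authPriv, weak algorithms, a target-address with no address, a security-name that is not a USM user) are easy to lose in a long set-format listing. The script below is an added example, not code from this post or a Juniper tool: it parses set-format lines of the shapes used on this page (including the groups prefix), and reports those points. The sample configuration is constructed from the post's statements with a few deliberately weak lines added so that every check fires; the severity labels are my own choice.

```python
"""Audit Junos SNMP 'set' configuration for the weaknesses discussed above."""
from dataclasses import dataclass

# Constructed sample: the post's v2c and v3 statements plus deliberately weak
# lines (community 'public', an MD5-only user, a target-address with no address,
# a security-name that is not a USM user) so that every check below fires.
SAMPLE_CONFIG = """\
set snmp community snmpcomm123 routing-instance mgmt_junos
set snmp community snmpcomm123 clients 192.168.20.199/32
set snmp community public authorization read-write
set snmp trap-group JUNOS_GROUP version v2
set snmp trap-group JUNOS_GROUP targets 192.168.20.200
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser authentication-sha authentication-key authpass123!
set groups SNMPv3-GROUP snmp v3 usm local-engine user snmpuser privacy-aes128 privacy-key privpass123!
set groups SNMPv3-GROUP snmp v3 usm local-engine user legacyuser authentication-md5 authentication-key oldpass123!
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy read-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPGROUP default-context-prefix security-model any security-level privacy write-view ALLVIEW
set groups SNMPv3-GROUP snmp v3 target-address SNMPGROUP tag-list SNMPGROUP-TAG
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPGROUP-parameters parameters security-name SNMPGROUP
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium" (my own scale, not a Junos concept)
    subject: str    # the community, trap group, user, group or target concerned
    message: str


def snmp_statements(text):
    """Yield the tokens after 'snmp' for every 'set [groups <g>] snmp ...' line."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        tokens = tokens[1:]
        if tokens[0] == "groups":
            tokens = tokens[2:]            # drop 'groups <name>'
        if len(tokens) > 1 and tokens[0] == "snmp":
            yield tokens[1:]


def audit_snmp_config(text):
    """Return a list of Finding for a block of Junos set-format SNMP config."""
    communities, trap_groups, users = {}, {}, {}
    target_has_address, security_names, access_rules = {}, set(), []

    for st in snmp_statements(text):
        if st[:1] == ["community"] and len(st) > 1:
            c = communities.setdefault(st[1], {"clients": False, "rw": False})
            c["clients"] |= "clients" in st
            c["rw"] |= st[-2:] == ["authorization", "read-write"]
        elif st[:1] == ["trap-group"] and len(st) > 3 and st[2] == "version":
            trap_groups[st[1]] = st[3]
        elif st[:4] == ["v3", "usm", "local-engine", "user"] and len(st) > 5:
            u = users.setdefault(st[4], {"auth": None, "priv": None})
            key = "auth" if st[5].startswith("authentication-") else "priv"
            u[key] = st[5]
        elif st[:4] == ["v3", "vacm", "access", "group"] and len(st) > 4:
            access_rules.append((st[4], st[5:]))
        elif st[:2] == ["v3", "target-address"] and len(st) > 3:
            target_has_address[st[2]] = target_has_address.get(st[2], False) or st[3] == "address"
        elif st[:2] == ["v3", "target-parameters"] and "security-name" in st:
            security_names.add(st[st.index("security-name") + 1])

    f = []
    for name, c in communities.items():
        if name in {"public", "private"}:
            f.append(Finding("high", name, "default community string"))
        if not c["clients"]:
            f.append(Finding("high", name, "no clients statement: community accepted from any source"))
        if c["rw"]:
            f.append(Finding("high", name, "read-write community"))
    for name, ver in trap_groups.items():
        if ver in ("v1", "v2"):          # 'v2' is SNMPv2c: community sent in clear text
            f.append(Finding("medium", name, f"{ver} traps carry the community in clear text"))
    for name, u in users.items():
        if u["auth"] in (None, "authentication-none", "authentication-md5"):
            f.append(Finding("high", name, f"weak or missing authentication ({u['auth']})"))
        if u["priv"] in (None, "privacy-none", "privacy-des"):
            f.append(Finding("high", name, f"weak or missing privacy ({u['priv']})"))
    for group, rest in access_rules:
        if "security-level" in rest and rest[rest.index("security-level") + 1] != "privacy":
            f.append(Finding("medium", group, "access allowed below authPriv"))
        if "write-view" in rest:
            f.append(Finding("medium", group, "write-view grants SNMP SET access"))
    for name, has_addr in target_has_address.items():
        if not has_addr:
            f.append(Finding("high", name, "target-address has no address statement"))
    for sn in security_names - set(users):
        f.append(Finding("medium", sn, "security-name is not a local-engine USM user"))
    return f


if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{finding.severity}] {finding.subject}: {finding.message}")
```

Feed it the output of "show configuration | display set" to run it against a live box. The parser only knows the statement shapes used on this page, so unfamiliar SNMP statements are ignored rather than reported.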


Optional:
Firewall Configuration (to protect the RE). The filter only takes effect once it is applied to the loopback interface (set interfaces lo0 unit 0 family inet filter input FIREWALL), and because a filter ends with an implicit discard, merge this term into the existing RE filter rather than applying it on its own. The term only permits polls (UDP/161) from the poller: outbound traps need no term, but the acknowledgements the trap server returns for informs (UDP from 192.168.20.200, source port 162) do.
set firewall family inet filter FIREWALL term SNMP-ALLOW from source-prefix-list SNMP-PREFIXES
set firewall family inet filter FIREWALL term SNMP-ALLOW from protocol udp
set firewall family inet filter FIREWALL term SNMP-ALLOW from destination-port snmp
set firewall family inet filter FIREWALL term SNMP-ALLOW then count SNMP-ALLOW
set firewall family inet filter FIREWALL term SNMP-ALLOW then accept

set policy-options prefix-list SNMP-PREFIXES 192.168.20.199/32



Here's the Cisco version for SNMPv2c and SNMPv3 configuration --> SNMP Configuration in Cisco IOS-XR

Thursday 21 May 2020

NTP Configuration via Management Routing Instance in Juniper


Following on from configuring the management interface in Juniper, NTP traffic should leave via the management port (em0) and not through the data ports. The prerequisite configuration can be found here:
https://mynetworkbio.blogspot.com/2020/03/configure-management-interface-in.html


NTP Server1: 192.168.10.101
NTP Server2: 192.168.10.102

Configuration:

set system ntp server 192.168.10.101 routing-instance mgmt_junos
set system ntp server 192.168.10.102 routing-instance mgmt_junos
set system ntp source-address 172.16.0.100 routing-instance mgmt_junos

where: 172.16.0.100 is your management (em0) interface IP. Note that the servers are polled without NTP authentication here, so the prefix-list in the filter below is the only control on which sources may answer.

Sample Firewall configuration:

set firewall family inet filter FIREWALL-RE term NTP-PERMIT from source-prefix-list NTP-LIST
set firewall family inet filter FIREWALL-RE term NTP-PERMIT from protocol udp
set firewall family inet filter FIREWALL-RE term NTP-PERMIT from port ntp
set firewall family inet filter FIREWALL-RE term NTP-PERMIT then policer ntp-policer
set firewall family inet filter FIREWALL-RE term NTP-PERMIT then count NTP-PERMIT
set firewall family inet filter FIREWALL-RE term NTP-PERMIT then accept
set firewall policer ntp-policer if-exceeding bandwidth-limit 1m
set firewall policer ntp-policer if-exceeding burst-size-limit 15k
set firewall policer ntp-policer then discard

set policy-options prefix-list NTP-LIST 172.20.2.100/32
set policy-options prefix-list NTP-LIST 192.168.10.101/32
set policy-options prefix-list NTP-LIST 192.168.10.102/32

where:
172.20.2.100/32 is your loopback0 address
Note: the term must reference the policer defined in the same configuration (ntp-policer above); a term that references an undefined policer fails the commit check. The routing-instance mgmt_junos statements on the ntp server and source-address lines are what make this work, and, like any RE filter, FIREWALL-RE only takes effect once applied to lo0 (set interfaces lo0 unit 0 family inet filter input FIREWALL-RE).

Verification:

darwin@QFX-re0# run show ntp associations
     remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
 192.168.10.101    .GPS.            1 -    -   64    1    1.555   -0.053   0.026
 192.168.10.102    .GPS.            1 -    1   64    1    0.901   -0.045   0.031

where: reach is an octal bitmap of the last eight polls and reads 377 once all of them have been answered; a * in front of a server marks it as the selected system peer. reach 1 here means only the most recent poll has been answered, i.e. the servers had only just been configured, which is why neither is marked as selected yet.

{master}[edit]

darwin@QFX-re0#run show ntp status
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Thu Dec 26 20:26:31  2019 (1)", processor="amd64",
system="FreeBSDJNPR-11.0-20191223.5f5c7dc_buil", leap=00, stratum=2,
precision=-23, rootdelay=1.514, rootdispersion=13.291, peer=13884,
refid=192.168.10.101,
reftime=e270e335.ef6c45ca  Thu, May 21 2020 19:23:33.935, poll=6,
clock=e270e3fa.23b9d2ce  Thu, May 21 2020 19:26:50.139, state=4,
offset=-0.019, frequency=34.239, jitter=0.042, stability=0.000
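Reading the association table by eye works for one box; for a fleet the same checks (every source is an approved server, reach has climbed to 377, stratum is sane, offset is within bounds, and a system peer has actually been selected) are better scripted. The block below is an added example, not from the post: it parses the show ntp associations output above (embedded as a constructed sample, together with a second constructed snapshot of the same servers once the clock has settled) and returns the selected peer and a list of problems. The 50 ms offset threshold and the approved-server list are assumptions for the example.

```python
"""Health check over Junos 'show ntp associations' output (added example)."""

# Constructed sample 1: the association table from the post, moments after the
# servers were configured (reach 1, no system peer selected yet).
FRESH_SAMPLE = """\
darwin@QFX-re0# run show ntp associations
     remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
 192.168.10.101    .GPS.            1 -    -   64    1    1.555   -0.053   0.026
 192.168.10.102    .GPS.            1 -    1   64    1    0.901   -0.045   0.031

{master}[edit]
"""

# Constructed sample 2: the same two servers once the clock has settled.
HEALTHY_SAMPLE = """\
     remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
*192.168.10.101    .GPS.            1 -   37   64  377    1.512   -0.021   0.031
+192.168.10.102    .GPS.            1 -   12   64  377    0.897   -0.034   0.028
"""

EXPECTED_SERVERS = {"192.168.10.101", "192.168.10.102"}   # assumed approved list
TALLY_CODES = "*+-x.#o"   # ntpq peer status codes; a leading space means not selected


def parse_associations(text):
    """Return one dict per association row found after the '===' separator."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("==="):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("{"):
            continue
        tally = line[0] if line[0] in TALLY_CODES else " "
        fields = line[1:].split()
        if len(fields) != 10:          # remote refid st t when poll reach delay offset jitter
            continue
        remote, refid, st, _t, _when, _poll, reach, delay, offset, jitter = fields
        rows.append({
            "tally": tally, "remote": remote, "refid": refid,
            "stratum": int(st), "reach": int(reach, 8),     # reach is an octal shift register
            "delay": float(delay), "offset": float(offset), "jitter": float(jitter),
        })
    return rows


def check_ntp(text, expected=EXPECTED_SERVERS, max_offset_ms=50.0):
    """Return (selected system peer or None, list of problem strings)."""
    problems, system_peer = [], None
    rows = parse_associations(text)
    if not rows:
        return None, ["no associations found"]
    for r in rows:
        who = r["remote"]
        if who not in expected:
            problems.append(f"{who}: not an approved NTP server")
        if r["stratum"] >= 16:
            problems.append(f"{who}: source is unsynchronised (stratum 16)")
        if r["reach"] != 0o377:
            problems.append(f"{who}: reach {r['reach']:o}, not all of the last 8 polls were answered")
        if abs(r["offset"]) > max_offset_ms:
            problems.append(f"{who}: offset {r['offset']} ms exceeds {max_offset_ms} ms")
        if r["tally"] == "*":
            system_peer = who
    if system_peer is None:
        problems.append("no system peer selected: the router clock is not synchronised")
    return system_peer, problems


if __name__ == "__main__":
    for name, sample in (("fresh", FRESH_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        peer, problems = check_ntp(sample)
        print(f"{name}: system peer = {peer}")
        for p in problems:
            print("  -", p)
```

An unapproved address in this table is worth an alert on its own: with unauthenticated NTP, the prefix-list on the RE filter is what keeps an attacker from answering the router's polls, and a source outside the approved list means that control is not in place.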

Additional Tips:
Set timezone (example changing from the default UTC to SGT; the new zone is applied on commit)

darwin@QFX-re0# set system time-zone Asia/Singapore

Before commit (still UTC):
darwin@QFX-re0# run show system uptime
Current time: 2020-05-21 11:24:09 UTC
Time Source:  NTP CLOCK
System booted: 2020-04-19 13:28:11 UTC (4w3d 21:55 ago)
Protocols started: 2020-04-19 13:29:05 UTC (4w3d 21:55 ago)
Last configured: 2020-05-21 11:23:18 UTC (00:00:51 ago) by darwin
11:24AM  up 31 days, 21:56, 1 users, load averages: 0.37, 0.28, 0.25

After commit (now SGT):
darwin@QFX-re0# run show system uptime
Current time: 2020-05-21 19:25:48 SGT
Time Source:  NTP CLOCK
System booted: 2020-04-19 21:28:11 SGT (4w3d 21:57 ago)
Protocols started: 2020-04-19 21:29:05 SGT (4w3d 21:56 ago)
Last configured: 2020-05-21 19:25:29 SGT (00:00:19 ago) by darwin
 7:25PM  up 31 days, 21:58, 1 users, load averages: 0.39, 0.30, 0.26