SRX

Hi guys

For my topology need to use SNMP in routing-instance. I use FireFly 12.1X47-D10.4 and this configuration

set snmp community ddos authorization read-only
set snmp community ddos routing-instance MNGT clients 10.31.122.72/32
set snmp routing-instance-access access-list MNGT,*

admin@vSRX> show configuration routing-instances | display set
set routing-instances MNGT instance-type virtual-router
set routing-instances MNGT interface ge-0/0/0.0
set routing-instances MNGT routing-options static route 0.0.0.0/0 next-hop 10.31.122.1

When i run snmpwalk on linux, i don't see anything, but ssh works fine. In sec zone i use this configuration

set security zones functional-zone management interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones functional-zone management interfaces ge-0/0/0.0 host-inbound-traffic protocols all

set security policies default-policy permit-all

If this statement is not included in the SNMP configuration, SNMP managers from routing instances other than the default routing instance cannot access SNMP information.

Dear MarcTB

In my post i showed that i use command routing-instance-access

Can you provide me the below outputs?

root> show configuration | display set | match MNGT

root> show route 10.31.122.72

Please try add a static route as below,

root# set routing-options static route 10.31.122.72 next-table MNGT.inet.0

root#commit

Thanks,

Suraj

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Dear rsuraj

admin@vSRX> show configuration | display set | match MNGT
set snmp community ddos routing-instance MNGT clients 10.31.122.72/32
set snmp routing-instance-access access-list MNGT,*
set routing-instances MNGT instance-type virtual-router
set routing-instances MNGT interface ge-0/0/0.0
set routing-instances MNGT routing-options static route 0.0.0.0/0 next-hop 10.31.122.1

admin@vSRX> show route 10.31.122.72

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 6d 23:15:32
> to 10.10.1.2 via ge-0/0/1.0

MNGT.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.31.122.0/24 *[Direct/0] 6d 23:15:32
> via ge-0/0/0.0

SRX interface in direct connected network with linux machine with snmpwalk

I configure static route, but doesn't work)) I think it is some bugs...

Can you please confirm if you are using the community string as "MNGT@ddos"  and not just "ddos" ? if so can you try removing the access-list configured under SNMP and check?

#delete snmp routing-instance-access access-list

#commit

Thanks,

Suraj

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

rsuraj, I clear my acc and now my configuration is 

admin@vSRX# show snmp
community ddos {
authorization read-only;
routing-instance MNGT {
clients {
10.31.122.72/32;
}
}
}
routing-instance-access;

But snmpwalk doesn't work.

My nmap says:

root@snmp:~# nmap 10.31.122.79 -Pn

Starting Nmap 6.00 () at 2015-03-23 00:01 MSK
Nmap scan report for 10.31.122.79
Host is up (0.0042s latency).
Not shown: 983 filtered ports
PORT STATE SERVICE
7/tcp closed echo
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
53/tcp closed domain
79/tcp closed finger
80/tcp open http
113/tcp closed ident
179/tcp closed bgp
443/tcp closed https
513/tcp closed login
514/tcp closed shell
646/tcp closed ldp
3221/tcp closed xnm-clear-text
3784/tcp closed bfd-control
5060/tcp closed sip
33899/tcp closed unknown

rsuraj, I use MNGT@ddos, and then i see snmpwalk output.

Why SRX use this "domen" in community? I undestand why...

Sorry guys, but i have new troubles with snmp on r-i.

I can see oid juniper srx from port on r-i, but  i can't see any informational about interfaces in global table.

admin@vSRX> show snmp mib walk ifDescr

..................................
ifDescr.521 = ge-0/0/3
ifDescr.522 = ge-0/0/3.0

But snmpwalk see only 

iso.3.6.1.2.1.2.2.1.2.507 = STRING: "ge-0/0/0"
iso.3.6.1.2.1.2.2.1.2.508 = STRING: "ge-0/0/0.0"

When i gets .522, i don't see anything, how i can see .522 index?

Which MIB are you using, please try with Juniper Mibs and see the result, in this case I belive you need to use "mib-jnx-if-extension" to get interface details.

http://www.juniper.net/techpubs/en_US/junos14.2/topics/reference/mibs/mib-jnx-if-extensions.txt

rsuraj, I use standart mib in linux systems.

If i don't use routing-instance i see any interfaces Descriptions, else see only Descr of interface in routing-instance.

I don't think trouble in mibs, oid index-interface-ge-0/0/0 on srx and on snmpwalk matches

Hi MonaxGT,

I blve you are hitting issue mentioned in http://kb.juniper.net/InfoCenter/index?page=content&id=KB27977

Please try the resolution mentioned in this KB.

rsuraj thx!

I don't khow about this features!

Hi all,

Ive read these posts.... But I like to make a clear point on routing instances in snmp feature  are being using for snmp features on junos...Can I ask about why routing instances are being using for the snmp on junos? Without any routing instance,  doesn't snmp functionality on junos work? 

If you think it is recommanded, why not we utilize it for syslog?

thx,

A. 

I would only enable snmp in a routing instance if the routing path to the snmp polling servers is simplest and most direct from that routing instance.

This can happen depending on how the network connections and isolation are setup on devices across the locations in the network.  Or if routing instances are setup specifically to isolation management / out of band traffic on devices consistently.

Also in recent versions of Junos it is possible to move the fxp0 interfaces into routing instances to isolate this mgmt interface traffic from production traffic.