Junos OS Network Management Admin Guide

Juniper Junos Operating System Network Management Administration Guide

Uploaded by

Danny Sassin

Junos® OS

Network Management Administration Guide

Modified: 2017-03-14

Copyright © 2017, Juniper Networks, Inc.


Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

Junos® OS Network Management Administration Guide
Copyright © 2017, Juniper Networks, Inc.
All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.

Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxx
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxx
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiv
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . xxxiv
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiv

Part 1 Overview
Chapter 1 Network Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Understanding Device Management Functions in Junos OS . . . . . . . . . . . . . . . . . . 3
Understanding the Integrated Local Management Interface . . . . . . . . . . . . . . . . . . 6
Chapter 2 Introduction to Network Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Diagnostic Tools Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
J-Web Diagnostic Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
CLI Diagnostic Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Part 2 Network Monitoring Using SNMP


Chapter 3 SNMP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Understanding SNMP Implementation in Junos OS . . . . . . . . . . . . . . . . . . . . . . . . 13
SNMPv3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Chapter 4 SNMP MIBs and Traps Supported by Junos OS . . . . . . . . . . . . . . . . . . . . . . . . 19
Enterprise-Specific SNMP MIBs Supported by Junos OS . . . . . . . . . . . . . . . . . . . . 19
Standard SNMP MIBs Supported by Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Enterprise-Specific MIBs and Supported Devices . . . . . . . . . . . . . . . . . . . . . . . . . 47
Standard SNMP Traps Supported by Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Standard SNMP Version 1 Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Standard SNMP Version 2 Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Enterprise-Specific SNMP Traps Supported by Junos OS . . . . . . . . . . . . . . . . . . . 64
Juniper Networks Enterprise-Specific SNMP Version 1 Traps . . . . . . . . . . . . . 64
Juniper Networks Enterprise-Specific SNMP Version 2 Traps . . . . . . . . . . . . . 70

Chapter 5 Loading MIB Files to a Network Management System . . . . . . . . . . . . . . . . . . 79


Loading MIB Files to a Network Management System . . . . . . . . . . . . . . . . . . . . . . 79
Chapter 6 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Configuration Statements at the [edit snmp] Hierarchy Level . . . . . . . . . . . . . . . 84
Optimizing the Network Management System Configuration for the Best
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Changing the Polling Method from Column-by-Column to Row-by-Row . . . 87
Reducing the Number of Variable Bindings per PDU . . . . . . . . . . . . . . . . . . . 88
Increasing Timeout Values in Polling and Discovery Intervals . . . . . . . . . . . . 88
Reducing Incoming Packet Rate at the snmpd . . . . . . . . . . . . . . . . . . . . . . . . 88
Configuring Options on Managed Devices for Better SNMP Response Time . . . . 88
Enabling the stats-cache-lifetime Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Filtering Out Duplicate SNMP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Excluding Interfaces That Are Slow in Responding to SNMP Queries . . . . . . 89
Configuring SNMP on Devices Running Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . 90
Configuring Basic Settings for SNMPv1 and SNMPv2 . . . . . . . . . . . . . . . . . . . 91
Configuring Basic Settings for SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring System Name, Location, Description, and Contact
Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Configuring the System Contact on a Device Running Junos OS . . . . . . . . . . . . . . 94
Configuring the System Location for a Device Running Junos OS . . . . . . . . . . . . . 95
Configuring the System Description on a Device Running Junos OS . . . . . . . . . . . 95
Configuring SNMP Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Configuring a Different System Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring the Commit Delay Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Filtering Duplicate SNMP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Configuring SNMP Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Examples: Configuring the SNMP Community String . . . . . . . . . . . . . . . . . . . . . . 102
Adding a Group of Clients to an SNMP Community . . . . . . . . . . . . . . . . . . . . . . . 103
Configuring a Proxy SNMP Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Configuring SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Configuring SNMP Trap Options and Groups on a Device Running Junos OS . . . 107
Configuring SNMP Trap Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Configuring the Source Address for SNMP Traps . . . . . . . . . . . . . . . . . . . . . 109
Configuring the Agent Address for SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . 111
Adding snmpTrapEnterprise Object Identifier to Standard SNMP Traps . . . . 111
Configuring SNMP Trap Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Example: Configuring SNMP Trap Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring the Interfaces on Which SNMP Requests Can Be Accepted . . . . . . . 114
Example: Configuring Secured Access List Checking . . . . . . . . . . . . . . . . . . . . . . . 115
Filtering Interface Information Out of SNMP Get and GetNext Output . . . . . . . . . 115
Configuring MIB Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Configuring Ping Proxy MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Chapter 7 Configuring SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Minimum SNMPv3 Configuration on a Device Running Junos OS . . . . . . . . . . . . . 122
Example: SNMPv3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Configuring the Local Engine ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Creating SNMPv3 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127


Example: Creating SNMPv3 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Configuring the SNMPv3 Authentication Type . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Configuring MD5 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Configuring SHA Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Configuring No Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Configuring the SNMPv3 Encryption Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Configuring the Advanced Encryption Standard Algorithm . . . . . . . . . . . . . . 130
Configuring the Data Encryption Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Configuring Triple DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Configuring No Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Defining Access Privileges for an SNMP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Configuring the Access Privileges Granted to a Group . . . . . . . . . . . . . . . . . . . . . 133
Configuring the Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Configuring the Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Configuring the Security Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Associating MIB Views with an SNMP User Group . . . . . . . . . . . . . . . . . . . . . 134
Configuring the Notify View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Configuring the Read View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Configuring the Write View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Example: Configuring the Access Privileges Granted to a Group . . . . . . . . . . . . . 136
Assigning Security Model and Security Name to a Group . . . . . . . . . . . . . . . . . . . 137
Configuring the Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Assigning Security Names to Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring the Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Example: Security Group Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring SNMPv3 Traps on a Device Running Junos OS . . . . . . . . . . . . . . . . . 139
Configuring the SNMPv3 Trap Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Example: Configuring SNMPv3 Trap Notification . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuring the Trap Notification Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuring the Trap Target Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Configuring the Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Configuring the Address Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Configuring the Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Configuring the Routing Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Configuring the Trap Target Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Applying Target Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Example: Configuring the Tag List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Defining and Configuring the Trap Target Parameters . . . . . . . . . . . . . . . . . . . . . 146
Applying the Trap Notification Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Configuring the Target Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Configuring the Message Processing Model . . . . . . . . . . . . . . . . . . . . . . 147
Configuring the Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Configuring the Security Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Configuring the Security Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Configuring SNMP Informs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Configuring the Remote Engine and Remote User . . . . . . . . . . . . . . . . . . . . . . . . 150
Example: Configuring the Remote Engine ID and Remote User . . . . . . . . . . . . . . 151
Configuring the Inform Notification Type and Target Address . . . . . . . . . . . . . . . 154

Example: Configuring the Inform Notification Type and Target Address . . . . . . . 155
Configuring the SNMPv3 Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Configuring the Community Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Configuring the Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Configuring the Security Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Configuring the Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Example: Configuring an SNMPv3 Community . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Chapter 8 Configuring SNMP for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Understanding SNMP Support for Routing Instances . . . . . . . . . . . . . . . . . . . . . . 159
SNMP MIBs Supported for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Support Classes for MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
SNMP Traps Supported for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Identifying a Routing Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Enabling SNMP Access over Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community . . . . . . . . 173
Example: Configuring Interface Settings for a Routing Instance . . . . . . . . . . . . . . 174
Configuring Access Lists for SNMP Access over Routing Instances . . . . . . . . . . . 176
Chapter 9 Configuring SNMP Remote Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
SNMP Remote Operations Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
SNMP Remote Operation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Setting SNMP Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Example: Setting SNMP Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Setting Trap Notification for Remote Operations . . . . . . . . . . . . . . . . . . . . . . 179
Example: Setting Trap Notification for Remote Operations . . . . . . . . . . 179
Using Variable-Length String Indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Example: Set Variable-Length String Indexes . . . . . . . . . . . . . . . . . . . . . 179
Enabling Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Using the Ping MIB for Remote Monitoring Devices Running Junos OS . . . . . . . . 180
Starting a Ping Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Using Multiple Set Protocol Data Units (PDUs) . . . . . . . . . . . . . . . . . . . . . . . 181
Using a Single Set PDU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Monitoring a Running Ping Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
pingResultsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
pingProbeHistoryTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Generating Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Gathering Ping Test Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Stopping a Ping Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Interpreting Ping Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS . . . 187
Starting a Traceroute Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Using Multiple Set PDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Using a Single Set PDU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Monitoring a Running Traceroute Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
traceRouteResultsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
traceRouteProbeResultsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
traceRouteHopsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Generating Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192


Monitoring Traceroute Test Completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Gathering Traceroute Test Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Stopping a Traceroute Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Interpreting Traceroute Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Chapter 10 Tracing SNMP Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance
on a Device Running Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Checking for MIB Objects Registered with the snmpd . . . . . . . . . . . . . . . . . . 197
Tracking SNMP Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Monitoring SNMP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Checking CPU Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Checking Kernel and Packet Forwarding Engine Response . . . . . . . . . . . . . 202
Tracing SNMP Activity on a Device Running Junos OS . . . . . . . . . . . . . . . . . . . . . 203
Configuring the Number and Size of SNMP Log Files . . . . . . . . . . . . . . . . . . 204
Configuring Access to the Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Configuring a Regular Expression for Lines to Be Logged . . . . . . . . . . . . . . . 205
Configuring the Trace Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Example: Tracing SNMP Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Chapter 11 SNMP FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Junos OS SNMP FAQ Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Junos OS SNMP FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Junos OS SNMP Support FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Junos OS MIBs FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Junos OS SNMP Configuration FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
SNMPv3 FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
SNMP Interaction with Juniper Networks Devices FAQs . . . . . . . . . . . . . . . . 224
SNMP Traps and Informs FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Junos OS Dual Routing Engine Configuration FAQs . . . . . . . . . . . . . . . . . . . . 232
SNMP Support for Routing Instances FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . 233
SNMP Counters FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Part 3 Remote Monitoring (RMON) with SNMP


Chapter 12 RMON Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Understanding RMON Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
alarmTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
jnxRmonAlarmTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Understanding RMON Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
eventTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Chapter 13 Configuring RMON Alarms and Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Understanding RMON Alarms and Events Configuration . . . . . . . . . . . . . . . . . . . 243
Minimum RMON Alarm and Event Entry Configuration . . . . . . . . . . . . . . . . . . . . 244
Configuring an RMON Alarm Entry and Its Attributes . . . . . . . . . . . . . . . . . . . . . 244
Configuring the Alarm Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Configuring the Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Configuring the Falling Event Index or Rising Event Index . . . . . . . . . . . . . . . 245

Configuring the Falling Threshold or Rising Threshold . . . . . . . . . . . . . . . . . 246


Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Configuring the Falling Threshold Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Configuring the Request Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Configuring the Sample Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Configuring the Startup Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Configuring the System Log Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Configuring the Variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Configuring an RMON Event Entry and Its Attributes . . . . . . . . . . . . . . . . . . . . . . 248
Example: Configuring an RMON Alarm and Event Entry . . . . . . . . . . . . . . . . . . . 249
Chapter 14 Monitoring RMON Alarms and Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Using alarmTable to Monitor MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Creating an Alarm Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Configuring the Alarm MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
alarmInterval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
alarmVariable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
alarmSampleType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
alarmValue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
alarmStartupAlarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
alarmRisingThreshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
alarmFallingThreshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
alarmOwner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
alarmRisingEventIndex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
alarmFallingEventIndex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Activating a New Row in alarmTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Modifying an Active Row in alarmTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Deactivating a Row in alarmTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Using eventTable to Log Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Creating an Event Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Configuring the MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
eventType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
eventCommunity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
eventOwner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
eventDescription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Activating a New Row in eventTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Deactivating a Row in eventTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Chapter 15 Using RMON to Monitor Network Service Quality . . . . . . . . . . . . . . . . . . . . . 257
Understanding RMON for Monitoring Service Quality . . . . . . . . . . . . . . . . . . . . . 257
Setting Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
RMON Command-Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
RMON Event Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
RMON Alarm Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Troubleshooting RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Understanding Measurement Points, Key Performance Indicators, and Baseline
Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Measurement Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Basic Key Performance Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Setting Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

Defining and Measuring Network Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262


Defining Network Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Monitoring the SLA and the Required Bandwidth . . . . . . . . . . . . . . . . . 264
Measuring Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Real-Time Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Measuring Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Measuring Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Measuring Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Inbound Firewall Filter Counters per Class . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Monitoring Output Bytes per Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Dropped Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Part 4 Health Monitoring with SNMP


Chapter 16 Configuring Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Configuring Health Monitoring on Devices Running Junos OS . . . . . . . . . . . . . . . 285
Monitored Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Minimum Health Monitoring Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Configuring the Falling Threshold or Rising Threshold . . . . . . . . . . . . . . . . . 287
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Log Entries and Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Example: Configuring Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

Part 5 Gathering Statistics for Accounting Purposes Using Accounting Options, Source Class Usage and Destination Class Usage Options
Chapter 17 Accounting Options, Source Class Usage and Destination Class Usage
Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Accounting Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Understanding Source Class Usage and Destination Class Usage Options . . . . 292
Chapter 18 Configuring Accounting Options, Source Class Usage and Destination
Class Usage Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Configuration Statements at the [edit accounting-options] Hierarchy Level . . . 295
Accounting Options Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Accounting Options—Full Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Minimum Accounting Options Configuration . . . . . . . . . . . . . . . . . . . . . . . . 300
Configuring Accounting-Data Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Configuring How Long Backup Files Are Retained . . . . . . . . . . . . . . . . . . . . 305
Configuring the Maximum Size of the File . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Configuring Archive Sites for the Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Configuring Local Backup for Accounting Files . . . . . . . . . . . . . . . . . . . . . . . 306
Configuring Files to Be Compressed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Configuring the Maximum Number of Files . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Configuring the Storage Location of the File . . . . . . . . . . . . . . . . . . . . . . . . . 307
Configuring Files to Be Saved After a Change in Mastership . . . . . . . . . . . . 308
Configuring the Start Time for File Transfer . . . . . . . . . . . . . . . . . . . . . . . . . 308
Configuring the Transfer Interval of the File . . . . . . . . . . . . . . . . . . . . . . . . . 308
Configuring the Interface Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Configuring Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Configuring the File Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Example: Configuring the Interface Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Configuring the Filter Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Configuring the Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Configuring the File Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Example: Configuring a Filter Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Example: Configuring Interface-Specific Firewall Counters and Filter Profiles . . 314
Configuring SCU or DCU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Creating Prefix Route Filters in a Policy Statement . . . . . . . . . . . . . . . . . . . . 316
Applying the Policy to the Forwarding Table . . . . . . . . . . . . . . . . . . . . . . . . . 316
Enabling Accounting on Inbound and Outbound Interfaces . . . . . . . . . . . . . 316
Configuring SCU on a Virtual Loopback Tunnel Interface . . . . . . . . . . . . . . . . . . . 318
Example: Configuring a Virtual Loopback Tunnel Interface on a Provider
Edge Router Equipped with a Tunnel PIC . . . . . . . . . . . . . . . . . . . . . . . . 318
Example: Mapping the VRF Instance Type to the Virtual Loopback Tunnel
Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Example: Sending Traffic Received from the Virtual Loopback Interface Out
the Source Class Output Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Configuring Class Usage Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Configuring a Class Usage Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Configuring the File Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Creating a Class Usage Profile to Collect Source Class Usage Statistics . . . 320
Creating a Class Usage Profile to Collect Destination Class Usage
Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Configuring the MIB Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Configuring the File Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Configuring the MIB Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Configuring MIB Object Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Example: Configuring a MIB Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Configuring the Routing Engine Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Configuring Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Configuring the File Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Example: Configuring a Routing Engine Profile . . . . . . . . . . . . . . . . . . . . . . . 325

Part 6 Configuring Monitoring Options


Chapter 19 Configuring Interface Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Alarm Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Alarm Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Alarm Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Alarm Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Interface Alarm Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
System Alarm Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Example: Configuring Interface Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Monitoring Active Alarms on a Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Monitoring Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Chapter 20 Using RPM to Measure Network Performance . . . . . . . . . . . . . . . . . . . . . . . . 341
RPM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
RPM Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Probe and Test Intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Jitter Measurement with Hardware Timestamping . . . . . . . . . . . . . . . . . . . . 343
RPM Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
RPM Thresholds and Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
RPM for BGP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
IPv6 RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Guidelines for Configuring RPM Probes for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . 345
RPM Support for VPN Routing and Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Example: Configuring Basic RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Example: Configuring RPM Using TCP and UDP Probes . . . . . . . . . . . . . . . . . . . . 351
Example: Configuring RPM Probes for BGP Monitoring . . . . . . . . . . . . . . . . . . . . 354
Directing RPM Probes to Select BGP Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Configuring IPv6 RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Tuning RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
RPM Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Monitoring RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Chapter 21 Configuring IP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
IP Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Understanding IP Monitoring Test Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Example: Configuring IP Monitoring on SRX Series Devices . . . . . . . . . . . . . . . . 369
Understanding IP Monitoring Through Redundant Ethernet Interface Link
Aggregation Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Example: Configuring IP Monitoring on SRX Series Devices . . . . . . . . . . . . . . . . . 372
Example: Configuring Chassis Cluster Redundancy Group IP Address
Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Part 7 Monitoring Common Security Features


Chapter 22 Displaying Real-Time Information from Device to Host . . . . . . . . . . . . . . . 383
Displaying Real-Time Monitoring Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Displaying Multicast Path Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Chapter 23 Monitoring Application Layer Gateways Features . . . . . . . . . . . . . . . . . . . . 389
Monitoring H.323 ALG Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Monitoring MGCP ALGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Monitoring MGCP ALG Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Monitoring MGCP ALG Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Monitoring MGCP ALG Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Monitoring SCCP ALGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Monitoring SCCP ALG Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Monitoring SCCP ALG Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Monitoring SIP ALGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Monitoring SIP ALG Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Monitoring SIP ALG Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Monitoring SIP ALG Rate Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Monitoring SIP ALG Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Monitoring Voice ALG H.323 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Monitoring Voice ALG MGCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Monitoring Voice ALG SCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Monitoring Voice ALG SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Monitoring Voice ALG Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Chapter 24 Monitoring Interfaces and Switching Functions . . . . . . . . . . . . . . . . . . . . . . 415
Displaying Real-Time Interface Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Monitoring Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Monitoring Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Monitoring GVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Monitoring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Monitoring MPLS Traffic Engineering Information . . . . . . . . . . . . . . . . . . . . . . . . . 421
Monitoring MPLS Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Monitoring MPLS LSP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Monitoring MPLS LSP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Monitoring RSVP Session Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Monitoring MPLS RSVP Interfaces Information . . . . . . . . . . . . . . . . . . . . . . . 426
Monitoring PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Monitoring PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Monitoring Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Monitoring the WAN Acceleration Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Chapter 25 Monitoring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Monitoring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Monitoring Source NAT Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Monitoring Destination NAT Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Monitoring Static NAT Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Monitoring Incoming Table Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Monitoring Interface NAT Port Information . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Chapter 26 Monitoring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Monitoring Policy Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Monitoring Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Monitoring Route Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Monitoring RIP Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Monitoring OSPF Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Monitoring BGP Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Monitoring Security Events by Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Monitoring Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Monitoring Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Checking Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Monitoring Screen Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Monitoring IDP Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Monitoring Flow Gate Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Monitoring Firewall Authentication Table . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Monitoring Firewall Authentication History . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Monitoring 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Chapter 27 Monitoring Events, Services and System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Monitoring DHCP Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Monitoring Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Monitoring the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Monitoring System Properties for SRX Series Devices . . . . . . . . . . . . . . . . . 474
Monitoring Chassis Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
System Health Management for SRX Series Devices . . . . . . . . . . . . . . . . . . 478
Chapter 28 Monitoring Unified Threat Management Features . . . . . . . . . . . . . . . . . . . . 481
Monitoring Antivirus Scan Engine Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Monitoring Antivirus Scan Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Monitoring Antivirus Session Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Monitoring Content Filtering Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Monitoring Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Threats Monitoring Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Traffic Monitoring Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Monitoring Web Filtering Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Chapter 29 Monitoring VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Monitoring VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Monitoring IKE Gateway Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Monitoring IPsec VPN—Phase I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Monitoring IPsec VPN—Phase II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Monitoring IPsec VPN Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501


Part 8 Resource Monitoring of Memory Regions and Types Using CLI and SNMP Queries
Chapter 30 Effective Troubleshooting of System Performance With Resource
Monitoring Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Resource Monitoring Usage Computation Overview . . . . . . . . . . . . . . . . . . . . . . 509
Resource Monitoring and Usage Computation For Trio-Based Line
Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Resource Monitoring and Usage Computation For I-Chip-Based Line
Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Resource Monitoring Mechanism on MX Series Routers Overview . . . . . . . . . . . . 512
Examining the Utilization of Memory Resource Regions Using show
Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Diagnosing and Debugging System Performance By Configuring Memory
Resource Usage Monitoring on MX Series Routers . . . . . . . . . . . . . . . . . . . . . 515
Troubleshooting the Mismatch of jnxNatObjects Values for MS-DPC and
MS-MIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Managed Objects for Ukernel Memory for a Packet Forwarding Engine in an FPC
Slot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Managed Objects for Packet Forwarding Engine Memory Statistics Data . . . . . . 519
Managed Objects for Next-Hop, Jtree, and Firewall Filter Memory for a Packet
Forwarding Engine in an FPC Slot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
jnxPfeMemoryErrorsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
pfeMemoryErrors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520

Part 9 Troubleshooting
Chapter 31 Configuring Data Path Debugging and Trace Options . . . . . . . . . . . . . . . . . 523
Understanding Data Path Debugging for SRX Series Devices . . . . . . . . . . . . . . . 523
Debugging the Data Path (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Example: Configuring End-to-End Debugging on SRX Series Device . . . . . . . . . 525
Understanding Security Debugging Using Trace Options . . . . . . . . . . . . . . . . . . 530
Setting Security Trace Options (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 530
Displaying Log and Trace Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Displaying Output for Security Trace Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Displaying Multicast Trace Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Using the J-Web Traceroute Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
J-Web Traceroute Results and Output Summary . . . . . . . . . . . . . . . . . . . . . . . . . 535
Understanding Flow Debugging Using Trace Options . . . . . . . . . . . . . . . . . . . . . 536
Setting Flow Debugging Trace Options (CLI Procedure) . . . . . . . . . . . . . . . . . . . 537
Displaying a List of Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Chapter 32 Using MPLS to Diagnose LSPs, VPNs, and Layer 2 Circuits . . . . . . . . . . . . . 541
MPLS Connection Checking Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Understanding Ping MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
MPLS Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Loopback Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Source Address for Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Using the ping Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Using the J-Web Ping Host Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
J-Web Ping Host Results and Output Summary . . . . . . . . . . . . . . . . . . . . . . . . . 548
Using the J-Web Ping MPLS Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
J-Web Ping MPLS Results and Output Summary . . . . . . . . . . . . . . . . . . . . . . . . . 552
Pinging Layer 2 Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Pinging Layer 2 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Pinging Layer 3 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Pinging RSVP-Signaled LSPs and LDP-Signaled LSPs . . . . . . . . . . . . . . . . . . . . 557
Chapter 33 Using Packet Capture to Analyze Network Traffic . . . . . . . . . . . . . . . . . . . . 559
Packet Capture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Packet Capture on Device Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
Firewall Filters for Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Packet Capture Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Analysis of Packet Capture Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Example: Enabling Packet Capture on a Device . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Example: Configuring Packet Capture on an Interface . . . . . . . . . . . . . . . . . . . . . 565
Example: Configuring a Firewall Filter for Packet Capture . . . . . . . . . . . . . . . . . . 567
Example: Configuring Packet Capture for Datapath Debugging . . . . . . . . . . . . . 569
Disabling Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Deleting Packet Capture Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Changing Encapsulation on Interfaces with Packet Capture Configured . . . . . . 574
Displaying Packet Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Using the J-Web Packet Capture Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
J-Web Packet Capture Results and Output Summary . . . . . . . . . . . . . . . . . . . . . 582
Chapter 34 Troubleshooting Security Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Recovering the Root Password for SRX Series Devices . . . . . . . . . . . . . . . . . . . . 585
Troubleshooting DNS Name Resolution in Logical System Security Policies
(Master Administrators Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Troubleshooting the Link Services Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Determine Which CoS Components Are Applied to the Constituent
Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Determine What Causes Jitter and Latency on the Multilink Bundle . . . . . . 589
Determine If LFI and Load Balancing Are Working Correctly . . . . . . . . . . . . 590
Determine Why Packets Are Dropped on a PVC Between a Juniper Networks
Device and a Third-Party Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Troubleshooting Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Synchronizing Policies Between Routing Engine and Packet Forwarding
Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Checking a Security Policy Commit Failure . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Verifying a Security Policy Commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Debugging Policy Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Understanding Log Error Messages for Troubleshooting ISSU-Related
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Chassisd Process Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Kernel State Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Installation-Related Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
ISSU Support-Related Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Redundancy Group Failover Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Initial Validation Checks Fail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Understanding Common Error Handling for ISSU . . . . . . . . . . . . . . . . . . . . . 601

Part 10 Configuration Statements and Operational Commands


Chapter 35 Configuration Statements: Accounting Options, Source Class Usage and
Destination Class Usage Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
accounting-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
archive-sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
backup-on-failure (Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
class-usage-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
cleanup-interval (Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
compress (Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
destination-classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
egress-stats (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
fields (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
fields (for Interface Profiles) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
fields (for Routing Engine Profiles) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
file (Associating with a Profile) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
file (Configuring a Log File) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
file (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
filter-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
flat-file-profile (Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
format (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
general-param (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . 627
ingress-stats (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
interface-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
interval (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
l2-stats (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
mib-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
mpls (Security Forwarding Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
nonpersistent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
object-names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
overall-packet (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . 638
push-backup-to-master (Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . 639
routing-engine-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
schema-version (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . 641
size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
source-classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
start-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
traceoptions (System Accounting) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
transfer-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645

Chapter 36 Configuration Statements: Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . 647


cluster (Chassis) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
global-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
global-weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
ip-monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
ip-monitoring (Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
Chapter 37 Configuration Statements: Datapath Debug . . . . . . . . . . . . . . . . . . . . . . . . 655
action-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
capture-file (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
datapath-debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
flow (Security Flow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
icmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
maximum-capture-size (Datapath Debug) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
traceoptions (Security Datapath Debug) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Chapter 38 Configuration Statements: Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . 665
falling-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
health-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
idp (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
rising-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Chapter 39 Configuration Statements: Remote Monitoring (RMON) . . . . . . . . . . . . . . 671
alarm (SNMP RMON) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
falling-event-index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
falling-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 676
falling-threshold-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
request-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
rising-event-index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
rising-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680
rmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680
sample-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
startup-alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
syslog-subtag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Chapter 40 Configuration Statements: Resource Monitoring for Memory Regions . . 687
free-fw-memory-watermark (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . 687
free-heap-memory-watermark (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . 688
free-nh-memory-watermark (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . 689
high-threshold (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
no-logging (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
resource-category jtree (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691

resource-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
traceoptions (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Chapter 41 Configuration Statements: Security Alarms . . . . . . . . . . . . . . . . . . . . . . . . . 695
decryption-failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
idp (Security Alarms) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Chapter 42 Configuration Statements: SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
agent-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
alarm-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
alarm-list-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
alarm-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
alarm-state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
client-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
client-list-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
commit-delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
community (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
contact (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
destination-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
enterprise-oid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
filter-duplicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
filter-interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
interface (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
location (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
logical-system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
logical-system-trap-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
nonvolatile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
oid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
proxy (snmp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
routing-instance-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
snmp-value-match-msmic (Services NAT Options) . . . . . . . . . . . . . . . . . . . . . . 720
source-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
traceoptions (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
trap-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
trap-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
version (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
view (Associating a MIB View with a Community) . . . . . . . . . . . . . . . . . . . . . . . . 726
view (Configuring a MIB View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727

Chapter 43 Configuration Statements: SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729


address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
address-mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
authentication-md5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
authentication-none . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
authentication-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
authentication-sha . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
community-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
context (SNMPv3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737
engine-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
group (Configuring Group Name) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
group (Defining Access Privileges for an SNMPv3 Group) . . . . . . . . . . . . . . . . . . 740
retry-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740
timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
local-engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
message-processing-model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
notify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744
notify-filter (Applying to the Management Target) . . . . . . . . . . . . . . . . . . . . . . . 745
notify-filter (Configuring the Profile Name) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745
notify-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746
oid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747
parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
privacy-3des . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
privacy-aes128 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 750
privacy-des . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
privacy-none . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 752
privacy-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
read-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754
remote-engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756
security-level (Defining Access Privileges) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
security-level (Generating SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . . . . . 758
security-model (Access Privileges) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759
security-model (Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
security-model (SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
security-name (Community String) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762
security-name (Security Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
security-name (SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
security-to-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
snmp-community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
tag-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
target-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
target-parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
usm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773

vacm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
write-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776
Chapter 44 Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
clear chassis cluster ip-monitoring failure-count . . . . . . . . . . . . . . . . . . . . . . . . . 779
clear chassis cluster ip-monitoring failure-count ip-address . . . . . . . . . . . . . . . . 780
clear ilmi statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
clear snmp history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
clear snmp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
request pppoe connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
request pppoe disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
request services ip-monitoring preempt-restore policy . . . . . . . . . . . . . . . . . . . . 787
request snmp spoof-trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
show chassis alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
show chassis cluster ip-monitoring status redundancy-group . . . . . . . . . . . . . . 796
show interfaces (SRX Series) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
show interfaces snmp-index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830
show interfaces summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
show ilmi statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833
show security alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
show security datapath-debug capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840
show security datapath-debug counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
show security monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
show security monitoring fpc fpc-number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
show security monitoring performance session . . . . . . . . . . . . . . . . . . . . . . . . . . 847
show security monitoring performance spu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 848
show services ip-monitoring status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 850
show snmp health-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
show snmp inform-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 861
show snmp mib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
show snmp rmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866
show snmp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 870
show snmp stats-response-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878
show snmp v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 880
show system alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
show system resource-monitor fpc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884

List of Figures
Part 2 Network Monitoring Using SNMP
Chapter 7 Configuring SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Figure 1: Inform Request and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Chapter 8 Configuring SNMP for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Figure 2: SNMP Data for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Part 3 Remote Monitoring (RMON) with SNMP


Chapter 15 Using RMON to Monitor Network Service Quality . . . . . . . . . . . . . . . . . . . . . 257
Figure 3: Setting Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Figure 4: Network Entry Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Figure 5: Regional Points of Presence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Figure 6: Measurements to Each Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Figure 7: Network Behavior During Congestion . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Part 6 Configuring Monitoring Options


Chapter 20 Using RPM to Measure Network Performance . . . . . . . . . . . . . . . . . . . . . . . . 341
Figure 8: Sample RPM Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Chapter 21 Configuring IP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Figure 9: IP Monitoring on an SRX Series Device Topology Example . . . . . . . . . . 373

Part 9 Troubleshooting
Chapter 34 Troubleshooting Security Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Figure 10: PPP and MLPPP Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592


List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii

Part 1 Overview
Chapter 1 Network Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Device Management Features in Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . 4
Chapter 2 Introduction to Network Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Table 4: J-Web Interface Troubleshoot Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Table 5: CLI Diagnostic Command Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Part 2 Network Monitoring Using SNMP


Chapter 4 SNMP MIBs and Traps Supported by Junos OS . . . . . . . . . . . . . . . . . . . . . . . . 19
Table 6: Enterprise-specific MIBs supported by Junos OS . . . . . . . . . . . . . . . . . . . 19
Table 7: Standard MIBs supported by Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Table 8: Enterprise-Specific MIBs and Supported Devices . . . . . . . . . . . . . . . . . . 47
Table 9: Standard Supported SNMP Version 1 Traps . . . . . . . . . . . . . . . . . . . . . . . 57
Table 10: Standard Supported SNMP Version 2 Traps . . . . . . . . . . . . . . . . . . . . . . 60
Table 11: Juniper Networks Enterprise-Specific Supported SNMP Version 1 Traps . . . . . . . . . . 65
Table 12: Juniper Networks Enterprise-Specific Supported SNMP Version 2 Traps . . . . . . . . . . 71
Chapter 7 Configuring SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Table 13: Values to Use in Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Chapter 8 Configuring SNMP for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Table 14: MIB Support for Routing Instances (Juniper Networks MIBs) . . . . . . . . 160
Table 15: Class 1 MIB Objects (Standard and Juniper MIBs) . . . . . . . . . . . . . . . . . 164
Table 16: Class 2 MIB Objects (Standard and Juniper MIBs) . . . . . . . . . . . . . . . . 168
Table 17: Class 3 MIB Objects (Standard and Juniper MIBs) . . . . . . . . . . . . . . . . . 169
Table 18: Class 4 MIB Objects (Standard and Juniper MIBs) . . . . . . . . . . . . . . . . 170
Chapter 9 Configuring SNMP Remote Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Table 19: Results in pingProbeHistoryTable: After the First Ping Test . . . . . . . . . . 185
Table 20: Results in pingProbeHistoryTable: After the First Probe of the Second Test . . . . . . . . . . 185
Table 21: Results in pingProbeHistoryTable: After the Second Ping Test . . . . . . . 186
Table 22: traceRouteProbeHistoryTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Chapter 10 Tracing SNMP Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197


Table 23: SNMP Tracing Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Chapter 11 SNMP FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Table 24: Monitored Object Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Part 3 Remote Monitoring (RMON) with SNMP


Chapter 15 Using RMON to Monitor Network Service Quality . . . . . . . . . . . . . . . . . . . . . 257
Table 25: RMON Event Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Table 26: RMON Alarm Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Table 27: jnxRmon Alarm Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Table 28: Real-Time Performance Monitoring Configuration Options . . . . . . . . 266
Table 29: Health Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Table 30: Counter Values for vlan-ccc Encapsulation . . . . . . . . . . . . . . . . . . . . . 274
Table 31: Performance Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Table 32: Inbound Traffic Per Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Table 33: Inbound Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Table 34: Outbound Counters for ATM Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 279
Table 35: Outbound Counters for Non-ATM Interfaces . . . . . . . . . . . . . . . . . . . . 280
Table 36: Dropped Traffic Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Part 4 Health Monitoring with SNMP


Chapter 16 Configuring Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Table 37: Monitored Object Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

Part 5 Gathering Statistics for Accounting Purposes Using Accounting Options, Source Class Usage and Destination Class Usage Options
Chapter 17 Accounting Options, Source Class Usage and Destination Class Usage Options Overview . . . . . . . . . . 291
Table 38: Types of Accounting Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Part 6 Configuring Monitoring Options


Chapter 19 Configuring Interface Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Table 39: Interface Alarm Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Table 40: System Alarm Conditions and Corrective Actions . . . . . . . . . . . . . . . . 334
Table 41: Alarms Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Chapter 20 Using RPM to Measure Network Performance . . . . . . . . . . . . . . . . . . . . . . . . 341
Table 42: RPM Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Table 43: RPM Configuration Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Table 44: Summary of Key RPM Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Chapter 21 Configuring IP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Table 45: Test Parameters and Default Values . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Table 46: Threshold Supported and Description . . . . . . . . . . . . . . . . . . . . . . . . . 369

xxiv Copyright © 2017, Juniper Networks, Inc.


List of Tables

Part 7 Monitoring Common Security Features
Chapter 22 Displaying Real-Time Information from Device to Host
Table 47: CLI traceroute monitor Command Options
Table 48: CLI traceroute monitor Command Output Summary
Table 49: CLI mtrace from-source Command Options
Table 50: CLI mtrace from-source Command Output Summary
Chapter 23 Monitoring Application Layer Gateways Features
Table 51: Summary of Key H.323 Counters Output Fields
Table 52: Summary of Key MGCP Calls Output Fields
Table 53: Summary of Key MGCP Counters Output Fields
Table 54: Summary of Key MGCP Endpoints Output Fields
Table 55: Summary of Key SCCP Calls Output Fields
Table 56: Summary of Key SCCP Counters Output Fields
Table 57: Summary of Key SIP Calls Output Fields
Table 58: Summary of Key SIP Counters Output Fields
Table 59: Summary of Key SIP Rate Output Fields
Table 60: Summary of Key SIP Transactions Output Fields
Table 61: ALG H.323 Monitoring Page
Table 62: Voice ALG MGCP Monitoring Page
Table 63: Voice ALG SCCP Monitoring Page
Table 64: Voice ALG SIP Monitoring Page
Table 65: Voice ALG Summary Monitoring Page
Chapter 24 Monitoring Interfaces and Switching Functions
Table 66: CLI monitor interface Output Control Keys
Table 67: CLI monitor interface traffic Output Control Keys
Table 68: Address Pools Monitoring Page
Table 69: Summary of Ethernet Switching Output Fields
Table 70: GVRP Monitoring Page
Table 71: Summary of Key MPLS Interface Information Output Fields
Table 72: Summary of Key MPLS LSP Information Output Fields
Table 73: Summary of Key MPLS LSP Statistics Output Fields
Table 74: Summary of Key RSVP Session Information Output Fields
Table 75: Summary of Key RSVP Interfaces Information Output Fields
Table 76: Summary of Key PPPoE Output Fields
Table 77: Spanning Tree Monitoring Page
Chapter 25 Monitoring NAT
Table 78: Source NAT Monitoring Page
Table 79: Summary of Key Destination NAT Output Fields
Table 80: Summary of Key Static NAT Output Fields
Table 81: Summary of Key Incoming Table Output Fields
Table 82: Summary of Key Interface NAT Output Fields
Chapter 26 Monitoring Security Policies
Table 83: Filtering Route Messages
Table 84: Summary of Key Routing Information Output Fields
Table 85: Summary of Key RIP Routing Output Fields
Table 86: Summary of Key OSPF Routing Output Fields
Table 87: Summary of Key BGP Routing Output Fields
Table 88: View Policy Log Fields
Table 89: Policy Events Detail Fields
Table 90: Security Policies Monitoring Output Fields
Table 91: Check Policies Output
Table 92: Summary of Key Screen Counters Output Fields
Table 93: Summary of IDP Status Output Fields
Table 94: Summary of Key Flow Gate Output Fields
Table 95: Summary of Key Firewall Authentication Table Output Fields
Table 96: Summary of Key Firewall Authentication History Output Fields
Table 97: Summary of Dot1X Output Fields
Chapter 27 Monitoring Events, Services and System
Table 98: Summary of Key DHCP Client Binding Output Fields
Table 99: Events Monitoring Page
Chapter 28 Monitoring Unified Threat Management Features
Table 100: Statistics Tab Output in the Threats Report
Table 101: Activities Tab Output in the Threats Report
Table 102: Traffic Report Output
Chapter 29 Monitoring VPNs
Table 103: Summary of Key IKE SA Information Output Fields
Table 104: IPsec VPN—Phase I Monitoring Page
Table 105: IPsec VPN—Phase II Monitoring Page
Table 106: Summary of Key IPsec VPN Information Output Fields

Part 8 Resource Monitoring of Memory Regions and Types Using CLI and SNMP Queries
Chapter 30 Effective Troubleshooting of System Performance With Resource Monitoring Methodology
Table 107: jnxPfeMemoryUKernTable
Table 108: jnxPfeMemory Table
Table 109: jnxPfeMemoryForwardingTable
Table 110: jnxPfeMemoryErrorsTable
Table 111: pfeMemoryErrors

Part 9 Troubleshooting
Chapter 31 Configuring Data Path Debugging and Trace Options
Table 112: CLI mtrace monitor Command Output Summary
Table 113: Traceroute Field Summary
Table 114: J-Web Traceroute Results and Output Summary
Table 115: CLI traceroute Command Options
Chapter 32 Using MPLS to Diagnose LSPs, VPNs, and Layer 2 Circuits
Table 116: Options for Checking MPLS Connections
Table 117: CLI ping Command Options
Table 118: J-Web Ping Host Field Summary
Table 119: Ping Host Results and Output
Table 120: J-Web Ping MPLS Field Summary
Table 121: J-Web Ping MPLS Results and Output Summary
Table 122: CLI ping mpls l2circuit Command Options
Table 123: CLI ping mpls l2vpn Command Options
Table 124: CLI ping mpls l3vpn Command Options
Table 125: CLI ping mpls ldp and ping mpls lsp-end-point Command Options
Chapter 33 Using Packet Capture to Analyze Network Traffic
Table 126: CLI monitor traffic Command Options
Table 127: CLI monitor traffic Match Conditions
Table 128: CLI monitor traffic Logical Operators
Table 129: CLI monitor traffic Arithmetic, Binary, and Relational Operators
Table 130: Packet Capture Field Summary
Table 131: J-Web Packet Capture Results and Output Summary
Chapter 34 Troubleshooting Security Devices
Table 132: CoS Components Applied on Multilink Bundles and Constituent Links
Table 133: PPP and MLPPP Encapsulation Overhead
Table 134: Number of Packets Transmitted on a Queue
Table 135: ISSU-Related Errors and Solutions

Part 10 Configuration Statements and Operational Commands
Chapter 44 Operational Commands
Table 136: show chassis alarms Output Fields
Table 137: show chassis cluster ip-monitoring status Output Fields
Table 138: show chassis cluster ip-monitoring status redundancy group Reason Fields
Table 139: show interfaces Output Fields
Table 140: show interfaces summary Output Fields
Table 141: show ilmi statistics Output Fields
Table 142: show security alarms
Table 143: show security monitoring fpc fpc-number Output Fields
Table 144: show services ip-monitoring status Output Fields
Table 145: show snmp health-monitor Output Fields
Table 146: show snmp inform-statistics Output Fields
Table 147: show snmp mib Output Fields
Table 148: show snmp rmon Output Fields
Table 149: show snmp statistics Output Fields
Table 150: show snmp statistics subagents Output Fields
Table 151: show snmp stats-response-statistics Output Fields
Table 152: show snmp v3 Output Fields
Table 153: show system resource-monitor fpc Output Fields


About the Documentation

• Documentation and Release Notes
• Supported Platforms
• Using the Examples in This Manual
• Documentation Conventions
• Documentation Feedback
• Requesting Technical Support

Documentation and Release Notes


To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.

Supported Platforms

For the features described in this document, the following platforms are supported:

• ACX Series

• M Series

• MX Series

• T Series

• PTX Series

• SRX Series

• vSRX

• QFX Series

• EX Series


Using the Examples in This Manual

If you want to use the examples in this manual, you can use the load merge or the load
merge relative command. These commands cause the software to merge the incoming
configuration into the current candidate configuration. The example does not become
active until you commit the candidate configuration.

If the example configuration contains the top level of the hierarchy (or multiple
hierarchies), the example is a full example. In this case, use the load merge command.

If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.

Merging a Full Example


To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.

For example, copy the following configuration to a file and name the file ex-script.conf.
Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

    system {
        scripts {
            commit {
                file ex-script.xsl;
            }
        }
    }
    interfaces {
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }

2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:

[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete


Merging a Snippet
To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text
file, save the file with a name, and copy the file to a directory on your routing platform.

For example, copy the following snippet to a file and name the file
ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
on your routing platform.

    commit {
        file ex-script-snippet.xsl;
    }

2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:

[edit]
user@host# edit system scripts
[edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:

[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete

For more information about the load command, see CLI Explorer.
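
A pre-merge review of the two configurations above, added here as an example (it is not Juniper code): it flattens the curly-brace text into set-style paths at the hierarchy level where the file would be loaded and flags statements that match a watchlist. The function names and the watchlist patterns are assumptions made for this example.

```python
import re

# Constructed inputs: the two configurations shown in this section.
FULL_EXAMPLE = """
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
"""
SNIPPET = """
commit {
    file ex-script-snippet.xsl; }
"""

# Comments, quoted strings, structural characters, then bare words.
TOKEN = re.compile(r'/\*.*?\*/|#[^\n]*|"[^"]*"|[{};]|[^\s{};"#]+', re.S)

# Assumed watchlist (not from the manual): statements worth a second look
# before they are merged into the candidate configuration.
WATCHLIST = [
    (r"^system scripts ", "registers a script that runs on the device"),
    (r"^system (login|root-authentication) ", "changes local accounts"),
    (r"^system services ", "changes exposed management services"),
    (r"^interfaces \S+ disable$", "administratively disables an interface"),
]


def flatten(text, base=""):
    """Return the statements in curly-brace configuration text as full paths.

    base is the hierarchy level the text would be loaded at: empty for
    load merge, for example "system scripts" for load merge relative.
    """
    # Each stack entry: (path words of the open container, len(paths) at open).
    stack = [(base.split(), 0)]
    words, paths = [], []
    for tok in TOKEN.findall(text):
        if tok.startswith(("/*", "#")):
            continue                      # comments carry no configuration
        if tok == "{":
            stack.append((stack[-1][0] + words, len(paths)))
            words = []
        elif tok == ";":
            if words:                     # leaf statement ends here
                paths.append(" ".join(stack[-1][0] + words))
            words = []
        elif tok == "}":
            if len(stack) == 1 or words:
                raise ValueError("unbalanced brace or missing semicolon")
            prefix, opened_at = stack.pop()
            if len(paths) == opened_at:   # an empty container is a statement too
                paths.append(" ".join(prefix))
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("configuration text ends inside a statement")
    return paths


def review(text, base=""):
    """Return (path, reason) for every statement that matches the watchlist."""
    findings = []
    for path in flatten(text, base):
        for pattern, reason in WATCHLIST:
            if re.search(pattern, path):
                findings.append((path, reason))
                break
    return findings


if __name__ == "__main__":
    for text, base in ((FULL_EXAMPLE, ""), (SNIPPET, "system scripts")):
        print(f"[edit {base}]".replace(" ]", "]"))
        for path in flatten(text, base):
            print("   set", path)
        for path, reason in review(text, base):
            print("   REVIEW:", path, "->", reason)
```

Reviewed without its hierarchy level, the snippet matches nothing on the watchlist, so the level passed to the review has to be the one used with load merge relative.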

Documentation Conventions

Table 1 on page xxxii defines notice icons used in this guide.


Table 1: Notice Icons


Meaning              Description

Informational note   Indicates important features or instructions.
Caution              Indicates a situation that might result in loss of data or hardware damage.
Warning              Alerts you to the risk of personal injury or death.
Laser warning        Alerts you to the risk of personal injury from a laser.
Tip                  Indicates helpful information.
Best practice        Alerts you to a recommended use or implementation.

Table 2 on page xxxii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in
commands or configuration statements.
Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and
directories; configuration hierarchy levels; or labels on routing platform
components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols
  ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or
variables on either side of the symbol. The set of choices is often enclosed in
parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration
statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Example (indention and braces; semicolon):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternatively, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to [email protected]. Include the document
or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.

Self-Help Online Tools and Resources


For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC


You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.

PART 1

Overview
• Network Management Overview
• Introduction to Network Monitoring

CHAPTER 1

Network Management Overview

• Understanding Device Management Functions in Junos OS
• Understanding the Integrated Local Management Interface

Understanding Device Management Functions in Junos OS

Supported Platforms: ACX Series, M Series, MX Series, T Series

After you have installed a device into your network, you need to manage the device within
your network. Device management can be divided into five tasks:

• Fault management—Monitor the device; detect and fix faults.

• Configuration management—Configure device attributes.

• Accounting management—Collect statistics for accounting purposes.

• Performance management—Monitor and adjust device performance.

• Security management—Control device access and authenticate users.

The Junos® operating system (Junos OS) network management features work in
conjunction with an operations support system (OSS) to manage the devices within the
network. Junos OS can assist you in performing these management tasks, as described
in Table 3 on page 4.

Table 3: Device Management Features in Junos OS


Task Junos OS Feature

Fault management Monitor and see faults using:

• Operational mode commands—For more information about


operational mode commands, see the CLI Explorer.
• SNMP MIBs—For more information about SNMP MIBs supported by
Junos OS, see ““Standard SNMP MIBs Supported by Junos OS” on
page 30” and ““Enterprise-Specific SNMP MIBs Supported by Junos
OS” on page 19.
• Standard SNMP traps—For more information about standard SNMP
traps, see the “Standard SNMP Traps Supported by Junos OS” on
page 57.
• Enterprise-specific SNMP traps—For more information about
enterprise-specific traps, see ““Enterprise-Specific SNMP Traps
Supported by Junos OS” on page 64”.
• System log messages—For more information about how to configure
system log messages, see the Junos OS Administration Library. For
more information about how to view system log messages, see the
System Log Explorer.

Configuration • Configure router attributes using the command-line interface (CLI),


management the Junos XML management protocol, and the NETCONF XML
management protocol. For more information about configuring the
router using the CLI, see the Junos OS Administration Library. For more
information about configuring the router using the APIs, see the Junos
XML Management Protocol Guide and NETCONF XML Management
Protocol Guide.
• Configuration Management MIB—For more information about the
Configuration Management MIB, see Configuration Management
MIB.

4 Copyright © 2017, Juniper Networks, Inc.


Chapter 1: Network Management Overview

Table 3: Device Management Features in Junos OS (continued)


Task Junos OS Feature

Accounting Perform the following accounting-related tasks:


management
• Collect statistics for interfaces, firewall filters, destination classes,
source classes, and the Routing Engine. For more information about
collecting statistics, see “Accounting Options Configuration” on
page 296.
• Use interface-specific traffic statistics and other counters, available
in the Standard Interfaces MIB, Juniper Networks enterprise-specific
extensions to the Interfaces MIB, and media-specific MIBs, such as
the enterprise-specific ATM MIB.
• Use per-ATM virtual circuit (VC) counters, available in the
enterprise-specific ATM MIB. For more information about the ATM
MIB, see ATM MIB.
• Group source and destination prefixes into source classes and
destination classes and count packets for those classes. Collect
destination class and source class usage statistics. For more
information about classes, see “Destination Class Usage MIB” and
“Source Class Usage MIB”, “Configuring Class Usage Profiles” on
page 319, the Junos OS Network Interfaces Library for Routing Devices,
and the Junos OS Routing Protocols Library.
• Count packets as part of a firewall filter. For more information about
firewall filter policies, see “Enterprise-Specific SNMP MIBs Supported
by Junos OS” on page 19 and the Junos OS Routing Protocols Library.
• Sample traffic, collect the samples, and send the collection to a host
running the CAIDA cflowd utility. For more information about CAIDA
and cflowd, see the Junos OS Routing Protocols Library for Security
Devices.

Performance Monitor performance in the following ways:


management
• Use operational mode commands. For more information about
monitoring performance using operational mode commands, see
the CLI Explorer.
• Use firewall filter. For more information about performance
monitoring using firewall filters, see the Junos OS Routing Protocols
Library.
• Sample traffic, collect the samples, and send the samples to a host
running the CAIDA cflowd utility. For more information about CAIDA
and cflowd, see the Junos OS Routing Protocols Library.
• Use the enterprise-specific Class-of-Service MIB. For more
information about this MIB, see Class-of-Service MIB.

Security management Assure security in your network in the following ways:

• Control access to the router and authenticate users. For more


information about access control and user authentication, see the
Junos OS Administration Library.
• Control access to the router using SNMPv3 and SNMP over IPv6. For
more information, see “Configuring the Local Engine ID” on page 126
and “Tracing SNMP Activity on a Device Running Junos OS” on
page 203.


Related Documentation

• Understanding the Integrated Local Management Interface on page 6

• Understanding the SNMP Implementation in Junos OS

• Understanding Measurement Points, Key Performance Indicators, and Baseline Values
on page 261

• Accounting Options Overview on page 291

Understanding the Integrated Local Management Interface

Supported Platforms M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

The Integrated Local Management Interface (ILMI) provides a mechanism for
Asynchronous Transfer Mode (ATM)-attached devices, such as hosts, routers, and ATM
switches, to transfer management information. ILMI provides bidirectional exchange of
management information between two ATM interfaces across a physical connection.
ILMI information is exchanged over a direct encapsulation of SNMP version 1 (RFC 1157,
A Simple Network Management Protocol) over ATM Adaptation Layer 5 (AAL5) using a
virtual path identifier/virtual channel identifier (VPI/VCI) value (VPI=0, VCI=16).

Junos OS supports only two ILMI MIB variables: atmfMYIPNmAddress and
atmfPortMyIfname. For ATM1 and ATM2 intelligent queuing (IQ) interfaces, you can
configure ILMI to communicate directly with an attached ATM switch to enable querying
of the switch’s IP address and port number.

For more information about the ILMI MIB, see the ATM Forum at
http://www.atmforum.com/.

Related Documentation

• Understanding Device Management Functions in Junos OS on page 3



CHAPTER 2

Introduction to Network Monitoring

• Monitoring Overview
• Diagnostic Tools Overview

Monitoring Overview

Supported Platforms SRX Series, vSRX

Junos OS supports a suite of J-Web tools and CLI operational mode commands for
monitoring the system health and performance of your device. Monitoring tools and
commands display the current state of the device. To use the J-Web user interface and
CLI operational tools, you must have the appropriate access privileges.

You can use the J-Web Monitor option to monitor a device. J-Web results appear in the
browser.

You can also monitor the device with CLI operational mode commands. CLI command
output appears on the screen of your console or management device, or you can filter
the output to a file. For operational commands that display output, such as the show
commands, you can redirect the output into a filter or a file. When you display help about
these commands, one of the options listed is |, called a pipe, which allows you to filter
the command output.

For example, if you enter the show configuration command, the complete device
configuration appears on the screen. To limit the display to only those lines of the
configuration that contain address, enter the show configuration command using a pipe
into the match filter:

user@host> show configuration | match address
address-range low 192.168.3.2 high 192.168.3.254;
address-range low 192.168.71.71 high 192.168.71.254;
address 192.168.71.70/21;
address 192.168.2.1/24;
address 127.0.0.1/32;

For a complete list of the filters, type a command, followed by the pipe, followed by a
question mark (?):

user@host> show configuration | ?
Possible completions:
  compare    Compare configuration changes with prior version
  count      Count occurrences
  display    Show additional kinds of information
  except     Show only text that does not match a pattern
  find       Search for first occurrence of pattern
  hold       Hold text without exiting the prompt
  last       Display end of output only
  match      Show only text that matches a pattern
  no-more    Don't paginate output
  request    Make system-level requests
  resolve    Resolve IP addresses
  save       Save output text to file
  trim       Trim specified number of columns from start of line

You can specify complex expressions as an option for the match and except filters.

NOTE: To filter the output of configuration mode commands, use the filter
commands provided for the operational mode commands. In configuration
mode, an additional filter is supported.

Related Documentation

• Monitoring Interfaces on page 420

• Diagnostic Tools Overview on page 8

Diagnostic Tools Overview

Supported Platforms SRX Series, vSRX

Juniper Networks devices support a suite of J-Web tools and CLI operational mode
commands for evaluating system health and performance. Diagnostic tools and
commands test the connectivity and reachability of hosts in the network.

• Use the J-Web Diagnose options to diagnose a device. J-Web results appear in the
browser.

• Use CLI operational mode commands to diagnose a device. CLI command output
appears on the screen of your console or management device, or you can filter the
output to a file.

To use the J-Web user interface and CLI operational tools, you must have the appropriate
access privileges.

This section contains the following topics:

• J-Web Diagnostic Tools
• CLI Diagnostic Commands

J-Web Diagnostic Tools


The J-Web diagnostic tools consist of the options that appear when you select
Troubleshoot and Maintain in the task bar. Table 4 on page 9 describes the functions of
the Troubleshoot options.


Table 4: J-Web Interface Troubleshoot Options

Option            Function

Troubleshoot Options
Ping Host         Allows you to ping a remote host. You can configure advanced options
                  for the ping operation.
Ping MPLS         Allows you to ping an MPLS endpoint using various options.
Traceroute        Allows you to trace a route between the device and a remote host. You
                  can configure advanced options for the traceroute operation.
Packet Capture    Allows you to capture and analyze router control traffic.

Maintain Options
Files             Allows you to manage log, temporary, and core files on the device.
Upgrade           Allows you to upgrade and manage Junos OS packages.
Licenses          Displays a summary of the licenses needed and used for each feature
                  that requires a license. Allows you to add licenses.
Reboot            Allows you to reboot the device at a specified time.

CLI Diagnostic Commands


The CLI commands available in operational mode allow you to perform the same
monitoring, troubleshooting, and management tasks you can perform with the J-Web
user interface. Instead of invoking the tools through a graphical interface, you use
operational mode commands to perform the tasks.

You can perform certain tasks only through the CLI. For example, you can use the mtrace
command to display trace information about a multicast path from a source to a receiver,
which is a feature available only through the CLI.

To view a list of top-level operational mode commands, type a question mark (?) at the
command-line prompt.

At the top level of operational mode are the broad groups of CLI diagnostic commands
listed in Table 5 on page 9.

Table 5: CLI Diagnostic Command Summary

Command           Function

Controlling the CLI Environment
set option        Configures the CLI display.

Diagnosis and Troubleshooting
clear             Clears statistics and protocol database information.
mtrace            Traces information about multicast paths from source to receiver.
monitor           Performs real-time debugging of various Junos OS components, including
                  the routing protocols and interfaces.
ping              Determines the reachability of a remote network host.
ping mpls         Determines the reachability of an MPLS endpoint using various options.
test              Tests the configuration and application of policy filters and AS path
                  regular expressions.
traceroute        Traces the route to a remote network host.

Connecting to Other Network Systems
ssh               Opens secure shell connections.
telnet            Opens Telnet sessions to other hosts on the network.

Management
copy              Copies files from one location on the device to another, from the
                  device to a remote system, or from a remote system to the device.
restart option    Restarts the various system processes, including the routing protocol,
                  interface, and SNMP processes.
request           Performs system-level operations, including stopping and rebooting the
                  device and loading Junos OS images.
start             Exits the CLI and starts a UNIX shell.
configuration     Enters configuration mode.
quit              Exits the CLI and returns to the UNIX shell.

Related Documentation

• MPLS Connection Checking Overview on page 541

• Understanding Ping MPLS on page 543

• Using the J-Web Ping Host Tool on page 546

• Using the ping Command on page 544



PART 2

Network Monitoring Using SNMP


• SNMP Overview
• SNMP MIBs and Traps Supported by Junos OS
• Loading MIB Files to a Network Management System
• Configuring SNMP
• Configuring SNMPv3
• Configuring SNMP for Routing Instances
• Configuring SNMP Remote Operations
• Tracing SNMP Activity
• SNMP FAQs



CHAPTER 3

SNMP Overview

• Understanding SNMP Implementation in Junos OS
• SNMPv3 Overview

Understanding SNMP Implementation in Junos OS

Supported Platforms ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX

Do you use a central network management system (NMS)? Most NMSs use a version
of Simple Network Management Protocol (SNMP) that can monitor the status of Junos
OS devices that send unsolicited messages called traps. You can configure the IP address
of your NMS so that Junos OS can send its traps to it.

SNMP uses a very basic form of authentication called community strings to control access
between a manager and remote agents. Community strings are administrative names
used to group collections of devices (and the agents running on them) into common
management domains. If a manager and an agent share the same community, they can
talk to one another.

Many people associate SNMP community strings with passwords and keys because the
jobs they do are similar. As a result, SNMP communities are traditionally referred to as
strings. The community string is the first level of management authentication implemented
by the SNMP agent in Junos OS.

You might also want to configure remote logging on your device. Junos OS uses a system
log (syslog) mechanism similar to many Unix devices to forward log messages to a
specified log host address. This allows each of your devices to forward their messages
to one central host, making it easier to monitor the network as a whole. Syslog is a very
flexible and rich way of logging messages and is used by many device vendors to
supplement the information provided by SNMP traps.

A typical SNMP implementation includes three components:

• Managed device

• SNMP agent

• Network management system (NMS)


A managed device is any device on a network, also known as a network element, that is
managed by the network management system. Routers and switches are common
examples of managed devices. The SNMP agent is the SNMP process that resides on
the managed device and communicates with the network management system. The
NMS is a combination of hardware and software that is used to monitor and administer
a network.

The SNMP data is stored in a highly structured, hierarchical format known as a
management information base (MIB). The MIB structure is based on a tree structure,
which defines a grouping of objects into related sets. Each object in the MIB is associated
with an object identifier (OID), which names the object. The “leaf” in the tree structure
is the actual managed object instance, which represents a resource, event, or activity
that occurs in your network device.

The SNMP agent exchanges network management information with SNMP manager
software running on an NMS, or host. The agent responds to requests for information
and actions from the manager. The agent also controls access to the agent’s MIB, the
collection of objects that can be viewed or changed by the SNMP manager.

The SNMP manager collects information about network connectivity, activity, and events
by polling managed devices.

Communication between the agent and the manager occurs in one of the following
forms:

• Get, GetBulk, and GetNext requests—The manager requests information from the agent.
The agent returns the information in a Get response message.

• Set requests—The manager changes the value of a MIB object controlled by the agent.
The agent indicates status in a Set response message.

• Trap notifications—The agent sends traps to notify the manager of significant events
that occur on the network device.

The SNMP implementation in Junos OS contains:

• A master SNMP agent (known as the SNMP process or snmpd) that resides on the
managed device and is managed by the NMS or host.

• Various subagents that reside on different modules of Junos OS, such as the Routing
Engine, and are managed by the master SNMP agent (snmpd).

NOTE: By default, SNMP is not enabled on devices running Junos OS. For
information about enabling SNMP on a device running the Junos OS, see
“Configuring SNMP on Devices Running Junos OS” on page 90.

The SNMP implementation in Junos OS uses both standard (developed by the IETF and
documented in RFCs) and enterprise-specific (developed and supported by specific
vendors) MIBs.


In Junos OS, the management data is maintained by the snmpd at one level (for example,
snmpVacmMIB and snmpUsmMIB), and the subagents at the next level (for example,
routing MIBs and RMON MIBs). However, there is another level of data that is maintained
neither by the master agent nor by the subagents. In such cases, the data is maintained
by the Junos OS processes that share the data with the subagents when polled for SNMP
data. Interface-related MIBs and Firewall MIBs are good examples of data maintained
by Junos OS processes.

When a network management system polls the master agent for data, the master agent
immediately shares the data with the network management system if the requested data
is available with the master agent or one of the subagents. However, if the requested
data does not belong to those categories that are maintained by the master agent or the
subagents, the subagent polls the Junos OS kernel or the process that maintains that
data. On receiving the required data, the subagent passes the response back to the
master agent, which in turn passes it to the NMS.

The following illustration shows the communication flow among the NMS, SNMP process
(snmpd), SNMP subagents, and the Junos OS processes.

When a significant event, most often an error or a failure, occurs on a network device,
the SNMP agent sends notifications to the SNMP manager. The SNMP implementation
in Junos OS supports two types of notifications: traps and informs. Traps are unconfirmed
notifications, whereas informs are confirmed notifications. Informs are supported only
on devices that support SNMP version 3 (SNMPv3) configuration.

Junos OS supports trap queuing to ensure that traps are not lost because of temporary
unavailability of routes. Two types of queues, destination queues and a throttle queue,
are formed to ensure delivery of traps and to control the trap traffic.

Junos OS forms a destination queue when a trap to a particular destination is returned
because the host is not reachable, and adds the subsequent traps to the same destination
to the queue. Junos OS checks for availability of routes every 30 seconds and sends the
traps from the destination queue in a round-robin fashion.

If the trap delivery fails, the trap is added back to the queue, and the delivery attempt
counter and the next delivery attempt timer for the queue are reset. Subsequent attempts
occur at progressive intervals of 1 minute, 2 minutes, 4 minutes, and 8 minutes. The
maximum delay between the attempts is 8 minutes, and the maximum number of
attempts is 10. After 10 unsuccessful attempts, the destination queue and all the traps
in the queue are deleted.

Junos OS also has a throttle mechanism to control the number of traps (throttle threshold;
default value of 500 traps) sent during a particular time period (throttle interval; default
of 5 seconds) and to ensure consistency in trap traffic, especially when a large number of
traps are generated because of interface status changes. The throttle interval period
begins when the first trap arrives at the throttle. All traps within the trap threshold are
processed, and the traps beyond the threshold limit are queued.

The maximum size of trap queues—that is, throttle queue and destination queue put
together—is 40,000. However, on EX Series Ethernet Switches, the maximum size of the
trap queue is 1,000. The maximum size of any one queue is 20,000 for devices other
than EX Series Switches. On EX Series Switches, the maximum size of one queue is 500.
When a trap is added to the throttle queue, or if the throttle queue has exceeded the
maximum size, the trap is added back on top of the destination queue, and all subsequent
attempts from the destination queue are stopped for a 30-second period, after which
the destination queue restarts sending the traps.

Related Documentation

• FAQ: SNMP Support on Junos OS

• Configuring SNMP on Devices Running Junos OS on page 90

• Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on
a Device Running Junos OS on page 197

• Optimizing the Network Management System Configuration for the Best Results on
page 87

• Configuring Options on Managed Devices for Better SNMP Response Time on page 88

• Managing Traps and Informs

• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage

SNMPv3 Overview

Supported Platforms ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

In contrast to SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2), SNMP version
3 (SNMPv3) supports authentication and encryption. SNMPv3 uses the user-based
security model (USM) for message security and the view-based access control model
(VACM) for access control. USM specifies authentication and encryption. VACM specifies
access-control rules.

USM uses the concept of a user for which security parameters (levels of security,
authentication, privacy protocols, and keys) are configured for both the agent and the
manager. Messages sent using USM are better protected than messages sent with
community strings, where passwords are sent in the clear. With USM, messages
exchanged between the manager and the agent can have data integrity checking and
data origin authentication. USM protects against message delays and message replays
by using time indicators and request IDs. Encryption is also available.
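
The USM checks described above, as an added example (not code from Junos OS or from this guide): a simplified model after RFC 3414 that treats the message body as opaque bytes, with a constructed engine ID, password and timestamps. It goes one step beyond the text by showing key localization, which binds a user's key to a single engine ID.

```python
"""Model of the USM checks an SNMPv3 agent applies to an incoming message.

Simplified from RFC 3414: the message body is opaque bytes, and the engine
IDs, password and time values below are constructed for illustration.
"""
import hashlib
import hmac

TIME_WINDOW = 150          # seconds; the USM timeliness window in RFC 3414
MAX_BOOTS = 2147483647     # at this boot count every message is rejected


def localize_key(password: bytes, engine_id: bytes) -> bytes:
    """Password-to-key (RFC 3414, Appendix A.2): hash 1 MB of the repeated
    password, then bind the result to one engine ID so that a key taken
    from one device is useless against another."""
    reps, rem = divmod(1048576, len(password))
    ku = hashlib.sha1(password * reps + password[:rem]).digest()
    return hashlib.sha1(ku + engine_id + ku).digest()


def auth_tag(key: bytes, boots: int, engine_time: int, body: bytes) -> bytes:
    """HMAC-SHA-96: HMAC-SHA1 truncated to 12 bytes. The time indicators
    are covered by the MAC, so an attacker cannot refresh them."""
    covered = boots.to_bytes(4, "big") + engine_time.to_bytes(4, "big") + body
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def check_message(key, local_boots, local_time, msg):
    """Return 'ok' or the reason the agent rejects the message.
    msg is a dict with the keys boots, time, body and tag."""
    expected = auth_tag(key, msg["boots"], msg["time"], msg["body"])
    if not hmac.compare_digest(expected, msg["tag"]):
        return "wrongDigest"          # integrity or origin check failed
    if (local_boots == MAX_BOOTS
            or msg["boots"] != local_boots
            or abs(msg["time"] - local_time) > TIME_WINDOW):
        return "notInTimeWindow"      # delayed or replayed message
    return "ok"


def demo():
    engine_a = bytes.fromhex("80000a4c01c0a80101")   # constructed engine ID
    engine_b = bytes.fromhex("80000a4c01c0a80102")   # a second device
    password = b"constructed-auth-pass"
    key = localize_key(password, engine_a)
    body = b"get sysUpTime.0"                        # stand-in for the PDU
    msg = {"boots": 7, "time": 1000, "body": body,
           "tag": auth_tag(key, 7, 1000, body)}
    tampered = dict(msg, body=b"set sysContact.0")
    return {
        # Arrives 10 seconds after it was stamped: accepted.
        "fresh": check_message(key, 7, 1010, msg),
        # Captured and resent 500 seconds later: outside the window.
        "replayed_later": check_message(key, 7, 1500, msg),
        # Resent after the agent rebooted: boot counter no longer matches.
        "replayed_after_reboot": check_message(key, 8, 20, msg),
        # Body changed in transit: the MAC no longer verifies.
        "tampered": check_message(key, 7, 1010, tampered),
        # Same password on another engine yields a different key.
        "same_password_other_engine": check_message(
            localize_key(password, engine_b), 7, 1010, msg),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} {verdict}")
```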


To complement the USM, SNMPv3 uses the VACM, a highly granular access-control
model for SNMPv3 applications. Based on the concept of applying security policies to
the name of the groups querying the agent, the agent decides whether the group is
allowed to view or change specific MIB objects. VACM defines collections of data (called
views), groups of data users, and access statements that define which views a particular
group of users can use for reading, writing, or receiving traps.
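
The access decision VACM makes, as an added example (not Junos OS code): a simplified model of the RFC 3415 lookup that omits contexts and security models. The user, group and view names are hypothetical.

```python
"""Simplified VACM access decision, after RFC 3415 (isAccessAllowed).

Constructed policy: the user, group and view names are hypothetical.
"""
from dataclasses import dataclass

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


def parse_oid(text):
    """'.1.3.6.1.2.1' or '1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass
class View:
    """A named collection of MIB subtrees, each included or excluded."""
    name: str
    subtrees: list            # [(oid_text, include_flag), ...]

    def contains(self, oid_text):
        oid = parse_oid(oid_text)
        best_len, allowed = -1, False      # no matching subtree: not in view
        for subtree_text, include in self.subtrees:
            subtree = parse_oid(subtree_text)
            # The most specific matching subtree decides, so a narrow
            # exclude overrides a broad include.
            if oid[:len(subtree)] == subtree and len(subtree) > best_len:
                best_len, allowed = len(subtree), include
        return allowed


@dataclass
class Access:
    """Views a group may use and the weakest security level accepted."""
    group: str
    min_level: str
    read_view: str = ""
    write_view: str = ""
    notify_view: str = ""


class Vacm:
    def __init__(self, user_to_group, access_entries, views):
        self.user_to_group = user_to_group
        self.access_entries = access_entries
        self.views = {view.name: view for view in views}

    def is_allowed(self, user, level, operation, oid_text):
        """operation is 'read', 'write' or 'notify'; returns the status
        name RFC 3415 uses for the outcome."""
        group = self.user_to_group.get(user)
        if group is None:
            return "noGroupName"
        usable = [a for a in self.access_entries
                  if a.group == group and LEVELS[level] >= LEVELS[a.min_level]]
        if not usable:
            return "noAccessEntry"
        # Prefer the entry that demands the strongest security level.
        entry = max(usable, key=lambda a: LEVELS[a.min_level])
        view = self.views.get(getattr(entry, operation + "_view"))
        if view is None:
            return "noSuchView"
        return "accessAllowed" if view.contains(oid_text) else "notInView"


def build_policy():
    views = [
        View("health", [("1.3.6.1.2.1.1", True),               # system
                        ("1.3.6.1.2.1.2", True)]),             # interfaces
        View("all-but-secrets", [("1.3.6.1", True),
                                 ("1.3.6.1.6.3.15", False),    # snmpUsmMIB
                                 ("1.3.6.1.6.3.16", False)]),  # snmpVacmMIB
        View("contact-only", [("1.3.6.1.2.1.1.4", True)]),     # sysContact
    ]
    access = [
        Access("monitor", "authNoPriv", read_view="health"),
        Access("operators", "authPriv", read_view="all-but-secrets",
               write_view="contact-only", notify_view="all-but-secrets"),
    ]
    users = {"nms-poller": "monitor", "noc-admin": "operators"}
    return Vacm(users, access, views)


def demo():
    vacm = build_policy()
    sys_descr, sys_contact = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.4.0"
    usm_user_table = "1.3.6.1.6.3.15.1.2.2"
    return [
        vacm.is_allowed("nms-poller", "authNoPriv", "read", sys_descr),
        vacm.is_allowed("nms-poller", "authNoPriv", "write", sys_contact),
        vacm.is_allowed("nms-poller", "noAuthNoPriv", "read", sys_descr),
        vacm.is_allowed("noc-admin", "authPriv", "read", usm_user_table),
        vacm.is_allowed("noc-admin", "authPriv", "write", sys_contact),
        vacm.is_allowed("noc-admin", "authNoPriv", "write", sys_contact),
        vacm.is_allowed("intern", "authPriv", "read", sys_descr),
    ]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The excluded subtrees in the `all-but-secrets` view keep the USM and VACM tables, which hold user and access-control data, out of reach even for the group with the broadest read access.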

Trap entries in SNMPv3 are created by configuring the notify, notify filter, target address,
and target parameters. The notify statement specifies the type of notification (trap) and
contains a single tag. The tag defines a set of target addresses to receive a trap. The
notify filter defines access to a collection of trap object identifiers (OIDs). The target
address defines a management application's address and other attributes to be used in
sending notifications. Target parameters define the message processing and security
parameters to be used in sending notifications to a particular management target.

To configure SNMPv3, perform the following tasks:

• Creating SNMPv3 Users on page 127

• Configuring MIB Views on page 116

• Defining Access Privileges for an SNMP Group on page 132

• Configuring SNMPv3 Traps on a Device Running Junos OS on page 139

• Configuring SNMP Informs on page 149

Related Documentation

• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122



CHAPTER 4

SNMP MIBs and Traps Supported by Junos OS

• Enterprise-Specific SNMP MIBs Supported by Junos OS
• Standard SNMP MIBs Supported by Junos OS
• Enterprise-Specific MIBs and Supported Devices
• Standard SNMP Traps Supported by Junos OS
• Enterprise-Specific SNMP Traps Supported by Junos OS

Enterprise-Specific SNMP MIBs Supported by Junos OS

Supported Platforms ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX

Junos OS supports the enterprise-specific MIBs listed in Table 6 on page 19. For
information about enterprise-specific SNMP MIB objects, see the SNMP MIB Explorer.

Table 6: Enterprise-specific MIBs supported by Junos OS

AAA Objects MIB
  Description: Provides support for monitoring user authentication, authorization, and
    accounting through the RADIUS, LDAP, SecurID, and local authentication servers.
  Platforms: SRX Series and vSRX

Access Authentication Objects MIB
  Description: Provides support for monitoring firewall authentication, including data
    about the users trying to access firewall-protected resources and the firewall
    authentication service itself.
  Platforms: SRX Series and vSRX

Alarm MIB
  Description: Provides information about alarms from the router chassis.
  Platforms: All platforms


Analyzer MIB
  Description: Provides information about analyzer and remote analyzer related to port
    mirroring on the EX Series Ethernet Switches. Port mirroring is a method used on
    enterprise switches to monitor and analyze traffic on the network. When port
    mirroring is enabled, copies of all (or a sample set of) packets are forwarded from
    one port of the switch to another port on the same switch (analyzer) or on another
    switch (remote analyzer) where the packet can be analyzed and studied.
  Platforms: EX Series, QFabric system, and QFX Series

Antivirus Objects MIB
  Description: Provides information about the antivirus engine, antivirus scans, and
    antivirus scan-related traps.
  Platforms: SRX Series and vSRX

ATM Class-of-Service MIB
  Description: Provides support for ATM interfaces and virtual connections.
  Platforms: ACX Series, M Series, and T Series

ATM MIB
  Description: Provides support for monitoring Asynchronous Transfer Mode, version 2
    (ATM2) virtual circuit (VC) class-of-service (CoS) configurations. It also provides
    CoS queue statistics for all VCs that have CoS configured.
  Platforms: M Series, SRX Series, T Series and vSRX

BGP4 V2 MIB
  Description: Provides support for monitoring BGP peer-received prefix counters. It is
    based upon similar objects in the MIB documented in Internet draft
    draft-ietf-idr-bgp4-mibv2-03.txt, Definitions of Managed Objects for the Fourth
    Version of BGP (BGP-4), Second Version.
  Platforms: All platforms

Bidirectional Forwarding Detection MIB
  Description: Provides support for monitoring Bidirectional Forwarding Detection (BFD)
    sessions.
  Platforms: All platforms

Chassis Cluster MIB
  Description: Provides information about objects that are used whenever the state of
    the control link interfaces or fabric link interfaces changes (up to down or down
    to up) in a chassis cluster deployment.
  Platforms: SRX Series and vSRX

Chassis Definitions for Router Model MIB
  Description: Contains the object identifiers (OIDs) that are used by the Chassis MIB
    to identify platform and chassis components. The Chassis MIB provides information
    that changes often, whereas the Chassis Definitions for Router Model MIB provides
    information that changes less often.
  Platforms: ACX Series, M Series, MX Series, PTX Series, QFX Series, SRX 1500, SRX 550,
    and T Series


Chassis MIBs
  Description: Provides support for environmental monitoring (power supply state, board
    voltages, fans, temperatures, and air flow) and inventory support for the chassis,
    System Control Board (SCB), System and Switch Board (SSB), Switching and Forwarding
    Module (SFM), Switch Fabric Board (SFB), Flexible PIC Concentrators (FPCs), and
    PICs.
  Platforms: All platforms

Class-of-Service MIB
  Description: Provides support for monitoring interface output queue statistics per
    interface and per forwarding class.
  Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric system,
    QFX Series, SRX Series, T Series, and vSRX

Configuration Management MIB
  Description: Provides notification for configuration changes as SNMP traps. Each trap
    contains the time at which the configuration change was committed, the name of the
    user who made the change, and the method by which the change was made. A history of
    the last 32 configuration changes is kept in jnxCmChgEventTable.
  Platforms: All platforms

Destination Class Usage MIB
  Description: Provides support for monitoring packet counts based on the ingress and
    egress points for traffic transiting your networks. Ingress points are identified
    by the input interface. Egress points are identified by destination prefixes
    grouped into one or more sets, known as destination classes. One counter is managed
    per interface per destination class, up to a maximum of 16 counters per interface.
  Platforms: EX Series, M Series, SRX Series, T Series, and vSRX

DHCP MIB
  Description: Provides SNMP support (get and trap) for DHCP local server and relay
    configurations. It also provides support for bindings and leases tables, and for
    statistics.
  Platforms: M Series, MX Series, and T Series

DHCPv6 MIB
  Description: Provides SNMP support (get and trap) for DHCPv6 local server and relay
    configurations. It also provides support for bindings and leases tables, and for
    statistics.
  Platforms: M Series, MX Series, and T Series

Digital Optical Monitoring MIB
  Description: Provides support for the SNMP Get request for statistics and SNMP Trap
    notifications for alarms.
  Platforms: EX Series, M Series, MX Series, PTX Series, and T Series


DNS Objects MIB
  Description: Provides support for monitoring DNS proxy queries, requests, responses,
    and failures.
  Platforms: SRX Series and vSRX

Dynamic Flow Capture MIB
  Description: Provides support for monitoring the operational status of dynamic flow
    capture (DFC) PICs.
  Platforms: M Series and T Series

Ethernet MAC MIB
  Description: Monitors media access control (MAC) statistics on Gigabit Ethernet
    intelligent queuing (IQ) interfaces. It collects MAC statistics; for example,
    inoctets, inframes, outoctets, and outframes on each source MAC address and virtual
    LAN (VLAN) ID for each Ethernet port.
  Platforms: EX Series, M Series, MX Series, QFX Series, SRX1500, SRX300, SRX320,
    SRX340, SRX550, and T Series

Event MIB
  Description: Defines a generic trap that can be generated using an op script or event
    policy. This MIB provides the ability to specify a system log string and raise a
    trap if that system log string is found.
  Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric system,
    QFX Series, SRX1500, SRX300, SRX320, SRX340, SRX550, and T Series

Experimental MIB
  Description: Contains object identifiers for experimental MIBs.
  Platforms: ACX Series, M Series, MX Series, and T Series

EX Series MAC Notification MIB
  Description: Contains Juniper Networks' implementation of enterprise-specific MIB for
    Ethernet Mac Stats for EX Series.
  Platforms: EX Series

EX Series SMI MIB
  Description: Contains the Structure of Management Information for Juniper Networks EX
    Series platforms.
  Platforms: EX Series

Firewall MIB
  Description: Provides support for monitoring firewall filter counters. Routers must
    have the Internet Processor II ASIC to perform firewall monitoring.
  Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric system,
    QFX Series, SRX1500, SRX300, SRX320, SRX340, SRX550, and T Series

Flow Collection Services MIB
  Description: Provides statistics on files, records, memory, FTP, and error states of
    a monitoring services interface. It also provides SNMP traps for unavailable
    destinations, unsuccessful file transfers, flow overloading, and memory
    overloading.
  Platforms: M Series and T Series


Host Resources MIB
  Description: Extends the hrStorageTable object, providing a measure of the usage of
    each file system on the router in percentage format. Previously, the objects in the
    hrStorageTable measured the usage in allocation units—hrStorageUsed and
    hrStorageAllocationUnits—only. Using the percentage measurement, you can more
    easily monitor and apply thresholds on usage.
  Platforms: ACX Series, EX Series, M Series, MX Series, QFX Series, SRX1500, SRX300,
    SRX320, SRX340, SRX550, and T Series

Interface Accounting Forwarding Class MIB
  Description: Extends the Juniper Enterprise Interface MIB and provides support for
    monitoring statistics data for interface accounting and IETF standardization.
  Platforms: M Series, MX Series, SRX Series, and vSRX

Interface MIB
  Description: Extends the standard ifTable (RFC 2863) with additional statistics and
    Juniper Networks enterprise-specific chassis information.
  Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric system,
    QFX Series, SRX1500, SRX300, SRX320, SRX340, SRX550, and T Series

IP Forward MIB
  Description: Extends the standard IP Forwarding Table MIB (RFC 4292) to include CIDR
    forwarding information.
  Platforms: All platforms

IPsec Generic Flow Monitoring Object MIB
  Description: Based on jnx-ipsec-monitor-mib, this MIB provides support for monitoring
    IPsec and IPsec VPN management objects.
  Platforms: SRX Series and vSRX

IPsec Monitoring MIB
  Description: Provides operational and statistical information related to the IPsec
    and IKE tunnels on Juniper Networks routers.
  Platforms: M Series, SRX Series, and T Series

IPsec VPN Objects MIB
  Description: Provides support for monitoring IPsec and IPsec VPN management objects
    for Juniper security product lines. This MIB is an extension of
    jnx-ipsec-flow-mon.mib.
  Platforms: SRX Series

IPv4 MIB
  Description: Provides additional Internet Protocol version 4 (IPv4) address
    information, supporting the assignment of identical IPv4 addresses to separate
    interfaces.
  Platforms: All platforms

IPv6 and ICMPv6 MIB
  Description: Provides IPv6 and Internet Control Message Protocol version 6 (ICMPv6)
    statistics.
  Platforms: M Series, MX Series, PTX Series, SRX Series, T Series, and vSRX


L2ALD MIB Contains information about the Layer 2 EX Series, MX Series, QFX Series, and T
Address Learning Daemon (L2ALD) and Series
related traps, such as the routing
instance MAC limit trap and the interface
MAC limit trap. This MIB also provides
VLAN information in the
jnxL2aldVlanTable table for Enhanced
Layer 2 Software (ELS) EX Series and
QFX Series switches.

NOTE: Non-ELS EX Series switches
support the VLAN MIB (jnxExVlanTable
table) for VLAN information instead of
this MIB. See the SNMP MIB Explorer.

L2CP MIB Provides information about Layer 2 MX Series
Control Protocols (L2CP) based
features. Currently, Junos OS supports
only the
jnxDot1dStpPortRootProtectEnabled,
jnxDot1dStpPortRootProtectState, and
jnxPortRootProtectStateChangeTrap
objects.

L2TP MIB Provides information about Layer 2 M Series, MX Series, and T Series
Transport Protocol (L2TP) tunnels and
sessions.

LDP MIB Provides LDP statistics and defines LDP ACX Series, M Series, PTX Series, SRX
label-switched path (LSP) notifications. Series, and T Series
LDP traps support only IPv4 standards.

License MIB Extends SNMP support to licensing M Series, MX Series, SRX Series, and T
information, and introduces SNMP traps Series
that alert users when the licenses are
about to expire, expire, or when the total
number of users exceeds the number
specified in the license.

Logical Systems MIB Extends SNMP support to logical systems SRX Series
security profile through various MIBs
defined under jnxLsysSecurityProfile.

MIMSTP MIB Provides information about MSTP MX Series and T Series
instances (that is, routing instances of
type Virtual Switch/Layer 2 control, also
known as virtual contexts), MSTIs within
the MSTP instance, and VLANs
associated with the MSTI.

MPLS LDP MIB Contains object definitions as described ACX Series, EX Series, M Series, MX Series,
in RFC 3815, Definitions of Managed PTX Series, QFX Series, and T Series
Objects for the Multiprotocol Label
Switching (MPLS), Label Distribution
Protocol (LDP).

NOTE: Objects in the MPLS LDP MIB
were supported in earlier releases of
Junos OS as a proprietary LDP MIB
(mib-ldpmib.txt). Because the branch
used by the proprietary LDP
(mib-ldpmib.txt) conflicts with RFC 3812,
the proprietary LDP MIB (mib-ldpmib.txt)
has been deprecated and replaced by
the enterprise-specific MPLS LDP MIB
(mib-jnx-mpls-ldp.txt).

MPLS MIB Provides MPLS information and defines ACX Series, EX Series, M Series, MX Series,
MPLS notifications. PTX Series, QFX Series, SRX Series, and
T Series
NOTE: To collect information about
MPLS statistics on transit routers, use
the enterprise-specific RSVP MIB
(mib-jnx-rsvp.txt) instead of the
enterprise-specific MPLS MIB
(mib-jnx-mpls.txt).

MVPN MIB Contains objects that enable the SNMP All platforms
manager to monitor MVPN connections
on the provider edge routers. The
enterprise-specific MVPN MIB is the
Juniper Networks extension of the IETF
standard MIBs defined in Internet draft
draft-ietf-l3vpn-mvpn-mib-03.txt,
MPLS/BGP Layer 3 VPN Multicast
Management Information Base.

NAT Objects MIB Provides support for monitoring network EX Series and SRX Series
address translation (NAT).

NAT Resources-Monitoring MIB Provides support for monitoring NAT M Series and MX Series
pools usage and NAT rules. Notifications
of usage of NAT resources are also
provided by this MIB. This MIB is
currently supported on the Multiservices
PIC and Multiservices DPC on M Series
and MX Series routers only.

OTN Interface Management MIB Defines objects for managing Optical M Series, MX Series, PTX Series, and T
Transport Network (OTN) interfaces on Series
devices running Junos OS.

Packet Forwarding Engine MIB Provides notification statistics for Packet ACX Series, EX Series, M Series, PTX
Forwarding Engines. Series, SRX Series, and T Series

Packet Mirror MIB Enables you to capture and view packet MX Series
mirroring-related information. This MIB
is currently supported by Junos OS for
MX Series routers only. Packet mirroring
traps are an extension of the standard
SNMP implementation and are only
available to SNMPv3 users.

PAE Extension MIB Extends the standard IEEE802.1x PAE EX Series
Extension MIB, and contains information
for Static MAC Authentication.

Passive Monitoring MIB Performs traffic flow monitoring and M Series and T Series
lawful interception of packets transiting
between two routers.

Ping MIB Extends the standard Ping MIB control ACX Series, EX Series, M Series, MX Series,
table (RFC 2925). Items in this MIB are QFX Series, SRX Series, and T Series
created when entries are created in
pingCtlTable of the Ping MIB. Each item
is indexed exactly as it is in the Ping MIB.

Policy Objects MIB Provides support for monitoring the SRX Series
security policies that control the flow of
traffic from one zone to another.

Power Supply Unit MIB Enables monitoring and managing of the EX Series and QFabric system
power supply on a device running Junos
OS.

PPP MIB Provides SNMP support for PPP-related M Series and MX Series
information such as the type of
authentication used, interface
characteristics, status, and statistics.
This MIB is supported on Common Edge
PPP process, jpppd.

PPPoE MIB Provides SNMP support for M Series and MX Series
PPPoE-related information such as the
type of authentication used, interface
characteristics, status, and statistics.
This MIB is supported on Common Edge
PPPoE process, jpppoed.

Pseudowire ATM MIB Extends the standard Pseudowire MIB, M Series and MX Series
and defines objects used for managing
the ATM pseudowires in Juniper
products. The enterprise-specific
Pseudowire ATM MIB is the Juniper
Networks implementation of RFC 5605,
Managed Objects for ATM over Packet
Switched Networks (PSNs).

Pseudowire TDM MIB Extends the standard Pseudowire MIB, ACX Series, M Series, and T Series
and contains information about
configuration and statistics for specific
pseudowire types. The
enterprise-specific Pseudowire TDM MIB
is the Juniper Networks implementation
of the standard Managed Objects for
TDM over Packet Switched Network MIB
(draft-ietf-pwe3-tdm-mib-08.txt).

PTP MIB Monitors the operation of PTP clocks MX Series
within the network.

Real-Time Performance Monitoring MIB Provides real-time performance-related EX Series, M Series, MX Series, SRX Series,
data and enables you to access jitter and T Series
measurements and calculations using
SNMP.

Reverse-Path-Forwarding MIB Monitors statistics for traffic that is All platforms
rejected because of
reverse-path-forwarding (RPF)
processing.

RMON Events and Alarms MIB Supports the Junos OS extensions to the All platforms
standard Remote Monitoring (RMON)
Events and Alarms MIB (RFC 2819). The
extension augments alarmTable with
additional information about each
alarm. Two new traps are also defined
to indicate when problems are
encountered with an alarm.

RSVP MIB Provides information about RSVP-traffic ACX Series, M Series, MX Series, PTX
engineering sessions that correspond to Series, and T Series
MPLS LSPs on transit routers in the
service provider core network.

NOTE: To collect information about
MPLS statistics on transit routers, use
the enterprise-specific RSVP MIB
(mib-jnx-rsvp.txt) instead of the
enterprise-specific MPLS MIB
(mib-jnx-mpls.txt).

Security Interface Extension Objects MIB Provides support for the security EX Series, SRX Series, and vSRX
management of interfaces.

Security Screening Objects MIB Defines the MIB for the Juniper Networks SRX Series and vSRX
Enterprise Firewall screen functionality.

Services PIC MIB Provides statistics for Adaptive Services M Series and T Series
(AS) PICs and defines notifications for
AS PICs.

SNMP IDP MIB Contains Juniper Networks' SRX Series and vSRX
implementation of the enterprise-specific
MIB for IDP.

SONET APS MIB Monitors any SONET interface that M Series and T Series
participates in Automatic Protection
Switching (APS).

SONET/SDH Interface Management MIB Monitors the current alarm for each M Series and T Series
SONET/SDH interface.

Source Class Usage MIB Counts packets sent to customers by M Series, T Series, and SRX Series
performing a lookup on the IP source
address and the IP destination address.
The Source Class Usage (SCU) MIB
makes it possible to track traffic
originating from specific prefixes on the
provider core and destined for specific
prefixes on the customer edge.

SPU Monitoring MIB Provides support for monitoring SPUs SRX Series and vSRX
on SRX5600 and SRX5800 devices.

Structure of Management Information Explains how the Juniper Networks ACX Series, EX Series, M Series, MX Series,
MIB enterprise-specific MIBs are structured. QFX Series, SRX Series, T Series and vSRX

Structure of Management Information Defines a MIB branch for EX Series
MIB for EX Series Ethernet Switches switching-related MIB definitions for the
EX Series Ethernet Switches.

Structure of Management Information Contains object identifiers (OIDs) for the SRX Series and vSRX
MIB for SRX Series security branch of the MIBs used in Junos
OS for SRX Series devices, services, and
traps.

Subscriber MIB Provides SNMP support for ACX Series, MX Series, and T Series
subscriber-related information.

System Log MIB Enables notification of an SNMP EX Series, M Series, MX Series, PTX Series,
trap-based application when an QFX Series, SRX Series, and T Series
important system log message occurs.

Traceroute MIB Supports the Junos OS extensions of EX Series, M Series, MX Series, SRX Series,
traceroute and remote operations. Items T Series, and vSRX
in this MIB are created when entries are
created in the traceRouteCtlTable of the
Traceroute MIB. Each item is indexed
exactly the same way as it is in the
Traceroute MIB.

Utility MIB Provides SNMP support for exposing the EX Series, M Series, MX Series, QFabric
Junos OS data and has tables that system, QFX Series, SRX Series, T Series,
contain information about each type of and vSRX
data, such as integer and string.

Virtual Chassis MIB Contains information about the virtual EX Series and MX Series
chassis on the EX Series Ethernet
Switches and the MX Series.

VLAN MIB Contains information about prestandard EX Series and QFX Series
IEEE 802.10 VLANs and their association
with LAN emulation clients.

NOTE: For ELS EX Series switches and
QFX Series switches, VLAN information
is provided in the L2ALD MIB in the
jnxL2aldVlanTable table instead of in this
MIB. See the SNMP MIB Explorer for
details.

Non-ELS EX Series Ethernet switches
use the jnxExVlanTable table in this MIB
to provide VLAN configuration
information, and the jnxVlanTable table
in this MIB has been deprecated and is
no longer used.

VPLS MIBs Provides information about generic, M Series, MX Series, and T Series
BGP-based, and LDP-based VPLS, and
pseudowires associated with the VPLS
networks. The enterprise-specific VPLS
MIBs are Juniper Networks extensions
of the following IETF standard MIBs
defined in Internet draft
draft-ietf-l2vpn-vpls-mib-05.txt, and
are implemented as part of the
jnxExperiment branch:

• VPLS-Generic-Draft-01-MIB
implemented as
mib-jnx-vpls-generic.txt
• VPLS-BGP-Draft-01-MIB implemented
as mib-jnx-vpls-bgp.txt
• VPLS-LDP-Draft-01-MIB implemented
as mib-jnx-vpls-ldp.txt

VPN Certificate Objects MIB Provides support for monitoring the local EX Series, SRX Series, and vSRX
and CA certificates loaded on the router.

VPN MIB Provides monitoring for Layer 3 VPNs, ACX Series, EX Series, M Series, MX Series,
Layer 2 VPNs, and virtual private LAN and T Series
service (VPLS) (read access only).

For information about enterprise-specific SNMP MIB objects, see the SNMP MIB Explorer.

Related Documentation
• Network Management Administration Guide
• Standard SNMP MIBs Supported by Junos OS
• Enterprise-Specific SNMP Traps Supported by Junos OS

Standard SNMP MIBs Supported by Junos OS

Supported Platforms ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX

Junos OS supports the standard MIBs listed in Table 7.

NOTE: For details on SNMP MIB support on EX4600 switches, QFX Series
switches, and QFabric systems, see SNMP MIBs Support.

Table 7: Standard MIBs supported by Junos OS


Standard MIB Exceptions Platforms

IEEE 802.1ab section 12.1, Link Layer EX Series implementation of LLDP MIB EX Series and MX Series
Discovery Protocol (LLDP) MIB supports both IPv4 and IPv6
configuration.

IEEE, 802.3ad, Aggregation of Multiple Supported tables and objects: EX Series, M Series, MX Series, PTX
Link Segments Series, SRX Series, T Series, and vSRX
• dot3adAggPortTable,
dot3adAggPortListTable,
dot3adAggTable, and
dot3adAggPortStatsTable

NOTE: EX Series switches do not
support the dot3adAggPortTable and
dot3adAggPortStatsTable.

• dot3adAggPortDebugTable (only
dot3adAggPortDebugRxState,
dot3adAggPortDebugMuxState,
dot3adAggPortDebugActorSyncTransitionCount,
dot3adAggPortDebugPartnerSyncTransitionCount,
dot3adAggPortDebugActorChangeCount,
and
dot3adAggPortDebugPartnerChangeCount)

NOTE: EX Series switches do not
support the
dot3adAggPortDebugTable.

• dot3adTablesLastChanged

IEEE, 802.1ag, Connectivity Fault Supported tables and objects: EX Series, MX Series, and QFX Series
Management
• dot1agCfmMdTableNextIndex
• dot1agCfmMdTable (except
dot1agCfmMdMhfldPermission)
• dot1agCfmMaNetTable
• dot1agCfmMaMepListTable
• dot1agCfmDefaultMdDefLevel
• dot1agCfmDefaultMdDefMhfCreation
• dot1agCfmMepTable (except
dot1agCfmMepLbrBadMsdu,
dot1agCfmMepTransmitLbmVlanPriority,
dot1agCfmMepTransmitLbmVlanDropEnable,
dot1agCfmMepTransmitLtmFlags,
dot1agCfmMepPbbTeCanReportPbbTePresence,
dot1agCfmMepPbbTeTrafficMismatchDefect,
dot1agCfmMepPbbTransmitLbmLtmReverseVid,
dot1agCfmMepPbbTeMismatchAlarm,
dot1agCfmMepPbbTeLocalMismatchDefect,
and
dot1agCfmMepPbbTeMismatchSinceReset)
• dot1agCfmLtrTable (except
dot1agCfmLtrChassisIdSubtype,
dot1agCfmLtrChassisId,
dot1agCfmLtrManAddressDomain,
dot1agCfmLtrManAddress,
dot1agCfmLtrIngressPortIdSubtype,
dot1agCfmLtrIngressPortId,
dot1agCfmLtrEgressPortIdSubtype,
dot1agCfmLtrEgressPortId, and
dot1agCfmLtrOrganizationSpecificTlv)
• dot1agCfmMepDbTable (except
dot1agCfmMepDbChassisIdSubtype,
dot1agCfmMepDbChassisId,
dot1agCfmMepDbManAddressDomain,
and dot1agCfmMepDbManAddress)

IEEE, 802.1ap, Management Information Supported tables and objects: MX Series
Base (MIB) definitions for VLAN Bridges
• ieee8021CfmStackTable
• ieee8021CfmVlanTable
• ieee8021CfmDefaultMdTable (except
ieee8021CfmDefaultMdIdPermission)
• ieee8021CfmMaCompTable (except
ieee8021CfmMaCompIdPermission)

RFC 1155, Structure and Identification of No exceptions All platforms
Management Information for
TCP/IP-based Internets

RFC 1157, A Simple Network Management No exceptions All platforms
Protocol (SNMP)

RFC 1195, Use of OSI IS-IS for Routing in Supported tables and objects: All platforms
TCP/IP and Dual Environments
• isisSystem
• isisMANAreaAddr
• isisAreaAddr
• isisSysProtSupp
• isisSummAddr
• isisCirc
• isisCircLevel
• isisPacketCount
• isisISAdj
• isisISAdjAreaAddr
• isisAdjIPAddr
• isisISAdjProtSupp
• isisRa
• isisIPRA

RFC 1212, Concise MIB Definitions No exceptions ACX Series, EX Series, M Series, MX
Series, PTX Series, SRX Series, and T
Series

RFC 1213, Management Information Base Junos OS supports the following areas: ACX Series, EX Series, M Series, MX
for Network Management of Series, PTX Series, SRX Series, and T
TCP/IP-Based Internets: MIB-II • MIB II and its SNMP version 2 Series
derivatives, including:

• Statistics counters
• IP, except for ipRouteTable, which
has been replaced by
ipCidrRouteTable (RFC 2096, IP
Forwarding Table MIB)
• SNMP management
• Interface management

• SNMPv1 Get, GetNext requests, and
version 2 GetBulk request
• Junos OS-specific secured access list
• Master configuration keywords
• Reconfigurations upon SIGHUP

RFC 1215, A Convention for Defining Traps Junos OS supports only MIB II SNMP ACX Series, EX Series, M Series, MX
for use with the SNMP version 1 traps and version 2 notifications. Series, PTX Series, SRX Series, and T
Series

RFC 1406, Definitions of Managed Objects Junos OS supports T1 MIB. ACX Series, M Series, SRX Series, and T
for the DS1 and E1 Interface Types Series

RFC 1407, Definitions of Managed Objects Junos OS supports T3 MIB. M Series and T Series
for the DS3/E3 Interface Type

RFC 1471, Definitions of Managed Objects Supported tables and objects: M Series, MX Series, and PTX Series
for the Link Control Protocol of the
Point-to-Point Protocol • pppLcp 1 object
• pppLinkStatusTable table
• pppLinkConfigTable table

RFC 1657, Definitions of Managed Objects No exceptions ACX Series, EX Series, M Series, MX
for the Fourth Version of the Border Series, and T Series
Gateway Protocol (BGP-4) using SMIv2

RFC 1695, Definitions of Managed Objects No exceptions ACX Series, M Series, PTX Series, and T
for ATM Management Version 8.0 Using Series
SMIv2

RFC 1850, OSPF Version 2 Management Unsupported tables, objects, and traps: ACX Series, EX Series, M Series, MX
Information Base Series, PTX Series, SRX Series, and T
• ospfOriginateNewLsas object Series
• ospfRxNewLsas object
• The host table
• ospfOriginateLSA trap
• ospfLsdbOverflow trap
• ospfLsdbApproachingOverflow trap

RFC 1901, Introduction to No exceptions All platforms
Community-based SNMPv2

RFC 2011, SNMPv2 Management No exceptions ACX Series, EX Series, M Series, MX
Information Base for the Internet Protocol Series, PTX Series, and T Series
Using SMIv2

RFC 2012, SNMPv2 Management No exceptions ACX Series, EX Series, M Series, MX
Information Base for the Transmission Series, PTX Series, SRX Series, and T
Control Protocol Using SMIv2 Series

RFC 2013, SNMPv2 Management No exceptions ACX Series, EX Series, M Series, MX
Information Base for the User Datagram Series, PTX Series, SRX Series, and T
Protocol Using SMIv2 Series

RFC 2024, Definitions of Managed Objects Unsupported tables, objects, and traps M Series, MX Series, and T Series
for Data Link Switching Using SMIv2 with read-only access:

• dlswInterface object group
• dlswSdlc object group
• dlswDirLocateMacTable table
• dlswDirNBTable table
• dlswDirLocateNBTable table
• dlswCircuitDiscReasonLocal tabular
object
• dlswCircuitDiscReasonRemote tabular
object
• dlswDirMacCacheNextIndex scalar
object
• dlswDirNBCacheNextIndex scalar
object

RFC 2096, IP Forwarding Table MIB The ipCidrRouteTable has been extended ACX Series, EX Series, M Series, MX
to include the tunnel name when the next Series, PTX Series, SRX Series, and T
NOTE: RFC 2096 has been replaced by hop is through an RSVP-signaled LSP. Series
RFC 4292. However, Junos OS currently
supports both RFC 2096 and RFC 4292.

RFC 2115, Management Information Base Unsupported table and objects: M Series, MX Series, SRX Series, and T
for Frame Relay DTEs Using SMIv2 Series
• frCircuitTable
• frErrTable

RFC 2233, The Interfaces Group MIB Using No exceptions ACX Series, EX Series, M Series, MX
SMIv2 Series, PTX Series, SRX Series, and T
Series
NOTE: RFC 2233 has been replaced by
RFC 2863, IF MIB. However, Junos OS
supports both RFC 2233 and RFC 2863.

RFC 2287, Definitions of System-Level Supported tables and objects: ACX Series, EX Series, M Series, MX
Managed Objects for Applications Series, PTX Series, SRX Series, and T
• sysApplInstallPkgTable Series
• sysApplInstallElmtTable
• sysApplElmtRunTable
• sysApplMapTable

RFC 2465, Management Information Base Junos OS does not support IPv6 interface ACX Series, M Series, MX Series, PTX
for IP Version 6: Textual Conventions and statistics. Series, SRX Series, and T Series
General Group (except for IPv6 interface
statistics)

RFC 2495, Definitions of Managed Unsupported tables, objects, and traps: ACX Series, M Series, SRX Series, and T
Objects for the DS1, E1, DS2, and E2 Series
Interface Types • dsx1FarEndConfigTable
• dsx1FarEndCurrentTable
• dsx1FarEndIntervalTable
• dsx1FarEndTotalTable
• dsx1FracTable

RFC 2515, Definitions of Managed Objects Unsupported table and objects: ACX Series, M Series, and T Series
for ATM Management
• atmVpCrossConnectTable
• atmVcCrossConnectTable
• aal5VccTable

RFC 2570, Introduction to Version 3 of the No exceptions ACX Series, EX Series, M Series, MX
Internet-standard Network Management Series, PTX Series, SRX Series, and T
Framework Series

RFC 2571, An Architecture for Describing No exceptions ACX Series, EX Series, M Series, MX
SNMP Management Frameworks Series, PTX Series, SRX Series, and T
(read-only access) Series

NOTE: RFC 2571 has been replaced by
RFC 3411. However, Junos OS supports
both RFC 2571 and RFC 3411.

RFC 2572, Message Processing and No exceptions ACX Series, EX Series, M Series, MX
Dispatching for the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMP) Series
(read-only access)

NOTE: RFC 2572 has been replaced by
RFC 3412. However, Junos OS supports
both RFC 2572 and RFC 3412.

RFC 2576, Coexistence between Version No exceptions ACX Series, EX Series, M Series, MX
1, Version 2, and Version 3 of the Series, PTX Series, SRX Series, and T
Internet-standard Network Management Series
Framework

NOTE: RFC 2576 has been replaced by
RFC 3584. However, Junos OS supports
both RFC 2576 and RFC 3584.

RFC 2578, Structure of Management No exceptions ACX Series, EX Series, M Series, MX
Information Version 2 (SMIv2) Series, PTX Series, SRX Series, and T
Series

RFC 2579, Textual Conventions for SMIv2 No exceptions ACX Series, EX Series, M Series, MX
Series, PTX Series, SRX Series, and T
Series

RFC 2580, Conformance Statements for No exceptions ACX Series, EX Series, M Series, MX
SMIv2 Series, PTX Series, SRX Series, and T
Series

RFC 2662, Definitions of Managed Objects No exceptions M Series, MX Series, SRX Series, and T
for ADSL Lines Series

RFC 2665, Definitions of Managed For M Series, T Series, and MX Series, the ACX Series, EX Series, M Series, MX
Objects for the Ethernet-like Interface SNMP counters do not count the Series, PTX Series, SRX Series, and T
Types Ethernet header and frame check Series
sequence (FCS). Therefore, the Ethernet
NOTE: The list of managed objects header bytes and the FCS bytes are not
specified in RFC 2665 has been updated included in the following four tables:
by RFC 3635 by including information
useful for the management of 10-Gigabit • ifInOctets
per second Ethernet interfaces. • ifOutOctets
• ifHCInOctets
• ifHCOutOctets

However, the EX switches adhere to RFC
2665.

RFC 2787, Definitions of Managed Objects Unsupported table and objects: ACX Series, EX Series, M Series, MX
for the Virtual Router Redundancy Series, PTX Series, SRX Series, and T
Protocol • vrrpStatsPacketLengthErrors Series

NOTE: Junos OS does not support this
standard for row creation and the Set
operation.

RFC 2790, Host Resources MIB Supported tables and objects: ACX Series, EX Series, M Series, MX
Series, PTX Series, SRX Series, and T
• hrStorageTable Series

NOTE: The file systems /, /config, /var,
and /tmp always return the same
index number. When SNMP restarts,
the index numbers for the remaining
file systems might change.

• hrSystem group
• hrSWInstalled group
• hrProcessorTable

RFC 2819, Remote Network Monitoring Supported tables and objects: ACX Series, EX Series, M Series, MX
Management Information Base Series, PTX Series, SRX Series, and T
• etherStatsTable (for Ethernet Series
interfaces only), alarmTable,
eventTable, and logTable are
supported on all devices running Junos
OS.
• historyControlTable and
etherHistoryTable (except
etherHistoryUtilization object) are
supported only on EX Series switches.

RFC 2863, The Interfaces Group MIB No exceptions ACX Series, EX Series, M Series, MX
Series, PTX Series, SRX Series, and T
NOTE: RFC 2863 replaces RFC 2233. Series
However, Junos OS supports both RFC
2233 and RFC 2863.

RFC 2864, The Inverted Stack Table No exceptions M Series, MX Series, PTX Series, SRX
Extension to the Interfaces Group MIB Series, and T Series

RFC 2922, The Physical Topology Supported objects: EX Series and SRX Series
(PTOPO) MIB
• ptopoConnDiscAlgorithm
• ptopoConnAgentNetAddrType
• ptopoConnAgentNetAddr
• ptopoConnMultiMacSASeen
• ptopoConnMultiNetSASeen
• ptopoConnIsStatic
• ptopoConnLastVerifyTime
• ptopoConnRowStatus

RFC 2925, Definitions of Managed Objects Supported tables and objects: ACX Series, EX Series, M Series, MX
for Remote Ping, Traceroute, and Lookup Series, PTX Series, SRX Series, and T
Operations • pingCtlTable Series
• pingResultsTable
• pingProbeHistoryTable
• pingMaxConcurrentRequests
• traceRouteCtlTable
• traceRouteResultsTable
• traceRouteProbeHistoryTable
• traceRouteHopsTable

RFC 2932, IPv4 Multicast Routing MIB No exceptions ACX Series, EX Series, M Series, MX
Series, PTX Series, SRX Series, and T
Series

RFC 2934, Protocol Independent Support for the pimNeighborLoss trap ACX Series, EX Series, M Series, MX
Multicast MIB for IPv4 was added in Release 11.4. Series, PTX Series, SRX Series, and T
Series
NOTE: In Junos OS, RFC 2934 is
implemented based on a draft version,
pimmib.mib, of the now standard RFC.

RFC 2981, Event MIB No exceptions ACX Series, M Series, MX Series, PTX
Series, and T Series

RFC 3014, Notification Log MIB No exceptions ACX Series, M Series, MX Series, PTX
Series, and T Series

RFC 3019, IP Version 6 Management No exceptions M Series, MX Series, PTX Series, SRX
Information Base for The Multicast Series, and T Series
Listener Discovery Protocol

RFC 3410, Introduction and Applicability No exceptions ACX Series, EX Series, M Series, MX
Statements for Internet-Standard Series, PTX Series, SRX Series, and T
Management Framework Series

RFC 3411, An Architecture for Describing No exceptions ACX Series, EX Series, M Series, MX
Simple Network Management Protocol Series, PTX Series, SRX Series, and T
(SNMP) Management Frameworks Series

NOTE: RFC 3411 replaces RFC 2571.
However, Junos OS supports both RFC
3411 and RFC 2571.

RFC 3412, Message Processing and No exceptions ACX Series, EX Series, M Series, MX
Dispatching for the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMP) Series

NOTE: RFC 3412 replaces RFC 2572.
However, Junos OS supports both RFC
3412 and RFC 2572.

RFC 3413, Simple Network Management Unsupported tables and objects: ACX Series, EX Series, M Series, MX
Protocol (SNMP) Applications Series, PTX Series, SRX Series, and T
• Proxy MIB Series

RFC 3414, User-based Security Model No exceptions ACX Series, EX Series, M Series, MX
(USM) for version 3 of the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMPv3) Series

RFC 3415, View-based Access Control No exceptions ACX Series, EX Series, M Series, MX
Model (VACM) for the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMP) Series

RFC 3416, Version 2 of the Protocol No exceptions ACX Series, EX Series, M Series, MX
Operations for the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMP) Series

NOTE: RFC 3416 replaces RFC 1905,
which was supported in earlier versions
of Junos OS.

RFC 3417, Transport Mappings for the No exceptions ACX Series, EX Series, M Series, MX
Simple Network Management Protocol Series, PTX Series, SRX Series, and T
(SNMP) Series

RFC 3418, Management Information Base No exceptions ACX Series, EX Series, M Series, MX
(MIB) for the Simple Network Series, PTX Series, SRX Series, and T
Management Protocol (SNMP) Series

NOTE: RFC 3418 replaces RFC 1907,
which was supported in earlier versions
of Junos OS.

RFC 3498, Definitions of Managed No exceptions M Series and T Series
Objects for Synchronous Optical Network
(SONET) Linear Automatic Protection
Switching (APS) Architectures
(implemented under the Juniper
Networks enterprise branch
[jnxExperiment])

RFC 3584, Coexistence between Version No exceptions ACX Series, EX Series, M Series, MX
1, Version 2, and Version 3 of the Series, PTX Series, SRX Series, and T
Internet-standard Network Management Series
Framework

RFC 3591, Managed Objects for the Supported tables and objects: M Series, MX Series, PTX Series, and T
Optical Interface Type Series
• optIfOTMnTable (except
optIfOTMnOpticalReach,
optIfOTMnInterfaceType, and
optIfOTMnOrder)
• optIfOChConfigTable (except
optIfOChDirectionality and
optIfOChCurrentStatus)
• optIfOTUkConfigTable (except
optIfOTUkTraceIdentifierAccepted,
optIfOTUkTIMDetMode,
optIfOTUkTIMActEnabled,
optIfOTUkTraceIdentifierTransmitted,
optIfOTUkDEGThr, optIfOTUkDEGM,
optIfOTUkSinkAdaptActive, and
optIfOTUkSourceAdaptActive)
• optIfODUkConfigTable (except
optIfODUkPositionSeqCurrentSize and
optIfODUkTtpPresent)

RFC 3592, Definitions of Managed Objects No exceptions M Series, MX Series, and T Series
for the Synchronous Optical
Network/Synchronous Digital Hierarchy
(SONET/SDH) Interface Type

RFC 3621, Power Ethernet MIB No exceptions EX Series

RFC 3635, Definitions of Managed Objects Unsupported tables and objects: MX Series
for the Ethernet-like Interface Types
• dot3StatsRateControlAbility
• dot3StatsRateControlStatus in
dot3StatsEntry table

NOTE: The values of the following
objects in dot3HCStatsEntry table will
always be zero for both 32-bit counters and
64-bit counters:

• dot3HCStatsSymbolErrors
• dot3HCStatsInternalMacTransmitErrors

RFC 3637, Definitions of Managed Objects for the Ethernet WAN Interface Sublayer
Exceptions: Unsupported tables and objects:
• etherWisDeviceTable
• etherWisSectionCurrentTable
• etherWisFarEndPathCurrentTable
Platforms: M Series, MX Series, PTX Series, and T Series

RFC 3811, Definitions of Textual Conventions (TCs) for Multiprotocol Label Switching (MPLS) Management
Exceptions: No exceptions
Platforms: ACX Series, M Series, MX Series, PTX Series, SRX Series, and T Series


RFC 3812, Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Management Information Base (MIB) (read-only access)
Exceptions: MPLS tunnels as interfaces are not supported.
mplsTunnelCHopTable is supported on ingress routers only.
NOTE: The branch used by the proprietary LDP MIB (ldpmib.mib) conflicts with RFC 3812. ldpmib.mib has been deprecated and replaced by jnx-mpls-ldp.mib.
Unsupported tables and objects:
• mplsTunnelResourceMeanRate in TunnelResource table
• mplsTunnelResourceMaxBurstSize in TunnelResource table
• mplsTunnelResourceMeanBurstSize in TunnelResource table
• mplsTunnelResourceExBurstSize in TunnelResource table
• mplsTunnelResourceWeight in TunnelResource table
• mplsTunnelPerfTable
• mplsTunnelCRLDPResTable
Platforms: ACX Series, M Series, MX Series, PTX Series, and T Series

RFC 3813, Multiprotocol Label Switching (MPLS) Label Switching Router (LSR) Management Information Base (MIB)
Exceptions: Unsupported tables and objects (read-only access):
• mplsInterfacePerfTable
• mplsInSegmentPerfTable
• mplsOutSegmentPerfTable
• mplsInSegmentMapTable
• mplsXCUp
• mplsXCDown
Platforms: ACX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

RFC 3826, The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model
Exceptions: No exceptions
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

RFC 3877, Alarm Management Information Base
Exceptions:
• Junos OS does not support the alarmActiveStatsTable.
• Traps that do not conform to the alarm model are not supported. However, these traps can be redefined to conform to the alarm model.
Platforms: MX Series


RFC 3896, Definitions of Managed Objects for the DS3/E3 Interface Type
Exceptions: Unsupported tables and objects:
• dsx3FarEndConfigTable
• dsx3FarEndCurrentTable
• dsx3FarEndIntervalTable
• dsx3FarEndTotalTable
• dsx3FracTable
Platforms: M Series and T Series

RFC 4087, IP Tunnel MIB
Exceptions: Describes MIB objects in the following tables for managing tunnels of any type over IPv4 and IPv6 networks:
• tunnelIfTable—Provides information about the tunnels known to a router.
• tunnelInetConfigTable—Assists dynamic creation of tunnels and provides mapping from end-point addresses to the current interface index value.
NOTE: Junos OS supports MAX-ACCESS of read-only for all the MIB objects in tunnelIfTable and tunnelInetConfigTable tables.
Platforms: M Series, MX Series, and T Series

RFC 4133, Entity MIB
Exceptions: Unsupported tables and objects:
• entityLogicalGroup table
• entPhysicalMfgDate and entPhysicalUris objects in entityPhysical2Group table
• entLPMappingTable and entPhysicalContainsTable in entityMappingGroup table
• entityNotoficationsGroup table
Platforms: Only MX240, MX480, and MX960 routers, and EX2200 and EX3300 switches

RFC 4188, Definitions of Managed Objects for Bridges
Exceptions:
• Supports 802.1D STP(1998)
• Supported subtrees and objects:
  • dot1dStp subtree is supported on MX Series 3D Universal Edge Routers.
  • dot1dTpFdbAddress, dot1dTpFdbPort, and dot1dTpFdbStatus objects from the dot1dTpFdbTable of the dot1dTp subtree are supported on EX Series Ethernet Switches.
  • dot1dTpLearnedEntryDiscards and dot1dTpAgingTime objects are supported on M Series and T Series routers.
Platforms: MX Series, EX Series, and M Series and T Series


RFC 4268, Entity State MIB
Exceptions: No exceptions
Platforms: Only MX240, MX480, and MX960 routers, and EX2200 and EX3300 switches

RFC 4273, Definitions of Managed Objects for BGP-4
Exceptions: Supported tables and objects:
• jnxBgpM2PrefixInPrefixesAccepted
• jnxBgpM2PrefixInPrefixesRejected
Platforms: ACX Series, EX Series, M Series, MX Series, SRX Series, and T Series

RFC 4292, IP Forwarding MIB
Exceptions: Supported tables and objects:
• inetCidrRouteTable
• inetCidrRouteNumber
• inetCidrRouteDiscards
NOTE: Junos OS currently supports these MIB objects that will be deprecated in future releases: ipCidrRouteTable, ipCidrRouteNumber, and ipCidrRouteDiscards.
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, and T Series

RFC 4293, Management Information Base for the Internet Protocol (IP)
Exceptions: Supports only the mandatory groups.
Platforms: MX Series and EX Series

RFC 4318, Definitions of Managed Objects for Bridges with Rapid Spanning Tree Protocol
Exceptions: Supports 802.1w and 802.1t extensions for RSTP.
Platforms: EX Series, M Series, MX Series, and T Series

RFC 4363b, Q-Bridge VLAN MIB
Exceptions: No exceptions
Platforms: MX Series and EX Series

RFC 4382, MPLS/BGP Layer 3 Virtual Private Network (VPN) MIB
Exceptions: Supported tables and objects:
• mplsL3VpnActiveVrfs
• mplsL3VpnConfiguredVrfs
• mplsL3VpnConnectedInterfaces
• mplsL3VpnVrfConfMidRteThresh
• mplsL3VpnVrfConfHighRteThresh
• mplsL3VpnIfConfRowStatus
• mplsL3VpnIllLblRcvThrsh
• mplsL3VpnNotificationEnable
• mplsL3VpnVrfConfMaxPossRts
• mplsL3VpnVrfConfRteMxThrshTime
• mplsL3VpnVrfOperStatus
• mplsL3VpnVrfPerfCurrNumRoutes
• mplsL3VpnVrfPerfTable
• mplsL3VpnVrfRteTable
• mplsVpnVrfRTTable
• mplsL3VpnVrfTable
• mplsL3VpnIfConfTable
Platforms: EX Series, M Series, MX Series, PTX Series, and T Series


RFC 4444, IS-IS MIB
Exceptions: No exceptions
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

RFC 4668, RADIUS Accounting Client Management Information Base (MIB) for IPv6 (read-only access)
Exceptions: No exceptions
Platforms: MX Series

RFC 4670, RADIUS Accounting Client Management Information Base (MIB) (read-only access)
Exceptions: No exceptions
Platforms: MX Series

RFC 4801, Definitions of Textual Conventions for Generalized Multiprotocol Label Switching (GMPLS) Management Information Base (MIB) (read-only access)
Exceptions: No exceptions
Platforms: M Series, MX Series, and T Series

RFC 4802, Generalized Multiprotocol Label Switching (GMPLS) Traffic Engineering (TE) Management Information Base (MIB) (read-only access)
Exceptions: Unsupported tables and objects:
• gmplsTunnelReversePerfTable
• gmplsTeScalars
• gmplsTunnelTable
• gmplsTunnelARHopTable
• gmplsTunnelCHopTable
• gmplsTunnelErrorTable
Platforms: M Series, MX Series, and T Series

RFC 4803, Generalized Multiprotocol Label Switching (GMPLS) Label Switching Router (LSR) Management Information Base (MIB) (read-only access)
Exceptions: Unsupported tables and objects:
• gmplsLabelTable
• gmplsOutsegmentTable
Platforms: M Series, MX Series, and T Series
NOTE: The tables in GMPLS TE (RFC 4802) and LSR (RFC 4803) MIBs are extensions of the corresponding tables from the MPLS TE (RFC 3812) and LSR (RFC 3813) MIBs and use the same index as the MPLS MIB tables.

RFC 5132, IP Multicast MIB
NOTE: This RFC obsoletes RFC2932.
Exceptions: Unsupported table:
• ipMcastZoneTable
Platforms: All platforms


RFC 5643, Management Information Base for OSPFv3 (read-only access)
Exceptions: Unsupported tables and objects:
• ospfv3HostTable
• ospfv3CfgNbrTable
• ospfv3ExitOverflowInterval
• ospfv3ReferenceBandwidth
• ospfv3RestartSupport
• ospfv3RestartInterval
• ospfv3RestartStrictLsaChecking
• ospfv3RestartStatus
• ospfv3RestartAge
• ospfv3RestartExitReason
• ospfv3NotificationEnable
• ospfv3StubRouterSupport
• ospfv3StubRouterAdvertisement
• ospfv3DiscontinuityTime
• ospfv3RestartTime
• ospfv3AreaNssaTranslatorRole
• ospfv3AreaNssaTranslatorState
• ospfv3AreaNssaTranslatorStabInterval
• ospfv3AreaNssaTranslatorEvents
• ospfv3AreaTEEnabled
• ospfv3IfMetricValue
• ospfv3IfDemandNbrProbe
Platforms: M Series, MX Series, PTX Series, SRX Series, and T Series

RFC 6527, Definitions of Managed Objects for the Virtual Router Redundancy Protocol Version 3 (VRRPv3)
Exceptions:
• Row creation
• The Set operation
• Unsupported tables and objects:
  • vrrpv3StatisticsRowDiscontinuityTime
  • vrrpv3StatisticsPacketLengthErrors
Platforms: ACX Series

Internet Assigned Numbers Authority, IANAiftype Textual Convention MIB
Exceptions: No exceptions
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

Internet draft draft-ietf-atommib-sonetaps-mib-10.txt, Definitions of Managed Objects for SONET Linear APS Architectures
Exceptions: As defined under the Juniper Networks enterprise branch [jnxExperiment] only
Platforms: M Series, MX Series, and T Series

Internet draft draft-ieft-bfd-mib-02.txt, Bidirectional Forwarding Detection Management Information Base
Exceptions: (Represented by mib-jnx-bfd-exp.txt and implemented under the Juniper Networks enterprise branch [jnxExperiment]. Read only. Includes bfdSessUp and bfdSessDown traps. Does not support bfdSessPerfTable and bfdSessMapTable.)
Platforms: ACX Series, EX Series, M Series, MX Series, SRX Series, and T Series


Internet draft draft-ietf-l3vpn-mvpn-mib-03.txt, MPLS/BGP Layer 3 VPN Multicast Management Information Base
Exceptions: (Implemented under the Juniper Networks enterprise branch [jnxExperiment]. OID for jnxMvpnExperiment is .1.3.6.1.4.1.2636.5.12. Read only. Includes jnxMvpnNotifications traps.)
Platforms: M Series, MX Series, and T Series

Internet draft draft-ietf-idmr-igmp-mib-13.txt, Internet Group Management Protocol (IGMP) MIB
Exceptions: No exceptions
Platforms: EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

Internet draft draft-reeder-snmpv3-usm-3desede-00.txt, Extension to the User-Based Security Model (USM) to Support Triple-DES EDE in ‘Outside’ CBC Mode
Exceptions: No exceptions
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

Internet draft draft-ietf-isis-wg-mib-07.txt, Management Information Base for IS-IS
NOTE: Replaced with RFC 4444, IS-IS MIB in Junos OS Release 11.3 and later.
Exceptions: Unsupported tables and objects:
• isisISAdjTable
• isisISAdjAreaAddrTable
• isisISAdjIPAddrTable
• isisISAdjProtSuppTable
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

Internet draft draft-ietf-ppvpn-mpls-vpn-mib-04.txt, MPLS/BGP Virtual Private Network Management Information Base Using SMIv2
Exceptions: Supported tables and objects:
• mplsVpnScalars
• mplsVpnVrfTable
• mplsVpnPerTable
• mplsVpnVrfRouteTargetTable
Platforms: M Series, MX Series, PTX Series, and T Series

Internet draft draft-ietf-ospf-ospfv3-mib-11.txt, Management Information Base for OSPFv3
Exceptions: Support for ospfv3NbrTable only.
Platforms: M Series, MX Series, PTX Series, SRX Series, and T Series

Internet draft draft-ietf-idmr-pim-mib-09.txt, Protocol Independent Multicast (PIM) MIB
Exceptions: No exceptions
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

ESO Consortium MIB, which can be found at http://www.snmp.com/eso/
NOTE: The ESO Consortium MIB has been replaced by RFC 3826.
Exceptions: No exceptions
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

Internet Draft P2MP MPLS-TE MIB (draft-ietf-mpls-p2mp-te-mib-09.txt) (read-only access)
Exceptions: Unsupported table:
• mplsTeP2mpTunnelBranchPerfTable
Platforms: ACX Series, M Series, MX Series, PTX Series, and T Series

For information about standard SNMP MIB objects, see the SNMP MIB Explorer.


Related Documentation

• Enterprise-Specific SNMP MIBs Supported by Junos OS on page 19
• Network Management Administration Guide
• Standard SNMP Traps Supported by Junos OS on page 57

Enterprise-Specific MIBs and Supported Devices

Supported Platforms ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

NOTE: Starting with Junos OS Release 16.1, this topic has been deprecated;
refer instead to “Enterprise-Specific SNMP MIBs Supported by Junos OS” on
page 19.

Table 8 on page 47 lists the enterprise-specific MIBs that are supported on various devices
running Junos OS.

NOTE: In this table, a value of 1 in any of the platform columns (ACX, M, MX,
T, EX, PTX, and SRX) denotes that the corresponding MIB is supported on
that particular platform. A value of 0 denotes that the MIB is not supported
on the platform.

Table 8: Enterprise-Specific MIBs and Supported Devices


Columns, in order: Enterprise-Specific MIB; ACX; M; T; MX; EX; PTX; SRX (SRX300, SRX320, and SRX340); SRX (SRX1500, SRX550M); SRX (SRX5400, SRX5600, and SRX5800)

AAA Objects MIB 0 1 1 0 0 0 0 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-user-aaa.txt

Access Authentication Objects MIB 0 0 0 0 1 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-js-auth.txt

Alarm MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-chassis-alarm.txt


Analyzer MIB 0 0 0 1 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-analyzer.txt

Antivirus Objects MIB 0 0 0 0 0 0 1 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-js-utm-av.txt

ATM Class-of-Service MIB 0 1 1 0 0 0 1 0 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-atm-cos.txt

ATM MIB 1 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-atm.txt

BGP4 V2 MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-bgpmib2.txt

Bidirectional Forwarding Detection MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-bfd.txt

Chassis Forwarding MIB 1 0 0 0 1 1 1 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-chassis-fwdd.txt

Chassis MIBs 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-chassis.txt

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-chas-defines.txt


Chassis Cluster MIBs 0 0 0 0 0 0 0 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-jsrpd.txt

Class-of-Service MIB 1 1 1 1 1 1 0 0 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-cos.txt

Configuration Management MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-cfgmgmt.txt

Destination Class Usage MIB 0 1 1 0 1 0 0 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-dcu.txt

DHCP MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-jdhcp.txt

DHCPv6 MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-jdhcpv6.txt

Digital Optical Monitoring MIB 0 1 1 1 1 1 0 0 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-dom.txt

DNS Objects MIB 0 0 0 0 0 0 0 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-js-dns.txt

Dynamic Flow Capture MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-dfc.txt


Ethernet MAC MIB 0 1 1 1 1 0 0 0 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/jnx-mac.txt

Event MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-event.txt

EX Series MAC Notification MIB 0 0 0 1 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-ex-mac-notification.txt

EX Series SMI MIB 0 0 0 1 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-ex-smi.txt

Experimental MIB 1 1 1 1 1 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-exp.txt

Firewall MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-firewall.txt

Flow Collection Services MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-coll.txt

Host Resources MIB 1 1 1 1 1 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-hostresources.txt

Interface MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-if-extensions.txt


IP Forward MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-ipforward.txt

IPsec Generic Flow Monitoring Object MIB 0 0 0 0 0 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-ipsec-flow-mon.txt

IPsec Monitoring MIB 0 1 1 1 1 0 0 1 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-ipsec-monitor-asp.txt

IPsec VPN Objects MIB 0 0 0 0 0 0 1 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-js-ipsec-vpn.txt

IPv4 MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-ipv4.txt

IPv6 and ICMPv6 MIB 0 1 1 1 0 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-ipv6.txt

L2ALD MIB 0 0 1 1 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-l2ald.txt

L2CP MIB 0 0 0 1 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-l2cp-features.txt

L2TP MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-l2tp.txt


LDP MIB 1 1 1 0 0 1 0 0 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-ldp.txt

License MIB 0 1 1 0 0 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-license.txt

Logical Systems MIB 0 0 0 0 0 0 0 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-lsys-securityprofile.txt

MIMSTP MIB 0 0 1 1 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-mimstp.txt

MPLS LDP MIB 1 1 1 1 1 1 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-mpls-ldp.txt

MPLS MIB 1 1 1 1 1 1 0 0 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-mpls.txt

MVPN MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-mvpn.txt and
http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-l2l3vpn-mcast.txt

NAT Objects MIB 0 0 0 0 1 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-js-nat.txt


NAT Resources-Monitoring MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-sp-nat.txt

OTN Interface Management MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-otn.txt

Packet Forwarding Engine MIB 1 1 1 0 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-pfe.txt

Packet Mirror MIB 0 0 0 1 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-js-packet-mirror.txt

PAE Extension MIB 0 0 0 1 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-pae-extension.txt

Passive Monitoring MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-pmon.txt

Ping MIB 1 1 1 1 1 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-ping.txt

Policy Objects MIB 0 0 0 0 1 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-js-policy.txt

Power Supply Unit MIB 0 0 0 1 0 1 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-power-supply-unit.txt


PPP MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-ppp.txt

PPPoE MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-pppoe.txt

Pseudowire ATM MIB 0 1 0 1 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-pwatm.txt

Pseudowire TDM MIB 1 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-pwtdm.txt

PTP MIB 0 0 0 1 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-timing-notifications.txt

Real-Time Performance Monitoring MIB 0 1 1 1 1 0 1 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-rpm.txt

Reverse-Path-Forwarding MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-rpf.txt

RMON Events and Alarms MIB 1 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/mibs/mib-jnx-rmon.txt

RSVP MIB 1 1 1 1 0 1 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-rsvp.txt

54 Copyright © 2017, Juniper Networks, Inc.


Chapter 4: SNMP MIBs and Traps Supported by Junos OS

Table 8: Enterprise-Specific MIBs and Supported Devices (continued)


Platforms

SRX

SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800

Security Interface Extension Objects MIB 0 0 0 0 1 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-if-ext.txt

Security Screening Objects MIB 0 0 0 0 0 0 0 0 1

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-screening.txt

Services PIC MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-sp.txt

SNMP IDP MIB 0 0 0 0 0 0 1 1 0

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-idp.txt

SONET APS MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-sonetaps.txt

SONET/SDH Interface Management MIB 0 1 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-sonet.txt

Source Class Usage MIB 0 1 1 0 0 0 0 0 1

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-scu.txt

SPU Monitoring MIB 0 0 0 0 0 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-spu-monitoring.txt

Structure of Management Information MIB 1 1 1 1 1 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-smi.txt

Copyright © 2017, Juniper Networks, Inc. 55


Network Management Administration Guide

Table 8: Enterprise-Specific MIBs and Supported Devices (continued)


Platforms

SRX

SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800

Subscriber MIB 1 0 1 0 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-subscriber.txt

System Log MIB 0 1 1 1 1 1 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-syslog.txt

Traceroute MIB 0 1 1 1 1 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-traceroute.txt

Utility MIB 0 1 1 1 1 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-util.txt

Virtual Chassis MIB 0 0 0 1 1 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-virtualchassis.txt

VLAN MIB 0 0 0 1 0 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-vlan.txt

VPLS MIBs 0 1 1 1 0 0 0 0 0

• http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-vpls-generic.txt
• http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-vpls-ldp.txt
• http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-vpls-bgp.txt

VPN Certificate Objects MIB 0 0 0 0 1 0 1 1 1

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-js-cert.txt

56 Copyright © 2017, Juniper Networks, Inc.


Chapter 4: SNMP MIBs and Traps Supported by Junos OS

Table 8: Enterprise-Specific MIBs and Supported Devices (continued)


Platforms

SRX

SRX1500,
SRX300, SRX5400,
SRX320, SRX5600,
and and
Enterprise-Specific MIB ACX M T MX EX PTX SRX340 SRX550M SRX5800

VPN MIB 1 1 1 1 1 0 0 0 0

http://www.juniper.net/techpubs/en_US/junos15.1/
topics/reference/mibs/mib-jnx-vpn.txt

Related Documentation

• Enterprise-Specific SNMP Traps Supported by Junos OS on page 64
• Standard SNMP MIBs Supported by Junos OS
• Loading MIB Files to a Network Management System on page 79

Standard SNMP Traps Supported by Junos OS

Supported Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX

This topic provides the list of standard SNMPv1 and SNMPv2 traps supported by devices
running Junos OS. For more information about traps, see SNMP MIB Explorer.

Standard SNMP Version 1 Traps


Table 9 on page 57 provides an overview of the standard traps for SNMPv1. The traps
are organized first by trap category and then by trap name, and include their enterprise
ID, generic trap number, and specific trap number. The system logging severity levels are
listed for those traps that have them with their corresponding system log tag. Traps that
do not have corresponding system logging severity levels are marked with an en dash
(–) in the table.

For more information about system log messages, see the System Log Explorer. For more
information about configuring system logging, see the Junos OS System Basics
Configuration Guide.

Table 9: Standard Supported SNMP Version 1 Traps

| Defined in | Trap Name | Enterprise ID | Generic Trap Number | Specific Trap Number | System Logging Severity Level | Syslog Tag | Supported On |
|---|---|---|---|---|---|---|---|
| Startup Notifications | | | | | | | |
| RFC 1215, Conventions for Defining Traps for Use with the SNMP | authenticationFailure | 1.3.6.1.4.1.2636 | 4 | 0 | Notice | SNMPD_TRAP_GEN_FAILURE | All devices running Junos OS. |
| | coldStart | 1.3.6.1.4.1.2636 | 0 | 0 | Critical | SNMPD_TRAP_COLD_START | All devices running Junos OS. |
| | warmStart | 1.3.6.1.4.1.2636 | 1 | 0 | Error | SNMPD_TRAP_WARM_START | All devices running Junos OS. |
| Link Notifications | | | | | | | |
| RFC 1215, Conventions for Defining Traps for Use with the SNMP | linkDown | 1.3.6.1.4.1.2636 | 2 | 0 | Warning | SNMP_TRAP_LINK_DOWN | All devices running Junos OS. |
| | linkUp | 1.3.6.1.4.1.2636 | 3 | 0 | Info | SNMP_TRAP_LINK_UP | All devices running Junos OS. |
| Remote Operations Notifications | | | | | | | |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | pingProbeFailed | 1.3.6.1.2.1.80.0 | 6 | 1 | Info | SNMP_TRAP_PING_PROBE_FAILED | All devices running Junos OS. |
| | pingTestFailed | 1.3.6.1.2.1.80.0 | 6 | 2 | Info | SNMP_TRAP_PING_TEST_FAILED | All devices running Junos OS. |
| | pingTestCompleted | 1.3.6.1.2.1.80.0 | 6 | 3 | Info | SNMP_TRAP_PING_TEST_COMPLETED | All devices running Junos OS. |
| | traceRoutePathChange | 1.3.6.1.2.1.81.0 | 6 | 1 | Info | SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE | All devices running Junos OS. |
| | traceRouteTestFailed | 1.3.6.1.2.1.81.0 | 6 | 2 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_FAILED | All devices running Junos OS. |
| | traceRouteTestCompleted | 1.3.6.1.2.1.81.0 | 6 | 3 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED | All devices running Junos OS. |
| RMON Alarms | | | | | | | |
| RFC 2819a, RMON MIB | fallingAlarm | 1.3.6.1.2.1.16 | 6 | 2 | – | – | All devices running Junos OS. |
| | risingAlarm | 1.3.6.1.2.1.16 | 6 | 1 | – | – | All devices running Junos OS. |
| Routing Notifications | | | | | | | |
| BGP 4 MIB | bgpEstablished | 1.3.6.1.2.1.15.7 | 6 | 1 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | bgpBackwardTransition | 1.3.6.1.2.1.15.7 | 6 | 2 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| OSPF TRAP MIB | ospfVirtIfStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 1 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfNbrStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 2 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfVirtNbrStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 3 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfIfConfigError | 1.3.6.1.2.1.14.16.2 | 6 | 4 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfVirtIfConfigError | 1.3.6.1.2.1.14.16.2 | 6 | 5 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfIfAuthFailure | 1.3.6.1.2.1.14.16.2 | 6 | 6 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfVirtIfAuthFailure | 1.3.6.1.2.1.14.16.2 | 6 | 7 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfIfRxBadPacket | 1.3.6.1.2.1.14.16.2 | 6 | 8 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfVirtIfRxBadPacket | 1.3.6.1.2.1.14.16.2 | 6 | 9 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfTxRetransmit | 1.3.6.1.2.1.14.16.2 | 6 | 10 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfVirtIfTxRetransmit | 1.3.6.1.2.1.14.16.2 | 6 | 11 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfMaxAgeLsa | 1.3.6.1.2.1.14.16.2 | 6 | 13 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfIfStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 16 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| VRRP Notifications | | | | | | | |
| RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol | vrrpTrapNewMaster | 1.3.6.1.2.1.68 | 6 | 1 | Warning | VRRPD_NEWMASTER_TRAP | All devices running Junos OS. |
| | vrrpTrapAuthFailure | 1.3.6.1.2.1.68 | 6 | 2 | Warning | VRRPD_AUTH_FAILURE_TRAP | All devices running Junos OS. |
| RFC 6527, Definitions of Managed Objects for the Virtual Router Redundancy Protocol Version 3 (VRRPv3) | vrrpv3NewMaster | 1.3.6.1.2.1.207 | 6 | 1 | Warning | VRRPD_NEW_MASTER | M and MX |
| | vrrpv3ProtoError | 1.3.6.1.2.1.207 | 6 | 2 | Warning | VRRPD_V3_PROTO_ERROR | M and MX |

Standard SNMP Version 2 Traps


Table 10 on page 60 provides an overview of the standard SNMPv2 traps supported by
the Junos OS. The traps are organized first by trap category and then by trap name and
include their snmpTrapOID. The system logging severity levels are listed for those traps
that have them with their corresponding system log tag. Traps that do not have
corresponding system logging severity levels are marked with an en dash (–) in the table.

For more information about system log messages, see System Log Messages Configuration
Guide.

Table 10: Standard Supported SNMP Version 2 Traps

| Defined in | Trap Name | snmpTrapOID | System Logging Severity Level | Syslog Tag | Supported On |
|---|---|---|---|---|---|
| Startup Notifications | | | | | |
| RFC 1907, Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2) | coldStart | 1.3.6.1.6.3.1.1.5.1 | Critical | SNMPD_TRAP_COLD_START | All devices running Junos OS. |
| | warmStart | 1.3.6.1.6.3.1.1.5.2 | Error | SNMPD_TRAP_WARM_START | All devices running Junos OS. |
| | authenticationFailure | 1.3.6.1.6.3.1.1.5.5 | Notice | SNMPD_TRAP_GEN_FAILURE | All devices running Junos OS. |
| Link Notifications | | | | | |
| RFC 2863, The Interfaces Group MIB | linkDown | 1.3.6.1.6.3.1.1.5.3 | Warning | SNMP_TRAP_LINK_DOWN | All devices running Junos OS. |
| | linkUp | 1.3.6.1.6.3.1.1.5.4 | Info | SNMP_TRAP_LINK_UP | All devices running Junos OS. |
| Remote Operations Notifications | | | | | |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | pingProbeFailed | 1.3.6.1.2.1.80.0.1 | Info | SNMP_TRAP_PING_PROBE_FAILED | All devices running Junos OS. |
| | pingTestFailed | 1.3.6.1.2.1.80.0.2 | Info | SNMP_TRAP_PING_TEST_FAILED | All devices running Junos OS. |
| | pingTestCompleted | 1.3.6.1.2.1.80.0.3 | Info | SNMP_TRAP_PING_TEST_COMPLETED | All devices running Junos OS. |
| | traceRoutePathChange | 1.3.6.1.2.1.81.0.1 | Info | SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE | All devices running Junos OS. |
| | traceRouteTestFailed | 1.3.6.1.2.1.81.0.2 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_FAILED | All devices running Junos OS. |
| | traceRouteTestCompleted | 1.3.6.1.2.1.81.0.3 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED | All devices running Junos OS. |
| RMON Alarms | | | | | |
| RFC 2819a, RMON MIB | fallingAlarm | 1.3.6.1.2.1.16.0.1 | – | – | All devices running Junos OS. |
| | risingAlarm | 1.3.6.1.2.1.16.0.2 | – | – | All devices running Junos OS. |
| Routing Notifications | | | | | |
| BGP 4 MIB | bgpEstablished | 1.3.6.1.2.1.15.7.1 | – | – | All devices running Junos OS. |
| | bgpBackwardTransition | 1.3.6.1.2.1.15.7.2 | – | – | All devices running Junos OS. |
| OSPF Trap MIB | ospfVirtIfStateChange | 1.3.6.1.2.1.14.16.2.1 | – | – | All devices running Junos OS. |
| | ospfNbrStateChange | 1.3.6.1.2.1.14.16.2.2 | – | – | All devices running Junos OS. |
| | ospfVirtNbrStateChange | 1.3.6.1.2.1.14.16.2.3 | – | – | All devices running Junos OS. |
| | ospfIfConfigError | 1.3.6.1.2.1.14.16.2.4 | – | – | All devices running Junos OS. |
| | ospfVirtIfConfigError | 1.3.6.1.2.1.14.16.2.5 | – | – | All devices running Junos OS. |
| | ospfIfAuthFailure | 1.3.6.1.2.1.14.16.2.6 | – | – | All devices running Junos OS. |
| | ospfVirtIfAuthFailure | 1.3.6.1.2.1.14.16.2.7 | – | – | All devices running Junos OS. |
| | ospfIfRxBadPacket | 1.3.6.1.2.1.14.16.2.8 | – | – | All devices running Junos OS. |
| | ospfVirtIfRxBadPacket | 1.3.6.1.2.1.14.16.2.9 | – | – | All devices running Junos OS. |
| | ospfTxRetransmit | 1.3.6.1.2.1.14.16.2.10 | – | – | All devices running Junos OS. |
| | ospfVirtIfTxRetransmit | 1.3.6.1.2.1.14.16.2.11 | – | – | All devices running Junos OS. |
| | ospfMaxAgeLsa | 1.3.6.1.2.1.14.16.2.13 | – | – | All devices running Junos OS. |
| | ospfIfStateChange | 1.3.6.1.2.1.14.16.2.16 | – | – | All devices running Junos OS. |
| MPLS Notifications | | | | | |
| RFC 3812, Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Management Information Base | mplsTunnelUp | | | | |
| | mplsTunnelDown | | | | |
| | mplsTunnelRerouted | | | | |
| | mplsTunnelReoptimized | | | | |
| Entity State MIB Notifications | | | | | |
| RFC 4268, Entity State MIB | entStateOperEnabled | 1.3.6.1.2.1.131.0.1 | Notice | CHASSISD_SNMP_TRAP3 | MX240, MX480, and MX960 |
| | entStateOperDisabled | 1.3.6.1.2.1.131.0.2 | Notice | CHASSISD_SNMP_TRAP3 | MX240, MX480, and MX960 |
| L3VPN Notifications | | | | | |
| RFC 4382, MPLS/BGP Layer 3 Virtual Private Network (VPN) | mplsL3VpnVrfUp | | | | |
| | mplsL3VpnVrfDown | | | | |
| | mplsL3VpnVrfRouteMidThreshExceeded | | | | |
| | mplsL3VpnVrfNumVrfRouteMaxThreshExceeded | | | | |
| | mplsL3VpnNumVrfRouteMaxThreshCleared | | | | |
| VRRP Notifications | | | | | |
| RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol | vrrpTrapNewMaster | 1.3.6.1.2.1.68.0.1 | Warning | VRRPD_NEWMASTER_TRAP | All devices running Junos OS. |
| | vrrpTrapAuthFailure | 1.3.6.1.2.1.68.0.2 | Warning | VRRPD_AUTH_FAILURE_TRAP | All devices running Junos OS. |
| RFC 6527, Definitions of Managed Objects for the Virtual Router Redundancy Protocol Version 3 (VRRPv3) | vrrpv3NewMaster | 1.3.6.1.2.1.207.0.1 | Warning | VRRPD_NEW_MASTER | M and MX |
| | vrrpv3ProtoError | 1.3.6.1.2.1.207.0.2 | Warning | VRRPD_V3_PROTO_ERROR | M and MX |
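
Table 9 identifies each trap by enterprise ID, generic and specific trap number, while Table 10 identifies the same trap by a single snmpTrapOID. The following added example (not Juniper code) applies the SNMPv2-to-SNMPv1 translation rules of RFC 3584, section 3.2, to a few rows copied from both tables and reports the rows where the two tables do not translate into each other. The function names and the `snmp_trap_enterprise` parameter are assumptions made for the example.

```python
"""Cross-check SNMPv1 rows (Table 9) against SNMPv2 rows (Table 10) using RFC 3584."""

SNMP_TRAPS = "1.3.6.1.6.3.1.1.5"         # snmpTraps: parent of the standard SNMPv2 trap OIDs
JUNIPER_ENTERPRISE = "1.3.6.1.4.1.2636"  # enterprise ID that Table 9 lists for standard traps
# Last sub-identifier under snmpTraps -> SNMPv1 generic-trap number
# (coldStart, warmStart, linkDown, linkUp, authenticationFailure, egpNeighborLoss).
STANDARD_GENERIC = {1: 0, 2: 1, 3: 2, 4: 3, 5: 4, 6: 5}
ENTERPRISE_SPECIFIC = 6

# (trap name, Table 9 enterprise ID, generic, specific, Table 10 snmpTrapOID),
# copied from the two tables on this page.
ROWS = [
    ("coldStart",             "1.3.6.1.4.1.2636",    0, 0, "1.3.6.1.6.3.1.1.5.1"),
    ("authenticationFailure", "1.3.6.1.4.1.2636",    4, 0, "1.3.6.1.6.3.1.1.5.5"),
    ("linkDown",              "1.3.6.1.4.1.2636",    2, 0, "1.3.6.1.6.3.1.1.5.3"),
    ("bgpEstablished",        "1.3.6.1.2.1.15.7",    6, 1, "1.3.6.1.2.1.15.7.1"),
    ("ospfIfAuthFailure",     "1.3.6.1.2.1.14.16.2", 6, 6, "1.3.6.1.2.1.14.16.2.6"),
    ("vrrpTrapAuthFailure",   "1.3.6.1.2.1.68",      6, 2, "1.3.6.1.2.1.68.0.2"),
    ("pingProbeFailed",       "1.3.6.1.2.1.80.0",    6, 1, "1.3.6.1.2.1.80.0.1"),
    ("fallingAlarm",          "1.3.6.1.2.1.16",      6, 2, "1.3.6.1.2.1.16.0.1"),
]


def parse_oid(text):
    """Turn a dotted OID string into a tuple of ints, rejecting malformed input."""
    parts = text.strip().lstrip(".").split(".")
    if len(parts) < 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-decimal OID: {text!r}")
    return tuple(int(p) for p in parts)


def format_oid(oid):
    """Render a tuple of sub-identifiers as a dotted string."""
    return ".".join(str(n) for n in oid)


def v2_to_v1(snmp_trap_oid, snmp_trap_enterprise=None):
    """Return (enterprise, generic, specific) for an snmpTrapOID per RFC 3584, section 3.2."""
    oid = parse_oid(snmp_trap_oid)
    standard = parse_oid(SNMP_TRAPS)
    if oid[:-1] == standard and oid[-1] in STANDARD_GENERIC:
        # Standard trap: enterprise is the snmpTrapEnterprise.0 varbind when the
        # notification carries one, otherwise snmpTraps itself; specific-trap is 0.
        enterprise = parse_oid(snmp_trap_enterprise) if snmp_trap_enterprise else standard
        return format_oid(enterprise), STANDARD_GENERIC[oid[-1]], 0
    if len(oid) < 3:
        raise ValueError(f"snmpTrapOID too short to translate: {snmp_trap_oid!r}")
    # Any other notification: strip ".0.<n>" when the next-to-last sub-identifier
    # is 0, otherwise strip only "<n>"; <n> becomes the specific-trap number.
    cut = 2 if oid[-2] == 0 else 1
    return format_oid(oid[:-cut]), ENTERPRISE_SPECIFIC, oid[-1]


def crosscheck(rows, snmp_trap_enterprise=None):
    """Return (name, documented_v1, derived_v1) for rows where the tables disagree."""
    mismatches = []
    for name, enterprise, generic, specific, trap_oid in rows:
        documented = (enterprise, generic, specific)
        derived = v2_to_v1(trap_oid, snmp_trap_enterprise)
        if derived != documented:
            mismatches.append((name, documented, derived))
    return mismatches


if __name__ == "__main__":
    for name, documented, derived in crosscheck(ROWS, JUNIPER_ENTERPRISE):
        print(f"{name}: Table 9 lists {documented}, Table 10 OID translates to {derived}")
```

A row returned by `crosscheck` is one where the two tables identify the same trap name differently, so confirm that trap's identifiers against a captured notification before keying a receiver rule on either table.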

Related Documentation

• Enterprise-Specific SNMP Traps Supported by Junos OS on page 64
• Enterprise-Specific SNMP MIBs Supported by Junos OS on page 19
• Standard SNMP MIBs Supported by Junos OS on page 30
• Configuring SNMP Trap Options and Groups on a Device Running Junos OS on page 107
• Managing Traps and Informs

Enterprise-Specific SNMP Traps Supported by Junos OS

Supported Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, T Series

This topic provides the list of Juniper Networks enterprise-specific SNMPv1 and SNMPv2
traps supported on devices running Junos OS. For more information about traps, see
SNMP MIB Explorer.

• Juniper Networks Enterprise-Specific SNMP Version 1 Traps on page 64
• Juniper Networks Enterprise-Specific SNMP Version 2 Traps on page 70

Juniper Networks Enterprise-Specific SNMP Version 1 Traps


The Junos OS supports enterprise-specific SNMP version 1 traps shown in
Table 11 on page 65. The traps are organized first by trap category and then by trap name.
The system logging severity levels are listed for those traps that have them. Traps that
do not have corresponding system logging severity levels are marked with an en dash
(–).

For more information about system log messages, see the Junos OS System Log Reference
for Security Devices.


Table 11: Juniper Networks Enterprise-Specific Supported SNMP Version 1 Traps

| Defined in | Trap Name | Enterprise ID | Generic Trap Number | Specific Trap Number | System Logging Severity Level | System Log Tag | Supported On |
|---|---|---|---|---|---|---|---|
| Chassis Notifications (Alarm Conditions) | | | | | | | |
| Chassis MIB (jnx-chassis.mib) | jnxPowerSupplyFailure | 1.3.6.1.4.1.2636.4.1 | 6 | 1 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFanFailure | 1.3.6.1.4.1.2636.4.1 | 6 | 2 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxOverTemperature | 1.3.6.1.4.1.2636.4.1 | 6 | 3 | Alert | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxRedundancySwitchOver | 1.3.6.1.4.1.2636.4.1 | 6 | 4 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruRemoval | 1.3.6.1.4.1.2636.4.1 | 6 | 5 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruInsertion | 1.3.6.1.4.1.2636.4.1 | 6 | 6 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruPowerOff | 1.3.6.1.4.1.2636.4.1 | 6 | 7 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruPowerOn | 1.3.6.1.4.1.2636.4.1 | 6 | 8 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruFailed | 1.3.6.1.4.1.2636.4.1 | 6 | 9 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruOffline | 1.3.6.1.4.1.2636.4.1 | 6 | 10 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruOnline | 1.3.6.1.4.1.2636.4.1 | 6 | 11 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruCheck | 1.3.6.1.4.1.2636.4.1 | 6 | 12 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFEBSwitchover | 1.3.6.1.4.1.2636.4.1 | 6 | 13 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxHardDiskFailed | 1.3.6.1.4.1.2636.4.1 | 6 | 14 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxHardDiskMissing | 1.3.6.1.4.1.2636.4.1 | 6 | 15 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxPowerSupplyOk | 1.3.6.1.4.1.2636.4.2 | 6 | 1 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFanOK | 1.3.6.1.4.1.2636.4.2 | 6 | 2 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxTemperatureOK | 1.3.6.1.4.1.2636.4.2 | 6 | 3 | Alert | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| Configuration Notifications | | | | | | | |
| Configuration Management MIB (jnx-configmgmt.mib) | jnxCmCfgChange | 1.3.6.1.4.1.2636.4.5 | 6 | 1 | – | – | All devices running Junos OS. |
| | jnxCmRescueChange | 1.3.6.1.4.1.2636.4.5 | 6 | 2 | – | – | All devices running Junos OS. |
| Link Notifications | | | | | | | |
| Flow Collection Services MIB (jnx-coll.mib) | jnxCollUnavailableDest | 1.3.6.1.4.1.2636.4.8 | 6 | 1 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollUnavailableDestCleared | 1.3.6.1.4.1.2636.4.8 | 6 | 2 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollUnsuccessfulTransfer | 1.3.6.1.4.1.2636.4.8 | 6 | 3 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFlowOverload | 1.3.6.1.4.1.2636.4.8 | 6 | 4 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFlowOverloadCleared | 1.3.6.1.4.1.2636.4.8 | 6 | 5 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollMemoryUnavailable | 1.3.6.1.4.1.2636.4.8 | 6 | 6 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollMemoryAvailable | 1.3.6.1.4.1.2636.4.8 | 6 | 7 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFtpSwitchover | 1.3.6.1.4.1.2636.4.8 | 6 | 8 | – | – | Devices that run Junos OS and have collector PICs installed. |
| Passive Monitoring MIB (jnx-pmon.mib) | jnxPMonOverloadSet | 1.3.6.1.4.1.2636.4.7.0.1 | 6 | 1 | – | – | Devices that run Junos OS and have PICs that support passive monitoring installed. |
| | jnxPMonOverloadCleared | 1.3.6.1.4.1.2636.4.7.0.2 | 6 | 2 | – | – | Devices that run Junos OS and have PICs that support passive monitoring installed. |
| SONET APS MIB (jnx-sonetaps.mib) | apsEventChannelMismatch | 1.3.6.1.4.1.2636.3.24.2 | 6 | 3 | – | – | Devices that run Junos OS and have SONET PICs installed. |
| | apsEventPSBF | 1.3.6.1.4.1.2636.3.24.2 | 6 | 4 | – | – | Devices that run Junos OS and have SONET PICs installed. |
| | apsEventFEPLF | 1.3.6.1.4.1.2636.3.24.2 | 6 | 5 | – | – | Devices that run Junos OS and have SONET PICs installed. |
| Remote Operations | | | | | | | |
| PING MIB (jnx-ping.mib) | jnxPingRttThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 1 | – | – | All devices running Junos OS. |
| | jnxPingRttStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 2 | – | – | All devices running Junos OS. |
| | jnxPingRttJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 3 | – | – | All devices running Junos OS. |
| | jnxPingEgressThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 4 | – | – | All devices running Junos OS. |
| | jnxPingEgressStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 5 | – | – | All devices running Junos OS. |
| | jnxPingEgressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 6 | – | – | All devices running Junos OS. |
| | jnxPingIngressThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 7 | – | – | All devices running Junos OS. |
| | jnxPingIngressStddevThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 8 | – | – | All devices running Junos OS. |
| | jnxPingIngressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 9 | – | – | All devices running Junos OS. |
| Routing Notifications | | | | | | | |
| BFD Experimental MIB (jnx-bfd-exp.mib) | bfdSessUp | 1.3.6.1.4.1.2636.5.3.1 | 6 | 1 | – | – | All devices running Junos OS. |
| | bfdSessDown | 1.3.6.1.4.1.2636.5.3.1 | 6 | 2 | – | – | All devices running Junos OS. |
| LDP MIB (jnx-ldp.mib) | jnxLdpLspUp | 1.3.6.1.4.1.2636.4.4 | 6 | 1 | – | – | M, T, and MX Series routers. |
| | jnxLdpLspDown | 1.3.6.1.4.1.2636.4.4 | 6 | 2 | – | – | M, T, and MX Series routers. |
| | jnxLdpSesUp | 1.3.6.1.4.1.2636.4.4 | 6 | 3 | – | – | M, T, and MX Series routers. |
| | jnxLdpSesDown | 1.3.6.1.4.1.2636.4.4 | 6 | 4 | – | – | M, T, and MX Series routers. |
| MPLS MIB (jnx-mpls.mib) | mplsLspUp (Deprecated) | 1.3.6.1.4.1.2636.3.2.4 | 6 | 1 | – | – | |
| | mplsLspDown (Deprecated) | 1.3.6.1.4.1.2636.3.2.4 | 6 | 2 | – | – | |
| | mplsLspChange (Deprecated) | 1.3.6.1.4.1.2636.3.2.4 | 6 | 3 | – | – | |
| | mplsLspPathDown (Deprecated) | 1.3.6.1.4.1.2636.3.2.4 | 6 | 4 | – | – | |
| VPN MIB (jnx-vpn.mib) | jnxVpnIfUp | 1.3.6.1.4.1.2636.3.26 | 6 | 1 | – | – | M, T, and MX Series routers. |
| | jnxVpnIfDown | 1.3.6.1.4.1.2636.3.26 | 6 | 2 | – | – | M, T, and MX Series routers. |
| | jnxVpnPwUp | 1.3.6.1.4.1.2636.3.26 | 6 | 3 | – | – | M, T, and MX Series routers. |
| | jnxVpnPwDown | 1.3.6.1.4.1.2636.3.26 | 6 | 4 | – | – | M, T, and MX Series routers. |
| RMON Alarms | | | | | | | |
| RMON MIB (jnx-rmon.mib) | jnxRmonAlarmGetFailure | 1.3.6.1.4.1.2636.4.3 | 6 | 1 | – | – | All devices running Junos OS. |
| | jnxRmonGetOk | 1.3.6.1.4.1.2636.4.3 | 6 | 2 | – | – | All devices running Junos OS. |
| SONET Alarms | | | | | | | |
| SONET MIB (jnx-sonet.mib) | jnxSonetAlarmSet | 1.3.6.1.4.1.2636.4.6 | 6 | 1 | – | – | Devices that run Junos OS and have SONET PICs installed. |
| | jnxSonetAlarmCleared | 1.3.6.1.4.1.2636.4.6 | 6 | 2 | – | – | Devices that run Junos OS and have SONET PICs installed. |

Juniper Networks Enterprise-Specific SNMP Version 2 Traps


The Junos OS supports the enterprise-specific SNMP version 2 traps shown in
Table 12 on page 71. The traps are organized first by trap category and then by trap name.
The system logging severity levels are listed for those traps that have them. Traps that
do not have corresponding system logging severity levels are marked with an en dash
(–).

For more information about system messages, see the System Log Explorer. For more
information about configuring system logging, see the Junos OS Administration Library for
Routing Devices.

Table 12: Juniper Networks Enterprise-Specific Supported SNMP Version 2 Traps


System
Logging
Severity
Source MIB Trap Name snmpTrapOID Level System Log Tag Supported On

Chassis (Alarm Conditions) Notifications


Chassis MIB jnxPowerSupplyFailure 1.3.6.1.4.1.2636.4.1.1 Alert CHASSISD_ SNMP_ All devices running Junos
(jnx-chassis. TRAP OS.
mib)
jnxFanFailure 1.3.6.1.4.1.2636.4.1.2 Critical CHASSISD_ SNMP_ All devices running Junos
TRAP OS.

jnxOverTemperature 1.3.6.1.4.1.2636.4.1.3 Critical CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxFruNotifAdminStatus Notice

jnxFruNotifMismatch Notice

jnxFruNotifOperStatus Notice

jnxRedundancySwitchOver 1.3.6.1.4.1.2636.4.1.4 Critical CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxFruRemoval 1.3.6.1.4.1.2636.4.1.5 Notice CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxFruInsertion 1.3.6.1.4.1.2636.4.1.6 Notice CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxFruPowerOff 1.3.6.1.4.1.2636.4.1.7 Notice CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxFruPowerOn 1.3.6.1.4.1.2636.4.1.8 Notice CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxFruFailed 1.3.6.1.4.1.2636.4.1.9 Warning CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxFruOffline 1.3.6.1.4.1.2636.4.1.10 Notice CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

Copyright © 2017, Juniper Networks, Inc. 71


Network Management Administration Guide

Table 12: Juniper Networks Enterprise-Specific Supported SNMP Version 2 Traps (continued)
System
Logging
Severity
Source MIB Trap Name snmpTrapOID Level System Log Tag Supported On

jnxFruOnline 1.3.6.1.4.1.2636.4.1.11 Notice CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxFruCheck 1.3.6.1.4.1.2636.4.1.12 Notice CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxFEBSwitchover 1.3.6.1.4.1.2636.4.1.13 Notice CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxHardDiskFailed 1.3.6.1.4.1.2636.4.1.14 Notice CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxHardDiskMissing 1.3.6.1.4.1.2636.4.1.15 Notice CHASSISD_ SNMP_ All devices running Junos


TRAP OS.

jnxPowerSupplyOK 1.3.6.1.4.1.2636.4.2.1 Critical CHASSISD_ All devices running


SNMP_ Junos OS.
TRAP

jnxFanOK 1.3.6.1.4.1.2636.4.2.2 Critical CHASSISD_ All devices running


SNMP_ Junos OS.
TRAP

jnxTemperatureOK 1.3.6.1.4.1.2636.4.2.3 Alert CHASSISD_ All devices running


SNMP_ Junos OS.
TRAP

Configuration Notifications
Configuration jnxCmCfgChange 1.3.6.1.4.1.2636.4.5.0.1 – – All devices running Junos
Management OS.
MIB (jnx-
cfgmgmt.mib)
jnxCmRescueChange 1.3.6.1.4.1.2636.4.5.0.2 – – All devices running Junos
OS.

Table 12: Juniper Networks Enterprise-Specific Supported SNMP Version 2 Traps (continued)

Link Notifications

| Source MIB | Trap Name | snmpTrapOID | System Logging Severity Level | System Log Tag | Supported On |
|---|---|---|---|---|---|
| Flow Collection Services MIB (jnx-coll.mib) | jnxCollUnavailableDest | 1.3.6.1.4.1.2636.4.8.0.1 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollUnavailableDestCleared | 1.3.6.1.4.1.2636.4.8.0.2 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollUnsuccessfulTransfer | 1.3.6.1.4.1.2636.4.8.0.3 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFlowOverload | 1.3.6.1.4.1.2636.4.8.0.4 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFlowOverloadCleared | 1.3.6.1.4.1.2636.4.8.0.5 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollMemoryUnavailable | 1.3.6.1.4.1.2636.4.8.0.6 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollMemoryAvailable | 1.3.6.1.4.1.2636.4.8.0.7 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFtpSwitchover | 1.3.6.1.4.1.2636.4.8.0.8 | – | – | Devices that run Junos OS and have collector PICs installed. |
| PMON MIB (jnx-pmon.mib) | jnxPMonOverloadSet | 1.3.6.1.4.1.2636.4.7.0.1 | – | – | Devices that run Junos OS and have PICs that support passive monitoring installed. |
| | jnxPMonOverloadCleared | 1.3.6.1.4.1.2636.4.7.0.2 | – | – | Devices that run Junos OS and have PICs that support passive monitoring installed. |
| SONET APS MIB (jnx-sonetaps.mib) | apsEventChannelMismatch | 1.3.6.1.4.1.2636.3.24.2.0.3 | – | – | Devices that run Junos OS and have SONET PICs installed. |
| | apsEventPSBF | 1.3.6.1.4.1.2636.3.24.2.0.4 | – | – | Devices that run Junos OS and have SONET PICs installed. |
| | apsEventFEPLF | 1.3.6.1.4.1.2636.3.24.2.0.5 | – | – | Devices that run Junos OS and have SONET PICs installed. |

Remote Operations Notifications

| Source MIB | Trap Name | snmpTrapOID | System Logging Severity Level | System Log Tag | Supported On |
|---|---|---|---|---|---|
| PING MIB (jnx-ping.mib) | jnxPingRttThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.1 | – | – | All devices running Junos OS. |
| | jnxPingRttStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.2 | – | – | All devices running Junos OS. |
| | jnxPingRttJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.3 | – | – | All devices running Junos OS. |
| | jnxPingEgressThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.4 | – | – | All devices running Junos OS. |
| | jnxPingEgressStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.5 | – | – | All devices running Junos OS. |
| | jnxPingEgressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.6 | – | – | All devices running Junos OS. |
| | jnxPingIngressThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.7 | – | – | All devices running Junos OS. |
| | jnxPingIngressStddevThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.8 | – | – | All devices running Junos OS. |
| | jnxPingIngressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.9 | – | – | All devices running Junos OS. |

Routing Notifications

| Source MIB | Trap Name | snmpTrapOID | System Logging Severity Level | System Log Tag | Supported On |
|---|---|---|---|---|---|
| BFD Experimental MIB (jnx-bfd-exp.mib) | bfdSessUp | 1.3.6.1.4.1.2636.5.3.1.0.1 | – | – | All devices running Junos OS. |
| | bfdSessDown | 1.3.6.1.4.1.2636.5.3.1.0.2 | – | – | All devices running Junos OS. |
| BGP4 V2 MIB (jnx-bgpmib2.mib) | jnxBgpM2Established | 1.3.6.1.4.1.2636.5.1.1.1.0.1 | – | – | All devices running Junos OS. |
| | jnxBgpM2BackwardTransition | 1.3.6.1.4.1.2636.5.1.1.1.0.2 | – | – | All devices running Junos OS. |
| DHCP MIB (jnx-dhcp.mib) | jnxJdhcpLocalServerDuplicateClient | 1.3.6.1.4.1.2636.3.61.61.1.3.1 | – | – | All devices running Junos OS. |
| | jnxJdhcpLocalServerInterfaceLimitExceeded | 1.3.6.1.4.1.2636.3.61.61.1.3.2 | – | – | All devices running Junos OS. |
| | jnxJdhcpLocalServerInterfaceLimitAbated | 1.3.6.1.4.1.2636.3.61.61.1.3.3 | – | – | All devices running Junos OS. |
| | jnxJdhcpLocalServerHealth | 1.3.6.1.4.1.2636.3.61.61.1.3.4 | – | – | All devices running Junos OS. |
| | jnxJdhcpRelayInterfaceLimitExceeded | 1.3.6.1.4.1.2636.3.61.61.2.3.1 | – | – | All devices running Junos OS. |
| | jnxJdhcpRelayInterfaceLimitAbated | 1.3.6.1.4.1.2636.3.61.61.2.3.2 | – | – | All devices running Junos OS. |
| DHCPv6 MIB (jnx-dhcpv6.mib) | jnxJdhcpv6LocalServerInterfaceLimitExceeded | 1.3.6.1.4.1.2636.3.62.62.2.3.1 | – | – | All devices running Junos OS. |
| | jnxJdhcpv6LocalServerInterfaceLimitAbated | 1.3.6.1.4.1.2636.3.62.62.2.3.2 | – | – | All devices running Junos OS. |
| | jnxJdhcpv6LocalServerHealth | 1.3.6.1.4.1.2636.3.62.62.2.3.3 | – | – | All devices running Junos OS. |
| LDP MIB (jnx-ldp.mib) | jnxLdpLspUp | 1.3.6.1.4.1.2636.4.4.0.1 | – | – | M, T, and MX Series routers. |
| | jnxLdpLspDown | 1.3.6.1.4.1.2636.4.4.0.2 | – | – | M, T, and MX Series routers. |
| | jnxLdpSesUp | 1.3.6.1.4.1.2636.4.4.0.3 | – | – | M, T, and MX Series routers. |
| | jnxLdpSesDown | 1.3.6.1.4.1.2636.4.4.0.4 | – | – | M, T, and MX Series routers. |
| MPLS MIB (jnx-mpls.mib) | mplsLspUp (Deprecated) | 1.3.6.1.4.1.2636.3.2.4.1 | – | – | |
| | mplsLspInfoUp | 1.3.6.1.4.1.2636.3.2.0.1 | – | – | M, T, and MX Series routers. |
| | mplsLspDown (Deprecated) | 1.3.6.1.4.1.2636.3.2.4.2 | – | – | |
| | mplsLspInfoDown | 1.3.6.1.4.1.2636.3.2.0.2 | – | – | M, T, and MX Series routers. |
| | mplsLspChange (Deprecated) | 1.3.6.1.4.1.2636.3.2.4.3 | – | – | |
| | mplsLspInfoChange | 1.3.6.1.4.1.2636.3.2.0.3 | – | – | M, T, and MX Series routers. |
| | mplsLspPathDown (Deprecated) | 1.3.6.1.4.1.2636.3.2.4.4 | – | – | |
| | mplsLspInfoPathDown | 1.3.6.1.4.1.2636.3.2.0.4 | – | – | M, T, and MX Series routers. |
| | mplsLspInfoPathUp | 1.3.6.1.4.1.2636.3.2.0.5 | – | – | M, T, and MX Series routers. |
| VPN MIB (jnx-vpn.mib) | jnxVpnIfUp | 1.3.6.1.4.1.2636.3.26.0.1 | – | – | M, T, and MX Series routers. |
| | jnxVpnIfDown | 1.3.6.1.4.1.2636.3.26.0.2 | – | – | M, T, and MX Series routers. |
| | jnxVpnPwUp | 1.3.6.1.4.1.2636.3.26.0.3 | – | – | M, T, and MX Series routers. |
| | jnxVpnPwDown | 1.3.6.1.4.1.2636.3.26.0.4 | – | – | M, T, and MX Series routers. |
| AAA MIB (jnx-user-aaa.mib) | jnxAccessAuthAddressPoolHighThreshold | 1.3.6.1.4.1.2636.3.51.1.0.5 | – | – | SRX Series devices. |
| | jnxAccessAuthAddressPoolAbateThreshold | 1.3.6.1.4.1.2636.3.51.1.0.6 | – | – | SRX Series devices. |
| | jnxAccessAuthAddressPoolOutOfAddresses | 1.3.6.1.4.1.2636.3.51.1.0.7 | – | – | SRX Series devices. |
| | jnxAccessAuthAddressPoolOutOfMemory | 1.3.6.1.4.1.2636.3.51.1.0.8 | – | – | SRX Series devices. |
| | jnxAccessAuthServiceUp | 1.3.6.1.4.1.2636.3.51.1.0.1 | – | – | SRX Series devices. |
| | jnxAccessAuthServiceDown | 1.3.6.1.4.1.2636.3.51.1.0.2 | – | – | SRX Series devices. |
| | jnxAccessAuthServerDisabled | 1.3.6.1.4.1.2636.3.51.1.0.3 | – | – | SRX Series devices. |
| | jnxAccessAuthServerEnabled | 1.3.6.1.4.1.2636.3.51.1.0.4 | – | – | SRX Series devices. |
| | jnxJsFwAuthFailure | 1.3.6.1.4.1.2636.3.39.1.2.1.0.1 | – | – | SRX Series devices. |
| Access Authentication Methods MIB (jnx-js-auth.mib) | jnxJsFwAuthServiceUp | 1.3.6.1.4.1.2636.3.39.1.2.1.0.2 | – | – | SRX Series devices. |
| | jnxJsFwAuthServiceDown | 1.3.6.1.4.1.2636.3.39.1.2.1.0.3 | – | – | SRX Series devices. |
| | jnxJsFwAuthCapacityExceeded | 1.3.6.1.4.1.2636.3.39.1.2.1.0.4 | – | – | SRX Series devices. |
| | jnxJsNatAddrPoolThresholdStatus | 1.3.6.1.4.1.2636.3.39.1.7.1.0.1 | – | – | SRX Series devices. |
| Network Address Translation Resources–Monitoring MIB (jnxNatMIB) | jnxNatAddrPoolUtil | 1.3.6.1.4.1.2636.3.59.1.2.1 | – | – | M Series and MX Series routers |
| | jnxNatTrapSrcPoolName | 1.3.6.1.4.1.2636.3.59.1.2.2 | – | – | M Series and MX Series routers |
| | jnxNatAddrPoolThresholdStatus | 1.3.6.1.4.1.2636.3.59.1.0.1 | – | – | M Series and MX Series routers |
| Network Address Translation MIB (jnx-js-nat.mib) | jnxJsScreenAttack | 1.3.6.1.4.1.2636.3.39.1.8.1.0.1 | Warning | RT_SCREEN_ICMP, RT_SCREEN_IP, RT_SCREEN_SESSION_LIMIT, RT_SCREEN_TCP, RT_SCREEN_UDP | SRX Series devices. |
| Security Screening Objects MIB (jnx-js-screening.mib) | jnxJsScreenCfgChange | 1.3.6.1.4.1.2636.3.39.1.8.1.0.2 | – | – | SRX Series devices. |

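RMON Alarms

| Source MIB | Trap Name | snmpTrapOID | System Logging Severity Level | System Log Tag | Supported On |
|---|---|---|---|---|---|
| RMON MIB (jnx-rmon.mib) | jnxRmonGetOk | 1.3.6.1.4.1.2636.4.3.0.2 | – | – | All devices running Junos OS. |

SONET Alarms

| Source MIB | Trap Name | snmpTrapOID | System Logging Severity Level | System Log Tag | Supported On |
|---|---|---|---|---|---|
| SONET MIB (jnx-sonet.mib) | jnxSonetAlarmCleared | 1.3.6.1.4.1.2636.4.6.0.2 | – | – | Devices that run Junos OS and have SONET PICs installed. |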

Related Documentation

• Standard SNMP Traps Supported by Junos OS
• Standard SNMP MIBs Supported by Junos OS
• Enterprise-Specific SNMP MIBs Supported by Junos OS
• Configuring SNMP Trap Options and Groups on a Device Running Junos OS
• Managing Traps and Informs


CHAPTER 5

Loading MIB Files to a Network Management System

• Loading MIB Files to a Network Management System

Loading MIB Files to a Network Management System

Supported Platforms ACX Series

For your network management system (NMS) to identify and understand the MIB objects
used by the Junos OS, you must first load the MIB files to your NMS using a MIB compiler.
A MIB compiler is a utility that parses the MIB information such as the MIB object name,
IDs, and data type for the NMS.

You can download the Junos MIB package from the Junos OS Enterprise MIBs index at
http://www.juniper.net/techpubs/en_US/release-independent/junos/mibs/mibs.html. The
Junos MIB package is available in .zip and .tar packages. You can download the appropriate
format based on your requirements.

The Junos MIB package contains two folders: StandardMibs and JuniperMibs. The
StandardMibs folder contains the standard MIBs and RFCs that are supported on devices
running the Junos OS, whereas the JuniperMibs folder contains the Juniper Networks
enterprise-specific MIBs.

To load MIB files that are required for managing and monitoring devices running the Junos
OS:

1. Go to the Junos OS Enterprise MIBs index page
   (http://www.juniper.net/techpubs/en_US/release-independent/junos/mibs/mibs.html).

2. Click the TAR or ZIP link under the appropriate release heading to download the Junos
   MIB package for that release.

3. Decompress the file (.tar or .zip) using an appropriate utility.

4. Load the standard MIB files (from the StandardMibs folder) in the following order:

   NOTE: Some of the MIB compilers that are commonly used have the
   standard MIBs preloaded on them. If the standard MIBs are already loaded
   on the MIB compiler that you are using, skip this step and proceed to Step
   7.

   a. mib-SNMPv2-SMI.txt
   b. mib-SNMPv2-TC.txt
   c. mib-IANAifType-MIB.txt
   d. mib-IANA-RTPROTO-MIB.txt
   e. mib-rfc1907.txt
   f. mib-rfc2011a.txt
   g. mib-rfc2012a.txt
   h. mib-rfc2013a.txt
   i. mib-rfc2863a.txt

5. Load the remaining standard MIB files.

   NOTE: You must follow the order specified in this procedure, and ensure
   that all standard MIBs are loaded before you load the enterprise-specific
   MIBs. There might be dependencies that require a particular MIB to be
   present on the compiler before loading some other MIB. You can find such
   dependencies listed in the IMPORT section of the MIB file.

6. Load the Juniper Networks enterprise-specific SMI MIB, mib-jnx-smi.txt, and the
   following optional SMI MIBs based on your requirements:

   • mib-jnx-js-smi.txt—(Optional) For Juniper Security MIB tree objects
   • mib-jnx-ex-smi.txt—(Optional) For EX Series Ethernet Switches
   • mib-jnx-exp.txt—(Recommended) For Juniper Networks experimental MIB objects

7. Load the remaining enterprise-specific MIBs from the JuniperMibs folder.

TIP: While loading a MIB file, if the compiler returns an error message saying
that any of the objects is undefined, open the MIB file using a text editor and
ensure that all the MIB files listed in the IMPORT section are loaded on the
compiler. If any of the MIB files listed in the IMPORT section is not loaded on
the compiler, load that MIB file, and then try to load the MIB file that failed
to load.

For example, the enterprise-specific PING MIB, mib-jnx-ping.txt, has
dependencies on RFC 2925, DiSMAN-PING-MIB, mib-rfc2925a.txt. If you try
to load mib-jnx-ping.txt before loading mib-rfc2925a.txt, the compiler returns
an error message saying that certain objects in mib-jnx-ping.txt are undefined.
Load mib-rfc2925a.txt, and then try to load mib-jnx-ping.txt. The
enterprise-specific PING MIB, mib-jnx-ping.txt, then loads without any issue.
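The dependency rule in the procedure and tip above can be checked before anything is loaded. The following added example (not part of the Juniper guide or the MIB package) reads each file's IMPORTS clause and returns an order in which every file follows the files it imports from, plus any imported modules that no supplied file defines. The sample MIB texts are constructed, shortened stand-ins, and the module names JUNIPER-PING-MIB and JUNIPER-SMI in them are assumptions.

```python
import re
from graphlib import TopologicalSorter

MODULE_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s+DEFINITIONS\s*::=\s*BEGIN", re.M)
IMPORTS_RE = re.compile(r"\bIMPORTS\b(.*?);", re.S)
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z][\w-]*)")


def parse_mib(text):
    """Return (module name, set of module names it imports from)."""
    text = re.sub(r"--[^\n]*", "", text)  # drop SMI comments (simplified: to end of line)
    header = MODULE_RE.search(text)
    if header is None:
        raise ValueError("no '<module> DEFINITIONS ::= BEGIN' header found")
    imports = IMPORTS_RE.search(text, header.end())
    deps = set(FROM_RE.findall(imports.group(1))) if imports else set()
    return header.group(1), deps


def load_order(files, preloaded=()):
    """files maps file name -> MIB text; preloaded lists modules the compiler already has.

    Returns (file names in a dependency-safe order, {file name: modules nobody provides}).
    Raises graphlib.CycleError if the supplied files import each other in a loop.
    """
    provider, deps_of = {}, {}
    for fname in sorted(files):
        module, deps = parse_mib(files[fname])
        provider[module] = fname
        deps_of[fname] = deps

    graph, missing = {}, {}
    for fname, deps in deps_of.items():
        # Edges point at the files that must be loaded first.
        graph[fname] = sorted(provider[d] for d in deps if d in provider)
        unresolved = {d for d in deps if d not in provider and d not in preloaded}
        if unresolved:
            missing[fname] = unresolved
    return list(TopologicalSorter(graph).static_order()), missing


# Constructed, heavily shortened stand-ins for files in the Junos MIB package.
SAMPLE = {
    "mib-jnx-ping.txt": """
        JUNIPER-PING-MIB DEFINITIONS ::= BEGIN
        IMPORTS
            MODULE-IDENTITY, OBJECT-TYPE   FROM SNMPv2-SMI
            TruthValue                     FROM SNMPv2-TC   -- not supplied below
            pingResultsEntry               FROM DISMAN-PING-MIB
            jnxMibs                        FROM JUNIPER-SMI;
        END""",
    "mib-jnx-smi.txt": """
        JUNIPER-SMI DEFINITIONS ::= BEGIN
        IMPORTS MODULE-IDENTITY, enterprises FROM SNMPv2-SMI;
        END""",
    "mib-rfc2925a.txt": """
        DISMAN-PING-MIB DEFINITIONS ::= BEGIN
        IMPORTS MODULE-IDENTITY, OBJECT-TYPE FROM SNMPv2-SMI;
        END""",
    "mib-SNMPv2-SMI.txt": """
        SNMPv2-SMI DEFINITIONS ::= BEGIN
        END""",
}

if __name__ == "__main__":
    order, missing = load_order(SAMPLE)
    print("load in this order:", *order, sep="\n  ")
    for fname, modules in missing.items():
        print(f"{fname}: load a file defining {sorted(modules)} first")
```

Pass the names of modules your compiler ships with as `preloaded` so they are not reported as missing.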

Related Documentation

• Standard SNMP MIBs Supported by Junos OS
• Enterprise-Specific SNMP MIBs Supported by Junos OS


CHAPTER 6

Configuring SNMP

• Configuration Statements at the [edit snmp] Hierarchy Level
• Optimizing the Network Management System Configuration for the Best Results
• Configuring Options on Managed Devices for Better SNMP Response Time
• Configuring SNMP on Devices Running Junos OS
• Configuring the System Contact on a Device Running Junos OS
• Configuring the System Location for a Device Running Junos OS
• Configuring the System Description on a Device Running Junos OS
• Configuring SNMP Details
• Configuring a Different System Name
• Configuring the Commit Delay Timer
• Filtering Duplicate SNMP Requests
• Configuring SNMP Communities
• Examples: Configuring the SNMP Community String
• Adding a Group of Clients to an SNMP Community
• Configuring a Proxy SNMP Agent
• Configuring SNMP Traps
• Configuring SNMP Trap Options and Groups on a Device Running Junos OS
• Configuring SNMP Trap Options
• Configuring SNMP Trap Groups
• Example: Configuring SNMP Trap Groups
• Configuring the Interfaces on Which SNMP Requests Can Be Accepted
• Example: Configuring Secured Access List Checking
• Filtering Interface Information Out of SNMP Get and GetNext Output
• Configuring MIB Views
• Configuring Ping Proxy MIB

Configuration Statements at the [edit snmp] Hierarchy Level

Supported Platforms ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

This topic shows all possible configuration statements at the [edit snmp] hierarchy level
and their level in the configuration hierarchy. When you are configuring Junos OS, your
current hierarchy level is shown in the banner on the line preceding the user@host#
prompt.

    [edit]
    snmp {
        alarm-management {
            alarm-list-name list-name {
                alarm-id id {
                    alarm-state state {
                        description alarm-description;
                        notification-id notification-id-of-alarm;
                        resource-prefix alarm-resource-prefix;
                        varbind-index varbind-index-in-alarm-varbind-list;
                        varbind-subtree alarm-varbind-subtree;
                        varbind-value alarm-varbind-value;
                    }
                }
            }
        }
        client-list client-list-name {
            ip-addresses;
        }
        community community-name {
            authorization authorization;
            client-list-name client-list-name;
            clients {
                address <restrict>;
            }
            logical-system logical-system-name {
                routing-instance routing-instance-name;
                clients {
                    address <restrict>;
                }
            }
            routing-instance routing-instance-name {
                clients {
                    address <restrict>;
                }
            }
            view view-name;
        }
        contact contact;
        description description;
        engine-id {
            (local engine-id | use-default-ip-address | use-mac-address);
        }
        filter-duplicates;
        interface [ interface-names ];
        location location;
        name name;
        nonvolatile {
            commit-delay seconds;
        }
        rmon {
            alarm index {
                description description;
                falling-event-index index;
                falling-threshold integer;
                falling-threshold-interval seconds;
                interval seconds;
                request-type (get-next-request | get-request | walk-request);
                rising-event-index index;
                rising-threshold integer;
                sample-type type;
                startup-alarm alarm;
                syslog-subtag syslog-subtag;
                variable oid-variable;
            }
            event index {
                community community-name;
                description description;
                type type;
            }
        }
        traceoptions {
            file filename <files number> <size size> <world-readable | no-world-readable> <match regular-expression>;
            flag flag;
            memory-trace;
            no-remote-trace;
            no-default-memory-trace;
        }
        trap-group group-name {
            categories {
                category;
            }
            destination-port port-number;
            routing-instance instance;
            logical-system logical-system-name;
            targets {
                address;
            }
            version (all | v1 | v2);
        }
        trap-options {
            agent-address outgoing-interface;
            source-address address;
            enterprise-oid;
            logical-system logical-system-name {
                routing-instance routing-instance-name {
                    source-address address;
                }
            }
            routing-instance routing-instance-name {
                source-address address;
            }
        }
        v3 {
            notify name {
                tag tag-name;
                type (trap | inform);
            }
            notify-filter profile-name {
                oid oid (include | exclude);
            }
            snmp-community community-index {
                community-name community-name;
                security-name security-name;
                tag tag-name;
            }
            target-address target-address-name {
                address address;
                address-mask address-mask;
                logical-system logical-system;
                port port-number;
                retry-count number;
                routing-instance instance;
                tag-list tag-list;
                target-parameters target-parameters-name;
                timeout seconds;
            }
            target-parameters target-parameters-name {
                notify-filter profile-name;
                parameters {
                    message-processing-model (v1 | v2c | v3);
                    security-level (authentication | none | privacy);
                    security-model (usm | v1 | v2c);
                    security-name security-name;
                }
            }
            usm {
                local-engine {
                    user username {
                        authentication-md5 {
                            authentication-password authentication-password;
                        }
                        authentication-none;
                        authentication-sha {
                            authentication-password authentication-password;
                        }
                        privacy-3des {
                            privacy-password privacy-password;
                        }
                        privacy-aes128 {
                            privacy-password privacy-password;
                        }
                        privacy-des {
                            privacy-password privacy-password;
                        }
                        privacy-none;
                    }
                }
            }
            vacm {
                access {
                    group group-name {
                        (default-context-prefix | context-prefix context-prefix) {
                            security-model (any | usm | v1 | v2c) {
                                security-level (authentication | none | privacy) {
                                    notify-view view-name;
                                    read-view view-name;
                                    write-view view-name;
                                }
                            }
                        }
                    }
                }
                security-to-group {
                    security-model (usm | v1 | v2c) {
                        security-name security-name {
                            group group-name;
                        }
                    }
                }
            }
        }
        view view-name {
            oid object-identifier (include | exclude);
        }
    }

Related Documentation

• Understanding the SNMP Implementation in Junos OS
• Configuring SNMP on a Device Running Junos OS

Optimizing the Network Management System Configuration for the Best Results

Supported Platforms ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX

You can modify your network management system configuration to optimize the response
time for SNMP queries. The following sections contain a few tips on how you can configure
the network management system:

• Changing the Polling Method from Column-by-Column to Row-by-Row
• Reducing the Number of Variable Bindings per PDU
• Increasing Timeout Values in Polling and Discovery Intervals
• Reducing Incoming Packet Rate at the snmpd

Changing the Polling Method from Column-by-Column to Row-by-Row


You can configure the network management system to use the row-by-row method for
SNMP data polling. It has been proven that the row-by-row and multiple
row-by-multiple-row polling methods are more efficient than column-by-column polling.
By configuring the network management system to use the row-by-row data polling
method, you can ensure that data for only one interface is polled in a request instead of
a single request polling data for multiple interfaces, as is the case with column-by-column
polling. Row-by-row polling also reduces the risk of requests timing out.

Reducing the Number of Variable Bindings per PDU


By reducing the number of variable bindings per protocol data unit (PDU), you can improve
the response time for SNMP requests. A request that polls for data related to multiple
objects, which are mapped to different index entries, translates into multiple requests
at the device end because the subagent might have to poll different modules to obtain
data that is linked to different index entries. The recommended method is to ensure
that a request has only objects that are linked to one index entry instead of multiple
objects linked to different index entries.

NOTE: If responses from a device are slow, avoid using the GetBulk option
for the device, because a GetBulk request might contain objects that are
linked to various index entries and might further increase the response time.

Increasing Timeout Values in Polling and Discovery Intervals


By increasing the timeout values for polling and discovery intervals, you can increase the
queuing time at the device end and reduce the number of throttle drops that occur
because of the request timing out.

Reducing Incoming Packet Rate at the snmpd


By reducing the frequency of sending SNMP requests to a device, you can reduce the risk
of SNMP requests piling up at any particular device. Apart from reducing the frequency
of sending SNMP requests to a device, you can also increase the polling interval, control
the use of GetNext requests, and reduce the number of polling stations per device.

Related Documentation

• Understanding SNMP Implementation in Junos OS
• Configuring SNMP on Devices Running Junos OS
• Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on a Device Running Junos OS
• Configuring Options on Managed Devices for Better SNMP Response Time
• Managing Traps and Informs
• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage

Configuring Options on Managed Devices for Better SNMP Response Time

Supported Platforms ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX


The following sections contain information about configuration options on the managed
devices that can enhance SNMP performance:

• Enabling the stats-cache-lifetime Option
• Filtering Out Duplicate SNMP Requests
• Excluding Interfaces That Are Slow in Responding to SNMP Queries

Enabling the stats-cache-lifetime Option


The Junos OS provides you with an option to configure the length of time an SNMP request
stays active and queued so as to reduce the possibility of request drops during slow
response times. You can use the stats-cache-lifetime seconds option at the [edit snmp]
hierarchy level to specify the length of time that an SNMP request remains queued. The
recommended value for the stats-cache-lifetime option is in the range of 30 to 60 seconds.

NOTE: The set snmp stats-cache-lifetime seconds command is a hidden
command and is supported only on devices running Junos OS Release 9.3
and later.

Filtering Out Duplicate SNMP Requests


If a network management station retransmits a Get, GetNext, or GetBulk SNMP request
too frequently to a device, that request might interfere with the processing of previous
requests and slow down the response time of the agent. Filtering these duplicate requests
improves the response time of the SNMP agent. The Junos OS enables you to filter out
duplicate Get, GetNext, and GetBulk SNMP requests. The Junos OS uses the following
information to determine if an SNMP request is a duplicate:

• Source IP address of the SNMP request

• Source UDP port of the SNMP request

• Request ID of the SNMP request

NOTE: By default, filtering of duplicate SNMP requests is disabled on devices
running the Junos OS.

To enable filtering of duplicate SNMP requests on devices running the Junos OS, include
the filter-duplicates statement at the [edit snmp] hierarchy level:

    [edit snmp]
    filter-duplicates;

Excluding Interfaces That Are Slow in Responding to SNMP Queries


An interface that is slow in responding to SNMP requests for interface statistics can delay
kernel responses to SNMP requests. You can review the mib2d log file to find out how
long the kernel takes to respond to various SNMP requests. For more information about
reviewing the log file for kernel response data, see “Checking Kernel and Packet Forwarding
Engine Response” under “Monitoring SNMP Activity and Tracking Problems That Affect
SNMP Performance on a Device Running Junos OS”. If you notice that a
particular interface is slow in responding, and think that it is slowing down the kernel
from responding to SNMP requests, exclude that interface from the SNMP queries to the
device. You can exclude an interface from the SNMP queries either by configuring the
filter-interface statement or by modifying the SNMP view settings.

The following example shows a sample configuration for excluding interfaces from the
SNMP Get, GetNext, and Set operations:

    [edit]
    snmp {
        filter-interfaces {
            interfaces { # exclude the specified interfaces
                interface1;
                interface2;
            }
            all-internal-interfaces; # exclude all internal interfaces
        }
    }

The following example shows the SNMP view configuration for excluding the interface
with an interface index (ifIndex) value of 312 from a request for information related to
the ifTable and ifXTable objects:

    [edit snmp]
    view test {
        oid .1 include;
        oid ifTable.1.*.312 exclude;
        oid ifXTable.1.*.312 exclude;
    }

Alternatively, you can take the interface that is slow in responding offline.

Related Documentation

• Understanding SNMP Implementation in Junos OS
• Configuring SNMP on Devices Running Junos OS
• Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on a Device Running Junos OS
• Optimizing the Network Management System Configuration for the Best Results
• Managing Traps and Informs
• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage

Configuring SNMP on Devices Running Junos OS

Supported Platforms ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX


The following sections contain information about basic SNMP configuration and a few
examples of configuring the basic SNMP operations on devices running Junos OS:

• Configuring Basic Settings for SNMPv1 and SNMPv2
• Configuring Basic Settings for SNMPv3
• Configuring System Name, Location, Description, and Contact Information

Configuring Basic Settings for SNMPv1 and SNMPv2


By default, SNMP is not enabled on devices running Junos OS. To enable SNMP on devices
running Junos OS, include the community public statement at the [edit snmp] hierarchy
level.

Enabling SNMPv1 and SNMPv2 Get and GetNext Operations

    [edit]
    snmp {
        community public;
    }

A community that is defined as public grants access to all MIB data to any client.

To enable SNMPv1 and SNMPv2 Set operations on the device, you must include the
following statements at the [edit snmp] hierarchy level:

Enabling SNMPv1 and SNMPv2 Set Operations

    [edit snmp]
    view all {
        oid .1;
    }
    community private {
        view all;
        authorization read-write;
    }

The following example shows the basic minimum configuration for SNMPv1 and SNMPv2
traps on a device:

Configuring SNMPv1 and SNMPv2 Traps

    [edit snmp]
    trap-group jnpr {
        targets {
            192.168.69.179;
        }
    }

Configuring Basic Settings for SNMPv3


The following example shows the minimum SNMPv3 configuration for enabling Get,
GetNext, and Set operations on a device (note that the configuration has authentication
set to md5 and privacy to none):

Enabling SNMPv3 Get, GetNext, and Set Operations

    [edit snmp]
    v3 {
        usm {
            local-engine {
                user jnpruser {
                    authentication-md5 {
                        authentication-key "$9$guaDiQFnAuOQzevMWx7ikqP"; ## SECRET-DATA
                    }
                    privacy-none;
                }
            }
        }
        vacm {
            security-to-group {
                security-model usm {
                    security-name jnpruser {
                        group grpnm;
                    }
                }
            }
            access {
                group grpnm {
                    default-context-prefix {
                        security-model any {
                            security-level authentication {
                                read-view all;
                                write-view all;
                            }
                        }
                    }
                }
            }
        }
    }
    view all {
        oid .1;
    }

The following example shows the basic configuration for SNMPv3 informs on a device
(the configuration has authentication and privacy set to none):

Configuring SNMPv3 Informs

    [edit snmp]
    v3 {
        usm {
            remote-engine 00000063200133a2c0a845c3 {
                user RU2_v3_sha_none {
                    authentication-none;
                    privacy-none;
                }
            }
        }
        vacm {
            security-to-group {
                security-model usm {
                    security-name RU2_v3_sha_none {
                        group g1_usm_auth;
                    }
                }
            }
            access {
                group g1_usm_auth {
                    default-context-prefix {
                        security-model usm {
                            security-level authentication {
                                read-view all;
                                write-view all;
                                notify-view all;
                            }
                        }
                    }
                }
            }
        }
        target-address TA2_v3_sha_none {
            address 192.168.69.179;
            tag-list tl1;
            address-mask 255.255.252.0;
            target-parameters TP2_v3_sha_none;
        }
        target-parameters TP2_v3_sha_none {
            parameters {
                message-processing-model v3;
                security-model usm;
                security-level none;
                security-name RU2_v3_sha_none;
            }
            notify-filter nf1;
        }
        notify N1_all_tl1_informs {
            type inform; # Replace inform with trap to convert informs to traps.
            tag tl1;
        }
        notify-filter nf1 {
            oid .1 include;
        }
    }
    view all {
        oid .1 include;
    }

You can convert the SNMPv3 informs to traps by setting the value of the type statement
at the [edit snmp v3 notify N1_all_tl1_informs] hierarchy level to trap as shown in the
following example:

Converting Informs to Traps

    user@host# set snmp v3 notify N1_all_tl1_informs type trap
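The basic examples above use an open public community, a read-write private community, MD5 authentication, and no privacy. As an added example (not Juniper code or tooling), the following script parses a curly-brace configuration of that shape and reports those settings, along with authentication-none and privacy-des users. The sample configuration is constructed; the community name nms-ro, the user name hardened, the client address, and the placeholder keys are assumptions.

```python
import re

# Quoted strings, '#' annotations, structural characters, then bare words.
TOKEN_RE = re.compile(r'"[^"]*"|#[^\n]*|[{};]|[^\s{};"#]+')

WEAK_USM = {
    "authentication-none": "USM user has no message authentication",
    "authentication-md5": "USM user authenticates with MD5",
    "privacy-none": "USM user sends payloads unencrypted",
    "privacy-des": "USM user encrypts with DES",
}


def parse(text):
    """Turn configuration text into nested [(words, children), ...] lists."""
    tokens = [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]
    pos = 0

    def block():
        nonlocal pos
        nodes, words = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                nodes.append((words, block()))
                words = []
            elif tok == ";":
                nodes.append((words, []))
                words = []
            elif tok == "}":
                break
            else:
                words.append(tok)
        return nodes

    return block()


def audit(nodes, path=()):
    """Return [(location, finding), ...] for community and USM user statements."""
    findings = []
    for words, children in nodes:
        if not words:
            continue
        here = path + (" ".join(words),)
        where = " > ".join(here)
        if words[0] == "community" and len(words) == 2 and path in ((), ("snmp",)):
            opts = {c[0][0]: c[0][1:] for c in children if c[0]}
            if "clients" not in opts and "client-list-name" not in opts:
                findings.append((where, "community answers requests from any client"))
            if opts.get("authorization") == ["read-write"]:
                findings.append((where, "community permits Set operations"))
        elif words[0] in WEAK_USM:
            findings.append((where, WEAK_USM[words[0]]))
        findings.extend(audit(children, here))
    return findings


# Constructed sample modelled on this page's examples; keys are placeholders.
SAMPLE = """
snmp {
    community public;
    community private {
        authorization read-write;
    }
    community nms-ro {
        clients {
            192.0.2.10/32;
        }
    }
    v3 {
        usm {
            local-engine {
                user jnpruser {
                    authentication-md5 {
                        authentication-key "$9$PLACEHOLDER"; ## SECRET-DATA
                    }
                    privacy-none;
                }
                user hardened {
                    authentication-sha {
                        authentication-key "$9$PLACEHOLDER"; ## SECRET-DATA
                    }
                    privacy-aes128 {
                        privacy-key "$9$PLACEHOLDER"; ## SECRET-DATA
                    }
                }
            }
        }
    }
}
"""

if __name__ == "__main__":
    print(*audit(parse(SAMPLE)), sep="\n")
```

The community check applies only to statements at the top level or directly under snmp, so the community leaf inside an rmon event is not reported.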

Configuring System Name, Location, Description, and Contact Information


Junos OS enables you to include the name and location of the system, administrative
contact information, and a brief description of the system in the SNMP configuration.

NOTE: Always keep the name, location, contact, and description information
configured and updated for all your devices that are managed by SNMP.


The following example shows a typical configuration.

TIP: Use quotation marks to enclose the system name, contact, location,
and description information that contain spaces.

    [edit]
    snmp {
        name "snmp 001"; # Overrides the system name.
        contact "Juniper Berry, (650) 555 1234"; # Specifies the name and phone number of the administrator.
        location "row 11, rack C"; # Specifies the location of the device.
        description "M40 router with 8 FPCs"; # Configures a description for the device.
    }

Related Documentation

• Understanding SNMP Implementation in Junos OS
• Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on a Device Running Junos OS
• Optimizing the Network Management System Configuration for the Best Results
• Configuring Options on Managed Devices for Better SNMP Response Time
• Managing Traps and Informs
• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage

Configuring the System Contact on a Device Running Junos OS

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

You can specify an administrative contact for each system being managed by SNMP.
This name is placed into the MIB II sysContact object. To configure a contact name,
include the contact statement at the [edit snmp] hierarchy level:

    [edit snmp]
    contact contact;

If the name contains spaces, enclose it in quotation marks (" ").

To define a system contact name that contains spaces:

    [edit]
    snmp {
        contact "Juniper Berry, (650) 555-1234";
    }

Related • Configuring SNMP on a Device Running Junos OS


Documentation
• Configuring the System Location for a Device Running Junos OS on page 95

• Configuring the System Description on a Device Running Junos OS on page 95

• Configuring a Different System Name on page 97

• Configuration Statements at the [edit snmp] Hierarchy Level on page 84

Configuring the System Location for a Device Running Junos OS

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

You can specify the location of each system being managed by SNMP. This string is
placed into the MIB II sysLocation object. To configure a system location, include the
location statement at the [edit snmp] hierarchy level:

[edit snmp]
location location;

If the location contains spaces, enclose it in quotation marks (" ").

To specify the system location:

[edit]
snmp {
location "Row 11, Rack C";
}

Related Documentation

• Configuring SNMP on a Device Running Junos OS

• Configuring the System Contact on a Device Running Junos OS on page 94

• Configuring the System Description on a Device Running Junos OS on page 95

• Configuring a Different System Name on page 97

• Configuration Statements at the [edit snmp] Hierarchy Level on page 84

Configuring the System Description on a Device Running Junos OS

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

You can specify a description for each system being managed by SNMP. This string is
placed into the MIB II sysDescription object. To configure a description, include the
description statement at the [edit snmp] hierarchy level:

[edit snmp]
description description;

If the description contains spaces, enclose it in quotation marks (" ").

To specify the system description:

[edit]
snmp {
description "M40 router with 8 FPCs";
}

Related Documentation

• Configuring SNMP on a Device Running Junos OS

• Configuring the System Contact on a Device Running Junos OS on page 94

• Configuring the System Location for a Device Running Junos OS on page 95

• Configuring a Different System Name on page 97

• Configuration Statements at the [edit snmp] Hierarchy Level on page 84

Configuring SNMP Details

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

You can use SNMP to store basic administrative details, such as a contact name and the
location of the device. Your management system can then retrieve this information
remotely, when you are troubleshooting an issue or performing an audit. In SNMP
terminology, these are the sysContact, sysDescription, and sysLocation objects found
within the system group of MIB-2 (as defined in RFC 1213, Management Information Base
for Network Management of TCP/IP-based internets: MIB-II). You can set initial values
directly in the Junos OS configuration for each system being managed by SNMP.

To set the system contact details:

1. Set the system contact details by including the contact statement at the [edit snmp]
hierarchy level, or in an appropriate configuration group as shown here.

This administrative contact is placed into the MIB II sysContact object.

If the name contains spaces, enclose it in quotation marks (" ").

[edit groups global snmp]


user@host# set contact contact

For example:

[edit groups global snmp]


user@host# set contact "Enterprise Support, (650) 555-1234"

2. Configure a system description.

This string is placed into the MIB II sysDescription object. If the description contains
spaces, enclose it in quotation marks (" ").

[edit groups global snmp]


user@host# set description description

For example:

[edit groups global snmp]


user@host# set description "M10i router with 8 FPCs"

3. Configure a system location.

This string is placed into the MIB II sysLocation object. If the location contains spaces,
enclose it in quotation marks (" ").

To specify the system location:

[edit]
snmp {
location "Row 11, Rack C";
}

[edit groups global snmp]
user@host# set location location

For example:

[edit groups global snmp]


user@host# set location "London Corporate Office, Lab 5, Row 11, Rack C"

4. At the top level of the configuration, apply the configuration group.

If you use a configuration group, you must apply it for it to take effect.

[edit]
user@host# set apply-groups global

5. Commit the configuration.

user@host# commit

6. To verify the configuration, enter the show snmp mib walk system operational-mode
command.

The show snmp mib walk system command walks the system
table (from MIB-2 as defined in RFC 1213). The SNMP agent in Junos OS responds by
printing each row in the table and its associated value. You can use the same command
to walk any part of the MIB tree supported by the agent.

user@host> show snmp mib walk system


sysDescr.0 = M10i router with 8 FPCs
sysObjectID.0 = jnxProductNameM10i
sysUpTime.0 = 173676474
sysContact.0 = Enterprise Support, (650) 555-1234
sysName.0 = host
sysLocation.0 = London Corporate Office, Lab 5, Row 11, Rack C
sysServices.0 = 4

Related Documentation

• Configuring SNMP Communities on page 99

• Configuring SNMP Traps on page 105

• Configuring SNMP on a Device Running Junos OS

Configuring a Different System Name

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

Junos OS enables you to override the system name by including the name statement at
the [edit snmp] hierarchy level:

[edit snmp]
name name;

If the name contains spaces, enclose it in quotation marks (" ").

To specify the system name override:

[edit]
snmp {
name "snmp 1";
}

Related Documentation

• Configuring SNMP on a Device Running Junos OS

• Configuring the System Contact on a Device Running Junos OS on page 94

• Configuring the System Location for a Device Running Junos OS on page 95

• Configuring the System Description on a Device Running Junos OS on page 95

• Configuration Statements at the [edit snmp] Hierarchy Level on page 84

Configuring the Commit Delay Timer

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

When a router or switch first receives an SNMP nonvolatile Set request, a Junos OS XML
protocol session opens and prevents other users or applications from changing the
candidate configuration (equivalent to the command-line interface [CLI]
configure exclusive command). If the router does not receive new SNMP Set requests
within 5 seconds (the default value), the candidate configuration is committed and the
Junos OS XML protocol session closes (the configuration lock is released). If the router
receives new SNMP Set requests while the candidate configuration is being committed,
the SNMP Set request is rejected and an error is generated. If the router receives new
SNMP Set requests before 5 seconds have elapsed, the commit-delay timer (the length
of time between when the last SNMP request is received and the commit is requested)
resets to 5 seconds.

By default, the timer is set to 5 seconds. To configure the timer for the SNMP Set reply
and start of the commit, include the commit-delay statement at the
[edit snmp nonvolatile] hierarchy level:

[edit snmp nonvolatile]
commit-delay seconds;

seconds is the length of the time between when the SNMP request is received and the
commit is requested for the candidate configuration. For more information about the
configure exclusive command and locking the configuration, see the CLI User Guide.
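
The timer behavior described above, as an added simulation that is not Juniper code: it replays a list of SNMP Set arrival times against the commit-delay rules in this section. The function name and the commit_duration parameter (how long a commit holds the configuration) are assumptions made for the illustration.

```python
def simulate_commit_delay(set_times, commit_delay=5.0, commit_duration=2.0):
    """Replay SNMP Set arrival times (seconds) against the commit-delay rules.

    Rules taken from the text above:
      * each accepted Set (re)starts the commit-delay timer;
      * when the timer expires, the candidate configuration is committed;
      * a Set that arrives while the commit is in progress is rejected.
    commit_duration is an assumed value; the page does not state how long
    a commit takes.

    Returns (accepted, rejected, commit_start_times).
    """
    accepted, rejected, commits = [], [], []
    due = None         # when the pending commit will start; None = no open session
    busy_until = None  # when the commit in progress finishes

    for t in sorted(set_times):
        # The timer ran out before this request arrived: the commit started at `due`.
        if due is not None and t >= due:
            commits.append(due)
            busy_until = due + commit_duration
            due = None

        # A request that lands inside a running commit is rejected with an error.
        if busy_until is not None and t < busy_until:
            rejected.append(t)
            continue

        # Otherwise the Set is accepted and the timer is reset to the full delay.
        accepted.append(t)
        due = t + commit_delay

    # The last accepted Set still triggers a commit once its timer expires.
    if due is not None:
        commits.append(due)
    return accepted, rejected, commits


if __name__ == "__main__":
    arrivals = [0, 3, 7, 12.5, 13, 20]  # constructed arrival times, in seconds
    for delay in (5, 10):
        acc, rej, com = simulate_commit_delay(arrivals, commit_delay=delay)
        print(f"commit-delay {delay}: accepted={acc} rejected={rej} commits at {com}")
```

With the default of 5 seconds, the requests at 12.5 and 13 arrive during the commit that started at 12 and are rejected; with a 10-second delay the same burst is absorbed into a single commit.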

Related Documentation

• Configuring SNMP on a Device Running Junos OS

• Configuration Statements at the [edit snmp] Hierarchy Level on page 84

Filtering Duplicate SNMP Requests

Supported Platforms PTX Series

By default, filtering of duplicate Get, GetNext, and GetBulk SNMP requests is disabled on
devices running Junos OS. If a network management station retransmits a Get, GetNext,
or GetBulk SNMP request too frequently to the router, that request might interfere with
the processing of previous requests and slow down the response time of the agent.
Filtering these duplicate requests improves the response time of the SNMP agent. Junos
OS uses the following information to determine if an SNMP request is a duplicate:

• Source IP address of the SNMP request

• Source UDP port of the SNMP request

• Request ID of the SNMP request

To filter duplicate SNMP requests, include the filter-duplicates statement at the
[edit snmp] hierarchy level:

[edit snmp]
filter-duplicates;

Related Documentation

• Configuring SNMP on a Device Running Junos OS

• Configuring the Interfaces on Which SNMP Requests Can Be Accepted on page 114

• Filtering Interface Information Out of SNMP Get and GetNext Output on page 115

• Configuration Statements at the [edit snmp] Hierarchy Level on page 84

Configuring SNMP Communities

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

Configuring the SNMP agent in Junos OS is a straightforward task that shares many
familiar settings common to other managed devices in your network. For example, you
need to configure Junos OS with an SNMP community string and a destination for traps.
Community strings are administrative names that group collections of devices and the
agents that are running on them together into common management domains. If a
manager and an agent share the same community, they can communicate with each
other. An SNMP community defines the level of authorization granted to its members,
such as which MIB objects are available, which operations (read-only or read-write) are
valid for those objects, and which SNMP clients are authorized, based on their source IP
addresses.

The SNMP community string defines the relationship between an SNMP server system
and the client systems. This string acts like a password to control the clients’ access to
the server.

To create a read-only SNMP community:

1. Enter the SNMP community used in your network.

If the community name contains spaces, enclose it in quotation marks (" ").

Community names must be unique.

NOTE: You cannot configure the same community name at the [edit snmp
community] and [edit snmp v3 snmp-community community-index] hierarchy
levels.

[edit groups global]


user@host# set snmp community name

This example uses the standard name public to create a community that gives limited
read-only access.

[edit groups global]


user@host# set snmp community public

2. Define the authorization level for the community.

The default authorization level for a community is read-only.

To allow Set requests within a community, you need to define that community as
authorization read-write. For Set requests, you also need to include the specific MIB
objects that are accessible with read-write privileges using the view statement. The
default view includes all supported MIB objects that are accessible with read-only
privileges. No MIB objects are accessible with read-write privileges. For more
information about the view statement, see “Configuring MIB Views” on page 116.

[edit groups global snmp community name]


user@host# set authorization authorization

This example confines the public community to read-only access. Any SNMP client
(for example, an SNMP management system) that belongs to the public community
can read MIB variables but cannot set (change) them.

[edit groups global snmp community public]


user@host# set authorization read-only

3. Define a list of clients in the community who are authorized to communicate with the
SNMP agent in Junos OS.

The clients statement lists the IP addresses of the clients (community members) that
are allowed to use this community. List the clients by IP address and prefix. Typically,
the list includes the SNMP network management system in your network or the address
of your management network. If no clients statement is present, all clients are allowed.
For address, you must specify an IPv4 or IPv6 address, not a hostname.

[edit groups global snmp community name]


user@host# set clients address

The following statement defines the hosts in the 192.168.1.0/24 network as being
authorized in the public community.

[edit groups global snmp community public]


user@host# set clients 192.168.1.0/24

4. Define the clients that are not authorized within the community by specifying their IP
address, followed by the restrict statement.

[edit groups global snmp community name]
user@host# set clients address restrict

The following statement defines all other hosts as being restricted from the public
community.

[edit groups global snmp community public]


user@host# set clients 0/0 restrict

5. At the top level of the configuration, apply the configuration group.

If you use a configuration group, you must apply it for it to take effect.

[edit]
user@host# set apply-groups global

6. Commit the configuration.

user@host# commit

To create a read-write SNMP community:

1. Enter the SNMP community used in your network.

[edit groups global]


user@host# set snmp community name

This example uses the standard community string private to identify the community granted
read-write access to the SNMP agent running on the device.

[edit groups global]


user@host# set snmp community private

2. Define the authorization level for the community.

[edit groups global snmp community name]


user@host# set authorization authorization

This example grants the private community read-write access. Any SNMP client
(for example, an SNMP management system) that belongs to the private community
can read MIB variables and can set (change) those that a view statement makes
accessible with read-write privileges.

[edit groups global snmp community private]
user@host# set authorization read-write

3. Define a list of clients in the community who are authorized to make changes to the
SNMP agent in Junos OS.

List the clients by IP address and prefix.

[edit groups global snmp community name]


user@host# set clients address

For example:

[edit groups global snmp community private]


user@host# set clients 192.168.1.15/24
user@host# set clients 192.168.1.18/24

4. Define the clients that are not authorized within the community by specifying their IP
address, followed by the restrict statement.

[edit groups global snmp community name]
user@host# set clients address restrict

The following statement defines all other hosts as being restricted from the private
community.

[edit groups global snmp community private]
user@host# set clients 0/0 restrict

5. At the top level of the configuration, apply the configuration group.

If you use a configuration group, you must apply it for it to take effect.

[edit]
user@host# set apply-groups global

6. Commit the configuration.

user@host# commit

Related Documentation

• Adding a Group of Clients to an SNMP Community on page 103

• Configuring SNMP on a Device Running Junos OS

• Configuration Statements at the [edit snmp] Hierarchy Level on page 84

• Examples: Configuring the SNMP Community String on page 102

Examples: Configuring the SNMP Community String

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

Grant read-only access to all clients. With the following configuration, the system responds
to SNMP Get, GetNext, and GetBulk requests that contain the community string public:

[edit]
snmp {
community public {
authorization read-only;
}
}

Grant all clients read-write access to the ping MIB and jnxPingMIB. With the following
configuration, the system responds to SNMP Get, GetNext, GetBulk, and Set requests
that contain the community string private and specify an OID contained in the ping MIB
or jnxPingMIB hierarchy:

[edit]
snmp {
    view ping-mib-view {
        oid pingMIB include;
        oid jnxPingMIB include;
    }
    community private {
        authorization read-write;
        view ping-mib-view;
    }
}

The following configuration allows read-only access to clients with IP addresses in the
range 1.2.3.4/24, and denies access to systems in the range fe80::1:2:3:4/64:

[edit]
snmp {
    community field-service {
        authorization read-only;
        clients {
            default restrict;          # Restrict access to all SNMP clients not explicitly
                                       # listed on the following lines.
            1.2.3.4/24;                # Allow access by all clients in 1.2.3.4/24 except
            fe80::1:2:3:4/64 restrict; # fe80::1:2:3:4/64.
        }
    }
}
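
An added example (not from the Junos documentation) that checks an SNMP stanza against the access rules stated in this section: a community with no clients statement admits every client, a read-write community needs a view before any object is writable, and the procedure above ends each clients list with a restrict entry. The parser, the finding codes, and the sample configuration are constructed for this illustration.

```python
import re

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
WELL_KNOWN = {"public", "private"}  # community names this page uses in its examples

# Constructed sample, assembled from the statements shown in this section.
SAMPLE_CONFIG = """
[edit]
snmp {
    view ping-mib-view {
        oid pingMIB include;
        oid jnxPingMIB include;
    }
    community public {
        authorization read-only;
    }
    community private {
        authorization read-write;   # no view statement
    }
    community field-service {
        authorization read-write;
        view ping-mib-view;
        clients {
            192.168.1.0/24;
            0/0 restrict;
        }
    }
    community nms {
        clients {
            192.168.1.15/32;
        }
    }
}
"""

EXPLAIN = {
    "WELL_KNOWN_NAME": "the community string acts like a password; this one is widely known",
    "ANY_CLIENT": "no clients or client-list-name statement, so all clients are allowed",
    "NO_RESTRICT_ENTRY": "clients list has no restrict entry such as '0/0 restrict'",
    "RW_WITHOUT_VIEW": "read-write without a view: no MIB objects are writable by default",
}


def parse(text):
    """Parse Junos curly-brace configuration into a tree of [words, children] nodes.

    children is None for a leaf statement ("authorization read-only;") and a
    list for a block ("community public { ... }").
    """
    root, words = [], []
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: no '#' inside quoted values
        if not line or line.startswith("[edit"):
            continue
        for tok in TOKEN.findall(line):
            if tok == "{":
                node = [words, []]
                stack[-1].append(node)
                stack.append(node[1])
                words = []
            elif tok == "}":
                if len(stack) == 1 or words:
                    raise ValueError("unbalanced '}' or statement missing ';'")
                stack.pop()
            elif tok == ";":
                stack[-1].append([words, None])
                words = []
            else:
                words.append(tok.strip('"'))
    if len(stack) != 1 or words:
        raise ValueError("unterminated block or statement")
    return root


def children(nodes, keyword):
    """Yield (arguments, body) for each statement or block that starts with keyword."""
    for words, body in nodes:
        if words and words[0] == keyword:
            yield words[1:], (body or [])


def audit(text):
    """Return (community, finding_code) pairs in configuration order."""
    findings = []
    for _, snmp in children(parse(text), "snmp"):
        for args, body in children(snmp, "community"):
            name = args[0]
            # The default authorization level for a community is read-only.
            auth = next((a[0] for a, _ in children(body, "authorization") if a), "read-only")
            has_view = any(True for _ in children(body, "view"))
            has_list = any(True for _ in children(body, "client-list-name"))
            entries = [w for _, clients in children(body, "clients") for w, _ in clients]
            if name in WELL_KNOWN:
                findings.append((name, "WELL_KNOWN_NAME"))
            if not entries and not has_list:
                findings.append((name, "ANY_CLIENT"))
            elif entries and not any(w[-1:] == ["restrict"] for w in entries):
                findings.append((name, "NO_RESTRICT_ENTRY"))
            if auth == "read-write" and not has_view:
                findings.append((name, "RW_WITHOUT_VIEW"))
    return findings


if __name__ == "__main__":
    for community, code in audit(SAMPLE_CONFIG):
        print(f"{community:14} {code:18} {EXPLAIN[code]}")
```

The parser also rejects a stanza in which a statement is missing its terminating semicolon, which makes it usable as a quick syntax check before the configuration is loaded on a device.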

Related Documentation

• Configuring SNMP Communities on page 99

Adding a Group of Clients to an SNMP Community

Supported Platforms ACX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series, vSRX

Junos OS enables you to add one or more groups of clients to an SNMP community. You
can include the client-list-name name statement at the [edit snmp community
community-name] hierarchy level to add all the members of the client list or prefix list to
an SNMP community.

To define a list of clients, include the client-list statement followed by the IP addresses
of the clients at the [edit snmp] hierarchy level:

[edit snmp]
client-list client-list-name {
ip-addresses;
}

You can configure a prefix list at the [edit policy-options] hierarchy level. Support for
prefix lists in the SNMP community configuration enables you to use a single list to
configure the SNMP and routing policies. For more information about the prefix-list
statement, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.

To add a client list or prefix list to an SNMP community, include the client-list-name
statement at the [edit snmp community community-name] hierarchy level:

[edit snmp community community-name]
client-list-name client-list-name;

NOTE: The client list and prefix list must not have the same name.

The following example shows how to define a client list:

[edit]
snmp {
    client-list clientlist1 {
        10.1.1.1/32;
        10.2.2.2/32;
    }
}

The following example shows how to add a client list to an SNMP community:

[edit]
snmp {
    community community1 {
        authorization read-only;
        client-list-name clientlist1;
    }
}

The following example shows how to add a prefix list to an SNMP community:

[edit]
policy-options {
    prefix-list prefixlist {
        10.3.3.3/32;
        10.5.5.5/32;
    }
}
snmp {
    community community2 {
        client-list-name prefixlist;
    }
}

Related Documentation

• client-list

• client-list-name

Configuring a Proxy SNMP Agent

Supported Platforms M Series, MX Series, T Series

Starting with Release 12.3, Junos OS enables you to assign one of the devices in the
network as a proxy SNMP agent through which the network management system (NMS)
can query other devices in the network. When you configure a proxy, you can specify the
names of devices to be managed through the proxy SNMP agent.

When the NMS queries the proxy SNMP agent, the NMS specifies the community name
(for SNMPv1 and SNMPv2) or the context and security name (for SNMPv3) associated
with the device from which it requires the information.

NOTE: If you have configured authentication and privacy methods and
passwords for SNMPv3, those parameters are also specified in the query for
SNMPv3 information.

To configure a proxy SNMP agent and specify devices to be managed by the proxy SNMP
agent, you can include the following configuration statements at the [edit snmp] hierarchy
level:

proxy proxy-name {
    device-name device-name;
    logical-system logical-system {
        routing-instance routing-instance;
    }
    routing-instance routing-instance;
    <version-v1 | version-v2c> {
        snmp-community community-name;
        no-default-comm-to-v3-config;
    }
    version-v3 {
        security-name security-name;
        context context-name;
    }
}

• The proxy statement enables you to specify a unique name for the proxy configuration.

• The version-v1, version-v2c, and version-v3 statements enable you to specify the SNMP
version.

• The no-default-comm-to-v3-config statement is an optional statement at the [edit
snmp proxy proxy-name <version-v1 | version-v2c>] hierarchy level that when included
in the configuration requires you to manually configure the statements at the [edit
snmp v3 snmp-community community-name] and [edit snmp v3 vacm] hierarchy levels.

If the no-default-comm-to-v3-config statement is not included at the [edit snmp proxy
proxy-name <version-v1 | version-v2c>] hierarchy level, the [edit snmp v3
snmp-community community-name] and [edit snmp v3 vacm] hierarchy level
configurations are automatically initialized.

• The logical-system and routing-instance statements are optional statements that
enable you to specify logical system and routing instance names if you want to create
proxies for logical systems or routing instances on the device.

NOTE: Starting with Junos OS Release 15.2, you must configure the interface
<interface-name> statement at the [edit snmp] hierarchy level for the proxy
SNMP agent.

NOTE: The community and security configuration for the proxy should match
the corresponding configuration on the device that is to be managed.

NOTE: Because the proxy SNMP agent does not have trap forwarding
capabilities, the devices that are managed by the proxy SNMP agent send
the traps directly to the network management system.

You can use the show snmp proxy operational mode command to view proxy details on
a device. The show snmp proxy command returns the proxy names, device names, SNMP
version, community/security, and context information.

Related Documentation

• proxy (snmp) on page 717

Configuring SNMP Traps

Supported Platforms M Series, MX Series, PTX Series, T Series

Traps are unsolicited messages sent from an SNMP agent to remote network
management systems or trap receivers. Many enterprises use SNMP traps as part of a
fault-monitoring solution, in addition to system logging. In Junos OS, SNMP traps are not
forwarded by default, so you must configure a trap-group if you wish to use SNMP traps.

You can create and name a group of one or more types of SNMP traps and then define
which systems receive the group of SNMP traps. The name of the trap group is embedded
in SNMP trap notification packets as one variable binding (varbind) known as the
community name.

To configure an SNMP trap:

1. Create a single, consistent source address that Junos OS applies to all outgoing traps
in your device.

A source address is useful because, although most Junos OS devices have a number
of outbound interfaces, using one source address helps a remote NMS to associate
the source of the traps with an individual device.

[edit groups global snmp]


user@host# set trap-options source-address address

This example uses the IP address of the loopback interface (lo0) as the source address
for all the SNMP traps that originate from the device.

[edit groups global snmp]


user@host# set trap-options source-address lo0

2. Create a trap group in which you can list the types of traps to be forwarded and the
targets (addresses) of the receiving remote management systems.

[edit groups global snmp trap-group group-name]


user@host# set version (all | v1 | v2) targets address

This example creates a trap group called managers and allows SNMP version 2-formatted
notifications (traps) to be sent to the host at address 192.168.1.15. This statement
forwards all categories of traps.

[edit groups global snmp trap-group managers]


user@host# set version v2 targets 192.168.1.15

3. Define the specific subset of trap categories to be forwarded.

For a list of categories, see “Configuring SNMP Trap Groups” on page 112.

[edit groups global snmp trap-group group-name]


user@host# set categories category

The following statement configures the standard MIB-II authentication failures on
the agent (the device).

[edit groups global snmp trap-group managers]


user@host# set categories authentication

4. At the top level of the configuration, apply the configuration group.

If you use a configuration group, you must apply it for it to take effect.

[edit]
user@host# set apply-groups global

5. Commit the configuration.

user@host# commit

6. To verify the configuration, generate an authentication failure trap.

This means that the SNMP agent received a request with an unknown community.
Other trap types can also be spoofed.

This feature enables you to trigger SNMP traps from routers and ensure that they are
processed correctly within your existing network management infrastructure. This is
also useful for testing and debugging SNMP behavior on the switch or NMS.

Using the monitor traffic command, you can verify that the trap is sent to the network
management system.

user@host> request snmp spoof-trap authenticationFailure
Spoof-trap request result: trap sent successfully

Related Documentation

• Adding a Group of Clients to an SNMP Community on page 103

• Configuring SNMP on a Device Running Junos OS

• Configuration Statements at the [edit snmp] Hierarchy Level on page 84

• Examples: Configuring the SNMP Community String on page 102

Configuring SNMP Trap Options and Groups on a Device Running Junos OS

Supported Platforms ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Some carriers have more than one trap receiver that forwards traps to a central NMS.
This allows for more than one path for SNMP traps from a router to the central NMS
through different trap receivers. A device running Junos OS can be configured to send
the same copy of each SNMP trap to every trap receiver configured in the trap group.

The source address in the IP header of each SNMP trap packet is set to the address of
the outgoing interface by default. When a trap receiver forwards the packet to the central
NMS, the source address is preserved. The central NMS, looking only at the source address
of each SNMP trap packet, assumes that each SNMP trap came from a different source.

In reality, the SNMP traps came from the same router, but each left the router through
a different outgoing interface.

The statements discussed in the following sections are provided to allow the NMS to
recognize the duplicate traps and to distinguish SNMPv1 traps based on the outgoing
interface.

To configure SNMP trap options and trap groups, include the trap-options and trap-group
statements at the [edit snmp] hierarchy level:

[edit snmp]
trap-options {
    agent-address outgoing-interface;
    source-address address;
}
trap-group group-name {
    categories {
        category;
    }
    destination-port port-number;
    targets {
        address;
    }
    version (all | v1 | v2);
}

Related Documentation

• Configuring SNMP Trap Options on page 108

• Configuring SNMP Trap Groups on page 112

• Configuring SNMP on a Device Running Junos OS

• Configuration Statements at the [edit snmp] Hierarchy Level on page 84

Configuring SNMP Trap Options

Supported Platforms M Series, MX Series, PTX Series, T Series

Using SNMP trap options, you can set the source address of every SNMP trap packet
sent by the router to a single address regardless of the outgoing interface. In addition,
you can set the agent address of the SNMPv1 traps. For more information about the
contents of SNMPv1 traps, see RFC 1157.

NOTE: SNMP cannot be associated with any routing instances other than
the master routing instance.

To configure SNMP trap options, include the trap-options statement at the [edit snmp]
hierarchy level:

[edit snmp]
trap-options {
    agent-address outgoing-interface;
    enterprise-oid;
    logical-system logical-system-name;
    routing-instance routing-instance-name;
    source-address address;
}

You must also configure a trap group for the trap options to take effect. For information
about trap groups, see “Configuring SNMP Trap Groups” on page 112.

This topic contains the following sections:

• Configuring the Source Address for SNMP Traps on page 109

• Configuring the Agent Address for SNMP Traps on page 111

• Adding snmpTrapEnterprise Object Identifier to Standard SNMP Traps on page 111

Configuring the Source Address for SNMP Traps


You can configure the source address of trap packets in many ways: lo0, a valid IPv4
address or IPv6 address configured on one of the router interfaces, a logical-system
address, or the address of a routing-instance. The value lo0 indicates that the source
address of the SNMP trap packets is set to the lowest loopback address configured on
the interface lo0.

NOTE: If the source address is an invalid IPv4 or IPv6 address or is not
configured, SNMP traps are not generated.

You can configure the source address of trap packets in one of the following formats:

• A valid IPv4 address configured on one of the router interfaces

• A valid IPv6 address configured on one of the router interfaces

• lo0; that is, the lowest loopback address configured on the interface lo0

• A logical-system name

• A routing-instance name

A Valid IPv4 Address As the Source Address

To specify a valid IPv4 interface address as the source address for SNMP traps on one
of the router interfaces, include the source-address statement at the [edit snmp
trap-options] hierarchy level:

[edit snmp trap-options]
source-address address;

address is a valid IPv4 address configured on one of the router interfaces.

A Valid IPv6 Address As the Source Address

To specify a valid IPv6 interface address as the source address for SNMP traps on one
of the router interfaces, include the source-address statement at the [edit snmp
trap-options] hierarchy level:

[edit snmp trap-options]
source-address address;

address is a valid IPv6 address configured on one of the router interfaces.

The Lowest Loopback Address As the Source Address

To specify the source address of the SNMP traps so that they use the lowest loopback
address configured on the interface lo0 as the source address, include the source-address
statement at the [edit snmp trap-options] hierarchy level:

[edit snmp trap-options]
source-address lo0;

To enable and configure the loopback address, include the address statement at the
[edit interfaces lo0 unit 0 family inet] hierarchy level:

[edit interfaces]
lo0 {
    unit 0 {
        family inet {
            address ip-address;
        }
    }
}

To configure the loopback address as the source address of trap packets:

[edit snmp]
trap-options {
source-address lo0;
}
trap-group "urgent-dispatcher" {
version v2;
categories link startup;
targets {
192.168.10.22;
172.17.1.2;
}
}
[edit interfaces]
lo0 {
unit 0 {
family inet {
address 10.0.0.1/32;
address 127.0.0.1/32;
}
}
}

In this example, the IP address 10.0.0.1 is the source address of every trap sent from this
router.

Logical System Name as the Source Address

To specify a logical system name as the source address of SNMP traps, include the
logical-system logical-system-name statement at the [edit snmp trap-options] hierarchy
level.

For example, the following configuration sets logical system name ls1 as the source
address of SNMP traps:

[edit snmp]
trap-options{
logical-system ls1;
}

Routing Instance Name as the Source Address

To specify a routing instance name as the source address of SNMP traps, include the
routing-instance routing-instance-name statement at the [edit snmp trap-options] hierarchy
level.

For example, the following configuration sets the routing instance name ri1 as the source
address for SNMP traps:

[edit snmp]
trap-options {
routing-instance ri1;
}

Configuring the Agent Address for SNMP Traps


The agent address is only available in SNMPv1 trap packets (see RFC 1157). By default,
the router’s default local address is not specified in the agent address field of the SNMPv1
trap. To configure the agent address, include the agent-address statement at the [edit
snmp trap-options] hierarchy level. Currently, the agent address can only be the address
of the outgoing interface:

[edit snmp]
trap-options {
agent-address outgoing-interface;
}

To configure the outgoing interface as the agent address:

[edit snmp]
trap-options {
agent-address outgoing-interface;
}
trap-group "urgent-dispatcher" {
version v1;
categories link startup;
targets {
192.168.10.22;
172.17.1.2;
}
}

In this example, each SNMPv1 trap packet sent has its agent address value set to the IP
address of the outgoing interface.

Adding snmpTrapEnterprise Object Identifier to Standard SNMP Traps


The snmpTrapEnterprise object helps you identify the enterprise that has defined the
trap. Typically, the snmpTrapEnterprise object appears as the last varbind in
enterprise-specific SNMP version 2 traps. However, starting with Release 10.0, Junos OS
enables you to add the snmpTrapEnterprise object identifier to standard SNMP traps as
well.

To add snmpTrapEnterprise to standard traps, include the enterprise-oid statement at
the [edit snmp trap-options] hierarchy level. If the enterprise-oid statement is not included
in the configuration, snmpTrapEnterprise is added only for enterprise-specific traps.

[edit snmp]
trap-options {
enterprise-oid;
}

Related Documentation

• Configuring SNMP Trap Options and Groups on a Device Running Junos OS
• Configuring SNMP Trap Groups
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level


Configuring SNMP Trap Groups

Supported Platforms SRX Series, vSRX

You can create and name a group of one or more types of SNMP traps and then define
which systems receive the group of SNMP traps. The trap group must be configured for
SNMP traps to be sent. To create an SNMP trap group, include the trap-group statement
at the [edit snmp] hierarchy level:

[edit snmp]
trap-group group-name {
categories {
category;
}
destination-port port-number;
routing-instance instance;
targets {
address;
}
version (all | v1 | v2);
}

The trap group name can be any string and is embedded in the community name field
of the trap. To configure your own trap group port, include the destination-port statement.
The default destination port is port 162.

For each trap group that you define, you must include the targets statement to define at
least one system as the recipient of the SNMP traps in the trap group. Specify the IPv4
or IPv6 address of each recipient, not its hostname.

Specify the types of traps the trap group can receive in the categories statement. For
information about the category to which the traps belong, see the “Standard SNMP Traps
Supported by Junos OS” on page 57 and “Enterprise-Specific SNMP Traps Supported by
Junos OS” on page 64 topics.

Specify the routing instance used by the trap group in the routing-instance statement.
All targets configured in the trap group use this routing instance.

A trap group can receive the following categories:

• authentication—Authentication failures

• chassis—Chassis or environment notifications

• configuration—Configuration notifications

• link—Link-related notifications (up-down transitions, DS-3 and DS-1 line status change,
IPv6 interface state change, and Passive Monitoring PIC overload)

NOTE: To send Passive Monitoring PIC overload interface traps, select the
link trap category.

• remote-operations—Remote operation notifications


• rmon-alarm—Alarm for RMON events

• routing—Routing protocol notifications

• sonet-alarms—SONET/SDH alarms

    NOTE: If you omit the SONET/SDH subcategories, all SONET/SDH trap
    alarm types are included in trap notifications.

    • loss-of-light—Loss of light alarm notification
    • pll-lock—PLL lock alarm notification
    • loss-of-frame—Loss of frame alarm notification
    • loss-of-signal—Loss of signal alarm notification
    • severely-errored-frame—Severely errored frame alarm notification
    • line-ais—Line alarm indication signal (AIS) alarm notification
    • path-ais—Path AIS alarm notification
    • loss-of-pointer—Loss of pointer alarm notification
    • ber-defect—SONET/SDH bit error rate alarm defect notification
    • ber-fault—SONET/SDH error rate alarm fault notification
    • line-remote-defect-indication—Line remote defect indication alarm notification
    • path-remote-defect-indication—Path remote defect indication alarm notification
    • remote-error-indication—Remote error indication alarm notification
    • unequipped—Unequipped alarm notification
    • path-mismatch—Path mismatch alarm notification
    • loss-of-cell—Loss of cell delineation alarm notification
    • vt-ais—Virtual tributary (VT) AIS alarm notification
    • vt-loss-of-pointer—VT loss of pointer alarm notification
    • vt-remote-defect-indication—VT remote defect indication alarm notification
    • vt-unequipped—VT unequipped alarm notification
    • vt-label-mismatch—VT label mismatch error notification
    • vt-loss-of-cell—VT loss of cell delineation notification

• startup—System warm and cold starts

• timing-events—Timing events and defects notification

• vrrp-events—Virtual Router Redundancy Protocol (VRRP) events such as new-master
or authentication failures


If you include SONET/SDH subcategories, only those SONET/SDH trap alarm types are
included in trap notifications.

The version statement allows you to specify the SNMP version of the traps sent to targets
of the trap group. If you specify v1 only, SNMPv1 traps are sent. If you specify v2 only,
SNMPv2 traps are sent. If you specify all, both an SNMPv1 and an SNMPv2 trap are sent
for every trap condition. For more information about the version statement, see version
(SNMP).

Related Documentation

• Configuring SNMP Trap Options and Groups on a Device Running Junos OS
• Configuring SNMP Trap Options
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level
• Example: Configuring SNMP Trap Groups

Example: Configuring SNMP Trap Groups

Supported Platforms M Series, MX Series, PTX Series, T Series

Set up a trap notification list named urgent-dispatcher for link and startup traps. This list
is used to identify the network management hosts (1.2.3.4 and fe80::1:2:3:4) to which
traps generated by the local router should be sent. The name specified for a trap group
is used as the SNMP community string when the agent sends traps to the listed targets.

[edit]
snmp {
trap-group "urgent-dispatcher" {
version v2;
categories link startup;
targets {
1.2.3.4;
fe80::1:2:3:4;
}
}
}

Related Documentation

• Configuring SNMP Trap Groups
• Configuring SNMP Trap Options and Groups on a Device Running Junos OS
• Configuring SNMP Trap Options

Configuring the Interfaces on Which SNMP Requests Can Be Accepted

Supported Platforms M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series


By default, all router or switch interfaces have SNMP access privileges. To limit access
to certain interfaces only, include the interface statement at the [edit snmp]
hierarchy level:

[edit snmp]
interface [ interface-names ];

Specify the names of any logical or physical interfaces that should have SNMP access
privileges. Any SNMP requests entering the router or switch from interfaces not listed
are discarded.

Related Documentation

• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level
• Example: Configuring Secured Access List Checking

Example: Configuring Secured Access List Checking

Supported Platforms M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

SNMP access privileges are granted only to devices on interfaces so-0/0/0 and at-1/0/1.
The following example does this by configuring a list of logical interfaces:

[edit]
snmp {
interface [ so-0/0/0.0 so-0/0/0.1 at-1/0/1.0 at-1/0/1.1 ];
}

The following example grants the same access by configuring a list of physical interfaces:

[edit]
snmp {
interface [ so-0/0/0 at-1/0/1 ];
}

Related Documentation

• Configuring the Interfaces on Which SNMP Requests Can Be Accepted
• Filtering Interface Information Out of SNMP Get and GetNext Output
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level

Filtering Interface Information Out of SNMP Get and GetNext Output

Supported Platforms M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Junos OS enables you to filter out information related to specific interfaces from the
output of SNMP Get and GetNext requests performed on interface-related MIBs such as
IF MIB, ATM MIB, RMON MIB, and the Juniper Networks enterprise-specific IF MIB.


You can use the following options of the filter-interfaces statement at the [edit snmp]
hierarchy level to specify the interfaces that you want to exclude from SNMP Get and
GetNext queries:

• interfaces—Interfaces that match the specified regular expressions.

• all-internal-interfaces—Internal interfaces.

[edit]
snmp {
filter-interfaces {
interfaces {
interface-name 1;
interface-name 2;
}
all-internal-interfaces;
}
}

Starting with Release 12.1, Junos OS provides an except option (! operator) that enables
you to filter out all interfaces except those interfaces that match all the regular expressions
prefixed with the ! mark.

For example, to filter out all interfaces except the ge interfaces from the SNMP get and
get-next results, enter the following command:

[edit snmp]
user@host# set filter-interfaces interfaces "!^~ge-.*"
user@host# commit

When this is configured, Junos OS filters out all interfaces except the ge interfaces from
the SNMP get and get-next results.

NOTE: The ! mark is supported only as the first character of the regular
expression. If it appears anywhere else in a regular expression, Junos OS
considers the regular expression invalid, and returns an error.

However, note that these settings are limited to SNMP operations, and the users can
continue to access information related to the interfaces (including those hidden using
the filter-interfaces options) using the appropriate Junos OS command-line interface
(CLI) commands.

Related Documentation

• Configuring the Interfaces on Which SNMP Requests Can Be Accepted
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level

Configuring MIB Views

Supported Platforms ACX Series, EX4600, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series, vSRX


SNMPv3 defines the concept of MIB views in RFC 3415, View-based Access Control Model
(VACM) for the Simple Network Management Protocol (SNMP). MIB views provide an
agent better control over who can access specific branches and objects within its MIB
tree. A view consists of a name and a collection of SNMP object identifiers, which are
either explicitly included or excluded. Once defined, a view is then assigned to an SNMPv3
group or SNMPv1/v2c community (or multiple communities), automatically masking
which parts of the agent’s MIB tree members of the group or community can (or cannot)
access.

By default, an SNMP community grants read access and denies write access to all
supported MIB objects (even communities configured as authorization read-write). To
restrict or grant read or write access to a set of MIB objects, you must configure a MIB
view and associate the view with a community.

To configure MIB views, include the view statement at the [edit snmp] hierarchy level:

[edit snmp]
view view-name {
oid object-identifier (include | exclude);
}

The view statement defines a MIB view and identifies a group of MIB objects. Each MIB
object of a view has a common object identifier (OID) prefix. Each object identifier
represents a subtree of the MIB object hierarchy. The subtree can be represented either
by a sequence of dotted integers (such as 1.3.6.1.2.1.2) or by its subtree name (such as
interfaces). A configuration statement uses a view to specify a group of MIB objects on
which to define access. You can also use a wildcard character asterisk (*) to include
OIDs that match a particular pattern in the SNMP view. To enable a view, you must
associate the view with a community.

To remove an OID completely, use the delete view all oid oid-number command but omit
the include parameter.

[edit groups global snmp]
user@host# set view view-name oid object-identifier (include | exclude)

The following example creates a MIB view called ping-mib-view. The oid statement does
not require a dot at the beginning of the object identifier. The snmp view statement
includes the branch under the object identifier .1.3.6.1.2.1.80. This includes the entire
DISMAN-PING-MIB subtree (as defined in RFC 2925, Definitions of Managed Objects for
Remote Ping, Traceroute, and Lookup Operations), which effectively permits access to
any object under that branch.

[edit groups global snmp]
user@host# set view ping-mib-view oid 1.3.6.1.2.1.80 include

The following example adds a second branch in the same MIB view.

[edit groups global snmp]
user@host# set view ping-mib-view oid jnxPingMIB include

Assign a MIB view to a community that you want to control.


To associate MIB views with a community, include the view statement at the [edit snmp
community community-name] hierarchy level:

[edit snmp community community-name]
view view-name;

For more information about the Ping MIB, see RFC 2925 and PING MIB.

Related Documentation

• PING MIB
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level
• Configuring Ping Proxy MIB
• view (Configuring a MIB View)
• view (Associating MIB View with a Community)
• oid

Configuring Ping Proxy MIB

Supported Platforms M Series, MX Series, PTX Series, T Series

Restrict the ping-mib community to read and write access of the Ping MIB and jnxPingMIB
only. Read or write access to any other MIB using this community is not allowed.

[edit snmp]
view ping-mib-view {
oid 1.3.6.1.2.1.80 include; #pingMIB
oid jnxPingMIB include; #jnxPingMIB
}
community ping-mib {
authorization read-write;
view ping-mib-view;
}

The following configuration prevents the no-ping-mib community from accessing Ping
MIB and jnxPingMIB objects. However, this configuration does not prevent the no-ping-mib
community from accessing any other MIB object that is supported on the device.

[edit snmp]
view no-ping-mib-view {
oid 1.3.6.1.2.1.80 exclude; # deny access to pingMIB objects
oid jnxPingMIB exclude; # deny access to jnxPingMIB objects
}
community no-ping-mib {
authorization read-write;
view no-ping-mib-view;
}

Related Documentation

• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level
• Configuring MIB Views
• view (Configuring a MIB View)
• oid



CHAPTER 7

Configuring SNMPv3

• Minimum SNMPv3 Configuration on a Device Running Junos OS
• Example: SNMPv3 Configuration
• Configuring the Local Engine ID
• Creating SNMPv3 Users
• Example: Creating SNMPv3 Users
• Configuring the SNMPv3 Authentication Type
• Configuring the SNMPv3 Encryption Type
• Defining Access Privileges for an SNMP Group
• Configuring the Access Privileges Granted to a Group
• Example: Configuring the Access Privileges Granted to a Group
• Assigning Security Model and Security Name to a Group
• Example: Security Group Configuration
• Configuring SNMPv3 Traps on a Device Running Junos OS
• Configuring the SNMPv3 Trap Notification
• Example: Configuring SNMPv3 Trap Notification
• Configuring the Trap Notification Filter
• Configuring the Trap Target Address
• Example: Configuring the Tag List
• Defining and Configuring the Trap Target Parameters
• Configuring SNMP Informs
• Configuring the Remote Engine and Remote User
• Example: Configuring the Remote Engine ID and Remote User
• Configuring the Inform Notification Type and Target Address
• Example: Configuring the Inform Notification Type and Target Address
• Configuring the SNMPv3 Community
• Example: Configuring an SNMPv3 Community


Minimum SNMPv3 Configuration on a Device Running Junos OS

Supported Platforms ACX Series, EX4600, M Series, MX Series, PTX Series, QFabric System, QFX Series, T Series

To configure the minimum requirements for SNMPv3, include the following statements
at the [edit snmp v3] and [edit snmp] hierarchy levels:

NOTE: You must configure at least one view (notify, read, or write) at the
[edit snmp view view-name] hierarchy level.

[edit snmp]
view view-name {
oid object-identifier (include | exclude);
}
[edit snmp v3]
notify name {
tag tag-name;
}
notify-filter profile-name {
oid object-identifier (include | exclude);
}
snmp-community community-index {
security-name security-name;
}
target-address target-address-name {
address address;
target-parameters target-parameters-name;
}
target-parameters target-parameters-name {
notify-filter profile-name;
parameters {
message-processing-model (v1 | v2c | v3);
security-level (authentication | none | privacy);
security-model (usm | v1 | v2c);
security-name security-name;
}
}
usm {
local-engine {
user username {
}
}
}
vacm {
access {
group group-name {
(default-context-prefix | context-prefix context-prefix){
security-model (any | usm | v1 | v2c) {
security-level (authentication | none | privacy) {
notify-view view-name;
read-view view-name;
write-view view-name;
}
}
}
}
}
security-to-group {
security-model (usm | v1 | v2c) {
security-name security-name {
group group-name;
}
}
}
}

Related Documentation

• Creating SNMPv3 Users
• Configuring MIB Views
• Defining Access Privileges for an SNMP Group
• Configuring SNMPv3 Traps on a Device Running Junos OS
• Configuring SNMP Informs
• Example: SNMPv3 Configuration

Example: SNMPv3 Configuration

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

Define an SNMPv3 configuration:

[edit snmp]
engine-id {
use-mac-address;
}
view jnxAlarms {
oid 1.3.6.1.4.1.2636.3.4 include;
}
view interfaces {
oid 1.3.6.1.2.1.2 include;
}
view ping-mib {
oid 1.3.6.1.2.1.80 include;
}
[edit snmp v3]
notify n1 {
tag router1; # Identifies a set of target addresses
type trap; # Defines type of notification
}
notify n2 {
tag host1;
type trap;
}
notify-filter nf1 {
oid .1 include; # Defines which traps to send
} # In this case, includes all traps
notify-filter nf2 {
oid 1.3.6.1.4.1 include; # Sends enterprise-specific traps only
}
notify-filter nf3 {
oid 1.3.6.1.2.1.15 include; # Sends BGP traps only
}
snmp-community index1 {
community-name "$9$JOZi.QF/AtOz3"; # SECRET-DATA
security-name john; # Matches the security name at the target parameters
tag host1; # Finds the addresses that are allowed to be used with
}
target-address ta1 { # Associates the target address with the group
# san-francisco.
address 10.1.1.1;
address-mask 255.255.255.0; # Defines the range of addresses
port 162;
tag-list router1;
target-parameters tp1; # Applies configured target parameters
}
target-address ta2 {
address 10.1.1.2;
address-mask 255.255.255.0;
port 162;
tag-list host1;
target-parameters tp2;
}
target-address ta3 {
address 10.1.1.3;
address-mask 255.255.255.0;
port 162;
tag-list "router1 host1";
target-parameters tp3;
}
target-parameters tp1 { # Defines the target parameters
notify-filter nf1; # Specifies which notify filter to apply
parameters {
message-processing-model v1;
security-model v1;
security-level none;
security-name john; # Matches the security name configured at the
} # [edit snmp v3 snmp-community community-index] hierarchy level.
}
target-parameters tp2 {
notify-filter nf2;
parameters {
message-processing-model v1;
security-model v1;
security-level none;
security-name john;
}
}
target-parameters tp3 {
notify-filter nf3;
parameters {
message-processing-model v1;
security-model v1;
security-level none;
security-name john;
}
}
usm {
local-engine { #Defines authentication and encryption for SNMPv3 users
user user1 {
authentication-md5 {
authentication-password authentication-password;
}
privacy-des {
privacy-password privacy-password;
}
}
user user2 {
authentication-sha {
authentication-password authentication-password;
}
privacy-none;
}
user user3 {
authentication-none;
privacy-none;
}
user user4 {
authentication-sha {
authentication-password authentication-password;
}
privacy-aes128 {
privacy-password privacy-password;
}
}
user user5 {
authentication-sha {
authentication-password authentication-password;
}
privacy-none;
}
}
}
vacm {
access {
group san-francisco { #Defines the access privileges for the group
default-context-prefix { # called san-francisco
security-model v1 {
security-level none {
notify-view ping-mib;
read-view interfaces;
write-view jnxAlarms;
}
}
}
}
}
security-to-group {
security-model v1 {
security-name john { # Assigns john to the security group
group san-francisco; # called san-francisco
}
security-name bob {
group new-york;
}
security-name elizabeth {
group chicago;
}
}
}
}

Related Documentation

• Minimum SNMPv3 Configuration on a Device Running Junos OS

Configuring the Local Engine ID

Supported Platforms ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

By default, the local engine ID uses the default IP address of the router. The local engine
ID is the administratively unique identifier for the SNMPv3 engine. This statement is
optional. To configure the local engine ID, include the engine-id statement at the [edit
snmp] hierarchy level:

[edit snmp]
engine-id {
(local engine-id-suffix | use-default-ip-address | use-mac-address);
}

• local engine-id-suffix—The engine ID suffix is explicitly configured.

• use-default-ip-address—The engine ID suffix is generated from the default IP address.

• use-mac-address—The SNMP engine identifier is generated from the Media Access
Control (MAC) address of the management interface on the router.

The local engine ID is defined as the administratively unique identifier of an SNMPv3
engine, and is used for identification, not for addressing. There are two parts of an engine
ID: prefix and suffix. The prefix is formatted according to the specifications defined in
RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP)
Management Frameworks. You can configure the suffix here.

NOTE: SNMPv3 authentication and encryption keys are generated based on
the associated passwords and the engine ID. If you configure or change the
engine ID, you must commit the new engine ID before you configure SNMPv3
users. Otherwise the keys generated from the configured passwords are
based on the previous engine ID. For the engine ID, we recommend using the
master IP address of the device if the device has multiple routing engines
and has the master IP address configured. Alternatively, you can use the MAC
address of the management port if the device has only one Routing Engine.
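
The dependency described in the NOTE above, as an added example (not part of the Juniper guide or of Junos code): the password-to-key and key-localization algorithm that RFC 3414, Appendix A.2, defines for SNMPv3 USM, run for one password under two engine IDs. The engine IDs follow the RFC 3411 layout with enterprise number 2636 taken from the OIDs on this page; the sample password, the MAC address and the exact engine ID bytes a Junos device would generate are assumptions.

```python
import hashlib

EXPANDED_LENGTH = 1_048_576  # RFC 3414 stretches the password to 2**20 octets


def check_password(password):
    """Apply the two password rules stated in this guide."""
    if len(password) < 8:
        raise ValueError("password must be at least eight characters long")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in password):
        raise ValueError("password cannot include control characters")


def password_to_key(password, algorithm):
    """Ku: digest of the password repeated to fill 1,048,576 octets."""
    check_password(password)
    raw = password.encode("utf-8")
    repeats, remainder = divmod(EXPANDED_LENGTH, len(raw))
    return hashlib.new(algorithm, raw * repeats + raw[:remainder]).digest()


def localize_key(user_key, engine_id, algorithm):
    """Kul = H(Ku || snmpEngineID || Ku): the key is valid for one engine only."""
    return hashlib.new(algorithm, user_key + engine_id + user_key).digest()


def rfc3411_engine_id(enterprise, fmt, suffix):
    """RFC 3411 layout: enterprise number with the top bit set, format octet, suffix."""
    return (0x80000000 | enterprise).to_bytes(4, "big") + bytes([fmt]) + suffix


def keys_after_engine_id_change(password, algorithm, old_engine_id, new_engine_id):
    """Localized keys for the same password under the old and the new engine ID."""
    user_key = password_to_key(password, algorithm)
    return (localize_key(user_key, old_engine_id, algorithm),
            localize_key(user_key, new_engine_id, algorithm))


if __name__ == "__main__":
    # Constructed values: a suffix from IPv4 address 10.0.0.1 (format 1), then a
    # suffix from a made-up MAC address (format 3), as after a switch to use-mac-address.
    old_id = rfc3411_engine_id(2636, 1, bytes([10, 0, 0, 1]))
    new_id = rfc3411_engine_id(2636, 3, bytes.fromhex("02005e0a0b0c"))
    old_key, new_key = keys_after_engine_id_change("sample-Passw0rd", "sha1", old_id, new_id)
    print("engine ID", old_id.hex(), "-> key", old_key.hex())
    print("engine ID", new_id.hex(), "-> key", new_key.hex())
```

A key localized against the old engine ID does not match the key a management station derives from the same password and the new engine ID, so authentication fails until the user's password is entered again after the engine ID change is committed.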


Related Documentation

• Minimum SNMPv3 Configuration on a Device Running Junos OS
• Example: SNMPv3 Configuration

Creating SNMPv3 Users

Supported Platforms ACX Series, EX4600, M Series, MX Series, PTX Series, QFX Series, T Series

For each SNMPv3 user, you can specify the username, authentication type, authentication
password, privacy type, and privacy password. After a user enters a password, a key
based on the engine ID and password is generated and is written to the configuration
file. After the generation of the key, the password is deleted from this configuration file.

NOTE: You can configure only one encryption type for each SNMPv3 user.

To create users, include the user statement at the [edit snmp v3 usm local-engine]
hierarchy level:

[edit snmp v3 usm local-engine]
user username;

username is the name that identifies the SNMPv3 user.

To configure user authentication and encryption, include the following statements at
the [edit snmp v3 usm local-engine user username] hierarchy level:

[edit snmp v3 usm local-engine user username]
authentication-md5 {
authentication-password authentication-password;
}
authentication-sha {
authentication-password authentication-password;
}
authentication-none;
privacy-aes128 {
privacy-password privacy-password;
}
privacy-des {
privacy-password privacy-password;
}
privacy-3des {
privacy-password privacy-password;
}
privacy-none;

Related Documentation

• Minimum SNMPv3 Configuration on a Device Running Junos OS
• Example: Creating SNMPv3 Users
• Example: SNMPv3 Configuration


Example: Creating SNMPv3 Users

Define SNMPv3 users:

[edit]
snmp {
v3 {
usm {
local-engine {
user user1 {
authentication-md5 {
authentication-password authentication-password;
}
privacy-des {
privacy-password privacy-password;
}
}
user user2 {
authentication-sha {
authentication-password authentication-password;
}
privacy-none;
}
user user3 {
authentication-none;
privacy-none;
}
user user4 {
authentication-md5 {
authentication-password authentication-password;
}
privacy-des {
privacy-password privacy-password;
}
}
user user5 {
authentication-sha {
authentication-password authentication-password;
}
privacy-aes128 {
privacy-password privacy-password;
}
}
}
}
}
}

Related Documentation

• Minimum SNMPv3 Configuration on a Device Running Junos OS

Configuring the SNMPv3 Authentication Type

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series


By default, in a Junos OS configuration the SNMPv3 authentication type is set to none.

This topic includes the following sections:

• Configuring MD5 Authentication
• Configuring SHA Authentication
• Configuring No Authentication

Configuring MD5 Authentication


To configure the message digest algorithm (MD5) as the authentication type for an
SNMPv3 user, include the authentication-md5 statement at the [edit snmp v3 usm
local-engine user username] hierarchy level:

[edit snmp v3 usm local-engine user username]
authentication-md5 {
authentication-password authentication-password;
}

authentication-password is the password used to generate the key used for authentication.

SNMPv3 has special requirements when you create plain-text passwords on a router or
switch:

• The password must be at least eight characters long.

• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.

Configuring SHA Authentication


To configure the secure hash algorithm (SHA) as the authentication type for an SNMPv3
user, include the authentication-sha statement at the [edit snmp v3 usm local-engine user
username] hierarchy level:

[edit snmp v3 usm local-engine user username]
authentication-sha {
authentication-password authentication-password;
}

authentication-password is the password used to generate the key used for authentication.

SNMPv3 has special requirements when you create plain-text passwords on a router or
switch:

• The password must be at least eight characters long.

• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.

Configuring No Authentication
To configure no authentication for an SNMPv3 user, include the authentication-none
statement at the [edit snmp v3 usm local-engine user username] hierarchy level:

[edit snmp v3 usm local-engine user username]
authentication-none;

Related Documentation

• Configuring the SNMPv3 Encryption Type
• Defining Access Privileges for an SNMP Group
• Configuring the Access Privileges Granted to a Group
• Assigning Security Model and Security Name to a Group
• Minimum SNMPv3 Configuration on a Device Running Junos OS

Configuring the SNMPv3 Encryption Type

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

By default, encryption is set to none.

NOTE: Before you configure encryption, you must configure MD5 or SHA
authentication.

Before you configure the privacy-des, privacy-3des and privacy-aes128
statements, you must install the jcrypto package, and either restart the SNMP
process or reboot the router.

This topic includes the following sections:

• Configuring the Advanced Encryption Standard Algorithm
• Configuring the Data Encryption Algorithm
• Configuring Triple DES
• Configuring No Encryption

Configuring the Advanced Encryption Standard Algorithm


To configure the Advanced Encryption Standard (AES) algorithm for an SNMPv3 user,
include the privacy-aes128 statement at the [edit snmp v3 usm local-engine user username]
hierarchy level:

[edit snmp v3 usm local-engine user username]
privacy-aes128 {
privacy-password privacy-password;
}

privacy-password is the password used to generate the key used for encryption.

SNMPv3 has special requirements when you create plain-text passwords on a router or
switch:

• The password must be at least eight characters long.

• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.


Configuring the Data Encryption Algorithm


To configure the data encryption algorithm (DES) for an SNMPv3 user, include the
privacy-des statement at the [edit snmp v3 usm local-engine user username] hierarchy
level:

[edit snmp v3 usm local-engine user username]
privacy-des {
privacy-password privacy-password;
}

privacy-password is the password used to generate the key used for encryption.

SNMPv3 has special requirements when you create plain-text passwords on a router or
switch:

• The password must be at least eight characters long.

• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.

Configuring Triple DES


To configure triple DES for an SNMPv3 user, include the privacy-3des statement at the
[edit snmp v3 usm local-engine user username] hierarchy level:

[edit snmp v3 usm local-engine user username]
privacy-3des {
    privacy-password privacy-password;
}

privacy-password is the password used to generate the key used for encryption.

SNMPv3 has special requirements when you create plain-text passwords on a router or
switch:

• The password must be at least eight characters long.

• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.
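The sections above say only that privacy-password "is the password used to generate the key used for encryption". The following Python example is added here and is not code from this guide: it checks the two password rules listed above and then derives the key with the standard USM procedure (RFC 3414 password-to-key and localization, RFC 3826 for AES-128), which uses the authentication protocol's hash and is why MD5 or SHA authentication must exist first. The function names are hypothetical, the sample password and engine ID are the RFC 3414 test values, and 3DES key derivation is not modelled.

```python
import hashlib

MIN_LENGTH = 8  # minimum plain-text password length stated in this guide


def check_password(password):
    """Return the rule violations for a plain-text password (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    # Control characters: C0 range (0x00-0x1F), DEL (0x7F) and C1 range (0x80-0x9F).
    if any(ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F for c in password):
        problems.append("contains control characters")
    return problems


def password_to_key(password, algo):
    """RFC 3414 A.2: digest of the password repeated until 1,048,576 bytes are hashed."""
    if not password:
        raise ValueError("empty password")
    total = 1024 * 1024
    stream = password * (total // len(password) + 1)
    return hashlib.new(algo, stream[:total]).digest()


def localize_key(user_key, engine_id, algo):
    """RFC 3414 2.6: bind the user key to one SNMP engine ID."""
    return hashlib.new(algo, user_key + engine_id + user_key).digest()


def privacy_material(password, engine_id, auth_algo, cipher):
    """Derive the localized privacy key for 'des' or 'aes128' (3DES is not modelled)."""
    problems = check_password(password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    user_key = password_to_key(password.encode(), auth_algo)
    localized = localize_key(user_key, engine_id, auth_algo)
    if cipher == "aes128":   # RFC 3826: first 128 bits of the localized key
        return {"key": localized[:16]}
    if cipher == "des":      # RFC 3414 8.1.1.1: 8-byte DES key plus 8-byte pre-IV
        return {"key": localized[:8], "pre_iv": localized[8:16]}
    raise ValueError("unsupported cipher: " + cipher)


# Constructed sample: the engine ID is the RFC 3414 A.3 test value.
ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for cipher in ("des", "aes128"):
        material = privacy_material("maplesyrup", ENGINE_ID, "sha1", cipher)
        print(cipher, {name: value.hex() for name, value in material.items()})
```

Because the key is localized with the engine ID, the same password yields a different key on every device.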

Configuring No Encryption

To configure no encryption for an SNMPv3 user, include the privacy-none statement at
the [edit snmp v3 usm local-engine user username] hierarchy level:

[edit snmp v3 usm local-engine user username]
privacy-none;

Related Documentation

• Configuring the SNMPv3 Authentication Type on page 128

• Defining Access Privileges for an SNMP Group on page 132

• Configuring the Access Privileges Granted to a Group on page 133

• Assigning Security Model and Security Name to a Group on page 137

• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

Defining Access Privileges for an SNMP Group

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

SNMP version 3 (SNMPv3) uses the view-based access control model (VACM),
which allows you to configure the access privileges granted to a group. Access is controlled
by filtering the MIB objects available for a specific operation through a predefined view.
You assign views to determine the objects that are visible for read, write, and notify
operations for a particular group, using a particular context, a particular security model
(v1, v2c, or usm), and a particular security level (authentication, privacy, or none). For
information about how to configure views, see “Configuring MIB Views” on page 116.

You define user access to management information at the [edit snmp v3 vacm] hierarchy
level. All access control within VACM operates on groups, which are collections of users
as defined by USM, or community strings as defined in the SNMPv1 and SNMPv2c security
models. The term security-name refers to these generic end users. The group to which a
specific security name belongs is configured at the [edit snmp v3 vacm security-to-group]
hierarchy level. A group identifies a collection of SNMP users that share the same access
policy. You then define the access privileges associated with a group at the [edit snmp v3
vacm access] hierarchy level. Access privileges are defined using views. For each group,
you can apply different views depending on the SNMP operation (read (get, getNext, or
getBulk), write (set), or notifications), the security level used (authentication, privacy,
or none), and the security model (v1, v2c, or usm) used within an SNMP request.

You configure members of a group with the security-name statement. For v3 packets
using USM, the security name is the same as the username. For SNMPv1 or SNMPv2c
packets, the security name is determined based on the community string. Security names
are specific to a security model. If you are also configuring VACM access policies for
SNMPv1 or SNMPv2c packets, you must assign security names to groups for each security
model (SNMPv1 or SNMPv2c) at the [edit snmp v3 vacm security-to-group] hierarchy
level. You must also associate a security name with an SNMP community at the [edit
snmp v3 snmp-community community-index] hierarchy level.

To configure the access privileges for an SNMP group, include statements at the [edit
snmp v3 vacm] hierarchy level:

[edit snmp v3 vacm]
access {
    group group-name {
        (default-context-prefix | context-prefix context-prefix) {
            security-model (any | usm | v1 | v2c) {
                security-level (authentication | none | privacy) {
                    notify-view view-name;
                    read-view view-name;
                    write-view view-name;
                }
            }
        }
    }
}
security-to-group {
    security-model (usm | v1 | v2c) {
        security-name security-name {
            group group-name;
        }
    }
}

Related Documentation

• Configuring the SNMPv3 Authentication Type on page 128

• Configuring the Access Privileges Granted to a Group on page 133

• Assigning Security Model and Security Name to a Group on page 137

• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

Configuring the Access Privileges Granted to a Group

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

This topic includes the following sections:

• Configuring the Group on page 133


• Configuring the Security Model on page 133
• Configuring the Security Level on page 134
• Associating MIB Views with an SNMP User Group on page 134

Configuring the Group


To configure the access privileges granted to a group, include the group statement at
the [edit snmp v3 vacm access] hierarchy level:

[edit snmp v3 vacm access]
group group-name;

group-name is a collection of SNMP users that belong to a common SNMP list that defines
an access policy. Users belonging to a particular SNMP group inherit all access privileges
granted to that group.

Configuring the Security Model


To configure the security model, include the security-model statement at the [edit snmp
v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix)]
hierarchy level:

[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix)]
security-model (any | usm | v1 | v2c);

• any—Any security model

• usm—SNMPv3 security model

• v1—SNMPv1 security model

• v2c—SNMPv2c security model

Configuring the Security Level


To configure the access privileges granted to packets with a particular security level,
include the security-level statement at the [edit snmp v3 vacm access group group-name
(default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 |
v2c)] hierarchy level:

[edit snmp v3 vacm access group group-name default-context-prefix security-model (any
| usm | v1 | v2c)]
security-level (authentication | none | privacy);

• none—Provides no authentication and no encryption.

• authentication—Provides authentication but no encryption.

• privacy—Provides authentication and encryption.

NOTE: Access privileges are granted to all packets with a security level
equal to or greater than that configured. If you are configuring the SNMPv1
or SNMPv2c security model, use none as your security level. If you are
configuring the SNMPv3 security model (USM), use the authentication,
none, or privacy security level.

Associating MIB Views with an SNMP User Group


MIB views define access privileges for members of a group. Separate views can be applied
for each SNMP operation (read, write, and notify) within each security model (usm, v1,
and v2c) and each security level (authentication, none, and privacy) supported by SNMP.

To associate MIB views with an SNMP user group, include the following statements at
the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none |
privacy)] hierarchy level:

[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none
| privacy)]
notify-view view-name;
read-view view-name;
write-view view-name;

NOTE: You must associate at least one view (notify, read, or write) at the
[edit snmp v3 vacm access group group-name (default-context-prefix |
context-prefix context-prefix) security-model (any | usm | v1 | v2c) security-level
(authentication | none | privacy)] hierarchy level.

You must configure the MIB view at the [edit snmp view view-name] hierarchy
level. For information about how to configure MIB views, see “Configuring
MIB Views” on page 116.

This section describes the following topics related to this configuration:

• Configuring the Notify View on page 135


• Configuring the Read View on page 135
• Configuring the Write View on page 136

Configuring the Notify View


To associate notify access with an SNMP user group, include the notify-view statement
at the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none |
privacy)] hierarchy level:

[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none
| privacy)]
notify-view view-name;

view-name specifies the notify access, which is a list of notifications that can be sent to
each user in an SNMP group. A view name cannot exceed 32 characters.

Configuring the Read View


To associate a read view with an SNMP group, include the read-view statement at the
[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none |
privacy)] hierarchy level:

[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none
| privacy)]
read-view view-name;

view-name specifies read access for an SNMP user group. A view name cannot exceed
32 characters.

Configuring the Write View


To associate a write view with an SNMP user group, include the write-view statement at
the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none |
privacy)] hierarchy level:

[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none
| privacy)]
write-view view-name;

view-name specifies write access for an SNMP user group. A view name cannot exceed
32 characters.

Related Documentation

• Configuring the SNMPv3 Authentication Type on page 128

• Defining Access Privileges for an SNMP Group on page 132

• Assigning Security Model and Security Name to a Group on page 137

• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

• Example: Configuring the Access Privileges Granted to a Group on page 136

Example: Configuring the Access Privileges Granted to a Group

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

Define access privileges:

[edit snmp v3 vacm]
access {
    group group1 {
        default-context-prefix {
            security-model usm { # Define an SNMPv3 security model
                security-level privacy {
                    notify-view nv1;
                    read-view rv1;
                    write-view wv1;
                }
            }
        }
        context-prefix lr1/ri1 { # Routing instance ri1 in logical system lr1
            security-model usm {
                security-level privacy {
                    notify-view nv1;
                    read-view rv1;
                    write-view wv1;
                }
            }
        }
    }
    group group2 {
        default-context-prefix {
            security-model usm { # Define an SNMPv3 security model
                security-level authentication {
                    read-view rv2;
                    write-view wv2;
                }
            }
        }
    }
    group group3 {
        default-context-prefix {
            security-model v1 { # Define an SNMPv1 security model
                security-level none {
                    read-view rv3;
                    write-view wv3;
                }
            }
        }
    }
}

Related Documentation

• Configuring the Access Privileges Granted to a Group on page 133

• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

Assigning Security Model and Security Name to a Group

Supported Platforms ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

To assign security names to groups, include the following statements at the [edit snmp
v3 vacm security-to-group] hierarchy level:

[edit snmp v3 vacm security-to-group]
security-model (usm | v1 | v2c) {
    security-name security-name {
        group group-name;
    }
}

This topic includes the following sections:

• Configuring the Security Model on page 137


• Assigning Security Names to Groups on page 138
• Configuring the Group on page 138

Configuring the Security Model


To configure the security model, include the security-model statement at the [edit snmp
v3 vacm security-to-group] hierarchy level:

[edit snmp v3 vacm security-to-group]
security-model (usm | v1 | v2c);

• usm—SNMPv3 security model

• v1—SNMPv1 security model

• v2c—SNMPv2c security model

Assigning Security Names to Groups


To associate a security name with an SNMPv3 user, or a v1 or v2 community string, include
the security-name statement at the [edit snmp v3 vacm security-to-group security-model
(usm | v1 | v2c)] hierarchy level:

[edit snmp v3 vacm security-to-group security-model (usm | v1 | v2c)]
security-name security-name;

For SNMPv3, the security-name is the username configured at the [edit snmp v3 usm
local-engine user username] hierarchy level. For SNMPv1 and SNMPv2c, the security name
is the community string configured at the [edit snmp v3 snmp-community community-index]
hierarchy level. For information about configuring usernames, see “Creating SNMPv3
Users” on page 127. For information about configuring a community string, see “Configuring
the SNMPv3 Community” on page 156.

NOTE: The USM security name is separate from the SNMPv1 and SNMPv2c
security name. If you support SNMPv1 and SNMPv2c in addition to SNMPv3,
you must configure separate security names within the security-to-group
configuration at the [edit snmp v3 vacm access] hierarchy level.

Configuring the Group


After you have created SNMPv3 users, or v1 or v2 security names, you associate them
with a group. A group is a set of security names belonging to a particular security model.
A group defines the access rights for all users belonging to it. Access rights define what
SNMP objects can be read, written to, or created. A group also defines what notifications
a user is allowed to receive.

If you already have a group that is configured with all of the view and access permissions
that you want to give a user, you can add the user to that group. If you want to give a user
view and access permissions that no other groups have, or if you do not have any groups
configured, create a group and add the user to it.

To configure the access privileges granted to a group, include the group statement at
the [edit snmp v3 vacm security-to-group security-model (usm | v1 | v2c) security-name
security-name] hierarchy level:

[edit snmp v3 vacm security-to-group security-model (usm | v1 | v2c) security-name
security-name]
group group-name;

group-name identifies a collection of SNMP security names that share the same access
policy. For more information about groups, see “Defining Access Privileges for an SNMP
Group” on page 132.

Example: Security Group Configuration

Supported Platforms M Series, MX Series, SRX Series, T Series, vSRX

Assign security names to groups:

vacm {
    security-to-group {
        security-model usm {
            security-name user1 {
                group group1;
            }
            security-name user2 {
                group group2;
            }
            security-name user3 {
                group group3;
            }
        }
    }
}
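The following Python model is an added example, not code from this guide: it loads the group and access entries from the two configuration examples above and resolves which view a request is given, using the RFC 3415 selection rules in simplified form, including the rule that an entry applies to packets at its configured security level or higher. Assumptions: contexts are compared for exact equality, the status names noGroupName, noAccessEntry and noSuchView are taken from RFC 3415, and viewFound and all function names are chosen here.

```python
LEVEL = {"none": 0, "authentication": 1, "privacy": 2}
DEFAULT_CONTEXT = ""  # stands for default-context-prefix

# Constructed from "Example: Security Group Configuration" on this page.
SECURITY_TO_GROUP = {
    ("usm", "user1"): "group1",
    ("usm", "user2"): "group2",
    ("usm", "user3"): "group3",
}

# Constructed from "Example: Configuring the Access Privileges Granted to a Group".
ACCESS = [
    {"group": "group1", "context": DEFAULT_CONTEXT, "model": "usm", "level": "privacy",
     "views": {"notify": "nv1", "read": "rv1", "write": "wv1"}},
    {"group": "group1", "context": "lr1/ri1", "model": "usm", "level": "privacy",
     "views": {"notify": "nv1", "read": "rv1", "write": "wv1"}},
    {"group": "group2", "context": DEFAULT_CONTEXT, "model": "usm", "level": "authentication",
     "views": {"read": "rv2", "write": "wv2"}},
    {"group": "group3", "context": DEFAULT_CONTEXT, "model": "v1", "level": "none",
     "views": {"read": "rv3", "write": "wv3"}},
]


def resolve(model, name, level, context, operation):
    """Return (status, view) for a request; operation is 'read', 'write' or 'notify'."""
    group = SECURITY_TO_GROUP.get((model, name))
    if group is None:
        return ("noGroupName", None)
    candidates = [
        entry for entry in ACCESS
        if entry["group"] == group
        and entry["context"] == context            # assumption: exact context match
        and entry["model"] in (model, "any")
        and LEVEL[entry["level"]] <= LEVEL[level]  # request level equal to or greater
    ]
    if not candidates:
        return ("noAccessEntry", None)
    # Prefer an entry for the exact security model, then the highest security level.
    best = max(candidates, key=lambda e: (e["model"] == model, LEVEL[e["level"]]))
    view = best["views"].get(operation)
    return ("viewFound", view) if view else ("noSuchView", None)


def write_grants_without_privacy():
    """Access entries that accept set requests from packets that are not encrypted."""
    return [(e["group"], e["model"], e["level"], e["views"]["write"])
            for e in ACCESS
            if "write" in e["views"] and LEVEL[e["level"]] < LEVEL["privacy"]]


def members_without_access_entry():
    """Security names whose group has no access entry for their own security model."""
    return sorted(
        name for (model, name), group in SECURITY_TO_GROUP.items()
        if not any(e["group"] == group and e["model"] in (model, "any") for e in ACCESS)
    )


if __name__ == "__main__":
    print(resolve("usm", "user1", "privacy", DEFAULT_CONTEXT, "write"))
    print(resolve("usm", "user1", "authentication", DEFAULT_CONTEXT, "read"))
    print(resolve("usm", "user2", "privacy", DEFAULT_CONTEXT, "read"))
    print(write_grants_without_privacy())
    print(members_without_access_entry())
```

In this model user3 resolves to noAccessEntry for USM requests, because the group example maps user3 under security-model usm while the access example defines group3 for security-model v1 only.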

Related Documentation

• Assigning Security Model and Security Name to a Group on page 137

• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

Configuring SNMPv3 Traps on a Device Running Junos OS

Supported Platforms ACX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series

In SNMPv3, you create traps and informs by configuring the notify, target-address, and
target-parameters parameters. Traps are unconfirmed notifications, whereas informs
are confirmed notifications. This section describes how to configure SNMP traps. For
information about configuring SNMP informs, see “Configuring SNMP Informs” on page 149.

The target address defines a management application’s address and parameters to be
used in sending notifications. Target parameters define the message processing and
security parameters that are used in sending notifications to a particular management
target. SNMPv3 also lets you define SNMPv1 and SNMPv2c traps.

NOTE: When you configure SNMP traps, make sure your configured access
privileges allow the traps to be sent. Access privileges are configured at the
[edit snmp v3 vacm access] and [edit snmp v3 vacm security-to-group] hierarchy
levels.

To configure SNMP traps, include the following statements at the [edit snmp v3] hierarchy
level:

[edit snmp v3]
notify name {
    tag tag-name;
    type trap;
}
notify-filter name {
    oid object-identifier (include | exclude);
}
target-address target-address-name {
    address address;
    address-mask address-mask;
    logical-system logical-system;
    port port-number;
    routing-instance instance;
    tag-list tag-list;
    target-parameters target-parameters-name;
}
target-parameters target-parameters-name {
    notify-filter profile-name;
    parameters {
        message-processing-model (v1 | v2c | v3);
        security-level (authentication | none | privacy);
        security-model (usm | v1 | v2c);
        security-name security-name;
    }
}

Related Documentation

• Configuring the SNMPv3 Trap Notification on page 140

• Configuring the Trap Notification Filter on page 141

• Configuring the Trap Target Address on page 142

• Defining and Configuring the Trap Target Parameters on page 146

• Configuring SNMP Informs on page 149

• Configuring the Remote Engine and Remote User on page 150

• Configuring the Inform Notification Type and Target Address on page 154

Configuring the SNMPv3 Trap Notification

Supported Platforms M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series

The notify statement specifies the type of notification (trap) and contains a single tag.
The tag defines a set of target addresses to receive a trap. The tag list contains one or
more tags and is configured at the [edit snmp v3 target-address target-address-name]
hierarchy level. If the tag list contains this tag, Junos OS sends a notification to all the
target addresses associated with this tag.

To configure the trap notifications, include the notify statement at the [edit snmp v3]
hierarchy level:

[edit snmp v3]
notify name {
    tag tag-name;
    type trap;
}

name is the name assigned to the notification.

tag-name defines the target addresses to which this notification is sent. This notification
is sent to all the target-addresses that have this tag in their tag list. The tag-name is not
included in the notification.

trap is the type of notification.

NOTE: Each notify entry name must be unique.

Junos OS supports two types of notification: trap and inform.

For information about how to configure the tag list, see “Configuring the Trap Target
Address” on page 144.

Related Documentation

• Configuring SNMPv3 Traps on a Device Running Junos OS on page 139

• Configuring the Trap Notification Filter on page 141

• Configuring the Trap Target Address on page 142

• Defining and Configuring the Trap Target Parameters on page 146

• Configuring SNMP Informs on page 149

• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

Example: Configuring SNMPv3 Trap Notification

Supported Platforms M Series, MX Series, PTX Series, SRX Series, T Series

Specify three sets of destinations to send traps:

[edit snmp v3]
notify n1 {
    tag router1;
    type trap;
}
notify n2 {
    tag router2;
    type trap;
}
notify n3 {
    tag router3;
    type trap;
}

Related Documentation

• Configuring SNMPv3 Traps on a Device Running Junos OS on page 139

• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

Configuring the Trap Notification Filter

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

SNMPv3 uses the notify filter to define which traps (or which objects from which traps)
are sent to the network management system (NMS). The trap notification filter limits
the type of traps that are sent to the NMS.

Each object identifier represents a subtree of the MIB object hierarchy. The subtree can
be represented either by a sequence of dotted integers (such as 1.3.6.1.2.1.2) or by its
subtree name (such as interfaces). You can also use the wildcard character asterisk (*)
in the object identifier (OID) to specify object identifiers that match a particular pattern.

To configure the trap notifications filter, include the notify-filter statement at the
[edit snmp v3] hierarchy level:

[edit snmp v3]
notify-filter profile-name;

profile-name is the name assigned to the notify filter.

By default, the OID is set to include. To define access to traps (or objects from traps),
include the oid statement at the [edit snmp v3 notify-filter profile-name] hierarchy level:

[edit snmp v3 notify-filter profile-name]
oid oid (include | exclude);

oid is the object identifier. All MIB objects represented by this statement have the specified
OID as a prefix. It can be specified either by a sequence of dotted integers or by a subtree
name.

• include—Include the subtree of MIB objects represented by the specified OID.

• exclude—Exclude the subtree of MIB objects represented by the specified OID.
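The following Python model is an added example, not code from this guide: it shows how a set of include and exclude subtrees, with the asterisk wildcard, decides whether one OID passes a notify filter. Assumptions: the most specific (longest) matching entry wins and an OID that matches no entry is excluded, as in the RFC 3413 notification filter rules; ties go to the entry configured last; subtree names are not resolved; the filter entries and function names are constructed for illustration.

```python
# Constructed notify filter: (oid pattern, action) pairs in configured order.
# Pattern syntax follows this section: dotted integers, "*" as a wildcard.
FILTER = [
    ("1.3.6.1.6.3.1.1.5", "include"),      # standard traps subtree (snmpTraps)
    ("1.3.6.1.6.3.1.1.5.4", "exclude"),    # linkUp
    ("1.3.6.1.4.1.2636", "include"),       # enterprise subtree used as a sample
    ("1.3.6.1.4.1.2636.*.1", "exclude"),   # wildcard in the eighth position
]


def matches(pattern, oid):
    """True if oid lies in the subtree named by pattern ('*' matches any one sub-identifier)."""
    p, o = pattern.split("."), oid.split(".")
    return len(o) >= len(p) and all(a == "*" or a == b for a, b in zip(p, o))


def decide(filter_entries, oid):
    """Return (action, winning_pattern); ('exclude', None) when no entry matches."""
    best = None
    for index, (pattern, action) in enumerate(filter_entries):
        if matches(pattern, oid):
            # Longest pattern wins; assumption: on a tie the later entry wins.
            rank = (len(pattern.split(".")), index)
            if best is None or rank > best[0]:
                best = (rank, action, pattern)
    return (best[1], best[2]) if best else ("exclude", None)


def passing(filter_entries, oids):
    """Subset of oids that the filter lets through, in input order."""
    return [oid for oid in oids if decide(filter_entries, oid)[0] == "include"]


if __name__ == "__main__":
    for oid in ("1.3.6.1.6.3.1.1.5.3", "1.3.6.1.6.3.1.1.5.4",
                "1.3.6.1.4.1.2636.4.1.3", "1.3.6.1.2.1.2.2.1.8"):
        print(oid, decide(FILTER, oid))
```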

Related Documentation

• Configuring SNMPv3 Traps on a Device Running Junos OS on page 139

• Configuring the SNMPv3 Trap Notification on page 140

• Configuring the Trap Target Address on page 142

• Defining and Configuring the Trap Target Parameters on page 146

• Configuring SNMP Informs on page 149

• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

Configuring the Trap Target Address

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

The target address defines a management application’s address and parameters that
are used in sending notifications. It can also identify management stations that are
allowed to use specific community strings. When you receive a packet with a recognized
community string and a tag is associated with it, Junos OS looks up all the target addresses
with this tag and verifies that the source address of this packet matches one of the
configured target addresses.

NOTE: You must configure the address mask when you configure the SNMP
community.

To specify where you want the traps to be sent and define what SNMPv1 and SNMPv2c
packets are allowed, include the target-address statement at the [edit snmp v3] hierarchy
level:

[edit snmp v3]
target-address target-address-name;

target-address-name is the string that identifies the target address.

To configure the target address properties, include the following statements at the [edit
snmp v3 target-address target-address-name] hierarchy level:

[edit snmp v3 target-address target-address-name]
address address;
address-mask address-mask;
logical-system logical-system;
port port-number;
routing-instance instance;
tag-list tag-list;
target-parameters target-parameters-name;

This section includes the following topics:

• Configuring the Address on page 143


• Configuring the Address Mask on page 143
• Configuring the Port on page 144
• Configuring the Routing Instance on page 144
• Configuring the Trap Target Address on page 144
• Applying Target Parameters on page 145

Configuring the Address


To configure the address, include the address statement at the [edit snmp v3
target-address target-address-name] hierarchy level:

[edit snmp v3 target-address target-address-name]
address address;

address is the SNMP target address.

Configuring the Address Mask


The address mask specifies a set of addresses that are allowed to use a community
string and verifies the source addresses for a group of target addresses.

To configure the address mask, include the address-mask statement at the [edit snmp
v3 target-address target-address-name] hierarchy level:

[edit snmp v3 target-address target-address-name]
address-mask address-mask;

address-mask combined with the address defines a range of addresses. For information
about how to configure the community string, see “Configuring the SNMPv3 Community”
on page 156.

Configuring the Port


By default, the UDP port is set to 162. To configure a different port number, include the
port statement at the [edit snmp v3 target-address target-address-name] hierarchy level:

[edit snmp v3 target-address target-address-name]
port port-number;

port-number is the SNMP target port number.

Configuring the Routing Instance


Traps are sent over the default routing instance. To configure the routing instance for
sending traps, include the routing-instance statement at the [edit snmp v3 target-address
target-address-name] hierarchy level:

[edit snmp v3 target-address target-address-name]
routing-instance instance;

instance is the name of the routing instance. To configure a routing instance within a
logical system, specify the logical system name followed by the routing instance name.
Use a slash ( / ) to separate the two names (for example, test-lr/test-ri). To configure
the default routing instance on a logical system, specify the logical system name followed
by default (for example, test-lr/default).

Configuring the Trap Target Address


Each target-address statement can have one or more tags configured in its tag list. Each
tag can appear in more than one tag list. When a significant event occurs on the network
device, the tag list identifies the targets to which a notification is sent.

To configure the tag list, include the tag-list statement at the [edit snmp v3 target-address
target-address-name] hierarchy level:

[edit snmp v3 target-address target-address-name]
tag-list "tag-list";

tag-list specifies one or more tags as a space-separated list enclosed within double
quotes.

For an example of tag list configuration, see “Example: Configuring the Tag List” on
page 145.

For information about how to specify a tag at the [edit snmp v3 notify notify-name]
hierarchy level, see “Configuring the SNMPv3 Trap Notification” on page 140.

NOTE: When you configure SNMP traps, make sure your configured access
privileges allow the traps to be sent. Configure access privileges at the [edit
snmp v3 vacm access] hierarchy level.

Applying Target Parameters


The target-parameters statement at the [edit snmp v3] hierarchy level applies the target
parameters configured at the [edit snmp v3 target-parameters target-parameters-name]
hierarchy level.

To reference configured target parameters, include the target-parameters statement at
the [edit snmp v3 target-address target-address-name] hierarchy level:

[edit snmp v3 target-address target-address-name]
target-parameters target-parameters-name;

target-parameters-name is the name associated with the message processing and security
parameters that are used in sending notifications to a particular management target.

Related Documentation

• Configuring SNMPv3 Traps on a Device Running Junos OS on page 139

• Configuring the SNMPv3 Trap Notification on page 140

• Configuring the Trap Notification Filter on page 141

• Defining and Configuring the Trap Target Parameters on page 146

• Configuring SNMP Informs on page 149

• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

• Example: Configuring the Tag List on page 145

Example: Configuring the Tag List

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

In the following example, two tag entries (router1 and router2) are defined at the [edit
snmp v3 notify notify-name] hierarchy level. When an event triggers a notification, Junos
OS sends a trap to all target addresses that have router1 or router2 configured in their
target-address tag list. This results in the first two targets getting one trap each, and the
third target getting two traps.

[edit snmp v3]
notify n1 {
    tag router1; # Identifies a set of target addresses
    type trap; # Defines the type of notification
}
notify n2 {
    tag router2;
    type trap;
}
target-address ta1 {
    address 10.1.1.1;
    address-mask 255.255.255.0;
    port 162;
    tag-list router1;
    target-parameters tp1;
}
target-address ta2 {
    address 10.1.1.2;
    address-mask 255.255.255.0;
    port 162;
    tag-list router2;
    target-parameters tp2;
}
target-address ta3 {
    address 10.1.1.3;
    address-mask 255.255.255.0;
    port 162;
    tag-list "router1 router2"; # Define multiple tags in the target address tag list
    target-parameters tp3;
}
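The following Python example is added here and is not code from this guide: it parses the tag list configuration above and reproduces the stated result (one trap each for the first two targets, two for the third), then models the source-address check described under "Configuring the Trap Target Address", where address and address-mask together define the permitted range. The parser handles only the curly-brace statements used in this example, and all function names are hypothetical.

```python
import ipaddress
import re

# Copied from "Example: Configuring the Tag List" on this page.
CONFIG = """
notify n1 {
    tag router1; # Identifies a set of target addresses
    type trap;   # Defines the type of notification
}
notify n2 {
    tag router2;
    type trap;
}
target-address ta1 {
    address 10.1.1.1;
    address-mask 255.255.255.0;
    port 162;
    tag-list router1;
    target-parameters tp1;
}
target-address ta2 {
    address 10.1.1.2;
    address-mask 255.255.255.0;
    port 162;
    tag-list router2;
    target-parameters tp2;
}
target-address ta3 {
    address 10.1.1.3;
    address-mask 255.255.255.0;
    port 162;
    tag-list "router1 router2";
    target-parameters tp3;
}
"""

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse(text):
    """Parse curly-brace configuration into nested dicts keyed by the statement words."""
    tokens = TOKEN.findall(re.sub(r"#.*", "", text))  # drop comments first
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            token = tokens[pos]
            pos += 1
            if token == "{":
                node[" ".join(words)] = block()
                words = []
            elif token == ";":
                node[words[0]] = " ".join(words[1:]).strip('"')
                words = []
            elif token == "}":
                return node
            else:
                words.append(token)
        return node

    return block()


def targets(cfg):
    """Map target-address name to its statement block."""
    return {k.split()[1]: v for k, v in cfg.items() if k.startswith("target-address ")}


def fan_out(cfg):
    """Traps each target receives for one event: one per notify entry whose tag it lists."""
    counts = {name: 0 for name in targets(cfg)}
    for key, notify in cfg.items():
        if key.startswith("notify ") and notify.get("type") == "trap":
            for name, target in targets(cfg).items():
                if notify["tag"] in target.get("tag-list", "").split():
                    counts[name] += 1
    return counts


def source_allowed(cfg, tag, source):
    """True if source lies in address/address-mask of a target that carries the tag."""
    src = ipaddress.ip_address(source)
    for target in targets(cfg).values():
        if tag in target.get("tag-list", "").split():
            mask = target.get("address-mask", "255.255.255.255")
            net = ipaddress.ip_network(f"{target['address']}/{mask}", strict=False)
            if src in net:
                return True
    return False


if __name__ == "__main__":
    parsed = parse(CONFIG)
    print(fan_out(parsed))
    print(source_allowed(parsed, "router1", "10.1.1.77"))
```

With the 255.255.255.0 mask used in the example, every host in 10.1.1.0/24 passes the source check, not only the three listed addresses.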

Related Documentation

• Configuring SNMPv3 Traps on a Device Running Junos OS on page 139

• Configuring the Trap Target Address on page 142

• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

Defining and Configuring the Trap Target Parameters

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

Target parameters define the message processing and security parameters that are used
in sending notifications to a particular management target.

To define a set of target parameters, include the target-parameters statement at the
[edit snmp v3] hierarchy level:

[edit snmp v3]
target-parameters target-parameters-name;

target-parameters-name is the name assigned to the target parameters.

To configure target parameter properties, include the following statements at the [edit
snmp v3 target-parameters target-parameter-name] hierarchy level:

[edit snmp v3 target-parameters target-parameter-name]
notify-filter profile-name;
parameters {
    message-processing-model (v1 | v2c | v3);
    security-level (authentication | none | privacy);
    security-model (usm | v1 | v2c);
    security-name security-name;
}

This topic includes the following sections:

• Applying the Trap Notification Filter on page 147


• Configuring the Target Parameters on page 147

Applying the Trap Notification Filter


To apply the trap notification filter, include the notify-filter statement at the [edit snmp
v3 target-parameters target-parameter-name] hierarchy level:

[edit snmp v3 target-parameters target-parameter-name]
notify-filter profile-name;

profile-name is the name of a configured notify filter. For information about configuring
notify filters, see “Configuring the Trap Notification Filter” on page 141.

Configuring the Target Parameters


To configure target parameter properties, include the following statements at the [edit
snmp v3 target-parameters target-parameter-name parameters] hierarchy level:

[edit snmp v3 target-parameters target-parameter-name parameters]
message-processing-model (v1 | v2c | v3);
security-level (authentication | none | privacy);
security-model (usm | v1 | v2c);
security-name security-name;

This section includes the following topics:

• Configuring the Message Processing Model on page 147


• Configuring the Security Model on page 147
• Configuring the Security Level on page 148
• Configuring the Security Name on page 148

Configuring the Message Processing Model


The message processing model defines which version of SNMP to use when generating
SNMP notifications. To configure the message processing model, include the
message-processing-model statement at the [edit snmp v3 target-parameters
target-parameter-name parameters] hierarchy level:

[edit snmp v3 target-parameters target-parameter-name parameters]
message-processing-model (v1 | v2c | v3);

• v1—SNMPv1 message processing model

• v2c—SNMPv2c message processing model

• v3—SNMPv3 message processing model

Configuring the Security Model


To define the security model to use when generating SNMP notifications, include the
security-model statement at the [edit snmp v3 target-parameters target-parameter-name
parameters] hierarchy level:

[edit snmp v3 target-parameters target-parameter-name parameters]
security-model (usm | v1 | v2c);

• usm—SNMPv3 security model

• v1—SNMPv1 security model

• v2c—SNMPv2c security model

Configuring the Security Level

The security-level statement specifies whether the trap is authenticated and encrypted
before it is sent.

To configure the security level to use when generating SNMP notifications, include the
security-level statement at the [edit snmp v3 target-parameters target-parameter-name
parameters] hierarchy level:

[edit snmp v3 target-parameters target-parameter-name parameters]
security-level (authentication | none | privacy);

• authentication—Provides authentication but no encryption.

• none—No security. Provides no authentication and no encryption.

• privacy—Provides authentication and encryption.

NOTE: If you are configuring the SNMPv1 or SNMPv2c security model, use
none as your security level. If you are configuring the SNMPv3 (USM)
security model, use the authentication or privacy security level.

Configuring the Security Name


To configure the security name to use when generating SNMP notifications, include the
security-name statement at the [edit snmp v3 target-parameters target-parameter-name
parameters] hierarchy level:

[edit snmp v3 target-parameters target-parameter-name parameters]
security-name security-name;

If the USM security model is used, the security-name identifies the user that is used when
the notification is generated. If the v1 or v2c security models are used, security-name
identifies the SNMP community used when the notification is generated.

NOTE: The access privileges for the group associated with a security name
must allow this notification to be sent.

If you are using the v1 or v2c security models, the security name at the [edit
snmp v3 vacm security-to-group] hierarchy level must match the security
name at the [edit snmp v3 snmp-community community-index] hierarchy level.

Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 139
• Configuring the SNMPv3 Trap Notification on page 140
• Configuring the Trap Notification Filter on page 141
• Configuring the Trap Target Address on page 142
• Configuring SNMP Informs on page 149
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

Configuring SNMP Informs

Supported Platforms ACX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series, vSRX

Junos OS supports two types of notifications: traps and informs. With traps, the receiver
does not send any acknowledgment when it receives a trap. Therefore, the sender cannot
determine if the trap was received. A trap may be lost if a problem occurs during
transmission. Informs increase reliability: an inform is similar to a trap, except that
it is stored and retransmitted at regular intervals until one of these conditions occurs:

• The receiver (target) of the inform returns an acknowledgment to the SNMP agent.

• A specified number of unsuccessful retransmissions have been attempted and the
agent discards the inform message.

If the sender never receives a response, the inform can be sent again. Thus, informs are
more likely to reach their intended destination than traps are. Informs use the same
communications channel as traps (same socket and port) but have different protocol
data unit (PDU) types.

Informs are more reliable than traps, but they consume more network, router, and switch
resources (see Figure 1 on page 149). Unlike a trap, an inform is held in memory until a
response is received or the timeout is reached. Also, traps are sent only once, whereas
an inform may be retried several times. Use informs when it is important that the SNMP
manager receive all notifications. However, if you are more concerned about network
traffic, or router and switch memory, use traps.

Figure 1: Inform Request and Response

For information about configuring SNMP traps, see “Configuring SNMPv3 Traps on a
Device Running Junos OS” on page 139.

Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 139
• Configuring the Remote Engine and Remote User on page 150
• Configuring the Inform Notification Type and Target Address on page 154
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

Configuring the Remote Engine and Remote User

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

To send inform messages to an SNMPv3 user on a remote device, you must first specify
the engine identifier for the SNMP agent on the remote device where the user resides.
The remote engine ID is used to compute the security digest for authenticating and
encrypting packets sent to a user on the remote host. When sending an inform message,
the agent uses the credentials of the user configured on the remote engine (inform target).

To configure a remote engine and remote user to receive and respond to SNMP informs,
include the following statements at the [edit snmp v3] hierarchy level:

[edit snmp v3]
usm {
    remote-engine engine-id {
        user username {
            authentication-md5 {
                authentication-key key;
            }
            authentication-none;
            authentication-sha {
                authentication-key key;
            }
            privacy-3des {
                privacy-key key;
            }
            privacy-aes128 {
                privacy-key key;
            }
            privacy-des {
                privacy-key key;
            }
            privacy-none;
        }
    }
}

For informs, remote-engine engine-id is the identifier for the SNMP agent on the remote
device where the user resides.

For informs, user username is the user on a remote SNMP engine who receives the informs.

Generated informs can be unauthenticated, authenticated, or authenticated_and_encrypted,
depending on the security level of the SNMPv3 user configured on the remote engine
(the inform receiver). The authentication key is used to generate the message
authentication code (MAC). The privacy key is used to encrypt the inform PDU part of
the message.
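The reason the remote engine ID has to be known before a remote user can be configured is visible in the standard USM key derivation (RFC 3414), where a password-derived key is bound to one engine ID. The sketch below is an added example, not Juniper code and not taken from this guide; the password in the demo is constructed, and how Junos OS stores keys internally is not described on this page.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 hashes exactly this many octets of repeated password


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: digest of the password repeated (and truncated) to 1,048,576 octets."""
    if len(password) < 8:
        raise ValueError("SNMPv3 plain-text passwords need at least eight characters")
    reps, rest = divmod(MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rest]).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul: bind Ku to one engine by hashing Ku || snmpEngineID || Ku."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, algo: str = "sha1") -> str:
    """Return the hex localized key for a password on the given engine."""
    engine_id = bytes.fromhex(engine_id_hex)  # spaces between octets are accepted
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5 to 32 octets")
    ku = password_to_key(password.encode(), algo)
    return localize(ku, engine_id, algo).hex()


def keys_for_engines(password: str, engine_ids: list, algo: str = "sha1") -> dict:
    """Show that one password yields a different key on every engine."""
    return {eid: localized_key(password, eid, algo) for eid in engine_ids}


if __name__ == "__main__":
    # Constructed password; the engine IDs are the remote and local IDs that
    # appear in this guide's remote-engine example.
    engines = ["800007E5804089071BC6D10A41", "80 00 0a 4c 01 0a ff 03 e3"]
    for eid, key in keys_for_engines("constructed-pass-1", engines).items():
        print(eid, key)
```

Because the key is localized, a key derived for one engine does not authenticate on another, and a wrong remote-engine value produces keys the inform receiver rejects.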

Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 139
• Configuring SNMP Informs on page 149
• Configuring the Inform Notification Type and Target Address on page 154
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122
• Example: Configuring the Remote Engine ID and Remote User on page 151

Example: Configuring the Remote Engine ID and Remote User

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

This example shows how to configure a remote engine and remote user so you can receive
and respond to SNMP inform notifications. Inform notifications can be authenticated
and encrypted. They are also more reliable than traps, another type of notification that
Junos OS supports. Unlike traps, inform notifications are stored and retransmitted at
regular intervals until one of these conditions occurs:

• The target of the inform notification returns an acknowledgment to the SNMP agent.

• A specified number of unsuccessful retransmissions have been attempted.

• Requirements on page 151


• Overview on page 151
• Configuration on page 152
• Verification on page 153

Requirements
No special configuration beyond device initialization is required before configuring this
example.

This feature requires the use of plain-text passwords valid for SNMPv3. SNMPv3 has the
following special requirements when you create plain-text passwords on a router or
switch:

• The password must be at least eight characters long.

• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.

Although quotation marks are not always required to enclose passwords, it is best to use
them. Quotation marks are needed if the password contains any spaces, and possibly for
certain special characters or punctuation.

Overview
Inform notifications are supported in SNMPv3 to increase reliability. For example, an
SNMP agent receiving an inform notification acknowledges the receipt.

For inform notifications, the remote engine ID identifies the SNMP agent on the remote
device where the user resides, and the username identifies the user on a remote SNMP
engine who receives the inform notifications.

Consider a scenario in which you have the values in Table 13 on page 152 to use in
configuring the remote engine ID and remote user in this example.

Table 13: Values to Use in Example

Name of Variable          Value
username                  u10
remote engine ID          800007E5804089071BC6D10A41
authentication type       authentication-md5
authentication password   qol67R%?
encryption type           privacy-des
privacy password          m*72Jl9v

Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands and paste them into a
text file, remove any line breaks and change any details necessary to match your network
configuration, copy and paste these commands into the CLI at the [edit snmp v3] hierarchy
level, and then enter commit from configuration mode.

set usm remote-engine 800007E5804089071BC6D10A41 user u10 authentication-md5 authentication-key "qol67R%?"
set usm remote-engine 800007E5804089071BC6D10A41 user u10 privacy-des privacy-key "m*72Jl9v"

Configuring the Remote Engine and Remote User

Step-by-Step Procedure
The following example requires that you navigate to various levels in the configuration
hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the Junos OS CLI User Guide.

To configure the remote engine ID and remote user:

1. Configure the remote engine ID, username, and authentication type and password.

[edit snmp v3]
user@host# set usm remote-engine 800007E5804089071BC6D10A41 user u10 authentication-md5 authentication-key "qol67R%?"

2. Configure the encryption type and privacy password.

You can configure only one encryption type per SNMPv3 user.

[edit snmp v3]
user@host# set usm remote-engine 800007E5804089071BC6D10A41 user u10 privacy-des privacy-key "m*72Jl9v"

Results

In configuration mode, confirm your configuration by entering the show command. If the
output does not display the intended configuration, repeat the instructions in this example
to correct the configuration.

[edit snmp v3]
user@host# show
usm {
    remote-engine 800007E5804089071BC6D10A41 {
        user u10 {
            authentication-md5 {
                authentication-key "$9$Tz/teK8NdsLXk.f5n6p0ORev"; ## SECRET-DATA
            }
            privacy-des {
                privacy-key "$9$/gyNCu1KvWdwYMWw2gJHkRhcrWx"; ## SECRET-DATA
            }
        }
    }
}

After you have confirmed that the configuration is correct, enter commit from configuration
mode.

Verification

Verifying the Configuration of the Remote Engine ID and Username

Purpose Verify the status of the engine ID and user information.

Action Display information about the SNMPv3 engine ID and user.

user@host> show snmp v3
Local engine ID: 80 00 0a 4c 01 0a ff 03 e3
Engine boots: 3
Engine time: 769187 seconds
Max msg size: 65507 bytes

Engine ID: 80 00 07 e5 80 40 89 07 1b c6 d1 0a 41
User       Auth/Priv    Storage       Status
u10        md5/des      nonvolatile   active

Meaning The output displays the following information:

• Local engine ID and detail about the engine

• Remote engine ID (labeled Engine ID)

• Username

• Authentication type and encryption (privacy) type that is configured for the user

• Type of storage for the username, either nonvolatile (configuration saved) or volatile
(not saved)

• Status of the new user; only users with an active status can use SNMPv3
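The two engine IDs in the output above follow the SnmpEngineID layout from RFC 3411, so they can be decoded and the displayed remote ID compared with the configured one. The decoder below is an added example, not part of this guide or of Junos OS; the function names are hypothetical. Enterprise number 2636 in the local engine ID is Juniper's IANA enterprise number.

```python
import ipaddress

# Format octet (fifth octet) values defined by RFC 3411.
FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def decode_engine_id(text: str) -> dict:
    """Decode an snmpEngineID written as hex, with or without spaces or colons."""
    raw = bytes.fromhex(text.replace(":", " "))
    if not 5 <= len(raw) <= 32:
        raise ValueError("snmpEngineID must be 5 to 32 octets")
    if set(raw) in ({0x00}, {0xFF}):
        raise ValueError("snmpEngineID may not be all zeros or all ff")
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    info = {"hex": raw.hex(), "enterprise": enterprise}
    if not raw[0] & 0x80:
        # Pre-SNMPv3 layout: enterprise number plus enterprise-defined octets.
        info.update(format="legacy", value=raw[4:].hex())
        return info
    fmt, body = raw[4], raw[5:]
    if fmt == 1 and len(body) == 4:
        value = str(ipaddress.IPv4Address(body))
    elif fmt == 2 and len(body) == 16:
        value = str(ipaddress.IPv6Address(body))
    elif fmt == 3 and len(body) == 6:
        value = ":".join(f"{b:02x}" for b in body)
    elif fmt == 4:
        value = body.decode("ascii", errors="replace")
    else:
        value = body.hex()  # octets, reserved, enterprise-specific or malformed
    kind = FORMATS.get(fmt, "enterprise-specific" if fmt >= 128 else "reserved")
    info.update(format=kind, value=value)
    return info


def same_engine(configured: str, displayed: str) -> bool:
    """True when the configured remote-engine value equals the displayed Engine ID."""
    return decode_engine_id(configured)["hex"] == decode_engine_id(displayed)["hex"]


if __name__ == "__main__":
    print(decode_engine_id("80 00 0a 4c 01 0a ff 03 e3"))  # local engine ID
    print(decode_engine_id("800007E5804089071BC6D10A41"))  # remote engine ID
    print(same_engine("800007E5804089071BC6D10A41",
                      "80 00 07 e5 80 40 89 07 1b c6 d1 0a 41"))
```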

Related Documentation
• show snmp v3 on page 880
• Configuring the SNMPv3 Encryption Type on page 130
• Configuring the SNMPv3 Authentication Type on page 128
• Configuring SNMP Informs on page 149
• Configuring the Remote Engine and Remote User on page 150

Configuring the Inform Notification Type and Target Address

Supported Platforms ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series

To configure the inform notification type and target information, include the following
statements at the [edit snmp v3] hierarchy level:

[edit snmp v3]
notify name {
    tag tag-name;
    type (trap | inform);
}
target-address target-address-name {
    address address;
    address-mask address-mask;
    logical-system logical-system;
    port port-number;
    retry-count number;
    routing-instance instance;
    tag-list tag-list;
    target-parameters target-parameters-name;
    timeout seconds;
}
target-parameters target-parameters-name {
    notify-filter profile-name;
    parameters {
        message-processing-model (v1 | v2c | v3);
        security-level (authentication | none | privacy);
        security-model (usm | v1 | v2c);
        security-name security-name;
    }
}

notify name is the name assigned to the notification. Each notify entry name must be
unique.

tag tag-name defines the target addresses that are sent this notification. The notification
is sent to all target addresses that have this tag in their tag list. The tag-name is not
included in the notification. For information about how to configure the tag list, see
“Configuring the Trap Target Address” on page 144.

type inform is the type of notification.

target-address target-address-name identifies the target address. The target address
defines a management application’s address and parameters that are used to respond
to informs.

timeout seconds is the number of seconds to wait for an acknowledgment. If no
acknowledgment is received within the timeout period, the inform is retransmitted. The
default timeout is 15 seconds.

retry-count number is the maximum number of times an inform is transmitted if no
acknowledgment is received. The default is 3. If no acknowledgment is received after
the inform is transmitted the maximum number of times, the inform message is discarded.

message-processing-model defines which version of SNMP to use when SNMP
notifications are generated. Informs require a v3 message processing model.

security-model defines the security model to use when SNMP notifications are generated.
Informs require a usm security model.

security-level specifies whether the inform is authenticated and encrypted before it is
sent. For the usm security model, the security level must be one of the following:

• authentication—Provides authentication but no encryption.

• privacy—Provides authentication and encryption.

security-name identifies the username that is used when generating the inform.

Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 139
• Configuring SNMP Informs on page 149
• Configuring the Remote Engine and Remote User on page 150
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122
• Example: Configuring the Inform Notification Type and Target Address on page 155

Example: Configuring the Inform Notification Type and Target Address

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

In the following example, target 172.17.20.184 is configured to respond to informs. The
inform timeout is 30 seconds and the maximum retransmit count is 3. The inform is sent
to all targets in the tl1 list. The security model for the remote user is usm and the remote
engine username is u10.

[edit snmp v3]
notify n1 {
    type inform;
    tag tl1;
}
notify-filter nf1 {
    oid .1.3 include;
}
target-address ta1 {
    address 172.17.20.184;
    retry-count 3;
    tag-list tl1;
    address-mask 255.255.255.0;
    target-parameters tp1;
    timeout 30;
}
target-parameters tp1 {
    parameters {
        message-processing-model v3;
        security-model usm;
        security-level privacy;
        security-name u10;
    }
    notify-filter nf1;
}
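The constraints this chapter states for notifications (v1 and v2c security models take security level none, usm takes authentication or privacy, informs need v3 with usm, and every tag, filter, target-parameters and security-name reference has to resolve) can be checked before commit. The linter below is an added example, not a Juniper tool; it parses only the simple brace layout shown in this guide, and the warning about MD5 and DES in favor of the authentication-sha and privacy-aes128 statements is this example's own policy.

```python
import re

# Constructed sample: the inform example above plus remote user u10 from the
# remote-engine example; key values are placeholders.
SAMPLE = """
usm {
    remote-engine 800007E5804089071BC6D10A41 {
        user u10 {
            authentication-md5 {
                authentication-key "<placeholder>";
            }
            privacy-des {
                privacy-key "<placeholder>";
            }
        }
    }
}
notify n1 {
    type inform;
    tag tl1;
}
notify-filter nf1 {
    oid .1.3 include;
}
target-address ta1 {
    address 172.17.20.184;
    tag-list tl1;
    target-parameters tp1;
}
target-parameters tp1 {
    parameters {
        message-processing-model v3;
        security-model usm;
        security-level privacy;
        security-name u10;
    }
    notify-filter nf1;
}
"""
# Hypothetical policy for this example: statements to flag and what to prefer.
WEAK = {"authentication-md5": "authentication-sha",
        "privacy-des": "privacy-aes128", "privacy-3des": "privacy-aes128"}


def parse(text):
    """Parse brace-delimited Junos configuration text into nested dicts."""
    stack = [{}]
    for line in text.splitlines():
        # Drop '#' comments, but keep a '#' that sits inside a quoted string.
        line = re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or "", line).strip()
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value.strip() or True
    return stack[0]


def blocks(cfg, kind):
    """Return {name: body} for each 'kind name { ... }' block directly in cfg."""
    return {k.split(" ", 1)[1]: v for k, v in cfg.items()
            if " " in k and isinstance(v, dict) and k.split(" ", 1)[0] == kind}


def lint(text):
    """Return sorted findings for the SNMPv3 notification statements in text."""
    cfg, out, users = parse(text), set(), {}
    for engine in blocks(cfg.get("usm", {}), "remote-engine").values():
        users.update(blocks(engine, "user"))
    filters, params = blocks(cfg, "notify-filter"), blocks(cfg, "target-parameters")
    for name, tp in params.items():
        p = tp.get("parameters", {})
        model, level = p.get("security-model"), p.get("security-level")
        if model in ("v1", "v2c") and level != "none":
            out.add(f"{name}: security-model {model} requires security-level none")
        if model == "usm" and level not in ("authentication", "privacy"):
            out.add(f"{name}: usm requires security-level authentication or privacy")
        if "notify-filter" in tp and tp["notify-filter"] not in filters:
            out.add(f"{name}: notify-filter {tp['notify-filter']} is not defined")
    for nname, n in blocks(cfg, "notify").items():
        if n.get("type") != "inform":
            continue
        hits = [t for t in blocks(cfg, "target-address").values()
                if n.get("tag") in str(t.get("tag-list", "")).strip('"').split()]
        if not hits:
            out.add(f"{nname}: no target-address carries tag {n.get('tag')}")
        for t in hits:
            tpname = t.get("target-parameters")
            p = params.get(tpname, {}).get("parameters", {})
            if (p.get("message-processing-model"), p.get("security-model")) != ("v3", "usm"):
                out.add(f"{nname}: informs require v3 and usm in {tpname}")
            uname = p.get("security-name")
            user = users.get(uname)
            if user is None:
                out.add(f"{nname}: security-name {uname} is not a remote-engine user")
                continue
            out.update(f"user {uname}: {weak} is weak, prefer {better}"
                       for weak, better in WEAK.items() if weak in user)
    return sorted(out)
```

Calling lint(SAMPLE) on the guide's own example reports only the two algorithm warnings for user u10.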

Related Documentation
• Configuring the Inform Notification Type and Target Address on page 154
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122

Configuring the SNMPv3 Community

Supported Platforms ACX Series, M Series, MX Series, PTX Series, QFabric System, QFX Series, T Series

The SNMP community defines the relationship between an SNMP server system and the
client systems. This statement is optional.

To configure the SNMP community, include the snmp-community statement at the [edit
snmp v3] hierarchy level:

[edit snmp v3]
snmp-community community-index;

community-index is the index for the SNMP community.

To configure the SNMP community properties, include the following statements at the
[edit snmp v3 snmp-community community-index] hierarchy level:

[edit snmp v3 snmp-community community-index]
community-name community-name;
context context-name;
security-name security-name;
tag tag-name;

This section includes the following topics:

• Configuring the Community Name on page 157
• Configuring the Context on page 157
• Configuring the Security Names on page 157
• Configuring the Tag on page 158

Configuring the Community Name


The community name defines the SNMP community. The SNMP community authorizes
SNMPv1 or SNMPv2c clients. The access privileges associated with the configured security
name define which MIB objects are available and the operations (read, write, or notify)
allowed on those objects.

To configure the SNMP community name, include the community-name statement at
the [edit snmp v3 snmp-community community-index] hierarchy level:

[edit snmp v3 snmp-community community-index]
community-name community-name;

community-name is the community string for an SNMPv1 or SNMPv2c community.

If unconfigured, it is the same as the community index.

If the community name contains spaces, enclose it in quotation marks (“ “).

NOTE: Community names must be unique. You cannot configure the same
community name at the [edit snmp community] and [edit snmp v3
snmp-community community-index] hierarchy levels. The configured
community name at the [edit snmp v3 snmp-community community-index]
hierarchy level is encrypted. You cannot view the community name after you
have configured it and committed your changes. In the command-line
interface (CLI), the community name is concealed.

Configuring the Context


An SNMP context defines a collection of management information that is accessible to
an SNMP entity. Typically, an SNMP entity has access to multiple contexts. A context
can be a physical or logical system, a collection of multiple systems, or even a subset of
a system. Each context in a management domain has a unique identifier.

To configure an SNMP context, include the context context-name statement at the [edit
snmp v3 snmp-community community-index] hierarchy level:

[edit snmp v3 snmp-community community-index]
context context-name;

NOTE: To query a routing instance or a logical system,

Configuring the Security Names


To assign a community string to a security name, include the security-name statement
at the [edit snmp v3 snmp-community community-index] hierarchy level:

[edit snmp v3 snmp-community community-index]
security-name security-name;

security-name is used when access control is set up. The security-to-group configuration
at the [edit snmp v3 vacm] hierarchy level identifies the group.

NOTE: This security name must match the security name configured at the
[edit snmp v3 target-parameters target-parameters-name parameters] hierarchy
level when you configure traps.

Configuring the Tag


To configure the tag, include the tag statement at the [edit snmp v3 snmp-community
community-index] hierarchy level:

[edit snmp v3 snmp-community community-index]
tag tag-name;

tag-name identifies the address of managers that are allowed to use a community string.

Related Documentation
• Creating SNMPv3 Users on page 127
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122
• Example: Configuring an SNMPv3 Community on page 158

Example: Configuring an SNMPv3 Community

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

Define an SNMP community:

[edit snmp v3]
snmp-community index1 {
    community-name "$9$JOZi.QF/AtOz3"; # SECRET-DATA
    security-name john;
    tag router1; # Identifies managers that are allowed to use
                 # a community string
}
target-address ta1 {
    address 10.1.1.1;
    address-mask 255.255.255.0; # Defines the range of addresses
    port 162;
    tag-list router1;
    target-parameters tp1; # Applies configured target parameters
}

Related Documentation
• Configuring the SNMPv3 Community on page 156
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 122


CHAPTER 8

Configuring SNMP for Routing Instances

• Understanding SNMP Support for Routing Instances on page 159


• SNMP MIBs Supported for Routing Instances on page 160
• Support Classes for MIB Objects on page 170
• SNMP Traps Supported for Routing Instances on page 171
• Identifying a Routing Instance on page 172
• Enabling SNMP Access over Routing Instances on page 173
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community on page 173
• Example: Configuring Interface Settings for a Routing Instance on page 174
• Configuring Access Lists for SNMP Access over Routing Instances on page 176

Understanding SNMP Support for Routing Instances

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

Junos OS enables SNMP managers for all routing instances to request and manage SNMP
data related to the corresponding routing instances and logical system networks.

In Junos OS:

• Clients from routing instances other than the default can access MIB objects and
perform SNMP operations only on the logical system networks to which they belong.

• Clients from the default routing instance can access information related to all routing
instances and logical system networks.

Before Junos OS Release 8.4, only the SNMP manager in the default routing instance
(inet.0) had access to the MIB objects.

With the increase in virtual private network (VPN) service offerings, this feature is useful
particularly for service providers who need to obtain SNMP data for specific routing
instances (see Figure 2 on page 160). Service providers can use this information for their
own management needs or export the data for use by their customers.

Figure 2: SNMP Data for Routing Instances

If no routing instance is specified in the request, the SNMP agent operates as before:

• For nonrouting table objects, all instances are exposed.

• For routing table objects, only those associated with the default routing instance are
exposed.

NOTE: The actual protocol data units (PDUs) are still exchanged over the
default (inet.0) routing instance, but the data contents returned are dictated
by the routing instance specified in the request PDUs.

Related Documentation
• Support Classes for MIB Objects on page 170
• SNMP Traps Supported for Routing Instances on page 171
• Identifying a Routing Instance on page 172
• Enabling SNMP Access over Routing Instances on page 173
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community on page 173
• Configuring Access Lists for SNMP Access over Routing Instances on page 176

SNMP MIBs Supported for Routing Instances

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

Table 14 on page 160 shows enterprise-specific MIB objects supported by Junos OS and
provides notes detailing how they are handled when a routing instance is specified in an
SNMP request. An en dash (–) indicates that the item is not applicable.

Table 14: MIB Support for Routing Instances (Juniper Networks MIBs)

Object                       Support Class  Description/Notes

jnxProducts(1)               –              Product Object IDs

jnxServices(2)               –              Services

jnxMibs(3)                   Class 3        Objects are exposed only for the default
  jnxBoxAnatomy(1)                          logical system.

mpls(2)                      Class 2        All instances within a logical system are
                                            exposed. Data will not be segregated down
                                            to the routing instance level.

ifJnx(3)                     Class 1        Only those logical interfaces (and their
                                            parent physical interfaces) that belong to
                                            a specific routing instance are exposed.

jnxAlarms(4)                 Class 3        Objects are exposed only for the default
                                            logical system.

jnxFirewalls(5)              Class 4        Data is not segregated by routing instance.
                                            All instances are exposed.

jnxDCUs(6)                   Class 1        Only those logical interfaces (and their
                                            parent physical interfaces) that belong to
                                            a specific routing instance are exposed.

jnxPingMIB(7)                Class 3        Objects are exposed only for the default
                                            logical system.

jnxTraceRouteMIB(8)          Class 3        Objects are exposed only for the default
                                            logical system.

jnxATM(10)                   Class 1        Only those logical interfaces (and their
                                            parent physical interfaces) that belong to
                                            a specific routing instance are exposed.

jnxIpv6(11)                  Class 4        Data is not segregated by routing instance.
                                            All instances are exposed.

jnxIpv4(12)                  Class 1        jnxIpv4AddrTable(1). Only those logical
                                            interfaces (and their parent physical
                                            interfaces) that belong to a specific routing
                                            instance are exposed.

jnxRmon(13)                  Class 3        jnxRmonAlarmTable(1). Objects are
                                            exposed only for the default logical
                                            system.

jnxLdp(14)                   Class 2        jnxLdpTrapVars(1). All instances within a
                                            logical system are exposed. Data will not
                                            be segregated down to the routing
                                            instance level.

jnxCos(15)                   Class 3        Objects are exposed only for the default
  jnxCosIfqStatsTable(1)                    logical system.
  jnxCosFcTable(2)
  jnxCosFcIdTable(3)
  jnxCosQstatTable(4)

jnxScu(16)                   Class 1        Only those logical interfaces (and their
  jnxScuStatsTable(1)                       parent physical interfaces) that belong to
                                            a specific routing instance are exposed.

jnxRpf(17)                   Class 1        Only those logical interfaces (and their
  jnxRpfStatsTable(1)                       parent physical interfaces) that belong to
                                            a specific routing instance are exposed.

jnxCfgMgmt(18)               Class 3        Objects are exposed only for the default
                                            logical system.

jnxPMon(19)                  Class 1        Only those logical interfaces (and their
  jnxPMonFlowTable(1)                       parent physical interfaces) that belong to
  jnxPMonErrorTable(2)                      a specific routing instance are exposed.
  jnxPMonMemoryTable(3)

jnxSonet(20)                 Class 1        Only those logical interfaces (and their
  jnxSonetAlarmTable(1)                     parent physical interfaces) that belong to
                                            a specific routing instance are exposed.

jnxAtmCos(21)                Class 1        Only those logical interfaces (and their
  jnxCosAtmVcTable(1)                       parent physical interfaces) that belong to
  jnxCosAtmScTable(2)                       a specific routing instance are exposed.
  jnxCosAtmVcQstatsTable(3)
  jnxCosAtmTrunkTable(4)

ipSecFlowMonitorMIB(22)      –              –

jnxMac(23)                   Class 1        Only those logical interfaces (and their
  jnxMacStats(1)                            parent physical interfaces) that belong to
                                            a specific routing instance are exposed.

apsMIB(24)                   Class 3        Objects are exposed only for the default
                                            logical system.

jnxChassisDefines(25)        Class 3        Objects are exposed only for the default
                                            logical system.

jnxVpnMIB(26)                Class 2        All instances within a logical system are
                                            exposed. Data will not be segregated down
                                            to the routing instance level.

jnxSericesInfoMib(27)        Class 1        Only those logical interfaces (and their
                                            parent physical interfaces) that belong to
                                            a specific routing instance are exposed.

jnxCollectorMIB(28)          Class 1        Only those logical interfaces (and their
                                            parent physical interfaces) that belong to
                                            a specific routing instance are exposed.

jnxHistory(29)               –              –

jnxSpMIB(32)                 Class 3        Objects are exposed only for the default
                                            logical system.

Table 15 on page 164 shows Class 1 MIB objects (standard and enterprise-specific MIBs)
supported by Junos OS. With Class 1 objects, only those logical interfaces (and their
parent physical interfaces) that belong to a specific routing instance are exposed.

Table 15: Class 1 MIB Objects (Standard and Juniper MIBs)

Class    MIB                     Objects

Class 1  802.3ad.mib             (dot3adAgg) MIB objects: dot3adAggTable,
                                 dot3adAggPortListTable
                                 (dot3adAggPort) dot3adAggPortTable,
                                 dot3adAggPortStatsTable, dot3adAggPortDebugTable

         rfc2863a.mib            ifTable, ifXTable, ifStackTable

         rfc2011a.mib            ipAddrTable, ipNetToMediaTable

         rtmib.mib               ipForward (ipCidrRouteTable)

         rfc2665a.mib            dot3StatsTable, dot3ControlTable, dot3PauseTable

         rfc2495a.mib            dsx1ConfigTable, dsx1CurrentTable, dsx1IntervalTable,
                                 dsx1TotalTable, dsx1FarEndCurrentTable,
                                 dsx1FarEndIntervalTable, dsx1FarEndTotalTable,
                                 dsx1FracTable ...

         rfc2496a.mib            dsx3 (dsx3ConfigTable)

         rfc2115a.mib            frDlcmiTable (and related MIB objects)

         rfc3592.mib             sonetMediumTable (and related MIB objects)

         rfc3020.mib             mfrMIB, mfrBundleTable, mfrMibBundleLinkObjects,
                                 mfrBundleIfIndexMappingTable
                                 (and related MIB objects)

         ospf2mib.mib            All objects

         ospf2trap.mib           All objects

         bgpmib.mib              All objects

         rfc2819a.mib            Example: etherStatsTable

         rfc2863a.mib            Examples: ifXtable, ifStackTable

         rfc2665a.mib            etherMIB

         rfc2515a.mib            atmMIB objects
                                 Examples: atmInterfaceConfTable, atmVplTable,
                                 atmVclTable

         rfc2465.mib             ip-v6mib
                                 Examples: ipv6IfTable, ipv6AddrPrefixTable,
                                 ipv6NetToMediaTable, ipv6RouteTable

         rfc2787a.mib            vrrp mib

         rfc2932.mib             ipMRouteMIB, ipMRouteStdMIB

         mroutemib.mib           ipMRoute1MIBObjects

         isismib.mib             isisMIB

         pimmib.mib              pimMIB

         msdpmib.mib             msdpmib

         jnx-if-extensions.mib   Examples: ifJnxTable, ifChassisTable

         jnx-dcu.mib             jnxDCUs

         jnx-atm.mib             Examples: jnxAtmIfTable, jnxAtmVCTable, jnxAtmVpTable

         jnx-ipv4.mib            jnxipv4
                                 Example: jnxIpv4AddrTable

         jnx-cos.mib             Examples: jnxCosIfqStatsTable, jnxCosQstatTable

         jnx-scu.mib             Example: jnxScuStatsTable

         jnx-rpf.mib             Example: jnxRpfStatsTable

         jnx-pmon.mib            Example: jnxPMonFlowTable

         jnx-sonet.mib           Example: jnxSonetAlarmTable

         jnx-atm-cos.mib         Examples: jnxCosAtmVcTable, jnxCosAtmVcScTable,
                                 jnxCosAtmVcQstatsTable, jnxCosAtmTrunkTable

         jnx-mac.mib             Example: jnxMacStatsTable

         jnx-services.mib        Example: jnxSvcFlowTableAggStatsTable

         jnx-coll.mib            jnxCollectorMIB
                                 Examples: jnxCollPicIfTable, jnxCollFileEntry

Table 16 on page 168 shows Class 2 MIB objects (standard and enterprise-specific MIBs)
supported by Junos OS. With Class 2 objects, all instances within a logical system are
exposed. Data will not be segregated down to the routing instance level.


Table 16: Class 2 MIB Objects (Standard and Juniper MIBs)

Class    MIB                    Objects
-------  ---------------------  ------------------------------------------------
Class 2  rfc3813.mib            mplsLsrStdMIB
                                Examples: mplsInterfaceTable, mplsInSegmentTable,
                                mplsOutSegmentTable, mplsLabelStackTable,
                                mplsXCTable (and related MIB objects)
         igmpmib.mib            igmpStdMIB
                                NOTE: The igmpmib.mib is the draft version of the
                                IGMP Standard MIB in the experimental tree. Junos
                                OS does not support the original IGMP Standard
                                MIB.
         l3vpnmib.mib           mplsVpnmib
         jnx-mpls.mib           Example: mplsLspList
         jnx-ldp.mib            jnxLdp
                                Example: jnxLdpStatsTable
         jnx-vpn.mib            jnxVpnMIB
         jnx-bgpmib2.mib        jnxBgpM2Experiment

Table 17 on page 169 shows Class 3 MIB objects (standard and enterprise-specific MIBs)
supported by Junos OS. With Class 3, objects are exposed only for the default logical
system.


Table 17: Class 3 MIB Objects (Standard and Juniper MIBs)

Class    MIB                    Objects
-------  ---------------------  ------------------------------------------------
Class 3  rfc2819a.mib           rmonEvents, alarmTable, logTable, eventTable,
                                agentxMIB
         rfc2925a.mib           pingmib
         rfc2925b.mib           tracerouteMIB
         jnxchassis.mib         jnxBoxAnatomy
         jnx-chassis-alarm.mib  jnxAlarms
         jnx-ping.mib           jnxPingMIB
         jnx-traceroute.mib     jnxTraceRouteMIB
         jnx-rmon.mib           jnxRmonAlarmTable
         jnx-cos.mib            Example: jnxCosFcTable
         jnx-cfgmgmt.mib        Example: jnxCfgMgmt
         jnx-sonetaps.mib       apsMIBObjects
         jnx-sp.mib             jnxSpMIB
         ggsn.mib               ejnmobileipABmib
         rfc1907.mib            snmpModules
         snmpModules            Examples: snmpMIB, snmpFrameworkMIB

Table 18 on page 170 shows Class 4 MIB objects (standard and enterprise-specific MIBs)
supported by Junos OS. With Class 4 objects, data is not segregated by routing instance.
All instances are exposed.


Table 18: Class 4 MIB Objects (Standard and Juniper MIBs)

Class    MIB                    Objects
-------  ---------------------  ------------------------------------------------
Class 4  system                 Example: sysORTable
         rfc2011a.mib           ip (ipDefaultTTL, ipInReceives), icmp
         rfc2012a.mib           tcp, tcpConnTable, ipv6TcpConnTable
         rfc2013a.mib           udp, udpTable, ipv6UdpTable
         rfc2790a.mib           hrSystem
         rfc2287a.mib           sysApplOBJ
         jnx-firewall.mib       jnxFirewalls
         jnx-ipv6.mib           jnxIpv6

Related Documentation
• Understanding SNMP Support for Routing Instances on page 159
• Support Classes for MIB Objects on page 170
• SNMP Traps Supported for Routing Instances on page 171

Support Classes for MIB Objects

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

When a routing instance is specified, all routing-related MIB objects return data maintained
by the routing instance in the request. For all other MIB objects, the data returned is
segregated according to that routing instance. For example, only those interfaces assigned
to that routing instance (for example, the logical interfaces [ifls] as well as their
corresponding physical interfaces [ifds]) are exposed by the SNMP agent. Similarly,
objects with an unambiguous attachment to an interface (for example, addresses) are
segregated as well.

For those objects where the attachment is ambiguous (for example, objects in
sysApplMIB), no segregation is done and all instances are visible in all cases.

Another category of objects is visible only when no logical system is specified (only within
the default logical system) regardless of the routing instance within the default logical
system. Objects in this category are Chassis MIB objects, objects in the SNMP group,
RMON alarm, event and log groups, Ping MIB objects, configuration management objects,
and V3 objects.

In summary, to support routing instances, MIB objects fall into one of the following
categories:

• Class 1—Data is segregated according to the routing instance in the request. This is the
most granular of the segregation classes.

• Class 2—Data is segregated according to the logical system specified in the request.
The same data is returned for all routing instances that belong to a particular logical
system. Typically, this applies to routing table objects where it is difficult to extract
routing instance information or where routing instances do not apply.

• Class 3—Data is exposed only for the default logical system. The same set of data is
returned for all routing instances that belong to the default logical system. If you specify
another logical system (not the default), no data is returned. Typically this class applies
to objects implemented in subagents that do not monitor logical system changes and
register their objects using only the default context (for example, Chassis MIB objects).

• Class 4—Data is not segregated by routing instance. The same data is returned for all
routing instances. Typically, this applies to objects implemented in subagents that
monitor logical system changes and register or deregister all their objects for each
logical system change. Objects whose values cannot be segregated by routing instance
fall into this class.

See “SNMP MIBs Supported for Routing Instances” on page 160 for a list of the objects
associated with each class.

Related Documentation
• Understanding SNMP Support for Routing Instances on page 159
• SNMP Traps Supported for Routing Instances on page 171

SNMP Traps Supported for Routing Instances

Supported Platforms M Series, MX Series, PTX Series, T Series

You can restrict the trap receivers from receiving traps that are not related to the logical
system networks to which they belong. To do this, include the logical-system-trap-filter
statement at the [edit snmp] hierarchy level:

[edit snmp]
logical-system-trap-filter;

If the logical-system-trap-filter statement is not included in the SNMP configuration, all
traps are forwarded to the configured routing instance destinations. However, even when
this statement is configured, the trap receiver associated with the default routing instance
will receive all SNMP traps.

When configured under the trap-group object, all v1 and v2c traps that apply to routing
instances (or interfaces belonging to a routing instance) have the routing instance name
encoded in the community string. The encoding is identical to that used in request PDUs.


For traps configured under the v3 framework, the routing instance name is carried in the
context field when the v3 message processing model has been configured. For other
message processing models (v1 or v2c), the routing instance name is not carried in the
trap message header (and not encoded in the community string).

Related Documentation
• Understanding SNMP Support for Routing Instances on page 159
• Support Classes for MIB Objects on page 170
• SNMP MIBs Supported for Routing Instances on page 160

Identifying a Routing Instance

Supported Platforms ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

With this feature, a routing instance is identified either by the context field in v3 requests
or by its name encoded in the community string in v1 or v2c requests.

When encoded in a community string, the routing instance name appears first and is
separated from the actual community string by the @ character.

To avoid conflicts with valid community strings that contain the @ character, the
community is parsed only if typical community string processing fails. For example, if a
routing instance named RI is configured, an SNMP request with RI@public is processed
within the context of the RI routing instance. Access control (views, source address
restrictions, access privileges, and so on) is applied according to the actual community
string (the set of data after the @ character—in this case public). However, if the
community string RI@public is configured, the protocol data unit (PDU) is processed
according to that community and the embedded routing instance name is ignored.

Logical systems perform a subset of the actions of a physical router and have their own
unique routing tables, interfaces, policies, and routing instances. When a routing instance
is defined within a logical system, the logical system name must be encoded along with
the routing instance using a slash ( / ) to separate the two. For example, if the routing
instance RI is configured within the logical system LS, that routing instance must be
encoded within a community string as LS/RI@public. When a routing instance is configured
outside a logical system (within the default logical system), no logical system name (or
/ character) is needed.

Also, when a logical system is created, a default routing instance (named default) is
always created within the logical system. This name should be used when querying data
for that routing instance (for example, LS/default@public). For v3 requests, the name
logical system/routing instance should be identified directly in the context field.

NOTE: To identify a virtual LAN (VLAN) spanning-tree instance (VSTP on
MX Series 3D Universal Edge Routers), specify the routing instance name
followed by a double colon (::) and the VLAN ID. For example, to identify
VSTP instance for VLAN 10 in the global default routing instance, include
default::10@public in the context (SNMPv3) or community (SNMPv1 or v2)
string.
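
The resolution order described in this section, written out as an added Python example (not Juniper's code and not part of the original guide). It assumes the string is split at the first @ and that the configured communities are available as a set; resolve_community and SnmpContext are illustrative names. Note that access control is keyed on the community field of the result, never on the routing instance prefix.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class SnmpContext:
    community: str                   # the string access control is applied to
    logical_system: Optional[str]    # None means the default logical system
    routing_instance: Optional[str]  # None means no instance was encoded
    vlan_id: Optional[int]           # set only for the VSTP "instance::vlan" form


def resolve_community(received: str, configured: Set[str]) -> Optional[SnmpContext]:
    """Map a received v1/v2c community string to (community, LS, RI, VLAN).

    Returns None when no configured community matches.
    """
    # 1. Typical community processing comes first. A configured community
    #    that itself contains '@' matches here, so any embedded routing
    #    instance name is ignored.
    if received in configured:
        return SnmpContext(received, None, None, None)

    # 2. Only when step 1 fails is the string parsed as <name>@<community>.
    #    Assumption: the split is made at the first '@'.
    name, sep, community = received.partition("@")
    if not sep or not name or community not in configured:
        return None

    # Optional VSTP form: <routing-instance>::<vlan-id>
    vlan_id = None
    if "::" in name:
        name, _, vlan = name.rpartition("::")
        if not (vlan.isascii() and vlan.isdigit()):
            return None
        vlan_id = int(vlan)

    # Optional logical system: <logical-system>/<routing-instance>
    logical_system = None
    if "/" in name:
        logical_system, _, name = name.partition("/")
        if not logical_system:
            return None
    if not name:
        return None
    return SnmpContext(community, logical_system, name, vlan_id)


# Constructed sample: communities configured on a hypothetical device.
CONFIGURED = {"public", "RI@public"}

if __name__ == "__main__":
    for s in ("public", "RI@public", "RI2@public", "LS/RI@public",
              "LS/default@public", "default::10@public", "RI@private"):
        print(f"{s!r:22} -> {resolve_community(s, CONFIGURED)}")
```
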


Related Documentation
• Understanding SNMP Support for Routing Instances on page 159
• Enabling SNMP Access over Routing Instances on page 173
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community on page 173

Enabling SNMP Access over Routing Instances

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

To enable SNMP managers in routing instances other than the default routing instance
to access SNMP information, include the routing-instance-access statement at the [edit
snmp] hierarchy level:

[edit snmp]
routing-instance-access;

If this statement is not included in the SNMP configuration, SNMP managers from routing
instances other than the default routing instance cannot access SNMP information.

Related Documentation
• Understanding SNMP Support for Routing Instances on page 159
• Identifying a Routing Instance on page 172
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community on page 173
• Configuring Access Lists for SNMP Access over Routing Instances on page 176

Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

You can specify the routing instance along with the client information when you add a
client to an SNMP community. To specify the routing instance to which a client belongs,
include the routing-instance statement followed by the routing instance name and client
information in the SNMP configuration.

The following example shows the configuration statement to add routing instance test-ri
to SNMP community community1.

NOTE: Routing instances specified at the [edit snmp community
community-name] hierarchy level are added to the default logical system in
the community.

[edit snmp]
community community1 {
    clients {
        10.209.152.33/32;
    }
    routing-instance test-ri {
        clients {
            10.19.19.1/32;
        }
    }
}

If the routing instance is defined within a logical system, include the routing-instance
statement at the [edit snmp community community-name logical-system
logical-system-name] hierarchy level, as in the following example:

[edit snmp]
community community1 {
    clients {
        10.209.152.33/32;
    }
    logical-system test-LS {
        routing-instance test-ri {
            clients {
                10.19.19.1/32;
            }
        }
    }
}

Related Documentation
• Understanding SNMP Support for Routing Instances on page 159
• Identifying a Routing Instance on page 172
• Enabling SNMP Access over Routing Instances on page 173
• Configuring Access Lists for SNMP Access over Routing Instances on page 176
• Example: Configuring Interface Settings for a Routing Instance on page 174

Example: Configuring Interface Settings for a Routing Instance

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

This example shows an 802.3ad ae0 interface configuration allocated to a routing instance
named INFrtd:

[edit chassis]
aggregated-devices {
    ethernet {
        device-count 5;
    }
}
[edit interfaces ae0]
vlan-tagging;
aggregated-ether-options {
    minimum-links 2;
    link-speed 100m;
}
unit 0 {
    vlan-id 100;
    family inet {
        address 10.1.0.1/24;
    }
}
[edit interfaces fe-1/1/0]
fastether-options {
    802.3ad ae0;
}
[edit interfaces fe-1/1/1]
fastether-options {
    802.3ad ae0;
}
[edit routing-instances]
INFrtd {
    instance-type virtual-router;
    interface fe-1/1/0.0;
    interface fe-1/1/1.0;
    interface fe-1/1/5.0;
    interface ae0.0;
    protocols {
        ospf {
            area 0.0.0.0 {
                interface all;
            }
        }
    }
}

The following snmpwalk command shows how to retrieve SNMP-related information
from router1 and the 802.3ad bundle interface belonging to routing instance INFrtd with
the SNMP community public:

router# snmpwalk -Os router1 INFrtd@public dot3adAggTable
dot3adAggMACAddress.59 = 0:90:69:92:93:f0
dot3adAggMACAddress.65 = 0:90:69:92:93:f0
dot3adAggActorSystemPriority.59 = 0
dot3adAggActorSystemPriority.65 = 0
dot3adAggActorSystemID.59 = 0:0:0:0:0:0
dot3adAggActorSystemID.65 = 0:0:0:0:0:0
dot3adAggAggregateOrIndividual.59 = true(1)
dot3adAggAggregateOrIndividual.65 = true(1)
dot3adAggActorAdminKey.59 = 0
dot3adAggActorAdminKey.65 = 0
dot3adAggActorOperKey.59 = 0
dot3adAggActorOperKey.65 = 0
dot3adAggPartnerSystemID.59 = 0:0:0:0:0:0
dot3adAggPartnerSystemID.65 = 0:0:0:0:0:0
dot3adAggPartnerSystemPriority.59 = 0
dot3adAggPartnerSystemPriority.65 = 0
dot3adAggPartnerOperKey.59 = 0
dot3adAggPartnerOperKey.65 = 0
dot3adAggCollectorMaxDelay.59 = 0
dot3adAggCollectorMaxDelay.65 = 0

Related Documentation
• Understanding SNMP Support for Routing Instances on page 159
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community on page 173


Configuring Access Lists for SNMP Access over Routing Instances

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

You can create and maintain access lists to manage access to SNMP information. Access
list configuration enables you to allow or deny SNMP access to clients of a specific routing
instance.

The following example shows how to create an access list:

[edit snmp]
routing-instance-access {
    access-list {
        ri1 restrict;
        ls1/default;
        ls1/ri2;
        ls1*;
    }
}

The configuration given in the example:

• Restricts clients in ri1 from accessing SNMP information.

• Allows clients in ls1/default, ls1/ri2, and all other routing instances with names starting
with ls1 to access SNMP information.

You can use the wildcard character (*) to represent a string in the routing instance name.

NOTE: You cannot restrict the SNMP manager of the default routing instance
from accessing SNMP information.

Related Documentation
• Understanding SNMP Support for Routing Instances on page 159
• Enabling SNMP Access over Routing Instances on page 173
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community on page 173



CHAPTER 9

Configuring SNMP Remote Operations

• SNMP Remote Operations Overview on page 177
• Using the Ping MIB for Remote Monitoring Devices Running Junos OS on page 180
• Starting a Ping Test on page 180
• Monitoring a Running Ping Test on page 182
• Gathering Ping Test Results on page 184
• Stopping a Ping Test on page 186
• Interpreting Ping Variables on page 186
• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 187
• Starting a Traceroute Test on page 187
• Monitoring a Running Traceroute Test on page 189
• Monitoring Traceroute Test Completion on page 193
• Gathering Traceroute Test Results on page 194
• Stopping a Traceroute Test on page 195
• Interpreting Traceroute Variables on page 196

SNMP Remote Operations Overview

Supported Platforms ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

An SNMP remote operation is any process on the router that can be controlled remotely
using SNMP. Junos OS currently provides support for two SNMP remote operations: the
Ping MIB and Traceroute MIB, defined in RFC 2925. Using these MIBs, an SNMP client in
the network management system (NMS) can:

• Start a series of operations on a router

• Receive notification when the operations are complete

• Gather the results of each operation

Junos OS also provides extended functionality to these MIBs in the Juniper Networks
enterprise-specific extensions jnxPingMIB and jnxTraceRouteMIB. For more information
about jnxPingMIB and jnxTraceRouteMIB, see PING MIB and Traceroute MIB.


This topic covers the following sections:

• SNMP Remote Operation Requirements on page 178
• Setting SNMP Views on page 178
• Setting Trap Notification for Remote Operations on page 179
• Using Variable-Length String Indexes on page 179
• Enabling Logging on page 180

SNMP Remote Operation Requirements


To use SNMP remote operations, you should be experienced with SNMP conventions.
You must also configure Junos OS to allow the use of the remote operation MIBs.

Setting SNMP Views


All remote operation MIBs supported by Junos OS require that the SNMP clients have
read-write privileges. The default SNMP configuration of Junos OS does not provide
clients with a community string with such privileges.

To set read-write privileges for an SNMP community string, include the following
statements at the [edit snmp] hierarchy level:

[edit snmp]
community community-name {
    authorization authorization;
    view view-name;
}
view view-name {
    oid object-identifier (include | exclude);
}

Example: Setting SNMP Views


To create a community named remote-community that grants SNMP clients read-write
access to the Ping MIB, jnxPing MIB, Traceroute MIB, and jnxTraceRoute MIB, include the
following statements at the [edit snmp] hierarchy level:

snmp {
    view remote-view {
        oid 1.3.6.1.2.1.80 include; # pingMIB
        oid 1.3.6.1.4.1.2636.3.7 include; # jnxPingMIB
        oid 1.3.6.1.2.1.81 include; # traceRouteMIB
        oid 1.3.6.1.4.1.2636.3.8 include; # jnxTraceRouteMIB
    }
    community remote-community {
        view remote-view;
        authorization read-write;
    }
}

For more information about the community statement, see “Configuring SNMP
Communities” on page 99 and community (SNMP).


For more information about the view statement, see “Configuring MIB Views” on page 116,
view (Associating a MIB View with a Community), and view (Configuring a MIB View).

Setting Trap Notification for Remote Operations


In addition to configuring the remote operations MIB for trap notification, you must also
configure Junos OS. You must specify a target host for remote operations traps.

To configure trap notification for SNMP remote operations, include the categories and
targets statements at the [edit snmp trap-group group-name] hierarchy level:

[edit snmp trap-group group-name]
categories {
    category;
}
targets {
    address;
}

Example: Setting Trap Notification for Remote Operations


Specify 172.17.12.213 as a target host for all remote operation traps:

snmp {
    trap-group remote-traps {
        categories remote-operations;
        targets {
            172.17.12.213;
        }
    }
}

For more information about trap groups, see “Configuring SNMP Trap Groups” on page 112.

Using Variable-Length String Indexes


All tabular objects in the remote operations MIBs supported by Junos OS are indexed by
two variables of type SnmpAdminString. For more information about SnmpAdminString,
see RFC 2571.

Junos OS does not handle SnmpAdminString any differently from the octet string variable
type. However, the indexes are defined as variable length. When a variable length string
is used as an index, the length of the string must be included as part of the object identifier
(OID).

Example: Set Variable-Length String Indexes

To reference the pingCtlTargetAddress variable of a row in pingCtlTable where
pingCtlOwnerIndex is bob and pingCtlTestName is test, use the following object identifier
(OID):

pingMIB.pingObjects.pingCtlTable.pingCtlEntry.pingCtlTargetAddress."bob"."test"
1.3.6.1.2.1.80.1.2.1.4.3.98.111.98.4.116.101.115.116

For more information about the definition of the Ping MIB, see RFC 2925.
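
An added example, not part of the original guide: building and parsing the length-prefixed index sub-identifiers described above. It goes one step beyond the text by also decoding an OID back into its owner and test name, which is what a poller needs when walking the table; the function names are illustrative.

```python
# pingMIB.pingObjects.pingCtlTable.pingCtlEntry, from the OID shown above
PING_CTL_ENTRY = (1, 3, 6, 1, 2, 1, 80, 1, 2, 1)
PING_CTL_TARGET_ADDRESS = 4   # column number, also from the OID shown above


def encode_string_index(value):
    """Variable-length string index: the length, then one sub-identifier per octet."""
    octets = value.encode("utf-8")
    return (len(octets), *octets)


def decode_string_indexes(subids, count):
    """Split `count` length-prefixed strings off the front of subids.

    Returns (list of strings, tuple of remaining sub-identifiers).
    """
    subids = list(subids)
    strings, pos = [], 0
    for _ in range(count):
        if pos >= len(subids):
            raise ValueError("index truncated: missing length")
        length = subids[pos]
        chunk = subids[pos + 1:pos + 1 + length]
        if len(chunk) != length or any(not 0 <= b <= 255 for b in chunk):
            raise ValueError("index truncated or octet out of range")
        strings.append(bytes(chunk).decode("utf-8"))
        pos += 1 + length
    return strings, tuple(subids[pos:])


def column_oid(entry, column, owner, test_name):
    """Numeric OID of one column instance for the row (owner, test_name)."""
    parts = (tuple(entry) + (column,)
             + encode_string_index(owner) + encode_string_index(test_name))
    return ".".join(str(p) for p in parts)


def parse_instance(oid, entry=PING_CTL_ENTRY):
    """Return (column, owner, test_name, trailing) for an OID under `entry`.

    `trailing` is empty for pingCtlTable; for a table with a third index,
    such as pingProbeHistoryTable, it holds the remaining sub-identifiers.
    """
    subids = tuple(int(p) for p in oid.strip(".").split("."))
    entry = tuple(entry)
    if subids[:len(entry)] != entry or len(subids) <= len(entry):
        raise ValueError("OID is not under the expected table entry")
    column = subids[len(entry)]
    (owner, test_name), trailing = decode_string_indexes(subids[len(entry) + 1:], 2)
    return column, owner, test_name, trailing


if __name__ == "__main__":
    oid = column_oid(PING_CTL_ENTRY, PING_CTL_TARGET_ADDRESS, "bob", "test")
    print(oid)
    print(parse_instance(oid))
```
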


Enabling Logging
The SNMP error code returned in response to SNMP requests can only provide a generic
description of the problem. The error descriptions logged by the remote operations
process can often provide more detailed information about the problem and help you
to solve the problem faster. This logging is not enabled by default. To enable logging,
include the flag general statement at the [edit snmp traceoptions] hierarchy level:

[edit]
snmp {
    traceoptions {
        flag general;
    }
}

For more information about traceoptions, see “Tracing SNMP Activity on a Device Running
Junos OS” on page 203.

If the remote operations process receives an SNMP request that it cannot accommodate,
the error is logged in the /var/log/rmopd file. To monitor this log file, issue the monitor
start rmopd command in operational mode of the command-line interface (CLI).

Related Documentation
• Using the Ping MIB for Remote Monitoring Devices Running Junos OS on page 180
• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 187

Using the Ping MIB for Remote Monitoring Devices Running Junos OS

Supported Platforms M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

A ping test is used to determine whether packets sent from the local host reach the
designated host and are returned. If the designated host can be reached, the ping test
provides the approximate round-trip time for the packets. Ping test results are stored in
pingResultsTable and pingProbeHistoryTable.

RFC 2925 is the authoritative description of the Ping MIB and provides the ASN.1
MIB definition of the Ping MIB.

Related Documentation
• SNMP Remote Operations Overview on page 177
• Starting a Ping Test on page 180
• Monitoring a Running Ping Test on page 182
• Gathering Ping Test Results on page 184
• Stopping a Ping Test on page 186
• Interpreting Ping Variables on page 186

Starting a Ping Test

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series


Before you start a ping test, configure a Ping MIB view. This allows SNMP Set requests
on pingMIB. To start a ping test, create a row in pingCtlTable and set pingCtlAdminStatus
to enabled. The minimum information that must be specified before setting
pingCtlAdminStatus to enabled is:

• pingCtlOwnerIndex (SnmpAdminString)

• pingCtlTestName (SnmpAdminString)

• pingCtlTargetAddress (InetAddress)

• pingCtlTargetAddressType (InetAddressType)

• pingCtlRowStatus (RowStatus)

For all other values, defaults are chosen unless otherwise specified. pingCtlOwnerIndex
and pingCtlTestName are used as the index, so their values are specified as part of the
object identifier (OID). To create a row, set pingCtlRowStatus to createAndWait or
createAndGo on a row that does not already exist. A value of active for pingCtlRowStatus
indicates that all necessary information has been supplied and the test can begin;
pingCtlAdminStatus can be set to enabled. An SNMP Set request that sets
pingCtlRowStatus to active will fail if the necessary information in the row is not specified
or is inconsistent. For information about how to configure a view, see “Setting SNMP
Views” on page 178.

There are two ways to start a ping test:

• Using Multiple Set Protocol Data Units (PDUs) on page 181
• Using a Single Set PDU on page 181

Using Multiple Set Protocol Data Units (PDUs)


You can use multiple Set request PDUs (multiple PDUs, with one or more varbinds each)
and set the following variables in this order to start the test:

• pingCtlRowStatus to createAndWait

• All appropriate test variables

• pingCtlRowStatus to active

Junos OS now verifies that all necessary information to run a test has been specified.

• pingCtlAdminStatus to enabled

Using a Single Set PDU


You can use a single Set request PDU (one PDU, with multiple varbinds) to set the
following variables to start the test:

• pingCtlRowStatus to createAndGo

• All appropriate test variables

• pingCtlAdminStatus to enabled
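
The two Set sequences above, as an added Python example that is not part of the original guide. It builds the varbinds for both methods and renders each PDU as a Net-SNMP snmpset command line; the column numbers and enumeration values are taken from RFC 2925, and the IPv4 target, the host name router1 and the function names are assumptions.

```python
import ipaddress
import shlex

PING_CTL_ENTRY = "1.3.6.1.2.1.80.1.2.1"   # pingCtlEntry, as in the OID shown in this chapter
# Column numbers and enumeration values below are taken from RFC 2925.
COLUMN = {"pingCtlTargetAddressType": 3, "pingCtlTargetAddress": 4,
          "pingCtlAdminStatus": 8, "pingCtlRowStatus": 23}
ROW_STATUS = {"active": 1, "createAndGo": 4, "createAndWait": 5}
ADMIN_ENABLED = 1
INET_ADDRESS_TYPE_IPV4 = 1


def index_suffix(owner, test_name):
    """pingCtlOwnerIndex and pingCtlTestName as length-prefixed sub-identifiers."""
    subids = []
    for text in (owner, test_name):
        octets = text.encode("utf-8")
        subids += [len(octets), *octets]
    return ".".join(map(str, subids))


def varbind(column, owner, test_name, value_type, value):
    """(oid, snmpset type letter, value) for one column of the row."""
    oid = f"{PING_CTL_ENTRY}.{COLUMN[column]}.{index_suffix(owner, test_name)}"
    return (oid, value_type, str(value))


def target_varbinds(owner, test_name, target_ipv4):
    """The mandatory test variables for an IPv4 target."""
    packed = ipaddress.IPv4Address(target_ipv4).packed   # rejects malformed input
    return [
        varbind("pingCtlTargetAddressType", owner, test_name, "i", INET_ADDRESS_TYPE_IPV4),
        varbind("pingCtlTargetAddress", owner, test_name, "x", packed.hex()),
    ]


def single_pdu(owner, test_name, target_ipv4):
    """One Set PDU carrying every varbind."""
    return [[
        varbind("pingCtlRowStatus", owner, test_name, "i", ROW_STATUS["createAndGo"]),
        *target_varbinds(owner, test_name, target_ipv4),
        varbind("pingCtlAdminStatus", owner, test_name, "i", ADMIN_ENABLED),
    ]]


def multiple_pdus(owner, test_name, target_ipv4):
    """Four Set PDUs, in the order the section requires."""
    return [
        [varbind("pingCtlRowStatus", owner, test_name, "i", ROW_STATUS["createAndWait"])],
        target_varbinds(owner, test_name, target_ipv4),
        [varbind("pingCtlRowStatus", owner, test_name, "i", ROW_STATUS["active"])],
        [varbind("pingCtlAdminStatus", owner, test_name, "i", ADMIN_ENABLED)],
    ]


def snmpset_command(pdu, community, host):
    """Render one PDU as an snmpset command line (one command sends one PDU)."""
    args = ["snmpset", "-v2c", "-c", community, host]
    for oid, value_type, value in pdu:
        args += [oid, value_type, value]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed values: owner "bob" and test "test" are the chapter's index
    # example; the target address and host name are placeholders.
    for pdu in multiple_pdus("bob", "test", "10.1.0.1"):
        print(snmpset_command(pdu, "remote-community", "router1"))
```
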


Monitoring a Running Ping Test

When pingCtlAdminStatus is successfully set to enabled, the following is done before
the acknowledgment of the SNMP Set request is sent back to the client:

• pingResultsEntry is created if it does not already exist.

• pingResultsOperStatus transitions to enabled.

For more information, see the following sections:

• pingResultsTable on page 182
• pingProbeHistoryTable on page 183
• Generating Traps on page 184

pingResultsTable
While the test is running, pingResultsEntry keeps track of the status of the test. The value
of pingResultsOperStatus is enabled while the test is running and disabled when it has
stopped.

The value of pingCtlAdminStatus remains enabled until you set it to disabled. Thus, to
get the status of the test, you must examine pingResultsOperStatus.

The pingCtlFrequency variable can be used to schedule many tests for one pingCtlEntry.
After a test ends normally (you did not stop the test) and the pingCtlFrequency number
of seconds has elapsed, the test is started again just as if you had set pingCtlAdminStatus
to enabled. If you intervene at any time between repeated tests (you set
pingCtlAdminStatus to disabled or pingCtlRowStatus to notInService), the repeat feature
is disabled until another test is started and ends normally. A value of 0 for
pingCtlFrequency indicates this repeat feature is not active.

pingResultsIpTgtAddr and pingResultsIpTgtAddrType are set to the value of the resolved
destination address when the value of pingCtlTargetAddressType is dns. When a test
starts successfully and pingResultsOperStatus transitions to enabled:

• pingResultsIpTgtAddr is set to null-string.

• pingResultsIpTgtAddrType is set to unknown.

pingResultsIpTgtAddr and pingResultsIpTgtAddrType are not set until
pingCtlTargetAddress can be resolved to a numeric address. To retrieve these values,
poll pingResultsIpTgtAddrType for any value other than unknown after successfully setting
pingCtlAdminStatus to enabled.

At the start of a test, pingResultsSentProbes is initialized to 1 and the first probe is sent.
pingResultsSentProbes increases by 1 each time a probe is sent.

As the test runs, every pingCtlTimeOut seconds, the following occur:

• pingProbeHistoryStatus for the corresponding pingProbeHistoryEntry in
pingProbeHistoryTable is set to requestTimedOut.


• A pingProbeFailed trap is generated, if necessary.

• An attempt is made to send the next probe.

NOTE: No more than one outstanding probe exists for each test.

For every probe, you can receive one of the following results:

• The target host acknowledges the probe with a response.

• The probe times out; there is no response from the target host acknowledging the
probe.

• The probe could not be sent.

Each probe result is recorded in pingProbeHistoryTable. For more information about
pingProbeHistoryTable, see “pingProbeHistoryTable” on page 183.

When a response is received from the target host acknowledging the current probe:

• pingResultsProbeResponses increases by 1.

• The following variables are updated:

• pingResultsMinRtt—Minimum round-trip time

• pingResultsMaxRtt—Maximum round-trip time

• pingResultsAverageRtt—Average round-trip time

• pingResultsRttSumOfSquares—Sum of squares of round-trip times

• pingResultsLastGoodProbe—Timestamp of the last response

NOTE: Only probes that result in a response from the target host
contribute to the calculation of the round-trip time (RTT) variables.

When a response to the last probe is received or the last probe has timed out, the test is
complete.

pingProbeHistoryTable
An entry in pingProbeHistoryTable (pingProbeHistoryEntry) represents a probe result and
is indexed by three variables:

• The first two variables, pingCtlOwnerIndex and pingCtlTestName, are the same ones
used for pingCtlTable, which identifies the test.

• The third variable, pingProbeHistoryIndex, is a counter to uniquely identify each probe
result.


The maximum number of pingProbeHistoryTable entries created for a given test is limited
by pingCtlMaxRows. If pingCtlMaxRows is set to 0, no pingProbeHistoryTable entries are
created for that test.

Each time a probe result is determined, a pingProbeHistoryEntry is created and added to
pingProbeHistoryTable. pingProbeHistoryIndex of the new pingProbeHistoryEntry is 1
greater than the last pingProbeHistoryEntry added to pingProbeHistoryTable for that test.
pingProbeHistoryIndex is set to 1 if this is the first entry in the table. The same test can be
run multiple times, so this index keeps growing.

If pingProbeHistoryIndex of the last pingProbeHistoryEntry added is 0xFFFFFFFF, the next
pingProbeHistoryEntry added has pingProbeHistoryIndex set to 1.

The following are recorded for each probe result:

• pingProbeHistoryResponse—Time to live (TTL)

• pingProbeHistoryStatus—What happened and why

• pingProbeHistoryLastRC—Return code (RC) value of ICMP packet

• pingProbeHistoryTime—Timestamp when probe result was determined

When a probe cannot be sent, pingProbeHistoryResponse is set to 0. When a probe times
out, pingProbeHistoryResponse is set to the difference between the time when the probe
was discovered to be timed out and the time when the probe was sent.

Generating Traps
For any trap to be generated, the appropriate bit of pingCtlTrapGeneration must be set.
You must also configure a trap group to receive remote operations. A trap is generated
under the following conditions:

• A pingProbeFailed trap is generated every time pingCtlTrapProbeFailureFilter number
of consecutive probes fail during the test.

• A pingTestFailed trap is generated when the test completes and at least
pingCtlTrapTestFailureFilter number of probes fail.

• A pingTestCompleted trap is generated when the test completes and fewer than
pingCtlTrapTestFailureFilter probes fail.

NOTE: A probe is considered a failure when pingProbeHistoryStatus of the
probe result is anything besides responseReceived.

For information about how to configure a trap group to receive remote operations, see
“Configuring SNMP Trap Groups” on page 112 and “Example: Setting Trap Notification
for Remote Operations” on page 179.

Gathering Ping Test Results

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series


You can either poll pingResultsOperStatus to find out when the test is complete or request
that a trap be sent when the test is complete. For more information about
pingResultsOperStatus, see “pingResultsTable” on page 182. For more information about
Ping MIB traps, see “Generating Traps” on page 184.

The statistics calculated and then stored in pingResultsTable include:

• pingResultsMinRtt—Minimum round-trip time

• pingResultsMaxRtt—Maximum round-trip time

• pingResultsAverageRtt—Average round-trip time

• pingResultsProbeResponses—Number of responses received

• pingResultsSentProbes—Number of attempts to send probes

• pingResultsRttSumOfSquares—Sum of squares of round-trip times

• pingResultsLastGoodProbe—Timestamp of the last response

You can also consult pingProbeHistoryTable for more detailed information about each
probe. The index used for pingProbeHistoryTable starts at 1, goes to 0xFFFFFFFF, and
wraps to 1 again.

For example, if pingCtlProbeCount is 15 and pingCtlMaxRows is 5, then upon completion
of the first run of this test, pingProbeHistoryTable contains probes like those in
Table 19 on page 185.

Table 19: Results in pingProbeHistoryTable: After the First Ping Test

pingProbeHistoryIndex   Probe Result
11                      Result of 11th probe from run 1
12                      Result of 12th probe from run 1
13                      Result of 13th probe from run 1
14                      Result of 14th probe from run 1
15                      Result of 15th probe from run 1

Upon completion of the first probe of the second run of this test, pingProbeHistoryTable
will contain probes like those in Table 20 on page 185.

Table 20: Results in pingProbeHistoryTable: After the First Probe of the Second Test

pingProbeHistoryIndex   Probe Result
12                      Result of 12th probe from run 1
13                      Result of 13th probe from run 1
14                      Result of 14th probe from run 1
15                      Result of 15th probe from run 1
16                      Result of 1st probe from run 2

Upon completion of the second run of this test, pingProbeHistoryTable will contain probes
like those in Table 21 on page 186.

Table 21: Results in pingProbeHistoryTable: After the Second Ping Test

pingProbeHistoryIndex   Probe Result
26                      Result of 11th probe from run 2
27                      Result of 12th probe from run 2
28                      Result of 13th probe from run 2
29                      Result of 14th probe from run 2
30                      Result of 15th probe from run 2

History entries can be deleted from the MIB in two ways:

• More history entries for a given test are added and the number of history entries exceeds
pingCtlMaxRows. The oldest history entries are deleted to make room for the new ones.

• You delete the entire test by setting pingCtlRowStatus to destroy.
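The following model is an added example, not Junos OS code: it replays the history indexing, the pingCtlMaxRows eviction and the three trap conditions described above, so the states in Tables 19 through 21 can be reproduced. The class name, its parameters and the use of a set of trap names in place of the pingCtlTrapGeneration bits are assumptions made for the illustration.

```python
from collections import OrderedDict

INDEX_MAX = 0xFFFFFFFF  # after this value pingProbeHistoryIndex wraps to 1
ALL_TRAPS = frozenset({"pingProbeFailed", "pingTestFailed", "pingTestCompleted"})


class PingTestModel:
    """Constructed model of one pingCtlEntry (hypothetical helper, not Junos OS code)."""

    def __init__(self, max_rows, probe_fail_filter=1, test_fail_filter=1,
                 enabled_traps=ALL_TRAPS, last_index=0):
        self.max_rows = max_rows                    # pingCtlMaxRows
        self.probe_fail_filter = probe_fail_filter  # pingCtlTrapProbeFailureFilter
        self.test_fail_filter = test_fail_filter    # pingCtlTrapTestFailureFilter
        self.enabled_traps = enabled_traps          # stand-in for pingCtlTrapGeneration bits
        self.last_index = last_index                # last index handed out, 0 = none yet
        self.history = OrderedDict()                # index -> (run, probe number, status)
        self.run = 0

    def start_run(self):
        self.run += 1
        self.probe_no = 0
        self.failures = 0
        self.consecutive = 0

    def probe(self, status):
        """Record one probe result and return the traps it triggers."""
        self.probe_no += 1
        if self.max_rows > 0:                       # 0 means no history entries at all
            wrap = self.last_index in (0, INDEX_MAX)
            self.last_index = 1 if wrap else self.last_index + 1
            self.history[self.last_index] = (self.run, self.probe_no, status)
            while len(self.history) > self.max_rows:
                self.history.popitem(last=False)    # oldest entry makes room
        if status == "responseReceived":
            self.consecutive = 0
            return []
        # Anything besides responseReceived counts as a failed probe.
        self.failures += 1
        self.consecutive += 1
        if self.probe_fail_filter and self.consecutive % self.probe_fail_filter == 0:
            return self._emit("pingProbeFailed")
        return []

    def finish(self):
        """Return the trap generated when the test completes."""
        if self.test_fail_filter and self.failures >= self.test_fail_filter:
            return self._emit("pingTestFailed")
        # Assumption: "fewer than the filter" is applied literally, so a filter
        # of 0 produces no pingTestCompleted trap either.
        if self.failures < self.test_fail_filter:
            return self._emit("pingTestCompleted")
        return []

    def _emit(self, trap):
        return [trap] if trap in self.enabled_traps else []

    def run_test(self, statuses):
        """Run one complete test; statuses holds one status string per probe."""
        self.start_run()
        traps = []
        for status in statuses:
            traps += self.probe(status)
        return traps + self.finish()


if __name__ == "__main__":
    model = PingTestModel(max_rows=5)
    model.run_test(["responseReceived"] * 15)
    print("after run 1:", list(model.history))
    model.run_test(["responseReceived"] * 15)
    print("after run 2:", list(model.history))
```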

Stopping a Ping Test

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

To stop an active test, set pingCtlAdminStatus to disabled. To stop the test and remove
its pingCtlEntry, pingResultsEntry, and any pingProbeHistoryEntry objects from the MIB, set
pingCtlRowStatus to destroy.

Interpreting Ping Variables

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

This section clarifies the ranges for the following variables that are not explicitly specified
in the Ping MIB:


• pingCtlDataSize—The value of this variable represents the total size of the payload (in
bytes) of an outgoing probe packet. This payload includes the timestamp (8 bytes)
that is used to time the probe. This is consistent with the definition of pingCtlDataSize
(maximum value of 65,507) and the standard ping application.

If the value of pingCtlDataSize is between 0 and 8 inclusive, it is ignored and the payload
is 8 bytes (the timestamp). The Ping MIB assumes all probes are timed, so the payload
must always include the timestamp.

For example, if you wish to add an additional 4 bytes of payload to the packet, you
must set pingCtlDataSize to 12.

• pingCtlDataFill—The first 8 bytes of the data segment of the packet are for the timestamp.
After that, the pingCtlDataFill pattern is repeated. The default pattern (when
pingCtlDataFill is not specified) is (00, 01, 02, 03 ... FF, 00, 01, 02, 03 ... FF, ...).

• pingCtlMaxRows—The maximum value is 255.

• pingMaxConcurrentRequests—The maximum value is 500.

• pingCtlTrapProbeFailureFilter and pingCtlTrapTestFailureFilter—A value of 0 for
pingCtlTrapProbeFailureFilter or pingCtlTrapTestFailureFilter is not well defined by the
Ping MIB. If pingCtlTrapProbeFailureFilter is 0, pingProbeFailed traps will not be
generated for the test under any circumstances. If pingCtlTrapTestFailureFilter is 0,
pingTestFailed traps will not be generated for the test under any circumstances.

Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS

Supported Platforms ACX Series, M Series, MX Series, QFX Series, SRX Series, T Series

A traceroute test approximates the path packets take from the local host to the remote
host.

RFC 2925 is the authoritative, detailed description of the Traceroute MIB and provides
its ASN.1 MIB definition.

Related Documentation

• SNMP Remote Operations Overview on page 177

• Starting a Traceroute Test on page 187

• Monitoring a Running Traceroute Test on page 189

• Monitoring Traceroute Test Completion on page 193

• Gathering Traceroute Test Results on page 194

• Stopping a Traceroute Test on page 195

• Interpreting Traceroute Variables on page 196

Starting a Traceroute Test

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series


Before you start a traceroute test, configure a Traceroute MIB view. This allows SNMP
Set requests on tracerouteMIB. To start a test, create a row in traceRouteCtlTable and
set traceRouteCtlAdminStatus to enabled. You must specify at least the following before
setting traceRouteCtlAdminStatus to enabled:

• traceRouteCtlOwnerIndex (SnmpAdminString)

• traceRouteCtlTestName (SnmpAdminString)

• traceRouteCtlTargetAddress (InetAddress)

• traceRouteCtlRowStatus (RowStatus)

For all other values, defaults are chosen unless otherwise specified.
traceRouteCtlOwnerIndex and traceRouteCtlTestName are used as the index, so their
values are specified as part of the OID. To create a row, set traceRouteCtlRowStatus to
createAndWait or createAndGo on a row that does not already exist. A value of active for
traceRouteCtlRowStatus indicates that all necessary information has been specified and
the test can begin; traceRouteCtlAdminStatus can be set to enabled. An SNMP Set request
that sets traceRouteCtlRowStatus to active will fail if the necessary information in the
row is not specified or is inconsistent. For information about how to configure a view, see
“Setting SNMP Views” on page 178.

There are two ways to start a traceroute test:

• Using Multiple Set PDUs on page 188

• Using a Single Set PDU on page 188

Using Multiple Set PDUs


You can use multiple Set request PDUs (multiple PDUs, with one or more varbinds each)
and set the following variables in this order to start the test:

• traceRouteCtlRowStatus to createAndWait

• All appropriate test variables

• traceRouteCtlRowStatus to active

  The Junos OS now verifies that all necessary information to run a test has been specified.

• traceRouteCtlAdminStatus to enabled

Using a Single Set PDU


You can use a single Set request PDU (one PDU, with multiple varbinds) to set the
following variables to start the test:

• traceRouteCtlRowStatus to createAndGo

• All appropriate test variables

• traceRouteCtlAdminStatus to enabled
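The two start sequences above, written out as ordered varbind lists with the instance OID built from the owner and test name; this is an added example, not Juniper code. The function names are hypothetical, the target is assumed to be an IPv4 address (so traceRouteCtlTargetAddressType is set explicitly), and the numeric enumeration values and the 32-octet index limit are taken from RFC 2925 and the standard RowStatus convention rather than from this page.

```python
import ipaddress

# RowStatus textual convention (SNMPv2-TC) and the enabled/disabled enumeration
# used by traceRouteCtlAdminStatus in RFC 2925.
ROW_STATUS = {"active": 1, "notInService": 2, "notReady": 3,
              "createAndGo": 4, "createAndWait": 5, "destroy": 6}
ADMIN_STATUS = {"enabled": 1, "disabled": 2}
INET_ADDRESS_TYPE_IPV4 = 1


def index_suffix(owner_index, test_name):
    """Encode the two SnmpAdminString index values as OID sub-identifiers.

    Each string is written as its length followed by one sub-identifier per
    octet, which is how a variable-length string index appears in an OID.
    """
    subids = []
    for value in (owner_index, test_name):
        raw = value.encode("utf-8")
        if len(raw) > 32:
            raise ValueError("index string longer than 32 octets: %r" % value)
        subids.append(len(raw))
        subids.extend(raw)
    return ".".join(str(s) for s in subids)


def _test_variables(suffix, target_ipv4):
    """Varbinds for the test parameters; all other columns keep their defaults."""
    packed = ipaddress.IPv4Address(target_ipv4).packed   # 4-octet InetAddress
    return [("traceRouteCtlTargetAddressType." + suffix, INET_ADDRESS_TYPE_IPV4),
            ("traceRouteCtlTargetAddress." + suffix, packed)]


def single_pdu_plan(owner_index, test_name, target_ipv4):
    """One Set PDU: createAndGo, the test variables, then enabled."""
    s = index_suffix(owner_index, test_name)
    pdu = [("traceRouteCtlRowStatus." + s, ROW_STATUS["createAndGo"])]
    pdu += _test_variables(s, target_ipv4)
    pdu.append(("traceRouteCtlAdminStatus." + s, ADMIN_STATUS["enabled"]))
    return [pdu]


def multi_pdu_plan(owner_index, test_name, target_ipv4):
    """Four Set PDUs, in the order the device expects them."""
    s = index_suffix(owner_index, test_name)
    return [
        [("traceRouteCtlRowStatus." + s, ROW_STATUS["createAndWait"])],
        _test_variables(s, target_ipv4),
        [("traceRouteCtlRowStatus." + s, ROW_STATUS["active"])],
        [("traceRouteCtlAdminStatus." + s, ADMIN_STATUS["enabled"])],
    ]


if __name__ == "__main__":
    # Constructed values: owner "ops", test "t1", documentation address 192.0.2.1.
    for number, pdu in enumerate(multi_pdu_plan("ops", "t1", "192.0.2.1"), 1):
        for oid, value in pdu:
            print("PDU %d: %s = %r" % (number, oid, value))
```

Each inner list is one Set request; hand the (OID, value) pairs to whichever SNMP library or tool the management station uses.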


Related Documentation

• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 187

• Monitoring a Running Traceroute Test on page 189

• SNMP Remote Operations Overview on page 177

• Monitoring Traceroute Test Completion on page 193

• Gathering Traceroute Test Results on page 194

• Stopping a Traceroute Test on page 195

• Interpreting Traceroute Variables on page 196

Monitoring a Running Traceroute Test

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

When traceRouteCtlAdminStatus is successfully set to enabled, the following is done
before the acknowledgment of the SNMP Set request is sent back to the client:

• traceRouteResultsEntry is created if it does not already exist.

• traceRouteResultsOperStatus transitions to enabled.

For more information, see the following sections:

• traceRouteResultsTable on page 189

• traceRouteProbeResultsTable on page 190

• traceRouteHopsTable on page 191

• Generating Traps on page 192

traceRouteResultsTable
While the test is running, traceRouteResultsTable keeps track of the status of the
test. The value of traceRouteResultsOperStatus is enabled while the test is running and
disabled when it has stopped.

The value of traceRouteCtlAdminStatus remains enabled until you set it to disabled. Thus,
to get the status of the test, you must examine traceRouteResultsOperStatus.

The traceRouteCtlFrequency variable can be used to schedule many tests for one
traceRouteCtlEntry. After a test ends normally (you did not stop the test) and
traceRouteCtlFrequency number of seconds has elapsed, the test is started again just as
if you had set traceRouteCtlAdminStatus to enabled. If you intervene at any time between
repeated tests (you set traceRouteCtlAdminStatus to disabled or traceRouteCtlRowStatus
to notInService), the repeat feature is disabled until another test is started and ends
normally. A value of 0 for traceRouteCtlFrequency indicates this repeat feature is not
active.

traceRouteResultsIpTgtAddr and traceRouteResultsIpTgtAddrType are set to the value
of the resolved destination address when the value of traceRouteCtlTargetAddressType
is dns. When a test starts successfully and traceRouteResultsOperStatus transitions to
enabled:

• traceRouteResultsIpTgtAddr is set to null-string.

• traceRouteResultsIpTgtAddrType is set to unknown.

traceRouteResultsIpTgtAddr and traceRouteResultsIpTgtAddrType are not set until
traceRouteCtlTargetAddress can be resolved to a numeric address. To retrieve these
values, poll traceRouteResultsIpTgtAddrType for any value other than unknown after
successfully setting traceRouteCtlAdminStatus to enabled.

At the start of a test, traceRouteResultsCurHopCount is initialized to traceRouteCtlInitialTtl,
and traceRouteResultsCurProbeCount is initialized to 1. Each time a probe result is
determined, traceRouteResultsCurProbeCount increases by 1. While the test is running,
the value of traceRouteResultsCurProbeCount reflects the current outstanding probe for
which results have not yet been determined.

The traceRouteCtlProbesPerHop number of probes is sent for each time-to-live (TTL)
value. When the result of the last probe for the current hop is determined, provided that
the current hop is not the destination hop, traceRouteResultsCurHopCount increases by
1, and traceRouteResultsCurProbeCount resets to 1.

At the start of a test, if this is the first time this test has been run for this traceRouteCtlEntry,
traceRouteResultsTestAttempts and traceRouteResultsTestSuccesses are initialized to
0.

At the end of each test execution, traceRouteResultsOperStatus transitions to disabled,
and traceRouteResultsTestAttempts increases by 1. If the test was successful in
determining the full path to the target, traceRouteResultsTestSuccesses increases by 1,
and traceRouteResultsLastGoodPath is set to the current time.

traceRouteProbeResultsTable
Each entry in traceRouteProbeHistoryTable is indexed by five variables:

• The first two variables, traceRouteCtlOwnerIndex and traceRouteCtlTestName, are the
same ones used for traceRouteCtlTable and identify the test.

• The third variable, traceRouteProbeHistoryIndex, is a counter, starting from 1 and
wrapping at FFFFFFFF. The maximum number of entries is limited by
traceRouteCtlMaxRows.

• The fourth variable, traceRouteProbeHistoryHopIndex, indicates which hop this probe
is for (the actual time-to-live or TTL value). Thus, the first traceRouteCtlProbesPerHop
number of entries created when a test starts have a value of traceRouteCtlInitialTtl for
traceRouteProbeHistoryHopIndex.

• The fifth variable, traceRouteProbeHistoryProbeIndex, is the probe for the current hop.
It ranges from 1 to traceRouteCtlProbesPerHop.

While a test is running, as soon as a probe result is determined, the next probe is sent. A
maximum of traceRouteCtlTimeOut seconds elapses before a probe is marked with
status requestTimedOut and the next probe is sent. There is never more than one
outstanding probe per traceroute test. Any probe result coming back after a probe times
out is ignored.

Each probe can:

• Result in a response from a host acknowledging the probe

• Time out with no response from a host acknowledging the probe

• Fail to be sent

Each probe status is recorded in traceRouteProbeHistoryTable with
traceRouteProbeHistoryStatus set accordingly.

Probes that result in a response from a host record the following data:

• traceRouteProbeHistoryResponse—Round-trip time (RTT)

• traceRouteProbeHistoryHAddrType—The type of HAddr (next argument)

• traceRouteProbeHistoryHAddr—The address of the hop

All probes, regardless of whether a response for the probe is received, have the following
recorded:

• traceRouteProbeHistoryStatus—What happened and why

• traceRouteProbeHistoryLastRC—Return code (RC) value of the ICMP packet

• traceRouteProbeHistoryTime—Timestamp when the probe result was determined

When a probe cannot be sent, traceRouteProbeHistoryResponse is set to 0. When a probe
times out, traceRouteProbeHistoryResponse is set to the difference between the time
when the probe was discovered to be timed out and the time when the probe was sent.

traceRouteHopsTable
Entries in traceRouteHopsTable are indexed by three variables:

• The first two, traceRouteCtlOwnerIndex and traceRouteCtlTestName, are the same
ones used for traceRouteCtlTable and identify the test.

• The third variable, traceRouteHopsHopIndex, indicates the current hop, which starts
at 1 (not traceRouteCtlInitialTtl).

When a test starts, all entries in traceRouteHopsTable with the given
traceRouteCtlOwnerIndex and traceRouteCtlTestName are deleted. Entries in this table
are only created if traceRouteCtlCreateHopsEntries is set to true.

A new traceRouteHopsEntry is created each time the first probe result for a given TTL is
determined. The new entry is created whether or not the first probe reaches a host. The
value of traceRouteHopsHopIndex is increased by 1 for this new entry.


NOTE: Any traceRouteHopsEntry can lack a value for
traceRouteHopsIpTgtAddress if there are no responses to the probes with the
given TTL.

Each time a probe reaches a host, the IP address of that host is available in the probe
result. If the value of traceRouteHopsIpTgtAddress of the current traceRouteHopsEntry
is not set, then the value of traceRouteHopsIpTgtAddress is set to this IP address. If the
value of traceRouteHopsIpTgtAddress of the current traceRouteHopsEntry is the same
as the IP address, then the value does not change. If the value of
traceRouteHopsIpTgtAddress of the current traceRouteHopsEntry is different from this
IP address, indicating a path change, a new traceRouteHopsEntry is created with:

• traceRouteHopsHopIndex variable increased by 1

• traceRouteHopsIpTgtAddress set to the IP address

NOTE: A new entry for a test is added to traceRouteHopsTable each time
a new TTL value is used or the path changes. Thus, the number of entries
for a test may exceed the number of different TTL values used.

When a probe result is determined, the value traceRouteHopsSentProbes of the current
traceRouteHopsEntry increases by 1. When a probe result is determined, and the probe
reaches a host:

• The value traceRouteHopsProbeResponses of the current traceRouteHopsEntry is
increased by 1.

• The following variables are updated:

• traceRouteResultsMinRtt—Minimum round-trip time

• traceRouteResultsMaxRtt—Maximum round-trip time

• traceRouteResultsAverageRtt—Average round-trip time

• traceRouteResultsRttSumOfSquares—Sum of squares of round-trip times

• traceRouteResultsLastGoodProbe—Timestamp of the last response

NOTE: Only probes that reach a host affect the round-trip time values.

Generating Traps
For any trap to be generated, the appropriate bit of traceRouteCtlTrapGeneration must
be set. You must also configure a trap group to receive remote operations. Traps are
generated under the following conditions:


• traceRouteHopsIpTgtAddress of the current probe is different from the last probe with
the same TTL value (traceRoutePathChange).

• A path to the target could not be determined (traceRouteTestFailed).

• A path to the target was determined (traceRouteTestCompleted).

For information about how to configure a trap group to receive remote operations, see
“Configuring SNMP Trap Groups” on page 112 and “Example: Setting Trap Notification
for Remote Operations” on page 179.

Monitoring Traceroute Test Completion

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

When a test is complete, traceRouteResultsOperStatus transitions from enabled to
disabled. This transition occurs in the following situations:

• The test ends successfully. A probe result indicates that the destination has been
reached. In this case, the current hop is the last hop. The rest of the probes for this hop
are sent. When the last probe result for the current hop is determined, the test ends.

• traceRouteCtlMaxTtl threshold is exceeded. The destination is never reached. The test
ends after the number of probes with TTL value equal to traceRouteCtlMaxTtl have
been sent.

• traceRouteCtlMaxFailures threshold is exceeded. The number of consecutive probes
that end with status requestTimedOut exceeds traceRouteCtlMaxFailures.

• You end the test. You set traceRouteCtlAdminStatus to disabled or delete the row by
setting traceRouteCtlRowStatus to destroy.

• You misconfigured the traceroute test. A value or variable you specified in
traceRouteCtlTable is incorrect and will not allow a single probe to be sent. Because
of the nature of the data, this error could not be determined until the test was started;
that is, until after traceRouteResultsOperStatus transitioned to enabled. When this
occurs, one entry is added to traceRouteProbeHistoryTable with
traceRouteProbeHistoryStatus set to the appropriate error code.

If traceRouteCtlTrapGeneration is set properly, either the traceRouteTestFailed or
traceRouteTestCompleted trap is generated.

Related Documentation

• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 187

• Monitoring a Running Traceroute Test on page 189

• SNMP Remote Operations Overview on page 177

• Starting a Traceroute Test on page 187

• Gathering Traceroute Test Results on page 194

• Stopping a Traceroute Test on page 195

• Interpreting Traceroute Variables on page 196


Gathering Traceroute Test Results

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

You can either poll traceRouteResultsOperStatus to find out when the test is complete
or request that a trap be sent when the test is complete. For more information about
traceRouteResultsOperStatus, see “traceRouteResultsTable” on page 189. For more information
about Traceroute MIB traps, see the Generating Traps section in “Monitoring a Running
Traceroute Test” on page 189.

Statistics are calculated on a per-hop basis and then stored in traceRouteHopsTable.
They include the following for each hop:

• traceRouteHopsIpTgtAddressType—Address type of host at this hop

• traceRouteHopsIpTgtAddress—Address of host at this hop

• traceRouteHopsMinRtt—Minimum round-trip time

• traceRouteHopsMaxRtt—Maximum round-trip time

• traceRouteHopsAverageRtt—Average round-trip time

• traceRouteHopsRttSumOfSquares—Sum of squares of round-trip times

• traceRouteHopsSentProbes—Number of attempts to send probes

• traceRouteHopsProbeResponses—Number of responses received

• traceRouteHopsLastGoodProbe—Timestamp of last response

You can also consult traceRouteProbeHistoryTable for more detailed information about
each probe. The index used for traceRouteProbeHistoryTable starts at 1, goes to
0xFFFFFFFF, and wraps to 1 again.

For example, assume the following:

• traceRouteCtlMaxRows is 10.

• traceRouteCtlProbesPerHop is 5.

• There are eight hops to the target (the target being number eight).

• Each probe sent results in a response from a host (the number of probes sent is not
limited by traceRouteCtlMaxFailures).

In this test, 40 probes are sent. At the end of the test, traceRouteProbeHistoryTable would
have a history of probes like those in Table 22 on page 194.

Table 22: traceRouteProbeHistoryTable

HistoryIndex   HistoryHopIndex   HistoryProbeIndex
31             7                 1
32             7                 2
33             7                 3
34             7                 4
35             7                 5
36             8                 1
37             8                 2
38             8                 3
39             8                 4
40             8                 5
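The simulation below is an added example, not Junos OS code. It replays the rules given for traceRouteProbeHistoryTable and traceRouteHopsTable, reproduces Table 22 from the assumptions listed above, and shows how a path change makes the hops table longer than the number of TTL values. It assumes traceRouteCtlCreateHopsEntries is true, lets the length of the constructed path stand in for traceRouteCtlMaxTtl, does not model traceRouteCtlMaxFailures, and counts the probe that reveals a path change on the newly created hops entry.

```python
from collections import OrderedDict

INDEX_MAX = 0xFFFFFFFF  # traceRouteProbeHistoryIndex wraps to 1 after this value


def _new_hop(hops, addr):
    """Append a traceRouteHopsEntry; traceRouteHopsHopIndex starts at 1."""
    hop = {"hop_index": len(hops) + 1, "addr": addr, "sent": 0, "responses": 0}
    hops.append(hop)
    return hop


def simulate_traceroute(path, target, probes_per_hop, max_rows, initial_ttl=1):
    """Replay one traceroute test (hypothetical helper).

    path[i] lists, for TTL initial_ttl + i, the address that answered each
    probe, or None for a probe that ended with requestTimedOut.
    Returns (history, hops, traps).
    """
    history = OrderedDict()   # HistoryIndex -> (HopIndex i.e. TTL, ProbeIndex, address)
    hops, traps = [], []
    index = 0
    for offset, responders in enumerate(path):
        ttl = initial_ttl + offset
        current = None
        reached = False
        for probe_no in range(1, probes_per_hop + 1):
            addr = responders[probe_no - 1]
            index = 1 if index == INDEX_MAX else index + 1
            history[index] = (ttl, probe_no, addr)
            while len(history) > max_rows:          # traceRouteCtlMaxRows
                history.popitem(last=False)
            if current is None:
                # First probe result for this TTL: new entry, address not yet set.
                current = _new_hop(hops, None)
            if addr is not None:
                if current["addr"] is None:
                    current["addr"] = addr
                elif current["addr"] != addr:
                    # Different responder for the same TTL: the path changed.
                    current = _new_hop(hops, addr)
                    traps.append("traceRoutePathChange")
                current["responses"] += 1
                reached = reached or addr == target
            current["sent"] += 1
        if reached:
            # The remaining probes for the destination hop were sent above.
            traps.append("traceRouteTestCompleted")
            return history, hops, traps
    traps.append("traceRouteTestFailed")
    return history, hops, traps


if __name__ == "__main__":
    # Constructed path: eight hops, every probe answered, target is hop eight.
    path = [["192.0.2.%d" % hop] * 5 for hop in range(1, 9)]
    history, hops, traps = simulate_traceroute(path, "192.0.2.8", 5, 10)
    for idx, (ttl, probe_no, _) in history.items():
        print(idx, ttl, probe_no)
    print(traps)
```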

Related Documentation

• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 187

• Monitoring a Running Traceroute Test on page 189

• SNMP Remote Operations Overview on page 177

• Starting a Traceroute Test on page 187

• Monitoring Traceroute Test Completion on page 193

• Stopping a Traceroute Test on page 195

• Interpreting Traceroute Variables on page 196

Stopping a Traceroute Test

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

To stop an active test, set traceRouteCtlAdminStatus to disabled. To stop a test and
remove its traceRouteCtlEntry, traceRouteResultsEntry, and traceRouteProbeHistoryEntry
objects from the MIB, set traceRouteCtlRowStatus to destroy.

Related Documentation

• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 187

• Monitoring a Running Traceroute Test on page 189

• SNMP Remote Operations Overview on page 177

• Starting a Traceroute Test on page 187

• Monitoring Traceroute Test Completion on page 193

• Gathering Traceroute Test Results on page 194

• Interpreting Traceroute Variables on page 196

Interpreting Traceroute Variables

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

This topic contains information about the ranges for the following variables that are not
explicitly specified in the Traceroute MIB:

• traceRouteCtlMaxRows—The maximum value for traceRouteCtlMaxRows is 2550. This
represents the maximum TTL (255) multiplied by the maximum for
traceRouteCtlProbesPerHop (10). Therefore, the traceRouteProbeHistoryTable
accommodates one complete test at the maximum values for one traceRouteCtlEntry.
Usually, the maximum values are not used and the traceRouteProbeHistoryTable is
able to accommodate the complete history for many tests for the same
traceRouteCtlEntry.

• traceRouteMaxConcurrentRequests—The maximum value is 50. If a test is running, it
has one outstanding probe. traceRouteMaxConcurrentRequests represents the maximum
number of traceroute tests that have traceRouteResultsOperStatus with a value of
enabled. Any attempt to start a test with traceRouteMaxConcurrentRequests tests
running will result in the creation of one probe with traceRouteProbeHistoryStatus set
to maxConcurrentLimitReached and that test will end immediately.

• traceRouteCtlTable—The maximum number of entries allowed in this table is 100. Any
attempt to create a 101st entry will result in a BAD_VALUE message for SNMPv1 and a
RESOURCE_UNAVAILABLE message for SNMPv2.

Related Documentation

• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 187

• Monitoring a Running Traceroute Test on page 189

• SNMP Remote Operations Overview on page 177

• Starting a Traceroute Test on page 187

• Monitoring Traceroute Test Completion on page 193

• Gathering Traceroute Test Results on page 194

• Stopping a Traceroute Test on page 195



CHAPTER 10

Tracing SNMP Activity

• Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on a Device Running Junos OS on page 197
• Tracing SNMP Activity on a Device Running Junos OS on page 203
• Example: Tracing SNMP Activity on page 206

Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on a Device Running Junos OS

Supported Platforms ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series, vSRX

The following sections contain information about monitoring the SNMP activity on devices
running the Junos OS and identifying problems that might impact the SNMP performance
on devices running Junos OS:

• Checking for MIB Objects Registered with the snmpd on page 197
• Tracking SNMP Activity on page 199
• Monitoring SNMP Statistics on page 200
• Checking CPU Utilization on page 201
• Checking Kernel and Packet Forwarding Engine Response on page 202

Checking for MIB Objects Registered with the snmpd


For the SNMP process to be able to access data related to a MIB object, the MIB object
must be registered with the snmpd. When an SNMP subagent comes online, it tries to
register the associated MIB objects with the snmpd. The snmpd maintains a mapping of
the objects and the subagents with which the objects are associated. However, the
registration attempt fails occasionally, and the objects remain unregistered with the
snmpd until the next time the subagent restarts and successfully registers the objects.

When a network management system polls for data related to objects that are not
registered with the snmpd, the snmpd returns either a noSuchName error (for SNMPv1
objects) or a noSuchObject error (for SNMPv2 objects).


You can use the following commands to check for MIB objects that are registered with
the snmpd:

• show snmp registered-objects—Creates a /var/log/snmp_reg_objs file that contains
the list of registered objects and their mapping to various subagents.

• file show /var/log/snmp_reg_objs—Displays the contents of the /var/log/snmp_reg_objs
file.

The following example shows the steps for creating and displaying the
/var/log/snmp_reg_objs file:

user@host> show snmp registered-objects


user@host> file show /var/log/snmp_reg_objs
--------------------------------------------------------------
Registered MIB Objects
root_name =
--------------------------------------------------------------
.1.2.840.10006.300.43.1.1.1.1.2 (dot3adAggMACAddress) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.3 (dot3adAggActorSystemPriority) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.4 (dot3adAggActorSystemID) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.5 (dot3adAggAggregateOrIndividual)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.6 (dot3adAggActorAdminKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.7 (dot3adAggActorOperKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.8 (dot3adAggPartnerSystemID) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.9 (dot3adAggPartnerSystemPriority)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.10 (dot3adAggPartnerOperKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.11 (dot3adAggCollectorMaxDelay) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.2.1.1 (dot3adAggPortListPorts) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.2 (dot3adAggPortActorSystemPriority)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.3 (dot3adAggPortActorSystemID) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.4 (dot3adAggPortActorAdminKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.5 (dot3adAggPortActorOperKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.6 (dot3adAggPortPartnerAdminSystemPriority)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.7 (dot3adAggPortPartnerOperSystemPriority)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.8 (dot3adAggPortPartnerAdminSystemID)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.9 (dot3adAggPortPartnerOperSystemID)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.10 (dot3adAggPortPartnerAdminKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.11 (dot3adAggPortPartnerOperKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.12 (dot3adAggPortSelectedAggID) (/var/run/mib2d-11)
---(more)---

NOTE: The /var/log/snmp_reg_objs file contains only those objects that are
associated with the Junos OS processes that are up and running and registered
with the snmpd, at the time of executing the show snmp registered-objects
command. If a MIB object related to a Junos OS process that is up and running
is not shown in the list of registered objects, you might want to restart the
software process to retry object registration with the snmpd.


Tracking SNMP Activity


SNMP tracing operations track activity of SNMP agents and record the information in
log files. The logged event descriptions provide detailed information to help you solve
problems faster. By default, Junos OS does not trace any SNMP activity. To enable
tracking of SNMP activities on a device running Junos OS, include the traceoptions
statement at the [edit snmp] hierarchy level.

A sample traceoptions configuration might look like:

[edit snmp]
user@host# set traceoptions flag all

When the traceoptions flag all statement is included at the [edit snmp] hierarchy level,
the following log files are created:

• snmpd

• mib2d

• rmopd

You can use the show log log-filename operational mode command to view the contents
of the log file. In the snmpd log file (see the following example), a sequence of >>>
represents an incoming packet, whereas a sequence of <<< represents an outgoing
packet. Note that request-response pairs might not appear in sequence if
multiple network management systems are polling the device at the same time. You can
use the source and request ID combinations to match requests and responses. However,
note that no response is logged in the log file if the SNMP master agent or the SNMP
subagent has not responded to a request.

A careful analysis of the request-response time can help you identify and understand
delayed responses.

Reviewing a Log File

The following example shows the output for the show log snmpd command:

user@host> show log snmpd


Apr 12 06:40:03 snmpd[7ee783df] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Apr 12 06:40:03 snmpd[7ee783df] >>> Get-Bulk-Request
Apr 12 06:40:03 snmpd[7ee783df] >>> Source: 10.209.63.42
Apr 12 06:40:03 snmpd[7ee783df] >>> Destination: 10.209.2.242
Apr 12 06:40:03 snmpd[7ee783df] >>> Version: SNMPv2
Apr 12 06:40:03 snmpd[7ee783df] >>> Request_id: 0x7ee783df
Apr 12 06:40:03 snmpd[7ee783df] >>> Community: public
Apr 12 06:40:03 snmpd[7ee783df] >>> Non-repeaters: 0
Apr 12 06:40:03 snmpd[7ee783df] >>> Max-repetitions: 10
Apr 12 06:40:03 snmpd[7ee783df] >>> OID : jnxContentsType.6.1.2.0
Apr 12 06:40:03 snmpd[7ee783df] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Apr 12 06:40:03 snmpd[7ee783df] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Apr 12 06:40:03 snmpd[7ee783df] <<< Get-Response
Apr 12 06:40:03 snmpd[7ee783df] <<< Source: 10.209.63.42
Apr 12 06:40:03 snmpd[7ee783df] <<< Destination: 10.209.2.242
Apr 12 06:40:03 snmpd[7ee783df] <<< Version: SNMPv2
Apr 12 06:40:03 snmpd[7ee783df] <<< Request_id: 0x7ee783df
Apr 12 06:40:03 snmpd[7ee783df] <<< Community: public

Apr 12 06:40:03 snmpd[7ee783df] <<< Error: status=0 / vb_index=0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.7.1.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iFPC.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.7.1.1.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxChassisTempSensor.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.7.2.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iFPC.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.7.2.1.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxChassisTempSensor.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.9.1.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iRE.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.9.1.1.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxPCMCIACard.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.9.2.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iRE.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.9.2.1.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxPCMCIACard.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.12.1.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iHCM.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.12.2.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iHCM.0
Apr 12 06:40:03 snmpd[7ee783df] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Apr 12 06:40:03 snmpd[7ee783e0] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Apr 12 06:40:03 snmpd[7ee783e0] >>> Get-Bulk-Request
Apr 12 06:40:03 snmpd[7ee783e0] >>> Source: 10.209.63.42
Apr 12 06:40:03 snmpd[7ee783e0] >>> Destination: 10.209.2.242
Apr 12 06:40:03 snmpd[7ee783e0] >>> Version: SNMPv2
Apr 12 06:40:03 snmpd[7ee783e0] >>> Request_id: 0x7ee783e0
Apr 12 06:40:03 snmpd[7ee783e0] >>> Community: public
Apr 12 06:40:03 snmpd[7ee783e0] >>> Non-repeaters: 0
Apr 12 06:40:03 snmpd[7ee783e0] >>> Max-repetitions: 10
Apr 12 06:40:03 snmpd[7ee783e0] >>> OID : jnxContentsType.12.2.0.0
Apr 12 06:40:03 snmpd[7ee783e0] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
……
……
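
The matching of requests and responses described above can be automated. The following Python code is an added example, not part of the Juniper guide: it splits an snmpd trace into packets, pairs requests with responses by source and request ID, lists requests that never received a response, and summarizes which version and community string each source used. The sample trace is constructed (documentation addresses, placeholder community example-ro), and all function names are this example's own.

```python
import re
from datetime import datetime

# One trace line: "<Mon DD HH:MM:SS> snmpd[<tag>] <arrows> <text>".
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+snmpd\[\w+\]\s+"
    r"(?P<arrows>>{3,}|<{3,})\s*(?P<rest>.*)$"
)


def parse_packets(text):
    """Split an snmpd trace into packets; a run of more than three arrows is a delimiter."""
    packets, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        arrows, rest = m["arrows"], m["rest"].strip()
        if len(arrows) > 3:
            direction = "in" if arrows[0] == ">" else "out"
            if current is not None:
                packets.append(current)
                closed_same_direction = current["dir"] == direction
                current = None
                if closed_same_direction:
                    continue  # this delimiter closed the packet
            # Syslog timestamps carry no year; 2000 is a placeholder for strptime.
            stamp = datetime.strptime("2000 " + " ".join(m["ts"].split()),
                                      "%Y %b %d %H:%M:%S")
            current = {"dir": direction, "ts": stamp, "pdu": None,
                       "fields": {}, "oids": []}
        elif current is not None and rest:
            if ":" not in rest:
                current["pdu"] = rest  # e.g. Get-Bulk-Request
            else:
                key, value = (part.strip() for part in rest.split(":", 1))
                if key == "OID":
                    current["oids"].append(value)
                else:
                    current["fields"][key] = value
    if current is not None:  # excerpt ended before the closing delimiter
        packets.append(current)
    return packets


def match_requests(packets):
    """Pair each incoming request with its response by (Source, Request_id)."""
    pending, pairs = {}, []
    for pkt in packets:
        key = (pkt["fields"].get("Source"), pkt["fields"].get("Request_id"))
        if pkt["dir"] == "in":
            pending[key] = pkt
        elif key in pending:
            req = pending.pop(key)
            latency = (pkt["ts"] - req["ts"]).total_seconds()
            pairs.append({"source": key[0], "request_id": key[1],
                          "pdu": req["pdu"], "latency_s": latency})
    unanswered = [(src, rid, req["pdu"]) for (src, rid), req in pending.items()]
    return pairs, unanswered


def pollers(packets):
    """Map each request source to the (version, community) values it used."""
    seen = {}
    for pkt in packets:
        if pkt["dir"] == "in":
            f = pkt["fields"]
            seen.setdefault(f.get("Source"), set()).add(
                (f.get("Version"), f.get("Community")))
    return seen


def _sample_packet(ts, arrow, pdu, source, request_id):
    """Build one constructed packet in the trace layout shown above."""
    body = [arrow * 12, f"{arrow * 3} {pdu}",
            f"{arrow * 3}  Source:      {source}",
            f"{arrow * 3}  Version:     SNMPv2",
            f"{arrow * 3}  Request_id:  {request_id}",
            f"{arrow * 3}  Community:   example-ro", arrow * 12]
    return [f"Apr 12 {ts} snmpd[{request_id[2:]}] {line}" for line in body]


# Constructed sample: two pollers reuse request ID 0x00000001, one request goes unanswered.
SAMPLE = "\n".join(
    _sample_packet("06:40:03", ">", "Get-Request", "192.0.2.10", "0x00000001")
    + _sample_packet("06:40:03", ">", "Get-Request", "192.0.2.20", "0x00000001")
    + _sample_packet("06:40:03", "<", "Get-Response", "192.0.2.20", "0x00000001")
    + _sample_packet("06:40:07", "<", "Get-Response", "192.0.2.10", "0x00000001")
    + _sample_packet("06:40:08", ">", "Get-Request", "192.0.2.10", "0x00000002")
)

if __name__ == "__main__":
    pairs, unanswered = match_requests(parse_packets(SAMPLE))
    for p in pairs:
        print(p["source"], p["request_id"], p["pdu"], f'{p["latency_s"]:.0f}s')
    print("unanswered:", unanswered)
    print("pollers:", pollers(parse_packets(SAMPLE)))
```

Because the trace timestamps have one-second resolution, the computed latency is only accurate to the second.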

Monitoring SNMP Statistics


The show snmp statistics extensive operational mode command provides you with an
option to review SNMP traffic, including traps, on a device. Output for the show snmp
statistics extensive command shows real-time values and can be used to monitor values
such as throttle drops, currently active, max active, not found, time out, max latency,
current queued, total queued, and overflows. You can identify slowness in SNMP
responses by monitoring the currently active count, because a constant increase in the
currently active count is directly linked to slow or no response to SNMP requests.

Sample Output for the show snmp statistics extensive Command


user@host> show snmp statistics extensive
SNMP statistics:
Input:
Packets: 226656, Bad versions: 0, Bad community names: 0,
Bad community uses: 0, ASN parse errors: 0,
Too bigs: 0, No such names: 0, Bad values: 0,
Read onlys: 0, General errors: 0,
Total request varbinds: 1967606, Total set varbinds: 0,
Get requests: 18478, Get nexts: 75794, Set requests: 0,
Get responses: 0, Traps: 0,
Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
Throttle drops: 27084, Duplicate request drops: 0
V3 Input:
Unknown security models: 0, Invalid messages: 0
Unknown pdu handlers: 0, Unavailable contexts: 0
Unknown contexts: 0, Unsupported security levels: 0
Not in time windows: 0, Unknown user names: 0
Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
Output:
Packets: 226537, Too bigs: 0, No such names: 0,
Bad values: 0, General errors: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 226155, Traps: 382
SA Control Blocks:
Total: 222984, Currently Active: 501, Max Active: 501,
Not found: 0, Timed Out: 0, Max Latency: 25
SA Registration:
Registers: 0, Deregisters: 0, Removes: 0
Trap Queue Stats:
Current queued: 0, Total queued: 0, Discards: 0, Overflows: 0
Trap Throttle Stats:
Current throttled: 0, Throttles needed: 0
Snmp Set Stats:
Commit pending failures: 0, Config lock failures: 0
Rpc failures: 0, Journal write failures: 0
Mgd connect failures: 0, General commit failures: 0
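
The output is a set of running totals, so a trend such as a rising currently active count only shows up when two captures are compared. The following Python code is an added example, not part of the Juniper guide: it parses two captures of show snmp statistics extensive and reports the watched counters that grew. Both captures are constructed and abridged, and the watch list is this example's own choice of counters that appear in the output above.

```python
import re

# "Name: 123" pairs as they appear on each counter line of the output.
COUNTER = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?):\s*(\d+)")

# Counters whose growth between two captures deserves a look (example's choice).
WATCHED = {
    "Input": ["Bad community names", "Bad community uses", "Throttle drops"],
    "V3 Input": ["Unknown user names", "Unknown engine ids", "Wrong digests",
                 "Decryption errors"],
    "SA Control Blocks": ["Currently Active", "Timed Out"],
}


def parse_statistics(text):
    """Return {section: {counter: value}}.

    Counters are keyed by section because names repeat, for example
    "Get requests" appears under both Input and Output.
    """
    stats, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):  # section header such as "V3 Input:"
            section = line[:-1]
            stats[section] = {}
        elif section is not None:
            for name, value in COUNTER.findall(line):
                stats[section][name.strip()] = int(value)
    return stats


def increases(before, after):
    """List (section, counter, old, new) for watched counters that grew."""
    grown = []
    for section, names in WATCHED.items():
        for name in names:
            old = before.get(section, {}).get(name)
            new = after.get(section, {}).get(name)
            if old is not None and new is not None and new > old:
                grown.append((section, name, old, new))
    return grown


# Constructed, abridged captures taken some minutes apart (not real device output).
BEFORE = """\
SNMP statistics:
  Input:
    Packets: 226656, Bad versions: 0, Bad community names: 0,
    Throttle drops: 27084, Duplicate request drops: 0
  V3 Input:
    Unknown user names: 0, Wrong digests: 0, Decryption errors: 0
  SA Control Blocks:
    Total: 222984, Currently Active: 501, Max Active: 501,
    Not found: 0, Timed Out: 0, Max Latency: 25
"""

AFTER = """\
SNMP statistics:
  Input:
    Packets: 227100, Bad versions: 0, Bad community names: 37,
    Throttle drops: 27390, Duplicate request drops: 0
  V3 Input:
    Unknown user names: 0, Wrong digests: 4, Decryption errors: 0
  SA Control Blocks:
    Total: 223400, Currently Active: 640, Max Active: 640,
    Not found: 0, Timed Out: 0, Max Latency: 25
"""

if __name__ == "__main__":
    for section, name, old, new in increases(parse_statistics(BEFORE),
                                             parse_statistics(AFTER)):
        print(f"{section} / {name}: {old} -> {new} (+{new - old})")
```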

Checking CPU Utilization


High CPU usage of the software processes that are being queried, such as snmpd or
mib2d, is another factor that can lead to slow response or no response. You can use the
show system processes extensive operational mode command to check the CPU usage
levels of the Junos OS processes.

Sample Output of show system processes extensive Command


user@host> show system processes extensive
last pid: 1415; load averages: 0.00, 0.00, 0.00 up 0+02:20:54 10:26:25
117 processes: 2 running, 98 sleeping, 17 waiting

Mem: 180M Active, 54M Inact, 39M Wired, 195M Cache, 69M Buf, 272M Free
Swap: 1536M Total, 1536M Free


PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
11 root 1 171 52 0K 12K RUN 132:09 95.21% idle
1184 root 1 97 0 35580K 9324K select 4:16 1.61% chassisd
177 root 1 -8 0 0K 12K mdwait 0:51 0.00% md7
119 root 1 -8 0 0K 12K mdwait 0:20 0.00% md4
13 root 1 -20 -139 0K 12K WAIT 0:16 0.00% swi7: clock sio
1373 root 1 96 0 15008K 12712K select 0:09 0.00% snmpd
1371 root 1 96 0 9520K 5032K select 0:08 0.00% jdiameterd
12 root 1 -40 -159 0K 12K WAIT 0:07 0.00% swi2: net
1375 root 2 96 0 15016K 5812K select 0:06 0.00% pfed
49 root 1 -8 0 0K 12K mdwait 0:05 0.00% md0
1345 root 1 96 0 10088K 4480K select 0:05 0.00% l2ald
1181 root 1 96 0 1608K 908K select 0:05 0.00% bslockd
23 root 1 -68 -187 0K 12K WAIT 0:04 0.00% irq10: fxp1
30 root 1 171 52 0K 12K pgzero 0:04 0.00% pagezero
1344 root 1 4 0 39704K 11444K kqread 0:03 0.00% rpd
1205 root 1 96 0 3152K 912K select 0:03 0.00% license-check
1372 root 1 96 0 28364K 6696K select 0:03 0.00% dcd
1374 root 1 96 0 11764K 7632K select 0:02 0.00% mib2d
1405 user 1 96 0 15892K 11132K select 0:02 0.00% cli
139 root 1 -8 0 0K 12K mdwait 0:02 0.00% md5
22 root 1 -80 -199 0K 12K WAIT 0:02 0.00% irq9: cbb1 fxp0
1185 root 1 96 0 4472K 2036K select 0:02 0.00% alarmd
4 root 1 -8 0 0K 12K - 0:02 0.00% g_down
3 root 1 -8 0 0K 12K - 0:02 0.00% g_up
43 root 1 -16 0 0K 12K psleep 0:02 0.00% vmkmemdaemon
1377 root 1 96 0 3776K 2256K select 0:01 0.00% irsd
48 root 1 -16 0 0K 12K - 0:01 0.00% schedcpu
99 root 1 -8 0 0K 12K mdwait 0:01 0.00% md3
953 root 1 96 0 4168K 2428K select 0:01 0.00% eventd
1364 root 1 96 0 4872K 2808K select 0:01 0.00% cfmd
15 root 1 -16 0 0K 12K - 0:01 0.00% yarrow
1350 root 1 96 0 31580K 7248K select 0:01 0.00% cosd
1378 root 1 96 0 19776K 6292K select 0:01 0.00% lpdfd

...

Checking Kernel and Packet Forwarding Engine Response


As mentioned in “Understanding SNMP Implementation in Junos OS” on page 13, some
SNMP MIB data are maintained by the kernel or Packet Forwarding Engine. For such data
to be available for the network management system, the kernel has to provide the required
information to the SNMP subagent in mib2d. A slow response from the kernel can cause
a delay in mib2d returning the data to the network management system. Junos OS adds
an entry in the mib2d log file every time that an interface takes more than 10,000
microseconds to respond to a request for interface statistics. You can use the show log
log-filename | grep "kernel response time" command to find out the response time taken
by the kernel.

Checking the Kernel Response Time


user@host> show log mib2d | grep "kernel response time"
Aug 17 22:39:37 == kernel response time for COS_IPVPN_DEFAULT_OUTPUT-t1-7/3/0:10:27.0-o: 9.126471 sec, range (0.000007, 11.000806)
Aug 17 22:39:53 == kernel response time for COS_IPVPN_DEFAULT_INPUT-t1-7/2/0:5:15.0-i: 5.387321 sec, range (0.000007, 11.000806)
Aug 17 22:39:53 == kernel response time for ct1-6/1/0:9:15: 0.695406 sec, range (0.000007, 11.000806)
Aug 17 22:40:04 == kernel response time for t1-6/3/0:6:19: 1.878542 sec, range (0.000007, 11.000806)
Aug 17 22:40:22 == kernel response time for lsq-7/0/0: 2.556592 sec, range (0.000007, 11.000806)

Related Documentation

• Understanding SNMP Implementation in Junos OS on page 13

• Configuring SNMP on Devices Running Junos OS on page 90

• Optimizing the Network Management System Configuration for the Best Results on
page 87

• Configuring Options on Managed Devices for Better SNMP Response Time on page 88

• Managing Traps and Informs

• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage

Tracing SNMP Activity on a Device Running Junos OS

Supported Platforms ACX Series, EX4600, M Series, MX Series, PTX Series, QFX Series, T Series

SNMP tracing operations track activity for SNMP agents and record the information in
log files. The logged error descriptions provide detailed information to help you solve
problems faster.

By default, Junos OS does not trace any SNMP activity. If you include the traceoptions
statement at the [edit snmp] hierarchy level, the default tracing behavior is:

• Important activities are logged in files located in the /var/log directory. Each log is
named after the SNMP agent that generates it. Currently, the following log files are
created in the /var/log directory when the traceoptions statement is used:

• chassisd

• craftd

• ilmid

• mib2d

• rmopd

• serviced

• snmpd

• When a trace file named filename reaches its maximum size, it is renamed filename.0,
then filename.1, and so on, until the maximum number of trace files is reached. Then
the oldest trace file is overwritten. (For more information about how log files are created,
see the System Log Explorer.)


• Log files can be accessed only by the user who configured the tracing operation.

You cannot change the directory (/var/log) in which trace files are located. However,
you can customize the other trace file settings by including the following statements at
the [edit snmp] hierarchy level:

[edit snmp]
traceoptions {
    file <files number> <match regular-expression> <size size> <world-readable | no-world-readable>;
    flag flag;
    memory-trace;
    no-remote-trace;
    no-default-memory-trace;
}

These statements are described in the following sections:

• Configuring the Number and Size of SNMP Log Files on page 204
• Configuring Access to the Log File on page 204
• Configuring a Regular Expression for Lines to Be Logged on page 205
• Configuring the Trace Operations on page 205

Configuring the Number and Size of SNMP Log Files


By default, when the trace file reaches 128 kilobytes (KB) in size, it is renamed filename.0,
then filename.1, and so on, until there are three trace files. Then the oldest trace file
(filename.2) is overwritten.

You can configure the limits on the number and size of trace files by including the following
statements at the [edit snmp traceoptions] hierarchy level:

[edit snmp traceoptions]
file files number size size;

For example, set the maximum file size to 2 MB, and the maximum number of files to 20.
When the file that receives the output of the tracing operation (filename) reaches 2 MB,
filename is renamed filename.0, and a new file called filename is created. When the new
filename reaches 2 MB, filename.0 is renamed filename.1 and filename is renamed
filename.0. This process repeats until there are 20 trace files. Then the oldest file
(filename.19) is overwritten by the newest file (filename.0).

The number of files can be from 2 through 1000 files. The file size of each file can be from
10 KB through 1 gigabyte (GB).

Configuring Access to the Log File


By default, log files can be accessed only by the user who configured the tracing operation.

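Trace files that log SNMP packets record the community string of each request (see
the show log snmpd example), so making them world-readable exposes those strings to
every user on the device. To specify that any user can read all log files, include the
file world-readable statement at the [edit snmp traceoptions] hierarchy level: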

[edit snmp traceoptions]
file world-readable;


To explicitly set the default behavior, include the file no-world-readable statement at the
[edit snmp traceoptions] hierarchy level:

[edit snmp traceoptions]
file no-world-readable;

Configuring a Regular Expression for Lines to Be Logged


By default, the trace operation output includes all lines relevant to the logged activities.

You can refine the output by including the match statement at the [edit snmp traceoptions
file filename] hierarchy level and specifying a regular expression (regex) to be matched:

[edit snmp traceoptions]
file filename match regular-expression;

Configuring the Trace Operations


By default, only important activities are logged. You can specify which trace operations
are to be logged by including the following flag statement (with one or more tracing
flags) at the [edit snmp traceoptions] hierarchy level:

[edit snmp traceoptions]
flag {
    all;
    configuration;
    database;
    events;
    general;
    interface-stats;
    nonvolatile-sets;
    pdu;
    policy;
    protocol-timeouts;
    routing-socket;
    server;
    subagent;
    timer;
    varbind-error;
}

Table 23 on page 205 describes the meaning of the SNMP tracing flags.

Table 23: SNMP Tracing Flags

Flag               Description                                                           Default Setting

all                Log all operations.                                                   Off
configuration      Log reading of the configuration at the [edit snmp] hierarchy level.  Off
database           Log events involving storage and retrieval in the events database.    Off
events             Log important events.                                                 Off
general            Log general events.                                                   Off
interface-stats    Log physical and logical interface statistics.                        Off
nonvolatile-sets   Log nonvolatile SNMP set request handling.                            Off
pdu                Log SNMP request and response packets.                                Off
policy             Log policy processing.                                                Off
protocol-timeouts  Log SNMP response timeouts.                                           Off
routing-socket     Log routing socket calls.                                             Off
server             Log communication with processes that are generating events.          Off
subagent           Log subagent restarts.                                                Off
timer              Log internal timer events.                                            Off
varbind-error      Log variable binding errors.                                          Off

To display the end of the log for an agent, issue the show log agentd | last operational
mode command:

[edit]
user@host# run show log agentd | last

where agent is the name of an SNMP agent.

Related Documentation

• Configuring SNMP on a Device Running Junos OS

• Configuration Statements at the [edit snmp] Hierarchy Level on page 84

• Example: Tracing SNMP Activity on page 206

• Configuring SNMP

Example: Tracing SNMP Activity

Supported Platforms M Series, MX Series, PTX Series, T Series

Trace information about SNMP packets:

[edit]
snmp {
    traceoptions {
        file size 10k files 5;
        flag pdu;
        flag protocol-timeouts;
        flag varbind-error;
    }
}

Related Documentation

• Configuring SNMP on a Device Running Junos OS

• Tracing SNMP Activity on a Device Running Junos OS on page 203

• Configuration Statements at the [edit snmp] Hierarchy Level on page 84



CHAPTER 11

SNMP FAQs

• Junos OS SNMP FAQ Overview on page 209


• Junos OS SNMP FAQs on page 210

Junos OS SNMP FAQ Overview

Supported Platforms EX Series, M Series, MX Series, PTX Series, QFabric System, QFX Series, SRX Series, T Series

This document presents the most frequently asked questions about the features and
technologies used to implement SNMP services on Juniper Networks devices using the
Junos operating system.

SNMP enables users to monitor network devices from a central location. Many network
management systems (NMS) are based on SNMP, and support for this protocol is a key
feature of most network devices.

Juniper Networks provides many different platforms that support SNMP on the Junos OS.
The Junos OS includes an onboard SNMP agent that provides remote management
applications with access to detailed information about the devices on the network.

A typical SNMP implementation contains three components:

• Managed devices – Such as routers and switches.

• SNMP agent – Process that resides on a managed device and communicates with the
NMS.

• NMS – A combination of hardware and software used to monitor and administer the
network; network device that runs SNMP manager software. Also referred to as an
SNMP manager.

The SNMP agent exchanges network management information with the SNMP manager
(NMS). The agent responds to requests for information and actions from the manager.
The SNMP manager collects information about network connectivity, activity, and events
by polling managed devices.

SNMP implementation in the Junos OS uses a master SNMP agent (known as an SNMP
process or snmpd) that resides on the managed device. Various subagents reside on
different modules of the Junos OS as well (such as the Routing Engine), and these
subagents are managed by the snmpd.


Related Documentation

• Junos OS SNMP FAQs on page 210

Junos OS SNMP FAQs

Supported Platforms EX Series, M Series, MX Series, PTX Series, QFabric System, QFX Series, SRX Series, T Series

This Frequently Asked Questions technology overview covers these SNMP-related areas:

• Junos OS SNMP Support FAQs on page 210


• Junos OS MIBs FAQs on page 211
• Junos OS SNMP Configuration FAQs on page 218
• SNMPv3 FAQs on page 222
• SNMP Interaction with Juniper Networks Devices FAQs on page 224
• SNMP Traps and Informs FAQs on page 226
• Junos OS Dual Routing Engine Configuration FAQs on page 232
• SNMP Support for Routing Instances FAQs on page 233
• SNMP Counters FAQs on page 234

Junos OS SNMP Support FAQs


This section presents frequently asked questions and answers related to SNMP support
on Junos OS.

Which SNMP versions does Junos OS support?

Junos OS supports SNMP version 1 (SNMPv1), version 2 (SNMPv2c), and version 3
(SNMPv3). By default, SNMP is disabled on a Juniper Networks device.

Which ports (sockets) does SNMP use?

The default port for SNMP queries is port 161. The default port for SNMP traps and informs
is port 162. The ports used by SNMP are configurable, and you can configure your system
to use ports other than the defaults.

Is SNMP support different among the Junos OS platforms?

No, SNMP support is not different among the Junos OS platforms. SNMP configuration,
interaction, and behavior are the same on any Junos OS device. The only difference that
might occur across platforms is MIB support.

See also SNMP MIB Explorer for a list of MIBs that are supported across the Junos OS
platforms.

Does Junos OS support the user-based security model (USM)?

Yes, Junos OS supports USM as part of its support for SNMPv3. SNMPv3 contains more
security measures than previous versions of SNMP, including providing a defined USM.
SNMPv3 USM provides message security through data integrity, data origin authentication,
message replay protection, and protection against disclosure of the message payload.


Does Junos OS support the view-based access control model (VACM)?

Yes, Junos OS supports VACM as part of its support for SNMPv3. SNMPv3 contains more
security measures than previous versions of SNMP, including providing a defined VACM.
SNMPv3 VACM determines whether a specific type of access (read or write) to the
management information is allowed.

Does Junos OS support SNMP informs?

Yes, Junos OS supports SNMP informs as part of its support for SNMPv3. SNMP informs
are confirmed notifications sent from SNMP agents to SNMP managers when significant
events occur on a network device. When an SNMP manager receives an inform, it sends
a response to the sender to verify receipt of the inform.

Can I provision or configure a device using SNMP on Junos OS?

No, provisioning or configuring a device using SNMP is not allowed on Junos OS.


Junos OS MIBs FAQs


This section presents frequently asked questions and answers related to Junos OS MIBs.

What is a MIB?

A management information base (MIB) is a table of definitions for managed objects in
a network device. MIBs are used by SNMP to maintain standard definitions of all of the
components and their operating conditions within a network device. Each object in the
MIB has an identifying code called an object identifier (OID).

MIBs are either standard or enterprise-specific. Standard MIBs are created by the Internet
Engineering Task Force (IETF) and documented in various RFCs. Enterprise-specific MIBs
are developed and supported by a specific equipment manufacturer.

For a list of supported standard MIBs, see “Standard SNMP MIBs Supported by Junos
OS” on page 30.

For a list of Juniper Networks enterprise-specific MIBs, see “Enterprise-Specific SNMP
MIBs Supported by Junos OS” on page 19.

Do MIB files reside on the Junos OS devices?

No, MIB files do not reside on the Junos OS devices. You must download the MIB files
from the Juniper Networks Technical Publications page for the required Junos OS release:
http://www.juniper.net/techpubs/en_US/release-independent/junos/mibs/mibs.html .

How do I compile and load the Junos OS MIBs onto an SNMP manager or NMS?

For your network management systems (NMSs) to identify and understand the MIB
objects used by Junos OS, you must first load the MIB files to your NMS using a MIB
compiler. A MIB compiler is a utility that parses the MIB information, such as the MIB
object names, IDs, and data types for the NMS.

You can download the Junos OS MIB package from the Enterprise-Specific MIBs and
Traps section at
http://www.juniper.net/techpubs/en_US/release-independent/junos/mibs/mibs.html or
http://www.juniper.net/techpubs/software/junos/index.html .

The Junos OS MIB package has two folders: StandardMibs, containing standard MIBs
supported on Juniper Networks devices, and JuniperMibs, containing Juniper Networks
enterprise-specific MIBs. You must have the required standard MIBs downloaded and
decompressed before downloading any enterprise-specific MIBs. There might be
dependencies that require a particular standard MIB to be present on the compiler before
loading a particular enterprise-specific MIB.

The Junos OS MIB package is available in .zip and .tar formats. Download the format
appropriate for your requirements.

Use the following steps to load MIB files for devices running Junos OS:

1. Navigate to the appropriate Juniper Networks software download page and locate
the Enterprise MIBs link under the Enterprise-Specific MIBs and Traps section.

NOTE: Although the link is titled Enterprise MIBs, both standard MIBs and
enterprise-specific MIBs are available for download from this location.

2. Click the TAR or ZIP link to download the Junos OS MIB package.

3. Decompress the file (.tar or .zip) using an appropriate utility.

NOTE: Some commonly used MIB compilers are preloaded with standard
MIBs. You can skip Step 4 and Step 5 and proceed to Step 6 if you already
have the standard MIBs loaded on your system.

4. Load the standard MIB files from the StandardMibs folder.

Load the files in the following order:

a. mib-SNMPv2-SMI.txt

b. mib-SNMPv2-TC.txt

c. mib-IANAifType-MIB.txt

d. mib-IANA-RTPROTO-MIB.txt

e. mib-rfc1907.txt

f. mib-rfc2011a.txt

g. mib-rfc2012a.txt


h. mib-rfc2013a.txt

i. mib-rfc2863a.txt

5. Load any remaining standard MIB files.

NOTE: You must follow the order specified in this procedure, and ensure
that all standard MIBs are loaded before you load the enterprise-specific
MIBs. There might be dependencies that require a particular standard MIB
to be present on the compiler before loading a particular enterprise-specific
MIB. Dependencies are listed in the IMPORT section of the MIB file.

6. After loading the standard MIBs, load the Juniper Networks enterprise-specific SMI
MIB, mib-jnx-smi.txt, and the following optional SMI MIBs based on your requirements:

• mib-jnx-exp.txt—(Recommended) for Juniper Networks experimental MIB objects

• mib-jnx-js-smi.txt—(Optional) for Juniper Security MIB tree objects

• mib-jnx-ex-smi.txt—(Optional) for EX Series Ethernet Switches

7. Load any remaining desired enterprise-specific MIBs from the JuniperMibs folder.

TIP: While loading a MIB file, if the compiler returns an error message
indicating that any of the objects are undefined, open the MIB file using a
text editor and ensure that all the MIB files listed in the IMPORT section
are loaded on the compiler. If any of the MIB files listed in the IMPORT
section are not loaded on the compiler, load the missing file or files first,
then try to load the MIB file that failed.

The system might return an error if files are not loaded in a particular order.
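
The IMPORT check from the TIP above can be run before anything is loaded into the compiler. The following Python code is an added example, not part of the Juniper guide: it reads the IMPORTS clause of each MIB file, reports modules that are imported but not present, and returns a load order in which every file comes after the files it depends on. The module texts are constructed and abridged, and the mib-example-* file names and EXAMPLE-* module names are hypothetical.

```python
import re
from graphlib import TopologicalSorter  # Python 3.9+

# Constructed, abridged module texts keyed by file name (hypothetical EXAMPLE-* modules).
MIB_FILES = {
    "mib-example-chassis.txt": """
EXAMPLE-CHASSIS-MIB DEFINITIONS ::= BEGIN
IMPORTS
    OBJECT-TYPE, Integer32       FROM SNMPv2-SMI   -- base SMI
    DisplayString                FROM SNMPv2-TC
    ifIndex                      FROM IF-MIB
    exampleMibs                  FROM EXAMPLE-SMI;
END
""",
    "mib-example-smi.txt": """
EXAMPLE-SMI DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, enterprises FROM SNMPv2-SMI;
END
""",
    "mib-SNMPv2-TC.txt": """
SNMPv2-TC DEFINITIONS ::= BEGIN
IMPORTS
    TimeTicks FROM SNMPv2-SMI;
END
""",
    "mib-SNMPv2-SMI.txt": """
SNMPv2-SMI DEFINITIONS ::= BEGIN
-- the base module imports nothing
END
""",
}


def module_info(text):
    """Return (module name, sorted list of modules named in the IMPORTS clause)."""
    text = re.sub(r"--.*", "", text)  # drop ASN.1 comments that run to end of line
    name = re.search(r"([A-Za-z][\w-]*)\s+DEFINITIONS\s*::=\s*BEGIN", text)
    if name is None:
        raise ValueError("no 'DEFINITIONS ::= BEGIN' header found")
    block = re.search(r"\bIMPORTS\b(.*?);", text, re.S)
    deps = re.findall(r"\bFROM\s+([A-Za-z][\w-]*)", block.group(1)) if block else []
    return name.group(1), sorted(set(deps))


def load_plan(files):
    """Return (file load order, {module: [imported modules that are not present]}).

    graphlib raises CycleError if the modules import each other in a loop.
    """
    modules = {}  # module name -> (file name, imported module names)
    for fname, text in files.items():
        name, deps = module_info(text)
        modules[name] = (fname, deps)
    missing = {}
    graph = {}
    for name, (_, deps) in modules.items():
        absent = [d for d in deps if d not in modules]
        if absent:
            missing[name] = absent
        graph[name] = [d for d in deps if d in modules]
    order = [modules[m][0] for m in TopologicalSorter(graph).static_order()]
    return order, missing


if __name__ == "__main__":
    order, missing = load_plan(MIB_FILES)
    print("load order:", order)
    print("missing imports:", missing)
```

A non-empty missing result names the modules whose files still have to be obtained and loaded first, which is the condition the TIP describes.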

What is SMI?

Structure of Management Information Version (SMI) is a subset of Abstract Syntax
Notation One (ASN.1), which describes the structure of objects. SMI is the notation syntax,
or “grammar”, that is the standard for writing MIBs.

Which versions of SMI does Junos OS support?

The Junos OS supports SMIv1 for SNMPv1 MIBs, and SMIv2 for SNMPv2c and enterprise
MIBs.

Does Junos OS support MIB II?

Yes, Junos OS supports MIB II, the second version of the MIB standard.

The features of MIB II include:

• Additions that reflect new operational requirements.

• Backward compatibility with the original MIBs and SNMP.


• Improved support for multiprotocol entities.

• Improved readability.

Refer to the relevant release documentation for a list of MIBs that are supported. Go to
http://www.juniper.net/techpubs/software/junos/index.html .

Are the same MIBs supported across all Juniper Networks devices?

There are some common MIBs supported by all the Junos OS devices, such as the Interface
MIB (ifTable), System MIB, and Chassis MIB. Some MIBs are supported only by
functionalities on specific platforms. For example, the Bridge MIB is supported on the EX
Series Ethernet Switches and the SRX Series Services Gateways for the branch.

What is the system object identifier (SYSOID) of a device? How do I determine the
SYSOID of my device?

The jnx-chas-defines (Chassis Definitions for Router Model) MIB has a jnxProductName
branch for every Junos OS device. The system object ID of a device is identical to the
object ID of the jnxProductName for the platform. For example, for an M7i Multiservice
Edge Router, the jnxProductNameM7i is .1.3.6.1.4.1.2636.1.1.1.2.10 in the jnxProductName
branch, which is identical to the SYSOID of the M7i (.1.3.6.1.4.1.2636.1.1.1.2.10).

How can I determine if a MIB is supported on a platform? How can I determine which
MIBs are supported by a device?

MIB support by device and platform is listed in the Junos OS Technical Documentation.
See “Enterprise-Specific SNMP MIBs Supported by Junos OS” on page 19 and “Standard
SNMP MIBs Supported by Junos OS” on page 30 to view the list of MIBs and
supported Junos OS devices.

What can I do if the MIB OID query is not responding?

There can be various reasons why the MIB OID query stops responding. One reason could
be that the MIB itself is unresponsive. To verify that the MIB responds, use the show snmp
mib (walk | get) (MIB name | MIB OID) command:

• If the MIB responds, the communication issue exists between the SNMP master and
SNMP agent. Possible reasons for this issue include network issues, an incorrect
community configuration, an incorrect SNMP configuration, and so on.

• If the MIB does not respond, enable SNMP traceoptions to log PDUs and errors. All
incoming and outgoing SNMP PDUs are logged. Check the traceoptions output to see
if there are any errors.

If you continue to have problems with the MIB OID query, technical product support is
available through the Juniper Networks Technical Assistance Center (JTAC).

What is the enterprise branch number for Junos OS?

The enterprise branch number for Junos OS is 2636. Enterprise branch numbers are used
in SNMP MIB configurations, and they are also known as SMI network management
private enterprise codes.


Which MIB displays the hardware and chassis details on a Juniper Networks device?

The Chassis MIB (jnxchassis.mib) displays the hardware and chassis details for each
Juniper Networks device. It provides information about the router and its components.
The Chassis MIB objects represent each component and its status.

Which MIB objects can I query to determine the CPU and memory utilization of the
Routing Engine, Flexible PIC Concentrator (FPC), and PIC components on a device?

Query the Chassis MIB objects jnxOperatingMemory, jnxOperatingBuffer, and
jnxOperatingCPU to find out the CPU and memory utilization of the hardware components
of a device.

Is the interface index (ifIndex) persistent?

The ifIndex is persistent when reboots occur if the Junos OS version remains the same,
meaning the values assigned to the interfaces in the ifIndex do not change.

When there is a software upgrade, the device tries to keep the ifIndex persistent on a
best effort basis. For Junos OS Release 10.0 and earlier, the ifIndex is not persistent when
there is a software upgrade to Junos OS Release 10.1 and later.

Is it possible to set the ifAdminStatus?

SNMP is not allowed to set the ifAdminStatus.

Which MIB objects support SNMP set operations?

The Junos OS SNMP set operations are supported in the following MIB tables and
variables:

• snmpCommunityTable

• eventTable

• alarmTable

• snmpTargetAddrExtTable

• jnxPingCtlTable

• pingCtlTable

• traceRouteCtlTable

• jnxTraceRouteCtlTable

• sysContact.0

• sysName.0

• sysLocation.0

• pingMaxConcurrentRequests.0

• traceRouteMaxConcurrentRequests.0

• usmUserSpinLock

• usmUserOwnAuthKeyChange

• usmUserPublic

• vacmSecurityToGroupTable (vacmGroupName, vacmSecurityToGroupStorageType,
and vacmSecurityToGroupStatus)

• vacmAccessTable (vacmAccessContextMatch, vacmAccessReadViewName,
vacmAccessWriteViewName, vacmAccessNotifyViewName, vacmAccessStorageType,
and vacmAccessStatus)

• vacmViewSpinLock

• vacmViewTreeFamilyTable (vacmViewTreeFamilyMask, vacmViewTreeFamilyType,
vacmViewTreeFamilyStorageType, and vacmViewTreeFamilyStatus)

Does Junos OS support remote monitoring (RMON)?

Yes, Junos OS supports RMON as defined in RFC 2819, Remote Network Monitoring
Management Information Base. However, remote monitoring version 2 (RMON 2) is not
supported.

Can I use SNMP to determine the health of the processes running on the Routing
Engine?

Yes, you can use SNMP to determine the health of the Routing Engine processes by
configuring the health monitoring feature. On Juniper Networks devices, RMON alarms
and events provide much of the infrastructure needed to reduce the polling overhead
from the NMS. However, you must set up the NMS to configure specific MIB objects into
RMON alarms. This often requires device-specific expertise and customizing the
monitoring application. Additionally, some MIB object instances that need monitoring
are set only at initialization, or they change at runtime and cannot be configured in
advance.

To address these issues, the health monitor extends the RMON alarm infrastructure to
provide predefined monitoring for a selected set of object instances, such as file system
usage, CPU usage, and memory usage, and includes support for unknown or dynamic
object instances, such as Junos OS software processes.

To display the health monitoring configuration, use the show snmp health-monitor
command:

user@host> show snmp health-monitor
interval 300;
rising-threshold 90;
falling-threshold 80;

When you configure the health monitor, monitoring information for certain object instances
is available, as shown in Table 24 on page 217.

Table 24: Monitored Object Instances

Object                       Description

jnxHrStoragePercentUsed.1    Monitors the following file system on the router or switch: /dev/ad0s1a.
                             This is the root file system mounted on /.

jnxHrStoragePercentUsed.2    Monitors the following file system on the router or switch: /dev/ad0s1e.
                             This is the configuration file system mounted on /config.

jnxOperatingCPU (RE0)        Monitor CPU usage for Routing Engines RE0 and RE1. The index values assigned to the
jnxOperatingCPU (RE1)        Routing Engines depend on whether the Chassis MIB uses a zero-based or a ones-based
                             indexing scheme. Because the indexing scheme is configurable, the correct index is
                             determined whenever the router is initialized and when there is a configuration change.
                             If the router or switch has only one Routing Engine, the alarm entry monitoring RE1 is
                             removed after five failed attempts to obtain the CPU value.

jnxOperatingBuffer (RE0)     Monitor the amount of memory available on Routing Engines RE0 and RE1. Because
jnxOperatingBuffer (RE1)     the indexing of this object is identical to that used for jnxOperatingCPU, index values
                             are adjusted depending on the indexing scheme used in the Chassis MIB. As with
                             jnxOperatingCPU, the alarm entry monitoring RE1 is removed if the router or switch
                             has only one Routing Engine.

sysApplElmtRunCPU            Monitors the CPU usage for each Junos OS software process. Multiple instances of
                             the same process are monitored and indexed separately.

sysApplElmtRunMemory         Monitors the memory usage for each Junos OS software process. Multiple instances
                             of the same process are monitored and indexed separately.

The system log entries generated for any health monitor events, such as thresholds
crossed and errors, have a corresponding HEALTHMONITOR tag rather than a generic
SNMPD_RMON_EVENTLOG tag. However, the health monitor sends generic RMON
risingThreshold and fallingThreshold traps.

Are the Ping MIBs returned in decimal notation and ASCII?

Yes, both decimal notation and ASCII are supported, which is the standard implementation
in SNMP. All strings are ASCII encoded.

The following example displays the Ping MIB in hexadecimal notation:

pingCtlTargetAddress.2.69.72.9.116.99.112.115.97.109.112.108.101 = 0a fa 01 02

This translates to ASCII:

pingCtlTargetAddress."EH"."tcpsample" = 0a fa 01 02
2 = length of the first string
69 = E
72 = H
9 = length of the second string
116 = t
99 = c
112 = p
115 = s
97 = a
109 = m
112 = p
108 = l
101 = e

As of Junos OS Release 9.6 and later, the Junos OS CLI returns ASCII values using the
command show snmp mib get | get-next | walk ascii.

The following example shows the output with the ASCII option:

user@host> show snmp mib walk pingCtlTargetAddress ascii
pingCtlTargetAddress."EH"."httpgetsample" = http://www.yahoo.com
pingCtlTargetAddress."p1"."t2" = 74 c5 b3 06
pingCtlTargetAddress."p1"."t3" = 74 c5 b2 0c

The following example shows the output without the ASCII option:

user@host> show snmp mib walk pingCtlTargetAddress
pingCtlTargetAddress.2.69.72.13.104.116.116.112.103.101.116.115.97.109.112.108.101 = http://www.yahoo.com
pingCtlTargetAddress.2.112.49.2.116.50 = 74 c5 b3 06
pingCtlTargetAddress.2.112.49.2.116.51 = 74 c5 b2 0c

You can convert decimal and ASCII values using a decimal ASCII chart like the one at
http://www.asciichart.com .
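The length-prefixed index encoding walked through above can be converted mechanically in both directions. The following Python is an added example, not part of the Junos documentation; the function names are hypothetical and it assumes each index string is printable ASCII preceded by its length, as in the pingCtlTargetAddress lines shown.

```python
import re

# name.index [= value], where index is a run of dotted decimal sub-identifiers
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w-]*)\.(?P<index>\d+(?:\.\d+)*)(?P<rest>\s*=.*)?$")


def decode_index(index):
    """Split '2.69.72.9.116...' into the strings it encodes, e.g. ['EH', 'tcpsample']."""
    subids = [int(s) for s in index.strip(".").split(".")]
    strings, pos = [], 0
    while pos < len(subids):
        length = subids[pos]                      # first sub-identifier: string length
        chunk = subids[pos + 1:pos + 1 + length]  # next <length> sub-identifiers: characters
        if len(chunk) != length:
            raise ValueError("index is truncated: %d characters promised at position %d, "
                             "%d present" % (length, pos, len(chunk)))
        if not all(0x20 <= c <= 0x7E for c in chunk):
            raise ValueError("string at position %d is not printable ASCII" % pos)
        strings.append("".join(map(chr, chunk)))
        pos += 1 + length
    return strings


def encode_index(strings):
    """Inverse of decode_index: ['p1', 't2'] -> '2.112.49.2.116.50'."""
    subids = []
    for text in strings:
        data = text.encode("ascii")   # raises UnicodeEncodeError on non-ASCII input
        subids.append(len(data))
        subids.extend(data)
    return ".".join(str(n) for n in subids)


def to_ascii_form(line):
    """Rewrite one numeric walk line in the quoted form printed by the ascii option."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError("not a 'name.index [= value]' line: %r" % line)
    quoted = ".".join('"%s"' % s for s in decode_index(match.group("index")))
    return "%s.%s%s" % (match.group("name"), quoted, match.group("rest") or "")


if __name__ == "__main__":
    # Numeric lines taken from the examples on this page.
    for sample in (
        "pingCtlTargetAddress.2.69.72.9.116.99.112.115.97.109.112.108.101 = 0a fa 01 02",
        "pingCtlTargetAddress.2.112.49.2.116.50 = 74 c5 b3 06",
    ):
        print(to_ascii_form(sample))
```

A truncated index, such as one cut off by a line wrap in a log, raises ValueError instead of returning a partial name.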

Is IPv6 supported by the Ping MIB for remote operations?

No, IPv6 is not supported.

Is there an SNMP MIB to show Address Resolution Protocol (ARP) table information?
Are both IP and MAC addresses displayed in the same table?

Yes, the Junos OS supports the standard MIB ipNetToMediaTable, which is described in
RFC 2011, SNMPv2 Management Information Base for the Internet Protocol using SMIv2.
This table is used for mapping IP addresses to their corresponding MAC addresses.

Junos OS SNMP Configuration FAQs


This section presents frequently asked questions and answers related to Junos OS SNMP
configuration.

Can the Junos OS be configured for SNMPv1 and SNMPv3 simultaneously?

Yes, SNMP has backward compatibility, meaning that all three versions can be enabled
simultaneously.

Can I filter specific SNMP queries on a device?

Yes, you can filter specific SNMP queries on a device using exclude and include statements.

The following example shows a configuration that blocks read-write operation on all
OIDs under .1.3.6.1.2.1.1 for the community test:

user@host# show snmp
view system-exclude {
    oid .1.3.6.1.2.1.1 exclude;
    oid .1 include;
}
community test {
    view system-exclude;
    authorization read-write;
}

Can I change the SNMP agent engine ID?

Yes, the SNMP agent engine ID can be changed to the MAC address of the device, the IP
address of the device, or any other desired value. Several examples are included here.

The following example shows how to use the MAC address of a device as the SNMP
agent engine ID:

user@host# show snmp
engine-id {
    use-mac-address;
}

The following example shows how to use the IP address of a device as the SNMP agent
engine ID:

user@host# show snmp
engine-id {
    use-default-ip-address;
}

The following example shows the use of a selected value, AA in this case, as the SNMP
agent engine ID of a device:

user@host# show snmp
engine-id {
    local AA;
}

How can I configure a device with dual Routing Engines or a chassis cluster (SRX Series
Services Gateways) for continued communication during a switchover?

When configuring for continued communication, the SNMP configuration should be
identical between the Routing Engines. However, it is best to have separate Routing
Engine IDs configured for each Routing Engine, especially when using SNMPv3.

The following example shows the configuration of the Routing Engines in a dual Routing
Engine device. Notice that the Routing Engine IDs are set to the MAC addresses for each
Routing Engine:

user@host# show groups
re0 {
    system {
        host-name PE3-re0;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 116.197.178.14/27;
                    address 116.197.178.29/27 {
                        master-only;
                    }
                }
            }
        }
    }
    snmp {
        engine-id {
            use-mac-address;
        }
    }
}
re1 {
    system {
        host-name PE3-re1;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 116.197.178.11/27;
                    address 116.197.178.29/27 {
                        master-only;
                    }
                }
            }
        }
    }
    snmp {
        engine-id {
            use-mac-address;
        }
    }
}

The following is an example of an SNMPv3 configuration on a dual Routing Engine device:

user@host> show snmp name host1
v3 {
    vacm {
        security-to-group {
            security-model usm {
                security-name test123 {
                    group test1;
                }
                security-name juniper {
                    group test1;
                }
            }
        }
        access {
            group test1 {
                default-context-prefix {
                    security-model any {
                        security-level authentication {
                            read-view all;
                        }
                    }
                }
                context-prefix MGMT_10 {
                    security-model any {
                        security-level authentication {
                            read-view all;
                        }
                    }
                }
            }
        }
    }
    target-address server1 {
        address 116.197.178.20;
        tag-list router1;
        routing-instance MGMT_10;
        target-parameters test;
    }
    target-parameters test {
        parameters {
            message-processing-model v3;
            security-model usm;
            security-level authentication;
            security-name juniper;
        }
        notify-filter filter1;
    }
    notify server {
        type trap;
        tag router1;
    }
    notify-filter filter1 {
        oid .1 include;
    }
    view all {
        oid .1 include;
    }
    community public {
        view all;
    }
    community comm1;
    community comm2;
    community comm3 {
        view all;
        authorization read-only;
        logical-system LDP-VPLS {
            routing-instance vpls-server1;
        }
    }
    trap-group server1 {
        targets {
            116.197.179.22;
        }
    }
    routing-instance-access;
    traceoptions {
        flag all;
    }
}

How can I track SNMP activities?

SNMP trace operations track activity of SNMP agents and record the information in log
files.

A sample traceoptions configuration might look like this:

[edit snmp]
user@host# set traceoptions flag all

When the traceoptions flag all statement is included at the [edit snmp] hierarchy level,
the following log files are created:

• snmpd

• mib2d

• rmopd

Related Documentation

• Junos OS SNMP Support FAQs on page 210

• Junos OS MIBs FAQs on page 211

• SNMPv3 FAQs on page 222

• SNMP Interaction with Juniper Networks Devices FAQs on page 224

• SNMP Traps and Informs FAQs on page 226

• SNMP Support for Routing Instances FAQs on page 233

• SNMP Counters FAQs on page 234

SNMPv3 FAQs

This section presents frequently asked questions and answers related to SNMPv3.

Why is SNMPv3 important?

SNMPv3 provides enhanced security compared to the other versions of SNMP. It provides
authentication and encryption of data. Enhanced security is important for managing
devices at remote sites from the management stations.

In my system, the MIB object snmpEngineBoots is not in sync between two Routing
Engines in a dual Routing Engine device. Is this normal behavior?

Yes, this is the expected behavior. Each Routing Engine runs its own SNMP process
(snmpd), allowing each Routing Engine to maintain its own engine boots. However, if
both Routing Engines have the same engine ID and the Routing Engine with the lower
snmpEngineBoots value is selected as the master Routing Engine during the switchover
process, the snmpEngineBoots value of the master Routing Engine is synchronized with
the snmpEngineBoots value of the other Routing Engine.

Do I need the SNMP manager engine object identifier (OID) for informs?

Yes, the engine OID of the SNMP manager is required for authentication, and informs do
not work without it.

I see the configuration of informs under the [edit snmp v3] hierarchy. Does this mean
I cannot use informs with SNMPv2c?

Informs can be used with SNMPv2c. The following example shows the basic configuration
for SNMPv3 informs on a device (note that authentication and privacy are set to none):

[edit snmp]
v3 {
    usm {
        remote-engine 00000063000100a2c0a845b3 {
            user RU2_v3_sha_none {
                authentication-none;
                privacy-none;
            }
        }
    }
    vacm {
        security-to-group {
            security-model usm {
                security-name RU2_v3_sha_none {
                    group g1_usm_auth;
                }
            }
        }
        access {
            group g1_usm_auth {
                default-context-prefix {
                    security-model usm {
                        security-level authentication {
                            read-view all;
                            write-view all;
                            notify-view all;
                        }
                    }
                }
            }
        }
    }
    target-address TA2_v3_sha_none {
        address 192.168.69.179;
        tag-list tl1;
        address-mask 255.255.252.0;
        target-parameters TP2_v3_sha_none;
    }
    target-parameters TP2_v3_sha_none {
        parameters {
            message-processing-model v3;
            security-model usm;
            security-level none;
            security-name RU2_v3_sha_none;
        }
        notify-filter nf1;
    }
    notify N1_all_tl1_informs {
        type inform; # Replace “inform” with “trap” to convert informs to traps.
        tag tl1;
    }
    notify-filter nf1 {
        oid .1 include;
    }
    view all {
        oid .1 include;
    }
}

You can convert the SNMPv3 informs to traps by setting the value of the type statement
at the [edit snmp v3 notify N1_all_tl1_informs] hierarchy level to trap as shown in the
following example:

user@host# set snmp v3 notify N1_all_tl1_informs type trap

SNMP Interaction with Juniper Networks Devices FAQs


This section presents frequently asked questions and answers related to how SNMP
interacts with Juniper Networks devices.

How frequently should a device be polled? What is a good polling rate?

It is difficult to give an absolute number for the rate of SNMP polls per second since the
rate depends on the following two factors:

• The number of variable bindings in a protocol data unit (PDU)

• The response time for an interface from the Packet Forwarding Engine

In a normal scenario where no delay is being introduced by the Packet Forwarding Engine
and there is one variable per PDU (a Get request), the response rate is 130+ responses
per second. However, with multiple variables in an SNMP request PDU (30 to 40 for
GetBulk requests), the number of responses per second is much lower. Because the Packet
Forwarding Engine load can vary for each system, there is greater variation in how
frequently a device should be polled.

Frequent polling of a large number of counters, especially statistics, can impact the
device. We recommend the following optimization on the SNMP managers:

• Use the row-by-row polling method, not the column-by-column method.

• Reduce the number of variable bindings per PDU.

• Increase timeout values in polling and discovery intervals.

• Reduce the incoming packet rate at the SNMP process (snmpd).

For better SNMP response on the device, the Junos OS does the following:

• Filters out duplicate SNMP requests.

• Excludes interfaces that are slow in response from SNMP queries.

One way to determine a rate limit is to note an increase in the Currently Active count from
the show snmp statistics extensive command.

The following is a sample output of the show snmp statistics extensive command:

user@host> show snmp statistics extensive
SNMP statistics:
  Input:
    Packets: 226656, Bad versions: 0, Bad community names: 0,
    Bad community uses: 0, ASN parse errors: 0,
    Too bigs: 0, No such names: 0, Bad values: 0,
    Read onlys: 0, General errors: 0,
    Total request varbinds: 1967606, Total set varbinds: 0,
    Get requests: 18478, Get nexts: 75794, Set requests: 0,
    Get responses: 0, Traps: 0,
    Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
    Throttle drops: 27084, Duplicate request drops: 0
  V3 Input:
    Unknown security models: 0, Invalid messages: 0
    Unknown pdu handlers: 0, Unavailable contexts: 0
    Unknown contexts: 0, Unsupported security levels: 0
    Not in time windows: 0, Unknown user names: 0
    Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
  Output:
    Packets: 226537, Too bigs: 0, No such names: 0,
    Bad values: 0, General errors: 0,
    Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 226155, Traps: 382
  SA Control Blocks:
    Total: 222984, Currently Active: 501, Max Active: 501,
    Not found: 0, Timed Out: 0, Max Latency: 25
  SA Registration:
    Registers: 0, Deregisters: 0, Removes: 0
  Trap Queue Stats:
    Current queued: 0, Total queued: 0, Discards: 0, Overflows: 0
  Trap Throttle Stats:
    Current throttled: 0, Throttles needed: 0
  Snmp Set Stats:
    Commit pending failures: 0, Config lock failures: 0
    Rpc failures: 0, Journal write failures: 0
    Mgd connect failures: 0, General commit failures: 0
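To watch the Currently Active count over time, as suggested above, an NMS-side script can parse two captures of this output and compare them. The following Python is an added example, not Juniper code; the two snapshots are constructed, the function names are hypothetical, and treating new Throttle drops as a second signal is an assumption of this example.

```python
import re

# Two snapshots in the layout of "show snmp statistics extensive", trimmed to a
# few sections. The numbers are constructed for this example.
SNAPSHOT_T0 = """\
SNMP statistics:
  Input:
    Packets: 226656, Bad versions: 0, Bad community names: 0,
    Get requests: 18478, Get nexts: 75794, Set requests: 0,
    Throttle drops: 27084, Duplicate request drops: 0
  Output:
    Packets: 226537, Too bigs: 0, No such names: 0,
    Get responses: 226155, Traps: 382
  SA Control Blocks:
    Total: 222984, Currently Active: 12, Max Active: 501,
    Not found: 0, Timed Out: 0, Max Latency: 25
"""
SNAPSHOT_T1 = """\
SNMP statistics:
  Input:
    Packets: 229656, Bad versions: 0, Bad community names: 0,
    Get requests: 18978, Get nexts: 78294, Set requests: 0,
    Throttle drops: 27484, Duplicate request drops: 0
  Output:
    Packets: 229137, Too bigs: 0, No such names: 0,
    Get responses: 228755, Traps: 382
  SA Control Blocks:
    Total: 225584, Currently Active: 340, Max Active: 501,
    Not found: 0, Timed Out: 0, Max Latency: 25
"""

COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?):\s*(\d+)")
CUMULATIVE = [("Input", "Packets"), ("Output", "Packets"), ("Input", "Throttle drops")]
ACTIVE = ("SA Control Blocks", "Currently Active")


def parse_statistics(text):
    """Return {(section, counter): value}. Counter names such as Packets repeat
    across sections, so the section name is part of the key."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # "Input:", "V3 Input:", "SA Control Blocks:", ...
            section = line[:-1]
            continue
        for name, value in COUNTER_RE.findall(line):
            stats[(section, name.strip())] = int(value)
    return stats


def compare(before, after, seconds):
    """Summarise what changed between two snapshots taken `seconds` apart."""
    for key in CUMULATIVE + [ACTIVE]:
        if key not in before or key not in after:
            raise KeyError("counter missing from snapshot: %s / %s" % key)
    deltas = {key: after[key] - before[key] for key in CUMULATIVE}
    if any(delta < 0 for delta in deltas.values()):
        # Cumulative counters only go backwards if the SNMP process restarted
        # or the statistics were cleared between the two captures.
        raise ValueError("cumulative counter decreased; snapshots are not comparable")
    return {
        "packets_in_per_second": deltas[("Input", "Packets")] / seconds,
        "packets_out_per_second": deltas[("Output", "Packets")] / seconds,
        "throttle_drops": deltas[("Input", "Throttle drops")],
        "active_before": before[ACTIVE],
        "active_after": after[ACTIVE],
        "active_rising": after[ACTIVE] > before[ACTIVE],
    }


def polling_too_aggressive(report):
    """A rising Currently Active count is the signal named on this page; counting
    new throttle drops as well is this example's assumption."""
    return report["active_rising"] or report["throttle_drops"] > 0


if __name__ == "__main__":
    result = compare(parse_statistics(SNAPSHOT_T0), parse_statistics(SNAPSHOT_T1), 60)
    print(result, polling_too_aggressive(result))
```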

Does SNMP open dynamic UDP ports? Why?

The SNMP process opens two additional ports (sockets): one for IPv4 and one for IPv6.
This enables the SNMP process to send traps.

I am unable to perform a MIB walk on the ifIndex. Why is this?

Any variable bindings or values with an access level of not-accessible cannot be queried
directly because they are part of other variable bindings in the SNMP MIB table. The
ifIndex has an access level of not-accessible. Therefore, it cannot be accessed directly
because it is part of the variable bindings. However, the ifIndex can be accessed indirectly
through the variable bindings.

I see SNMP_IPC_READ_ERROR messages when the SNMP process restarts on my system
and also during Routing Engine switchover. Is this acceptable?

Yes, it is acceptable to see SNMP_IPC_READ_ERROR messages when the SNMP process
is restarted, the system reboots, or during a Routing Engine switchover. If all the processes
come up successfully and the SNMP operations are working properly, then these messages
can be ignored.

What is the source IP address used in the response PDUs for SNMP requests? Can this
be configured?

The source IP address used in the response PDUs for SNMP requests is the IP address
of the outgoing interface to reach the destination. The source IP address cannot be
configured for responses. It can only be configured for traps.

SNMP Traps and Informs FAQs


This section presents frequently asked questions and answers related to SNMP traps
and informs.

Does the Junos OS impose any rate limiting on SNMP trap generation?

The Junos OS implements a trap-queuing mechanism to limit the number of traps that
are generated and sent.

If a trap delivery fails, the trap is added back to the queue, and the delivery attempt
counter and the next delivery attempt timer for the queue are reset. Subsequent attempts
occur at progressive intervals of 1, 2, 4, and 8 minutes. The maximum delay between the
attempts is 8 minutes, and the maximum number of attempts is 10. After 10 unsuccessful
attempts, the destination queue and all traps in the queue are deleted.

Junos OS also has a throttle threshold mechanism to control the number of traps sent
(default 500 traps) during a particular throttle interval (default 5 seconds). This helps
ensure consistency in trap traffic, especially when a large number of traps are generated
due to interface status changes.

The throttle interval begins when the first trap arrives at the throttle. All traps within the
throttle threshold value are processed, and traps exceeding the threshold value are
queued. The maximum size of all trap queues (the throttle queue and the destination
queue) is 40,000 traps. The maximum size of any one queue is 20,000 traps. When a
trap is added to the throttle queue, or if the throttle queue has exceeded the maximum
size, the trap is moved to the top of the destination queue. Further attempts to send the
trap from the destination queue are stopped for a 30-second period, after which the
destination queue restarts sending the traps.

NOTE: For the Juniper Networks EX Series Ethernet Switch, the maximum
size of all trap queues (the throttle queue and the destination queue) is 1,000
traps. The maximum size for any one queue on the EX Series is 500 traps.

I did not see a trap when I had a syslog entry with a critical severity. Is this normal?
Can it be changed?

Not every syslog entry with critical severity is a trap. However, you can convert any syslog
entry to a trap using the event-options statement.

The following example shows how to configure a jnxSyslogTrap whenever an
rpd_ldp_nbrdown syslog entry message error occurs.

user@host> show event-options
policy snmptrap {
    events rpd_ldp_nbrdown;
    then {
        raise-trap;
    }
}

Are SNMP traps compliant with the Alarm Reporting Function (X.733) on the Junos
OS?

No, SNMP traps on the Junos OS are not X.733 compliant.

Can I set up filters for traps or informs?

Traps and informs can be filtered based on the trap category and the object identifier.
You can specify categories of traps to receive per host by using the categories statement
at the [edit snmp trap-group trap-group] hierarchy level. Use this option when you want
to monitor only specific modules of the Junos OS.

The following example shows a sample configuration for receiving only link, vrrp-events,
services, and otn-alarms traps:

[edit snmp]
trap-group jnpr {
    categories {
        link;
        vrrp-events;
        services;
        otn-alarms;
    }
    targets {
        192.168.69.179;
    }
}

The Junos OS also has a more advanced filter option (notify-filter) for filtering specific
traps or a group of traps based on their object identifiers.

The SNMPv3 configuration also supports filtering of SNMPv1 and SNMPv2 traps and
excluding Juniper Networks enterprise-specific configuration management traps, as
shown in the following configuration example:

[edit snmp]
v3 {
    vacm {
        security-to-group {
            security-model v2c {
                security-name sn_v2c_trap {
                    group gr_v2c_trap;
                }
            }
        }
        access {
            group gr_v2c_trap {
                default-context-prefix {
                    security-model v2c {
                        security-level none {
                            read-view all;
                            notify-view all;
                        }
                    }
                }
            }
        }
    }
    target-address TA_v2c_trap {
        address 10.209.196.166;
        port 9001;
        tag-list tg1;
        target-parameters TP_v2c_trap;
    }
    target-parameters TP_v2c_trap {
        parameters {
            message-processing-model v2c;
            security-model v2c;
            security-level none;
            security-name sn_v2c_trap;
        }
        notify-filter nf1;
    }
    notify v2c_notify {
        type trap;
        tag tg1;
    }
    notify-filter nf1 {
        oid .1.3.6.1.4.1.2636.4.5 exclude;
        oid .1 include;
    }
    snmp-community index1 {
        community-name "$9$tDLl01h7Nbw2axN"; ## SECRET-DATA
        security-name sn_v2c_trap;
        tag tg1;
    }
    view all {
        oid .1 include;
    }
}
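The view system-exclude statement in the configuration FAQs and the notify-filter nf1 statement above both pair a broad include with a narrower exclude. The following Python is an added example, not Juniper code: it parses a constructed excerpt of those two statements and evaluates OIDs under the longest-matching-subtree rule that RFC 3415 defines for view families and RFC 3413 for notification filters, assuming no subtree masks; function names are hypothetical.

```python
import re

# Constructed excerpt holding the two filters shown on this page.
CONFIG = """
view system-exclude {
    oid .1.3.6.1.2.1.1 exclude;
    oid .1 include;
}
notify-filter nf1 {
    oid .1.3.6.1.4.1.2636.4.5 exclude;
    oid .1 include;
}
"""

BLOCK_RE = re.compile(r"\b(view|notify-filter)\s+(\S+)\s*\{([^{}]*)\}")
OID_RE = re.compile(r"\boid\s+([.\d]+)\s+(include|exclude)\s*;")


def parse_oid(text):
    """'.1.3.6.1' -> (1, 3, 6, 1)"""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_filters(config):
    """Return {'view NAME' or 'notify-filter NAME': [(subtree, included), ...]}."""
    filters = {}
    for kind, name, body in BLOCK_RE.findall(config):
        filters["%s %s" % (kind, name)] = [
            (parse_oid(oid), action == "include")
            for oid, action in OID_RE.findall(body)
        ]
    return filters


def decide(entries, oid):
    """Return (included, deciding_subtree) for one OID.

    Every configured subtree that is a prefix of the OID is a candidate, and the
    candidate with the most sub-identifiers decides, whatever order the
    statements were entered in. An OID that no subtree covers is not in the view.
    """
    target = parse_oid(oid)
    best = None
    for subtree, included in entries:
        is_prefix = target[:len(subtree)] == subtree
        if is_prefix and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    if best is None:
        return False, None
    return best[1], "." + ".".join(str(n) for n in best[0])


def audit(entries, oids):
    """Map each OID to True (visible or sent) or False (hidden or suppressed)."""
    return {oid: decide(entries, oid)[0] for oid in oids}


if __name__ == "__main__":
    filters = parse_filters(CONFIG)
    # sysName.0 and ifDescr.1 against the community view
    print(audit(filters["view system-exclude"],
                [".1.3.6.1.2.1.1.5.0", ".1.3.6.1.2.1.2.2.1.2.1"]))
    # a constructed OID under the excluded 2636.4.5 subtree, and linkDown
    print(audit(filters["notify-filter nf1"],
                [".1.3.6.1.4.1.2636.4.5.0.1", ".1.3.6.1.6.3.1.1.5.3"]))
```

Running the same check against a candidate view before committing it shows whether a broad include such as .1 still exposes a subtree that was meant to be hidden.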

Can I simulate traps on a device?

Yes, you can use the request snmp spoof-trap trap name command for simulating a trap
to the NMS that normally receives your device’s traps. You can also add required values
using the variable-bindings parameter.

The following example shows how to simulate a trap to the local NMS using variable
bindings:

user@host> request snmp spoof-trap linkDown variable-bindings "ifIndex[116]=116, ifAdminStatus[116]=1 ,ifOperStatus[116]=2 , ifName[116]=ge-1/0/1"

How do I generate a warm start SNMPv1 trap?

When the SNMP process is restarted under normal conditions, a warm start trap is
generated if the system up time is more than 5 minutes. If the system up time is less than
5 minutes, a cold start trap is generated.

The NMS sees only the MIB OIDs and numbers, but not the names of the SNMP traps.
Why?

Before the NMS can recognize the SNMP trap details, such as the names of the traps, it
must first compile and understand the MIBs and then parse the MIB OIDs.

In the Junos OS, how can I determine to which category a trap belongs?

For a list of common traps and their categories, see Juniper Networks Enterprise-Specific
SNMP Version 1 Traps and Juniper Networks Enterprise-Specific SNMP Version 2 Traps
documents.

Can I configure a trap to include the source IP address?

Yes, you can configure the source-address, routing-instance, or logical-instance name for
the source IP address using the trap-options command:

user@host> show snmp trap-options
source-address 10.1.1.1;

Can I create a custom trap?

Yes, you can use the jnxEventTrap event script to create customized traps as needed.

In the following example, a Junos OS operations (op) script is triggered when a
UI_COMMIT_NOT_CONFIRMED event is received. The Junos OS op script matches the
complete message of the event and generates an SNMP trap.

Example: Junos OS Op Script


version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

param $event;
param $message;

match / {
    /*
     * trapm utility wants the following characters in the value to be escaped
     * '[', ']', ' ', '=', and ','
     */
    var $event-escaped = {
        call escape-string($text = $event, $vec = '[] =,');
    }

    var $message-escaped = {
        call escape-string($text = $message, $vec = '[] =,');
    }

    <op-script-results> {
        var $rpc = <request-snmp-spoof-trap> {
            <trap> "jnxEventTrap";
            <variable-bindings> "jnxEventTrapDescr[0]='Event-Trap' , "
                _ "jnxEventAvAttribute[1]='event' , "
                _ "jnxEventAvValue[1]='" _ $event-escaped _ "' , "
                _ "jnxEventAvAttribute[2]='message' , "
                _ "jnxEventAvValue[2]='" _ $message-escaped _ "'";
        }

        var $res = jcs:invoke($rpc);
    }
}

/* Escape each character listed in $vec wherever it occurs in $text. */
template escape-string ($text, $vec) {
    if (jcs:empty($vec)) {
        expr $text;

    } else {
        var $index = 1;
        var $from = substring($vec, $index, 1);
        var $changed-value = {
            call replace-string($text, $from) {
                with $to = {
                    expr "\\";
                    expr $from;
                }
            }
        }

        call escape-string($text = $changed-value, $vec = substring($vec, $index + 1));
    }
}

/* Replace every occurrence of $from in $text with $to. */
template replace-string ($text, $from, $to) {
    if (contains($text, $from)) {
        var $before = substring-before($text, $from);
        var $after = substring-after($text, $from);
        var $prefix = $before _ $to;

        expr $before;
        expr $to;
        call replace-string($text = $after, $from, $to);

    } else {
        expr $text;
    }
}

After creating your customized trap, you must configure a policy on your device to tell
the device what actions to take after it receives the trap.

Here is an example of a configured policy under the [edit event-options] hierarchy:

[edit event-options]
user@host> show
policy trap-on-event {
    events UI_COMMIT_NOT_CONFIRMED;
    attributes-match {
        UI_COMMIT_NOT_CONFIRMED.message matches complete;
    }
    then {
        event-script ev-syslog-trap.junos-op {
            arguments {
                event UI_COMMIT_NOT_CONFIRMED;
                message "{$$.message}";
            }
        }
    }
}

Can I disable link up and link down traps on interfaces?

Yes, link up and link down traps can be disabled in the interface configuration. To disable
the traps, use the no-traps statement at the [edit interfaces interface-name unit
logical-unit-number] and [edit logical-systems logical-system-name interfaces
interface-name unit logical-unit-number] hierarchies for physical and logical interfaces.

(traps | no-traps);

I see the link up traps on logical interfaces, but I do not see the link down traps. Is this
normal behavior?

For Ethernet and ATM types of interfaces, Junos OS does not send link down traps for a
logical interface if the physical interface is down to prevent flooding alarms for the same
root cause. However, when the physical interface and logical interfaces come back up,
traps are sent indicating link up. This is because the physical interface coming up does
not necessarily mean the logical interfaces are also coming up.

For SONET types of interfaces with PPP encapsulation, Junos OS does send link down
traps for a logical interface if the physical interface is down. When the physical interface
and logical interfaces come back up, traps are sent for both the physical and logical
interfaces indicating link up.

For SONET types of interfaces with HDLC encapsulation, Junos OS does not send link
down traps for a logical interface if the physical interface is down. When the physical
interface and logical interfaces come back up, traps are sent for both the physical and
logical interfaces indicating link up.

For channelized interfaces with PPP encapsulation, Junos OS does send link down traps
for a logical interface if the physical interface is down. When the physical interface and
logical interfaces come back up, traps are sent for both the physical and logical interfaces
indicating link up.

For channelized interfaces with HDLC encapsulation, Junos OS does not send link down
traps for a logical interface if the physical interface is down. When the physical interface
and logical interfaces come back up, traps are sent for both the physical and logical
interfaces indicating link up.

Junos OS Dual Routing Engine Configuration FAQs


This section presents frequently asked questions and answers related to the configuration
of dual Routing Engines.

The SNMP configuration should be identical between the Routing Engines when
configuring for continued communication. However, we recommend having separate
Routing Engine IDs configured for each Routing Engine, when using SNMPv3.

In my system, the MIB object snmpEngineBoots is not in sync between two Routing
Engines in a dual Routing Engine device. Is this normal behavior?

Yes. This is the normal behavior. Each Routing Engine runs its own SNMP process (snmpd)
agent, allowing each Routing Engine to maintain its own engine boots.

Is there a way to identify that an address belongs to RE0, RE1, or the master Routing
Engine management interface (fxp0) by looking at an SNMP walk?

No. When you do an SNMP walk on the device, it only displays the master Routing Engine
management interface address.

What is the best way to tell if the current IP address belongs to fxp0 or a Routing
Engine, from a CLI session?

Routing Engines are mapped with the fxp0 interface. This means that when you query
RE0, the ifTable reports the fxp0 interface address of RE0 only. Similarly, if you query
RE1, the ifTable reports the fxp0 interface address of RE1 only.

When there is a failover, the master hostname is changed since the hostname belongs
to the Routing Engine. Is this correct?


Yes. You can configure the same hostname or different hostnames. Either would work.

If only the master IP address is configured (for example, 192.168.2.5), and the sysDescr.0
object has the same string configured on both of the Routing Engines, then even after a
switchover, the sysDescr.0 object returns the same value. The following sample shows
the results you get by using the snmpget command:

bng-junos-pool02: /c/svivek/PR_BRANCH/src> snmpget -c jnpr -v2c 192.168.2.5 sysDescr.0
system.sysDescr.0 = foo

SNMP Support for Routing Instances FAQs


This section presents frequently asked questions and answers related to how SNMP
supports routing instances.

Can the SNMP manager access data for routing instances?

Yes, the Junos OS enables SNMP managers for all routing instances to request and
manage SNMP data related to the corresponding routing instances and logical system
networks.

Two different routing instance behaviors can occur, depending on where the clients
originate:

• Clients from routing instances other than the default can access MIB objects and
perform SNMP operations only on the logical system networks to which they belong.

• Clients from the default routing instance can access information related to all routing
instances and logical system networks.

Routing instances are identified either by the context field in SNMPv3 requests or by a
name encoded in the community string in SNMPv1 or SNMPv2c requests.

When encoded in a community string, the routing instance name appears first and is
separated from the actual community string by the @ character.

To avoid conflicts with valid community strings that contain the @ character, the
community is parsed only if typical community string processing fails. For example, if a
routing instance named RI is configured, an SNMP request with RI@public is processed
within the context of the RI routing instance. Access control (including views, source
address restrictions, and access privileges) is applied according to the actual community
string (the set of data after the @ character—in this case public). However, if the
community string RI@public is configured, the PDU is processed according to that
community, and the embedded routing instance name is ignored.

Logical systems perform a subset of the actions of a physical router and have their own
unique routing tables, interfaces, policies, and routing instances. When a routing instance
is defined within a logical system, the logical system name must be encoded along with
the routing instance using a slash ( / ) to separate the two. For example, if the routing
instance RI is configured within the logical system LS, that routing instance must be
encoded within a community string as LS/RI@public. When a routing instance is configured
outside a logical system (within the default logical system), no logical system name, or
/ character, is needed.


Additionally, when a logical system is created, a default routing instance named default
is always created within the logical system. This name should be used when querying
data for that routing instance, for example LS/default@public. For SNMPv3 requests,
the name logical system/routing instance should be identified directly in the context field.
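
The community-string rules described above, written out as an added example (this is not Junos code). The function name, the `configured` set, and the `instances` table are hypothetical, and splitting at the first @ character is an assumption the text does not state.

```python
from typing import Dict, NamedTuple, Optional, Set


class Resolved(NamedTuple):
    logical_system: Optional[str]    # None = default logical system
    routing_instance: Optional[str]  # None = no embedded instance was used
    community: str                   # the string access control is applied to


# Constructed sample data: one configured community, one routing instance
# named RI in the default logical system and one inside logical system LS.
CONFIGURED = {"public"}
INSTANCES = {None: {"RI"}, "LS": {"RI"}}


def resolve_community(received: str,
                      configured: Set[str],
                      instances: Dict[Optional[str], Set[str]]) -> Optional[Resolved]:
    """Resolve an SNMPv1/v2c community string the way the text describes.

    Returns None when nothing matches and the request would be rejected.
    """
    # Step 1: typical community processing. A configured community wins even
    # if it contains "@", and any embedded instance name is ignored.
    if received in configured:
        return Resolved(None, None, received)

    # Step 2: only after step 1 fails, treat the text before "@" as a routing
    # instance. Assumption of this example: the split is at the first "@".
    prefix, at, community = received.partition("@")
    if not at or not prefix or community not in configured:
        return None

    # An optional "LS/" in front of the instance names a logical system.
    logical_system, slash, instance = prefix.rpartition("/")
    if slash and not logical_system:
        return None                      # "/RI@public": empty logical system
    ls_key = logical_system if slash else None
    if ls_key not in instances:
        return None                      # unknown logical system
    known = set(instances[ls_key])
    if ls_key is not None:
        known.add("default")             # every logical system has "default"
    if instance not in known:
        return None
    # Views, source-address restrictions and privileges are then looked up
    # under `community`, not under the full received string.
    return Resolved(ls_key, instance, community)


if __name__ == "__main__":
    for s in ("public", "RI@public", "LS/RI@public", "LS/default@public",
              "RI@private", "NOPE@public"):
        print(s, "->", resolve_community(s, CONFIGURED, INSTANCES))
```

Adding RI@public to the configured set changes the second result: the request is then handled as the plain community RI@public with no routing-instance context.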

Can I access a list of all routing instances on a device?

Yes, you can access a list of all the routing instances on a device using the
vacmContextName object in the SNMP-VIEW-BASED-ACM MIB. In SNMP, each routing
instance becomes a VACM context; this is why the routing instances appear in the
vacmContextName object.

Can I access a default routing instance from a client in another logical router or routing
instance?

No, the SNMP agent can only access data of the logical router to which it is connected.


SNMP Counters FAQs


This section presents frequently asked questions and answers related to SNMP counters.

Which MIB should I use for interface counters?

Interface management over SNMP is based on two tables: the ifTable and its extension
the ifXTable. Both are described in RFC 1213, Management Information Base for Network
Management of TCP/IP-based internets: MIB-II and RFC 2233, The Interfaces Group MIB
using SMIv2.

Interfaces can have several layers, depending on the media, and each sublayer is
represented by a separate row in the table. The relationship between the higher layer
and lower layers is described in the ifStackTable.

The ifTable defines 32-bit counters for inbound and outbound octets
(ifInOctets/ifOutOctets), packets (ifInUcastPkts/ifOutUcastPkts,
ifInNUcastPkts/ifOutNUcastPkts), errors, and discards.

The ifXTable provides similar 64-bit counters, also called high capacity (HC) counters,
for inbound and outbound octets (ifHCInOctets/ifHCOutOctets) and inbound packets
(ifHCInUcastPkts).

When should 64-bit counters be used?

It is always good to use 64-bit counters because they contain statistics for both low and
high capacity components.

Are the SNMP counters ifInOctets and ifOutOctets the same as the command reference
show interfaces statistics in and out counters?

Yes, these are the same, but only if SNMP is enabled when the router boots up. If you
power on a Juniper Networks device and then enable SNMP, the SNMP counters start
from 0. SNMP counters do not automatically receive their statistics from the show
command output. Similarly, using the clear statistics command does not clear the
statistics that the SNMP counters collected, which can cause a discrepancy in the data
that is seen by both processes.

Do the SNMP counters ifInOctets and ifOutOctets include the framing overhead for
Point-to-Point Protocol (PPP) and High-Level Data Link Control (HDLC)?

Yes.



PART 3

Remote Monitoring (RMON) with SNMP


• RMON Overview
• Configuring RMON Alarms and Events
• Monitoring RMON Alarms and Events
• Using RMON to Monitor Network Service Quality



CHAPTER 12

RMON Overview

• Understanding RMON Alarms
• Understanding RMON Events

Understanding RMON Alarms

Supported Platforms ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series

An RMON alarm identifies:

• A specific MIB object that is monitored.

• The frequency of sampling.

• The method of sampling.

• The thresholds against which the monitored values are compared.

An RMON alarm can also identify a specific eventTable entry to be triggered when a
threshold is crossed.

Configuration and operational values are defined in alarmTable in RFC 2819. Additional
operational values are defined in Juniper Networks enterprise-specific extensions to
alarmTable (jnxRmonAlarmTable).

This topic covers the following sections:

• alarmTable
• jnxRmonAlarmTable

alarmTable
alarmTable in the RMON MIB allows you to monitor and poll the following:

• alarmIndex—The index value for alarmTable that identifies a specific entry.

• alarmInterval—The interval, in seconds, over which data is sampled and compared
with the rising and falling thresholds.

• alarmVariable—The MIB variable that is monitored by the alarm entry.

• alarmSampleType—The method of sampling the selected variable and calculating the
value to be compared against the thresholds.

• alarmValue—The value of the variable during the last sampling period. This value is
compared with the rising and falling thresholds.

• alarmStartupAlarm—The alarm sent when the entry is first activated.

• alarmRisingThreshold—The upper threshold for the sampled variable.

• alarmFallingThreshold—The lower threshold for the sampled variable.

• alarmRisingEventIndex—The eventTable entry used when a rising threshold is crossed.

• alarmFallingEventIndex—The eventTable entry used when a falling threshold is crossed.

• alarmStatus—Method for adding and removing entries from the table. It can also be
used to change the state of an entry to allow modifications.

NOTE: If this object is not set to valid, the associated event alarm does not
take any action.

jnxRmonAlarmTable
The jnxRmonAlarmTable is a Juniper Networks enterprise-specific extension to alarmTable.
It provides additional operational information and includes the following objects:

• jnxRmonAlarmGetFailCnt—The number of times the internal Get request for the variable
monitored by this entry has failed.

• jnxRmonAlarmGetFailTime—The value of sysUpTime when an internal Get request for
the variable monitored by this entry last failed.

• jnxRmonAlarmGetFailReason—The reason an internal Get request for the variable
monitored by this entry last failed.

• jnxRmonAlarmGetOkTime—The value of sysUpTime when an internal Get request for
the variable monitored by this entry succeeded and the entry left the getFailure state.

• jnxRmonAlarmState—The current state of this RMON alarm entry.

To view the Juniper Networks enterprise-specific extensions to the RMON Events and
Alarms MIB, see
http://www.juniper.net/techpubs/en_US/junos16.1/topics/reference/mibs/mib-jnx-rmon.txt.

For more information about the Juniper Networks enterprise-specific extensions to the
RMON Events and Alarms MIB, see “RMON Events and Alarms MIB” in the Network
Management Administration Guide.

Related Documentation

• Understanding RMON Events

• Configuring an RMON Alarm Entry and Its Attributes

• Using alarmTable to Monitor MIB Objects

Understanding RMON Events

Supported Platforms ACX Series, M Series, MX Series, SRX Series, T Series

An RMON event allows you to log the crossing of thresholds of other MIB objects. It is
defined in eventTable for the RMON MIB.

This section covers the following topics:

• eventTable

eventTable
eventTable contains the following objects:

• eventIndex—An index that uniquely identifies an entry in eventTable. Each entry defines
one event that is generated when the appropriate conditions occur.

• eventDescription—A comment describing the event entry.

• eventType—Type of notification that the probe makes about this event.

• eventCommunity—Trap group used if an SNMP trap is to be sent. If eventCommunity
is not configured, a trap is sent to each trap group configured with the rmon-alarm
category.

• eventLastTimeSent—Value of sysUpTime when this event entry last generated an
event.

• eventOwner—Any text string specified by the creating management application or the
command-line interface (CLI). Typically, it is used to identify a network manager (or
application) and can be used for fine access control between participating management
applications.

• eventStatus—Status of this event entry.

NOTE: If this object is not set to valid, no action is taken by the associated
event entry. When this object is set to valid, all previous log entries
associated with this entry (if any) are deleted.

Related Documentation

• Understanding RMON Alarms

• Configuring an RMON Event Entry and Its Attributes


CHAPTER 13

Configuring RMON Alarms and Events

• Understanding RMON Alarms and Events Configuration
• Minimum RMON Alarm and Event Entry Configuration
• Configuring an RMON Alarm Entry and Its Attributes
• Configuring an RMON Event Entry and Its Attributes
• Example: Configuring an RMON Alarm and Event Entry

Understanding RMON Alarms and Events Configuration

Supported Platforms ACX Series, M Series, MX Series, SRX Series, T Series

Junos OS supports monitoring routers from remote devices. You configure remote
monitoring (RMON) alarm and event entries to monitor the value of a MIB object. The
monitored values are measured against thresholds and trigger events when the
thresholds are crossed.

To configure RMON alarm and event entries, you include statements at the [edit snmp]
hierarchy level of the configuration:

[edit snmp]
rmon {
    alarm index {
        description text-description;
        falling-event-index index;
        falling-threshold integer;
        falling-threshold-interval seconds;
        interval seconds;
        rising-event-index index;
        rising-threshold integer;
        request-type (get-next-request | get-request | walk-request);
        sample-type (absolute-value | delta-value);
        startup-alarm (falling-alarm | rising-alarm | rising-or-falling-alarm);
        syslog-subtag syslog-subtag;
        variable oid-variable;
    }
    event index {
        community community-name;
        description description;
        type type;
    }
}

Related Documentation

• Understanding RMON Alarms

• Understanding RMON Events

• Configuring an RMON Alarm Entry and Its Attributes

• Configuring an RMON Event Entry and Its Attributes

Minimum RMON Alarm and Event Entry Configuration

Supported Platforms ACX Series, M Series, MX Series, PTX Series, T Series

To enable RMON on the router, you must configure an alarm entry and an event entry.
To do this, include the following statements at the [edit snmp rmon] hierarchy level:

[edit snmp rmon]
alarm index {
    rising-event-index index;
    rising-threshold integer;
    sample-type type;
    variable oid-variable;
}
event index;

Related Documentation

• Understanding RMON Alarms and Events Configuration

• Configuring an RMON Alarm Entry and Its Attributes

• Configuring an RMON Event Entry and Its Attributes

Configuring an RMON Alarm Entry and Its Attributes

Supported Platforms M Series, MX Series, PTX Series, SRX Series, T Series

An alarm entry monitors the value of a MIB variable. You can configure how often the
value is sampled, the type of sampling to perform, and what event to trigger if a threshold
is crossed.

This section discusses the following topics:

• Configuring the Alarm Entry
• Configuring the Description
• Configuring the Falling Event Index or Rising Event Index
• Configuring the Falling Threshold or Rising Threshold
• Configuring the Interval
• Configuring the Falling Threshold Interval
• Configuring the Request Type
• Configuring the Sample Type
• Configuring the Startup Alarm
• Configuring the System Log Tag
• Configuring the Variable

Configuring the Alarm Entry


An alarm entry monitors the value of a MIB variable. The rising-event-index,
rising-threshold, sample-type, and variable statements are mandatory. All other
statements are optional.

To configure the alarm entry, include the alarm statement and specify an index at the
[edit snmp rmon] hierarchy level:

[edit snmp rmon]
alarm index {
    description description;
    falling-event-index index;
    falling-threshold integer;
    falling-threshold-interval seconds;
    interval seconds;
    rising-event-index index;
    rising-threshold integer;
    sample-type (absolute-value | delta-value);
    startup-alarm (falling-alarm | rising-alarm | rising-or-falling-alarm);
    variable oid-variable;
}

index is an integer that identifies an alarm or event entry.

Configuring the Description


The description is a text string that identifies the alarm entry.

To configure the description, include the description statement and a description of the
alarm entry at the [edit snmp rmon alarm index] hierarchy level:

[edit snmp rmon alarm index]
description description;

Configuring the Falling Event Index or Rising Event Index


The falling event index identifies the event entry that is triggered when a falling threshold
is crossed. The rising event index identifies the event entry that is triggered when a rising
threshold is crossed.

To configure the falling event index or rising event index, include the falling-event-index
or rising-event-index statement and specify an index at the [edit snmp rmon alarm index]
hierarchy level:

[edit snmp rmon alarm index]
falling-event-index index;
rising-event-index index;

index can be from 0 through 65,535. The default for both the falling and rising event index
is 0.


Configuring the Falling Threshold or Rising Threshold


The falling threshold is the lower threshold for the monitored variable. When the current
sampled value is less than or equal to this threshold, and the value at the last sampling
interval is greater than this threshold, a single event is generated. A single event is also
generated if the first sample after this entry becomes valid is less than or equal to this
threshold, and the associated startup alarm is equal to falling-alarm or
rising-or-falling-alarm. After a falling event is generated, another falling event cannot be
generated until the sampled value rises above this threshold and reaches the rising
threshold. You must specify the falling threshold as an integer. Its default is 20 percent
less than the rising threshold.

By default, the rising threshold is 0. The rising threshold is the upper threshold for the
monitored variable. When the current sampled value is greater than or equal to this
threshold, and the value at the last sampling interval is less than this threshold, a single
event is generated. A single event is also generated if the first sample after this entry
becomes valid is greater than or equal to this threshold, and the associated startup-alarm
is equal to rising-alarm or rising-or-falling-alarm. After a rising event is generated, another
rising event cannot be generated until the sampled value falls below this threshold and
reaches the falling threshold. You must specify the rising threshold as an integer.

To configure the falling threshold or rising threshold, include the falling-threshold or
rising-threshold statement at the [edit snmp rmon alarm index] hierarchy level:

[edit snmp rmon alarm index]
falling-threshold integer;
rising-threshold integer;

integer can be a value from -2,147,483,647 through 2,147,483,647.

Configuring the Interval


The interval represents the period of time, in seconds, over which the monitored variable
is sampled and compared with the rising and falling thresholds.

To configure the interval, include the interval statement and specify the number of seconds
at the [edit snmp rmon alarm index] hierarchy level:

[edit snmp rmon alarm index]
interval seconds;

seconds can be a value from 1 through 2,147,483,647. The default is 60 seconds.

Configuring the Falling Threshold Interval


The falling threshold interval represents the interval between samples when the rising
threshold is crossed. Once the alarm crosses the falling threshold, the regular sampling
interval is used.

NOTE: You cannot configure the falling threshold interval for alarms that
have the request type set to walk-request.


To configure the falling threshold interval, include the falling-threshold-interval statement
at the [edit snmp rmon alarm index] hierarchy level and specify the number of seconds:

[edit snmp rmon alarm index]
falling-threshold-interval seconds;

seconds can be a value from 1 through 2,147,483,647. The default is 60 seconds.

Configuring the Request Type


By default, an RMON alarm can monitor only one object instance (as specified in the
configuration). You can configure a request-type statement to extend the scope of the
RMON alarm to include all object instances belonging to a MIB branch or to include the
next object instance after the instance specified in the configuration.

To configure the request type, include the request-type statement at the [edit snmp rmon
alarm index] hierarchy level and specify get-next-request, get-request, or walk-request:

[edit snmp rmon alarm index]
request-type (get-next-request | get-request | walk-request);

walk-request extends the RMON alarm configuration to all object instances belonging to
a MIB branch. get-next-request extends the RMON alarm configuration to include the next
object instance after the instance specified in the configuration.

Configuring the Sample Type


The sample type identifies the method of sampling the selected variable and calculating
the value to be compared against the thresholds. If the value of this object is
absolute-value, the value of the selected variable is compared directly with the thresholds
at the end of the sampling interval. If the value of this object is delta-value, the value of
the selected variable at the last sample is subtracted from the current value, and the
difference is compared with the thresholds.

To configure the sample type, include the sample-type statement and specify the type
of sample at the [edit snmp rmon alarm index] hierarchy level:

[edit snmp rmon alarm index]
sample-type (absolute-value | delta-value);

• absolute-value—Actual value of the selected variable is compared against the
thresholds.

• delta-value—Difference between samples of the selected variable is compared against
the thresholds.

Configuring the Startup Alarm


The startup alarm identifies the type of alarm that can be sent when this entry is first
activated. You can specify it as falling-alarm, rising-alarm, or rising-or-falling-alarm.

To configure the startup alarm, include the startup-alarm statement and specify the type
of alarm at the [edit snmp rmon alarm index] hierarchy level:

[edit snmp rmon alarm index]
startup-alarm (falling-alarm | rising-alarm | rising-or-falling-alarm);

• falling-alarm—Generated if the first sample after the alarm entry becomes active is
less than or equal to the falling threshold.

• rising-alarm—Generated if the first sample after the alarm entry becomes active is
greater than or equal to the rising threshold.

• rising-or-falling-alarm—Generated if the first sample after the alarm entry becomes
active satisfies either of the corresponding thresholds.

The default is rising-or-falling-alarm.

Configuring the System Log Tag


The syslog-subtag statement specifies the tag to be added to the system log message.
You can specify a string of not more than 80 uppercase characters as the system log
tag.

To configure the system log tag, include the syslog-subtag statement at the [edit snmp
rmon alarm index] hierarchy level:

[edit snmp rmon alarm index]
syslog-subtag syslog-subtag;

Configuring the Variable


The variable identifies the MIB object that is being monitored.

To configure the variable, include the variable statement and specify the object identifier
or object name at the [edit snmp rmon alarm index] hierarchy level:

[edit snmp rmon alarm index]
variable oid-variable;

oid-variable is a dotted decimal (for example, 1.3.6.1.2.1.2.1.2.2.1.10.1) or MIB object name
(for example, ifInOctets.1).

Configuring an RMON Event Entry and Its Attributes

Supported Platforms M Series, MX Series, PTX Series, SRX Series, T Series

An event entry generates a notification for an alarm entry when its rising or falling threshold
is crossed. You can configure the type of notification that is generated. To configure the
event entry, include the event statement at the [edit snmp rmon] hierarchy level. All
statements except the event statement are optional.

[edit snmp rmon]
event index {
    community community-name;
    description description;
    type type;
}

index identifies an event entry.

community-name is the trap group that is used when generating a trap. If that trap group
has the rmon-alarm trap category configured, a trap is sent to all the targets configured
for that trap group. The community string in the trap matches the name of the trap group.


If nothing is configured, all the trap groups are examined, and traps are sent using each
group with the rmon-alarm category set.

description is a text string that identifies the entry.

The type variable of an event entry specifies where the event is to be logged. You can
specify the type as one of the following:

• log—Adds the event entry to the logTable.

• log-and-trap—Sends an SNMP trap and creates a log entry.

• none—Sends no notification.

• snmptrap—Sends an SNMP trap.

The default for the event entry type is log-and-trap.

Related Documentation

• Understanding RMON Alarms and Events Configuration

• Understanding RMON Alarms

• Understanding RMON Events

• Configuring an RMON Alarm Entry and Its Attributes

• Example: Configuring an RMON Alarm and Event Entry

Example: Configuring an RMON Alarm and Event Entry

Supported Platforms M Series, MX Series, PTX Series, SRX Series, T Series

Configure an RMON alarm and event entry:

[edit snmp]
rmon {
    alarm 100 {
        description "input traffic on fxp0";
        falling-event-index 100;
        falling-threshold 10000;
        interval 60;
        rising-event-index 100;
        rising-threshold 100000;
        sample-type delta-value;
        startup-alarm rising-or-falling-alarm;
        variable ifInOctets.1;
    }
    event 100 {
        community bedrock;
        description "emergency events";
        type log-and-trap;
    }
}
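
To see which samples would raise events for alarm 100 above, the following added example (not Junos code) models the threshold, sample-type, and startup-alarm rules described in this chapter and runs them over a constructed series of ifInOctets readings. The class and function names are hypothetical, and treating the first reading as a baseline for delta-value sampling is an assumption of the model.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class RmonAlarm:
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "delta-value"               # or "absolute-value"
    startup_alarm: str = "rising-or-falling-alarm"


# Alarm 100 from the configuration example above.
ALARM_100 = RmonAlarm(rising_threshold=100000, falling_threshold=10000)

# Constructed cumulative ifInOctets readings, one per 60-second interval.
READINGS = [0, 50000, 170000, 230000, 380000, 388000, 393000, 433000,
            442000, 642000]


def evaluate(alarm: RmonAlarm, readings: Sequence[int]) -> List[Tuple[int, int, str]]:
    """Return (reading index, sampled value, "rising" | "falling") per event."""
    events = []
    prev_raw = None      # previous raw reading, used for delta-value
    prev_value = None    # previous sampled value compared with the thresholds
    rising_armed = falling_armed = True

    for i, raw in enumerate(readings):
        if alarm.sample_type == "delta-value":
            if prev_raw is None:          # first reading is only a baseline
                prev_raw = raw
                continue
            value, prev_raw = raw - prev_raw, raw
        else:
            value = raw

        at_or_above = value >= alarm.rising_threshold
        at_or_below = value <= alarm.falling_threshold
        if prev_value is None:
            # First sample after the entry becomes valid: startup-alarm decides.
            rising = at_or_above and alarm.startup_alarm in (
                "rising-alarm", "rising-or-falling-alarm")
            falling = at_or_below and alarm.startup_alarm in (
                "falling-alarm", "rising-or-falling-alarm")
        else:
            # Later samples: the threshold must be crossed and the event armed.
            rising = (at_or_above and prev_value < alarm.rising_threshold
                      and rising_armed)
            falling = (at_or_below and prev_value > alarm.falling_threshold
                       and falling_armed)

        if rising:
            events.append((i, value, "rising"))
            rising_armed = False
        elif falling:
            events.append((i, value, "falling"))
            falling_armed = False
        # Reaching one threshold re-arms the event for the opposite threshold.
        if at_or_below:
            rising_armed = True
        if at_or_above:
            falling_armed = True
        prev_value = value
    return events


if __name__ == "__main__":
    for index, value, kind in evaluate(ALARM_100, READINGS):
        print(f"reading {index}: delta {value} -> {kind} event")
```

The deltas of 150000 (reading 4) and 9000 (reading 8) cross a threshold but raise nothing, because the opposite threshold has not been reached since the previous event of the same kind.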

Related Documentation

• Understanding RMON Alarms and Events Configuration

• Configuring an RMON Alarm Entry and Its Attributes

• Configuring an RMON Event Entry and Its Attributes


CHAPTER 14

Monitoring RMON Alarms and Events

• Using alarmTable to Monitor MIB Objects
• Using eventTable to Log Alarms

Using alarmTable to Monitor MIB Objects

Supported Platforms LN Series, M Series, MX Series, T Series

To use alarmTable to monitor a MIB object, perform the following tasks:

• Creating an Alarm Entry
• Configuring the Alarm MIB Objects
• Activating a New Row in alarmTable
• Modifying an Active Row in alarmTable
• Deactivating a Row in alarmTable

Creating an Alarm Entry


To create an alarm entry, first create a new row in alarmTable using the alarmStatus
object. For example, create alarm #1 using the UCD command-line utilities:

snmpset -Os -v2c router community alarmStatus.1 i createRequest

Configuring the Alarm MIB Objects


Once you have created the new row in alarmTable, configure the following Alarm MIB
objects:

NOTE: Other than alarmStatus, you cannot modify any of the objects in the
entry if the associated alarmStatus object is set to valid.

• alarmInterval
• alarmVariable
• alarmSampleType
• alarmValue
• alarmStartupAlarm
• alarmRisingThreshold
• alarmFallingThreshold
• alarmOwner
• alarmRisingEventIndex
• alarmFallingEventIndex

alarmInterval

The interval, in seconds, over which data is sampled and compared with the rising and
falling thresholds. For example, to set alarmInterval for alarm #1 to 30 seconds, use the
following SNMP Set request:

snmpset -Os -v2c router community alarmInterval.1 i 30

alarmVariable

The object identifier of the variable to be sampled. During a Set request, if the supplied
variable name is not available in the selected MIB view, a badValue error is returned. If at
any time the variable name of an established alarmEntry is no longer available in the
selected MIB view, the probe changes the status of alarmVariable to invalid. For example,
to identify ifInOctets.61 as the variable to be monitored, use the following SNMP Set
request:

snmpset -Os -v2c router community alarmVariable.1 o .1.3.6.1.2.1.2.2.1.10.61

alarmSampleType

The method of sampling the selected variable and calculating the value to be compared
against the thresholds. If the value of this object is absoluteValue, the value of the selected
variable is compared directly with the thresholds at the end of the sampling interval. If
the value of this object is deltaValue, the value of the selected variable at the last sample
is subtracted from the current value, and the difference is compared with the thresholds.
For example, to set alarmSampleType for alarm #1 to deltaValue, use the following SNMP
Set request:

snmpset -Os -v2c router community alarmSampleType.1 i deltaValue

alarmValue

The value of the variable during the last sampling period. This value is compared with
the rising and falling thresholds. If the sample type is deltaValue, this value equals the
difference between the samples at the beginning and end of the period. If the sample
type is absoluteValue, this value equals the sampled value at the end of the period.

alarmStartupAlarm

An alarm that is sent when this entry is first set to valid. If the first sample after this entry
becomes valid is greater than or equal to risingThreshold, and alarmStartupAlarm is equal
to risingAlarm or risingOrFallingAlarm, then a single rising alarm is generated. If the first
sample after this entry becomes valid is less than or equal to fallingThreshold and
alarmStartupAlarm is equal to fallingAlarm or risingOrFallingAlarm, then a single falling
alarm is generated. For example, to set alarmStartupAlarm for alarm #1 to
risingOrFallingAlarm, use the following SNMP Set request:

snmpset -Os -v2c router community alarmStartupAlarm.1 i risingOrFallingAlarm

alarmRisingThreshold

A threshold for the sampled variable. When the current sampled value is greater than or
equal to this threshold, and the value at the last sampling interval is less than this
threshold, a single event is generated. A single event is also generated if the first sample
after this entry becomes valid is greater than or equal to this threshold, and the associated
alarmStartupAlarm is equal to risingAlarm or risingOrFallingAlarm. After a rising event is
generated, another rising event cannot be generated until the sampled value falls below
this threshold and reaches alarmFallingThreshold. For example, to set
alarmRisingThreshold for alarm #1 to 100000, use the following SNMP Set request:

snmpset -Os -v2c router community alarmRisingThreshold.1 i 100000

alarmFallingThreshold

A threshold for the sampled variable. When the current sampled value is less than or
equal to this threshold, and the value at the last sampling interval is greater than this
threshold, a single event is generated. A single event is also generated if the first sample
after this entry becomes valid is less than or equal to this threshold, and the associated
alarmStartupAlarm is equal to fallingAlarm or risingOrFallingAlarm. After a falling event
is generated, another falling event cannot be generated until the sampled value rises
above this threshold and reaches alarmRisingThreshold. For example, to set
alarmFallingThreshold for alarm #1 to 10000, use the following SNMP Set request:

snmpset -Os -v2c router community alarmFallingThreshold.1 i 10000

alarmOwner

Any text string specified by the creating management application or the command-line
interface (CLI). Typically, it is used to identify a network manager (or application) and
can be used for fine access control between participating management applications.

alarmRisingEventIndex

The index of the eventEntry object that is used when a rising threshold is crossed. If there
is no corresponding entry in eventTable, then no association exists. If this value is zero,
no associated event is generated because zero is not a valid event index. For example,
to set alarmRisingEventIndex for alarm #1 to 10, use the following SNMP Set request:

snmpset -Os -v2c router community alarmRisingEventIndex.1 i 10

alarmFallingEventIndex

The index of the eventEntry object that is used when a falling threshold is crossed. If there
is no corresponding entry in eventTable, then no association exists. If this value is zero,
no associated event is generated because zero is not a valid event index. For example,
to set alarmFallingEventIndex for alarm #1 to 10, use the following SNMP Set request:

snmpset -Os -v2c router community alarmFallingEventIndex.1 i 10


Activating a New Row in alarmTable


To activate a new row in alarmTable, set alarmStatus to valid using an SNMP Set request:

snmpset -Os -v2c router community alarmStatus.1 i valid

Modifying an Active Row in alarmTable


To modify an active row, first set alarmStatus to underCreation using an SNMP Set request:

snmpset -Os -v2c router community alarmStatus.1 i underCreation

Then change the row contents using an SNMP Set request:

snmpset -Os -v2c router community alarmFallingThreshold.1 i 1000

Finally, activate the row by setting alarmStatus to valid using an SNMP Set request:

snmpset -Os -v2c router community alarmStatus.1 i valid

Deactivating a Row in alarmTable


To deactivate a row in alarmTable, set alarmStatus to invalid using an SNMP Set request:

snmpset -Os -v2c router community alarmStatus.1 i invalid

Related Documentation

• Understanding RMON Alarms
• Understanding RMON Events
• Configuring an RMON Alarm Entry and Its Attributes

Using eventTable to Log Alarms

Supported Platforms: ACX Series, M Series, MX Series, PTX Series, T Series

To use eventTable to log alarms, perform the following tasks:

• Creating an Event Entry
• Configuring the MIB Objects
• Activating a New Row in eventTable
• Deactivating a Row in eventTable

Creating an Event Entry


The RMON eventTable controls the generation of notifications from the router.
Notifications can be logs (entries to logTable and syslogs) or SNMP traps. Each event
entry can be configured to generate any combination of these notifications (or no
notification). When an event specifies that an SNMP trap is to be generated, the trap
group that is used when sending the trap is specified by the value of the associated
eventCommunity object. Consequently, the community in the trap message will match
the value specified by eventCommunity. If nothing is configured for eventCommunity, a
trap is sent using each trap group that has the rmon-alarm category configured.


Configuring the MIB Objects


Once you have created the new row in eventTable, set the following objects:

NOTE: The eventType object is required. All other objects are optional.

• eventType
• eventCommunity
• eventOwner
• eventDescription

eventType

The type of notification that the router generates when the event is triggered.

This object can be set to the following values:

• log—Adds the event entry to logTable.

• log-and-trap—Sends an SNMP trap and creates a log entry.

• none—Sends no notification.

• snmptrap—Sends an SNMP trap.

For example, to set eventType for event #1 to log-and-trap, use the following SNMP Set
request:

snmpset -Os -v2c router community eventType.1 i log-and-trap

eventCommunity

The trap group that is used when generating a trap (if eventType is configured to send
traps). If that trap group has the rmon-alarm trap category configured, a trap is sent to
all the targets configured for that trap group. The community string in the trap matches
the name of the trap group (and hence, the value of eventCommunity). If nothing is
configured, traps are sent to each group with the rmon-alarm category set. For example,
to set eventCommunity for event #1 to boy-elroy, use the following SNMP Set request:

snmpset -Os -v2c router community eventCommunity.1 s "boy-elroy"

NOTE: The eventCommunity object is optional. If you do not set this object,
then the field is left blank.

eventOwner

Any text string specified by the creating management application or the command-line
interface (CLI). Typically, it is used to identify a network manager (or application) and
can be used for fine access control between participating management applications.


For example, to set eventOwner for event #1 to george jetson, use the following SNMP
Set request:

snmpset -Os -v2c router community eventOwner.1 s "george jetson"

NOTE: The eventOwner object is optional. If you do not set this object, then
the field is left blank.

eventDescription

Any text string specified by the creating management application or the command-line
interface (CLI). The use of this string is application dependent.

For example, to set eventDescription for event #1 to spacelys sprockets, use the following
SNMP Set request:

snmpset -Os -v2c router community eventDescription.1 s "spacelys sprockets"

NOTE: The eventDescription object is optional. If you do not set this object,
then the field is left blank.

Activating a New Row in eventTable


To activate the new row in eventTable, set eventStatus to valid using an SNMP Set request
such as:

snmpset -Os -v2c router community eventStatus.1 i valid

Deactivating a Row in eventTable


To deactivate a row in eventTable, set eventStatus to invalid using an SNMP Set request
such as:

snmpset -Os -v2c router community eventStatus.1 i invalid

Related Documentation

• Understanding RMON Alarms
• Understanding RMON Events
• Configuring an RMON Event Entry and Its Attributes



CHAPTER 15

Using RMON to Monitor Network Service Quality

• Understanding RMON for Monitoring Service Quality
• Understanding Measurement Points, Key Performance Indicators, and Baseline Values
• Defining and Measuring Network Availability
• Measuring Health
• Measuring Performance

Understanding RMON for Monitoring Service Quality

Supported Platforms: ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series

Health and performance monitoring can benefit from the remote monitoring of SNMP
variables by the local SNMP agents running on each router. The SNMP agents compare
MIB values against predefined thresholds and generate exception alarms without the
need for polling by a central SNMP management platform. This is an effective mechanism
for proactive management, as long as the thresholds have baselines determined and set
correctly. For more information, see RFC 2819, Remote Network Monitoring MIB.

This topic includes the following sections:

• Setting Thresholds
• RMON Command-Line Interface
• RMON Event Table
• RMON Alarm Table
• Troubleshooting RMON

Setting Thresholds
By setting a rising and a falling threshold for a monitored variable, you can be alerted
whenever the value of the variable falls outside of the allowable operational range. (See
Figure 3 on page 258.)


Figure 3: Setting Thresholds

Events are only generated when the threshold is first crossed in any one direction rather
than after each sample period. For example, if a rising threshold crossing event is raised,
no more threshold crossing events will occur until a corresponding falling event. This
considerably reduces the quantity of alarms that are produced by the system, making it
easier for operations staff to react when alarms do occur.
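
The following Python model is an added example, not Junos OS code: it replays the rising and falling crossing rules and the alarmStartupAlarm behavior described for alarmTable. The function name, the sample values, and the assumption that the first delta-value reading only seeds the calculation are not from this guide; the thresholds 100000 and 10000 are those used in the snmpset examples.

```python
# Added illustration: models the alarm semantics described in this guide.
# It is not Junos or rmopd code; function and variable names are hypothetical.

def rmon_alarm_events(samples, rising, falling,
                      startup="risingOrFallingAlarm",
                      sample_type="absolute-value"):
    """Return (sample_index, "rising" | "falling", value) for each event."""
    if sample_type == "delta-value":
        # Assumption: the first raw reading only seeds the delta calculation.
        values = [(i, cur - prev) for i, (prev, cur)
                  in enumerate(zip(samples, samples[1:]), start=1)]
    elif sample_type == "absolute-value":
        values = list(enumerate(samples))
    else:
        raise ValueError("unknown sample type: %r" % sample_type)

    events = []
    rising_armed = falling_armed = True
    last = None  # value at the previous sampling interval

    for index, value in values:
        if last is None:
            # First sample after the entry becomes valid:
            # alarmStartupAlarm decides which single alarm may fire.
            fire_rising = (value >= rising and
                           startup in ("risingAlarm", "risingOrFallingAlarm"))
            fire_falling = (value <= falling and
                            startup in ("fallingAlarm", "risingOrFallingAlarm"))
        else:
            # Later samples: fire only on a crossing, and only if armed.
            fire_rising = rising_armed and value >= rising and last < rising
            fire_falling = falling_armed and value <= falling and last > falling

        if fire_rising:
            events.append((index, "rising", value))
            # No further rising event until a falling event has occurred.
            rising_armed, falling_armed = False, True
        elif fire_falling:
            events.append((index, "falling", value))
            rising_armed, falling_armed = True, False
        last = value
    return events


# Constructed samples; thresholds match the snmpset examples in this guide.
SAMPLES = [50000, 120000, 130000, 90000, 110000, 9000, 8000, 150000]

if __name__ == "__main__":
    for event in rmon_alarm_events(SAMPLES, rising=100000, falling=10000):
        print(event)
```

The sample at index 4 (110000) crosses the rising threshold again but produces no event, because the value has not yet reached the falling threshold since the previous rising event.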

To configure remote monitoring, specify the following pieces of information:

• The variable to be monitored (by its SNMP object identifier)

• The length of time between each inspection

• A rising threshold

• A falling threshold

• A rising event

• A falling event

Before you can successfully configure remote monitoring, you should identify what
variables need to be monitored and their allowable operational range. This requires some
period of baselining to determine the allowable operational ranges. An initial baseline
period of at least three months is not unusual when first identifying the operational ranges
and defining thresholds, but baseline monitoring should continue over the life span of
each monitored variable.

RMON Command-Line Interface


Junos OS provides two mechanisms that you can use to control the Remote Monitoring agent
on the router: the command-line interface (CLI) and SNMP. To configure an RMON entry using
the CLI, include the following statements at the [edit snmp] hierarchy level:

rmon {
    alarm index {
        description;
        falling-event-index;
        falling-threshold;
        intervals;
        rising-event-index;
        rising-threshold;
        sample-type (absolute-value | delta-value);
        startup-alarm (falling | rising | rising-or-falling);
        variable;
    }
    event index {
        community;
        description;
        type (log | trap | log-and-trap | none);
    }
}

If you do not have CLI access, you can configure remote monitoring using the SNMP
Manager or management application, assuming SNMP access has been granted. (See
Table 25 on page 259.) To configure RMON using SNMP, perform SNMP Set requests to
the RMON event and alarm tables.

RMON Event Table


Set up an event for each type that you want to generate. For example, you could have
two generic events, rising and falling, or many different events for each variable that is
being monitored (for example, temperature rising event, temperature falling event, firewall
hit event, interface utilization event, and so on). Once the events have been configured,
you do not need to update them.

Table 25: RMON Event Table

Field             Description
eventDescription  Text description of this event
eventType         Type of event (for example, log, trap, or log and trap)
eventCommunity    Trap group to which to send this event (as defined in the Junos OS configuration, which is not the same as the community)
eventOwner        Entity (for example, manager) that created this event
eventStatus       Status of this row (for example, valid, invalid, or createRequest)

RMON Alarm Table


The RMON alarm table stores the SNMP object identifiers (including their instances) of
the variables that are being monitored, together with any rising and falling thresholds
and their corresponding event indexes. To create an RMON request, specify the fields
shown in Table 26 on page 259.

Table 26: RMON Alarm Table

Field                   Description
alarmStatus             Status of this row (for example, valid, invalid, or createRequest)
alarmInterval           Sampling period (in seconds) of the monitored variable
alarmVariable           OID (and instance) of the variable to be monitored
alarmValue              Actual value of the sampled variable
alarmSampleType         Sample type (absolute or delta changes)
alarmStartupAlarm       Initial alarm (rising, falling, or either)
alarmRisingThreshold    Rising threshold against which to compare the value
alarmFallingThreshold   Falling threshold against which to compare the value
alarmRisingEventIndex   Index (row) of the rising event in the event table
alarmFallingEventIndex  Index (row) of the falling event in the event table

Both the alarmStatus and eventStatus fields are entryStatus primitives, as defined in RFC
2579, Textual Conventions for SMIv2.

Troubleshooting RMON
You troubleshoot the RMON agent, rmopd, that runs on the router by inspecting the
contents of the Juniper Networks enterprise RMON MIB, jnxRmon, which provides the
extensions listed in Table 27 on page 260 to the RFC 2819 alarmTable.

Table 27: jnxRmon Alarm Extensions

Field                      Description
jnxRmonAlarmGetFailCnt     Number of times the internal Get request for the variable failed
jnxRmonAlarmGetFailTime    Value of sysUpTime when the last failure occurred
jnxRmonAlarmGetFailReason  Reason why the Get request failed
jnxRmonAlarmGetOkTime      Value of sysUpTime when the variable moved out of failure state
jnxRmonAlarmState          Status of this alarm entry

Monitoring the extensions in this table provides clues as to why remote alarms may not
behave as expected.

Related Documentation

• Understanding Measurement Points, Key Performance Indicators, and Baseline Values

Understanding Measurement Points, Key Performance Indicators, and Baseline Values

Supported Platforms: M Series, MX Series, PTX Series, SRX Series, T Series

This topic provides guidelines for monitoring the service quality of an IP network.
It describes how service providers and network administrators can use information
provided by Juniper Networks routers to monitor network performance and capacity. You
should have a thorough understanding of SNMP and the associated MIB supported
by Junos OS.

NOTE: For a good introduction to the process of monitoring an IP network,
see RFC 2330, Framework for IP Performance Metrics.

This topic contains the following sections:

• Measurement Points
• Basic Key Performance Indicators
• Setting Baselines

Measurement Points
Defining the measurement points where metrics are measured is as important
as defining the metrics themselves. This section describes measurement points within
the context of this chapter and helps identify where measurements can be taken from
a service provider network. It is important to understand exactly where a measurement
point is. Measurement points are vital to understanding what a measurement
actually means.

An IP network consists of a collection of routers connected by physical links that are all
running the Internet Protocol. You can view the network as a collection of routers with
an ingress (entry) point and an egress (exit) point. See Figure 4 on page 261.

• Network-centric measurements are taken at measurement points that most closely
map to the ingress and egress points for the network itself. For example, to measure
delay across the provider network from Site A to Site B, the measurement points should
be the ingress point to the provider network at Site A and the egress point at Site B.

• Router-centric measurements are taken directly from the routers themselves, but be
careful to ensure that the correct router subcomponents have been identified in
advance.

Figure 4: Network Entry Points


NOTE: Figure 4 on page 261 does not show the client networks at customer
premises, but they would be located on either side of the ingress and egress
points. Although this chapter does not discuss how to measure network
services as perceived by these client networks, you can use measurements
taken for the service provider network as input into such calculations.

Basic Key Performance Indicators


For example, you could monitor a service provider network for three basic key performance
indicators (KPIs):

• Availability measures the “reachability” of one measurement point from another
measurement point at the network layer (for example, using ICMP ping). The underlying
routing and transport infrastructure of the provider network will support the availability
measurements, with failures highlighted as unavailability.

• Health measures the number and type of errors that are occurring on the provider
network, and can consist of both router-centric and network-centric measurements,
such as hardware failures or packet loss.

• Performance of the provider network measures how well it can support IP services (for
example, in terms of delay or utilization).

Setting Baselines
How well is the provider network performing? We recommend an initial three-month
period of monitoring to identify a network’s normal operational parameters. With this
information, you can recognize exceptions and identify abnormal behavior. You should
continue baseline monitoring for the lifetime of each measured metric. Over time, you
must be able to recognize performance trends and growth patterns.

Within the context of this chapter, many of the metrics identified do not have an allowable
operational range associated with them. In most cases, you cannot identify the allowable
operational range until you have determined a baseline for the actual variable on a specific
network.

Related Documentation

• Understanding RMON for Monitoring Service Quality
• Defining and Measuring Network Availability
• Measuring Health
• Measuring Performance

Defining and Measuring Network Availability

Supported Platforms: ACX Series, M Series, MX Series, PTX Series, T Series

This topic includes the following sections:

• Defining Network Availability