Junos® OS Network Management Administration

Junos® OS
Network Management and Monitoring Guide
Modified: 2018-03-20
Copyright © 2018, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in
the United States and other countries. All other trademarks may be property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Junos® OS Network Management and Monitoring Guide
Copyright © 2018 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
https://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that
EULA.
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . liii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . liii
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . liii
Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . liv
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . liv
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lv
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lv
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lvii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lviii
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . lviii
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lviii
Part 1
Overview
Chapter 1
Network Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Understanding Device Management Functions in Junos OS . . . . . . . . . . . . . . . . . . 3
Understanding Device and Network Management Features . . . . . . . . . . . . . . . . . . 6
Understanding Network Management Implementation on the QFabric System . . . . . . . . . . 9
Understanding Tracing and Logging Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Junos Space Support for Network Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Overview of Junos Space Network Management . . . . . . . . . . . . . . . . . . . . . . . 12
Preparing the Device for Junos Space Management . . . . . . . . . . . . . . . . . . . . 13
Chapter 2
Network Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Diagnostic Tools Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
J-Web Diagnostic Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
CLI Diagnostic Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Part 2
Operation, Administration, and Management Features
Chapter 3
Ethernet OAM Link Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Understanding Ethernet OAM Link Fault Management . . . . . . . . . . . . . . . . . . . . . 23
IEEE 802.3ah OAM Link-Fault Management Overview . . . . . . . . . . . . . . . . . . . . . 25
Configuring IEEE 802.3ah OAM Link-Fault Management . . . . . . . . . . . . . . . . . . . . 26
Enabling IEEE 802.3ah OAM Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Configuring the OAM PDU Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configuring the OAM PDU Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Configuring an OAM Action Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Configuring Threshold Values for Fault Events in an Action Profile . . . . . . . . . . . . 32
Applying an Action Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Setting a Remote Interface into Loopback Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Monitoring the Loss of Link Adjacency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Monitoring Protocol Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Enabling Remote Loopback Support on the Local Interface . . . . . . . . . . . . . . . . . 37
Configuring Link Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Configuring Threshold Values for Local Fault Events on an Interface . . . . . . . . . . 39
Disabling the Sending of Link Event TLVs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Detecting Remote Faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Specifying the Actions to Be Taken for Link-Fault Management Events . . . . . . . . 42
Example: Configuring IEEE 802.3ah OAM Support on an Interface . . . . . . . . . . . . 43
Example: Configuring Ethernet OAM Connectivity Fault Management on EX Series Switches . . . . . . . . . . 44
Configuring Ethernet OAM Link Fault Management (CLI Procedure) . . . . . . . . . . 49
Chapter 4
Ethernet OAM Connectivity Fault Management . . . . . . . . . . . . . . . . . . . . . . . 53
Understanding Ethernet OAM Connectivity Fault Management for an EX Series Switch . . . . . . . . . . 53
Example: Configuring Ethernet OAM Connectivity Fault Management on EX Series Switches . . . . . . . . . . 54
Configuring Ethernet OAM Connectivity Fault Management (CLI Procedure) . . . 59
Creating the Maintenance Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Configuring the Maintenance Domain MIP Half Function . . . . . . . . . . . . . . . 60
Creating a Maintenance Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Configuring the Continuity Check Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Configuring a Maintenance Association End Point . . . . . . . . . . . . . . . . . . . . . 61
Configuring a Connectivity Fault Management Action Profile . . . . . . . . . . . . 62
Configuring the Linktrace Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Part 3
Uplink Failure Detection
Chapter 5
Uplink Failure Detection Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Understanding Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Uplink Failure Detection Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Failure Detection Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Chapter 6
Configuring Uplink Failure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Configuring Interfaces for Uplink Failure Detection (CLI Procedure) . . . . . . . . . . . 71
Verifying That Uplink Failure Detection Is Working Correctly . . . . . . . . . . . . . . . . . 72
Part 4
Network Monitoring Using SNMP
Chapter 7
SNMP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Understanding SNMP Implementation in Junos OS . . . . . . . . . . . . . . . . . . . . . . . . 77
Understanding the Implementation of SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
SNMPv3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
SNMPv3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Loading MIB Files to a Network Management System . . . . . . . . . . . . . . . . . . . . . . 85
Show SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Junos OS SNMP FAQ Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Junos OS SNMP FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Junos OS SNMP Support FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Junos OS MIBs FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Junos OS SNMP Configuration FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
SNMPv3 FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
SNMP Interaction with Juniper Networks Devices FAQs . . . . . . . . . . . . . . . . 104
SNMP Traps and Informs FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Junos OS Dual Routing Engine Configuration FAQs . . . . . . . . . . . . . . . . . . . . 112
SNMP Support for Routing Instances FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . 113
SNMP Counters FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Chapter 8
SNMP MIBs and Traps Supported by Junos OS . . . . . . . . . . . . . . . . . . . . . . . 117
Enterprise-Specific SNMP MIBs Supported by Junos OS . . . . . . . . . . . . . . . . . . . . 117
Standard SNMP MIBs Supported by Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Standard SNMP Traps Supported by Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Standard SNMP Version 1 Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Standard SNMP Version 2 Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Enterprise-Specific SNMP Traps Supported by Junos OS . . . . . . . . . . . . . . . . . . 156
Juniper Networks Enterprise-Specific SNMP Version 1 Traps . . . . . . . . . . . . 156
Juniper Networks Enterprise-Specific SNMP Version 2 Traps . . . . . . . . . . . . 162
Chapter 9
Configuring Basic SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Configuration Statements at the [edit snmp] Hierarchy Level . . . . . . . . . . . . . . . 172
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Optimizing the Network Management System Configuration for the Best Results . . . . . . . . . . 179
Changing the Polling Method from Column-by-Column to Row-by-Row . . 180
Reducing the Number of Variable Bindings per PDU . . . . . . . . . . . . . . . . . . . 180
Increasing Timeout Values in Polling and Discovery Intervals . . . . . . . . . . . . 180
Reducing Incoming Packet Rate at the snmpd . . . . . . . . . . . . . . . . . . . . . . . 180
Configuring Options on Managed Devices for Better SNMP Response Time . . . . 181
Enabling the stats-cache-lifetime Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Filtering Out Duplicate SNMP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Excluding Interfaces That Are Slow in Responding to SNMP Queries . . . . . . 182
Configuring SNMP on Devices Running Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . 183
Configuring Basic Settings for SNMPv1 and SNMPv2 . . . . . . . . . . . . . . . . . . 183
Configuring Basic Settings for SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Configuring System Name, Location, Description, and Contact Information . . . . . . . . . . 186
Configuring the System Contact on a Device Running Junos OS . . . . . . . . . . . . . 186
Configuring the System Location for a Device Running Junos OS . . . . . . . . . . . . 187
Configuring the System Description on a Device Running Junos OS . . . . . . . . . . 188
Configuring SNMP Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Configuring a Different System Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Configuring the Commit Delay Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Filtering Duplicate SNMP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Configuring SNMP Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Configuring the SNMP Community String . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Examples: Configuring the SNMP Community String . . . . . . . . . . . . . . . . . . . . . . 196
Adding a Group of Clients to an SNMP Community . . . . . . . . . . . . . . . . . . . . . . . 196
Configuring a Proxy SNMP Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Configuring SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Configuring SNMP Trap Options and Groups on a Device Running Junos OS . . . 201
Configuring SNMP Trap Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Configuring the Source Address for SNMP Traps . . . . . . . . . . . . . . . . . . . . . 203
Configuring the Agent Address for SNMP Traps . . . . . . . . . . . . . . . . . . . . . . 205
Adding snmpTrapEnterprise Object Identifier to Standard SNMP Traps . . . 205
Configuring SNMP Trap Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
SNMP Traps Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
SNMP Traps Supported on QFX Series Standalone Switches and QFX Series Virtual Chassis . . . . . . . . . . 208
SNMPv1 Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
SNMPv2 Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
SNMP Traps Supported on QFabric Systems . . . . . . . . . . . . . . . . . . . . . . . . . 217
Example: Configuring SNMP Trap Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Configuring the Interfaces on Which SNMP Requests Can Be Accepted . . . . . . . 221
Example: Configuring Secured Access List Checking . . . . . . . . . . . . . . . . . . . . . . 222
Filtering Interface Information Out of SNMP Get and GetNext Output . . . . . . . . 222
Configuring MIB Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Configuring Ping Proxy MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Understanding the Integrated Local Management Interface . . . . . . . . . . . . . . . . 225
Utility MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
SNMP MIBs Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
MIBs Supported on QFX Series Standalone Switches and QFX Series Virtual Chassis . . . . . . . . . . 227
MIBs Supported on QFabric Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
MIB Objects for the QFX Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
QFX Series Standalone Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
QFabric Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
QFabric System QFX3100 Director Device . . . . . . . . . . . . . . . . . . . . . . . . . . 240
QFabric System QFX3008-I Interconnect Device . . . . . . . . . . . . . . . . . . . . . 241
QFabric System QFX3600-I Interconnect Device . . . . . . . . . . . . . . . . . . . . . 241
QFabric System Node Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Fabric Chassis MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Monitoring RMON MIB Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage . . . . . . . . 247
Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage . . . . . . . . 249
Example: Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Configuring Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Configuring Health Monitoring on Devices Running Junos OS . . . . . . . . . . . . . . . 255
Monitored Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Minimum Health Monitoring Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Configuring the Falling Threshold or Rising Threshold . . . . . . . . . . . . . . . . . 257
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Log Entries and Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Configuring RMON Alarms and Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Configuring an Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Configuring an Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Chapter 10
Configuring SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Minimum SNMPv3 Configuration on a Device Running Junos OS . . . . . . . . . . . . 262
Example: SNMPv3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Creating SNMPv3 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Example: Creating SNMPv3 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Configuring the SNMPv3 Authentication Type . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Configuring MD5 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Configuring SHA Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Configuring No Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Configuring the SNMPv3 Encryption Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Configuring the Advanced Encryption Standard Algorithm . . . . . . . . . . . . . 270
Configuring the Data Encryption Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Configuring Triple DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Configuring No Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Defining Access Privileges for an SNMP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Configuring the Access Privileges Granted to a Group . . . . . . . . . . . . . . . . . . . . . 272
Configuring the Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Configuring the Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Configuring the Security Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Associating MIB Views with an SNMP User Group . . . . . . . . . . . . . . . . . . . . 274
Configuring the Notify View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Configuring the Read View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Configuring the Write View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Example: Configuring the Access Privileges Granted to a Group . . . . . . . . . . . . . 275
Assigning Security Model and Security Name to a Group . . . . . . . . . . . . . . . . . . 276
Configuring the Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Assigning Security Names to Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Configuring the Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Example: Security Group Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Configuring SNMPv3 Traps on a Device Running Junos OS . . . . . . . . . . . . . . . . . 278
Configuring the SNMPv3 Trap Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Example: Configuring SNMPv3 Trap Notification . . . . . . . . . . . . . . . . . . . . . . . . . 281
Configuring the Trap Notification Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Configuring the Trap Target Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Configuring the Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Configuring the Address Mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Configuring the Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Configuring the Routing Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Configuring the Trap Target Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Applying Target Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Example: Configuring the Tag List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Defining and Configuring the Trap Target Parameters . . . . . . . . . . . . . . . . . . . . . 285
Applying the Trap Notification Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Configuring the Target Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Configuring the Message Processing Model . . . . . . . . . . . . . . . . . . . . . . 287
Configuring the Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Configuring the Security Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Configuring the Security Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Configuring SNMP Informs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Configuring the Inform Notification Type and Target Address . . . . . . . . . . . . . . . 289
Example: Configuring the Inform Notification Type and Target Address . . . . . . . 291
Configuring the Remote Engine and Remote User . . . . . . . . . . . . . . . . . . . . . . . . 291
Example: Configuring the Remote Engine ID and Remote User . . . . . . . . . . . . . . 292
Configuring the Local Engine ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Configuring the SNMPv3 Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Configuring the Community Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Configuring the Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Configuring the Security Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Configuring the Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Example: Configuring an SNMPv3 Community . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Chapter 11
Configuring SNMP for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Understanding SNMP Support for Routing Instances . . . . . . . . . . . . . . . . . . . . . 303
SNMP MIBs Supported for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Support Classes for MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
SNMP Traps Supported for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Identifying a Routing Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Enabling SNMP Access over Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community . . . . . . . . 317
Example: Configuring Interface Settings for a Routing Instance . . . . . . . . . . . . . . 318
Configuring Access Lists for SNMP Access over Routing Instances . . . . . . . . . . . 320
Chapter 12
Configuring SNMP Remote Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
SNMP Remote Operations Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
SNMP Remote Operation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Setting SNMP Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Example: Setting SNMP Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Setting Trap Notification for Remote Operations . . . . . . . . . . . . . . . . . . . . . 323
Example: Setting Trap Notification for Remote Operations . . . . . . . . . . 323
Using Variable-Length String Indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Example: Set Variable-Length String Indexes . . . . . . . . . . . . . . . . . . . . 323
Enabling Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Using the Ping MIB for Remote Monitoring Devices Running Junos OS . . . . . . . . 324
Starting a Ping Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Using Multiple Set Protocol Data Units (PDUs) . . . . . . . . . . . . . . . . . . . . . . 325
Using a Single Set PDU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Monitoring a Running Ping Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
pingResultsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
pingProbeHistoryTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Generating Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Gathering Ping Test Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Stopping a Ping Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Interpreting Ping Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS . . . 331
Starting a Traceroute Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Using Multiple Set PDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Using a Single Set PDU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Monitoring a Running Traceroute Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
traceRouteResultsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
traceRouteProbeResultsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
traceRouteHopsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Generating Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Monitoring Traceroute Test Completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Gathering Traceroute Test Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Stopping a Traceroute Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Interpreting Traceroute Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Chapter 13
Tracing SNMP Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on a Device Running Junos OS . . . . . . . . . . 343
Checking for MIB Objects Registered with the snmpd . . . . . . . . . . . . . . . . . 343
Tracking SNMP Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Monitoring SNMP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Checking CPU Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Checking Kernel and Packet Forwarding Engine Response . . . . . . . . . . . . . 348
Tracing SNMP Activity on a Device Running Junos OS . . . . . . . . . . . . . . . . . . . . . 349
Configuring the Number and Size of SNMP Log Files . . . . . . . . . . . . . . . . . . 350
Configuring Access to the Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Configuring a Regular Expression for Lines to Be Logged . . . . . . . . . . . . . . . 351
Configuring the Trace Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Example: Tracing SNMP Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Part 5
Remote Monitoring (RMON) with SNMP Alarms and Events
Chapter 14
RMON Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Understanding RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
RMON Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Alarm Thresholds and Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Understanding RMON Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
alarmTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
jnxRmonAlarmTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Understanding RMON Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
eventTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Understanding RMON Alarms and Events Configuration . . . . . . . . . . . . . . . . . . . 361
RMON MIB Event, Alarm, Log, and History Control Tables . . . . . . . . . . . . . . . . . . 362
Minimum RMON Alarm and Event Entry Configuration . . . . . . . . . . . . . . . . . . . . 364
Configuring an RMON Alarm Entry and Its Attributes . . . . . . . . . . . . . . . . . . . . . 365
Configuring the Alarm Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Configuring the Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Configuring the Falling Event Index or Rising Event Index . . . . . . . . . . . . . . 366
Configuring the Falling Threshold or Rising Threshold . . . . . . . . . . . . . . . . . 366
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Configuring the Falling Threshold Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Configuring the Request Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Configuring the Sample Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Configuring the Startup Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Configuring the System Log Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Configuring the Variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Configuring an RMON Event Entry and Its Attributes . . . . . . . . . . . . . . . . . . . . . . 369
Example: Configuring an RMON Alarm and Event Entry . . . . . . . . . . . . . . . . . . . 370
Configuring RMON History Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Configuring RMON History Sampling Collection . . . . . . . . . . . . . . . . . . . . . . 371
Viewing and Clearing RMON History Statistics . . . . . . . . . . . . . . . . . . . . . . . . 371
Using alarmTable to Monitor MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Creating an Alarm Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Configuring the Alarm MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
alarmInterval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
alarmVariable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
alarmSampleType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
alarmValue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
alarmStartupAlarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
alarmRisingThreshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
alarmFallingThreshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
alarmOwner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
alarmRisingEventIndex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
alarmFallingEventIndex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Activating a New Row in alarmTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Modifying an Active Row in alarmTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Deactivating a Row in alarmTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Using eventTable to Log Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Creating an Event Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Configuring the MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
eventType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
eventCommunity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
eventOwner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
eventDescription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Activating a New Row in eventTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Deactivating a Row in eventTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Chapter 15
Using RMON to Monitor Network Service Quality . . . . . . . . . . . . . . . . . . . . 379
Understanding RMON for Monitoring Service Quality . . . . . . . . . . . . . . . . . . . . . 379
Setting Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
RMON Command-Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
RMON Event Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
RMON Alarm Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Troubleshooting RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Understanding Measurement Points, Key Performance Indicators, and Baseline
Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Measurement Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Basic Key Performance Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Setting Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Defining and Measuring Network Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Defining Network Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Monitoring the SLA and the Required Bandwidth . . . . . . . . . . . . . . . . . 386
Measuring Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Real-Time Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Measuring Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Measuring Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Measuring Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Inbound Firewall Filter Counters per Class . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Monitoring Output Bytes per Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Dropped Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Chapter 16
Health Monitoring with SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Configuring Health Monitoring on Devices Running Junos OS . . . . . . . . . . . . . . . 405
Monitored Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Minimum Health Monitoring Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Configuring the Falling Threshold or Rising Threshold . . . . . . . . . . . . . . . . . 407
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Log Entries and Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Example: Configuring Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Part 6
Accounting Options, Source Class Usage, and Destination Class
Usage Options
Chapter 17
Accounting Options, Source Class Usage and Destination Class Usage
Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Accounting Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Understanding Source Class Usage and Destination Class Usage Options . . . . . 412
Chapter 18
Configuring Accounting Options, Source Class Usage and Destination
Class Usage Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Configuration Statements at the [edit accounting-options] Hierarchy Level . . . 415
Accounting Options Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Accounting Options—Full Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Minimum Accounting Options Configuration . . . . . . . . . . . . . . . . . . . . . . . . 420
Configuring Accounting-Data Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Configuring How Long Backup Files Are Retained . . . . . . . . . . . . . . . . . . . . . 425
Configuring the Maximum Size of the File . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Configuring Archive Sites for the Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Configuring Local Backup for Accounting Files . . . . . . . . . . . . . . . . . . . . . . . 426
Configuring Files to Be Compressed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Configuring the Maximum Number of Files . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Configuring the Storage Location of the File . . . . . . . . . . . . . . . . . . . . . . . . . 427
Configuring Files to Be Saved After a Change in Mastership . . . . . . . . . . . . 428
Configuring the Start Time for File Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Configuring the Transfer Interval of the File . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Managing Accounting Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Configuring the Interface Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Configuring Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Configuring the File Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Configuring Cleared Statistics to be Reported in the Flat File . . . . . . . . . . . . 431
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Example: Configuring the Interface Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Configuring the Filter Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Configuring the Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Configuring the File Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Example: Configuring a Filter Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Example: Configuring Interface-Specific Firewall Counters and Filter Profiles . . 436
Configuring SCU or DCU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Creating Prefix Route Filters in a Policy Statement . . . . . . . . . . . . . . . . . . . . 437
Applying the Policy to the Forwarding Table . . . . . . . . . . . . . . . . . . . . . . . . . 438
Enabling Accounting on Inbound and Outbound Interfaces . . . . . . . . . . . . . 438
Configuring SCU on a Virtual Loopback Tunnel Interface . . . . . . . . . . . . . . . . . . 439
Example: Configuring a Virtual Loopback Tunnel Interface on a Provider
Edge Router Equipped with a Tunnel PIC . . . . . . . . . . . . . . . . . . . . . . . . 439
Example: Mapping the VRF Instance Type to the Virtual Loopback Tunnel
Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Example: Sending Traffic Received from the Virtual Loopback Interface Out
the Source Class Output Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Configuring Class Usage Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Configuring a Class Usage Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Configuring the File Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Creating a Class Usage Profile to Collect Source Class Usage Statistics . . . 442
Creating a Class Usage Profile to Collect Destination Class Usage
Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Configuring the MIB Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Configuring the File Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Configuring the MIB Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Configuring MIB Object Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Example: Configuring a MIB Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Configuring the Routing Engine Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Configuring Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Configuring the File Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Configuring the Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Example: Configuring a Routing Engine Profile . . . . . . . . . . . . . . . . . . . . . . . 446
Part 7
Monitoring Options
Chapter 19
Configuring Interface Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Alarm Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Alarm Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Alarm Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Alarm Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Interface Alarm Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
System Alarm Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Monitoring Active Alarms on a Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Monitoring Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Example: Configuring Interface Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Chapter 20
Configuring Real-Time Performance Monitoring . . . . . . . . . . . . . . . . . . . . . 463
RPM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
RPM Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Probe and Test Intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Jitter Measurement with Hardware Timestamping . . . . . . . . . . . . . . . . . . . 465
RPM Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
RPM Thresholds and Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
RPM for BGP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Understanding Real-Time Performance Monitoring on Switches . . . . . . . . . . . . 467
RPM Packet Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Tests and Probe Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Hardware Timestamps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Limitations of RPM on EX Series and QFX Series Switches . . . . . . . . . . . . . . 471
RPM Support for VPN Routing and Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . 472
RPM Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Two-Way Active Measurement Protocol (TWAMP) Overview . . . . . . . . . . . . . . . 477
Implementation of TWAMP Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Benefits of TWAMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Guidelines for Configuring RPM Probes for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Configuring the Interface for RPM Timestamping for Client/Server on a Switch
(CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Directing RPM Probes to Select BGP Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
IPv6 RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Configuring IPv6 RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Tuning RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Monitoring RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Example: Configuring Basic RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Example: Configuring RPM Using TCP and UDP Probes . . . . . . . . . . . . . . . . . . . 493
Example: Configuring RPM Probes for BGP Monitoring . . . . . . . . . . . . . . . . . . . . 497
Viewing Real-Time Performance Monitoring Information . . . . . . . . . . . . . . . . . . 499
Chapter 21
Configuring IP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
IP Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Understanding IP Monitoring Test Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Understanding IP Monitoring Through Redundant Ethernet Interface Link
Aggregation Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Example: Configuring IP Monitoring on SRX Series Devices . . . . . . . . . . . . . . . . 503
Example: Configuring IP Monitoring on SRX Series Devices . . . . . . . . . . . . . . . . 509
Example: Configuring Chassis Cluster Redundancy Group IP Address
Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Chapter 22
Configuring sFlow Monitoring Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Overview of sFlow Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Understanding How to Use sFlow Technology for Network Monitoring on a MX
Series Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Benefits of sFlow Technology on a MX Series Router . . . . . . . . . . . . . . . . . . 521
Sampling Mechanism and Architecture of sFlow Technology on a MX Series
Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Adaptive Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
sFlow Agent Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
sFlow Limitations on Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Understanding How to Use sFlow Technology for Network Monitoring on an EX
Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Sampling Mechanism and Architecture of sFlow Technology on EX Series
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Adaptive Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
sFlow Agent Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Example: Configuring sFlow Technology to Monitor Network Traffic on EX Series
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Example: Configuring sFlow Technology to Monitor Network Traffic on MX Series
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Configuring sFlow Technology for Network Monitoring (CLI Procedure) . . . . . . . 537
Understanding How to Use sFlow Technology for Network Monitoring on a
Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Sampling Mechanism and Architecture of sFlow Technology on
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Adaptive Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
sFlow Agent Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
sFlow Limitations on Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Configuring sFlow Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Example: Monitoring Network Traffic Using sFlow Technology . . . . . . . . . . . . . . 545
Chapter 23
Packet Flow Accelerator Diagnostics Software . . . . . . . . . . . . . . . . . . . . . . . 551
Understanding Packet Flow Accelerator Diagnostics Software and Other
Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
Understanding External and Internal Ports and Network Interface Card
Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Understanding Packet Flow Accelerator Diagnostics Software Tests and
Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Understanding the ikondiag Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Understanding Basic Functionality Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Understanding and Running Ethernet Tests and Scripts . . . . . . . . . . . . . . . 556
Understanding and Using Stress Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Understanding and Running PTP Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Understanding QFX-PFA-4Q Module LED Tests . . . . . . . . . . . . . . . . . . . . . . 563
Understanding Packet Flow Accelerator Diagnostics Utilities . . . . . . . . . . . 564
Sample Output for Packet Accelerator Diagnostics Software . . . . . . . . . . . 568
Installing Ethernet and PTP Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Installing Ethernet and PTP Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Installing Packet Flow Accelerator Diagnostics Software . . . . . . . . . . . . . . . . . . 576
Installing Packet Flow Accelerator Diagnostics Software . . . . . . . . . . . . . . . 576
Verifying That the QFX-PFA-4Q Expansion Module Is Installed . . . . . . . . . . 576
Downloading the Packet Flow Diagnostics Software . . . . . . . . . . . . . . . . . . 577
Copying the Packet Flow Diagnostics Software Package to the Switch . . . 578
Install the Packet Flow Diagnostics Software on the Switch . . . . . . . . . . . . 578
Configure the Guest VM Options to Launch the Guest VM on the Host . . . 580
Verifying That the Guest VM is Working . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Accessing the Guest VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Verifying That the FPGA Module Is Working . . . . . . . . . . . . . . . . . . . . . . . . . 584
Validating Connections Between QFX5100-24Q-AA Switch Network Ports
and QFX-PFA-4Q Module Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Uninstalling the Guest VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Part 8
Monitoring Common Security Features
Chapter 24
Displaying Real-Time Information from Device to Host . . . . . . . . . . . . . . . 593
Displaying Real-Time Monitoring Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Displaying Multicast Path Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Chapter 25
Monitoring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Monitoring Policy Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Monitoring Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Monitoring Route Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Monitoring RIP Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Monitoring OSPF Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Monitoring BGP Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Monitoring Security Events by Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Monitoring Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Monitoring Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Checking Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Monitoring Screen Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Monitoring IDP Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Monitoring Flow Gate Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Monitoring Firewall Authentication Table . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Monitoring Firewall Authentication History . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Monitoring 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Chapter 26
Monitoring Application Layer Gateways Features . . . . . . . . . . . . . . . . . . . . 625
Monitoring H.323 ALG Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
Monitoring MGCP ALGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Monitoring MGCP ALG Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Monitoring MGCP ALG Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Monitoring MGCP ALG Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Monitoring SCCP ALGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Monitoring SCCP ALG Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Monitoring SCCP ALG Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Monitoring SIP ALGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Monitoring SIP ALG Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Monitoring SIP ALG Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Monitoring SIP ALG Rate Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Monitoring SIP ALG Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Monitoring Voice ALG H.323 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Monitoring Voice ALG MGCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Monitoring Voice ALG SCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Monitoring Voice ALG SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Monitoring Voice ALG Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Chapter 27
Monitoring Interfaces and Switching Functions . . . . . . . . . . . . . . . . . . . . . . 651
Displaying Real-Time Interface Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Monitoring Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Monitoring Ethernet Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
Monitoring GVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Monitoring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Monitoring MPLS Traffic Engineering Information . . . . . . . . . . . . . . . . . . . . . . . . 657
Monitoring MPLS Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Monitoring MPLS LSP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Monitoring MPLS LSP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Monitoring RSVP Session Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Monitoring MPLS RSVP Interfaces Information . . . . . . . . . . . . . . . . . . . . . . 662
Monitoring PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Monitoring PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Monitoring Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Monitoring the WAN Acceleration Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Chapter 28
Monitoring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Monitoring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Monitoring Source NAT Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Monitoring Destination NAT Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Monitoring Static NAT Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
Monitoring NAT Incoming Table Information . . . . . . . . . . . . . . . . . . . . . . . . 680
Monitoring Interface NAT Port Information . . . . . . . . . . . . . . . . . . . . . . . . . . 681
Chapter 29
Monitoring Events, Services and System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Monitoring DHCP Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Monitoring Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Monitoring the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Monitoring System Properties for SRX Series Devices . . . . . . . . . . . . . . . . . 686
Monitoring Chassis Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
System Health Management for SRX Series Devices . . . . . . . . . . . . . . . . . . 690
Chapter 30
Monitoring Unified Threat Management Features . . . . . . . . . . . . . . . . . . . . 693
Monitoring Antivirus Scan Engine Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Monitoring Antivirus Scan Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
Monitoring Antivirus Session Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Monitoring Content Filtering Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Monitoring Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Threats Monitoring Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Traffic Monitoring Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Monitoring Web Filtering Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Chapter 31
Monitoring VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Monitoring VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Monitoring IKE Gateway Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Monitoring IPsec VPN—Phase I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Monitoring IPsec VPN—Phase II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
Monitoring IPsec VPN Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
Part 9
Performance Management
Chapter 32
Ethernet Frame Delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Understanding Ethernet Frame Delay Measurements on Switches . . . . . . . . . . . 721
Ethernet Frame Delay Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Types of Ethernet Frame Delay Measurements . . . . . . . . . . . . . . . . . . . . . . . 722
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Configuring MEP Interfaces on Switches to Support Ethernet Frame Delay
Measurements (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Configuring One-Way Ethernet Frame Delay Measurements on Switches (CLI
Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Configuring an Iterator Profile on a Switch (CLI Procedure) . . . . . . . . . . . . . . . . . 725
Triggering an Ethernet Frame Delay Measurement Session on a Switch . . . . . . . 726
Configuring Two-Way Ethernet Frame Delay Measurements on Switches (CLI
Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Chapter 33
Configuring Network Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
Network Analytics Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
Analytics Feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730
Network Analytics Enhancements Overview . . . . . . . . . . . . . . . . . . . . . . . . . 731
Summary of CLI Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
Understanding Enhanced Network Analytics Streaming Data . . . . . . . . . . . . . . 736
Google Protocol Buffer (GPB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737
JavaScript Object Notation (JSON) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Comma-separated Values (CSV) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740
Tab-separated Values (TSV) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740
Queue Statistics Output for JSON, CSV, and TSV . . . . . . . . . . . . . . . . . . . . . 740
Traffic Statistics Output for JSON, CSV, and TSV . . . . . . . . . . . . . . . . . . . . . . 741
Understanding Enhanced Analytics Local File Output . . . . . . . . . . . . . . . . . . . . . 742
Understanding Network Analytics Streaming Data . . . . . . . . . . . . . . . . . . . . . . . 744
Understanding Network Analytics Configuration and Status . . . . . . . . . . . . . . . . 747
Prototype File for the Google Protocol Buffer Stream Format . . . . . . . . . . . . . . . 748
Configuring Queue Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Configuring Traffic Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
Configuring a Local File for Network Analytics Data . . . . . . . . . . . . . . . . . . . . . . . 752
Configuring a Remote Collector for Streaming Analytics Data . . . . . . . . . . . . . . . 753
Example: Configuring Network Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Example: Configuring Enhanced Network Analytics Features . . . . . . . . . . . . . . . 761
Part 10
Port Mirroring and Analyzers
Chapter 34
Overview of Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
Understanding Port Mirroring and Analyzers on EX2300, EX3400, and EX4300
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
Port Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776
Analyzer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Port Mirroring and Analyzer Terminologies . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Configuration Guidelines for Port Mirroring and Analyzers on EX2300,
EX3400, and EX4300 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
Understanding Port Mirroring on EX Series Switches . . . . . . . . . . . . . . . . . . . . . . 781
Port Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
Port Mirroring Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
Configuration Guidelines for Port Mirroring on the Switches . . . . . . . . . . . . 785
Understanding Port Mirroring on Routers with an Internet Processor II ASIC or T
Series Internet Processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
Understanding Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Port Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
Port Mirroring Instance Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Port-Mirroring Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Port Mirroring and STP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Port Mirroring Constraints and Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Local and Remote Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Remote Port Mirroring Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Port Mirroring Constraints on OCX Series Switches . . . . . . . . . . . . . . . . 794
Understanding Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Port Mirroring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Port-Mirroring Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Understanding Layer 2 Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Understanding Layer 2 Port Mirroring Properties . . . . . . . . . . . . . . . . . . . . . . . . . 797
Packet-Selection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
Packet Address Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
Mirror Destination Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
Mirror-Once Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Application of Layer 2 Port Mirroring Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Restrictions on Layer 2 Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Port Mirroring Constraints and Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
Local and Remote Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
Remote Port Mirroring Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
Port Mirroring Constraints on OCX Series Switches . . . . . . . . . . . . . . . . . . . 805
Chapter 35
Configuring Port Mirroring Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Understanding Port Mirroring Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Analyzer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Statistical Analyzer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Default Analyzer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Port Mirroring at a Group of Ports Bound to Multiple Statistical
Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Port Mirroring Analyzer Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Configuration Guidelines for Port Mirroring Analyzers . . . . . . . . . . . . . . . . . . 811
Configuring Mirroring on EX9200 Switches to Analyze Traffic (CLI
Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
Configuring an Analyzer for Local Traffic Analysis . . . . . . . . . . . . . . . . . . . . . 814
Configuring an Analyzer for Remote Traffic Analysis . . . . . . . . . . . . . . . . . . . 815
Configuring a Statistical Analyzer for Local Traffic Analysis . . . . . . . . . . . . . 816
Configuring a Statistical Analyzer for Remote Traffic Analysis . . . . . . . . . . . 817
Binding Statistical Analyzers to Ports Grouped at the FPC Level . . . . . . . . . 818
Configuring an Analyzer with Multiple Destinations by Using Next-Hop
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
Defining a Next-Hop Group for Layer 2 Mirroring . . . . . . . . . . . . . . . . . . . . . . 819
Configuring Mirroring on EX4300 Switches to Analyze Traffic (CLI
Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 820
Configuring an Analyzer for Local Traffic Analysis . . . . . . . . . . . . . . . . . . . . . 821
Configuring an Analyzer for Remote Traffic Analysis . . . . . . . . . . . . . . . . . . . 822
Configuring Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823
Configuring Port Mirroring to Analyze Traffic (CLI Procedure) . . . . . . . . . . . . . . . 824
Configuring Port Mirroring for Local Traffic Analysis . . . . . . . . . . . . . . . . . . . 825
Configuring Port Mirroring for Remote Traffic Analysis . . . . . . . . . . . . . . . . . 826
Filtering the Traffic Entering an Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
Verifying Input and Output for Port Mirroring Analyzers on EX Series
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
Example: Configuring Port Mirroring Analyzers for Local Monitoring of Employee
Resource Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830
Example: Configuring Port Mirroring for Remote Monitoring of Employee Resource
Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833
Example: Configuring Mirroring to Multiple Interfaces for Remote Monitoring of
Employee Resource Use on EX9200 Switches . . . . . . . . . . . . . . . . . . . . . . . 843
Example: Configuring Mirroring for Remote Monitoring of Employee Resource
Use Through a Transit Switch on EX9200 Switches . . . . . . . . . . . . . . . . . . . 852
Example: Configuring Mirroring for Local Monitoring of Employee Resource Use
on EX4300 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
Example: Configuring Mirroring for Remote Monitoring of Employee Resource
Use on EX4300 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866
Example: Configuring Mirroring for Remote Monitoring of Employee Resource
Use Through a Transit Switch on EX4300 Switches . . . . . . . . . . . . . . . . . . . 877
Chapter 36
Configuring Port Mirroring Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
Layer 2 Port Mirroring Global Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
Configuring the Global Instance of Layer 2 Port Mirroring . . . . . . . . . . . . . . . . . . 885
Layer 2 Port Mirroring Named Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888
Layer 2 Port Mirroring Named Instances Overview . . . . . . . . . . . . . . . . . . . . 888
Mirroring at Ports Grouped at the FPC Level . . . . . . . . . . . . . . . . . . . . . . . . . 889
Mirroring at Ports Grouped at the PIC Level . . . . . . . . . . . . . . . . . . . . . . . . . 889
Mirroring at a Group of Ports Bound to Multiple Named Instances . . . . . . . 890
Defining a Named Instance of Layer 2 Port Mirroring . . . . . . . . . . . . . . . . . . . . . 890
Disabling Layer 2 Port Mirroring Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894
Configuring Inline Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 895
Chapter 37
Configuring Port Mirroring for Physical Interfaces . . . . . . . . . . . . . . . . . . . . 897
Precedence of Multiple Levels of Layer 2 Port Mirroring on a Physical
Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 897
Binding Layer 2 Port Mirroring to Ports Grouped at the FPC Level . . . . . . . . . . . 898
Binding Layer 2 Port Mirroring to Ports Grouped at the PIC Level . . . . . . . . . . . . 900
Examples: Layer 2 Port Mirroring at Multiple Levels of the Chassis . . . . . . . . . . . 902
Layer 2 Port Mirroring at the FPC Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
Layer 2 Port Mirroring at the PIC Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
Layer 2 Port Mirroring at the FPC and PIC Levels . . . . . . . . . . . . . . . . . . . . . 903
Configuring Layer 2 Port Mirroring Over GRE Interface . . . . . . . . . . . . . . . . . . . . 904
Example: Configuring Layer 2 Port Mirroring Over a GRE Interface . . . . . . . . . . . 905
Chapter 38
Configuring Port Mirroring for Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . 911
Layer 2 Port Mirroring Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912
Layer 2 Port Mirroring Firewall Filters Overview . . . . . . . . . . . . . . . . . . . . . . . 912
Mirroring of Packets Received or Sent on a Logical Interface . . . . . . . . . . . . 913
Mirroring of Packets Forwarded or Flooded to a VLAN . . . . . . . . . . . . . . . . . 913
Mirroring of Packets Forwarded or Flooded to a VPLS Routing Instance . . . 914
Defining a Layer 2 Port-Mirroring Firewall Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . 914
Defining a Layer 2 Port-Mirroring Firewall Filter . . . . . . . . . . . . . . . . . . . . . . . . . . 918
Configuring Protocol-Independent Firewall Filter for Port Mirroring . . . . . . . . . . . 921
Example: Mirroring Employee Web Traffic with a Firewall Filter . . . . . . . . . . . . . 923
Understanding Layer 2 Port Mirroring of PE Router Logical Interfaces . . . . . . . . 927
Understanding Layer 2 Port Mirroring of PE Router Aggregated Ethernet
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 928
Layer 2 Port Mirroring of PE Router or PE Switch Logical Interfaces . . . . . . . . . . 929
Layer 2 Port Mirroring of PE Router or PE Switch Aggregated Ethernet
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
Applying Layer 2 Port Mirroring to a Logical Interface . . . . . . . . . . . . . . . . . . . . . 932
Applying Layer 2 Port Mirroring to a Logical Interface . . . . . . . . . . . . . . . . . . . . . 935
Applying Layer 2 Port Mirroring to Traffic Forwarded or Flooded to a Bridge
Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 938
Applying Layer 2 Port Mirroring to Traffic Forwarded or Flooded to a VPLS Routing
Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
Applying Layer 2 Port Mirroring to Traffic Forwarded or Flooded to a VPLS Routing
Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
Applying Layer 2 Port Mirroring to Traffic Forwarded or Flooded to a VLAN . . . . 945
Example: Layer 2 Port Mirroring at a Logical Interface . . . . . . . . . . . . . . . . . . . . . 947
Example: Layer 2 Port Mirroring at a Logical Interface . . . . . . . . . . . . . . . . . . . . . 949
Example: Layer 2 Port Mirroring for a Layer 2 VPN . . . . . . . . . . . . . . . . . . . . . . . . 952
Example: Layer 2 Port Mirroring for a Layer 2 VPN . . . . . . . . . . . . . . . . . . . . . . . . 954
Example: Layer 2 Port Mirroring for a Layer 2 VPN with LAG Links . . . . . . . . . . . 956
Example: Layer 2 Port Mirroring for a Layer 2 VPN with LAG Links . . . . . . . . . . . 959
Chapter 39
Configuring Port Mirroring for Multiple Destinations . . . . . . . . . . . . . . . . . . 963
Understanding Layer 2 Port Mirroring to Multiple Destinations Using Next-Hop
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
Defining a Next-Hop Group for Layer 2 Port Mirroring . . . . . . . . . . . . . . . . . . . . . 964
Defining a Next-Hop Group on MX Series Routers for Port Mirroring . . . . . . . . . 965
Example: Configuring Multiple Port Mirroring with Next-Hop Groups on M, MX
and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 968
Example: Layer 2 Port Mirroring to Multiple Destinations . . . . . . . . . . . . . . . . . . . 971
Chapter 40
Configuring Port Mirroring for Remote Destinations . . . . . . . . . . . . . . . . . . 977
Layer 2 Port Mirroring to Remote Destination by Using Destination as VLAN . . . 977
Configuration Layer 2 Port Mirroring to a Remote VLAN . . . . . . . . . . . . . . . . . . . . 977
Configuring Port Mirroring to a Remote VLAN . . . . . . . . . . . . . . . . . . . . . . . . 978
Example: Configuring Layer 2 Port Mirroring to Remote VLAN . . . . . . . . . . . . . . 980
Chapter 41
Configuring Port Mirroring Local and Remote Analysis . . . . . . . . . . . . . . . . 987
Configuring Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
Configuring Port Mirroring for Local Analysis . . . . . . . . . . . . . . . . . . . . . . . . 988
Configuring Port Mirroring for Remote Analysis . . . . . . . . . . . . . . . . . . . . . . 989
Filtering the Traffic Entering an Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 989
Examples: Configuring Port Mirroring for Local Analysis . . . . . . . . . . . . . . . . . . . 990
Example: Mirroring Employee Web Traffic with a Firewall Filter . . . . . . . . . . . . . 993
Example: Configuring Port Mirroring for Local Analysis . . . . . . . . . . . . . . . . . . . . 996
Example: Configuring Port Mirroring for Remote Analysis . . . . . . . . . . . . . . . . . . 1001
Chapter 42
Monitoring Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1007
Displaying Layer 2 Port-Mirroring Instance Settings and Status . . . . . . . . . . . . 1007
Displaying Next-Hop Group Settings and Status . . . . . . . . . . . . . . . . . . . . . . . . 1007
Chapter 43
Troubleshooting Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1009
Troubleshooting Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1009
Port Mirroring Constraints and Limitations . . . . . . . . . . . . . . . . . . . . . . . . . 1009
Local and Remote Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1009
Remote Port Mirroring Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1011
Port Mirroring Constraints on OCX Series Switches . . . . . . . . . . . . . . . . 1011
Egress Port Mirroring with VLAN Translation . . . . . . . . . . . . . . . . . . . . . . . . 1012
Egress Port Mirroring with Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . 1012
Troubleshooting Port Mirroring Configuration Error Messages . . . . . . . . . . . . . . 1013
An Analyzer Configuration Returns a “Multiple interfaces cannot be
configured as a member of Analyzer output VLAN” Error Message . . . 1013
Part 11
System Log Messages
Chapter 44
Overview to System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
Junos OS System Log Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
Overview of Junos OS System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 1018
Junos OS System Log Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . 1018
Junos OS System Logging Facilities and Message Severity Levels . . . . . . . . . . . 1019
Junos OS Default System Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
Junos OS Platform-Specific Default System Log Messages . . . . . . . . . . . . . . . . 1022
Interpreting Messages Generated in Standard Format . . . . . . . . . . . . . . . . . . . . 1023
Managing Host OS System Log and Core Files . . . . . . . . . . . . . . . . . . . . . . . . . . 1024
Viewing Log Files On the Host OS System . . . . . . . . . . . . . . . . . . . . . . . . . . 1025
Copying Log Files From the Host System To the Switch . . . . . . . . . . . . . . . 1025
Viewing Core Files On the Host OS System . . . . . . . . . . . . . . . . . . . . . . . . . 1025
Copying Core Files From the Host System To the Switch . . . . . . . . . . . . . . 1026
Cleaning Up Temporary Files on the Host OS . . . . . . . . . . . . . . . . . . . . . . . 1026
Chapter 45
Configuring System Logging for a Single-Chassis System . . . . . . . . . . . . 1027
Single-Chassis System Logging Configuration Overview . . . . . . . . . . . . . . . . . . 1027
Overview of Single-Chassis System Logging Configuration . . . . . . . . . . . . . . . . 1029
Junos OS System Log Configuration Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . 1031
Junos OS System Log Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . 1031
Junos OS Minimum System Logging Configuration . . . . . . . . . . . . . . . . . . . . . . 1032
Example: Configuring System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
Logging Messages in Structured-Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
Specifying Log File Size, Number, and Archiving Properties . . . . . . . . . . . . . . . . 1036
Including Priority Information in System Log Messages . . . . . . . . . . . . . . . . . . . 1038
System Log Facility Codes and Numerical Codes Reported in Priority
Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
Including the Year or Millisecond in Timestamps . . . . . . . . . . . . . . . . . . . . . . . . 1041
Using Regular Expressions to Refine the Set of Logged Messages . . . . . . . . . . 1042
Junos System Log Regular Expression Operators for the match Statement . . . 1044
Disabling the System Logging of a Facility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1045
Examples: Configuring System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1046
Examples: Assigning an Alternative Facility . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047
Chapter 46
Configuring System Logging for a TX Matrix or TX Matrix Plus Router . . 1049
Configuring System Logging for a TX Matrix Router . . . . . . . . . . . . . . . . . . . . . . 1049
Configuring System Logging for a TX Matrix Plus Router . . . . . . . . . . . . . . . . . . 1051
Configuring Message Forwarding to the TX Matrix Router . . . . . . . . . . . . . . . . . 1053
Configuring Message Forwarding to the TX Matrix Plus Router . . . . . . . . . . . . . 1054
Impact of Different Local and Forwarded Severity Levels on System Log
Messages on a TX Matrix Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1055
Messages Logged When the Local and Forwarded Severity Levels Are the
Same . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1056
Messages Logged When the Local Severity Level Is Lower . . . . . . . . . . . . . 1056
Messages Logged When the Local Severity Level Is Higher . . . . . . . . . . . . . 1057
Impact of Different Local and Forwarded Severity Levels on System Log
Messages on a TX Matrix Plus Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1057
Messages Logged When the Local and Forwarded Severity Levels Are the
Same . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058
Messages Logged When the Local Severity Level Is Lower . . . . . . . . . . . . . 1058
Messages Logged When the Local Severity Level Is Higher . . . . . . . . . . . . 1059
Configuring Optional Features for Forwarded Messages on a TX Matrix
Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060
Including Priority Information in Forwarded Messages . . . . . . . . . . . . . . . . 1060
Adding a Text String to Forwarded Messages . . . . . . . . . . . . . . . . . . . . . . . . 1061
Using Regular Expressions to Refine the Set of Forwarded Messages . . . . 1061
Configuring Optional Features for Forwarded Messages on a TX Matrix Plus
Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1061
Including Priority Information in Forwarded Messages . . . . . . . . . . . . . . . . 1062
Adding a Text String to Forwarded Messages . . . . . . . . . . . . . . . . . . . . . . . 1062
Using Regular Expressions to Refine the Set of Forwarded Messages . . . . 1063
Configuring System Logging Differently on Each T640 Router in a Routing
Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063
Configuring System Logging Differently on Each T1600 or T4000 Router in a
Routing Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1064
Chapter 47
Directing System Log Messages to a Remote Destination . . . . . . . . . . . . 1067
Specifying the Facility and Severity of Messages to Include in the Log . . . . . . . 1067
Directing System Log Messages to a Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . 1069
Directing System Log Messages to a User Terminal . . . . . . . . . . . . . . . . . . . . . . 1070
Directing System Log Messages to the Console . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
Directing System Log Messages to a Remote Machine or the Other Routing
Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
Directing System Log Messages to a Remote Machine . . . . . . . . . . . . . . . . . . . . 1072
Specifying an Alternative Source Address for System Log Messages Directed to
a Remote Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073
Adding a Text String to System Log Messages Directed to a Remote
Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073
Changing the Alternative Facility Name for System Log Messages Directed to a
Remote Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1074
Default Facilities for System Log Messages Directed to a Remote
Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1076
Alternate Facilities for System Log Messages Directed to a Remote
Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077
Examples: Assigning an Alternative Facility to System Log Messages Directed
to a Remote Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078
Directing Messages to a Remote Destination from the Routing Matrix Based on
the TX Matrix Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078
Directing Messages to a Remote Destination from the Routing Matrix Based on
a TX Matrix Plus Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1079
Chapter 48
Displaying System Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1083
Displaying a Log File from a Single-Chassis System . . . . . . . . . . . . . . . . . . . . . . 1083
Log File Sample Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1083
Displaying a Log File from a Routing Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1085
Chapter 49
Displaying and Interpreting System Log Message Descriptions . . . . . . . 1087
Displaying and Interpreting System Log Message Descriptions . . . . . . . . . . . . . 1087
The message-source Field on a Single-Chassis System . . . . . . . . . . . . . . . . . . 1089
The message-source Field on a TX Matrix Platform . . . . . . . . . . . . . . . . . . . . . . 1089
The message-source Field on a T640 Routing Node in a Routing Matrix . . . . . . 1091
Interpreting Messages Generated in Standard Format by a Junos OS Process or
Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1092
Interpreting Messages Generated in Standard Format by Services on a PIC . . . 1093
Interpreting Messages Generated in Structured-Data Format . . . . . . . . . . . . . . 1094
Examples: Displaying System Log Message Descriptions . . . . . . . . . . . . . . . . . 1098
Chapter 50
Configuring System Logging for a Security Device . . . . . . . . . . . . . . . . . . . . 1101
Understanding System Logging for Security Devices . . . . . . . . . . . . . . . . . . . . . . 1101
Control Plane and Data Plane Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101
Redundant System Log Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102
Understanding Stream Logging for Security Devices . . . . . . . . . . . . . . . . . . . . . . 1102
Understanding Binary Format for Security Logs . . . . . . . . . . . . . . . . . . . . . . . . . 1103
Understanding On-Box Logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . 1104
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1104
Understanding On-box logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . 1106
On-Box Reporting Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1107
Chassis Cluster Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1108
Monitoring Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1108
Threats Monitoring Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1108
Traffic Monitoring Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1113
Configuring On-Box Binary Security Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1115
Configuring Off-Box Binary Security Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1116
Sending System Log Messages to a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1118
Setting the System to Send All Log Messages Through eventd . . . . . . . . . . . . . . 1118
Setting the System to Stream Security Logs Through Revenue Ports . . . . . . . . . 1119
Chapter 51
Monitoring Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1123
Monitoring System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1123
Part 12
Network Management and Troubleshooting
Chapter 52
Monitoring and Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1127
Pinging Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1127
Monitoring Traffic Through the Router or Switch . . . . . . . . . . . . . . . . . . . . . . . . . 1128
Displaying Real-Time Statistics About All Interfaces on the Router or
Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1128
Displaying Real-Time Statistics About an Interface on the Router or
Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1129
Chapter 53
Troubleshooting of System Performance with Resource Monitoring
Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1131
Resource Monitoring Usage Computation Overview . . . . . . . . . . . . . . . . . . . . . . 1131
Resource Monitoring and Usage Computation For Trio-Based Line
Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132
Resource Monitoring and Usage Computation For I-Chip-Based Line
Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132
Diagnosing and Debugging System Performance by Configuring Memory
Resource Usage Monitoring on MX Series Routers . . . . . . . . . . . . . . . . . . . . 1134
Troubleshooting the Mismatch of jnxNatObjects Values for MS-DPC and
MS-MIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136
Managed Objects for Ukernel Memory for a Packet Forwarding Engine in an FPC
Slot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1137
Managed Objects for Packet Forwarding Engine Memory Statistics Data . . . . . 1138
Managed Objects for Next-Hop, Jtree, and Firewall Filter Memory for a Packet
Forwarding Engine in an FPC Slot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1138
jnxPfeMemoryErrorsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1139
pfeMemoryErrors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1139
Chapter 54
Configuring Data Path Debugging and Trace Options . . . . . . . . . . . . . . . . . 1141
Understanding Data Path Debugging for SRX Series Devices . . . . . . . . . . . . . . . 1141
Understanding Security Debugging Using Trace Options . . . . . . . . . . . . . . . . . . 1142
Understanding Flow Debugging Using Trace Options . . . . . . . . . . . . . . . . . . . . . 1143
Debugging the Data Path (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1143
Setting Flow Debugging Trace Options (CLI Procedure) . . . . . . . . . . . . . . . . . . . 1144
Setting Security Trace Options (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 1145
Displaying Log and Trace Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1146
Displaying Output for Security Trace Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 1146
Displaying Multicast Trace Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1147
J-Web Traceroute Results and Output Summary . . . . . . . . . . . . . . . . . . . . . . . . 1148
Displaying a List of Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1149
Example: Configuring End-to-End Debugging on SRX Series Device . . . . . . . . . 1150
Chapter 55
Using MPLS to Diagnose LSPs, VPNs, and Layer 2 Circuits . . . . . . . . . . . . 1157
MPLS Connection Checking Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1157
Understanding Ping MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1159
MPLS Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1159
Loopback Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1159
Source Address for Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1160
Using the ping Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1160
Pinging Layer 2 Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1162
Pinging Layer 2 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1163
Pinging Layer 3 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1165
Pinging RSVP-Signaled LSPs and LDP-Signaled LSPs . . . . . . . . . . . . . . . . . . . . 1166
Chapter 56
Using Packet Capture to Analyze Network Traffic . . . . . . . . . . . . . . . . . . . . 1169
Packet Capture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1169
Packet Capture on Device Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1170
Firewall Filters for Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1171
Packet Capture Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1171
Analysis of Packet Capture Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1171
Example: Enabling Packet Capture on a Device . . . . . . . . . . . . . . . . . . . . . . . . . . 1172
Example: Configuring Packet Capture on an Interface . . . . . . . . . . . . . . . . . . . . . 1175
Example: Configuring a Firewall Filter for Packet Capture . . . . . . . . . . . . . . . . . . 1177
Example: Configuring Packet Capture for Datapath Debugging . . . . . . . . . . . . . 1179
Disabling Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1183
Deleting Packet Capture Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1183
Changing Encapsulation on Interfaces with Packet Capture Configured . . . . . . 1184
Displaying Packet Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1185
Chapter 57
Troubleshooting Security Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1191
Recovering the Root Password for SRX Series Devices . . . . . . . . . . . . . . . . . . . . 1191
Troubleshooting DNS Name Resolution in Logical System Security Policies
(Master Administrators Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1193
Troubleshooting the Link Services Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1193
Determine Which CoS Components Are Applied to the Constituent
Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1194
Determine What Causes Jitter and Latency on the Multilink Bundle . . . . . . 1196
Determine If LFI and Load Balancing Are Working Correctly . . . . . . . . . . . . 1196
Determine Why Packets Are Dropped on a PVC Between a Juniper Networks
Device and a Third-Party Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1203
Troubleshooting Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1204
Synchronizing Policies Between Routing Engine and Packet Forwarding
Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1204
Checking a Security Policy Commit Failure . . . . . . . . . . . . . . . . . . . . . . . . . 1204
Verifying a Security Policy Commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205
Debugging Policy Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205
Understanding Log Error Messages for Troubleshooting ISSU-Related
Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205
Chassisd Process Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1206
Understanding Common Error Handling for ISSU . . . . . . . . . . . . . . . . . . . . 1206
ISSU Support-Related Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1209
Initial Validation Checks Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1209
Installation-Related Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1210
Redundancy Group Failover Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1211
Kernel State Synchronization Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1211
Part 13
Configuration Statements
Chapter 58
Configuration Statements: Real-Time Performance Monitoring . . . . . . . 1215
data-fill . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1216
data-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1217
destination-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1218
dscp-code-point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1219
hardware-timestamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1220
history-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1221
moving-average-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1222
one-way-hardware-timestamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1223
port (RPM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1224
probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1225
probe-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1226
probe-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1227
probe-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1228
probe-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1229
probe-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1230
routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1231
routing-instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1232
rpm (Interfaces) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1233
rpm (Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1234
source-address (Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1237
tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1238
test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1239
test-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1240
thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1241
traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1243
udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1245
Chapter 59
Configuration Statements: Ethernet OAM Link Fault Management . . . . 1247
action (OAM LFM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1249
action (OAM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1249
action-profile (Applying to OAM CFM, for EX Series Switch Only) . . . . . . . . . . . 1250
action-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1251
age . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1252
allow-remote-loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1253
apply-action-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1253
auto-discovery (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1254
calculation-weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1255
connectivity-fault-management (EX Series Switch Only) . . . . . . . . . . . . . . . . . 1256
continuity-check (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1258
cycle-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1259
delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1260
delay-variation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1261
ethernet (Protocols OAM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1262
event (LFM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1268
event-thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1269
event-thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1270
fast-aps-switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1271
frame-error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1272
frame-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1273
frame-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1274
frame-period-summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1275
frame-period-summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1276
hold-interval (OAM CFM, for EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . 1277
hold-interval (OAM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1278
interface (OAM CFM, for EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . 1279
interface (OAM Link-Fault Management) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1280
interval (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1282
iteration-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1283
level (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1284
link-adjacency-loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1284
link-discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1285
link-down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1285
link-event-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1286
link-fault-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1287
negotiation-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1288
no-allow-link-events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1288
oam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1289
path-database-size (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1291
pdu-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1292
pdu-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1293
performance-monitoring (OAM LFM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1294
protocol-down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1295
protocol-down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1295
remote-loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1296
remote-mep (EX Series Switch Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1297
send-critical-event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1297
sla-iterator-profiles (OAM LFM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1298
symbol-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1299
syslog (OAM Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1300
traceoptions (OAM LFM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1301
version-ipfix (Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1303
Chapter 60
Configuration Statements: sFlow Technology . . . . . . . . . . . . . . . . . . . . . . 1305
agent-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1306
collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1307
disable (sFlow Monitoring Technology) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1308
interfaces (sFlow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1309
polling-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1310
sample-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1311
sflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1312
source-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1313
traceoptions (sFlow Technology) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1314
udp-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1316
Chapter 61
Configuration Statements: Accounting Options, Source Class Usage and
Destination Class Usage Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1317
accounting-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1319
allow-clear (Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1321
archive-sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1322
backup-on-failure (Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1323
class-usage-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1324
cleanup-interval (Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1325
compress (Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1326
counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1326
destination-classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1327
egress-stats (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1328
fields (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1330
fields (for Interface Profiles) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1332
fields (for Routing Engine Profiles) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1333
file (Associating with a Profile) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1334
file (Configuring a Log File) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1335
file (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1336
files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1337
filter-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1338
flat-file-profile (Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1339
format (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1341
general-param (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . 1342
ingress-stats (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . 1344
interface-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1345
interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1346
interval (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1347
l2-stats (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1348
mib-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1349
mpls (Security Forwarding Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1350
nonpersistent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1351
object-names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1352
operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1353
overall-packet (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . . 1354
push-backup-to-master (Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . 1355
routing-engine-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1356
schema-version (Flat-File Accounting Options) . . . . . . . . . . . . . . . . . . . . . . . . . 1357
size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1358
source-classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1359
start-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1360
traceoptions (System Accounting) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1361
transfer-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1363
Chapter 62
Configuration Statements: Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . 1365
cluster (Chassis) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1366
global-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1368
global-weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1369
ip-monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1370
ip-monitoring (Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1372
next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1373
Chapter 63
Configuration Statements: Datapath Debug . . . . . . . . . . . . . . . . . . . . . . . . 1375
action-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1376
capture-file (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1378
datapath-debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1379
flow (Security Flow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1381
icmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1383
maximum-capture-size (Datapath Debug) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1383
traceoptions (Security Datapath Debug) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1384
Chapter 64
Configuration Statements: Health Monitoring . . . . . . . . . . . . . . . . . . . . . . . 1387
falling-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1388
health-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1389
idp (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1390
routing-engine (SNMP Resource Level) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1391
interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1392
rising-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1393
Chapter 65
Configuration Statements: Remote Monitoring (RMON) . . . . . . . . . . . . . 1395
alarm (SNMP RMON) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1396
community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1397
description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1398
event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1399
falling-event-index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1400
falling-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1401
falling-threshold-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1402
interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1403
request-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1404
rising-event-index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1405
rising-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1406
rmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1406
sample-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1407
startup-alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1408
syslog-subtag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1409
type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1410
variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1411
Chapter 66
Configuration Statements: Resource Monitoring for Memory Regions . . 1413
free-fw-memory-watermark (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . 1414
free-heap-memory-watermark (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . 1415
free-nh-memory-watermark (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . 1416
high-cos-queue-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1417
high-threshold (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1418
no-load-throttle (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1418
no-logging (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1419
no-throttle (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1420
resource-category jtree (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1421
resource-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1422
subscribers-limit (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1424
traceoptions (Resource Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1425
Chapter 67
Configuration Statements: Security Alarms . . . . . . . . . . . . . . . . . . . . . . . . . 1427
decryption-failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1427
idp (Security Alarms) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1428
Chapter 68
Configuration Statements: Network Analytics . . . . . . . . . . . . . . . . . . . . . . 1429
address (Analytics Collector) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1430
analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1431
collector (Analytics) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1435
depth-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1436
export-profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1438
file (Analytics) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1440
interface (Export Profiles) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1442
interfaces (Analytics Resource) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1443
interfaces (Analytics) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1444
latency-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1446
local (Analytics Collector) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1447
queue-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1448
resource (Analytics) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1450
resource-profiles (Analytics) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1451
streaming-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1453
system (Analytics Resource) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1455
system (Export Profiles) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1456
traceoptions (Analytics) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1457
traffic-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1458
Chapter 69
Configuration Statements: SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1461
access (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1464
access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1465
address (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1466
address-mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1467
agent-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1468
alarm-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1469
alarm (SNMP RMON) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1470
alarm-list-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1471
alarm-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1472
alarm-state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1473
authentication-md5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1474
authentication-none . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1475
authentication-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1476
authentication-sha . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1477
authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1478
authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1479
bucket-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1480
categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1481
categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1482
client-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1483
client-list-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1484
clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1485
commit-delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1486
community (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1487
community (RMON) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1488
community-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1489
contact (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1490
description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1491
description (RMON) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1492
destination-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1493
engine-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1494
enterprise-oid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1495
event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1496
falling-event-index (RMON) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1497
falling-threshold (Health Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1498
falling-threshold (RMON) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1499
falling-threshold-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1500
filter-duplicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1501
filter-interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1502
group (Defining Access Privileges for an SNMPv3 Group) . . . . . . . . . . . . . . . . . 1503
group (Configuring Group Name) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1504
health-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1505
history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1506
interface (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1507
interface (SNMP RMON History) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1508
interval (Health Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1509
interval (SNMP RMON) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1510
local-engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1511
location (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1512
logical-system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1513
logical-system-trap-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1514
message-processing-model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1514
name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1515
nonvolatile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1516
notify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1517
notify-filter (Applying to the Management Target) . . . . . . . . . . . . . . . . . . . . . . . 1518
notify-filter (Configuring the Profile Name) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1519
notify-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1520
oid (SNMPv3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1521
oid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1522
owner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1523
parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1524
port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1525
privacy-3des . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1526
privacy-aes128 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1527
privacy-des . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1528
privacy-none . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1529
privacy-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1530
proxy (snmp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1531
read-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1532
remote-engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1533
request-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1534
retry-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1535
rising-event-index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1536
rising-threshold (Health Monitor) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1537
rising-threshold (RMON) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1538
rmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1539
routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1540
routing-instance-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1541
sample-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1542
security-level (Defining Access Privileges) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1543
security-level (Generating SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . . . . . 1544
security-model (Access Privileges) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1545
security-model (Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1546
security-model (SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1547
security-name (Community String) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1548
security-name (Security Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1549
security-name (SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1550
security-to-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1551
snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1552
snmp-community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1556
snmp-value-match-msmic (Services NAT Options) . . . . . . . . . . . . . . . . . . . . . 1557
source-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1558
startup-alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1559
syslog-subtag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1560
tag (Configuring Notification Targets) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1561
tag-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1562
target-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1563
target-parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1564
targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1565
timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1566
traceoptions (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1567
traceoptions (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1569
trap-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1571
trap-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1573
type (RMON Notification) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1574
type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1575
user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1576
usm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1577
v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1579
vacm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1582
variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1583
version (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1584
view (Associating a MIB View with a Community) . . . . . . . . . . . . . . . . . . . . . . . 1585
view (Configuring a MIB View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1586
write-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1587
Chapter 70
Configuration Statements: SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1589
address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1591
address-mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1591
authentication-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1592
authentication-md5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1593
authentication-none . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1594
authentication-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1595
authentication-sha . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1596
community-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1597
context (SNMPv3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1598
engine-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1599
group (Configuring Group Name) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1600
group (Defining Access Privileges for an SNMPv3 Group) . . . . . . . . . . . . . . . . . 1601
retry-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1602
timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1603
local-engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1604
message-processing-model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1605
notify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1606
notify-filter (Applying to the Management Target) . . . . . . . . . . . . . . . . . . . . . . . 1607
notify-filter (Configuring the Profile Name) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1608
notify-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1609
oid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1610
parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1611
port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1612
privacy-3des . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1613
privacy-aes128 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1614
privacy-des . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1615
privacy-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1616
privacy-none . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1617
privacy-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1618
read-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1619
remote-engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1620
routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1621
security-level (Defining Access Privileges) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1622
security-level (Generating SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . . . . . 1623
security-model (Access Privileges) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1624
security-model (Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1625
security-model (SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1626
security-name (Community String) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1627
security-name (Security Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1628
security-name (SNMP Notifications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1629
security-to-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1630
snmp-community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1631
tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1632
tag-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1633
target-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1634
target-parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1635
type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1636
user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1637
usm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1638
v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1640
vacm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1643
write-view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1644
Chapter 71
Configuration Statements: Uplink Failure Detection . . . . . . . . . . . . . . . . . 1645
action (Uplink Failure Detection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1645
group (Uplink Failure Detection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1646
link-to-disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1647
link-to-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1647
traceoptions (Uplink Failure Detection) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1648
uplink-failure-detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1649
Chapter 72
Configuration Statements: Port Mirroring and Analyzers . . . . . . . . . . . . . . . 1651
analyzer (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1653
analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1655
bridge-domain (Analyzer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1657
disable (Forwarding Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1658
disable-all-instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1659
ethernet-switching (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1659
egress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1660
egress (Analyzer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1661
ethernet-switching-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1662
family (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1668
family (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1670
forwarding-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1672
inet (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1678
ingress (Analyzer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1679
ingress (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1680
ingress (vlans) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1681
input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1682
input (Analyzer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1683
input (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1684
instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1685
instance (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1686
interface (Analyzer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1688
interface (Next-Hop Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1689
interface (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1690
interface (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1691
ip-address (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1692
maximum-packet-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1693
mirror-once . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1695
next-hop-group (Analyzer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1695
next-hop-group (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1696
no-tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1697
no-tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1698
no-tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1698
no-filter-check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1699
no-filter-check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1699
output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1700
output (Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1701
output (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1702
output (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1703
port-mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1704
rate (Forwarding Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1708
routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1709
routing-instance (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1709
run-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1710
vlan (Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1711
vlan (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1712
vlan (Port Mirroring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1713
Chapter 73
Configuration Statements: TWAMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1715
twamp-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1716
twamp-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1718
Chapter 74
Configuration Statements: System Logging . . . . . . . . . . . . . . . . . . . . . . . . . 1721
allow-duplicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1723
archive (All System Log Files) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1724
archive (Individual System Log File) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1726
cache (Security Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1728
category (Security Logging) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1729
console (System Logging) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1730
destination-override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1731
event-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1732
exclude (Security Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1733
exclude-hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1734
explicit-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1735
facility-override (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1736
file (Security Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1737
file (System Logging) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1738
files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1739
host (Security Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1740
host (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1741
limit (Security Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1743
log (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1744
log (Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1748
log-prefix (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1749
log-rotate-frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1750
match . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1751
match-string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1752
mode (Security Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1753
no-remote-trace (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1754
pic-services-logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1755
port (Syslog) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1756
rate-cap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1757
report (Security Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1758
security-log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1759
security-log-percent-full . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1760
severity (Security Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1761
size (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1762
stream (Security Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1763
structured-data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1765
syslog (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1766
system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1768
time-format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1769
traceoptions (Security Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1771
tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1773
transport (Security Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1774
ukern-trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1775
user (System Logging) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1776
world-readable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1777
Chapter 75
Configuration Statement: App-Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1779
routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1780
Part 14
Operational Commands
Chapter 76
Operational Commands: General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1783
monitor traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1784
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1796
show pfe statistics bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1802
traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1807
Chapter 77
Operational Commands: Realtime Performance Monitoring . . . . . . . . . . 1813
show services rpm active-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1814
show services rpm history-results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1815
show services rpm probe-results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1819
Chapter 78
Operational Commands: Analyzers and Port Mirroring . . . . . . . . . . . . . . . 1829
show analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1830
Chapter 79
Operational Commands: sFlow Monitoring Technology . . . . . . . . . . . . . . 1833
show sflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1834
show sflow interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1836
show sflow collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1838
clear sflow collectors statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1839
Chapter 80
Operational Commands: Ethernet OAM Connectivity Fault
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1841
clear oam ethernet connectivity-fault-management delay-statistics . . . . . . . . 1842
clear oam ethernet connectivity-fault-management sla-iterator-statistics . . . 1844
clear oam ethernet connectivity-fault-management statistics . . . . . . . . . . . . . 1845
monitor ethernet delay-measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1846
show oam ethernet connectivity-fault-management delay-statistics . . . . . . . . 1851
show oam ethernet connectivity-fault-management forwarding-state . . . . . . 1855
show oam ethernet connectivity-fault-management interfaces . . . . . . . . . . . . 1859
show oam ethernet connectivity-fault-management path-database . . . . . . . 1866
show oam ethernet connectivity-fault-management mep-database . . . . . . . 1869
show oam ethernet connectivity-fault-management mip . . . . . . . . . . . . . . . . . 1875
show oam ethernet connectivity-fault-management sla-iterator-statistics . . . 1877
Chapter 81
Operational Commands: Ethernet OAM Link Fault Management . . . . . . 1883
show oam ethernet link-fault-management . . . . . . . . . . . . . . . . . . . . . . . . . . . 1884
Chapter 82
Operational Commands: Uplink Failure Detection . . . . . . . . . . . . . . . . . . . 1889
show uplink-failure-detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1890
Chapter 83
Operational Commands: RPM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1893
show services rpm active-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1894
show services rpm history-results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1895
show services rpm probe-results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1899
Chapter 84
Operational Commands: SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1909
clear snmp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1910
request snmp spoof-trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1912
show snmp health-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1918
show snmp inform-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1925
show snmp mib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1927
show snmp rmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1930
show snmp rmon history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1935
show snmp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1939
show snmp v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1947
Chapter 85
Operational Commands: Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1951
show analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1952
Chapter 86
System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1955
clear log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1956
clear security log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1957
clear security log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1959
clear security log stream file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1960
monitor list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1961
monitor start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1963
monitor stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1965
show log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1966
show security log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1970
show security log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1973
show security log severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1975
show security log query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1976
Chapter 87
Monitoring Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1979
clear chassis cluster ip-monitoring failure-count . . . . . . . . . . . . . . . . . . . . . . . . . 1981
clear chassis cluster ip-monitoring failure-count ip-address . . . . . . . . . . . . . . . 1982
clear ilmi statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1983
clear interfaces statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1984
clear services rpm twamp server connection . . . . . . . . . . . . . . . . . . . . . . . . . . . 1985
clear snmp history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1986
clear snmp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1987
request pppoe connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1989
request pppoe disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1990
request services ip-monitoring preempt-restore policy . . . . . . . . . . . . . . . . . . . 1991
request services rpm twamp start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1992
request services rpm twamp stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1993
request snmp spoof-trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1994
request support information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2000
show chassis alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2009
show chassis cluster ip-monitoring status redundancy-group . . . . . . . . . . . . . . 2011
show interfaces snmp-index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2014
show interfaces summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2015
show ilmi statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2017
show security alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2020
show security datapath-debug capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2024
show security datapath-debug counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2025
show security monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2026
show security monitoring fpc fpc-number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2028
show security monitoring performance session . . . . . . . . . . . . . . . . . . . . . . . . . 2031
show security monitoring performance spu . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2032
show services ip-monitoring status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2034
show services rpm twamp client connection . . . . . . . . . . . . . . . . . . . . . . . . . . . 2038
show services rpm twamp client history-results . . . . . . . . . . . . . . . . . . . . . . . . 2040
show services rpm twamp client probe-results . . . . . . . . . . . . . . . . . . . . . . . . . 2042
show services rpm twamp client session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2047
show services rpm twamp server connection . . . . . . . . . . . . . . . . . . . . . . . . . . 2049
show services rpm twamp server session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2051
show snmp health-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2053
show snmp inform-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2060
show snmp mib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2062
show snmp rmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2065
show snmp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2070
show snmp stats-response-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2078
show snmp v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2080
show system alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2083
show system alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2084
show system resource-monitor fpc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2087
List of Figures
Part 2
Operation, Administration, and Management Features
Chapter 4
Ethernet OAM Connectivity Fault Management . . . . . . . . . . . . . . . . . . . . . . . 53
Figure 1: Relationship Among MEPs, MIPs, and Maintenance Domain Levels . . . . 54
Part 3
Uplink Failure Detection
Chapter 5
Uplink Failure Detection Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Figure 2: Uplink Failure Detection Configuration on Switches . . . . . . . . . . . . . . . . 68
Part 4
Network Monitoring Using SNMP
Chapter 7
SNMP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Figure 3: SNMP Communication Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Chapter 10
Configuring SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Figure 4: Inform Request and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Chapter 11
Configuring SNMP for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Figure 5: SNMP Data for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Part 5
Remote Monitoring (RMON) with SNMP Alarms and Events
Chapter 14
RMON Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Figure 6: Setting Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Chapter 15
Using RMON to Monitor Network Service Quality . . . . . . . . . . . . . . . . . . . . 379
Figure 7: Setting Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Figure 8: Network Entry Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Figure 9: Regional Points of Presence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Figure 10: Measurements to Each Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Figure 11: Network Behavior During Congestion . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Part 7
Monitoring Options
Chapter 20
Configuring Real-Time Performance Monitoring . . . . . . . . . . . . . . . . . . . . . 463
Figure 12: RPM Timestamps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Figure 13: Four Elements of TWAMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Figure 14: The Elements of TWAMP Implemented as Client and Server . . . . . . . 478
Figure 15: Sample RPM Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Chapter 21
Configuring IP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Figure 16: IP Monitoring on an SRX Series Device Topology Example . . . . . . . . . 504
Chapter 22
Configuring sFlow Monitoring Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Figure 17: sFlow Technology Monitoring System . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Figure 18: sFlow Technology Monitoring System . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Figure 19: sFlow Technology Monitoring System . . . . . . . . . . . . . . . . . . . . . . . . . 546
Chapter 23
Packet Flow Accelerator Diagnostics Software . . . . . . . . . . . . . . . . . . . . . . . 551
Figure 20: Ports on the QFX5100-24Q-AA switch and QFX-PFA-4Q module . . 552
Part 10
Port Mirroring and Analyzers
Chapter 35
Configuring Port Mirroring Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Figure 21: Network Topology for Local Port Mirroring Example . . . . . . . . . . . . . . . 831
Figure 22: Network Topology for Remote Port Mirroring and Analysis . . . . . . . . . 835
Figure 23: Remote Mirroring Example Network Topology Using Multiple VLAN
Member Interfaces in the Next-Hop Group . . . . . . . . . . . . . . . . . . . . . . . . . . 845
Figure 24: Network Monitoring for Remote Mirroring Through a Transit
Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
Figure 25: Network Topology for Local Mirroring Example . . . . . . . . . . . . . . . . . . 861
Figure 26: Remote Mirroring Network Topology Example . . . . . . . . . . . . . . . . . . 868
Figure 27: Remote Mirroring Through a Transit Switch Network–Sample
Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878
Chapter 37
Configuring Port Mirroring for Physical Interfaces . . . . . . . . . . . . . . . . . . . . 897
Figure 28: Example Layer 2 Port Mirroring over GRE Interface . . . . . . . . . . . . . . . 905
Chapter 38
Configuring Port Mirroring for Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . 911
Figure 29: Network Topology for Local Port Mirroring Example . . . . . . . . . . . . . . 924
Chapter 39
Configuring Port Mirroring for Multiple Destinations . . . . . . . . . . . . . . . . . . 963
Figure 30: Active Flow Monitoring—Multiple Port Mirroring with Next-Hop Groups
Topology Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 968
Chapter 40
Configuring Port Mirroring for Remote Destinations . . . . . . . . . . . . . . . . . . 977
Figure 31: Remote Mirroring Network Topology Example . . . . . . . . . . . . . . . . . . . 981
Chapter 41
Configuring Port Mirroring Local and Remote Analysis . . . . . . . . . . . . . . . . 987
Figure 32: Network Topology for Local Port Mirroring Example . . . . . . . . . . . . . . 991
Figure 33: Network Topology for Local Port Mirroring Example . . . . . . . . . . . . . . 997
Part 12
Network Management and Troubleshooting
Chapter 57
Troubleshooting Security Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1191
Figure 34: PPP and MLPPP Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1199
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . liii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lvi
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . lvi
Part 1
Overview
Chapter 1
Network Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Device Management Features in Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . 4
Table 4: Device and Network Management Features on the QFX Series, OCX
Series, and EX4600 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Chapter 2
Network Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Table 5: J-Web Interface Troubleshoot Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Table 6: CLI Diagnostic Command Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Part 4
Network Monitoring Using SNMP
Chapter 7
SNMP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Table 7: Monitored Object Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Chapter 8
SNMP MIBs and Traps Supported by Junos OS . . . . . . . . . . . . . . . . . . . . . . . 117
Table 8: Enterprise-specific MIBs supported by Junos OS . . . . . . . . . . . . . . . . . . . 117
Table 9: Standard MIBs supported by Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Table 10: Standard Supported SNMP Version 1 Traps . . . . . . . . . . . . . . . . . . . . . . 149
Table 11: Standard Supported SNMP Version 2 Traps . . . . . . . . . . . . . . . . . . . . . . 152
Table 12: Juniper Networks Enterprise-Specific Supported SNMP Version 1
Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Table 13: Juniper Networks Enterprise-Specific Supported SNMP Version 2
Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Chapter 9
Configuring Basic SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Table 14: Standard SNMP Version 1 Traps Supported on QFX Series Standalone
Switches and QFX Series Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Table 15: Enterprise-Specific SNMPv1 Traps Supported on QFX Series Standalone
Switches and QFX Series Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Table 16: Standard SNMPv2 Traps Supported on QFX Series Standalone
Switches and QFX Series Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Table 17: Enterprise-Specific SNMPv2 Traps Supported on QFX Series Standalone
Switches and QFX Series Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Table 18: Standard SNMPv2 Traps Supported on QFabric Systems . . . . . . . . . . 218
Table 19: Enterprise-Specific SNMPv2 Traps Supported on QFabric Systems . . 219
Table 20: Standard MIBs Supported on QFX Series Standalone Switches and
QFX Series Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Table 21: Juniper Networks Enterprise-Specific MIBs Supported on QFX Series
Standalone Switches and QFX Series Virtual Chassis . . . . . . . . . . . . . . . . . 232
Table 22: Standard MIBs Supported on QFabric Systems . . . . . . . . . . . . . . . . . . 234
Table 23: Juniper Networks Enterprise-Specific MIBs Supported on QFabric
Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Table 24: Fabric Chassis MIB Tables and Objects . . . . . . . . . . . . . . . . . . . . . . . . . 243
Table 25: Fabric Chassis MIB SNMPv2 Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Table 26: Monitored Object Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Chapter 10
Configuring SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Table 27: Values to Use in Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Chapter 11
Configuring SNMP for Routing Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Table 28: MIB Support for Routing Instances (Juniper Networks MIBs) . . . . . . . 304
Table 29: Class 1 MIB Objects (Standard and Juniper MIBs) . . . . . . . . . . . . . . . . 308
Table 30: Class 2 MIB Objects (Standard and Juniper MIBs) . . . . . . . . . . . . . . . . 312
Table 31: Class 3 MIB Objects (Standard and Juniper MIBs) . . . . . . . . . . . . . . . . . 313
Table 32: Class 4 MIB Objects (Standard and Juniper MIBs) . . . . . . . . . . . . . . . . 314
Chapter 12
Configuring SNMP Remote Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Table 33: Results in pingProbeHistoryTable: After the First Ping Test . . . . . . . . . 329
Table 34: Results in pingProbeHistoryTable: After the First Probe of the Second
Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Table 35: Results in pingProbeHistoryTable: After the Second Ping Test . . . . . . 330
Table 36: traceRouteProbeHistoryTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Chapter 13
Tracing SNMP Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Table 37: SNMP Tracing Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Part 5
Remote Monitoring (RMON) with SNMP Alarms and Events
Chapter 14
RMON Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Table 38: RMON Event Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Table 39: RMON Alarm Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Table 40: jnxRmon Alarm Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Table 41: RMON History Control Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Chapter 15
Using RMON to Monitor Network Service Quality . . . . . . . . . . . . . . . . . . . . 379
Table 42: RMON Event Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Table 43: RMON Alarm Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Table 44: jnxRmon Alarm Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Table 45: Real-Time Performance Monitoring Configuration Options . . . . . . . . 388
Table 46: Health Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Table 47: Counter Values for vlan-ccc Encapsulation . . . . . . . . . . . . . . . . . . . . . 396
Table 48: Performance Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Table 49: Inbound Traffic Per Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Table 50: Inbound Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Table 51: Outbound Counters for ATM Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 401
Table 52: Outbound Counters for Non-ATM Interfaces . . . . . . . . . . . . . . . . . . . . 402
Table 53: Dropped Traffic Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Chapter 16
Health Monitoring with SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Table 54: Monitored Object Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Part 6
Accounting Options, Source Class Usage, and Destination Class
Usage Options
Chapter 17
Accounting Options, Source Class Usage and Destination Class Usage
Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Table 55: Types of Accounting Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Part 7
Monitoring Options
Chapter 19
Configuring Interface Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Table 56: Interface Alarm Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Table 57: System Alarm Conditions and Corrective Actions . . . . . . . . . . . . . . . . 456
Table 58: Alarms Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Chapter 20
Configuring Real-Time Performance Monitoring . . . . . . . . . . . . . . . . . . . . . 463
Table 59: RPM Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Table 60: RPM Configuration Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Table 61: Summary of Key RPM Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Chapter 21
Configuring IP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Table 62: Test Parameters and Default Values . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Table 63: Threshold Supported and Description . . . . . . . . . . . . . . . . . . . . . . . . . 503
Chapter 23
Packet Flow Accelerator Diagnostics Software . . . . . . . . . . . . . . . . . . . . . . . 551
Table 64: External and Internal Ports on the QFX5100-24Q-AA Switch and the
QFX-PFA-4Q Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Table 65: Base Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Table 66: Ethernet Tests and Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Table 67: 10-Gigabit Ethernet Channel Mappings on the QFX-PFA-4Q module
F-ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Table 68: 10-Gigabit Ethernet Channel Mappings on the QFX-PFA-4Q module
C-ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Table 69: Exact Connectivity Between C-Ports and A-Ports . . . . . . . . . . . . . . . . 559
Table 70: Stress Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Table 71: PTP Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Table 72: PTP Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Table 73: QFX-PFA-4Q Module LED Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Table 74: Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Table 75: Command-Line Arguments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Table 76: File Format Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
Table 77: Dual In-Line Memory Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
Table 78: Validating Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Part 8
Monitoring Common Security Features
Chapter 24
Displaying Real-Time Information from Device to Host . . . . . . . . . . . . . . . 593
Table 79: CLI traceroute monitor Command Options . . . . . . . . . . . . . . . . . . . . . 593
Table 80: CLI traceroute monitor Command Output Summary . . . . . . . . . . . . . 594
Table 81: CLI mtrace from-source Command Options . . . . . . . . . . . . . . . . . . . . . 595
Table 82: CLI mtrace from-source Command Output Summary . . . . . . . . . . . . 597
Chapter 25
Monitoring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Table 83: Filtering Route Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Table 84: Summary of Key Routing Information Output Fields . . . . . . . . . . . . . . 601
Table 85: Summary of Key RIP Routing Output Fields . . . . . . . . . . . . . . . . . . . . . 603
Table 86: Summary of Key OSPF Routing Output Fields . . . . . . . . . . . . . . . . . . 604
Table 87: Summary of Key BGP Routing Output Fields . . . . . . . . . . . . . . . . . . . . 606
Table 88: View Policy Log Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Table 89: Policy Events Detail Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
Table 90: Security Policies Monitoring Output Fields . . . . . . . . . . . . . . . . . . . . . . 610
Table 91: Check Policies Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Table 92: Summary of Key Screen Counters Output Fields . . . . . . . . . . . . . . . . . 615
Table 93: Summary of IDP Status Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 618
Table 94: Summary of Key Flow Gate Output Fields . . . . . . . . . . . . . . . . . . . . . . 619
Table 95: Summary of Key Firewall Authentication Table Output Fields . . . . . . 620
Table 96: Summary of Key Firewall Authentication History Output Fields . . . . . 622
Table 97: Summary of Dot1X Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Chapter 26
Monitoring Application Layer Gateways Features . . . . . . . . . . . . . . . . . . . . 625
Table 98: Summary of Key H.323 Counters Output Fields . . . . . . . . . . . . . . . . . . 625
Table 99: Summary of Key MGCP Calls Output Fields . . . . . . . . . . . . . . . . . . . . . 627
Table 100: Summary of Key MGCP Counters Output Fields . . . . . . . . . . . . . . . . 628
Table 101: Summary of Key MGCP Endpoints Output Fields . . . . . . . . . . . . . . . . 629
Table 102: Summary of Key SCCP Calls Output Fields . . . . . . . . . . . . . . . . . . . . 630
Table 103: Summary of Key SCCP Counters Output Fields . . . . . . . . . . . . . . . . . 630
Table 104: Summary of Key SIP Calls Output Fields . . . . . . . . . . . . . . . . . . . . . . 632
Table 105: Summary of Key SIP Counters Output Fields . . . . . . . . . . . . . . . . . . . 633
Table 106: Summary of Key SIP Rate Output Fields . . . . . . . . . . . . . . . . . . . . . . 635
Table 107: Summary of Key SIP Transactions Output Fields . . . . . . . . . . . . . . . . 635
Table 108: ALG H.323 Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Table 109: Voice ALG MGCP Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Table 110: Voice ALG SCCP Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Table 111: Voice ALG SIP Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Table 112: Voice ALG Summary Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . 649
Chapter 27
Monitoring Interfaces and Switching Functions . . . . . . . . . . . . . . . . . . . . . . 651
Table 113: CLI monitor interface Output Control Keys . . . . . . . . . . . . . . . . . . . . . . 652
Table 114: CLI monitor interface traffic Output Control Keys . . . . . . . . . . . . . . . . 652
Table 115: Address Pools Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Table 116: Summary of Ethernet Switching Output Fields . . . . . . . . . . . . . . . . . . 655
Table 117: GVRP Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Table 118: Summary of Key MPLS Interface Information Output Fields . . . . . . . 658
Table 119: Summary of Key MPLS LSP Information Output Fields . . . . . . . . . . . 659
Table 120: Summary of Key MPLS LSP Statistics Output Fields . . . . . . . . . . . . . 660
Table 121: Summary of Key RSVP Session Information Output Fields . . . . . . . . . 661
Table 122: Summary of Key RSVP Interfaces Information Output Fields . . . . . . 662
Table 123: Summary of Key PPPoE Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 664
Table 124: Spanning Tree Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Chapter 28
Monitoring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Table 125: Source NAT Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Table 126: Summary of Key Destination NAT Output Fields . . . . . . . . . . . . . . . . . 677
Table 127: Summary of Key Static NAT Output Fields . . . . . . . . . . . . . . . . . . . . . 679
Table 128: Summary of Key Incoming Table Output Fields . . . . . . . . . . . . . . . . . . 681
Table 129: Summary of Key Interface NAT Output Fields . . . . . . . . . . . . . . . . . . . 681
Chapter 29
Monitoring Events, Services and System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Table 130: Summary of Key DHCP Client Binding Output Fields . . . . . . . . . . . . . 683
Table 131: Events Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
Chapter 30
Monitoring Unified Threat Management Features . . . . . . . . . . . . . . . . . . . . 693
Table 132: Statistics Tab Output in the Threats Report . . . . . . . . . . . . . . . . . . . . 698
Table 133: Activities Tab Output in the Threats Report . . . . . . . . . . . . . . . . . . . . . 701
Table 134: Traffic Report Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Chapter 31
Monitoring VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Table 135: Summary of Key IKE SA Information Output Fields . . . . . . . . . . . . . . . 707
Table 136: IPsec VPN—Phase I Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Table 137: IPsec VPN—Phase II Monitoring Page . . . . . . . . . . . . . . . . . . . . . . . . . . 712
Table 138: Summary of Key IPsec VPN Information Output Fields . . . . . . . . . . . . 714
Part 9
Performance Management
Chapter 33
Configuring Network Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
Table 139: Network Analytics CLI Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
Table 140: GPB Stream Format Message Header Information . . . . . . . . . . . . . . . 737
Table 141: Streamed Queue Statistics Data Output Fields . . . . . . . . . . . . . . . . . . 741
Table 142: Streamed Traffic Statistics Data Output Fields . . . . . . . . . . . . . . . . . . 741
Table 143: Output Fields for Queue Statistics in Local Analytics File . . . . . . . . . . 743
Table 144: Output Fields for Traffic Statistics in Local Analytics File . . . . . . . . . . 743
Table 145: Streamed Queue Statistics Data Output Fields . . . . . . . . . . . . . . . . . 745
Table 146: Streamed Traffic Statistics Data Output Fields . . . . . . . . . . . . . . . . . 746
Table 147: Configuration and Status Output in Junos OS Release 13.2X51-D10
and 13.2X50-D15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Part 10
Port Mirroring and Analyzers
Chapter 34
Overview of Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
Table 148: Mirroring Terminologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Table 149: Configuration Guidelines for Port Mirroring and Analyzers on EX2300,
EX3400, and EX4300 Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
Table 150: Port Mirroring Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
Table 151: Configuration Guidelines for Port Mirroring . . . . . . . . . . . . . . . . . . . . . . 785
Table 152: Port Mirroring Terms and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Table 153: Port Mirroring Terms and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Table 154: Application of Layer 2 Port Mirroring Types . . . . . . . . . . . . . . . . . . . . . 799
Chapter 35
Configuring Port Mirroring Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Table 155: Analyzer Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
Table 156: Configuration Guidelines for Port Mirroring Analyzers . . . . . . . . . . . . . 811
Chapter 38
Configuring Port Mirroring for Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . 911
Table 157: Application of Layer 2 Port Mirroring Firewall Filters on PE Routers
and PE Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 927
Table 158: Application of Layer 2 Port Mirroring Firewall Filters on PE Devices . . 930
Part 11
System Log Messages
Chapter 44
Overview to System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
Table 159: Junos OS System Logging Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . 1019
Table 160: System Log Message Severity Levels . . . . . . . . . . . . . . . . . . . . . . . . 1020
Table 161: Default System Logging Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
Table 162: Fields in Standard-Format Messages . . . . . . . . . . . . . . . . . . . . . . . . 1024
Chapter 45
Configuring System Logging for a Single-Chassis System . . . . . . . . . . . . 1027
Table 163: Minimum Configuration Statements for System Logging . . . . . . . . . 1032
Table 164: Facility Codes Reported in Priority Information . . . . . . . . . . . . . . . . . 1039
Table 165: Numerical Codes for Severity Levels Reported in Priority
Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1040
Table 166: Regular Expression Operators for the match Statement . . . . . . . . . 1043
Table 167: Regular Expression Operators for the match Statement . . . . . . . . . . 1044
Chapter 46
Configuring System Logging for a TX Matrix or TX Matrix Plus Router . . 1049
Table 168: Example: Local and Forwarded Severity Level Are Both info . . . . . . 1056
Table 169: Example: Local Severity Is notice, Forwarded Severity Is critical . . . 1057
Table 170: Example: Local Severity Is critical, Forwarded Severity Is notice . . . . 1057
Table 171: Example: Local and Forwarded Severity Level Are Both info . . . . . . . 1058
Table 172: Example: Local Severity Is notice, Forwarded Severity Is critical . . . . 1059
Table 173: Example: Local Severity Is critical, Forwarded Severity Is notice . . . . 1059
Chapter 47
Directing System Log Messages to a Remote Destination . . . . . . . . . . . . 1067
Table 174: Junos OS System Logging Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . 1068
Table 175: System Log Message Severity Levels . . . . . . . . . . . . . . . . . . . . . . . . . 1069
Table 176: Default Facilities for Messages Directed to a Remote Destination . . 1076
Table 177: Facilities for the facility-override Statement . . . . . . . . . . . . . . . . . . . . 1077
Chapter 49
Displaying and Interpreting System Log Message Descriptions . . . . . . . 1087
Table 178: Fields in System Log Message Descriptions . . . . . . . . . . . . . . . . . . . 1088
Table 179: Format of message-source Field in Messages Logged on TX Matrix
Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1090
Table 180: Format of message-source Field in Messages Logged on TX Matrix
Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1091
Table 181: Fields in Standard-Format Messages Generated by a Junos OS process
or Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1092
Table 182: Fields in Messages Generated by a PIC . . . . . . . . . . . . . . . . . . . . . . . 1093
Table 183: Fields in Structured-Data Messages . . . . . . . . . . . . . . . . . . . . . . . . . 1095
Table 184: Facility and Severity Codes in the priority-code Field . . . . . . . . . . . . 1096
Table 185: Platform Identifiers in the platform Field . . . . . . . . . . . . . . . . . . . . . . 1097
Chapter 50
Configuring System Logging for a Security Device . . . . . . . . . . . . . . . . . . . . 1101
Table 186: Statistics Tab Output in the Threats Report . . . . . . . . . . . . . . . . . . . . 1109
Table 187: Activities Tab Output in the Threats Report . . . . . . . . . . . . . . . . . . . . . 1111
Table 188: Traffic Report Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1113
Part 12
Network Management and Troubleshooting
Chapter 52
Monitoring and Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1127
Table 189: Output Control Keys for the monitor interface Command . . . . . . . . . 1130
Chapter 53
Troubleshooting of System Performance with Resource Monitoring
Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1131
Table 190: jnxPfeMemoryUKernTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1138
Table 191: jnxPfeMemory Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1138
Table 192: jnxPfeMemoryForwardingTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1139
Table 193: jnxPfeMemoryErrorsTable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1139
Table 194: pfeMemoryErrors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1140
Chapter 54
Configuring Data Path Debugging and Trace Options . . . . . . . . . . . . . . . . . 1141
Table 195: CLI mtrace monitor Command Output Summary . . . . . . . . . . . . . . . 1148
Table 196: J-Web Traceroute Results and Output Summary . . . . . . . . . . . . . . . 1148
Table 197: CLI traceroute Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 1149
Chapter 55
Using MPLS to Diagnose LSPs, VPNs, and Layer 2 Circuits . . . . . . . . . . . . 1157
Table 198: Options for Checking MPLS Connections . . . . . . . . . . . . . . . . . . . . . . 1158
Table 199: CLI ping Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1160
Table 200: CLI ping mpls l2circuit Command Options . . . . . . . . . . . . . . . . . . . . 1163
Table 201: CLI ping mpls l2vpn Command Options . . . . . . . . . . . . . . . . . . . . . . . 1164
Table 202: CLI ping mpls l3vpn Command Options . . . . . . . . . . . . . . . . . . . . . . 1165
Table 203: CLI ping mpls ldp and ping mpls lsp-end-point Command
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1166
Chapter 56
Using Packet Capture to Analyze Network Traffic . . . . . . . . . . . . . . . . . . . . 1169
Table 204: CLI monitor traffic Command Options . . . . . . . . . . . . . . . . . . . . . . . 1186
Table 205: CLI monitor traffic Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . 1187
Table 206: CLI monitor traffic Logical Operators . . . . . . . . . . . . . . . . . . . . . . . . . 1189
Table 207: CLI monitor traffic Arithmetic, Binary, and Relational Operators . . . 1189
Chapter 57
Troubleshooting Security Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1191
Table 208: CoS Components Applied on Multilink Bundles and Constituent
Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1194
Table 209: PPP and MLPPP Encapsulation Overhead . . . . . . . . . . . . . . . . . . . . 1199
Table 210: Number of Packets Transmitted on a Queue . . . . . . . . . . . . . . . . . . . 1202
Table 211: ISSU-Related Errors and Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . 1206
Part 13
Configuration Statements
Chapter 72
Configuration Statements: Port Mirroring and Analyzers . . . . . . . . . . . . . . . 1651
Table 212: Unified Forwarding Table Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1676
Part 14
Operational Commands
Chapter 76
Operational Commands: General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1783
Table 213: Match Conditions for the monitor traffic Command . . . . . . . . . . . . . 1786
Table 214: Logical Operators for the monitor traffic Command . . . . . . . . . . . . . 1788
Table 215: Arithmetic and Relational Operators for the monitor traffic
Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1789
Table 216: show pfe statistics bridge Output Fields . . . . . . . . . . . . . . . . . . . . . . 1802
Table 217: traceroute Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1809
Chapter 77
Operational Commands: Realtime Performance Monitoring . . . . . . . . . . 1813
Table 218: show services rpm active-servers Output Fields . . . . . . . . . . . . . . . . 1814
Table 219: show services rpm history-results Output Fields . . . . . . . . . . . . . . . . 1816
Table 220: show services rpm probe-results Output Fields . . . . . . . . . . . . . . . . 1820
Chapter 78
Operational Commands: Analyzers and Port Mirroring . . . . . . . . . . . . . . . 1829
Table 221: show analyzer Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1830
Chapter 79
Operational Commands: sFlow Monitoring Technology . . . . . . . . . . . . . . 1833
Table 222: show sflow Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1834
Table 223: show sflow interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 1836
Table 224: show sflow collector Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 1838
Chapter 80
Operational Commands: Ethernet OAM Connectivity Fault
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1841
Table 225: monitor ethernet delay-measurement one-way Output Fields . . . . 1848
Table 226: monitor ethernet delay-measurement two-way Output Fields . . . . 1848
Table 227: show oam ethernet connectivity-fault-management delay-statistics
and mep-statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1852
Table 228: show oam ethernet connectivity-fault-management forwarding-state
Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1855
Table 229: show oam ethernet connectivity-fault-management interfaces
Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1859
Table 230: show oam ethernet connectivity-fault-management linktrace
path-database Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1866
Table 231: show oam ethernet connectivity-fault-management mep-database
Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1870
Table 232: show oam ethernet connectivity-fault-management mip Output
Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1875
Table 233: show oam ethernet connectivity-fault-management
sla-iterator-statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1878
Chapter 81
Operational Commands: Ethernet OAM Link Fault Management . . . . . . 1883
Table 234: show oam ethernet link-fault-management Output Fields . . . . . . . 1884
Chapter 82
Operational Commands: Uplink Failure Detection . . . . . . . . . . . . . . . . . . . 1889
Table 235: show uplink-failure-detection Output Fields . . . . . . . . . . . . . . . . . . 1890
Chapter 83
Operational Commands: RPM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1893
Table 236: show services rpm active-servers Output Fields . . . . . . . . . . . . . . . 1894
Table 237: show services rpm history-results Output Fields . . . . . . . . . . . . . . . 1896
Table 238: show services rpm probe-results Output Fields . . . . . . . . . . . . . . . . 1900
Chapter 84
Operational Commands: SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1909
Table 239: show snmp health-monitor Output Fields . . . . . . . . . . . . . . . . . . . . . 1918
Table 240: show snmp inform-statistics Output Fields . . . . . . . . . . . . . . . . . . . 1925
Table 241: show snmp mib Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1928
Table 242: show snmp rmon Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1931
Table 243: show snmp rmon history Output Fields . . . . . . . . . . . . . . . . . . . . . . . 1935
Table 244: show snmp statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 1940
Table 245: show snmp statistics subagents Output Fields . . . . . . . . . . . . . . . . 1943
Table 246: show snmp v3 Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1948
Chapter 85
Operational Commands: Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1951
Table 247: show analyzer Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1952
Chapter 86
System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1955
Table 248: monitor list Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1961
Table 249: monitor start Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1963
Table 250: show security log Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1971
Table 251: show security log file Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 1973
Table 252: show security log severity Output Fields . . . . . . . . . . . . . . . . . . . . . . 1975
Chapter 87
Monitoring Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1979
Table 253: Sample show Commands Called by the request support information
command on an MX Series Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2002
Table 254: Sample show Commands Called by the request support information
command on an EX Series 9200 Switch . . . . . . . . . . . . . . . . . . . . . . . . . . 2003
Table 255: Sample show Commands Called by the request support information
command on SRX Series devices
Table 256: show chassis alarms Output Fields
Table 257: show chassis cluster ip-monitoring status Output Fields
Table 258: show chassis cluster ip-monitoring status redundancy group Reason Fields
Table 259: show interfaces summary Output Fields
Table 260: show ilmi statistics Output Fields
Table 261: show security alarms
Table 262: show security monitoring fpc fpc-number Output Fields
Table 263: show services ip-monitoring status Output Fields
Table 264: show services rpm twamp client connection Output Fields
Table 265: show services rpm twamp client history-results Output Fields
Table 266: show services twamp client probe-results Output Fields
Table 267: show services rpm twamp client session Output Fields
Table 268: show services rpm twamp server connection Output Fields
Table 269: show services rpm twamp server session Output Fields
Table 270: show snmp health-monitor Output Fields
Table 271: show snmp inform-statistics Output Fields
Table 272: show snmp mib Output Fields
Table 273: show snmp rmon Output Fields
Table 274: show snmp statistics Output Fields
Table 275: show snmp statistics subagents Output Fields
Table 276: show snmp stats-response-statistics Output Fields
Table 277: show snmp v3 Output Fields
Table 278: show system alarms Output Fields
Table 279: show system resource-monitor fpc Output Fields
About the Documentation
• Documentation and Release Notes
• Supported Platforms
• Using the Examples in This Manual
• Documentation Conventions
• Documentation Feedback
• Requesting Technical Support
Documentation and Release Notes
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at https://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
• ACX Series
• M Series
• MX Series
• T Series
• PTX Series
• SRX Series
• vSRX
• QFX Series
• EX Series
Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load
merge relative command. These commands cause the software to merge the incoming
configuration into the current candidate configuration. The example does not become
active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple
hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a
   text file, save the file with a name, and copy the file to a directory on your routing
   platform.
   For example, copy the following configuration to a file and name the file ex-script.conf.
   Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
   system {
       scripts {
           commit {
               file ex-script.xsl;
           }
       }
   }
   interfaces {
       fxp0 {
           disable;
           unit 0 {
               family inet {
                   address 10.0.0.1/24;
               }
           }
       }
   }
2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text
   file, save the file with a name, and copy the file to a directory on your routing platform.
   For example, copy the following snippet to a file and name the file
   ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
   on your routing platform.
   commit {
       file ex-script-snippet.xsl;
   }
2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:
[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete
For more information about the load command, see CLI Explorer.
Documentation Conventions
Table 1 on page lvi defines notice icons used in this guide.
Table 1: Notice Icons

Meaning: Informational note
Description: Indicates important features or instructions.

Meaning: Caution
Description: Indicates a situation that might result in loss of data or hardware damage.

Meaning: Warning
Description: Alerts you to the risk of personal injury or death.

Meaning: Laser warning
Description: Alerts you to the risk of personal injury from a laser.

Meaning: Tip
Description: Indicates helpful information.

Meaning: Best practice
Description: Alerts you to a recommended use or implementation.

Table 2 on page lvi defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at https://www.juniper.net/documentation/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/documentation/feedback/.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: https://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: https://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
• Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: https://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at https://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
https://www.juniper.net/support/requesting-support.html.
PART 1
Overview
• Network Management Overview
• Network Monitoring Overview
CHAPTER 1
Network Management Overview
• Understanding Device Management Functions in Junos OS
• Understanding Device and Network Management Features
• Understanding Network Management Implementation on the QFabric System
• Understanding Tracing and Logging Operations
• Junos Space Support for Network Management
Understanding Device Management Functions in Junos OS
Supported Platforms
ACX Series, M Series, MX Series, T Series
After you have installed a device into your network, you need to manage the device within
your network. Device management can be divided into five tasks:
• Fault management—Monitor the device; detect and fix faults.
• Configuration management—Configure device attributes.
• Accounting management—Collect statistics for accounting purposes.
• Performance management—Monitor and adjust device performance.
• Security management—Control device access and authenticate users.
The Junos operating system (Junos OS) network management features work in
conjunction with an operations support system (OSS) to manage the devices within the
network. Junos OS can assist you in performing these management tasks, as described
in Table 3 on page 4.
Table 3: Device Management Features in Junos OS

Task: Fault management
Junos OS Feature: Monitor and see faults using:
• Operational mode commands—For more information about operational mode commands, see the CLI Explorer.
• SNMP MIBs—For more information about SNMP MIBs supported by Junos OS, see “Standard SNMP MIBs Supported by Junos OS” on page 128 and “Enterprise-Specific SNMP MIBs Supported by Junos OS” on page 117.
• Standard SNMP traps—For more information about standard SNMP traps, see “Standard SNMP Traps Supported by Junos OS” on page 148.
• Enterprise-specific SNMP traps—For more information about enterprise-specific traps, see “Enterprise-Specific SNMP Traps Supported by Junos OS” on page 156.
• System log messages—For more information about how to configure system log messages, see the Junos OS Administration Library. For more information about how to view system log messages, see the System Log Explorer.

Task: Configuration management
Junos OS Feature:
• Configure router attributes using the command-line interface (CLI), the Junos XML management protocol, and the NETCONF XML management protocol. For more information about configuring the router using the CLI, see the Junos OS Administration Library. For more information about configuring the router using the APIs, see the Junos XML Management Protocol Guide and NETCONF XML Management Protocol Guide.
• Configuration Management MIB—For more information about the Configuration Management MIB, see Configuration Management MIB.

Task: Accounting management
Junos OS Feature: Perform the following accounting-related tasks:
• Collect statistics for interfaces, firewall filters, destination classes, source classes, and the Routing Engine. For more information about collecting statistics, see “Accounting Options Configuration” on page 416.
• Use interface-specific traffic statistics and other counters, available in the Standard Interfaces MIB, Juniper Networks enterprise-specific extensions to the Interfaces MIB, and media-specific MIBs, such as the enterprise-specific ATM MIB.
• Use per-ATM virtual circuit (VC) counters, available in the enterprise-specific ATM MIB. For more information about the ATM MIB, see ATM MIB.
• Group source and destination prefixes into source classes and destination classes and count packets for those classes. Collect destination class and source class usage statistics. For more information about classes, see “Destination Class Usage MIB” and “Source Class Usage MIB”, “Configuring Class Usage Profiles” on page 441, the Junos OS Network Interfaces Library for Routing Devices, and the Junos OS Routing Protocols Library.
• Count packets as part of a firewall filter. For more information about firewall filter policies, see “Enterprise-Specific SNMP MIBs Supported by Junos OS” on page 117 and the Junos OS Routing Protocols Library.
• Sample traffic, collect the samples, and send the collection to a host running the CAIDA cflowd utility. For more information about CAIDA and cflowd, see the Junos OS Routing Protocols Library for Security Devices.

Task: Performance management
Junos OS Feature: Monitor performance in the following ways:
• Use operational mode commands. For more information about monitoring performance using operational mode commands, see the CLI Explorer.
• Use firewall filters. For more information about performance monitoring using firewall filters, see the Junos OS Routing Protocols Library.
• Sample traffic, collect the samples, and send the samples to a host running the CAIDA cflowd utility. For more information about CAIDA and cflowd, see the Junos OS Routing Protocols Library.
• Use the enterprise-specific Class-of-Service MIB. For more information about this MIB, see Class-of-Service MIB.

Task: Security management
Junos OS Feature: Assure security in your network in the following ways:
• Control access to the router and authenticate users. For more information about access control and user authentication, see the Junos OS Administration Library.
• Control access to the router using SNMPv3 and SNMP over IPv6. For more information, see “Configuring the Local Engine ID” on page 296 and “Tracing SNMP Activity on a Device Running Junos OS” on page 349.

Related Documentation
• Understanding the Integrated Local Management Interface on page 225
• Understanding the SNMP Implementation in Junos OS
• Understanding Measurement Points, Key Performance Indicators, and Baseline Values on page 383
• Accounting Options Overview on page 411
Understanding Device and Network Management Features
Supported Platforms
EX4600, OCX1100, QFabric System, QFX Series
After you install a QFX Series product, OCX Series device, or EX4600 switch in your
network, you need to manage the device. The products support features that you use to
manage the device within the network, including the management of configuration,
system performance, fault monitoring, and remote access.
Table 4 on page 6 lists the device and network management features on the QFX Series,
OCX Series, and EX4600.
Table 4: Device and Network Management Features on the QFX Series, OCX Series, and EX4600

Feature: AI-Scripts and Advanced Insight Manager (AIM)—Automatically detect and monitor faults on the switch, and depending on the configuration on the AIM application, send notifications of potential problems, and submit problem reports to Juniper Support Systems.
Typical Uses: Fault management
Documentation: Advanced Insight Scripts (AI-Scripts) Release Notes

Feature: Alarms and LEDs on the switch—Show status of hardware components and indicate warning or error conditions.
Typical Uses: Fault management
Documentation: Chassis Alarm Messages on a QFX3500 Device

Feature: Firewall filters—Control the packets that are sent to and from the network, balance network traffic, and optimize performance.
Typical Uses: Performance management
Documentation:
• Routing Policies, Firewall Filters, and Traffic Policers Feature Guide
• Overview of Firewall Filters

Feature: In-band management—Enables connection to the switch using the same interfaces through which customer traffic flows. Communication between the switch and a remote console is typically enabled using SSH and Telnet services. SSH provides secure encrypted communications, whereas Telnet provides unencrypted, and therefore less secure, access to the switch.
Typical Uses: Remote access management
Documentation:
• Configuring SSH Service for Remote Access to the Router or Switch
• Configuring Telnet Service for Remote Access to a Router or Switch

Feature: Juniper Networks Junos OS automation scripts—Configuration and operations automation tools provided by Junos OS. These tools include commit scripts, operation scripts, event scripts, and event policies. Commit scripts enforce custom configuration rules, whereas operation scripts, event policies, and event scripts automate network troubleshooting and management.
Typical Uses:
• Configuration management
• Performance management
• Fault management
Documentation: Automation Scripting Feature Guide

Feature: Junos OS command-line interface (CLI)—CLI configuration statements that enable you to configure the switch based on your networking requirements, such as security, service, and performance.
Typical Uses:
• Configuration management
• Performance management
• User access management
• Remote access management
Documentation: CLI User Guide

Feature: Junos Space software—Multipurpose GUI-based network management system that includes a base platform, the Network Application Platform, and other optional applications such as Ethernet Design, Service Now, Service Insight, and Virtual Control.
NOTE: Junos Space does not support the OCX Series.
Typical Uses:
• Configuration management
• Performance management
• Fault management
Documentation:
• Junos Space Support for Network Management on page 12
• Junos Space Network Application Platform User Guide

Feature: Junos XML API—XML representation of Junos OS configuration statements and operational mode commands. Junos XML configuration tag elements are the content to which the Junos XML protocol operations apply. Junos XML operational tag elements are equivalent in function to operational mode commands in the CLI, which you can use to retrieve status information for a device. The Junos XML API also includes tag elements that are the counterpart to Junos CLI configuration statements.
Typical Uses:
• Configuration management
• Performance management
• Fault management
Documentation:
• Junos XML API Configuration Developer Reference
• Junos XML API Operational Developer Reference

Feature: NETCONF XML management protocol—XML-based management protocol that client applications use to request and change configuration information on routing, switching, and security platforms running Junos OS. The NETCONF XML management protocol defines basic operations that are equivalent to Junos OS CLI configuration mode commands. Client applications use the protocol operations to display, edit, and commit configuration statements (among other operations), just as administrators use CLI configuration mode commands such as show, set, and commit to perform those operations.
Typical Uses:
• Configuration management
• Performance management
• Fault management
Documentation: NETCONF XML Management Protocol Developer Guide

Feature: Operational mode commands—May be used to do the following:
• Monitor switch performance. For example, the show chassis routing-engine command shows the CPU utilization of the Routing Engine. High CPU utilization of the Routing Engine can affect performance of the switch.
• View current activity and status of the device or network. For example, you can use the ping command to monitor and diagnose connectivity problems, and the traceroute command to locate points of failure on the network.
Typical Uses:
• Performance management
• Fault management
Documentation: CLI Explorer

Feature: Out-of-band management—Enables connection to the switch through a management interface. Out-of-band management is supported on two dedicated management Ethernet interfaces as well as on the console and auxiliary ports. The management Ethernet interfaces connect directly to the Routing Engine. No transit traffic is allowed through the interfaces, separating customer and management traffic and ensuring that congestion or failures in the transit network do not affect the management of the switch.
Typical Uses: Remote access management
Documentation:
• Connecting a Device to a Network for Out-of-Band Management
• Connecting a QFX Series Device to a Management Console
• Configuring Console and Auxiliary Port Properties

Feature: SNMP Configuration Management MIB—Provides notification for configuration changes in the form of SNMP traps. Each trap contains the time at which the configuration change was committed, the name of the user who made the change, and the method by which the change was made. A history of the last 32 configuration changes is kept in jnxCmChgEventTable.
Typical Uses: Configuration management
Documentation: SNMP MIB Explorer

Feature: SNMP MIBs and traps—Enable the monitoring of network devices from a central location. Use SNMP requests such as get and walk to monitor and view system activity. The QFX3500 switch supports SNMP Version 1 (v1), v2, and v3, and both standard and Juniper Networks enterprise-specific MIBs and traps.
Typical Uses: Fault management
Documentation:
• SNMP MIB Explorer
• Understanding the Implementation of SNMP on page 81

Feature: System log messages—Log details of system and user events, including errors. You can specify the severity and type of system log messages you wish to view or save, and configure the output to be sent to local or remote hosts.
Typical Uses:
• Fault management
• User access management
Documentation:
• System Log Explorer
• Overview of Junos OS System Log Messages on page 1018
• Overview of Single-Chassis System Logging Configuration on page 1029

Understanding Network Management Implementation on the QFabric System
Supported Platforms
EX4600, QFabric System
This topic describes network management features on the QFabric system that are
implemented differently than on other devices running Junos OS.
The following network management features are supported on the QFabric system:
• System log messages—The QFabric system monitors events that occur on its component devices, distributes system log messages about those events to all external system log message servers (hosts) that are configured, and archives the messages. Component devices include Node devices, Interconnect devices, Director devices, and the Virtual Chassis. You configure system log messages at the [edit system syslog] hierarchy level. Use the show log filename operational mode command to view messages.
• Simple Network Management Protocol (SNMP) Version 1 (v1) and v2c—SNMP monitors network devices from a central location. The SNMP implementation on the QFabric system supports the basic SNMP architecture of Junos OS with some limitations, including a reduced set of MIB objects, read-only access for SNMP communities, and limited support for SNMP requests. You configure SNMP at the [edit snmp] hierarchy level. Only the show snmp statistics operational mode command is supported, but you can issue SNMP requests using external SNMP client applications.
• Advanced Insight Solutions (AIS)—AIS provides tools and processes to automate the delivery of support services for the QFabric system. AIS components include Advanced Insight Scripts (AI-Scripts) and Advanced Insight Manager (AIM). You install AI-Scripts using the request system scripts add operational mode command. However, the jais-activate-scripts.slax file used during installation is preconfigured for the QFabric system and cannot be changed.
NOTE: Do not install Junos Space and AIS on the control plane network EX4200 switches or EX4200 Virtual Chassis in a QFX3000 QFabric system.
Related Documentation
• Advanced Insight Scripts (AI-Scripts) Release Notes
• Understanding Device and Network Management Features on page 6
• Overview of Junos OS System Log Messages on page 1018
• Understanding the Implementation of SNMP on the QFabric System
• SNMP MIBs Support on page 226
Understanding Tracing and Logging Operations
Supported Platforms
EX4600, QFabric System, QFX Series
Tracing and logging operations enable you to track events that occur in the switch—both
normal operations and error conditions—and to track the packets that are generated by
or passed through the switch. The results of tracing and logging operations are placed
in files in the /var/log directory on the switch.
The Junos OS supports remote tracing for the following processes:
• chassisd—Chassis-control process
• eventd—Event-processing process
• cosd—Class-of-service process
You configure remote tracing by using the tracing statement at the [edit system] hierarchy
level.
NOTE: The tracing statement is not supported on the QFX3000 QFabric
system.
If you enabled remote tracing but wish to disable it for specific processes on the switch,
use the no-remote-trace statement at the [edit process-name traceoptions] hierarchy
level. This feature does not alter local tracing functionality in any way, and logging files
are stored on the switch.
Logging operations use a system logging mechanism similar to the UNIX syslogd utility
to record systemwide, high-level operations, such as interfaces going up or down and
users logging in to or out of the switch. You configure these operations by using the syslog
statement at the [edit system] hierarchy level and by using the options statement at the
[edit ethernet-switching-options] hierarchy level.
Tracing operations record more detailed information about the operations of the switch,
including packet forwarding and routing information. To configure tracing operations,
use the traceoptions statement.
NOTE: The traceoptions statement is not supported on the QFX3000 QFabric
system.
You can define tracing operations in different portions of the switch configuration:
• SNMP agent activity tracing operations—Define tracing of the activities of SNMP agents on the switch. You configure SNMP agent activity tracing operations at the [edit snmp] hierarchy level.
• Global switching tracing operations—Define tracing for all switching operations. You configure global switching tracing operations at the [edit ethernet-switching-options] hierarchy level of the configuration.
• Protocol-specific tracing operations—Define tracing for a specific routing protocol. You configure protocol-specific tracing operations in the [edit protocols] hierarchy when configuring the individual routing protocol. Protocol-specific tracing operations override any equivalent operations that you specify in the global traceoptions statement. If there are no equivalent operations, they supplement the global tracing options. If you do not specify any protocol-specific tracing, the routing protocol inherits all the global tracing operations.
• Tracing operations within individual routing protocol entities—Some protocols allow you to define more granular tracing operations. For example, in Border Gateway Protocol (BGP), you can configure peer-specific tracing operations. These operations override any equivalent BGP-wide operations or, if there are no equivalents, supplement them. If you do not specify any peer-specific tracing operations, the peers inherit, first, all the BGP-wide tracing operations and, second, the global tracing operations.
• Interface tracing operations—Define tracing for individual interfaces and for the interface process itself. You define interface tracing operations at the [edit interfaces] hierarchy level of the configuration.
• Remote tracing—To enable system-wide remote tracing, configure the destination-override syslog host statement at the [edit system tracing] hierarchy level. This specifies the remote host running the system log process (syslogd), which collects the traces. Traces are written to files on the remote host in accordance with the syslogd configuration in /etc/syslog.conf. By default, remote tracing is not configured.
To override the system-wide remote tracing configuration for a particular process,
include the no-remote-trace statement at the [edit process-name traceoptions] hierarchy.
When no-remote-trace is enabled, the process does local tracing.
To collect traces, use the local0 facility as the selector in the /etc/syslog.conf file on
the remote host. To separate traces from various processes into different files, include
the process name or trace-file name (if it is specified at the [edit process-name
traceoptions file] hierarchy level) in the Program field in the /etc/syslog.conf file. If your
system log server supports parsing hostname and program name, then you can separate
traces from the various processes.
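The following added example, which is not part of the Juniper guide, shows the collector-side split that the remote-tracing paragraphs above describe: it keeps only local0 messages and groups them per host and per program. The BSD-syslog line layout, the sample lines, the host names, and the default allow-list (the three processes listed earlier as supporting remote tracing) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

LOCAL0 = 16  # syslog facility code for local0; PRI = facility * 8 + severity

# Processes the page lists as supporting remote tracing. Where a trace-file
# name is configured for a process, pass that name instead (assumption).
TRACED_PROGRAMS = frozenset({"chassisd", "eventd", "cosd"})

# Assumed wire format: <PRI>Mmm dd hh:mm:ss host program[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)
# Host and program arrive from the network and end up in a file name, so
# only plain name characters are accepted (no slashes, no leading dot).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")


def parse_line(line):
    """Return a dict for one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(pri, 8)
    return rec


def route_traces(lines, programs=TRACED_PROGRAMS):
    """Split local0 trace lines into per-host, per-program buckets.

    Returns (buckets, rejected). buckets maps 'host/program.trace' to a list
    of 'timestamp message' strings; rejected is a list of (reason, line).
    """
    buckets = defaultdict(list)
    rejected = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(("unparseable", line))
        elif rec["facility"] != LOCAL0:
            rejected.append(("not-local0", line))
        elif not (SAFE_NAME.match(rec["host"]) and SAFE_NAME.match(rec["program"])):
            rejected.append(("unsafe-name", line))
        elif rec["program"] not in programs:
            rejected.append(("unexpected-program", line))
        else:
            key = f"{rec['host']}/{rec['program']}.trace"
            buckets[key].append(f"{rec['ts']} {rec['msg']}")
    return dict(buckets), rejected


# Constructed sample input; not captured from a real device.
SAMPLE_LINES = [
    "<135>Mar 20 10:15:01 qfx-leaf1 chassisd[1520]: fan tray 0 status poll",
    "<135>Mar 20 10:15:02 qfx-leaf1 cosd[1611]: scheduler map refresh",
    "<134>Mar 20 10:15:02 qfx-leaf2 chassisd[1498]: fpc 0 online",
    "<38>Mar 20 10:15:03 qfx-leaf1 sshd[2210]: Accepted publickey for admin",
    "<135>Mar 20 10:15:04 ../../etc chassisd[1]: crafted host field",
    "<135>Mar 20 10:15:05 qfx-leaf1 exampled[1700]: process outside the allow-list",
    "garbage without a PRI header",
]

if __name__ == "__main__":
    buckets, rejected = route_traces(SAMPLE_LINES)
    for path in sorted(buckets):
        print(path, len(buckets[path]), "line(s)")
    for reason, line in rejected:
        print("rejected:", reason, "|", line)
```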
NOTE: During a commit check, warnings about the traceoptions configuration
(for example, mismatch in trace file sizes or number of trace files) are not
displayed on the console. However, these warnings are logged in the system
log messages when the new configuration is committed.
Related Documentation
• Overview of Junos OS System Log Messages on page 1018
Junos Space Support for Network Management
Supported Platforms
EX4600, QFabric System, QFX Series
The Juniper Networks Junos Space application, running on a JA1500 appliance or a Junos
Space Virtual Appliance, is a comprehensive platform for building and deploying
applications for collaboration, productivity, and network infrastructure and operations
management. Junos Space provides a runtime environment implemented as a fabric of
virtual and physical appliances.
The following subsections describe Junos Space support for network management:
• Overview of Junos Space Network Management
• Preparing the Device for Junos Space Management
Overview of Junos Space Network Management
The Junos Space Network Management Platform software comprises various applications
for network management and configuration, including:
• Junos Space Administration—Provides management of Junos Space fabric, databases,
licenses, applications, authentication servers, tags, permission labels, DMI schemas,
and troubleshooting.
• Network Director—Provides unified management of supported Juniper Networks devices
in your network. By providing full network life cycle management, Network Director
simplifies the discovery, configuration, visualization, monitoring, and administration of
large networks.
• Service Automation—Provides an end-to-end solution designed to streamline
operations and enable proactive network management for Junos OS devices. The
solution consists of Advanced Insight Scripts (AI-Scripts), Junos Space Service Now
and Service Insight applications, and Juniper Support Systems (JSS).
NOTE: Do not install Junos Space and AI-Scripts on the control plane
network EX4200 switches or EX4200 Virtual Chassis in a QFX3000 QFabric
system.
Before you can use Junos Space Network Director to manage the QFX Series device, you
must ensure that the configuration on the device meets the requirements for all managed
devices. For example:
• The device configuration has a static management IP address that is reachable from
the Junos Space server.
• There is a user with full administrative privileges for Junos Space administration.
• SNMP is enabled (only if you plan on using SNMP as part of the device discovery).
• In Junos Space, set up a default device management interface (DMI) schema for the
QFX Series device.
For more information about Network Director requirements, see the Network Director
Quick Start Guide at:
https://www.juniper.net/documentation/en_US/network-director1.5/information-products/pathway-pages/index.html
For more information about Junos Space, go to:
https://www.juniper.net/documentation/en_US/release-independent/junos-space/index.html
Preparing the Device for Junos Space Management
Before you can use the Juniper Networks Junos Space application to manage the QFX
Series device, you must ensure that the configuration on the device meets the following
requirements for device discovery in Junos Space:
• The device configuration has a static management IP address that is reachable from
the Junos Space server.
• There is a user with full administrative privileges for Junos Space administration.
• SNMP is enabled (only if you plan on using SNMP as part of the device discovery).
• In Junos Space, set up a default device management interface (DMI) schema for the
QFX Series device.
NOTE: Do not install Junos Space and AI-Scripts (AIS) on the control plane
network EX4200 switches or EX4200 Virtual Chassis in a QFX3000 QFabric
system.
To prepare the device before using Junos Space:
1. Perform the initial configuration of the device through the console port using the Junos
OS CLI. This task includes the configuration of a static management IP address and
a user with root administrative privileges.
For the QFX3500 switch, see Configuring a QFX3500 Device as a Standalone Switch.
For the QFabric system, see QFabric System Initial and Default Configuration Information
and Performing the QFabric System Initial Setup on a QFX3100 Director Group.
2. (Optional) Configure SNMP if you plan on using SNMP to probe devices during device
discovery.
See “Configuring SNMP”.
3. (Optional) Enable SSH if you wish to use the Secure Console feature in Junos Space.
See Configuring SSH Service for Remote Access to the Router or Switch.
4. In Junos Space, set up a default DMI schema. For more information about managing
DMI schemas, see:
https://www.juniper.net/documentation/en_US/junos-space131./platform/information-products/pathway-pages/junos-space-administration-pwp.html
Related Documentation
• Configuring a QFX3500 Device as a Standalone Switch
• QFabric System Initial and Default Configuration Information
• Performing the QFabric System Initial Setup on a QFX3100 Director Group
• Configuring SNMP
• Configuring SSH Service for Remote Access to the Router or Switch
CHAPTER 2
Network Monitoring Overview
• Monitoring Overview
• Diagnostic Tools Overview
Monitoring Overview
Supported Platforms
SRX Series, vSRX
Junos OS supports a suite of J-Web tools and CLI operational mode commands for
monitoring the system health and performance of your device. Monitoring tools and
commands display the current state of the device. To use the J-Web user interface and
CLI operational tools, you must have the appropriate access privileges.
You can use the J-Web Monitor option to monitor a device. J-Web results appear in the
browser.
You can also monitor the device with CLI operational mode commands. CLI command
output appears on the screen of your console or management device, or you can filter
the output to a file. For operational commands that display output, such as the show
commands, you can redirect the output into a filter or a file. When you display help about
these commands, one of the options listed is |, called a pipe, which allows you to filter
the command output.
For example, if you enter the show configuration command, the complete device
configuration appears on the screen. To limit the display to only those lines of the
configuration that contain address, enter the show configuration command using a pipe
into the match filter:
user@host> show configuration | match address
address-range low 192.168.3.2 high 192.168.3.254;
address-range low 192.168.71.71 high 192.168.71.254;
address 192.168.71.70/21;
address 192.168.2.1/24;
address 127.0.0.1/32;
For a complete list of the filters, type a command, followed by the pipe, followed by a
question mark (?):
user@host> show configuration | ?
Possible completions:
  compare              Compare configuration changes with prior version
  count                Count occurrences
  display              Show additional kinds of information
  except               Show only text that does not match a pattern
  find                 Search for first occurrence of pattern
  hold                 Hold text without exiting the prompt
  last                 Display end of output only
  match                Show only text that matches a pattern
  no-more              Don't paginate output
  request              Make system-level requests
  resolve              Resolve IP addresses
  save                 Save output text to file
  trim                 Trim specified number of columns from start of line
You can specify complex expressions as an option for the match and except filters.
NOTE: To filter the output of configuration mode commands, use the filter
commands provided for the operational mode commands. In configuration
mode, an additional filter is supported.
Related Documentation
• Monitoring Interfaces
• Diagnostic Tools Overview
Diagnostic Tools Overview
Supported Platforms
SRX Series, vSRX
Juniper Networks devices support a suite of J-Web tools and CLI operational mode
commands for evaluating system health and performance. Diagnostic tools and
commands test the connectivity and reachability of hosts in the network.
• Use the J-Web Diagnose options to diagnose a device. J-Web results appear in the
browser.
• Use CLI operational mode commands to diagnose a device. CLI command output
appears on the screen of your console or management device, or you can filter the
output to a file.
To use the J-Web user interface and CLI operational tools, you must have the appropriate
access privileges.
This section contains the following topics:
• J-Web Diagnostic Tools
• CLI Diagnostic Commands
J-Web Diagnostic Tools
The J-Web diagnostic tools consist of the options that appear when you select
Troubleshoot and Maintain in the task bar. Table 5 describes the functions of
the Troubleshoot options.
Table 5: J-Web Interface Troubleshoot Options
Option            Function
Troubleshoot Options
Ping Host         Allows you to ping a remote host. You can configure advanced options for the ping operation.
Ping MPLS         Allows you to ping an MPLS endpoint using various options.
Traceroute        Allows you to trace a route between the device and a remote host. You can configure advanced options for the traceroute operation.
Packet Capture    Allows you to capture and analyze router control traffic.
Maintain Options
Files             Allows you to manage log, temporary, and core files on the device.
Upgrade           Allows you to upgrade and manage Junos OS packages.
Licenses          Displays a summary of the licenses needed and used for each feature that requires a license. Allows you to add licenses.
Reboot            Allows you to reboot the device at a specified time.
CLI Diagnostic Commands
The CLI commands available in operational mode allow you to perform the same
monitoring, troubleshooting, and management tasks you can perform with the J-Web
user interface. Instead of invoking the tools through a graphical interface, you use
operational mode commands to perform the tasks.
You can perform certain tasks only through the CLI. For example, you can use the mtrace
command to display trace information about a multicast path from a source to a receiver,
which is a feature available only through the CLI.
To view a list of top-level operational mode commands, type a question mark (?) at the
command-line prompt.
At the top level of operational mode are the broad groups of CLI diagnostic commands
listed in Table 6.
Table 6: CLI Diagnostic Command Summary
Command           Function
Controlling the CLI Environment
set option        Configures the CLI display.
Diagnosis and Troubleshooting
clear             Clears statistics and protocol database information.
mtrace            Traces information about multicast paths from source to receiver.
monitor           Performs real-time debugging of various Junos OS components, including the routing protocols and interfaces.
ping              Determines the reachability of a remote network host.
ping mpls         Determines the reachability of an MPLS endpoint using various options.
test              Tests the configuration and application of policy filters and AS path regular expressions.
traceroute        Traces the route to a remote network host.
Connecting to Other Network Systems
ssh               Opens secure shell connections.
telnet            Opens Telnet sessions to other hosts on the network.
Management
copy              Copies files from one location on the device to another, from the device to a remote system, or from a remote system to the device.
restart option    Restarts the various system processes, including the routing protocol, interface, and SNMP processes.
request           Performs system-level operations, including stopping and rebooting the device and loading Junos OS images.
start             Exits the CLI and starts a UNIX shell.
configuration     Enters configuration mode.
quit              Exits the CLI and returns to the UNIX shell.
Related Documentation
• MPLS Connection Checking Overview
• Understanding Ping MPLS
• Using the J-Web Ping Host Tool
• Using the ping Command
PART 2
Operation, Administration, and Management Features
• Ethernet OAM Link Fault Management
• Ethernet OAM Connectivity Fault Management
CHAPTER 3
Ethernet OAM Link Fault Management
• Understanding Ethernet OAM Link Fault Management
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring an OAM Action Profile
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Enabling Remote Loopback Support on the Local Interface
• Configuring Link Discovery
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Example: Configuring Ethernet OAM Connectivity Fault Management on EX Series Switches
• Configuring Ethernet OAM Link Fault Management (CLI Procedure)
Understanding Ethernet OAM Link Fault Management
Supported Platforms
EX Series, NFX Series, QFX Series
Juniper Networks Junos operating system (Junos OS) for Juniper Networks allows the
Ethernet interfaces on these switches to support the IEEE 802.3ah standard for the
Operation, Administration, and Maintenance (OAM) of Ethernet in access networks. The
standard defines OAM link fault management (LFM). You can configure IEEE 802.3ah
OAM LFM on point-to-point Ethernet links that are connected either directly or through
Ethernet repeaters. The IEEE 802.3ah standard meets the requirement for OAM
capabilities even as Ethernet moves from being solely an enterprise technology to a WAN
and access technology, and the standard remains backward-compatible with existing
Ethernet technology.
Ethernet OAM provides the tools that network management software and network
managers can use to determine how a network of Ethernet links is functioning. Ethernet
OAM should:
• Rely only on the media access control (MAC) address or virtual LAN identifier for
troubleshooting.
• Work independently of the actual Ethernet transport and function over physical Ethernet
ports or a virtual service such as pseudowire.
• Isolate faults over a flat (or single operator) network architecture or nested or
hierarchical (or multiprovider) networks.
The following OAM LFM features are supported:
• Discovery and Link Monitoring
The discovery process is triggered automatically when OAM is enabled on the interface.
The discovery process permits Ethernet interfaces to discover and monitor the peer
on the link if it also supports the IEEE 802.3ah standard. You can specify the discovery
mode used for IEEE 802.3ah OAM support. In active mode, the interface discovers and
monitors the peer on the link if the peer also supports IEEE 802.3ah OAM functionality.
In passive mode, the peer initiates the discovery process. After the discovery process
has been initiated, both sides participate in discovery. The switch performs link
monitoring by sending periodic OAM protocol data units (PDUs) to advertise OAM
mode, configuration, and capabilities.
You can specify the number of OAM PDUs that an interface can miss before the link
between peers is considered down.
• Remote Fault Detection
Remote fault detection uses flags and events. Flags are used to convey the following:
Link Fault means a loss of signal, Dying Gasp means an unrecoverable condition such
as a power failure, and Critical Event means an unspecified vendor-specific critical
event. You can specify the periodic OAM PDU sending interval for fault detection. The
switch uses the Event Notification OAM PDU to notify the remote OAM device when
a problem is detected. You can specify the action to be taken by the system when the
configured link-fault event occurs.
• Remote Loopback Mode
Remote loopback mode ensures link quality between the switch and a remote peer
during installation or troubleshooting. In this mode, when the interface receives a frame
that is not an OAM PDU or a pause frame, it sends it back on the same interface on
which it was received. The link appears to be in the active state. You can use the returned
loopback acknowledgement to test delay, jitter, and throughput.
Junos OS can place a remote DTE into loopback mode (if remote loopback mode is
supported by the remote DTE). When you place a remote DTE into loopback mode,
the interface receives the remote loopback request and puts the interface into remote
loopback mode. When the interface is in remote loopback mode, all frames except
OAM PDUs are looped back without any changes made to the frames. OAM PDUs
continue to be sent and processed.
Related Documentation
• Configuring Ethernet OAM Link Fault Management (CLI Procedure)
• Example: Configuring Ethernet OAM Link Fault Management
IEEE 802.3ah OAM Link-Fault Management Overview
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, T Series
Ethernet interfaces capable of running at 100 Mbps or faster on EX Series switches, PTX
Series, MX Series, M Series (except M5 and M10 routers), and T Series routers support
the IEEE 802.3ah standard for Operation, Administration, and Management (OAM). You
can configure IEEE 802.3ah OAM on Ethernet point-to-point direct links or links across
Ethernet repeaters. The IEEE 802.3ah standard meets the requirement for OAM
capabilities as Ethernet moves from being solely an enterprise technology to being a
WAN and access technology, as well as being backward-compatible with existing Ethernet
technology. Junos OS supports IEEE 802.3ah link-fault management.
The features of link-fault management are:
• Discovery
• Link monitoring
• Remote fault detection
• Remote loopback
Starting in Junos OS Release 17.3R1, the Ethernet link fault management daemon (lfmd)
runs on the backup Routing Engine as well when graceful Routing Engine switchover
(GRES) is configured.
The following features are not supported:
• Ethernet running on top of a Layer 2 protocol, such as Ethernet over ATM, is not
supported in OAM configurations.
• Remote loopback is not supported on the 10-Gigabit Ethernet LAN/WAN PIC with
SFP+.
• The remote loopback feature mentioned in section 57.2.11 of IEEE 802.3ah is not
supported on T4000 routers.
NOTE: Aggregated Ethernet member links will now use the physical MAC
address as the source MAC address in 802.3ah OAM packets.
Release History Table
Release     Description
17.3R1      Starting in Junos OS Release 17.3R1, the Ethernet link fault management daemon (lfmd) runs on the backup Routing Engine as well when graceful Routing Engine switchover (GRES) is configured.
Related Documentation
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Enabling Nonstop Routing for Ethernet Link Fault Management on Backup Routers
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Configuring IEEE 802.3ah OAM Link-Fault Management
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
You can configure threshold values for fault events that trigger the sending of link event
TLVs when the values exceed the threshold. To set threshold values for fault events on
an interface, include the event-thresholds statement at the [edit protocols oam ethernet
link-fault-management interface] hierarchy level.
You can also configure OAM threshold values within an action profile and apply the action
profile to multiple interfaces. To create an action profile, include the action-profile
statement at the [edit protocols oam ethernet link-fault-management] hierarchy level.
You can configure Ethernet OAM either on an aggregate interface or on each of its member
links. However, we recommend that you configure Ethernet OAM on the aggregate
interface, and this will internally enable Ethernet OAM on the member links.
To view OAM statistics, use the show oam ethernet link-fault-management operational
mode command. To clear OAM statistics, use the clear oam ethernet
link-fault-management statistics operational mode command. To clear link-fault
management state information and restart the link discovery process on Ethernet
interfaces, use the clear oam ethernet link-fault-management state operational mode
command. For more information about these commands, see the CLI Explorer.
Related Documentation
• event-thresholds
• action-profile
• IEEE 802.3ah OAM Link-Fault Management Overview
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Enabling IEEE 802.3ah OAM Support
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
To enable IEEE 802.3ah OAM support, include the interface statement at the [edit
protocols oam ethernet link-fault-management] hierarchy level:
[edit protocols oam ethernet link-fault-management interface interface-name]
When you enable IEEE 802.3ah OAM on a physical interface, the discovery process is
automatically triggered.
Related Documentation
• link-fault-management
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Configuring the OAM PDU Interval
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
Periodic OAM PDUs are sent to perform link monitoring.
You can specify the periodic OAM PDU sending interval for fault detection.
To configure the sending interval, include the pdu-interval statement at the [edit protocols
oam ethernet link-fault-management interface interface-name] hierarchy level:
[edit protocols oam ethernet link-fault-management interface interface-name]
pdu-interval interval;
The periodic OAM PDU interval range is from 100 through 1000 milliseconds. The default
sending interval is 1000 milliseconds.
Related Documentation
• pdu-interval
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Configuring the OAM PDU Threshold
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
You can specify the number of OAM PDUs that an interface can miss before the link
between peers is considered down.
To configure the number of PDUs that can be missed from the peer, include the
pdu-threshold statement at the [edit protocols oam ethernet link-fault-management
interface interface-name] hierarchy level:
[edit protocols oam ethernet link-fault-management interface interface-name]
pdu-threshold threshold-value;
The threshold value range is from 3 through 10. The default is three PDUs.
Related Documentation
• pdu-threshold
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Configuring an OAM Action Profile
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
You can create an action profile to define event fault flags and thresholds and the action
to be taken. You can then apply the action profile to one or more interfaces.
To configure an action profile, include the action-profile statement at the [edit protocols
oam ethernet link-fault-management] hierarchy level:
action-profile profile-name {
    action {
        syslog;
        link-down;
        send-critical-event;
    }
    event {
        link-adjacency-loss;
        link-event-rate {
            frame-error count;
            frame-period count;
            frame-period-summary count;
            symbol-period count;
        }
        protocol-down;
    }
}
NOTE: Starting from Junos OS Release 14.2, whenever link-fault management
(LFM) with an action profile is configured to mark the interface as down (by
including the link-down statement at the [edit protocols oam ethernet
link-fault-management] hierarchy level), the port is placed in the blocked
state (STP state). In this state, data traffic is not
transmitted out on that interface. Because the connectivity-fault management
(CFM) downstream maintenance MEPs come up on blocked ports, the CFM
sessions come up properly. However, the interface is down and the interface
status TLV does not contain the correct status. The actual status of the port is
reflected only if you configure the port status TLV. The interface status
TLV does not carry the actual state of the port.
Release History Table
Release     Description
14.2        Starting from Junos OS Release 14.2
Related Documentation
• action-profile
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Configuring Threshold Values for Fault Events in an Action Profile
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
You can configure link event thresholds for received error events that trigger the action
specified in the action statement. You can then apply the action profile to one or more
interfaces.
To configure link event thresholds, include the link-event-rate statement at the [edit
protocols oam ethernet link-fault-management action-profile profile-name event] hierarchy
level:
link-event-rate {
    frame-error count;
    frame-period count;
    frame-period-summary count;
    symbol-period count;
}
Related Documentation
• link-event-rate
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Applying an Action Profile
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
You can apply an action profile to one or more interfaces.
To apply an action profile to an interface, include the apply-action-profile statement at
the [edit protocols oam ethernet link-fault-management interface interface-name]
hierarchy level:
[edit protocols oam ethernet link-fault-management interface interface-name]
apply-action-profile profile-name;
Related Documentation
• apply-action-profile
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Setting a Remote Interface into Loopback Mode
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
You can configure the software to set the remote DTE into loopback mode on the
following interfaces:
• IQ2 and IQ2-E Gigabit Ethernet interfaces
• Ethernet interfaces on the MX Series routers or EX Series switches
Junos OS can place a remote DTE into loopback mode (if remote-loopback mode is
supported by the remote DTE). When you place a remote DTE into loopback mode, the
interface receives the remote-loopback request and puts the interface into
remote-loopback mode. When the interface is in remote-loopback mode, all frames
except OAM PDUs are looped back without any changes made to the frames. OAM PDUs
continue to be sent to the management plane and processed.
To configure remote loopback, include the remote-loopback statement at the [edit
protocols oam ethernet link-fault-management interface interface-name] hierarchy level:
[edit protocols oam ethernet link-fault-management interface interface-name]
remote-loopback;
To take the remote DTE out of loopback mode, remove the remote-loopback statement
from the configuration.
Related Documentation
• remote-loopback
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Monitoring the Loss of Link Adjacency
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
You can specify actions to be taken when link adjacency is lost. When link adjacency is lost,
the system takes the action defined in the action statement of the action profile.
To configure the system to take action when link adjacency is lost, include the
link-adjacency-loss statement at the [edit protocols oam ethernet link-fault-management
action-profile profile-name event] hierarchy level:
[edit protocols oam ethernet link-fault-management action-profile profile-name event]
link-adjacency-loss;
Related Documentation
• link-adjacency-loss
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Monitoring Protocol Status
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
The CCC-DOWN flag is associated with a circuit cross-connect (CCC) connection, Layer
2 circuit, and Layer 2 VPN, which send the CCC-DOWN status to the kernel. The
CCC-DOWN flag indicates that the CCC is down. The CCC-DOWN status is sent to the
kernel when the CCC connection, Layer 2 circuit, or Layer 2 VPN is down. This, in turn,
brings down the CE-facing PE interface associated with the CCC connection, Layer 2
circuit, or Layer 2 VPN.
When the CCC-DOWN flag is signaled to the IEEE 802.3ah protocol, the system takes
the action defined in the action statement of the action profile. For additional information
about Layer 2 circuits, see the Junos OS Layer 2 Circuits Feature Guide, Junos OS VPNs
Configuration Guide.
To monitor the IEEE 802.3ah protocol, on the CE-facing PE interface, include the
protocol-down statement at the [edit protocols oam ethernet link-fault-management
action-profile profile-name event] hierarchy level:
1. In configuration mode, go to the [edit protocols oam ethernet link-fault-management
action-profile profile-name event] hierarchy level.
[edit]
user@host# edit protocols oam ethernet link-fault-management action-profile profile-name event
2. Include the protocol-down statement.
[edit protocols oam ethernet link-fault-management action-profile profile-name event]
user@host# set protocol-down
NOTE: If multiple events are specified in the action profile, all the events
must occur before the specified action is taken.
Related Documentation
• protocol-down
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Enabling Remote Loopback Support on the Local Interface
Supported Platforms
ACX Series, EX Series, MX Series, T4000
You can allow a remote DTE to set a local interface into remote loopback mode on IQ2
and IQ2-E Gigabit Ethernet interfaces and all Ethernet interfaces on the MX Series routers
and EX Series switches. When a remote-loopback request is sent by a remote DTE, the
Junos OS places the local interface into loopback mode. When an interface is in loopback
mode, all frames except OAM PDUs are looped back without any changes to the frames.
OAM PDUs continue to be sent to the management plane and processed. By default, the
remote loopback feature is not enabled.
To enable remote loopback, include the allow-remote-loopback statement at the [edit
protocols oam ethernet link-fault-management interface interface-name negotiation-options]
hierarchy level:
[edit protocols oam ethernet link-fault-management interface interface-name negotiation-options]
allow-remote-loopback;
NOTE: Activation of OAM remote loopback may result in data frame loss.
Related Documentation
• allow-remote-loopback
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Configuring Link Discovery
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
When the IEEE 802.3ah OAM protocol is enabled on a physical interface, the discovery
process is automatically triggered. The discovery process permits Ethernet interfaces to
discover and monitor the peer on the link if it also supports the IEEE 802.3ah standard.
You can specify the discovery mode used for IEEE 802.3ah OAM support. The discovery
process is triggered automatically when OAM IEEE 802.3ah functionality is enabled on
a port. Link monitoring is done when the interface sends periodic OAM PDUs.
To configure the discovery mode, include the link-discovery statement at the [edit protocols
oam ethernet link-fault-management interface interface-name] hierarchy level:
[edit protocols oam ethernet link-fault-management interface interface-name]
link-discovery (active | passive);
In active mode, the interface discovers and monitors the peer on the link if the peer also
supports IEEE 802.3ah OAM functionality. In passive mode, the peer initiates the discovery
process. After the discovery process has been initiated, both sides participate in discovery.
Related Documentation
• link-discovery
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Configuring Threshold Values for Local Fault Events on an Interface
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
You can configure threshold values on an interface for the local errors that trigger the
sending of link event TLVs.
To set the error threshold values for sending event TLVs, include the frame-error,
frame-period, frame-period-summary, and symbol-period statements at the [edit protocols
oam ethernet link-fault-management interface interface-name event-thresholds] hierarchy
level:
[edit protocols oam ethernet link-fault-management interface interface-name]
event-thresholds {
    frame-error count;
    frame-period count;
    frame-period-summary count;
    symbol-period count;
}
Related Documentation
• event-thresholds
• frame-error
• frame-period
• frame-period-summary
• symbol-period
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Disabling the Sending of Link Event TLVs
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
You can disable the sending of link event TLVs.
To disable the monitoring and sending of PDUs containing link event TLVs in periodic
PDUs, include the no-allow-link-events statement at the [edit protocols oam ethernet
link-fault-management interface interface-name negotiation-options] hierarchy level:
[edit protocols oam ethernet link-fault-management interface interface-name negotiation-options]
no-allow-link-events;
Related Documentation
• no-allow-link-events
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Detecting Remote Faults
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
Fault detection is based either on flags or on fault event type, length, and values (TLVs)
received in OAM protocol data units (PDUs). Flags that trigger a link fault are:
• Critical Event
• Dying Gasp
• Link Fault
The link event TLVs are sent by the remote DTE by means of event notification PDUs.
Link event TLVs are:
• Errored Symbol Period Event
• Errored Frame Event
• Errored Frame Period Event
• Errored Frame Seconds Summary Event
Related Documentation
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
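The fault flags and link event TLVs named under Detecting Remote Faults can be read straight from a captured OAMPDU. The parser below is an added example, not code from this guide or from Junos OS; the field offsets, flag bits and TLV lengths are taken from IEEE 802.3 Clause 57 rather than from this page, and the sample frame is constructed. It validates every TLV length before reading, because the PDU contents are supplied by the remote DTE.

```python
import struct

SLOW_PROTOCOLS_ETHERTYPE = 0x8809   # IEEE 802.3 slow protocols
OAM_SUBTYPE = 0x03
CODE_EVENT_NOTIFICATION = 0x01

# Flag bits that signal a link fault (the three flags listed above).
FAULT_FLAGS = {0x0001: "Link Fault", 0x0002: "Dying Gasp", 0x0004: "Critical Event"}

# Link event TLV type -> (name, total length in octets, layout after type+length).
# Each layout is: timestamp, window, threshold, errors, error running total,
# event running total.
EVENT_TLVS = {
    0x01: ("Errored Symbol Period Event", 40, ">HQQQQI"),
    0x02: ("Errored Frame Event", 26, ">HHIIQI"),
    0x03: ("Errored Frame Period Event", 28, ">HIIIQI"),
    0x04: ("Errored Frame Seconds Summary Event", 18, ">HHHHII"),
}


class OamParseError(ValueError):
    """Raised when a frame is not a well-formed OAMPDU."""


def parse_event_tlvs(data: bytes) -> list:
    """Walk the TLVs of an Event Notification OAMPDU, validating every length."""
    if len(data) < 2:
        raise OamParseError("missing event sequence number")
    events, offset = [], 2          # skip the 2-octet sequence number
    while offset < len(data):
        tlv_type = data[offset]
        if tlv_type == 0x00:        # End of TLV marker; the rest is padding
            break
        if offset + 2 > len(data):
            raise OamParseError("truncated TLV header")
        length = data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise OamParseError(f"TLV length {length} overruns the PDU")
        if tlv_type in EVENT_TLVS:
            name, fixed_len, layout = EVENT_TLVS[tlv_type]
            if length != fixed_len:
                raise OamParseError(f"{name}: length {length}, expected {fixed_len}")
            _ts, window, threshold, errors, err_total, evt_total = struct.unpack_from(
                layout, data, offset + 2)
            events.append({"name": name, "window": window, "threshold": threshold,
                           "errors": errors, "error_total": err_total,
                           "event_total": evt_total})
        offset += length            # unknown TLV types are skipped by length
    return events


def parse_oampdu(frame: bytes) -> dict:
    """Parse an untagged Ethernet frame that carries an OAMPDU."""
    if len(frame) < 18:
        raise OamParseError("frame too short for an OAMPDU header")
    ethertype, subtype, flags, code = struct.unpack_from(">HBHB", frame, 12)
    if ethertype != SLOW_PROTOCOLS_ETHERTYPE or subtype != OAM_SUBTYPE:
        raise OamParseError("not an OAMPDU")
    report = {"faults": [n for bit, n in FAULT_FLAGS.items() if flags & bit],
              "code": code, "events": []}
    if code == CODE_EVENT_NOTIFICATION:
        report["events"] = parse_event_tlvs(frame[18:])
    return report


def is_well_formed(frame: bytes) -> bool:
    """True when the frame parses without a length or header violation."""
    try:
        parse_oampdu(frame)
        return True
    except OamParseError:
        return False


def build_sample_frame() -> bytes:
    """Constructed sample: Dying Gasp flag set plus one Errored Frame Event TLV."""
    frame = bytes.fromhex("0180c2000002") + bytes.fromhex("020000000001")
    frame += struct.pack(">HBHB", 0x8809, 0x03, 0x0002 | 0x0010, 0x01)
    frame += struct.pack(">H", 7)                                   # sequence number
    frame += struct.pack(">BBHHIIQI", 0x02, 26, 100, 10, 30, 42, 42, 1)
    return frame + b"\x00" * 10                                     # End marker + pad


if __name__ == "__main__":
    print(parse_oampdu(build_sample_frame()))
```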
Specifying the Actions to Be Taken for Link-Fault Management Events
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
You can specify the action to be taken by the system when the configured link-fault event
occurs. Multiple action profiles can be applied to a single interface. For each action-profile,
at least one event and one action must be specified. The actions are taken only when all
of the events in the action profile are true. If more than one action is specified, all the
actions are executed.
You might want to set a lower threshold for a specific action such as logging the error
and set a higher threshold for another action such as sending a critical event TLV.
To specify the action, include the action statement at the [edit protocols oam ethernet
link-fault-management action-profile profile-name] hierarchy level:
[edit protocols oam ethernet link-fault-management action-profile profile-name]
event {
    link-adjacency-loss;
    protocol-down;
}
action {
    syslog;
    link-down;
    send-critical-event;
}
To create a system log entry when the link-fault event occurs, include the syslog
statement.
To administratively disable the link when the link-fault event occurs, include the link-down
statement.
To send IEEE 802.3ah link event TLVs in the OAM PDU when a link-fault event occurs,
include the send-critical-event statement.
NOTE: If multiple actions are specified in the action profile, all of the actions
are executed in no particular order.
Related Documentation
• action
• syslog
• link-down
• send-critical-event
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Example: Configuring IEEE 802.3ah OAM Support on an Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Example: Configuring IEEE 802.3ah OAM Support on an Interface
Supported Platforms
ACX Series, EX Series, M Series, MX Series, T4000
Configure 802.3ah OAM support on a 10-Gigabit Ethernet interface:
[edit]
protocols {
    oam {
        ethernet {
            link-fault-management {
                interface xe-0/0/0 {
                    link-discovery active;
                    pdu-interval 800;
                    pdu-threshold 4;
                    remote-loopback;
                    negotiation-options {
                        allow-remote-loopback;
                    }
                    event-thresholds {
                        frame-error 30;
                        frame-period 50;
                        frame-period-summary 40;
                        symbol-period 20;
                    }
                }
            }
        }
    }
}
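A configuration review can check the rules stated in the action-profile and remote-loopback sections: every action profile needs at least one event and one action, an applied profile must exist, and allow-remote-loopback lets the peer loop the local interface. The script below is an added example, not Juniper code; it parses brace-style configuration text only, the finding labels are its own, and the action profiles and the xe-0/0/1 interface in the sample are hypothetical.

```python
# Constructed sample: the xe-0/0/0 statements follow the example above; the
# action profiles and xe-0/0/1 are hypothetical.
SAMPLE_CONFIG = """\
protocols {
    oam {
        ethernet {
            link-fault-management {
                action-profile log-only {
                    event {
                        link-adjacency-loss;
                    }
                    action {
                        syslog;
                    }
                }
                action-profile incomplete {
                    event {
                        protocol-down;
                    }
                }
                interface xe-0/0/0 {
                    remote-loopback;
                    apply-action-profile log-only;
                    negotiation-options {
                        allow-remote-loopback;
                    }
                }
                interface xe-0/0/1 {
                    apply-action-profile missing;
                }
            }
        }
    }
}
"""


def parse_junos(text):
    """Parse brace-style Junos configuration into nested statement/block nodes."""
    root = {"stmts": [], "blocks": {}}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue                          # blank line, comment or [edit] banner
        if line.endswith("{"):
            node = {"stmts": [], "blocks": {}}
            stack[-1]["blocks"][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith(";"):
            stack[-1]["stmts"].append(line[:-1].strip())
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def audit_lfm(config_text):
    """Return (subject, finding) pairs for the link-fault-management stanza."""
    lfm = parse_junos(config_text)
    for key in ("protocols", "oam", "ethernet", "link-fault-management"):
        lfm = lfm["blocks"].get(key)
        if lfm is None:
            return []
    findings = []
    profiles = {name.split(None, 1)[1]: node for name, node in lfm["blocks"].items()
                if name.startswith("action-profile ")}
    for name, node in profiles.items():
        for part in ("event", "action"):      # each profile needs at least one of both
            sub = node["blocks"].get(part)
            if sub is None or not (sub["stmts"] or sub["blocks"]):
                findings.append((f"action-profile {name}", f"missing-{part}"))
    for name, node in lfm["blocks"].items():
        if not name.startswith("interface "):
            continue
        options = node["blocks"].get("negotiation-options")
        if options and "allow-remote-loopback" in options["stmts"]:
            findings.append((name, "peer-can-loop-this-interface"))
        if "remote-loopback" in node["stmts"]:
            findings.append((name, "remote-dte-held-in-loopback"))
        for stmt in node["stmts"]:
            if stmt.startswith("apply-action-profile "):
                ref = stmt.split(None, 1)[1]
                if ref not in profiles:
                    findings.append((name, f"undefined-profile:{ref}"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_lfm(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```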
Related Documentation
• link-fault-management
• IEEE 802.3ah OAM Link-Fault Management Overview
• Configuring IEEE 802.3ah OAM Link-Fault Management
• Enabling IEEE 802.3ah OAM Support
• Configuring Link Discovery
• Configuring the OAM PDU Interval
• Configuring the OAM PDU Threshold
• Configuring Threshold Values for Local Fault Events on an Interface
• Disabling the Sending of Link Event TLVs
• Detecting Remote Faults
• Configuring an OAM Action Profile
• Specifying the Actions to Be Taken for Link-Fault Management Events
• Monitoring the Loss of Link Adjacency
• Monitoring Protocol Status
• Configuring Threshold Values for Fault Events in an Action Profile
• Applying an Action Profile
• Setting a Remote Interface into Loopback Mode
• Enabling Remote Loopback Support on the Local Interface
• Ethernet Interfaces Feature Guide for Routing Devices
Example: Configuring Ethernet OAM Connectivity Fault Management on EX Series Switches
Supported Platforms
EX Series
Ethernet interfaces on EX Series switches and Junos OS for EX Series switches support
the IEEE 802.1ag standard for Operation, Administration, and Management (OAM). The
IEEE 802.1ag specification provides for Ethernet connectivity fault management (CFM).
This example describes how to enable and configure OAM CFM on a Gigabit Ethernet
interface:
• Requirements
• Overview and Topology
• Configuring Ethernet OAM Connectivity Fault Management on Switch 1
• Configuring Ethernet OAM Connectivity Fault Management on Switch 2
• Verification
Requirements
This example uses the following hardware and software components:
• Junos OS Release 10.2 or later for EX Series switches
• Two EX Series switches connected by a point-to-point Gigabit Ethernet link
Overview and Topology
CFM can be used to monitor the physical link between two switches. In the following
example, two switches are connected by a point-to-point Gigabit Ethernet link. The link
between these two switches is monitored using CFM.
Configuring Ethernet OAM Connectivity Fault Management on Switch 1
CLI Quick Configuration
To quickly configure Ethernet OAM CFM, copy the following commands and paste them
into the switch terminal window:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain]
set name-format character-string
set maintenance-domain private level 0
set maintenance-association private-ma
set continuity-check hold-interval 1s
Step-by-Step Procedure
To enable and configure OAM CFM on switch 1:
1. Specify the maintenance domain name format:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain]
user@switch1# set name-format character-string
2. Specify the maintenance domain name and the maintenance domain level:
[edit protocols oam ethernet connectivity-fault-management]
user@switch1# set maintenance-domain private level 0
3. Create a maintenance association:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain private]
user@switch1# set maintenance-association private-ma
4. Enable the continuity check protocol and specify the continuity check hold interval:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain private maintenance-association private-ma]
user@switch1# set continuity-check hold-interval 1s
5. Configure the maintenance association end point (MEP):
[edit protocols oam ethernet connectivity-fault-management maintenance-domain private maintenance-association private-ma]
user@switch1# set mep 100 interface ge-1/0/1 auto-discovery direction down
Results
Check the results of the configuration.
[edit]
user@switch1# show
protocols {
    oam {
        ethernet {
            connectivity-fault-management {
                maintenance-domain private {
                    level 0;
                    maintenance-association private-ma {
                        continuity-check {
                            interval 1s;
                        }
                        mep 100 {
                            interface ge-1/0/1;
                            auto-discovery;
                            direction down;
                        }
                    }
                }
            }
        }
    }
}
Configuring Ethernet OAM Connectivity Fault Management on Switch 2
CLI Quick Configuration
To quickly configure Ethernet OAM CFM, copy the following commands and paste them
into the switch terminal window:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain]
set name-format character-string
set maintenance-domain private level 0
set maintenance-association private-ma
set continuity-check hold-interval 1s
Step-by-Step Procedure
The configuration on switch 2 mirrors that on switch 1.
1. Specify the maintenance domain name format:
[edit protocols oam ethernet connectivity-fault-management]
user@switch2# set name-format character-string
2. Specify the maintenance domain name and the maintenance domain level:
[edit protocols oam ethernet connectivity-fault-management]
user@switch2# set maintenance-domain private level 0
3. Create a maintenance association:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain private]
user@switch2# set maintenance-association private-ma
4. Enable the continuity check protocol and specify the continuity check hold interval:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain private maintenance-association private-ma]
user@switch2# set continuity-check hold-interval 1s
5. Configure the maintenance association end point (MEP):
[edit protocols oam ethernet connectivity-fault-management maintenance-domain private maintenance-association private-ma]
user@switch2# set mep 200 interface ge-0/2/5 auto-discovery direction down
Results
Check the results of the configuration.
[edit]
user@switch2# show
protocols {
    oam {
        ethernet {
            connectivity-fault-management {
                maintenance-domain private {
                    level 0;
                    maintenance-association private-ma {
                        continuity-check {
                            interval 1s;
                        }
                        mep 200 {
                            interface ge-0/2/5;
                            auto-discovery;
                            direction down;
                        }
                    }
                }
            }
        }
    }
}
Verification
To confirm that the configuration is working properly, perform these tasks:
• Verifying That OAM CFM Has Been Configured Properly
Verifying That OAM CFM Has Been Configured Properly
Purpose
Verify that OAM CFM has been configured properly.
Action
Use the show oam ethernet connectivity-fault-management interfaces detail command:
user@switch1# show oam ethernet connectivity-fault-management interfaces detail
Sample Output
Interface name: ge-1/0/1.0, Interface status: Active, Link status: Up
Maintenance domain name: private, Format: string, Level: 0
Maintenance association name: private-ma, Format: string
Continuity-check status: enabled, Interval: 1ms, Loss-threshold: 3 frames
MEP identifier: 100, Direction: down, MAC address: 00:90:69:0b:4b:94
MEP status: running
Defects:
  Remote MEP not receiving CCM            : no
  Erroneous CCM received                  : yes
  Cross-connect CCM received              : no
  RDI sent by some MEP                    : yes
Statistics:
  CCMs sent                               : 76
  CCMs received out of sequence           : 0
  LBMs sent                               : 0
  Valid in-order LBRs received            : 0
  Valid out-of-order LBRs received        : 0
  LBRs received with corrupted data       : 0
  LBRs sent                               : 0
  LTMs sent                               : 0
  LTMs received                           : 0
  LTRs sent                               : 0
  LTRs received                           : 0
  Sequence number of next LTM request     : 0
Remote MEP count: 2
  Identifier    MAC address          State    Interface
  2001          00:90:69:0b:7f:71    ok       ge-0/2/5.0
Meaning
When the output displays that continuity-check status is enabled and displays details
of the remote MEP, it means that connectivity fault management (CFM) has been
configured properly.
Related Documentation
• Understanding Ethernet OAM Connectivity Fault Management for an EX Series Switch
• Junos OS Network Interfaces Configuration Guide
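The verification step above can be scripted so that the Defects block and the remote MEP table are read along with the continuity-check status. This is an added example, not part of the guide: it embeds the page's sample output (statistics omitted, values re-joined to their labels), and the is_healthy criteria are an assumption of the example that goes beyond the Meaning text.

```python
import re

# Sample output from the verification step above, with each value re-joined to
# its label and the Statistics block left out.
SAMPLE_OUTPUT = """\
Interface name: ge-1/0/1.0, Interface status: Active, Link status: Up
Maintenance domain name: private, Format: string, Level: 0
Maintenance association name: private-ma, Format: string
Continuity-check status: enabled, Interval: 1ms, Loss-threshold: 3 frames
MEP identifier: 100, Direction: down, MAC address: 00:90:69:0b:4b:94
MEP status: running
Defects:
  Remote MEP not receiving CCM            : no
  Erroneous CCM received                  : yes
  Cross-connect CCM received              : no
  RDI sent by some MEP                    : yes
Remote MEP count: 2
  Identifier    MAC address          State    Interface
  2001          00:90:69:0b:7f:71    ok       ge-0/2/5.0
"""

# One row of the remote MEP table: identifier, MAC address, state, interface.
ROW = re.compile(
    r"(?P<id>\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<state>\S+)\s+(?P<interface>\S+)$", re.IGNORECASE)


def check_cfm(output):
    """Extract continuity-check status, raised defects and remote MEP rows."""
    report = {"cc_enabled": False, "active_defects": [],
              "declared_remote_meps": None, "remote_meps": []}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Continuity-check status:"):
            report["cc_enabled"] = "status: enabled" in line
        elif line in ("Defects:", "Statistics:"):
            section = line[:-1]
        elif line.startswith("Remote MEP count:"):
            report["declared_remote_meps"] = int(line.split(":", 1)[1])
            section = "Remote"
        elif section == "Defects" and ":" in line:
            name, value = (part.strip() for part in line.rsplit(":", 1))
            if value == "yes":
                report["active_defects"].append(name)
        elif section == "Remote":
            match = ROW.match(line)
            if match:                      # the column header row does not match
                report["remote_meps"].append(match.groupdict())
    return report


def is_healthy(report):
    """Assumed criteria: CCM enabled, no defect raised, every declared peer listed ok."""
    rows = report["remote_meps"]
    return (report["cc_enabled"] and bool(rows)
            and not report["active_defects"]
            and all(row["state"] == "ok" for row in rows)
            and report["declared_remote_meps"] == len(rows))


if __name__ == "__main__":
    result = check_cfm(SAMPLE_OUTPUT)
    print(result, "healthy:", is_healthy(result))
```

On the sample output this reports two raised defects and one listed remote MEP against a declared count of 2, so the stricter check fails even though continuity check is enabled and a remote MEP is shown.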
Configuring Ethernet OAM Link Fault Management (CLI Procedure)
Supported Platforms
EX Series, NFX Series
Ethernet OAM link fault management (LFM) can be used for physical link-level fault
detection and management. The IEEE 802.3ah LFM works across point-to-point Ethernet
links either directly or through repeaters.
To configure Ethernet OAM LFM using the CLI:
1.
Enable IEEE 802.3ah OAM support on an interface:
[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name
NOTE: You can configure Ethernet OAM LFM on aggregated interfaces.
NOTE: The remaining steps are optional. You can choose which of these
features to configure for Ethernet OAM LFM on your switch.
2. Specify whether the interface or the peer initiates the discovery process by configuring
the link discovery mode to active or passive (active = interface initiates; passive = peer
initiates):
[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name link-discovery active
3. Configure a periodic OAM PDU-sending interval (in milliseconds) for fault detection:
[edit protocols oam ethernet link-fault-management]
user@switch# set interface pdu-interval interval
4. Specify the number of OAM PDUs that an interface can miss before the link between
peers is considered down:
[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name pdu-threshold threshold-value
5. Configure event threshold values on an interface for the local errors that trigger the
sending of link event TLVs:
• Set the threshold value (in seconds) for sending frame-error events or taking the
action specified in the action profile:
[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name event-thresholds frame-error count
• Set the threshold value (in seconds) for sending frame-period events or taking the
action specified in the action profile:
[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name event-thresholds frame-period count
• Set the threshold value (in seconds) for sending frame-period-summary events or
taking the action specified in the action profile:
[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name event-thresholds frame-period-summary count
• Set the threshold value (in seconds) for sending symbol-period events or taking
the action specified in the action profile:
[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name event-thresholds symbol-period count
NOTE: You can disable the sending of link event TLVs.
To disable the sending of link event TLVs:
[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name negotiation-options no-allow-link-events
6. Create an action profile that defines the event fault flags and thresholds, and the
actions to be taken when the link fault event occurs. Then apply the action profile to
one or more interfaces. (You can also apply multiple action profiles to a single interface.)
a. Name the action profile:
[edit protocols oam ethernet link-fault-management]
user@switch# set action-profile profile-name
b. Specify actions to be taken by the system when the link fault event occurs:
[edit protocols oam ethernet link-fault-management]
user@switch# set action-profile profile-name action syslog
user@switch# set action-profile profile-name action link-down
c. Specify events for the action profile:
[edit protocols oam ethernet link-fault-management]
user@switch# set action-profile profile-name event link-adjacency-loss
NOTE: For each action profile, you must specify at least one link event
and one action. The actions are taken only when all of the events in the
action profile are true. If more than one action is specified, all actions are
executed. You can set a low threshold for a specific action such as logging
the error and set a high threshold for another action such as system logging.
7. Set a remote interface into loopback mode so that all frames except OAM PDUs are
looped back without any changes made to the frames. Set the remote DTE in loopback
mode (the remote DTE must support remote-loopback mode) and then enable remote
loopback support for the local interface.
[edit protocols oam ethernet link-fault-management]
user@switch# set interface interface-name remote-loopback
user@switch# set interface interface-name negotiation-options allow-remote-loopback
Related Documentation
• Example: Configuring Ethernet OAM Link Fault Management
• Understanding Ethernet OAM Link Fault Management on page 23
CHAPTER 4
Ethernet OAM Connectivity Fault Management
• Understanding Ethernet OAM Connectivity Fault Management for an EX Series Switch
• Example: Configuring Ethernet OAM Connectivity Fault Management on EX Series Switches
• Configuring Ethernet OAM Connectivity Fault Management (CLI Procedure)
Understanding Ethernet OAM Connectivity Fault Management for an EX Series Switch
Supported Platforms
EX Series
Ethernet interfaces on Juniper Networks EX Series Ethernet Switches and Juniper Networks
Junos operating system (Junos OS) for EX Series switches support the IEEE 802.1ag
standard for Operation, Administration, and Management (OAM). The IEEE 802.1ag
specification provides for Ethernet connectivity fault management (CFM). CFM monitors
Ethernet networks that might comprise one or more service instances for
network-compromising connectivity faults.
The major features of CFM are:
• Fault monitoring using the continuity check protocol. This is a neighbor discovery and
health check protocol that discovers and maintains adjacencies at the VLAN or link
level.
• Path discovery and fault verification using the linktrace protocol.
• Fault isolation using the loopback protocol.
CFM partitions the service network into various administrative domains. For example,
operators, providers, and customers might be part of different administrative domains.
Each administrative domain is mapped into one maintenance domain providing enough
information to perform its own management, thus avoiding security breaches and making
end-to-end monitoring possible.
In a CFM maintenance domain, each service instance is called a maintenance association.
A maintenance association can be thought of as a full mesh of maintenance association
endpoints (MEPs) having similar characteristics. MEPs are active CFM entities generating
and responding to CFM protocol messages. There is also a maintenance intermediate
point (MIP), which is a CFM entity similar to the MEP, but more passive (MIPs only respond
to CFM messages).
Each maintenance domain is associated with a maintenance domain level from 0 through
7. Level allocation is based on the network hierarchy, where outer domains are assigned
a higher level than the inner domains. Configure customer end points to have the highest
maintenance domain level. The maintenance domain level is a mandatory parameter
that indicates the nesting relationships between various maintenance domains. The level
is embedded in each CFM frame. CFM messages within a given level are processed by
MEPs at that same level.
To enable CFM on an Ethernet interface, you must configure maintenance domains,
maintenance associations, and maintenance association end points (MEPs).
Figure 1 on page 54 shows the relationships among maintenance domains, maintenance
association end points (MEPs), and maintenance intermediate points (MIPs) configured
on a switch.
Figure 1: Relationship Among MEPs, MIPs, and Maintenance Domain Levels
Related Documentation
• Configuring Ethernet OAM Connectivity Fault Management (CLI Procedure) on page 59
• Junos OS Network Interfaces Configuration Guide
Example: Configuring Ethernet OAM Connectivity Fault Management on EX Series Switches
Supported Platforms
EX Series
Ethernet interfaces on EX Series switches and Junos OS for EX Series switches support
the IEEE 802.1ag standard for Operation, Administration, and Management (OAM). The
IEEE 802.1ag specification provides for Ethernet connectivity fault management (CFM).
This example describes how to enable and configure OAM CFM on a Gigabit Ethernet
interface:
• Requirements
• Overview and Topology
• Configuring Ethernet OAM Connectivity Fault Management on Switch 1
• Configuring Ethernet OAM Connectivity Fault Management on Switch 2
• Verification
Requirements
This example uses the following hardware and software components:
• Junos OS Release 10.2 or later for EX Series switches
• Two EX Series switches connected by a point-to-point Gigabit Ethernet link
Overview and Topology
CFM can be used to monitor the physical link between two switches. In the following
example, two switches are connected by a point-to-point Gigabit Ethernet link. The link
between these two switches is monitored using CFM.
Configuring Ethernet OAM Connectivity Fault Management on Switch 1
CLI Quick Configuration
To quickly configure Ethernet OAM CFM, copy the following commands and paste them
into the switch terminal window:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain]
set name-format character-string
set maintenance-domain private level 0
set maintenance-association private-ma
set continuity-check hold-interval 1s
Step-by-Step Procedure
To enable and configure OAM CFM on switch 1:
1. Specify the maintenance domain name format:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain]
user@switch1# set name-format character-string
2. Specify the maintenance domain name and the maintenance domain level:
[edit protocols oam ethernet connectivity-fault-management]
user@switch1# set maintenance-domain private level 0
3. Create a maintenance association:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
private]
user@switch1# set maintenance-association private-ma
4. Enable the continuity check protocol and specify the continuity check hold interval:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
private maintenance-association private-ma]
user@switch1# set continuity-check hold-interval 1s
5. Configure the maintenance association end point (MEP):
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
private maintenance-association private-ma]
user@switch1# set mep 100 interface ge-1/0/1 auto-discovery direction down
Results
Check the results of the configuration.
[edit]
user@switch1 > show
protocols {
    oam {
        ethernet {
            connectivity-fault-management {
                maintenance-domain private {
                    level 0;
                    maintenance-association private-ma {
                        continuity-check {
                            interval 1s;
                        }
                        mep 100 {
                            interface ge-1/0/1;
                            auto-discovery;
                            direction down;
                        }
                    }
                }
            }
        }
    }
}
Configuring Ethernet OAM Connectivity Fault Management on Switch 2
CLI Quick Configuration
To quickly configure Ethernet OAM CFM, copy the following commands and paste them
into the switch terminal window:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain]
set name-format character-string
set maintenance-domain private level 0
set maintenance-association private-ma
set continuity-check hold-interval 1s
Step-by-Step Procedure
The configuration on switch 2 mirrors that on switch 1.
1. Specify the maintenance domain name format:
[edit protocols oam ethernet connectivity-fault-management]
user@switch2# set name-format character-string
2. Specify the maintenance domain name and the maintenance domain level:
[edit protocols oam ethernet connectivity-fault-management]
user@switch2# set maintenance-domain private level 0
3. Create a maintenance association:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
private]
user@switch2# set maintenance-association private-ma
4. Enable the continuity check protocol and specify the continuity check hold interval:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
private maintenance-association private-ma]
user@switch2# set continuity-check hold-interval 1s
5. Configure the maintenance association end point (MEP):
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
private maintenance-association private-ma]
user@switch2# set mep 200 interface ge-0/2/5 auto-discovery direction down
Results
Check the results of the configuration.
[edit]
user@switch2 > show
protocols {
    oam {
        ethernet {
            connectivity-fault-management {
                maintenance-domain private {
                    level 0;
                    maintenance-association private-ma {
                        continuity-check {
                            interval 1s;
                        }
                        mep 200 {
                            interface ge-0/2/5;
                            auto-discovery;
                            direction down;
                        }
                    }
                }
            }
        }
    }
}
Verification
To confirm that the configuration is working properly, perform these tasks:
• Verifying That OAM CFM Has Been Configured Properly
Verifying That OAM CFM Has Been Configured Properly
Purpose
Verify that OAM CFM has been configured properly.
Action
Use the show oam ethernet connectivity-fault-management interfaces detail command:
user@switch1> show oam ethernet connectivity-fault-management interfaces detail
Sample Output
Interface name: ge-1/0/1.0, Interface status: Active, Link status: Up
Maintenance domain name: private, Format: string, Level: 0
Maintenance association name: private-ma, Format: string
Continuity-check status: enabled, Interval: 1ms, Loss-threshold: 3 frames
MEP identifier: 100, Direction: down, MAC address: 00:90:69:0b:4b:94
MEP status: running
Defects:
  Remote MEP not receiving CCM          : no
  Erroneous CCM received                : yes
  Cross-connect CCM received            : no
  RDI sent by some MEP                  : yes
Statistics:
  CCMs sent                             : 76
  CCMs received out of sequence         : 0
  LBMs sent                             : 0
  Valid in-order LBRs received          : 0
  Valid out-of-order LBRs received      : 0
  LBRs received with corrupted data     : 0
  LBRs sent                             : 0
  LTMs sent                             : 0
  LTMs received                         : 0
  LTRs sent                             : 0
  LTRs received                         : 0
  Sequence number of next LTM request   : 0
Remote MEP count: 2
  Identifier    MAC address          State    Interface
  2001          00:90:69:0b:7f:71    ok       ge-0/2/5.0
Meaning
When the output displays that continuity-check status is enabled and displays details
of the remote MEP, it means that connectivity fault management (CFM) has been
configured properly.
Related Documentation
• Understanding Ethernet OAM Connectivity Fault Management for an EX Series Switch
on page 53
• Junos OS Network Interfaces Configuration Guide
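The Meaning paragraph of the verification task keys on the continuity-check status and the remote MEP details; the same output also carries defect flags and a remote MEP count that are worth checking. The Python below is an added example, not Juniper code: it parses an abridged copy of the sample output (the one-field-per-line layout is an assumption) and reports each condition; `parse_cfm_detail`, `detection_window_ms` and `assess` are names chosen here.

```python
import re

# Constructed input: the page's sample output, abridged, one field per line
# (that layout is an assumption about how the CLI prints it).
SAMPLE = """\
Interface name: ge-1/0/1.0, Interface status: Active, Link status: Up
  Maintenance domain name: private, Format: string, Level: 0
  Maintenance association name: private-ma, Format: string
  Continuity-check status: enabled, Interval: 1ms, Loss-threshold: 3 frames
  MEP identifier: 100, Direction: down, MAC address: 00:90:69:0b:4b:94
  MEP status: running
  Defects:
    Remote MEP not receiving CCM          : no
    Erroneous CCM received                : yes
    Cross-connect CCM received            : no
    RDI sent by some MEP                  : yes
  Statistics:
    CCMs sent                             : 76
    CCMs received out of sequence         : 0
  Remote MEP count: 2
    Identifier    MAC address          State    Interface
    2001          00:90:69:0b:7f:71    ok       ge-0/2/5.0
"""

UNIT_MS = {"ms": 1, "s": 1000, "m": 60000}


def parse_cfm_detail(text):
    """Split the detail output into header fields, defects, statistics, remote MEPs."""
    info = {"fields": {}, "defects": {}, "statistics": {}, "remote_meps": []}
    section = "fields"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Defects:", "Statistics:"):
            section = line[:-1].lower()
        elif line.startswith("Remote MEP count:"):
            info["fields"]["Remote MEP count"] = line.split(":", 1)[1].strip()
            section = "remote"
        elif section == "remote":
            cols = line.split()
            # The column header does not start with a number and is skipped.
            if len(cols) == 4 and cols[0].isdigit():
                info["remote_meps"].append(
                    dict(zip(("id", "mac", "state", "interface"), cols)))
        elif section in ("defects", "statistics"):
            key, _, value = line.rpartition(":")
            info[section][key.strip()] = value.strip()
        else:
            # Header lines are comma-separated "Key: value" pairs; splitting on
            # ": " (with the space) keeps MAC addresses intact.
            for part in line.split(", "):
                key, _, value = part.partition(": ")
                info["fields"][key.strip()] = value.strip()
    return info


def detection_window_ms(info):
    """Interval times loss-threshold: how long CCMs may be missing before a
    remote MEP is marked down (assumption drawn from the loss-threshold text)."""
    match = re.fullmatch(r"(\d+)(ms|s|m)", info["fields"].get("Interval", ""))
    if match is None:
        raise ValueError("unrecognised CCM interval")
    threshold = int(info["fields"]["Loss-threshold"].split()[0])
    return int(match.group(1)) * UNIT_MS[match.group(2)] * threshold


def assess(info):
    """Return a list of findings; an empty list means nothing to follow up."""
    findings = []
    fields = info["fields"]
    if fields.get("Continuity-check status") != "enabled":
        findings.append("continuity check is not enabled")
    if not info["remote_meps"]:
        findings.append("no remote MEP listed")
    for mep in info["remote_meps"]:
        if mep["state"] != "ok":
            findings.append(f"remote MEP {mep['id']} state is {mep['state']}")
    declared = int(fields.get("Remote MEP count", 0))
    if declared != len(info["remote_meps"]):
        findings.append(
            f"remote MEP count is {declared} but {len(info['remote_meps'])} listed")
    for name, value in info["defects"].items():
        if value == "yes":
            findings.append(f"defect flag set: {name}")
    return findings


if __name__ == "__main__":
    parsed = parse_cfm_detail(SAMPLE)
    print("detection window (ms):", detection_window_ms(parsed))
    for finding in assess(parsed):
        print("check:", finding)
```

Run against the sample, the check passes both conditions named in the Meaning paragraph and still reports two defect flags and a count mismatch.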
Configuring Ethernet OAM Connectivity Fault Management (CLI Procedure)
Supported Platforms
EX Series
Ethernet interfaces on Juniper Networks EX Series Ethernet Switches and Juniper Networks
Junos OS for EX Series switches support the IEEE 802.1ag standard for Operation,
Administration, and Management (OAM). The IEEE 802.1ag specification provides for
Ethernet connectivity fault management (CFM).
This topic describes these tasks:
1. Creating the Maintenance Domain
2. Configuring the Maintenance Domain MIP Half Function
3. Creating a Maintenance Association
4. Configuring the Continuity Check Protocol
5. Configuring a Maintenance Association End Point
6. Configuring a Connectivity Fault Management Action Profile
7. Configuring the Linktrace Protocol
Creating the Maintenance Domain
A maintenance domain comprises network entities such as operators, providers, and
customers. To enable connectivity fault management (CFM) on an Ethernet interface,
you must create maintenance domains, maintenance associations, and MEPs.
To create a maintenance domain:
1. Specify a name for the maintenance domain:
[edit protocols oam ethernet connectivity-fault-management]
user@switch# set maintenance-domain domain-name
2. Specify a format for the maintenance domain name. If you specify none, no name is
configured:
• A plain ASCII character string
• A domain name service (DNS) format
• A media access control (MAC) address plus a two-octet identifier in the range 0
through 65,535
• none
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name]
user@switch# set name-format format
For example, to specify the name format as MAC address plus a two-octet identifier:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name]
user@switch# set name-format mac+2oct
3. Configure the maintenance domain level, which is used to indicate the nesting
relationship between this domain and other domains. Use a value from 0 through 7:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name]
user@switch# set level level
Configuring the Maintenance Domain MIP Half Function
MIP Half Function (MHF) divides the maintenance association intermediate point (MIP)
functionality into two unidirectional segments, improves visibility with minimal
configuration, and improves network coverage by increasing the number of points that
can be monitored. MHF extends monitoring capability by responding to loop-back and
link-trace messages to help isolate faults. Whenever a MIP is configured, the MIP half
function value for all maintenance domains and maintenance associations must be the
same.
To configure the MIP half function:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name]
user@switch# set mip-half-function (none | default | explicit)
Creating a Maintenance Association
In a CFM maintenance domain, each service instance is called a maintenance association.
To create a maintenance association:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name]
user@switch# set maintenance-association ma-name
Configuring the Continuity Check Protocol
The continuity check protocol is used for fault detection by a maintenance association
end point (MEP) within a maintenance association. The MEP periodically sends continuity
check multicast messages. The receiving MEPs use the continuity check messages (CCMs)
to build a MEP database of all MEPs in the maintenance association.
To configure the continuity check protocol:
1. Enable the continuity check protocol:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name]
user@switch# set continuity-check
2. Specify the continuity check hold interval. The hold interval is the number of minutes
to wait before flushing the MEP database if no updates occur. The default value is 10
minutes.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name continuity-check]
user@switch# set hold-interval number
3. Specify the CCM interval. The interval is the time between the transmission of CCMs.
You can specify 10 minutes (10m), 1 minute (1m), 10 seconds (10s), 1 second (1s), 100
milliseconds (100ms), or 10 milliseconds (10ms).
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name continuity-check]
user@switch# set interval number
4. Specify the number of CCMs (that is, protocol data units) that can be lost before the
MEP is marked as down. The default number of protocol data units (PDUs) is 3.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name continuity-check]
user@switch# set loss-threshold number
Configuring a Maintenance Association End Point
To configure a maintenance association end point:
1. Specify an ID for the MEP. The value can be from 1 through 8191.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name]
user@switch# set mep mep-id
2. Enable maintenance endpoint automatic discovery if you want to have the MEP accept
continuity check messages (CCMs) from all remote MEPs of the same maintenance
association:
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name mep mep-id]
user@switch# set auto-discovery
3. You can specify that CFM packets (CCMs) be transmitted only in one direction for the
MEP, that is, the direction be set as down so that CCMs are transmitted only out of
(not into) the interface configured on this MEP.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name mep mep-id]
user@switch# set direction down
4. Specify the logical interface to which the MEP is attached. It can be either an access
interface or a trunk interface. If you specify a trunk interface, the VLAN associated
with that interface must have a VLAN ID.
NOTE: You cannot associate an access interface that belongs to multiple
VLANs with the MEP.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name mep mep-id]
user@switch# set interface interface-name
5. You can configure a remote MEP from which CCMs are expected. If autodiscovery is
not enabled, the remote MEP must be configured under the mep statement. If the
remote MEP is not configured under the mep statement, the CCMs from the remote
MEP are treated as errors.
[edit protocols oam ethernet connectivity-fault-management maintenance-domain
domain-name maintenance-association ma-name mep mep-id]
user@switch# set remote-mep mep-id
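How the continuity-check and MEP settings from the two procedures above interact, as an added Python model that is not Juniper code. It follows only what this page states (same-level processing, auto-discovery versus remote-mep, loss-threshold, hold-interval); `LocalMep` and its method names are hypothetical, and using interval times loss-threshold as the down timer is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class LocalMep:
    mep_id: int
    level: int                       # maintenance domain level, 0 through 7
    interval_s: float = 1.0          # continuity-check interval (1s)
    loss_threshold: int = 3          # page default: 3 PDUs
    hold_interval_min: int = 10      # page default: 10 minutes
    auto_discovery: bool = False
    remote_meps: set = field(default_factory=set)   # IDs set with remote-mep
    database: dict = field(default_factory=dict)    # remote MEP ID -> last CCM time (s)
    errors: int = 0

    def receive_ccm(self, sender_id, level, now):
        """Classify one received CCM as 'accepted', 'error' or 'not-processed'."""
        if level != self.level:
            # The page says messages are processed by MEPs at the same level;
            # what happens to other levels is outside this model.
            return "not-processed"
        if not self.auto_discovery and sender_id not in self.remote_meps:
            # Without auto-discovery, a CCM from a remote MEP that is not
            # configured under the mep statement is treated as an error.
            self.errors += 1
            return "error"
        self.database[sender_id] = now
        return "accepted"

    def remote_state(self, now):
        """Return {remote MEP ID: 'ok' | 'down'} at time `now` (seconds)."""
        # Flush the MEP database when no update arrived within the hold interval.
        if self.database and now - max(self.database.values()) > self.hold_interval_min * 60:
            self.database.clear()
        window = self.interval_s * self.loss_threshold
        states = {}
        for mep_id in sorted(self.remote_meps | set(self.database)):
            seen = self.database.get(mep_id)
            alive = seen is not None and now - seen <= window
            states[mep_id] = "ok" if alive else "down"
        return states


if __name__ == "__main__":
    # Constructed scenario: MEP 100 expects only MEP 200; MEP 2001 is unexpected.
    strict = LocalMep(mep_id=100, level=0, remote_meps={200})
    print(strict.receive_ccm(200, 0, now=0.0))    # accepted
    print(strict.receive_ccm(2001, 0, now=0.5))   # error
    print(strict.remote_state(now=3.5))           # {200: 'down'}

    # With auto-discovery the same unexpected MEP is learned instead.
    learning = LocalMep(mep_id=100, level=0, auto_discovery=True)
    print(learning.receive_ccm(2001, 0, now=0.0)) # accepted
```

The contrast between the two instances is the operational choice: auto-discovery learns any remote MEP in the maintenance association, while an explicit remote-mep list turns CCMs from anything else into counted errors.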
Configuring a Connectivity Fault Management Action Profile
You can configure an action profile and specify the action to be taken when any of the
configured events occur. Alternatively, you can configure an action profile and specify
default actions when connectivity to a remote MEP fails.
To configure an action profile:
1. Specify a name for an action profile:
[edit protocols oam ethernet connectivity-fault-management]
user@switch# set action-profile profile-name
2. Configure the action of the action profile:
[edit protocols oam ethernet connectivity-fault-management action-profile
profile-name]
user@switch# set action interface-down
3. Configure one or more events under the action profile, the occurrence of which will
trigger the corresponding action to be taken:
[edit protocols oam ethernet connectivity-fault-management action-profile
profile-name]
user@switch# set event event
See Junos OS Network Interfaces Configuration Guide
Configuring the Linktrace Protocol
The linktrace protocol is used for path discovery between a pair of maintenance points.
Linktrace messages are triggered by an administrator using the traceroute command to
verify the path between a pair of MEPs under the same maintenance association. Linktrace
messages can also be used to verify the path between a MEP and a MIP under the same
maintenance domain.
To configure the linktrace protocol:
1. Configure the linktrace path age timer. If no response to a linktrace request is received,
the request and response entries are deleted after the age timer expires:
[edit protocols oam ethernet connectivity-fault-management]
user@switch# set linktrace age time
2. Configure the number of linktrace reply entries to be stored per linktrace request:
[edit protocols oam ethernet connectivity-fault-management]
user@switch# set linktrace path-database-size path-database-size
Related Documentation
• Example: Configuring Ethernet OAM Connectivity Fault Management on EX Series
Switches on page 44
• Understanding Ethernet OAM Connectivity Fault Management for an EX Series Switch
on page 53
• Junos OS Network Interfaces Configuration Guide
PART 3
Uplink Failure Detection
• Uplink Failure Detection Overview
• Configuring Uplink Failure Detection
CHAPTER 5
Uplink Failure Detection Overview
• Understanding Uplink Failure Detection
Understanding Uplink Failure Detection
Supported Platforms
EX Series
Uplink failure detection allows Juniper Networks EX Series Ethernet Switches to detect
link failure on uplink interfaces and to propagate the failure to the downlink interfaces
so that servers connected to those downlink interfaces can switch over to secondary
interfaces.
Uplink failure detection supports network adapter teaming and provides network
redundancy. In network adapter teaming, all the network interface cards (NICs) on a
server are configured in a primary or secondary relationship and share the same IP address.
When the primary link goes down, the server transparently shifts the connection to the
secondary link. With uplink failure detection, the switch monitors uplink interfaces for
link failures. When it detects a failure, it disables the downlink interfaces. When the server
detects disabled downlink interfaces, it switches over to the secondary link to help ensure
balanced traffic flow on switches.
This topic describes:
• Uplink Failure Detection Overview
• Failure Detection Pair
Uplink Failure Detection Overview
Uplink failure detection allows switches to monitor uplink interfaces to spot link failures.
When a switch detects a link failure, it automatically disables the downlink interfaces in
that group. The server that is connected to the disabled downlink interfaces triggers a
network-adapter failover to a secondary link to avoid any information drop.
Figure 2 on page 68 illustrates a typical setup for uplink failure detection.
Figure 2: Uplink Failure Detection Configuration on Switches
[Figure not reproduced. Labels: Switch, Switch, link-to-monitor, Switch 1, Switch 2, link-to-disable, Server, NIC 1, NIC 2]
For uplink failure detection, you specify a group of uplink interfaces to be monitored and
downlink interfaces to be brought down when an uplink fails. The downlink interfaces
are bound to the uplink interfaces within the group. If all uplink interfaces in a group go
down, then the switch brings down all downlink interfaces within that group. If any uplink
interface returns to service, then the switch brings all downlink interfaces in that group
back to service.
NOTE: Routed VLAN interfaces (RVIs) cannot be configured as uplink
interfaces to be monitored.
The switch can monitor both physical-interface links and logical-interface links for uplink
failures, but you must put the two types of interfaces in separate groups.
NOTE: To detect failure of logical interfaces, the server must run some high
level protocol such as keepalives between the switch and the server.
Failure Detection Pair
Uplink failure detection requires that you create groups that contain uplink interfaces
and downlink interfaces. Each group includes one of each of the following:
• A link-to-monitor interface—The link-to-monitor interfaces specify the uplink interfaces
the switch monitors. You can configure a maximum of 48 uplink interfaces as
link-to-monitor in a group.
• A link-to-disable interface—The link-to-disable interfaces specify the downlink
interfaces the switch disables when the switch detects an uplink failure. You can
configure a maximum of 48 downlink interfaces as link-to-disable in a group.
The link-to-disable interfaces are bound to the link-to-monitor interfaces within the
group. When a link-to-monitor interface returns to service, the switch automatically
enables all link-to-disable interfaces in the group.
Related Documentation
• Configuring Interfaces for Uplink Failure Detection (CLI Procedure) on page 71
CHAPTER 6
Configuring Uplink Failure Detection
• Configuring Interfaces for Uplink Failure Detection (CLI Procedure)
• Verifying That Uplink Failure Detection Is Working Correctly
Configuring Interfaces for Uplink Failure Detection (CLI Procedure)
Supported Platforms
EX Series
You can configure uplink failure detection on EX Series switches to help ensure balanced
traffic flow. Using this feature, switches can monitor and detect link failure on uplink
interfaces and can propagate the failure to downlink interfaces so that servers connected
to those downlink interfaces can switch over to secondary interfaces.
Follow these configuration guidelines:
• You can configure a maximum of 48 groups for each switch.
• You can configure a maximum of 48 uplink interfaces and 48 downlink interfaces in
each group.
• You can configure physical links and logical links in separate groups.
• Ensure that all the interfaces in the group are up. If the interfaces are down, uplink
failure detection does not work.
NOTE: Routed VLAN interfaces (RVIs) cannot be configured as uplink
interfaces to be monitored.
To configure uplink failure detection on a switch:
1. Specify a name for the group:
[edit protocols]
user@switch# set uplink-failure-detection group group-name
2. Add an uplink interface to the group:
[edit protocols]
user@switch# set uplink-failure-detection group group-name link-to-monitor interface-name
3. Repeat Step 2 for adding each uplink interface to the group.
NOTE: An interface can be configured as link-to-monitor in multiple groups.
4. Add a downlink interface to the group:
[edit protocols]
user@switch# set uplink-failure-detection group group-name link-to-disable interface-name
5. Repeat Step 4 for adding each downlink interface to the group.
NOTE: After you have configured a group, use the show
uplink-failure-detection group group-name command to verify that all
interfaces in the group are up.
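The group rules from this procedure and from the Failure Detection Pair section, as added Python that is not Juniper code: `validate` checks a planned configuration against the guidelines, and `evaluate` applies the rule that downlinks are disabled only when every uplink in the group is down. The group dictionary layout is constructed for this example, and treating a name with a unit suffix as a logical interface and `vlan.` names as RVIs are assumptions.

```python
MAX_GROUPS = 48
MAX_UPLINKS = 48
MAX_DOWNLINKS = 48


def is_logical(name):
    # Assumption: a unit suffix such as ge-0/0/0.0 marks a logical interface.
    return "." in name


def is_rvi(name):
    # Assumption: routed VLAN interfaces are named vlan.<unit>.
    return name.startswith("vlan.")


def validate(groups):
    """Return the guideline violations found in {group: {role: [interfaces]}}."""
    problems = []
    if len(groups) > MAX_GROUPS:
        problems.append(f"{len(groups)} groups configured (maximum {MAX_GROUPS})")
    for name, group in groups.items():
        uplinks = group.get("link-to-monitor", [])
        downlinks = group.get("link-to-disable", [])
        if not uplinks or not downlinks:
            problems.append(f"{name}: needs a link-to-monitor and a link-to-disable")
        if len(uplinks) > MAX_UPLINKS:
            problems.append(
                f"{name}: {len(uplinks)} link-to-monitor interfaces (maximum {MAX_UPLINKS})")
        if len(downlinks) > MAX_DOWNLINKS:
            problems.append(
                f"{name}: {len(downlinks)} link-to-disable interfaces (maximum {MAX_DOWNLINKS})")
        # Physical and logical links must be in separate groups.
        if len({is_logical(i) for i in uplinks + downlinks}) > 1:
            problems.append(f"{name}: mixes physical and logical interfaces")
        for interface in uplinks:
            if is_rvi(interface):
                problems.append(f"{name}: RVI {interface} cannot be link-to-monitor")
    return problems


def evaluate(groups, link_up):
    """Apply the failure rule. `link_up` maps interface name to True/False;
    an interface missing from the map is treated as down."""
    status = {}
    for name, group in groups.items():
        any_uplink_alive = any(link_up.get(i, False) for i in group["link-to-monitor"])
        status[name] = {
            "failure_action": "Inactive" if any_uplink_alive else "Active",
            "disabled": [] if any_uplink_alive else list(group["link-to-disable"]),
        }
    return status


# Constructed sample: ge-0/0/0 is monitored by two groups, which the page allows.
GROUPS = {
    "group1": {"link-to-monitor": ["ge-0/0/0", "ge-0/0/2"],
               "link-to-disable": ["ge-0/0/1"]},
    "group2": {"link-to-monitor": ["ge-0/0/0"],
               "link-to-disable": ["ge-0/0/3"]},
}

if __name__ == "__main__":
    print(validate(GROUPS))
    # ge-0/0/0 fails: group1 still has ge-0/0/2, group2 has no uplink left.
    print(evaluate(GROUPS, {"ge-0/0/0": False, "ge-0/0/2": True}))
```

A group with a second uplink survives the loss of the shared one, which is why the server behind `group2` fails over while the server behind `group1` does not.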
Related Documentation
• Verifying That Uplink Failure Detection Is Working Correctly on page 72
• Understanding Uplink Failure Detection on page 67
Verifying That Uplink Failure Detection Is Working Correctly
Supported Platforms
EX Series
Purpose
Verify that the switch disables the downlink interface when it detects an uplink failure.
Action
1. View the current uplink-failure-detection status:
user@switch> show uplink-failure-detection
Group           : group1
Uplink          : ge-0/0/0*
Downlink        : ge-0/0/1*
Failure Action  : Inactive
NOTE: The asterisk (*) indicates that the link is up.
2. Disable the uplink interface:
[edit]
user@switch# set interfaces ge-0/0/0 disable
3. Save the configuration on the switch.
4. View the current uplink-failure-detection status:
user@switch> show uplink-failure-detection
Group           : group1
Uplink          : ge-0/0/0
Downlink        : ge-0/0/1
Failure Action  : Active
Meaning
The output in Step 1 shows that the uplink interface is up, and hence that the downlink
interface is also up, and that the status of Failure Action is Inactive.
The output in Step 4 shows that both the uplink and downlink interfaces are down and
that the status of Failure Action is changed to Active. This output shows that uplink failure
detection is working.
Related Documentation
• Configuring Interfaces for Uplink Failure Detection (CLI Procedure) on page 71
• Understanding Uplink Failure Detection on page 67
PART 4
Network Monitoring Using SNMP
• SNMP Overview
• SNMP MIBs and Traps Supported by Junos OS
• Configuring Basic SNMP
• Configuring SNMPv3
• Configuring SNMP for Routing Instances
• Configuring SNMP Remote Operations
• Tracing SNMP Activity
CHAPTER 7
SNMP Overview
• Understanding SNMP Implementation in Junos OS
• Understanding the Implementation of SNMP
• SNMPv3 Overview
• SNMPv3 Overview
• Loading MIB Files to a Network Management System
• Show SNMP
• Junos OS SNMP FAQ Overview
• Junos OS SNMP FAQs
Understanding SNMP Implementation in Junos OS
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX
Do you use a central network management system (NMS)? Most NMSs use a version
of Simple Network Management Protocol (SNMP) to monitor the status of Junos
OS devices, which send unsolicited messages called traps. You can configure the IP
address of your NMS so that Junos OS can send its traps to it.
SNMP uses a very basic form of authentication called community strings to control access
between a manager and remote agents. Community strings are administrative names
used to group collections of devices (and the agents running on them) into common
management domains. If a manager and an agent share the same community, they can
talk to one another.
Many people associate SNMP community strings with passwords and keys because the
jobs they do are similar. As a result, SNMP communities are traditionally referred to as
strings. The community string is the first level of management authentication implemented
by the SNMP agent in Junos OS.
You might also want to configure remote logging on your device. Junos OS uses a system
log (syslog) mechanism similar to many Unix devices to forward log messages to a
specified log host address. This allows each of your devices to forward their messages
to one central host, making it easier to monitor the network as a whole. Syslog is a very
flexible and rich way of logging messages and is used by many device vendors to
supplement the information provided by SNMP traps.
A typical SNMP implementation includes three components:
• Managed device
• SNMP agent
• Network management system (NMS)
A managed device is any device on a network, also known as a network element, that is
managed by the network management system. Routers and switches are common
examples of managed devices. The SNMP agent is the SNMP process that resides on
the managed device and communicates with the network management system. The
NMS is a combination of hardware and software that is used to monitor and administer
a network.
The SNMP data is stored in a highly structured, hierarchical format known as a
management information base (MIB). The MIB structure is based on a tree structure,
which defines a grouping of objects into related sets. Each object in the MIB is associated
with an object identifier (OID), which names the object. The “leaf” in the tree structure
is the actual managed object instance, which represents a resource, event, or activity
that occurs in your network device.
The SNMP agent exchanges network management information with SNMP manager
software running on an NMS, or host. The agent responds to requests for information
and actions from the manager. The agent also controls access to the agent’s MIB, the
collection of objects that can be viewed or changed by the SNMP manager.
The SNMP manager collects information about network connectivity, activity, and events
by polling managed devices.
Communication between the agent and the manager occurs in one of the following
forms:
• Get, GetBulk, and GetNext requests—The manager requests information from the agent.
The agent returns the information in a Get response message.
• Set requests—The manager changes the value of a MIB object controlled by the agent.
The agent indicates status in a Set response message.
• Traps notification—The agent sends traps to notify the manager of significant events
that occur on the network device.
The SNMP implementation in Junos OS contains:
• A master SNMP agent (known as the SNMP process or snmpd) that resides on the
managed device and is managed by the NMS or host.
• Various subagents that reside on different modules of Junos OS, such as the Routing
Engine, and are managed by the master SNMP agent (snmpd).
NOTE: By default, SNMP is not enabled on devices running Junos OS. For
information about enabling SNMP on a device running the Junos OS, see
“Configuring SNMP on Devices Running Junos OS” on page 183.
The SNMP implementation in Junos OS uses both standard (developed by the IETF and
documented in RFCs) and enterprise-specific (developed and supported by specific
vendors) MIBs.
In Junos OS, the management data is maintained by the snmpd at one level (for example,
snmpVacmMIB and snmpUsmMIB), and the subagents at the next level (for example,
routing MIBs and RMON MIBs). However, there is another level of data that is maintained
neither by the master agent nor by the subagents. In such cases, the data is maintained
by the Junos OS processes that share the data with the subagents when polled for SNMP
data. Interface-related MIBs and Firewall MIBs are good examples of data maintained
by Junos OS processes.
When a network management system polls the master agent for data, the master agent
immediately shares the data with the network management system if the requested data
is available with the master agent or one of the subagents. However, if the requested
data does not belong to those categories that are maintained by the master agent or the
subagents, the subagent polls the Junos OS kernel or the process that maintains that
data. On receiving the required data, the subagent passes the response back to the
master agent, which in turn passes it to the NMS.
The following illustration shows the communication flow among the NMS, SNMP process
(snmpd), SNMP subagents, and the Junos OS processes.
When a significant event, most often an error or a failure, occurs on a network device,
the SNMP agent sends notifications to the SNMP manager. The SNMP implementation
in Junos OS supports two types of notifications: traps and informs. Traps are unconfirmed
notifications, whereas informs are confirmed notifications. Informs are supported only
on devices that support SNMP version 3 (SNMPv3) configuration.
Junos OS supports trap queuing to ensure that traps are not lost because of temporary
unavailability of routes. Two types of queues, destination queues and a throttle queue,
are formed to ensure delivery of traps and to control the trap traffic.
Junos OS forms a destination queue when a trap to a particular destination is returned
because the host is not reachable, and adds the subsequent traps to the same destination
to the queue. Junos OS checks for availability of routes every 30 seconds and sends the
traps from the destination queue in a round-robin fashion.
If the trap delivery fails, the trap is added back to the queue, and the delivery attempt
counter and the next delivery attempt timer for the queue are reset. Subsequent attempts
occur at progressive intervals of 1 minute, 2 minutes, 4 minutes, and 8 minutes. The
maximum delay between the attempts is 8 minutes, and the maximum number of
attempts is 10. After 10 unsuccessful attempts, the destination queue and all the traps
in the queue are deleted.
Junos OS also has a throttle mechanism to control the number of traps (throttle threshold;
default value of 500 traps) sent during a particular time period (throttle interval; default
of 5 seconds) and to ensure consistency in trap traffic, especially when a large number of
traps are generated because of interface status changes. The throttle interval period
begins when the first trap arrives at the throttle. All traps within the trap threshold are
processed, and the traps beyond the threshold limit are queued.
The maximum size of trap queues—that is, throttle queue and destination queue put
together—is 40,000. However, on EX Series Ethernet Switches, the maximum size of the
trap queue is 1,000. The maximum size of any one queue is 20,000 for devices other
than EX Series Switches. On EX Series Switches, the maximum size of one queue is 500.
When a trap is added to the throttle queue, or if the throttle queue has exceeded the
maximum size, the trap is added back on top of the destination queue, and all subsequent
attempts from the destination queue are stopped for a 30-second period, after which
the destination queue restarts sending the traps.
Related Documentation
• FAQ: SNMP Support on Junos OS
• Configuring SNMP on Devices Running Junos OS on page 183
• Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on
a Device Running Junos OS on page 343
• Optimizing the Network Management System Configuration for the Best Results on
page 179
• Configuring Options on Managed Devices for Better SNMP Response Time on page 181
• Managing Traps and Informs
• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage on page 247
Understanding the Implementation of SNMP
Supported Platforms
EX4600, QFabric System, QFX Series
The QFX Series products support the Simple Network Management Protocol (SNMP)
that is implemented in the Junos OS software.
NOTE: By default, SNMP is not enabled on devices running Junos OS. For
information on enabling SNMP on a device running Junos OS, see “Configuring
SNMP” on page 176.
A typical SNMP implementation includes the following components:
• Network management system (NMS)—The NMS is a combination of hardware and
software that is used to monitor and administer a network. Software running on the
NMS includes the SNMP manager, which collects information about network
connectivity, activity, and events by polling the managed devices.
• Managed device—A managed device (also called a network element) is any device
managed by the NMS. Routers and switches are common examples of managed
devices. The SNMP agent is the SNMP process that resides on the managed device
and communicates with the NMS.
• SNMP agent—The SNMP agent exchanges network management information with
SNMP manager software running on an NMS, or host. The agent responds to requests
for information and actions from the manager. The agent also controls access to the
agent’s MIB, the collection of objects that can be viewed or changed by the SNMP
manager.
SNMP data is stored in a highly structured, hierarchical format known as a management
information base (MIB). The MIB structure is based on a tree structure, which defines a
grouping of objects into related sets. Each object in the MIB is associated with an object
identifier (OID), which names the object. The “leaf” in the tree structure is the actual
managed object instance, which represents a resource, event, or activity that occurs in
your network device. The SNMP implementation in Junos OS uses both standard
(developed by IETF and documented in RFCs) and Juniper Networks enterprise-specific
MIBs.
Communication between the agent and the manager occurs in one of the following
forms:
• Get, GetBulk, and GetNext requests—The manager requests information from the agent;
the agent returns the information in a Get response message.
• Set requests—The manager changes the value of a MIB object controlled by the agent;
the agent indicates status in a Set response message.
• Traps notification—The agent sends traps to notify the manager of significant events
that occur on the network device.
The processes maintaining the SNMP management data include:
• A master SNMP agent (known as SNMP process, or snmpd) that resides on the
managed device and is managed by the NMS or host.
• Various subagents that reside on different modules of Junos OS, such as the Routing
Engine, and are managed by the master SNMP agent.
• Junos OS processes that share data with the subagents when polled for SNMP data
(for example, interface-related MIBs).
When an NMS polls the master agent for data, the master agent immediately shares the
data with the NMS if the requested data is available from the master agent or one of the
subagents. However, if the requested data is not maintained by the master agent or
subagents, the subagent polls the Junos OS kernel or the process that maintains that
data. The Junos OS kernel may need to get the data from the Packet Forwarding Engine.
On receiving the required data, the subagent passes the response back on to the master
agent, which in turn passes it on to the NMS.
Figure 3 on page 82 shows the communication flow among the NMS, SNMP master agent
(snmpd), SNMP subagents, Junos OS kernel, and Packet Forwarding Engine.
Figure 3: SNMP Communication Flow
When a significant event, most often an error or a failure, occurs on a network device,
the SNMP agent sends notifications to the SNMP manager. SNMP notifications can be
sent as traps (unconfirmed notifications) or inform requests (confirmed notifications).
Junos OS supports trap queuing to ensure that traps are not lost because of temporary
unavailability of routes. Two types of queues, destination queues and a throttle queue,
are formed to ensure delivery of traps and control the trap traffic. On QFX Series products,
the maximum size of trap queues (throttle queue plus destination queue) is 40,960
traps. The maximum size of any one queue is 20,480 traps.
Junos OS forms a destination queue when a trap to a particular destination is returned
because the host is not reachable, and it adds the subsequent traps to the same
destination to the queue. Junos OS checks for availability of routes every 30 seconds,
and sends the traps from the destination queue in a round-robin fashion.
If the trap delivery fails, the trap is added back to the queue, and the delivery attempt
counter and the next delivery attempt timer for the queue are reset. Subsequent attempts
occur at progressive intervals of 1 minute, 2 minutes, 4 minutes, and 8 minutes. The
maximum delay between the attempts is 8 minutes, and the maximum number of
attempts is ten. After ten unsuccessful attempts, the destination queue and all the traps
in the queue are deleted.
Junos OS also has a throttle mechanism to control the number of traps (throttle threshold)
sent during a particular time period (throttle interval). The throttle mechanism ensures
consistency in trap traffic, especially when large numbers of traps are generated because
of interface status changes. The throttle interval period begins when the first trap arrives
at the throttle. All traps within the trap threshold are processed, and the traps beyond
the threshold limit are queued. The default throttle threshold is 500 traps, and the throttle
interval default is 5 seconds.
NOTE: You cannot configure trap queueing in Junos OS. You cannot view
information about trap queues except for what is provided in the system logs.
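The retry and throttle rules given in both trap-queuing descriptions above can be worked through as a small model. This is an added example, not Junos code: the defaults are the values stated in the text, while the window handling, the reading of the retry schedule as ten attempts spaced 1, 2, 4, 8, 8, ... minutes apart, and the constructed trap burst are assumptions.

```python
# Model of the trap retry and throttle behaviour described above.
# Defaults come from the text; how Junos implements them internally is not
# shown on the page, so the window and retry handling here are assumptions.


def retry_delays(max_attempts=10, cap_minutes=8):
    """Minutes waited before each redelivery attempt: 1, 2, 4, 8, 8, ..."""
    return [min(2 ** n, cap_minutes) for n in range(max_attempts)]


def minutes_until_discard(max_attempts=10, cap_minutes=8):
    """Outage length after which a destination queue and its traps are deleted."""
    return sum(retry_delays(max_attempts, cap_minutes))


def throttle(arrivals, threshold=500, interval=5.0):
    """Classify trap arrival times (seconds) as sent at once or queued.

    The interval starts when the first trap reaches the throttle; the first
    `threshold` traps in that interval pass and the rest are queued. The next
    interval starts with the first trap that arrives after the previous one
    has ended (assumption).
    """
    sent, queued = [], []
    window_start, in_window = None, 0
    for t in sorted(arrivals):
        if window_start is None or t - window_start >= interval:
            window_start, in_window = t, 0
        in_window += 1
        (sent if in_window <= threshold else queued).append(t)
    return sent, queued


def queue_overflow(queued, max_queue=20_000):
    """Number of queued traps that do not fit in one queue of max_queue."""
    return max(0, queued - max_queue)


def link_flap_storm():
    """Constructed burst: 1,200 traps within 2 s, then 100 more at t = 6 s."""
    burst = [i * (2.0 / 1200) for i in range(1200)]
    late = [6.0 + i * 0.001 for i in range(100)]
    return burst + late


if __name__ == "__main__":
    sent, queued = throttle(link_flap_storm())
    print("sent at once:", len(sent), "queued:", len(queued))
    print("retry delays (min):", retry_delays())
    print("destination queue deleted after (min):", minutes_until_discard())
    # EX Series limit from the text: 500 traps per queue.
    print("overflow with a 500-trap queue:", queue_overflow(len(queued), 500))
```

Under these assumptions an NMS that stays unreachable for about an hour loses every trap queued for it, which is one reason to back trap-based alerting with informs or syslog.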
Related Documentation
• Configuring SNMP on page 176
• SNMP MIBs Support on page 226
• SNMP Traps Support on page 208
SNMPv3 Overview
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
In contrast to SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2), SNMP version
3 (SNMPv3) supports authentication and encryption. SNMPv3 uses the user-based
security model (USM) for message security and the view-based access control model
(VACM) for access control. USM specifies authentication and encryption. VACM specifies
access-control rules.
USM uses the concept of a user for which security parameters (levels of security,
authentication, privacy protocols, and keys) are configured for both the agent and the
manager. Messages sent using USM are better protected than messages sent with
community strings, where passwords are sent in the clear. With USM, messages
exchanged between the manager and the agent can have data integrity checking and
data origin authentication. USM protects against message delays and message replays
by using time indicators and request IDs. Encryption is also available.
To complement the USM, SNMPv3 uses the VACM, a highly granular access-control
model for SNMPv3 applications. Based on the concept of applying security policies to
the name of the groups querying the agent, the agent decides whether the group is
allowed to view or change specific MIB objects. VACM defines collections of data (called
views), groups of data users, and access statements that define which views a particular
group of users can use for reading, writing, or receiving traps.
Trap entries in SNMPv3 are created by configuring the notify, notify filter, target address,
and target parameters. The notify statement specifies the type of notification (trap) and
contains a single tag. The tag defines a set of target addresses to receive a trap. The
notify filter defines access to a collection of trap object identifiers (OIDs). The target
address defines a management application's address and other attributes to be used in
sending notifications. Target parameters define the message processing and security
parameters to be used in sending notifications to a particular management target.
To configure SNMPv3, perform the following tasks:
Related Documentation
• Creating SNMPv3 Users on page 266
• Configuring MIB Views on page 223
• Defining Access Privileges for an SNMP Group on page 271
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 278
• Configuring SNMP Informs on page 288
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
SNMPv3 Overview
Supported Platforms
EX4600, QFabric System, QFX Series
The QFX3500 switch supports SNMP version 3 (SNMPv3). SNMPv3 enhances the
functionality of SNMPv1 and SNMPv2c by supporting user authentication and data
encryption. SNMPv3 uses the user-based security model (USM) to provide security for
SNMP messages, and the view-based access control model (VACM) for user access
control.
SNMPv3 features include:
• With USM, the SNMP messages between the SNMP manager and the agent can have
the message source authenticated and the data integrity checked. USM reduces
messaging delays and message replays by enforcing timeout limits and by checking
for duplicate message request IDs.
• VACM complements USM by providing user access control for SNMP queries to the
agent. You define access privileges that you wish to extend to a group of one or more
users. Access privileges are determined by the security model parameters (usm, v1, or
v2) and security level parameters (authentication, privacy, or none). For each security
level, you must associate one MIB view for the group. Associating a MIB view with a
group grants the read, write, or notify permission to a set of MIB objects for the group.
• You configure security parameters for each user, including the username, authentication
type and authentication password, and privacy type and privacy password. The
username given to each user is in a format that is dependent on the security model
configured for that user.
• To ensure messaging security, another type of username, called the security name, is
included in the messaging data that is sent between the local SNMP server and the
destination SNMP server. Each user name is mapped to a security name, but the security
name is in a format that is independent of the security model.
• Trap entries in SNMPv3 are created by configuring the notify, notify filter, target address,
and target parameters. The notify statement specifies the type of notification (trap)
and contains a single tag that defines a set of target addresses to receive a trap. The
notify filter defines access to a collection of trap object identifiers (OIDs). The target
address defines the address of an SNMP management application and other attributes
used in sending notifications. Target parameters define the message processing and
security parameters used in sending notifications to a particular target.
Related Documentation
• Assigning a Security Name to a Group
• Configuring Access Privileges for a Group
• Configuring SNMP Informs on page 288
• Creating SNMPv3 Users on page 266
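The VACM decision that both SNMPv3 overviews above describe (security name to group, group and security level to MIB view, view to OID subtree) can be sketched as follows. This is an added example, not Junos code: the user, group and view names are constructed, the model label "v2c" is an assumption, and the selection rules follow RFC 3415 in simplified form, without contexts or subtree masks.

```python
from dataclasses import dataclass, field

# Security levels in increasing strength (RFC 3411 names); the text above
# calls them none, authentication and privacy.
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def parse_oid(oid):
    """'1.3.6.1' -> (1, 3, 6, 1); tuples avoid '...1.1' matching '...1.11'."""
    return tuple(int(part) for part in oid.strip(".").split("."))


@dataclass
class Vacm:
    security_to_group: dict = field(default_factory=dict)  # (model, name) -> group
    access: list = field(default_factory=list)   # one dict per access entry
    views: dict = field(default_factory=dict)    # view -> [(subtree, included)]

    def in_view(self, view, oid):
        """Longest matching subtree decides; no match means not in view."""
        target, best = parse_oid(oid), None
        for subtree, included in self.views.get(view, []):
            sub = parse_oid(subtree)
            if target[:len(sub)] == sub and (best is None or len(sub) > best[0]):
                best = (len(sub), included)
        return bool(best and best[1])

    def is_access_allowed(self, model, name, level, action, oid):
        """Return (allowed, reason); reasons use the RFC 3415 status names."""
        group = self.security_to_group.get((model, name))
        if group is None:
            return False, "noGroupName"
        # An entry is usable only if the request meets its minimum level.
        usable = [a for a in self.access
                  if a["group"] == group and a["model"] == model
                  and LEVELS[a["level"]] <= LEVELS[level]]
        if not usable:
            return False, "noAccessEntry"
        entry = max(usable, key=lambda a: LEVELS[a["level"]])
        view = entry.get(action)          # action: read, write or notify
        if not view:
            return False, "noSuchView"
        if not self.in_view(view, oid):
            return False, "notInView"
        return True, "accessAllowed"


# Constructed policy: an encrypted USM user may read everything except the
# USM and VACM tables; a community-based poller sees the system group only.
POLICY = Vacm(
    security_to_group={("usm", "nms-ops"): "operators",
                       ("v2c", "legacy-poller"): "pollers"},
    access=[
        {"group": "operators", "model": "usm", "level": "authPriv",
         "read": "no-secrets", "notify": "no-secrets"},
        {"group": "pollers", "model": "v2c", "level": "noAuthNoPriv",
         "read": "system-only"},
    ],
    views={
        "no-secrets": [("1.3.6.1", True),
                       ("1.3.6.1.6.3.15", False),   # snmpUsmMIB
                       ("1.3.6.1.6.3.16", False)],  # snmpVacmMIB
        "system-only": [("1.3.6.1.2.1.1", True)],   # system group
    },
)

if __name__ == "__main__":
    for request in [
        ("usm", "nms-ops", "authPriv", "read", "1.3.6.1.2.1.2.2.1.10.5"),
        ("usm", "nms-ops", "authPriv", "read", "1.3.6.1.6.3.15.1.2.2.1.3"),
        ("usm", "nms-ops", "authNoPriv", "read", "1.3.6.1.2.1.1.1.0"),
        ("v2c", "legacy-poller", "noAuthNoPriv", "read", "1.3.6.1.2.1.11.1.0"),
    ]:
        print(request, "->", POLICY.is_access_allowed(*request))
```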
Loading MIB Files to a Network Management System
Supported Platforms
ACX Series
For your network management system (NMS) to identify and understand the MIB objects
used by the Junos OS, you must first load the MIB files to your NMS using a MIB compiler.
A MIB compiler is a utility that parses the MIB information such as the MIB object name,
IDs, and data type for the NMS.
You can download the Junos MIB package from the Junos OS Enterprise MIBs index at
https://www.juniper.net/documentation/en_US/release-independent/junos/mibs/mibs.html.
The Junos MIB package is available in .zip and .tar packages. You can download the
appropriate format based on your requirements.
The Junos MIB package contains two folders: StandardMibs and JuniperMibs. The
StandardMibs folder contains the standard MIBs and RFCs that are supported on devices
running the Junos OS, whereas the JuniperMibs folder contains the Juniper Networks
enterprise-specific MIBs.
To load MIB files that are required for managing and monitoring devices running the Junos
OS:
1. Go to the SNMP MIB Explorer Download page for Juniper Networks SNMP MIB
packages (https://apps.juniper.net/mib-explorer/download.jsp#product=Junos%20OS).
2. Click the TAR or ZIP link under the appropriate release heading to download the Junos
MIB package for that release.
3. Decompress the file (.tar or .zip) using an appropriate utility.
4. Load the standard MIB files (from the StandardMibs folder) in the following order:
NOTE: Some of the MIB compilers that are commonly used have the
standard MIBs preloaded on them. If the standard MIBs are already loaded
on the MIB compiler that you are using, skip this step and proceed to Step
7.
a. mib-SNMPv2-SMI.txt
b. mib-SNMPv2-TC.txt
c. mib-IANAifType-MIB.txt
d. mib-IANA-RTPROTO-MIB.txt
e. mib-rfc1907.txt
f. mib-rfc2011a.txt
g. mib-rfc2012a.txt
h. mib-rfc2013a.txt
i. mib-rfc2863a.txt
5. Load the remaining standard MIB files.
NOTE: You must follow the order specified in this procedure, and ensure
that all standard MIBs are loaded before you load the enterprise-specific
MIBs. There might be dependencies that require a particular MIB to be
present on the compiler before loading some other MIB. You can find such
dependencies listed in the IMPORT section of the MIB file.
6. Load the Juniper Networks enterprise-specific SMI MIB, mib-jnx-smi.txt, and the
following optional SMI MIBs based on your requirements:
• mib-jnx-js-smi.txt—(Optional) For Juniper Security MIB tree objects
• mib-jnx-ex-smi.txt—(Optional) For EX Series Ethernet Switches
• mib-jnx-exp.txt—(Recommended) For Juniper Networks experimental MIB objects
7. Load the remaining enterprise-specific MIBs from the JuniperMibs folder.
TIP: While loading a MIB file, if the compiler returns an error message saying
that any of the objects is undefined, open the MIB file using a text editor and
ensure that all the MIB files listed in the IMPORT section are loaded on the
compiler. If any of the MIB files listed in the IMPORT section is not loaded on
the compiler, load that MIB file, and then try to load the MIB file that failed
to load.
For example, the enterprise-specific PING MIB, mib-jnx-ping.txt, has
dependencies on RFC 2925, DISMAN-PING-MIB, mib-rfc2925a.txt. If you try
to load mib-jnx-ping.txt before loading mib-rfc2925a.txt, the compiler returns
an error message saying that certain objects in mib-jnx-ping.txt are undefined.
Load mib-rfc2925a.txt, and then try to load mib-jnx-ping.txt. The
enterprise-specific PING MIB, mib-jnx-ping.txt, then loads without any issue.
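The check the TIP describes, reading each file's IMPORTS section and loading dependencies first, can be automated before the files reach the MIB compiler. This is an added example, not a Juniper tool: it derives a load order from the IMPORTS clauses and reports modules that no file provides. The embedded module texts are constructed and heavily shortened; real MIB files are far longer.

```python
import re
from graphlib import TopologicalSorter

MODULE_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s+DEFINITIONS\b", re.M)
IMPORTS_RE = re.compile(r"\bIMPORTS\b(.*?);", re.S)
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z][\w-]*)")

# Constructed sample files (file name -> shortened module text).
SAMPLE_MIBS = {
    "mib-jnx-ping.txt": """
JUNIPER-PING-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Unsigned32
        FROM SNMPv2-SMI              -- RFC 2578
    pingResultsEntry, pingProbeHistoryEntry
        FROM DISMAN-PING-MIB
    jnxMibs
        FROM JUNIPER-SMI;
END
""",
    "mib-rfc2925a.txt": """
DISMAN-PING-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, mib-2
        FROM SNMPv2-SMI
    InetAddressType, InetAddress
        FROM INET-ADDRESS-MIB;       -- deliberately absent from this set
END
""",
    "mib-jnx-smi.txt": """
JUNIPER-SMI DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-IDENTITY, enterprises
        FROM SNMPv2-SMI;
END
""",
    "mib-SNMPv2-SMI.txt": """
SNMPv2-SMI DEFINITIONS ::= BEGIN
-- base module: no IMPORTS clause
END
""",
}


def parse_mib(text):
    """Return (module name, set of module names named in IMPORTS)."""
    text = re.sub(r"--.*", "", text)          # drop ASN.1 line comments
    header = MODULE_RE.search(text)
    if not header:
        raise ValueError("no '<name> DEFINITIONS' header found")
    clause = IMPORTS_RE.search(text)
    deps = set(FROM_RE.findall(clause.group(1))) if clause else set()
    return header.group(1), deps


def load_order(files, preloaded=()):
    """Return (file load order, {file: modules that nothing provides}).

    `preloaded` names modules the compiler already ships with. Raises
    graphlib.CycleError if the files import each other in a loop.
    """
    provided_by, imports = {}, {}
    for fname, text in files.items():
        module, deps = parse_mib(text)
        provided_by[module] = fname
        imports[fname] = deps
    graph, missing = {}, {}
    for fname, deps in imports.items():
        graph[fname] = {provided_by[d] for d in deps if d in provided_by}
        absent = {d for d in deps
                  if d not in provided_by and d not in preloaded}
        if absent:
            missing[fname] = absent
    return list(TopologicalSorter(graph).static_order()), missing


if __name__ == "__main__":
    order, missing = load_order(SAMPLE_MIBS)
    print("load order:", order)
    for fname, modules in missing.items():
        print(f"{fname}: load a file providing {sorted(modules)} first")
```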
Related Documentation
• Standard SNMP MIBs Supported by Junos OS on page 128
• Enterprise-Specific SNMP MIBs Supported by Junos OS on page 117
Show SNMP
Supported Platforms
EX4600, OCX1100, QFabric System
There are several commands that you can access in Junos OS operational mode to
monitor SNMP information. Some of the commands are:
• show snmp health-monitor, which displays the health monitor log and alarm information.
• show snmp mib, which displays information from the MIBs, such as device and system
information.
• show snmp statistics, which displays SNMP statistics such as the number of packets,
silent drops, and invalid output values.
• show snmp rmon, which displays the RMON alarm, event, history, and log information.
The following example provides sample output from the show snmp health-monitor
command:
user@switch> show snmp health-monitor
Alarm
Index  Variable description                              Value  State
32768  Health Monitor: root file system utilization
       jnxHrStoragePercentUsed.1                            58  active
32769  Health Monitor: /config file system utilization
       jnxHrStoragePercentUsed.2                             0  active
32770  Health Monitor: RE 0 CPU utilization
       jnxOperatingCPU.9.1.0.0                               0  active
32773  Health Monitor: RE 0 Memory utilization
       jnxOperatingBuffer.9.1.0.0                           35  active
32775  Health Monitor: jkernel daemon CPU utilization
       Init daemon                                           0  active
       Chassis daemon                                       50  active
       Firewall daemon                                       0  active
       Interface daemon                                      5  active
       SNMP daemon                                          11  active
       MIB2 daemon                                          42  active
       ...
The following example provides sample output from the show snmp mib command:
user@switch> show snmp mib walk system
sysDescr.0    = Juniper Networks, Inc. qfx3500s internet router, kernel
JUNOS 11.1-20100926.0 #0: 2010-09-26 06:17:38 UTC builder@abc.example.net:
/volume/build/junos/11.1/production/20100926.0/obj-xlr/bsd/sys/compile/JUNIPER-xxxxx
Build date: 2010-09-26 06:00:10 U
sysObjectID.0 = jnxProductQFX3500
sysUpTime.0   = 24444184
sysContact.0  = J Smith
sysName.0     = Lab QFX3500
sysLocation.0 = Lab
sysServices.0 = 4
The following example provides sample output from the show snmp statistics command:
user@switch> show snmp statistics
SNMP statistics:
  Input:
    Packets: 0, Bad versions: 0, Bad community names: 0,
    Bad community uses: 0, ASN parse errors: 0,
    Too bigs: 0, No such names: 0, Bad values: 0,
    Read onlys: 0, General errors: 0,
    Total request varbinds: 0, Total set varbinds: 0,
    Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 0, Traps: 0,
    Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
    Throttle drops: 0, Duplicate request drops: 0
  Output:
    Packets: 0, Too bigs: 0, No such names: 0,
    Bad values: 0, General errors: 0,
    Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 0, Traps: 0
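For monitoring, the counters in this output are most useful as deltas between two collections. The following added example (not part of the Junos documentation) parses the show snmp statistics layout shown above and reports increases in the input counters that point to rejected requests; the non-zero snapshot is constructed, and the choice of watched counters is an assumption.

```python
import re

# Input counters that rise when requests are rejected: wrong SNMP version,
# unknown community, operation not permitted for the community, bad encoding.
WATCHED = ("Bad versions", "Bad community names", "Bad community uses",
           "ASN parse errors")

PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)")

# Constructed snapshot in the layout of the sample output above.
AFTER = """\
user@switch> show snmp statistics
SNMP statistics:
  Input:
    Packets: 412, Bad versions: 0, Bad community names: 37,
    Bad community uses: 2, ASN parse errors: 0,
    Too bigs: 0, No such names: 0, Bad values: 0,
    Read onlys: 0, General errors: 0,
    Total request varbinds: 1119, Total set varbinds: 0,
    Get requests: 301, Get nexts: 72, Set requests: 0,
    Get responses: 0, Traps: 0,
    Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
    Throttle drops: 0, Duplicate request drops: 0
  Output:
    Packets: 373, Too bigs: 0, No such names: 0,
    Bad values: 0, General errors: 0,
    Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 373, Traps: 0
"""

# Earlier snapshot with every counter at zero, as in the sample output above.
BEFORE = re.sub(r"\d+", "0", AFTER)


def parse_snmp_statistics(text):
    """Return {'input': {counter: value}, 'output': {counter: value}}."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Input:", "Output:"):
            section = line.rstrip(":").lower()
            stats[section] = {}
        elif section is not None:
            for name, value in PAIR_RE.findall(line):
                stats[section][name] = int(value)
    return stats


def watched_deltas(before, after, counters=WATCHED):
    """Return {counter: increase} for watched input counters that grew.

    A value lower than the previous one is treated as a counter reset, so
    the new value itself is taken as the increase.
    """
    changes = {}
    for name in counters:
        old = before.get("input", {}).get(name, 0)
        new = after.get("input", {}).get(name, 0)
        delta = new - old if new >= old else new
        if delta > 0:
            changes[name] = delta
    return changes


if __name__ == "__main__":
    old, new = parse_snmp_statistics(BEFORE), parse_snmp_statistics(AFTER)
    for counter, delta in watched_deltas(old, new).items():
        print(f"{counter}: +{delta} since last collection")
```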
Related Documentation
• health-monitor on page 1505
• show snmp mib on page 1927
• show snmp statistics on page 1939
Junos OS SNMP FAQ Overview
Supported Platforms
EX Series, M Series, MX Series, PTX Series, QFabric System, QFX Series, SRX Series, T Series
This document presents the most frequently asked questions about the features and
technologies used to implement SNMP services on Juniper Networks devices using the
Junos operating system.
SNMP enables users to monitor network devices from a central location. Many network
management systems (NMS) are based on SNMP, and support for this protocol is a key
feature of most network devices.
Juniper Networks provides many different platforms that support SNMP on the Junos OS.
The Junos OS includes an onboard SNMP agent that provides remote management
applications with access to detailed information about the devices on the network.
A typical SNMP implementation contains three components:
•
Managed devices – Such as routers and switches.
•
SNMP agent – Process that resides on a managed device and communicates with the
NMS.
•
NMS – Acombination of hardware and software used to monitor and administer the
network; network device that runs SNMP manager software. Also referred to as an
SNMP manager.
The SNMP agent exchanges network management information with the SNMP manager
(NMS). The agent responds to requests for information and actions from the manager.
The SNMP manager collects information about network connectivity, activity, and events
by polling managed devices.
SNMP implementation in the Junos OS uses a master SNMP agent (known as an SNMP
process or snmpd) that resides on the managed device. Various subagents reside on
different modules of the Junos OS as well (such as the Routing Engine), and these
subagents are managed by the snmpd.
Related Documentation
• Junos OS SNMP FAQs on page 89
Junos OS SNMP FAQs
Supported Platforms
EX Series, M Series, MX Series, PTX Series, QFabric System, QFX Series, SRX Series, T Series
This Frequently Asked Questions technology overview covers these SNMP-related areas:
• Junos OS SNMP Support FAQs
• Junos OS MIBs FAQs
• Junos OS SNMP Configuration FAQs
• SNMPv3 FAQs
• SNMP Interaction with Juniper Networks Devices FAQs
• SNMP Traps and Informs FAQs
• Junos OS Dual Routing Engine Configuration FAQs
• SNMP Support for Routing Instances FAQs
• SNMP Counters FAQs
Junos OS SNMP Support FAQs
This section presents frequently asked questions and answers related to SNMP support
on Junos OS.
Which SNMP versions does Junos OS support?
Junos OS supports SNMP version 1 (SNMPv1), version 2 (SNMPv2c), and version 3
(SNMPv3). By default, SNMP is disabled on a Juniper Networks device.
Which ports (sockets) does SNMP use?
The default port for SNMP queries is port 161. The default port for SNMP traps and informs
is port 162. The port used for SNMP traps and informs is configurable, and you can
configure your system to use ports other than the default port 162. However, the SNMP
listening port remains the same; this is established in the RFC.
Is SNMP support different among the Junos OS platforms?
No, SNMP support is not different among the Junos OS platforms. SNMP configuration,
interaction, and behavior are the same on any Junos OS device. The only difference that
might occur across platforms is MIB support.
See also SNMP MIB Explorer for a list of MIBs that are supported across the Junos OS
platforms.
Does Junos OS support the user-based security model (USM)?
Yes, Junos OS supports USM as part of its support for SNMPv3. SNMPv3 contains more
security measures than previous versions of SNMP, including providing a defined USM.
SNMPv3 USM provides message security through data integrity, data origin authentication,
message replay protection, and protection against disclosure of the message payload.
Does Junos OS support the view-based access control model (VACM)?
Yes, Junos OS supports VACM as part of its support for SNMPv3. SNMPv3 contains more
security measures than previous versions of SNMP, including providing a defined VACM.
SNMPv3 VACM determines whether a specific type of access (read or write) to the
management information is allowed.
Does Junos OS support SNMP informs?
Yes, Junos OS supports SNMP informs as part of its support for SNMPv3. SNMP informs
are confirmed notifications sent from SNMP agents to SNMP managers when significant
events occur on a network device. When an SNMP manager receives an inform, it sends
a response to the sender to verify receipt of the inform.
Can I provision or configure a device using SNMP on Junos OS?
No, provisioning or configuring a device using SNMP is not allowed on Junos OS.
Junos OS MIBs FAQs
This section presents frequently asked questions and answers related to Junos OS MIBs.
What is a MIB?
A management information base (MIB) is a table of definitions for managed objects in
a network device. MIBs are used by SNMP to maintain standard definitions of all of the
components and their operating conditions within a network device. Each object in the
MIB has an identifying code called an object identifier (OID).
MIBs are either standard or enterprise-specific. Standard MIBs are created by the Internet
Engineering Task Force (IETF) and documented in various RFCs. Enterprise-specific MIBs
are developed and supported by a specific equipment manufacturer.
For a list of supported standard MIBs, see “Standard SNMP MIBs Supported by Junos
OS” on page 128.
For a list of Juniper Networks enterprise-specific MIBs, see “Enterprise-Specific SNMP
MIBs Supported by Junos OS” on page 117.
Do MIB files reside on the Junos OS devices?
No, MIB files do not reside on the Junos OS devices. You must download the MIB files
from the Juniper Networks Technical Publications page for the required Junos OS release:
https://www.juniper.net/documentation/en_US/release-independent/junos/mibs/mibs.html .
How do I compile and load the Junos OS MIBs onto an SNMP manager or NMS?
For your network management systems (NMSs) to identify and understand the MIB
objects used by Junos OS, you must first load the MIB files to your NMS using a MIB
compiler. A MIB compiler is a utility that parses the MIB information, such as the MIB
object names, IDs, and data types for the NMS.
You can download the Junos OS MIB package from the Enterprise-Specific MIBs and
Traps section at
https://www.juniper.net/documentation/en_US/release-independent/junos/mibs/mibs.html
or https://www.juniper.net/documentation/software/junos/index.html .
The Junos OS MIB package has two folders: StandardMibs, containing standard MIBs
supported on Juniper Networks devices, and JuniperMibs, containing Juniper Networks
enterprise-specific MIBs. You must have the required standard MIBs downloaded and
decompressed before downloading any enterprise-specific MIBs. There might be
dependencies that require a particular standard MIB to be present on the compiler before
loading a particular enterprise-specific MIB.
The Junos OS MIB package is available in .zip and .tar formats. Download the format
appropriate for your requirements.
Use the following steps to load MIB files for devices running Junos OS:
1. Navigate to the appropriate Juniper Networks software download page and locate
the Enterprise MIBs link under the Enterprise-Specific MIBs and Traps section.
NOTE: Although the link is titled Enterprise MIBs, both standard MIBs and
enterprise-specific MIBs are available for download from this location.
2. Click the TAR or ZIP link to download the Junos OS MIB package.
3. Decompress the file (.tar or .zip) using an appropriate utility.
NOTE: Some commonly used MIB compilers are preloaded with standard
MIBs. You can skip Step 4 and Step 5 and proceed to Step 6 if you already
have the standard MIBs loaded on your system.
4. Load the standard MIB files from the StandardMibs folder.
Load the files in the following order:
a. mib-SNMPv2-SMI.txt
b. mib-SNMPv2-TC.txt
c. mib-IANAifType-MIB.txt
d. mib-IANA-RTPROTO-MIB.txt
e. mib-rfc1907.txt
f. mib-rfc2011a.txt
g. mib-rfc2012a.txt
h. mib-rfc2013a.txt
i. mib-rfc2863a.txt
5. Load any remaining standard MIB files.
NOTE: You must follow the order specified in this procedure, and ensure
that all standard MIBs are loaded before you load the enterprise-specific
MIBs. There might be dependencies that require a particular standard MIB
to be present on the compiler before loading a particular enterprise-specific
MIB. Dependencies are listed in the IMPORT section of the MIB file.
6. After loading the standard MIBs, load the Juniper Networks enterprise-specific SMI
MIB, mib-jnx-smi.txt, and the following optional SMI MIBs based on your requirements:
• mib-jnx-exp.txt—(Recommended) for Juniper Networks experimental MIB objects
• mib-jnx-js-smi.txt—(Optional) for Juniper Security MIB tree objects
• mib-jnx-ex-smi.txt—(Optional) for EX Series Ethernet Switches
7. Load any remaining desired enterprise-specific MIBs from the JuniperMibs folder.
TIP: While loading a MIB file, if the compiler returns an error message
indicating that any of the objects are undefined, open the MIB file using a
text editor and ensure that all the MIB files listed in the IMPORT section
are loaded on the compiler. If any of the MIB files listed in the IMPORT
section are not loaded on the compiler, load the missing file or files first,
then try to load the MIB file that failed.
The system might return an error if files are not loaded in a particular order.
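The load-order rule in the steps above can be checked mechanically before the files are handed to a MIB compiler. The following Python sketch is an added example, not Juniper code: it reads each file's module name and IMPORTS clause, orders the files so that every module follows the modules it imports from, and reports imports that no supplied file provides. The MIB bodies are constructed stubs, and mib-example-enterprise.txt and EXAMPLE-ENTERPRISE-MIB are hypothetical names.

```python
import re

COMMENT = re.compile(r"--.*")  # ASN.1 comment, stripped to end of line
MODULE = re.compile(r"([A-Za-z][A-Za-z0-9-]*)\s+DEFINITIONS\s*::=\s*BEGIN")
IMPORTS = re.compile(r"\bIMPORTS\b(.*?);", re.DOTALL)
FROM = re.compile(r"\bFROM\s+([A-Za-z][A-Za-z0-9-]*)")

# Constructed stand-ins for MIB files, listed in a deliberately wrong order.
SAMPLE_FILES = {
    "mib-example-enterprise.txt": """
        EXAMPLE-ENTERPRISE-MIB DEFINITIONS ::= BEGIN
        IMPORTS
            OBJECT-TYPE, Integer32 FROM SNMPv2-SMI   -- base types
            DisplayString FROM SNMPv2-TC
            jnxMibs FROM JUNIPER-SMI
            InetAddress FROM INET-ADDRESS-MIB;       -- not supplied below
        END
    """,
    "mib-SNMPv2-TC.txt": """
        SNMPv2-TC DEFINITIONS ::= BEGIN
        IMPORTS TimeTicks FROM SNMPv2-SMI;
        END
    """,
    "mib-jnx-smi.txt": """
        JUNIPER-SMI DEFINITIONS ::= BEGIN
        IMPORTS MODULE-IDENTITY, enterprises FROM SNMPv2-SMI;
        END
    """,
    "mib-SNMPv2-SMI.txt": """
        SNMPv2-SMI DEFINITIONS ::= BEGIN
        -- constructed stub without an import clause
        END
    """,
}


def parse_mib(text):
    """Return (module_name, [modules named in the IMPORTS clause])."""
    body = COMMENT.sub("", text)
    header = MODULE.search(body)
    if header is None:
        raise ValueError("no '<name> DEFINITIONS ::= BEGIN' header found")
    clause = IMPORTS.search(body)
    deps = FROM.findall(clause.group(1)) if clause else []
    return header.group(1), list(dict.fromkeys(deps))  # de-duplicate, keep order


def load_order(files):
    """Order files so each one follows the files it imports from.

    Returns (order, missing): 'order' is a list of file names, 'missing' maps
    a file name to the imported modules that none of the supplied files define.
    Raises ValueError when the IMPORTS clauses form a cycle.
    """
    parsed = {name: parse_mib(text) for name, text in files.items()}
    provider = {module: name for name, (module, _) in parsed.items()}
    missing, pending = {}, {}
    for name, (_, deps) in parsed.items():
        absent = sorted(d for d in deps if d not in provider)
        if absent:
            missing[name] = absent
        pending[name] = {provider[d] for d in deps
                         if d in provider and provider[d] != name}
    order = []
    while pending:
        loaded = set(order)
        ready = [n for n, need in pending.items() if need <= loaded]
        if not ready:
            raise ValueError("circular IMPORTS among: " + ", ".join(sorted(pending)))
        order.append(ready[0])  # first ready file in the caller's order
        del pending[ready[0]]
    return order, missing


if __name__ == "__main__":
    order, missing = load_order(SAMPLE_FILES)
    for position, name in enumerate(order, 1):
        print(position, name)
    for name, modules in missing.items():
        print("load first for", name + ":", ", ".join(modules))
```

A file listed under missing corresponds to the undefined-object error described in the TIP: the named modules must be loaded before that file compiles.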
What is SMI?
Structure of Management Information Version (SMI) is a subset of Abstract Syntax
Notation One (ASN.1), which describes the structure of objects. SMI is the notation syntax,
or “grammar”, that is the standard for writing MIBs.
Which versions of SMI does Junos OS support?
The Junos OS supports SMIv1 for SNMPv1 MIBs, and SMIv2 for SNMPv2c and enterprise
MIBs.
Does Junos OS support MIB II?
Yes, Junos OS supports MIB II, the second version of the MIB standard.
The features of MIB II include:
• Additions that reflect new operational requirements.
• Backward compatibility with the original MIBs and SNMP.
• Improved support for multiprotocol entities.
• Improved readability.
Refer to the relevant release documentation for a list of MIBs that are supported. Go to
https://www.juniper.net/documentation/software/junos/index.html .
Are the same MIBs supported across all Juniper Networks devices?
There are some common MIBs supported by all the Junos OS devices, such as the Interface
MIB (ifTable), System MIB, and Chassis MIB. Some MIBs are supported only by
functionalities on specific platforms. For example, the Bridge MIB is supported on the EX
Series Ethernet Switches and the SRX Series Services Gateways for the branch.
What is the system object identifier (SYSOID) of a device? How do I determine the
SYSOID of my device?
The jnx-chas-defines (Chassis Definitions for Router Model) MIB has a jnxProductName
branch for every Junos OS device. The system object ID of a device is identical to the
object ID of the jnxProductName for the platform. For example, for an M7i Multiservice
Edge Router, the jnxProductNameM7i is .1.3.6.1.4.1.2636.1.1.1.2.10 in the jnxProductName
branch, which is identical to the SYSOID of the M7i (.1.3.6.1.4.1.2636.1.1.1.2.10).
How can I determine if a MIB is supported on a platform? How can I determine which
MIBs are supported by a device?
MIB support by device and platform is listed in the Junos OS Technical Documentation.
See “Enterprise-Specific SNMP MIBs Supported by Junos OS” on page 117 and “Standard
SNMP MIBs Supported by Junos OS” on page 128 to view the list of MIBs and
supported Junos OS devices.
What can I do if the MIB OID query is not responding?
There can be various reasons why the MIB OID query stops responding. One reason could
be that the MIB itself is unresponsive. To verify that the MIB responds, use the show snmp
mib walk | get MIB name | MIB OID command:
• If the MIB responds, the communication issue exists between the SNMP master and
SNMP agent. Possible reasons for this issue include network issues, an incorrect
community configuration, an incorrect SNMP configuration, and so on.
• If the MIB does not respond, enable SNMP traceoptions to log PDUs and errors. All
incoming and outgoing SNMP PDUs are logged. Check the traceoptions output to see
if there are any errors.
If you continue to have problems with the MIB OID query, technical product support is
available through the Juniper Networks Technical Assistance Center (JTAC).
What is the enterprise branch number for Junos OS?
The enterprise branch number for Junos OS is 2636. Enterprise branch numbers are used
in SNMP MIB configurations, and they are also known as SMI network management
private enterprise codes.
Which MIB displays the hardware and chassis details on a Juniper Networks device?
The Chassis MIB (jnxchassis.mib) displays the hardware and chassis details for each
Juniper Networks device. It provides information about the router and its components.
The Chassis MIB objects represent each component and its status.
Which MIB objects can I query to determine the CPU and memory utilization of the
Routing Engine, Flexible PIC Concentrator (FPC), and PIC components on a device?
Query the Chassis MIB objects jnxOperatingMemory, jnxOperatingBuffer, and
jnxOperatingCPU to find out the CPU and memory utilization of the hardware components
of a device.
Is the interface index (ifIndex) persistent?
The ifIndex is persistent when reboots occur if the Junos OS version remains the same,
meaning the values assigned to the interfaces in the ifIndex do not change.
When there is a software upgrade, the device tries to keep the ifIndex persistent on a
best effort basis. For Junos OS Release 10.0 and earlier, the ifIndex is not persistent when
there is a software upgrade to Junos OS Release 10.1 and later.
Is it possible to set the ifAdminStatus?
SNMP is not allowed to set the ifAdminStatus.
Which MIB objects support SNMP set operations?
The Junos OS SNMP set operations are supported in the following MIB tables and
variables:
• snmpCommunityTable
• eventTable
• alarmTable
• snmpTargetAddrExtTable
• jnxPingCtlTable
• pingCtlTable
• traceRouteCtlTable
• jnxTraceRouteCtlTable
• sysContact.0
• sysName.0
• sysLocation.0
• pingMaxConcurrentRequests.0
• traceRouteMaxConcurrentRequests.0
• usmUserSpinLock
• usmUserOwnAuthKeyChange
• usmUserPublic
• vacmSecurityToGroupTable (vacmGroupName, vacmSecurityToGroupStorageType,
and vacmSecurityToGroupStatus)
• vacmAccessTable (vacmAccessContextMatch, vacmAccessReadViewName,
vacmAccessWriteViewName, vacmAccessNotifyViewName, vacmAccessStorageType,
and vacmAccessStatus)
• vacmViewSpinLock
• vacmViewTreeFamilyTable (vacmViewTreeFamilyMask, vacmViewTreeFamilyType,
vacmViewTreeFamilyStorageType, and vacmViewTreeFamilyStatus)
Does Junos OS support remote monitoring (RMON)?
Yes, Junos OS supports RMON as defined in RFC 2819, Remote Network Monitoring
Management Information Base. However, remote monitoring version 2 (RMON 2) is not
supported.
Can I use SNMP to determine the health of the processes running on the Routing
Engine?
Yes, you can use SNMP to determine the health of the Routing Engine processes by
configuring the health monitoring feature. On Juniper Networks devices, RMON alarms
and events provide much of the infrastructure needed to reduce the polling overhead
from the NMS. However, you must set up the NMS to configure specific MIB objects into
RMON alarms. This often requires device-specific expertise and customizing the
monitoring application. Additionally, some MIB object instances that need monitoring
are set only at initialization, or they change at runtime and cannot be configured in
advance.
To address these issues, the health monitor extends the RMON alarm infrastructure to
provide predefined monitoring for a selected set of object instances, such as file system
usage, CPU usage, and memory usage, and includes support for unknown or dynamic
object instances, such as Junos OS software processes.
To display the health monitoring configuration, use the show snmp health-monitor
command:
user@host> show snmp health-monitor
interval 300;
rising-threshold 90;
falling-threshold 80;
When you configure the health monitor, monitoring information for certain object instances
is available, as shown in Table 7 on page 97.
Table 7: Monitored Object Instances

Object: jnxHrStoragePercentUsed.1
Description: Monitors the following file system on the router or switch: /dev/ad0s1a.
This is the root file system mounted on /.

Object: jnxHrStoragePercentUsed.2
Description: Monitors the following file system on the router or switch: /dev/ad0s1e.
This is the configuration file system mounted on /config.

Objects: jnxOperatingCPU (RE0), jnxOperatingCPU (RE1)
Description: Monitor CPU usage for Routing Engines RE0 and RE1. The index values
assigned to the Routing Engines depend on whether the Chassis MIB uses a zero-based
or a ones-based indexing scheme. Because the indexing scheme is configurable, the
correct index is determined whenever the router is initialized and when there is a
configuration change. If the router or switch has only one Routing Engine, the alarm
entry monitoring RE1 is removed after five failed attempts to obtain the CPU value.

Objects: jnxOperatingBuffer (RE0), jnxOperatingBuffer (RE1)
Description: Monitor the amount of memory available on Routing Engines RE0 and RE1.
Because the indexing of this object is identical to that used for jnxOperatingCPU,
index values are adjusted depending on the indexing scheme used in the Chassis MIB.
As with jnxOperatingCPU, the alarm entry monitoring RE1 is removed if the router or
switch has only one Routing Engine.

Object: sysApplElmtRunCPU
Description: Monitors the CPU usage for each Junos OS software process. Multiple
instances of the same process are monitored and indexed separately.

Object: sysApplElmtRunMemory
Description: Monitors the memory usage for each Junos OS software process. Multiple
instances of the same process are monitored and indexed separately.

The system log entries generated for any health monitor events, such as thresholds
crossed and errors, have a corresponding HEALTHMONITOR tag rather than a generic
SNMPD_RMON_EVENTLOG tag. However, the health monitor sends generic RMON
risingThreshold and fallingThreshold traps.
Are the Ping MIBs returned in decimal notation and ASCII?
Yes, both decimal notation and ASCII are supported, which is the standard implementation
in SNMP. All strings are ASCII encoded.
The following example displays the Ping MIB in hexadecimal notation:
pingCtlTargetAddress.2.69.72.9.116.99.112.115.97.109.112.108.101 = 0a fa 01 02
This translates to ASCII:
pingCtlTargetAddress."EH"."tcpsample" = 0a fa 01 02
2 = length of the string
69 = E
72 = H
9 = length of second string
116 = t
99 = c
112 = p
115 = s
97 = a
109 = m
112 = p
108 = l
101 = e
As of Junos OS Release 9.6 and later, the Junos OS CLI returns ASCII values using the
command show snmp mib get | get-next | walk ascii.
The following example shows the output with the ASCII option:
user@host> show snmp mib walk pingCtlTargetAddress ascii
pingCtlTargetAddress."EH"."httpgetsample" = http://www.yahoo.com
pingCtlTargetAddress."p1"."t2" = 74 c5 b3 06
pingCtlTargetAddress."p1"."t3" = 74 c5 b2 0c
The following example shows the output without the ASCII option:
user@host> show snmp mib walk pingCtlTargetAddress
pingCtlTargetAddress.2.69.72.13.104.116.116.112.103.101.116.115.97.109.112.108.101
= http://www.yahoo.com
pingCtlTargetAddress.2.112.49.2.116.50 = 74 c5 b3 06
pingCtlTargetAddress.2.112.49.2.116.51 = 74 c5 b2 0c
You can convert decimal and ASCII values using a decimal ASCII chart like the one at
http://www.asciichart.com .
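The conversion between the decimal and ASCII forms of the Ping MIB index shown above can also be scripted instead of read off a chart. The following Python sketch is an added example, not part of Junos OS: it decodes and encodes the length-prefixed string index, using the OID suffixes from the sample output as input. The function names are hypothetical, and reading a 4-byte hexadecimal value as an IPv4 address is an assumption.

```python
def decode_string_index(suffix):
    """Split a dotted-decimal index into its length-prefixed ASCII strings.

    '2.69.72.9.116...' means: 2 characters follow ('E', 'H'), then 9 characters.
    """
    subids = [int(part) for part in suffix.strip(".").split(".")]
    strings, pos = [], 0
    while pos < len(subids):
        length = subids[pos]
        chunk = subids[pos + 1:pos + 1 + length]
        if len(chunk) != length:
            raise ValueError(
                "index truncated: expected %d characters, found %d" % (length, len(chunk)))
        if any(not 0 <= code <= 127 for code in chunk):
            raise ValueError("sub-identifier outside the ASCII range")
        strings.append("".join(chr(code) for code in chunk))
        pos += 1 + length
    return strings


def encode_string_index(*strings):
    """Build the dotted-decimal index for one or more ASCII strings."""
    subids = []
    for text in strings:
        codes = list(text.encode("ascii"))  # raises UnicodeEncodeError on non-ASCII
        subids.append(len(codes))
        subids.extend(codes)
    return ".".join(str(value) for value in subids)


def render_ascii(object_name, suffix):
    """Format an instance the way the CLI 'ascii' option prints it."""
    quoted = "".join('."%s"' % text for text in decode_string_index(suffix))
    return object_name + quoted


def hex_value_to_ipv4(value):
    """Read a 4-byte hex dump such as '0a fa 01 02' as an IPv4 address (assumption)."""
    raw = bytes.fromhex(value)
    if len(raw) != 4:
        raise ValueError("expected exactly 4 bytes")
    return ".".join(str(octet) for octet in raw)


if __name__ == "__main__":
    # Suffixes copied from the sample output above.
    for suffix in ("2.69.72.9.116.99.112.115.97.109.112.108.101",
                   "2.112.49.2.116.50"):
        print(render_ascii("pingCtlTargetAddress", suffix))
    print(hex_value_to_ipv4("0a fa 01 02"))
```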
Is IPv6 supported by the Ping MIB for remote operations?
No, IPv6 is not supported.
Is there an SNMP MIB to show Address Resolution Protocol (ARP) table information?
Are both IP and MAC addresses displayed in the same table?
Yes, the Junos OS supports the standard MIB ipNetToMediaTable, which is described in
RFC 2011, SNMPv2 Management Information Base for the Internet Protocol using SMIv2.
This table is used for mapping IP addresses to their corresponding MAC addresses.
Junos OS SNMP Configuration FAQs
This section presents frequently asked questions and answers related to Junos OS SNMP
configuration.
Can the Junos OS be configured for SNMPv1 and SNMPv3 simultaneously?
Yes, SNMP has backward compatibility, meaning that all three versions can be enabled
simultaneously.
Can I filter specific SNMP queries on a device?
Yes, you can filter specific SNMP queries on a device using exclude and include statements.
The following example shows a configuration that blocks read-write operation on all
OIDs under .1.3.6.1.2.1.1 for the community test:
user@host# show snmp
view system-exclude {
    oid .1.3.6.1.2.1.1 exclude;
    oid .1 include;
}
community test {
    view system-exclude;
    authorization read-write;
}
Can I change the SNMP agent engine ID?
Yes, the SNMP agent engine ID can be changed to the MAC address of the device, the IP
address of the device, or any other desired value. Several examples are included here.
The following example shows how to use the MAC address of a device as the SNMP
agent engine ID:
user@host# show snmp
engine-id {
    use-mac-address;
}
The following example shows how to use the IP address of a device as the SNMP agent
engine ID:
user@host# show snmp
engine-id {
    use-default-ip-address;
}
The following example shows the use of a selected value, AA in this case, as the SNMP
agent engine ID of a device:
user@host# show snmp
engine-id {
    local AA;
}
How can I configure a device with dual Routing Engines or a chassis cluster (SRX Series
Services Gateways) for continued communication during a switchover?
When configuring for continued communication, the SNMP configuration should be
identical between the Routing Engines. However, it is best to have separate Routing
Engine IDs configured for each Routing Engine, especially when using SNMPv3.
The following example shows the configuration of the Routing Engines in a dual Routing
Engine device. Notice that the Routing Engine IDs are set to the MAC addresses for each
Routing Engine:
user@host# show groups
re0 {
    system {
        host-name PE3-re0;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 116.197.178.14/27;
                    address 116.197.178.29/27 {
                        master-only;
                    }
                }
            }
        }
    }
    snmp {
        engine-id {
            use-mac-address;
        }
    }
}
re1 {
    system {
        host-name PE3-re1;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 116.197.178.11/27;
                    address 116.197.178.29/27 {
                        master-only;
                    }
                }
            }
        }
    }
    snmp {
        engine-id {
            use-mac-address;
        }
    }
}
The following is an example of an SNMPv3 configuration on a dual Routing Engine device:
user@host> show snmp name host1
v3 {
    vacm {
        security-to-group {
            security-model usm {
                security-name test123 {
                    group test1;
                }
                security-name juniper {
                    group test1;
                }
            }
        }
        access {
            group test1 {
                default-context-prefix {
                    security-model any {
                        security-level authentication {
                            read-view all;
                        }
                    }
                }
                context-prefix MGMT_10 {
                    security-model any {
                        security-level authentication {
                            read-view all;
                        }
                    }
                }
            }
        }
    }
    target-address server1 {
        address 116.197.178.20;
        tag-list router1;
        routing-instance MGMT_10;
        target-parameters test;
    }
    target-parameters test {
        parameters {
            message-processing-model v3;
            security-model usm;
            security-level authentication;
            security-name juniper;
        }
        notify-filter filter1;
    }
    notify server {
        type trap;
        tag router1;
    }
    notify-filter filter1 {
        oid .1 include;
    }
    view all {
        oid .1 include;
    }
    community public {
        view all;
    }
    community comm1;
    community comm2;
    community comm3 {
        view all;
        authorization read-only;
        logical-system LDP-VPLS {
            routing-instance vpls-server1;
        }
    }
    trap-group server1 {
        targets {
            116.197.179.22;
        }
    }
    routing-instance-access;
    traceoptions {
        flag all;
    }
}
How can I track SNMP activities?
SNMP trace operations track activity of SNMP agents and record the information in log
files.
A sample traceoptions configuration might look like this:
[edit snmp]
user@host# set traceoptions flag all
When the traceoptions flag all statement is included at the [edit snmp] hierarchy level,
the following log files are created:
• snmpd
• mib2d
• rmopd
Related Documentation
• Junos OS SNMP Support FAQs on page 90
• Junos OS MIBs FAQs on page 91
• SNMPv3 FAQs on page 102
• SNMP Interaction with Juniper Networks Devices FAQs on page 104
• SNMP Traps and Informs FAQs on page 106
• SNMP Support for Routing Instances FAQs on page 113
• SNMP Counters FAQs on page 114
SNMPv3 FAQs
This section presents frequently asked questions and answers related to SNMPv3.
Why is SNMPv3 important?
SNMPv3 provides enhanced security compared to the other versions of SNMP. It provides
authentication and encryption of data. Enhanced security is important for managing
devices at remote sites from the management stations.
In my system, the MIB object snmpEngineBoots is not in sync between two Routing
Engines in a dual Routing Engine device. Is this normal behavior?
Yes, this is the expected behavior. Each Routing Engine runs its own SNMP process
(snmpd), allowing each Routing Engine to maintain its own engine boots. However, if
both Routing Engines have the same engine ID and the Routing Engine with the lesser
snmpEngineBoots value is selected as the master Routing Engine during the switchover
process, the snmpEngineBoots value of the master Routing Engine is synchronized with
the snmpEngineBoots value of the other Routing Engine.
Do I need the SNMP manager engine object identifier (OID) for informs?
Yes, the engine OID of the SNMP manager is required for authentication, and informs do
not work without it.
I see the configuration of informs under the [edit snmp v3] hierarchy. Does this mean
I cannot use informs with SNMPv2c?
Informs can be used with SNMPv2c. The following example shows the basic configuration
for SNMPv3 informs on a device (note that authentication and privacy are set to none):
[edit snmp]
v3 {
    usm {
        remote-engine 00000063000100a2c0a845b3 {
            user RU2_v3_sha_none {
                authentication-none;
                privacy-none;
            }
        }
    }
    vacm {
        security-to-group {
            security-model usm {
                security-name RU2_v3_sha_none {
                    group g1_usm_auth;
                }
            }
        }
        access {
            group g1_usm_auth {
                default-context-prefix {
                    security-model usm {
                        security-level authentication {
                            read-view all;
                            write-view all;
                            notify-view all;
                        }
                    }
                }
            }
        }
    }
    target-address TA2_v3_sha_none {
        address 192.168.69.179;
        tag-list tl1;
        address-mask 255.255.252.0;
        target-parameters TP2_v3_sha_none;
    }
    target-parameters TP2_v3_sha_none {
        parameters {
            message-processing-model v3;
            security-model usm;
            security-level none;
            security-name RU2_v3_sha_none;
        }
        notify-filter nf1;
    }
    notify N1_all_tl1_informs {
        type inform; # Replace “inform” with “trap” to convert informs to traps.
        tag tl1;
    }
    notify-filter nf1 {
        oid .1 include;
    }
    view all {
        oid .1 include;
    }
}
You can convert the SNMPv3 informs to traps by setting the value of the type statement
at the [edit snmp v3 notify N1_all_tl1_informs] hierarchy level to trap as shown in the
following example:
user@host# set snmp v3 notify N1_all_tl1_informs type trap
SNMP Interaction with Juniper Networks Devices FAQs
This section presents frequently asked questions and answers related to how SNMP
interacts with Juniper Networks devices.
How frequently should a device be polled? What is a good polling rate?
It is difficult to give an absolute number for the rate of SNMP polls per second since the
rate depends on the following two factors:
• The number of variable bindings in a protocol data unit (PDU)
• The response time for an interface from the Packet Forwarding Engine
In a normal scenario where no delay is being introduced by the Packet Forwarding Engine
and there is one variable per PDU (a Get request), the response rate is 130+ responses
per second. However, with multiple variables in an SNMP request PDU (30 to 40 for
GetBulk requests), the number of responses per second is much lower. Because the Packet
Forwarding Engine load can vary for each system, there is greater variation in how
frequently a device should be polled.
Frequent polling of a large number of counters, especially statistics, can impact the
device. We recommend the following optimizations on the SNMP managers:
• Use the row-by-row polling method, not the column-by-column method.
• Reduce the number of variable bindings per PDU.
• Increase timeout values in polling and discovery intervals.
• Reduce the incoming packet rate at the SNMP process (snmpd).
For better SNMP response on the device, the Junos OS does the following:
• Filters out duplicate SNMP requests.
• Excludes interfaces that are slow in response from SNMP queries.
One way to determine a rate limit is to note an increase in the Currently Active count from
the show snmp statistics extensive command.
The following is a sample output of the show snmp statistics extensive command:
user@host> show snmp statistics extensive
SNMP statistics:
Input:
Packets: 226656, Bad versions: 0, Bad community names: 0,
Bad community uses: 0, ASN parse errors: 0,
Too bigs: 0, No such names: 0, Bad values: 0,
Read onlys: 0, General errors: 0,
Total request varbinds: 1967606, Total set varbinds: 0,
Get requests: 18478, Get nexts: 75794, Set requests: 0,
Get responses: 0, Traps: 0,
Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
Throttle drops: 27084, Duplicate request drops: 0
V3 Input:
Unknown security models: 0, Invalid messages: 0
Unknown pdu handlers: 0, Unavailable contexts: 0
Unknown contexts: 0, Unsupported security levels: 0
Not in time windows: 0, Unknown user names: 0
Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
Output:
Packets: 226537, Too bigs: 0, No such names: 0,
Bad values: 0, General errors: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 226155, Traps: 382
SA Control Blocks:
Total: 222984, Currently Active: 501, Max Active: 501,
Not found: 0, Timed Out: 0, Max Latency: 25
SA Registration:
Registers: 0, Deregisters: 0, Removes: 0
Trap Queue Stats:
Current queued: 0, Total queued: 0, Discards: 0, Overflows: 0
Trap Throttle Stats:
Current throttled: 0, Throttles needed: 0
Snmp Set Stats:
Commit pending failures: 0, Config lock failures: 0
Rpc failures: 0, Journal write failures: 0
Mgd connect failures: 0, General commit failures: 0
Does SNMP open dynamic UDP ports? Why?
The SNMP process opens two additional ports (sockets): one for IPv4 and one for IPv6.
This enables the SNMP process to send traps.
I am unable to perform a MIB walk on the ifIndex. Why is this?
Any variable bindings or values with an access level of not-accessible cannot be queried
directly because they are part of other variable bindings in the SNMP MIB table. The
ifIndex has an access level of not-accessible. Therefore, it cannot be accessed directly
because it is part of the variable bindings. However, the ifIndex can be accessed indirectly
through the variable bindings.
I see SNMP_IPC_READ_ERROR messages when the SNMP process restarts on my system
and also during Routing Engine switchover. Is this acceptable?
Yes, it is acceptable to see SNMP_IPC_READ_ERROR messages when the SNMP process
is restarted, the system reboots, or during a Routing Engine switchover. If all the processes
come up successfully and the SNMP operations are working properly, then these messages
can be ignored.
What is the source IP address used in the response PDUs for SNMP requests? Can this
be configured?
The source IP address used in the response PDUs for SNMP requests is the IP address
of the outgoing interface to reach the destination. The source IP address cannot be
configured for responses. It can only be configured for traps.
SNMP Traps and Informs FAQs
This section presents frequently asked questions and answers related to SNMP traps
and informs.
Does the Junos OS impose any rate limiting on SNMP trap generation?
The Junos OS implements a trap-queuing mechanism to limit the number of traps that
are generated and sent.
If a trap delivery fails, the trap is added back to the queue, and the delivery attempt
counter and the next delivery attempt timer for the queue are reset. Subsequent attempts
occur at progressive intervals of 1, 2, 4, and 8 minutes. The maximum delay between the
attempts is 8 minutes, and the maximum number of attempts is 10. After 10 unsuccessful
attempts, the destination queue and all traps in the queue are deleted.
Junos OS also has a throttle threshold mechanism to control the number of traps sent
(default 500 traps) during a particular throttle interval (default 5 seconds). This helps
ensure consistency in trap traffic, especially when a large number of traps are generated
due to interface status changes.
The throttle interval begins when the first trap arrives at the throttle. All traps within the
throttle threshold value are processed, and traps exceeding the threshold value are
queued. The maximum size of all trap queues (the throttle queue and the destination
queue) is 40,000 traps. The maximum size of any one queue is 20,000 traps. When a
trap is added to the throttle queue, or if the throttle queue has exceeded the maximum
size, the trap is moved to the top of the destination queue. Further attempts to send the
trap from the destination queue are stopped for a 30-second period, after which the
destination queue restarts sending the traps.
NOTE: For the Juniper Networks EX Series Ethernet Switch, the maximum
size of all trap queues (the throttle queue and the destination queue) is 1,000
traps. The maximum size for any one queue on the EX Series is 500 traps.
I did not see a trap when I had a syslog entry with a critical severity. Is this normal?
Can it be changed?
Not every syslog entry with critical severity is a trap. However, you can convert any syslog
entry to a trap using the event-options statement.
The following example shows how to configure a jnxSyslogTrap whenever an
rpd_ldp_nbrdown syslog entry message error occurs.
user@host> show event-options
policy snmptrap {
    events rpd_ldp_nbrdown;
    then {
        raise-trap;
    }
}
Are SNMP traps compliant with the Alarm Reporting Function (X.733) on the Junos
OS?
No, SNMP traps on the Junos OS are not X.733 compliant.
Can I set up filters for traps or informs?
Traps and informs can be filtered based on the trap category and the object identifier.
You can specify categories of traps to receive per host by using the categories statement
at the [edit snmp trap-group trap-group] hierarchy level. Use this option when you want
to monitor only specific modules of the Junos OS.
The following example shows a sample configuration for receiving only link, vrrp-events,
services, and otn-alarms traps:
[edit snmp]
trap-group jnpr {
    categories {
        link;
        vrrp-events;
        services;
        otn-alarms;
    }
    targets {
        192.168.69.179;
    }
}
The Junos OS also has a more advanced filter option (notify-filter) for filtering specific
traps or a group of traps based on their object identifiers.
The SNMPv3 configuration also supports filtering of SNMPv1 and SNMPv2 traps and
excluding Juniper Networks enterprise-specific configuration management traps, as
shown in the following configuration example:
[edit snmp]
v3 {
    vacm {
        security-to-group {
            security-model v2c {
                security-name sn_v2c_trap {
                    group gr_v2c_trap;
                }
            }
        }
        access {
            group gr_v2c_trap {
                default-context-prefix {
                    security-model v2c {
                        security-level none {
                            read-view all;
                            notify-view all;
                        }
                    }
                }
            }
        }
    }
    target-address TA_v2c_trap {
        address 10.209.196.166;
        port 9001;
        tag-list tg1;
        target-parameters TP_v2c_trap;
    }
    target-parameters TP_v2c_trap {
        parameters {
            message-processing-model v2c;
            security-model v2c;
            security-level none;
            security-name sn_v2c_trap;
        }
        notify-filter nf1;
    }
    notify v2c_notify {
        type trap;
        tag tg1;
    }
    notify-filter nf1 {
        oid .1.3.6.1.4.1.2636.4.5 exclude;
        oid .1 include;
    }
    snmp-community index1 {
        community-name "$9$tDLl01h7Nbw2axN"; ## SECRET-DATA
        security-name sn_v2c_trap;
        tag tg1;
    }
    view all {
        oid .1 include;
    }
}
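Because an exclude rule silently removes traps from what the NMS sees, it is worth checking offline which notifications the nf1 filter above lets through. The following Python sketch is an added example, not part of the Juniper documentation. It assumes the usual SNMP notification-filter rule that the most specific matching subtree decides and that an OID matching no subtree is not sent, it ignores subtree masks, and every trap OID other than linkDown is constructed.

```python
import re

# Constructed sample: the filter stanzas from the configuration above.
CONFIG = """
target-parameters TP_v2c_trap {
    notify-filter nf1;
}
notify-filter nf1 {
    oid .1.3.6.1.4.1.2636.4.5 exclude;
    oid .1 include;
}
"""

# Trap OIDs to test. linkDown is the standard OID; the others are constructed.
SAMPLE_TRAPS = {
    "linkDown": ".1.3.6.1.6.3.1.1.5.3",
    "under excluded subtree": ".1.3.6.1.4.1.2636.4.5.0.1",
    "sibling subtree 4.50": ".1.3.6.1.4.1.2636.4.50.0.1",
    "outside every subtree": ".2.1",
}


def parse_oid(text):
    """Turn '.1.3.6' or '1.3.6' into a tuple of integer sub-identifiers."""
    parts = text.strip().strip(".").split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    return tuple(int(p) for p in parts)


def parse_notify_filters(config):
    """Return {filter_name: [(subtree, 'include' | 'exclude'), ...]}.

    Only 'notify-filter NAME { ... }' definitions match; the reference
    'notify-filter NAME;' inside target-parameters is skipped.
    """
    filters = {}
    for name, body in re.findall(r"notify-filter\s+(\S+)\s*\{(.*?)\}", config, re.S):
        rules = re.findall(r"oid\s+(\S+)\s+(include|exclude)\s*;", body)
        filters[name] = [(parse_oid(oid), action) for oid, action in rules]
    return filters


def filter_decision(rules, trap_oid):
    """Most specific matching subtree wins; no match means the trap is not sent.

    Sub-identifiers are compared as integers, so subtree ...4.5 does not
    swallow ...4.50 the way a plain string-prefix test would.
    """
    oid = parse_oid(trap_oid)
    best = None
    for subtree, action in rules:
        if oid[:len(subtree)] == subtree:
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, action)
    return best[1] if best else "exclude"


def audit(config, filter_name, traps):
    """Map each trap label to 'include' or 'exclude' for one named filter."""
    rules = parse_notify_filters(config)[filter_name]
    return {label: filter_decision(rules, oid) for label, oid in traps.items()}


if __name__ == "__main__":
    for label, verdict in audit(CONFIG, "nf1", SAMPLE_TRAPS).items():
        print(f"{verdict:8} {label}")
```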
Can I simulate traps on a device?
Yes, you can use the request snmp spoof-trap trap name command for simulating a trap
to the NMS that normally receives your device’s traps. You can also add required values
using the variable-bindings parameter.
The following example shows how to simulate a trap to the local NMS using variable
bindings:
user@host> request snmp spoof-trap linkDown variable-bindings "ifIndex[116]=116,
ifAdminStatus[116]=1 ,ifOperStatus[116]=2 , ifName[116]=ge-1/0/1"
How do I generate a warm start SNMPv1 trap?
When the SNMP process is restarted under normal conditions, a warm start trap is
generated if the system up time is more than 5 minutes. If the system up time is less than
5 minutes, a cold start trap is generated.
The NMS sees only the MIB OIDs and numbers, but not the names of the SNMP traps.
Why?
Before the NMS can recognize the SNMP trap details, such as the names of the traps, it
must first compile and understand the MIBs and then parse the MIB OIDs.
In the Junos OS, how can I determine to which category a trap belongs?
For a list of common traps and their categories, see “Enterprise-Specific SNMP Traps
Supported by Junos OS” on page 156.
Can I configure a trap to include the source IP address?
Yes, you can configure the source-address, routing-instance, or logical-instance name for
the source IP address using the trap-options command:
user@host> show snmp trap-options
source-address 10.1.1.1;
Can I create a custom trap?
Yes, you can use the jnxEventTrap event script to create customized traps as needed.
In the following example, a Junos OS operations (op) script is triggered when a
UI_COMMIT_NOT_CONFIRMED event is received. The Junos OS op script matches the
complete message of the event and generates an SNMP trap.
Example: Junos OS Op Script
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

/* Arguments supplied by the event policy that invokes this script. */
param $event;
param $message;

match / {
    /*
     * trapm utility wants the following characters in the value to be escaped
     * '[', ']', ' ', '=', and ','
     */
    var $event-escaped = {
        call escape-string($text = $event, $vec = '[] =,');
    }
    var $message-escaped = {
        call escape-string($text = $message, $vec = '[] =,');
    }
    <op-script-results> {
        /* Attribute/value pair 1 carries the event name, pair 2 the message. */
        var $rpc = <request-snmp-spoof-trap> {
            <trap> "jnxEventTrap";
            <variable-bindings> "jnxEventTrapDescr[0]='Event-Trap' , "
                _ "jnxEventAvAttribute[1]='event' , "
                _ "jnxEventAvValue[1]='" _ $event-escaped _ "' , "
                _ "jnxEventAvAttribute[2]='message' , "
                _ "jnxEventAvValue[2]='" _ $message-escaped _ "'";
        }
        var $res = jcs:invoke($rpc);
    }
}

/* Escape each character listed in $vec, one character per recursion step. */
template escape-string ($text, $vec) {
    if (jcs:empty($vec)) {
        expr $text;
    } else {
        var $index = 1;
        var $from = substring($vec, $index, 1);
        var $changed-value = {
            call replace-string($text, $from) {
                with $to = {
                    expr "\\";
                    expr $from;
                }
            }
        }
        call escape-string($text = $changed-value, $vec = substring($vec, $index + 1));
    }
}

/* Replace every occurrence of $from in $text with $to. */
template replace-string ($text, $from, $to) {
    if (contains($text, $from)) {
        var $before = substring-before($text, $from);
        var $after = substring-after($text, $from);
        var $prefix = $before _ $to;
        expr $before;
        expr $to;
        call replace-string($text = $after, $from, $to);
    } else {
        expr $text;
    }
}
After creating your customized trap, you must configure a policy on your device to tell
the device what actions to take after it receives the trap.
Here is an example of a configured policy under the [edit event-options] hierarchy:
[edit event-options]
user@host> show
policy trap-on-event {
    events UI_COMMIT_NOT_CONFIRMED;
    attributes-match {
        UI_COMMIT_NOT_CONFIRMED.message matches complete;
    }
    then {
        event-script ev-syslog-trap.junos-op {
            arguments {
                event UI_COMMIT_NOT_CONFIRMED;
                message "{$$.message}";
            }
        }
    }
}
Can I disable link up and link down traps on interfaces?
Yes, link up and link down traps can be disabled in the interface configuration. To disable
the traps, use the no-traps statement at the [edit interfaces interface-name unit
logical-unit-number] and [edit logical-systems logical-system-name interfaces
interface-name unit logical-unit-number] hierarchies for physical and logical interfaces.
(traps | no-traps);
I see the link up traps on logical interfaces, but I do not see the link down traps. Is this
normal behavior?
For Ethernet and ATM types of interfaces, Junos OS does not send link down traps for a
logical interface if the physical interface is down to prevent flooding alarms for the same
root cause. However, when the physical interface and logical interfaces come back up,
traps are sent indicating link up. This is because the physical interface coming up does
not necessarily mean the logical interfaces are also coming up.
For SONET types of interfaces with PPP encapsulation, Junos OS does send link down
traps for a logical interface if the physical interface is down. When the physical interface
and logical interfaces come back up, traps are sent for both the physical and logical
interfaces indicating link up.
For SONET types of interfaces with HDLC encapsulation, Junos OS does not send link
down traps for a logical interface if the physical interface is down. When the physical
interface and logical interfaces come back up, traps are sent for both the physical and
logical interfaces indicating link up.
For channelized interfaces with PPP encapsulation, Junos OS does send link down traps
for a logical interface if the physical interface is down. When the physical interface and
logical interfaces come back up, traps are sent for both the physical and logical interfaces
indicating link up.
For channelized interfaces with HDLC encapsulation, Junos OS does not send link down
traps for a logical interface if the physical interface is down. When the physical interface
and logical interfaces come back up, traps are sent for both the physical and logical
interfaces indicating link up.
Junos OS Dual Routing Engine Configuration FAQs
This section presents frequently asked questions and answers related to the configuration
of dual Routing Engines.
The SNMP configuration should be identical between the Routing Engines when
configuring for continued communication. However, we recommend having separate
Routing Engine IDs configured for each Routing Engine, when using SNMPv3.
In my system, the MIB object snmpEngineBoots is not in sync between two Routing
Engines in a dual Routing Engine device. Is this normal behavior?
Yes. This is the normal behavior. Each Routing Engine runs its own SNMP process (snmpd)
agent, allowing each Routing Engine to maintain its own engine boots.
Is there a way to identify that an address belongs to RE0, RE1, or the master Routing
Engine management interface (fxp0) by looking at an SNMP walk?
No. When you do an SNMP walk on the device, it only displays the master Routing Engine
management interface address.
What is the best way to tell if the current IP address belongs to fxp0 or a Routing
Engine, from a CLI session?
Routing Engines are mapped with the fxp0 interface. This means that when you query
RE0, the ifTable reports the fxp0 interface address of RE0 only. Similarly, if you query
RE1, the ifTable reports the fxp0 interface address of RE1 only.
When there is a failover, the master hostname is changed since the hostname belongs
to the Routing Engine. Is this correct?
Yes. You can configure the same hostname or different hostnames. Either would work.
If only the master IP address is configured (for example, 192.168.2.5), and the sysDescr.0
object has the same string configured on both of the Routing Engines, then even after a
switchover, the sysDescr.0 object returns the same value. The following sample shows
the results you get by using the snmpget command:
bng-junos-pool02: /c/svivek/PR_BRANCH/src> snmpget -c jnpr -v2c 192.168.2.5 sysDescr.0
system.sysDescr.0 = foo
SNMP Support for Routing Instances FAQs
This section presents frequently asked questions and answers related to how SNMP
supports routing instances.
Can the SNMP manager access data for routing instances?
Yes, the Junos OS enables SNMP managers for all routing instances to request and
manage SNMP data related to the corresponding routing instances and logical system
networks.
Two different routing instance behaviors can occur, depending on where the clients
originate:
• Clients from routing instances other than the default can access MIB objects and
perform SNMP operations only on the logical system networks to which they belong.
• Clients from the default routing instance can access information related to all routing
instances and logical system networks.
Routing instances are identified by either the context field in SNMPv3 requests or encoded
in the community string in SNMPv1 or SNMPv2c requests.
When encoded in a community string, the routing instance name appears first and is
separated from the actual community string by the @ character.
To avoid conflicts with valid community strings that contain the @ character, the
community is parsed only if typical community string processing fails. For example, if a
routing instance named RI is configured, an SNMP request with RI@public is processed
within the context of the RI routing instance. Access control (including views, source
address restrictions, and access privileges) is applied according to the actual community
string (the set of data after the @ character—in this case public). However, if the
community string RI@public is configured, the PDU is processed according to that
community, and the embedded routing instance name is ignored.
Logical systems perform a subset of the actions of a physical router and have their own
unique routing tables, interfaces, policies, and routing instances. When a routing instance
is defined within a logical system, the logical system name must be encoded along with
the routing instance using a slash ( / ) to separate the two. For example, if the routing
instance RI is configured within the logical system LS, that routing instance must be
encoded within a community string as LS/RI@public. When a routing instance is configured
outside a logical system (within the default logical system), no logical system name, or
/ character, is needed.
Additionally, when a logical system is created, a default routing instance named default
is always created within the logical system. This name should be used when querying
data for that routing instance, for example LS/default@public. For SNMPv3 requests,
the name logical system/routing instance should be identified directly in the context field.
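The resolution order described above decides which context and which access-control entry a v1/v2c request lands in, so it is worth modelling when auditing community strings that contain the @ character. The following Python sketch is an added example, not Juniper code: all function names and sample data are constructed, splitting on the first @ is an assumption the text does not spell out, and a community that matches a configured string outright is modelled as carrying no embedded instance.

```python
from typing import NamedTuple, Optional


class Context(NamedTuple):
    logical_system: Optional[str]    # None = default logical system
    routing_instance: Optional[str]  # None = no instance taken from the string
    community: str                   # string that access control is applied to


def split_encoded(raw):
    """Split 'RI@community' or 'LS/RI@community'; return None if not encoded."""
    # Assumption: the first '@' is the separator.
    prefix, sep, community = raw.partition("@")
    if not (sep and prefix and community):
        return None
    logical_system, slash, instance = prefix.partition("/")
    if not slash:
        return (None, prefix, community)   # instance in the default logical system
    if not (logical_system and instance):
        return None                        # 'LS/@x' or '/RI@x' is malformed
    return (logical_system, instance, community)


def resolve(raw, communities, instances):
    """Return the Context a v1/v2c request is processed in, or None if rejected."""
    # Typical community processing comes first: an exact configured match wins
    # and any embedded routing-instance name is ignored.
    if raw in communities:
        return Context(None, None, raw)
    parsed = split_encoded(raw)
    if parsed is None:
        return None
    logical_system, instance, community = parsed
    # Access control follows the part after '@'; the instance must exist.
    if community not in communities or (logical_system, instance) not in instances:
        return None
    return Context(logical_system, instance, community)


def shadowing_communities(communities, instances):
    """Configured communities that would otherwise select a known instance."""
    hits = []
    for name in sorted(communities):
        parsed = split_encoded(name)
        if parsed and (parsed[0], parsed[1]) in instances:
            hits.append(name)
    return hits


# Constructed sample data: instance RI exists both in the default logical
# system and in logical system LS, which also has its automatic 'default'.
INSTANCES = {(None, "RI"), ("LS", "RI"), ("LS", "default")}
CLEAN = {"public"}
AMBIGUOUS = {"public", "RI@public"}

if __name__ == "__main__":
    for raw in ("public", "RI@public", "LS/RI@public", "LS/default@public", "RI@private"):
        print(f"{raw:20} clean={resolve(raw, CLEAN, INSTANCES)} "
              f"ambiguous={resolve(raw, AMBIGUOUS, INSTANCES)}")
    print("shadowing:", shadowing_communities(AMBIGUOUS, INSTANCES))
```

A non-empty result from shadowing_communities means a configured community string hides the instance-encoded form of another community, so requests that appear to target a routing instance are processed under the literal community instead.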
Can I access a list of all routing instances on a device?
Yes, you can access a list of all the routing instances on a device using the
vacmContextName object in the SNMP-VIEW-BASED-ACM MIB. In SNMP, each routing
instance becomes a VACM context; this is why the routing instances appear in the
vacmContextName object.
Can I access a default routing instance from a client in another logical router or routing
instance?
No, the SNMP agent can only access data of the logical router to which it is connected.
SNMP Counters FAQs
This section presents frequently asked questions and answers related to SNMP counters.
Which MIB should I use for interface counters?
Interface management over SNMP is based on two tables: the ifTable and its extension
the ifXTable. Both are described in RFC 1213, Management Information Base for Network
Management of TCP/IP-based internets: MIB-II and RFC 2233, The Interfaces Group MIB
using SMIv2.
Interfaces can have several layers, depending on the media, and each sublayer is
represented by a separate row in the table. The relationship between the higher layer
and lower layers is described in the ifStackTable.
The ifTable defines 32-bit counters for inbound and outbound octets
(ifInOctets/ifOutOctets), packets (ifInUcastPkts/ifOutUcastPkts, ifInNUcastPkts
/ifOutNUcastPkts), errors, and discards.
The ifXTable provides similar 64-bit counters, also called high capacity (HC) counters,
for inbound and outbound octets (ifHCInOctets/ifHCOutOctets) and inbound packets
(ifHCInUcastPkts).
When should 64-bit counters be used?
It is always good to use 64-bit counters because they contain statistics for both low and
high capacity components.
Are the SNMP counters ifInOctets and ifOutOctets the same as the command reference
show interfaces statistics in and out counters?
Yes, these are the same, but only if SNMP is enabled when the router boots up. If you
power on a Juniper Networks device and then enable SNMP, the SNMP counters start
from 0. SNMP counters do not automatically receive their statistics from the show
command output. Similarly, using the clear statistics command does not clear the
statistics that the SNMP counters collected, which can cause a discrepancy in the data
that is seen by both processes.
Do the SNMP counters ifInOctets and ifOutOctets include the framing overhead for
Point-to-Point Protocol (PPP) and High-Level Data Link Control (HDLC)?
Yes.
CHAPTER 8
SNMP MIBs and Traps Supported by Junos OS
• Enterprise-Specific SNMP MIBs Supported by Junos OS
• Standard SNMP MIBs Supported by Junos OS
• Standard SNMP Traps Supported by Junos OS
• Enterprise-Specific SNMP Traps Supported by Junos OS
Enterprise-Specific SNMP MIBs Supported by Junos OS
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX
Junos OS supports the enterprise-specific MIBs listed in Table 8 on page 117. For
information about enterprise-specific SNMP MIB objects, see the SNMP MIB Explorer.
Table 8: Enterprise-specific MIBs supported by Junos OS

AAA Objects MIB
Description: Provides support for monitoring user authentication, authorization, and accounting through the RADIUS, LDAP, SecurID, and local authentication servers.
Platforms: SRX Series and vSRX

Access Authentication Objects MIB
Description: Provides support for monitoring firewall authentication, including data about the users trying to access firewall-protected resources and the firewall authentication service itself.
Platforms: SRX Series and vSRX

Alarm MIB
Description: Provides information about alarms from the router chassis.
Platforms: All platforms

Analyzer MIB
Description: Provides information about analyzer and remote analyzer related to port mirroring on the EX Series Ethernet Switches. Port mirroring is a method used on enterprise switches to monitor and analyze traffic on the network. When port mirroring is enabled, copies of all (or a sample set of) packets are forwarded from one port of the switch to another port on the same switch (analyzer) or on another switch (remote analyzer) where the packet can be analyzed and studied.
Platforms: EX Series, QFabric system, and QFX Series

Antivirus Objects MIB
Description: Provides information about the antivirus engine, antivirus scans, and antivirus scan-related traps.
Platforms: SRX Series and vSRX

ATM Class-of-Service MIB
Description: Provides support for ATM interfaces and virtual connections.
Platforms: ACX Series, M Series, and T Series

ATM MIB
Description: Provides support for monitoring Asynchronous Transfer Mode, version 2 (ATM2) virtual circuit (VC) class-of-service (CoS) configurations. It also provides CoS queue statistics for all VCs that have CoS configured.
Platforms: M Series, SRX Series, T Series and vSRX

BGP4 V2 MIB
Description: Provides support for monitoring BGP peer-received prefix counters. It is based upon similar objects in the MIB documented in Internet draft draft-ietf-idr-bgp4-mibv2-03.txt, Definitions of Managed Objects for the Fourth Version of BGP (BGP-4), Second Version.
Platforms: All platforms

Bidirectional Forwarding Detection MIB
Description: Provides support for monitoring Bidirectional Forwarding Detection (BFD) sessions.
Platforms: All platforms

Chassis Cluster MIB
Description: Provides information about objects that are used whenever the state of the control link interfaces or fabric link interfaces changes (up to down or down to up) in a chassis cluster deployment.
Platforms: SRX Series and vSRX

Chassis Definitions for Router Model MIB
Description: Contains the object identifiers (OIDs) that are used by the Chassis MIB to identify platform and chassis components. The Chassis MIB provides information that changes often, whereas the Chassis Definitions for Router Model MIB provides information that changes less often.
Platforms: ACX Series, M Series, MX Series, PTX Series, QFX Series, SRX550, SRX1500, and T Series

Chassis MIBs
Description: Provides support for environmental monitoring (power supply state, board voltages, fans, temperatures, and air flow) and inventory support for the chassis, System Control Board (SCB), System and Switch Board (SSB), Switching and Forwarding Module (SFM), Switch Fabric Board (SFB), Flexible PIC Concentrators (FPCs), and PICs.
Platforms: All platforms

Class-of-Service MIB
Description: Provides support for monitoring interface output queue statistics per interface and per forwarding class.
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric system, QFX Series, SRX Series, T Series, and vSRX

Configuration Management MIB
Description: Provides notification for configuration changes as SNMP traps. Each trap contains the time at which the configuration change was committed, the name of the user who made the change, and the method by which the change was made. A history of the last 32 configuration changes is kept in jnxCmChgEventTable.
Platforms: All platforms

Destination Class Usage MIB
Description: Provides support for monitoring packet counts based on the ingress and egress points for traffic transiting your networks. Ingress points are identified by the input interface. Egress points are identified by destination prefixes grouped into one or more sets, known as destination classes. One counter is managed per interface per destination class, up to a maximum of 16 counters per interface.
Platforms: EX Series, M Series, SRX Series, T Series, and vSRX

DHCP MIB
Description: Provides SNMP support (get and trap) for DHCP local server and relay configurations. It also provides support for bindings and leases tables, and for statistics.
Platforms: M Series, MX Series, and T Series

DHCPv6 MIB
Description: Provides SNMP support (get and trap) for DHCPv6 local server and relay configurations. It also provides support for bindings and leases tables, and for statistics.
Platforms: M Series, MX Series, and T Series

Digital Optical Monitoring MIB
Description: Provides support for the SNMP Get request for statistics and SNMP Trap notifications for alarms.
Platforms: EX Series, M Series, MX Series, PTX Series, and T Series

DNS Objects MIB
Description: Provides support for monitoring DNS proxy queries, requests, responses, and failures.
Platforms: SRX Series and vSRX

Dynamic Flow Capture MIB
Description: Provides support for monitoring the operational status of dynamic flow capture (DFC) PICs.
Platforms: M Series and T Series

Ethernet MAC MIB
Description: Monitors media access control (MAC) statistics on Gigabit Ethernet intelligent queuing (IQ) interfaces. It collects MAC statistics; for example, inoctets, inframes, outoctets, and outframes on each source MAC address and virtual LAN (VLAN) ID for each Ethernet port.
Platforms: EX Series, M Series, MX Series, QFX Series, SRX300, SRX320, SRX340, SRX550, SRX1500 and T Series

Event MIB
Description: Defines a generic trap that can be generated using an op script or event policy. This MIB provides the ability to specify a system log string and raise a trap if that system log string is found.
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric system, QFX Series, SRX1500, SRX300, SRX320, SRX340, SRX550, and T Series

Experimental MIB
Description: Contains object identifiers for experimental MIBs.
Platforms: ACX Series, M Series, MX Series, and T Series

EX Series MAC Notification MIB
Description: Contains Juniper Networks' implementation of enterprise-specific MIB for Ethernet Mac Stats for EX Series.
Platforms: EX Series

EX Series SMI MIB
Description: Contains the Structure of Management Information for Juniper Networks EX Series platforms.
Platforms: EX Series

Firewall MIB
Description: Provides support for monitoring firewall filter counters. Routers must have the Internet Processor II ASIC to perform firewall monitoring.
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric system, QFX Series, SRX300, SRX320, SRX340, SRX550, SRX1500 and T Series

Flow Collection Services MIB
Description: Provides statistics on files, records, memory, FTP, and error states of a monitoring services interface. It also provides SNMP traps for unavailable destinations, unsuccessful file transfers, flow overloading, and memory overloading.
Platforms: M Series and T Series

GRE Keepalive Monitoring MIB
Description: Provides support for monitoring generic routing encapsulation (GRE) keepalive status. This MIB also provides an SNMP trap when GRE keepalive status changes.
Platforms: SRX Series and vSRX instances

Host Resources MIB
Description: Extends the hrStorageTable object, providing a measure of the usage of each file system on the router in percentage format. Previously, the objects in the hrStorageTable measured the usage in allocation units (hrStorageUsed and hrStorageAllocationUnits) only. Using the percentage measurement, you can more easily monitor and apply thresholds on usage.
Platforms: ACX Series, EX Series, M Series, MX Series, QFX Series, SRX300, SRX320, SRX340, SRX550, SRX1500 and T Series

Interface Accounting Forwarding Class MIB
Description: Extends the Juniper Enterprise Interface MIB and provides support for monitoring statistics data for interface accounting and IETF standardization.
Platforms: M Series, MX Series, SRX Series, and vSRX

Interface MIB
Description: Extends the standard ifTable (RFC 2863) with additional statistics and Juniper Networks enterprise-specific chassis information.
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric system, QFX Series, SRX300, SRX320, SRX340, SRX550, SRX1500 and T Series

IP Forward MIB
Description: Extends the standard IP Forwarding Table MIB (RFC 4292) to include CIDR forwarding information.
Platforms: All platforms

IPsec Generic Flow Monitoring Object MIB
Description: Based on jnx-ipsec-monitor-mib, this MIB provides support for monitoring IPsec and IPsec VPN management objects.
Platforms: SRX Series and vSRX

IPsec Monitoring MIB
Description: Provides operational and statistical information related to the IPsec and IKE tunnels on Juniper Networks routers.
Platforms: M Series, SRX Series, and T Series

IPsec VPN Objects MIB
Description: Provides support for monitoring IPsec and IPsec VPN management objects for Juniper security product lines. This MIB is an extension of jnx-ipsec-flow-mon.mib.
Platforms: SRX Series

IPv4 MIB
Description: Provides additional Internet Protocol version 4 (IPv4) address information, supporting the assignment of identical IPv4 addresses to separate interfaces.
Platforms: All platforms

IPv6 and ICMPv6 MIB
Description: Provides IPv6 and Internet Control Message Protocol version 6 (ICMPv6) statistics.
Platforms: M Series, MX Series, PTX Series, SRX Series, T Series, and vSRX

L2ALD MIB
Description: Contains information about the Layer 2 Address Learning Daemon (L2ALD) and related traps, such as the routing instance MAC limit trap and the interface MAC limit trap. This MIB also provides VLAN information in the jnxL2aldVlanTable table for Enhanced Layer 2 Software (ELS) EX Series and QFX Series switches.
NOTE: Non-ELS EX Series switches support the VLAN MIB (jnxExVlanTable table) for VLAN information instead of this MIB. See the SNMP MIB Explorer.
Platforms: EX Series, MX Series, QFX Series, and T Series

L2CP MIB
Description: Provides information about Layer 2 Control Protocols (L2CP) based features. Currently, Junos OS supports only the jnxDot1dStpPortRootProtectEnabled, jnxDot1dStpPortRootProtectState, and jnxPortRootProtectStateChangeTrap objects.
Platforms: MX Series

L2TP MIB
Description: Provides information about Layer 2 Transport Protocol (L2TP) tunnels and sessions.
Platforms: M Series, MX Series, and T Series

LDP MIB
Description: Provides LDP statistics and defines LDP label-switched path (LSP) notifications. LDP traps support only IPv4 standards.
Platforms: ACX Series, M Series, PTX Series, SRX Series, and T Series

License MIB
Description: Extends SNMP support to licensing information, and introduces SNMP traps that alert users when the licenses are about to expire, expire, or when the total number of users exceeds the number specified in the license.
Platforms: M Series, MX Series, SRX Series, and T Series

Logical Systems MIB
Description: Extends SNMP support to logical systems security profile through various MIBs defined under jnxLsysSecurityProfile.
Platforms: SRX Series

MIMSTP MIB
Description: Provides information about MSTP instances (that is, routing instances of type Virtual Switch/Layer 2 control, also known as virtual contexts), MSTIs within the MSTP instance, and VLANs associated with the MSTI.
Platforms: MX Series and T Series

MPLS LDP MIB
Description: Contains object definitions as described in RFC 3815, Definitions of Managed Objects for the Multiprotocol Label Switching (MPLS), Label Distribution Protocol (LDP).
NOTE: Objects in the MPLS LDP MIB were supported in earlier releases of Junos OS as a proprietary LDP MIB (mib-ldpmib.txt). Because the branch used by the proprietary LDP (mib-ldpmib.txt) conflicts with RFC 3812, the proprietary LDP MIB (mib-ldpmib.txt) has been deprecated and replaced by the enterprise-specific MPLS LDP MIB (mib-jnx-mpls-ldp.txt).
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, and T Series

MPLS MIB
Description: Provides MPLS information and defines MPLS notifications.
NOTE: To collect information about MPLS statistics on transit routers, use the enterprise-specific RSVP MIB (mib-jnx-rsvp.txt) instead of the enterprise-specific MPLS MIB (mib-jnx-mpls.txt).
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, and T Series

MVPN MIB
Description: Contains objects that enable SNMP manager to monitor MVPN connections on the provider edge routers. The enterprise-specific MVPN MIB is the Juniper Networks extension of the IETF standard MIBs defined in Internet draft draft-ietf-l3vpn-mvpn-mib-03.txt, MPLS/BGP Layer 3 VPN Multicast Management Information Base.
Platforms: All platforms

NAT Objects MIB
Description: Provides support for monitoring network address translation (NAT).
Platforms: EX Series and SRX Series

NAT Resources-Monitoring MIB
Description: Provides support for monitoring NAT pools usage and NAT rules. Notifications of usage of NAT resources are also provided by this MIB. This MIB is currently supported on the Multiservices PIC and Multiservices DPC on M Series and MX Series routers only.
Platforms: M Series and MX Series

OTN Interface Management MIB
Description: Defines objects for managing Optical Transport Network (OTN) interfaces on devices running Junos OS.
Platforms: M Series, MX Series, PTX Series, and T Series

Packet Forwarding Engine MIB
Description: Provides notification statistics for Packet Forwarding Engines.
Platforms: ACX Series, EX Series, M Series, PTX Series, SRX Series, and T Series

Packet Mirror MIB
Description: Enables you to capture and view packet mirroring-related information. This MIB is currently supported by Junos OS for MX Series routers only. Packet mirroring traps are an extension of the standard SNMP implementation and are only available to SNMPv3 users.
Platforms: MX Series

PAE Extension MIB
Description: Extends the standard IEEE802.1x PAE Extension MIB, and contains information for Static MAC Authentication.
Platforms: EX Series

Passive Monitoring MIB
Description: Performs traffic flow monitoring and lawful interception of packets transiting between two routers.
Platforms: M Series and T Series

Ping MIB
Description: Extends the standard Ping MIB control table (RFC 2925). Items in this MIB are created when entries are created in pingCtlTable of the Ping MIB. Each item is indexed exactly as it is in the Ping MIB.
Platforms: ACX Series, EX Series, M Series, MX Series, QFX Series, SRX Series, and T Series

Policy Objects MIB
Description: Provides support for monitoring the security policies that control the flow of traffic from one zone to another.
Platforms: SRX Series

Power Supply Unit MIB
Description: Enables monitoring and managing of the power supply on a device running Junos OS.
Platforms: EX Series and QFabric system

PPP MIB
Description: Provides SNMP support for PPP-related information such as the type of authentication used, interface characteristics, status, and statistics. This MIB is supported on Common Edge PPP process, jpppd.
Platforms: M Series and MX Series

PPPoE MIB
Description: Provides SNMP support for PPPoE-related information such as the type of authentication used, interface characteristics, status, and statistics. This MIB is supported on Common Edge PPPoE process, jpppoed.
Platforms: M Series and MX Series

Pseudowire ATM MIB
Description: Extends the standard Pseudowire MIB, and defines objects used for managing the ATM pseudowires in Juniper products. The enterprise-specific Pseudowire ATM MIB is the Juniper Networks implementation of RFC 5605, Managed Objects for ATM over Packet Switched Networks (PSNs).
Platforms: M Series and MX Series

Pseudowire TDM MIB
Extends the standard Pseudowire MIB,
and contains information about
configuration and statistics for specific
pseudowire types. The
enterprise-specific Pseudowire TDM MIB
is the Juniper Networks implementation
of the standard Managed Objects for
TDM over Packet Switched Network MIB
(draft-ietf-pwe3-tdm-mib-08.txt).
ACX Series, M Series, and T Series
PTP MIB
Monitors the operation of PTP clocks
within the network.
MX Series
Real-Time Performance Monitoring MIB
Provides real-time performance-related
data and enables you to access jitter
measurements and calculations using
SNMP.
EX Series, M Series, MX Series, SRX Series,
and T Series
Reverse-Path-Forwarding MIB
Monitors statistics for traffic that is
rejected because of
reverse-path-forwarding (RPF)
processing.
All platforms
RMON Events and Alarms MIB
Supports the Junos OS extensions to the
standard Remote Monitoring (RMON)
Events and Alarms MIB (RFC 2819). The
extension augments alarmTable with
additional information about each
alarm. Two new traps are also defined
to indicate when problems are
encountered with an alarm.
All platforms
RSVP MIB
Provides information about RSVP-traffic
engineering sessions that correspond to
MPLS LSPs on transit routers in the
service provider core network.
ACX Series, M Series, MX Series, PTX
Series, and T Series
NOTE: To collect information about
MPLS statistics on transit routers, use
the enterprise-specific RSVP MIB
(mib-jnx-rsvp.txt) instead of the
enterprise-specific MPLS MIB
(mib-jnx-mpls.txt).
Security Interface Extension Objects MIB
Provides support for the security
management of interfaces.
EX Series, SRX Series, and vSRX
Security Screening Objects MIB
Defines the MIB for the Juniper Networks
Enterprise Firewall screen functionality.
SRX Series and vSRX
Services PIC MIB
Provides statistics for Adaptive Services
(AS) PICs and defines notifications for
AS PICs.
M Series and T Series
SNMP IDP MIB
Contains Juniper Networks'
implementation of enterprise specific
MIB for IDP.
SRX Series and vSRX
SONET APS MIB
Monitors any SONET interface that
participates in Automatic Protection
Switching (APS).
M Series and T Series
SONET/SDH Interface Management MIB
Monitors the current alarm for each
SONET/SDH interface.
M Series and T Series
Source Class Usage MIB
Counts packets sent to customers by
performing a lookup on the IP source
address and the IP destination address.
The Source Class Usage (SCU) MIB
makes it possible to track traffic
originating from specific prefixes on the
provider core and destined for specific
prefixes on the customer edge.
M Series, T Series, and SRX Series
SPU Monitoring MIB
Provides support for monitoring SPUs
on SRX5600 and SRX5800 devices.
SRX Series and vSRX
Structure of Management Information
MIB
Explains how the Juniper Networks
enterprise-specific MIBs are structured.
ACX Series, EX Series, M Series, MX series,
QFX Series, SRX Series, T Series and vSRX
Structure of Management Information
MIB for EX Series Ethernet Switches
Defines a MIB branch for
switching-related MIB definitions for the
EX Series Ethernet Switches.
EX Series
Structure of Management Information
MIB for SRX Series
Contains object identifiers (OIDs) for the
security branch of the MIBs used in Junos
OS for SRX Series devices, services, and
traps.
SRX Series and vSRX
Subscriber MIB
Provides SNMP support for
subscriber-related information.
ACX Series, MX Series, and T Series
System Log MIB
Enables notification of an SNMP
trap-based application when an
important system log message occurs.
EX Series, M Series, MX Series, PTX Series,
QFX Series, SRX Series, and T Series
Traceroute MIB
Supports the Junos OS extensions of
traceroute and remote operations. Items
in this MIB are created when entries are
created in the traceRouteCtlTable of the
Traceroute MIB. Each item is indexed
exactly the same way as it is in the
Traceroute MIB.
EX Series, M Series, MX Series, SRX Series,
T Series, and vSRX
Tunnel Stats MIB
Supports monitoring of tunnel statistics
for IPV4 over IPV6 tunnels. This MIB
currently displays three counters: tunnel
count in rpd, tunnel count in Kernel, and
tunnel count in the Packet Forwarding
Engine.
All platforms
Utility MIB
Provides SNMP support for exposing the
Junos OS data and has tables that
contain information about each type of
data, such as integer and string.
EX Series, M Series, MX Series, QFabric
system, QFX Series, SRX Series, T Series,
and vSRX
Virtual Chassis MIB
Contains information about the virtual
chassis on the EX Series Ethernet
Switches and the MX Series.
EX Series and MX Series
VLAN MIB
Contains information about prestandard
IEEE 802.10 VLANs and their association
with LAN emulation clients.
EX Series and QFX Series
NOTE: For ELS EX Series switches and
QFX Series switches, VLAN information
is provided in the L2ALD MIB in the
jnxL2aldVlanTable table instead of in this
MIB. See the SNMP MIB Explorer for
details.
Non-ELS EX Series Ethernet switches
use the jnxExVlanTable table in this MIB
to provide VLAN configuration
information, and the jnxVlanTable table
in this MIB has been deprecated and is
no longer used.
VPLS MIBs
Provides information about generic,
BGP-based, and LDP-based VPLS, and
pseudowires associated with the VPLS
networks. The enterprise-specific VPLS
MIBs are Juniper Networks extensions
of the following IETF standard MIBs
defined in Internet draft
draft-ietf-l2vpn-vpls-mib-05.txt, and
are implemented as part of the
jnxExperiment branch:
• VPLS-Generic-Draft-01-MIB implemented as mib-jnx-vpls-generic.txt
• VPLS-BGP-Draft-01-MIB implemented as mib-jnx-vpls-bgp.txt
• VPLS-LDP-Draft-01-MIB implemented as mib-jnx-vpls-ldp.txt
M Series, MX Series, and T Series
VPN Certificate Objects MIB
Provides support for monitoring the local
and CA certificates loaded on the router.
EX Series, SRX Series, and vSRX
VPN MIB
Provides monitoring for Layer 3 VPNs,
Layer 2 VPNs, and virtual private LAN
service (VPLS) (read access only).
ACX Series, EX Series, M Series, MX Series,
and T Series
For information about enterprise-specific SNMP MIB objects, see the SNMP MIB Explorer.
Related Documentation
• Network Management and Monitoring Guide
• Standard SNMP MIBs Supported by Junos OS on page 128
• Enterprise-Specific SNMP Traps Supported by Junos OS on page 156
Standard SNMP MIBs Supported by Junos OS
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX
Junos OS supports the Standard MIBs listed in Table 9 on page 128.
NOTE: For details on SNMP MIB support on EX4600 switches, QFX Series
switches, and QFabric systems, see “SNMP MIBs Support” on page 226.
Table 9: Standard MIBs supported by Junos OS
Standard MIB
Exceptions
Platforms
IEEE 802.1ab section 12.1, Link
Layer Discovery Protocol (LLDP)
MIB
EX Series implementation of LLDP MIB supports both IPv4 and IPv6
configuration.
EX Series and MX
Series
IEEE, 802.3ad, Aggregation of Multiple Link Segments
Supported tables and objects:
• dot3adAggPortTable, dot3adAggPortListTable, dot3adAggTable, and dot3adAggPortStatsTable
NOTE: EX Series switches do not support the dot3adAggPortTable and dot3adAggPortStatsTable.
• dot3adAggPortDebugTable (only dot3adAggPortDebugRxState, dot3adAggPortDebugMuxState, dot3adAggPortDebugActorSyncTransitionCount, dot3adAggPortDebugPartnerSyncTransitionCount, dot3adAggPortDebugActorChangeCount, and dot3adAggPortDebugPartnerChangeCount)
NOTE: EX Series switches do not support the dot3adAggPortDebugTable.
• dot3adTablesLastChanged
EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, and vSRX
IEEE, 802.1ag, Connectivity Fault Management
Supported tables and objects:
• dot1agCfmMdTableNextIndex
• dot1agCfmMdTable (except dot1agCfmMdMhfldPermission)
• dot1agCfmMaNetTable
• dot1agCfmMaMepListTable
• dot1agCfmDefaultMdDefLevel
• dot1agCfmDefaultMdDefMhfCreation
• dot1agCfmMepTable (except dot1agCfmMepLbrBadMsdu, dot1agCfmMepTransmitLbmVlanPriority, dot1agCfmMepTransmitLbmVlanDropEnable, dot1agCfmMepTransmitLtmFlags, dot1agCfmMepPbbTeCanReportPbbTePresence, dot1agCfmMepPbbTeTrafficMismatchDefect, dot1agCfmMepPbbTransmitLbmLtmReverseVid, dot1agCfmMepPbbTeMismatchAlarm, dot1agCfmMepPbbTeLocalMismatchDefect, and dot1agCfmMepPbbTeMismatchSinceReset)
• dot1agCfmLtrTable (except dot1agCfmLtrChassisIdSubtype, dot1agCfmLtrChassisId, dot1agCfmLtrManAddressDomain, dot1agCfmLtrManAddress, dot1agCfmLtrIngressPortIdSubtype, dot1agCfmLtrIngressPortId, dot1agCfmLtrEgressPortIdSubtype, dot1agCfmLtrEgressPortId, and dot1agCfmLtrOrganizationSpecificTlv)
• dot1agCfmMepDbTable (except dot1agCfmMebDbChassisIdSubtype, dot1agCfmMebDbChassisId, dot1agCfmMebDbManAddressDomain, and dot1agCfmMebDbManAddress)
EX Series, MX Series, and QFX Series
IEEE, 802.1ap, Management
Information Base (MIB) definitions
for VLAN Bridges
Supported tables and objects:
MX Series
•
ieee8021CfmStackTable
•
ieee8021CfmVlanTable
•
ieee8021CfmDefaultMdTable (except
ieee8021CfmDefaultMdIdPermission)
•
ieee8021CfmMaCompTable (except
ieee8021CfmMaCompIdPermission)
RFC 1155, Structure and
Identification of Management
Information for TCP/IP-based
Internets
No exceptions
All platforms
RFC 1157, A Simple Network
Management Protocol (SNMP)
No exceptions
All platforms
RFC 1195, Use of OSI IS-IS for Routing in TCP/IP and Dual Environments
Supported tables and objects:
• isisSystem
• isisMANAreaAddr
• isisAreaAddr
• isisSysProtSupp
• isisSummAddr
• isisCirc
• isisCircLevel
• isisPacketCount
• isisISAdj
• isisISAdjAreaAddr
• isisAdjIPAddr
• isisISAdjProtSupp
• isisRa
• isisIPRA
All platforms
RFC 1212, Concise MIB Definitions
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 1213, Management Information
Base for Network Management of
TCP/IP-Based Internets: MIB-II
Junos OS supports the following areas:
ACX Series, EX
Series, M Series,
MX Series, PTX
Series, SRX Series,
and T Series
•
MIB II and its SNMP version 2 derivatives, including:
•
Statistics counters
•
IP, except for ipRouteTable, which has been replaced by
ipCidrRouteTable (RFC 2096, IP Forwarding Table MIB)
•
SNMP management
•
Interface management
•
SNMPv1 Get, GetNext requests, and version 2 GetBulk request
•
Junos OS-specific secured access list
•
Master configuration keywords
•
Reconfigurations upon SIGHUP
RFC 1215, A Convention for Defining
Traps for use with the SNMP
Junos OS supports only MIB II SNMP version 1 traps and version 2
notifications.
ACX Series, EX
Series, M Series,
MX Series, PTX
Series, SRX Series,
and T Series
RFC 1406, Definitions of Managed
Objects for the DS1 and E1 Interface
Types
Junos OS supports T1 MIB.
ACX Series, M
Series, SRX Series,
and T Series
RFC 1407, Definitions of Managed
Objects for the DS3/E3 Interface
Type
Junos OS supports T3 MIB.
M Series and T
Series
RFC 1471, Definitions of Managed
Objects for the Link Control
Protocol of the Point-to-Point
Protocol
Supported tables and objects:
M Series, MX
Series, and PTX
Series
•
pppLcp 1 object
•
pppLinkStatusTable table
•
pppLinkConfigTable table
RFC 1657, Definitions of Managed
Objects for the Fourth Version of
the Border Gateway Protocol
(BGP-4) using SMIv2
No exceptions
ACX Series, EX
Series, M Series,
MX Series, and T
Series
RFC 1695, Definitions of Managed
Objects for ATM Management
Version 8.0 Using SMIv2
No exceptions
ACX Series, M
Series, PTX Series,
and T Series
RFC 1850, OSPF Version 2
Management Information Base
Unsupported tables, objects, and traps:
ACX Series, EX
Series, M Series,
MX Series, PTX
Series, SRX Series,
and T Series
•
ospfOriginateNewLsas object
•
ospfRxNewLsas object
•
The host table
•
ospfOriginateLSA trap
ospfLsdbOverflow trap
ospfLsdbApproachingOverflow trap
RFC 1901, Introduction to
Community-based SNMPv2
No exceptions
All platforms
RFC 2011, SNMPv2 Management
Information Base for the Internet
Protocol Using SMIv2
No exceptions
ACX Series, EX
Series, M Series,
MX Series, PTX
Series, and T Series
RFC 2012, SNMPv2 Management
Information Base for the
Transmission Control Protocol
Using SMIv2
No exceptions
ACX Series, EX
Series, M Series,
MX Series, PTX
Series, SRX Series,
and T Series
RFC 2013, SNMPv2 Management
Information Base for the User
Datagram Protocol Using SMIv2
No exceptions
ACX Series, EX
Series, M Series,
MX Series, PTX
Series, SRX Series,
and T Series
RFC 2024, Definitions of Managed
Objects for Data Link Switching
Using SMIv2
Unsupported tables, objects, and traps with read-only access:
M Series, MX
Series, and T Series
•
dlswInterface object group
dlswSdlc object group
dlswDirLocateMacTable table
dlswDirNBTable table
dlswDirLocateNBTable table
dlswCircuitDiscReasonLocal tabular object
dlswCircuitDiscReasonRemote tabular object
dlswDirMacCacheNextIndex scalar object
dlswDirNBCacheNextIndex scalar object
RFC 2096, IP Forwarding Table MIB
NOTE: RFC 2096 has been
replaced by RFC 4292. However,
Junos OS currently supports both
RFC 2096 and RFC 4292.
The ipCidrRouteTable has been extended to include the tunnel name
when the next hop is through an RSVP-signaled LSP.
ACX Series, EX
Series, M Series,
MX Series, PTX
Series, SRX Series,
and T Series
RFC 2115, Management Information Base for Frame Relay DTEs Using SMIv2
Unsupported table and objects:
• frCircuitTable
• frErrTable
M Series, MX Series, SRX Series, and T Series
RFC 2233, The Interfaces Group MIB Using SMIv2
NOTE: RFC 2233 has been replaced by RFC 2863, IF MIB. However, Junos OS supports both RFC 2233 and RFC 2863.
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2287, Definitions of System-Level Managed Objects for Applications
Supported tables and objects:
• sysApplInstallPkgTable
• sysApplInstallElmtTable
• sysApplElmtRunTable
• sysApplMapTable
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2465, Management
Information Base for IP Version 6:
Textual Conventions and General
Group (except for IPv6 interface
statistics)
Junos OS does not support IPv6 interface statistics.
ACX Series, M
Series, MX Series,
PTX Series, SRX
Series, and T Series
RFC 2495, Definitions of Managed Objects for the DS1, E1, DS2, and E2 Interface Types
Unsupported tables, objects, and traps:
• dsx1FarEndConfigTable
• dsx1FarEndCurrentTable
• dsx1FarEndIntervalTable
• dsx1FarEndTotalTable
• dsx1FracTable
ACX Series, M Series, SRX Series, and T Series
RFC 2515, Definitions of Managed Objects for ATM Management
Unsupported table and objects:
• atmVpCrossConnectTable
• atmVcCrossConnectTable
• aal5VccTable
ACX Series, M Series, and T Series
RFC 2570, Introduction to Version 3 of the Internet-standard Network Management Framework
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2571, An Architecture for Describing SNMP Management Frameworks (read-only access)
NOTE: RFC 2571 has been replaced by RFC 3411. However, Junos OS supports both RFC 2571 and RFC 3411.
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2572, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) (read-only access)
NOTE: RFC 2572 has been replaced by RFC 3412. However, Junos OS supports both RFC 2572 and RFC 3412.
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2576, Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework
NOTE: RFC 2576 has been replaced by RFC 3584. However, Junos OS supports both RFC 2576 and RFC 3584.
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2578, Structure of Management Information Version 2 (SMIv2)
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2579, Textual Conventions for SMIv2
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2580, Conformance Statements for SMIv2
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2662, Definitions of Managed Objects for ADSL Lines
No exceptions
M Series, MX Series, SRX Series, and T Series
RFC 2665, Definitions of Managed Objects for the Ethernet-like Interface Types
NOTE: The list of managed objects specified in RFC 2665 has been updated by RFC 3635 by including information useful for the management of 10-Gigabit per second Ethernet interfaces.
For M Series, T Series, and MX Series, the SNMP counters do not count the Ethernet header and frame check sequence (FCS). Therefore, the Ethernet header bytes and the FCS bytes are not included in the following four tables:
• ifInOctets
• ifOutOctets
• ifHCInOctets
• ifHCOutOctets
However, the EX switches adhere to RFC 2665.
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol
Unsupported table and objects:
• vrrpStatsPacketLengthErrors
NOTE: Junos OS does not support this standard for row creation and the Set operation.
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2790, Host Resources MIB
Supported tables and objects:
• hrStorageTable
NOTE: The file systems /, /config, /var, and /tmp always return the same index number. When SNMP restarts, the index numbers for the remaining file systems might change.
• hrSystem group
• hrSWInstalled group
• hrProcessorTable
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2819, Remote Network Monitoring Management Information Base
Supported tables and objects:
• etherStatsTable (for Ethernet interfaces only), alarmTable, eventTable, and logTable are supported on all devices running Junos OS.
• historyControlTable and etherHistoryTable (except etherHistoryUtilization object) are supported only on EX Series switches.
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2863, The Interfaces Group MIB
NOTE: RFC 2863 replaces RFC 2233. However, Junos OS supports both RFC 2233 and RFC 2863.
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2864, The Inverted Stack Table Extension to the Interfaces Group MIB
No exceptions
M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2922, The Physical Topology (PTOPO) MIB
Supported objects:
• ptopoConnDiscAlgorithm
• ptopoConnAgentNetAddrType
• ptopoConnAgentNetAddr
• ptopoConnMultiMacSASeen
• ptopoConnMultiNetSASeen
• ptopoConnIsStatic
• ptopoConnLastVerifyTime
• ptopoConnRowStatus
EX Series and SRX Series
RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations
Supported tables and objects:
• pingCtlTable
• pingResultsTable
• pingProbeHistoryTable
• pingMaxConcurrentRequests
• traceRouteCtlTable
• traceRouteResultsTable
• traceRouteProbeHistoryTable
• traceRouteHopsTable
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2932, IPv4 Multicast Routing
MIB
No exceptions
ACX Series, EX
Series, M Series,
MX Series, PTX
Series, SRX Series,
and T Series
RFC 2934, Protocol Independent Multicast MIB for IPv4
NOTE: In Junos OS, RFC 2934 is implemented based on a draft version, pimmib.mib, of the now standard RFC.
Support for the pimNeighborLoss trap was added in Release 11.4.
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 2981, Event MIB
No exceptions
ACX Series, M Series, MX Series, PTX Series, and T Series
RFC 3014, Notification Log MIB
No exceptions
ACX Series, M Series, MX Series, PTX Series, and T Series
RFC 3019, IP Version 6 Management Information Base for The Multicast Listener Discovery Protocol
No exceptions
M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3410, Introduction and
Applicability Statements for
Internet-Standard Management
Framework
No exceptions
ACX Series, EX
Series, M Series,
MX Series, PTX
Series, SRX Series,
and T Series
RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
NOTE: RFC 3411 replaces RFC 2571. However, Junos OS supports both RFC 3411 and RFC 2571.
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3412, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
NOTE: RFC 3412 replaces RFC 2572. However, Junos OS supports both RFC 3412 and RFC 2572.
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3413, Simple Network Management Protocol (SNMP) Applications
Unsupported tables and objects:
• Proxy MIB
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3414, User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3415, View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3416, Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
NOTE: RFC 3416 replaces RFC 1905, which was supported in earlier versions of Junos OS.
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3417, Transport Mappings for the Simple Network Management Protocol (SNMP)
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3418, Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
NOTE: RFC 3418 replaces RFC 1907, which was supported in earlier versions of Junos OS.
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3498, Definitions of Managed Objects for Synchronous Optical Network (SONET) Linear Automatic Protection Switching (APS) Architectures (implemented under the Juniper Networks enterprise branch [jnxExperiment])
No exceptions
M Series and T Series
RFC 3584, Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework
No exceptions
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3591 Managed Objects for the Optical Interface Type
Supported tables and objects:
• optIfOTMnTable (except optIfOTMnOpticalReach, optIfOTMnInterfaceType, and optIfOTMnOrder)
• optIfOChConfigTable (except optIfOChDirectionality and optIfOChCurrentStatus)
• optIfOTUkConfigTable (except optIfOTUkTraceIdentifierAccepted, optIfOTUkTIMDetMode, optIfOTUkTIMActEnabled, optIfOTUkTraceIdentifierTransmitted, optIfOTUkDEGThr, optIfOTUkDEGM, optIfOTUkSinkAdaptActive, and optIfOTUkSourceAdaptActive)
• optIfODUkConfigTable (except optIfODUkPositionSeqCurrentSize and optIfODUkTtpPresent)
M Series, MX Series, PTX Series, and T Series
RFC 3592, Definitions of Managed
Objects for the Synchronous
Optical Network/Synchronous
Digital Hierarchy (SONET/SDH)
Interface Type
No exceptions
M Series, MX
Series, and T Series
RFC 3621, Power Ethernet MIB
No exceptions
EX Series
RFC 3635, Definitions of Managed Objects for the Ethernet-like Interface Types
Unsupported tables and objects:
• dot3StatsRateControlAbility
• dot3StatsRateControlStatus in dot3StatsEntry table
NOTE: The values of the following objects in dot3HCStatsEntry table will be always zero for both 32-bit counters and 64-bit counters:
• dot3HCStatsSymbolErrors
• dotHCStatsInternalMacTransmitErrors
MX Series
RFC 3637, Definitions of Managed Objects for the Ethernet WAN Interface Sublayer
Unsupported tables and objects:
• etherWisDeviceTable
• etherWisSectionCurrentTable
• etherWisFarEndPathCurrentTable
M Series, MX Series, PTX Series, and T Series
RFC 3811, Definitions of Textual Conventions (TCs) for Multiprotocol Label Switching (MPLS) Management
No exceptions
ACX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3812, Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Management Information Base (MIB) (read-only access)
MPLS tunnels as interfaces are not supported.
mplsTunnelCHopTable is supported on ingress routers only.
NOTE: The branch used by the proprietary LDP MIB (ldpmib.mib) conflicts with RFC 3812. ldpmib.mib has been deprecated and replaced by jnx-mpls-ldp.mib.
Unsupported tables and objects:
• mplsTunnelResourceMeanRate in TunnelResource table
• mplsTunnelResourceMaxBurstSize in TunnelResource table
• mplsTunnelResourceMeanBurstSize in TunnelResource table
• mplsTunnelResourceExBurstSize in TunnelResource table
• mplsTunnelResourceWeight in TunnelResource table
• mplsTunnelPerfTable
• mplsTunnelCRLDPResTable
ACX Series, M Series, MX Series, PTX Series, and T Series
RFC 3813, Multiprotocol Label Switching (MPLS) Label Switching Router (LSR) Management Information Base (MIB)
Unsupported tables and objects (read-only access):
• mplsInterfacePerfTable
• mplsInSegmentPerfTable
• mplsOutSegmentPerfTable
• mplsInSegmentMapTable
• mplsXCUp
• mplsXCDown
ACX Series, M Series, MX Series, PTX Series, SRX Series, and T Series
RFC 3826, The Advanced
Encryption Standard (AES) Cipher
Algorithm in the SNMP User-based
Security Model
No exceptions
ACX Series, EX
Series, M Series,
MX Series, PTX
Series, SRX Series,
and T Series
RFC 3877, Alarm Management
Information Base
•
Junos OS does not support the alarmActiveStatsTable.
MX Series
•
Traps that do not conform to the alarm model are not supported.
However, these traps can be redefined to conform to the alarm
model.
RFC 3896, Definitions of Managed Objects for the DS3/E3 Interface Type
Unsupported tables and objects:
• dsx3FarEndConfigTable
• dsx3FarEndCurrentTable
• dsx3FarEndIntervalTable
• dsx3FarEndTotalTable
• dsx3FracTable
M Series and T Series
RFC 4087, IP Tunnel MIB
Describes MIB objects in the following tables for managing tunnels of any type over IPv4 and IPv6 networks:
• tunnelIfTable—Provides information about the tunnels known to a router.
• tunnelInetConfigTable—Assists dynamic creation of tunnels and provides mapping from end-point addresses to the current interface index value.
NOTE: Junos OS supports MAX-ACCESS of read-only for all the MIB objects in tunnelIfTable and tunnelInetConfigTable tables.
M Series, MX Series, and T Series
RFC 4133, Entity MIB
Unsupported tables and objects:
• entityLogicalGroup table
• entPhysicalMfgDate and entPhysicalUris objects in entityPhysical2Group table
• entLPMappingTable and entPhysicalContainsTable in entityMappingGroup table
• entityNotoficationsGroup table
Only MX240, MX480, and MX960 routers, and EX2200 and EX3300 switches
RFC 4188, Definitions of Managed Objects for Bridges
• Supports 802.1D STP(1998)
• Supported subtrees and objects:
• dot1dStp subtree is supported on MX Series 3D Universal Edge Routers.
• dot1dTpFdbAddress, dot1dTpFdbPort, and dot1dTpFdbStatus objects from the dot1dTpFdbTable of the dot1dTp subtree are supported on EX Series Ethernet Switches.
• dot1dTpLearnedEntryDiscards and dot1dTpAgingTime objects are supported on M Series and T Series routers.
MX Series, EX Series, and M Series and T Series
RFC 4268, Entity State MIB
No exceptions
Only MX240,
MX480, and
MX960 routers,
and EX2200 and
EX3300 switches
RFC 4273, Definitions of Managed Objects for BGP-4
Supported tables and objects:
• jnxBgpM2PrefixInPrefixesAccepted
• jnxBgpM2PrefixInPrefixesRejected
ACX Series, EX Series, M Series, MX Series, SRX Series, and T Series
RFC 4292, IP Forwarding MIB
Supported tables and objects:
• inetCidrRouteTable
• inetCidrRouteNumber
• inetCidrRouteDiscards
NOTE: Junos OS currently supports these MIB objects that will be deprecated in future releases: ipCidrRouteTable, ipCidrRouteNumber, and ipCidrRouteDiscards.
ACX Series, EX Series, M Series, MX Series, PTX Series, and T Series
RFC 4293, Management
Information Base for the Internet
Protocol (IP)
Supports only the mandatory groups.
MX Series and EX
Series
RFC 4318, Definitions of Managed
Objects for Bridges with Rapid
Spanning Tree Protocol
Supports 802.1w and 802.1t extensions for RSTP.
EX Series, M Series,
MX Series, and T
Series
RFC 4363b, Q-Bridge VLAN MIB
No exceptions
MX Series and EX
Series
RFC 4382, MPLS/BGP Layer 3
Virtual Private Network (VPN) MIB
Supported tables and objects:
EX Series, M Series,
MX Series, PTX
Series, and T Series
•
mplsL3VpnActiveVrfs
•
mplsL3VpnConfiguredVrfs
•
mplsL3VpnConnectedInterfaces
•
mplsL3VpnVrfConfMidRteThresh
•
mplsL3VpnVrfConfHighRteThresh
•
mplsL3VpnIfConfRowStatus
•
mplsL3VpnIllLblRcvThrsh
•
mplsL3VpnNotificationEnable
•
mplsL3VpnVrfConfMaxPossRts
•
mplsL3VpnVrfConfRteMxThrshTime
•
mplsL3VpnVrfOperStatus
•
mplsL3VpnVrfPerfCurrNumRoutes
•
mplsL3VpnVrfPerfTable
•
mplsL3VpnVrfRteTable
•
mplsVpnVrfRTTable
•
mplsL3VpnVrfTable
•
mplsL3VpnIfConfTable
RFC 4444, IS-IS MIB
No exceptions
ACX Series, EX
Series, M Series,
MX Series, PTX
Series, SRX Series,
and T Series
RFC 4668, RADIUS Accounting
Client Management Information
Base (MIB) for IPv6 (read-only
access)
No exceptions
MX Series
RFC 4670, RADIUS Accounting
Client Management Information
Base (MIB) (read-only access)
No exceptions
MX Series
RFC 4801, Definitions of Textual
Conventions for Generalized
Multiprotocol Label Switching
(GMPLS) Management Information
Base (MIB) (read-only access)
No exceptions
M Series, MX
Series, and T Series
RFC 4802, Generalized Multiprotocol Label Switching (GMPLS) Traffic Engineering (TE) Management Information Base (MIB) (read-only access)
Unsupported tables and objects:
• gmplsTunnelReversePerfTable
• gmplsTeScalars
• gmplsTunnelTable
• gmplsTunnelARHopTable
• gmplsTunnelCHopTable
• gmplsTunnelErrorTable
M Series, MX Series, and T Series
RFC 4803, Generalized Multiprotocol Label Switching (GMPLS) Label Switching Router (LSR) Management Information Base (MIB) (read-only access)
NOTE: The tables in GMPLS TE (RFC 4802) and LSR (RFC 4803) MIBs are extensions of the corresponding tables from the MPLS TE (RFC 3812) and LSR (RFC 3813) MIBs and use the same index as the MPLS MIB tables.
Unsupported tables and objects:
• gmplsLabelTable
• gmplsOutsegmentTable
M Series, MX Series, and T Series
RFC 5132, IP Multicast MIB
NOTE: This RFC obsoletes RFC2932.
Unsupported table:
• ipMcastZoneTable
All platforms
143

RFC 5643, Management Information Base for OSPFv3 (read-only access)
Exceptions: Unsupported tables and objects:
• ospfv3HostTable
• ospfv3CfgNbrTable
• ospfv3ExitOverflowInterval
• ospfv3ReferenceBandwidth
• ospfv3RestartSupport
• ospfv3RestartInterval
• ospfv3RestartStrictLsaChecking
• ospfv3RestartStatus
• ospfv3RestartAge
• ospfv3RestartExitReason
• ospfv3NotificationEnable
• ospfv3StubRouterSupport
• ospfv3StubRouterAdvertisement
• ospfv3DiscontinuityTime
• ospfv3RestartTime
• ospfv3AreaNssaTranslatorRole
• ospfv3AreaNssaTranslatorState
• ospfv3AreaNssaTranslatorStabInterval
• ospfv3AreaNssaTranslatorEvents
• ospfv3AreaTEEnabled
• ospfv3IfMetricValue
• ospfv3IfDemandNbrProbe
Platforms: M Series, MX Series, PTX Series, SRX Series, and T Series

RFC 6527, Definitions of Managed Objects for the Virtual Router Redundancy Protocol Version 3 (VRRPv3)
Exceptions:
• Row creation
• The Set operation
• Unsupported tables and objects:
  • vrrpv3StatisticsRowDiscontinuityTime
  • vrrpv3StatisticsPacketLengthErrors
Platforms: ACX Series

RFC 7420, Path Computation Element Communication
Exceptions: The PCEP MIB module is limited to "read-only" access except for pcePcepNotificationsMaxRate, which is used to throttle the rate at which the implementation generates notifications. Of the tables in this MIB, only the PCEP peer table and the PCEP session table are supported in this release.
For pcePcepPeerTable, the following members are not supported:
• pcePcepPeerDiscontinuityTime TimeStamp,
• pcePcepPeerLWMRspTime Unsigned32,
• pcePcepPeerHWMRspTime Unsigned32,
• pcePcepPeerNumPCReqSent Counter32,
• pcePcepPeerNumPCReqRcvd Counter32,
• pcePcepPeerNumPCRepSent Counter32,
• pcePcepPeerNumPCRepRcvd Counter32,
• pcePcepPeerAvgRspTime Unsigned32,
• pcePcepPeerNumReqSent Counter32,
• pcePcepPeerNumReqSentEroRcvd Counter32,
• pcePcepPeerNumReqSentErrorRcvd Counter32,
• pcePcepPeerNumReqSentTimeout Counter32,
• pcePcepPeerNumReqSentPendRep Counter32,
• pcePcepPeerNumReqSentCancelSent Counter32,
• pcePcepPeerNumReqSentClosed Counter32,
• pcePcepPeerNumReqRcvd Counter32,
• pcePcepPeerNumPCNtfSent Counter32,
• pcePcepPeerNumPCNtfRcvd Counter32,
• pcePcepPeerNumSvecSent Counter32,
• pcePcepPeerNumSvecReqSent Counter32,
• pcePcepPeerNumSvecRcvd Counter32,
• pcePcepPeerNumSvecReqRcvd Counter32,
• pcePcepPeerNumReqRcvdPendRep Counter32,
• pcePcepPeerNumReqRcvdEroSent Counter32,
• pcePcepPeerNumReqRcvdNoPathSent Counter32,
• pcePcepPeerNumReqRcvdCancelSent Counter32,
• pcePcepPeerNumReqRcvdErrorSent Counter32,
• pcePcepPeerNumReqRcvdCancelRcvd Counter32,
• pcePcepPeerNumReqRcvdClosed Counter32,
• pcePcepPeerNumRepRcvdUnknown Counter32,
• pcePcepPeerNumReqRcvdUnknown Counter32,
• pcePcepPeerNumReqSentNoPathRcvd Counter32,
• pcePcepPeerNumReqSentCancelRcvd Counter32
For pcePcepSessTable, the following members are not supported:
• pcePcepSessNumPCReqSent Counter32,
• pcePcepSessNumPCReqRcvd Counter32,
• pcePcepSessKAHoldTimeRem Unsigned32,
• pcePcepSessOverloaded TruthValue,
• pcePcepSessOverloadTime Unsigned32,
• pcePcepSessPeerOverloaded TruthValue,
• pcePcepSessPeerOverloadTime Unsigned32,
• pcePcepSessNumPCNtfSent Counter32,
• pcePcepSessNumPCNtfRcvd Counter32,
• pcePcepSessNumReqSent Counter32,
• pcePcepSessNumReqSentPendRep Counter32,
• pcePcepSessNumReqSentEroRcvd Counter32,
• pcePcepSessNumReqSentNoPathRcvd Counter32,
• pcePcepSessNumReqSentCancelRcvd Counter32,
• pcePcepSessNumReqSentErrorRcvd Counter32,
• pcePcepSessNumReqSentTimeout Counter32,
• pcePcepSessNumReqSentCancelSent Counter32,
• pcePcepSessAvgRspTime Unsigned32,
• pcePcepSessLWMRspTime Unsigned32,
• pcePcepSessHWMRspTime Unsigned32,
• pcePcepSessNumSvecSent Counter32,
• pcePcepSessNumSvecReqSent Counter32,
• pcePcepSessNumReqRcvd Counter32,
• pcePcepSessNumSvecRcvd Counter32,
• pcePcepSessNumSvecReqRcvd Counter32,
• pcePcepSessNumReqRcvdPendRep Counter32,
• pcePcepSessNumReqRcvdEroSent Counter32,
• pcePcepSessNumReqRcvdNoPathSent Counter32,
• pcePcepSessNumReqRcvdCancelSent Counter32,
• pcePcepSessNumReqRcvdErrorSent Counter32,
• pcePcepSessNumReqRcvdCancelRcvd Counter32,
• pcePcepSessNumRepRcvdUnknown Counter32,
• pcePcepSessNumReqRcvdUnknown Counter32
Platforms: MX Series and PTX Series

ESO Consortium MIB, which can be found at http://www.snmp.com/eso/
NOTE: The ESO Consortium MIB has been replaced by RFC 3826.
Exceptions: No exceptions
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

Internet Assigned Numbers Authority, IANAiftype Textual Convention MIB
Exceptions: No exceptions
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

Internet draft draft-ietf-atommib-sonetaps-mib-10.txt, Definitions of Managed Objects for SONET Linear APS Architectures
Exceptions: As defined under the Juniper Networks enterprise branch [jnxExperiment] only
Platforms: M Series, MX Series, and T Series

Internet draft draft-ietf-bfd-mib-02.txt, Bidirectional Forwarding Detection Management Information Base
Exceptions: (Represented by mib-jnx-bfd-exp.txt and implemented under the Juniper Networks enterprise branch [jnxExperiment]. Read only. Includes bfdSessUp and bfdSessDown traps. Does not support bfdSessPerfTable and bfdSessMapTable.)
Platforms: ACX Series, EX Series, M Series, MX Series, SRX Series, and T Series

Internet draft draft-ietf-idmr-igmp-mib-13.txt, Internet Group Management Protocol (IGMP) MIB
Exceptions: No exceptions
Platforms: EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

Internet draft draft-ietf-idmr-pim-mib-09.txt, Protocol Independent Multicast (PIM) MIB
Exceptions: No exceptions
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

Internet draft draft-ietf-isis-wg-mib-07.txt, Management Information Base for IS-IS
NOTE: Replaced with RFC 4444, IS-IS MIB in Junos OS Release 11.3 and later.
Exceptions: Unsupported tables and objects:
• isisISAdjTable
• isisISAdjAreaAddrTable
• isisISAdjIPAddrTable
• isisISAdjProtSuppTable
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

Internet draft draft-ietf-l3vpn-mvpn-mib-03.txt, MPLS/BGP Layer 3 VPN Multicast Management Information Base
Exceptions: (Implemented under the Juniper Networks enterprise branch [jnxExperiment]. OID for jnxMvpnExperiment is .1.3.6.1.4.1.2636.5.12. Read only. Includes jnxMvpnNotifications traps.)
Platforms: M Series, MX Series, and T Series

Internet draft draft-ietf-mpls-mldp-mib-02.txt, Definitions of Managed Objects for the LDP Point-to-Multipoint and Multipoint-to-Multipoint Label Switched Paths
Exceptions: Unsupported tables and objects:
• mplsMldpInterfaceStatsTable
Also, the following fields of the mplsMldpFecUpstreamSessTable are not implemented because these statistics are not currently supported in LDP or PFE:
• mplsMldpFecUpstreamSessPackets
• mplsMldpFecUpstreamSessBytes
• mplsMldpFecUpstreamSessDiscontinuityTime
Platforms: M Series, MX Series, PTX Series, and T Series

Internet draft draft-ietf-mpls-p2mp-te-mib-09.txt, P2MP MPLS-TE MIB (read-only access)
Exceptions: Unsupported table:
• mplsTeP2mpTunnelBranchPerfTable
Platforms: ACX Series, M Series, MX Series, PTX Series, and T Series

Internet draft draft-ietf-ospf-ospfv3-mib-11.txt, Management Information Base for OSPFv3
Exceptions: Support for ospfv3NbrTable only.
Platforms: M Series, MX Series, PTX Series, SRX Series, and T Series

Internet draft draft-ietf-ppvpn-mpls-vpn-mib-04.txt, MPLS/BGP Virtual Private Network Management Information Base Using SMIv2
Exceptions: Supported tables and objects:
• mplsVpnScalars
• mplsVpnVrfTable
• mplsVpnPerTable
• mplsVpnVrfRouteTargetTable
Platforms: M Series, MX Series, PTX Series, and T Series

Internet draft draft-reeder-snmpv3-usm-3desede-00.txt, Extension to the User-Based Security Model (USM) to Support Triple-DES EDE in ‘Outside’ CBC Mode
Exceptions: No exceptions
Platforms: ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, and T Series

For information about standard SNMP MIB objects, see the SNMP MIB Explorer.
Related Documentation
• Enterprise-Specific SNMP MIBs Supported by Junos OS
• Network Management and Monitoring Guide
Standard SNMP Traps Supported by Junos OS
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series, vSRX
This topic provides the list of standard SNMPv1 and SNMPv2 traps supported by devices running Junos OS. For more information about traps, see the SNMP MIB Explorer.
Standard SNMP Version 1 Traps
Table 10 provides an overview of the standard traps for SNMPv1. The traps are organized first by trap category and then by trap name, and include their enterprise ID, generic trap number, and specific trap number. System logging severity levels, with their corresponding system log tags, are listed for those traps that have them. Traps that do not have corresponding system logging severity levels are marked with an en dash (–) in the table.
For more information about system log messages, see the System Log Explorer. For more information about configuring system logging, see the Junos OS System Basics Configuration Guide.
Table 10: Standard Supported SNMP Version 1 Traps

| Defined in | Trap Name | Enterprise ID | Generic Trap Number | Specific Trap Number | System Logging Severity Level | Syslog Tag | Supported On |
|---|---|---|---|---|---|---|---|
| Startup Notifications | | | | | | | |
| RFC 1215, Conventions for Defining Traps for Use with the SNMP | authenticationFailure | 1.3.6.1.4.1.2636 | 4 | 0 | Notice | SNMPD_TRAP_GEN_FAILURE | All devices running Junos OS. |
| | coldStart | 1.3.6.1.4.1.2636 | 0 | 0 | Critical | SNMPD_TRAP_COLD_START | All devices running Junos OS. |
| | warmStart | 1.3.6.1.4.1.2636 | 1 | 0 | Error | SNMPD_TRAP_WARM_START | All devices running Junos OS. |
| Link Notifications | | | | | | | |
| RFC 1215, Conventions for Defining Traps for Use with the SNMP | linkDown | 1.3.6.1.4.1.2636 | 2 | 0 | Warning | SNMP_TRAP_LINK_DOWN | All devices running Junos OS. |
| | linkUp | 1.3.6.1.4.1.2636 | 3 | 0 | Info | SNMP_TRAP_LINK_UP | All devices running Junos OS. |
| Remote Operations Notifications | | | | | | | |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | pingProbeFailed | 1.3.6.1.2.1.80.0 | 6 | 1 | Info | SNMP_TRAP_PING_PROBE_FAILED | All devices running Junos OS. |
| | pingTestFailed | 1.3.6.1.2.1.80.0 | 6 | 2 | Info | SNMP_TRAP_PING_TEST_FAILED | All devices running Junos OS. |
| | pingTestCompleted | 1.3.6.1.2.1.80.0 | 6 | 3 | Info | SNMP_TRAP_PING_TEST_COMPLETED | All devices running Junos OS. |
| | traceRoutePathChange | 1.3.6.1.2.1.81.0 | 6 | 1 | Info | SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE | All devices running Junos OS. |
| | traceRouteTestFailed | 1.3.6.1.2.1.81.0 | 6 | 2 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_FAILED | All devices running Junos OS. |
| | traceRouteTestCompleted | 1.3.6.1.2.1.81.0 | 6 | 3 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED | All devices running Junos OS. |
| RMON Alarms | | | | | | | |
| RFC 2819a, RMON MIB | fallingAlarm | 1.3.6.1.2.1.16 | 6 | 2 | – | – | All devices running Junos OS. |
| | risingAlarm | 1.3.6.1.2.1.16 | 6 | 1 | – | – | All devices running Junos OS. |
| Routing Notifications | | | | | | | |
| BGP 4 MIB | bgpEstablished | 1.3.6.1.2.1.15.7 | 6 | 1 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | bgpBackwardTransition | 1.3.6.1.2.1.15.7 | 6 | 2 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| OSPF TRAP MIB | ospfVirtIfStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 1 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfNbrStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 2 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfVirtNbrStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 3 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfIfConfigError | 1.3.6.1.2.1.14.16.2 | 6 | 4 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfVirtIfConfigError | 1.3.6.1.2.1.14.16.2 | 6 | 5 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfIfAuthFailure | 1.3.6.1.2.1.14.16.2 | 6 | 6 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfVirtIfAuthFailure | 1.3.6.1.2.1.14.16.2 | 6 | 7 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfIfRxBadPacket | 1.3.6.1.2.1.14.16.2 | 6 | 8 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfVirtIfRxBadPacket | 1.3.6.1.2.1.14.16.2 | 6 | 9 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfTxRetransmit | 1.3.6.1.2.1.14.16.2 | 6 | 10 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfVirtIfTxRetransmit | 1.3.6.1.2.1.14.16.2 | 6 | 11 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfMaxAgeLsa | 1.3.6.1.2.1.14.16.2 | 6 | 13 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| | ospfIfStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 16 | – | – | M, T, MX, J, EX, and SRX Series devices. |
| VRRP Notifications | | | | | | | |
| RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol | vrrpTrapNewMaster | 1.3.6.1.2.1.68 | 6 | 1 | Warning | VRRPD_NEWMASTER_TRAP | All devices running Junos OS. |
| | vrrpTrapAuthFailure | 1.3.6.1.2.1.68 | 6 | 2 | Warning | VRRPD_AUTH_FAILURE_TRAP | All devices running Junos OS. |
| RFC 6527, Definitions of Managed Objects for the Virtual Router Redundancy Protocol Version 3 (VRRPv3) | vrrpv3NewMaster | 1.3.6.1.2.1.207 | 6 | 1 | Warning | VRRPD_NEW_MASTER | M and MX |
| | vrrpv3ProtoError | 1.3.6.1.2.1.207 | 6 | 2 | Warning | VRRPD_V3_PROTO_ERROR | M and MX |

Standard SNMP Version 2 Traps
Table 11 provides an overview of the standard SNMPv2 traps supported by the Junos OS. The traps are organized first by trap category and then by trap name, and include their snmpTrapOID. System logging severity levels, with their corresponding system log tags, are listed for those traps that have them. Traps that do not have corresponding system logging severity levels are marked with an en dash (–) in the table.
Table 11: Standard Supported SNMP Version 2 Traps

| Defined in | Trap Name | snmpTrapOID | System Logging Severity Level | Syslog Tag | Supported On |
|---|---|---|---|---|---|
| Startup Notifications | | | | | |
| RFC 1907, Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2) | coldStart | 1.3.6.1.6.3.1.1.5.1 | Critical | SNMPD_TRAP_COLD_START | All devices running Junos OS. |
| | warmStart | 1.3.6.1.6.3.1.1.5.2 | Error | SNMPD_TRAP_WARM_START | All devices running Junos OS. |
| | authenticationFailure | 1.3.6.1.6.3.1.1.5.5 | Notice | SNMPD_TRAP_GEN_FAILURE | All devices running Junos OS. |
| Link Notifications | | | | | |
| RFC 2863, The Interfaces Group MIB | linkDown | 1.3.6.1.6.3.1.1.5.3 | Warning | SNMP_TRAP_LINK_DOWN | All devices running Junos OS. |
| | linkUp | 1.3.6.1.6.3.1.1.5.4 | Info | SNMP_TRAP_LINK_UP | All devices running Junos OS. |
| Remote Operations Notifications | | | | | |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | pingProbeFailed | 1.3.6.1.2.1.80.0.1 | Info | SNMP_TRAP_PING_PROBE_FAILED | All devices running Junos OS. |
| | pingTestFailed | 1.3.6.1.2.1.80.0.2 | Info | SNMP_TRAP_PING_TEST_FAILED | All devices running Junos OS. |
| | pingTestCompleted | 1.3.6.1.2.1.80.0.3 | Info | SNMP_TRAP_PING_TEST_COMPLETED | All devices running Junos OS. |
| | traceRoutePathChange | 1.3.6.1.2.1.81.0.1 | Info | SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE | All devices running Junos OS. |
| | traceRouteTestFailed | 1.3.6.1.2.1.81.0.2 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_FAILED | All devices running Junos OS. |
| | traceRouteTestCompleted | 1.3.6.1.2.1.81.0.3 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED | All devices running Junos OS. |
| RMON Alarms | | | | | |
| RFC 2819a, RMON MIB | fallingAlarm | 1.3.6.1.2.1.16.0.1 | – | – | All devices running Junos OS. |
| | risingAlarm | 1.3.6.1.2.1.16.0.2 | – | – | All devices running Junos OS. |
| Routing Notifications | | | | | |
| BGP 4 MIB | bgpEstablished | 1.3.6.1.2.1.15.7.1 | – | – | All devices running Junos OS. |
| | bgpBackwardTransition | 1.3.6.1.2.1.15.7.2 | – | – | All devices running Junos OS. |
| OSPF Trap MIB | ospfVirtIfStateChange | 1.3.6.1.2.1.14.16.2.1 | – | – | All devices running Junos OS. |
| | ospfNbrStateChange | 1.3.6.1.2.1.14.16.2.2 | – | – | All devices running Junos OS. |
| | ospfVirtNbrStateChange | 1.3.6.1.2.1.14.16.2.3 | – | – | All devices running Junos OS. |
| | ospfIfConfigError | 1.3.6.1.2.1.14.16.2.4 | – | – | All devices running Junos OS. |
| | ospfVirtIfConfigError | 1.3.6.1.2.1.14.16.2.5 | – | – | All devices running Junos OS. |
| | ospfIfAuthFailure | 1.3.6.1.2.1.14.16.2.6 | – | – | All devices running Junos OS. |
| | ospfVirtIfAuthFailure | 1.3.6.1.2.1.14.16.2.7 | – | – | All devices running Junos OS. |
| | ospfIfRxBadPacket | 1.3.6.1.2.1.14.16.2.8 | – | – | All devices running Junos OS. |
| | ospfVirtIfRxBadPacket | 1.3.6.1.2.1.14.16.2.9 | – | – | All devices running Junos OS. |
| | ospfTxRetransmit | 1.3.6.1.2.1.14.16.2.10 | – | – | All devices running Junos OS. |
| | ospfVirtIfTxRetransmit | 1.3.6.1.2.1.14.16.2.11 | – | – | All devices running Junos OS. |
| | ospfMaxAgeLsa | 1.3.6.1.2.1.14.16.2.13 | – | – | All devices running Junos OS. |
| | ospfIfStateChange | 1.3.6.1.2.1.14.16.2.16 | – | – | All devices running Junos OS. |
| MPLS Notifications | | | | | |
| RFC 3812, Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Management Information Base | mplsTunnelUp | | | | |
| | mplsTunnelDown | | | | |
| | mplsTunnelRerouted | | | | |
| | mplsTunnelReoptimized | | | | |
| Entity State MIB Notifications | | | | | |
| RFC 4268, Entity State MIB | entStateOperEnabled | 1.3.6.1.2.1.131.0.1 | Notice | CHASSISD_SNMP_TRAP3 | MX240, MX480, and MX960 |
| | entStateOperDisabled | 1.3.6.1.2.1.131.0.2 | Notice | CHASSISD_SNMP_TRAP3 | MX240, MX480, and MX960 |
| L3VPN Notifications | | | | | |
| RFC 4382, MPLS/BGP Layer 3 Virtual Private Network (VPN) | mplsL3VpnVrfUp | | | | |
| | mplsL3VpnVrfDown | | | | |
| | mplsL3VpnVrfRouteMidThreshExceeded | | | | |
| | mplsL3VpnVrfNumVrfRouteMaxThreshExceeded | | | | |
| | mplsL3VpnNumVrfRouteMaxThreshCleared | | | | |
| VRRP Notifications | | | | | |
| RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol | vrrpTrapNewMaster | 1.3.6.1.2.1.68.0.1 | Warning | VRRPD_NEWMASTER_TRAP | All devices running Junos OS. |
| | vrrpTrapAuthFailure | 1.3.6.1.2.1.68.0.2 | Warning | VRRPD_AUTH_FAILURE_TRAP | All devices running Junos OS. |
| RFC 6527, Definitions of Managed Objects for the Virtual Router Redundancy Protocol Version 3 (VRRPv3) | vrrpv3NewMaster | 1.3.6.1.2.1.207.0.1 | Warning | VRRPD_NEW_MASTER | M and MX |
| | vrrpv3ProtoError | 1.3.6.1.2.1.207.0.2 | Warning | VRRPD_V3_PROTO_ERROR | M and MX |

Related Documentation
• Enterprise-Specific SNMP Traps Supported by Junos OS
• Enterprise-Specific SNMP MIBs Supported by Junos OS
• Standard SNMP MIBs Supported by Junos OS
• Configuring SNMP Trap Options and Groups on a Device Running Junos OS
• Managing Traps and Informs
Enterprise-Specific SNMP Traps Supported by Junos OS
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, T Series
This topic provides the list of Juniper Networks enterprise-specific SNMPv1 and SNMPv2 traps supported on devices running Junos OS. For more information about traps, see the SNMP MIB Explorer.
• Juniper Networks Enterprise-Specific SNMP Version 1 Traps
• Juniper Networks Enterprise-Specific SNMP Version 2 Traps
Juniper Networks Enterprise-Specific SNMP Version 1 Traps
The Junos OS supports the enterprise-specific SNMP version 1 traps shown in Table 12. The traps are organized first by trap category and then by trap name. The system logging severity levels are listed for those traps that have them. Traps that do not have corresponding system logging severity levels are marked with an en dash (–).
For more information about system log messages, see the Junos OS System Log Reference for Security Devices.
Table 12: Juniper Networks Enterprise-Specific Supported SNMP Version 1 Traps

| Defined in | Trap Name | Enterprise ID | Generic Trap Number | Specific Trap Number | System Logging Severity Level | System Log Tag | Supported On |
|---|---|---|---|---|---|---|---|
| Chassis Notifications (Alarm Conditions) | | | | | | | |
| Chassis MIB (jnx-chassis.mib) | jnxPowerSupplyFailure | 1.3.6.1.4.1.2636.4.1 | 6 | 1 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFanFailure | 1.3.6.1.4.1.2636.4.1 | 6 | 2 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxOverTemperature | 1.3.6.1.4.1.2636.4.1 | 6 | 3 | Alert | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxRedundancySwitchOver | 1.3.6.1.4.1.2636.4.1 | 6 | 4 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruRemoval | 1.3.6.1.4.1.2636.4.1 | 6 | 5 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruInsertion | 1.3.6.1.4.1.2636.4.1 | 6 | 6 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruPowerOff | 1.3.6.1.4.1.2636.4.1 | 6 | 7 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruPowerOn | 1.3.6.1.4.1.2636.4.1 | 6 | 8 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruFailed | 1.3.6.1.4.1.2636.4.1 | 6 | 9 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruOffline | 1.3.6.1.4.1.2636.4.1 | 6 | 10 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruOnline | 1.3.6.1.4.1.2636.4.1 | 6 | 11 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruCheck | 1.3.6.1.4.1.2636.4.1 | 6 | 12 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFEBSwitchover | 1.3.6.1.4.1.2636.4.1 | 6 | 13 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxHardDiskFailed | 1.3.6.1.4.1.2636.4.1 | 6 | 14 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxHardDiskMissing | 1.3.6.1.4.1.2636.4.1 | 6 | 15 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxPowerSupplyOk | 1.3.6.1.4.1.2636.4.2 | 6 | 1 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFanOK | 1.3.6.1.4.1.2636.4.2 | 6 | 2 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxTemperatureOK | 1.3.6.1.4.1.2636.4.2 | 6 | 3 | Alert | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| Configuration Notifications | | | | | | | |
| Configuration Management MIB (jnxconfigmgmt.mib) | jnxCmCfgChange | 1.3.6.1.4.1.2636.4.5 | 6 | 1 | – | – | All devices running Junos OS. |
| | jnxCmRescueChange | 1.3.6.1.4.1.2636.4.5 | 6 | 2 | – | – | All devices running Junos OS. |
| Link Notifications | | | | | | | |
| Flow Collection Services MIB (jnx-coll.mib) | jnxCollUnavailableDest | 1.3.6.1.4.1.2636.4.8 | 6 | 1 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollUnavailableDestCleared | 1.3.6.1.4.1.2636.4.8 | 6 | 2 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollUnsuccessfulTransfer | 1.3.6.1.4.1.2636.4.8 | 6 | 3 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFlowOverload | 1.3.6.1.4.1.2636.4.8 | 6 | 4 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFlowOverloadCleared | 1.3.6.1.4.1.2636.4.8 | 6 | 5 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollMemoryUnavailable | 1.3.6.1.4.1.2636.4.8 | 6 | 6 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollMemoryAvailable | 1.3.6.1.4.1.2636.4.8 | 6 | 7 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFtpSwitchover | 1.3.6.1.4.1.2636.4.8 | 6 | 8 | – | – | Devices that run Junos OS and have collector PICs installed. |
| Passive Monitoring MIB (jnx-pmon.mib) | jnxPMonOverloadSet | 1.3.6.1.4.1.2636.4.7.0.1 | 6 | 1 | – | – | Devices that run Junos OS and have PICs that support passive monitoring installed. |
| | jnxPMonOverloadCleared | 1.3.6.1.4.1.2636.4.7.0.2 | 6 | 2 | – | – | Devices that run Junos OS and have PICs that support passive monitoring installed. |
| SONET APS MIB (jnxsonetaps.mib) | apsEventChannelMismatch | 1.3.6.1.4.1.2636.3.24.2 | 6 | 3 | – | – | Devices that run Junos OS and have SONET PICs installed. |
| | apsEventPSBF | 1.3.6.1.4.1.2636.3.24.2 | 6 | 4 | – | – | Devices that run Junos OS and have SONET PICs installed. |
| | apsEventFEPLF | 1.3.6.1.4.1.2636.3.24.2 | 6 | 5 | – | – | Devices that run Junos OS and have SONET PICs installed. |
| Remote Operations | | | | | | | |
| PING MIB (jnx-ping.mib) | jnxPingRttThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 1 | – | – | All devices running Junos OS. |
| | jnxPingRttStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 2 | – | – | All devices running Junos OS. |
| | jnxPingRttJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 3 | – | – | All devices running Junos OS. |
| | jnxPingEgressThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 4 | – | – | All devices running Junos OS. |
| | jnxPingEgressStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 5 | – | – | All devices running Junos OS. |
| | jnxPingEgressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 6 | – | – | All devices running Junos OS. |
| | jnxPingIngressThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 7 | – | – | All devices running Junos OS. |
| | jnxPingIngressStddevThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 8 | – | – | All devices running Junos OS. |
| | jnxPingIngressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 9 | – | – | All devices running Junos OS. |
| Routing Notifications | | | | | | | |
| BFD Experimental MIB (jnx-bfdexp.mib) | bfdSessUp | 1.3.6.1.4.1.2636.5.3.1 | 6 | 1 | – | – | All devices running Junos OS. |
| | bfdSessDown | 1.3.6.1.4.1.2636.5.3.1 | 6 | 2 | – | – | All devices running Junos OS. |
| LDP MIB (jnx-ldp.mib) | jnxLdpLspUp | 1.3.6.1.4.1.2636.4.4 | 6 | 1 | – | – | M, T, and MX Series routers. |
| | jnxLdpLspDown | 1.3.6.1.4.1.2636.4.4 | 6 | 2 | – | – | M, T, and MX Series routers. |
| | jnxLdpSesUp | 1.3.6.1.4.1.2636.4.4 | 6 | 3 | – | – | M, T, and MX Series routers. |
| | jnxLdpSesDown | 1.3.6.1.4.1.2636.4.4 | 6 | 4 | – | – | M, T, and MX Series routers. |
| MPLS MIB (jnx-mpls.mib) | mplsLspUp (Deprecated) | 1.3.6.1.4.1.2636.3.2.4 | 6 | 1 | – | – | |
| | mplsLspDown (Deprecated) | 1.3.6.1.4.1.2636.3.2.4 | 6 | 2 | – | – | |
| | mplsLspChange (Deprecated) | 1.3.6.1.4.1.2636.3.2.4 | 6 | 3 | – | – | |
| | mplsLspPathDown (Deprecated) | 1.3.6.1.4.1.2636.3.2.4 | 6 | 4 | – | – | |
| VPN MIB (jnx-vpn.mib) | jnxVpnIfUp | 1.3.6.1.4.1.2636.3.26 | 6 | 1 | – | – | M, T, and MX Series routers. |
| | jnxVpnIfDown | 1.3.6.1.4.1.2636.3.26 | 6 | 2 | – | – | M, T, and MX Series routers. |
| | jnxVpnPwUp | 1.3.6.1.4.1.2636.3.26 | 6 | 3 | – | – | M, T, and MX Series routers. |
| | jnxVpnPwDown | 1.3.6.1.4.1.2636.3.26 | 6 | 4 | – | – | M, T, and MX Series routers. |
| RMON Alarms | | | | | | | |
| RMON MIB (jnx-rmon.mib) | jnxRmonAlarmGetFailure | 1.3.6.1.4.1.2636.4.3 | 6 | 1 | – | – | All devices running Junos OS. |
| | jnxRmonGetOk | 1.3.6.1.4.1.2636.4.3 | 6 | 2 | – | – | All devices running Junos OS. |
| SONET Alarms | | | | | | | |
| SONET MIB (jnx-sonet.mib) | jnxSonetAlarmSet | 1.3.6.1.4.1.2636.4.6 | 6 | 1 | – | – | Devices that run Junos OS and have SONET PICs installed. |
| | jnxSonetAlarmCleared | 1.3.6.1.4.1.2636.4.6 | 6 | 2 | – | – | Devices that run Junos OS and have SONET PICs installed. |

Juniper Networks Enterprise-Specific SNMP Version 2 Traps
The Junos OS supports the enterprise-specific SNMP version 2 traps shown in Table 13. The traps are organized first by trap category and then by trap name. The system logging severity levels are listed for those traps that have them. Traps that do not have corresponding system logging severity levels are marked with an en dash (–).
For more information about system messages, see the System Log Explorer. For more information about configuring system logging, see the Junos OS Administration Library for Routing Devices.
Table 13: Juniper Networks Enterprise-Specific Supported SNMP Version 2 Traps

| Source MIB | Trap Name | snmpTrapOID | System Logging Severity Level | System Log Tag | Supported On |
|---|---|---|---|---|---|
| Chassis (Alarm Conditions) Notifications | | | | | |
| Chassis MIB (jnx-chassis.mib) | jnxPowerSupplyFailure | 1.3.6.1.4.1.2636.4.1.1 | Alert | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFanFailure | 1.3.6.1.4.1.2636.4.1.2 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxOverTemperature | 1.3.6.1.4.1.2636.4.1.3 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruNotifAdminStatus | | Notice | | |
| | jnxFruNotifMismatch | | Notice | | |
| | jnxFruNotifOperStatus | | Notice | | |
| | jnxRedundancySwitchOver | 1.3.6.1.4.1.2636.4.1.4 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruRemoval | 1.3.6.1.4.1.2636.4.1.5 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruInsertion | 1.3.6.1.4.1.2636.4.1.6 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruPowerOff | 1.3.6.1.4.1.2636.4.1.7 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruPowerOn | 1.3.6.1.4.1.2636.4.1.8 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruFailed | 1.3.6.1.4.1.2636.4.1.9 | Warning | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruOffline | 1.3.6.1.4.1.2636.4.1.10 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruOnline | 1.3.6.1.4.1.2636.4.1.11 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFruCheck | 1.3.6.1.4.1.2636.4.1.12 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFEBSwitchover | 1.3.6.1.4.1.2636.4.1.13 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxHardDiskFailed | 1.3.6.1.4.1.2636.4.1.14 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxHardDiskMissing | 1.3.6.1.4.1.2636.4.1.15 | Notice | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxPowerSupplyOK | 1.3.6.1.4.1.2636.4.2.1 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxFanOK | 1.3.6.1.4.1.2636.4.2.2 | Critical | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| | jnxTemperatureOK | 1.3.6.1.4.1.2636.4.2.3 | Alert | CHASSISD_SNMP_TRAP | All devices running Junos OS. |
| Configuration Notifications | | | | | |
| Configuration Management MIB (jnxcfgmgmt.mib) | jnxCmCfgChange | 1.3.6.1.4.1.2636.4.5.0.1 | – | – | All devices running Junos OS. |
| | jnxCmRescueChange | 1.3.6.1.4.1.2636.4.5.0.2 | – | – | All devices running Junos OS. |
| Link Notifications | | | | | |
| Flow Collection Services MIB (jnx-coll.mib) | jnxCollUnavailableDest | 1.3.6.1.4.1.2636.4.8.0.1 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollUnavailableDestCleared | 1.3.6.1.4.1.2636.4.8.0.2 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollUnsuccessfulTransfer | 1.3.6.1.4.1.2636.4.8.0.3 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFlowOverload | 1.3.6.1.4.1.2636.4.8.0.4 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFlowOverloadCleared | 1.3.6.1.4.1.2636.4.8.0.5 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollMemoryUnavailable | 1.3.6.1.4.1.2636.4.8.0.6 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollMemoryAvailable | 1.3.6.1.4.1.2636.4.8.0.7 | – | – | Devices that run Junos OS and have collector PICs installed. |
| | jnxCollFtpSwitchover | 1.3.6.1.4.1.2636.4.8.0.8 | – | – | Devices that run Junos OS and have collector PICs installed. |

jnxPMonOverloadSet
1.3.6.1.4.1.2636.4.7.0.1
–
–
Devices that run Junos OS
and have PICs that
support passive
monitoring installed.
jnxPMonOverloadCleared
1.3.6.1.4.1.2636.4.7.0.2
–
–
Devices that run Junos OS
and have PICs that
support passive
monitoring installed.
PMON MIB
(jnx-pmon.mib)
Copyright © 2018, Juniper Networks, Inc.
System Log Tag
Supported On
165
Network Management and Monitoring Guide
Table 13: Juniper Networks Enterprise-Specific Supported SNMP Version 2 Traps (continued)
System
Logging
Severity
Level
System Log Tag
Supported On
Source MIB
Trap Name
snmpTrapOID
SONET APS
MIB (jnx-
apsEventChannelMismatch
1.3.6.1.4.1.2636.3.
24.2.0.3
–
–
Devices that run Junos OS
and have SONET PICs
installed.
apsEventPSBF
1.3.6.1.4.1.2636.3.
24.2.0.4
–
–
Devices that run Junos OS
and have SONET PICs
installed.
apsEventFEPLF
1.3.6.1.4.1.2636.3.
24.2.0.5
–
–
Devices that run Junos OS
and have SONET PICs
installed.
jnxPingRttThreshold Exceeded
1.3.6.1.4.1.2636.4.9.0.1
–
–
All devices running Junos
OS.
jnxPingRttStdDevThreshold
Exceeded
1.3.6.1.4.1.2636.4.9.0.2
–
–
All devices running Junos
OS.
jnxPingRttJitterThreshold
Exceeded
1.3.6.1.4.1.2636.4.9.0.3
–
–
All devices running Junos
OS.
jnxPingEgressThreshold
Exceeded
1.3.6.1.4.1.2636.4.9.0.4
–
–
All devices running Junos
OS.
jnxPingEgressStdDevThreshold
Exceeded
1.3.6.1.4.1.2636.4.9.0.5
–
–
All devices running Junos
OS.
jnxPingEgressJitterThreshold
Exceeded
1.3.6.1.4.1.2636.4.9.0.6
–
–
All devices running Junos
OS.
jnxPingIngressThreshold
Exceeded
1.3.6.1.4.1.2636.4.9.0.7
–
–
All devices running Junos
OS.
jnxPingIngressStddevThreshold
Exceeded
1.3.6.1.4.1.2636.4.9.0.8
–
–
All devices running Junos
OS.
jnxPingIngressJitterThreshold
Exceeded
1.3.6.1.4.1.2636.4.9.0.9
–
–
All devices running Junos
OS.
bfdSessUp
1.3.6.1.4.1.2636.
5.3.1.0.1
–
–
All devices running Junos
OS.
bfdSessDown
1.3.6.1.4.1.2636.5.3.1.0.2
–
–
All devices running Junos
OS.
sonetaps.mib)
Remote Operations Notifications
PING MIB
(jnx-ping.mib)
Routing Notifications
BFD
Experimental
MIB (jnx-bfdexp.mib)
166
Copyright © 2018, Juniper Networks, Inc.
Chapter 8: SNMP MIBs and Traps Supported by Junos OS
Table 13: Juniper Networks Enterprise-Specific Supported SNMP Version 2 Traps (continued)
Source MIB
Trap Name
snmpTrapOID
System
Logging
Severity
Level
BGP4 V2 MIB
(jnx-bgpmib2.
mib)
jnxBgpM2Established
1.3.6.1.4.1.2636.5.1.1.1.0.1
–
–
All devices running Junos
OS.
jnxBgpM2BackwardTransition
1.3.6.1.4.1.2636.5.1.1.1.0.2
–
–
All devices running Junos
OS.
jnxJdhcpLocalServer
DuplicateClient
1.3.6.1.4.1.2636.3.61.61.1.3.1
–
–
All devices running Junos
OS.
jnxJdhcpLocalServer
InterfaceLimitExceeded
1.3.6.1.4.1.2636.3.61.61.1.3.2
–
–
All devices running Junos
OS.
jnxJdhcpLocalServer
InterfaceLimitAbated
1.3.6.1.4.1.2636.3.61.61.1.3.3
–
–
All devices running Junos
OS.
jnxJdhcpLocalServer Health
1.3.6.1.4.1.2636.3.61.61.1.3.4
–
–
All devices running Junos
OS.
jnxJdhcpRelayInterface
LimitExceeded
1.3.6.1.4.1.2636.3.61.61.2.3.1
–
–
All devices running Junos
OS.
jnxJdhcpRelayInterface
LimitAbated
1.3.6.1.4.1.2636.3.61.61.2.3.2
–
–
All devices running Junos
OS.
jnxJdhcpv6LocalServer
InterfaceLimitExceeded
1.3.6.1.4.1.2636.3.62.62.2.3.1
–
–
All devices running Junos
OS.
jnxJdhcpv6LocalServer
InterfaceLimitAbated
1.3.6.1.4.1.2636.3.62.62.2.3.2
–
–
All devices running Junos
OS.
jnxJdhcpv6LocalServer Health
1.3.6.1.4.1.2636.3.62.62.2.3.3
–
–
All devices running Junos
OS.
jnxLdpLspUp
1.3.6.1.4.1.2636.4.4.0.1
–
–
M, T, and MX Series
routers.
jnxLdpLspDown
1.3.6.1.4.1.2636.4.4.0.2
–
–
M, T, and MX Series
routers.
jnxLdpSesUp
1.3.6.1.4.1.2636.4.4.0.3
–
–
M, T, and MX Series
routers.
jnxLdpSesDown
1.3.6.1.4.1.2636.4.4.0.4
–
–
M, T, and MX Series
routers.
DHCP MIB
(jnx-dhcp.mib)
DHCPv6MIB
(jnx-dhcpv6.
mib)
LDP MIB
(jnx-ldp.mib)
Copyright © 2018, Juniper Networks, Inc.
System Log Tag
Supported On
167
Network Management and Monitoring Guide
Table 13: Juniper Networks Enterprise-Specific Supported SNMP Version 2 Traps (continued)
Source MIB
Trap Name
snmpTrapOID
System
Logging
Severity
Level
MPLS MIB
(jnx-mpls.mib)
mplsLspUp (Deprecated)
1.3.6.1.4.1.2636.3.2.4.1
–
–
mplsLspInfoUp
1.3.6.1.4.1.2636.3.2.0.1
–
–
mplsLspDown (Deprecated)
1.3.6.1.4.1.2636.3.2.4.2
–
–
mplsLspInfoDown
1.3.6.1.4.1.2636.3.2.0.2
–
–
mplsLspChange (Deprecated)
1.3.6.1.4.1.2636.3.2.4.3
–
–
mplsLspInfoChange
1.3.6.1.4.1.2636.3.2.0.3
–
–
mplsLspPathDown
1.3.6.1.4.1.2636.3.2.4.4
–
–
mplsLspInfoPathDown
1.3.6.1.4.1.2636.3.2.0.4
–
–
mplsLspInfoPathUp
1.3.6.1.4.1.2636.3.2.0.5
–
–
M, T, and MX Series
routers.
VPN MIB
(jnx-vpn.mib)
jnxVpnIfUp
1.3.6.1.4.1.2636.3.
26.0.1
–
–
M, T, and MX Series
routers.
jnxVpnIfDown
1.3.6.1.4.1.2636.3.
26.0.2
–
–
M, T, and MX Series
routers.
jnxVpnPwUp
1.3.6.1.4.1.2636.3.
26.0.3
–
–
M, T, and MX Series
routers.
jnxVpnPwDown
1.3.6.1.4.1.2636.3.26.0.4
–
–
M, T, and MX Series
routers.
System Log Tag
Supported On
M, T, and MX Series
routers.
M, T, and MX Series
routers.
M, T, and MX Series
routers.
(Deprecated)
168
M, T, and MX Series
routers.
Copyright © 2018, Juniper Networks, Inc.
Chapter 8: SNMP MIBs and Traps Supported by Junos OS
Table 13: Juniper Networks Enterprise-Specific Supported SNMP Version 2 Traps (continued)
Source MIB
Trap Name
snmpTrapOID
System
Logging
Severity
Level
AAA MIB
(jnx-useraaa.mib)
jnxAccessAuthAddress
PoolHighThreshold
1.3.6.1.4.1.2636.3.51.1.0.5
–
–
SRX Series devices.
jnxAccessAuthAddress
PoolAbateThreshold
1.3.6.1.4.1.2636.3.51.1.0.6
–
–
SRX Series devices.
jnxAccessAuthAddress
PoolOutOfAddresses
1.3.6.1.4.1.2636.3.51.1.0.7
–
–
SRX Series devices.
jnxAccessAuthAddress
PoolOutOfMemory
1.3.6.1.4.1.2636.3.51.1.0.8
–
–
SRX Series devices.
jnxAccessAuthService Up
1.3.6.1.4.1.2636.3.51.
1.0.1
–
–
SRX Series devices.
jnxAccessAuthService Down
1.3.6.1.4.1.2636.3.51.
1.0.2
–
–
SRX Series devices.
jnxAccessAuthServer Disabled
1.3.6.1.4.1.2636.3.51.
1.0.3
–
–
SRX Series devices.
jnxAccessAuthServer Enabled
1.3.6.1.4.1.2636.3.51.
1.0.4
–
–
SRX Series devices.
jnxJsFwAuthFailure
1.3.6.1.4.1.2636.3.39.1.2.
1.0.1
–
–
SRX Series devices.
jnxJsFwAuthServiceUp
1.3.6.1.4.1.2636.3.39.1.2.
1.0.2
–
–
SRX Series devices.
jnxJsFwAuthServiceDown
1.3.6.1.4.1.2636.3.39.1.2.
1.0.3
–
–
SRX Series devices.
jnxJsFwAuthCapacityExceeded
1.3.6.1.4.1.2636.3.39.1.2.
1.0.4
–
–
SRX Series devices.
jnxJsNatAddrPool
ThresholdStatus
1.3.6.1.4.1.2636.3.39.1.7.
1.0.1
–
–
SRX Series devices.
jnxNatAddrPoolUtil
1.3.6.1.4.1.2636.3.59.1.2.1
–
–
M Series and MX Series
routers
jnxNatTrapSrcPoolName
1.3.6.1.4.1.2636.3.59.1.2.2
–
–
M Series and MX Series
routers
jnxNatAddrPoolThresholdStatus
1.3.6.1.4.1.2636.3.59.1.0.1
–
–
M Series and MX Series
routers
Access
Authentication
Methods MIB
(jnx-js-auth.
mib)
Network
Address
Translation
Resources–Monitoring
MIB
(jnxNatMIB)
Copyright © 2018, Juniper Networks, Inc.
System Log Tag
Supported On
169
Network Management and Monitoring Guide
Table 13: Juniper Networks Enterprise-Specific Supported SNMP Version 2 Traps (continued)
Source MIB
Trap Name
snmpTrapOID
Network
Address
Translation
MIB
(jnx-js-nat.mib)
jnxJsScreen Attack
1.3.6.1.4.1.2636.3.39.1.8.
1.0.1
Security
Screening
Objects MIB
(jnx-js-
jnxJsScreenCfg Change
System
Logging
Severity
Level
System Log Tag
Supported On
Warning
RT_SCREEN_ICMP,
RT_SCREEN_IP,
RT_SCREEN_
SESSION_LIMIT,
RT_SCREEN_TCP,
RT_SCREEN_UDP
SRX Series devices.
1.3.6.1.4.1.2636.3.39.1.8.
1.0.2
–
–
SRX Series devices.
jnxRmonGetOk
1.3.6.1.4.1.2636.4.
3.0.2
–
–
All devices running Junos
OS.
jnxSonetAlarm Cleared
1.3.6.1.4.1.2636.4.
6.0.2
–
–
Devices that run Junos OS
and have SONET PICs
installed.
screening.mib)
RMON Alarms
RMON MIB
(jnx-rmon.mib)
SONET Alarms
SONET MIB
(jnx-sonet.mib)
Related Documentation
• Standard SNMP Traps Supported by Junos OS on page 148
• Standard SNMP MIBs Supported by Junos OS on page 128
• Enterprise-Specific SNMP MIBs Supported by Junos OS on page 117
• Configuring SNMP Trap Options and Groups on a Device Running Junos OS on page 201
• Managing Traps and Informs
CHAPTER 9
Configuring Basic SNMP
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
• Configuring SNMP on page 176
• Optimizing the Network Management System Configuration for the Best Results on page 179
• Configuring Options on Managed Devices for Better SNMP Response Time on page 181
• Configuring SNMP on Devices Running Junos OS on page 183
• Configuring the System Contact on a Device Running Junos OS on page 186
• Configuring the System Location for a Device Running Junos OS on page 187
• Configuring the System Description on a Device Running Junos OS on page 188
• Configuring SNMP Details on page 188
• Configuring a Different System Name on page 190
• Configuring the Commit Delay Timer on page 190
• Filtering Duplicate SNMP Requests on page 191
• Configuring SNMP Communities on page 192
• Configuring the SNMP Community String on page 195
• Examples: Configuring the SNMP Community String on page 196
• Adding a Group of Clients to an SNMP Community on page 196
• Configuring a Proxy SNMP Agent on page 198
• Configuring SNMP Traps on page 199
• Configuring SNMP Trap Options and Groups on a Device Running Junos OS on page 201
• Configuring SNMP Trap Options on page 202
• Configuring SNMP Trap Groups on page 206
• SNMP Traps Support on page 208
• Example: Configuring SNMP Trap Groups on page 221
• Configuring the Interfaces on Which SNMP Requests Can Be Accepted on page 221
• Example: Configuring Secured Access List Checking on page 222
• Filtering Interface Information Out of SNMP Get and GetNext Output on page 222
• Configuring MIB Views on page 223
• Configuring Ping Proxy MIB on page 225
• Understanding the Integrated Local Management Interface on page 225
• Utility MIB on page 226
• SNMP MIBs Support on page 226
• MIB Objects for the QFX Series on page 239
• Fabric Chassis MIB on page 242
• Monitoring RMON MIB Tables on page 246
• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage on page 247
• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage on page 249
• Example: Configuring SNMP on page 251
• Configuring Health Monitoring on page 254
• Configuring Health Monitoring on Devices Running Junos OS on page 255
• Configuring RMON Alarms and Events on page 258
Configuration Statements at the [edit snmp] Hierarchy Level
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
This topic shows all possible configuration statements at the [edit snmp] hierarchy level
and their level in the configuration hierarchy. When you are configuring Junos OS, your
current hierarchy level is shown in the banner on the line preceding the user@host#
prompt.
[edit]
snmp {
    alarm-management {
        alarm-list-name list-name {
            alarm-id id {
                alarm-state state {
                    description alarm-description;
                    notification-id notification-id-of-alarm;
                    resource-prefix alarm-resource-prefix;
                    varbind-index varbind-index-in-alarm-varbind-list;
                    varbind-subtree alarm-varbind-subtree;
                    varbind-value alarm-varbind-value;
                }
            }
        }
    }
    client-list client-list-name {
        ip-addresses;
    }
    community community-name {
        authorization authorization;
        client-list-name client-list-name;
        clients {
            address <restrict>;
        }
        logical-system logical-system-name {
            routing-instance routing-instance-name;
            clients {
                address <restrict>;
            }
        }
        routing-instance routing-instance-name {
            clients {
                address <restrict>;
            }
        }
        view view-name;
    }
    contact contact;
    description description;
    engine-id {
        (local engine-id | use-default-ip-address | use-mac-address);
    }
    filter-duplicates;
    interface [ interface-names ];
    location location;
    name name;
    nonvolatile {
        commit-delay seconds;
    }
    rmon {
        alarm index {
            description description;
            falling-event-index index;
            falling-threshold integer;
            falling-threshold-interval seconds;
            interval seconds;
            request-type (get-next-request | get-request | walk-request);
            rising-event-index index;
            rising-threshold integer;
            sample-type type;
            startup-alarm alarm;
            syslog-subtag syslog-subtag;
            variable oid-variable;
        }
        event index {
            community community-name;
            description description;
            type type;
        }
    }
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regular-expression>;
        flag flag;
        memory-trace;
        no-remote-trace;
        no-default-memory-trace;
    }
    trap-group group-name {
        categories {
            category;
        }
        destination-port port-number;
        routing-instance instance;
        logical-system logical-system-name;
        targets {
            address;
        }
        version (all | v1 | v2);
    }
    trap-options {
        agent-address outgoing-interface;
        source-address address;
        enterprise-oid;
        logical-system logical-system-name {
            routing-instance routing-instance-name {
                source-address address;
            }
        }
        routing-instance routing-instance-name {
            source-address address;
        }
    }
    v3 {
        notify name {
            tag tag-name;
            type (trap | inform);
        }
        notify-filter profile-name {
            oid oid (include | exclude);
        }
        snmp-community community-index {
            community-name community-name;
            security-name security-name;
            tag tag-name;
        }
        target-address target-address-name {
            address address;
            address-mask address-mask;
            logical-system logical-system;
            port port-number;
            retry-count number;
            routing-instance instance;
            tag-list tag-list;
            target-parameters target-parameters-name;
            timeout seconds;
        }
        target-parameters target-parameters-name {
            notify-filter profile-name;
            parameters {
                message-processing-model (v1 | v2c | v3);
                security-level (authentication | none | privacy);
                security-model (usm | v1 | v2c);
                security-name security-name;
            }
        }
        usm {
            local-engine {
                user username {
                    authentication-md5 {
                        authentication-password authentication-password;
                    }
                    authentication-none;
                    authentication-sha {
                        authentication-password authentication-password;
                    }
                    privacy-3des {
                        privacy-password privacy-password;
                    }
                    privacy-aes128 {
                        privacy-password privacy-password;
                    }
                    privacy-des {
                        privacy-password privacy-password;
                    }
                    privacy-none;
                }
            }
        }
        vacm {
            access {
                group group-name {
                    (default-context-prefix | context-prefix context-prefix) {
                        security-model (any | usm | v1 | v2c) {
                            security-level (authentication | none | privacy) {
                                notify-view view-name;
                                read-view view-name;
                                write-view view-name;
                            }
                        }
                    }
                }
            }
            security-to-group {
                security-model (usm | v1 | v2c) {
                    security-name security-name {
                        group group-name;
                    }
                }
            }
        }
    }
    view view-name {
        oid object-identifier (include | exclude);
    }
}
Related Documentation
• Understanding the SNMP Implementation in Junos OS
• Configuring SNMP on a Device Running Junos OS
Configuring SNMP
Supported Platforms
EX4600, OCX1100, QFabric System, QFX Series
SNMP is implemented in the Junos OS Software running on the QFX Series and OCX
Series products. By default, SNMP is not enabled. To enable SNMP, you must include
the SNMP configuration statements at the [edit] hierarchy level.
To configure the minimum requirements for SNMP, include the following statements at
the [edit] hierarchy level of the configuration:
[edit]
snmp {
    community public;
}
To configure complete SNMP features, include the following statements at the [edit]
hierarchy level of the configuration:
snmp {
    client-list client-list-name {
        ip-addresses;
    }
    community community-name {
        authorization authorization;
        client-list-name client-list-name;
        clients {
            address restrict;
        }
        logical-system logical-system-name {
            routing-instance routing-instance-name {
                clients {
                    addresses;
                }
            }
        }
        routing-instance routing-instance-name {
            clients {
                addresses;
            }
        }
        view view-name;
    }
    contact contact;
    description description;
    filter-duplicates;
    filter-interfaces;
    health-monitor {
        falling-threshold integer;
        interval seconds;
        rising-threshold integer;
    }
    interface [ interface-names ];
    location location;
    name name;
    nonvolatile {
        commit-delay seconds;
    }
    rmon {
        alarm index {
            description description;
            falling-event-index index;
            falling-threshold integer;
            falling-threshold-interval seconds;
            interval seconds;
            request-type;
            rising-event-index index;
            rising-threshold integer;
            sample-type (absolute-value | delta-value);
            startup-alarm (falling-alarm | rising-alarm | rising-or-falling-alarm);
            syslog-subtag syslog-subtag;
            variable oid-variable;
        }
        event index {
            community community-name;
            description description;
            type type;
        }
        history history-index {
            bucket-size number;
            interface interface-name;
            interval seconds;
            owner owner-name;
        }
    }
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regular-expression>;
        flag flag;
    }
    trap-group group-name {
        categories {
            category;
        }
        destination-port port-number;
        routing-instance routing-instance-name;
        targets {
            address;
        }
        version (all | v1 | v2);
    }
    trap-options {
        agent-address outgoing-interface;
        source-address address;
    }
    v3 {
        notify name {
            tag tag-name;
            type trap;
        }
        notify-filter profile-name {
            oid object-identifier (include | exclude);
        }
        snmp-community community-index {
            community-name community-name;
            security-name security-name;
            tag tag-name;
        }
        target-address target-address-name {
            address address;
            address-mask address-mask;
            logical-system logical-system;
            port port-number;
            retry-count number;
            routing-instance routing-instance-name;
            tag-list tag-list;
            target-parameters target-parameters-name;
            timeout seconds;
        }
        target-parameters target-parameters-name {
            notify-filter profile-name;
            parameters {
                message-processing-model (v1 | v2c | v3);
                security-level (authentication | none | privacy);
                security-model (usm | v1 | v2c);
                security-name security-name;
            }
        }
        usm {
            local-engine {
                user username {
                    authentication-sha {
                        authentication-password authentication-password;
                    }
                    authentication-md5 {
                        authentication-password authentication-password;
                    }
                    authentication-none;
                    privacy-aes128 {
                        privacy-password privacy-password;
                    }
                    privacy-des {
                        privacy-password privacy-password;
                    }
                    privacy-3des {
                        privacy-password privacy-password;
                    }
                    privacy-none;
                }
            }
            remote-engine engine-id {
                user username {
                    authentication-sha {
                        authentication-password authentication-password;
                    }
                    authentication-md5 {
                        authentication-password authentication-password;
                    }
                    authentication-none;
                    privacy-aes128 {
                        privacy-password privacy-password;
                    }
                    privacy-des {
                        privacy-password privacy-password;
                    }
                    privacy-3des {
                        privacy-password privacy-password;
                    }
                    privacy-none;
                }
            }
        }
        vacm {
            access {
                group group-name {
                    (default-context-prefix | context-prefix context-prefix) {
                        security-model (any | usm | v1 | v2c) {
                            security-level (authentication | none | privacy) {
                                notify-view view-name;
                                read-view view-name;
                                write-view view-name;
                            }
                        }
                    }
                }
            }
            security-to-group {
                security-model (usm | v1 | v2c) {
                    security-name security-name {
                        group group-name;
                    }
                }
            }
        }
    }
    view view-name {
        oid object-identifier (include | exclude);
    }
}
Related Documentation
• Understanding the Implementation of SNMP on page 81
• snmp on page 1552
Optimizing the Network Management System Configuration for the Best Results
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX
You can modify your network management system configuration to optimize the response
time for SNMP queries. The following sections contain a few tips on how you can configure
the network management system:
• Changing the Polling Method from Column-by-Column to Row-by-Row on page 180
• Reducing the Number of Variable Bindings per PDU on page 180
• Increasing Timeout Values in Polling and Discovery Intervals on page 180
• Reducing Incoming Packet Rate at the snmpd on page 180
Changing the Polling Method from Column-by-Column to Row-by-Row
You can configure the network management system to use the row-by-row method for
SNMP data polling. It has been proven that the row-by-row and multiple
row-by-multiple-row polling methods are more efficient than column-by-column polling.
By configuring the network management system to use the row-by-row data polling
method, you can ensure that data for only one interface is polled in a request instead of
a single request polling data for multiple interfaces, as is the case with column-by-column
polling. Row-by-row polling also reduces the risk of requests timing out.
Reducing the Number of Variable Bindings per PDU
By reducing the number of variable bindings per protocol data unit (PDU), you can improve
the response time for SNMP requests. A request that polls for data related to multiple
objects, which are mapped to different index entries, translates into multiple requests
at the device-end because the subagent might have to poll different modules to obtain
data that are linked to different index entries. The recommended method is to ensure
that a request has only objects that are linked to one index entry instead of multiple
objects linked to different index entries.
NOTE: If responses from a device are slow, avoid using the GetBulk option
for the device, because a GetBulk request might contain objects that are
linked to various index entries and might further increase the response time.
Increasing Timeout Values in Polling and Discovery Intervals
By increasing the timeout values for polling and discovery intervals, you can increase the
queuing time at the device end and reduce the number of throttle drops that occur
because of the request timing out.
Reducing Incoming Packet Rate at the snmpd
By reducing the frequency of sending SNMP requests to a device, you can reduce the risk
of SNMP requests piling up at any particular device. Apart from reducing the frequency
of sending SNMP requests to a device, you can also increase the polling interval, control
the use of GetNext requests, and reduce the number of polling stations per device.
Related Documentation
• Understanding SNMP Implementation in Junos OS on page 77
• Configuring SNMP on Devices Running Junos OS on page 183
• Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on a Device Running Junos OS on page 343
• Configuring Options on Managed Devices for Better SNMP Response Time on page 181
• Managing Traps and Informs
• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage on page 247
Configuring Options on Managed Devices for Better SNMP Response Time
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX
The following sections contain information about configuration options on the managed
devices that can enhance SNMP performance:
• Enabling the stats-cache-lifetime Option on page 181
• Filtering Out Duplicate SNMP Requests on page 181
• Excluding Interfaces That Are Slow in Responding to SNMP Queries on page 182
Enabling the stats-cache-lifetime Option
The Junos OS provides you with an option to configure the length of time an SNMP request
stays active and queued so as to reduce the possibility of request drops during slow
response times. You can use the stats-cache-lifetime seconds option at the [edit snmp]
hierarchy level to specify the length of time that an SNMP request remains queued. The
recommended value for the stats-cache-lifetime option is in the range of 30 to 60 seconds.
NOTE: The set snmp stats-cache-lifetime seconds command is a hidden
command and is supported only on devices running Junos OS Release 9.3
and later.
Filtering Out Duplicate SNMP Requests
If a network management station retransmits a Get, GetNext, or GetBulk SNMP request
too frequently to a device, that request might interfere with the processing of previous
requests and slow down the response time of the agent. Filtering these duplicate requests
improves the response time of the SNMP agent. The Junos OS enables you to filter out
duplicate Get, GetNext, and GetBulk SNMP requests. The Junos OS uses the following
information to determine if an SNMP request is a duplicate:
• Source IP address of the SNMP request
• Source UDP port of the SNMP request
• Request ID of the SNMP request
NOTE: By default, filtering of duplicate SNMP requests is disabled on devices
running the Junos OS.
To enable filtering of duplicate SNMP requests on devices running the Junos OS, include
the filter-duplicates statement at the [edit snmp] hierarchy level:
[edit snmp]
filter-duplicates;
Excluding Interfaces That Are Slow in Responding to SNMP Queries
An interface that is slow in responding to SNMP requests for interface statistics can delay
kernel responses to SNMP requests. You can review the mib2d log file to find out how
long the kernel takes to respond to various SNMP requests. For more information about
reviewing the log file for kernel response data, see “Checking Kernel and Packet Forwarding
Engine Response” under “Monitoring SNMP Activity and Tracking Problems That Affect
SNMP Performance on a Device Running Junos OS” on page 343. If you notice that a
particular interface is slow in responding, and think that it is slowing down the kernel
from responding to SNMP requests, exclude that interface from the SNMP queries to the
device. You can exclude an interface from the SNMP queries either by configuring the
filter-interfaces statement or by modifying the SNMP view settings.
The following example shows a sample configuration for excluding interfaces from the
SNMP Get, GetNext, and Set operations:
[edit]
snmp {
    filter-interfaces {
        interfaces { # exclude the specified interfaces
            interface1;
            interface2;
        }
        all-internal-interfaces; # exclude all internal interfaces
    }
}
The following example shows the SNMP view configuration for excluding the interface
with an interface index (ifIndex) value of 312 from a request for information related to
the ifTable and ifXTable objects:
[edit snmp]
view test {
    oid .1 include;
    oid ifTable.1.*.312 exclude;
    oid ifXTable.1.*.312 exclude;
}
Alternatively, you can take the interface that is slow in responding offline.
Related Documentation
• Understanding SNMP Implementation in Junos OS on page 77
• Configuring SNMP on Devices Running Junos OS on page 183
• Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on a Device Running Junos OS on page 343
• Optimizing the Network Management System Configuration for the Best Results on page 179
• Managing Traps and Informs
• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage on page 247
Configuring SNMP on Devices Running Junos OS
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX
The following sections contain information about basic SNMP configuration and a few
examples of configuring the basic SNMP operations on devices running Junos OS:
• Configuring Basic Settings for SNMPv1 and SNMPv2 on page 183
• Configuring Basic Settings for SNMPv3 on page 184
• Configuring System Name, Location, Description, and Contact Information on page 186
Configuring Basic Settings for SNMPv1 and SNMPv2
By default, SNMP is not enabled on devices running Junos OS. To enable SNMP on devices
running Junos OS, include the community public statement at the [edit snmp] hierarchy
level.
Enabling SNMPv1 and SNMPv2 Get and GetNext Operations
[edit]
snmp {
    community public;
}
A community that is defined as public grants access to all MIB data to any client.
To enable SNMPv1 and SNMPv2 Set operations on the device, you must include the
following statements at the [edit snmp] hierarchy level:
Enabling SNMPv1 and SNMPv2 Set Operations
[edit snmp]
view all {
    oid .1;
}
community private {
    view all;
    authorization read-write;
}
The following example shows the basic minimum configuration for SNMPv1 and SNMPv2
traps on a device:
Configuring SNMPv1 and SNMPv2 Traps
[edit snmp]
trap-group jnpr {
    targets {
        192.168.69.179;
    }
}
Configuring Basic Settings for SNMPv3
The following example shows the minimum SNMPv3 configuration for enabling Get,
GetNext, and Set operations on a device (note that the configuration has authentication
set to md5 and privacy to none):
Enabling SNMPv3 Get, GetNext, and Set Operations
[edit snmp]
v3 {
    usm {
        local-engine {
            user jnpruser {
                authentication-md5 {
                    authentication-key "$9$guaDiQFnAuOQzevMWx7ikqP"; ## SECRET-DATA
                }
                privacy-none;
            }
        }
    }
    vacm {
        security-to-group {
            security-model usm {
                security-name jnpruser {
                    group grpnm;
                }
            }
        }
        access {
            group grpnm {
                default-context-prefix {
                    security-model any {
                        security-level authentication {
                            read-view all;
                            write-view all;
                        }
                    }
                }
            }
        }
    }
}
view all {
    oid .1;
}
The following example shows the basic configuration for SNMPv3 informs on a device
(the configuration has authentication and privacy set to none):
Configuring SNMPv3 Informs
[edit snmp]
v3 {
    usm {
        remote-engine 00000063200133a2c0a845c3 {
            user RU2_v3_sha_none {
                authentication-none;
                privacy-none;
            }
        }
    }
    vacm {
        security-to-group {
            security-model usm {
                security-name RU2_v3_sha_none {
                    group g1_usm_auth;
                }
            }
        }
        access {
            group g1_usm_auth {
                default-context-prefix {
                    security-model usm {
                        security-level authentication {
                            read-view all;
                            write-view all;
                            notify-view all;
                        }
                    }
                }
            }
        }
    }
    target-address TA2_v3_sha_none {
        address 192.168.69.179;
        tag-list tl1;
        address-mask 255.255.252.0;
        target-parameters TP2_v3_sha_none;
    }
    target-parameters TP2_v3_sha_none {
        parameters {
            message-processing-model v3;
            security-model usm;
            security-level none;
            security-name RU2_v3_sha_none;
        }
        notify-filter nf1;
    }
    notify N1_all_tl1_informs {
        type inform; # Replace inform with trap to convert informs to traps.
        tag tl1;
    }
    notify-filter nf1 {
        oid .1 include;
    }
}
view all {
    oid .1 include;
}
You can convert the SNMPv3 informs to traps by setting the value of the type statement
at the [edit snmp v3 notify N1_all_tl1_informs] hierarchy level to trap as shown in the
following example:
Converting Informs to Traps
user@host# set snmp v3 notify N1_all_tl1_informs type trap
Configuring System Name, Location, Description, and Contact Information
Junos OS enables you to include the name and location of the system, administrative
contact information, and a brief description of the system in the SNMP configuration.
NOTE: Always keep the name, location, contact, and description information
configured and updated for all your devices that are managed by SNMP.
The following example shows a typical configuration.
TIP: Use quotation marks to enclose the system name, contact, location,
and description information that contain spaces.
[edit]
snmp {
    name "snmp 001"; # Overrides the system name.
    contact "Juniper Berry, (650) 555 1234"; # Specifies the name and phone number of
                                             # the administrator.
    location "row 11, rack C"; # Specifies the location of the device.
    description "M40 router with 8 FPCs"; # Configures a description for the device.
}
Related Documentation
• Understanding SNMP Implementation in Junos OS on page 77
• Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on a Device Running Junos OS on page 343
• Optimizing the Network Management System Configuration for the Best Results on page 179
• Configuring Options on Managed Devices for Better SNMP Response Time on page 181
• Managing Traps and Informs
• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage on page 247
Configuring the System Contact on a Device Running Junos OS
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
You can specify an administrative contact for each system being managed by SNMP.
This name is placed into the MIB II sysContact object. To configure a contact name,
include the contact statement at the [edit snmp] hierarchy level:
[edit snmp]
contact contact;
If the name contains spaces, enclose it in quotation marks (" ").
To define a system contact name that contains spaces:
[edit]
snmp {
contact "Juniper Berry, (650) 555-1234";
}
Related Documentation
• Configuring SNMP on a Device Running Junos OS
• Configuring the System Location for a Device Running Junos OS on page 187
• Configuring the System Description on a Device Running Junos OS on page 188
• Configuring a Different System Name on page 190
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
Configuring the System Location for a Device Running Junos OS
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
You can specify the location of each system being managed by SNMP. This string is
placed into the MIB II sysLocation object. To configure a system location, include the
location statement at the [edit snmp] hierarchy level:
[edit snmp]
location location;
If the location contains spaces, enclose it in quotation marks (" ").
To specify the system location:
[edit]
snmp {
location "Row 11, Rack C";
}
Related Documentation
• Configuring SNMP on a Device Running Junos OS
• Configuring the System Contact on a Device Running Junos OS on page 186
• Configuring the System Description on a Device Running Junos OS on page 188
• Configuring a Different System Name on page 190
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
Configuring the System Description on a Device Running Junos OS
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
You can specify a description for each system being managed by SNMP. This string is
placed into the MIB II sysDescription object. To configure a description, include the
description statement at the [edit snmp] hierarchy level:
[edit snmp]
description description;
If the description contains spaces, enclose it in quotation marks (" ").
To specify the system description:
[edit]
snmp {
description "M40 router with 8 FPCs";
}
Related Documentation
• Configuring SNMP on a Device Running Junos OS
• Configuring the System Contact on a Device Running Junos OS on page 186
• Configuring the System Location for a Device Running Junos OS on page 187
• Configuring a Different System Name on page 190
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
Configuring SNMP Details
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
You can use SNMP to store basic administrative details, such as a contact name and the
location of the device. Your management system can then retrieve this information
remotely, when you are troubleshooting an issue or performing an audit. In SNMP
terminology, these are the sysContact, sysDescription, and sysLocation objects found
within the system group of MIB-2 (as defined in RFC 1213, Management Information Base
for Network Management of TCP/IP-based internets: MIB-II). You can set initial values
directly in the Junos OS configuration for each system being managed by SNMP.
To set the system contact details:
1. Set the system contact details by including the contact statement at the [edit snmp]
hierarchy level, or in an appropriate configuration group as shown here.
This administrative contact is placed into the MIB II sysContact object.
If the name contains spaces, enclose it in quotation marks (" ").
[edit groups global snmp]
user@host# set contact contact
For example:
[edit groups global snmp]
user@host# set contact "Enterprise Support, (650) 555-1234"
2. Configure a system description.
This string is placed into the MIB II sysDescription object. If the description contains
spaces, enclose it in quotation marks (" ").
[edit groups global snmp]
user@host# set description description
For example:
[edit groups global snmp]
user@host# set description "M10i router with 8 FPCs"
3. Configure a system location.
This string is placed into the MIB II sysLocation object. If the location contains spaces,
enclose it in quotation marks (" ").
To specify the system location:
[edit]
snmp {
location "Row 11, Rack C";
}
[edit groups global snmp]
user@host# set location location
For example:
[edit groups global snmp]
user@host# set location "London Corporate Office, Lab 5, Row 11, Rack C"
4. At the top level of the configuration, apply the configuration group.
If you use a configuration group, you must apply it for it to take effect.
[edit]
user@host# set apply-groups global
5. Commit the configuration.
user@host# commit
6. To verify the configuration, enter the show snmp mib walk system operational-mode
command.
The show snmp mib walk system command performs a MIB walk through of the system
table (from MIB-2 as defined in RFC 1213). The SNMP agent in Junos OS responds by
printing each row in the table and its associated value. You can use the same command
to perform a MIB walk through any part of the MIB tree supported by the agent.
user@host> show snmp mib walk system
sysDescr.0    = M10i router with 8 FPCs
sysObjectID.0 = jnxProductNameM10i
sysUpTime.0   = 173676474
sysContact.0  = Enterprise Support, (650) 555-1234
sysName.0     = host
sysLocation.0 = London Corporate Office, Lab 5, Row 11, Rack C
sysServices.0 = 4
Related Documentation
• Configuring SNMP Communities on page 192
• Configuring SNMP Traps on page 199
• Configuring SNMP on a Device Running Junos OS
Configuring a Different System Name
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
Junos OS enables you to override the system name by including the name statement at
the [edit snmp] hierarchy level:
[edit snmp]
name name;
If the name contains spaces, enclose it in quotation marks (" ").
To specify the system name override:
[edit]
snmp {
name "snmp 1";
}
Related Documentation
• Configuring SNMP on a Device Running Junos OS
• Configuring the System Contact on a Device Running Junos OS on page 186
• Configuring the System Location for a Device Running Junos OS on page 187
• Configuring the System Description on a Device Running Junos OS on page 188
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
Configuring the Commit Delay Timer
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
When a router or switch first receives an SNMP nonvolatile Set request, a Junos OS XML
protocol session opens and prevents other users or applications from changing the
candidate configuration (equivalent to the command-line interface [CLI]
configure exclusive command). If the router does not receive new SNMP Set requests
within 5 seconds (the default value), the candidate configuration is committed and the
Junos OS XML protocol session closes (the configuration lock is released). If the router
receives new SNMP Set requests while the candidate configuration is being committed,
the SNMP Set request is rejected and an error is generated. If the router receives new
SNMP Set requests before 5 seconds have elapsed, the commit-delay timer (the length
of time between when the last SNMP request is received and the commit is requested)
resets to 5 seconds.
By default, the timer is set to 5 seconds. To configure the timer for the SNMP Set reply
and start of the commit, include the commit-delay statement at the
[edit snmp nonvolatile] hierarchy level:
[edit snmp nonvolatile]
commit-delay seconds;
seconds is the length of the time between when the SNMP request is received and the
commit is requested for the candidate configuration. For more information about the
configure exclusive command and locking the configuration, see the CLI User Guide.
Related Documentation
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
Filtering Duplicate SNMP Requests
Supported Platforms
PTX Series
By default, filtering duplicate get, getNext, and getBulk SNMP requests is disabled on
devices running Junos OS. If a network management station retransmits a Get, GetNext,
or GetBulk SNMP request too frequently to the router, that request might interfere with
the processing of previous requests and slow down the response time of the agent.
Filtering these duplicate requests improves the response time of the SNMP agent. Junos
OS uses the following information to determine if an SNMP request is a duplicate:
• Source IP address of the SNMP request
• Source UDP port of the SNMP request
• Request ID of the SNMP request
To filter duplicate SNMP requests, include the filter-duplicates statement at the
[edit snmp] hierarchy level:
[edit snmp]
filter-duplicates;
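The three-field duplicate key listed above, as an added Python example (not Junos code): it decodes the request ID from the BER encoding of an SNMPv1/v2c message and rejects a retransmission while the first copy is still being processed. The pending-request bookkeeping and every function name are assumptions made for illustration, and the request packets are constructed.

```python
def ber_tlv(tag, payload):
    """Encode one BER element (short-form length, payload under 128 bytes)."""
    if len(payload) > 127:
        raise ValueError('payload too long for this helper')
    return bytes([tag, len(payload)]) + payload


def read_tlv(buf, pos):
    """Decode the BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError('truncated BER header')
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], 'big')
        pos += count
    if pos + length > len(buf):
        raise ValueError('truncated BER value')
    return tag, buf[pos:pos + length], pos + length


# Context tags of the request PDUs that duplicate filtering applies to.
FILTERED_PDUS = {0xA0: 'Get', 0xA1: 'GetNext', 0xA5: 'GetBulk'}


def request_id(datagram):
    """Return (pdu_name, request_id) for an SNMPv1/v2c Get, GetNext or
    GetBulk message, or None for any other PDU type."""
    tag, message, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError('not a BER SEQUENCE')
    _, _, pos = read_tlv(message, 0)        # INTEGER version
    _, _, pos = read_tlv(message, pos)      # OCTET STRING community
    pdu_tag, pdu, _ = read_tlv(message, pos)
    if pdu_tag not in FILTERED_PDUS:
        return None
    _, rid, _ = read_tlv(pdu, 0)            # INTEGER request-id
    return FILTERED_PDUS[pdu_tag], int.from_bytes(rid, 'big', signed=True)


class DuplicateFilter:
    """Rejects a request whose (source IP, source UDP port, request ID)
    matches a request that is still being processed (assumed model)."""

    def __init__(self):
        self.pending = set()

    def accept(self, src_ip, src_port, datagram):
        parsed = request_id(datagram)
        if parsed is None:          # Set requests and other PDUs pass through
            return True
        key = (src_ip, src_port, parsed[1])
        if key in self.pending:
            return False            # retransmission of a request in progress
        self.pending.add(key)
        return True

    def answered(self, src_ip, src_port, rid):
        """Call once the response has been sent."""
        self.pending.discard((src_ip, src_port, rid))


def build_request(rid, pdu_tag=0xA0, community=b'public'):
    """Constructed SNMPv2c request for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])
    varbind = ber_tlv(0x30, ber_tlv(0x06, oid) + ber_tlv(0x05, b''))
    rid_bytes = rid.to_bytes(rid.bit_length() // 8 + 1, 'big', signed=True)
    pdu = ber_tlv(pdu_tag, ber_tlv(0x02, rid_bytes) + ber_tlv(0x02, b'\x00')
                  + ber_tlv(0x02, b'\x00') + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_tlv(0x02, b'\x01') + ber_tlv(0x04, community) + pdu)
```

A retransmitted Get from the same address and port is rejected until `answered()` is called; the same request ID from a different source port is treated as a new request.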
Related Documentation
• Configuring SNMP on a Device Running Junos OS
• Configuring the Interfaces on Which SNMP Requests Can Be Accepted on page 221
• Filtering Interface Information Out of SNMP Get and GetNext Output on page 222
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
Configuring SNMP Communities
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
Configuring the SNMP agent in Junos OS is a straightforward task that shares many
familiar settings common to other managed devices in your network. For example, you
need to configure Junos OS with an SNMP community string and a destination for traps.
Community strings are administrative names that group collections of devices and the
agents that are running on them together into common management domains. If a
manager and an agent share the same community, they can communicate with each
other. An SNMP community defines the level of authorization granted to its members,
such as which MIB objects are available, which operations (read-only or read-write) are
valid for those objects, and which SNMP clients are authorized, based on their source IP
addresses.
The SNMP community string defines the relationship between an SNMP server system
and the client systems. This string acts like a password to control the clients’ access to
the server.
To create a read-only SNMP community:
1. Enter the SNMP community used in your network.
If the community name contains spaces, enclose it in quotation marks (" ").
Community names must be unique.
NOTE: You cannot configure the same community name at the [edit snmp
community] and [edit snmp v3 snmp-community community-index] hierarchy
levels.
[edit groups global]
user@host# set snmp community name
This example uses the standard name public to create a community that gives limited
read-only access.
[edit groups global]
user@host# set snmp community public
2. Define the authorization level for the community.
The default authorization level for a community is read-only.
To allow Set requests within a community, you need to define that community as
authorization read-write. For Set requests, you also need to include the specific MIB
objects that are accessible with read-write privileges using the view statement. The
default view includes all supported MIB objects that are accessible with read-only
privileges. No MIB objects are accessible with read-write privileges. For more
information about the view statement, see “Configuring MIB Views” on page 223.
[edit groups global snmp community name]
user@host# set authorization authorization
This example confines the public community to read-only access. Any SNMP client
(for example, an SNMP management system) that belongs to the public community
can read MIB variables but cannot set (change) them.
[edit groups global snmp community public]
user@host# set authorization read-only
3. Define a list of clients in the community who are authorized to communicate with the
SNMP agent in Junos OS.
The clients statement lists the IP addresses of the clients (community members) that
are allowed to use this community. List the clients by IP address and prefix. Typically,
the list includes the SNMP network management system in your network or the address
of your management network. If no clients statement is present, all clients are allowed.
For address, you must specify an IPv4 or IPv6 address, not a hostname.
[edit groups global snmp community name]
user@host# set clients address
The following statement defines the hosts in the 192.168.1.0/24 network as being
authorized in the public community.
[edit groups global snmp community public]
user@host# set clients 192.168.1.0/24
4. Define the clients that are not authorized within the community by specifying their IP
address, followed by the restrict statement.
[edit groups global snmp community name]
user@host# set clients address restrict
The following statement defines all other hosts as being restricted from the public
community.
[edit groups global snmp community public]
user@host# set clients 0/0 restrict
5. At the top level of the configuration, apply the configuration group.
If you use a configuration group, you must apply it for it to take effect.
[edit]
user@host# set apply-groups global
6. Commit the configuration.
user@host# commit
To create a read-write SNMP community:
1. Enter the SNMP community used in your network.
[edit groups global]
user@host# set snmp community name
This example uses the standard community string private to identify the community granted
read-write access to the SNMP agent running on the device.
[edit groups global]
user@host# set snmp community private
2. Define the authorization level for the community.
[edit groups global snmp community name]
user@host# set authorization authorization
This example gives the private community read-write authorization, so SNMP clients that
belong to it can send Set requests as well as read MIB variables.
[edit groups global snmp community private]
user@host# set authorization read-write
3. Define a list of clients in the community who are authorized to make changes to the
SNMP agent in Junos OS.
List the clients by IP address and prefix.
[edit groups global snmp community name]
user@host# set clients address
For example:
[edit groups global snmp community private]
user@host# set clients 192.168.1.15/24
user@host# set clients 192.168.1.18/24
4. Define the clients that are not authorized within the community by specifying their IP
address, followed by the restrict statement.
[edit groups global snmp community name]
user@host# set clients address restrict
The following statement defines all other hosts as being restricted from the private
community.
[edit groups global snmp community private]
user@host# set clients 0/0 restrict
5. At the top level of the configuration, apply the configuration group.
If you use a configuration group, you must apply it for it to take effect.
[edit]
user@host# set apply-groups global
6. Commit the configuration.
user@host# commit
Related Documentation
• Adding a Group of Clients to an SNMP Community on page 196
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
• Examples: Configuring the SNMP Community String on page 196
Configuring the SNMP Community String
Supported Platforms
EX4600, QFabric System, QFX Series
The SNMP community string defines the relationship between an SNMP server system
and the client systems. This string acts like a password to control the clients’ access to
the server. To configure a community string in a Junos OS configuration, include the
community statement at the [edit snmp] hierarchy level:
[edit snmp]
community name {
    authorization authorization;
    clients {
        default restrict;
        address restrict;
    }
    view view-name;
}
If the community name contains spaces, enclose it in quotation marks (" ").
The default authorization level for a community is read-only. To allow Set requests within
a community, you need to define that community as authorization read-write. For Set
requests, you also need to include the specific MIB objects that are accessible with
read-write privileges using the view statement. The default view includes all supported
MIB objects that are accessible with read-only privileges; no MIB objects are accessible
with read-write privileges. For more information about the view statement, see
“Configuring MIB Views” on page 223.
The clients statement lists the IP addresses of the clients (community members) that
are allowed to use this community. If no clients statement is present, all clients are
allowed. For address, you must specify an IPv4 address, not a hostname. Include the
default restrict option to deny access to all SNMP clients for which access is not explicitly
granted. We recommend that you always include the default restrict option to limit SNMP
client access to the local switch.
NOTE: Community names must be unique within each SNMP system.
Related Documentation
• Configuring SNMP on page 176
Examples: Configuring the SNMP Community String
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
Grant read-only access to all clients. With the following configuration, the system responds
to SNMP Get, GetNext, and GetBulk requests that contain the community string public:
[edit]
snmp {
community public {
authorization read-only;
}
}
Grant all clients read-write access to the ping MIB and jnxPingMIB. With the following
configuration, the system responds to SNMP Get, GetNext, GetBulk, and Set requests
that contain the community string private and specify an OID contained in the ping MIB
or jnxPingMIB hierarchy:
[edit]
snmp {
    view ping-mib-view {
        oid pingMIB include;
        oid jnxPingMIB include;
    }
    community private {
        authorization read-write;
        view ping-mib-view;
    }
}
The following configuration allows read-only access to clients with IP addresses in the
range 1.2.3.4/24, and denies access to systems in the range fe80::1:2:3:4/64:
[edit]
snmp {
    community field-service {
        authorization read-only;
        clients {
            default restrict;          # Restrict access to all SNMP clients not explicitly
                                       # listed on the following lines.
            1.2.3.4/24;                # Allow access by all clients in 1.2.3.4/24 except
            fe80::1:2:3:4/64 restrict; # fe80::1:2:3:4/64.
        }
    }
}
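An added example, not Juniper code: a Python audit that parses a configuration in the curly-brace form used on this page (for example, as printed by show configuration) and flags the community settings the preceding sections single out: no clients statement, a clients list without default restrict or 0/0 restrict, the standard names public and private, and read-write authorization over a view that includes the whole MIB tree. The finding labels and function names are assumptions, and the sample configuration is constructed.

```python
import re

# Constructed sample in Junos curly-brace syntax (not taken from a real device).
SAMPLE_CONFIG = '''
snmp {
    view all-view {
        oid .1 include;
    }
    community public {
        authorization read-only;
    }
    community private {
        authorization read-write;   # Set requests allowed
        view all-view;
        clients {
            192.168.1.0/24;
        }
    }
    community "field service" {
        authorization read-only;
        clients {
            default restrict;
            192.168.1.15/32;
        }
    }
}
'''

# Alternatives, in order: quoted string, "#" comment, [edit ...] banner,
# punctuation, bare word.
TOKEN = re.compile(r'"[^"\n]*"|#[^\n]*|\[edit[^\]\n]*\]|[{};]|[^\s{};"#]+')
CATCH_ALL = ('default', '0/0', '0.0.0.0/0')

def tokenize(text):
    """Split configuration text into tokens, dropping comments and banners."""
    return [t for t in TOKEN.findall(text) if not t.startswith(('#', '[edit'))]

def parse(tokens, pos=0, depth=0):
    """Return (statements, next_pos); a statement is (words, children or None)."""
    statements, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == '{':
            children, pos = parse(tokens, pos, depth + 1)
            statements.append((words, children))
            words = []
        elif tok == ';':
            statements.append((words, None))
            words = []
        elif tok == '}':
            if depth == 0:
                raise ValueError('unbalanced closing brace')
            return statements, pos
        else:
            words.append(tok.strip('"'))
    if depth:
        raise ValueError('missing closing brace')
    return statements, pos

def select(statements, keyword, args=0):
    """(words, children) pairs for statements that start with keyword and
    carry at least args further words."""
    return [(w, c or []) for w, c in statements
            if len(w) > args and w[0] == keyword]

def audit_communities(config_text):
    """Return sorted (community, finding) pairs for the snmp hierarchy."""
    tree, _ = parse(tokenize(config_text))
    findings = set()
    for _, snmp in select(tree, 'snmp'):
        # Views that include the root of the MIB tree (oid .1).
        wide_views = {
            w[1] for w, oids in select(snmp, 'view', 1)
            if any(o[1].lstrip('.') == '1' and o[-1] != 'exclude'
                   for o, _ in select(oids, 'oid', 1))
        }
        for words, body in select(snmp, 'community', 1):
            name = words[1]
            if name in ('public', 'private'):
                findings.add((name, 'well-known-name'))
            clients = select(body, 'clients')
            if not clients and not select(body, 'client-list-name', 1):
                # "If no clients statement is present, all clients are allowed."
                findings.add((name, 'open-to-all-clients'))
            for _, entries in clients:
                rules = [e for e, _ in entries if e]
                if not any(r[0] in CATCH_ALL and r[-1] == 'restrict'
                           for r in rules):
                    findings.add((name, 'no-default-restrict'))
            auth = [w[1] for w, _ in select(body, 'authorization', 1)]
            views = {w[1] for w, _ in select(body, 'view', 1)}
            if 'read-write' in auth and views & wide_views:
                findings.add((name, 'write-view-covers-whole-tree'))
    return sorted(findings)
```

Calling `audit_communities(SAMPLE_CONFIG)` reports findings for public and private and none for "field service"; the field-service example above also passes with no findings.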
Related Documentation
• Configuring SNMP Communities on page 192
Adding a Group of Clients to an SNMP Community
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series, vSRX
Junos OS enables you to add one or more groups of clients to an SNMP community. You
can include the client-list-name name statement at the [edit snmp community
community-name] hierarchy level to add all the members of the client list or prefix list to
an SNMP community.
To define a list of clients, include the client-list statement followed by the IP addresses
of the clients at the [edit snmp] hierarchy level:
[edit snmp]
client-list client-list-name {
ip-addresses;
}
You can configure a prefix list at the [edit policy-options] hierarchy level. Support for
prefix lists in the SNMP community configuration enables you to use a single list to
configure the SNMP and routing policies. For more information about the prefix-list
statement, see the Routing Policies, Firewall Filters, and Traffic Policers Feature Guide.
To add a client list or prefix list to an SNMP community, include the client-list-name
statement at the [edit snmp community community-name] hierarchy level:
[edit snmp community community-name]
client-list-name client-list-name;
NOTE: The client list and prefix list must not have the same name.
The following example shows how to define a client list:
[edit]
snmp {
client-list clientlist1 {
10.1.1.1/32;
10.2.2.2/32;
}
}
The following example shows how to add a client list to an SNMP community:
[edit]
snmp {
community community1 {
authorization read-only;
client-list-name clientlist1;
}
}
The following example shows how to add a prefix list to an SNMP community:
[edit]
policy-options {
prefix-list prefixlist {
10.3.3.3/32;
10.5.5.5/32;
}
}
snmp {
community community2 {
client-list-name prefixlist;
}
}
Related Documentation
• client-list on page 1483
• client-list-name on page 1484
Configuring a Proxy SNMP Agent
Supported Platforms
M Series, MX Series, T Series
Starting with Release 12.3, Junos OS enables you to assign one of the devices in the
network as a proxy SNMP agent through which the network management system (NMS)
can query other devices in the network. When you configure a proxy, you can specify the
names of devices to be managed through the proxy SNMP agent.
When the NMS queries the proxy SNMP agent, the NMS specifies the community name
(for SNMPv1 and SNMPv2) or the context and security name (for SNMPv3) associated
with the device from which it requires the information.
NOTE: If you have configured authentication and privacy methods and
passwords for SNMPv3, those parameters are also specified in the query for
SNMPv3 information.
To configure a proxy SNMP agent and specify devices to be managed by the proxy SNMP
agent, you can include the following configuration statements at the [edit snmp] hierarchy
level:
proxy proxy-name {
    device-name device-name;
    logical-system logical-system {
        routing-instance routing-instance;
    }
    routing-instance routing-instance;
    <version-v1 | version-v2c> {
        snmp-community community-name;
        no-default-comm-to-v3-config;
    }
    version-v3 {
        security-name security-name;
        context context-name;
    }
}
• The proxy statement enables you to specify a unique name for the proxy configuration.
• The version-v1, version-v2c, and version-v3 statements enable you to specify the SNMP
  version.
• The no-default-comm-to-v3-config statement is an optional statement at the [edit
  snmp proxy proxy-name <version-v1 | version-v2c>] hierarchy level that when included
  in the configuration requires you to manually configure the statements at the [edit
  snmp v3 snmp-community community-name] and [edit snmp v3 vacm] hierarchy levels.
  If the no-default-comm-to-v3-config statement is not included at the [edit snmp proxy
  proxy-name <version-v1 | version-v2c>] hierarchy level, the [edit snmp v3
  snmp-community community-name] and [edit snmp v3 vacm] hierarchy level
  configurations are automatically initialized.
• The logical-system and routing-instance statements are optional statements that
  enable you to specify logical system and routing instance names if you want to create
  proxies for logical systems or routing instances on the device.
NOTE: Starting with Junos OS Release 15.2, you must configure the interface
<interface-name> statement at the [edit snmp] hierarchy level for the proxy
SNMP agent.
NOTE: The community and security configuration for the proxy should match
the corresponding configuration on the device that is to be managed.
NOTE: Because the proxy SNMP agent does not have trap forwarding
capabilities, the devices that are managed by the proxy SNMP agent send
the traps directly to the network management system.
You can use the show snmp proxy operational mode command to view proxy details on
a device. The show snmp proxy command returns the proxy names, device names, SNMP
version, community/security, and context information.
Related Documentation
• proxy (snmp) on page 1531
Configuring SNMP Traps
Supported Platforms
M Series, MX Series, PTX Series, T Series
Traps are unsolicited messages sent from an SNMP agent to remote network
management systems or trap receivers. Many enterprises use SNMP traps as part of a
fault-monitoring solution, in addition to system logging. In Junos OS, SNMP traps are not
forwarded by default, so you must configure a trap-group if you wish to use SNMP traps.
You can create and name a group of one or more types of SNMP traps and then define
which systems receive the group of SNMP traps. The name of the trap group is embedded
in SNMP trap notification packets as one variable binding (varbind) known as the
community name.
To configure an SNMP trap:
1. Create a single, consistent source address that Junos OS applies to all outgoing traps
in your device.
A source address is useful, because although most Junos OS devices have a number
of outbound interfaces, using one source address helps a remote NMS to associate
the source of the traps with an individual device.
[edit groups global snmp]
user@host# set trap-options source-address address
This example uses the IP address of the loopback interface (lo0) as the source address
for all the SNMP traps that originate from the device.
[edit groups global snmp]
user@host# set trap-options source-address lo0
2. Create a trap group in which you can list the types of traps to be forwarded and the
targets (addresses) of the receiving remote management systems.
[edit groups global snmp trap-group group-name]
user@host# set version (all | v1 | v2) targets address
This example creates a trap group called managers and allows SNMP version 2-formatted
notifications (traps) to be sent to the host at address 192.168.1.15. This statement
forwards all categories of traps.
[edit groups global snmp trap-group managers]
user@host# set version v2 targets 192.168.1.15
3. Define the specific subset of trap categories to be forwarded.
For a list of categories, see “Configuring SNMP Trap Groups” on page 206.
[edit groups global snmp trap-group group-name]
user@host# set categories category
The following statement configures the trap group to forward the standard MIB-II
authentication failures on the agent (the device).
[edit groups global snmp trap-group managers]
user@host# set categories authentication
4. At the top level of the configuration, apply the configuration group.
If you use a configuration group, you must apply it for it to take effect.
[edit]
user@host# set apply-groups global
5. Commit the configuration.
user@host# commit
6. To verify the configuration, generate an authentication failure trap.
An authentication failure trap means that the SNMP agent received a request with an
unknown community. Other trap types can also be spoofed.
This feature enables you to trigger SNMP traps from routers and ensure that they are
processed correctly within your existing network management infrastructure. This is
also useful for testing and debugging SNMP behavior on the switch or NMS.
Using the monitor traffic command, you can verify that the trap is sent to the network
management system.
user@host> request snmp spoof-trap authenticationFailure
Spoof-trap request result: trap sent successfully
Related Documentation
• Adding a Group of Clients to an SNMP Community on page 196
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
• Examples: Configuring the SNMP Community String on page 196
Configuring SNMP Trap Options and Groups on a Device Running Junos OS
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
Some carriers have more than one trap receiver that forwards traps to a central NMS.
This allows for more than one path for SNMP traps from a router to the central NMS
through different trap receivers. A device running Junos OS can be configured to send
the same copy of each SNMP trap to every trap receiver configured in the trap group.
The source address in the IP header of each SNMP trap packet is set to the address of
the outgoing interface by default. When a trap receiver forwards the packet to the central
NMS, the source address is preserved. The central NMS, looking only at the source address
of each SNMP trap packet, assumes that each SNMP trap came from a different source.
In reality, the SNMP traps came from the same router, but each left the router through
a different outgoing interface.
The statements discussed in the following sections are provided to allow the NMS to
recognize the duplicate traps and to distinguish SNMPv1 traps based on the outgoing
interface.
To configure SNMP trap options and trap groups, include the trap-options and trap-group
statements at the [edit snmp] hierarchy level:
[edit snmp]
trap-options {
    agent-address outgoing-interface;
    source-address address;
}
trap-group group-name {
    categories {
        category;
    }
    destination-port port-number;
    targets {
        address;
    }
    version (all | v1 | v2);
}
Related Documentation
• Configuring SNMP Trap Options on page 202
• Configuring SNMP Trap Groups on page 206
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
Configuring SNMP Trap Options
Supported Platforms
M Series, MX Series, PTX Series, T Series
Using SNMP trap options, you can set the source address of every SNMP trap packet
sent by the router to a single address regardless of the outgoing interface. In addition,
you can set the agent address of the SNMPv1 traps. For more information about the
contents of SNMPv1 traps, see RFC 1157.
NOTE: SNMP cannot be associated with any routing instances other than
the master routing instance.
To configure SNMP trap options, include the trap-options statement at the [edit snmp]
hierarchy level:
[edit snmp]
trap-options {
    agent-address outgoing-interface;
    context-oid;
    enterprise-oid;
    logical-system logical-system-name {
        routing-instance routing-instance-name {
            source-address address;
        }
    }
    routing-instance routing-instance-name {
        source-address address;
    }
}
You must also configure a trap group for the trap options to take effect. For information
about trap groups, see “Configuring SNMP Trap Groups” on page 206.
This topic contains the following sections:
• Configuring the Source Address for SNMP Traps
• Configuring the Agent Address for SNMP Traps
• Adding snmpTrapEnterprise Object Identifier to Standard SNMP Traps
Configuring the Source Address for SNMP Traps
You can configure the source address of trap packets in many ways: lo0, a valid IPv4
address or IPv6 address configured on one of the router interfaces, a logical-system
address, or the address of a routing-instance. The value lo0 indicates that the source
address of the SNMP trap packets is set to the lowest loopback address configured on
the interface lo0.
NOTE: If the source address is an invalid IPv4 or IPv6 address or is not
configured, SNMP traps are not generated.
You can configure the source address of trap packets in one of the following formats:
• A valid IPv4 address configured on one of the router interfaces
• A valid IPv6 address configured on one of the router interfaces
• lo0; that is, the lowest loopback address configured on the interface lo0
• A logical-system name
• A routing-instance name
A Valid IPv4 Address As the Source Address
To specify a valid IPv4 interface address as the source address for SNMP traps on one
of the router interfaces, include the source-address statement at the [edit snmp
trap-options] hierarchy level:
[edit snmp trap-options]
source-address address;
address is a valid IPv4 address configured on one of the router interfaces.
A Valid IPv6 Address As the Source Address
To specify a valid IPv6 interface address as the source address for SNMP traps on one
of the router interfaces, include the source-address statement at the [edit snmp
trap-options] hierarchy level:
[edit snmp trap-options]
source-address address;
address is a valid IPv6 address configured on one of the router interfaces.
The Lowest Loopback Address As the Source Address
To specify the source address of the SNMP traps so that they use the lowest loopback
address configured on the interface lo0 as the source address, include the source-address
statement at the [edit snmp trap-options] hierarchy level:
[edit snmp trap-options]
source-address lo0;
To enable and configure the loopback address, include the address statement at the
[edit interfaces lo0 unit 0 family inet] hierarchy level:
[edit interfaces]
lo0 {
    unit 0 {
        family inet {
            address ip-address;
        }
    }
}
To configure the loopback address as the source address of trap packets:
[edit snmp]
trap-options {
    source-address lo0;
}
trap-group "urgent-dispatcher" {
    version v2;
    categories link startup;
    targets {
        192.168.10.22;
        172.17.1.2;
    }
}
[edit interfaces]
lo0 {
    unit 0 {
        family inet {
            address 10.0.0.1/32;
            address 127.0.0.1/32;
        }
    }
}
In this example, the IP address 10.0.0.1 is the source address of every trap sent from this
router.
Logical System Name as the Source Address
To specify a logical system name as the source address of SNMP traps, include the
logical-system logical-system-name statement at the [edit snmp trap-options] hierarchy
level.
For example, the following configuration sets logical system name ls1 as the source
address of SNMP traps:
[edit snmp]
trap-options {
    logical-system ls1;
}
Routing Instance Name as the Source Address
To specify a routing instance name as the source address of SNMP traps, include the
routing-instance routing-instance-name statement at the [edit snmp trap-options] hierarchy
level.
For example, the following configuration sets the routing instance name ri1 as the source
address for SNMP traps:
[edit snmp]
trap-options {
    routing-instance ri1;
}
Configuring the Agent Address for SNMP Traps
The agent address is only available in SNMPv1 trap packets (see RFC 1157). By default,
the router’s default local address is not specified in the agent address field of the SNMPv1
trap. To configure the agent address, include the agent-address statement at the [edit
snmp trap-options] hierarchy level. Currently, the agent address can only be the address
of the outgoing interface:
[edit snmp]
trap-options {
    agent-address outgoing-interface;
}
To configure the outgoing interface as the agent address:
[edit snmp]
trap-options {
    agent-address outgoing-interface;
}
trap-group "urgent-dispatcher" {
    version v1;
    categories link startup;
    targets {
        192.168.10.22;
        172.17.1.2;
    }
}
In this example, each SNMPv1 trap packet sent has its agent address value set to the IP
address of the outgoing interface.
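The following Python example is added here and is not from the Juniper guide. It decodes the SNMPv1 Trap-PDU header (RFC 1157) on the NMS side, so that copies of a trap can be grouped by IP source address (set by source-address) and told apart by the agent-addr field (set by agent-address); it also shows that the trap group name arrives as the cleartext community string. The community urgent-dispatcher, the source 10.0.0.1, and the linkDown values come from this guide; the agent addresses 192.0.2.1 and 198.51.100.1, the uptime value, all function names, and the combination of source-address lo0 with agent-address outgoing-interface are assumptions made for illustration.

```python
"""Decode the fixed fields of an SNMPv1 Trap-PDU (RFC 1157). Added example."""
import ipaddress


def read_tlv(buf, pos):
    """Read one BER TLV at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("TLV value runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, want_tag):
    """Read a TLV and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x}, got 0x{tag:02x}")
    return value, nxt


def decode_oid(value):
    """Convert BER OBJECT IDENTIFIER contents to dotted notation."""
    subids, acc = [], 0
    for octet in value:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subids.append(acc)
            acc = 0
    if not subids or value[-1] & 0x80:
        raise ValueError("malformed OID")
    first = subids[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(n) for n in head + subids[1:])


def parse_v1_trap(packet):
    """Return the community and Trap-PDU header fields of an SNMPv1 trap."""
    message, _ = expect(packet, 0, 0x30)          # Message ::= SEQUENCE
    version, pos = expect(message, 0, 0x02)       # INTEGER, 0 means SNMPv1
    if int.from_bytes(version, "big") != 0:
        raise ValueError("not an SNMPv1 message")
    community, pos = expect(message, pos, 0x04)   # OCTET STRING, cleartext
    pdu, _ = expect(message, pos, 0xA4)           # Trap-PDU, context tag 4
    enterprise, pos = expect(pdu, 0, 0x06)
    agent, pos = expect(pdu, pos, 0x40)           # IpAddress, always 4 octets
    if len(agent) != 4:
        raise ValueError("agent-addr must be 4 octets")
    generic, pos = expect(pdu, pos, 0x02)
    specific, pos = expect(pdu, pos, 0x02)
    ticks, pos = expect(pdu, pos, 0x43)           # TimeTicks
    return {
        "community": community.decode("ascii", "replace"),
        "enterprise": decode_oid(enterprise),
        "agent_addr": str(ipaddress.IPv4Address(agent)),
        "generic": int.from_bytes(generic, "big", signed=True),
        "specific": int.from_bytes(specific, "big", signed=True),
        "uptime_ticks": int.from_bytes(ticks, "big"),
    }


def tlv(tag, value):
    """Encode a short-form TLV; used only to build the constructed sample."""
    if len(value) >= 128:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(value)]) + value


def sample_trap(agent_ip, community=b"urgent-dispatcher"):
    """Constructed linkDown trap using the Table 14 values: enterprise
    1.3.6.1.4.1.2636, generic 2, specific 0. agent_ip is a made-up address."""
    pdu = (tlv(0x06, bytes.fromhex("2b06010401944c"))
           + tlv(0x40, ipaddress.IPv4Address(agent_ip).packed)
           + tlv(0x02, b"\x02") + tlv(0x02, b"\x00")
           + tlv(0x43, (12345).to_bytes(2, "big"))
           + tlv(0x30, b""))                      # empty variable-bindings
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + tlv(0xA4, pdu))


def paths_per_router(datagrams):
    """Group (udp_source, packet) pairs by IP source address and list the
    distinct agent-addr values (outgoing interfaces) seen for each source."""
    seen = {}
    for udp_source, packet in datagrams:
        seen.setdefault(udp_source, set()).add(parse_v1_trap(packet)["agent_addr"])
    return {src: sorted(addrs) for src, addrs in seen.items()}


if __name__ == "__main__":
    copies = [("10.0.0.1", sample_trap("192.0.2.1")),
              ("10.0.0.1", sample_trap("198.51.100.1"))]
    print(parse_v1_trap(copies[0][1]))
    print(paths_per_router(copies))
```

Both copies map to the single source 10.0.0.1, while the agent-addr values show which interface each copy left through.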
Adding snmpTrapEnterprise Object Identifier to Standard SNMP Traps
The snmpTrapEnterprise object helps you identify the enterprise that has defined the
trap. Typically, the snmpTrapEnterprise object appears as the last varbind in
enterprise-specific SNMP version 2 traps. However, starting with Release 10.0, Junos OS
enables you to add the snmpTrapEnterprise object identifier to standard SNMP traps as
well.
To add snmpTrapEnterprise to standard traps, include the enterprise-oid statement at
the [edit snmp trap-options] hierarchy level. If the enterprise-oid statement is not included
in the configuration, snmpTrapEnterprise is added only for enterprise-specific traps.
[edit snmp]
trap-options {
    enterprise-oid;
}
Related Documentation
• Configuring SNMP Trap Options and Groups on a Device Running Junos OS
• Configuring SNMP Trap Groups
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level
Configuring SNMP Trap Groups
Supported Platforms
SRX Series, vSRX
You can create and name a group of one or more types of SNMP traps and then define
which systems receive the group of SNMP traps. The trap group must be configured for
SNMP traps to be sent. To create an SNMP trap group, include the trap-group statement
at the [edit snmp] hierarchy level:
[edit snmp]
trap-group group-name {
    categories {
        category;
    }
    destination-port port-number;
    routing-instance instance;
    targets {
        address;
    }
    version (all | v1 | v2);
}
The trap group name can be any string and is embedded in the community name field
of the trap. To configure your own trap group port, include the destination-port statement.
The default destination port is port 162.
For each trap group that you define, you must include the targets statement to define at
least one system as the recipient of the SNMP traps in the trap group. Specify the IPv4
or IPv6 address of each recipient, not its hostname.
Specify the types of traps the trap group can receive in the categories statement. For
information about the category to which the traps belong, see the “Standard SNMP Traps
Supported by Junos OS” on page 148 and “Enterprise-Specific SNMP Traps Supported by
Junos OS” on page 156 topics.
Specify the routing instance used by the trap group in the routing-instance statement.
All targets configured in the trap group use this routing instance.
A trap group can receive the following categories:
• authentication—Authentication failures
• chassis—Chassis or environment notifications
• configuration—Configuration notifications
• link—Link-related notifications (up-down transitions, DS-3 and DS-1 line status change, IPv6 interface state change, and Passive Monitoring PIC overload)
NOTE: To send Passive Monitoring PIC overload interface traps, select the link trap category.
• remote-operations—Remote operation notifications
• rmon-alarm—Alarm for RMON events
• routing—Routing protocol notifications
• sonet-alarms—SONET/SDH alarms
NOTE: If you omit the SONET/SDH subcategories, all SONET/SDH trap alarm types are included in trap notifications.
    • loss-of-light—Loss of light alarm notification
    • pll-lock—PLL lock alarm notification
    • loss-of-frame—Loss of frame alarm notification
    • loss-of-signal—Loss of signal alarm notification
    • severely-errored-frame—Severely errored frame alarm notification
    • line-ais—Line alarm indication signal (AIS) alarm notification
    • path-ais—Path AIS alarm notification
    • loss-of-pointer—Loss of pointer alarm notification
    • ber-defect—SONET/SDH bit error rate alarm defect notification
    • ber-fault—SONET/SDH error rate alarm fault notification
    • line-remote-defect-indication—Line remote defect indication alarm notification
    • path-remote-defect-indication—Path remote defect indication alarm notification
    • remote-error-indication—Remote error indication alarm notification
    • unequipped—Unequipped alarm notification
    • path-mismatch—Path mismatch alarm notification
    • loss-of-cell—Loss of cell delineation alarm notification
    • vt-ais—Virtual tributary (VT) AIS alarm notification
    • vt-loss-of-pointer—VT loss of pointer alarm notification
    • vt-remote-defect-indication—VT remote defect indication alarm notification
    • vt-unequipped—VT unequipped alarm notification
    • vt-label-mismatch—VT label mismatch error notification
    • vt-loss-of-cell—VT loss of cell delineation notification
• startup—System warm and cold starts
• timing-events—Timing events and defects notification
• vrrp-events—Virtual Router Redundancy Protocol (VRRP) events such as new-master or authentication failures
If you include SONET/SDH subcategories, only those SONET/SDH trap alarm types are
included in trap notifications.
The version statement allows you to specify the SNMP version of the traps sent to targets
of the trap group. If you specify v1 only, SNMPv1 traps are sent. If you specify v2 only,
SNMPv2 traps are sent. If you specify all, both an SNMPv1 and an SNMPv2 trap are sent
for every trap condition. For more information about the version statement, see version
(SNMP).
Related Documentation
• Configuring SNMP Trap Options and Groups on a Device Running Junos OS
• Configuring SNMP Trap Options
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level
• Example: Configuring SNMP Trap Groups
SNMP Traps Support
Supported Platforms
EX4600, QFabric System, QFX Series
The QFX Series standalone switches, QFX Series Virtual Chassis, and QFabric systems
support standard SNMP traps and Juniper Networks enterprise-specific traps.
For more information, see:
• SNMP Traps Supported on QFX Series Standalone Switches and QFX Series Virtual Chassis
• SNMP Traps Supported on QFabric Systems
SNMP Traps Supported on QFX Series Standalone Switches and QFX Series Virtual Chassis
QFX Series standalone switches and QFX Series Virtual Chassis support SNMPv1 and v2
traps. For more information, see:
• SNMPv1 Traps
• SNMPv2 Traps
SNMPv1 Traps
QFX Series standalone switches and QFX Series Virtual Chassis support both standard
SNMPv1 traps and Juniper Networks enterprise-specific SNMPv1 traps. See:
• Table 14 for standard SNMPv1 traps.
• Table 15 for enterprise-specific SNMPv1 traps.
The traps are organized first by trap category and then by trap name. The system logging
severity levels are listed for those traps that have them. Traps that do not have
corresponding system logging severity levels are marked with an en dash (–).
Table 14: Standard SNMP Version 1 Traps Supported on QFX Series Standalone Switches and QFX Series Virtual Chassis

| Defined in | Trap Name | Enterprise ID | Generic Trap Number | Specific Trap Number | System Logging Severity Level | Syslog Tag |
|---|---|---|---|---|---|---|
| Link Notifications | | | | | | |
| RFC 1215, Conventions for Defining Traps for Use with the SNMP | linkDown | 1.3.6.1.4.1.2636 | 2 | 0 | Warning | SNMP_TRAP_LINK_DOWN |
| RFC 1215, Conventions for Defining Traps for Use with the SNMP | linkUp | 1.3.6.1.4.1.2636 | 3 | 0 | Info | SNMP_TRAP_LINK_UP |
| Remote Operations Notifications | | | | | | |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | pingProbeFailed | 1.3.6.1.2.1.80.0 | 6 | 1 | Info | SNMP_TRAP_PING_PROBE_FAILED |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | pingTestFailed | 1.3.6.1.2.1.80.0 | 6 | 2 | Info | SNMP_TRAP_PING_TEST_FAILED |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | pingTestCompleted | 1.3.6.1.2.1.80.0 | 6 | 3 | Info | SNMP_TRAP_PING_TEST_COMPLETED |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | traceRoutePathChange | 1.3.6.1.2.1.81.0 | 6 | 1 | Info | SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | traceRouteTestFailed | 1.3.6.1.2.1.81.0 | 6 | 2 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_FAILED |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | traceRouteTestCompleted | 1.3.6.1.2.1.81.0 | 6 | 3 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED |
| RMON Alarms | | | | | | |
| RFC 2819a, RMON MIB | fallingAlarm | 1.3.6.1.2.1.16 | 6 | 2 | – | – |
| RFC 2819a, RMON MIB | risingAlarm | 1.3.6.1.2.1.16 | 6 | 1 | – | – |
| Routing Notifications | | | | | | |
| BGP 4 MIB | bgpEstablished | 1.3.6.1.2.1.15.7 | 6 | 1 | – | – |
| BGP 4 MIB | bgpBackwardTransition | 1.3.6.1.2.1.15.7 | 6 | 2 | – | – |
| OSPF TRAP MIB | ospfVirtIfStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 1 | – | – |
| OSPF TRAP MIB | ospfNbrStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 2 | – | – |
| OSPF TRAP MIB | ospfVirtNbrStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 3 | – | – |
| OSPF TRAP MIB | ospfIfConfigError | 1.3.6.1.2.1.14.16.2 | 6 | 4 | – | – |
| OSPF TRAP MIB | ospfVirtIfConfigError | 1.3.6.1.2.1.14.16.2 | 6 | 5 | – | – |
| OSPF TRAP MIB | ospfIfAuthFailure | 1.3.6.1.2.1.14.16.2 | 6 | 6 | – | – |
| OSPF TRAP MIB | ospfVirtIfAuthFailure | 1.3.6.1.2.1.14.16.2 | 6 | 7 | – | – |
| OSPF TRAP MIB | ospfIfRxBadPacket | 1.3.6.1.2.1.14.16.2 | 6 | 8 | – | – |
| OSPF TRAP MIB | ospfVirtIfRxBadPacket | 1.3.6.1.2.1.14.16.2 | 6 | 9 | – | – |
| OSPF TRAP MIB | ospfTxRetransmit | 1.3.6.1.2.1.14.16.2 | 6 | 10 | – | – |
| OSPF TRAP MIB | ospfVirtIfTxRetransmit | 1.3.6.1.2.1.14.16.2 | 6 | 11 | – | – |
| OSPF TRAP MIB | ospfMaxAgeLsa | 1.3.6.1.2.1.14.16.2 | 6 | 13 | – | – |
| OSPF TRAP MIB | ospfIfStateChange | 1.3.6.1.2.1.14.16.2 | 6 | 16 | – | – |
| Startup Notifications | | | | | | |
| RFC 1215, Conventions for Defining Traps for Use with the SNMP | authenticationFailure | 1.3.6.1.4.1.2636 | 4 | 0 | Notice | SNMPD_TRAP_GEN_FAILURE |
| RFC 1215, Conventions for Defining Traps for Use with the SNMP | coldStart | 1.3.6.1.4.1.2636 | 0 | 0 | Critical | SNMPD_TRAP_COLD_START |
| RFC 1215, Conventions for Defining Traps for Use with the SNMP | warmStart | 1.3.6.1.4.1.2636 | 1 | 0 | Error | SNMPD_TRAP_WARM_START |
| VRRP Notifications | | | | | | |
| RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol | vrrpTrapNewMaster | 1.3.6.1.2.1.68 | 6 | 1 | Warning | VRRPD_NEWMASTER_TRAP |
| RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol | vrrpTrapAuthFailure | 1.3.6.1.2.1.68 | 6 | 2 | Warning | VRRPD_AUTH_FAILURE_TRAP |
Table 15: Enterprise-Specific SNMPv1 Traps Supported on QFX Series Standalone Switches and QFX Series Virtual Chassis

| Defined in | Trap Name | Enterprise ID | Generic Trap Number | Specific Trap Number | System Logging Severity Level | System Log Tag |
|---|---|---|---|---|---|---|
| Chassis Notifications (Alarm Conditions) | | | | | | |
| Chassis MIB (jnx-chassis.mib) | jnxPowerSupplyFailure | 1.3.6.1.4.1.2636.4.1 | 6 | 1 | Warning | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxFanFailure | 1.3.6.1.4.1.26361 | 6 | 2 | Critical | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxOverTemperature | 11.4.1.2636.4.1 | 6 | 3 | Alert | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxFruRemoval | 1.3.6.1.4.1.2636.4.1 | 6 | 5 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxFruInsertion | 1.3.6.1.4.1.2636.4.1 | 6 | 6 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxFruPowerOff | 1.3.6.1.4.1.2636.4.1 | 6 | 7 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxFruPowerOn | 1.3.6.1.4.1.2636.4.1 | 6 | 8 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxFruFailed | 1.3.6.1.4.1.2636.4.1 | 6 | 9 | Warning | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxFruOffline | 1.3.6.1.4.1.2636.4.1 | 6 | 10 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxFruOnline | 1.3.6.1.4.1.2636.4.1 | 6 | 11 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxFruCheck | 1.3.6.1.4.1.2636.4.1 | 6 | 12 | Warning | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxPowerSupplyOk | 1.3.6.1.4.1.2636.4.2 | 6 | 1 | Critical | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxFanOK | 1.3.6.1.4.1.2636.4.2 | 6 | 2 | Critical | CHASSISD_SNMP_TRAP |
| Chassis MIB (jnx-chassis.mib) | jnxTemperatureOK | 1.3.6.1.4.1.2636.4.2 | 6 | 3 | Alert | CHASSISD_SNMP_TRAP |
| Configuration Notifications | | | | | | |
| Configuration Management MIB (jnx-configmgmt.mib) | jnxCmCfgChange | 1.3.6.1.4.1.2636.4.5 | 6 | 1 | – | – |
| Configuration Management MIB (jnx-configmgmt.mib) | jnxCmRescueChange | 1.3.6.1.4.1.2636.4.5 | 6 | 2 | – | – |
| Remote Operations | | | | | | |
| Ping MIB (jnx-ping.mib) | jnxPingRttThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 1 | – | – |
| Ping MIB (jnx-ping.mib) | jnxPingRttStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 2 | – | – |
| Ping MIB (jnx-ping.mib) | jnxPingRttJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 3 | – | – |
| Ping MIB (jnx-ping.mib) | jnxPingEgressThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 4 | – | – |
| Ping MIB (jnx-ping.mib) | jnxPingEgressStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 5 | – | – |
| Ping MIB (jnx-ping.mib) | jnxPingEgressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 6 | – | – |
| Ping MIB (jnx-ping.mib) | jnxPingIngressThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 7 | – | – |
| Ping MIB (jnx-ping.mib) | jnxPingIngressStddevThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 8 | – | – |
| Ping MIB (jnx-ping.mib) | jnxPingIngressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9 | 6 | 9 | – | – |
| RMON Alarms | | | | | | |
| RMON MIB (jnx-rmon.mib) | jnxRmonAlarmGetFailure | 1.3.6.1.4.1.2636.4.3 | 6 | 1 | – | – |
| RMON MIB (jnx-rmon.mib) | jnxRmonGetOk | 1.3.6.1.4.1.2636.4.3 | 6 | 2 | – | – |
SNMPv2 Traps
• Table 16 lists the standard SNMP traps
• Table 17 lists the Juniper Networks enterprise-specific traps
Table 16: Standard SNMPv2 Traps Supported on QFX Series Standalone Switches and QFX Series Virtual Chassis

| Defined in | Trap Name | SNMP Trap OID | System Logging Severity Level | Syslog Tag |
|---|---|---|---|---|
| Link Notifications | | | | |
| RFC 2863, The Interfaces Group MIB | linkDown | 1.3.6.1.6.3.1.1.5.3 | Warning | SNMP_TRAP_LINK_DOWN |
| RFC 2863, The Interfaces Group MIB | linkUp | 1.3.6.1.6.3.1.1.5.4 | Info | SNMP_TRAP_LINK_UP |
| Remote Operations Notifications | | | | |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | pingProbeFailed | 1.3.6.1.2.1.80.0.1 | Info | SNMP_TRAP_PING_PROBE_FAILED |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | pingTestFailed | 1.3.6.1.2.1.80.0.2 | Info | SNMP_TRAP_PING_TEST_FAILED |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | pingTestCompleted | 1.3.6.1.2.1.80.0.3 | Info | SNMP_TRAP_PING_TEST_COMPLETED |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | traceRoutePathChange | 1.3.6.1.2.1.81.0.1 | Info | SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | traceRouteTestFailed | 1.3.6.1.2.1.81.0.2 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_FAILED |
| RFC 2925, Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations | traceRouteTestCompleted | 1.3.6.1.2.1.81.0.3 | Info | SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED |
| RMON Alarms | | | | |
| RFC 2819a, RMON MIB | fallingAlarm | 1.3.6.1.2.1.16.0.1 | – | – |
| RFC 2819a, RMON MIB | risingAlarm | 1.3.6.1.2.1.16.0.2 | – | – |
| Routing Notifications | | | | |
| BGP 4 MIB | bgpEstablished | 1.3.6.1.2.1.15.7.1 | – | – |
| BGP 4 MIB | bgpBackwardTransition | 1.3.6.1.2.1.15.7.2 | – | – |
| OSPF Trap MIB | ospfVirtIfStateChange | 1.3.6.1.2.1.14.16.2.1 | – | – |
| OSPF Trap MIB | ospfNbrStateChange | 1.3.6.1.2.1.14.16.2.2 | – | – |
| OSPF Trap MIB | ospfVirtNbrStateChange | 1.3.6.1.2.1.14.16.2.3 | – | – |
| OSPF Trap MIB | ospfIfConfigError | 1.3.6.1.2.1.14.16.2.4 | – | – |
| OSPF Trap MIB | ospfVirtIfConfigError | 1.3.6.1.2.1.14.16.2.5 | – | – |
| OSPF Trap MIB | ospfIfAuthFailure | 1.3.6.1.2.1.14.16.2.6 | – | – |
| OSPF Trap MIB | ospfVirtIfAuthFailure | 1.3.6.1.2.1.14.16.2.7 | – | – |
| OSPF Trap MIB | ospfIfRxBadPacket | 1.3.6.1.2.1.14.16.2.8 | – | – |
| OSPF Trap MIB | ospfVirtIfRxBadPacket | 1.3.6.1.2.1.14.16.2.9 | – | – |
| OSPF Trap MIB | ospfTxRetransmit | 1.3.6.1.2.1.14.16.2.10 | – | – |
| OSPF Trap MIB | ospfVirtIfTxRetransmit | 1.3.6.1.2.1.14.16.2.11 | – | – |
| OSPF Trap MIB | ospfMaxAgeLsa | 1.3.6.1.2.1.14.16.2.13 | – | – |
| OSPF Trap MIB | ospfIfStateChange | 1.3.6.1.2.1.14.16.2.16 | – | – |
| Startup Notifications | | | | |
| RFC 1907, Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2) | coldStart | 1.3.6.1.6.3.1.1.5.1 | Critical | SNMPD_TRAP_COLD_START |
| RFC 1907, Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2) | warmStart | 1.3.6.1.6.3.1.1.5.2 | Error | SNMPD_TRAP_WARM_START |
| RFC 1907, Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2) | authenticationFailure | 1.3.6.1.6.3.1.1.5.5 | Notice | SNMPD_TRAP_GEN_FAILURE |
| VRRP Notifications | | | | |
| RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol | vrrpTrapNewMaster | 1.3.6.1.2.1.68.0.1 | Warning | VRRPD_NEWMASTER_TRAP |
| RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol | vrrpTrapAuthFailure | 1.3.6.1.2.1.68.0.2 | Warning | VRRPD_AUTH_FAILURE_TRAP |
Table 17: Enterprise-Specific SNMPv2 Traps Supported on QFX Series Standalone Switches and QFX Series Virtual Chassis

| Source MIB | Trap Name | SNMP Trap OID | System Logging Severity Level | System Log Tag |
|---|---|---|---|---|
| Chassis (Alarm Conditions) Notifications | | | | |
| Chassis MIB (mib-jnx-chassis) | jnxPowerSupplyFailure | 1.3.6.1.4.1.2636.4.1.1 | Alert | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxFanFailure | 1.3.6.1.4.1.2636.4.1.2 | Critical | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxOverTemperature | 1.3.6.1.4.1.2636.4.1.3 | Critical | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxFruRemoval | 1.3.6.1.4.1.2636.4.1.5 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxFruInsertion | 1.3.6.1.4.1.2636.4.1.6 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxFruPowerOff | 1.3.6.1.4.1.2636.4.1.7 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxFruPowerOn | 1.3.6.1.4.1.2636.4.1.8 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxFruFailed | 1.3.6.1.4.1.2636.4.1.9 | Warning | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxFruOffline | 1.3.6.1.4.1.2636.4.1.10 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxFruOnline | 1.3.6.1.4.1.2636.4.1.11 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxFruCheck | 1.3.6.1.4.1.2636.4.1.12 | Notice | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxPowerSupplyOK | 1.3.6.1.4.1.2636.4.2.1 | Critical | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxFanOK | 1.3.6.1.4.1.2636.4.2.2 | Critical | CHASSISD_SNMP_TRAP |
| Chassis MIB (mib-jnx-chassis) | jnxTemperatureOK | 1.3.6.1.4.1.2636.4.2.3 | Alert | CHASSISD_SNMP_TRAP |
| Configuration Notifications | | | | |
| Configuration Management MIB (mib-jnx-cfgmgmt) | jnxCmCfgChange | 1.3.6.1.4.1.2636.4.5.0.1 | – | – |
| Configuration Management MIB (mib-jnx-cfgmgmt) | jnxCmRescueChange | 1.3.6.1.4.1.2636.4.5.0.2 | – | – |
| Remote Operations Notifications | | | | |
| Ping MIB (mib-jnx-ping) | jnxPingRttThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.1 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingRttStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.2 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingRttJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.3 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingEgressThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.4 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingEgressStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.5 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingEgressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.6 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingIngressThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.7 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingIngressStddevThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.8 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingIngressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.9 | – | – |
| RMON Alarms | | | | |
| RMON MIB (mib-jnx-rmon) | jnxRmonAlarmGetFailure | 1.3.6.1.4.1.2636.4.3.0.1 | – | – |
| RMON MIB (mib-jnx-rmon) | jnxRmonGetOk | 1.3.6.1.4.1.2636.4.3.0.2 | – | – |
SNMP Traps Supported on QFabric Systems
QFabric systems support standard SNMPv2 traps and Juniper Networks enterprise-specific
SNMPv2 traps.
NOTE: QFabric systems do not support SNMPv1 traps.
For more information, see:
• Table 18 for standard SNMPv2 traps
• Table 19 for Juniper Networks enterprise-specific SNMPv2 traps
Table 18: Standard SNMPv2 Traps Supported on QFabric Systems

| Defined in | Trap Name | SNMP Trap OID | System Logging Severity Level | Syslog Tag |
|---|---|---|---|---|
| Link Notifications | | | | |
| RFC 2863, The Interfaces Group MIB | linkDown | 1.3.6.1.6.3.1.1.5.3 | Warning | SNMP_TRAP_LINK_DOWN |
| RFC 2863, The Interfaces Group MIB | linkUp | 1.3.6.1.6.3.1.1.5.4 | Info | SNMP_TRAP_LINK_UP |
| Startup Notifications | | | | |
| RFC 1907, Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2) | coldStart | 1.3.6.1.6.3.1.1.5.1 | Critical | SNMPD_TRAP_COLD_START |
| RFC 1907, Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2) | warmStart | 1.3.6.1.6.3.1.1.5.2 | Error | SNMPD_TRAP_WARM_START |
| RFC 1907, Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2) | authenticationFailure | 1.3.6.1.6.3.1.1.5.5 | Notice | SNMPD_TRAP_GEN_FAILURE |
Table 19: Enterprise-Specific SNMPv2 Traps Supported on QFabric Systems

| Source MIB | Trap Name | SNMP Trap OID | System Logging Severity Level | System Log Tag |
|---|---|---|---|---|
| Fabric Chassis (Alarm Conditions) Notifications | | | | |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricPowerSupplyFailure | 1.3.6.1.4.1.2636.4.19.1 | Warning | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFanFailure | 1.3.6.1.4.1.2636.4.19.2 | Critical | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricOverTemperature | 1.3.6.1.4.1.2636.4.19.3 | Alert | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricRedundancySwitchover | 1.3.6.1.4.1.2636.4.19.4 | Notice | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFruRemoval | 1.3.6.1.4.1.2636.4.19.5 | Notice | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFruInsertion | 1.3.6.1.4.1.2636.4.19.6 | Notice | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFruPowerOff | 1.3.6.1.4.1.2636.4.19.7 | Notice | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFruPowerOn | 1.3.6.1.4.1.2636.4.19.8 | Notice | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFruFailed | 1.3.6.1.4.1.2636.4.19.9 | Warning | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFruOffline | 1.3.6.1.4.1.2636.4.19.10 | Notice | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFruOnline | 1.3.6.1.4.1.2636.4.19.11 | Notice | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFruCheck | 1.3.6.1.4.1.2636.4.19.12 | Warning | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFEBSwitchover | 1.3.6.1.4.1.2636.4.19.13 | Warning | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricHardDiskFailed | 1.3.6.1.4.1.2636.4.19.14 | Warning | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricHardDiskMissing | 1.3.6.1.4.1.2636.4.19.15 | Warning | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricBootFromBackup | 1.3.6.1.4.1.2636.4.19.16 | Warning | – |
| Fabric Chassis (Alarm Cleared Conditions) Notifications | | | | |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricPowerSupplyOK | 1.3.6.1.4.1.2636.4.20.1 | Critical | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFanOK | 1.3.6.1.4.1.2636.4.20.2 | Critical | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricTemperatureOK | 1.3.6.1.4.1.2636.4.20.3 | Alert | – |
| Fabric Chassis MIB (mib-jnx-fabricchassis) | jnxFabricFruOK | 1.3.6.1.4.1.2636.4.20.4 | – | – |
| QFabric MIB Notifications | | | | |
| QFabric MIB (mib-jnx-qf-smi) | jnxQFabricDownloadIssued | 1.3.6.1.4.1.2636.3.42.1.0.1 | – | – |
| QFabric MIB (mib-jnx-qf-smi) | jnxQFabricDownloadFailed | 1.3.6.1.4.1.2636.3.42.1.0.2 | – | – |
| QFabric MIB (mib-jnx-qf-smi) | jnxQFabricDownloadSucceeded | 1.3.6.1.4.1.2636.3.42.1.0.3 | – | – |
| QFabric MIB (mib-jnx-qf-smi) | jnxQFabricUpgradeIssued | 1.3.6.1.4.1.2636.3.42.1.0.4 | – | – |
| QFabric MIB (mib-jnx-qf-smi) | jnxQFabricUpgradeFailed | 1.3.6.1.4.1.2636.3.42.1.0.5 | – | – |
| QFabric MIB (mib-jnx-qf-smi) | jnxQFabricUpgradeSucceeded | 1.3.6.1.4.1.2636.3.42.1.0.6 | – | – |
| Configuration Notifications | | | | |
| Configuration Management MIB (mib-jnx-cfgmgmt) | jnxCmCfgChange | 1.3.6.1.4.1.2636.4.5.0.1 | – | – |
| Configuration Management MIB (mib-jnx-cfgmgmt) | jnxCmRescueChange | 1.3.6.1.4.1.2636.4.5.0.2 | – | – |
| Remote Operations Notifications | | | | |
| Ping MIB (mib-jnx-ping) | jnxPingRttThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.1 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingRttStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.2 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingRttJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.3 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingEgressThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.4 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingEgressStdDevThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.5 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingEgressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.6 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingIngressThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.7 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingIngressStddevThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.8 | – | – |
| Ping MIB (mib-jnx-ping) | jnxPingIngressJitterThresholdExceeded | 1.3.6.1.4.1.2636.4.9.0.9 | – | – |
Related Documentation
• SNMP MIB Explorer
• Understanding the Implementation of SNMP
• Understanding the Implementation of SNMP on the QFabric System
• SNMP MIBs Support
Example: Configuring SNMP Trap Groups
Supported Platforms
M Series, MX Series, PTX Series, T Series
Set up a trap notification list named urgent-dispatcher for link and startup traps. This list
is used to identify the network management hosts (1.2.3.4 and fe80::1:2:3:4) to which
traps generated by the local router should be sent. The name specified for a trap group
is used as the SNMP community string when the agent sends traps to the listed targets.
[edit]
snmp {
    trap-group "urgent-dispatcher" {
        version v2;
        categories link startup;
        targets {
            1.2.3.4;
            fe80::1:2:3:4;
        }
    }
}
Related Documentation
• Configuring SNMP Trap Groups
• Configuring SNMP Trap Options and Groups on a Device Running Junos OS
• Configuring SNMP Trap Options
Configuring the Interfaces on Which SNMP Requests Can Be Accepted
Supported Platforms
M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series
By default, all router or switch interfaces have SNMP access privileges. To limit the access
through certain interfaces only, include the interface statement at the [edit snmp]
hierarchy level:
[edit snmp]
interface [ interface-names ];
Specify the names of any logical or physical interfaces that should have SNMP access
privileges. Any SNMP requests entering the router or switch from interfaces not listed
are discarded.
Related Documentation
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level
• Example: Configuring Secured Access List Checking
Example: Configuring Secured Access List Checking
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
SNMP access privileges are granted to only devices on interfaces so-0/0/0 and at-1/0/1.
The following example does this by configuring a list of logical interfaces:
[edit]
snmp {
    interface [ so-0/0/0.0 so-0/0/0.1 at-1/0/1.0 at-1/0/1.1 ];
}
The following example grants the same access by configuring a list of physical interfaces:
[edit]
snmp {
    interface [ so-0/0/0 at-1/0/1 ];
}
Related Documentation
• Configuring the Interfaces on Which SNMP Requests Can Be Accepted
• Filtering Interface Information Out of SNMP Get and GetNext Output
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level
Filtering Interface Information Out of SNMP Get and GetNext Output
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
Junos OS enables you to filter out information related to specific interfaces from the
output of SNMP Get and GetNext requests performed on interface-related MIBs such as
IF MIB, ATM MIB, RMON MIB, and the Juniper Networks enterprise-specific IF MIB.
You can use the following options of the filter-interfaces statement at the [edit snmp]
hierarchy level to specify the interfaces that you want to exclude from SNMP Get and
GetNext queries:
• interfaces—Interfaces that match the specified regular expressions.
• all-internal-interfaces—Internal interfaces.
[edit]
snmp {
    filter-interfaces {
        interfaces {
            interface-name 1;
            interface-name 2;
        }
        all-internal-interfaces;
    }
}
Starting with Release 12.1, Junos OS provides an except option (! operator) that enables
you to filter out all interfaces except those interfaces that match all the regular expressions
prefixed with the ! mark.
For example, to filter out all interfaces except the ge interfaces from the SNMP get and
get-next results, enter the following command:
[edit snmp]
user@host# set filter-interfaces interfaces "!^~ge-.*"
user@host# commit
When this is configured, Junos OS filters out all interfaces except the ge interfaces from
the SNMP get and get-next results.
NOTE: The ! mark is supported only as the first character of the regular
expression. If it appears anywhere else in a regular expression, Junos OS
considers the regular expression invalid, and returns an error.
Note, however, that these settings apply only to SNMP operations. Users can
still access information related to the interfaces (including those hidden using
the filter-interfaces options) by using the appropriate Junos OS command-line
interface (CLI) commands.
Related Documentation
• Configuring the Interfaces on Which SNMP Requests Can Be Accepted on page 221
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
Configuring MIB Views
Supported Platforms
ACX Series, EX4600, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series, vSRX
SNMPv3 defines the concept of MIB views in RFC 3415, View-based Access Control Model
(VACM) for the Simple Network Management Protocol (SNMP). MIB views provide an
agent better control over who can access specific branches and objects within its MIB
tree. A view consists of a name and a collection of SNMP object identifiers, which are
either explicitly included or excluded. Once defined, a view is then assigned to an SNMPv3
group or SNMPv1/v2c community (or multiple communities), automatically masking
which parts of the agent’s MIB tree members of the group or community can (or cannot)
access.
By default, an SNMP community grants read access and denies write access to all
supported MIB objects (even communities configured as authorization read-write). To
restrict or grant read or write access to a set of MIB objects, you must configure a MIB
view and associate the view with a community.
To configure MIB views, include the view statement at the [edit snmp] hierarchy level:
[edit snmp]
view view-name {
    oid object-identifier (include | exclude);
}
The view statement defines a MIB view and identifies a group of MIB objects. Each MIB
object of a view has a common object identifier (OID) prefix. Each object identifier
represents a subtree of the MIB object hierarchy. The subtree can be represented either
by a sequence of dotted integers (such as 1.3.6.1.2.1.2) or by its subtree name (such as
interfaces). A configuration statement uses a view to specify a group of MIB objects on
which to define access. You can also use a wildcard character asterisk (*) to include
OIDs that match a particular pattern in the SNMP view. To enable a view, you must
associate the view with a community.
To remove an OID completely, use the delete view all oid oid-number command but omit
the include parameter.
[edit groups global snmp]
user@host# set view view-name oid object-identifier (include | exclude)
The following example creates a MIB view called ping-mib-view. The oid statement does
not require a dot at the beginning of the object identifier. The snmp view statement
includes the branch under the object identifier .1.3.6.1.2.1.80. This includes the entire
DISMAN-PING-MIB subtree (as defined in RFC 2925, Definitions of Managed Objects for
Remote Ping, Traceroute, and Lookup Operations), which effectively permits access to
any object under that branch.
[edit groups global snmp]
user@host# set view ping-mib-view oid 1.3.6.1.2.1.80 include
The following example adds a second branch in the same MIB view.
[edit groups global snmp]
user@host# set view ping-mib-view oid jnxPingMIB include
Assign a MIB view to a community that you want to control.
To associate MIB views with a community, include the view statement at the [edit snmp
community community-name] hierarchy level:
[edit snmp community community-name]
view view-name;
For more information about the Ping MIB, see RFC 2925 and PING MIB.
Related Documentation
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
• Configuring Ping Proxy MIB on page 225
• view (Configuring a MIB View) on page 1586
• view on page 1585
• oid on page 1522
Configuring Ping Proxy MIB
Supported Platforms
M Series, MX Series, PTX Series, T Series
The following configuration restricts the ping-mib community to read and write
access to the Ping MIB and jnxPingMIB only. Read or write access to any other MIB
using this community is not allowed.
[edit snmp]
view ping-mib-view {
    oid 1.3.6.1.2.1.80 include; # pingMIB
    oid jnxPingMIB include; # jnxPingMIB
}
community ping-mib {
    authorization read-write;
    view ping-mib-view;
}
The following configuration prevents the no-ping-mib community from accessing Ping
MIB and jnxPingMIB objects. However, this configuration does not prevent the no-ping-mib
community from accessing any other MIB object that is supported on the device.
[edit snmp]
view no-ping-mib-view {
    oid 1.3.6.1.2.1.80 exclude; # deny access to pingMIB objects
    oid jnxPingMIB exclude; # deny access to jnxPingMIB objects
}
community no-ping-mib {
    authorization read-write;
    view no-ping-mib-view;
}
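A view restricts nothing until it is associated with a community, so the wiring between view and community statements is worth checking offline. The following Python script is an added example, not Juniper code: it parses an [edit snmp] stanza and reports communities with no view, communities that reference an undefined view, read-write communities, and views that no community uses. The sample stanza is constructed (the public community is hypothetical) and deliberately attaches no-ping-mib to the wrong view.

```python
import re

# Constructed sample in the page's [edit snmp] format. The no-ping-mib community
# is deliberately attached to ping-mib-view, so no-ping-mib-view is never applied.
# The "public" community is hypothetical and has no view at all.
SAMPLE_CONFIG = """
[edit snmp]
view ping-mib-view {
    oid 1.3.6.1.2.1.80 include; # pingMIB
    oid jnxPingMIB include; # jnxPingMIB
}
view no-ping-mib-view {
    oid 1.3.6.1.2.1.80 exclude;
    oid jnxPingMIB exclude;
}
community ping-mib {
    authorization read-write;
    view ping-mib-view;
}
community no-ping-mib {
    authorization read-write;
    view ping-mib-view;
}
community public {
    authorization read-only;
}
"""

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
BANNER = re.compile(r"^\s*\[edit[^\]]*\]\s*$")


def tokenize(text):
    """Split brace-style configuration text into words, braces and semicolons."""
    tokens = []
    for line in text.splitlines():
        if BANNER.match(line):
            continue  # a hierarchy banner such as "[edit snmp]" is not configuration
        line = line.split("#", 1)[0]  # drop comments (assumes no '#' inside quotes)
        tokens.extend(TOKEN.findall(line))
    return tokens


def parse_block(tokens, pos=0):
    """Return (statements, next_pos); a statement is (words, children or None)."""
    statements, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            if words:
                statements.append((words, None))
            words = []
        elif tok == "{":
            children, pos = parse_block(tokens, pos)
            statements.append((words, children))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok)
    return statements, pos


def snmp_views_and_communities(config_text):
    """Extract {view: [(oid, action)]} and {community: {authorization, view}}."""
    statements, _ = parse_block(tokenize(config_text))
    for words, children in statements:  # descend into "snmp { ... }" if present
        if words == ["snmp"] and children is not None:
            statements = children
            break
    views, communities = {}, {}
    for words, children in statements:
        children = children or []
        if len(words) == 2 and words[0] == "view":
            views[words[1]] = [(w[1], w[2]) for w, _ in children
                               if len(w) == 3 and w[0] == "oid"]
        elif len(words) == 2 and words[0] == "community":
            entry = {"authorization": None, "view": None}
            for w, _ in children:
                if len(w) == 2 and w[0] in entry:
                    entry[w[0]] = w[1]
            communities[words[1]] = entry
    return views, communities


def audit(config_text):
    """Return (subject, kind, detail) findings for the view/community wiring."""
    views, communities = snmp_views_and_communities(config_text)
    findings, used = [], set()
    for name in sorted(communities):
        auth, view = communities[name]["authorization"], communities[name]["view"]
        if view is None:
            findings.append((name, "no-view",
                             "no view attached: read access to all supported MIB objects"))
        elif view not in views:
            findings.append((name, "undefined-view", f"references missing view {view}"))
        else:
            used.add(view)
            if auth == "read-write":
                findings.append((name, "write-access",
                                 f"read-write through view {view}: confirm its OIDs should be settable"))
    for view in sorted(set(views) - used):
        findings.append((view, "unused-view",
                         "defined but not attached to any community, so it restricts nothing"))
    return findings


if __name__ == "__main__":
    for subject, kind, detail in audit(SAMPLE_CONFIG):
        print(f"{kind:15} {subject:18} {detail}")
```

Run it against the output of show configuration snmp saved to a file; an unused-view finding on an exclude view means the intended restriction is not in effect.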
Related Documentation
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
• Configuring MIB Views on page 223
• view (Configuring a MIB View) on page 1586
• oid on page 1522
Understanding the Integrated Local Management Interface
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
The Integrated Local Management Interface (ILMI) provides a mechanism for
Asynchronous Transfer Mode (ATM)-attached devices, such as hosts, routers, and ATM
switches, to transfer management information. ILMI provides bidirectional exchange of
management information between two ATM interfaces across a physical connection.
ILMI information is exchanged over a direct encapsulation of SNMP version 1 (RFC 1157,
A Simple Network Management Protocol) over ATM Adaptation Layer 5 (AAL5) using a
virtual path identifier/virtual channel identifier (VPI/VCI) value (VPI=0, VCI=16).
Junos OS supports only two ILMI MIB variables: atmfMYIPNmAddress and
atmfPortMyIfname. For ATM1 and ATM2 intelligent queuing (IQ) interfaces, you can
configure ILMI to communicate directly with an attached ATM switch to enable querying
of the switch’s IP address and port number.
For more information about the ILMI MIB, see atmfMYIPNmAddress or atmfPortMyIfname
in the SNMP MIB Explorer.
Related Documentation
• Understanding Device Management Functions in Junos OS on page 3
Utility MIB
Supported Platforms
EX4600, QFabric System, QFX Series
The Juniper Networks enterprise-specific Utility MIB, whose object ID is {jnxUtilMibRoot 1},
defines objects for counters, integers, and strings. The Utility MIB contains one table for
each of the following five data types:
• 32-bit counters
• 64-bit counters
• Signed integers
• Unsigned integers
• Octet strings
Each data type has an arbitrary ASCII name, which is defined when the data is populated,
and a timestamp that shows the last time when the data instance was modified. For a
downloadable version of this MIB, see Routing Policies, Firewall Filters, and Traffic Policers
Feature Guide.
For information about the enterprise-specific Utility MIB objects, see the following topics:
Related Documentation
• jnxUtilCounter32Table
• jnxUtilCounter64Table
• jnxUtilIntegerTable
• jnxUtilUintTable
• jnxUtilStringTable
• Enterprise-Specific SNMP MIBs Supported by Junos OS on page 117
• Standard SNMP MIBs Supported by Junos OS on page 128
• Understanding the Implementation of SNMP on the QFabric System
SNMP MIBs Support
Supported Platforms
EX4600, OCX1100, QFabric System, QFX Series
The QFX Series standalone switches, QFX Series Virtual Chassis, and QFabric systems
support standard MIBs and Juniper Networks enterprise-specific MIBs.
NOTE: For information about enterprise-specific SNMP MIB objects, see the
SNMP MIB Explorer. You can use SNMP MIB Explorer to view information about
various MIBs, MIB objects, and SNMP notifications supported on Juniper
Networks devices.
For more information, see:
• MIBs Supported on QFX Series Standalone Switches and QFX Series Virtual Chassis on page 227
• MIBs Supported on QFabric Systems on page 234
MIBs Supported on QFX Series Standalone Switches and QFX Series Virtual Chassis
The QFX Series standalone switches and QFX Series Virtual Chassis support both standard
MIBs and Juniper Networks enterprise-specific MIBs. For more information, see:
• Table 20 on page 227 for standard MIBs.
• Table 21 on page 232 for Juniper Networks enterprise-specific MIBs.
Table 20: Standard MIBs Supported on QFX Series Standalone Switches and QFX Series Virtual
Chassis
RFC
Additional Information
IEEE 802.1ab section 12.1, Link Layer Discovery
Protocol (LLDP) MIB
Supported tables and objects:
• lldpRemManAddrOID
• lldpLocManAddrOID
• lldpReinitDelay
• lldpNotificationInterval
• lldpStatsRxPortFramesDiscardedTotal
• lldpStatsRxPortFramesError
• lldpStatsRxPortTLVsDiscardedTotal
• lldpStatsRxPortTLVsUnrecognizedTotal
• lldpStatsRxPortAgeoutsTotal
IEEE 802.3ad, Aggregation of Multiple Link
Segments
The following tables and objects are supported:
• dot3adAggPortTable, dot3adAggPortListTable, dot3adAggTable, and dot3adAggPortStatsTable
• dot3adAggPortDebugTable (only dot3adAggPortDebugRxState, dot3adAggPortDebugMuxState, dot3adAggPortDebugActorSyncTransitionCount, dot3adAggPortDebugPartnerSyncTransitionCount, dot3adAggPortDebugActorChangeCount, and dot3adAggPortDebugPartnerChangeCount)
• dot3adTablesLastChanged
RFC 1155, Structure and Identification of
Management Information for TCP/IP-based
Internets
—
RFC 1157, A Simple Network Management
Protocol (SNMP)
—
RFC 1212, Concise MIB Definitions
—
RFC 1213, Management Information Base for
Network Management of TCP/IP-Based
Internets: MIB-II
The following areas are supported:
• MIB II and its SNMP version 2 derivatives, including:
• Statistics counters
• IP, except for ipRouteTable, which has been replaced by ipCidrRouteTable (RFC 2096, IP Forwarding Table MIB)
• ipAddrTable
• SNMP management
• Interface management
• SNMPv1 Get, GetNext requests, and SNMPv2 GetBulk request
• Junos OS-specific secured access list
• Master configuration keywords
• Reconfigurations upon SIGHUP
RFC 1215, A Convention for Defining Traps for
use with the SNMP
Support is limited to MIB II SNMP version 1 traps and version 2 notifications.
RFC 1286, Definitions of Managed Objects for
Bridges
—
RFC 1657, Definitions of Managed Objects for
the Fourth Version of the Border Gateway
Protocol (BGP-4) using SMIv2
—
RFC 1850, OSPF Version 2 Management
Information Base
The following table, objects, and traps are not supported:
• Host Table
• ospfOriginateNewLsas and ospfRxNewLsas objects
• ospfOriginateLSA, ospfLsdbOverflow, and ospfLsdbApproachingOverflow traps
RFC 1901, Introduction to Community-based
SNMPv2
—
RFC 1905, Protocol Operations for Version 2
of the Simple Network Management Protocol
(SNMPv2)
—
RFC 1907, Management Information Base for
Version 2 of the Simple Network Management
Protocol (SNMPv2)
—
RFC 2011, SNMPv2 Management Information
Base for the Internet Protocol Using SMIv2
—
RFC 2012, SNMPv2 Management Information
Base for the Transmission Control Protocol
Using SMIv2
—
RFC 2013, SNMPv2 Management Information
Base for the User Datagram Protocol Using
SMIv2
—
RFC 2233, The Interfaces Group MIB Using
SMIv2
NOTE: RFC 2233 has been replaced by RFC 2863. However, Junos OS supports
both RFC 2233 and RFC 2863.
RFC 2287, Definitions of System-Level
Managed Objects for Applications
The following objects are supported:
• sysApplInstallPkgTable
• sysApplInstallElmtTable
• sysApplElmtRunTable
• sysApplMapTable
RFC 2570, Introduction to Version 3 of the
Internet-standard Network Management
Framework
—
RFC 2571, An Architecture for Describing SNMP
Management Frameworks (read-only access)
NOTE: RFC 2571 has been replaced by RFC 3411. However, Junos OS supports
both RFC 2571 and RFC 3411.
RFC 2572, Message Processing and
Dispatching for the Simple Network
Management Protocol (SNMP) (read-only
access)
NOTE: RFC 2572 has been replaced by RFC 3412. However, Junos OS supports
both RFC 2572 and RFC 3412.
RFC 2576, Coexistence between Version 1,
Version 2, and Version 3 of the
Internet-standard Network Management
Framework
NOTE: RFC 2576 has been replaced by RFC 3584. However, Junos OS supports
both RFC 2576 and RFC 3584.
RFC 2578, Structure of Management
Information Version 2 (SMIv2)
—
RFC 2579, Textual Conventions for SMIv2
—
RFC 2580, Conformance Statements for
SMIv2
—
RFC 2665, Definitions of Managed Objects for
the Ethernet-like Interface Types
—
RFC 2787, Definitions of Managed Objects for
the Virtual Router Redundancy Protocol
Support does not include row creation, the Set operation, and the
vrrpStatsPacketLengthErrors object.
RFC 2790, Host Resources MIB
Support is limited to the following objects:
• Only hrStorageTable. The file systems /, /config, /var, and /tmp always return the same index number. When SNMP restarts, the index numbers for the remaining file systems might change.
• Only the objects of the hrSystem and hrSWInstalled groups.
RFC 2819, Remote Network Monitoring
Management Information Base
The following objects are supported:
• etherStatsTable (for Ethernet interfaces only), alarmTable, eventTable, and logTable.
• historyControlTable and etherHistoryTable (except the etherHistoryUtilization object).
RFC 2863, The Interfaces Group MIB
NOTE: RFC 2233 has been replaced by RFC 2863. However, Junos OS supports
both RFC 2233 and RFC 2863.
RFC 2932, IPv4 Multicast Routing MIB
—
RFC 2933, Internet Group Management
Protocol (IGMP) MIB
—
RFC 2934, Protocol Independent Multicast
MIB for IPv4
In Junos OS, RFC 2934 is implemented based on a draft version, pimmib.mib, of
the now standard RFC.
RFC 3410, Introduction and Applicability
Statements for Internet Standard
Management Framework
—
RFC 3411, An Architecture for Describing
Simple Network Management Protocol
(SNMP) Management Frameworks
NOTE: RFC 3411 replaces RFC 2571. However, Junos OS supports both RFC 3411
and RFC 2571.
RFC 3412, Message Processing and
Dispatching for the Simple Network
Management Protocol (SNMP)
NOTE: RFC 3412 replaces RFC 2572. However, Junos OS supports both RFC 3412
and RFC 2572.
RFC 3413, Simple Network Management
Protocol (SNMP) Applications
All MIBs are supported except for the Proxy MIB.
RFC 3414, User-based Security Model (USM)
for version 3 of the Simple Network
Management Protocol (SNMPv3)
—
RFC 3415, View-based Access Control Model
(VACM) for the Simple Network Management
Protocol (SNMP)
—
RFC 3416, Version 2 of the Protocol Operations
for the Simple Network Management Protocol
(SNMP)
NOTE: RFC 3416 replaces RFC 1905, which was supported in earlier versions of
Junos OS.
RFC 3417, Transport Mappings for the Simple
Network Management Protocol (SNMP)
—
RFC 3418, Management Information Base
(MIB) for the Simple Network Management
Protocol (SNMP)
NOTE: RFC 3418 replaces RFC 1907, which was supported in earlier versions of
Junos OS.
RFC 3584, Coexistence between Version 1,
Version 2, and Version 3 of the
Internet-standard Network Management
Framework
—
RFC 3826, The Advanced Encryption Standard
(AES) Cipher Algorithm in the SNMP
User-based Security Model
—
RFC 4188, Definitions of Managed Objects for
Bridges
The QFX3500 and QFX3600 switches support 802.1D STP (1998) and the
following subtrees and objects only:
• dot1dTp subtree—dot1dTpFdbAddress, dot1dTpFdbPort, and dot1dTpFdbStatus objects from the dot1dTpFdbTable table.
• dot1dBase subtree—dot1dBasePort and dot1dBasePortIfIndex objects from the dot1dBasePortTable table.
NOTE: On QFX3500 and QFX3600 switches, the dot1dTpFdbTable table is
populated only with MAC addresses learned on the default VLAN. To see the
MAC addresses of all VLANs, specify the dot1qTpFdbTable table (RFC 4363b,
Q-Bridge VLAN MIB) when you issue the show snmp mib walk command.
Not supported on OCX Series devices.
RFC 4293, Management Information Base for
the Internet Protocol (IP)
Supports the ipAddrTable table only.
RFC 4318, Definitions of Managed Objects for
Bridges with Rapid Spanning Tree Protocol
Supports 802.1w and 802.1t extensions for RSTP.
Not supported on OCX Series devices.
RFC 4363b, Q-Bridge VLAN MIB
NOTE: On QFX3500 and QFX3600 switches, the dot1dTpFdbTable table (RFC
4188, Definitions of Managed Objects for Bridges) is populated only with MAC
addresses learned on the default VLAN. To see the MAC addresses of all VLANs,
specify the dot1qTpFdbTable table (in this MIB) when you issue the show snmp
mib walk command.
Not supported on OCX Series devices.
RFC 4444, IS-IS MIB
—
Internet Assigned Numbers Authority,
IANAiftype Textual Convention MIB
(referenced by RFC 2233)
See http://www.iana.org/assignments/ianaiftype-mib .
Internet draft
draft-reeder-snmpv3-usm-3desede-00.txt,
Extension to the User-Based Security Model
(USM) to Support Triple-DES EDE in ‘Outside’
CBC Mode
—
Internet draft
draft-ietf-idmr-igmp-mib-13.txt, Internet
Group Management Protocol (IGMP) MIB
—
ESO Consortium MIB
NOTE: The ESO Consortium MIB has been replaced by RFC 3826. See
http://www.snmp.com/eso/.
Table 21: Juniper Networks Enterprise-Specific MIBs Supported on QFX Series Standalone
Switches and QFX Series Virtual Chassis
MIB
Description
Alarm MIB (mib-jnx-chassis-alarm)
Provides support for alarms from the switch.
Analyzer MIB (mib-jnx-analyzer)
Contains analyzer and remote analyzer data related to port mirroring.
Not supported on OCX Series devices.
Chassis MIB (mib-jnx-chassis)
Provides support for environmental monitoring (power supply state, board voltages, fans,
temperatures, and airflow) and inventory support for the chassis, Flexible PIC
Concentrators (FPCs), and PICs.
NOTE: The jnxLEDTable table has been deprecated.
Chassis Definitions for Router
Model MIB (mib-jnx-chas-defines)
Contains the object identifiers (OIDs) that are used by the Chassis MIB to identify routing
and switching platforms and chassis components. The Chassis MIB provides information
that changes often, whereas the Chassis Definitions for Router Model MIB provides
information that changes less often.
Class-of-Service MIB (mib-jnx-cos)
Provides support for monitoring interface output queue statistics per interface and per
forwarding class.
Configuration Management MIB
(mib-jnx-cfgmgmt)
Provides notification for configuration changes and rescue configuration changes in the
form of SNMP traps. Each trap contains the time at which the configuration change was
committed, the name of the user who made the change, and the method by which the
change was made.
A history of the last 32 configuration changes is kept in jnxCmChgEventTable.
Ethernet MAC MIB (mib-jnx-mac)
Monitors media access control (MAC) statistics on Gigabit Ethernet intelligent queuing
(IQ) interfaces. It collects MAC statistics; for example, inoctets, inframes, outoctets, and
outframes on each source MAC address and virtual LAN (VLAN) ID for each Ethernet port.
Not supported on OCX Series devices.
Event MIB (mib-jnx-event)
Defines a generic trap that can be generated using an operations script or event policy.
This MIB provides the ability to specify a system log string and raise a trap if that system
log string is found.
In Junos OS release 13.2X51-D10 or later, if you configured an event policy to raise a trap
when a new SNMP trap target is added, the SNMPD_TRAP_TARGET_ADD_NOTICE trap
is generated with information about the new target.
Firewall MIB (mib-jnx-firewall)
Provides support for monitoring firewall filter counters.
Host Resources MIB
(mib-jnx-hostresources)
Extends the hrStorageTable object, providing a measure of the usage of each file system
on the switch as a percentage. Previously, the objects in the hrStorageTable measured
the usage in allocation units—hrStorageUsed and hrStorageAllocationUnits—only. Using
the percentage measurement, you can more easily monitor and apply thresholds on usage.
Interface MIB (Extensions)
(mib-jnx-if-extensions)
Extends the standard ifTable (RFC 2863) with additional statistics and Juniper Networks
enterprise-specific chassis information in the ifJnxTable and ifChassisTable tables.
L2ALD MIB (mib-jnx-l2ald)
Provides information about Layer 2 Address Learning and related traps, such as the routing
instance MAC limit trap and interface MAC limit trap. This MIB also provides VLAN
information in the jnxL2aldVlanTable table for Enhanced Layer 2 Software (ELS) EX Series
and QFX Series switches.
NOTE: Non-ELS EX Series switches use the VLAN MIB (jnxExVlanTable) for VLAN
information instead of this MIB.
MPLS MIB (mib-jnx-mpls)
Provides MPLS information and defines MPLS notifications.
NOTE: This MIB is not supported on the QFX5100 switch.
MPLS LDP MIB (mib-jnx-mpls-ldp)
Contains object definitions as described in RFC 3815, Definitions of Managed Objects for
the Multiprotocol Label Switching (MPLS), Label Distribution Protocol (LDP).
NOTE: This MIB is not supported on the QFX5100 switch.
Ping MIB (mib-jnx-ping)
Extends the standard Ping MIB control table (RFC 2925). Items in this MIB are created
when entries are created in pingCtlTable of the Ping MIB. Each item is indexed exactly as
it is in the Ping MIB.
RMON Events and Alarms MIB
(mib-jnx-rmon)
Supports Junos OS extensions to the standard Remote Monitoring (RMON) Events and
Alarms MIB (RFC 2819). The extension augments the alarmTable object with additional
information about each alarm. Two additional traps are also defined to indicate when
problems are encountered with an alarm.
Structure of Management
Information MIB (mib-jnx-smi)
Explains how the Juniper Networks enterprise-specific MIBs are structured.
System Log MIB (mib-jnx-syslog)
Enables notification of an SNMP trap-based application when an important system log
message occurs.
Utility MIB (mib-jnx-util)
Provides you with SNMP MIB container objects of the following types: 32-bit counters,
64-bit counters, signed integers, unsigned integers, and octet strings. You can use these
objects to store data that can be retrieved using other SNMP operations.
VLAN MIB (mib-jnx-vlan)
Contains information about prestandard IEEE 802.10 VLANs and their association with
LAN emulation clients.
NOTE: For ELS EX Series switches and QFX Series switches, VLAN information is available
in the L2ALD MIB in the jnxL2aldVlanTable table instead of in the VLAN MIB. For non-ELS
EX Series switches, VLAN information is provided in the VLAN MIB in the jnxExVlanTable
table.
Not supported on OCX Series devices.
MIBs Supported on QFabric Systems
The QFabric systems support both standard MIBs and Juniper Networks enterprise-specific
MIBs. For more information, see:
• Table 22 on page 234 for standard MIBs.
• Table 23 on page 238 for Juniper Networks enterprise-specific MIBs.
Table 22: Standard MIBs Supported on QFabric Systems
RFC
Additional Information
RFC 1155, Structure and Identification of
Management Information for TCP/IP-based
Internets
—
RFC 1157, A Simple Network Management
Protocol (SNMP)
—
RFC 1212, Concise MIB Definitions
—
RFC 1213, Management Information Base for
Network Management of TCP/IP-Based
Internets: MIB-II
The following areas are supported:
• MIB II and its SNMP version 2 derivatives, including:
• Statistics counters
• IP, except for ipRouteTable, which has been replaced by ipCidrRouteTable (RFC 2096, IP Forwarding Table MIB)
• ipAddrTable
• SNMP management
• Interface management
• SNMPv1 Get, GetNext requests, and version 2 GetBulk request
• Junos OS-specific secured access list
• Master configuration keywords
• Reconfigurations upon SIGHUP
RFC 1215, A Convention for Defining Traps for
use with the SNMP
Support is limited to MIB II SNMP version 1 traps and version 2 notifications.
RFC 1286, Definitions of Managed Objects for
Bridges
—
RFC 1901, Introduction to Community-based
SNMPv2
—
RFC 1905, Protocol Operations for Version 2
of the Simple Network Management Protocol
(SNMPv2)
—
RFC 1907, Management Information Base for
Version 2 of the Simple Network Management
Protocol (SNMPv2)
—
RFC 2011, SNMPv2 Management Information
Base for the Internet Protocol Using SMIv2
NOTE: On the QFabric system, for the SNMP mibwalk request to work, you must
configure the IP address of at least one interface besides the management
Ethernet interfaces (me0 and me1) in the Director group.
RFC 2012, SNMPv2 Management Information
Base for the Transmission Control Protocol
Using SMIv2
—
RFC 2013, SNMPv2 Management Information
Base for the User Datagram Protocol Using
SMIv2
—
RFC 2233, The Interfaces Group MIB Using
SMIv2
NOTE: RFC 2233 has been replaced by RFC 2863. However, Junos OS supports
both RFC 2233 and RFC 2863.
NOTE: The QFabric system supports the following objects only: ifNumber,
ifTable, and ifxTable.
RFC 2571, An Architecture for Describing SNMP
Management Frameworks (read-only access)
NOTE: RFC 2571 has been replaced by RFC 3411. However, Junos OS supports
both RFC 2571 and RFC 3411.
RFC 2572, Message Processing and
Dispatching for the Simple Network
Management Protocol (SNMP) (read-only
access)
NOTE: RFC 2572 has been replaced by RFC 3412. However, Junos OS supports
both RFC 2572 and RFC 3412.
RFC 2576, Coexistence between Version 1,
Version 2, and Version 3 of the
Internet-standard Network Management
Framework
NOTE: RFC 2576 has been replaced by RFC 3584. However, Junos OS supports
both RFC 2576 and RFC 3584.
RFC 2578, Structure of Management
Information Version 2 (SMIv2)
—
RFC 2579, Textual Conventions for SMIv2
—
RFC 2580, Conformance Statements for
SMIv2
—
RFC 2665, Definitions of Managed Objects for
the Ethernet-like Interface Types
The QFabric system supports the following tables only:
• dot3StatsTable—There is one row with statistics for each Ethernet-like interface in the QFabric system. The dot3StatsIndex is an interface index that is unique across the system.
• dot3ControlTable—There is one row in this table for each Ethernet-like interface in the QFabric system that implements the MAC control sublayer. OIDs supported are dot3ControlFunctionsSupported and dot3ControlInUnknownOpcode.
• dot3PauseTable—There is one row in this table for each Ethernet-like interface in the QFabric system that supports the MAC control PAUSE function. OIDs supported are dot3PauseAdminMode, dot3PauseOperMode, dot3InPauseFrames, and dot3OutPauseFrames.
NOTE: Scalar variables are not supported on the QFabric system.
RFC 2863, The Interfaces Group MIB
NOTE: RFC 2233 has been replaced by RFC 2863. However, Junos OS supports
both RFC 2233 and RFC 2863.
NOTE: The QFabric system supports the following objects only: ifNumber,
ifTable, and ifxTable.
RFC 2933, Internet Group Management
Protocol (IGMP) MIB
—
RFC 3410, Introduction and Applicability
Statements for Internet Standard
Management Framework
—
RFC 3411, An Architecture for Describing
Simple Network Management Protocol
(SNMP) Management Frameworks
NOTE: RFC 3411 replaces RFC 2571. However, Junos OS supports both RFC 3411
and RFC 2571.
RFC 3412, Message Processing and
Dispatching for the Simple Network
Management Protocol (SNMP)
NOTE: RFC 3412 replaces RFC 2572. However, Junos OS supports both RFC
3412 and RFC 2572.
RFC 3416, Version 2 of the Protocol Operations
for the Simple Network Management Protocol
(SNMP)
NOTE: RFC 3416 replaces RFC 1905, which was supported in earlier versions of
Junos OS.
RFC 3417, Transport Mappings for the Simple
Network Management Protocol (SNMP)
—
RFC 3418, Management Information Base
(MIB) for the Simple Network Management
Protocol (SNMP)
NOTE: RFC 3418 replaces RFC 1907, which was supported in earlier versions of
Junos OS.
RFC 3584, Coexistence between Version 1,
Version 2, and Version 3 of the
Internet-standard Network Management
Framework
—
RFC 4188, Definitions of Managed Objects for
Bridges
The QFabric system support is limited to the following objects:
• Under the dot1dBase OID, the dot1dBasePortTable table supports only the first two columns in the table: dot1dBasePort and dot1dBasePortIfIndex.
• The system does not implement the optional traps supporting dot1dNotifications (dot1dBridge 0).
• Under the dot1dStp OID, supports only the dot1dStpPortTable table. Does not support the scalar variables under dot1dStp.
• The system does not support scalar variables under dot1dTp, but under that, the dot1dTpFdbTable table is supported (dot1dBridge 4).
• For OIDs with table support only, scalar values that are returned by the SNMP agent may not be meaningful and are therefore not recommended for use.
Not supported on OCX Series devices.
RFC 4293, Management Information Base for
the Internet Protocol (IP)
Supports the ipAddrTable table only.
On the QFabric system, supported objects in the ipAddrTable table include:
ipAdEntAddr, ipAdEntIfIndex, ipAdEntNetMask, ipAdEntBcastAddr, and
ipAdEntReasmMaxSize.
NOTE: On the QFabric system, for the SNMP mibwalk request to work, you must
configure the IP address of at least one interface besides the management
Ethernet interfaces (me0 and me1) in the Director group.
RFC 4363b, Q-Bridge VLAN MIB
The QFabric system supports the following tables only:
• dot1qTpFdbTable
• dot1qVlanStaticTable
• dot1qPortVlanTable
• dot1qFdbTable
Not supported on OCX Series devices.
NOTE: QFabric-specific MIBs are not supported on OCX Series devices.
Table 23: Juniper Networks Enterprise-Specific MIBs Supported on QFabric Systems
MIB
Description
Analyzer MIB (mib-jnx-analyzer)
Contains analyzer and remote analyzer data related to port mirroring.
The QFabric system supports:
• Analyzer table—jnxAnalyzerName, jnxMirroringRatio, jnxLossPriority.
• Analyzer input table—jnxAnalyzerInputValue, jnxAnalyzerInputOption,
jnxAnalyzerInputType.
• Analyzer output table—jnxAnalyzerOutputValue, jnxAnalyzerOutputType.
Chassis MIB (mib-jnx-chassis)
NOTE: The Chassis MIB has been deprecated for the QFabric system. We recommend
that you use the Fabric Chassis MIB (mib-jnx-fabric-chassis) for information about the
QFabric system.
Class-of-Service MIB (mib-jnx-cos)
Provides support for monitoring interface output queue statistics per interface and per
forwarding class.
The QFabric system supports the following tables and objects:
• Jnxcosifstatflagtable—jnxCosIfstatFlags and jnxCosIfIndex.
• Jnxcosqstattable—jnxCosQstatTxedPkts, jnxCosQstatTxedPktRate,
jnxCosQstatTxedBytes, and jnxCosQstatTxedByteRate.
• Jnxcosfcidtable—jnxCosFcIdToFcName.
• Jnxcosfctable—jnxCosFcQueueNr.
The QFabric system does not support any traps for this MIB.
Configuration Management MIB
(mib-jnx-cfgmgmt)
Provides notification for configuration changes and rescue configuration changes in the
form of SNMP traps. Each trap contains the time at which the configuration change was
committed, the name of the user who made the change, and the method by which the
change was made.
A history of the last 32 configuration changes is kept in jnxCmChgEventTable.
NOTE: On the QFabric system, these conditions apply:
• All scalar variables under the jnxCmCfgChg table are supported.
• Supported scalar OIDs are jnxCmCfgChgLatestIndex, jnxCmCfgChgLatestTime,
jnxCmCfgChgLatestDate, jnxCmCfgChgLatestSource, jnxCmCfgChgLatestUser, and
jnxCmCfgChgMaxEventEntries.
• Scalar variables under the jnxCmRescueChg table are not supported.
Fabric Chassis MIB
(mib-jnx-fabric-chassis)
Provides hardware information about the QFabric system and its component devices.
This MIB is based on the Juniper Networks enterprise-specific Chassis MIB but adds another
level of indexing that provides information for QFabric system component devices.
Interface MIB (Extensions)
(mib-jnx-if-extensions)
Extends the standard ifTable (RFC 2863) with additional statistics and Juniper Networks
enterprise-specific chassis information in the ifJnxTable and ifChassisTable tables.
NOTE: On the QFabric system, scalar variables are not supported.
Power Supply Unit MIB
(mib-jnx-power-supply-unit)
Provides support for environmental monitoring of the power supply unit for the Interconnect
device of the QFabric system.
NOTE: On the QFabric system, scalar variables for the jnxPsuObjects 1 object ID in the
jnxPsuScalars table are not supported.
QFabric MIB (jnx-qf-smi)
Explains how the Juniper Networks enterprise-specific QFabric MIBs are structured. Defines
the MIB objects that are reported by the QFabric system and the contents of the traps
that can be issued by the QFabric system.
Utility MIB (mib-jnx-util)
Provides you with SNMP MIB container objects of the following types: 32-bit counters,
64-bit counters, signed integers, unsigned integers, and octet strings. You can use these
objects to store data that can be retrieved using other SNMP operations.
Related Documentation
• SNMP MIB Explorer
• Understanding the Implementation of SNMP on page 81
• Understanding the Implementation of SNMP on the QFabric System
• SNMP Traps Support on page 208
MIB Objects for the QFX Series
Supported Platforms
EX4600, OCX1100, QFabric System, QFX Series
This topic lists the Juniper Networks enterprise-specific SNMP Chassis MIB definition
objects for the QFX Series:
• QFX Series Standalone Switches
• QFabric Systems
• QFabric System QFX3100 Director Device
• QFabric System QFX3008-I Interconnect Device
• QFabric System QFX3600-I Interconnect Device
• QFabric System Node Devices
QFX Series Standalone Switches
jnxProductLineQFXSwitch        OBJECT IDENTIFIER ::= { jnxProductLine 82 }
jnxProductNameQFXSwitch        OBJECT IDENTIFIER ::= { jnxProductName 82 }
jnxProductModelQFXSwitch       OBJECT IDENTIFIER ::= { jnxProductModel 82 }
jnxProductVariationQFXSwitch   OBJECT IDENTIFIER ::= { jnxProductVariation 82 }
jnxProductQFX3500s             OBJECT IDENTIFIER ::= { jnxProductVariationQFXSwitch 1 }
jnxProductQFX360016QS          OBJECT IDENTIFIER ::= { jnxProductVariationQFXSwitch 2 }
jnxProductQFX350048T4QS        OBJECT IDENTIFIER ::= { jnxProductVariationQFXSwitch 3 }
jnxProductQFX510024Q           OBJECT IDENTIFIER ::= { jnxProductVariationQFXSwitch 4 }
jnxProductQFX510048S6Q         OBJECT IDENTIFIER ::= { jnxProductVariationQFXSwitch 5 }

jnxChassisQFXSwitch            OBJECT IDENTIFIER ::= { jnxChassis 82 }

jnxSlotQFXSwitch               OBJECT IDENTIFIER ::= { jnxSlot 82 }
jnxQFXSwitchSlotFPC            OBJECT IDENTIFIER ::= { jnxSlotQFXSwitch 1 }
jnxQFXSwitchSlotHM             OBJECT IDENTIFIER ::= { jnxSlotQFXSwitch 2 }
jnxQFXSwitchSlotPower          OBJECT IDENTIFIER ::= { jnxSlotQFXSwitch 3 }
jnxQFXSwitchSlotFan            OBJECT IDENTIFIER ::= { jnxSlotQFXSwitch 4 }
jnxQFXSwitchSlotFPB            OBJECT IDENTIFIER ::= { jnxSlotQFXSwitch 5 }

jnxMediaCardSpaceQFXSwitch     OBJECT IDENTIFIER ::= { jnxMediaCardSpace 82 }
jnxQFXSwitchMediaCardSpacePIC  OBJECT IDENTIFIER ::= { jnxMediaCardSpaceQFXSwitch 1 }
QFabric Systems
jnxProductLineQFX3000          OBJECT IDENTIFIER ::= { jnxProductLine 84 }
jnxProductNameQFX3000          OBJECT IDENTIFIER ::= { jnxProductName 84 }
jnxProductModelQFX3000         OBJECT IDENTIFIER ::= { jnxProductModel 84 }
jnxProductVariationQFX3000     OBJECT IDENTIFIER ::= { jnxProductVariation 84 }
jnxProductQFX3000-G            OBJECT IDENTIFIER ::= { jnxProductVariationQFX3000 1 }
jnxProductQFX3000-M            OBJECT IDENTIFIER ::= { jnxProductVariationQFX3000 2 }

jnxChassisQFX3000              OBJECT IDENTIFIER ::= { jnxChassis 84 }
QFabric System QFX3100 Director Device
jnxProductLineQFX3100          OBJECT IDENTIFIER ::= { jnxProductLine 100 }
jnxProductNameQFX3100          OBJECT IDENTIFIER ::= { jnxProductName 100 }
jnxProductModelQFX3100         OBJECT IDENTIFIER ::= { jnxProductModel 100 }
jnxProductVariationQFX3100     OBJECT IDENTIFIER ::= { jnxProductVariation 100 }

jnxChassisQFX3100              OBJECT IDENTIFIER ::= { jnxChassis 100 }

jnxSlotQFX3100                 OBJECT IDENTIFIER ::= { jnxSlot 100 }
jnxQFX3100SlotCPU              OBJECT IDENTIFIER ::= { jnxSlotQFX3100 1 }
jnxQFX3100SlotMemory           OBJECT IDENTIFIER ::= { jnxSlotQFX3100 2 }
jnxQFX3100SlotPower            OBJECT IDENTIFIER ::= { jnxSlotQFX3100 3 }
jnxQFX3100SlotFan              OBJECT IDENTIFIER ::= { jnxSlotQFX3100 4 }
jnxQFX3100SlotHardDisk         OBJECT IDENTIFIER ::= { jnxSlotQFX3100 5 }
jnxQFX3100SlotNIC              OBJECT IDENTIFIER ::= { jnxSlotQFX3100 6 }
QFabric System QFX3008-I Interconnect Device
jnxProductLineQFXInterconnect        OBJECT IDENTIFIER ::= { jnxProductLine 60 }
jnxProductNameQFXInterconnect        OBJECT IDENTIFIER ::= { jnxProductName 60 }
jnxProductModelQFXInterconnect       OBJECT IDENTIFIER ::= { jnxProductModel 60 }
jnxProductVariationQFXInterconnect   OBJECT IDENTIFIER ::= { jnxProductVariation 60 }
jnxProductQFX3008                    OBJECT IDENTIFIER ::= { jnxProductVariationQFXInterconnect 1 }
jnxProductQFXC083008                 OBJECT IDENTIFIER ::= { jnxProductVariationQFXInterconnect 2 }
jnxProductQFX3008I                   OBJECT IDENTIFIER ::= { jnxProductVariationQFXInterconnect 3 }

jnxChassisQFXInterconnect            OBJECT IDENTIFIER ::= { jnxChassis 60 }

jnxSlotQFXInterconnect               OBJECT IDENTIFIER ::= { jnxSlot 60 }
jnxQFXInterconnectSlotFPC            OBJECT IDENTIFIER ::= { jnxSlotQFXInterconnect 1 }
jnxQFXInterconnectSlotHM             OBJECT IDENTIFIER ::= { jnxSlotQFXInterconnect 2 }
jnxQFXInterconnectSlotPower          OBJECT IDENTIFIER ::= { jnxSlotQFXInterconnect 3 }
jnxQFXInterconnectSlotFan            OBJECT IDENTIFIER ::= { jnxSlotQFXInterconnect 4 }
jnxQFXInterconnectSlotCBD            OBJECT IDENTIFIER ::= { jnxSlotQFXInterconnect 5 }
jnxQFXInterconnectSlotFPB            OBJECT IDENTIFIER ::= { jnxSlotQFXInterconnect 6 }

jnxMediaCardSpaceQFXInterconnect     OBJECT IDENTIFIER ::= { jnxMediaCardSpace 60 }
jnxQFXInterconnectMediaCardSpacePIC  OBJECT IDENTIFIER ::= { jnxMediaCardSpaceQFXInterconnect 1 }

jnxMidplaneQFXInterconnect           OBJECT IDENTIFIER ::= { jnxBackplane 60 }
QFabric System QFX3600-I Interconnect Device
jnxProductLineQFXMInterconnect        OBJECT IDENTIFIER ::= { jnxProductLine 91 }
jnxProductNameQFXMInterconnect        OBJECT IDENTIFIER ::= { jnxProductName 91 }
jnxProductModelQFXMInterconnect       OBJECT IDENTIFIER ::= { jnxProductModel 91 }
jnxProductVariationQFXMInterconnect   OBJECT IDENTIFIER ::= { jnxProductVariation 91 }
jnxProductQFX3600I                    OBJECT IDENTIFIER ::= { jnxProductVariationQFXMInterconnect 1 }

jnxChassisQFXMInterconnect            OBJECT IDENTIFIER ::= { jnxChassis 91 }

jnxSlotQFXMInterconnect               OBJECT IDENTIFIER ::= { jnxSlot 91 }
jnxQFXMInterconnectSlotFPC            OBJECT IDENTIFIER ::= { jnxSlotQFXMInterconnect 1 }
jnxQFXMInterconnectSlotHM             OBJECT IDENTIFIER ::= { jnxSlotQFXMInterconnect 2 }
jnxQFXMInterconnectSlotPower          OBJECT IDENTIFIER ::= { jnxSlotQFXMInterconnect 3 }
jnxQFXMInterconnectSlotFan            OBJECT IDENTIFIER ::= { jnxSlotQFXMInterconnect 4 }
jnxQFXMInterconnectSlotFPB            OBJECT IDENTIFIER ::= { jnxSlotQFXMInterconnect 5 }

jnxMediaCardSpaceQFXMInterconnect     OBJECT IDENTIFIER ::= { jnxMediaCardSpace 91 }
jnxQFXMInterconnectMediaCardSpacePIC  OBJECT IDENTIFIER ::= { jnxMediaCardSpaceQFXMInterconnect 1 }
QFabric System Node Devices
jnxProductLineQFXNode          OBJECT IDENTIFIER ::= { jnxProductLine 61 }
jnxProductNameQFXNode          OBJECT IDENTIFIER ::= { jnxProductName 61 }
jnxProductModelQFXNode         OBJECT IDENTIFIER ::= { jnxProductModel 61 }
jnxProductVariationQFXNode     OBJECT IDENTIFIER ::= { jnxProductVariation 61 }
jnxProductQFX3500              OBJECT IDENTIFIER ::= { jnxProductVariationQFXNode 1 }
jnxProductQFX360016Q           OBJECT IDENTIFIER ::= { jnxProductVariationQFXNode 3 }

jnxChassisQFXNode              OBJECT IDENTIFIER ::= { jnxChassis 61 }

jnxSlotQFXNode                 OBJECT IDENTIFIER ::= { jnxSlot 61 }
jnxQFXNodeSlotFPC              OBJECT IDENTIFIER ::= { jnxSlotQFXNode 1 }
jnxQFXNodeSlotHM               OBJECT IDENTIFIER ::= { jnxSlotQFXNode 2 }
jnxQFXNodeSlotPower            OBJECT IDENTIFIER ::= { jnxSlotQFXNode 3 }
jnxQFXNodeSlotFan              OBJECT IDENTIFIER ::= { jnxSlotQFXNode 4 }
jnxQFXNodeSlotFPB              OBJECT IDENTIFIER ::= { jnxSlotQFXNode 5 }

jnxMediaCardSpaceQFXNode       OBJECT IDENTIFIER ::= { jnxMediaCardSpace 61 }
jnxQFXNodeMediaCardSpacePIC    OBJECT IDENTIFIER ::= { jnxMediaCardSpaceQFXNode 1 }
Related Documentation
• Understanding the Implementation of SNMP on the QFabric System
• Fabric Chassis MIB on page 242
Fabric Chassis MIB
Supported Platforms
QFabric System
The Juniper Networks enterprise-specific SNMP Fabric Chassis MIB
(mib-jnx-fabric-chassis) provides hardware information about the QFabric system and
its component devices in a single MIB. The Fabric Chassis MIB is based on the Juniper
Networks enterprise-specific Chassis MIB that provides information for individual devices.
Unlike the Chassis MIB, the Fabric Chassis MIB represents the QFabric system component
devices as part of the QFabric system. Only the information from the Fabric Chassis MIB
(and not from individual Chassis MIBs) is available to SNMP management clients of the
QFabric system.
The Fabric Chassis MIB uses the basic information structure of the Chassis MIB, but adds
another level of indexing that provides detailed information about QFabric system devices.
Each physical device in a QFabric system (such as a Node device or an Interconnect
device) is represented with its hardware components, including the power supply, fans,
and front and rear cards.
As in other SNMP systems, the SNMP manager resides on the network management
system (NMS) of the network to which the QFabric system belongs. The SNMP agent
(snmpd) resides in the QFabric system Director software and is responsible for receiving
and distributing all traps as well as responding to all queries from the SNMP manager.
In addition, there is an SNMP subagent running in the Routing Engine of each Node group
and Interconnect device. The SNMP subagent manages the information about the
component device, and that information is communicated to the SNMP agent in the
Director software as needed. Traps that are generated by a Node device are sent to the
SNMP agent in the Director software, which in turn processes and sends them to the
target IP addresses that are defined in the SNMP configuration.
Table 24 on page 243 describes the tables and objects in the Fabric Chassis MIB.
Table 24: Fabric Chassis MIB Tables and Objects
Table or Object Name
Root OID
Description
Tables with Counterparts in the Chassis MIB
jnxFabricContainersTable
1.3.6.1.4.1.2636.3.42.2.2.2
Provides information about different types of containers in
QFabric system devices.
• Containers for Interconnect devices include fan trays,
power supply units, control boards, and so on.
• Containers for Node devices include fan trays, power
supply units, Flexible PIC Concentrator (FPC), PICs, and
so on.
• Containers for the Director devices include CPU, memory,
fan trays, power supply units, and hard disks. The
containers have a non-hierarchical or flat structure, and
components in them are organized as siblings to each
other.
jnxFabricContentsTable
1.3.6.1.4.1.2636.3.42.2.2.3
Contains contents that are present across all devices
represented in the jnxFabricDeviceTable object. This table
includes all field replaceable units (FRUs) and non-FRUs
for QFabric system devices.
• Contents in the Interconnect devices include fan trays and
control boards.
• Contents in the Node devices include fan trays and power
supply units.
• Contents in the Director devices include CPUs, memory,
fan trays, power supply units, and hard disks, but do not
include network interface cards (NICs).
jnxFabricFilledTable
1.3.6.1.4.1.2636.3.42.2.2.4
Shows the status of containers in QFabric devices. The
jnxFabricFilledState object represents the state of the
component: (1) unknown, (2) empty, or (3) filled.
NOTE: The jnxFabricFilledTable object does not contain
information about the Director group.
jnxFabricOperatingTable
1.3.6.1.4.1.2636.3.42.2.2.5
Represents different operating parameters for the contents
that are populated in the jnxFabricContentsTable object.
• Contents in each Node device and Interconnect device
include fan trays, power supply units, FPC, PIC, and
Routing Engine.
• Contents in the Director device include CPUs, memory,
fan trays, power supply units, and hard disks, but do not
include network interface cards (NICs).
The jnxFabricOperatingState object provides the state of
the device: (1) unknown, (2) running, (3) ready, (4) reset,
(5) runningAtFullSpeed (for fans only), (6) down, (6) off
(for power supply units), or (7) standby.
jnxFabricRedundancyTable
1.3.6.1.4.1.2636.3.42.2.2.6
Represents the redundancy information that is available at
different subsystem levels across the QFabric system.
Information about the Routing Engines in Node devices is
included, but there are no corresponding entries for
Interconnect devices in this table. The
jnxFabricRedundancyState object indicates the state of the
subsystem: (1) unknown, (2) master, (3) backup, or (4)
disabled.
NOTE: Information about redundant Director devices, virtual
machines (VMs) within Director groups, and Virtual Chassis
devices is not available at this time.
jnxFabricFruTable
1.3.6.1.4.1.2636.3.42.2.2.7
Contains all FRUs for the QFabric system in the
jnxFabricDeviceTable table. The FRUs are listed regardless
of whether or not they are installed or online. The
jnxFabricFruState object represents the state of the FRU,
including online, offline, or empty, and so on. This table also
contains information about each FRU, such as name, type,
temperature, time last powered on, and time last powered
off.
NOTE: The jnxFabricFruTable table does not include
network interface cards (NICs) on Director devices.
Table Specific to the Fabric Chassis MIB
jnxFabricDeviceTable
1.3.6.1.4.1.2636.3.42.2.2.1
Contains information about all devices in the QFabric system.
This table organizes scalar variables represented in the
Chassis MIB into a table format for the QFabric system
component devices. Columns in this table include device
information such as model, device alias, and serial number.
The jnxFabricDeviceIndex identifies each QFabric system
device (Node device, Interconnect device, and Director
device).
NOTE: At this time, information about the Virtual Chassis
is not available.
NOTE: The following objects are not supported:
• jnxFabricDeviceEntryRevision
• jnxFabricDeviceEntryFirmwareRevision
• jnxFabricDeviceEntryKernelMemoryUsedPercent
Scalar Variables
The following scalar variables are supported:
• jnxFabricClass
• jnxFabricDescr
• jnxFabricSerialNo
• jnxFabricRevision
• jnxFabricLastInstalled
• jnxFabricContentsLastChange
• jnxFabricFilledLastChange
1.3.6.1.4.1.2636.3.42.2.1
Describe the QFabric system as a whole.
NOTE: The jnxFabricFirmwareRevision scalar variable is not
supported at this time.
Table 25 on page 245 describes the SNMPv2 traps that are defined in the Fabric Chassis
MIB.
NOTE: Only SNMPv2 traps are supported on the QFabric system.
Table 25: Fabric Chassis MIB SNMPv2 Traps
Trap Group and Name
Root OID
Description
jnxFabricChassisTraps group—Includes the following traps:
• jnxFabricPowerSupplyFailure
• jnxFabricFanFailure
• jnxFabricOverTemperature
• jnxFabricRedundancySwitchover
• jnxFabricFruRemoval
• jnxFabricFruInsertion
• jnxFabricFruPowerOff
• jnxFabricFruPowerOn
• jnxFabricFruFailed
• jnxFabricFruOffline
• jnxFabricFruOnline
• jnxFabricFruCheck
• jnxFabricFEBSwitchover
• jnxFabricHardDiskFailed
• jnxFabricHardDiskMissing
• jnxFabricBootFromBackup
• jnxFabricHighPower
1.3.6.1.4.1.2636.4.19
Indicates an alarm condition.
NOTE: Hardware events on the Director group are detected by
scanning. As a result, a trap may not be generated until up to
30 seconds after the event has occurred.
NOTE: The software does not distinguish between the fan removal
and fan failure events on the Director group. In each case, both
the jnxFabricFanFailure and jnxFabricFruFailed traps are
generated.
jnxFabricChassisOKTraps group—Includes the following traps:
• jnxFabricPowerSupplyOK
• jnxFabricFanOK
• jnxFabricTemperatureOK
• jnxFabricFruOK
• jnxFabricHighPowerCleared
1.3.6.1.4.1.2636.4.20
Indicates an alarm cleared condition.
For more information, see the Fabric Chassis MIB at:
https://www.juniper.net/documentation/en_US/junos13.1/topics/reference/mibs/mib-jnx-fabric-chassis.txt
Related Documentation
• Understanding the Implementation of SNMP on the QFabric System
• Chassis MIBs
Monitoring RMON MIB Tables
Supported Platforms
EX4600, QFX Series
Purpose
Monitor remote monitoring (RMON) alarm, event, and log tables.
Action
To display the RMON tables:
user@switch> show snmp rmon
Alarm
Index  Variable description               Value State
    5  monitor
       jnxOperatingCPU.9.1.0.0                5 falling threshold

Event
Index  Type             Last Event
    1  log and trap     2010-07-10 11:34:17 PDT
Event Index: 1
    Description: Event 1 triggered by Alarm 5, rising threshold (90) crossed,
    (variable: jnxOperatingCPU.9.1.0.0, value: 100)
    Time: 2010-07-10 11:34:07 PDT
    Description: Event 1 triggered by Alarm 5, falling threshold (75) crossed,
    (variable: jnxOperatingCPU.9.1.0.0, value: 5)
    Time: 2010-07-10 11:34:17 PDT
Meaning
The display shows that an alarm has been defined to monitor jnxRmon MIB object
jnxOperatingCPU, which represents the CPU utilization of the Routing Engine. The alarm
is configured to generate an event that sends an SNMP trap and adds an entry to the
logTable in the RMON MIB. The log table shows that two occurrences of the event have
been generated—one for rising above a threshold of 90 percent, and one for falling below
a threshold of 75 percent.
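The following Python sketch is an added example, not part of the Juniper documentation. It models the rising/falling threshold behavior described above using the hysteresis rule from the RMON MIB (RFC 2819): after a rising event, no further rising event is raised until the value has reached the falling threshold. The class and function names and the sample series are constructed for illustration; the alarm index, variable, and thresholds are the ones shown in the display.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed CPU samples (time, percent); not taken from a real device.
SAMPLES = [
    ("11:33:57", 80),   # between the thresholds: no event
    ("11:34:07", 100),  # reaches rising threshold: rising event
    ("11:34:17", 95),   # still high, rising side is disarmed
    ("11:34:27", 85),   # dips below 90 but not down to 75
    ("11:34:37", 93),   # above 90 again: suppressed by hysteresis
    ("11:34:47", 5),    # reaches falling threshold: falling event
    ("11:34:57", 60),   # still low, falling side is disarmed
    ("11:35:07", 91),   # rising event again
]


@dataclass
class RmonAlarm:
    """One alarm with RFC 2819 style rising/falling hysteresis."""
    index: int
    variable: str
    rising_threshold: int
    falling_threshold: int
    event_index: int
    rising_armed: bool = True    # both sides armed at startup
    falling_armed: bool = True
    state: str = "unknown"
    log: List[Tuple[str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Sanity check of this example: without a gap there is no hysteresis band.
        if self.falling_threshold >= self.rising_threshold:
            raise ValueError("falling threshold must be below rising threshold")

    def sample(self, when: str, value: int) -> Optional[str]:
        """Process one sample; return 'rising', 'falling', or None."""
        crossed = None
        if value >= self.rising_threshold and self.rising_armed:
            crossed, limit = "rising", self.rising_threshold
            self.rising_armed, self.falling_armed = False, True
        elif value <= self.falling_threshold and self.falling_armed:
            crossed, limit = "falling", self.falling_threshold
            self.falling_armed, self.rising_armed = False, True
        if crossed is None:
            return None
        self.state = f"{crossed} threshold"
        # Same wording as the log entries in the display above.
        text = (f"Event {self.event_index} triggered by Alarm {self.index}, "
                f"{crossed} threshold ({limit}) crossed, "
                f"(variable: {self.variable}, value: {value})")
        self.log.append((when, text))
        return crossed


def replay(alarm: RmonAlarm, samples) -> List[Tuple[str, str]]:
    """Feed (time, value) samples to the alarm; return the events raised."""
    events = []
    for when, value in samples:
        crossed = alarm.sample(when, value)
        if crossed:
            events.append((when, crossed))
    return events


def naive_rising_alerts(samples, threshold: int) -> int:
    """Alerts a detector without hysteresis would raise (one per high sample)."""
    return sum(1 for _, value in samples if value >= threshold)


if __name__ == "__main__":
    alarm = RmonAlarm(5, "jnxOperatingCPU.9.1.0.0", 90, 75, 1)
    for when, kind in replay(alarm, SAMPLES):
        print(when, kind)
    for when, text in alarm.log:
        print(when, text)
    print("alerts without hysteresis:", naive_rising_alerts(SAMPLES, 90))
```

With the constructed series, the alarm logs three events while a plain "value >= 90" check would alert four times, which is why the gap between the two thresholds matters when tuning trap volume.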
Related Documentation
• Configuring RMON Alarms and Events on page 258
• show snmp rmon on page 1930
• show snmp rmon history on page 1935
• clear snmp statistics on page 1910
• clear snmp history on page 1986
Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage
Supported Platforms
EX4600, M Series, MX Series, QFabric System, QFX Series, T Series
Even though the Junos OS has built-in performance metrics and monitoring options, you
might need to have customized performance metrics. To make it easier for you to monitor
such customized data through a standard monitoring system, the Junos OS provides you
with an enterprise-specific Utility MIB that can store such data and thus extend SNMP
support for managing and monitoring the data of your choice.
The enterprise-specific Utility MIB provides you with container objects of the following
types: 32-bit counters, 64-bit counters, signed integers, unsigned integers, and octet strings.
You can use these container MIB objects to store the data that are otherwise not
supported for SNMP operations. You can populate data for these objects either by using
CLI commands or with the help of Op scripts and an RPC API that can invoke the CLI
commands.
The following CLI commands enable you to set and clear Utility MIB object values:
• request snmp utility-mib set instance name object-type <counter | counter 64 | integer
| string | unsigned integer> object-value value
• request snmp utility-mib clear instance name object-type <counter | counter 64 | integer
| string | unsigned integer>
The instance name option of the request snmp utility-mib <set | clear> command specifies
the name of the data instance and is the main identifier of the data. The object-type
<counter | counter 64 | integer | string | unsigned integer> option enables you to specify the
object type, and the object-value value option enables you to set the value of the object.
To automate the process of populating Utility MIB data, you can use a combination of
an event policy and event script. The following examples show the configuration for an
event policy to run show system buffers every hour and to store the show system buffers
data in Utility MIB objects by running an event script (check-mbufs.slax).
Event Policy Configuration
To configure an event policy that runs the show system buffers command every hour and
invokes check-mbufs.slax to store the show system buffers data into Utility MIB objects,
include the following statements at the [edit] hierarchy level:
event-options {
    generate-event {
        1-HOUR time-interval 3600;
    }
    policy MBUFS {
        events 1-HOUR;
        then {
            event-script check-mbufs.slax; # script stored at /var/db/scripts/event/
        }
    }
    event-script {
        file check-mbufs.slax;
    }
}
check-mbufs.slax Script
The following example shows the check-mbufs.slax script that is stored under
/var/db/scripts/event/:
------ script START ------
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
ns ext = "http://xmlsoft.org/XSLT/namespace";

match / {
    <op-script-results> {
        /* Run the CLI command and split its output into lines. */
        var $cmd = <command> "show system buffers";
        var $out = jcs:invoke($cmd);
        var $lines = jcs:break_lines($out);
        for-each ($lines) {
            /* Look at lines that report current/peak/max figures. */
            if (contains(., "current/peak/max")) {
                var $pattern = "([0-9]+)/([0-9]+)/([0-9]+) mbufs";
                var $split = jcs:regex($pattern, .);
                /* $split[1] is the whole match; $split[2] is the first group (current). */
                var $result = $split[2];
                /* Store the value in the Utility MIB instance "current-mbufs". */
                var $rpc = <request-snmp-utility-mib-set> {
                    <object-type> "integer";
                    <instance> "current-mbufs";
                    <object-value> $result;
                }
                var $res = jcs:invoke($rpc);
            }
        }
    }
}
------ script END ------
You can run the following command to check the data stored in the Utility MIB as a result
of the event policy and script shown in the preceding examples:
user@host> show snmp mib walk jnxUtilData ascii
jnxUtilIntegerValue."current-mbufs" = 0
jnxUtilIntegerTime."current-mbufs" = 07 da 05 0c 03 14 2c 00 2d 07 00
user@caramels>
NOTE: The show snmp mib walk command is not available on the QFabric
system, but you can use external SNMP client applications to perform this
operation.
Related Documentation
• Understanding SNMP Implementation in Junos OS on page 77
• Configuring SNMP on Devices Running Junos OS on page 183
• Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on
a Device Running Junos OS on page 343
• Optimizing the Network Management System Configuration for the Best Results on
page 179
• Configuring Options on Managed Devices for Better SNMP Response Time on page 181
• Managing Traps and Informs
• Understanding the Implementation of SNMP on the QFabric System
Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage
Supported Platforms
SRX Series
Even though Junos OS includes built-in performance metrics and monitoring options,
you might need to have customized performance metrics. To make it easier for you to
monitor such customized data through a standard monitoring system, Junos OS provides
you with an enterprise-specific Utility MIB that can store such data and thus extend SNMP
support for managing and monitoring the data of your choice.
The enterprise-specific Utility MIB provides you with container objects of the following
types: 32-bit counters, 64-bit counters, signed integers, unsigned integers, and octet strings.
You can use these container MIB objects to store the data that are otherwise not
supported for SNMP operations. You can populate data for these objects either by using
CLI commands or with the help of Op scripts and an RPC API that can invoke the CLI
commands.
The following CLI commands enable you to set and clear Utility MIB object values:
• request snmp utility-mib set instance name object-type <counter | counter 64 | integer
| string | unsigned integer> object-value value
• request snmp utility-mib clear instance name object-type <counter | counter 64 | integer
| string | unsigned integer>
The instance name option of the request snmp utility-mib <set | clear> command specifies
the name of the data instance and is the main identifier of the data. The object-type
<counter | counter 64 | integer | string | unsigned integer> option enables you to specify the
object type, and the object-value value option enables you to set the value of the object.
To automate the process of populating Utility MIB data, you can use a combination of
an event policy and event script. The following examples show the configuration for an
event policy to run show system buffers every hour and to store the show system buffers
data in Utility MIB objects by running an event script (check-mbufs.slax).
Event Policy Configuration
To configure an event policy that runs the show system buffers command every hour and
invokes check-mbufs.slax to store the show system buffers data into Utility MIB objects,
include the following statements at the [edit] hierarchy level:
event-options {
    generate-event {
        1-HOUR time-interval 3600;
    }
    policy MBUFS {
        events 1-HOUR;
        then {
            event-script check-mbufs.slax; # script stored at /var/db/scripts/event/
        }
    }
    event-script {
        file check-mbufs.slax;
    }
}
check-mbufs.slax Script
The following example shows the check-mbufs.slax script that is stored under
/var/db/scripts/event/:
------ script START ------
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
ns ext = "http://xmlsoft.org/XSLT/namespace";

match / {
    <op-script-results> {
        /* Run the CLI command and split its output into lines. */
        var $cmd = <command> "show system buffers";
        var $out = jcs:invoke($cmd);
        var $lines = jcs:break_lines($out);
        for-each ($lines) {
            /* Look at lines that report current/peak/max figures. */
            if (contains(., "current/peak/max")) {
                var $pattern = "([0-9]+)/([0-9]+)/([0-9]+) mbufs";
                var $split = jcs:regex($pattern, .);
                /* $split[1] is the whole match; $split[2] is the first group (current). */
                var $result = $split[2];
                /* Store the value in the Utility MIB instance "current-mbufs". */
                var $rpc = <request-snmp-utility-mib-set> {
                    <object-type> "integer";
                    <instance> "current-mbufs";
                    <object-value> $result;
                }
                var $res = jcs:invoke($rpc);
            }
        }
    }
}
------ script END ------
You can run the following command to check the data stored in the Utility MIB as a result
of the event policy and script shown in the preceding examples:
user@host> show snmp mib walk jnxUtilData ascii
jnxUtilIntegerValue."current-mbufs" = 0
jnxUtilIntegerTime."current-mbufs" = 07 da 05 0c 03 14 2c 00 2d 07 00
user@host>
Related Documentation
• Managing Traps and Informs
Example: Configuring SNMP
Supported Platforms
QFabric System
By default, SNMP is disabled on devices running Junos OS. This example describes the
steps for configuring SNMP on the QFabric system.
• Requirements
• Overview
• Configuration
Requirements
This example uses the following hardware and software components:
• Junos OS Release 12.2
• Network management system (NMS) (running the SNMP manager)
• QFabric system (running the SNMP agent) with multiple Node devices
Overview
Because SNMP is disabled by default on devices running Junos OS, you must enable
SNMP on your device by including configuration statements at the [edit snmp] hierarchy
level. At a minimum, you must configure the community public statement. The community
defined as public grants read-only access to MIB data to any client.
If no clients statement is configured, all clients are allowed. We recommend that you
always include the restrict option to limit SNMP client access to the switch.
The network topology in this example includes an NMS, a QFabric system with four Node
devices, and external SNMP servers that are configured for receiving traps.
Configuration
CLI Quick
Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.
set snmp name "snmp qfabric" description "qfabric0 system"
set snmp location "Lab 4 Row 11" contact "qfabric-admin@qfabric0"
set snmp community public authorization read-only
set snmp client-list list0 192.168.0.0/24
set snmp community public client-list-name list0
set snmp community public clients 198.51.100.0/24 restrict
set snmp trap-group "qf-traps" destination-port 155 targets 192.168.0.100
Step-by-Step
Procedure
The following example requires that you navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
To configure SNMP on the QFabric system:
NOTE: If the name, description, location, contact, or community name
contains spaces, enclose the text in quotation marks (" ").
1. Configure the SNMP system name:
   [edit snmp]
   user@switch# set name "snmp qfabric"
2. Specify a description.
   [edit snmp]
   user@switch# set description "qfabric0 system"
   This string is placed into the MIB II sysDescription object.
3. Specify the physical location of the QFabric system.
   [edit snmp]
   user@switch# set location "Lab 4 Row 11"
   This string is placed into the MIB II sysLocation object.
4. Specify an administrative contact for the SNMP system.
   [edit snmp]
   user@switch# set contact "qfabric-admin@qfabric0"
   This name is placed into the MIB II sysContact object.
5. Specify a unique SNMP community name and the read-only authorization level.
   NOTE: The read-write option is not supported on the QFabric system.
   [edit snmp]
   user@switch# set community public authorization read-only
6. Create a client list with a set of IP addresses that can use the SNMP community.
   [edit snmp]
   user@switch# set client-list list0 192.168.0.0/24
   user@switch# set community public client-list-name list0
7. Specify IP addresses of clients that are restricted from using the community.
   [edit snmp]
   user@switch# set community public clients 198.51.100.0/24 restrict
8. Configure a trap group, destination port, and a target to receive the SNMP traps in
   the trap group.
   [edit snmp]
   user@switch# set trap-group "qf-traps" destination-port 155 targets 192.168.0.100
   NOTE: You do not need to include the destination-port statement if you
   use the default port 162.
   The trap group qf-traps is configured to send traps to 192.168.0.100.
Results
From configuration mode, confirm your configuration by entering the show command. If
the output does not display the intended configuration, repeat the instructions in this
example to correct the configuration.
[edit]
user@switch# show
snmp {
    name "snmp qfabric";
    description "qfabric0 system";
    location "Lab 4 Row 11";
    contact "qfabric-admin@qfabric0";
    client-list list0 {
        192.168.0.0/24;
    }
    community public {
        authorization read-only;
        clients {
            198.51.100.0/24 restrict;
        }
    }
    trap-group qf-traps {
        destination-port 155;
        targets {
            192.168.0.100;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Related Documentation
• Understanding the Implementation of SNMP on the QFabric System
• snmp on page 1552
Configuring Health Monitoring
Supported Platforms
EX4600, OCX1100, QFX Series
This topic describes how to configure the health monitor feature for QFX Series and OCX
Series devices.
The health monitor feature extends the SNMP RMON alarm infrastructure to provide
predefined monitoring for a selected set of object instances (such as file system usage,
CPU usage, and memory usage) and dynamic object instances (such as Junos OS
processes).
To configure health monitoring:
1. Configure the health monitor:
[edit snmp]
user@switch# set health-monitor
2. Configure the falling threshold:
[edit snmp]
user@switch# set health-monitor falling-threshold percentage
For example:
user@switch# set health-monitor falling-threshold 85
3. Configure the rising threshold:
[edit snmp]
user@switch# set health-monitor rising-threshold percentage
For example:
user@switch# set health-monitor rising-threshold 75
4. Configure the interval:
[edit snmp]
user@switch# set health-monitor interval seconds
For example:
user@switch# set health-monitor interval 600
Related Documentation
• Understanding Health Monitoring
• falling-threshold on page 1498
• interval (Health Monitor) on page 1509
• rising-threshold (Health Monitor) on page 1537
Configuring Health Monitoring on Devices Running Junos OS
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series
As the number of devices managed by a typical network management system (NMS)
grows and the complexity of the devices themselves increases, it becomes increasingly
impractical for the NMS to use polling to monitor the devices. A more scalable approach
is to rely on network devices to notify the NMS when something requires attention.
On Juniper Networks routers, RMON alarms and events provide much of the infrastructure
needed to reduce the polling overhead from the NMS. However, with this approach, you
must set up the NMS to configure specific MIB objects into RMON alarms. This often
requires device-specific expertise and customizing of the monitoring application. In
addition, some MIB object instances that need monitoring are set only at initialization or
change at runtime and cannot be configured in advance.
To address these issues, the health monitor extends the RMON alarm infrastructure to
provide predefined monitoring for a selected set of object instances (for file system
usage, CPU usage, and memory usage) and includes support for unknown or dynamic
object instances (such as Junos OS processes).
Health monitoring is designed to minimize user configuration requirements. To configure
health monitoring entries, include the health-monitor statement at the [edit snmp]
hierarchy level:
[edit snmp]
health-monitor {
    falling-threshold percentage;
    interval seconds;
    rising-threshold percentage;
    idp {
        falling-threshold percentage;
        interval seconds;
        rising-threshold percentage;
    }
}
Configuring monitoring events at the [edit snmp health-monitor] hierarchy level sets
polling intervals for the overall system health. If you set these same options at the [edit
snmp health-monitor idp] hierarchy level, an SNMP event is generated by the device if
the percentage of dataplane memory utilized by the intrusion detection and prevention
(IDP) system rises above or falls below your settings.
You can use the show snmp health-monitor operational command to view information
about health monitor alarms and logs.
This topic describes the minimum required configuration and discusses the following
tasks for configuring the health monitor:
• Monitored Objects on page 256
• Minimum Health Monitoring Configuration on page 257
• Configuring the Falling Threshold or Rising Threshold on page 257
• Configuring the Interval on page 257
• Log Entries and Traps on page 258
Monitored Objects
When you configure the health monitor, monitoring information for certain object instances
is available, as shown in Table 26 on page 256.
Table 26: Monitored Object Instances
Object: jnxHrStoragePercentUsed.1
Description: Monitors the following file system on the router or switch:
/dev/ad0s1a:
This is the root file system mounted on /.
Object: jnxHrStoragePercentUsed.2
Description: Monitors the following file system on the router or switch:
/dev/ad0s1e:
This is the configuration file system mounted on /config.
Object: jnxOperatingCPU (RE0), jnxOperatingCPU (RE1)
Description: Monitors CPU usage for Routing Engines (RE0 and RE1). The index values assigned
to Routing Engines depend on whether the Chassis MIB uses a zero-based or
ones-based indexing scheme. Because the indexing scheme is configurable, the
proper index is determined when the router or switch is initialized and when there
is a configuration change. If the router or switch has only one Routing Engine, the
alarm entry monitoring RE1 is removed after five failed attempts to obtain the CPU
value.
Object: jnxOperatingBuffer (RE0), jnxOperatingBuffer (RE1)
Description: Monitors the amount of memory available on Routing Engines (RE0 and RE1).
Because the indexing of this object is identical to that used for jnxOperatingCPU,
index values are adjusted depending on the indexing scheme used in the Chassis
MIB. As with jnxOperatingCPU, the alarm entry monitoring RE1 is removed if the
router or switch has only one Routing Engine.
Object: sysApplElmtRunCPU
Description: Monitors the CPU usage for each Junos OS process (also called daemon). Multiple
instances of the same process are monitored and indexed separately.
Object: sysApplElmtRunMemory
Description: Monitors the memory usage for each Junos OS process. Multiple instances of the
same process are monitored and indexed separately.
Minimum Health Monitoring Configuration
To enable health monitoring on the router or switch, include the health-monitor statement
at the [edit snmp] hierarchy level:
[edit snmp]
health-monitor;
Configuring the Falling Threshold or Rising Threshold
The falling threshold is the lower threshold (expressed as a percentage of the maximum
possible value) for the monitored variable. When the current sampled value is less than
or equal to this threshold, and the value at the last sampling interval is greater than this
threshold, a single event is generated. A single event is also generated if the first sample
after this entry becomes valid is less than or equal to this threshold. After a falling event
is generated, another falling event cannot be generated until the sampled value rises
above this threshold and reaches the rising threshold. You must specify the falling
threshold as a percentage of the maximum possible value. The default is 70 percent.
By default, the rising threshold is 80 percent of the maximum possible value for the
monitored object instance. The rising threshold is the upper threshold for the monitored
variable. When the current sampled value is greater than or equal to this threshold, and
the value at the last sampling interval is less than this threshold, a single event is
generated. A single event is also generated if the first sample after this entry becomes
valid is greater than or equal to this threshold. After a rising event is generated, another
rising event cannot be generated until the sampled value falls below this threshold and
reaches the falling threshold. You must specify the rising threshold as a percentage of
the maximum possible value for the monitored variable.
To configure the falling threshold or rising threshold, include the falling-threshold or
rising-threshold statement at the [edit snmp health-monitor] hierarchy level:
[edit snmp health-monitor]
falling-threshold percentage;
rising-threshold percentage;
percentage can be a value from 1 through 100.
The falling and rising thresholds apply to all object instances monitored by the health
monitor.
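The rising/falling hysteresis described above, modelled as an added Python example (not Junos code). It uses the page's default thresholds of 80 and 70 percent; the startup behaviour on the first sample and the sample values are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

RISING = "risingThreshold"    # generic RMON trap names mentioned on this page
FALLING = "fallingThreshold"


@dataclass
class ThresholdAlarm:
    """One monitored object instance with rising/falling hysteresis."""
    rising: float = 80.0          # page default: 80 percent
    falling: float = 70.0         # page default: 70 percent
    startup: str = "rising-or-falling-alarm"  # assumption for this model
    last: Optional[float] = None  # value at the previous sampling interval
    rising_armed: bool = True
    falling_armed: bool = True

    def sample(self, value: float) -> Optional[str]:
        """Feed one sample and return the event it generates, if any."""
        first = self.last is None
        crossed_up = value >= self.rising and (first or self.last < self.rising)
        crossed_down = value <= self.falling and (first or self.last > self.falling)

        event = None
        if crossed_up and self.rising_armed:
            # The first sample only fires if the startup alarm allows it.
            if not first or self.startup in ("rising-alarm", "rising-or-falling-alarm"):
                event = RISING
                self.rising_armed = False
        elif crossed_down and self.falling_armed:
            if not first or self.startup in ("falling-alarm", "rising-or-falling-alarm"):
                event = FALLING
                self.falling_armed = False

        # A direction is re-armed only when the value reaches the opposite threshold.
        if value <= self.falling:
            self.rising_armed = True
        if value >= self.rising:
            self.falling_armed = True
        self.last = value
        return event


def run(samples: List[float], interval: int = 300, **kwargs) -> List[tuple]:
    """Return (seconds, sampled value, event) for each sampling interval."""
    alarm = ThresholdAlarm(**kwargs)
    return [(n * interval, value, alarm.sample(value))
            for n, value in enumerate(samples)]


if __name__ == "__main__":
    # Constructed CPU-usage samples, one per 300-second interval.
    for seconds, value, event in run([50, 85, 90, 75, 82, 65, 88]):
        print(f"t={seconds:>5}s value={value:>3}% event={event}")
```

The fifth sample (82) crosses the rising threshold again but produces no event, because the value never reached the falling threshold in between.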
Configuring the Interval
The interval represents the period of time, in seconds, over which the object instance is
sampled and compared with the rising and falling thresholds.
To configure the interval, include the interval statement and specify the number of seconds
at the [edit snmp health-monitor] hierarchy level:
[edit snmp health-monitor]
interval seconds;
seconds can be a value from 1 through 2147483647. The default is 300 seconds
(5 minutes).
Log Entries and Traps
The system log entries generated for any health monitor events (thresholds crossed,
errors, and so on) have a corresponding HEALTHMONITOR tag rather than a generic
SNMPD_RMON_EVENTLOG tag. However, the health monitor sends generic RMON
risingThreshold and fallingThreshold traps.
Related Documentation
• Understanding RMON Alarms and Events Configuration on page 361
• Configuring an RMON Alarm Entry and Its Attributes on page 365
• Configuring an RMON Event Entry and Its Attributes on page 369
• Example: Configuring Health Monitoring on page 408
• Understanding Device Management Functions in Junos OS on page 3
• health-monitor on page 1389
Configuring RMON Alarms and Events
Supported Platforms
EX4600, QFX Series
The Junos OS supports the Remote Network Monitoring (RMON) MIB (RFC 2819), which
allows a management device to monitor the values of MIB objects, or variables, against
configured thresholds. When the value of a variable crosses a threshold, an alarm and
its corresponding event are generated. The event can be logged and can generate an
SNMP trap.
To configure RMON alarms and events using the CLI, perform these tasks:
1. Configuring SNMP on page 258
2. Configuring an Event on page 259
3. Configuring an Alarm on page 260
Configuring SNMP
To configure SNMP:
1. Grant read-only access to all SNMP clients:
[edit snmp]
user@switch# set community community-name authorization authorization
For example:
[edit snmp]
user@switch# set community public authorization read-only
2. Grant read-write access to the RMON and jnx-rmon MIBs:
[edit snmp]
user@switch# set view view-name oid object-identifier include
user@switch# set view view-name oid object-identifier include
user@switch# set community community-name authorization authorization view view-name
For example:
[edit snmp]
user@switch# set view rmon-mib-view oid .1.3.6.1.2.1.16 include
user@switch# set view rmon-mib-view oid .1.3.6.1.4.1.2636.13 include
user@switch# set community private authorization read-write view rmon-mib-view
OIDs 1.3.6.1.2.1.16 and 1.3.6.1.4.1.2636.13 correspond to the RMON and jnxRmon MIBs.
3. Configure an SNMP trap group:
[edit snmp]
user@switch# set trap-group group-name categories category
user@switch# set trap-group group-name targets address
For example:
[edit snmp]
user@switch# set trap-group rmon-trap-group categories rmon-alarm
user@switch# set trap-group rmon-trap-group targets 192.168.5.5
The trap group rmon-trap-group is configured to send RMON traps to 192.168.5.5.
Configuring an Event
To configure an event:
1. Configure an event index, community name, and type:
[edit snmp rmon]
user@switch# set event index community community-name type type
For example:
[edit snmp rmon]
user@switch# set event 1 community rmon-trap-group type log-and-trap
The event community corresponds to the SNMP trap group and is not the same as
an SNMP community. This event generates an SNMP trap and adds an entry to the
logTable in the RMON MIB.
2. Configure a description for the event:
[edit snmp rmon]
user@switch# set event index description description
For example:
[edit snmp rmon]
user@switch# set event 1 description "rmon event"
Configuring an Alarm
To configure an alarm:
1. Configure an alarm index, the variable to monitor, the rising and falling thresholds,
and the corresponding rising and falling events:
[edit snmp rmon]
user@switch# set alarm index variable oid-variable falling-threshold integer rising-threshold
integer rising-event-index index falling-event-index index
For example:
[edit snmp rmon]
user@switch# set alarm 5 variable .1.3.6.1.4.1.2636.3.1.13.1.8.9.1.0.0 falling-threshold 75
rising-threshold 90 rising-event-index 1 falling-event-index 1
The variable .1.3.6.1.4.1.2636.3.1.13.1.8.9.1.0.0 corresponds to the jnxRmon MIB object
jnxOperatingCPU, which represents the CPU utilization of the Routing Engine. The
falling and rising threshold integers are 75 and 90. The rising and falling events both
generate the same event (event index 1).
2. Configure the sample interval and type and the alarm type:
[edit snmp rmon]
user@switch# set alarm index interval seconds sample-type (absolute-value | delta-value)
startup-alarm (falling-alarm | rising-alarm | rising-or-falling-alarm)
For example:
[edit snmp rmon]
user@switch# set alarm 5 interval 30 sample-type absolute-value
startup-alarm rising-or-falling-alarm
The absolute value of the monitored variable is sampled every 30 seconds. The initial
alarm can occur because of rising above the rising threshold or falling below the falling
threshold.
Related Documentation
• Configuring SNMP on page 176
• Juniper Networks Enterprise-Specific MIBs
• Monitoring RMON MIB Tables on page 246
• RMON MIB Event, Alarm, Log, and History Control Tables on page 362
• Understanding RMON on page 357
CHAPTER 10
Configuring SNMPv3
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
• Example: SNMPv3 Configuration on page 263
• Creating SNMPv3 Users on page 266
• Example: Creating SNMPv3 Users on page 267
• Configuring the SNMPv3 Authentication Type on page 268
• Configuring the SNMPv3 Encryption Type on page 269
• Defining Access Privileges for an SNMP Group on page 271
• Configuring the Access Privileges Granted to a Group on page 272
• Example: Configuring the Access Privileges Granted to a Group on page 275
• Assigning Security Model and Security Name to a Group on page 276
• Example: Security Group Configuration on page 278
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 278
• Configuring the SNMPv3 Trap Notification on page 280
• Example: Configuring SNMPv3 Trap Notification on page 281
• Configuring the Trap Notification Filter on page 281
• Configuring the Trap Target Address on page 282
• Example: Configuring the Tag List on page 285
• Defining and Configuring the Trap Target Parameters on page 285
• Configuring SNMP Informs on page 288
• Configuring the Inform Notification Type and Target Address on page 289
• Example: Configuring the Inform Notification Type and Target Address on page 291
• Configuring the Remote Engine and Remote User on page 291
• Example: Configuring the Remote Engine ID and Remote User on page 292
• Configuring the Local Engine ID on page 296
• Configuring the SNMPv3 Community on page 296
• Example: Configuring an SNMPv3 Community on page 298
Minimum SNMPv3 Configuration on a Device Running Junos OS
Supported Platforms
ACX Series, EX4600, M Series, MX Series, PTX Series, QFabric System, QFX Series, T Series
To configure the minimum requirements for SNMPv3, include the following statements
at the [edit snmp v3] and [edit snmp] hierarchy levels:
NOTE: You must configure at least one view (notify, read, or write) at the
[edit snmp view-name] hierarchy level.
[edit snmp]
view view-name {
    oid object-identifier (include | exclude);
}
[edit snmp v3]
notify name {
    tag tag-name;
}
notify-filter profile-name {
    oid object-identifier (include | exclude);
}
snmp-community community-index {
    security-name security-name;
}
target-address target-address-name {
    address address;
    target-parameters target-parameters-name;
}
target-parameters target-parameters-name {
    notify-filter profile-name;
    parameters {
        message-processing-model (v1 | v2c | v3);
        security-level (authentication | none | privacy);
        security-model (usm | v1 | v2c);
        security-name security-name;
    }
}
usm {
    local-engine {
        user username {
        }
    }
}
vacm {
    access {
        group group-name {
            (default-context-prefix | context-prefix context-prefix){
                security-model (any | usm | v1 | v2c) {
                    security-level (authentication | none | privacy) {
                        notify-view view-name;
                        read-view view-name;
                        write-view view-name;
                    }
                }
            }
        }
    }
    security-to-group {
        security-model (usm | v1 | v2c) {
            security-name security-name {
                group group-name;
            }
        }
    }
}
Related Documentation
• Creating SNMPv3 Users on page 266
• Configuring MIB Views on page 223
• Defining Access Privileges for an SNMP Group on page 271
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 278
• Configuring SNMP Informs on page 288
• Example: SNMPv3 Configuration on page 263
Example: SNMPv3 Configuration
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
Define an SNMPv3 configuration:
[edit snmp]
engine-id {
    use-mac-address;
}
view jnxAlarms {
    oid 1.3.6.1.4.1.2636.3.4 include;
}
view interfaces {
    oid 1.3.6.1.2.1.2 include;
}
view ping-mib {
    oid 1.3.6.1.2.1.80 include;
}
[edit snmp v3]
notify n1 {
    tag router1; # Identifies a set of target addresses
    type trap; # Defines type of notification
}
notify n2 {
    tag host1;
    type trap;
}
notify-filter nf1 {
    oid .1 include; # Defines which traps to send
} # In this case, includes all traps
notify-filter nf2 {
    oid 1.3.6.1.4.1 include; # Sends enterprise-specific traps only
}
notify-filter nf3 {
    oid 1.3.6.1.2.1.1.5 include; # Sends BGP traps only
}
snmp-community index1 {
    community-name "$9$JOZi.QF/AtOz3"; # SECRET-DATA
    security-name john; # Matches the security name at the target parameters
    tag host1; # Finds the addresses that are allowed to be used with
}
target-address ta1 { # Associates the target address with the group
    # san-francisco.
    address 10.1.1.1;
    address-mask 255.255.255.0; # Defines the range of addresses
    port 162;
    tag-list router1;
    target-parameters tp1; # Applies configured target parameters
}
target-address ta2 {
    address 10.1.1.2;
    address-mask 255.255.255.0;
    port 162;
    tag-list host1;
    target-parameters tp2;
}
target-address ta3 {
    address 10.1.1.3;
    address-mask 255.255.255.0;
    port 162;
    tag-list "router1 host1";
    target-parameters tp3;
}
target-parameters tp1 { # Defines the target parameters
    notify-filter nf1; # Specifies which notify filter to apply
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john; # Matches the security name configured at the
    } # [edit snmp v3 snmp-community community-index] hierarchy level.
}
target-parameters tp2 {
    notify-filter nf2;
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john;
    }
}
target-parameters tp3 {
    notify-filter nf3;
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john;
    }
}
usm {
    local-engine { # Defines authentication and encryption for SNMPv3 users
        user john { # security-name john is defined here
            authentication-md5 {
                authentication-password authentication-password;
            }
            privacy-des {
                privacy-password privacy-password;
            }
        }
        user bob { # security-name bob is defined here
            authentication-sha {
                authentication-password authentication-password;
            }
            privacy-none;
        }
        user julia { # security-name julia is defined here
            authentication-none;
            privacy-none;
        }
        user lauren { # security-name lauren is defined here
            authentication-sha {
                authentication-password authentication-password;
            }
            privacy-aes128 {
                privacy-password privacy-password;
            }
        }
        user richard { # security-name richard is defined here
            authentication-sha {
                authentication-password authentication-password;
            }
            privacy-none;
        }
    }
}
vacm {
    access {
        group san-francisco { # Defines the access privileges for the group
            default-context-prefix { # called san-francisco
                security-model v1 {
                    security-level none {
                        notify-view ping-mib;
                        read-view interfaces;
                        write-view jnxAlarms;
                    }
                }
            }
        }
    }
    security-to-group {
        security-model v1 {
            security-name john { # Assigns john to security group san-francisco
                group san-francisco;
            }
            security-name bob { # Assigns bob to security group new-york
                group new-york;
            }
            security-name julia { # Assigns julia to security group chicago
                group chicago;
            }
            security-name lauren { # Assigns lauren to security group paris
                group paris;
            }
            security-name richard { # Assigns richard to security group geneva
                group geneva;
            }
        }
    }
}
Related Documentation
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Creating SNMPv3 Users
Supported Platforms
ACX Series, EX4600, M Series, MX Series, PTX Series, QFX Series, T Series
For each SNMPv3 user, you can specify the username, authentication type, authentication
password, privacy type, and privacy password. After a user enters a password, a key
based on the engine ID and password is generated and is written to the configuration
file. After the generation of the key, the password is deleted from this configuration file.
NOTE: You can configure only one encryption type for each SNMPv3 user.
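How a password and an engine ID combine into a stored key, as an added Python example rather than Junos code. It implements the standard USM password-to-key algorithm from RFC 3414; that Junos derives its stored key exactly this way, and that authentication-sha means SHA-1, are assumptions. The password and engine ID are the RFC 3414 test-vector values.

```python
import hashlib

# Junos statement name -> hash used for the key derivation (assumption:
# authentication-sha is SHA-1, as in the original USM specification).
HASHES = {"authentication-md5": "md5", "authentication-sha": "sha1"}
STREAM_LEN = 1048576  # RFC 3414 digests exactly 1,048,576 bytes of password


def check_password(password: str) -> None:
    """Enforce the plain-text password rules stated in this guide."""
    if len(password) < 8:
        raise ValueError("password must be at least eight characters long")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in password):
        raise ValueError("password cannot include control characters")


def password_to_key(password: str, hash_name: str) -> bytes:
    """Step 1: hash the password repeated cyclically up to STREAM_LEN bytes."""
    raw = password.encode()
    repeats = STREAM_LEN // len(raw) + 1
    return hashlib.new(hash_name, (raw * repeats)[:STREAM_LEN]).digest()


def localize(master_key: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Step 2: bind the key to one SNMP engine by hashing key+engineID+key."""
    return hashlib.new(hash_name, master_key + engine_id + master_key).digest()


def usm_key(password: str, engine_id_hex: str, statement: str) -> str:
    """Return the localized key (hex) for one user on one engine."""
    check_password(password)
    hash_name = HASHES[statement]
    master = password_to_key(password, hash_name)
    return localize(master, bytes.fromhex(engine_id_hex), hash_name).hex()


if __name__ == "__main__":
    engine_a = "000000000000000000000002"  # RFC 3414 test-vector engine ID
    engine_b = "000000000000000000000003"  # constructed second engine ID
    for engine in (engine_a, engine_b):
        print(engine, usm_key("maplesyrup", engine, "authentication-sha"))
```

The same password yields a different key for each engine ID, so a key copied from one device's configuration does not authenticate against another, and changing the engine ID invalidates keys already derived from it.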
To create users, include the user statement at the [edit snmp v3 usm local-engine]
hierarchy level:
[edit snmp v3 usm local-engine]
user username;
username is the name that identifies the SNMPv3 user.
To configure user authentication and encryption, include the following statements at
the [edit snmp v3 usm local-engine user username] hierarchy level:
[edit snmp v3 usm local-engine user username]
authentication-md5 {
    authentication-password authentication-password;
}
authentication-sha {
    authentication-password authentication-password;
}
authentication-none;
privacy-aes128 {
    privacy-password privacy-password;
}
privacy-des {
    privacy-password privacy-password;
}
privacy-3des {
    privacy-password privacy-password;
}
privacy-none;
Related Documentation
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
• Example: Creating SNMPv3 Users on page 267
• Example: SNMPv3 Configuration on page 263
Example: Creating SNMPv3 Users
Define SNMPv3 users:
[edit]
snmp {
    v3 {
        usm {
            local-engine {
                user user1 {
                    authentication-md5 {
                        authentication-password authentication-password;
                    }
                    privacy-des {
                        privacy-password privacy-password;
                    }
                }
                user user2 {
                    authentication-sha {
                        authentication-password authentication-password;
                    }
                    privacy-none;
                }
                user user3 {
                    authentication-none;
                    privacy-none;
                }
                user user4 {
                    authentication-md5 {
                        authentication-password authentication-password;
                    }
                    privacy-des {
                        privacy-password privacy-password;
                    }
                }
                user user5 {
                    authentication-sha {
                        authentication-password authentication-password;
                    }
                    privacy-aes128 {
                        privacy-password privacy-password;
                    }
                }
            }
        }
    }
}
Related Documentation
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Configuring the SNMPv3 Authentication Type
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
By default, in a Junos OS configuration the SNMPv3 authentication type is set to none.
This topic includes the following sections:
• Configuring MD5 Authentication on page 268
• Configuring SHA Authentication on page 268
• Configuring No Authentication on page 269
Configuring MD5 Authentication
To configure the message digest algorithm (MD5) as the authentication type for an
SNMPv3 user, include the authentication-md5 statement at the [edit snmp v3 usm
local-engine user username] hierarchy level:
[edit snmp v3 usm local-engine user username]
authentication-md5 {
    authentication-password authentication-password;
}
authentication-password is the password used to generate the key used for authentication.
SNMPv3 has special requirements when you create plain-text passwords on a router or
switch:
• The password must be at least eight characters long.
• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.
Configuring SHA Authentication
To configure the secure hash algorithm (SHA) as the authentication type for an SNMPv3
user, include the authentication-sha statement at the [edit snmp v3 usm local-engine user
username] hierarchy level:
[edit snmp v3 usm local-engine user username]
authentication-sha {
    authentication-password authentication-password;
}
authentication-password is the password used to generate the key used for authentication.
SNMPv3 has special requirements when you create plain-text passwords on a router or
switch:
• The password must be at least eight characters long.
• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.
Configuring No Authentication
To configure no authentication for an SNMPv3 user, include the authentication-none
statement at the [edit snmp v3 usm local-engine user username] hierarchy level:
[edit snmp v3 usm local-engine user username]
authentication-none;
Related Documentation
• Configuring the SNMPv3 Encryption Type on page 269
• Defining Access Privileges for an SNMP Group on page 271
• Configuring the Access Privileges Granted to a Group on page 272
• Assigning Security Model and Security Name to a Group on page 276
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Configuring the SNMPv3 Encryption Type
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
By default, encryption is set to none.
NOTE: Before you configure encryption, you must configure MD5 or SHA
authentication.
Before you configure the privacy-des, privacy-3des and privacy-aes128
statements, you must install the jcrypto package, and either restart the SNMP
process or reboot the router.
This topic includes the following sections:
• Configuring the Advanced Encryption Standard Algorithm on page 270
• Configuring the Data Encryption Algorithm on page 270
• Configuring Triple DES on page 270
• Configuring No Encryption on page 271
Configuring the Advanced Encryption Standard Algorithm
To configure the Advanced Encryption Standard (AES) algorithm for an SNMPv3 user,
include the privacy-aes128 statement at the [edit snmp v3 usm local-engine user username]
hierarchy level:
[edit snmp v3 usm local-engine user username]
privacy-aes128 {
    privacy-password privacy-password;
}
privacy-password is the password used to generate the key used for encryption.
SNMPv3 has special requirements when you create plain-text passwords on a router or
switch:
• The password must be at least eight characters long.
• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.
Configuring the Data Encryption Algorithm
To configure the data encryption algorithm (DES) for an SNMPv3 user, include the
privacy-des statement at the [edit snmp v3 usm local-engine user username] hierarchy
level:
[edit snmp v3 usm local-engine user username]
privacy-des {
    privacy-password privacy-password;
}
privacy-password is the password used to generate the key used for encryption.
SNMPv3 has special requirements when you create plain-text passwords on a router or
switch:
• The password must be at least eight characters long.
• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.
Configuring Triple DES
To configure triple DES for an SNMPv3 user, include the privacy-3des statement at the
[edit snmp v3 usm local-engine user username] hierarchy level:
[edit snmp v3 usm local-engine user username]
privacy-3des {
    privacy-password privacy-password;
}
privacy-password is the password used to generate the key used for encryption.
SNMPv3 has special requirements when you create plain-text passwords on a router or
switch:
• The password must be at least eight characters long.
• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.
Configuring No Encryption
To configure no encryption for an SNMPv3 user, include the privacy-none statement at
the [edit snmp v3 usm local-engine user username] hierarchy level:
[edit snmp v3 usm local-engine user username]
privacy-none;
Related Documentation
• Configuring the SNMPv3 Authentication Type on page 268
• Defining Access Privileges for an SNMP Group on page 271
• Configuring the Access Privileges Granted to a Group on page 272
• Assigning Security Model and Security Name to a Group on page 276
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Defining Access Privileges for an SNMP Group
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
The SNMP version 3 (SNMPv3) uses the view-based access control model (VACM),
which allows you to configure the access privileges granted to a group. Access is controlled
by filtering the MIB objects available for a specific operation through a predefined view.
You assign views to determine the objects that are visible for read, write, and notify
operations for a particular group, using a particular context, a particular security model
(v1, v2c, or usm), and particular security level (authenticated, privacy, or none). For
information about how to configure views, see “Configuring MIB Views” on page 223.
You define user access to management information at the [edit snmp v3 vacm] hierarchy
level. All access control within VACM operates on groups, which are collections of users
as defined by USM, or community strings as defined in the SNMPv1 and SNMPv2c security
models. The term security-name refers to these generic end users. The group to which a
specific security name belongs is configured at the [edit snmp v3 vacm security-to-group]
hierarchy level. That security name can be associated with a group defined at the [edit
snmp v3 vacm security-to-group] hierarchy level. A group identifies a collection of SNMP
users that share the same access policy. You then define the access privileges associated
with a group at the [edit snmp v3 vacm access] hierarchy level. Access privileges are
defined using views. For each group, you can apply different views depending on the
SNMP operation: read (get, getNext, or getBulk), write (set), or notification;
the security level used (authentication, privacy, or none); and the security model (v1, v2c,
or usm) used within an SNMP request.
You configure members of a group with the security-name statement. For v3 packets
using USM, the security name is the same as the username. For SNMPv1 or SNMPv2c
packets, the security name is determined based on the community string. Security names
are specific to a security model. If you are also configuring VACM access policies for
SNMPv1 or SNMPv2c packets, you must assign security names to groups for each security
model (SNMPv1 or SNMPv2c) at the [edit snmp v3 vacm security-to-group] hierarchy
level. You must also associate a security name with an SNMP community at the [edit
snmp v3 snmp-community community-index] hierarchy level.
To configure the access privileges for an SNMP group, include statements at the [edit
snmp v3 vacm] hierarchy level:
[edit snmp v3 vacm]
access {
    group group-name {
        (default-context-prefix | context-prefix context-prefix) {
            security-model (any | usm | v1 | v2c) {
                security-level (authentication | none | privacy) {
                    notify-view view-name;
                    read-view view-name;
                    write-view view-name;
                }
            }
        }
    }
}
security-to-group {
    security-model (usm | v1 | v2c) {
        security-name security-name {
            group group-name;
        }
    }
}
Related Documentation
• Configuring the SNMPv3 Authentication Type on page 268
• Configuring the Access Privileges Granted to a Group on page 272
• Assigning Security Model and Security Name to a Group on page 276
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Configuring the Access Privileges Granted to a Group
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
This topic includes the following sections:
• Configuring the Group on page 273
• Configuring the Security Model on page 273
• Configuring the Security Level on page 273
• Associating MIB Views with an SNMP User Group on page 274
Configuring the Group
To configure the access privileges granted to a group, include the group statement at
the [edit snmp v3 vacm access] hierarchy level:
[edit snmp v3 vacm access]
group group-name;
group-name is a collection of SNMP users that belong to a common SNMP list that defines
an access policy. Users belonging to a particular SNMP group inherit all access privileges
granted to that group.
Configuring the Security Model
To configure the security model, include the security-model statement at the [edit snmp
v3 vacm access group group-name (default-context-prefix | context-prefix context-prefix)]
hierarchy level:
[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix)]
security-model (any | usm | v1 | v2c);
• any—Any security model
• usm—SNMPv3 security model
• v1—SNMPv1 security model
• v2c—SNMPv2c security model
Configuring the Security Level
To configure the access privileges granted to packets with a particular security level,
include the security-level statement at the [edit snmp v3 vacm access group group-name
(default-context-prefix | context-prefix context-prefix) security-model (any | usm | v1 |
v2c)] hierarchy level:
[edit snmp v3 vacm access group group-name default-context-prefix security-model (any
| usm | v1 | v2c)]
security-level (authentication | none | privacy);
• none—Provides no authentication and no encryption.
• authentication—Provides authentication but no encryption.
• privacy—Provides authentication and encryption.
NOTE: Access privileges are granted to all packets with a security level
equal to or greater than that configured. If you are configuring the SNMPv1
or SNMPv2c security model, use none as your security level. If you are
configuring the SNMPv3 security model (USM), use the authentication,
none, or privacy security level.
See Also
• Configuring the SNMPv3 Authentication Type on page 268
• Defining Access Privileges for an SNMP Group on page 271
• Assigning Security Model and Security Name to a Group on page 276
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Associating MIB Views with an SNMP User Group
MIB views define access privileges for members of a group. Separate views can be applied
for each SNMP operation (read, write, and notify) within each security model (usm, v1,
and v2c) and each security level (authentication, none, and privacy) supported by SNMP.
To associate MIB views with an SNMP user group, include the following statements at
the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none |
privacy)] hierarchy level:
[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none
| privacy)]
notify-view view-name;
read-view view-name;
write-view view-name;
NOTE: You must associate at least one view (notify, read, or write) at the
[edit snmp v3 vacm access group group-name (default-context-prefix |
context-prefix context-prefix) security-model (any | usm | v1 | v2c) security-level
(authentication | none | privacy)] hierarchy level.
You must configure the MIB view at the [edit snmp view view-name] hierarchy
level. For information about how to configure MIB views, see “Configuring
MIB Views” on page 223.
This section describes the following topics related to this configuration:
• Configuring the Notify View on page 274
• Configuring the Read View on page 275
• Configuring the Write View on page 275
Configuring the Notify View
To associate notify access with an SNMP user group, include the notify-view statement
at the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none |
privacy)] hierarchy level:
[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none
| privacy)]
notify-view view-name;
view-name specifies the notify access, which is a list of notifications that can be sent to
each user in an SNMP group. A view name cannot exceed 32 characters.
Configuring the Read View
To associate a read view with an SNMP group, include the read-view statement at the
[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none |
privacy)] hierarchy level:
[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none
| privacy)]
read-view view-name;
view-name specifies read access for an SNMP user group. A view name cannot exceed
32 characters.
Configuring the Write View
To associate a write view with an SNMP user group, include the write-view statement at
the [edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none |
privacy)] hierarchy level:
[edit snmp v3 vacm access group group-name (default-context-prefix | context-prefix
context-prefix) security-model (any | usm | v1 | v2c) security-level (authentication | none
| privacy)]
write-view view-name;
view-name specifies write access for an SNMP user group. A view name cannot exceed
32 characters.
Related Documentation
• Configuring the SNMPv3 Authentication Type on page 268
• Defining Access Privileges for an SNMP Group on page 271
• Assigning Security Model and Security Name to a Group on page 276
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
• Example: Configuring the Access Privileges Granted to a Group on page 275
Example: Configuring the Access Privileges Granted to a Group
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
Define access privileges:
[edit snmp v3 vacm]
access {
    group group1 {
        default-context-prefix {
            security-model usm { # Define an SNMPv3 security model
                security-level privacy {
                    notify-view nv1;
                    read-view rv1;
                    write-view wv1;
                }
            }
        }
        context-prefix lr1/ri1 { # routing instance ri1 in logical system lr1
            security-model usm {
                security-level privacy {
                    notify-view nv1;
                    read-view rv1;
                    write-view wv1;
                }
            }
        }
    }
    group group2 {
        default-context-prefix {
            security-model usm { # Define an SNMPv3 security model
                security-level authentication {
                    read-view rv2;
                    write-view wv2;
                }
            }
        }
    }
    group group3 {
        default-context-prefix {
            security-model v1 { # Define an SNMPv1 security model
                security-level none {
                    read-view rv3;
                    write-view wv3;
                }
            }
        }
    }
}
Related Documentation
• Configuring the Access Privileges Granted to a Group on page 272
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Assigning Security Model and Security Name to a Group
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
To assign security names to groups, include the following statements at the [edit snmp
v3 vacm security-to-group] hierarchy level:
[edit snmp v3 vacm security-to-group]
security-model (usm | v1 | v2c) {
security-name security-name {
group group-name;
}
}
This topic includes the following sections:
• Configuring the Security Model on page 277
• Assigning Security Names to Groups on page 277
• Configuring the Group on page 277
Configuring the Security Model
To configure the security model, include the security-model statement at the [edit snmp
v3 vacm security-to-group] hierarchy level:
[edit snmp v3 vacm security-to-group]
security-model (usm | v1 | v2c);
• usm—SNMPv3 security model
• v1—SNMPv1 security model
• v2c—SNMPv2c security model
Assigning Security Names to Groups
To associate a security name with an SNMPv3 user, or a v1 or v2 community string, include
the security-name statement at the [edit snmp v3 vacm security-to-group security-model
(usm | v1 | v2c)] hierarchy level:
[edit snmp v3 vacm security-to-group security-model (usm | v1 | v2c)]
security-name security-name;
For SNMPv3, the security-name is the username configured at the [edit snmp v3 usm
local-engine user username] hierarchy level. For SNMPv1 and SNMPv2c, the security name
is the community string configured at the [edit snmp v3 snmp-community community-index]
hierarchy level. For information about configuring usernames, see “Creating SNMPv3
Users” on page 266. For information about configuring a community string, see “Configuring
the SNMPv3 Community” on page 296.
NOTE: The USM security name is separate from the SNMPv1 and SNMPv2c
security name. If you support SNMPv1 and SNMPv2c in addition to SNMPv3,
you must configure separate security names within the security-to-group
configuration at the [edit snmp v3 vacm access] hierarchy level.
Configuring the Group
After you have created SNMPv3 users, or v1 or v2 security names, you associate them
with a group. A group is a set of security names belonging to a particular security model.
A group defines the access rights for all users belonging to it. Access rights define what
SNMP objects can be read, written to, or created. A group also defines what notifications
a user is allowed to receive.
If you already have a group that is configured with all of the view and access permissions
that you want to give a user, you can add the user to that group. If you want to give a user
view and access permissions that no other groups have, or if you do not have any groups
configured, create a group and add the user to it.
To configure the access privileges granted to a group, include the group statement at
the [edit snmp v3 vacm security-to-group security-model (usm | v1 | v2c) security-name
security-name] hierarchy level:
[edit snmp v3 vacm security-to-group security-model (usm | v1 | v2c) security-name
security-name]
group group-name;
group-name identifies a collection of SNMP security names that share the same access
policy. For more information about groups, see “Defining Access Privileges for an SNMP
Group” on page 271.
See Also
• Configuring the SNMPv3 Authentication Type on page 268
• Defining Access Privileges for an SNMP Group on page 271
• Configuring the Access Privileges Granted to a Group on page 272
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
• Example: Security Group Configuration on page 278
Example: Security Group Configuration
Supported Platforms
M Series, MX Series, SRX Series, T Series, vSRX
Assign security names to groups:
vacm {
    security-to-group {
        security-model usm {
            security-name user1 {
                group group1;
            }
            security-name user2 {
                group group2;
            }
            security-name user3 {
                group group3;
            }
        }
    }
}
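The group lookup and the security-level rule described in this chapter (access is granted to packets whose level is equal to or greater than the configured one) can be modelled as follows. This is an added example, not Juniper code: the parser, the function names, and the RFC 3415 preference between matching entries are assumptions, and only default-context-prefix entries are covered.

```python
import re

LEVELS = {"none": 0, "authentication": 1, "privacy": 2}

# Constructed input: the access and security-to-group examples from this
# chapter merged under one vacm stanza (default-context-prefix entries only).
VACM_CONFIG = """
vacm {
    security-to-group {
        security-model usm {
            security-name user1 { group group1; }
            security-name user2 { group group2; }
            security-name user3 { group group3; }
        }
    }
    access {
        group group1 { default-context-prefix { security-model usm {
            security-level privacy { notify-view nv1; read-view rv1; write-view wv1; }
        } } }
        group group2 { default-context-prefix { security-model usm {  # SNMPv3
            security-level authentication { read-view rv2; write-view wv2; }
        } } }
        group group3 { default-context-prefix { security-model v1 {
            security-level none { read-view rv3; write-view wv3; }
        } } }
    }
}
"""


def parse(text):
    """Parse curly-brace configuration text into (words, children) nodes."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    pos = 0

    def block():
        nonlocal pos
        nodes, words = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok in ("{", ";"):
                nodes.append((words, block() if tok == "{" else []))
                words = []
            else:
                words.append(tok)
        return nodes

    return block()


def select(nodes, keyword):
    """Return (arguments, children) for each statement starting with keyword."""
    return [(w[1:], kids) for w, kids in nodes if w and w[0] == keyword]


def load_vacm(text):
    """Build the security-to-group map and the list of access entries."""
    vacm = select(parse(text), "vacm")[0][1]
    groups, access = {}, []
    for _, s2g in select(vacm, "security-to-group"):
        for (model,), names in select(s2g, "security-model"):
            for (name,), body in select(names, "security-name"):
                groups[(model, name)] = select(body, "group")[0][0][0]
    for _, acc in select(vacm, "access"):
        for (group,), contexts in select(acc, "group"):
            for _, models in select(contexts, "default-context-prefix"):
                for (model,), levels in select(models, "security-model"):
                    for (level,), views in select(levels, "security-level"):
                        entry = {"group": group, "model": model, "level": level}
                        entry.update({w[0]: w[1] for w, _ in views})
                        access.append(entry)
    return groups, access


def resolve_view(cfg, model, name, level, operation):
    """Return the view name applied to a request, or None when access is denied."""
    groups, access = cfg
    group = groups.get((model, name))
    matches = [e for e in access
               if e["group"] == group
               and e["model"] in (model, "any")
               and LEVELS[level] >= LEVELS[e["level"]]]
    if not matches:
        return None
    # Assumed RFC 3415 preference: exact security model first, then highest level.
    best = max(matches, key=lambda e: (e["model"] != "any", LEVELS[e["level"]]))
    return best.get(operation + "-view")


def writable_below_privacy(cfg):
    """Audit helper: access entries that grant a write view without encryption."""
    return sorted((e["group"], e["model"], e["level"]) for e in cfg[1]
                  if "write-view" in e and LEVELS[e["level"]] < LEVELS["privacy"])
```

In this model user3 resolves to no view: it is mapped to group3 under the usm security model, while group3's only access entry is for security-model v1.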
Related Documentation
• Assigning Security Model and Security Name to a Group on page 276
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Configuring SNMPv3 Traps on a Device Running Junos OS
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series
In SNMPv3, you create traps and informs by configuring the notify, target-address, and
target-parameters parameters. Traps are unconfirmed notifications, whereas informs
are confirmed notifications. This section describes how to configure SNMP traps. For
information about configuring SNMP informs, see “Configuring SNMP Informs” on page 288.
The target address defines a management application’s address and parameters to be
used in sending notifications. Target parameters define the message processing and
security parameters that are used in sending notifications to a particular management
target. SNMPv3 also lets you define SNMPv1 and SNMPv2c traps.
NOTE: When you configure SNMP traps, make sure your configured access
privileges allow the traps to be sent. Access privileges are configured at the
[edit snmp v3 vacm access] and [edit snmp v3 vacm security-to-group] hierarchy
levels.
To configure SNMP traps, include the following statements at the [edit snmp v3] hierarchy
level:
[edit snmp v3]
notify name {
    tag tag-name;
    type trap;
}
notify-filter name {
    oid object-identifier (include | exclude);
}
target-address target-address-name {
    address address;
    address-mask address-mask;
    logical-system logical-system;
    port port-number;
    routing-instance instance;
    tag-list tag-list;
    target-parameters target-parameters-name;
}
target-parameters target-parameters-name {
    notify-filter profile-name;
    parameters {
        message-processing-model (v1 | v2c | v3);
        security-level (authentication | none | privacy);
        security-model (usm | v1 | v2c);
        security-name security-name;
    }
}
Related Documentation
• Configuring the SNMPv3 Trap Notification on page 280
• Configuring the Trap Notification Filter on page 281
• Configuring the Trap Target Address on page 282
• Defining and Configuring the Trap Target Parameters on page 285
• Configuring SNMP Informs on page 288
• Configuring the Remote Engine and Remote User on page 291
• Configuring the Inform Notification Type and Target Address on page 289
Configuring the SNMPv3 Trap Notification
Supported Platforms
M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series
The notify statement specifies the type of notification (trap) and contains a single tag.
The tag defines a set of target addresses to receive a trap. The tag list contains one or
more tags and is configured at the [edit snmp v3 target-address target-address-name]
hierarchy level. If the tag list contains this tag, Junos OS sends a notification to all the
target addresses associated with this tag.
To configure the trap notifications, include the notify statement at the [edit snmp v3]
hierarchy level:
[edit snmp v3]
notify name {
tag tag-name;
type trap;
}
name is the name assigned to the notification.
tag-name defines the target addresses to which this notification is sent. This notification
is sent to all the target-addresses that have this tag in their tag list. The tag-name is not
included in the notification.
trap is the type of notification.
NOTE: Each notify entry name must be unique.
Junos OS supports two types of notification: trap and inform.
For information about how to configure the tag list, see “Configuring the Trap Target
Address” on page 284.
Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 278
• Configuring the Trap Notification Filter on page 281
• Configuring the Trap Target Address on page 282
• Defining and Configuring the Trap Target Parameters on page 285
• Configuring SNMP Informs on page 288
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Example: Configuring SNMPv3 Trap Notification
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series
Specify three sets of destinations to send traps:
[edit snmp v3]
notify n1 {
    tag router1;
    type trap;
}
notify n2 {
    tag router2;
    type trap;
}
notify n3 {
    tag router3;
    type trap;
}
Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 278
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Configuring the Trap Notification Filter
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
SNMPv3 uses the notify filter to define which traps (or which objects from which traps)
are sent to the network management system (NMS). The trap notification filter limits
the type of traps that are sent to the NMS.
Each object identifier represents a subtree of the MIB object hierarchy. The subtree can
be represented either by a sequence of dotted integers (such as 1.3.6.1.2.1.2) or by its
subtree name (such as interfaces). You can also use the wildcard character asterisk (*)
in the object identifier (OID) to specify object identifiers that match a particular pattern.
To configure the trap notifications filter, include the notify-filter statement at the
[edit snmp v3] hierarchy level:
[edit snmp v3]
notify-filter profile-name;
profile-name is the name assigned to the notify filter.
By default, the OID is set to include. To define access to traps (or objects from traps),
include the oid statement at the [edit snmp v3 notify-filter profile-name] hierarchy level:
[edit snmp v3 notify-filter profile-name]
oid oid (include | exclude);
oid is the object identifier. All MIB objects represented by this statement have the specified
OID as a prefix. It can be specified either by a sequence of dotted integers or by a subtree
name.
• include—Include the subtree of MIB objects represented by the specified OID.
• exclude—Exclude the subtree of MIB objects represented by the specified OID.
Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 278
• Configuring the SNMPv3 Trap Notification on page 280
• Configuring the Trap Target Address on page 282
• Defining and Configuring the Trap Target Parameters on page 285
• Configuring SNMP Informs on page 288
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Configuring the Trap Target Address
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
The target address defines a management application’s address and parameters that
are used in sending notifications. It can also identify management stations that are
allowed to use specific community strings. When you receive a packet with a recognized
community string and a tag is associated with it, Junos OS looks up all the target addresses
with this tag and verifies that the source address of this packet matches one of the
configured target addresses.
NOTE: You must configure the address mask when you configure the SNMP
community.
To specify where you want the traps to be sent and define what SNMPv1 and SNMPv2c
packets are allowed, include the target-address statement at the [edit snmp v3] hierarchy
level:
[edit snmp v3]
target-address target-address-name;
target-address-name is the string that identifies the target address.
To configure the target address properties, include the following statements at the [edit
snmp v3 target-address target-address-name] hierarchy level:
[edit snmp v3 target-address target-address-name]
address address;
address-mask address-mask;
logical-system logical-system;
port port-number;
routing-instance instance;
tag-list tag-list;
target-parameters target-parameters-name;
This section includes the following topics:
• Configuring the Address on page 283
• Configuring the Address Mask on page 283
• Configuring the Port on page 283
• Configuring the Routing Instance on page 283
• Configuring the Trap Target Address on page 284
• Applying Target Parameters on page 284
Configuring the Address
To configure the address, include the address statement at the [edit snmp v3
target-address target-address-name] hierarchy level:
[edit snmp v3 target-address target-address-name]
address address;
address is the SNMP target address.
Configuring the Address Mask
The address mask specifies a set of addresses that are allowed to use a community
string and verifies the source addresses for a group of target addresses.
To configure the address mask, include the address-mask statement at the [edit snmp
v3 target-address target-address-name] hierarchy level:
[edit snmp v3 target-address target-address-name]
address-mask address-mask;
address-mask combined with the address defines a range of addresses. For information
about how to configure the community string, see “Configuring the SNMPv3 Community”
on page 296.
Configuring the Port
By default, the UDP port is set to 162. To configure a different port number, include the
port statement at the [edit snmp v3 target-address target-address-name] hierarchy level:
[edit snmp v3 target-address target-address-name]
port port-number;
port-number is the SNMP target port number.
Configuring the Routing Instance
Traps are sent over the default routing instance. To configure the routing instance for
sending traps, include the routing-instance statement at the [edit snmp v3 target-address
target-address-name] hierarchy level:
[edit snmp v3 target-address target-address-name]
routing-instance instance;
instance is the name of the routing instance. To configure a routing instance within a
logical system, specify the logical system name followed by the routing instance name.
Use a slash ( / ) to separate the two names (for example, test-lr/test-ri). To configure
the default routing instance on a logical system, specify the logical system name followed
by default (for example, test-lr/default).
Configuring the Trap Target Address
Each target-address statement can have one or more tags configured in its tag list. Each
tag can appear in more than one tag list. When a significant event occurs on the network
device, the tag list identifies the targets to which a notification is sent.
To configure the tag list, include the tag-list statement at the [edit snmp v3 target-address
target-address-name] hierarchy level:
[edit snmp v3 target-address target-address-name]
tag-list "tag-list";
tag-list specifies one or more tags as a space-separated list enclosed within double
quotes.
For an example of tag list configuration, see “Example: Configuring the Tag List” on
page 285.
For information about how to specify a tag at the [edit snmp v3 notify notify-name]
hierarchy level, see “Configuring the SNMPv3 Trap Notification” on page 280.
NOTE: When you configure SNMP traps, make sure your configured access
privileges allow the traps to be sent. Configure access privileges at the [edit
snmp v3 vacm access] hierarchy level.
Applying Target Parameters
The target-parameters statement at the [edit snmp v3] hierarchy level applies the target
parameters configured at the [edit snmp v3 target-parameters target-parameters-name]
hierarchy level.
To reference configured target parameters, include the target-parameters statement at
the [edit snmp v3 target-address target-address-name] hierarchy level:
[edit snmp v3 target-address target-address-name]
target-parameters target-parameters-name;
target-parameters-name is the name associated with the message processing and security
parameters that are used in sending notifications to a particular management target.
Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 278
• Configuring the SNMPv3 Trap Notification on page 280
• Configuring the Trap Notification Filter on page 281
• Defining and Configuring the Trap Target Parameters on page 285
• Configuring SNMP Informs on page 288
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
• Example: Configuring the Tag List on page 285
Example: Configuring the Tag List
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
In the following example, two tag entries (router1 and router2) are defined at the [edit
snmp v3 notify notify-name] hierarchy level. When an event triggers a notification, Junos
OS sends a trap to all target addresses that have router1 or router2 configured in their
target-address tag list. This results in the first two targets getting one trap each, and the
third target getting two traps.
[edit snmp v3]
notify n1 {
    tag router1; # Identifies a set of target addresses
    type trap; # Defines the type of notification
}
notify n2 {
    tag router2;
    type trap;
}
target-address ta1 {
    address 10.1.1.1;
    address-mask 255.255.255.0;
    port 162;
    tag-list router1;
    target-parameters tp1;
}
target-address ta2 {
    address 10.1.1.2;
    address-mask 255.255.255.0;
    port 162;
    tag-list router2;
    target-parameters tp2;
}
target-address ta3 {
    address 10.1.1.3;
    address-mask 255.255.255.0;
    port 162;
    tag-list "router1 router2"; # Define multiple tags in the target address tag list
    target-parameters tp3;
}
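The tag matching in this example, and the source range that each address and address-mask pair defines for community-string verification, can be checked with a short model. This is an added example, not Juniper code; the dictionaries are constructed from the configuration above and the function names are assumptions.

```python
import ipaddress
import shlex

# Constructed from the example above: notify tags and target-address entries.
NOTIFY = {"n1": "router1", "n2": "router2"}
TARGETS = {
    "ta1": {"address": "10.1.1.1", "mask": "255.255.255.0", "tag-list": "router1"},
    "ta2": {"address": "10.1.1.2", "mask": "255.255.255.0", "tag-list": "router2"},
    "ta3": {"address": "10.1.1.3", "mask": "255.255.255.0",
            "tag-list": '"router1 router2"'},
}


def tags(tag_list):
    """Split a tag-list value (optionally double-quoted, space-separated)."""
    return set(" ".join(shlex.split(tag_list)).split())


def deliveries(notify, targets):
    """Return (notify-name, target-name) pairs: one trap per matching tag."""
    return [(n, t) for n, tag in sorted(notify.items())
            for t, cfg in sorted(targets.items()) if tag in tags(cfg["tag-list"])]


def traps_per_target(notify, targets):
    """Count how many traps each target receives for a single event."""
    counts = {t: 0 for t in targets}
    for _, t in deliveries(notify, targets):
        counts[t] += 1
    return counts


def unmatched_tags(notify, targets):
    """Return (notify tags no target lists, target tags no notify entry uses)."""
    listed = set().union(*(tags(c["tag-list"]) for c in targets.values()))
    used = set(notify.values())
    return sorted(used - listed), sorted(listed - used)


def source_allowed(source, target):
    """True when source falls in the range defined by address plus address-mask."""
    net = ipaddress.ip_network(f'{target["address"]}/{target["mask"]}', strict=False)
    return ipaddress.ip_address(source) in net
```

With mask 255.255.255.0, every entry in the example covers the whole 10.1.1.0/24 range for source verification, not only the single listed host.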
Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS on page 278
• Configuring the Trap Target Address on page 282
• Minimum SNMPv3 Configuration on a Device Running Junos OS on page 262
Defining and Configuring the Trap Target Parameters
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
Target parameters define the message processing and security parameters that are used
in sending notifications to a particular management target.
To define a set of target parameters, include the target-parameters statement at the
[edit snmp v3] hierarchy level:
[edit snmp v3]
target-parameters target-parameters-name;
target-parameters-name is the name assigned to the target parameters.
To configure target parameter properties, include the following statements at the [edit
snmp v3 target-parameters target-parameter-name] hierarchy level:
[edit snmp v3 target-parameters target-parameter-name]
notify-filter profile-name;
parameters {
    message-processing-model (v1 | v2c | v3);
    security-level (authentication | none | privacy);
    security-model (usm | v1 | v2c);
    security-name security-name;
}
This topic includes the following sections:
• Applying the Trap Notification Filter on page 286
• Configuring the Target Parameters on page 286
Applying the Trap Notification Filter
To apply the trap notification filter, include the notify-filter statement at the [edit snmp
v3 target-parameters target-parameter-name] hierarchy level:
[edit snmp v3 target-parameters target-parameter-name]
notify-filter profile-name;
profile-name is the name of a configured notify filter. For information about configuring
notify filters, see “Configuring the Trap Notification Filter” on page 281.
Configuring the Target Parameters
To configure target parameter properties, include the following statements at the [edit
snmp v3 target-parameters target-parameter-name parameters] hierarchy level:
[edit snmp v3 target-parameters target-parameter-name parameters]
message-processing-model (v1 | v2c | v3);
security-level (authentication | none | privacy);
security-model (usm | v1 | v2c);
security-name security-name;
This section includes the following topics:
• Configuring the Message Processing Model on page 287
• Configuring the Security Model on page 287
• Configuring the Security Level on page 287
• Configuring the Security Name on page 288
Configuring the Message Processing Model
The message processing model defines which version of SNMP to use when generating
SNMP notifications. To configure the message processing model, include the
message-processing-model statement at the [edit snmp v3 target-parameters
target-parameter-name parameters] hierarchy level:
[edit snmp v3 target-parameters target-parameter-name parameters]
message-processing-model (v1 | v2c | v3);
• v1—SNMPv1 message processing model
• v2c—SNMPv2c message processing model
• v3—SNMPv3 message processing model
Configuring the Security Model
To define the security model to use when generating SNMP notifications, include the
security-model statement at the [edit snmp v3 target-parameters target-parameter-name
parameters] hierarchy level:
[edit snmp v3 target-parameters target-parameter-name parameters]
security-model (usm | v1 | v2c);
• usm—SNMPv3 security model
• v1—SNMPv1 security model
• v2c—SNMPv2c security model
Configuring the Security Level
The security-level statement specifies whether the trap is authenticated and encrypted
before it is sent.
To configure the security level to use when generating SNMP notifications, include the
security-level statement at the [edit snmp v3 target-parameters target-parameter-name
parameters] hierarchy level:
[edit snmp v3 target-parameters target-parameter-name parameters]
security-level (authentication | none | privacy);
• authentication—Provides authentication but no encryption.
• none—No security. Provides no authentication and no encryption.
• privacy—Provides authentication and encryption.
NOTE: If you are configuring the SNMPv1 or SNMPv2c security model, use
none as your security level. If you are configuring the SNMPv3 (USM)
security model, use the authentication or privacy security level.
Configuring the Security Name
To configure the security name to use when generating SNMP notifications, include the
security-name statement at the [edit snmp v3 target-parameters target-parameter-name
parameters] hierarchy level:
[edit snmp v3 target-parameters target-parameter-name parameters]
security-name security-name;
If the USM security model is used, the security-name identifies the user that is used when
the notification is generated. If the v1 or v2c security models are used, security-name
identifies the SNMP community used when the notification is generated.
NOTE: The access privileges for the group associated with a security name
must allow this notification to be sent.
If you are using the v1 or v2c security model, the security name at the [edit
snmp v3 vacm security-to-group] hierarchy level must match the security
name at the [edit snmp v3 snmp-community community-index] hierarchy level.
Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS
• Configuring the SNMPv3 Trap Notification
• Configuring the Trap Notification Filter
• Configuring the Trap Target Address
• Configuring SNMP Informs
• Minimum SNMPv3 Configuration on a Device Running Junos OS
Configuring SNMP Informs
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series, vSRX
Junos OS supports two types of notifications: traps and informs. With traps, the receiver
does not send any acknowledgment when it receives a trap. Therefore, the sender cannot
determine whether the trap was received, and a trap can be lost if a problem occurs during
transmission. An inform increases reliability: it is similar to a trap, except that the
inform is stored and retransmitted at regular intervals until one of these conditions occurs:
• The receiver (target) of the inform returns an acknowledgment to the SNMP agent.
• A specified number of unsuccessful retransmissions have been attempted and the
agent discards the inform message.
If the sender never receives a response, the inform can be sent again. Thus, informs are
more likely to reach their intended destination than traps are. Informs use the same
communications channel as traps (same socket and port) but have different protocol
data unit (PDU) types.
Informs are more reliable than traps, but they consume more network, router, and switch
resources (see Figure 4 on page 289). Unlike a trap, an inform is held in memory until a
response is received or the timeout is reached. Also, traps are sent only once, whereas
an inform may be retried several times. Use informs when it is important that the SNMP
manager receive all notifications. However, if you are more concerned about network
traffic, or router and switch memory, use traps.
Figure 4: Inform Request and Response
For information about configuring SNMP traps, see “Configuring SNMPv3 Traps on a
Device Running Junos OS” on page 278.
Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS
• Configuring the Remote Engine and Remote User
• Configuring the Inform Notification Type and Target Address
• Minimum SNMPv3 Configuration on a Device Running Junos OS
Configuring the Inform Notification Type and Target Address
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series
To configure the inform notification type and target information, include the following
statements at the [edit snmp v3] hierarchy level:
[edit snmp v3]
notify name {
    tag tag-name;
    type (trap | inform);
}
target-address target-address-name {
    address address;
    address-mask address-mask;
    logical-system logical-system;
    port port-number;
    retry-count number;
    routing-instance instance;
    tag-list tag-list;
    target-parameters target-parameters-name;
    timeout seconds;
}
target-parameters target-parameters-name {
    notify-filter profile-name;
    parameters {
        message-processing-model (v1 | v2c | v3);
        security-level (authentication | none | privacy);
        security-model (usm | v1 | v2c);
        security-name security-name;
    }
}
notify name is the name assigned to the notification. Each notify entry name must be
unique.
tag tag-name defines the target addresses that are sent this notification. The notification
is sent to all target addresses that have this tag in their tag list. The tag-name is not
included in the notification. For information about how to configure the tag list, see
“Configuring the Trap Target Address” on page 284.
type inform is the type of notification.
target-address target-address-name identifies the target address. The target address
defines a management application’s address and parameters that are used to respond
to informs.
timeout seconds is the number of seconds to wait for an acknowledgment. If no
acknowledgment is received within the timeout period, the inform is retransmitted. The
default timeout is 15 seconds.
retry-count number is the maximum number of times an inform is transmitted if no
acknowledgment is received. The default is 3. If no acknowledgment is received after
the inform is transmitted the maximum number of times, the inform message is discarded.
message-processing-model defines which version of SNMP to use when SNMP
notifications are generated. Informs require a v3 message processing model.
security-model defines the security model to use when SNMP notifications are generated.
Informs require a usm security model.
security-level specifies whether the inform is authenticated and encrypted before it is
sent. For the usm security model, the security level must be one of the following:
• authentication—Provides authentication but no encryption.
• privacy—Provides authentication and encryption.
security-name identifies the username that is used when generating the inform.
Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS
• Configuring SNMP Informs
• Configuring the Remote Engine and Remote User
• Minimum SNMPv3 Configuration on a Device Running Junos OS
• Example: Configuring the Inform Notification Type and Target Address
Example: Configuring the Inform Notification Type and Target Address
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
In the following example, target 172.17.20.184 is configured to respond to informs. The
inform timeout is 30 seconds and the maximum retransmit count is 3. The inform is sent
to all targets in the tl1 list. The security model for the remote user is usm and the remote
engine username is u10.
[edit snmp v3]
notify n1 {
    type inform;
    tag tl1;
}
notify-filter nf1 {
    oid .1.3 include;
}
target-address ta1 {
    address 172.17.20.184;
    retry-count 3;
    tag-list tl1;
    address-mask 255.255.255.0;
    target-parameters tp1;
    timeout 30;
}
target-parameters tp1 {
    parameters {
        message-processing-model v3;
        security-model usm;
        security-level privacy;
        security-name u10;
    }
    notify-filter nf1;
}
Related Documentation
• Configuring the Inform Notification Type and Target Address
• Minimum SNMPv3 Configuration on a Device Running Junos OS
Configuring the Remote Engine and Remote User
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
To send inform messages to an SNMPv3 user on a remote device, you must first specify
the engine identifier for the SNMP agent on the remote device where the user resides.
The remote engine ID is used to compute the security digest for authenticating and
encrypting packets sent to a user on the remote host. When sending an inform message,
the agent uses the credentials of the user configured on the remote engine (inform target).
To configure a remote engine and remote user to receive and respond to SNMP informs,
include the following statements at the [edit snmp v3] hierarchy level:
[edit snmp v3]
usm {
    remote-engine engine-id {
        user username {
            authentication-md5 {
                authentication-key key;
            }
            authentication-none;
            authentication-sha {
                authentication-key key;
            }
            privacy-3des {
                privacy-key key;
            }
            privacy-aes128 {
                privacy-key key;
            }
            privacy-des {
                privacy-key key;
            }
            privacy-none;
        }
    }
}
For informs, remote-engine engine-id is the identifier for the SNMP agent on the remote
device where the user resides.
For informs, user username is the user on a remote SNMP engine who receives the informs.
Informs generated can be unauthenticated, authenticated, or authenticated_and_encrypted,
depending on the security level of the SNMPv3 user configured on the remote engine
(the inform receiver). The authentication key is used to generate the message
authentication code (MAC). The privacy key is used to encrypt the inform PDU part of
the message.
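The rules stated in this chapter for inform targets (security model versus security level, informs requiring v3 and usm, the notify tag selecting target addresses, and the remote-engine user supplying the credentials) can be checked mechanically before a commit. The following Python check is an added example, not Juniper code; it assumes the configuration is available as set commands relative to [edit snmp v3], and both sample inputs and their key placeholders are constructed.

```python
import shlex

# Constructed input: the page's inform example as set commands relative to
# [edit snmp v3]; key values are placeholders, not real keys.
SAMPLE_GOOD = """
set notify n1 type inform
set notify n1 tag tl1
set target-address ta1 address 172.17.20.184
set target-address ta1 tag-list tl1
set target-address ta1 target-parameters tp1
set target-parameters tp1 parameters message-processing-model v3
set target-parameters tp1 parameters security-model usm
set target-parameters tp1 parameters security-level privacy
set target-parameters tp1 parameters security-name u10
set usm remote-engine 800007E5804089071BC6D10A41 user u10 authentication-md5 authentication-key "<auth-key>"
set usm remote-engine 800007E5804089071BC6D10A41 user u10 privacy-des privacy-key "<priv-key>"
"""

# Constructed input with three mistakes: tp2 mixes v2c with a non-none level,
# n2 is an inform sent through v2c parameters, and u10 has no privacy key.
SAMPLE_BAD = """
set notify n1 type inform
set notify n1 tag tl1
set notify n2 type inform
set notify n2 tag tl2
set target-address ta1 tag-list tl1
set target-address ta1 target-parameters tp1
set target-address ta2 tag-list tl2
set target-address ta2 target-parameters tp2
set target-parameters tp1 parameters message-processing-model v3
set target-parameters tp1 parameters security-model usm
set target-parameters tp1 parameters security-level privacy
set target-parameters tp1 parameters security-name u10
set target-parameters tp2 parameters message-processing-model v2c
set target-parameters tp2 parameters security-model v2c
set target-parameters tp2 parameters security-level authentication
set target-parameters tp2 parameters security-name comm1
set usm remote-engine 800007E5804089071BC6D10A41 user u10 authentication-sha authentication-key "<auth-key>"
"""

def parse(text):
    """Parse 'set ...' lines, relative to [edit snmp v3], into plain dicts."""
    cfg = {"notify": {}, "target-address": {}, "target-parameters": {}, "remote-user": {}}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 5 or tok[0] != "set":
            continue
        kind, name, rest = tok[1], tok[2], tok[3:]
        if kind == "notify" and len(rest) == 2:
            cfg["notify"].setdefault(name, {})[rest[0]] = rest[1]
        elif kind == "target-address":
            entry = cfg["target-address"].setdefault(name, {"tag-list": set()})
            if rest[0] == "tag-list":
                entry["tag-list"].update(" ".join(rest[1:]).strip("[]").split())
            else:
                entry[rest[0]] = rest[1]
        elif kind == "target-parameters" and rest[0] == "parameters" and len(rest) == 3:
            cfg["target-parameters"].setdefault(name, {})[rest[1]] = rest[2]
        elif kind == "usm" and name == "remote-engine" and len(rest) >= 4 and rest[1] == "user":
            # rest = [engine-id, "user", username, "authentication-md5", ...]
            cfg["remote-user"].setdefault(rest[2], set()).add(rest[3])
    return cfg

def lint(cfg):
    """Return a list of findings; an empty list means the rules are satisfied."""
    findings = []
    for name, p in sorted(cfg["target-parameters"].items()):
        model, level = p.get("security-model"), p.get("security-level")
        if model in ("v1", "v2c") and level != "none":
            findings.append(f"{name}: {model} security model requires security-level none")
        if model == "usm" and level not in ("authentication", "privacy"):
            findings.append(f"{name}: usm requires security-level authentication or privacy")
    for nname, n in sorted(cfg["notify"].items()):
        if n.get("type") != "inform":
            continue
        targets = {t: a for t, a in cfg["target-address"].items() if n.get("tag") in a["tag-list"]}
        if not targets:
            findings.append(f"{nname}: no target-address carries tag {n.get('tag')}")
        for tname, a in sorted(targets.items()):
            p = cfg["target-parameters"].get(a.get("target-parameters"), {})
            if p.get("message-processing-model") != "v3" or p.get("security-model") != "usm":
                findings.append(f"{nname}->{tname}: informs require message-processing-model v3 and security-model usm")
                continue
            user, level = p.get("security-name"), p.get("security-level")
            kinds = cfg["remote-user"].get(user)
            if kinds is None:
                findings.append(f"{nname}->{tname}: no remote-engine user named {user}")
                continue
            has_auth = any(k.startswith("authentication-") and k != "authentication-none" for k in kinds)
            has_priv = any(k.startswith("privacy-") and k != "privacy-none" for k in kinds)
            if level in ("authentication", "privacy") and not has_auth:
                findings.append(f"{nname}->{tname}: security-level {level} but remote user {user} has no authentication key")
            if level == "privacy" and not has_priv:
                findings.append(f"{nname}->{tname}: security-level privacy but remote user {user} has no privacy key")
    return findings

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, lint(parse(sample)))
```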
Related Documentation
• Configuring SNMPv3 Traps on a Device Running Junos OS
• Configuring SNMP Informs
• Configuring the Inform Notification Type and Target Address
• Minimum SNMPv3 Configuration on a Device Running Junos OS
• Example: Configuring the Remote Engine ID and Remote User
Example: Configuring the Remote Engine ID and Remote User
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
This example shows how to configure a remote engine and remote user so you can receive
and respond to SNMP inform notifications. Inform notifications can be authenticated
and encrypted. They are also more reliable than traps, another type of notification that
Junos OS supports. Unlike traps, inform notifications are stored and retransmitted at
regular intervals until one of these conditions occurs:
• The target of the inform notification returns an acknowledgment to the SNMP agent.
• A specified number of unsuccessful retransmissions have been attempted.
Requirements
No special configuration beyond device initialization is required before configuring this
example.
This feature requires the use of plain-text passwords valid for SNMPv3. SNMPv3 has the
following special requirements when you create plain-text passwords on a router or
switch:
• The password must be at least eight characters long.
• The password can include alphabetic, numeric, and special characters, but it cannot
include control characters.
Although quotation marks are not always required to enclose passwords, it is best to use
them. Quotation marks are required if the password contains spaces, and they might be
required for certain special characters or punctuation.
Overview
Inform notifications are supported in SNMPv3 to increase reliability. For example, an
SNMP agent receiving an inform notification acknowledges the receipt.
For inform notifications, the remote engine ID identifies the SNMP agent on the remote
device where the user resides, and the username identifies the user on a remote SNMP
engine who receives the inform notifications.
Consider a scenario in which you have the values in Table 27 on page 293 to use in
configuring the remote engine ID and remote user in this example.
Table 27: Values to Use in Example
Name of Variable | Value
username | u10
remote engine ID | 800007E5804089071BC6D10A41
authentication type | authentication-md5
authentication password | qol67R%?
encryption type | privacy-des
privacy password | m*72Jl9v
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands and paste them into a
text file, remove any line breaks and change any details necessary to match your network
configuration, copy and paste these commands into the CLI at the [edit snmp v3] hierarchy
level, and then enter commit from configuration mode.
set usm remote-engine 800007E5804089071BC6D10A41 user u10 authentication-md5 authentication-key "qol67R%?"
set usm remote-engine 800007E5804089071BC6D10A41 user u10 privacy-des privacy-key "m*72Jl9v"
Configuring the Remote Engine and Remote User
Step-by-Step Procedure
The following example requires that you navigate to various levels in the configuration
hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the Junos OS CLI User Guide.
To configure the remote engine ID and remote user:
1. Configure the remote engine ID, username, and authentication type and password.
[edit snmp v3]
user@host# set usm remote-engine 800007E5804089071BC6D10A41 user u10 authentication-md5 authentication-key "qol67R%?"
2. Configure the encryption type and privacy password.
You can configure only one encryption type per SNMPv3 user.
[edit snmp v3]
user@host# set usm remote-engine 800007E5804089071BC6D10A41 user u10 privacy-des privacy-key "m*72Jl9v"
Results
In configuration mode, confirm your configuration by entering the show command. If the
output does not display the intended configuration, repeat the instructions in this example
to correct the configuration.
[edit snmp v3]
user@host# show
usm {
    remote-engine 800007E5804089071BC6D10A41 {
        user u10 {
            authentication-md5 {
                authentication-key "$9$Tz/teK8NdsLXk.f5n6p0ORev"; ## SECRET-DATA
            }
            privacy-des {
                privacy-key "$9$/gyNCu1KvWdwYMWw2gJHkRhcrWx"; ## SECRET-DATA
            }
        }
    }
}
After you have confirmed that the configuration is correct, enter commit from configuration
mode.
Verification
Verifying the Configuration of the Remote Engine ID and Username
Purpose
Verify the status of the engine ID and user information.
Action
Display information about the SNMPv3 engine ID and user.
user@host> show snmp v3
Local engine ID: 80 00 0a 4c 01 0a ff 03 e3
Engine boots:   3
Engine time:    769187 seconds
Max msg size:   65507 bytes
Engine ID: 80 00 07 e5 80 40 89 07 1b c6 d1 0a 41
User    Auth/Priv    Storage        Status
u10     md5/des      nonvolatile    active
Meaning
The output displays the following information:
• Local engine ID and detail about the engine
• Remote engine ID (labeled Engine ID)
• Username
• Authentication type and encryption (privacy) type that is configured for the user
• Type of storage for the username, either nonvolatile (configuration saved) or volatile
(not saved)
• Status of the new user; only users with an active status can use SNMPv3
Related Documentation
• show snmp v3
• Configuring the SNMPv3 Encryption Type
• Configuring the SNMPv3 Authentication Type
• Configuring SNMP Informs
• Configuring the Remote Engine and Remote User
Configuring the Local Engine ID
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
By default, the local engine ID uses the default IP address of the router. The local engine
ID is the administratively unique identifier for the SNMPv3 engine. This statement is
optional. To configure the local engine ID, include the engine-id statement at the [edit
snmp] hierarchy level:
[edit snmp]
engine-id {
    (local engine-id-suffix | use-default-ip-address | use-mac-address);
}
• local engine-id-suffix—The engine ID suffix is explicitly configured.
• use-default-ip-address—The engine ID suffix is generated from the default IP address.
• use-mac-address—The SNMP engine identifier is generated from the Media Access
Control (MAC) address of the management interface on the router.
The local engine ID is defined as the administratively unique identifier of an SNMPv3
engine, and is used for identification, not for addressing. There are two parts of an engine
ID: prefix and suffix. The prefix is formatted according to the specifications defined in
RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP)
Management Frameworks. You can configure the suffix here.
NOTE: SNMPv3 authentication and encryption keys are generated based on
the associated passwords and the engine ID. If you configure or change the
engine ID, you must commit the new engine ID before you configure SNMPv3
users. Otherwise the keys generated from the configured passwords are
based on the previous engine ID. For the engine ID, we recommend using the
master IP address of the device if the device has multiple routing engines
and has the master IP address configured. Alternatively, you can use the MAC
address of the management port if the device has only one Routing Engine.
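The dependency described in this note, and in the remote engine section earlier in the chapter, can be seen by deriving a key by hand. The following Python code is an added example, not Juniper code: it implements the password-to-key and key-localization algorithm of RFC 3414 Appendix A.2 for MD5 and SHA-1, on the assumption that this is how the keys are derived from the configured password and engine ID. The "maplesyrup" vector is the RFC's own test case, the password and engine ID are those of Table 27, and the engine ID ending in 42 is constructed.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly this many bytes of repeated password

def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: digest of the password repeated (and truncated) to 1,048,576 bytes."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul: digest of Ku || snmpEngineID || Ku, which binds the key to one engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def localized_key(password: str, engine_id_hex: str, algo: str = "md5") -> bytes:
    """Derive the engine-specific key for a plain-text password."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize(password_to_key(password.encode(), algo), engine_id, algo)

def key_survives_engine_change(password: str, old_hex: str, new_hex: str,
                               algo: str = "md5") -> bool:
    """True only if the same password yields the same key under both engine IDs."""
    return localized_key(password, old_hex, algo) == localized_key(password, new_hex, algo)

# Values from Table 27 on this page.
PAGE_ENGINE_ID = "800007E5804089071BC6D10A41"
PAGE_AUTH_PASSWORD = "qol67R%?"
# Constructed: the same engine ID with its last byte changed.
CHANGED_ENGINE_ID = "800007E5804089071BC6D10A42"

if __name__ == "__main__":
    # RFC 3414 A.3.1 test vector, to confirm the implementation.
    print(localized_key("maplesyrup", "000000000000000000000002", "md5").hex())
    old = localized_key(PAGE_AUTH_PASSWORD, PAGE_ENGINE_ID)
    new = localized_key(PAGE_AUTH_PASSWORD, CHANGED_ENGINE_ID)
    print("key under page engine ID:   ", old.hex())
    print("key under changed engine ID:", new.hex())
    print("still valid after change:   ",
          key_survives_engine_change(PAGE_AUTH_PASSWORD, PAGE_ENGINE_ID, CHANGED_ENGINE_ID))
```

Because the engine ID is hashed into the key, a key derived before an engine ID change no longer matches what the peer computes, which is why the note requires committing the engine ID first.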
Related Documentation
• Minimum SNMPv3 Configuration on a Device Running Junos OS
• Example: SNMPv3 Configuration
Configuring the SNMPv3 Community
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, QFabric System, QFX Series, T Series
The SNMP community defines the relationship between an SNMP server system and the
client systems. This statement is optional.
To configure the SNMP community, include the snmp-community statement at the [edit
snmp v3] hierarchy level:
[edit snmp v3]
snmp-community community-index;
community-index is the index for the SNMP community.
To configure the SNMP community properties, include the following statements at the
[edit snmp v3 snmp-community community-index] hierarchy level:
[edit snmp v3 snmp-community community-index]
community-name community-name;
context context-name;
security-name security-name;
tag tag-name;
This section includes the following topics:
• Configuring the Community Name
• Configuring the Context
• Configuring the Security Names
• Configuring the Tag
Configuring the Community Name
The community name defines the SNMP community. The SNMP community authorizes
SNMPv1 or SNMPv2c clients. The access privileges associated with the configured security
name define which MIB objects are available and the operations (read, write, or notify)
allowed on those objects.
To configure the SNMP community name, include the community-name statement at
the [edit snmp v3 snmp-community community-index] hierarchy level:
[edit snmp v3 snmp-community community-index]
community-name community-name;
community-name is the community string for an SNMPv1 or SNMPv2c community.
If unconfigured, it is the same as the community index.
If the community name contains spaces, enclose it in quotation marks (" ").
NOTE: Community names must be unique. You cannot configure the same
community name at the [edit snmp community] and [edit snmp v3
snmp-community community-index] hierarchy levels. The configured
community name at the [edit snmp v3 snmp-community community-index]
hierarchy level is encrypted. You cannot view the community name after you
have configured it and committed your changes. In the command-line
interface (CLI), the community name is concealed.
Configuring the Context
An SNMP context defines a collection of management information that is accessible to
an SNMP entity. Typically, an SNMP entity has access to multiple contexts. A context
can be a physical or logical system, a collection of multiple systems, or even a subset of
a system. Each context in a management domain has a unique identifier.
To configure an SNMP context, include the context context-name statement at the [edit
snmp v3 snmp-community community-index] hierarchy level:
[edit snmp v3 snmp-community community-index]
context context-name;
NOTE: To query a routing instance or a logical system,
Configuring the Security Names
To assign a community string to a security name, include the security-name statement
at the [edit snmp v3 snmp-community community-index] hierarchy level:
[edit snmp v3 snmp-community community-index]
security-name security-name;
security-name is used when access control is set up. The security-to-group configuration
at the [edit snmp v3 vacm] hierarchy level identifies the group.
NOTE: This security name must match the security name configured at the
[edit snmp v3 target-parameters target-parameters-name parameters] hierarchy
level when you configure traps.
Configuring the Tag
To configure the tag, include the tag statement at the [edit snmp v3 snmp-community
community-index] hierarchy level:
[edit snmp v3 snmp-community community-index]
tag tag-name;
tag-name identifies the address of managers that are allowed to use a community string.
Related Documentation
• Creating SNMPv3 Users
• Minimum SNMPv3 Configuration on a Device Running Junos OS
• Example: Configuring an SNMPv3 Community
Example: Configuring an SNMPv3 Community
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series
This example shows how to configure an SNMPv3 community.
Requirements
No special configuration beyond device initialization is required before configuring this
example.
Overview
This example demonstrates how to create an SNMPv3 community. Define the SNMP
community name, specify the security name used for access control, and define the tag
name, which identifies the address of managers that are allowed to use a community
string. The target address defines a management application's address and parameters
that are used in sending notifications.
When the device receives a packet with a recognized community string and a tag is
associated with that packet, the Junos software looks up all the target addresses with
this tag and verifies that the source address of this packet matches one of the configured
target addresses.
Specify where you want the traps to be sent and define what SNMPv1 and SNMPv2c
packets are allowed. Specify the target address name that identifies the target address,
and define the target address, the mask range of the address, the port number, the tag
list, and the target parameter.
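The source-address check described in this overview can be modelled to see which managers a given address and mask actually admit. The following Python model is an added example, not Juniper code. It assumes that a source matches when (source AND mask) equals (address AND mask), that a target address without a mask matches only that host, and that a community with no tag is not source-checked (the behaviour RFC 3584 defines for an empty transport tag). The data mirrors this example's index1 and ta1 entries, and the tightened variant is constructed.

```python
import ipaddress

# Constructed data mirroring this example: community "public" (index1) carries
# tag router1, and target-address ta1 lists that tag.
COMMUNITIES = {"public": {"security-name": "john", "tag": "router1"}}
TARGETS = {
    "ta1": {"address": "10.1.1.1", "address-mask": "255.255.255.0",
            "tag-list": {"router1"}},
}
# Constructed variant: same target restricted to the single manager host.
TARGETS_TIGHT = {
    "ta1": {"address": "10.1.1.1", "address-mask": "255.255.255.255",
            "tag-list": {"router1"}},
}

def target_network(target):
    """Range of source addresses a target-address entry admits (assumed rule)."""
    mask = target.get("address-mask", "255.255.255.255")  # assumption: host match
    return ipaddress.ip_network(f"{target['address']}/{mask}", strict=False)

def check_request(community, src, communities, targets):
    """Return (allowed, detail) for an SNMPv1/v2c request from address src."""
    entry = communities.get(community)
    if entry is None:
        return (False, "unknown community")
    tag = entry.get("tag")
    if not tag:
        return (True, "no tag configured: source address not checked")
    ip = ipaddress.ip_address(src)
    for name in sorted(targets):
        target = targets[name]
        if tag in target["tag-list"] and ip in target_network(target):
            return (True, name)
    return (False, "source matches no target-address tagged " + tag)

if __name__ == "__main__":
    print("ta1 admits", target_network(TARGETS["ta1"]))
    for src in ("10.1.1.1", "10.1.1.200", "10.1.2.1"):
        print(src, "with /24 mask:", check_request("public", src, COMMUNITIES, TARGETS))
        print(src, "with /32 mask:", check_request("public", src, COMMUNITIES, TARGETS_TIGHT))
```

With the mask 255.255.255.0 used in this example, every host in 10.1.1.0/24 passes the check, not only 10.1.1.1.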
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit snmp v3] hierarchy
level, and then enter commit from configuration mode.
set snmp-community index1 community-name "public"
set snmp-community index1 security-name john
set snmp-community index1 tag router1
set target-address ta1 address 10.1.1.1
set target-address ta1 address-mask 255.255.255.0
set target-address ta1 port 162
set target-address ta1 tag-list router1
set target-address ta1 target-parameters tp1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
1. Configure the SNMP community name.
[edit snmp v3]
user@host# set snmp-community index1 community-name "public"
NOTE: The SNMP community name must be unique.
2. Configure the security name to perform access control.
[edit snmp v3]
user@host# set snmp-community index1 security-name john
3. Define the tag name. The tag name identifies the address of managers that are
allowed to use a community string.
[edit snmp v3]
user@host# set snmp-community index1 tag router1
4. Configure the SNMP target address.
[edit snmp v3]
user@host# set target-address ta1 address 10.1.1.1
5. Configure the mask range of the address for the community string access control.
[edit snmp v3]
user@host# set target-address ta1 address-mask 255.255.255.0
6. Configure the SNMPv3 target port number.
[edit snmp v3]
user@host# set target-address ta1 port 162
7. Configure the SNMPv3 tag list to select the target addresses.
[edit snmp v3]
user@host# set target-address ta1 tag-list router1
8. Configure the SNMPv3 target parameter name in the target parameter table.
[edit snmp v3]
user@host# set target-address ta1 target-parameters tp1
Results
From configuration mode, confirm your configuration by entering the show snmp v3
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example.
[edit]
user@host# show snmp v3
target-address ta1 {
    address 10.1.1.1;
    port 162;
    tag-list router1;
    address-mask 255.255.255.0;
    target-parameters tp1;
}
snmp-community index1 {
    community-name "$9$JOZi.QF/AtOz3"; ## SECRET-DATA
    security-name john;
    tag router1;
}
Verification
Verifying SNMPv3 community
Purpose
Verify if SNMPv3 community is enabled.
Action
To verify SNMPv3 community configuration, enter the show snmp v3 community command.
If the output does not display the intended configuration, repeat the instructions in this
example to correct the configuration.
Community    Security    Context    Tag        Storage        Status
index1       john                   router1    nonvolatile    active
Meaning
The output displays the information about SNMPv3 community being enabled on the
system.
Related Documentation
• Configuring the SNMPv3 Community
• Minimum SNMPv3 Configuration on a Device Running Junos OS
CHAPTER 11
Configuring SNMP for Routing Instances
• Understanding SNMP Support for Routing Instances
• SNMP MIBs Supported for Routing Instances
• Support Classes for MIB Objects
• SNMP Traps Supported for Routing Instances
• Identifying a Routing Instance
• Enabling SNMP Access over Routing Instances
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community
• Example: Configuring Interface Settings for a Routing Instance
• Configuring Access Lists for SNMP Access over Routing Instances
Understanding SNMP Support for Routing Instances
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, T Series
Junos OS enables SNMP managers for all routing instances to request and manage SNMP
data related to the corresponding routing instances and logical system networks.
In Junos OS:
• Clients from routing instances other than the default can access MIB objects and
perform SNMP operations only on the logical system networks to which they belong.
• Clients from the default routing instance can access information related to all routing
instances and logical system networks.
Before Junos OS Release 8.4, only the SNMP manager in the default routing instance
(inet.0) had access to the MIB objects.
With the increase in virtual private network (VPN) service offerings, this feature is useful
particularly for service providers who need to obtain SNMP data for specific routing
instances (see Figure 5 on page 304). Service providers can use this information for their
own management needs or export the data for use by their customers.
Figure 5: SNMP Data for Routing Instances
If no routing instance is specified in the request, the SNMP agent operates as before:
• For nonrouting table objects, all instances are exposed.
• For routing table objects, only those associated with the default routing instance are
exposed.
NOTE: The actual protocol data units (PDUs) are still exchanged over the
default (inet.0) routing instance, but the data contents returned are
dictated by the routing instance specified in the request PDUs.
Related Documentation
• Support Classes for MIB Objects
• SNMP Traps Supported for Routing Instances
• Identifying a Routing Instance
• Enabling SNMP Access over Routing Instances
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community
• Configuring Access Lists for SNMP Access over Routing Instances
SNMP MIBs Supported for Routing Instances
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
Table 28 on page 304 shows enterprise-specific MIB objects supported by Junos OS and
provides notes detailing how they are handled when a routing instance is specified in an
SNMP request. An en dash (–) indicates that the item is not applicable.
Table 28: MIB Support for Routing Instances (Juniper Networks MIBs)
304
Object
Support Class
Description/Notes
jnxProducts(1)
–
Product Object IDs
Copyright © 2018, Juniper Networks, Inc.
Chapter 11: Configuring SNMP for Routing Instances
Table 28: MIB Support for Routing Instances (Juniper Networks
MIBs) (continued)
Object
Support Class
Description/Notes
jnxServices(2)
–
Services
jnxMibs(3)
Class 3
Objects are exposed only for the default
logical system.
mpls(2)
Class 2
All instances within a logical system are
exposed. Data will not be segregated down
to the routing instance level.
ifJnx(3)
Class 1
Only those logical interfaces (and their
parent physical interfaces) that belong to
a specific routing instance are exposed.
jnxAlarms(4)
Class 3
Objects are exposed only for the default
logical system.
jnxFirewalls(5)
Class 4
Data is not segregated by routing instance.
All instances are exposed.
jnxDCUs(6)
Class 1
Only those logical interfaces (and their
parent physical interfaces) that belong to
a specific routing instance are exposed.
jnxPingMIB(7)
Class 3
Objects are exposed only for the default
logical system.
jnxTraceRouteMIB(8)
Class 3
Objects are exposed only for the default
logical system.
jnxATM(10)
Class 1
Only those logical interfaces (and their
parent physical interfaces) that belong to
a specific routing instance are exposed.
jnxIpv6(11)
Class 4
Data is not segregated by routing instance.
All instances are exposed.
jnxIpv4(12)
Class 1
jnxIpv4AddrTable(1). Only those logical
interfaces (and their parent physical
interfaces) that belong to a specific routing
instance are exposed.
jnxRmon(13)
Class 3
jnxRmonAlarmTable(1). Objects are
exposed only for the default logical
system.
jnxLdp(14)
Class 2
jnxLdpTrapVars(1). All instances within a
logical system are exposed. Data will not
be segregated down to the routing
instance level.
jnxBoxAnatomy(1)
Copyright © 2018, Juniper Networks, Inc.
305
Network Management and Monitoring Guide
Table 28: MIB Support for Routing Instances (Juniper Networks
MIBs) (continued)
Object
Support Class
Description/Notes
jnxCos(15)
Class 3
Objects are exposed only for the default
logical system.
Class 1
Only those logical interfaces (and their
parent physical interfaces) that belong to
a specific routing instance are exposed.
Class 1
Only those logical interfaces (and their
parent physical interfaces) that belong to
a specific routing instance are exposed.
jnxCfgMgmt(18)
Class 3
Objects are exposed only for the default
logical system.
jnxPMon(19)
Class 1
Only those logical interfaces (and their
parent physical interfaces) that belong to
a specific routing instance are exposed.
Class 1
Only those logical interfaces (and their
parent physical interfaces) that belong to
a specific routing instance are exposed.
Class 1
Only those logical interfaces (and their
parent physical interfaces) that belong to
a specific routing instance are exposed.
ipSecFlowMonitorMIB(22)
–
–
jnxMac(23)
Class 1
Only those logical interfaces (and their
parent physical interfaces) that belong to
a specific routing instance are exposed.
apsMIB(24)
Class 3
Objects are exposed only for the default
logical system.
jnxChassisDefines(25)
Class 3
Objects are exposed only for the default
logical system.
jnxCosIfqStatsTable(1)
jnxCosFcTable(2)
jnxCosFcIdTable(3)
jnxCosQstatTable(4)
jnxScu(16)
jnxScuStatsTable(1)
jnxRpf(17)
jnxRpfStatsTable(1)
jnxPMonFlowTable(1)
jnxPMonErrorTable(2)
jnxPMonMemoryTable(3)
jnxSonet(20)
jnxSonetAlarmTable(1)
jnxAtmCos(21)
jnxCosAtmVcTable(1)
jnxCosAtmScTable(2)
jnxCosAtmVcQstatsTable(3)
jnxCosAtmTrunkTable(4)
jnxMacStats(1)
jnxVpnMIB(26)
Class 2
All instances within a logical system are
exposed. Data will not be segregated down
to the routing instance level.
jnxServicesInfoMib(27)
Class 1
Only those logical interfaces (and their
parent physical interfaces) that belong to
a specific routing instance are exposed.
jnxCollectorMIB(28)
Class 1
Only those logical interfaces (and their
parent physical interfaces) that belong to
a specific routing instance are exposed.
jnxHistory(29)
–
–
jnxSpMIB(32)
Class 3
Objects are exposed only for the default
logical system.
Table 29 on page 308 shows Class 1 MIB objects (standard and enterprise-specific MIBs)
supported by Junos OS. With Class 1 objects, only those logical interfaces (and their
parent physical interfaces) that belong to a specific routing instance are exposed.
Table 29: Class 1 MIB Objects (Standard and Juniper MIBs)
Class
MIB
Objects
Class 1
802.3ad.mib
(dot3adAgg) MIB objects:
dot3adAggTable
dot3adAggPortListTable
(dot3adAggPort)
dot3adAggPortTable
dot3adAggPortStatsTable
dot3adAggPortDebugTable
rfc2863a.mib
ifTable
ifXTable
ifStackTable
rfc2011a.mib
ipAddrTable
ipNetToMediaTable
rtmib.mib
ipForward (ipCidrRouteTable)
rfc2665a.mib
dot3StatsTable
dot3ControlTable
dot3PauseTable
rfc2495a.mib
dsx1ConfigTable
dsx1CurrentTable
dsx1IntervalTable
dsx1TotalTable
dsx1FarEndCurrentTable
dsx1FarEndIntervalTable
dsx1FarEndTotalTable
dsx1FracTable ...
rfc2496a.mib
dsx3 (dsx3ConfigTable)
rfc2115a.mib
frDlcmiTable (and related MIB objects)
rfc3592.mib
sonetMediumTable (and related MIB
objects)
rfc3020.mib
mfrMIB
mfrBundleTable
mfrMibBundleLinkObjects
mfrBundleIfIndexMappingTable
(and related MIB objects)
ospf2mib.mib
All objects
ospf2trap.mib
All objects
bgpmib.mib
All objects
rfc2819a.mib
Example: etherStatsTable
Class 1
rfc2863a.mib
Examples:
ifXTable
ifStackTable
rfc2665a.mib
etherMIB
rfc2515a.mib
atmMIB objects
Examples:
atmInterfaceConfTable
atmVplTable
atmVclTable
rfc2465.mib
ip-v6mib
Examples:
ipv6IfTable
ipv6AddrPrefixTable
ipv6NetToMediaTable
ipv6RouteTable
rfc2787a.mib
vrrp mib
rfc2932.mib
ipMRouteMIB
ipMRouteStdMIB
mroutemib.mib
ipMRoute1MIBObjects
isismib.mib
isisMIB
pimmib.mib
pimMIB
msdpmib.mib
msdpmib
jnx-if-extensions.mib
Examples:
ifJnxTable
ifChassisTable
jnx-dcu.mib
jnxDCUs
jnx-atm.mib
Examples:
jnxAtmIfTable
jnxAtmVCTable
jnxAtmVpTable
jnx-ipv4.mib
jnxipv4
Example: jnxIpv4AddrTable
jnx-cos.mib
Examples:
jnxCosIfqStatsTable
jnxCosQstatTable
Class 1
jnx-scu.mib
Example: jnxScuStatsTable
jnx-rpf.mib
Example: jnxRpfStatsTable
jnx-pmon.mib
Example: jnxPMonFlowTable
jnx-sonet.mib
Example: jnxSonetAlarmTable
jnx-atm-cos.mib
Examples:
jnxCosAtmVcTable
jnxCosAtmVcScTable
jnxCosAtmVcQstatsTable
jnxCosAtmTrunkTable
jnx-mac.mib
Example: jnxMacStatsTable
jnx-services.mib
Example: jnxSvcFlowTableAggStatsTable
jnx-coll.mib
jnxCollectorMIB
Examples:
jnxCollPicIfTable
jnxCollFileEntry
Table 30 on page 312 shows Class 2 MIB objects (standard and enterprise-specific MIBs)
supported by Junos OS. With Class 2 objects, all instances within a logical system are
exposed. Data will not be segregated down to the routing instance level.
Table 30: Class 2 MIB Objects (Standard and Juniper MIBs)
Class
MIB
Objects
Class 2
rfc3813.mib
mplsLsrStdMIB
Examples:
mplsInterfaceTable
mplsInSegmentTable
mplsOutSegmentTable
mplsLabelStackTable
mplsXCTable
(and related MIB objects)
igmpmib.mib
igmpStdMIB
NOTE: The igmpmib.mib is the draft
version of the IGMP Standard MIB in the
experimental tree. Junos OS does not
support the original IGMP Standard MIB.
l3vpnmib.mib
mplsVpnmib
jnx-mpls.mib
Example: mplsLspList
jnx-ldp.mib
jnxLdp
Example: jnxLdpStatsTable
jnx-vpn.mib
jnxVpnMIB
jnx-bgpmib2.mib
jnxBgpM2Experiment
Table 31 on page 313 shows Class 3 MIB objects (standard and enterprise-specific MIBs)
supported by Junos OS. With Class 3, objects are exposed only for the default logical
system.
Table 31: Class 3 MIB Objects (Standard and Juniper MIBs)
Class
MIB
Objects
Class 3
rfc2819a.mib
rmonEvents
alarmTable
logTable
eventTable
agentxMIB
rfc2925a.mib
pingmib
rfc2925b.mib
tracerouteMIB
jnxchassis.mib
jnxBoxAnatomy
jnx-chassis-alarm.mib
jnxAlarms
jnx-ping.mib
jnxPingMIB
jnx-traceroute.mib
jnxTraceRouteMIB
jnx-rmon.mib
jnxRmonAlarmTable
jnx-cos.mib
Example: jnxCosFcTable
jnx-cfgmgmt.mib
Example: jnxCfgMgmt
jnx-sonetaps.mib
apsMIBObjects
jnx-sp.mib
jnxSpMIB
ggsn.mib
ejnmobileipABmib
rfc1907.mib
snmpModules
snmpModules
Examples:
snmpMIB snmpFrameworkMIB
Table 32 on page 314 shows Class 4 MIB objects (standard and enterprise-specific MIBs)
supported by Junos OS. With Class 4 objects, data is not segregated by routing instance.
All instances are exposed.
Table 32: Class 4 MIB Objects (Standard and Juniper MIBs)
Class
MIB
Objects
Class 4
system
Example: sysORTable
rfc2011a.mib
ip (ipDefaultTTL, ipInReceives)
icmp
rfc2012a.mib
tcp
tcpConnTable
ipv6TcpConnTable
rfc2013a.mib
udp
udpTable
ipv6UdpTable
rfc2790a.mib
hrSystem
rfc2287a.mib
sysApplOBJ
jnx-firewall.mib
jnxFirewalls
jnx-ipv6.mib
jnxIpv6
Related Documentation
• Understanding SNMP Support for Routing Instances on page 303
• Support Classes for MIB Objects on page 314
• SNMP Traps Supported for Routing Instances on page 315
Support Classes for MIB Objects
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
When a routing instance is specified, all routing-related MIB objects return data maintained
by the routing instance in the request. For all other MIB objects, the data returned is
segregated according to that routing instance. For example, only those interfaces assigned
to that routing instance (for example, the logical interfaces [ifls] as well as their
corresponding physical interfaces [ifds]) are exposed by the SNMP agent. Similarly,
objects with an unambiguous attachment to an interface (for example, addresses) are
segregated as well.
For those objects where the attachment is ambiguous (for example, objects in
sysApplMIB), no segregation is done and all instances are visible in all cases.
Another category of objects is visible only when no logical system is specified (only within
the default logical system) regardless of the routing instance within the default logical
system. Objects in this category are Chassis MIB objects, objects in the SNMP group,
RMON alarm, event and log groups, Ping MIB objects, configuration management objects,
and V3 objects.
In summary, to support routing instances, MIB objects fall into one of the following
categories:
• Class 1: Data is segregated according to the routing instance in the request. This is the
  most granular of the segregation classes.
• Class 2: Data is segregated according to the logical system specified in the request.
  The same data is returned for all routing instances that belong to a particular logical
  system. Typically, this applies to routing table objects where it is difficult to extract
  routing instance information or where routing instances do not apply.
• Class 3: Data is exposed only for the default logical system. The same set of data is
  returned for all routing instances that belong to the default logical system. If you specify
  another logical system (not the default), no data is returned. Typically this class applies
  to objects implemented in subagents that do not monitor logical system changes and
  register their objects using only the default context (for example, Chassis MIB objects).
• Class 4: Data is not segregated by routing instance. The same data is returned for all
  routing instances. Typically, this applies to objects implemented in subagents that
  monitor logical system changes and register or deregister all their objects for each
  logical system change. Objects whose values cannot be segregated by routing instance
  fall into this class.
See “SNMP MIBs Supported for Routing Instances” on page 304 for a list of the objects
associated with each class.
Related Documentation
• Understanding SNMP Support for Routing Instances on page 303
• SNMP Traps Supported for Routing Instances on page 315
SNMP Traps Supported for Routing Instances
Supported Platforms
M Series, MX Series, PTX Series, T Series
You can restrict the trap receivers from receiving traps that are not related to the logical
system networks to which they belong. To do this, include the logical-system-trap-filter
statement at the [edit snmp] hierarchy level:
[edit snmp]
logical-system-trap-filter;
If the logical-system-trap-filter statement is not included in the SNMP configuration, all
traps are forwarded to the configured routing instance destinations. However, even when
this statement is configured, the trap receiver associated with the default routing instance
will receive all SNMP traps.
When configured under the trap-group object, all v1 and v2c traps that apply to routing
instances (or interfaces belonging to a routing instance) have the routing instance name
encoded in the community string. The encoding is identical to that used in request PDUs.
For traps configured under the v3 framework, the routing instance name is carried in the
context field when the v3 message processing model has been configured. For other
message processing models (v1 or v2c), the routing instance name is not carried in the
trap message header (and not encoded in the community string).
Related Documentation
• Understanding SNMP Support for Routing Instances on page 303
• Support Classes for MIB Objects on page 314
• SNMP MIBs Supported for Routing Instances on page 304
Identifying a Routing Instance
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
With this feature, a routing instance is identified either by the context field in v3 requests
or by a name encoded in the community string in v1 or v2c requests.
When encoded in a community string, the routing instance name appears first and is
separated from the actual community string by the @ character.
To avoid conflicts with valid community strings that contain the @ character, the
community is parsed only if typical community string processing fails. For example, if a
routing instance named RI is configured, an SNMP request with RI@public is processed
within the context of the RI routing instance. Access control (views, source address
restrictions, access privileges, and so on) is applied according to the actual community
string (the set of data after the @ character—in this case public). However, if the
community string RI@public is configured, the protocol data unit (PDU) is processed
according to that community and the embedded routing instance name is ignored.
Logical systems perform a subset of the actions of a physical router and have their own
unique routing tables, interfaces, policies, and routing instances. When a routing instance
is defined within a logical system, the logical system name must be encoded along with
the routing instance using a slash ( / ) to separate the two. For example, if the routing
instance RI is configured within the logical system LS, that routing instance must be
encoded within a community string as LS/RI@public. When a routing instance is configured
outside a logical system (within the default logical system), no logical system name (or
/ character) is needed.
Also, when a logical system is created, a default routing instance (named default) is
always created within the logical system. This name should be used when querying data
for that routing instance (for example, LS/default@public). For v3 requests, the name in the
form logical system/routing instance should be specified directly in the context field.
NOTE: To identify a virtual LAN (VLAN) spanning-tree instance (VSTP on
MX Series 3D Universal Edge Routers), specify the routing instance name
followed by a double colon (::) and the VLAN ID. For example, to identify
VSTP instance for VLAN 10 in the global default routing instance, include
default::10@public in the context (SNMPv3) or community (SNMPv1 or v2)
string.
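The parsing and precedence rules described in this section, as an added Python example (not Junos OS code and not part of the original guide). The names RequestScope and resolve_community are hypothetical, splitting at the first @ character is an assumption, and the sample strings in the test are the ones used in the text.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class RequestScope:
    logical_system: Optional[str]    # None: default logical system
    routing_instance: Optional[str]  # None: no instance name was used
    vlan_id: Optional[int]           # VSTP instance selector (name::vlan-id)
    community: str                   # string that access control is applied to


def resolve_community(received: str, configured: Set[str]) -> RequestScope:
    """Map a received v1/v2c community string to the scope it selects."""
    # Typical processing comes first: a configured community that matches
    # exactly wins, and any embedded instance name is ignored.
    if received in configured:
        return RequestScope(None, None, None, received)

    # Only after that lookup fails is the string parsed as name@community.
    # Assumption of this example: the split is made at the first @ character.
    name, at, community = received.partition("@")
    if not at or not name:
        raise LookupError("unknown community")
    if community not in configured:
        raise LookupError("unknown community after the @ character")

    # Optional VSTP selector: routing-instance::vlan-id
    vlan_id = None
    name, colons, vlan = name.partition("::")
    if colons:
        if not vlan.isdigit():
            raise ValueError("VLAN ID must be numeric")
        vlan_id = int(vlan)

    # Optional logical system: logical-system/routing-instance
    logical_system = None
    if "/" in name:
        logical_system, name = name.split("/", 1)
        if not logical_system:
            raise ValueError("empty logical system name")
    if not name:
        raise ValueError("empty routing instance name")
    return RequestScope(logical_system, name, vlan_id, community)
```

When reviewing SNMP request logs, note that the prefix before @ selects which instance's data is returned, while views and source restrictions follow the part after it.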
Related Documentation
• Understanding SNMP Support for Routing Instances on page 303
• Enabling SNMP Access over Routing Instances on page 317
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community on page 317
Enabling SNMP Access over Routing Instances
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, T Series
To enable SNMP managers in routing instances other than the default routing instance
to access SNMP information, include the routing-instance-access statement at the [edit
snmp] hierarchy level:
[edit snmp]
routing-instance-access;
If this statement is not included in the SNMP configuration, SNMP managers from routing
instances other than the default routing instance cannot access SNMP information. This
setting applies to requests for any version of SNMP (SNMP v1, v2, or v3).
Related Documentation
• Understanding SNMP Support for Routing Instances on page 303
• Identifying a Routing Instance on page 316
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community on page 317
• Configuring Access Lists for SNMP Access over Routing Instances on page 320
Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, T Series
You can specify the routing instance along with the client information when you add a
client to an SNMP community. To specify the routing instance to which a client belongs,
include the routing-instance statement followed by the routing instance name and client
information in the SNMP configuration.
The following example shows the configuration statement to add routing instance test-ri
to SNMP community community1.
NOTE: Routing instances specified at the [edit snmp community
community-name] hierarchy level are added to the default logical system in
the community.
[edit snmp]
community community1 {
    clients {
        10.209.152.33/32;
    }
    routing-instance test-ri {
        clients {
            10.19.19.1/32;
        }
    }
}
If the routing instance is defined within a logical system, include the routing-instance
statement at the [edit snmp community community-name logical-system
logical-system-name] hierarchy level, as in the following example:
[edit snmp]
community community1 {
    clients {
        10.209.152.33/32;
    }
    logical-system test-LS {
        routing-instance test-ri {
            clients {
                10.19.19.1/32;
            }
        }
    }
}
Related Documentation
• Understanding SNMP Support for Routing Instances on page 303
• Identifying a Routing Instance on page 316
• Enabling SNMP Access over Routing Instances on page 317
• Configuring Access Lists for SNMP Access over Routing Instances on page 320
• Example: Configuring Interface Settings for a Routing Instance on page 318
Example: Configuring Interface Settings for a Routing Instance
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
This example shows an 802.3ad ae0 interface configuration allocated to a routing instance
named INFrtd:
[edit chassis]
aggregated-devices {
    ethernet {
        device-count 5;
    }
}
[edit interfaces ae0]
vlan-tagging;
aggregated-ether-options {
    minimum-links 2;
    link-speed 100m;
}
unit 0 {
    vlan-id 100;
    family inet {
        address 10.1.0.1/24;
    }
}
[edit interfaces fe-1/1/0]
fastether-options {
    802.3ad ae0;
}
[edit interfaces fe-1/1/1]
fastether-options {
    802.3ad ae0;
}
[edit routing-instances]
INFrtd {
    instance-type virtual-router;
    interface fe-1/1/0.0;
    interface fe-1/1/1.0;
    interface fe-1/1/5.0;
    interface ae0.0;
    protocols {
        ospf {
            area 0.0.0.0 {
                interface all;
            }
        }
    }
}
The following snmpwalk command shows how to retrieve SNMP-related information
from router1 for the 802.3ad bundle interface belonging to routing instance INFrtd, using
the SNMP community public:
router# snmpwalk -Os router1 INFrtd@public dot3adAggTable
dot3adAggMACAddress.59 = 0:90:69:92:93:f0
dot3adAggMACAddress.65 = 0:90:69:92:93:f0
dot3adAggActorSystemPriority.59 = 0
dot3adAggActorSystemPriority.65 = 0
dot3adAggActorSystemID.59 = 0:0:0:0:0:0
dot3adAggActorSystemID.65 = 0:0:0:0:0:0
dot3adAggAggregateOrIndividual.59 = true(1)
dot3adAggAggregateOrIndividual.65 = true(1)
dot3adAggActorAdminKey.59 = 0
dot3adAggActorAdminKey.65 = 0
dot3adAggActorOperKey.59 = 0
dot3adAggActorOperKey.65 = 0
dot3adAggPartnerSystemID.59 = 0:0:0:0:0:0
dot3adAggPartnerSystemID.65 = 0:0:0:0:0:0
dot3adAggPartnerSystemPriority.59 = 0
dot3adAggPartnerSystemPriority.65 = 0
dot3adAggPartnerOperKey.59 = 0
dot3adAggPartnerOperKey.65 = 0
dot3adAggCollectorMaxDelay.59 = 0
dot3adAggCollectorMaxDelay.65 = 0
Related Documentation
• Understanding SNMP Support for Routing Instances on page 303
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community on page 317
Configuring Access Lists for SNMP Access over Routing Instances
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, T Series
You can create and maintain access lists to manage access to SNMP information. Access
list configuration enables you to allow or deny SNMP access to clients of a specific routing
instance, and applies to requests for any version of SNMP.
The following example shows how to create an access list:
[edit snmp]
routing-instance-access {
    access-list {
        ri1 restrict;
        ls1/default;
        ls1/ri2;
        ls1*;
    }
}
The configuration given in the example:
• Restricts clients in ri1 from accessing SNMP information.
• Allows clients in ls1/default, ls1/ri2, and all other routing instances with names starting
  with ls1 to access SNMP information.
You can use the wildcard character (*) to represent a string in the routing instance name.
NOTE: You cannot restrict the SNMP manager of the default routing instance
from accessing SNMP information.
Related Documentation
• Understanding SNMP Support for Routing Instances on page 303
• Enabling SNMP Access over Routing Instances on page 317
• Specifying a Routing Instance in an SNMPv1 or SNMPv2c Community on page 317
CHAPTER 12
Configuring SNMP Remote Operations
• SNMP Remote Operations Overview on page 321
• Using the Ping MIB for Remote Monitoring Devices Running Junos OS on page 324
• Starting a Ping Test on page 325
• Monitoring a Running Ping Test on page 326
• Gathering Ping Test Results on page 329
• Stopping a Ping Test on page 330
• Interpreting Ping Variables on page 330
• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 331
• Starting a Traceroute Test on page 332
• Monitoring a Running Traceroute Test on page 333
• Monitoring Traceroute Test Completion on page 337
• Gathering Traceroute Test Results on page 338
• Stopping a Traceroute Test on page 339
• Interpreting Traceroute Variables on page 340
SNMP Remote Operations Overview
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
An SNMP remote operation is any process on the router that can be controlled remotely
using SNMP. Junos OS currently provides support for two SNMP remote operations: the
Ping MIB and Traceroute MIB, defined in RFC 2925. Using these MIBs, an SNMP client in
the network management system (NMS) can:
• Start a series of operations on a router
• Receive notification when the operations are complete
• Gather the results of each operation
Junos OS also provides extended functionality to these MIBs in the Juniper Networks
enterprise-specific extensions jnxPingMIB and jnxTraceRouteMIB. For more information
about jnxPingMIB and jnxTraceRouteMIB, see PING MIB and Traceroute MIB.
This topic covers the following sections:
• SNMP Remote Operation Requirements on page 322
• Setting SNMP Views on page 322
• Setting Trap Notification for Remote Operations on page 323
• Using Variable-Length String Indexes on page 323
• Enabling Logging on page 324
SNMP Remote Operation Requirements
To use SNMP remote operations, you should be experienced with SNMP conventions.
You must also configure Junos OS to allow the use of the remote operation MIBs.
Setting SNMP Views
All remote operation MIBs supported by Junos OS require that the SNMP clients have
read-write privileges. The default SNMP configuration of Junos OS does not provide
clients with a community string with such privileges.
To set read-write privileges for an SNMP community string, include the following
statements at the [edit snmp] hierarchy level:
[edit snmp]
community community-name {
    authorization authorization;
    view view-name;
}
view view-name {
    oid object-identifier (include | exclude);
}
Example: Setting SNMP Views
To create a community named remote-community that grants SNMP clients read-write
access to the Ping MIB, jnxPing MIB, Traceroute MIB, and jnxTraceRoute MIB, include the
following statements at the [edit snmp] hierarchy level:
snmp {
    view remote-view {
        oid 1.3.6.1.2.1.80 include; # pingMIB
        oid 1.3.6.1.4.1.2636.3.7 include; # jnxPingMIB
        oid 1.3.6.1.2.1.81 include; # traceRouteMIB
        oid 1.3.6.1.4.1.2636.3.8 include; # jnxTraceRouteMIB
    }
    community remote-community {
        view remote-view;
        authorization read-write;
    }
}
For more information about the community statement, see “Configuring SNMP
Communities” on page 192 and community (SNMP).
For more information about the view statement, see “Configuring MIB Views” on page 223,
view (Associating a MIB View with a Community), and view (Configuring a MIB View).
Setting Trap Notification for Remote Operations
In addition to configuring the remote operations MIB for trap notification, you must also
configure Junos OS. You must specify a target host for remote operations traps.
To configure trap notification for SNMP remote operations, include the categories and
targets statements at the [edit snmp trap-group group-name] hierarchy level:
[edit snmp trap-group group-name]
categories {
    category;
}
targets {
    address;
}
Example: Setting Trap Notification for Remote Operations
Specify 172.17.12.213 as a target host for all remote operation traps:
snmp {
    trap-group remote-traps {
        categories remote-operations;
        targets {
            172.17.12.213;
        }
    }
}
For more information about trap groups, see “Configuring SNMP Trap Groups” on page 206.
Using Variable-Length String Indexes
All tabular objects in the remote operations MIBs supported by Junos OS are indexed by
two variables of type SnmpAdminString. For more information about SnmpAdminString,
see RFC 2571.
Junos OS does not handle SnmpAdminString any differently from the octet string variable
type. However, the indexes are defined as variable length. When a variable length string
is used as an index, the length of the string must be included as part of the object identifier
(OID).
Example: Set Variable-Length String Indexes
To reference the pingCtlTargetAddress variable of a row in pingCtlTable where
pingCtlOwnerIndex is bob and pingCtlTestName is test, use the following object identifier
(OID):
pingMIB.pingObjects.pingCtlTable.pingCtlEntry.pingCtlTargetAddress."bob"."test"
1.3.6.1.2.1.80.1.2.1.4.3.98.111.98.4.116.101.115.116
For more information about the definition of the Ping MIB, see RFC 2925.
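The length-prefixed index encoding shown above, together with its inverse, as an added Python example (not part of the original guide). The function names are hypothetical; the 32-octet limit on each index string is the size constraint RFC 2925 places on pingCtlOwnerIndex and pingCtlTestName.

```python
from typing import List, Sequence, Tuple

# pingMIB.pingObjects.pingCtlTable.pingCtlEntry, from the OID on this page
PING_CTL_ENTRY = (1, 3, 6, 1, 2, 1, 80, 1, 2, 1)
MAX_INDEX_OCTETS = 32  # RFC 2925 size limit for each index string


def encode_string_index(*values: str) -> List[int]:
    """Encode variable-length strings as OID sub-identifiers.

    Each string becomes its octet count followed by one sub-identifier
    per octet, which is why "bob" appears as 3.98.111.98.
    """
    subids: List[int] = []
    for value in values:
        octets = value.encode("utf-8")
        if len(octets) > MAX_INDEX_OCTETS:
            raise ValueError("index string longer than 32 octets")
        subids.append(len(octets))
        subids.extend(octets)
    return subids


def decode_string_index(subids: Sequence[int], count: int) -> Tuple[List[str], List[int]]:
    """Decode `count` strings; return them plus any trailing sub-identifiers.

    The trailing part matters for tables such as pingProbeHistoryTable,
    whose index is two strings followed by an integer counter.
    """
    values: List[str] = []
    pos = 0
    for _ in range(count):
        if pos >= len(subids):
            raise ValueError("index ends before the next length sub-identifier")
        length = subids[pos]
        octets = list(subids[pos + 1:pos + 1 + length])
        if length > MAX_INDEX_OCTETS or len(octets) != length:
            raise ValueError("length sub-identifier does not match the data")
        if any(not 0 <= o <= 255 for o in octets):
            raise ValueError("sub-identifier is not a single octet")
        values.append(bytes(octets).decode("utf-8"))
        pos += 1 + length
    return values, list(subids[pos:])


def instance_oid(column: int, owner: str, test_name: str) -> str:
    """Build the dotted OID of one pingCtlTable column instance."""
    parts = PING_CTL_ENTRY + (column,) + tuple(encode_string_index(owner, test_name))
    return ".".join(str(p) for p in parts)


if __name__ == "__main__":
    # Column 4 is pingCtlTargetAddress, as in the OID on this page.
    print(instance_oid(4, "bob", "test"))
```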
Enabling Logging
The SNMP error code returned in response to SNMP requests can only provide a generic
description of the problem. The error descriptions logged by the remote operations
process can often provide more detailed information about the problem and help you
to solve the problem faster. This logging is not enabled by default. To enable logging,
include the flag general statement at the [edit snmp traceoptions] hierarchy level:
[edit]
snmp {
    traceoptions {
        flag general;
    }
}
For more information about traceoptions, see “Tracing SNMP Activity on a Device Running
Junos OS” on page 349.
If the remote operations process receives an SNMP request that it cannot accommodate,
the error is logged in the /var/log/rmopd file. To monitor this log file, issue the monitor
start rmopd command in operational mode of the command-line interface (CLI).
Related Documentation
• Using the Ping MIB for Remote Monitoring Devices Running Junos OS on page 324
• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 331
Using the Ping MIB for Remote Monitoring Devices Running Junos OS
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
A ping test is used to determine whether packets sent from the local host reach the
designated host and are returned. If the designated host can be reached, the ping test
provides the approximate round-trip time for the packets. Ping test results are stored in
pingResultsTable and pingProbeHistoryTable.
RFC 2925 is the authoritative, detailed description of the Ping MIB and provides the ASN.1
MIB definition of the Ping MIB.
Related Documentation
• SNMP Remote Operations Overview on page 321
• Starting a Ping Test on page 325
• Monitoring a Running Ping Test on page 326
• Gathering Ping Test Results on page 329
• Stopping a Ping Test on page 330
• Interpreting Ping Variables on page 330
Starting a Ping Test
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
Before you start a ping test, configure a Ping MIB view. This allows SNMP Set requests
on pingMIB. To start a ping test, create a row in pingCtlTable and set pingCtlAdminStatus
to enabled. The minimum information that must be specified before setting
pingCtlAdminStatus to enabled is:
• pingCtlOwnerIndex (SnmpAdminString)
• pingCtlTestName (SnmpAdminString)
• pingCtlTargetAddress (InetAddress)
• pingCtlTargetAddressType (InetAddressType)
• pingCtlRowStatus (RowStatus)
For all other values, defaults are chosen unless otherwise specified. pingCtlOwnerIndex
and pingCtlTestName are used as the index, so their values are specified as part of the
object identifier (OID). To create a row, set pingCtlRowStatus to createAndWait or
createAndGo on a row that does not already exist. A value of active for pingCtlRowStatus
indicates that all necessary information has been supplied and the test can begin;
pingCtlAdminStatus can be set to enabled. An SNMP Set request that sets
pingCtlRowStatus to active will fail if the necessary information in the row is not specified
or is inconsistent. For information about how to configure a view, see “Setting SNMP
Views” on page 322.
There are two ways to start a ping test:
• Using Multiple Set Protocol Data Units (PDUs) on page 325
• Using a Single Set PDU on page 325
Using Multiple Set Protocol Data Units (PDUs)
You can use multiple Set request PDUs (multiple PDUs, with one or more varbinds each)
and set the following variables in this order to start the test:
• pingCtlRowStatus to createAndWait
• All appropriate test variables
• pingCtlRowStatus to active
  Junos OS now verifies that all necessary information to run a test has been specified.
• pingCtlAdminStatus to enabled
Using a Single Set PDU
You can use a single Set request PDU (one PDU, with multiple varbinds) to set the
following variables to start the test:
• pingCtlRowStatus to createAndGo
• All appropriate test variables
• pingCtlAdminStatus to enabled
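The two Set sequences described above, as an added Python example (not Junos OS code and not part of the original guide). It builds the varbinds for each method and replays them against a simplified, hypothetical row model that enforces the ordering rules stated in this section. The column numbers and enumeration values are taken from RFC 2925 and the RowStatus convention, and the target 192.0.2.1 is a constructed sample address.

```python
import ipaddress

PING_CTL_ENTRY = "1.3.6.1.2.1.80.1.2.1"
# Column numbers within pingCtlEntry (RFC 2925)
COLUMN = {"pingCtlTargetAddressType": 3, "pingCtlTargetAddress": 4,
          "pingCtlAdminStatus": 8, "pingCtlRowStatus": 23}
ACTIVE, NOT_READY, CREATE_AND_GO, CREATE_AND_WAIT = 1, 3, 4, 5  # RowStatus
ENABLED = 1   # pingCtlAdminStatus
IPV4 = 1      # InetAddressType
REQUIRED = ("pingCtlTargetAddressType", "pingCtlTargetAddress")


def varbind(name, owner, test_name, value):
    """Return (oid, column name, value); the index strings go into the OID."""
    index = []
    for s in (owner, test_name):
        index += [len(s.encode())] + list(s.encode())
    oid = ".".join([PING_CTL_ENTRY, str(COLUMN[name])] + [str(i) for i in index])
    return (oid, name, value)


def target_varbinds(owner, test_name, target):
    packed = ipaddress.IPv4Address(target).packed
    return [varbind("pingCtlTargetAddressType", owner, test_name, IPV4),
            varbind("pingCtlTargetAddress", owner, test_name, packed)]


def multiple_pdus(owner, test_name, target):
    """Four Set PDUs, in the order the section requires."""
    return [
        [varbind("pingCtlRowStatus", owner, test_name, CREATE_AND_WAIT)],
        target_varbinds(owner, test_name, target),
        [varbind("pingCtlRowStatus", owner, test_name, ACTIVE)],
        [varbind("pingCtlAdminStatus", owner, test_name, ENABLED)],
    ]


def single_pdu(owner, test_name, target):
    """One Set PDU that carries every varbind."""
    return [[varbind("pingCtlRowStatus", owner, test_name, CREATE_AND_GO)]
            + target_varbinds(owner, test_name, target)
            + [varbind("pingCtlAdminStatus", owner, test_name, ENABLED)]]


class PingCtlRowModel:
    """Simplified model of one pingCtlTable row (an assumption, not rmopd)."""

    def __init__(self):
        self.row = None

    def apply(self, pdu):
        # A PDU is evaluated as a whole and committed only if it is valid.
        new = {name: value for _, name, value in pdu}
        requested = new.pop("pingCtlRowStatus", None)
        row = dict(self.row) if self.row is not None else None
        if row is None:
            if requested not in (CREATE_AND_GO, CREATE_AND_WAIT):
                raise ValueError("row does not exist; create it first")
            row = {"pingCtlRowStatus": NOT_READY}
        elif requested in (CREATE_AND_GO, CREATE_AND_WAIT):
            raise ValueError("row already exists")
        row.update(new)
        if requested in (CREATE_AND_GO, ACTIVE):
            missing = [c for c in REQUIRED if c not in row]
            if missing:
                raise ValueError("cannot activate, missing: " + ", ".join(missing))
            row["pingCtlRowStatus"] = ACTIVE
        if row.get("pingCtlAdminStatus") == ENABLED and row["pingCtlRowStatus"] != ACTIVE:
            raise ValueError("pingCtlAdminStatus enabled before the row is active")
        self.row = row


def run(pdus):
    """Replay a list of PDUs against a fresh row and return the final row."""
    model = PingCtlRowModel()
    for pdu in pdus:
        model.apply(pdu)
    return model.row
```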
Monitoring a Running Ping Test
When pingCtlAdminStatus is successfully set to enabled, the following is done before
the acknowledgment of the SNMP Set request is sent back to the client:
• pingResultsEntry is created if it does not already exist.
• pingResultsOperStatus transitions to enabled.
For more information, see the following sections:
• pingResultsTable on page 326
• pingProbeHistoryTable on page 327
• Generating Traps on page 328
pingResultsTable
While the test is running, pingResultsEntry keeps track of the status of the test. The value
of pingResultsOperStatus is enabled while the test is running and disabled when it has
stopped.
The value of pingCtlAdminStatus remains enabled until you set it to disabled. Thus, to
get the status of the test, you must examine pingResultsOperStatus.
The pingCtlFrequency variable can be used to schedule many tests for one pingCtlEntry.
After a test ends normally (you did not stop the test) and the pingCtlFrequency number
of seconds has elapsed, the test is started again just as if you had set pingCtlAdminStatus
to enabled. If you intervene at any time between repeated tests (you set
pingCtlAdminStatus to disabled or pingCtlRowStatus to notInService), the repeat feature
is disabled until another test is started and ends normally. A value of 0 for
pingCtlFrequency indicates this repeat feature is not active.
pingResultsIpTgtAddr and pingResultsIpTgtAddrType are set to the value of the resolved
destination address when the value of pingCtlTargetAddressType is dns. When a test
starts successfully and pingResultsOperStatus transitions to enabled:
• pingResultsIpTgtAddr is set to null-string.
• pingResultsIpTgtAddrType is set to unknown.
pingResultsIpTgtAddr and pingResultsIpTgtAddrType are not set until
pingCtlTargetAddress can be resolved to a numeric address. To retrieve these values,
poll pingResultsIpTgtAddrType for any value other than unknown after successfully setting
pingCtlAdminStatus to enabled.
At the start of a test, pingResultsSentProbes is initialized to 1 and the first probe is sent.
pingResultsSentProbes increases by 1 each time a probe is sent.
As the test runs, every pingCtlTimeOut seconds, the following occur:
• pingProbeHistoryStatus for the corresponding pingProbeHistoryEntry in
  pingProbeHistoryTable is set to requestTimedOut.
• A pingProbeFailed trap is generated, if necessary.
• An attempt is made to send the next probe.
NOTE: No more than one outstanding probe exists for each test.
For every probe, you can receive one of the following results:
• The target host acknowledges the probe with a response.
• The probe times out; there is no response from the target host acknowledging the
  probe.
• The probe could not be sent.
Each probe result is recorded in pingProbeHistoryTable. For more information about
pingProbeHistoryTable, see “pingProbeHistoryTable” on page 327.
When a response is received from the target host acknowledging the current probe:
• pingResultsProbeResponses increases by 1.
• The following variables are updated:
  • pingResultsMinRtt—Minimum round-trip time
  • pingResultsMaxRtt—Maximum round-trip time
  • pingResultsAverageRtt—Average round-trip time
  • pingResultsRttSumOfSquares—Sum of squares of round-trip times
  • pingResultsLastGoodProbe—Timestamp of the last response
  NOTE: Only probes that result in a response from the target host
  contribute to the calculation of the round-trip time (RTT) variables.
When a response to the last probe is received or the last probe has timed out, the test is
complete.
pingProbeHistoryTable
An entry in pingProbeHistoryTable (pingProbeHistoryEntry) represents a probe result and
is indexed by three variables:
• The first two variables, pingCtlOwnerIndex and pingCtlTestName, are the same ones
  used for pingCtlTable, which identifies the test.
• The third variable, pingProbeHistoryIndex, is a counter to uniquely identify each probe
  result.
The maximum number of pingProbeHistoryTable entries created for a given test is limited
by pingCtlMaxRows. If pingCtlMaxRows is set to 0, no pingProbeHistoryTable entries are
created for that test.
Each time a probe result is determined, a pingProbeHistoryEntry is created and added to
pingProbeHistoryTable. pingProbeHistoryIndex of the new pingProbeHistoryEntry is 1
greater than the last pingProbeHistoryEntry added to pingProbeHistoryTable for that test.
pingProbeHistoryIndex is set to 1 if this is the first entry in the table. The same test can be
run multiple times, so this index keeps growing.
If pingProbeHistoryIndex of the last pingProbeHistoryEntry added is 0xFFFFFFFF, the next
pingProbeHistoryEntry added has pingProbeHistoryIndex set to 1.
The following are recorded for each probe result:
• pingProbeHistoryResponse—Time to live (TTL)
• pingProbeHistoryStatus—What happened and why
• pingProbeHistoryLastRC—Return code (RC) value of ICMP packet
• pingProbeHistoryTime—Timestamp when probe result was determined
When a probe cannot be sent, pingProbeHistoryResponse is set to 0. When a probe times
out, pingProbeHistoryResponse is set to the difference between the time when the probe
was discovered to be timed out and the time when the probe was sent.
Generating Traps
For any trap to be generated, the appropriate bit of pingCtlTrapGeneration must be set.
You must also configure a trap group to receive remote operations. A trap is generated
under the following conditions:
• A pingProbeFailed trap is generated every time pingCtlTrapProbeFailureFilter number
  of consecutive probes fail during the test.
• A pingTestFailed trap is generated when the test completes and at least
  pingCtlTrapTestFailureFilter number of probes fail.
• A pingTestCompleted trap is generated when the test completes and fewer than
  pingCtlTrapTestFailureFilter probes fail.
NOTE: A probe is considered a failure when pingProbeHistoryStatus of the
probe result is anything besides responseReceived.
For information about how to configure a trap group to receive remote operations, see
“Configuring SNMP Trap Groups” on page 206 and “Example: Setting Trap Notification
for Remote Operations” on page 323.
Gathering Ping Test Results
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
You can either poll pingResultsOperStatus to find out when the test is complete or request
that a trap be sent when the test is complete. For more information about
pingResultsOperStatus, see “pingResultsTable” on page 326. For more information about
Ping MIB traps, see “Generating Traps” on page 328.
The statistics calculated and then stored in pingResultsTable include:
• pingResultsMinRtt—Minimum round-trip time
• pingResultsMaxRtt—Maximum round-trip time
• pingResultsAverageRtt—Average round-trip time
• pingResultsProbeResponses—Number of responses received
• pingResultsSentProbes—Number of attempts to send probes
• pingResultsRttSumOfSquares—Sum of squares of round-trip times
• pingResultsLastGoodProbe—Timestamp of the last response
You can also consult pingProbeHistoryTable for more detailed information about each
probe. The index used for pingProbeHistoryTable starts at 1, goes to 0xFFFFFFFF, and
wraps to 1 again.
For example, if pingCtlProbeCount is 15 and pingCtlMaxRows is 5, then upon completion
of the first run of this test, pingProbeHistoryTable contains probes like those in
Table 33 on page 329.
Table 33: Results in pingProbeHistoryTable: After the First Ping Test
pingProbeHistoryIndex    Probe Result
11                       Result of 11th probe from run 1
12                       Result of 12th probe from run 1
13                       Result of 13th probe from run 1
14                       Result of 14th probe from run 1
15                       Result of 15th probe from run 1
Upon completion of the first probe of the second run of this test, pingProbeHistoryTable
will contain probes like those in Table 34 on page 330.
Table 34: Results in pingProbeHistoryTable: After the First Probe of the Second Test
pingProbeHistoryIndex    Probe Result
12                       Result of 12th probe from run 1
13                       Result of 13th probe from run 1
14                       Result of 14th probe from run 1
15                       Result of 15th probe from run 1
16                       Result of 1st probe from run 2
Upon completion of the second run of this test, pingProbeHistoryTable will contain probes
like those in Table 35 on page 330.
Table 35: Results in pingProbeHistoryTable: After the Second Ping Test
pingProbeHistoryIndex    Probe Result
26                       Result of 11th probe from run 2
27                       Result of 12th probe from run 2
28                       Result of 13th probe from run 2
29                       Result of 14th probe from run 2
30                       Result of 15th probe from run 2
History entries can be deleted from the MIB in two ways:
• More history entries for a given test are added and the number of history entries exceeds
  pingCtlMaxRows. The oldest history entries are deleted to make room for the new ones.
• You delete the entire test by setting pingCtlRowStatus to destroy.
Stopping a Ping Test
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
To stop an active test, set pingCtlAdminStatus to disabled. To stop the test and remove
its pingCtlEntry, pingResultsEntry, and any pingProbeHistoryEntry objects from the MIB, set
pingCtlRowStatus to destroy.
Interpreting Ping Variables
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
This section clarifies the ranges for the following variables that are not explicitly specified
in the Ping MIB:
• pingCtlDataSize—The value of this variable represents the total size of the payload (in
  bytes) of an outgoing probe packet. This payload includes the timestamp (8 bytes)
  that is used to time the probe. This is consistent with the definition of pingCtlDataSize
  (maximum value of 65,507) and the standard ping application.

  If the value of pingCtlDataSize is between 0 and 8 inclusive, it is ignored and the payload
  is 8 bytes (the timestamp). The Ping MIB assumes all probes are timed, so the payload
  must always include the timestamp.

  For example, if you wish to add an additional 4 bytes of payload to the packet, you
  must set pingCtlDataSize to 12.
• pingCtlDataFill—The first 8 bytes of the data segment of the packet are reserved for the
  timestamp. After that, the pingCtlDataFill pattern is repeated. The default pattern (when
  pingCtlDataFill is not specified) is (00, 01, 02, 03 ... FF, 00, 01, 02, 03 ... FF, ...).
• pingCtlMaxRows—The maximum value is 255.
• pingMaxConcurrentRequests—The maximum value is 500.
• pingCtlTrapProbeFailureFilter and pingCtlTrapTestFailureFilter—A value of 0 for
  pingCtlTrapProbeFailureFilter or pingCtlTrapTestFailureFilter is not well defined by the
  Ping MIB. If pingCtlTrapProbeFailureFilter is 0, pingProbeFailed traps will not be
  generated for the test under any circumstances. If pingCtlTrapTestFailureFilter is 0,
  pingTestFailed traps will not be generated for the test under any circumstances.
Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS
Supported Platforms
ACX Series, M Series, MX Series, QFX Series, SRX Series, T Series
A traceroute test approximates the path packets take from the local host to the remote
host.
RFC 2925 is the authoritative description of the Traceroute MIB. It describes the MIB in
detail and provides its ASN.1 MIB definition.
Related Documentation
• SNMP Remote Operations Overview on page 321
• Starting a Traceroute Test on page 332
• Monitoring a Running Traceroute Test on page 333
• Monitoring Traceroute Test Completion on page 337
• Gathering Traceroute Test Results on page 338
• Stopping a Traceroute Test on page 339
• Interpreting Traceroute Variables on page 340
Starting a Traceroute Test
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
Before you start a traceroute test, configure a Traceroute MIB view. This allows SNMP
Set requests on tracerouteMIB. To start a test, create a row in traceRouteCtlTable and
set traceRouteCtlAdminStatus to enabled. You must specify at least the following before
setting traceRouteCtlAdminStatus to enabled:
• traceRouteCtlOwnerIndex (SnmpAdminString)
• traceRouteCtlTestName (SnmpAdminString)
• traceRouteCtlTargetAddress (InetAddress)
• traceRouteCtlRowStatus (RowStatus)
For all other values, defaults are chosen unless otherwise specified.
traceRouteCtlOwnerIndex and traceRouteCtlTestName are used as the index, so their
values are specified as part of the OID. To create a row, set traceRouteCtlRowStatus to
createAndWait or createAndGo on a row that does not already exist. A value of active for
traceRouteCtlRowStatus indicates that all necessary information has been specified and
the test can begin; traceRouteCtlAdminStatus can be set to enabled. An SNMP Set request
that sets traceRouteCtlRowStatus to active will fail if the necessary information in the
row is not specified or is inconsistent. For information about how to configure a view, see
“Setting SNMP Views” on page 322.
There are two ways to start a traceroute test:
• Using Multiple Set PDUs on page 332
• Using a Single Set PDU on page 332
Using Multiple Set PDUs
You can use multiple Set request PDUs (multiple PDUs, with one or more varbinds each)
and set the following variables in this order to start the test:
• traceRouteCtlRowStatus to createAndWait
• All appropriate test variables
• traceRouteCtlRowStatus to active
  The Junos OS now verifies that all necessary information to run a test has been specified.
• traceRouteCtlAdminStatus to enabled
Using a Single Set PDU
You can use a single Set request PDU (one PDU, with multiple varbinds) to set the
following variables to start the test:
• traceRouteCtlRowStatus to createAndGo
• All appropriate test variables
• traceRouteCtlAdminStatus to enabled
Related Documentation
• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 331
• Monitoring a Running Traceroute Test on page 333
• SNMP Remote Operations Overview on page 321
• Monitoring Traceroute Test Completion on page 337
• Gathering Traceroute Test Results on page 338
• Stopping a Traceroute Test on page 339
• Interpreting Traceroute Variables on page 340
Monitoring a Running Traceroute Test
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
When traceRouteCtlAdminStatus is successfully set to enabled, the following is done
before the acknowledgment of the SNMP Set request is sent back to the client:
• traceRouteResultsEntry is created if it does not already exist.
• traceRouteResultsOperStatus transitions to enabled.
For more information, see the following sections:
• traceRouteResultsTable on page 333
• traceRouteProbeResultsTable on page 334
• traceRouteHopsTable on page 335
• Generating Traps on page 336
traceRouteResultsTable
While the test is running, traceRouteResultsTable keeps track of the status of the
test. The value of traceRouteResultsOperStatus is enabled while the test is running and
disabled when it has stopped.
The value of traceRouteCtlAdminStatus remains enabled until you set it to disabled. Thus,
to get the status of the test, you must examine traceRouteResultsOperStatus.
The traceRouteCtlFrequency variable can be used to schedule many tests for one
traceRouteCtlEntry. After a test ends normally (you did not stop the test) and
traceRouteCtlFrequency number of seconds has elapsed, the test is started again just as
if you had set traceRouteCtlAdminStatus to enabled. If you intervene at any time between
repeated tests (you set traceRouteCtlAdminStatus to disabled or traceRouteCtlRowStatus
to notInService), the repeat feature is disabled until another test is started and ends
normally. A value of 0 for traceRouteCtlFrequency indicates this repeat feature is not
active.
traceRouteResultsIpTgtAddr and traceRouteResultsIpTgtAddrType are set to the value
of the resolved destination address when the value of traceRouteCtlTargetAddressType
is dns. When a test starts successfully and traceRouteResultsOperStatus transitions to
enabled:
• traceRouteResultsIpTgtAddr is set to null-string.
• traceRouteResultsIpTgtAddrType is set to unknown.
traceRouteResultsIpTgtAddr and traceRouteResultsIpTgtAddrType are not set until
traceRouteCtlTargetAddress can be resolved to a numeric address. To retrieve these
values, poll traceRouteResultsIpTgtAddrType for any value other than unknown after
successfully setting traceRouteCtlAdminStatus to enabled.
At the start of a test, traceRouteResultsCurHopCount is initialized to traceRouteCtlInitialTtl,
and traceRouteResultsCurProbeCount is initialized to 1. Each time a probe result is
determined, traceRouteResultsCurProbeCount increases by 1. While the test is running,
the value of traceRouteResultsCurProbeCount reflects the current outstanding probe for
which results have not yet been determined.
The traceRouteCtlProbesPerHop number of probes is sent for each time-to-live (TTL)
value. When the result of the last probe for the current hop is determined, provided that
the current hop is not the destination hop, traceRouteResultsCurHopCount increases by
1, and traceRouteResultsCurProbeCount resets to 1.
At the start of a test, if this is the first time this test has been run for this traceRouteCtlEntry,
traceRouteResultsTestAttempts and traceRouteResultsTestSuccesses are initialized to
0.
At the end of each test execution, traceRouteResultsOperStatus transitions to disabled,
and traceRouteResultsTestAttempts increases by 1. If the test was successful in
determining the full path to the target, traceRouteResultsTestSuccesses increases by 1,
and traceRouteResultsLastGoodPath is set to the current time.
traceRouteProbeResultsTable
Each entry in traceRouteProbeHistoryTable is indexed by five variables:
• The first two variables, traceRouteCtlOwnerIndex and traceRouteCtlTestName, are the
  same ones used for traceRouteCtlTable and to identify the test.
• The third variable, traceRouteProbeHistoryIndex, is a counter, starting from 1 and
  wrapping at FFFFFFFF. The maximum number of entries is limited by
  traceRouteCtlMaxRows.
• The fourth variable, traceRouteProbeHistoryHopIndex, indicates which hop this probe
  is for (the actual time-to-live or TTL value). Thus, the first traceRouteCtlProbesPerHop
  number of entries created when a test starts have a value of traceRouteCtlInitialTtl for
  traceRouteProbeHistoryHopIndex.
• The fifth variable, traceRouteProbeHistoryProbeIndex, is the probe for the current hop.
  It ranges from 1 to traceRouteCtlProbesPerHop.
While a test is running, as soon as a probe result is determined, the next probe is sent. A
maximum of traceRouteCtlTimeOut seconds elapses before a probe is marked with
status requestTimedOut and the next probe is sent. There is never more than one
outstanding probe per traceroute test. Any probe result coming back after a probe times
out is ignored.
Each probe can:
• Result in a response from a host acknowledging the probe
• Time out with no response from a host acknowledging the probe
• Fail to be sent
Each probe status is recorded in traceRouteProbeHistoryTable with
traceRouteProbeHistoryStatus set accordingly.
Probes that result in a response from a host record the following data:
• traceRouteProbeHistoryResponse—Round-trip time (RTT)
• traceRouteProbeHistoryHAddrType—The type of HAddr (next argument)
• traceRouteProbeHistoryHAddr—The address of the hop
All probes, regardless of whether a response for the probe is received, have the following
recorded:
• traceRouteProbeHistoryStatus—What happened and why
• traceRouteProbeHistoryLastRC—Return code (RC) value of the ICMP packet
• traceRouteProbeHistoryTime—Timestamp when the probe result was determined
When a probe cannot be sent, traceRouteProbeHistoryResponse is set to 0. When a probe
times out, traceRouteProbeHistoryResponse is set to the difference between the time
when the probe was discovered to be timed out and the time when the probe was sent.
traceRouteHopsTable
Entries in traceRouteHopsTable are indexed by three variables:
• The first two, traceRouteCtlOwnerIndex and traceRouteCtlTestName, are the same
  ones used for traceRouteCtlTable and identify the test.
• The third variable, traceRouteHopsHopIndex, indicates the current hop, which starts
  at 1 (not traceRouteCtlInitialTtl).
When a test starts, all entries in traceRouteHopsTable with the given
traceRouteCtlOwnerIndex and traceRouteCtlTestName are deleted. Entries in this table
are only created if traceRouteCtlCreateHopsEntries is set to true.
A new traceRouteHopsEntry is created each time the first probe result for a given TTL is
determined. The new entry is created whether or not the first probe reaches a host. The
value of traceRouteHopsHopIndex is increased by 1 for this new entry.
NOTE: Any traceRouteHopsEntry can lack a value for
traceRouteHopsIpTgtAddress if there are no responses to the probes with the
given TTL.
Each time a probe reaches a host, the IP address of that host is available in the probe
result. If the value of traceRouteHopsIpTgtAddress of the current traceRouteHopsEntry
is not set, then the value of traceRouteHopsIpTgtAddress is set to this IP address. If the
value of traceRouteHopsIpTgtAddress of the current traceRouteHopsEntry is the same
as the IP address, then the value does not change. If the value of
traceRouteHopsIpTgtAddress of the current traceRouteHopsEntry is different from this
IP address, indicating a path change, a new traceRouteHopsEntry is created with:
• traceRouteHopsHopIndex variable increased by 1
• traceRouteHopsIpTgtAddress set to the IP address
NOTE: A new entry for a test is added to traceRouteHopsTable each time
a new TTL value is used or the path changes. Thus, the number of entries
for a test may exceed the number of different TTL values used.
When a probe result is determined, the value traceRouteHopsSentProbes of the current
traceRouteHopsEntry increases by 1. When a probe result is determined, and the probe
reaches a host:
• The value traceRouteHopsProbeResponses of the current traceRouteHopsEntry is
  increased by 1.
• The following variables are updated:
  • traceRouteResultsMinRtt—Minimum round-trip time
  • traceRouteResultsMaxRtt—Maximum round-trip time
  • traceRouteResultsAverageRtt—Average round-trip time
  • traceRouteResultsRttSumOfSquares—Sum of squares of round-trip times
  • traceRouteResultsLastGoodProbe—Timestamp of the last response
  NOTE: Only probes that reach a host affect the round-trip time values.
Generating Traps
For any trap to be generated, the appropriate bit of traceRouteCtlTrapGeneration must
be set. You must also configure a trap group to receive remote operations. Traps are
generated under the following conditions:
• traceRouteHopsIpTgtAddress of the current probe is different from the last probe with
  the same TTL value (traceRoutePathChange).
• A path to the target could not be determined (traceRouteTestFailed).
• A path to the target was determined (traceRouteTestCompleted).
For information about how to configure a trap group to receive remote operations, see
“Configuring SNMP Trap Groups” on page 206 and “Example: Setting Trap Notification
for Remote Operations” on page 323.
See Also
• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 331
• SNMP Remote Operations Overview on page 321
• Starting a Traceroute Test on page 332
• Monitoring Traceroute Test Completion on page 337
• Gathering Traceroute Test Results on page 338
• Stopping a Traceroute Test on page 339
• Interpreting Traceroute Variables on page 340
Monitoring Traceroute Test Completion
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
When a test is complete, traceRouteResultsOperStatus transitions from enabled to
disabled. This transition occurs in the following situations:
• The test ends successfully. A probe result indicates that the destination has been
  reached. In this case, the current hop is the last hop. The rest of the probes for this hop
  are sent. When the last probe result for the current hop is determined, the test ends.
• traceRouteCtlMaxTtl threshold is exceeded. The destination is never reached. The test
  ends after the number of probes with TTL value equal to traceRouteCtlMaxTtl have
  been sent.
• traceRouteCtlMaxFailures threshold is exceeded. The number of consecutive probes
  that end with status requestTimedOut exceeds traceRouteCtlMaxFailures.
• You end the test. You set traceRouteCtlAdminStatus to disabled or delete the row by
  setting traceRouteCtlRowStatus to destroy.
• You misconfigured the traceroute test. A value or variable you specified in
  traceRouteCtlTable is incorrect and will not allow a single probe to be sent. Because
  of the nature of the data, this error could not be determined until the test was started;
  that is, until after traceRouteResultsOperStatus transitioned to enabled. When this
  occurs, one entry is added to traceRouteProbeHistoryTable with
  traceRouteProbeHistoryStatus set to the appropriate error code.
If traceRouteCtlTrapGeneration is set properly, either the traceRouteTestFailed or
traceRouteTestCompleted trap is generated.
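The following Python model is an added example, not code from this guide or from Junos OS. It replays the traceRouteHopsTable rules (a new entry for each new TTL and for each path change) together with the first three completion conditions listed above. The function name, the dictionary keys, the constructed sample path, and the choice to count the probe that reveals a path change against the new entry are assumptions of the example; traps are listed as if every bit of traceRouteCtlTrapGeneration were set.

```python
TARGET = "203.0.113.9"   # constructed target address (documentation range)

# Constructed probe results: (ttl, probe) -> address of the responding host.
# A missing key means that probe ended with status requestTimedOut.
SAMPLE_PATH = {
    (1, 1): "192.0.2.1", (1, 2): "192.0.2.1", (1, 3): "192.0.2.1",
    (2, 1): "198.51.100.1",                        # first answer for TTL 2
    (2, 2): "198.51.100.2", (2, 3): "198.51.100.2",  # path changed at TTL 2
    # TTL 3: no responses at all
    (4, 1): TARGET, (4, 2): TARGET, (4, 3): TARGET,
}


def _new_hop(hops, ttl):
    """Append a traceRouteHopsEntry; traceRouteHopsHopIndex starts at 1."""
    entry = {"hop_index": len(hops) + 1, "ttl": ttl, "addr": None,
             "sent": 0, "responses": 0}
    hops.append(entry)
    return entry


def run_traceroute(responses, target, probes_per_hop=3, initial_ttl=1,
                   max_ttl=30, max_failures=5):
    """Return (hops, traps) for one test run over the given probe results."""
    hops, traps = [], []
    timeouts = 0          # consecutive probes that ended in requestTimedOut
    reached = False
    for ttl in range(initial_ttl, max_ttl + 1):
        current = None
        for probe in range(1, probes_per_hop + 1):
            addr = responses.get((ttl, probe))
            if current is None:
                # First probe result for this TTL: always creates an entry,
                # whether or not the probe reached a host.
                current = _new_hop(hops, ttl)
            if addr is not None and current["addr"] not in (None, addr):
                # Same TTL, different responder: path change, new entry.
                current = _new_hop(hops, ttl)
                traps.append("traceRoutePathChange")
            current["sent"] += 1
            if addr is None:
                timeouts += 1
                if timeouts > max_failures:      # traceRouteCtlMaxFailures
                    traps.append("traceRouteTestFailed")
                    return hops, traps
                continue
            timeouts = 0
            current["addr"] = addr
            current["responses"] += 1
            reached = reached or addr == target
        if reached:
            # Destination hop: the remaining probes for this hop were sent.
            traps.append("traceRouteTestCompleted")
            return hops, traps
    traps.append("traceRouteTestFailed")         # traceRouteCtlMaxTtl used up
    return hops, traps


if __name__ == "__main__":
    hops, traps = run_traceroute(SAMPLE_PATH, TARGET)
    for hop in hops:
        print(hop)
    print(traps)
```

With the sample path, four TTL values produce five traceRouteHopsTable entries, which is the situation the NOTE in the traceRouteHopsTable section describes.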
Related Documentation
• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 331
• Monitoring a Running Traceroute Test on page 333
• SNMP Remote Operations Overview on page 321
• Starting a Traceroute Test on page 332
• Gathering Traceroute Test Results on page 338
• Stopping a Traceroute Test on page 339
• Interpreting Traceroute Variables on page 340
Gathering Traceroute Test Results
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
You can either poll traceRouteResultsOperStatus to find out when the test is complete
or request that a trap be sent when the test is complete. For more information about
traceRouteResultsOperStatus, see “traceRouteResultsTable” on page 333. For more information
about Traceroute MIB traps, see the Generating Traps section in “Monitoring a Running
Traceroute Test” on page 333.
Statistics are calculated on a per-hop basis and then stored in traceRouteHopsTable.
They include the following for each hop:
• traceRouteHopsIpTgtAddressType—Address type of host at this hop
• traceRouteHopsIpTgtAddress—Address of host at this hop
• traceRouteHopsMinRtt—Minimum round-trip time
• traceRouteHopsMaxRtt—Maximum round-trip time
• traceRouteHopsAverageRtt—Average round-trip time
• traceRouteHopsRttSumOfSquares—Sum of squares of round-trip times
• traceRouteHopsSentProbes—Number of attempts to send probes
• traceRouteHopsProbeResponses—Number of responses received
• traceRouteHopsLastGoodProbe—Timestamp of last response
You can also consult traceRouteProbeHistoryTable for more detailed information about
each probe. The index used for traceRouteProbeHistoryTable starts at 1, goes to
0xFFFFFFFF, and wraps to 1 again.
For example, assume the following:
• traceRouteCtlMaxRows is 10.
• traceRouteCtlProbesPerHop is 5.
• There are eight hops to the target (the target being number eight).
• Each probe sent results in a response from a host (the number of probes sent is not
  limited by traceRouteCtlMaxFailures).
In this test, 40 probes are sent. At the end of the test, traceRouteProbeHistoryTable would
have a history of probes like those in Table 36 on page 339.
Table 36: traceRouteProbeHistoryTable
HistoryIndex    HistoryHopIndex    HistoryProbeIndex
31              7                  1
32              7                  2
33              7                  3
34              7                  4
35              7                  5
36              8                  1
37              8                  2
38              8                  3
39              8                  4
40              8                  5
Related Documentation
• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 331
• Monitoring a Running Traceroute Test on page 333
• SNMP Remote Operations Overview on page 321
• Starting a Traceroute Test on page 332
• Monitoring Traceroute Test Completion on page 337
• Stopping a Traceroute Test on page 339
• Interpreting Traceroute Variables on page 340
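The following Python model is an added example, not code from this guide or from Junos OS. It implements the history bookkeeping that pingProbeHistoryTable and traceRouteProbeHistoryTable share (an index that grows across runs and wraps from 0xFFFFFFFF to 1, with the oldest rows deleted once the MaxRows limit is reached) and reproduces Tables 33 through 36. The class and function names are assumptions of the example, as is the choice that the index does not advance when MaxRows is 0.

```python
from collections import deque

MAX_INDEX = 0xFFFFFFFF  # the history index wraps to 1 after this value


class ProbeHistory:
    """History rows kept for one test (one owner index and test name)."""

    def __init__(self, max_rows, last_index=0):
        self.max_rows = max_rows      # pingCtlMaxRows or traceRouteCtlMaxRows
        self.last_index = last_index  # index of the newest row; 0 = no row yet
        self.rows = deque(maxlen=max_rows)

    def record(self, **fields):
        """Store one probe result and return the history index it received."""
        if self.max_rows == 0:
            return None               # MaxRows 0: no history entries are created
        if self.last_index in (0, MAX_INDEX):
            self.last_index = 1       # first entry, or wrap after 0xFFFFFFFF
        else:
            self.last_index += 1
        # A full deque drops its oldest row, which models the deletion of the
        # oldest history entries to make room for new ones.
        self.rows.append({"index": self.last_index, **fields})
        return self.last_index

    def snapshot(self, *columns):
        """Current rows as tuples (index, *columns), oldest first."""
        return [(r["index"],) + tuple(r[c] for c in columns) for r in self.rows]


def run_ping_test(history, run, probe_count, first_probe=1):
    """Record probes first_probe..probe_count of one ping test run."""
    for probe in range(first_probe, probe_count + 1):
        history.record(run=run, probe=probe)


def run_traceroute_test(history, hops, probes_per_hop, initial_ttl=1):
    """Record a traceroute in which every probe gets a response."""
    for ttl in range(initial_ttl, initial_ttl + hops):
        for probe in range(1, probes_per_hop + 1):
            history.record(hop=ttl, probe=probe)


if __name__ == "__main__":
    ping = ProbeHistory(max_rows=5)            # pingCtlMaxRows is 5
    run_ping_test(ping, run=1, probe_count=15)
    print("Table 33:", ping.snapshot("run", "probe"))
    run_ping_test(ping, run=2, probe_count=1)
    print("Table 34:", ping.snapshot("run", "probe"))
    run_ping_test(ping, run=2, probe_count=15, first_probe=2)
    print("Table 35:", ping.snapshot("run", "probe"))

    trace = ProbeHistory(max_rows=10)          # traceRouteCtlMaxRows is 10
    run_traceroute_test(trace, hops=8, probes_per_hop=5)
    print("Table 36:", trace.snapshot("hop", "probe"))
```

A poller that reads these tables between runs should key on the history index rather than on row position, because the same test keeps extending the index from run to run.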
Stopping a Traceroute Test
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
To stop an active test, set traceRouteCtlAdminStatus to disabled. To stop a test and
remove its traceRouteCtlEntry, traceRouteResultsEntry, traceRouteProbeHistoryEntry,
and traceRouteProbeHistoryEntry objects from the MIB, set traceRouteCtlRowStatus to
destroy.
Related Documentation
• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 331
• Monitoring a Running Traceroute Test on page 333
• SNMP Remote Operations Overview on page 321
• Starting a Traceroute Test on page 332
• Monitoring Traceroute Test Completion on page 337
• Gathering Traceroute Test Results on page 338
• Interpreting Traceroute Variables on page 340
Interpreting Traceroute Variables
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
This topic contains information about the ranges for the following variables that are not
explicitly specified in the Traceroute MIB:
• traceRouteCtlMaxRows—The maximum value for traceRouteCtlMaxRows is 2550. This
  represents the maximum TTL (255) multiplied by the maximum for
  traceRouteCtlProbesPerHop (10). Therefore, the traceRouteProbeHistoryTable
  accommodates one complete test at the maximum values for one traceRouteCtlEntry.
  Usually, the maximum values are not used and the traceRouteProbeHistoryTable is
  able to accommodate the complete history for many tests for the same
  traceRouteCtlEntry.
• traceRouteMaxConcurrentRequests—The maximum value is 50. If a test is running, it
  has one outstanding probe. traceRouteMaxConcurrentRequests represents the maximum
  number of traceroute tests that have traceRouteResultsOperStatus with a value of
  enabled. Any attempt to start a test with traceRouteMaxConcurrentRequests tests
  running will result in the creation of one probe with traceRouteProbeHistoryStatus set
  to maxConcurrentLimitReached and that test will end immediately.
• traceRouteCtlTable—The maximum number of entries allowed in this table is 100. Any
  attempt to create a 101st entry will result in a BAD_VALUE message for SNMPv1 and a
  RESOURCE_UNAVAILABLE message for SNMPv2.
Related Documentation
• Using the Traceroute MIB for Remote Monitoring Devices Running Junos OS on page 331
• Monitoring a Running Traceroute Test on page 333
• SNMP Remote Operations Overview on page 321
• Starting a Traceroute Test on page 332
• Monitoring Traceroute Test Completion on page 337
• Gathering Traceroute Test Results on page 338
• Stopping a Traceroute Test on page 339
CHAPTER 13
Tracing SNMP Activity
• Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on
  a Device Running Junos OS on page 343
• Tracing SNMP Activity on a Device Running Junos OS on page 349
• Example: Tracing SNMP Activity on page 353
Monitoring SNMP Activity and Tracking Problems That Affect SNMP Performance on a Device Running Junos OS
Supported Platforms
ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series,
vSRX
The following sections contain information about monitoring the SNMP activity on devices
running the Junos OS and identifying problems that might impact the SNMP performance
on devices running Junos OS:
• Checking for MIB Objects Registered with the snmpd on page 343
• Tracking SNMP Activity on page 345
• Monitoring SNMP Statistics on page 347
• Checking CPU Utilization on page 347
• Checking Kernel and Packet Forwarding Engine Response on page 348
Checking for MIB Objects Registered with the snmpd
For the SNMP process to be able to access data related to a MIB object, the MIB object
must be registered with the snmpd. When an SNMP subagent comes online, it tries to
register the associated MIB objects with the snmpd. The snmpd maintains a mapping of
the objects and the subagents with which the objects are associated. However, the
registration attempt fails occasionally, and the objects remain unregistered with the
snmpd until the next time the subagent restarts and successfully registers the objects.
When a network management system polls for data related to objects that are not
registered with the snmpd, the snmpd returns either a noSuchName error (for SNMPv1
objects) or a noSuchObject error (for SNMPv2 objects).
You can use the following commands to check for MIB objects that are registered with
the snmpd:
• show snmp registered-objects—Creates a /var/log/snmp_reg_objs file that contains
  the list of registered objects and their mapping to various subagents.
• file show /var/log/snmp_reg_objs—Displays the contents of the /var/log/snmp_reg_objs
  file.
The following example shows the steps for creating and displaying the
/var/log/snmp_reg_objs file:
user@host> show snmp registered-objects
user@host> file show /var/log/snmp_reg_objs
-------------------------------------------------------------
Registered MIB Objects
root_name =
-------------------------------------------------------------
.1.2.840.10006.300.43.1.1.1.1.2 (dot3adAggMACAddress) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.3 (dot3adAggActorSystemPriority) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.4 (dot3adAggActorSystemID) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.5 (dot3adAggAggregateOrIndividual)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.6 (dot3adAggActorAdminKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.7 (dot3adAggActorOperKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.8 (dot3adAggPartnerSystemID) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.9 (dot3adAggPartnerSystemPriority)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.10 (dot3adAggPartnerOperKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.1.1.11 (dot3adAggCollectorMaxDelay) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.1.2.1.1 (dot3adAggPortListPorts) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.2 (dot3adAggPortActorSystemPriority)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.3 (dot3adAggPortActorSystemID) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.4 (dot3adAggPortActorAdminKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.5 (dot3adAggPortActorOperKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.6 (dot3adAggPortPartnerAdminSystemPriority)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.7 (dot3adAggPortPartnerOperSystemPriority)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.8 (dot3adAggPortPartnerAdminSystemID)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.9 (dot3adAggPortPartnerOperSystemID)
(/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.10 (dot3adAggPortPartnerAdminKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.11 (dot3adAggPortPartnerOperKey) (/var/run/mib2d-11)
.1.2.840.10006.300.43.1.2.1.1.12 (dot3adAggPortSelectedAggID) (/var/run/mib2d-11)
---(more)---
NOTE: The /var/log/snmp_reg_objs file contains only those objects that are
associated with the Junos OS processes that are up and running and registered
with the snmpd, at the time of executing the show snmp registered-objects
command. If a MIB object related to a Junos OS process that is up and running
is not shown in the list of registered objects, you might want to restart the
software process to retry object registration with the snmpd.
Tracking SNMP Activity
SNMP tracing operations track activity of SNMP agents and record the information in
log files. The logged event descriptions provide detailed information to help you solve
problems faster. By default, Junos OS does not trace any SNMP activity. To enable
tracking of SNMP activities on a device running Junos OS, include the traceoptions
statement at the [edit snmp] hierarchy level.
A sample traceoptions configuration might look like:
[edit snmp]
set traceoptions flag all;
When the traceoptions flag all statement is included at the [edit snmp] hierarchy level,
the following log files are created:
• snmpd
• mib2d
• rmopd
You can use the show log log-filename operational mode command to view the contents
of the log file. In the snmpd log file (see the following example), a sequence of >>>
represents an incoming packet, whereas a sequence of <<< represents an outgoing
packet. Note that request-response pairs might not appear in sequence if multiple
network management systems are polling the device at the same time. You can
use the source and request ID combinations to match requests and responses. However,
note that no response entry is written to the log file if the SNMP master agent or the
SNMP subagent has not responded to a request.
A careful analysis of the request-response time can help you identify and understand
delayed responses.
Reviewing a Log File
The following example shows the output for the show log snmpd command:
user@host> show log snmpd
Apr 12 06:40:03 snmpd[7ee783df] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Apr 12 06:40:03 snmpd[7ee783df] >>> Get-Bulk-Request
Apr 12 06:40:03 snmpd[7ee783df] >>> Source: 10.209.63.42
Apr 12 06:40:03 snmpd[7ee783df] >>> Destination: 10.209.2.242
Apr 12 06:40:03 snmpd[7ee783df] >>> Version: SNMPv2
Apr 12 06:40:03 snmpd[7ee783df] >>> Request_id: 0x7ee783df
Apr 12 06:40:03 snmpd[7ee783df] >>> Community: public
Apr 12 06:40:03 snmpd[7ee783df] >>> Non-repeaters: 0
Apr 12 06:40:03 snmpd[7ee783df] >>> Max-repetitions: 10
Apr 12 06:40:03 snmpd[7ee783df] >>> OID : jnxContentsType.6.1.2.0
Apr 12 06:40:03 snmpd[7ee783df] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Apr 12 06:40:03 snmpd[7ee783df] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Apr 12 06:40:03 snmpd[7ee783df] <<< Get-Response
Apr 12 06:40:03 snmpd[7ee783df] <<< Source: 10.209.63.42
Apr 12 06:40:03 snmpd[7ee783df] <<< Destination: 10.209.2.242
Apr 12 06:40:03 snmpd[7ee783df] <<< Version: SNMPv2
Apr 12 06:40:03 snmpd[7ee783df] <<< Request_id: 0x7ee783df
Apr 12 06:40:03 snmpd[7ee783df] <<< Community: public
Apr 12 06:40:03 snmpd[7ee783df] <<< Error: status=0 / vb_index=0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.7.1.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iFPC.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.7.1.1.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxChassisTempSensor.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.7.2.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iFPC.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.7.2.1.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxChassisTempSensor.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.9.1.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iRE.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.9.1.1.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxPCMCIACard.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.9.2.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iRE.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.9.2.1.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxPCMCIACard.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.12.1.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iHCM.0
Apr 12 06:40:03 snmpd[7ee783df] <<<
Apr 12 06:40:03 snmpd[7ee783df] <<< OID : jnxContentsType.12.2.0.0
Apr 12 06:40:03 snmpd[7ee783df] <<< type : Object
Apr 12 06:40:03 snmpd[7ee783df] <<< value: jnxM10iHCM.0
Apr 12 06:40:03 snmpd[7ee783df] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Apr 12 06:40:03 snmpd[7ee783e0] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Apr 12 06:40:03 snmpd[7ee783e0] >>> Get-Bulk-Request
Apr 12 06:40:03 snmpd[7ee783e0] >>> Source: 10.209.63.42
Apr 12 06:40:03 snmpd[7ee783e0] >>> Destination: 10.209.2.242
Apr 12 06:40:03 snmpd[7ee783e0] >>> Version: SNMPv2
Apr 12 06:40:03 snmpd[7ee783e0] >>> Request_id: 0x7ee783e0
Apr 12 06:40:03 snmpd[7ee783e0] >>> Community: public
Apr 12 06:40:03 snmpd[7ee783e0] >>> Non-repeaters: 0
Apr 12 06:40:03 snmpd[7ee783e0] >>> Max-repetitions: 10
Apr 12 06:40:03 snmpd[7ee783e0] >>> OID : jnxContentsType.12.2.0.0
Apr 12 06:40:03 snmpd[7ee783e0] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
……
……
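The request-response matching described above can be automated. The following Python example is added here and is not Juniper code: it pairs requests with responses by source and request ID, reports slow and unanswered requests, and masks community strings, which pdu traces record in clear text (Community: public in the sample output). The trace data, addresses, community value, assumed year and 2-second threshold are constructed for illustration.

```python
import re
from datetime import datetime

# One trace row: timestamp, snmpd[tag], a >>> or <<< marker, optional text.
LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+snmpd\[(\w+)\]\s+([<>]{3,})\s*(.*)$")


def parse_pdus(text, year=2018):
    """Split snmpd trace text into PDUs. The trace has no year, so one is assumed."""
    pdus, open_pdus = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, tag, marker, body = m.groups()
        direction = "in" if marker[0] == ">" else "out"
        key = (tag, direction)              # keeps interleaved PDUs apart
        if len(marker) > 3:                 # banner row opens or closes a PDU
            if key in open_pdus:
                pdus.append(open_pdus.pop(key))
            else:
                when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
                open_pdus[key] = {"dir": direction, "time": when, "fields": {}}
            continue
        pdu = open_pdus.get(key)
        if pdu is None or not body:
            continue
        name, sep, value = body.partition(":")
        if sep:
            pdu["fields"][name.strip().lower()] = value.strip()
        else:
            pdu.setdefault("kind", body.strip())    # for example Get-Bulk-Request
    return pdus


def correlate(pdus, slow_after=2.0):
    """Pair each response with its request by (source, request ID)."""
    pending, matched = {}, []
    for pdu in pdus:
        fields = pdu["fields"]
        key = (fields.get("source"), fields.get("request_id"))
        if pdu["dir"] == "in":
            pending[key] = pdu
        elif key in pending:
            request = pending.pop(key)
            latency = (pdu["time"] - request["time"]).total_seconds()
            matched.append({"source": key[0], "request_id": key[1],
                            "kind": request.get("kind"), "latency": latency,
                            "slow": latency >= slow_after})
    # Whatever is still pending never produced a response entry in the trace.
    return matched, list(pending)


def redact_communities(text):
    """Mask community strings before a trace is shared outside the device."""
    return re.sub(r"(Community:\s*)\S+", r"\1<redacted>", text)


def build_pdu(stamp, rid, arrow, kind, source):
    """Build one PDU record in the trace layout shown above (constructed data)."""
    prefix = f"{stamp} snmpd[{rid:08x}] "
    rows = [kind, f"Source: {source}", "Destination: 192.0.2.1", "Version: SNMPv2",
            f"Request_id: 0x{rid:08x}", "Community: example-ro"]
    banner = prefix + arrow * 46
    return [banner] + [f"{prefix}{arrow * 3} {row}" for row in rows] + [banner]


# Constructed trace: two management stations reuse request ID 0x10, one response
# arrives four seconds late, and request 0x11 is never answered.
SAMPLE_TRACE = "\n".join(
    build_pdu("Apr 12 06:40:03", 0x10, ">", "Get-Request", "192.0.2.10")
    + build_pdu("Apr 12 06:40:03", 0x10, "<", "Get-Response", "192.0.2.10")
    + build_pdu("Apr 12 06:40:03", 0x10, ">", "Get-Request", "192.0.2.20")
    + build_pdu("Apr 12 06:40:04", 0x11, ">", "Get-Bulk-Request", "192.0.2.10")
    + build_pdu("Apr 12 06:40:07", 0x10, "<", "Get-Response", "192.0.2.20")
)

if __name__ == "__main__":
    answered, unanswered = correlate(parse_pdus(SAMPLE_TRACE))
    for row in answered:
        print(row)
    print("unanswered:", unanswered)
```

Because the trace timestamps have one-second resolution, latencies below one second show as 0.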
Monitoring SNMP Statistics
The show snmp statistics extensive operational mode command provides you with an
option to review SNMP traffic, including traps, on a device. Output for the show snmp
statistics extensive command shows real-time values and can be used to monitor values
such as throttle drops, currently active, max active, not found, time out, max latency,
current queued, total queued, and overflows. You can identify slowness in SNMP
responses by monitoring the currently active count, because a constant increase in the
currently active count is directly linked to slow or no response to SNMP requests.
Sample Output for the show snmp statistics extensive Command
user@host> show snmp statistics extensive
SNMP statistics:
Input:
Packets: 226656, Bad versions: 0, Bad community names: 0,
Bad community uses: 0, ASN parse errors: 0,
Too bigs: 0, No such names: 0, Bad values: 0,
Read onlys: 0, General errors: 0,
Total request varbinds: 1967606, Total set varbinds: 0,
Get requests: 18478, Get nexts: 75794, Set requests: 0,
Get responses: 0, Traps: 0,
Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
Throttle drops: 27084, Duplicate request drops: 0
V3 Input:
Unknown security models: 0, Invalid messages: 0
Unknown pdu handlers: 0, Unavailable contexts: 0
Unknown contexts: 0, Unsupported security levels: 0
Not in time windows: 0, Unknown user names: 0
Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
Output:
Packets: 226537, Too bigs: 0, No such names: 0,
Bad values: 0, General errors: 0,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 226155, Traps: 382
SA Control Blocks:
Total: 222984, Currently Active: 501, Max Active: 501,
Not found: 0, Timed Out: 0, Max Latency: 25
SA Registration:
Registers: 0, Deregisters: 0, Removes: 0
Trap Queue Stats:
Current queued: 0, Total queued: 0, Discards: 0, Overflows: 0
Trap Throttle Stats:
Current throttled: 0, Throttles needed: 0
Snmp Set Stats:
Commit pending failures: 0, Config lock failures: 0
Rpc failures: 0, Journal write failures: 0
Mgd connect failures: 0, General commit failures: 0
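One way to act on these counters is to compare successive snapshots. The following Python example is added here and is not part of the Junos documentation: it parses show snmp statistics extensive output and flags a Currently Active count that rises on every poll and any new throttle drops. It also goes beyond the text above by flagging growth in the counters that record rejected community names, user names and digests. The snapshot values are constructed.

```python
import re

# "Name: 123" pairs as they appear, comma separated, in the command output.
COUNTER = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?):\s*(\d+)")

# Counters that grow when a request fails authentication (standard SNMP counters).
AUTH_COUNTERS = [("Input", "Bad community names"), ("Input", "Bad community uses"),
                 ("V3 Input", "Unknown user names"), ("V3 Input", "Wrong digests")]


def parse_stats(text):
    """Return {section: {counter: value}} for one command output."""
    stats, section = {}, "SNMP statistics"
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":") and "," not in line:   # section heading such as "Input:"
            section = line[:-1]
            continue
        for name, value in COUNTER.findall(line):
            stats.setdefault(section, {})[name.strip()] = int(value)
    return stats


def assess(snapshots):
    """Compare parsed snapshots (oldest first) and return (category, detail) findings."""
    first, last = snapshots[0], snapshots[-1]
    findings = []
    active = [s["SA Control Blocks"]["Currently Active"] for s in snapshots]
    if len(active) > 2 and all(b > a for a, b in zip(active, active[1:])):
        findings.append(("slow-responses", f"Currently Active rose on every poll: {active}"))
    drops = last["Input"]["Throttle drops"] - first["Input"]["Throttle drops"]
    if drops > 0:
        findings.append(("throttling", f"Throttle drops +{drops}"))
    for section, name in AUTH_COUNTERS:
        grew = last[section][name] - first[section][name]
        if grew > 0:
            findings.append(("auth-failures", f"{section} / {name} +{grew}"))
    return findings


# Constructed output, shortened to the sections this check reads.
TEMPLATE = """\
user@host> show snmp statistics extensive
SNMP statistics:
  Input:
    Packets: {packets}, Bad versions: 0, Bad community names: {bad_names},
    Bad community uses: 0, ASN parse errors: 0,
    Throttle drops: {throttle}, Duplicate request drops: 0
  V3 Input:
    Not in time windows: 0, Unknown user names: 0
    Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
  SA Control Blocks:
    Total: {packets}, Currently Active: {active}, Max Active: {active},
    Not found: 0, Timed Out: 0, Max Latency: 25
"""

SNAPSHOTS = [
    parse_stats(TEMPLATE.format(packets=p, bad_names=b, throttle=t, active=a))
    for p, b, t, a in [(1000, 0, 0, 120), (2000, 0, 9000, 310), (3000, 14, 27084, 501)]
]

if __name__ == "__main__":
    for category, detail in assess(SNAPSHOTS):
        print(f"{category}: {detail}")
```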
Checking CPU Utilization
High CPU usage of the software processes that are being queried, such as snmpd or
mib2d, is another factor that can lead to slow response or no response. You can use the
show system processes extensive operational mode command to check the CPU usage
levels of the Junos OS processes.
Sample Output of show system processes extensive Command
user@host> show system processes extensive
last pid: 1415; load averages: 0.00, 0.00, 0.00 up 0+02:20:54 10:26:25
117 processes: 2 running, 98 sleeping, 17 waiting

Mem: 180M Active, 54M Inact, 39M Wired, 195M Cache, 69M Buf, 272M Free
Swap: 1536M Total, 1536M Free

  PID USERNAME THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
   11 root       1 171   52     0K    12K RUN    132:09 95.21% idle
 1184 root       1  97    0 35580K  9324K select   4:16  1.61% chassisd
  177 root       1  -8    0     0K    12K mdwait   0:51  0.00% md7
  119 root       1  -8    0     0K    12K mdwait   0:20  0.00% md4
   13 root       1 -20 -139     0K    12K WAIT     0:16  0.00% swi7: clock sio
 1373 root       1  96    0 15008K 12712K select   0:09  0.00% snmpd
 1371 root       1  96    0  9520K  5032K select   0:08  0.00% jdiameterd
   12 root       1 -40 -159     0K    12K WAIT     0:07  0.00% swi2: net
 1375 root       2  96    0 15016K  5812K select   0:06  0.00% pfed
   49 root       1  -8    0     0K    12K mdwait   0:05  0.00% md0
 1345 root       1  96    0 10088K  4480K select   0:05  0.00% l2ald
 1181 root       1  96    0  1608K   908K select   0:05  0.00% bslockd
   23 root       1 -68 -187     0K    12K WAIT     0:04  0.00% irq10: fxp1
   30 root       1 171   52     0K    12K pgzero   0:04  0.00% pagezero
 1344 root       1   4    0 39704K 11444K kqread   0:03  0.00% rpd
 1205 root       1  96    0  3152K   912K select   0:03  0.00% license-check
 1372 root       1  96    0 28364K  6696K select   0:03  0.00% dcd
 1374 root       1  96    0 11764K  7632K select   0:02  0.00% mib2d
 1405 user       1  96    0 15892K 11132K select   0:02  0.00% cli
  139 root       1  -8    0     0K    12K mdwait   0:02  0.00% md5
   22 root       1 -80 -199     0K    12K WAIT     0:02  0.00% irq9: cbb1 fxp0
 1185 root       1  96    0  4472K  2036K select   0:02  0.00% alarmd
    4 root       1  -8    0     0K    12K          0:02  0.00% g_down
    3 root       1  -8    0     0K    12K          0:02  0.00% g_up
   43 root       1 -16    0     0K    12K psleep   0:02  0.00% vmkmemdaemon
 1377 root       1  96    0  3776K  2256K select   0:01  0.00% irsd
   48 root       1 -16    0     0K    12K          0:01  0.00% schedcpu
   99 root       1  -8    0     0K    12K mdwait   0:01  0.00% md3
  953 root       1  96    0  4168K  2428K select   0:01  0.00% eventd
 1364 root       1  96    0  4872K  2808K select   0:01  0.00% cfmd
   15 root       1 -16    0     0K    12K          0:01  0.00% yarrow
 1350 root       1  96    0 31580K  7248K select   0:01  0.00% cosd
 1378 root       1  96    0 19776K  6292K select   0:01  0.00% lpdfd
...
Checking Kernel and Packet Forwarding Engine Response
As mentioned in “Understanding SNMP Implementation in Junos OS” on page 77, some
SNMP MIB data are maintained by the kernel or Packet Forwarding Engine. For such data
to be available for the network management system, the kernel has to provide the required
information to the SNMP subagent in mib2d. A slow response from the kernel can cause
a delay in mib2d returning the data to the network management system. Junos OS adds
an entry in the mib2d log file every time that an interface takes more than 10,000
microseconds to respond to a request for interface statistics. You can use the show log
log-filename | grep “kernel response time” command to find out the response time taken
by the kernel.
Checking the Kernel Response Time
user@host> show log mib2d | grep "kernel response time"
Aug 17 22:39:37 == kernel response time for COS_IPVPN_DEFAULT_OUTPUT-t1-7/3/0:10:27.0-o: 9.126471 sec, range (0.000007, 11.000806)
Aug 17 22:39:53 == kernel response time for COS_IPVPN_DEFAULT_INPUT-t1-7/2/0:5:15.0-i: 5.387321 sec, range (0.000007, 11.000806)
Aug 17 22:39:53 == kernel response time for ct1-6/1/0:9:15: 0.695406 sec, range (0.000007, 11.000806)
Aug 17 22:40:04 == kernel response time for t1-6/3/0:6:19: 1.878542 sec, range (0.000007, 11.000806)
Aug 17 22:40:22 == kernel response time for lsq-7/0/0: 2.556592 sec, range (0.000007, 11.000806)
Related Documentation
• Understanding SNMP Implementation in Junos OS on page 77
• Configuring SNMP on Devices Running Junos OS on page 183
• Optimizing the Network Management System Configuration for the Best Results on
  page 179
• Configuring Options on Managed Devices for Better SNMP Response Time on page 181
• Managing Traps and Informs
• Using the Enterprise-Specific Utility MIB to Enhance SNMP Coverage on page 247
Tracing SNMP Activity on a Device Running Junos OS
Supported Platforms
ACX Series, EX4600, M Series, MX Series, PTX Series, QFX Series, T Series
SNMP tracing operations track activity for SNMP agents and record the information in
log files. The logged error descriptions provide detailed information to help you solve
problems faster.
By default, Junos OS does not trace any SNMP activity. If you include the traceoptions
statement at the [edit snmp] hierarchy level, the default tracing behavior is:
• Important activities are logged in files located in the /var/log directory. Each log is
  named after the SNMP agent that generates it. Currently, the following log files are
  created in the /var/log directory when the traceoptions statement is used:
  • chassisd
  • craftd
  • ilmid
  • mib2d
  • rmopd
  • serviced
  • snmpd
• When a trace file named filename reaches its maximum size, it is renamed filename.0,
  then filename.1, and so on, until the maximum number of trace files is reached. Then
  the oldest trace file is overwritten. (For more information about how log files are created,
  see the System Log Explorer.)
• Log files can be accessed only by the user who configured the tracing operation.
You cannot change the directory (/var/log) in which trace files are located. However,
you can customize the other trace file settings by including the following statements at
the [edit snmp] hierarchy level:
[edit snmp]
traceoptions {
    file <files number> <match regular-expression> <size size> <world-readable | no-world-readable>;
    flag flag;
    memory-trace;
    no-remote-trace;
    no-default-memory-trace;
}
These statements are described in the following sections:
• Configuring the Number and Size of SNMP Log Files
• Configuring Access to the Log File
• Configuring a Regular Expression for Lines to Be Logged
• Configuring the Trace Operations
Configuring the Number and Size of SNMP Log Files
By default, when the trace file reaches 128 kilobytes (KB) in size, it is renamed filename.0,
then filename.1, and so on, until there are three trace files. Then the oldest trace file
(filename.2) is overwritten.
You can configure the limits on the number and size of trace files by including the following
statements at the [edit snmp traceoptions] hierarchy level:
[edit snmp traceoptions]
file files number size size;
For example, set the maximum file size to 2 MB, and the maximum number of files to 20.
When the file that receives the output of the tracing operation (filename) reaches 2 MB,
filename is renamed filename.0, and a new file called filename is created. When the new
filename reaches 2 MB, filename.0 is renamed filename.1 and filename is renamed
filename.0. This process repeats until there are 20 trace files. Then the oldest file
(filename.19) is overwritten by the newest file (filename.0).
The number of files can be from 2 through 1000 files. The file size of each file can be from
10 KB through 1 gigabyte (GB).
Configuring Access to the Log File
By default, log files can be accessed only by the user who configured the tracing operation.
To specify that any user can read all log files, include the file world-readable statement
at the [edit snmp traceoptions] hierarchy level:
[edit snmp traceoptions]
file world-readable;
To explicitly set the default behavior, include the file no-world-readable statement at the
[edit snmp traceoptions] hierarchy level:
[edit snmp traceoptions]
file no-world-readable;
Configuring a Regular Expression for Lines to Be Logged
By default, the trace operation output includes all lines relevant to the logged activities.
You can refine the output by including the match statement at the [edit snmp traceoptions
file filename] hierarchy level and specifying a regular expression (regex) to be matched:
[edit snmp traceoptions]
file filename match regular-expression;
Configuring the Trace Operations
By default, only important activities are logged. You can specify which trace operations
are to be logged by including the following flag statement (with one or more tracing
flags) at the [edit snmp traceoptions] hierarchy level:
[edit snmp traceoptions]
flag {
    all;
    configuration;
    database;
    events;
    general;
    interface-stats;
    nonvolatile-sets;
    pdu;
    policy;
    protocol-timeouts;
    routing-socket;
    server;
    subagent;
    timer;
    varbind-error;
}
Table 37 on page 352 describes the meaning of the SNMP tracing flags.
Table 37: SNMP Tracing Flags

Flag               Description                                                          Default Setting
all                Log all operations.                                                  Off
configuration      Log reading of the configuration at the [edit snmp] hierarchy level. Off
database           Log events involving storage and retrieval in the events database.   Off
events             Log important events.                                                Off
general            Log general events.                                                  Off
interface-stats    Log physical and logical interface statistics.                       Off
nonvolatile-set    Log nonvolatile SNMP set request handling.                           Off
pdu                Log SNMP request and response packets.                               Off
policy             Log policy processing.                                               Off
protocol-timeouts  Log SNMP response timeouts.                                          Off
routing-socket     Log routing socket calls.                                            Off
server             Log communication with processes that are generating events.         Off
subagent           Log subagent restarts.                                               Off
timer              Log internal timer events.                                           Off
varbind-error      Log variable binding errors.                                         Off
To display the end of the log for an agent, issue the show log agentd | last operational
mode command:
[edit]
user@host# run show log agentd | last
where agent is the name of an SNMP agent.
Related Documentation
• Configuring SNMP on a Device Running Junos OS
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
• Example: Tracing SNMP Activity on page 353
• Configuring SNMP on page 176
Example: Tracing SNMP Activity
Supported Platforms
M Series, MX Series, PTX Series, T Series
Trace information about SNMP packets:
[edit]
snmp {
    traceoptions {
        file size 10k files 5;
        flag pdu;
        flag protocol-timeouts;
        flag varbind-error;
    }
}
Related Documentation
• Configuring SNMP on a Device Running Junos OS
• Tracing SNMP Activity on a Device Running Junos OS on page 349
• Configuration Statements at the [edit snmp] Hierarchy Level on page 172
PART 5
Remote Monitoring (RMON) with SNMP Alarms and Events
• RMON Overview
• Using RMON to Monitor Network Service Quality
• Health Monitoring with SNMP
CHAPTER 14
RMON Overview
• Understanding RMON
• Understanding RMON Alarms
• Understanding RMON Events
• Understanding RMON Alarms and Events Configuration
• RMON MIB Event, Alarm, Log, and History Control Tables
• Minimum RMON Alarm and Event Entry Configuration
• Configuring an RMON Alarm Entry and Its Attributes
• Configuring an RMON Event Entry and Its Attributes
• Example: Configuring an RMON Alarm and Event Entry
• Configuring RMON History Sampling
• Using alarmTable to Monitor MIB Objects
• Using eventTable to Log Alarms
Understanding RMON
Supported Platforms
EX4600, QFX Series
• RMON Overview
• Alarm Thresholds and Events
RMON Overview
The Junos OS supports the Remote Network Monitoring (RMON) MIB (RFC 2819), which
allows a management device to monitor the values of MIB objects, or variables, against
configured thresholds. When the value of a variable crosses a threshold, an alarm and
its corresponding event are generated. The event can be logged and can generate an
SNMP trap.
An operational support system (OSS) or a fault-monitoring system can be used to
automatically monitor events that track many different metrics, including performance,
availability, faults, and environmental data. For example, an administrator might want
to know when the internal temperature of a chassis has risen above a configured threshold,
which might indicate that a chassis fan tray is faulty, the chassis air flow is impeded, or
the facility cooling system in the vicinity of the chassis is not operating normally.
The RMON MIB also defines tables that store various statistics for Ethernet interfaces,
including the etherStatsTable and the etherHistoryTable. The etherStatsTable contains
cumulative real-time statistics for Ethernet interfaces, such as the number of unicast,
multicast, and broadcast packets received on an interface. The etherHistoryTable
maintains a historical sample of statistics for Ethernet interfaces. The control of the
etherHistoryTable, including the interfaces to track and the sampling interval, is defined
by the RMON historyControlTable.
To enable RMON alarms, you perform the following steps:
1. Configure SNMP, including trap groups. You configure SNMP at the [edit snmp]
   hierarchy level.
2. Configure rising and falling events in the eventTable, including the event types and
   trap groups. You can also configure events using the CLI at the [edit snmp rmon event]
   hierarchy level.
3. Configure alarms in the alarmTable, including the variables to monitor, rising and falling
   thresholds, the sampling types and intervals, and the corresponding events to generate
   when alarms occur. You can also configure alarms using the CLI at the [edit snmp
   rmon alarm] hierarchy level.
Extensions to the alarmTable are defined in the Juniper Networks enterprise-specific
MIB jnxRmon (mib-jnx-rmon.txt).
Alarm Thresholds and Events
By setting a rising and a falling threshold for a monitored variable, you can be alerted
whenever the value of the variable falls outside the allowable operational range (see
Figure 6 on page 358).
Figure 6: Setting Thresholds
Events are only generated when the alarm threshold is first crossed in any one direction
rather than after each sample interval. For example, if a rising threshold alarm, along
with its corresponding event, is raised, no more threshold crossing events occur until a
corresponding falling alarm occurs. This considerably reduces the quantity of events that
are produced by the system, making it easier for operations staff to react when events
do occur.
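The threshold behavior described above, as an added Python example (not Junos code): it models one alarm entry with rising and falling thresholds, following the alarmTable behavior described in RFC 2819 and using the sample-type and startup-alarm option names of the Junos rmon alarm statement. The thresholds and readings are constructed.

```python
RISING_STARTUP = ("rising-alarm", "rising-or-falling-alarm")
FALLING_STARTUP = ("falling-alarm", "rising-or-falling-alarm")


class RmonAlarm:
    """Threshold logic of one alarm entry (a model of RFC 2819, not rmopd itself)."""

    def __init__(self, rising, falling, sample_type="absolute-value",
                 startup_alarm="rising-or-falling-alarm"):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup_alarm = sample_type, startup_alarm
        self.prev_raw = None      # last raw reading, needed for delta-value sampling
        self.prev_value = None    # last value that was compared with the thresholds
        self.last_event = None    # direction of the most recent event

    def sample(self, raw):
        """Feed one polled reading; return 'rising', 'falling' or None."""
        if self.sample_type == "delta-value":
            prev_raw, self.prev_raw = self.prev_raw, raw
            if prev_raw is None:
                return None       # a delta needs two readings
            value = raw - prev_raw
        else:
            value = raw
        prev_value, self.prev_value = self.prev_value, value

        event = None
        if value >= self.rising and self.last_event != "rising":
            if prev_value is None:                  # first sample: startup-alarm decides
                crossed = self.startup_alarm in RISING_STARTUP
            else:
                crossed = prev_value < self.rising
            event = "rising" if crossed else None
        elif value <= self.falling and self.last_event != "falling":
            if prev_value is None:
                crossed = self.startup_alarm in FALLING_STARTUP
            else:
                crossed = prev_value > self.falling
            event = "falling" if crossed else None
        if event:
            self.last_event = event   # no further event in this direction until the other fires
        return event


def events_for(alarm, readings):
    """Return (sample index, event) for every reading that generated an event."""
    events = []
    for index, reading in enumerate(readings):
        event = alarm.sample(reading)
        if event:
            events.append((index, event))
    return events


# Constructed chassis temperature readings: the dip to 75 and return to 82 generate
# nothing, because no falling event has occurred since the rising event at index 1.
TEMPERATURES = [70, 85, 90, 75, 82, 55, 58, 81]

# Constructed counter readings sampled as deltas: 10, 490, 10, 5.
COUNTER_READINGS = [1000, 1010, 1500, 1510, 1515]

if __name__ == "__main__":
    print(events_for(RmonAlarm(rising=80, falling=60), TEMPERATURES))
    print(events_for(RmonAlarm(100, 10, "delta-value", "rising-alarm"), COUNTER_READINGS))
```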
Before you configure remote monitoring, you should identify what variables need to be
monitored and their allowable operational range. This requires some period of baselining
to determine the allowable operational ranges. An initial baseline period of at least
3 months is not unusual when you first identify the operational ranges and define
thresholds, but baseline monitoring should continue over the life span of each monitored
variable.
Related Documentation
• Configuring RMON Alarms and Events on page 258
• Juniper Networks Enterprise-Specific MIBs
• RMON MIB Event, Alarm, Log, and History Control Tables on page 362
Understanding RMON Alarms
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series
An RMON alarm identifies:
• A specific MIB object that is monitored.
• The frequency of sampling.
• The method of sampling.
• The thresholds against which the monitored values are compared.
An RMON alarm can also identify a specific eventTable entry to be triggered when a
threshold is crossed.
Configuration and operational values are defined in alarmTable in RFC 2819. Additional
operational values are defined in Juniper Networks enterprise-specific extensions to
alarmTable (jnxRmonAlarmTable).
This topic covers the following sections:
• alarmTable
• jnxRmonAlarmTable
alarmTable
alarmTable in the RMON MIB allows you to monitor and poll the following:
• alarmIndex—The index value for alarmTable that identifies a specific entry.
• alarmInterval—The interval, in seconds, over which data is sampled and compared
  with the rising and falling thresholds.
• alarmVariable—The MIB variable that is monitored by the alarm entry.
• alarmSampleType—The method of sampling the selected variable and calculating the
  value to be compared against the thresholds.
• alarmValue—The value of the variable during the last sampling period. This value is
  compared with the rising and falling thresholds.
• alarmStartupAlarm—The alarm sent when the entry is first activated.
• alarmRisingThreshold—The upper threshold for the sampled variable.
• alarmFallingThreshold—The lower threshold for the sampled variable.
• alarmRisingEventIndex—The eventTable entry used when a rising threshold is crossed.
• alarmFallingEventIndex—The eventTable entry used when a falling threshold is crossed.
• alarmStatus—Method for adding and removing entries from the table. It can also be
  used to change the state of an entry to allow modifications.
  NOTE: If this object is not set to valid, the associated event alarm does not
  take any action.
jnxRmonAlarmTable
The jnxRmonAlarmTable is a Juniper Networks enterprise-specific extension to alarmTable.
It provides additional operational information and includes the following objects:
• jnxRmonAlarmGetFailCnt—The number of times the internal Get request for the variable
  monitored by this entry has failed.
• jnxRmonAlarmGetFailTime—The value of sysUpTime when an internal Get request for
  the variable monitored by this entry last failed.
• jnxRmonAlarmGetFailReason—The reason an internal Get request for the variable
  monitored by this entry last failed.
• jnxRmonAlarmGetOkTime—The value of sysUpTime when an internal Get request for
  the variable monitored by this entry succeeded and the entry left the getFailure state.
• jnxRmonAlarmState—The current state of this RMON alarm entry.
To view the Juniper Networks enterprise-specific extensions to the RMON Events and
Alarms and Event MIB, see
https://www.juniper.net/documentation/en_US/junos16.1/topics/reference/mibs/mib-jnx-rmon.txt.
Related Documentation
• Understanding RMON Events on page 360
• Configuring an RMON Alarm Entry and Its Attributes on page 365
• Using alarmTable to Monitor MIB Objects on page 372
Understanding RMON Events
Supported Platforms
ACX Series, M Series, MX Series, SRX Series, T Series
An RMON event allows you to log the crossing of thresholds of other MIB objects. It is
defined in eventTable for the RMON MIB.
This section covers the following topics:
• eventTable
eventTable
eventTable contains the following objects:
• eventIndex—An index that uniquely identifies an entry in eventTable. Each entry defines
  one event that is generated when the appropriate conditions occur.
• eventDescription—A comment describing the event entry.
• eventType—Type of notification that the probe makes about this event.
• eventCommunity—Trap group used if an SNMP trap is to be sent. If eventCommunity
  is not configured, a trap is sent to each trap group configured with the rmon-alarm
  category.
• eventLastTimeSent—Value of sysUpTime when this event entry last generated an
  event.
• eventOwner—Any text string specified by the creating management application or the
  command-line interface (CLI). Typically, it is used to identify a network manager (or
  application) and can be used for fine access control between participating management
  applications.
• eventStatus—Status of this event entry.
  NOTE: If this object is not set to valid, no action is taken by the associated
  event entry. When this object is set to valid, all previous log entries
  associated with this entry (if any) are deleted.
Related Documentation
• Understanding RMON Alarms on page 359
• Configuring an RMON Event Entry and Its Attributes on page 369
Understanding RMON Alarms and Events Configuration
Supported Platforms
ACX Series, M Series, MX Series, SRX Series, T Series
Junos OS supports monitoring routers from remote devices. The values of monitored MIB
objects are measured against thresholds and trigger events when the thresholds are
crossed. You configure remote monitoring (RMON) alarm and event entries to monitor
the value of a MIB object.
To configure RMON alarm and event entries, you include statements at the [edit snmp]
hierarchy level of the configuration:
[edit snmp]
rmon {
    alarm index {
        description text-description;
        falling-event-index index;
        falling-threshold integer;
        falling-threshold-interval seconds;
        interval seconds;
        rising-event-index index;
        rising-threshold integer;
        request-type (get-next-request | get-request | walk-request);
        sample-type (absolute-value | delta-value);
        startup-alarm (falling-alarm | rising-alarm | rising-or-falling-alarm);
        syslog-subtag syslog-subtag;
        variable oid-variable;
    }
    event index {
        community community-name;
        description description;
        type type;
    }
}
Related Documentation
• Understanding RMON Alarms on page 359
• Understanding RMON Events on page 360
• Configuring an RMON Alarm Entry and Its Attributes on page 365
• Configuring an RMON Event Entry and Its Attributes on page 369
RMON MIB Event, Alarm, Log, and History Control Tables
Supported Platforms
EX4600, OCX1100, QFX Series
The Junos OS supports the Remote Network Monitoring (RMON) MIB (RFC 2819), which
allows a management device to monitor the values of MIB objects, or variables, against
configured thresholds. When the value of a variable crosses a threshold, an alarm and
its corresponding event are generated. The event can be logged and can generate an
SNMP trap.
Table 38 on page 362 provides each field in the RMON eventTable, the description of the
field, and the corresponding Junos OS statement that you can use to configure the field.
The Junos OS statements reside at the [edit snmp rmon] hierarchy level.
Table 38: RMON Event Table

Field             Description                                                                   Statement [edit snmp rmon]
eventDescription  Text description of this event.                                               description
eventType         Type of event (for example, log, trap, or log and trap).                      type
eventCommunity    Trap group to which to send this event, as defined in the Junos OS            community
                  configuration. (This is not the same as the SNMP community.)
eventOwner        Entity (for example, manager) that created this event.                        —
eventStatus       Status of this row (for example, valid, invalid, or createRequest).           —
Table 39 on page 363 provides each field in the RMON alarmTable, the description of the
field, and the corresponding Junos OS statement that you can use to configure the field.
The Junos OS statements reside at the [edit snmp rmon] hierarchy level.
Table 39: RMON Alarm Table
Field | Description | Statement [edit snmp rmon]
alarmStatus | Status of this row (for example, valid, invalid, or createRequest) | —
alarmInterval | Sampling period (in seconds) of the monitored variable | interval
alarmVariable | Object identifier (OID) and instance of the variable to be monitored | —
alarmValue | Actual value of the sampled variable | —
alarmSampleType | Sample type (absolute or delta changes) | sample-type
alarmStartupAlarm | Initial alarm (rising, falling, or either) | startup-alarm
alarmRisingThreshold | Rising threshold against which to compare the value | rising-threshold
alarmFallingThreshold | Falling threshold against which to compare the value | falling-threshold
alarmRisingEventIndex | Index (row) of the rising event in the event table | rising-event-index
alarmFallingEventIndex | Index (row) of the falling event in the event table | falling-event-index
Table 40 on page 363 provides each field in the jnxRmon jnxRmonAlarmTable, which is
an extension to the RMON alarmTable. You can troubleshoot the RMON agent, rmopd,
that runs on a switch by inspecting the contents of the jnxRmonAlarmTable object.
Table 40: jnxRmon Alarm Table
Field | Description
jnxRmonAlarmGetFailCnt | Number of times the internal Get request for the variable failed
jnxRmonAlarmGetFailTime | Value of the sysUpTime object when the last failure occurred
jnxRmonAlarmGetFailReason | Reason why the Get request failed
jnxRmonAlarmGetOkTime | Value of the sysUpTime object when the variable moved out of failure state
jnxRmonAlarmState | Status of this alarm entry
Table 41 on page 364 provides each field in the RMON historyControlTable, the description
of the field, and the corresponding Junos OS statement that you can use to configure
the field. The Junos OS statements reside at the [edit snmp rmon history] hierarchy level.
The historyControlTable controls the RMON etherHistoryTable.
Table 41: RMON History Control Table
Field | Description | Statement [edit snmp rmon history]
historyControlDataSource | Identifies the source of the data for which historical data was collected. | interface
historyControlBucketsRequested | Requested number of discrete time intervals over which data is to be saved. | bucket-size
historyControlBucketsGranted | Number of discrete sampling intervals over which data is to be saved. | —
historyControlInterval | Interval, in seconds, over which the data is sampled for each bucket. | interval
historyControlOwner | Entity that configured this entry. | owner
historyControlStatus | Status of this entry. | —
Related Documentation
• Configuring RMON Alarms and Events on page 258
• Juniper Networks Enterprise-Specific MIBs
• Understanding RMON on page 357
Minimum RMON Alarm and Event Entry Configuration
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
To enable RMON on the router, you must configure an alarm entry and an event entry.
To do this, include the following statements at the [edit snmp rmon] hierarchy level:
[edit snmp rmon]
alarm index {
    rising-event-index index;
    rising-threshold integer;
    sample-type type;
    variable oid-variable;
}
event index;
Related Documentation
• Understanding RMON Alarms and Events Configuration on page 361
• Configuring an RMON Alarm Entry and Its Attributes on page 365
• Configuring an RMON Event Entry and Its Attributes on page 369
Configuring an RMON Alarm Entry and Its Attributes
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series
An alarm entry monitors the value of a MIB variable. You can configure how often the
value is sampled, the type of sampling to perform, and what event to trigger if a threshold
is crossed.
This section discusses the following topics:
• Configuring the Alarm Entry on page 365
• Configuring the Description on page 366
• Configuring the Falling Event Index or Rising Event Index on page 366
• Configuring the Falling Threshold or Rising Threshold on page 366
• Configuring the Interval on page 367
• Configuring the Falling Threshold Interval on page 367
• Configuring the Request Type on page 367
• Configuring the Sample Type on page 368
• Configuring the Startup Alarm on page 368
• Configuring the System Log Tag on page 368
• Configuring the Variable on page 369
Configuring the Alarm Entry
An alarm entry monitors the value of a MIB variable. The rising-event-index,
rising-threshold, sample-type, and variable statements are mandatory. All other
statements are optional.
To configure the alarm entry, include the alarm statement and specify an index at the
[edit snmp rmon] hierarchy level:
[edit snmp rmon]
alarm index {
    description description;
    falling-event-index index;
    falling-threshold integer;
    falling-threshold-interval seconds;
    interval seconds;
    rising-event-index index;
    rising-threshold integer;
    sample-type (absolute-value | delta-value);
    startup-alarm (falling-alarm | rising-alarm | rising-or-falling-alarm);
    variable oid-variable;
}
index is an integer that identifies an alarm or event entry.
Configuring the Description
The description is a text string that identifies the alarm entry.
To configure the description, include the description statement and a description of the
alarm entry at the [edit snmp rmon alarm index] hierarchy level:
[edit snmp rmon alarm index]
description description;
Configuring the Falling Event Index or Rising Event Index
The falling event index identifies the event entry that is triggered when a falling threshold
is crossed. The rising event index identifies the event entry that is triggered when a rising
threshold is crossed.
To configure the falling event index or rising event index, include the falling-event-index
or rising-event-index statement and specify an index at the [edit snmp rmon alarm index]
hierarchy level:
[edit snmp rmon alarm index]
falling-event-index index;
rising-event-index index;
index can be from 0 through 65,535. The default for both the falling and rising event index
is 0.
Configuring the Falling Threshold or Rising Threshold
The falling threshold is the lower threshold for the monitored variable. When the current
sampled value is less than or equal to this threshold, and the value at the last sampling
interval is greater than this threshold, a single event is generated. A single event is also
generated if the first sample after this entry becomes valid is less than or equal to this
threshold, and the associated startup alarm is equal to falling-alarm or
rising-or-falling-alarm. After a falling event is generated, another falling event cannot be
generated until the sampled value rises above this threshold and reaches the rising
threshold. You must specify the falling threshold as an integer. Its default is 20 percent
less than the rising threshold.
By default, the rising threshold is 0. The rising threshold is the upper threshold for the
monitored variable. When the current sampled value is greater than or equal to this
threshold, and the value at the last sampling interval is less than this threshold, a single
event is generated. A single event is also generated if the first sample after this entry
becomes valid is greater than or equal to this threshold, and the associated startup-alarm
is equal to rising-alarm or rising-or-falling-alarm. After a rising event is generated, another
rising event cannot be generated until the sampled value falls below this threshold and
reaches the falling threshold. You must specify the rising threshold as an integer.
To configure the falling threshold or rising threshold, include the falling-threshold or
rising-threshold statement at the [edit snmp rmon alarm index] hierarchy level:
[edit snmp rmon alarm index]
falling-threshold integer;
rising-threshold integer;
integer can be a value from -2,147,483,647 through 2,147,483,647.
Configuring the Interval
The interval represents the period of time, in seconds, over which the monitored variable
is sampled and compared with the rising and falling thresholds.
To configure the interval, include the interval statement and specify the number of seconds
at the [edit snmp rmon alarm index] hierarchy level:
[edit snmp rmon alarm index]
interval seconds;
seconds can be a value from 1 through 2,147,483,647. The default is 60 seconds.
Configuring the Falling Threshold Interval
The falling threshold interval represents the interval between samples when the rising
threshold is crossed. Once the alarm crosses the falling threshold, the regular sampling
interval is used.
NOTE: You cannot configure the falling threshold interval for alarms that
have the request type set to walk-request.
To configure the falling threshold interval, include the falling-threshold-interval statement
at the [edit snmp rmon alarm index] hierarchy level and specify the number of seconds:
[edit snmp rmon alarm index]
falling-threshold-interval seconds;
seconds can be a value from 1 through 2,147,483,647. The default is 60 seconds.
Configuring the Request Type
By default an RMON alarm can monitor only one object instance (as specified in the
configuration). You can configure a request-type statement to extend the scope of the
RMON alarm to include all object instances belonging to a MIB branch or to include the
next object instance after the instance specified in the configuration.
To configure the request type, include the request-type statement at the [edit snmp rmon
alarm index] hierarchy level and specify get-next-request, get-request, or walk-request:
[edit snmp rmon alarm index]
request-type (get-next-request | get-request | walk-request);
walk-request extends the RMON alarm configuration to all object instances belonging to
a MIB branch. get-next-request extends the RMON alarm configuration to include the next
object instance after the instance specified in the configuration.
Configuring the Sample Type
The sample type identifies the method of sampling the selected variable and calculating
the value to be compared against the thresholds. If the value of this object is
absolute-value, the value of the selected variable is compared directly with the thresholds
at the end of the sampling interval. If the value of this object is delta-value, the value of
the selected variable at the last sample is subtracted from the current value, and the
difference is compared with the thresholds.
To configure the sample type, include the sample-type statement and specify the type
of sample at the [edit snmp rmon alarm index] hierarchy level:
[edit snmp rmon alarm index]
sample-type (absolute-value | delta-value);
• absolute-value—Actual value of the selected variable is compared against the
thresholds.
• delta-value—Difference between samples of the selected variable is compared against
the thresholds.
Configuring the Startup Alarm
The startup alarm identifies the type of alarm that can be sent when this entry is first
activated. You can specify it as falling-alarm, rising-alarm, or rising-or-falling-alarm.
To configure the startup alarm, include the startup-alarm statement and specify the type
of alarm at the [edit snmp rmon alarm index] hierarchy level:
[edit snmp rmon alarm index]
startup-alarm (falling-alarm | rising-alarm | rising-or-falling-alarm);
• falling-alarm—Generated if the first sample after the alarm entry becomes active is
less than or equal to the falling threshold.
• rising-alarm—Generated if the first sample after the alarm entry becomes active is
greater than or equal to the rising threshold.
• rising-or-falling-alarm—Generated if the first sample after the alarm entry becomes
active satisfies either of the corresponding thresholds.
The default is rising-or-falling-alarm.
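The rising and falling threshold rules, the two sample types, and the startup alarm described above can be traced with a small model. The following Python sketch is an added example, not Juniper code: the class, function names, and counter readings are constructed for illustration, and treating the first reading of a delta-value alarm as a baseline only is a modelling assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_TYPES = ("absolute-value", "delta-value")
STARTUP_ALARMS = ("falling-alarm", "rising-alarm", "rising-or-falling-alarm")


@dataclass
class RmonAlarm:
    """Hypothetical model of one alarm entry; not the Junos implementation."""
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "absolute-value"
    startup_alarm: str = "rising-or-falling-alarm"
    _prev_raw: Optional[int] = field(default=None, init=False, repr=False)
    _prev_value: Optional[int] = field(default=None, init=False, repr=False)
    _last_event: Optional[str] = field(default=None, init=False, repr=False)

    def __post_init__(self) -> None:
        if self.sample_type not in SAMPLE_TYPES:
            raise ValueError(f"unknown sample type: {self.sample_type}")
        if self.startup_alarm not in STARTUP_ALARMS:
            raise ValueError(f"unknown startup alarm: {self.startup_alarm}")
        if self.falling_threshold > self.rising_threshold:
            raise ValueError("falling threshold is above rising threshold")

    def _to_value(self, raw: int) -> Optional[int]:
        """Turn a raw reading into the value compared with the thresholds."""
        if self.sample_type == "absolute-value":
            return raw
        # delta-value: last sample subtracted from the current one.
        # Assumption: the very first reading only primes the baseline.
        prev, self._prev_raw = self._prev_raw, raw
        return None if prev is None else raw - prev

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading; return 'rising', 'falling' or None."""
        value = self._to_value(raw)
        if value is None:
            return None
        first = self._prev_value is None
        prev, self._prev_value = self._prev_value, value
        event = None
        # Rising: at or above the threshold now, below it at the last
        # sample, and no rising event since the last falling event.
        if value >= self.rising_threshold and self._last_event != "rising":
            if first:
                crossed = self.startup_alarm != "falling-alarm"
            else:
                crossed = prev < self.rising_threshold
            if crossed:
                event = "rising"
        # Falling: the mirror image of the rising rule.
        if (event is None and value <= self.falling_threshold
                and self._last_event != "falling"):
            if first:
                crossed = self.startup_alarm != "rising-alarm"
            else:
                crossed = prev > self.falling_threshold
            if crossed:
                event = "falling"
        if event:
            self._last_event = event
        return event


def run(alarm: RmonAlarm, readings: List[int]) -> List[Tuple[int, str]]:
    """Return (reading index, event) for every event the readings trigger."""
    events = []
    for i, raw in enumerate(readings):
        event = alarm.sample(raw)
        if event:
            events.append((i, event))
    return events


# Constructed cumulative octet counter, one reading per sampling interval.
READINGS = [0, 50_000, 200_000, 350_000, 400_000,
            560_000, 565_000, 566_000, 700_000]

if __name__ == "__main__":
    alarm = RmonAlarm(100_000, 10_000, sample_type="delta-value")
    for index, event in run(alarm, READINGS):
        print(f"reading {index}: {event} event")
```

The second burst above the rising threshold (reading 5) produces no event because the value has not yet reached the falling threshold since the first rising event.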
Configuring the System Log Tag
The syslog-subtag statement specifies the tag to be added to the system log message.
You can specify a string of not more than 80 uppercase characters as the system log
tag.
To configure the system log tag, include the syslog-subtag statement at the [edit snmp
rmon alarm index] hierarchy level:
[edit snmp rmon alarm index]
syslog-subtag syslog-subtag;
Configuring the Variable
The variable identifies the MIB object that is being monitored.
To configure the variable, include the variable statement and specify the object identifier
or object name at the [edit snmp rmon alarm index] hierarchy level:
[edit snmp rmon alarm index]
variable oid-variable;
oid-variable is a dotted decimal (for example, 1.3.6.1.2.1.2.1.2.2.1.10.1) or MIB object name
(for example, ifInOctets.1).
See Also
• Understanding RMON Alarms and Events Configuration on page 361
• Understanding RMON Alarms on page 359
• Understanding RMON Events on page 360
• Configuring an RMON Event Entry and Its Attributes on page 369
• Example: Configuring an RMON Alarm and Event Entry on page 370
Configuring an RMON Event Entry and Its Attributes
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series
An event entry generates a notification for an alarm entry when its rising or falling threshold
is crossed. You can configure the type of notification that is generated. To configure the
event entry, include the event statement at the [edit snmp rmon] hierarchy level. All
statements except the event statement are optional.
[edit snmp rmon]
event index {
community community-name;
description description;
type type;
}
index identifies an event entry.
community-name is the trap group that is used when generating a trap. If that trap group
has the rmon-alarm trap category configured, a trap is sent to all the targets configured
for that trap group. The community string in the trap matches the name of the trap group.
If nothing is configured, all the trap groups are examined, and traps are sent using each
group with the rmon-alarm category set.
description is a text string that identifies the entry.
The type variable of an event entry specifies where the event is to be logged. You can
specify the type as one of the following:
• log—Adds the event entry to the logTable.
• log-and-trap—Sends an SNMP trap and creates a log entry.
• none—Sends no notification.
• snmptrap—Sends an SNMP trap.
The default for the event entry type is log-and-trap.
Related Documentation
• Understanding RMON Alarms and Events Configuration on page 361
• Understanding RMON Alarms on page 359
• Understanding RMON Events on page 360
• Configuring an RMON Alarm Entry and Its Attributes on page 365
• Example: Configuring an RMON Alarm and Event Entry on page 370
Example: Configuring an RMON Alarm and Event Entry
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series
Configure an RMON alarm and event entry:
[edit snmp]
rmon {
    alarm 100 {
        description "input traffic on fxp0";
        falling-event-index 100;
        falling-threshold 10000;
        interval 60;
        rising-event-index 100;
        rising-threshold 100000;
        sample-type delta-value;
        startup-alarm rising-or-falling-alarm;
        variable ifInOctets.1;
    }
    event 100 {
        community bedrock;
        description "emergency events";
        type log-and-trap;
    }
}
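As an added example (not part of the Juniper documentation), the following Python script audits an rmon stanza against the limits stated in this chapter: mandatory alarm statements, value ranges, the walk-request restriction, the syslog-subtag format, and event indexes that are 0 or point to no configured event. The parser handles only the simple stanza layout shown above, and the second configuration is constructed to fail.

```python
import re

# Limits and choices as stated in this chapter for [edit snmp rmon].
MANDATORY = ("rising-event-index", "rising-threshold", "sample-type", "variable")
INT_RANGES = {
    "falling-event-index": (0, 65535),
    "rising-event-index": (0, 65535),
    "falling-threshold": (-2147483647, 2147483647),
    "rising-threshold": (-2147483647, 2147483647),
    "interval": (1, 2147483647),
    "falling-threshold-interval": (1, 2147483647),
}
CHOICES = {
    "sample-type": {"absolute-value", "delta-value"},
    "startup-alarm": {"falling-alarm", "rising-alarm", "rising-or-falling-alarm"},
    "request-type": {"get-next-request", "get-request", "walk-request"},
}
EVENT_TYPES = {"log", "log-and-trap", "none", "snmptrap"}
ENTRY_RE = re.compile(r"(alarm|event)\s+(\d+)\s*([{;])$")


def parse_rmon(text):
    """Return {'alarm': {index: {statement: value}}, 'event': {...}}."""
    entries = {"alarm": {}, "event": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            kind, index, tail = match.group(1), int(match.group(2)), match.group(3)
            entries[kind][index] = {}
            # "event 100;" declares an entry with no statements of its own.
            current = entries[kind][index] if tail == "{" else None
        elif line == "}":
            current = None
        elif current is not None and line.endswith(";"):
            name, _, value = line[:-1].partition(" ")
            current[name] = value.strip().strip('"')
    return entries


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_rmon(text)
    findings = []
    for index, stmts in sorted(cfg["alarm"].items()):
        where = f"alarm {index}"
        for name in MANDATORY:
            if name not in stmts:
                findings.append(f"{where}: missing mandatory {name}")
        for name, (low, high) in INT_RANGES.items():
            if name in stmts:
                try:
                    in_range = low <= int(stmts[name]) <= high
                except ValueError:
                    in_range = False
                if not in_range:
                    findings.append(f"{where}: {name} {stmts[name]} outside {low}..{high}")
        for name, allowed in CHOICES.items():
            if name in stmts and stmts[name] not in allowed:
                findings.append(f"{where}: {name} {stmts[name]} is not a valid choice")
        if stmts.get("request-type") == "walk-request" and "falling-threshold-interval" in stmts:
            findings.append(f"{where}: falling-threshold-interval not allowed with walk-request")
        tag = stmts.get("syslog-subtag")
        if tag is not None and (len(tag) > 80 or tag != tag.upper()):
            findings.append(f"{where}: syslog-subtag must be at most 80 uppercase characters")
        for name in ("rising-event-index", "falling-event-index"):
            ref = stmts.get(name, "")
            if ref.isdigit() and int(ref) == 0:
                findings.append(f"{where}: {name} 0 is not a valid event index")
            elif ref.isdigit() and int(ref) not in cfg["event"]:
                findings.append(f"{where}: {name} {ref} has no matching event entry")
    for index, stmts in sorted(cfg["event"].items()):
        kind = stmts.get("type", "log-and-trap")  # default stated in this chapter
        if kind not in EVENT_TYPES:
            findings.append(f"event {index}: type {kind} is not a valid choice")
        elif kind == "none":
            findings.append(f"event {index}: type none sends no notification")
    return findings


# The example configuration from this section.
GOOD_CONFIG = """
rmon {
    alarm 100 {
        description "input traffic on fxp0";
        falling-event-index 100;
        falling-threshold 10000;
        interval 60;
        rising-event-index 100;
        rising-threshold 100000;
        sample-type delta-value;
        startup-alarm rising-or-falling-alarm;
        variable ifInOctets.1;
    }
    event 100 {
        community bedrock;
        description "emergency events";
        type log-and-trap;
    }
}
"""

# Constructed configuration that breaks several of the stated rules.
BAD_CONFIG = """
rmon {
    alarm 200 {
        falling-threshold-interval 30;
        interval 0;
        request-type walk-request;
        rising-event-index 7;
        rising-threshold 100000;
        syslog-subtag LinkLoad;
        variable ifInOctets.1;
    }
    event 100 {
        type none;
    }
}
"""

if __name__ == "__main__":
    for label, config in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(config) or "no findings")
```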
Related Documentation
• Understanding RMON Alarms and Events Configuration on page 361
• Configuring an RMON Alarm Entry and Its Attributes on page 365
• Configuring an RMON Event Entry and Its Attributes on page 369
Configuring RMON History Sampling
Supported Platforms
EX Series, OCX1100, QFX Series
The Junos OS supports the history control group (etherHistoryTable) of the Remote
Network Monitoring (RMON) MIB (RFC 2819). The history control tables record statistical
samples from an Ethernet network and store them for later retrieval.
To configure RMON history sampling and view or clear collected statistics using the Junos
OS CLI, perform the following tasks:
• Configuring RMON History Sampling Collection on page 371
• Viewing and Clearing RMON History Statistics on page 371
Configuring RMON History Sampling Collection
Use the history statement at the [edit snmp rmon] hierarchy level to configure RMON
history sampling collection parameters. The following parameters are required:
• History index: The history entry is identified by an integer history index value
(historyControlIndex MIB field) specified when you configure this statement, which is
used to display or clear collected results later.
• Interface: The interface to monitor for the specified history index. Only one interface
can be associated with a particular RMON history index.
In addition to the required parameters, you can specify a custom sampling interval (in
seconds) and the sampling bucket-size (number of discrete samples to be collected in
a given interval).
[edit snmp]
user@switch# set rmon history history-index interface interface-name
user@switch# set rmon history history-index interval seconds
user@switch# set rmon history history-index bucket-size number
An optional tag (owner) associated with the history index can also be assigned to the
collection.
Viewing and Clearing RMON History Statistics
Use the show snmp rmon history command to display collected RMON history table
entries. You can also use the show snmp mib walk command to view RMON history table
field samples.
The following sample RMON configuration sets up a history table sampling for interface
xe-0/0/20.0 using a history index value of 1:
user@switch# show snmp | display set
set snmp rmon history 1 interface xe-0/0/20.0
set snmp rmon history 1 bucket-size 1000
set snmp rmon history 1 interval 5
set snmp rmon history 1 owner test
Using the show snmp mib walk command, you can see etherHistoryPkts field statistics
collected for history index 1:
user@switch> show snmp mib walk etherHistoryPkts
etherHistoryPkts.1.1 = 0
<...>
etherHistoryPkts.1.148 = 10
etherHistoryPkts.1.149 = 14
To clear collected RMON history statistics, use the clear snmp history command. After
clearing samples collected up to that point, collection continues again at the configured
interval, and new samples are recorded. This command has options to clear collected
samples of a particular configured history index or to clear all samples from all configured
indices.
For example, the following command clears collected RMON history samples for history
control index 1 configured above:
user@switch> clear snmp history 1
Samples collected are cleared.
user@switch> show snmp mib walk etherHistoryPkts | no-more
user@switch> show snmp mib walk etherHistoryPkts | no-more
etherHistoryPkts.1.1 = 0
Related Documentation
• RMON MIB Event, Alarm, Log, and History Control Tables on page 362
Using alarmTable to Monitor MIB Objects
Supported Platforms
M Series, MX Series, T Series
To use alarmTable to monitor a MIB object, perform the following tasks:
• Creating an Alarm Entry on page 372
• Configuring the Alarm MIB Objects on page 372
• Activating a New Row in alarmTable on page 375
• Modifying an Active Row in alarmTable on page 375
• Deactivating a Row in alarmTable on page 375
Creating an Alarm Entry
To create an alarm entry, first create a new row in alarmTable using the alarmStatus
object. For example, create alarm #1 using the UCD command-line utilities:
snmpset -Os -v2c router community alarmStatus.1 i createRequest
Configuring the Alarm MIB Objects
Once you have created the new row in alarmTable, configure the following Alarm MIB
objects:
NOTE: Other than alarmStatus, you cannot modify any of the objects in the
entry if the associated alarmStatus object is set to valid.
• alarmInterval on page 373
• alarmVariable on page 373
• alarmSampleType on page 373
• alarmValue on page 374
• alarmStartupAlarm on page 374
• alarmRisingThreshold on page 374
• alarmFallingThreshold on page 374
• alarmOwner on page 374
• alarmRisingEventIndex on page 375
• alarmFallingEventIndex on page 375
alarmInterval
The interval, in seconds, over which data is sampled and compared with the rising and
falling thresholds. For example, to set alarmInterval for alarm #1 to 30 seconds, use the
following SNMP Set request:
snmpset -Os -v2c router community alarmInterval.1 i 30
alarmVariable
The object identifier of the variable to be sampled. During a Set request, if the supplied
variable name is not available in the selected MIB view, a badValue error is returned. If at
any time the variable name of an established alarmEntry is no longer available in the
selected MIB view, the probe changes the status of alarmVariable to invalid. For example,
to identify ifInOctets.61 as the variable to be monitored, use the following SNMP Set
request:
snmpset -Os -v2c router community alarmVariable.1 o .1.3.6.1.2.1.2.2.1.10.61
alarmSampleType
The method of sampling the selected variable and calculating the value to be compared
against the thresholds. If the value of this object is absoluteValue, the value of the selected
variable is compared directly with the thresholds at the end of the sampling interval. If
the value of this object is deltaValue, the value of the selected variable at the last sample
is subtracted from the current value, and the difference is compared with the thresholds.
For example, to set alarmSampleType for alarm #1 to deltaValue, use the following SNMP
Set request:
snmpset -Os -v2c router community alarmSampleType.1 i deltaValue
alarmValue
The value of the variable during the last sampling period. This value is compared with
the rising and falling thresholds. If the sample type is deltaValue, this value equals the
difference between the samples at the beginning and end of the period. If the sample
type is absoluteValue, this value equals the sampled value at the end of the period.
alarmStartupAlarm
An alarm that is sent when this entry is first set to valid. If the first sample after this entry
becomes valid is greater than or equal to risingThreshold, and alarmStartupAlarm is equal
to risingAlarm or risingOrFallingAlarm, then a single rising alarm is generated. If the first
sample after this entry becomes valid is less than or equal to fallingThreshold and
alarmStartupAlarm is equal to fallingAlarm or risingOrFallingAlarm, then a single falling
alarm is generated. For example, to set alarmStartupAlarm for alarm #1 to
risingOrFallingAlarm, use the following SNMP Set request:
snmpset -Os -v2c router community alarmStartupAlarm.1 i risingOrFallingAlarm
alarmRisingThreshold
A threshold for the sampled variable. When the current sampled value is greater than or
equal to this threshold, and the value at the last sampling interval is less than this
threshold, a single event is generated. A single event is also generated if the first sample
after this entry becomes valid is greater than or equal to this threshold, and the associated
alarmStartupAlarm is equal to risingAlarm or risingOrFallingAlarm. After a rising event is
generated, another rising event cannot be generated until the sampled value falls below
this threshold and reaches alarmFallingThreshold. For example, to set
alarmRisingThreshold for alarm #1 to 100000, use the following SNMP Set request:
snmpset -Os -v2c router community alarmRisingThreshold.1 i 100000
alarmFallingThreshold
A threshold for the sampled variable. When the current sampled value is less than or
equal to this threshold, and the value at the last sampling interval is greater than this
threshold, a single event is generated. A single event is also generated if the first sample
after this entry becomes valid is less than or equal to this threshold, and the associated
alarmStartupAlarm is equal to fallingAlarm or risingOrFallingAlarm. After a falling event
is generated, another falling event cannot be generated until the sampled value rises
above this threshold and reaches alarmRisingThreshold. For example, to set
alarmFallingThreshold for alarm #1 to 10000, use the following SNMP Set request:
snmpset -Os -v2c router community alarmFallingThreshold.1 i 10000
alarmOwner
Any text string specified by the creating management application or the command-line
interface (CLI). Typically, it is used to identify a network manager (or application) and
can be used for fine access control between participating management applications.
alarmRisingEventIndex
The index of the eventEntry object that is used when a rising threshold is crossed. If there
is no corresponding entry in eventTable, then no association exists. If this value is zero,
no associated event is generated because zero is not a valid event index. For example,
to set alarmRisingEventIndex for alarm #1 to 10, use the following SNMP Set request:
snmpset -Os -v2c router community alarmRisingEventIndex.1 i 10
alarmFallingEventIndex
The index of the eventEntry object that is used when a falling threshold is crossed. If there
is no corresponding entry in eventTable, then no association exists. If this value is zero,
no associated event is generated because zero is not a valid event index. For example,
to set alarmFallingEventIndex for alarm #1 to 10, use the following SNMP Set request:
snmpset -Os -v2c router community alarmFallingEventIndex.1 i 10
Activating a New Row in alarmTable
To activate a new row in alarmTable, set alarmStatus to valid using an SNMP Set request:
snmpset -Os -v2c router community alarmStatus.1 i valid
Modifying an Active Row in alarmTable
To modify an active row, first set alarmStatus to underCreation using an SNMP Set request:
snmpset -Os -v2c router community alarmStatus.1 i underCreation
Then change the row contents using an SNMP Set request:
snmpset -Os -v2c router community alarmFallingThreshold.1 i 1000
Finally, activate the row by setting alarmStatus to valid using an SNMP Set request:
snmpset -Os -v2c router community alarmStatus.1 i valid
Deactivating a Row in alarmTable
To deactivate a row in alarmTable, set alarmStatus to invalid using an SNMP Set request:
snmpset -Os -v2c router community alarmStatus.1 i invalid
Related Documentation
• Understanding RMON Alarms on page 359
• Understanding RMON Events on page 360
• Configuring an RMON Alarm Entry and Its Attributes on page 365
Using eventTable to Log Alarms
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
To use eventTable to log alarms, perform the following tasks:
• Creating an Event Entry on page 376
• Configuring the MIB Objects on page 376
• Activating a New Row in eventTable on page 378
• Deactivating a Row in eventTable on page 378
Creating an Event Entry
The RMON eventTable controls the generation of notifications from the router.
Notifications can be logs (entries to logTable and syslogs) or SNMP traps. Each event
entry can be configured to generate any combination of these notifications (or no
notification). When an event specifies that an SNMP trap is to be generated, the trap
group that is used when sending the trap is specified by the value of the associated
eventCommunity object. Consequently, the community in the trap message will match
the value specified by eventCommunity. If nothing is configured for eventCommunity, a
trap is sent using each trap group that has the rmon-alarm category configured.
Configuring the MIB Objects
Once you have created the new row in eventTable, set the following objects:
NOTE: The eventType object is required. All other objects are optional.
• eventType on page 376
• eventCommunity on page 377
• eventOwner on page 377
• eventDescription on page 377
eventType
The type of notification that the router generates when the event is triggered.
This object can be set to the following values:
• log—Adds the event entry to logTable.
• log-and-trap—Sends an SNMP trap and creates a log entry.
• none—Sends no notification.
• snmptrap—Sends an SNMP trap.
For example, to set eventType for event #1 to log-and-trap, use the following SNMP Set
request:
snmpset -Os -v2c router community eventType.1 i log-and-trap
eventCommunity
The trap group that is used when generating a trap (if eventType is configured to send
traps). If that trap group has the rmon-alarm trap category configured, a trap is sent to
all the targets configured for that trap group. The community string in the trap matches
the name of the trap group (and hence, the value of eventCommunity). If nothing is
configured, traps are sent to each group with the rmon-alarm category set. For example,
to set eventCommunity for event #1 to boy-elroy, use the following SNMP Set request:
snmpset -Os -v2c router community eventCommunity.1 s "boy-elroy"
NOTE: The eventCommunity object is optional. If you do not set this object,
then the field is left blank.
eventOwner
Any text string specified by the creating management application or the command-line
interface (CLI). Typically, it is used to identify a network manager (or application) and
can be used for fine access control between participating management applications.
For example, to set eventOwner for event #1 to george jetson, use the following SNMP
Set request:
snmpset -Os -v2c router community eventOwner.1 s "george jetson"
NOTE: The eventOwner object is optional. If you do not set this object, then
the field is left blank.
eventDescription
Any text string specified by the creating management application or the command-line
interface (CLI). The use of this string is application dependent.
For example, to set eventDescription for event #1 to spacelys sprockets, use the following
SNMP Set request:
snmpset -Os -v2c router community eventDescription.1 s "spacelys sprockets"
NOTE: The eventDescription object is optional. If you do not set this object,
then the field is left blank.
Activating a New Row in eventTable
To activate the new row in eventTable, set eventStatus to valid using an SNMP Set request
such as:
snmpset -Os -v2c router community eventStatus.1 i valid
Deactivating a Row in eventTable
To deactivate a row in eventTable, set eventStatus to invalid using an SNMP Set request
such as:
snmpset -Os -v2c router community eventStatus.1 i invalid
Related Documentation
• Understanding RMON Alarms on page 359
• Understanding RMON Events on page 360
• Configuring an RMON Event Entry and Its Attributes on page 369
CHAPTER 15
Using RMON to Monitor Network Service Quality
• Understanding RMON for Monitoring Service Quality on page 379
• Understanding Measurement Points, Key Performance Indicators, and Baseline
Values on page 383
• Defining and Measuring Network Availability on page 384
• Measuring Health on page 390
• Measuring Performance on page 396
Understanding RMON for Monitoring Service Quality
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series
Health and performance monitoring can benefit from the remote monitoring of SNMP
variables by the local SNMP agents running on each router. The SNMP agents compare
MIB values against predefined thresholds and generate exception alarms without the
need for polling by a central SNMP management platform. This is an effective mechanism
for proactive management, as long as the thresholds have baselines determined and set
correctly. For more information, see RFC 2819, Remote Network Monitoring MIB.
This topic includes the following sections:
• Setting Thresholds on page 379
• RMON Command-Line Interface on page 380
• RMON Event Table on page 381
• RMON Alarm Table on page 381
• Troubleshooting RMON on page 382
Setting Thresholds
By setting a rising and a falling threshold for a monitored variable, you can be alerted
whenever the value of the variable falls outside of the allowable operational range. (See
Figure 7 on page 380.)
Figure 7: Setting Thresholds
Events are only generated when the threshold is first crossed in any one direction rather
than after each sample period. For example, if a rising threshold crossing event is raised,
no more threshold crossing events will occur until a corresponding falling event. This
considerably reduces the quantity of alarms that are produced by the system, making it
easier for operations staff to react when alarms do occur.
To configure remote monitoring, specify the following pieces of information:
• The variable to be monitored (by its SNMP object identifier)
• The length of time between each inspection
• A rising threshold
• A falling threshold
• A rising event
• A falling event
Before you can successfully configure remote monitoring, you should identify what
variables need to be monitored and their allowable operational range. This requires some
period of baselining to determine the allowable operational ranges. An initial baseline
period of at least three months is not unusual when first identifying the operational ranges
and defining thresholds, but baseline monitoring should continue over the life span of
each monitored variable.
RMON Command-Line Interface
Junos OS provides two mechanisms you use to control the Remote Monitoring agent on
the router: command-line interface (CLI) and SNMP. To configure an RMON entry using
the CLI, include the following statements at the [edit snmp] hierarchy level:
rmon {
    alarm index {
        description;
        falling-event-index;
        falling-threshold;
        intervals;
        rising-event-index;
        rising-threshold;
        sample-type (absolute-value | delta-value);
        startup-alarm (falling | rising | rising-or-falling);
        variable;
    }
    event index {
        community;
        description;
        type (log | trap | log-and-trap | none);
    }
}
If you do not have CLI access, you can configure remote monitoring using the SNMP
Manager or management application, assuming SNMP access has been granted. (See
Table 42 on page 381.) To configure RMON using SNMP, perform SNMP Set requests to
the RMON event and alarm tables.
RMON Event Table
Set up an event for each type that you want to generate. For example, you could have
two generic events, rising and falling, or many different events for each variable that is
being monitored (for example, temperature rising event, temperature falling event, firewall
hit event, interface utilization event, and so on). Once the events have been configured,
you do not need to update them.
Table 42: RMON Event Table

| Field | Description |
|---|---|
| eventDescription | Text description of this event |
| eventType | Type of event (for example, log, trap, or log and trap) |
| eventCommunity | Trap group to which to send this event (as defined in the Junos OS configuration, which is not the same as the community) |
| eventOwner | Entity (for example, manager) that created this event |
| eventStatus | Status of this row (for example, valid, invalid, or createRequest) |

RMON Alarm Table
The RMON alarm table stores the SNMP object identifiers (including their instances) of
the variables that are being monitored, together with any rising and falling thresholds
and their corresponding event indexes. To create an RMON request, specify the fields
shown in Table 43 on page 381.
Table 43: RMON Alarm Table

| Field | Description |
|---|---|
| alarmStatus | Status of this row (for example, valid, invalid, or createRequest) |
| alarmInterval | Sampling period (in seconds) of the monitored variable |
| alarmVariable | OID (and instance) of the variable to be monitored |
| alarmValue | Actual value of the sampled variable |
| alarmSampleType | Sample type (absolute or delta changes) |
| alarmStartupAlarm | Initial alarm (rising, falling, or either) |
| alarmRisingThreshold | Rising threshold against which to compare the value |
| alarmFallingThreshold | Falling threshold against which to compare the value |
| alarmRisingEventIndex | Index (row) of the rising event in the event table |
| alarmFallingEventIndex | Index (row) of the falling event in the event table |

Both the alarmStatus and eventStatus fields are entryStatus primitives, as defined in RFC
2579, Textual Conventions for SMIv2.
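The threshold behavior described under Setting Thresholds, driven by the alarm-table fields in Table 43, can be modelled directly. The following Python model is an added example, not Junos OS or rmopd code; the class and function names and the sample readings are constructed for illustration, and the crossing rules follow the alarmRisingThreshold and alarmFallingThreshold definitions in RFC 2819.

```python
from dataclasses import dataclass
from typing import List, Optional

RISING_OK = ("rising", "rising-or-falling")
FALLING_OK = ("falling", "rising-or-falling")


@dataclass
class RmonAlarm:
    """Model of one alarm entry; option values mirror the [edit snmp rmon alarm] statements."""
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "absolute-value"        # or "delta-value"
    startup_alarm: str = "rising-or-falling"   # or "rising" / "falling"

    def __post_init__(self) -> None:
        # Assumption of this model: hysteresis needs the rising threshold above the falling one.
        if self.rising_threshold <= self.falling_threshold:
            raise ValueError("rising threshold must be above falling threshold")
        self.prev_raw: Optional[int] = None     # previous reading (delta sampling only)
        self.prev_value: Optional[int] = None   # previous value that was compared
        self.rising_armed = True                # False after a rising event
        self.falling_armed = True               # False after a falling event

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading of the monitored variable; return the event raised, if any."""
        if self.sample_type == "delta-value":
            if self.prev_raw is None:           # two readings are needed for a delta
                self.prev_raw = raw
                return None
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw

        event = None
        if self.prev_value is None:
            # First comparison after the entry becomes valid: startup-alarm decides.
            if value >= self.rising_threshold and self.startup_alarm in RISING_OK:
                event = "rising"
            elif value <= self.falling_threshold and self.startup_alarm in FALLING_OK:
                event = "falling"
        elif value >= self.rising_threshold > self.prev_value and self.rising_armed:
            event = "rising"
        elif value <= self.falling_threshold < self.prev_value and self.falling_armed:
            event = "falling"

        # An event disarms its own direction until the opposite event has fired.
        if event == "rising":
            self.rising_armed, self.falling_armed = False, True
        elif event == "falling":
            self.rising_armed, self.falling_armed = True, False
        self.prev_value = value
        return event


def run(alarm: RmonAlarm, readings: List[int]) -> List[Optional[str]]:
    """Apply a sequence of readings and collect the event (or None) for each."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Constructed readings, for example a temperature sampled once per interval.
    readings = [50, 70, 85, 90, 75, 88, 55, 58, 95]
    alarm = RmonAlarm(rising_threshold=80, falling_threshold=60, startup_alarm="rising")
    for value, event in zip(readings, run(alarm, readings)):
        print(f"{value:>3}  {event or '-'}")
```

The reading of 88 raises no event even though it crosses the rising threshold again, because no falling event has occurred since the rising event at 85.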
Troubleshooting RMON
You troubleshoot the RMON agent, rmopd, that runs on the router by inspecting the
contents of the Juniper Networks enterprise RMON MIB, jnxRmon, which provides the
extensions listed in Table 44 on page 382 to the RFC 2819 alarmTable.
Table 44: jnxRmon Alarm Extensions

| Field | Description |
|---|---|
| jnxRmonAlarmGetFailCnt | Number of times the internal Get request for the variable failed |
| jnxRmonAlarmGetFailTime | Value of sysUpTime when the last failure occurred |
| jnxRmonAlarmGetFailReason | Reason why the Get request failed |
| jnxRmonAlarmGetOkTime | Value of sysUpTime when the variable moved out of failure state |
| jnxRmonAlarmState | Status of this alarm entry |

Monitoring the extensions in this table provides clues as to why remote alarms may not
behave as expected.
Related Documentation
• Understanding Measurement Points, Key Performance Indicators, and Baseline Values on page 383
Understanding Measurement Points, Key Performance Indicators, and Baseline Values
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series
This topic provides guidelines for monitoring the service quality of an IP network.
It describes how service providers and network administrators can use information
provided by Juniper Networks routers to monitor network performance and capacity. You
should have a thorough understanding of SNMP and the associated MIBs supported
by Junos OS.
NOTE: For a good introduction to the process of monitoring an IP network,
see RFC 2330, Framework for IP Performance Metrics.
This topic contains the following sections:
• Measurement Points on page 383
• Basic Key Performance Indicators on page 384
• Setting Baselines on page 384
Measurement Points
Defining the measurement points where metrics are measured is as important
as defining the metrics themselves. This section describes measurement points within
the context of this chapter and helps identify where measurements can be taken from
a service provider network. It is important to understand exactly where a measurement
point is, because the location of a measurement point determines what the resulting
measurement actually means.
An IP network consists of a collection of routers connected by physical links that are all
running the Internet Protocol. You can view the network as a collection of routers with
an ingress (entry) point and an egress (exit) point. See Figure 8 on page 383.
• Network-centric measurements are taken at measurement points that most closely
map to the ingress and egress points for the network itself. For example, to measure
delay across the provider network from Site A to Site B, the measurement points should
be the ingress point to the provider network at Site A and the egress point at Site B.
• Router-centric measurements are taken directly from the routers themselves, but be
careful to ensure that the correct router subcomponents have been identified in
advance.
Figure 8: Network Entry Points
NOTE: Figure 8 on page 383 does not show the client networks at customer
premises, but they would be located on either side of the ingress and egress
points. Although this chapter does not discuss how to measure network
services as perceived by these client networks, you can use measurements
taken for the service provider network as input into such calculations.
Basic Key Performance Indicators
For example, you could monitor a service provider network for three basic key performance
indicators (KPIs):
• Availability measures the “reachability” of one measurement point from another
measurement point at the network layer (for example, using ICMP ping). The underlying
routing and transport infrastructure of the provider network will support the availability
measurements, with failures highlighted as unavailability.
• Health measures the number and type of errors that are occurring on the provider
network, and can consist of both router-centric and network-centric measurements,
such as hardware failures or packet loss.
• Performance of the provider network measures how well it can support IP services (for
example, in terms of delay or utilization).
Setting Baselines
How well is the provider network performing? We recommend an initial three-month
period of monitoring to identify a network’s normal operational parameters. With this
information, you can recognize exceptions and identify abnormal behavior. You should
continue baseline monitoring for the lifetime of each measured metric. Over time, you
must be able to recognize performance trends and growth patterns.
Within the context of this chapter, many of the metrics identified do not have an allowable
operational range associated with them. In most cases, you cannot identify the allowable
operational range until you have determined a baseline for the actual variable on a specific
network.
Related Documentation
• Understanding RMON for Monitoring Service Quality on page 379
• Defining and Measuring Network Availability on page 384
• Measuring Health on page 390
• Measuring Performance on page 396
Defining and Measuring Network Availability
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
This topic includes the following sections:
• Defining Network Availability on page 385
• Measuring Availability on page 387
Defining Network Availability
Availability of a service provider’s IP network can be thought of as the reachability between
the regional points of presence (POP), as shown in Figure 9 on page 385.
Figure 9: Regional Points of Presence
With the example above, when you use a full mesh of measurement points, where every
POP measures the availability to every other POP, you can calculate the total availability
of the service provider’s network. This KPI can also be used to help monitor the service
level of the network, and can be used by the service provider and its customers to
determine if they are operating within the terms of their service-level agreement (SLA).
Where a POP may consist of multiple routers, take measurements to each router as
shown in Figure 10 on page 385.
Figure 10: Measurements to Each Router
Measurements include:
• Path availability—Availability of an egress interface B1 as seen from an ingress interface
A1.
• Router availability—Percentage of path availability of all measured paths terminating
on the router.
• POP availability—Percentage of router availability between any two regional POPs, A
and B.
• Network availability—Percentage of POP availability for all regional POPs in the service
provider’s network.
To measure POP availability of POP A to POP B in Figure 10 on page 385, you must measure
the following four paths:
Path A1 => B1
Path A1 => B2
Path A2 => B1
Path A2 => B2
Measuring availability from POP B to POP A would require a further four measurements,
and so on.
A full mesh of availability measurements can generate significant management traffic.
From the sample diagram above:
• Each POP has two co-located provider edge (PE) routers, each with 2xSTM1 interfaces,
for a total of 18 PE routers and 36xSTM1 interfaces.
• There are six core provider (P) routers, four with 2xSTM4 and 3xSTM1 interfaces each,
and two with 3xSTM4 and 3xSTM1 interfaces each.
This makes a total of 68 interfaces. A full mesh of paths between every interface is:
[n x (n–1)] / 2 gives [68 x (68–1)] / 2=2278 paths
To reduce management traffic on the service provider’s network, instead of generating
a full mesh of interface availability tests (for example, from each interface to every other
interface), you can measure from each router’s loopback address. This reduces the
number of availability measurements required to a total of one for each router, or:
[n x (n–1)] / 2 gives [24 x (24–1)] / 2=276 measurements
This measures availability from each router to every other router.
Monitoring the SLA and the Required Bandwidth
A typical SLA between a service provider and a customer might state:
A Point of Presence is the connection of two back-to-back provider edge routers to separate
core provider routers using different links for resilience. The system is considered to be
unavailable when either an entire POP becomes unavailable or for the duration of a
Priority 1 fault.
An SLA availability figure of 99.999 percent for a provider’s network would relate to a
down time of approximately 5 minutes per year. Therefore, to measure this proactively,
you would have to take availability measurements at a granularity of less than one every
five minutes. With a standard size of 64 bytes per ICMP ping request, one ping test per
minute would generate 7680 bytes of traffic per hour per destination, including ping
responses. A full mesh of ping tests to 276 destinations would generate 2,119,680 bytes
per hour, which represents the following:
• On an OC3/STM1 link of 155.52 Mbps, a utilization of 1.362 percent
• On an OC12/STM4 link of 622.08 Mbps, a utilization of 0.340 percent
With a size of 1500 bytes per ICMP ping request, one ping test per minute would generate
180,000 bytes per hour per destination, including ping responses. A full mesh of ping
tests to 276 destinations would generate 49,680,000 bytes per hour, which represents
the following:
• On an OC3/STM1 link, 31.94 percent utilization
• On an OC12/STM4 link, 7.986 percent utilization
Each router can record the results for every destination tested. With one test per minute
to each destination, a total of 1 x 60 x 24 x 276 = 397,440 tests per day would be
performed and recorded by each router. All ping results are stored in the
pingProbeHistoryTable (see RFC 2925) and can be retrieved by an SNMP performance
reporting application (for example, service performance management software from
InfoVista, Inc., or Concord Communications, Inc.) for post processing. This table has a
maximum size of 4,294,967,295 rows, which is more than adequate.
Measuring Availability
There are two methods you can use to measure availability:
• Proactive—Availability is automatically measured as often as possible by an operational
support system.
• Reactive—Availability is recorded by a Help desk when a fault is first reported by a user
or a fault monitoring system.
This section discusses real-time performance monitoring as a proactive monitoring
solution.
Real-Time Performance Monitoring
Juniper Networks provides a real-time performance monitoring (RPM) service to monitor
real-time network performance. Use the J-Web Quick Configuration feature to configure
real-time performance monitoring parameters used in real-time performance monitoring
tests. (J-Web Quick Configuration is a browser-based GUI that runs on Juniper Networks
routers. For more information, see the J-Web Interface User Guide.)
Configuring Real-Time Performance Monitoring
Some of the most common options you can configure for real-time performance
monitoring tests are shown in Table 45 on page 388.
Table 45: Real-Time Performance Monitoring Configuration Options

| Field | Description |
|---|---|
| Request Information | |
| Probe Type | Type of probe to send as part of the test. Probe types can be: http-get, http-get-metadata, icmp-ping, icmp-ping-timestamp, tcp-ping, udp-ping |
| Interval | Wait time (in seconds) between each probe transmission. The range is 1 to 255 seconds. |
| Test Interval | Wait time (in seconds) between tests. The range is 0 to 86400 seconds. |
| Probe Count | Total number of probes sent for each test. The range is 1 to 15 probes. |
| Destination Port | TCP or UDP port to which probes are sent. Use number 7—a standard TCP or UDP port number—or select a port number from 49152 through 65535. |
| DSCP Bits | Differentiated Services code point (DSCP) bits. This value must be a valid 6-bit pattern. The default is 000000. |
| Data Size | Size (in bytes) of the data portion of the ICMP probes. The range is 0 to 65507 bytes. |
| Data Fill | Contents of the data portion of the ICMP probes. Contents must be a hexadecimal value. The range is 1 to 800h. |
| Maximum Probe Thresholds | |
| Successive Lost Probes | Total number of probes that must be lost successively to trigger a probe failure and generate a system log message. The range is 0 to 15 probes. |
| Lost Probes | Total number of probes that must be lost to trigger a probe failure and generate a system log message. The range is 0 to 15 probes. |
| Round Trip Time | Total round-trip time (in microseconds) from the Services Router to the remote server, which, if exceeded, triggers a probe failure and generates a system log message. The range is 0 to 60,000,000 microseconds. |
| Jitter | Total jitter (in microseconds) for a test, which, if exceeded, triggers a probe failure and generates a system log message. The range is 0 to 60,000,000 microseconds. |
| Standard Deviation | Maximum allowable standard deviation (in microseconds) for a test, which, if exceeded, triggers a probe failure and generates a system log message. The range is 0 to 60,000,000 microseconds. |
| Egress Time | Total one-way time (in microseconds) from the router to the remote server, which, if exceeded, triggers a probe failure and generates a system log message. The range is 0 to 60,000,000 microseconds. |
| Ingress Time | Total one-way time (in microseconds) from the remote server to the router, which, if exceeded, triggers a probe failure and generates a system log message. The range is 0 to 60,000,000 microseconds. |
| Jitter Egress Time | Total outbound-time jitter (in microseconds) for a test, which, if exceeded, triggers a probe failure and generates a system log message. The range is 0 to 60,000,000 microseconds. |
| Jitter Ingress Time | Total inbound-time jitter (in microseconds) for a test, which, if exceeded, triggers a probe failure and generates a system log message. The range is 0 to 60,000,000 microseconds. |
| Egress Standard Deviation | Maximum allowable standard deviation of outbound times (in microseconds) for a test, which, if exceeded, triggers a probe failure and generates a system log message. The range is 0 to 60,000,000 microseconds. |
| Ingress Standard Deviation | Maximum allowable standard deviation of inbound times (in microseconds) for a test, which, if exceeded, triggers a probe failure and generates a system log message. The range is 0 to 60,000,000 microseconds. |

Displaying Real-Time Performance Monitoring Information
For each real-time performance monitoring test configured on the router, monitoring
information includes the round-trip time, jitter, and standard deviation. To view this
information, select Monitor > RPM in the J-Web interface, or enter the show services rpm
command-line interface (CLI) command.
To display the results of the most recent real-time performance monitoring probes, enter
the show services rpm probe-results CLI command:
user@host> show services rpm probe-results
    Owner: p1, Test: t1
    Target address: 10.8.4.1, Source address: 10.8.4.2, Probe type: icmp-ping
    Destination interface name: lt-0/0/0.0
    Test size: 10 probes
    Probe results:
      Response received, Sun Jul 10 19:07:34 2005
      Rtt: 50302 usec
    Results over current test:
      Probes sent: 2, Probes received: 1, Loss percentage: 50
      Measurement: Round trip time
        Minimum: 50302 usec, Maximum: 50302 usec, Average: 50302 usec,
        Jitter: 0 usec, Stddev: 0 usec
    Results over all tests:
      Probes sent: 2, Probes received: 1, Loss percentage: 50
      Measurement: Round trip time
        Minimum: 50302 usec, Maximum: 50302 usec, Average: 50302 usec,
        Jitter: 0 usec, Stddev: 0 usec
Related Documentation
• Understanding Measurement Points, Key Performance Indicators, and Baseline Values on page 383
• Understanding RMON for Monitoring Service Quality on page 379
• Measuring Health on page 390
• Measuring Performance on page 396
Measuring Health
Supported Platforms
M Series, MX Series, T Series
You can monitor health metrics reactively by using fault management software such as
SMARTS InCharge, Micromuse Netcool Omnibus, or Concord Live Exceptions. We
recommend that you monitor the health metrics shown in Table 46 on page 390.
Table 46: Health Metrics

Metric: Errors in
Description: Number of inbound packets that contained errors, preventing them from being delivered
MIB name: IF-MIB (RFC 2233)
Variable name: ifInErrors
Variable OID: .1.3.6.1.31.2.2.1.14
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: Logical interfaces

Metric: Errors out
Description: Number of outbound packets that contained errors, preventing them from being transmitted
MIB name: IF-MIB (RFC 2233)
Variable name: ifOutErrors
Variable OID: .1.3.6.1.31.2.2.1.20
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: Logical interfaces

Metric: Discards in
Description: Number of inbound packets discarded, even though no errors were detected
MIB name: IF-MIB (RFC 2233)
Variable name: ifInDiscards
Variable OID: .1.3.6.1.31.2.2.1.13
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: Logical interfaces

Metric: Unknown protocols
Description: Number of inbound packets discarded because they were of an unknown protocol
MIB name: IF-MIB (RFC 2233)
Variable name: ifInUnknownProtos
Variable OID: .1.3.6.1.31.2.2.1.15
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: Logical interfaces

Metric: Interface operating status
Description: Operational status of an interface
MIB name: IF-MIB (RFC 2233)
Variable name: ifOperStatus
Variable OID: .1.3.6.1.31.2.2.1.8
Frequency (mins): 15
Allowable range: 1 (up)
Managed objects: Logical interfaces

Metric: Label Switched Path (LSP) state
Description: Operational state of an MPLS label-switched path
MIB name: MPLS-MIB
Variable name: mplsLspState
Variable OID: mplsLspEntry.2
Frequency (mins): 60
Allowable range: 2 (up)
Managed objects: All label-switched paths in the network

Metric: Component operating status
Description: Operational status of a router hardware component
MIB name: JUNIPER-MIB
Variable name: jnxOperatingState
Variable OID: .1.3.6.1.4.1.2636.1.13.1.6
Frequency (mins): 60
Allowable range: 2 (running) or 3 (ready)
Managed objects: All components in each Juniper Networks router

Metric: Component operating temperature
Description: Operational temperature of a hardware component, in Celsius
MIB name: JUNIPER-MIB
Variable name: jnxOperatingTemp
Variable OID: .1.3.6.1.4.1.2636.1.13.1.7
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: All components in a chassis

Metric: System up time
Description: Time, in milliseconds, that the system has been operational.
MIB name: MIB-2 (RFC 1213)
Variable name: sysUpTime
Variable OID: .1.3.6.1.1.3
Frequency (mins): 60
Allowable range: Increasing only (decrement indicates a restart)
Managed objects: All routers

Metric: No IP route errors
Description: Number of packets that could not be delivered because there was no IP route to their destination.
MIB name: MIB-2 (RFC 1213)
Variable name: ipOutNoRoutes
Variable OID: ip.12
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: Each router

Metric: Wrong SNMP community names
Description: Number of incorrect SNMP community names received
MIB name: MIB-2 (RFC 1213)
Variable name: snmpInBadCommunityNames
Variable OID: snmp.4
Frequency (hours): 24
Allowable range: To be baselined
Managed objects: Each router

Metric: SNMP community violations
Description: Number of valid SNMP communities used to attempt invalid operations (for example, attempting to perform SNMP Set requests)
MIB name: MIB-2 (RFC 1213)
Variable name: snmpInBadCommunityUses
Variable OID: snmp.5
Frequency (hours): 24
Allowable range: To be baselined
Managed objects: Each router

Metric: Redundancy switchover
Description: Total number of redundancy switchovers reported by this entity
MIB name: JUNIPER-MIB
Variable name: jnxRedundancySwitchoverCount
Variable OID: jnxRedundancyEntry.8
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: All Juniper Networks routers with redundant Routing Engines

Metric: FRU state
Description: Operational status of each field-replaceable unit (FRU)
MIB name: JUNIPER-MIB
Variable name: jnxFruState
Variable OID: jnxFruEntry.8
Frequency (mins): 15
Allowable range: 2 through 6 for ready/online states. See jnxFruOfflineReason in the event of a FRU failure.
Managed objects: All FRUs in all Juniper Networks routers.

Metric: Rate of tail-dropped packets
Description: Rate of tail-dropped packets per output queue, per forwarding class, per interface.
MIB name: JUNIPER-COS-MIB
Variable name: jnxCosIfqTailDropPktRate
Variable OID: jnxCosIfqStatsEntry.12
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: For each forwarding class per interface in the provider network, when CoS is enabled.

Metric: Interface utilization: octets received
Description: Total number of octets received on the interface, including framing characters.
MIB name: IF-MIB
Variable name: ifInOctets
Variable OID: .1.3.6.1.2.1.2.2.1.10.x
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: All operational interfaces in the network

Metric: Interface utilization: octets transmitted
Description: Total number of octets transmitted out of the interface, including framing characters.
MIB name: IF-MIB
Variable name: ifOutOctets
Variable OID: .1.3.6.1.2.1.2.2.1.16.x
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: All operational interfaces in the network

NOTE: Byte counts vary depending on interface type, encapsulation used,
and PIC supported. For example, with vlan-ccc encapsulation on a 4xFE, GE,
or GE IQ PIC, the byte count includes framing and control word overhead.
(See Table 47 on page 396.)
Table 47: Counter Values for vlan-ccc Encapsulation

| PIC Type | Encapsulation | Input (Unit Level) | Output (Unit Level) | SNMP |
|---|---|---|---|---|
| 4xFE | vlan-ccc | Frame (no frame check sequence [FCS]) | Frame (including FCS and control word) | ifInOctets, ifOutOctets |
| GE | vlan-ccc | Frame (no FCS) | Frame (including FCS and control word) | ifInOctets, ifOutOctets |
| GE IQ | vlan-ccc | Frame (no FCS) | Frame (including FCS and control word) | ifInOctets, ifOutOctets |

SNMP traps are also a good mechanism to use for health management. For more
information, see “Standard SNMP Traps Supported by Junos OS” on page 148 and
“Enterprise-Specific SNMP Traps Supported by Junos OS” on page 156.
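Most counters in Table 46 have an allowable range of "To be baselined". The following Python example, added here and not part of the Junos OS documentation, derives an upper limit from a baseline period for a Counter32 object such as snmpInBadCommunityNames or snmpInBadCommunityUses and reviews later polls against it, treating a sysUpTime decrease as a restart. The function names, the mean-plus-three-standard-deviations limit, and the poll values are assumptions constructed for illustration.

```python
from statistics import mean, pstdev
from typing import List, Optional, Tuple

COUNTER32_MODULUS = 2 ** 32
Poll = Tuple[int, int]  # (sysUpTime, counter value) read in the same poll


def interval_deltas(polls: List[Poll]) -> List[Optional[int]]:
    """Increase of the counter over each polling interval.

    None marks an interval in which sysUpTime decreased: the router restarted,
    the counter started again from zero, and no meaningful delta exists.
    """
    deltas: List[Optional[int]] = []
    for (up_prev, c_prev), (up_cur, c_cur) in zip(polls, polls[1:]):
        if up_cur < up_prev:
            deltas.append(None)
        else:
            # Modulo arithmetic absorbs one Counter32 wrap within the interval.
            deltas.append((c_cur - c_prev) % COUNTER32_MODULUS)
    return deltas


def allowable_limit(baseline: List[int], k: float = 3.0) -> float:
    """Upper bound of the allowable range: baseline mean + k standard deviations (assumed rule)."""
    return mean(baseline) + k * pstdev(baseline)


def review(polls: List[Poll], baseline_intervals: int, k: float = 3.0):
    """Return (limit, findings); findings are (interval index, reason) pairs."""
    deltas = interval_deltas(polls)
    baseline = [d for d in deltas[:baseline_intervals] if d is not None]
    if len(baseline) < 2:
        raise ValueError("baseline period too short")
    limit = allowable_limit(baseline, k)
    findings = []
    for i, d in enumerate(deltas):
        if d is None:
            findings.append((i, "restart"))
        elif i >= baseline_intervals and d > limit:
            findings.append((i, "above-baseline"))
    return limit, findings


# Constructed polls of snmpInBadCommunityNames at the 24-hour frequency in Table 46.
# The counter wraps past 2**32 during the baseline and the router restarts later on.
SAMPLE_POLLS: List[Poll] = [
    (1000, 4294967280), (8641000, 4294967283), (17281000, 4294967288),
    (25921000, 4294967292), (34561000, 2), (43201000, 6),
    (51841000, 11), (60481000, 14), (69121000, 19),
    (77761000, 231), (360000, 2), (9000000, 6),
]

if __name__ == "__main__":
    limit, findings = review(SAMPLE_POLLS, baseline_intervals=7)
    print(f"allowable maximum per interval: {limit:.2f}")
    for index, reason in findings:
        print(f"interval {index}: {reason}")
```

The same review applies to any "To be baselined" counter in the table; only the polled object and the baseline length change.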
Related Documentation
• Understanding Measurement Points, Key Performance Indicators, and Baseline Values on page 383
• Understanding RMON for Monitoring Service Quality on page 379
• Defining and Measuring Network Availability on page 384
• Measuring Performance on page 396
• SNMP MIB Explorer
Measuring Performance
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, T Series
The performance of a service provider’s network is usually defined as how well it can
support services, and is measured with metrics such as delay and utilization. We suggest
that you monitor the following performance metrics using applications such as InfoVista
Service Performance Management or Concord Network Health (see Table 48 on page 397).
Table 48: Performance Metrics

Metric: Average delay
Description: Average round-trip time (in milliseconds) between two measurement points.
MIB name: DISMAN-PING-MIB (RFC 2925)
Variable name: pingResultsAverageRtt
Variable OID: pingResultsEntry.6
Frequency (mins): 15 (or depending upon ping test frequency)
Allowable range: To be baselined
Managed objects: Each measured path in the network

Metric: Interface utilization
Description: Utilization percentage of a logical connection.
MIB name: IF-MIB
Variable name: (ifInOctets & ifOutOctets) * 8 / ifSpeed
Variable OID: ifTable entries
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: All operational interfaces in the network

Metric: Disk utilization
Description: Utilization of disk space within the Juniper Networks router
MIB name: HOST-RESOURCES-MIB (RFC 2790)
Variable name: hrStorageSize – hrStorageUsed
Variable OID: hrStorageEntry.5 – hrStorageEntry.6
Frequency (mins): 1440
Allowable range: To be baselined
Managed objects: All Routing Engine hard disks

Metric: Memory utilization
Description: Utilization of memory on the Routing Engine and FPC.
MIB name: JUNIPER-MIB (Juniper Networks enterprise Chassis MIB)
Variable name: jnxOperatingHeap
Variable OID: Table for each component
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: All Juniper Networks routers

Metric: CPU load
Description: Average utilization over the past minute of a CPU.
MIB name: JUNIPER-MIB (Juniper Networks enterprise Chassis MIB)
Variable name: jnxOperatingCPU
Variable OID: Table for each component
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: All Juniper Networks routers

Metric: LSP utilization
Description: Utilization of the MPLS label-switched path.
MIB name: MPLS-MIB
Variable name: mplsPathBandwidth / (mplsLspOctets * 8)
Variable OID: mplsLspEntry.21 and mplsLspEntry.3
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: All label-switched paths in the network

Metric: Output queue size
Description: Size, in packets, of each output queue per forwarding class, per interface.
MIB name: JUNIPER-COS-MIB
Variable name: jnxCosIfqQedPkts
Variable OID: jnxCosIfqStatsEntry.3
Frequency (mins): 60
Allowable range: To be baselined
Managed objects: For each forwarding class per interface in the network, once CoS is enabled.

This section includes the following topics:
• Measuring Class of Service
• Inbound Firewall Filter Counters per Class
• Monitoring Output Bytes per Queue
• Dropped Traffic
Measuring Class of Service
You can use class-of-service (CoS) mechanisms to regulate how certain classes of
packets are handled within your network during times of peak congestion. Typically you
must perform the following steps when implementing a CoS mechanism:
• Identify the types of packets to include in each class. For example, include all customer traffic from a specific ingress edge interface within one class, or include all packets of a particular protocol such as voice over IP (VoIP).
• Identify the required deterministic behavior for each class. For example, if VoIP is important, give VoIP traffic the highest priority during times of network congestion. Conversely, you can downgrade the importance of Web traffic during congestion, as it may not impact customers too much.
With this information, you can configure mechanisms at the network ingress to monitor,
mark, and police traffic classes. Marked traffic can then be handled in a more deterministic
way at egress interfaces, typically by applying different queuing mechanisms for each
class during times of network congestion. You can collect information from the network
to provide customers with reports showing how the network is behaving during times of
congestion. (See Figure 11.)
Figure 11: Network Behavior During Congestion
To generate these reports, routers must provide the following information:
• Submitted traffic—Amount of traffic received per class.
• Delivered traffic—Amount of traffic transmitted per class.
• Dropped traffic—Amount of traffic dropped because of CoS limits.
The following section outlines how this information is provided by Juniper Networks
routers.
Inbound Firewall Filter Counters per Class
Firewall filter counters are a very flexible mechanism you can use to match and count
inbound traffic per class, per interface. For example:
firewall {
    filter f1 {
        term t1 {
            from {
                dscp af11;
            }
            then {
                # Assured forwarding class 1 drop profile 1
                count inbound-af11;
                accept;
            }
        }
    }
}
For example, Table 49 shows additional filters used to match the other
classes.
Table 49: Inbound Traffic Per Class
DSCP Value    Firewall Match Condition    Description
10            af11                        Assured forwarding class 1 drop profile 1
12            af12                        Assured forwarding class 1 drop profile 2
18            af21                        Best effort class 2 drop profile 1
20            af22                        Best effort class 2 drop profile 2
26            af31                        Best effort class 3 drop profile 1
Any packet with a CoS DiffServ code point (DSCP) conforming to RFC 2474 can be
counted in this way. The Juniper Networks enterprise-specific Firewall Filter MIB presents
the counter information in the variables shown in Table 50.
Table 50: Inbound Counters
Indicator Name: Inbound Counters
MIB: jnxFirewalls
Table: jnxFirewallCounterTable
Index: jnxFWFilter.jnxFWCounter
Variables: jnxFWCounterPacketCount, jnxFWCounterByteCount
Description: Number of bytes being counted pertaining to the specified firewall filter counter
SNMP version: SNMPv2
This information can be collected by any SNMP management application that supports
SNMPv2. Products from vendors such as Concord Communications, Inc., and InfoVista,
Inc., provide support for the Juniper Networks Firewall MIB with their native Juniper
Networks device drivers.
Monitoring Output Bytes per Queue
You can use the Juniper Networks enterprise ATM CoS MIB to monitor outbound traffic,
per virtual circuit forwarding class, per interface. (See Table 51.)
Table 51: Outbound Counters for ATM Interfaces
Indicator Name: Outbound Counters
MIB: JUNIPER-ATM-COS-MIB
Variable: jnxCosAtmVcQstatsOutBytes
Index: ifIndex.atmVclVpi.atmVclVci.jnxCosFcId
Description: Number of bytes belonging to the specified forwarding class that were transmitted on the specified virtual circuit.
SNMP version: SNMPv2
Non-ATM interface counters are provided by the Juniper Networks enterprise-specific
CoS MIB, which provides information shown in Table 52.
Table 52: Outbound Counters for Non-ATM Interfaces
Indicator Name: Outbound Counters
MIB: JUNIPER-COS-MIB
Table: jnxCosIfqStatsTable
Index: jnxCosIfqIfIndex.jnxCosIfqFc
Variables: jnxCosIfqTxedBytes, jnxCosIfqTxedPkts
Description: Number of transmitted bytes or packets per interface per forwarding class
SNMP version: SNMPv2
Dropped Traffic
You can calculate the amount of dropped traffic by subtracting the outbound traffic from
the incoming traffic:
Dropped = Inbound Counter – Outbound Counter
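SNMP counters are cumulative, so the subtraction is applied to the increase of each counter between two polls. The following added example (not part of the original guide) computes submitted, delivered, and dropped bytes per class from two polls of jnxFWCounterByteCount and jnxCosIfqTxedBytes; the poll values are constructed, and the 64-bit counter width, link speed, and function names are assumptions made for illustration.

```python
"""Per-class submitted, delivered and dropped bytes from two SNMP polls.

Added example: the counter values below are constructed, not real output.
"""

COUNTER64 = 2 ** 64  # assumption: both byte counters are polled as Counter64


def counter_delta(previous, current, max_plausible, modulus=COUNTER64):
    """Return the bytes counted between two polls, or None for a counter reset.

    Modular subtraction stays correct across a single wrap. A delta larger
    than max_plausible means the counter restarted from a lower value, so
    the sample cannot be used.
    """
    delta = (current - previous) % modulus
    return delta if delta <= max_plausible else None


def class_report(first_poll, second_poll, interval_s, link_bps):
    """Apply Dropped = Inbound Counter - Outbound Counter per traffic class.

    Each poll maps a class name to {"inbound": jnxFWCounterByteCount value,
    "outbound": jnxCosIfqTxedBytes value}, both read at the same time.
    """
    max_plausible = link_bps // 8 * interval_s  # most bytes the link can carry
    report = {}
    for name in sorted(first_poll.keys() & second_poll.keys()):
        submitted = counter_delta(first_poll[name]["inbound"],
                                  second_poll[name]["inbound"], max_plausible)
        delivered = counter_delta(first_poll[name]["outbound"],
                                  second_poll[name]["outbound"], max_plausible)
        if submitted is None or delivered is None:
            report[name] = {"status": "counter-reset"}
            continue
        raw = submitted - delivered
        report[name] = {
            "submitted": submitted,
            "delivered": delivered,
            "dropped": max(raw, 0),
            # Delivered above submitted means the two counters do not cover
            # the same traffic or were not read together: flag it.
            "status": "ok" if raw >= 0 else "inconsistent",
        }
    return report


# Constructed sample polls, 900 seconds apart, on a 1 Gbps link.
POLL_1 = {
    "af11": {"inbound": 1_000_000, "outbound": 900_000},
    "af12": {"inbound": COUNTER64 - 1_000, "outbound": 10_000},  # about to wrap
    "af21": {"inbound": 5_000, "outbound": 5_000},
    "af22": {"inbound": 8_000_000, "outbound": 7_500_000},
}
POLL_2 = {
    "af11": {"inbound": 1_600_000, "outbound": 1_450_000},
    "af12": {"inbound": 4_000, "outbound": 14_500},      # inbound wrapped
    "af21": {"inbound": 6_000, "outbound": 6_200},       # delivered > submitted
    "af22": {"inbound": 2_000, "outbound": 7_900_000},   # inbound counter reset
}

if __name__ == "__main__":
    for name, row in class_report(POLL_1, POLL_2, 900, 1_000_000_000).items():
        print(name, row)
```
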
You can also select counters from the CoS MIB, as shown in Table 53.
Table 53: Dropped Traffic Counters
Indicator Name: Dropped Traffic
MIB: JUNIPER-COS-MIB
Table: jnxCosIfqStatsTable
Index: jnxCosIfqIfIndex.jnxCosIfqFc
Variables: jnxCosIfqTailDropPkts, jnxCosIfqTotalRedDropPkts
Description: The number of tail-dropped or RED-dropped packets per interface per forwarding class
SNMP version: SNMPv2
Related Documentation
• Understanding Measurement Points, Key Performance Indicators, and Baseline Values
• Understanding RMON for Monitoring Service Quality
• Defining and Measuring Network Availability
• Measuring Health
CHAPTER 16
Health Monitoring with SNMP
• Configuring Health Monitoring on Devices Running Junos OS
• Example: Configuring Health Monitoring
Configuring Health Monitoring on Devices Running Junos OS
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series
As the number of devices managed by a typical network management system (NMS)
grows and the complexity of the devices themselves increases, it becomes increasingly
impractical for the NMS to use polling to monitor the devices. A more scalable approach
is to rely on network devices to notify the NMS when something requires attention.
On Juniper Networks routers, RMON alarms and events provide much of the infrastructure
needed to reduce the polling overhead from the NMS. However, with this approach, you
must set up the NMS to configure specific MIB objects into RMON alarms. This often
requires device-specific expertise and customizing of the monitoring application. In
addition, some MIB object instances that need monitoring are set only at initialization or
change at runtime and cannot be configured in advance.
To address these issues, the health monitor extends the RMON alarm infrastructure to
provide predefined monitoring for a selected set of object instances (for file system
usage, CPU usage, and memory usage) and includes support for unknown or dynamic
object instances (such as Junos OS processes).
Health monitoring is designed to minimize user configuration requirements. To configure
health monitoring entries, include the health-monitor statement at the [edit snmp]
hierarchy level:
[edit snmp]
health-monitor {
    falling-threshold percentage;
    interval seconds;
    rising-threshold percentage;
    idp {
        falling-threshold percentage;
        interval seconds;
        rising-threshold percentage;
    }
}
Configuring monitoring events at the [edit snmp health-monitor] hierarchy level sets
polling intervals for the overall system health. If you set these same options at the [edit
snmp health-monitor idp] hierarchy level, an SNMP event is generated by the device if
the percentage of dataplane memory utilized by the intrusion detection and prevention
(IDP) system rises above or falls below your settings.
You can use the show snmp health-monitor operational command to view information
about health monitor alarms and logs.
This topic describes the minimum required configuration and discusses the following
tasks for configuring the health monitor:
• Monitored Objects
• Minimum Health Monitoring Configuration
• Configuring the Falling Threshold or Rising Threshold
• Configuring the Interval
• Log Entries and Traps
Monitored Objects
When you configure the health monitor, monitoring information for certain object instances
is available, as shown in Table 54.
Table 54: Monitored Object Instances

Object: jnxHrStoragePercentUsed.1
Description: Monitors the following file system on the router or switch: /dev/ad0s1a. This is the root file system mounted on /.

Object: jnxHrStoragePercentUsed.2
Description: Monitors the following file system on the router or switch: /dev/ad0s1e. This is the configuration file system mounted on /config.

Object: jnxOperatingCPU (RE0), jnxOperatingCPU (RE1)
Description: Monitors CPU usage for Routing Engines (RE0 and RE1). The index values assigned to Routing Engines depend on whether the Chassis MIB uses a zero-based or ones-based indexing scheme. Because the indexing scheme is configurable, the proper index is determined when the router or switch is initialized and when there is a configuration change. If the router or switch has only one Routing Engine, the alarm entry monitoring RE1 is removed after five failed attempts to obtain the CPU value.

Object: jnxOperatingBuffer (RE0), jnxOperatingBuffer (RE1)
Description: Monitors the amount of memory available on Routing Engines (RE0 and RE1). Because the indexing of this object is identical to that used for jnxOperatingCPU, index values are adjusted depending on the indexing scheme used in the Chassis MIB. As with jnxOperatingCPU, the alarm entry monitoring RE1 is removed if the router or switch has only one Routing Engine.

Object: sysApplElmtRunCPU
Description: Monitors the CPU usage for each Junos OS process (also called daemon). Multiple instances of the same process are monitored and indexed separately.

Object: sysApplElmtRunMemory
Description: Monitors the memory usage for each Junos OS process. Multiple instances of the same process are monitored and indexed separately.
Minimum Health Monitoring Configuration
To enable health monitoring on the router or switch, include the health-monitor statement
at the [edit snmp] hierarchy level:
[edit snmp]
health-monitor;
Configuring the Falling Threshold or Rising Threshold
The falling threshold is the lower threshold (expressed as a percentage of the maximum
possible value) for the monitored variable. When the current sampled value is less than
or equal to this threshold, and the value at the last sampling interval is greater than this
threshold, a single event is generated. A single event is also generated if the first sample
after this entry becomes valid is less than or equal to this threshold. After a falling event
is generated, another falling event cannot be generated until the sampled value rises
above this threshold and reaches the rising threshold. You must specify the falling
threshold as a percentage of the maximum possible value. The default is 70 percent.
By default, the rising threshold is 80 percent of the maximum possible value for the
monitored object instance. The rising threshold is the upper threshold for the monitored
variable. When the current sampled value is greater than or equal to this threshold, and
the value at the last sampling interval is less than this threshold, a single event is
generated. A single event is also generated if the first sample after this entry becomes
valid is greater than or equal to this threshold. After a rising event is generated, another
rising event cannot be generated until the sampled value falls below this threshold and
reaches the falling threshold. You must specify the rising threshold as a percentage of
the maximum possible value for the monitored variable.
To configure the falling threshold or rising threshold, include the falling-threshold or
rising-threshold statement at the [edit snmp health-monitor] hierarchy level:
[edit snmp health-monitor]
falling-threshold percentage;
rising-threshold percentage;
percentage can be a value from 1 through 100.
The falling and rising thresholds apply to all object instances monitored by the health
monitor.
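The event rules above amount to a small state machine with hysteresis. The following added example (a simulation, not Junos OS code and not part of the original guide) applies them to a constructed series of samples using the default thresholds of 80 and 70 percent; the function name and sample values are assumptions made for illustration.

```python
"""Rising/falling threshold events as the health monitor section describes them.

Added example: a simulation, not Junos OS code.
"""


def threshold_events(samples, rising=80, falling=70):
    """Return (events, suppressed) for a series of sampled percentages.

    events     -- (sample_index, "rising" | "falling", value) for each event
    suppressed -- (sample_index, kind) for threshold crossings that produced
                  no event because the opposite threshold had not been
                  reached since the last event of that kind
    """
    events, suppressed = [], []
    rising_armed = falling_armed = True
    last = None  # None until the first sample after the entry becomes valid

    for index, value in enumerate(samples):
        # A crossing compares this sample with the previous one; the first
        # sample counts as a crossing if it is already past the threshold.
        crossed_up = value >= rising and (last is None or last < rising)
        crossed_down = value <= falling and (last is None or last > falling)

        if crossed_up:
            if rising_armed:
                events.append((index, "rising", value))
                rising_armed = False
            else:
                suppressed.append((index, "rising"))
        if crossed_down:
            if falling_armed:
                events.append((index, "falling", value))
                falling_armed = False
            else:
                suppressed.append((index, "falling"))

        # Reaching one threshold re-arms the event for the other one.
        if value <= falling:
            rising_armed = True
        if value >= rising:
            falling_armed = True
        last = value

    return events, suppressed


# Constructed CPU utilization samples (percent), one per sampling interval.
SAMPLES = [65, 78, 82, 79, 81, 85, 72, 69, 71, 68, 90]

if __name__ == "__main__":
    found, skipped = threshold_events(SAMPLES)
    for index, kind, value in found:
        print(f"sample {index}: {kind} event at {value}%")
    print("crossings without an event:", skipped)
```

Samples 4 and 9 cross a threshold again without the opposite threshold having been reached, so they generate no second event.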
Configuring the Interval
The interval represents the period of time, in seconds, over which the object instance is
sampled and compared with the rising and falling thresholds.
To configure the interval, include the interval statement and specify the number of seconds
at the [edit snmp health-monitor] hierarchy level:
[edit snmp health-monitor]
interval seconds;
seconds can be a value from 1 through 2147483647. The default is 300 seconds
(5 minutes).
Log Entries and Traps
The system log entries generated for any health monitor events (thresholds crossed,
errors, and so on) have a corresponding HEALTHMONITOR tag rather than a generic
SNMPD_RMON_EVENTLOG tag. However, the health monitor sends generic RMON
risingThreshold and fallingThreshold traps.
Related Documentation
• Understanding RMON Alarms and Events Configuration
• Configuring an RMON Alarm Entry and Its Attributes
• Configuring an RMON Event Entry and Its Attributes
• Example: Configuring Health Monitoring
• Understanding Device Management Functions in Junos OS
• health-monitor
Example: Configuring Health Monitoring
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series
Configure the health monitor:
[edit snmp]
health-monitor {
    falling-threshold 85;
    interval 600;
    rising-threshold 75;
}
In this example, the sampling interval is every 600 seconds (10 minutes), the falling
threshold is 85 percent of the maximum possible value for each object instance monitored,
and the rising threshold is 75 percent of the maximum possible value for each object
instance monitored.
Related Documentation
• Configuring Health Monitoring on Devices Running Junos OS
PART 6
Accounting Options, Source Class Usage, and Destination Class Usage Options
• Accounting Options, Source Class Usage and Destination Class Usage Options Overview
• Configuring Accounting Options, Source Class Usage and Destination Class Usage Options
CHAPTER 17
Accounting Options, Source Class Usage and Destination Class Usage Options Overview
• Accounting Options Overview
• Understanding Source Class Usage and Destination Class Usage Options
Accounting Options Overview
Supported Platforms
ACX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
An accounting profile represents common characteristics of collected accounting data,
including the following:
• Collection interval
• File to contain accounting data
• Specific fields and counter names on which to collect statistics
You can configure multiple accounting profiles, as described in Table 55.
Table 55: Types of Accounting Profiles
Type of Profile           Description
Interface profile         Collects the specified error and statistic information.
Filter profile            Collects the byte and packet counts for the counter names specified in the filter profile.
MIB profile               Collects selected MIB statistics and logs them to a specified file.
Routing Engine profile    Collects selected Routing Engine statistics and logs them to a specified file.
Class usage profile       Collects class usage statistics and logs them to a specified file.
Related Documentation
• Understanding Device Management Functions in Junos OS
• Accounting Options Configuration
• Configuring Accounting-Data Log Files
• Configuring the Interface Profile
• Configuring the Filter Profile
• Configuration Statements at the [edit accounting-options] Hierarchy Level
Understanding Source Class Usage and Destination Class Usage Options
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series
You can maintain packet counts based on the entry and exit points for traffic passing
through your network. Entry and exit points are identified by source and destination
prefixes grouped into disjoint sets defined as source classes and destination classes. You
can define classes based on a variety of parameters, such as routing neighbors,
autonomous systems, and route filters.
Source class usage (SCU) counts packets sent to customers by performing lookups on
the IP source address and the IP destination address. SCU makes it possible to track
traffic originating from specific prefixes on the provider core and destined for specific
prefixes on the customer edge. You must enable SCU accounting on both the inbound
and outbound physical interfaces.
Destination class usage (DCU) counts packets from customers by performing lookups
of the IP destination address. DCU makes it possible to track traffic originating from the
customer edge and destined for specific prefixes on the provider core router.
On T Series Core Routers and M320 Multiservice Edge Routers, the source class and
destination classes are not carried across the platform fabric. The implications of this
are as follows:
• On T Series and M320 routers, SCU and DCU accounting is performed before the packet enters the fabric.
• On T Series and M320 routers, DCU is performed before output filters are evaluated.
• On M Series platforms, DCU is performed after output filters are evaluated.
• If an output filter drops traffic on M Series devices, the dropped packets are excluded from DCU statistics.
• If an output filter drops traffic on T Series and M320 routers, the dropped packets are included in DCU statistics.
NOTE: SCU and DCU are supported on PTX Series routers when enhanced-mode
is configured on the chassis.
On MX Series platforms with MPC/MIC interfaces, SCU and DCU are performed after
output filters are evaluated. Packets dropped by output filters are not included in SCU
or DCU statistics.
On MX Series platforms with non-MPC/MIC interfaces, SCU and DCU are performed
before output filters are evaluated. Packets dropped by output filters are included in SCU
and DCU statistics.
On PTX Series platforms, SCU and DCU accounting is performed before output filters
are evaluated. Packets dropped by output filters are included in SCU and DCU statistics.
On Enhanced Scaling FPCs (T640-FPC1-ES, T640-FPC2-ES, T640-FPC3-ES,
T640-FPC4-1P-ES, and T1600-FPC4-ES), the source class accounting is performed at
ingress. Starting with Junos OS Release 14.2, the SCU accounting is performed at ingress
on a T4000 Type 5 FPC. The implications of this are as follows:
• SCU accounting is performed when packets traverse from T4000 Type 5 FPC (ingress FPC) to Enhanced Scaling FPCs (egress FPC).
• SCU accounting is performed when packets traverse from Enhanced Scaling FPCs (ingress FPC) to T4000 Type 5 FPC (egress FPC).
NOTE: When the interface statistics are cleared and then the routing engine
is replaced, the SCU and DCU statistics will not match the statistics of the
previous routing engine.
For more information about source class usage, see the Routing Policies, Firewall Filters,
and Traffic Policers Feature Guide and the Junos OS Network Interfaces Library for Routing
Devices.
Related Documentation
• Example: Grouping Source and Destination Prefixes into a Forwarding Class
• Configuring SCU or DCU
• Configuring SCU on a Virtual Loopback Tunnel Interface
• Configuring Class Usage Profiles
• Configuring the MIB Profile
• Configuring the Routing Engine Profile
CHAPTER 18
Configuring Accounting Options, Source Class Usage and Destination Class Usage Options
• Configuration Statements at the [edit accounting-options] Hierarchy Level
• Accounting Options Configuration
• Configuring Accounting-Data Log Files
• Managing Accounting Files
• Configuring the Interface Profile
• Configuring the Filter Profile
• Example: Configuring a Filter Profile
• Example: Configuring Interface-Specific Firewall Counters and Filter Profiles
• Configuring SCU or DCU
• Configuring SCU on a Virtual Loopback Tunnel Interface
• Configuring Class Usage Profiles
• Configuring the MIB Profile
• Configuring the Routing Engine Profile
Configuration Statements at the [edit accounting-options] Hierarchy Level
Supported Platforms
M Series, MX Series, SRX Series, T Series
This topic shows all possible configuration statements at the [edit accounting-options]
hierarchy level and their level in the configuration hierarchy. When you are configuring
Junos OS, your current hierarchy level is shown in the banner on the line preceding the
user@host# prompt.
[edit]
accounting-options {
    class-usage-profile profile-name {
        file filename;
        interval minutes;
        destination-classes {
            destination-class-name;
        }
        source-classes {
            source-class-name;
        }
    }
    file filename {
        archive-sites {
        }
        files number;
        nonpersistent;
        size bytes;
        start-time time;
        transfer-interval minutes;
    }
    filter-profile profile-name {
        counters {
            counter-name;
        }
        file filename;
        interval minutes;
    }
    interface-profile profile-name {
        fields {
            field-name;
        }
        file filename;
        interval minutes;
    }
    mib-profile profile-name {
        file filename;
        interval seconds;
        object-names {
            mib-object-name;
        }
        operation operation-name;
    }
    routing-engine-profile profile-name {
        fields {
            field-name;
        }
        file filename;
        interval minutes;
    }
}
Related Documentation
• Accounting Options Overview
• Accounting Options Configuration
Accounting Options Configuration
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
This topic contains the following sections:
• Accounting Options—Full Configuration
• Minimum Accounting Options Configuration
Accounting Options—Full Configuration
To configure accounting options, include the following statements at the [edit
accounting-options] hierarchy level:
accounting-options {
    class-usage-profile profile-name {
        file filename;
        interval minutes;
        destination-classes {
            destination-class-name;
        }
        source-classes {
            source-class-name;
        }
    }
    file filename {
        archive-sites {
            site-name;
        }
        files number;
        nonpersistent;
        size bytes;
        start-time time;
        transfer-interval minutes;
    }
    filter-profile profile-name {
        counters {
            counter-name;
        }
        file filename;
        interval minutes;
    }
    flat-file-profile profile-name {
        fields {
            all-fields;
            egress-stats {
                all-fields;
                input-bytes;
                input-packets;
                output-bytes;
                output-packets;
                queue-id;
                red-drop-bytes;
                red-drop-packets;
                tail-drop-packets;
            }
            general-param {
                all-fields;
                accounting-type;
                descr;
                line-id;
                logical-interface;
                nas-port-id;
                physical-interface;
                routing-instance;
                timestamp;
                vlan-id;
            }
            ingress-stats {
                all-fields;
                drop-packets;
                input-bytes;
                input-packets;
                output-bytes;
                output-packets;
                queue-id;
            }
            l2-stats {
                all-fields;
                input-mcast-bytes;
                input-mcast-packets;
            }
            overall-packet {
                all-fields;
                input-bytes;
                input-discards;
                input-errors;
                input-packets;
                inputv6-bytes;
                inputv6-packets;
                output-bytes;
                output-errors;
                output-packets;
                outputv6-bytes;
                outputv6-packets;
            }
        }
        file filename;
        format (csv | ipdr);
        interval minutes;
        schema-version schema-name;
    }
    interface-profile profile-name {
        fields {
            field-name;
        }
        file filename;
        interval minutes;
    }
    mib-profile profile-name {
        file filename;
        interval seconds;
        object-names {
            mib-object-name;
        }
        operation operation-name;
    }
    routing-engine-profile profile-name {
        fields {
            field-name;
        }
        file filename;
        interval minutes;
    }
}
By default, accounting options are disabled.
NOTE: Do not configure MIB objects related to interface octets or packets
for a MIB profile, because doing so can cause the SNMP walk or a CLI show
command to time out.
Minimum Accounting Options Configuration
To enable accounting options on the router, you must perform at least the following
tasks:
• Configure accounting options by including a file statement and one or more
source-class-usage, destination-class-profile, filter-profile, interface-profile, mib-profile,
or routing-engine-profile statements at the [edit accounting-options] hierarchy level:
[edit]
accounting-options {
    class-usage-profile profile-name {
        file filename;
        interval minutes;
        source-classes {
            source-class-name;
        }
        destination-classes {
            destination-class-name;
        }
    }
    file filename {
        archive-sites {
            site-name;
        }
        files number;
        size bytes;
        transfer-interval minutes;
    }
    filter-profile profile-name {
        counters {
            counter-name;
        }
        file filename;
        interval minutes;
    }
    flat-file-profile profile-name {
        fields {
            all-fields;
            egress-stats {
                all-fields;
                input-bytes;
                input-packets;
                output-bytes;
                output-packets;
                queue-id;
                red-drop-bytes;
                red-drop-packets;
                tail-drop-packets;
            }
            general-param {
                all-fields;
                accounting-type;
                descr;
                line-id;
                logical-interface;
                nas-port-id;
                physical-interface;
                routing-instance;
                timestamp;
                vlan-id;
            }
            ingress-stats {
                all-fields;
                drop-packets;
                input-bytes;
                input-packets;
                output-bytes;
                output-packets;
                queue-id;
            }
            l2-stats {
                all-fields;
                input-mcast-bytes;
                input-mcast-packets;
            }
            overall-packet {
                all-fields;
                input-bytes;
                input-discards;
                input-errors;
                input-packets;
                inputv6-bytes;
                inputv6-packets;
                output-bytes;
                output-errors;
                output-packets;
                outputv6-bytes;
                outputv6-packets;
            }
        }
        file filename;
        format (csv | ipdr);
        interval minutes;
        schema-version schema-name;
    }
    interface-profile profile-name {
        fields {
            field-name;
        }
        file filename;
        interval minutes;
    }
    mib-profile profile-name {
        file filename;
        interval minutes;
        object-names {
            mib-object-name;
        }
        operation operation-name;
    }
    routing-engine-profile profile-name {
        fields {
            field-name;
        }
        file filename;
        interval minutes;
    }
}
• Apply the profiles to the chosen interfaces or filters.
Apply an interface profile to a physical or logical interface by including the
accounting-profile statement at either the [edit interfaces interface-name] or the [edit
interfaces interface-name unit logical-unit-number] hierarchy level.
[edit interfaces]
interface-name {
    accounting-profile profile-name;
    unit logical-unit-number {
        accounting-profile profile-name;
    }
}
NOTE: You do not apply destination class profiles to interfaces. Although
the interface needs to have the destination-class-usage statement
configured, the destination class profile automatically finds all interfaces
with the destination class configured.
Apply a filter profile to a firewall filter by including the accounting-profile statement at
the [edit firewall filter filter-name] hierarchy level:
[edit firewall]
filter filter-name {
    accounting-profile profile-name;
}
You do not need to apply the Routing Engine profile to an interface because the
statistics are collected on the Routing Engine itself.
Related Documentation
• Accounting Options Overview
• Understanding Device Management Functions in Junos OS
• Configuring Accounting-Data Log Files
• Configuring the Interface Profile
• Configuring the Filter Profile
• Configuration Statements at the [edit accounting-options] Hierarchy Level
Configuring Accounting-Data Log Files
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
An accounting profile specifies what statistics to collect and write to a log file. To configure
an accounting-data log file, include the file statement at the [edit accounting-options]
hierarchy level:
[edit accounting-options]
cleanup-interval {
    interval days;
}
file filename {
    archive-sites {
        site-name;
    }
    backup-on-failure (master-and-slave | master-only);
    files number;
    nonpersistent;
    push-backup-to-master;
    size bytes;
    start-time time;
    transfer-interval minutes;
}
where filename is the name of the file in which to write accounting data.
If the filename contains spaces, enclose it in quotation marks (" "). The filename cannot
contain a forward slash (/). The file is created in the /var/log directory and can contain
data from multiple profiles.
All accounting-data log files include header and trailer sections that start with a # in the
first column. The header contains the file creation time, the hostname, and the columns
that appear in the file. The trailer contains the time that the file was closed.
Whenever a configuration change affects the columns in a file, a new profile layout
record containing the new list of columns is written to the file.
You must configure the file size; all other properties are optional.
• Configuring How Long Backup Files Are Retained on page 425
• Configuring the Maximum Size of the File on page 425
• Configuring Archive Sites for the Files on page 426
• Configuring Local Backup for Accounting Files on page 426
• Configuring Files to Be Compressed on page 427
• Configuring the Maximum Number of Files on page 427
• Configuring the Storage Location of the File on page 427
• Configuring Files to Be Saved After a Change in Mastership on page 428
• Configuring the Start Time for File Transfer on page 428
• Configuring the Transfer Interval of the File on page 428
Configuring How Long Backup Files Are Retained
You can configure how many days the files are retained in the local directory before they
are deleted.
NOTE: Files saved to the /var/log/pfedBackup directory are always
compressed to conserve local storage, regardless of whether the compress
statement is configured.
To configure retention for backup files:
• Specify the number of days.
[edit accounting-options]
user@host# set cleanup-interval interval days
NOTE: Files are retained for 1 day if you do not configure this option.
This value, whether configured or default, applies to all configured files at the [edit
accounting-options file] hierarchy level.
Configuring the Maximum Size of the File
To configure the maximum size of the file:
• Specify the size.
[edit accounting-options file filename]
size bytes;
The size statement is the maximum size of the log file, in bytes, kilobytes (KB), megabytes
(MB), or gigabytes (GB). The minimum value for bytes is 256 KB. You must configure
bytes; the remaining attributes are optional.
Configuring Archive Sites for the Files
After a file reaches its maximum size or the transfer-interval time is exceeded, the file is
closed, renamed, and, if you configured an archive site, transferred to a remote host.
To configure the sites where files are archived:
• Specify one or more site names.
[edit accounting-options file filename]
user@host# set archive-sites site-name
where site-name is any valid FTP URL. For more information about specifying valid FTP
URLs, see the Junos OS Administration Library. You can specify more than one URL, in
any order. When a file is archived, the router or switch attempts to transfer the file to the
first URL in the list, trying the next site in the list only if the transfer does not succeed.
The log file is stored at the archive site with a filename of the format
router-name_log-filename_timestamp.
Configuring Local Backup for Accounting Files
You can configure the router to save a copy of the accounting file locally when the normal
transfer of the files to the archive site fails. The file is saved to the /var/log/pfedBackup
directory of the relevant Routing Engine. You must specify whether only the files from
the master Routing Engine are saved or files are saved from both the master Routing
Engine and the backup (slave) Routing Engine.
NOTE: Files saved to the /var/log/pfedBackup directory are always
compressed to conserve local storage, regardless of whether the compress
statement is configured.
To configure local backup in the event of failure:
• Specify local backup and which files are saved.
[edit accounting-options file filename]
user@host# set backup-on-failure (master-and-slave | master-only)
Disabling this feature deletes the backed-up accounting files from the directory.
NOTE: When you do not configure this option, the file is saved on failure into
the local directory specified as the last site in the list of archive sites.
Configuring Files to Be Compressed
By default, accounting files are transferred in an uncompressed format. To conserve
resources during transmission and on the archive site, you can configure compression
for the files.
NOTE: Files saved to the /var/log/pfedBackup directory are always
compressed to conserve local storage, regardless of whether the compress
statement is configured.
To configure the router to compress accounting files when they are transferred:
• Specify compression.
[edit accounting-options file filename]
user@host# set compress
Configuring the Maximum Number of Files
To configure the maximum number of files:
• Specify the number.
[edit accounting-options file filename]
user@host# set files number
When a log file reaches its maximum size, it is renamed filename.0, then filename.1, and
so on, until the maximum number of log files is reached. Then the oldest log file is
overwritten. The minimum value for number is 3 and the default value is 10.
Configuring the Storage Location of the File
On J Series Services Routers, the files are stored by default on the compact flash drive.
Alternatively, you can configure the files to be stored in the mfs/var/log directory (on
DRAM) instead of the cf/var/log directory (on the compact flash drive).
To configure the storage location on DRAM:
• Specify nonpersistent storage.
[edit accounting-options file filename]
user@host# set nonpersistent
This feature is useful for minimizing read/write traffic on the router’s compact flash drive.
NOTE: If log files for accounting data are stored on DRAM, these files are lost
when you reboot the router. We recommend that you back up these files
periodically.
Configuring Files to Be Saved After a Change in Mastership
You can configure the router to save the accounting files from the new backup Routing
Engine to the new master Routing Engine when a change in mastership occurs. The files
are stored in the /var/log/pfedBackup directory on the router. The master Routing Engine
includes these accounting files with its own current accounting files when it transfers
the files from the backup directory to the archive site at the next transfer interval. Configure
this option when the new backup Routing Engine is not able to connect to the archive
site; for example, when the site is not connected by means of an out-of-band interface
or the path to the site is routed through a line card.
To configure the backup Routing Engine files to be saved when mastership changes:
• Specify the backup.
[edit accounting-options file filename]
user@host# set push-backup-to-master
NOTE: The backup Routing Engine’s files on the master Routing Engine are
sent at each interval even though the files remain the same. If this is more
activity than you want, consider using the backup-on-failure master-and-slave
statement instead.
Configuring the Start Time for File Transfer
To configure the start time for transferring files:
• Specify the time.
[edit accounting-options file filename]
user@host# set start-time YYYY-MM-DD.hh:mm
For example, 10:00 a.m. on January 30, 2007 is represented as 2007-01-30.10:00.
Configuring the Transfer Interval of the File
To configure the interval at which files are transferred:
• Specify the interval.
[edit accounting-options file filename]
user@host# set transfer-interval minutes
The range for transfer-interval is 5 through 2880 minutes. The default is 30 minutes.
TIP: Junos OS saves the existing log file and creates a new file at the configured
transfer intervals irrespective of whether:
• The file has reached the maximum size.
• An archive site is configured.
When you have a relatively small transfer interval configured and if no archive
site is configured, data can be lost as Junos OS overwrites the log files when
the maximum number of log files is reached. To ensure that the log
information is saved for a reasonably long time:
• Configure an archive site to archive the log files every time a new log file is
created.
• Configure the maximum value (2880 minutes) for transfer-interval so that
new files are created less frequently; that is, only when the file exceeds the
maximum size limit or once in 2 days.
Related Documentation
• Accounting Options Overview on page 411
• Understanding Device Management Functions in Junos OS on page 3
• Accounting Options Configuration on page 416
• Configuring the Interface Profile on page 430
• Configuring the Filter Profile on page 433
• Configuration Statements at the [edit accounting-options] Hierarchy Level on page 415
Managing Accounting Files
Supported Platforms
SRX Series, vSRX
If you configure your SRX300, SRX320, SRX340, SRX345, SRX550M, or SRX1500 devices
to capture accounting data in log files, set the location for your accounting files to the
DRAM.
The default location for accounting files is the cfs/var/log directory on the CompactFlash
(CF) card. The nonpersistent option minimizes the read/write traffic to your CF card. We
recommend that you use the nonpersistent option for all accounting files configured on
your system.
To store accounting log files in DRAM instead of the CF card:
1. Enter configuration mode in the CLI.
2. Create an accounting data log file in DRAM and replace filename with the name of
the file.
[edit]
user@host# edit accounting-options file filename
3. Store accounting log files in the DRAM file.
[edit accounting-options file filename]
user@host# set nonpersistent
CAUTION: If log files for accounting data are stored on DRAM, these files are
lost when the device reboots. Therefore, we recommend that you back up
these files periodically.
Related Documentation
• Accounting Options Overview on page 411
Configuring the Interface Profile
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
An interface profile specifies the information collected and written to a log file. You can
configure a profile to collect error and statistic information for input and output packets
on a particular physical or logical interface.
To configure an interface profile, include the interface-profile statement at the
[edit accounting-options] hierarchy level:
[edit accounting-options]
interface-profile profile-name {
    fields {
        field-name;
    }
    file filename;
    interval minutes;
}
By default, the Packet Forwarding Engine (PFE) periodically collects the statistics for all
interfaces. To improve the performance, you can optionally disable the periodic refresh
by including the periodic-refresh disable statement at the [edit accounting-options]
hierarchy level.
Each accounting profile must have a unique profile-name. To apply a profile to a physical
or logical interface, include the accounting-profile statement at either the [edit interfaces
interface-name] or the [edit interfaces interface-name unit logical-unit-number] hierarchy
level. You can also apply an accounting profile at the [edit firewall family family-type filter
filter-name] hierarchy level. For more information, see the Routing Policies, Firewall Filters,
and Traffic Policers Feature Guide.
To configure an interface profile, perform the tasks described in the following sections:
• Configuring Fields on page 431
• Configuring the File Information on page 431
• Configuring Cleared Statistics to be Reported in the Flat File on page 431
• Configuring the Interval on page 431
• Example: Configuring the Interface Profile on page 432
Configuring Fields
An interface profile must specify what statistics are collected. To configure which statistics
should be collected for an interface, include the fields statement at the [edit
accounting-options interface-profile profile-name] hierarchy level:
[edit accounting-options interface-profile profile-name]
fields {
    field-name;
}
Configuring the File Information
Each accounting profile logs its statistics to a file in the /var/log directory.
To configure which file to use, include the file statement at the [edit accounting-options
interface-profile profile-name] hierarchy level:
[edit accounting-options interface-profile profile-name]
file filename;
You must specify a file statement for the interface profile that has already been configured
at the [edit accounting-options] hierarchy level.
Configuring Cleared Statistics to be Reported in the Flat File
When you issue the clear interfaces statistics command for a logical interface configured
to collect accounting statistics, all accounting statistics received on that interface from
the Packet Forwarding Engine are cleared. The current values when the command is
issued become the new baseline and the statistics counters are reset to zero. The new
values, starting from zero, are displayed in the CLI. However, they are not reported that
way in the accounting flat file associated with the interface. Instead, the values as reported
in the file continue to increment as if the command had not been issued.
You can change this result by including the allow-clear statement in the interface profile.
In this case, when you issue the clear interfaces statistics command, the statistics are
reset to zero and reported to the flat file.
To configure reporting of cleared accounting statistics to the flat file, specify reporting:
[edit accounting-options interface-profile profile-name]
allow-clear;
Configuring the Interval
Each interface with an accounting profile enabled has statistics collected once per interval
time specified for the accounting profile. Statistics collection time is scheduled evenly
over the configured interval. To configure the interval, include the interval statement at
the [edit accounting-options interface-profile profile-name] hierarchy level:
[edit accounting-options interface-profile profile-name]
interval minutes;
NOTE: The minimum interval allowed is 1 minute. Configuring a low interval
in an accounting profile for a large number of interfaces might cause serious
performance degradation.
The range for the interval statement is 1 through 2880 minutes. The default is 30 minutes.
Example: Configuring the Interface Profile
Configure the interface profile:
[edit]
accounting-options {
    file if_stats {
        size 40 files 5;
    }
    interface-profile if_profile1 {
        file if_stats;
        interval 30;
        fields {
            input-bytes;
            output-bytes;
            input-packets;
            output-packets;
            input-multicast;
            output-multicast;
        }
    }
    interface-profile if_profile2 {
        file if_stats;
        interval 30;
        fields {
            input-bytes;
            output-bytes;
            input-packets;
            output-packets;
            input-multicast;
            output-multicast;
        }
    }
}
interfaces {
    xe-1/0/0 {
        accounting-profile if_profile1;
        unit 0 {
            accounting-profile if_profile2;
            ...
        }
    }
}
The two interface profiles, if_profile1 and if_profile2, write data to the same file, if_stats.
The if_stats file might look like the following:
#FILE CREATED 976823478 2000-12-14-19:51:18
#hostname host
#profile-layout if_profile2,epoch-timestamp,interface-name,snmp-index,input-bytes,output-bytes,input-packets,output-packets,input-multicast,output-multicast
#profile-layout if_profile1,epoch-timestamp,interface-name,snmp-index,input-bytes,output-bytes,input-packets
if_profile2,976823538,xe-1/0/0.0,8,134696815,3681534,501088,40723,0,0
if_profile1,976823538,xe-1/0/0,7,134696815,3681534,501088
...
#FILE CLOSED 976824378 2000-12-14-20:06:18
Related Documentation
• Accounting Options Overview on page 411
• Understanding Device Management Functions in Junos OS on page 3
• Accounting Options Configuration on page 416
• Configuring Accounting-Data Log Files on page 424
• Configuring the Filter Profile on page 433
• Configuration Statements at the [edit accounting-options] Hierarchy Level on page 415
Configuring the Filter Profile
Supported Platforms
M Series, MX Series, PTX Series, T Series
A filter profile specifies error and statistics information collected and written to a file. A
filter profile must specify counter names for which statistics are collected.
To configure a filter profile, include the filter-profile statement at the [edit
accounting-options] hierarchy level:
[edit accounting-options]
filter-profile profile-name {
    counters {
        counter-name;
    }
    file filename;
    interval minutes;
}
To apply the filter profile, include the accounting-profile statement at the [edit firewall
filter filter-name] hierarchy level.
To configure a filter profile, perform the tasks described in the following sections:
• Configuring the Counters on page 434
• Configuring the File Information on page 434
• Configuring the Interval on page 434
Configuring the Counters
Statistics are collected for all counters specified in the filter profile. To configure the
counters, include the counters statement at the [edit accounting-options filter-profile
profile-name] hierarchy level:
[edit accounting-options filter-profile profile-name]
counters {
    counter-name;
}
Configuring the File Information
Each accounting profile logs its statistics to a file in the /var/log directory.
To configure which file to use, include the file statement at the [edit accounting-options
filter-profile profile-name] hierarchy level:
[edit accounting-options filter-profile profile-name]
file filename;
You must specify a filename for the filter profile that has already been configured at the
[edit accounting-options] hierarchy level.
NOTE: The limit on the total number of characters per line in a log file equals
1023. If this limit is exceeded, the output written to the log file is incomplete.
Ensure that you limit the number of counters or requested data so that this
character limit is not exceeded.
NOTE: If the configured file size or transfer interval is exceeded, Junos OS
closes the file and starts a new one. By default, the transfer interval value is
30 minutes. If the transfer interval is not configured, Junos OS closes the file
and starts a new one when the file size exceeds its configured value or when the
default transfer interval of 30 minutes elapses. To avoid transferring files
every 30 minutes, specify a different value for the transfer interval.
Configuring the Interval
Each filter with an accounting profile enabled has statistics collected once per interval
time specified for the accounting profile. Statistics collection time is scheduled evenly
over the configured interval. To configure the interval, include the interval statement at
the [edit accounting-options filter-profile profile-name] hierarchy level:
[edit accounting-options filter-profile profile-name]
interval minutes;
NOTE: The minimum interval allowed is 1 minute. Configuring a low interval
in an accounting profile for a large number of filters might cause serious
performance degradation.
The range for the interval statement is 1 through 2880 minutes. The default is 30 minutes.
Related Documentation
• Accounting Options Overview on page 411
• Understanding Device Management Functions in Junos OS on page 3
• Accounting Options Configuration on page 416
• Configuring Accounting-Data Log Files on page 424
Example: Configuring a Filter Profile
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
Configure a filter profile:
[edit]
accounting-options {
    file fw_accounting {
        size 500k files 4;
    }
    filter-profile fw_profile1 {
        file fw_accounting;
        interval 60;
        counters {
            counter1;
            counter2;
            counter3;
        }
    }
}
firewall {
    filter myfilter {
        accounting-profile fw_profile1;
        ...
        term accept-all {
            then {
                count counter1;
                accept;
            }
        }
    }
}
The filter profile, fw_profile1, writes data to the file fw_accounting. The file might look like
the following:
#FILE CREATED 976825278 2000-12-14-20:21:18
#hostname host
#profile-layout fw_profile1,epoch-timestamp,filter-name,counter-name,packet-count,byte-count
fw_profile1,976826058,myfilter,counter1,163,10764
...
#FILE CLOSED 976826178 2000-12-14-20:36:18
Related Documentation
• Configuring the Filter Profile on page 433
• Example: Configuring Interface-Specific Firewall Counters and Filter Profiles on page 436
Example: Configuring Interface-Specific Firewall Counters and Filter Profiles
Supported Platforms
M Series, MX Series, SRX Series, T Series, vSRX
To collect and log count statistics collected by firewall filters on a per-interface basis,
you must configure a filter profile and include the interface-specific statement at the
[edit firewall filter filter-name] hierarchy level.
Configure the firewall filter accounting profile:
[edit accounting-options]
file cust1_accounting {
    size 500k;
}
filter-profile cust1_profile {
    file cust1_accounting;
    interval 1;
    counters {
        r1;
    }
}
Configure the interface-specific firewall counter:
[edit firewall]
filter f3 {
    accounting-profile cust1_profile;
    interface-specific;
    term f3-term {
        then {
            count r1;
            accept;
        }
    }
}
Apply the firewall filter to an interface:
[edit interfaces]
xe-1/0/0 {
    unit 0 {
        family inet {
            filter {
                input f3;
                output f3;
            }
            address 20.20.20.30/24;
        }
    }
}
The following example shows the contents of the cust1_accounting file in the /var/log
folder that might result from the preceding configuration:
#FILE CREATED 995495212 2001-07-18-22:26:52
#hostname host
#profile-layout cust1_profile,epoch-timestamp,interfaces,filter-name,counter-name,packet-count,byte-count
cust1_profile,995495572,xe-1/0/0.0,f3-xe-1/0/0.0-i,r1-xe-1/0/0.0-i,5953,1008257
cust1_profile,995495602,xe-1/0/0.0,f3-xe-1/0/0.0-o,r1-xe-1/0/0.0-o,5929,1006481
...
If the interface-specific statement is not included in the configuration, the following output
might result:
#FILE CREATED 995495212 2001-07-18-22:26:52
#hostname host
#profile-layout cust1_profile,epoch-timestamp,interfaces,filter-name,counter-name,packet-count,byte-count
cust1_profile,995495572,xe-1/0/0.0,f3,r1,5953,1008257
cust1_profile,995495632,xe-1/0/0.0,f3,r1,5929,1006481
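The header, profile-layout, and trailer records described under Configuring Accounting-Data Log Files, together with the interface-specific counter names shown above, are enough to write a consumer that validates a file before trusting its numbers. The following Python sketch is an added example, not Juniper code; the function names are hypothetical, the sample file is constructed from the output above, and it assumes each #profile-layout record occupies one physical line.

```python
# Constructed sample modelled on the page's cust1_accounting output.
# Assumption: each "#profile-layout" record occupies one physical line.
SAMPLE = """\
#FILE CREATED 995495212 2001-07-18-22:26:52
#hostname host
#profile-layout cust1_profile,epoch-timestamp,interfaces,filter-name,counter-name,packet-count,byte-count
cust1_profile,995495572,xe-1/0/0.0,f3-xe-1/0/0.0-i,r1-xe-1/0/0.0-i,5953,1008257
cust1_profile,995495632,xe-1/0/0.0,f3-xe-1/0/0.0-i,r1-xe-1/0/0.0-i,6100,1033000
cust1_profile,995495692,xe-1/0/0.0,f3-xe-1/0/0.0-i,r1-xe-1/0/0.0-i,12,2040
cust1_profile,995495752,xe-1/0/0.0,f3-xe-1/0/0.0-i,r1-xe-1/0
"""

ID_COLS = ("interface-name", "interfaces", "filter-name", "counter-name")
NOT_COUNTERS = set(ID_COLS) | {"profile", "epoch-timestamp", "snmp-index"}


def parse_accounting(text):
    """Parse one accounting-data log file into (meta, records, findings)."""
    meta, layouts, records, findings = {}, {}, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith(("#FILE CREATED", "#FILE CLOSED")):
            parts = line.split()
            if len(parts) >= 3 and parts[2].isdigit():
                meta[parts[1].lower()] = int(parts[2])
            else:
                findings.append((lineno, "malformed header or trailer"))
        elif line.startswith("#hostname"):
            meta["hostname"] = line.partition(" ")[2]
        elif line.startswith("#profile-layout"):
            # A later layout record for a profile replaces the earlier one.
            name, *cols = line.partition(" ")[2].split(",")
            layouts[name] = cols
        elif line.startswith("#"):
            findings.append((lineno, "unrecognised # line"))
        else:
            name, *values = line.split(",")
            cols = layouts.get(name)
            if cols is None:
                findings.append((lineno, "row without a profile-layout"))
            elif len(values) != len(cols):
                findings.append((lineno, "column count differs from layout"))
            else:
                records.append({"profile": name, **dict(zip(cols, values))})
    if "closed" not in meta:
        findings.append((None, "no #FILE CLOSED trailer"))
    return meta, records, findings


def counter_regressions(records):
    """Return samples whose cumulative counter is lower than the previous one."""
    last, hits = {}, []
    for rec in records:
        ident = (rec["profile"],) + tuple(rec.get(c) for c in ID_COLS)
        for col, val in rec.items():
            if col in NOT_COUNTERS or not val.isdigit():
                continue
            prev = last.get(ident + (col,))
            if prev is not None and int(val) < prev:
                hits.append((rec.get("epoch-timestamp"), col, prev, int(val)))
            last[ident + (col,)] = int(val)
    return hits


def split_interface_specific(name, interface):
    """Split 'f3-xe-1/0/0.0-i' (interface 'xe-1/0/0.0') into ('f3', 'input')."""
    for suffix, direction in (("-i", "input"), ("-o", "output")):
        tail = f"-{interface}{suffix}"
        if name.endswith(tail):
            return name[: -len(tail)], direction
    return name, None


if __name__ == "__main__":
    meta, records, findings = parse_accounting(SAMPLE)
    print(meta, findings, counter_regressions(records), sep="\n")
```

A column-count mismatch is how a row left incomplete by the 1023-character line limit appears to a consumer, and a missing trailer marks a file that was never closed; treat both, and any counter that moves backward, as reasons to review the file before using it for billing or detection baselines.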
Related Documentation
• Configuring the Filter Profile on page 433
• Configuring the Interface Profile on page 430
Configuring SCU or DCU
Supported Platforms
M Series, MX Series, PTX Series, SRX Series, T Series, vSRX
To configure SCU or DCU, perform the following tasks described in this section:
NOTE: We recommend that you stop the network traffic on an interface
before you modify the DCU or SCU configuration for that interface. Modifying
the DCU or SCU configuration without stopping the traffic might corrupt the
DCU or SCU statistics. Before you restart the traffic after modifying the
configuration, enter the clear interfaces statistics command.
• Creating Prefix Route Filters in a Policy Statement on page 437
• Applying the Policy to the Forwarding Table on page 438
• Enabling Accounting on Inbound and Outbound Interfaces on page 438
Creating Prefix Route Filters in a Policy Statement
To define prefix route filters:
[edit policy-options]
policy-statement scu-1 {
    term term1 {
        from {
            route-filter 192.0.2.0/24 orlonger;
        }
        then source-class gold;
    }
}
Applying the Policy to the Forwarding Table
To apply the policy to the forwarding table:
[edit]
routing-options {
    forwarding-table {
        export scu-1;
    }
}
Enabling Accounting on Inbound and Outbound Interfaces
To enable accounting on inbound and outbound interfaces:
[edit]
interfaces {
    so-6/1/0 {
        unit 0 {
            family inet {
                accounting {
                    destination-class-usage;
                    source-class-usage {
                        output;
                    }
                }
            }
        }
    }
}
[edit]
interfaces {
    xe-0/1/0 {
        unit 0 {
            family inet6 {
                accounting {
                    source-class-usage {
                        input;
                    }
                }
            }
        }
    }
}
Optionally, you can include the input and output statements on a single interface as
shown:
[edit]
interfaces {
xe-0/1/2 {
unit 0 {
family inet6 {
accounting {
source-class-usage {
Chapte