Recently, while setting up yet another Juniper QFX5100 switch, I ran into an interesting case.
Since the switch was being prepared as a classic ToR switch for an IP fabric, management had to be placed in a routing-instance.
In Junos, SNMP access from a routing-instance is disabled by default. To enable it, the following configuration is required:
[edit snmp]
routing-instance-access;
Full SNMP config:
snmp {
    name test1;
    location MSK;
    community public {
        authorization read-only;
        clients {
            1.1.1.2/32;
        }
        routing-instance mng-vrf {
            clients {
                1.1.1.2/32;
            }
        }
    }
    routing-instance-access;
}
When polling via SNMP, you must specify the routing-instance name in the community string, separated by “@”. The switch returns data only for the interfaces that belong to that routing-instance:
snmpwalk -v2c -c mng-vrf@public 10.2.2.1 .1.3.6.1.2.1.2.2
You can also poll interfaces in the default routing-instance:
snmpwalk -v2c -c default@public 10.2.2.1 .1.3.6.1.2.1.2.2
To poll all interfaces at once, regardless of which routing-instance they belong to:
snmpwalk -v2c -c @public 10.2.2.1 .1.3.6.1.2.1.2.2
Junos has another nice feature – filtering interfaces from SNMP polling.
Useful if you are too lazy to configure regular expressions in Zabbix:
snmp {
    filter-interfaces {
        interfaces {
            "^ae[0-9]*.0";
            "^xe-0/0/[0-9]*.0";
        }
        all-internal-interfaces;
    }
}
With this configuration, we exclude unit 0 of the ae* and xe-0/0/* interfaces (for example, ae0.0 or xe-0/0/8.0) and all internal interfaces from SNMP polling. Only the ae* and xe-0/0/* interfaces themselves will be polled.
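To see which names the filter-interfaces patterns above actually catch, here is an added Python model (not from the original post or from Junos itself). It shows that the unescaped dot in "^ae[0-9]*.0" matches any character, so a unit-less ae10 is hidden as well, while an escaped "\." matches only the unit separator. It assumes Junos evaluates each entry as a regular expression searched against the interface name (hence the leading ^ in the config), and the INTERNAL_INTERFACES set is a constructed stand-in for all-internal-interfaces.

```python
import re

# Patterns copied from the filter-interfaces stanza above.
FILTER_PATTERNS = [r"^ae[0-9]*.0", r"^xe-0/0/[0-9]*.0"]

# Same intent with the dot escaped, so only the literal unit separator matches.
STRICT_PATTERNS = [r"^ae[0-9]*\.0", r"^xe-0/0/[0-9]*\.0"]

# Assumed stand-in for "all-internal-interfaces"; the real set is defined by Junos.
INTERNAL_INTERFACES = {"lsi", "gre", "ipip", "mtun", "pimd", "pime", "tap"}


def is_filtered(ifname, patterns=FILTER_PATTERNS, all_internal=True):
    """True if this interface would be hidden from SNMP get/walk by the filter.

    Assumption: each pattern is a regular expression searched against the
    interface name, which is why the page's patterns carry a leading ^.
    """
    if all_internal and ifname in INTERNAL_INTERFACES:
        return True
    return any(re.search(p, ifname) for p in patterns)


def polled_interfaces(ifnames, patterns=FILTER_PATTERNS):
    """Interfaces that remain visible to SNMP after filtering."""
    return [n for n in ifnames if not is_filtered(n, patterns)]


# Constructed sample of interface names as a QFX would list them.
SAMPLE_IFACES = ["ae0", "ae0.0", "ae10", "ae10.0", "xe-0/0/8", "xe-0/0/8.0",
                 "xe-0/0/8.100", "xe-0/0/10", "em0.0", "lsi", "lo0.0"]

if __name__ == "__main__":
    # With the page's patterns ae10 and xe-0/0/10 disappear; with the escaped dot they stay.
    print("polled (page's patterns):", polled_interfaces(SAMPLE_IFACES))
    print("polled (escaped dot):    ", polled_interfaces(SAMPLE_IFACES, STRICT_PATTERNS))
```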
Now the basic SNMP configuration in the routing-instance is complete, so let’s move on to setting up TACACS+.
TACACS+ in a routing-instance is supported only in Junos 18.2R1 and later.
To configure TACACS+, you only need to specify the required routing-instance:
system {
    authentication-order [ tacplus password ];
    tacplus-server {
        1.1.1.2 {
            routing-instance mng-vrf;
            port 49;
            secret "$9******************"; ## SECRET-DATA
            timeout 10;
            single-connection;
            source-address 10.2.2.1;
        }
    }
}