Juniper SNMP and Tacacs+ in routing-instance.

By | 06.11.2019

Recently, while setting up one more Juniper QFX5100 switch, i have run in to interesting case.
Since the switch was prepared as a classic TOR switch for IP fabric, it was necessary to place management to a routing-instance.

In Junos, SNMP access from routing-instance is disabled by default. To enable it, the following configuration is required:

[edit snmp]
routing-instance-access;

Full SNMP config :

snmp {
    name test1;
    location MSK;
    community public {
        authorization read-only;
        clients {
            1.1.1.2/32;
        }
        routing-instance mng-vrf {
            clients {
                1.1.1.2/32;
            }
        }
    }
    routing-instance-access;
}

When polling via SNMP, you must specify routing-instance name in the community, separeted by “@”. Switch will return data only for those interfaces, that belongs to this routing-instance:

snmpwalk -v2c -c mng-vrf@public 10.2.2.1 .1.3.6.1.2.1.2.2 

You can also poll interfaces in the default routing-instance:

snmpwalk -v2c -c default@public 10.2.2.1 .1.3.6.1.2.1.2.2 

To poll all interfaces at once, regardless of belonging to routing-instance:

snmpwalk -v2c -c @public 10.2.2.1 .1.3.6.1.2.1.2.2 

Junos has another nice feature – filtering interfaces from SNMP polling.
Useful if you are too lazy to configure regular expressions in Zabbix:

snmp { 
filter-interfaces {
        interfaces {
            "^ae[0-9]*.0";
            "^xe-0/0/[0-9]*.0";
        }
        all-internal-interfaces;
    }
 }  

Using this configuration, we will exclude 0 units of the interfaces ae *, and xe-0/0 / * (for example, ae0.0 or xe-0/0/8.0) and all internal interfaces from SNMP polling. Only ae * and xe-0/0 / * will be polled.

Now basic configuration of SNMP in the routing-instance is complete, so let’s move on to setting up Tacacs.

Tacacs + in any routing-instance is supported only from Junos 18.2R1 and later.
To configure Tacacs+, you just need to specify the required routing-instance:

system {
    authentication-order [ tacplus password ];
    tacplus-server {
        1.1.1.2 {
            routing-instance mng-vrf;
            port 49;
            secret "$9******************"; ## SECRET-DATA
            timeout 10;
            single-connection;
            source-address 10.2.2.1;
        }
    }
}

Leave a Reply

Your email address will not be published. Required fields are marked *