Juniper SNMPv2 on routing instance

When I need to configure SNMPv2 on a Juniper device and a routing instance is involved, I always forget to enable some knobs. Here is a quick configuration that allowed me to query an EX switch through its VR (in my example the VR name is ISP1). You can also specify your specific VR name under “routing-instance-access”.

root@host# show snmp
client-list allowed-sources {
    10.1.1.1/32;
    10.2.2.2/32;
}
community test123 {
    authorization read-only;
    routing-instance ISP1 {
        client-list-name allowed-sources;
    }
}
routing-instance-access;

If you don’t do this properly, you will get two errors like the ones below:

 SNMPD_AUTH_RESTRICTED_ADDRESS: nsa_initial_callback: request from address 10.1.1.1 not allowed 

Even after configuring, you may get an error such as the one below:

SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 10.1.1.1

This means you are not sending the SNMP community in the format required for a routing instance. You should send the SNMP community as “ISP1@test123”, i.e. routing-instance-name@community, instead of just test123.
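The two log messages above can be triaged mechanically against the client list. The following Python sketch is an added example, not code from the original post or from Juniper: it matches the message text exactly as quoted here, and the function names, hint wording and the third sample line (192.0.2.50) are assumptions made for illustration.

```python
import ipaddress
import re

# Values from the configuration shown in this post.
CLIENT_LIST = [ipaddress.ip_network(p) for p in ("10.1.1.1/32", "10.2.2.2/32")]
INSTANCE, COMMUNITY = "ISP1", "test123"

# Message shapes exactly as quoted in this post.
PATTERNS = {
    "SNMPD_AUTH_RESTRICTED_ADDRESS":
        re.compile(r"request from address (?P<src>[0-9A-Fa-f.:]+) not allowed"),
    "SNMPD_AUTH_FAILURE":
        re.compile(r"unauthorized SNMP community from (?P<src>[0-9A-Fa-f.:]+)"),
}

def triage(line):
    """Return (tag, source, hint) for an snmpd auth message, else None."""
    for tag, pattern in PATTERNS.items():
        m = pattern.search(line) if tag in line else None
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            return None  # address field was not a valid IP
        listed = any(src in net for net in CLIENT_LIST)
        if not listed:
            hint = "source is not in client-list allowed-sources"
        elif tag == "SNMPD_AUTH_RESTRICTED_ADDRESS":
            hint = f"listed source: check routing-instance {INSTANCE} stanza and routing-instance-access"
        else:
            hint = f"poller must send community as {INSTANCE}@{COMMUNITY}"
        return tag, str(src), hint
    return None

def unlisted_sources(lines):
    """Sources that reached snmpd but are outside the client list."""
    hits = filter(None, map(triage, lines))
    return sorted({src for _, src, hint in hits if "not in client-list" in hint})

# Lines 1-2 are quoted from this post; line 3 is constructed for the example.
SAMPLE = [
    "SNMPD_AUTH_RESTRICTED_ADDRESS: nsa_initial_callback: request from address 10.1.1.1 not allowed",
    "SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 10.1.1.1",
    "SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 192.0.2.50",
]

if __name__ == "__main__":
    print([triage(entry) for entry in SAMPLE], unlisted_sources(SAMPLE))
```

Sources returned by `unlisted_sources` are pollers that are not part of the configured client list and are worth reviewing before widening it.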

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


3 thoughts on “Juniper SNMPv2 on routing instance”

  1. It only contains the routing-instance interfaces. If you want to pull the global/default interfaces, you should use the @test123 community.

  2. I have the same issue and tried all the recommendations, but the error persists:

    set snmp view all oid .1 include
    set snmp client-list list0 10.205.102.59/32

    set snmp community "ENT_IP_OAM@Sokotu" authorization read-only
    set snmp community "ENT_IP_OAM@Sokotu" client-list-name list0
    set snmp community "ENT_IP_OAM@Sokotu" routing-instance ENT_IP_OAM

    set snmp trap-group Sokotu version v2
    set snmp trap-group Sokotu destination-port 162
    set snmp trap-group Sokotu targets 10.205.102.59
    set snmp trap-group Sokotu routing-instance ENT_IP_OAM

    set snmp routing-instance-access

    I get the log error below:

    Jul 4 23:02:37 sokoto-mx240 snmpd[4985]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.205.102.59 to 10.205.136.120 (Sokotu)
    Jul 4 23:02:37 sokoto-mx240 snmpd[4985]: SNMPD_AUTH_FAILURE: nsa_initial_embedcomm: unauthorized SNMP community from 10.205.102.59 to 10.205.136.120 (Sokotu)
