Juniper防火墙基于带外管理实例配置SNMP服务（mgmt_junos）

原创

大写的七 2021-03-16 12:34:45 ©著作权

文章标签 junos srx mgmt_junos snmpv2 文章分类 网络安全

©著作权归作者所有：来自51CTO博客作者大写的七的原创作品，请联系作者获取转载授权，否则将追究法律责任

测试TOP

PC（172.27.22.10）---- （fxp0:172.27.22.117）SRX

(1)、配置防火墙fxp0接口到mgmt_junos实例（远程操作需谨慎，同时添加完配置后用commit confirmed ，修改配置） root@SRX4200# show interfaces fxp0 | display set >>>带外管理接口IP地址配置 set interfaces fxp0 unit 0 family inet address 172.27.22.119/25

root@SRX4200# show system management-instance | display set >>>配置mgmt_junos实例，配置完后fxp0接口自动到mgmt_junos实例 set system management-instance

root@SRX4200# show routing-instances mgmt_junos | display set >>>在mgmt_junos实例中添加，带外管理路由 set routing-instances mgmt_junos routing-options static route 0.0.0.0/0 next-hop 172.27.22.1

(2)、确认fxp0路由是否在mgmt_junos路由表中 {primary:node0}[edit] root@SRX4200# run show route 172.27.22.119

mgmt_junos.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)

= Active Route, - = Last Active, * = Both

172.27.22.119/32 *[Local/0] 5w0d 21:21:33 Local via fxp0.0

(3)、防火墙配置SNMP v2配置 root@SRX4200# show snmp | display set set snmp community public authorization read-only set snmp community public routing-instance mgmt_junos set snmp routing-instance-access

可选：指定源IP配置： set snmp community public clients 172.27.22.10/32

(4)、PC模拟SNMP服务器，向SRX防火墙读SNMP状态 1. 读取大量的SNMP状态 Yus-MacBook-Pro:~ root# snmpwalk -v 2c -c public 172.27.22.119 .1 iso.0.8802.1.1.1.1.1.1.0 = INTEGER: 0 iso.0.8802.1.1.2.1.1.1.0 = INTEGER: 30 iso.0.8802.1.1.2.1.1.2.0 = INTEGER: 4 iso.0.8802.1.1.2.1.1.3.0 = INTEGER: 2 iso.0.8802.1.1.2.1.1.4.0 = INTEGER: 0 iso.0.8802.1.1.2.1.1.5.0 = INTEGER: 5 iso.0.8802.1.1.2.1.2.1.0 = Timeticks: (0) 0:00:00.00 iso.0.8802.1.1.2.1.2.2.0 = Gauge32: 0 iso.0.8802.1.1.2.1.2.3.0 = Gauge32: 0 iso.0.8802.1.1.2.1.2.4.0 = Gauge32: 0 iso.0.8802.1.1.2.1.2.5.0 = Gauge32: 0 iso.0.8802.1.1.2.1.3.1.0 = INTEGER: 4 iso.0.8802.1.1.2.1.3.2.0 = Hex-STRING: 00 10 DB FF 10 00 iso.0.8802.1.1.2.1.3.3.0 = STRING: "SRX4200" iso.0.8802.1.1.2.1.3.4.0 = STRING: "Juniper Networks, Inc. srx4200 internet router, kernel JUNOS 18.4R3-S4.2, Build date: 2020-06-25 17:34:14 UTC Copyright (c) 1996-2020 Juniper Networks, Inc." <.......>

	2. 读取特定MIB OID的状态

Yus-MacBook-Pro:~ root# snmpwalk -v 2c -c public 172.27.22.119 1.3.6.1.2.1.1.5.0 SNMPv2-MIB::sysName.0 = STRING: SRX4200 Yus-MacBook-Pro:~ root# snmpwalk -v 2c -c public 172.27.22.119 1.3.6.1.4.1.2636.3.1.3.0 SNMPv2-SMI::enterprises.2636.3.1.3.0 = STRING: "DK2317AR0016" Yus-MacBook-Pro:~ root#

(5)、防火墙上看到的状态 root@SRX4200> set cli timestamp Mar 16 10:26:58 CLI timestamp set to: %b %d %T

{primary:node0} root@SRX4200> show snmp mib get sysName.0
Mar 16 10:27:00 sysName.0 = SRX4200

{primary:node0} root@SRX4200> show snmp mib get jnxBoxSerialNo.0
Mar 16 10:27:03 jnxBoxSerialNo.0 = DK2317AR0016

{primary:node0} root@SRX4200>

(6)、SNMP服务器和防火墙SNMP状态截图

SRX SNMP debug的输出 set snmp traceoptions file snmp-debug set snmp traceoptions file size 10m set snmp traceoptions flag all
SRX支持从mgmt_junos VR读取到NMP状态（仅测试参考） SRX测试平台： SRX4200 SRX测试版本： 18.4R3-S4.2
其它的NTP、DNS、RADIUS、TACASA+等管理配置请参考链接 [SRX] Example - Management instance configuration for SRX devices https://kb.juniper.net/InfoCenter/index?page=content&id=KB36101&cat=SRX320&actp=LIST