On-box SNMP Script

Tomasz Schwiertz
Oct 4, 2021


Another article in the “Network Automation and Scripting” set of articles. Automation is here to stay, so we have to master the skills and use them in our day-to-day tasks while automating part of our work. As part of my JNCIE-SP journey — Python on-box SNMP scripts are in the curriculum. Furthermore, what could be a better way of cementing the knowledge than labbing it and sharing your findings in an article? Let’s get started!

JNCIE-SP will challenge me with Python on-box OP, COMMIT, EVENT, and SNMP scripts. This article explains how to write, put on a Juniper device, and enable and run an SNMP script. Future articles will take on the remaining on-box scripts (if you are curious how off-box automation works — check out my other articles under link).

The Objective

Let us start with defining what the SNMP Script is supposed to do. We want the script to monitor SNMP queries on a JunosOS router. Each time an SNMP command is executed on the SNMP MIB — we want to know:

  • What SNMP command was executed
  • Which OID was queried

Furthermore, we want to know this via a Syslog message on the JunosOS router.

On the server side, we want to receive an output stating that an OID was queried, and we want to receive different outputs when different OIDs are queried.

SNMP Python on-box script — the elements:

SNMP Server — it is usually your Network Monitoring Station (or NMS) that runs SNMP queries towards your network appliances. All monitoring stations have the basic SNMP queries embedded, and to test our script — the NMS will run an snmpwalk towards the router to collect information (the information will be “what” the on-box script returns).

SNMP Agent — the JunosOS router where SNMP is configured. It is the Juniper router that stores the on-box script and starts the SNMP Agent. The minimum configuration required to enable SNMP and listen to GET and GETNEXT SNMP operations (v1 and v2c) is:

set snmp community test_community

The script itself — a simple Python construct that imports the JCS namespace used to pass data into Syslog, followed by an if-then statement. If the first OID is queried — return the “Hello World” string. If the second OID is queried — return “Hello Earth”.

import jcs

def main():
    # Action and OID that the SNMP agent passed to this script
    snmp_action = jcs.get_snmp_action()
    snmp_oid = jcs.get_snmp_oid()

    # Log every query to Syslog
    jcs.syslog("8", "snmp_action = ", snmp_action, " snmp_oid = ", snmp_oid)

    # Return a different string for each of the two OIDs
    if snmp_action == 'get':
        if snmp_oid == '.1.3.6.1.4.1.2636.13.61.1.9.1.1.1':
            jcs.emit_snmp_attributes(snmp_oid, "String", "Hello World")
        elif snmp_oid == '.1.3.6.1.4.1.2636.13.61.1.9.1.1.2':
            jcs.emit_snmp_attributes(snmp_oid, "String", "Hello Earth")

if __name__ == '__main__':
    main()
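The script above answers only the 'get' action. As an added example (not the author's code), this table-driven variant also answers 'get-next' by returning the next OID in numeric order. TABLE, oid_key and resolve are names introduced here, and the jcs import is guarded so the lookup logic can be exercised off-box.

```python
try:
    import jcs  # available only on the Junos device
except ImportError:
    jcs = None  # off-box: only the lookup logic below is usable

# OID -> (SNMP type, value); the same two OIDs and strings as the article's script.
TABLE = {
    '.1.3.6.1.4.1.2636.13.61.1.9.1.1.1': ('String', 'Hello World'),
    '.1.3.6.1.4.1.2636.13.61.1.9.1.1.2': ('String', 'Hello Earth'),
}

def oid_key(oid):
    """Turn a dotted OID into a tuple of ints so that .10 sorts after .9."""
    return tuple(int(part) for part in oid.strip('.').split('.'))

def resolve(action, oid):
    """Return (oid, type, value) to emit, or None when there is nothing to answer."""
    if action == 'get':
        entry = TABLE.get(oid)  # exact match only
        return (oid,) + entry if entry else None
    if action == 'get-next':
        # First table entry that sorts strictly after the requested OID.
        later = sorted((o for o in TABLE if oid_key(o) > oid_key(oid)), key=oid_key)
        return (later[0],) + TABLE[later[0]] if later else None
    return None  # unknown action: emit nothing

def main():
    action = jcs.get_snmp_action()
    oid = jcs.get_snmp_oid()
    # Same audit line as the article's script: one Syslog entry per query.
    jcs.syslog("8", "snmp_action = ", action, " snmp_oid = ", oid)
    answer = resolve(action, oid)
    if answer:
        jcs.emit_snmp_attributes(*answer)

if __name__ == '__main__' and jcs is not None:
    main()
```
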

To execute local SNMP scripts, we must add the script file to the appropriate SNMP script directory on the device:

root@router:/var/run/scripts/snmp

A simple method of adding a script to the Linux file system is shown below:

root@router# run start shell
//go into FreeBSD shell

root@router:/ #

root@router:/ # cd /var/run/scripts/snmp
//change directory to snmp (scripts)

root@router:/var/run/scripts/snmp # touch snmp_script.py
//create a file named “snmp_script.py”

root@router:/var/run/scripts/snmp # vi snmp_script.py
//use your favorite editor to write the script

Enabling the SNMP script

We are setting up the OIDs that the script will be allowed to query. Instead of letting the script interfere with OIDs representing the actual state of functionalities and services, we define our own. The choice fell on two unused Object IDs:

.1.3.6.1.4.1.2636.13.61.1.9.1.1.1
.1.3.6.1.4.1.2636.13.61.1.9.1.1.2

The snmp_script.py script is enabled under the [ system scripts snmp ] configuration stanza:

set system scripts snmp file snmp_script.py oid .1.3.6.1.4.1.2636.13.61.1.9.1.1.1
set system scripts snmp file snmp_script.py oid .1.3.6.1.4.1.2636.13.61.1.9.1.1.2
set system scripts snmp file snmp_script.py python-script-user ops

Along with enabling the script, we have to list the OIDs implemented in the script and provide permissions. We specify the user (ops) that we want to be used to run the script. The user has to have full permissions to be able to execute the script.

set system login user ops uid 2001
set system login user ops class super-user
set system login user ops authentication encrypted-password <snip>

Finally — we specify the version of Python used to execute the scripts:

set system scripts language python

Let us draw out what the data flow looks like:

SNMP Script — data flow

The output

There has to be IP connectivity between the NMS and the Juniper router. In the lab — we connected the appliances as follows:

SNMP IP Addressing

We tested the script by querying for the 1st OID:

On the SNMP Server:

labuser@base:~$ snmpwalk -v 2c -c test_community 10.0.255.169 .1.3.6.1.4.1.2636.13.61.1.9.1.1.1

iso.3.6.1.4.1.2636.13.61.1.9.1.1.1 = STRING: "Hello World"

We see the “Hello World” message.

On the SNMP Agent:

Message from syslogd@router at Jul 31 23:00:49  ...
CE-A cscript: snmp_action = get snmp_oid = .1.3.6.1.4.1.2636.13.61.1.9.1.1.1

Furthermore, if we query the second one (2nd OID):

On the SNMP Server:

labuser@base:~$ snmpwalk -v 2c -c test_community 10.0.255.169 .1.3.6.1.4.1.2636.13.61.1.9.1.1.2

iso.3.6.1.4.1.2636.13.61.1.9.1.1.2 = STRING: "Hello Earth"

We get the “Hello Earth” message back.

On the SNMP Agent:

Message from syslogd@router at Jul 31 23:02:51  ...
CE-A cscript: snmp_action = get snmp_oid = .1.3.6.1.4.1.2636.13.61.1.9.1.1.2

In the real world — we will be doing something more advanced like taking some data from the device itself, postprocessing it, and returning it over SNMP to the NMS.

And that is a wrap on our Python on-box SNMP Script that notifies Syslog and returns data (strings) based on which OID was queried. The script “lives” on the router and will be triggered every time an NMS interrogates a specified OID. For code and config, the only version of my notes — visit my GitHub repository link to see the “meat” without all the nonsense;)

If you enjoyed reading this article as much as I enjoyed writing it, then like, share and subscribe ;) This would mean the world to me and would motivate me to write more content like that!
