Configuring management

SR OS supports the following management interfaces:

  • SNMP
  • NETCONF
  • gRPC (gNMI and gNOI)

NETCONF and gRPC interfaces are based on a common infrastructure that uses YANG models as the core definition for configuration, state, and operational actions. All model-driven interfaces, including MD-CLI, take the same common underlying YANG modules and render them for the specific management interface.

See the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide for more information about management interfaces.

SNMP

The SNMP agent in SR OS supports SNMP versions 1, 2c, and 3.

Use the following command to enable SNMPv2 in SR OS.

configure system management-interface snmp admin-state enable

Configuring SNMP v2

In the following example, an SNMP community named "private" is used.

configure system security snmp community "private" access-permissions rwa
configure system security snmp community "private" version v2c

Configuring views

In the following example, a view is created that allows all SNMP OIDs except the management OID (1.3.6.1.2).

configure system security snmp view "testview" subtree "1" mask "ff"
configure system security snmp view "testview" subtree "1.3.6.1.2" mask "ff"
configure system security snmp view "testview" subtree "1.3.6.1.2" type excluded

Configuring access groups

In the following example, the view is attached to an access group.

configure system security snmp access "testgroup" context "" security-model usm security-level privacy read "testview"
configure system security snmp access "testgroup" context "" security-model usm security-level privacy write "testview"
configure system security snmp access "testgroup" context "" security-model usm security-level privacy notify "testview"

Configuring SNMPv3 access and user authentication

In the following example, a user is created with SNMPv3-level security and assigned the access group created in the preceding example. When this user accesses the system over SNMPv3, all OIDs are accessible except the management OID, which is excluded by the view attached to the access group.

/configure system security user-params local-user user "testuser" password "password123"
/configure system security user-params local-user user "testuser" access snmp true
/configure system security user-params local-user user "testuser" snmp group "testgroup"
/configure system security user-params local-user user "testuser" snmp authentication authentication-protocol hmac-md5-96
/configure system security user-params local-user user "testuser" snmp authentication authentication-key "ScP+TqePGLFQCji9jsyYADLcm/U21na77A8sCzhnIeQ= hash2"
/configure system security user-params local-user user "testuser" snmp authentication privacy privacy-protocol cfb128-aes-128
/configure system security user-params local-user user "testuser" snmp authentication privacy privacy-key "ScP+TqePGLFQCji9jsyYADKYDOznv3WpBtOO9DGQJaM= hash2"

Use the following command to generate authentication and privacy keys.

tools perform system management-interface snmp generate-key

Configuring SNMP trap destination

configure log snmp-trap-group "my-snmp-trap-dest1" trap-target "Trap-server1" address 192.168.99.10
configure log snmp-trap-group "my-snmp-trap-dest1" trap-target "Trap-server1" version snmpv2c
configure log snmp-trap-group "my-snmp-trap-dest1" trap-target "Trap-server1" notify-community "private"
configure log snmp-trap-group "my-snmp-trap-dest1" trap-target "Trap-server1" security-level no-auth-no-privacy

Configuring log events to be sent as SNMP traps

configure log log-id "my-snmp-trap-dest1" source main true
configure log log-id "my-snmp-trap-dest1" source security true
configure log log-id "my-snmp-trap-dest1" source change true
configure log log-id "my-snmp-trap-dest1" destination { snmp }

NETCONF

NETCONF is a standardized IETF configuration management protocol specified in RFC 6241, Network Configuration Protocol (NETCONF). It is secure, connection-oriented, and runs on top of the SSHv2 transport protocol, as specified in RFC 6242, Using the NETCONF Configuration Protocol over Secure Shell (SSH). NETCONF is an XML-based protocol that can be used as an alternative to CLI or SNMP for managing an SR OS router.

The SR OS NETCONF server supports both the base:1.1 and the base:1.0 capabilities.

SR OS NETCONF supports both a CLI content layer and an XML-based content layer.

Use the following command to enable the NETCONF server in SR OS.

configure system management-interface netconf listen admin-state enable

The default listening port is 830.
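The base:1.0 and base:1.1 capabilities mentioned above differ in how messages are delimited on the SSH channel. The following added Python example (not SR OS code) shows the capability negotiation a client performs against the server's hello, frames a get-config RPC for the negotiated version (end-of-message marker for base:1.0, chunked framing for base:1.1 as in RFC 6242), and reassembles chunked input while rejecting malformed chunk headers. The capability lists and RPC text are constructed.

```python
"""NETCONF base-version negotiation and message framing (RFC 6241 / RFC 6242)."""
import re

BASE_NS = "urn:ietf:params:netconf:base:"
EOM = b"]]>]]>"  # base:1.0 end-of-message marker


def negotiate_base(client_caps, server_caps):
    """Return the highest base version advertised by both hellos, else None."""
    common = set(client_caps) & set(server_caps)
    for version in ("1.1", "1.0"):
        if BASE_NS + version in common:
            return version
    return None


def frame(message, base):
    """Frame one NETCONF message for the negotiated base version."""
    data = message.encode("utf-8")
    if base == "1.0":
        return data + EOM
    # Chunked framing: "\n#<octet-count>\n" + chunk ..., terminated by "\n##\n".
    # A single chunk is sufficient for a complete message.
    return b"\n#%d\n" % len(data) + data + b"\n##\n"


def unframe_chunked(stream):
    """Reassemble one chunk-framed message; raise on a malformed header."""
    pos, parts = 0, []
    while True:
        header = re.match(rb"\n#(\d+|#)\n", stream[pos:])
        if not header:
            raise ValueError("bad chunk header at offset %d" % pos)
        if header.group(1) == b"#":
            break  # end-of-chunks marker
        size = int(header.group(1))
        start = pos + header.end()
        parts.append(stream[start:start + size])
        pos = start + size
    return b"".join(parts).decode("utf-8")


# Constructed get-config RPC for the running datastore.
GET_CONFIG = (
    '<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">'
    "<get-config><source><running/></source></get-config></rpc>"
)
```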

Configuring NETCONF user profile

A user profile can be created for NETCONF users that authorizes each NETCONF base operation individually.

configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization action true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization cancel-commit true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization close-session true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization commit true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization copy-config true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization create-subscription true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization delete-config true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization discard-changes true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization edit-config true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization get true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization get-config true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization get-data true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization get-schema true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization kill-session true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization lock true
configure system security aaa local-profiles profile "netconf-profile" netconf base-op-authorization validate true

Configuring NETCONF user

The profile created in the preceding example can be assigned to a user for NETCONF access.

configure system security user-params local-user user "netconf-user" password "password123"
configure system security user-params local-user user "netconf-user" access netconf true
configure system security user-params local-user user "netconf-user" console member ["netconf-profile"]

Use the following command to verify connected NETCONF sessions.

show system netconf connection

Displaying list of connected NETCONF sessions

===============================================================================
NETCONF Server connections
===============================================================================
Connection       Username       Session Status        Session Running Candidate
                                Id                    Type    Locked? Locked?
 Session Init                                                         
 Type                                                                 
-------------------------------------------------------------------------------
172.20.20.1      netconf-user   12      connected     global  no      no
  Client-Initiated
-------------------------------------------------------------------------------
Number of NETCONF sessions: 1
===============================================================================

Use the following command to view NETCONF operation counters.

show system netconf counters

Displaying NETCONF counter values

===============================================================================
NETCONF counters
===============================================================================
    Rx Messages
-------------------------------------------------------------------------------
      in gets            : 0
      in get-configs     : 1
      in edit-configs    : 0
      in copy-configs    : 1
      in delete-configs  : 0
      in validates       : 0
      in close-sessions  : 0
      in kill-sessions   : 0
      in locks           : 0
      in unlocks         : 0
      in commits         : 0
      in discards        : 0
      in create-subscrip*: 0
      in get-schemas     : 0
      in get-datas       : 0
      in actions         : 0

-------------------------------------------------------------------------------
      Rx Total           : 2
===============================================================================

gRPC gNMI

The gRPC mechanism is a modern, open-source, high-performance RPC framework that can run in any environment. In SR OS, this framework is used to implement the gRPC server, which can then be used for configuration management or telemetry.

The gRPC service runs on port 57400 by default in SR OS.

gNMI (gRPC Network Management Interface) is a gRPC-based protocol for network management functions, such as changing the configuration of network elements and retrieving state information. Additionally, gNMI provides the functionality necessary to support telemetry. The gNMI service is specified by the OpenConfig working group.

Enabling gRPC gNMI

Use the following commands to enable gRPC in non-secure (non-TLS) mode.

configure system grpc admin-state enable
configure system grpc allow-unsecure-connection

Configuring gRPC user profile

configure system security aaa local-profiles profile "grpc-profile" grpc rpc-authorization gnmi-capabilities permit
configure system security aaa local-profiles profile "grpc-profile" grpc rpc-authorization gnmi-get permit
configure system security aaa local-profiles profile "grpc-profile" grpc rpc-authorization gnmi-set permit
configure system security aaa local-profiles profile "grpc-profile" grpc rpc-authorization gnmi-subscribe permit

Configuring gRPC user

configure system security user-params local-user user "grpc-user" password "password123"
configure system security user-params local-user user "grpc-user" access grpc true
configure system security user-params local-user user "grpc-user" console member ["grpc-profile"]

Use the following command to verify connected gRPC sessions.

show system grpc connection

Displaying list of connected gRPC sessions

===============================================================================
gRPC Server connections
===============================================================================
Address                   : 172.20.20.1
Port                      : 47512
Router Instance           : management
Establishment Time        : 2025/08/09 14:11:26
Active RPC Count          : 1
Total RPC Count           : 1
Rx Bytes                  : 335
Tx Bytes                  : 441
-------------------------------------------------------------------------------
No. of connections        : 1
===============================================================================