Re: [j-nsp] (d)DoS handling

From: sean capshaw (capshaw@juniper.net)
Date: Fri Apr 06 2001 - 07:51:01 EDT


On Fri, 6 Apr 2001, Rob Heath wrote:

>
> You can packet filter for RFC1918 source traffic though, I guess the
> benefit of doing this would allow you to filter for other traffic too
> perhaps your own prefixes. Does anyone have any significant traffic through
> such a filter,and would such a filter impact performance on a high
> throughput network?

Packet filtering is done in hardware, so counting ICMP and SYN packets can
be done without negatively affecting routing or forwarding tasks on all
interfaces. This allows you to leave the filters in place during normal
operation so they can be monitored to provide early warning.

>
> It would be great if you could pull SNMP stats for individual filters too
> so that you could see which interface was receiving the traffic. I seem to
> remember that you are just able to see the overall figure of filtered
> traffic, although this may have changed since I last used any Juniper kit
> in anger (4.0R4).

You can use the FW MIB to monitor the counters using SNMP queries.

http://www.juniper.net/techpubs/software/junos43/swconfig43-install/html/snmp-mibs6.html#1024715

Thanks
Sean
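The kind of filter the thread is talking about, as an added example (not from the original message or from Juniper): a Junos `family inet` input filter that discards RFC1918 sources, counts ICMP and TCP SYN packets so the counters can be watched during normal operation, and leaves everything else alone. The filter name `edge-in`, the counter names, the interface `so-0/0/0` and the documentation prefix `203.0.113.0/24` standing in for "your own prefix" are all assumptions chosen for the example.

```junos
firewall {
    family inet {
        filter edge-in {
            /* RFC1918 sources should never arrive on an external interface:
               count them (so the rate is visible) and drop them. */
            term no-rfc1918-src {
                from {
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    count rfc1918-src;
                    discard;
                }
            }
            /* Same idea for spoofed packets claiming one of your own prefixes
               (203.0.113.0/24 is a placeholder for your real allocation). */
            term no-own-prefix-src {
                from {
                    source-address {
                        203.0.113.0/24;
                    }
                }
                then {
                    count own-prefix-src;
                    discard;
                }
            }
            /* Count ICMP and initial SYNs but keep forwarding them; the point
               is a baseline you can watch, not a block. */
            term count-icmp {
                from {
                    protocol icmp;
                }
                then {
                    count icmp-in;
                    accept;
                }
            }
            term count-syn {
                from {
                    protocol tcp;
                    tcp-flags "syn & !ack";
                }
                then {
                    count syn-in;
                    accept;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    so-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input edge-in;
                }
            }
        }
    }
}
```

After `commit`, `show firewall filter edge-in` lists each counter's packet and byte totals and `clear firewall filter edge-in` zeroes them, which is enough to establish a normal-traffic baseline before polling the same counters over SNMP. When polling, take the counter table and object names from the MIB document linked above for your Junos release rather than from memory, since the firewall MIB layout has changed between versions.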



This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:42 EDT