[j-nsp] Firwall Counter IPv6 : MIB

Niall Donaghy Niall.Donaghy at geant.org
Thu Dec 10 22:18:42 EST 2015


Hi David,

To essentially steal a quote from one of Nitzan's scripts:
In this MIB the index is based on SnmpAdminString where each word is
prefixed with its length, and each word is in ASCII decimal format.

We have extended one of Nitzan's Perl scripts and have been getting this
data into Cacti for several years.
Currently we are running Junos 14.1R5.5 on MX480 and MX960 (and verified
this also works on MX80).
Previously this also worked on T-series 10.x.

You can try walking these OIDs:

jnxFWCounterPacketCount = '.1.3.6.1.4.1.2636.3.5.2.1.4';
jnxFWCounterByteCount = '.1.3.6.1.4.1.2636.3.5.2.1.5';
jnxDCUCounterPacketCount = '.1.3.6.1.4.1.2636.3.6.2.1.4';
jnxDCUCounterByteCount = '.1.3.6.1.4.1.2636.3.6.2.1.5';
jnxSCUCounterPacketCount = '.1.3.6.1.4.1.2636.3.16.1.1.1.4';
jnxSCUCounterByteCount = '.1.3.6.1.4.1.2636.3.16.1.1.1.5';

To decode, eg:

jnxFWCounterByteCount.10.65.98.105.108.105.54.45.111.117.116.12.105.112.118.54.45.99.111.117.110.116.101.114.2 = 17295214115130

Word 0:		10 chars, which are: 	65.98.105.108.105.54.45.111.117.116
Word 1:		13 chars, which are: 	12.105.112.118.54.45.99.111.117.110.116.101.114
Word 2:		'2'			# See end of mail for notes

This translates to:

A.b.i.l.i.6.-.o.u.t		ie:	Abili6-out, which is the name of our FWF.
i.p.v.6.-.c.o.u.n.t.e.r	ie:	ipv6-counter

Via CLI:

@mx1.fra.de.re0> show firewall filter Abili6-out

Filter: Abili6-out
Counters:
Name                                                Bytes              Packets
ipv6-counter                               17296383155024          10223184319

We drive this Perl script with three input variables, $1 = filter name, $2 =
counter name, and $3 is typically '2'.
From the MIB walk I only see values for OIDs ending with .2, but there are
entries ending .3 which have values of '0' across the board.
I don't know the significance of 2 vs. 3, here .... but use '2' and you
should have more luck than has so far been the case.

I'm interested to know how you get on, and please let me know if I can be of
further help.

Kind regards,
Niall
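
The index encoding described in the message above, as an added example that is not taken from Nitzan's or Niall's Perl scripts: Python functions that build and parse the OID suffix for a filter/counter pair. The function names and the `trailing` parameter name are assumptions made for illustration; the base OID and sample index are the ones quoted in the thread.

```python
# Added example: function and parameter names are illustrative, not from the thread's scripts.
JNX_FW_COUNTER_BYTE_COUNT = ".1.3.6.1.4.1.2636.3.5.2.1.5"  # OID quoted in the thread


def encode_index(filter_name, counter_name, trailing=2):
    """Build the OID suffix: each word as <length>.<ASCII codes>, then the trailing integer."""
    parts = []
    for word in (filter_name, counter_name):
        raw = word.encode("ascii")  # raises UnicodeEncodeError on non-ASCII names
        parts.append(len(raw))
        parts.extend(raw)
    parts.append(trailing)
    return ".".join(str(p) for p in parts)


def decode_index(suffix):
    """Split '<len>.<chars>.<len>.<chars>.<n>' into (filter, counter, n)."""
    nums = [int(tok) for tok in suffix.strip(".").split(".")]
    words, pos = [], 0
    for _ in range(2):
        if pos >= len(nums):
            raise ValueError("index ends before a word length")
        length = nums[pos]
        chunk = nums[pos + 1 : pos + 1 + length]
        if len(chunk) != length:
            raise ValueError("word length %d exceeds remaining sub-identifiers" % length)
        if any(c < 32 or c > 126 for c in chunk):
            raise ValueError("non-printable character code in name")
        words.append("".join(chr(c) for c in chunk))
        pos += 1 + length
    if len(nums) - pos != 1:
        raise ValueError("expected exactly one trailing sub-identifier")
    return words[0], words[1], nums[pos]


def counter_oid(base, filter_name, counter_name, trailing=2):
    """Full OID to query for one counter of one filter."""
    return base + "." + encode_index(filter_name, counter_name, trailing)


if __name__ == "__main__":
    # Index copied from the jnxFWCounterByteCount line quoted in the thread.
    sample = "10.65.98.105.108.105.54.45.111.117.116.12.105.112.118.54.45.99.111.117.110.116.101.114.2"
    print(decode_index(sample))
    print(counter_oid(JNX_FW_COUNTER_BYTE_COUNT, "Abili6-out", "ipv6-counter"))
```
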

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
david.roy at orange.com
Sent: 10 December 2015 17:45
To: Nitzan Tzelniker
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Firwall Counter IPv6 : MIB

Does anybody have a setup with FWF MIB counters for IPv6 that works in a recent
release?

Appreciate your help.

BR
David


-------- Original message --------
From: ROY David DTSI/DERS
Date: 08/12/2015 16:18 (GMT+01:00)
To: Nitzan Tzelniker
Cc: juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] Firwall Counter IPv6 : MIB

Thank you. In 12.3 it doesn’t work.

Is your interface a dual stack interface?

David


From: Nitzan Tzelniker [mailto:nitzan.tzelniker at gmail.com]
Sent: Tuesday 8 December 2015 15:54
To: ROY David DTSI/DERS
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Firwall Counter IPv6 : MIB

Hi David,

It works for me on MX80 running 11.4R8.4

snmpwalk -c XXXXX -v2c 1.1.1.1 .1.3.6.1.4.1.2636.3.5.2.1.5.28.118.54.45.105.110.98.111.117.110.100.45.102.105.108.116.101.114.45.97.101.48.46.49.48.48.48.45.105.23.105.112.118.54.95.116.114.97.102.102.105.99.45.97.101.48.46.49.48.48.48.45.105.2
SNMPv2-SMI::enterprises.2636.3.5.2.1.5.28.118.54.45.105.110.98.111.117.110.100.45.102.105.108.116.101.114.45.97.101.48.46.49.48.48.48.45.105.23.105.112.118.54.95.116.114.97.102.102.105.99.45.97.101.48.46.49.48.48.48.45.105.2 = Counter64: 73496724892304


Thanks

Nitzan


On Tue, Dec 8, 2015 at 9:33 AM, <david.roy at orange.com> wrote:
Hello All

We tried to retrieve IPv6 Firewall Filter counters within the jnxFirewalls
MIB. It has worked well for IPv4 for a long time but we are not able to do the
same for v6. The OIDs are there but their values are all 0.

Did anyone experience the same issue ? Is there a workaround - or a specific
config / MIB ?

Please note that all cli counters work well.

Thanks
David



_______________________________________________
juniper-nsp mailing list
juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

