[j-nsp] Firwall Counter IPv6 : MIB

Nitzan Tzelniker nitzan.tzelniker at gmail.com
Fri Dec 11 01:12:11 EST 2015 

David

Just checked with MX running 13.3R7-S1 and it works for filter on Lo0 (the
ssh is to increase the counter )

[root at yyyy ~]# /usr/bin/perl /var/www/html/cacti/scripts/juniper-firewall.pl
2.2.2.2 XXXX get bytes MNG_IPV6,DISCARD_v6,2
480
[root at yyyy ~]# ssh 2a02:aaaa:bbbb::111
^C
[root at yyyy ~]# /usr/bin/perl /var/www/html/cacti/scripts/juniper-firewall.pl
2.2.2.2 XXXX get bytes MNG_IPV6,DISCARD_v6,2
640
[root at yyyy ~]#

Thanks

Nitzan

On Fri, Dec 11, 2015 at 5:23 AM, Niall Donaghy <Niall.Donaghy at geant.org>
wrote:

> Correction: 's/13 chars/12 chars/g'
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf
> Of
> Niall Donaghy
> Sent: 11 December 2015 03:19
> To: david.roy at orange.com; Nitzan Tzelniker
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Firwall Counter IPv6 : MIB
>
> Hi David,
>
> To essentially steal a quote from one of Nitzan's scripts:
> In this MIB the index is based on SnmpAdminString where each word is
> prefixed with its length, and each word is in ASCII decimal format.
>
> We have extended one of Nitzan's Perl scripts and have been getting this
> data into Cacti for several years.
> Currently we are running Junos 14.1R5.5 on MX480 and MX960 (and verified
> this also works on MX80).
> Previously this also worked on T-series 10.x.
>
> You can try walking these OIDs:
>
> jnxFWCounterPacketCount = '.1.3.6.1.4.1.2636.3.5.2.1.4';
> jnxFWCounterByteCount = '.1.3.6.1.4.1.2636.3.5.2.1.5';
> jnxDCUCounterPacketCount = '.1.3.6.1.4.1.2636.3.6.2.1.4';
> jnxDCUCounterByteCount = '.1.3.6.1.4.1.2636.3.6.2.1.5';
> jnxSCUCounterPacketCount = '.1.3.6.1.4.1.2636.3.16.1.1.1.4';
> jnxSCUCounterByteCount = '.1.3.6.1.4.1.2636.3.16.1.1.1.5';
>
> To decode, eg:
>
>
> jnxFWCounterByteCount.10.65.98.105.108.105.54.45.111.117.116.12.105.112.118.
> 54.45.99.111.117.110.116.101.114.2 = 17295214115130
>
> Word 0:         10 chars, which are:    65.98.105.108.105.54.45.111.117.116
> Word 1:         13 chars, which are:
> 12.105.112.118.54.45.99.111.117.110.116.101.114
> Word 2:         '2'                     # See end of mail for notes
>
> This translates to:
>
> A.b.i.l.i.6.-.o.u.t             ie:     Abili6-out, which is the name of
> our
> FWF.
> i.p.v.6.-.c.o.u.n.t.e.r ie:     ipv6-counter
>
> Via CLI:
>
> @mx1.fra.de.re0> show firewall filter Abili6-out
>
> Filter: Abili6-out
> Counters:
> Name                                                Bytes
> Packets
> ipv6-counter                               17296383155024
> 10223184319
>
> We drive this Perl script with three input variables, $1 = filter name, $2
> =
> counter name, and $3 is typically '2'.
> From the MIB walk I only see values for OIDs ending with .2, but there are
> entries ending .3 which have values of '0' across the board.
> I don't know the significance of 2 vs. 3, here .... but use '2' and you
> should have more luck than has so far been the case.
>
> I'm interested to know how you get on, and please let me know if I can be
> of
> further help.
>
> Kind regards,
> Niall
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf
> Of
> david.roy at orange.com
> Sent: 10 December 2015 17:45
> To: Nitzan Tzelniker
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Firwall Counter IPv6 : MIB
>
> Does anybody has a setup with FWF MIB counters for IPv6 that work in recent
> release?
>
> Appreciate your help.
>
> BR
> David
>
>
> -------- Message d'origine --------
> De : ROY David DTSI/DERS
> Date :08/12/2015 16:18 (GMT+01:00)
> À : Nitzan Tzelniker
> Cc : juniper-nsp at puck.nether.net
> Objet : RE: [j-nsp] Firwall Counter IPv6 : MIB
>
> Thank you. In 12.3 it doesn’t work.
>
> Does your interface is a dual stack interface ?
>
> David
>
>
> De : Nitzan Tzelniker [mailto:nitzan.tzelniker at gmail.com]
> Envoyé : mardi 8 décembre 2015 15:54
> À : ROY David DTSI/DERS
> Cc : juniper-nsp at puck.nether.net
> Objet : Re: [j-nsp] Firwall Counter IPv6 : MIB
>
> Hi David,
>
> It works for me on MX80 running 11.4R8.4
>
> snmpwalk -c XXXXX -v2c 1.1.1.1
>
> .1.3.6.1.4.1.2636.3.5.2.1.5.28.118.54.45.105.110.98.111.117.110.100.45.102.1
>
> 05.108.116.101.114.45.97.101.48.46.49.48.48.48.45.105.23.105.112.118.54.95.1
> 16.114.97.102.102.105.99.45.97.101.48.46.49.48.48.48.45.105.2
>
> SNMPv2-SMI::enterprises.2636.3.5.2.1.5.28.118.54.45.105.110.98.111.117.110.1
>
> 00.45.102.105.108.116.101.114.45.97.101.48.46.49.48.48.48.45.105.23.105.112.
> 118.54.95.116.114.97.102.102.105.99.45.97.101.48.46.49.48.48.48.45.105.2 =
> Counter64: 73496724892304
>
> snmpwalk -c XXXXX -v2c 1.1.1.1
>
> .1.3.6.1.4.1.2636.3.5.2.1.5.28.118.54.45.105.110.98.111.117.110.100.45.102.1
>
> 05.108.116.101.114.45.97.101.48.46.49.48.48.48.45.105.23.105.112.118.54.95.1
> 16.114.97.102.102.105.99.45.97.101.48.46.49.48.48.48.45.105.2
>
> SNMPv2-SMI::enterprises.2636.3.5.2.1.5.28.118.54.45.105.110.98.111.117.110.1
>
> 00.45.102.105.108.116.101.114.45.97.101.48.46.49.48.48.48.45.105.23.105.112.
> 118.54.95.116.114.97.102.102.105.99.45.97.101.48.46.49.48.48.48.45.105.2 =
> Counter64: 73496724892304
>
> Thanks
>
> Nitzan
>
>
> On Tue, Dec 8, 2015 at 9:33 AM,
> <david.roy at orange.com<mailto:david.roy at orange.com>> wrote:
> Hello All
>
> We tried to retrieve IPv6 Firewall Filter counters within the jnxFirewalls
> MIB. It works well for IPv4 for a long time but we are not able to do the
> same for v6. OID are there but their value are all to 0.
>
> Did anyone experience the same issue ? Is there a workaround - or a
> specific
> config / MIB ?
>
> Please note that all cli counters work well.
>
> Thanks
> David
>
>
>
> ____________________________________________________________________________
> _____________________________________________
>
> Ce message et ses pieces jointes peuvent contenir des informations
> confidentielles ou privilegiees et ne doivent donc pas etre diffuses,
> exploites ou copies sans autorisation. Si vous avez recu ce message par
> erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les
> pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou
> falsifie. Merci.
>
> This message and its attachments may contain confidential or privileged
> information that may be protected by law; they should not be distributed,
> used or copied without authorisation.
> If you have received this email in error, please notify the sender and
> delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been
> modified, changed or falsified.
> Thank you.
>
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp at puck.nether.net<mailto:juniper-nsp at puck.nether.net>
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> ____________________________________________________________________________
> _____________________________________________
>
> Ce message et ses pieces jointes peuvent contenir des informations
> confidentielles ou privilegiees et ne doivent donc pas etre diffuses,
> exploites ou copies sans autorisation. Si vous avez recu ce message par
> erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les
> pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> France Telecom - Orange decline toute responsabilite si ce message a ete
> altere, deforme ou falsifie. Merci
>
> This message and its attachments may contain confidential or privileged
> information that may be protected by law; they should not be distributed,
> used or copied without authorization.
> If you have received this email in error, please notify the sender and
> delete this message and its attachments.
> As emails may be altered, France Telecom - Orange shall not be liable if
> this message was modified, changed or falsified.
> Thank you.
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

More information about the juniper-nsp mailing list