SNMP walk on JunOS from inside a routing instance
Hi All,

I am migrating from one Cacti box to another, the new one polls some
MX boxes inside a routing instance but the old one polls in inet0 in
no routing instance.

When I snmpwalk the MX boxes from the new Cacti box I am only returned
the interfaces which are inside that routing instance the poll comes
in on. On the old Cacti box SNMP returns all interfaces, including
those inside all routing instances.

Does Junos restrict the SNMP output to that which relates to the
routing instance only, when polling in a routing instance?

username@mxrouter> show configuration snmp
community SecretCommunity {
    authorization read-only;
    routing-instance SNMP-TEST {
        clients {
            10.0.0.0/8;
        }
    }
}

username@mxrouter> show interfaces terse routing-instance TEST-SNMP
Interface               Admin Link Proto    Local                 Remote
vt-0/0/10.1054          up    up   inet
ge-0/3/7.2012           up    up   inet     172.21.18.53/30
                                   multiservice
ge-2/3/7.2013           up    up   inet     172.21.18.57/30
                                   multiservice
ae0.2047                up    up   inet     10.254.240.1/24
                                   multiservice
lo0.2047                up    up   inet     10.254.242.1        --> 0/0


[root@cacti ~]# snmpwalk -v 2c -c TEST-SNMP@SecretCommunity 10.254.242.1 .iso | grep ifDesc
IF-MIB::ifDescr.6 = STRING: lo0
IF-MIB::ifDescr.556 = STRING: ge-0/3/7
IF-MIB::ifDescr.571 = STRING: vt-0/0/10
IF-MIB::ifDescr.581 = STRING: ae0
IF-MIB::ifDescr.1220 = STRING: lo0.2047
IF-MIB::ifDescr.1242 = STRING: ae0.2047
IF-MIB::ifDescr.1342 = STRING: ge-0/3/7.2012
IF-MIB::ifDescr.1343 = STRING: ge-2/3/7.2013
IF-MIB::ifDescr.2936 = STRING: ge-2/3/7
IF-MIB::ifDescr.43020 = STRING: vt-0/0/10.1054

This example system is on 11.4R6.5, but we have a range of Junos
versions across MX480s & MX960s and it's the same behaviour for all of
them.

Any info and help with getting all interfaces returned when polling
from within a routing instance would be appreciated.

Cheers,
James.
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: SNMP walk on JunOS from inside a routing instance
That is default behavior, but you can access other RI's interfaces by explicitly using the RI name. No way to reach all IFs at once via a RI.

/Per

PS: Excuse my brevity, caused by screen kbd.

> 27 apr. 2016 kl. 17:45 skrev James Bensley <jwbensley@gmail.com>:
>
> Hi All,
>
> I am migrating from one Cacti box to another, the new one polls some
> MX boxes inside a routing instance but the old one polls in inet0 in
> no routing instance.
>
> When I snmpwalk the MX boxes from the new Cacti box I am only returned
> the interfaces which are inside that routing instance the poll comes
> in on. On the old Cacti box SNMP returns all interfaces, including
> those inside all routing instances.
>
> Does Junos restrict the SNMP output to that which relates to the
> routing instance only, when polling in a routing instance?
>
> username@mxrouter> show configuration snmp
> community SecretCommunity {
>     authorization read-only;
>     routing-instance SNMP-TEST {
>         clients {
>             10.0.0.0/8;
>         }
>     }
> }
>
> username@mxrouter> show interfaces terse routing-instance TEST-SNMP
> Interface               Admin Link Proto    Local                 Remote
> vt-0/0/10.1054          up    up   inet
> ge-0/3/7.2012           up    up   inet     172.21.18.53/30
>                                    multiservice
> ge-2/3/7.2013           up    up   inet     172.21.18.57/30
>                                    multiservice
> ae0.2047                up    up   inet     10.254.240.1/24
>                                    multiservice
> lo0.2047                up    up   inet     10.254.242.1        --> 0/0
>
>
> [root@cacti ~]# snmpwalk -v 2c -c TEST-SNMP@SecretCommunity 10.254.242.1 .iso | grep ifDesc
> IF-MIB::ifDescr.6 = STRING: lo0
> IF-MIB::ifDescr.556 = STRING: ge-0/3/7
> IF-MIB::ifDescr.571 = STRING: vt-0/0/10
> IF-MIB::ifDescr.581 = STRING: ae0
> IF-MIB::ifDescr.1220 = STRING: lo0.2047
> IF-MIB::ifDescr.1242 = STRING: ae0.2047
> IF-MIB::ifDescr.1342 = STRING: ge-0/3/7.2012
> IF-MIB::ifDescr.1343 = STRING: ge-2/3/7.2013
> IF-MIB::ifDescr.2936 = STRING: ge-2/3/7
> IF-MIB::ifDescr.43020 = STRING: vt-0/0/10.1054
>
> This example system is on 11.4R6.5, but we have a range of Junos
> versions across MX480s & MX960s and it's the same behaviour for all of
> them.
>
> Any info and help with getting all interfaces returned when polling
> from within a routing instance would be appreciated.
>
> Cheers,
> James.

Re: SNMP walk on JunOS from inside a routing instance
On 27/04/16 16:45, James Bensley wrote:

> Does Junos restrict the SNMP output to that which relates to the
> routing instance only, when polling in a routing instance?

We have JunOS boxes with routing instances, and see the same when we
poll them from inet.0 or a routing instance.

>
> username@mxrouter> show configuration snmp
> community SecretCommunity {
> authorization read-only;
> routing-instance SNMP-TEST {

You've configured this community string to map to a routing-instance.
Try removing this config item, and just putting the "clients"
directly under the community.

Re: SNMP walk on JunOS from inside a routing instance
On 27/04/16 16:58, Per Westerlund wrote:
> That is default behavior, but you can access other RI's interfaces by explicitly using the RI name. No way to reach all IFs at once via a RI.

I'm a bit confused now.

I just tested (SRX240H running 12.3X48-D15.4) and I can see all
interfaces when hitting an IP inside a routing-instance, as well as in
inet.0.

We do *not* have "routing-instance-access" under the "snmp" block, but
can still make SNMP queries to a routing instance; the docs suggest this
should not work, so I'm not sure what's going on.

Re: SNMP walk on JunOS from inside a routing instance
On 27 April 2016 at 17:10, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
> On 27/04/16 16:58, Per Westerlund wrote:
>>
>> That is default behavior, but you can access other RI's interfaces by
>> explicitly using the RI name. No way to reach all IFs at once via a RI.
>
>
> I'm a bit confused now.
>
> I just tested (SRX240H running 12.3X48-D15.4) and I can see all interfaces
> when hitting an IP inside a routing-instance, as well as in inet.0.
>
> We do *not* have "routing-instance-access" under the "snmp" block, but can
> still make SNMP queries to a routing instance; the docs suggest this should
> not work, so I'm not sure what's going on.

Yes, I would expect it to NOT work, in line with Per's comments, and that
is what's happening for us. From the old Cacti box which is in inet0
(no routing instance) we can hit that community string and get all
interfaces returned.

On 27 April 2016 at 17:01, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
> You've configured this community string to map to a routing-instance. Try
> removing this config item, and just putting the "clients" directly under
> the community.

The problem is that the new Cacti box is only routable to/from the
MXs inside the routing-instance, we want it to be "securely" (take
that with a pinch of salt!) separated from other traffic and routing.
So this is going to be a problem if the MXs have to be polled from
within inet0. All Cisco boxes are polled inside a management VRF, I
would expect Junos to be able to do this, it seems to me like it would
be a fairly common requirement (to have SNMP traffic separated into
its own routing instance).

Cheers,
James.

Re: SNMP walk on JunOS from inside a routing instance
Hi James,

On 28 Apr 2016 1:46 AM, "James Bensley" <jwbensley@gmail.com> wrote:
[...]
> Any info and help with getting all interfaces returned when polling
> from within a routing instance would be appreciated.

My memory's a bit hazy on this, but do you see everything you want to see
if you prefix the community string with a "@" in your cacti config?

(e.g. if the string is "public", try configuring cacti to use "@public")

Cheers,
Dale

Re: SNMP walk on JunOS from inside a routing instance
On 28 April 2016 at 12:50, Dale Shaw <dale.shaw+j-nsp@gmail.com> wrote:
> Hi James,
> My memory's a bit hazy on this, but do you see everything you want to see if
> you prefix the community string with a "@" in your cacti config?



Hi Dale,

As per my original email, I am prefixing the routing-instance name on
the SNMP gets:

snmpwalk -v 2c -c TEST-SNMP@SecretCommunity 10.254.242.1 .iso | grep ifDesc

Without the routing-instance name the SNMP gets time out. I can prefix
it as default@SecretCommunity which will for example bring back all
the interfaces on the MX not in any VRF/routing-instance.

So it seems I have to specify a routing instance when using the config
from my original post, and I can specify "default@" to see interfaces
in the default table, I can also specify
A.Nother.Routing-Instance.Name@SecretCommunity and see interfaces in
that RI too, but nothing I can do seems to pull all interfaces when
making the SNMP get from within the RI when compared to making the get
from a host in default.inet0.

Cheers,
James.

Re: SNMP walk on JunOS from inside a routing instance
On Thu 2016-Apr-28 13:13:35 +0100, James Bensley <jwbensley@gmail.com> wrote:

>On 28 April 2016 at 12:50, Dale Shaw <dale.shaw+j-nsp@gmail.com> wrote:
>> Hi James,
>> My memory's a bit hazy on this, but do you see everything you want to see if
>> you prefix the community string with a "@" in your cacti config?
>
>
>
>Hi Dale,
>
>As per my original email, I am prefixing the routing-instance name on
>the SNMP gets:
>
>snmpwalk -v 2c -c TEST-SNMP@SecretCommunity 10.254.242.1 .iso | grep ifDesc
>
>Without the routing-instance name the SNMP gets time out. I can prefix
>it as default@SecretCommunity which will for example bring back all
>the interfaces on the MX not in any VRF/routing-instance.
>
>So it seems I have to specify a routing instance when using the config
>from my original post, and I can specify "default@" to see interfaces
>in the default table, I can also specify
>A.Nother.Routing-Instance.Name@SecretCommunity and see interfaces in
>that RI too, but nothing I can do seems to pull all interfaces when
>making the SNMP get from within the RI when compared to making the get
>from a host in default.inet0.

Use a community of simply "@SecretCommunity", *WITHOUT* the actual RI
specified. That will pull everything. It's a little weird, but it works.

>
>Cheers,
>James.

--
Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com
pgp key: B178313E | also on Signal

Re: SNMP walk on JunOS from inside a routing instance
On 28 April 2016 at 17:16, Hugo Slabbert <hugo@slabnet.com> wrote:
> Use a community of simply "@SecretCommunity", *WITHOUT* the actual RI
> specified. That will pull everything. It's a little weird, but it works.

Yeah I had someone point that out to me offlist. I can confirm it's
now working as desired. Weird indeed, but hey, it works! :)

Thanks for the help all.

James.
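
An added example, not part of any post in this thread: a Python check for a poller migration like the one discussed, comparing the ifDescr rows from a routing-instance-scoped walk against an "@SecretCommunity" walk and listing what the scoped walk misses. The first sample is the output from the original post; the second is constructed, and the function names are hypothetical.

```python
import re

# One row of net-snmp output, e.g. "IF-MIB::ifDescr.556 = STRING: ge-0/3/7"
IFDESCR_ROW = re.compile(r"^IF-MIB::ifDescr\.(\d+) = STRING: (\S+)$")

def scoped_community(community, instance=""):
    """Community string forms reported in the thread: "RI@community" scopes
    the walk to one routing instance ("default" for the main table); an
    empty instance gives "@community", reported to return all instances."""
    return f"{instance}@{community}"

def parse_ifdescr(walk_text):
    """Return {ifIndex: ifDescr} from snmpwalk text; other rows are ignored."""
    rows = {}
    for line in walk_text.splitlines():
        match = IFDESCR_ROW.match(line.strip())
        if match:
            rows[int(match.group(1))] = match.group(2)
    return rows

def missing_interfaces(scoped_walk, full_walk):
    """Interfaces present in the full walk but absent from the scoped one."""
    scoped, full = parse_ifdescr(scoped_walk), parse_ifdescr(full_walk)
    return sorted(name for index, name in full.items() if index not in scoped)

# Output of the TEST-SNMP@SecretCommunity walk, copied from the original post.
RI_WALK = """\
IF-MIB::ifDescr.6 = STRING: lo0
IF-MIB::ifDescr.556 = STRING: ge-0/3/7
IF-MIB::ifDescr.571 = STRING: vt-0/0/10
IF-MIB::ifDescr.581 = STRING: ae0
IF-MIB::ifDescr.1220 = STRING: lo0.2047
IF-MIB::ifDescr.1242 = STRING: ae0.2047
IF-MIB::ifDescr.1342 = STRING: ge-0/3/7.2012
IF-MIB::ifDescr.1343 = STRING: ge-2/3/7.2013
IF-MIB::ifDescr.2936 = STRING: ge-2/3/7
IF-MIB::ifDescr.43020 = STRING: vt-0/0/10.1054
"""

# Constructed sample: the extra rows stand in for what an "@SecretCommunity"
# walk would add; these names and indexes are not from the thread.
ALL_WALK = RI_WALK + """\
IF-MIB::ifDescr.16 = STRING: lo0.0
IF-MIB::ifDescr.600 = STRING: ge-1/0/0
IF-MIB::ifDescr.601 = STRING: ge-1/0/0.100
"""

if __name__ == "__main__":
    print(scoped_community("SecretCommunity", "TEST-SNMP"))
    print(scoped_community("SecretCommunity"))
    print(missing_interfaces(RI_WALK, ALL_WALK))
```

Since the thread reports that "@SecretCommunity" returns every instance's interfaces to a poller inside the routing instance, the community's clients list is what limits who can read them.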