Discussion:
[j-nsp] SNMP walk on JunOS from inside a routing instance
James Bensley
2016-04-27 15:45:23 UTC
Hi All,

I am migrating from one Cacti box to another, the new one polls some
MX boxes inside a routing instance but the old one polls in inet0 in
no routing instance.

When I snmpwalk the MX boxes from the new Cacti box I am only returned
the interfaces which are inside that routing instance the poll comes
in on. On the old Cacti box SNMP returns all interfaces, including
those inside all routing instances.

Does Junos restrict the SNMP output to that which relates to the
routing instance only, when polling in a routing instance?

***@mxrouter> show configuration snmp
community SecretCommunity {
    authorization read-only;
    routing-instance SNMP-TEST {
        clients {
            10.0.0.0/8;
        }
    }
}

***@mxrouter> show interfaces terse routing-instance TEST-SNMP
Interface               Admin Link Proto    Local                 Remote
vt-0/0/10.1054          up    up   inet
ge-0/3/7.2012           up    up   inet     172.21.18.53/30
                                   multiservice
ge-2/3/7.2013           up    up   inet     172.21.18.57/30
                                   multiservice
ae0.2047                up    up   inet     10.254.240.1/24
                                   multiservice
lo0.2047                up    up   inet     10.254.242.1        --> 0/0


[***@cacti ~]# snmpwalk -v 2c -c TEST-***@SecretCommunity 10.254.242.1 .iso | grep ifDesc
IF-MIB::ifDescr.6 = STRING: lo0
IF-MIB::ifDescr.556 = STRING: ge-0/3/7
IF-MIB::ifDescr.571 = STRING: vt-0/0/10
IF-MIB::ifDescr.581 = STRING: ae0
IF-MIB::ifDescr.1220 = STRING: lo0.2047
IF-MIB::ifDescr.1242 = STRING: ae0.2047
IF-MIB::ifDescr.1342 = STRING: ge-0/3/7.2012
IF-MIB::ifDescr.1343 = STRING: ge-2/3/7.2013
IF-MIB::ifDescr.2936 = STRING: ge-2/3/7
IF-MIB::ifDescr.43020 = STRING: vt-0/0/10.1054

This example system is on 11.4R6.5, but we have a range of Junos
versions across MX480s & MX960s and it's the same behaviour for all of
them.

Any info and help with getting all interfaces returned when polling
from within a routing instance would be appreciated.

Cheers,
James.
_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Per Westerlund
2016-04-27 15:58:19 UTC
That is default behavior, but you can access other RI's interfaces by explicitly using the RI name. No way to reach all IFs at once via a RI.

/Per

PS: Excuse my brevity, caused by screen kbd.
Post by James Bensley
Hi All,
I am migrating from one Cacti box to another, the new one polls some
MX boxes inside a routing instance but the old one polls in inet0 in
no routing instance.
When I snmpwalk the MX boxes from the new Cacti box I am only returned
the interfaces which are inside that routing instance the poll comes
in on. On the old Cacti box SNMP returns all interfaces, including
those inside all routing instances.
Does Junos restrict the SNMP output to that which relates to the
routing instance only, when polling in a routing instance?
community SecretCommunity {
    authorization read-only;
    routing-instance SNMP-TEST {
        clients {
            10.0.0.0/8;
        }
    }
}
Interface               Admin Link Proto    Local                 Remote
vt-0/0/10.1054          up    up   inet
ge-0/3/7.2012           up    up   inet     172.21.18.53/30
                                   multiservice
ge-2/3/7.2013           up    up   inet     172.21.18.57/30
                                   multiservice
ae0.2047                up    up   inet     10.254.240.1/24
                                   multiservice
lo0.2047                up    up   inet     10.254.242.1        --> 0/0
10.254.242.1 .iso | grep ifDesc
IF-MIB::ifDescr.6 = STRING: lo0
IF-MIB::ifDescr.556 = STRING: ge-0/3/7
IF-MIB::ifDescr.571 = STRING: vt-0/0/10
IF-MIB::ifDescr.581 = STRING: ae0
IF-MIB::ifDescr.1220 = STRING: lo0.2047
IF-MIB::ifDescr.1242 = STRING: ae0.2047
IF-MIB::ifDescr.1342 = STRING: ge-0/3/7.2012
IF-MIB::ifDescr.1343 = STRING: ge-2/3/7.2013
IF-MIB::ifDescr.2936 = STRING: ge-2/3/7
IF-MIB::ifDescr.43020 = STRING: vt-0/0/10.1054
This example system is on 11.4R6.5, but we have a range of Junos
versions across MX480s & MX960s and it's the same behaviour for all of
them.
Any info and help with getting all interfaces returned when polling
from within a routing instance would be appreciated.
Cheers,
James.
Phil Mayers
2016-04-27 16:10:28 UTC
Post by Per Westerlund
That is default behavior, but you can access other RI's interfaces by explicitly using the RI name. No way to reach all IFs at once via a RI.
I'm a bit confused now.

I just tested (SRX240H running 12.3X48-D15.4) and I can see all
interfaces when hitting an IP inside a routing-instance, as well as in
inet.0.

We do *not* have "routing-instance-access" under the "snmp" block, but
can still make SNMP queries to a routing instance; the docs suggest this
should not work, so I'm not sure what's going on.
James Bensley
2016-04-28 10:42:42 UTC
Post by Phil Mayers
Post by Per Westerlund
That is default behavior, but you can access other RI's interfaces by
explicitly using the RI name. No way to reach all IFs at once via a RI.
I'm a bit confused now.
I just tested (SRX240H running 12.3X48-D15.4) and I can see all interfaces
when hitting an IP inside a routing-instance, as well as in inet.0.
We do *not* have "routing-instance-access" under the "snmp" block, but can
still make SNMP queries to a routing instance; the docs suggest this should
not work, so I'm not sure what's going on.
Yes, I would expect it to NOT work, in line with Per's comments, and that
is what's happening for us. From the old Cacti box which is in inet0
(no routing instance) we can hit that community string and get all
interfaces returned.
Post by Phil Mayers
You've configured this community string to map to a routing-instance. Try
removing this config item, and just putting the "clients" directly under
the community.
The problem is that the new Cacti box is only routable to/from the
MX's inside the routing-instance, we want it to be "securely" (take
that with a pinch of salt!) separated from other traffic and routing.
So this is going to be a problem if the MX's have to be polled from
within inet0. All Cisco boxes are polled inside a management VRF, I
would expect Junos to be able to do this, it seems to me like it would
be a fairly common requirement (to have SNMP traffic separated into
its own routing instance).

Cheers,
James.
Phil Mayers
2016-04-27 16:01:14 UTC
Post by James Bensley
Does Junos restrict the SNMP output to that which relates to the
routing instance only, when polling in a routing instance?
We have JunOS boxes with routing instances, and see the same when we
poll them from inet.0 or a routing instance.
Post by James Bensley
community SecretCommunity {
    authorization read-only;
    routing-instance SNMP-TEST {
You've configured this community string to map to a routing-instance.
Try removing this config item, and just putting the "clients"
directly under the community.
Dale Shaw
2016-04-28 11:50:37 UTC
Hi James,

On 28 Apr 2016 1:46 AM, "James Bensley" <***@gmail.com> wrote:
[...]
Post by James Bensley
Any info and help with getting all interfaces returned when polling
from within a routing instance would be appreciated.
My memory's a bit hazy on this, but do you see everything you want to see
if you prefix the community string with a "@" in your cacti config?

(e.g. if the string is "public", try configuring cacti to use "@public")

Cheers,
Dale
James Bensley
2016-04-28 12:13:35 UTC
Post by Dale Shaw
Hi James,
My memory's a bit hazy on this, but do you see everything you want to see if
Hi Dale,

As per my original email, I am prefixing the routing-instance name on
the SNMP gets:

snmpwalk -v 2c -c TEST-***@SecretCommunity 10.254.242.1 .iso | grep ifDesc

Without the routing-instance name the SNMP gets time out. I can prefix
it as ***@SecretCommunity which will for example bring back all
the interfaces on the MX not in any VRF/routing-instance.

So it seems I have to specify a routing instance when using the config
from my original post, and I can specify "default@" to see interfaces
in the default table, I can also specify
A.Nother.Routing-***@SecretCommunity and see interfaces in
that RI too, but nothing I can do seems to pull all interfaces when
making the SNMP get from within the RI when compared to making the get
from a host default.inet0.

Cheers,
James.
Hugo Slabbert
2016-04-28 16:16:17 UTC
Post by James Bensley
Post by Dale Shaw
Hi James,
My memory's a bit hazy on this, but do you see everything you want to see if
Hi Dale,
As per my original email, I am prefixing the routing-instance name on
the SNMP gets:
Without the routing-instance name the SNMP gets time out. I can prefix
the interfaces on the MX not in any VRF/routing-instance.
So it seems I have to specify a routing instance when using the config
in the default table, I can also specify
that RI too, but nothing I can do seems to pull all interfaces when
making the SNMP get from within the RI when compared to making the get
from a host default.inet0.
Use a community of simply "@SecretCommunity", *WITHOUT* the actual RI
specified. That will pull everything. It's a little weird, but it works.
Post by James Bensley
Cheers,
James.
--
Hugo Slabbert | email, xmpp/jabber: ***@slabnet.com
pgp key: B178313E | also on Signal
James Bensley
2016-04-28 17:28:29 UTC
Post by Hugo Slabbert
specified. That will pull everything. It's a little weird, but it works.
Yeah I had someone point that out to me offlist. I can confirm it's
now working as desired. Weird indeed, but hey, it works! :)

Thanks for the help all.

James.