Junos OS

Dear All,

Is there any way to send syslog when the interface bandwidth is over 70% usage?

So client can be alerted to increase the bandwidth.

Thanks.

Br,

Sam

Hello,

I wonder if You have tried RMON events?

http://www.juniper.net/techpubs/en_US/junos10.2/topics/example/rmon-alarm-and-event-configuring-junos-nm.html

Replace fxp0 with interface index You are interested in. Replace ifInOctets with ifHCIn1SecRate and define rising threshold & falling threshold in bps.

HTH

Regards

Alex

Dear Alex,

Thanks.

I changed the configuration as the following:

rmon {
alarm 100 {
description “Output traffic on Fe-0/0/4”;
falling-event-index 100;
falling-threshold 10000;
interval 60;
rising-event-index 100;
rising-threshold 100000;
sample-type delta-value;
startup-alarm rising-or-falling-alarm;
variable ifHCOut1SecRate.1;
}
event 100 {
community bedrock;
description” emergency events”;
type log-and-trap;
}
}

But get the error:

[edit snmp rmon]
  'event 100'
    community 'bedrock' not a configured trap group or snmpCommunityTable entry
[edit snmp rmon]
  'alarm 100'
    invalid rising event index: 100
error: configuration check-out failed

Any hints?

Thanks

Br,

Sam

Dear,

I have changed it to the following:

trap-group overbandwidth {
    categories {
        rmon-alarm;
    }
    targets {
        192.168.4.2;
    }
}
rmon {
    alarm 1 {
        description "Input traffic on fe-0/0/4";
        interval 1;
        variable ifHCIn1SecRate.1;
        sample-type delta-value;
        startup-alarm rising-or-falling-alarm;
        rising-threshold 100;
        falling-threshold 10;
        rising-event-index 1;
        falling-event-index 1;
    }
    event 1 {
        description "overbandwidth emergency events";
        type log-and-trap;
        community overbandwidth;
    }
}

But i tried to ftp on that interface with over 600kb/s, it still no syslog/snmp to my target host.

Thanks

Br,

Sam

Hello,

---

@fwpsam wrote:

rmon {
    alarm 1 {
        description "Input traffic on fe-0/0/4";
        interval 1;
        variable ifHCIn1SecRate.1;

---

Does fe-0/0/4 have ifIndex 1? I doubt that.

Check with "show snmp mib walk ifTable | match fe-0/0/4"

Variable should be defined as ifHCIn1SecRate.<IfIndex of correct logical interface>. In your case the correct logical interface should be fe-0/0/4.<whatever logical unit is used to pass FTP traffic>.

HTH

Regards

Alex

Dear All,

i changed the command to:

alarm 1 {
    description "Input traffic on fe-0/0/4";
    interval 1;
    variable ifHCIn1SecRate.121;
    sample-type delta-value;
    startup-alarm rising-or-falling-alarm;
    rising-threshold 10000000;
    falling-threshold 5000000;
    rising-event-index 1;
    falling-event-index 1;
}

the value 'ifHCln1SecRate.121' is i pick from the command:

# run show snmp mib walk ifHCln1SecRate

which show a list of number like:

ifHCIn1SecRate.4 = 0
ifHCIn1SecRate.6 = 0
ifHCIn1SecRate.7 = 1432452
ifHCIn1SecRate.8 = 0
ifHCIn1SecRate.120 = 0
ifHCIn1SecRate.121 = 12312434

I pick 121 as random. Actually, which number should i pick?

Also, in the above configuration, there is no entry to specify the interface fe0/0/4 (except the descripton).

Thus, how do i can correctly grab the fe-0/0/4 data?

Thanks.

Br,

Sam

Dear Alex,

Thanks for your response.

Found that the index is 139, thus my var is  ifHCIn1SecRate.139, and now there is log about the threshold hit.

But ifHCIn1SecRate should be in bp/s value, and i configure the value of rising-threshold as 10000000, which should be around 10Mb, that is 1.25MB/s, right?

But my ftp traffic is around 660KB/s, but the rising log still comes out, then i get the following information by 'run show snmp rmon logs'

Description: Event 1 triggered by Alarm 1, rising threshold (10000000)
                 crossed, (variable: ifHCIn1SecRate.139, value: 2147483647)

The value '2147483647' seems not correct, which should then be a huge value if in kb/s.

Any hints?

Thanks.

Br,

Sam

Hello,

---

@fwpsam wrote:

 

 

Description: Event 1 triggered by Alarm 1, rising threshold (10000000)
                 crossed, (variable: ifHCIn1SecRate.139, value: 2147483647)

The value '2147483647' seems not correct, which should then be a huge value if in kb/s.

 

 

---

ifHCIn1SecRate is in _bits_per_second_

http://www.juniper.net/techpubs/en_US/junos10.2/information-products/topic-collections/reference-mibs-and-traps/mib-jnx-if-extensions.txt

ifHCIn1SecRate OBJECT-TYPE
	SYNTAX      CounterBasedGauge64
	MAX-ACCESS  read-only
	STATUS      current
	DESCRIPTION
		"The number of bits per second (bps), delivered by 
		this (sub-)layer to its next higher (sub-)layer.
		This object is a 64 bit version of ifIn1SecRate."
	::= { ifJnxEntry 7 }

Two possibilities:

-- either You picked the wrong logical interface, or

-- there is other traffic crossing this interface and thus producing 2Gbps (2,147,483,647) value.

HTH

Rgds

Alex

Dear Alex,

Thanks for you reply.

I changed the var to  ifIn1SecOctets instead, which use byte instead of bit. The result is closer, but still have some weird figure. The ftp output is around 750KB/s, but there is 1 entry of output log show "1422958".

alarm 1 {
    description "input traffic on fe-0/0/4";
    interval 1;
    variable ifIn1SecOctets.130;
    sample-type delta-value;
    startup-alarm rising-or-falling-alarm;
    rising-threshold 800000;
    falling-threshold 400000;
    rising-event-index 1;
    falling-event-index 1;
}
event 1 {
    description "overbandwidth emergency events";
    type log-and-trap;
    community overbandwidth;
}

Thanks.

Br,

Sam

Hello,

I see you are constantly changing ifIndex in RMON alarm definition - would you please be able to do

"show snmp mib walk ifTable | grep fe-0/0/4" and post here?

Which _logical_ unit on fe-0/0/4 is handling Your FTP traffic? Is it FTP _from_ SRX, _to_ SRX, or transit?

Two more suggestions:

---

@fwpsam wrote:

 

alarm 1 {
    description "input traffic on fe-0/0/4";
    interval 1;
    variable ifIn1SecOctets.130;
    sample-type delta-value;
    startup-alarm rising-or-falling-alarm;
    rising-threshold 800000;
    falling-threshold 400000;
    rising-event-index 1;
    falling-event-index 1;
}
event 1 {
    description "overbandwidth emergency events";
    type log-and-trap;
    community overbandwidth;
}

---

1/ please change "sample-type" to absolute. Delta does not make sense to me

2/ please change "interval" from 1 to something like 60 or 120 to avold false positives during very short spikes in BW utilization.

HTH

Regards

Alex

Dear Alex,

Thanks for your help.

I tried to change the interval to 3sec and now the result seems more match to the actual rate.

Thanks.

br,

Sam