SRX

knowing

.1.3.6.1.2.1.17.4.3.1.1 dot1dTpFdbAddress

and

.1.3.6.1.2.1.17.4.3.1.2 dot1dTpFdbPort

snmpwalk -v 2c -c public 172.17.136.1 dot1dTpFdbAddress | awk '{print $1 ","  $4 $5 $6 $7 $8 $9}'
snmpwalk -v 2c -c public 172.17.136.1 dot1dTpFdbPort | awk '{print $1 ","  $4}'|grep  <print $1 from line above>

gives me the mac and what port its on.  How do I do this with a srx100-srx240?

In operational mode, run the following command:

show ethernet-switching table

I assume that is what you were asking, right?

Ron

Hi Rob,

welcome. I do not exactly know what you want to do, but if you are not using ethernet-switching, you can take a look in the arp table on the shell.

root@node0% arp --help (for example: arp -a)

I assumed ethernet-switching because of the "all macs on a specific port", but you may be right, it certainly could be a layer-3 interface, and wanting to see all MAC addresses on that subnet.  The arp table would be the way to go there (although you would only see things that have "spoken" on the network within the ARP timeout.

Ron

Hi All,

I am trying to do this scripted ,hence the use of snmpwalk. On the Nortel/Baystacks I can get the port->MAC association

and then write it to a DB so I can have a web page to look up on what switch and port this MAC is. What I need from you is the MIBS that ave the port that the MAC is on.

these are th ones on a Nortel/Baystack

.1.3.6.1.2.1.17.4.3.1.1 dot1dTpFdbAddress

and

.1.3.6.1.2.1.17.4.3.1.2 dot1dTpFdbPort

is there a similar set on juniper srx-100 srx-250?

Command to list all MACS on Switch
snmpwalk -v 2c -c public 172.17.136.1 .1.3.6.1.2.1.17.4.3.1.1 | awk '{print $1 ","  $4 $5 $6 $7 $8 $9}'
.
.
.
SNMPv2-SMI::mib-2.17.4.3.1.1.244.206.70.58.203.14,F4CE463ACB0E

Command to list what Port that specific mac is on:
snmpwalk -v 2c -c public 172.17.136.1 .1.3.6.1.2.1.17.4.3.1.2 | awk '{print $1 ","  $4}'|grep 244.206.70.58.203.14
SNMPv2-SMI::mib-2.17.4.3.1.2.244.206.70.58.203.14,17


SNMPv2-SMI::mib-2.17.4.3.1.1.244.206.70.58.203.14,F4CE463ACB0E
                            |                    |
SNMPv2-SMI::mib-2.17.4.3.1.2.244.206.70.58.203.14,17

see how 244.206.70.58.203.14 links MAC:F4CE463ACB0E -> Port:17

This is actually a pretty interesting question.

It is kind of strange that the SRX devices don't support the standard SNMPv2-SMI OIDs for this.  That's pretty building-block level kind of stuff there.

I took an extensive walk through the jnxBoxAnatomy -> jnxMibs tree, looking around specifically for the Ethernet MAC MIB (jnxMibs 23) and found that my SRX devices don't return anything for those OIDs.  I also visually looked through the output of a complete walk of .1.3.6.1.4.1.2636.3 (.iso.org.dod.internet.private.enterprises.juniperMIB.jnxMibs) and didn't see anything resembling MAC addresses or ethernet statistics.

I'm fairly curious to see how this turns out... maybe JTAC or one of the Juniper employees here has some insight.

Hmmm 

No other action on this KeithR how do I involve JTAC?

The Support site is a good place to start.

Center column under "GET HELP" is "Case Management" where you can create a JTAC case.

got access denied, requested access 

thanks Keith we will see what happens next

hi,

I've not checked the MIBs with SRX, so I'm a bit surprised too, the the docs are clear. dot1dTpFdbTable (important bits) and dot1qTpFdbTable  (perl 802.1Q vlan info) are not supported on the SRXs (only EX/MX):

http://www.juniper.net/techpubs/software/junos-security/junos-security10.3/mib-srx100-srx210-srx240-srx650-service-gateway/topic-21512.html

I do not see any equivalent enterprise mibs neither:

http://www.juniper.net/techpubs/software/junos-security/junos-security10.3/mib-srx100-srx210-srx240-srx650-service-gateway/index.html?topic-48961.html

jtb

Poop!

any idea how I would get similar data from 

.1.3.6.1.2.1.4.22.1.(1 , 2 3 and 4)

ipNetToMediaIfIndex

ipNetToMediaPhysAddress tie this to a port number somehow

ipNetToMediaNetAddress

ipNetToMediaType

Rob, I understand you have tried and it does not work ? I do not have SRX now, no chance to test. Anyway, I'm surprised again. The same Junos docs say the RFC1213/RFC2011is not supported on SRXs ... Good docs (if true), bad news - it's a basic staff. Despite our love to Junoscript we need SNMP sometimes ... Jtb

btw Rob, it's possibile to edit  a post if needed

Ah Thanks thats better ... I am a ringing iPod Now (or something emitting RF)

Agggghhhh spent 2 days playing tag with a juniper guy , denied access to see posting by support tech. you would think that with such a glaring omission they would want a customer to know one way or another how to access that info

(MAC addr on ports). Anyway case is closed I got no information I am looking for different hardware supplier any suggestions

Case 2010-1119-0688 owned by pngarcia has been closed with the following notes:

Your case regarding SRX Configurationis now closed. We encourage you to participate in our Customer Care survey. We appreciate your feedback and continually strive to better your experience with Juniper Customer Care.

You may directly access your case number 2010-1119-0688 at

https://www.juniper.net/cm/case_email_link.jsp?case_number=2010-1119-0688

Site:     JTAC - PRIMARY TAC - CSS - MANILA

Contact:  Panganiban Gracia

Phone:    pngarcia@juniper.net

Email:    mailto:pngarcia@juniper.net

Customer Tracking #:

Priority: 4 - Low

Severity: 4 - Customer Problem/Query

Software: N/AN/A

MSG_ID#20101-003

Comments, Suggestions or other Feedback about this email notification? 

Submit your feedback at: https://www.juniper.net/cm/case_create_choice.jsp

How about asking the arp table?

show arp

You can then use the pipe and grep command to sort out what IF's you are looking for like this:

show arp |grep ge-0/0/0.0

you mean run

ssh root@juniperbox.local 'show arp'   then grep through that?

I just did this and it worked (though I have to write the password etc but you can sort that with key based ssh login, google it and you'll see how its done):

ssh username@mySRXbox.local 'show arp|grep ge-0/0/0.0'

Not sure if that will work on Junos but works on Unix and Linux for sure...

How about this:

snmpwalk -v 2c -c <ComunityString> 172.16.254.4  1.3.6.1.2.1.4.22.1.2

.

IP-MIB::ipNetToMediaPhysAddress.530.172.20.4.1 = STRING: 2c:6b:f5:f:c:8

giving me the arp table as suggested, then I run:

># snmpwalk -v 2c -c <ComunityString> 172.16.254.4  1.3.6.1.2.1.4.22.1.1 |grep 530.172.20.4.1
IP-MIB::ipNetToMediaIfIndex.530.172.20.4.1 = INTEGER: 530

So having the ipNetToMediaIfIndex how do I convert that to a port number? f(530)=<PortNumber>

Cant help u with snmp, nothing i ever dug deper into...

Rob,

I few posts ago I asked if you tested the ipNetToMediaTable OIDs. Did you ? Does it work with SRX ? I said 'Junos docs say the RFC1213/RFC2011is not supported on SRXs'. I had an impression you said it does not work . I have no SRX to check myself.

Back to your SNMP question: So having the ipNetToMediaIfIndex how do I convert that to a port number? f(530)=<PortNumber>.

You may query ifDescr/ifName.<PortNumber> to get the port info info. Does it answer your question ?

jtb

Hi Jtb

Yup ipNetToMedia (1.3.6.1.2.1.4.22)

># snmpwalk -v 2c -c GscsIntra 172.16.254.4  ipNetToMedia |grep 528.172.17.4.31

IP-MIB::ipNetToMediaIfIndex.528.172.17.4.31 = INTEGER: 528
IP-MIB::ipNetToMediaPhysAddress.528.172.17.4.31 = STRING: 0:10:c6:a5:da:12
IP-MIB::ipNetToMediaNetAddress.528.172.17.4.31 = IpAddress: 172.17.4.31
IP-MIB::ipNetToMediaType.528.172.17.4.31 = INTEGER: dynamic(3)

Thats really good Port Mac and IP addr still need to figure out that port # though

whoops just saw you mentioning ifdescr and ifname. that give me the vlan its on

IF-MIB::ifName.4 = STRING: lsi
IF-MIB::ifName.6 = STRING: lo0
IF-MIB::ifName.7 = STRING: tap
IF-MIB::ifName.8 = STRING: gre
IF-MIB::ifName.9 = STRING: ipip
IF-MIB::ifName.10 = STRING: pime
IF-MIB::ifName.11 = STRING: pimd
IF-MIB::ifName.12 = STRING: mtun
IF-MIB::ifName.16 = STRING: lo0.0
IF-MIB::ifName.21 = STRING: lo0.16384
IF-MIB::ifName.22 = STRING: lo0.16385
IF-MIB::ifName.151 = STRING: pd-0/0/0
IF-MIB::ifName.152 = STRING: pe-0/0/0
IF-MIB::ifName.501 = STRING: fe-0/0/0
IF-MIB::ifName.502 = STRING: fe-0/0/0.0
IF-MIB::ifName.503 = STRING: fe-0/0/1
IF-MIB::ifName.504 = STRING: fe-0/0/1.0
IF-MIB::ifName.505 = STRING: fe-0/0/2
IF-MIB::ifName.506 = STRING: fe-0/0/2.0
IF-MIB::ifName.507 = STRING: fe-0/0/3
IF-MIB::ifName.508 = STRING: fe-0/0/3.0
IF-MIB::ifName.509 = STRING: fe-0/0/4
IF-MIB::ifName.510 = STRING: fe-0/0/4.0
IF-MIB::ifName.511 = STRING: fe-0/0/5
IF-MIB::ifName.512 = STRING: fe-0/0/5.0
IF-MIB::ifName.513 = STRING: fe-0/0/6
IF-MIB::ifName.514 = STRING: fe-0/0/6.0
IF-MIB::ifName.515 = STRING: fe-0/0/7
IF-MIB::ifName.516 = STRING: fe-0/0/7.0
IF-MIB::ifName.517 = STRING: gr-0/0/0
IF-MIB::ifName.518 = STRING: ip-0/0/0
IF-MIB::ifName.519 = STRING: lo0.32768
IF-MIB::ifName.520 = STRING: lt-0/0/0
IF-MIB::ifName.521 = STRING: mt-0/0/0
IF-MIB::ifName.522 = STRING: pp0
IF-MIB::ifName.525 = STRING: st0
IF-MIB::ifName.526 = STRING: vlan
IF-MIB::ifName.527 = STRING: vlan.0
IF-MIB::ifName.528 = STRING: vlan.1
IF-MIB::ifName.529 = STRING: vlan.2
IF-MIB::ifName.530 = STRING: vlan.3

hi,

that's correct, IF-MIB::ifName.530 = STRING: vlan.3 since you have L3 interface vlan.3 and the ARP is related to L3 interface. You will not get the MAC to physical port binding from ipNetToMediaTable if using VLANs.

Good the ipNetToMediaTable is support on SRX, the docs are incorrect or I misread it.

If you need MAC to physical port info and the dot1dTpFdbTable,  dot1qTpFdbTable MIBs are not implemented (snmpwalk 1.3.6.1.2.1.17.4.3 and 1.3.6.1.2.1.17.7.1.2.2  ?),  there are no other options left, just parsing the show ethernet-switching table  output/xml.

jtb

@Rob,

Access to JTAC and many of the services on the Juniper support site (CSC) requires a valid service contract (Some access is provided for warranty issues, but it's fairly limited). This is pretty standard industry-wide practice for enterprise-class products.

That's the reason your case was closed.  Using the forums to discuss product issues is an appropriate alternate venue should you choose not to purchase a service contract. However, if for example a later release of Junos corrects your issue, you won't have access to download it.  Please contact your reseller for more info about support options.

Regards,

-Keith (! KeithR)

Thanks Keith

Message recieved

You can imagine my frustration when a case is opened for me (Seemingly implying I should be able to access it)

Please reference "2010-1119-0688" in the subject line of any email message(s) that you send to us regarding this case.  You can do this by replying to this message. This will ensure that your email communications are added to the case.

Synopsis:       Issue ID: 82366/Access to CSC Tools
Arrival-Date:   11/19/10 14:18:29

You may create, modify or check status of your support cases online by using the
Juniper.Net Case Manager, located at https://www.juniper.net/cm/index.jsp

You may directly access your case number 2010-1119-0688 at
https://www.juniper.net/cm/case_email_link.jsp?case_number=2010-1119-0688

In addition to Case Manager, other online support tools are available to Juniper Networks contracted customers at http://support.juniper.net/

We will work quickly towards resolving this problem and keep you updated as we progress through it.

Sincerely,

Juniper Networks Technical Assistance Center

anyway the forums are working out well for me . Next time I am at the customers location I will get the serial number and register this account.

Yes, apologies -  this is unfortunately a use-case the tools were not designed for.

Step by step procedure;

1) Get INTEGER value of mac address;

snmpwalk -O0sUX -v2c -Cc -c netpublic 10.50.2.223 BRIDGE-MIB::dot1dTpFdbPort

dot1dTpFdbPort[STRING: 90:1b:0e:1e:dd:fb] = INTEGER: 557

2) Get port index of this integer;

snmpwalk -O0sUX -v2c -Cc -c netpublic 10.50.2.223 BRIDGE-MIB::dot1dBasePortIfIndex | grep 557
dot1dBasePortIfIndex[557] = INTEGER: 594

3) Get physical port number from ifDescr

snmpwalk -O0sUX -v2c -Cc -c netpublic 10.50.2.223 ifDescr | grep 594
ifDescr[594] = STRING: ge-0/0/44.0