Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  Command for IP accounting on Netscreen interfaces

    Posted 06-27-2008 17:40
    Hi All,

    What is the command on Netscreen FW for IP accounting on an interface?

    As in Cisco, I know the command ip accounting to find the traffic across the interface.

    Can anyone advise me on this?


  • 2.  RE: Command for IP accounting on Netscreen interfaces
    Best Answer

    Posted 06-27-2008 22:44

    I'm not entirely sure what you mean by IP accounting. Perhaps you can clarify exactly what it is you want to capture. If you mean something like CFLOW or Netflow, then the NetScreens do not support this. The J-Series does support this (with a license key). But none of the ScreenOS devices support this. What you can do in ScreenOS is enable counting on policies and also do policy logging which can track session usage and durations and send to a syslog server.

     

    Hope this helps

    -Richard
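
The policy logging to a syslog server mentioned above can be turned into a per source/destination byte table similar to what IP accounting reports. This is an added example, not part of the original thread; the sample lines are constructed, and the key=value field layout (action=, sent=, rcvd=, src=, dst=) is an assumption modelled on ScreenOS traffic logs.

```python
import re
from collections import defaultdict

# Constructed sample lines. The key=value layout (action=, sent=, rcvd=, src=, dst=)
# is an assumption modelled on ScreenOS policy traffic logs sent to syslog.
HDR = ('Jun 27 17:40:01 fw1 fw1: NetScreen device_id=fw1 '
       '[Root]system-notification-00257(traffic): start_time="2008-06-27 17:39:55" ')
SAMPLE = [
    HDR + 'duration=5 policy_id=1 proto=6 src zone=Trust dst zone=Untrust '
          'action=Permit sent=1200 rcvd=5600 src=192.0.2.10 dst=198.51.100.5',
    HDR + 'duration=9 policy_id=1 proto=6 src zone=Trust dst zone=Untrust '
          'action=Permit sent=800 rcvd=4400 src=192.0.2.10 dst=198.51.100.5',
    HDR + 'duration=0 policy_id=7 proto=6 src zone=Untrust dst zone=Trust '
          'action=Deny sent=0 rcvd=0 src=203.0.113.9 dst=192.0.2.10',
    HDR + 'duration=3 policy_id=1 proto=17 action=Permit sent=90 rcvd=',  # truncated line
    'Jun 27 17:41:00 fw1 fw1: NetScreen device_id=fw1 constructed non-traffic event',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_traffic(line):
    """Return (src, dst, sent, rcvd, action), or None for non-traffic/malformed lines."""
    if "(traffic)" not in line:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    try:
        return f["src"], f["dst"], int(f["sent"]), int(f["rcvd"]), f["action"].lower()
    except (KeyError, ValueError):
        return None

def ip_accounting(lines):
    """Aggregate bytes and sessions per (src, dst); count denied sessions separately."""
    table = defaultdict(lambda: {"sessions": 0, "sent": 0, "rcvd": 0, "denied": 0})
    skipped = 0
    for line in lines:
        rec = parse_traffic(line)
        if rec is None:
            skipped += 1  # keep a count so dropped or garbled log lines are visible
            continue
        src, dst, sent, rcvd, action = rec
        row = table[(src, dst)]
        row["sessions"] += 1
        row["sent"] += sent
        row["rcvd"] += rcvd
        row["denied"] += action == "deny"
    return dict(table), skipped

if __name__ == "__main__":
    table, skipped = ip_accounting(SAMPLE)
    for (src, dst), r in sorted(table.items(), key=lambda kv: -(kv[1]["sent"] + kv[1]["rcvd"])):
        print(f"{src:>15} -> {dst:<15} {r}")
    print("skipped lines:", skipped)
```

The denied column plays the role of the access-violations view: sources that repeatedly hit a deny policy stand out even though they move no bytes.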



  • 3.  RE: Command for IP accounting on Netscreen interfaces

    Posted 06-30-2008 00:15

    Richard,

    FYI,

    "Usage Guidelines

    The IP accounting command records the number of bytes (IP header and data) and packets switched through the system on a source and destination IP address basis. Only transit IP traffic is measured and only on an outbound basis; traffic generated by the router access server or terminating in this device is not included in the accounting statistics. Traffic coming from a remote site and transiting through a router is also recorded.

    If you specify the access-violations keyword, the ip accounting command provides information identifying IP traffic that fails IP access lists. Identifying IP source addresses that violate IP access lists alerts you to possible attempts to breach security. The data might also indicate that you should verify IP access list configurations.

    To receive a logging message on the console when an extended access list entry denies a packet access (to log violations), you must include the log keyword in the access-list (IP extended) or access-list (IP standard) command.

    Statistics are accurate even if IP fast switching or IP access lists are being used on the interface.

    IP accounting disables autonomous switching, SSE switching, and distributed switching (dCEF) on the interface. IP accounting will cause packets to be switched on the Route Switch Processor (RSP) instead of the Versatile Interface Processor (VIP), which can cause performance degradation."

    But the answer is still no (as mentioned, count and log session as the best options available to get this info).

    Laters

    Ben



  • 4.  RE: Command for IP accounting on Netscreen interfaces

    Posted 07-01-2008 10:58

    You can use SNMP for that; it can get you each interface's In/Out Octets, In/Out Unicast Packets, In/Out Non-Unicast Packets.

    By the way, I don't think you'll need any special MIB file for that; such counters are just standard ones. The only trick here is to use a MIB browser first in order to know which OID is for which interface/counter.

     

    Message Edited by gr33ndata on 07-01-2008 09:01 PM

    #screenos
    #SNMP


  • 5.  RE: Command for IP accounting on Netscreen interfaces

    Posted 07-02-2008 17:56

    Got the solution.

    Use the command

    get session