Juniper MX snmp oid for static route

juniperjuniper-mx

Hoping someone has an oid to poll (get/walk) an MX router to retrieve configured static route information and next-hop? Searched MIBs and mib walks on router to no avail.

Thanks!

Best Answer

The best you'll be able to get is inetCidrRouteTable from IP-FORWARD-MIB - this will give you all routes, regardless of protocol.

The OID is .1.3.6.1.2.1.4.24.7 and if you walk it, you'll see a table of entries.

The format of entries is:

IP-MIB::ip.24.7.1.7.1.4.0.0.0.0.0.2.0.0.1.4.10.0.0.254 = INTEGER: 13
                        |     | |           |        |
                Prefix (0.0.0.0)| Next Hop (10.0.0.254)
                 CIDR Mask (/0)-+

If you're specifically after static routes, I would recommend ditching SNMP, and instead use the Junos REST API (available from Junos 15.1 onwards), or NETCONF calls via PyEZ.

Related Solutions

Routing – BGP remote-triggered blackhole (RTBH) filter for Juniper

There is no reason to limit customer to blackhole only /32, allow them to blackhole anything from them.

Something like this:

policy-statement AS42-IN {
    term blackhole {
        from {
            community BLACKHOLE;
            prefix-list-filter AS42 orlonger;
        }
        then {
            community add NO-EXPORT;
            next-hop 192.0.2.1;
            accept;
        }
    }
    term advertise {
        from {
            prefix-list AS42;
        }
        then {
            community add ADVERTISE;
            next-hop peer-address;
            accept;
        }
    }
    term reject {
        then reject;
    }
}

Remember to set 'accept-remote-nexthop' under BGP settings, so that the next-hop can be changed to something else than link address.

I also strongly support that providers start to support different blackhole communities than just 'full blackhole'. Especially if you operate in more than one country usually attack is from transit and often customer actually mostly wants to access domestic peerings, so it's useful to implement several levels of blackhhole:

Full
Outside local country (local IXP, whole own AS + customers seen)
Outside local area (if applicable, like for me it could be 'Nordics')
Include/Exclude specific peering router in blackhole

I'm happy to give example how to implement something like this with JNPR DCU/SCU, provided your peering routers are JNPR, but it's possible with just communities, just bit more awkward.

If you absolutely want to limit your customer's options you can add this:

policy-statement /32 {
    term /32 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /32-/32;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}

policy-statement AS42-IN {
    term blackhole {
        from {
            community BLACKHOLE;
            policy /32;
            prefix-list-filter AS42 orlonger;
        }
..
}

This way it should be logical AND. But I really don't see the value in creating complexity to reduce expressiveness of configuration.

Poll firewall counters on Juniper routers via SNMP

Yes, this data is populated in the Firewall MIB

.1.3.6.1.4.1.2636.3.5.2.1.5 contains your counters
.1.3.6.1.4.1.2636.3.5.2.1.6 contains your filter names
.1.3.6.1.4.1.2636.3.5.2.1.7 contains your counter names

show firewall filter RE-FILTER | match mgmt_ntp
mgmt_ntp 199728 2628

% snmpbulkwalk jnpr .1.3.6.1.4.1.2636.3.5.2.1.7|grep mgmt_ntp
.1.3.6.1.4.1.2636.3.5.2.1.7.9.82.69.45.70.73.76.84.69.82.8.109.103.109.116.95.110.116.112.2 = STRING: "mgmt_ntp"

% snmpbulkwalk jnpr .1.3.6.1.4.1.2636.3.5.2.1.5.9.82.69.45.70.73.76.84.69.82.8.109.103.109.116.95.110.116.112.2
.1.3.6.1.4.1.2636.3.5.2.1.5.9.82.69.45.70.73.76.84.69.82.8.109.103.109.116.95.110.116.112.2 = Counter64: 199728

More information on juniper.net

Best Answer

Related Solutions

Routing – BGP remote-triggered blackhole (RTBH) filter for Juniper

Poll firewall counters on Juniper routers via SNMP

Related Topic