Juniper EX4200 – Reading SNMP Traffic Counters for Specific VLAN ID

juniperjuniper-junosqinqsnmpvlan

I have multiple q-in-q S-VLANs assigned to the trunk port ge-0/0/0.
How can I read SNMP traffic counters for a specific VLAN id (S-VLAN) on that trunk port?

Hardware is Juniper EX4200-24F.

For reference, the VLAN configuration is shown below. For instance, I need to read, thru SNMP, traffic counters for S-VLAN id=4 for packets received/sent on port ge-0/0/0.

set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members SVID4
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members SVID5
set vlans SVID4 vlan-id 4
set vlans SVID4 dot1q-tunneling customer-vlans 41-42
set vlans SVID4 dot1q-tunneling layer2-protocol-tunneling all
set vlans SVID5 vlan-id 5
set vlans SVID5 dot1q-tunneling customer-vlans 51-52
set vlans SVID5 dot1q-tunneling layer2-protocol-tunneling all

Can EX4200 provide traffic counters thru SNMP for specific VLAN id on a trunk port? If so, please point out directions.

Best Answer

Sadly the EX4200 (or any EX) is not able to do this. You would need a separate logical unit for the VLAN which has its own VLAN counters. This works for example on Junipers MX routers but not on EX.

What you can do however is count the packets and bytes with a firewall filter.

I have an working example here, for VLANS 14, 571, 572. You can of course use any VLAN IDs.

Here is the filter:

firewall {
    family ethernet-switching {
        filter vlan-counters {
            interface-specific;
            term vlan-14 {
                from {
                    dot1q-tag 14;
                }
                then {
                    accept;
                    count vlan-14;
                }
            }
            term vlan-571 {
                from {
                    dot1q-tag 571;
                }
                then {
                    accept;
                    count vlan-571;
                }
            }
            term vlan-572 {
                from {
                    dot1q-tag 572;
                }
                then {
                    accept;
                    count vlan-572;
                }
            }
            term default {
                then accept;
            }
        }
    }
}

As you can see we have a separate term for each VLAN we want to count and a default term at the end. This is important as without that last term traffic for other VLANs would be dropped. The interface-specific keyword tells the switch to generate separate counters for each interface.

You can apply this filter to your interfaces:

set interfaces ae0.0 family ethernet-switching filter input vlan-counters 
set interfaces ae0.0 family ethernet-switching filter output vlan-counters

After that you can see the counters in the show firewall output. Note that they have interface-specific extensions:

Filter: vlan-counters-ae1.0-i                                  
Counters:
Name                                                Bytes              Packets
vlan-14-ae1.0-i                                   7474383                 8504
vlan-571-ae1.0-i                                        0                    0
vlan-572-ae1.0-i                                        0                    0

Filter: vlan-counters-ae1.0-o                                  
Counters:
Name                                                Bytes              Packets
vlan-14-ae1.0-o                                   2651051                 4919
vlan-571-ae1.0-o                                  2057853                14731
vlan-572-ae1.0-o                                      644                   10

Last but not least the SNMP part.

The packet and byte counters displayed above are visible in SNMP under the JUNIPER-FIREWALL-MIB::jnxFWCounterPacketCount and JUNIPER-FIREWALL-MIB::jnxFWCounterByteCount tree.

For example:

$ snmpget -v2c -cpublic 10.1.2.3 'JUNIPER-FIREWALL-MIB::jnxFWCounterByteCount."vlan-counters-ae1.0-o"."vlan-571-ae1.0-o".counter
JUNIPER-FIREWALL-MIB::jnxFWCounterByteCount."vlan-counters-ae1.0-o"."vlan-571-ae1.0-o".counter = Counter64: 298848

If your program does not understand the encoded form of the OID you can translate it to the numeric form with the snmptranslate utility:

$ snmptranslate -On 'JUNIPER-FIREWALL-MIB::jnxFWCounterByteCount."vlan-counters-ae1.0-o"."vlan-571-ae1.0-o".counter'
.1.3.6.1.4.1.2636.3.5.2.1.5.21.118.108.97.110.45.99.111.117.110.116.101.114.115.45.97.101.49.46.48.45.111.16.118.108.97.110.45.53.55.49.45.97.101.49.46.48.45.111.2

Related Solutions

VLAN Traffic Monitoring – How to Monitor VLAN Traffic?

Try adding the counter command under the SVI (see here for more information, specifically the "Understanding L3 interface counters" section).

For instance:

 Cisco#config t
 Cisco(config)#interface vlan 100
 Cisco(config-if)#counter ?
   ipv4  Enable IPv4 statistic counters
   ipv6  Enable IPv6 statistic counters
   <cr>
 Cisco(config-if)#counter
 Cisco(config-if)#end

Combined with Mike's excellent answers this will probably be what you want.

VLAN – Behavior of Untagged Traffic on TRUNK and ACCESS Ports

As Adam stated, generally in a well designed network, you should not be receiving untagged frames on a trunk port. Based on your description, you only want and expect to send and receive VLAN 24 on the uplink port. Thus, configure the port as an access port in VLAN 24:

interface gig0/1
 switchport access vlan 24

If for whatever reason this needs to remain a trunk port, but you still only want VLAN 24 (untagged), then configure as a trunk, but set the native VLAN to 24:

interface gig0/1
 switchport trunk encapsulation dot1q  !may not be necessary depending on hardware
 switchport mode trunk
 switchport trunk native vlan 24

Best Answer

Related Solutions

VLAN Traffic Monitoring – How to Monitor VLAN Traffic?

VLAN – Behavior of Untagged Traffic on TRUNK and ACCESS Ports

Related Topic