[ixpmanager] update-l2database.pl and Juniper QFX5100

Nick Hilliard nick at foobar.org
Thu Feb 2 12:51:30 GMT 2017


Hi Leon,

Leon Meßner wrote:
> has anyone got a working update-l2database.pl for Juniper QFX series
> switches?

Most vendors implement Q-BRIDGE-MIB by using a vlan index.  So in theory
you should be able to walk through an OID which will give you a mapping
between the list of vlan numerical IDs and the snmp vlan mapping ID, and
then use that index to walk through dot1qTpFdbPort to retrieve the list
of MAC addresses.

This functionality is provided by dot1qVlanIndex on most stacks, but
Juniper decided to implement this using the proprietary OID
jnxExVlanTag, which is why the script checks the following:

> # /usr/local/bin/update-l2database.pl --vlan=2000 --debug
> DEBUG: switch-1: started query process
> DEBUG: switch-1: pre-emptively trying Juniper jnxExVlanTag to see if we're on a J-EX box (.1.3.6.1.4.1.2636.3.40.1.5.1.5.1.5)
> DEBUG: switch-1: this isn't a Juniper EX

This means that jnxExVlanTag isn't supported.

> DEBUG: switch-1: attempting to retrieve dot1qVlanFdbId mapping (.1.3.6.1.2.1.17.7.1.4.2.1.3)
> DEBUG: switch-1: that didn't work either. attempting Q-BRIDGE-MIB with no fdb->ifIndex mapping

This means that the script can't retrieve any index which maps the VLAN
ID to an index which can be used in Q-BRIDGE-MIB.

> DEBUG: switch-1: attempting Q-BRIDGE-MIB (.1.3.6.1.2.1.17.7.1.2.2.1.2.2000)
> DEBUG: switch-1: failed to retrieve Q-BRIDGE-MIB. falling back to BRIDGE-MIB 
> DEBUG: switch-1: attempting BRIDGE-MIB (.1.3.6.1.2.1.17.4.3.1.2)

... and this means that fall-back to BRIDGE-MIB isn't even supported.

Sigh.

There is an argument to say that every other vendor in the world is
wrong by using the vlan index for dot1qTpFdbPort instead of a physical
port index, but then again, every vendor in the world is also incorrect
in their interpretation of ifName, ifAlias and ifDescr.

Could you open a ticket with Juniper and ask them what is their
recommended way of retrieving MAC addresses from QFX5100 boxes using
snmp (without referring to the CLI)?  Juniper EX boxes refer to KB26533,
but this method is not going to work on your qfx5100 for the reasons above.

It might also be worth trawling down through the juniper enterprise MIB
to see what information can be gleaned about VLAN id mappings.

% snmpwalk -v 2c -c foo switch-1 .1.3.6.1.4.1.2636 > output.txt

> Looking at Q-BRIDGE-MIB without the vlanid added i get an interface mapping:
> 
> # snmpwalk -v 2c -c community switch-1 1.3.6.1.2.1.17.7.1.2.2.1
> iso.3.6.1.2.1.17.7.1.2.2.1.2.196608.132.24.136.38.23.197 = INTEGER: 14
> iso.3.6.1.2.1.17.7.1.2.2.1.2.327680.0.2.201.16.240.151 = INTEGER: 4105
> ....
> 
> and with dot1qVlanStaticEgressPorts i can map ports to vlans (1,50,2000...):
> 
> # snmpwalk -v 2c -c community switch-1 1.3.6.1.2.1.17.7.1.4.3.1.2
> iso.3.6.1.2.1.17.7.1.4.3.1.2.1 = ""
> iso.3.6.1.2.1.17.7.1.4.3.1.2.50 = STRING: "14"
> iso.3.6.1.2.1.17.7.1.4.3.1.2.2000 = STRING: "14,4100,4101,4103,4105"
> iso.3.6.1.2.1.17.7.1.4.3.1.2.2103 = STRING: "4101,4102"
> iso.3.6.1.2.1.17.7.1.4.3.1.2.2104 = STRING: "4101,4104"

This looks like it's QFX specific - it doesn't work at all on EX boxes.

Nick
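
Added example, not part of the message above and not code from update-l2database.pl: Python that decodes the two walks quoted in the message, splitting each dot1qTpFdbPort index into an FDB ID and a MAC address and listing the VLANs each learned port belongs to. It assumes the dot1qTpFdbPort value uses the same port numbering as the comma-separated dot1qVlanStaticEgressPorts lists on this switch; all function names are hypothetical.

```python
import re
from collections import defaultdict

FDB_PORT = "1.3.6.1.2.1.17.7.1.2.2.1.2"  # dot1qTpFdbPort, index = fdbId + 6 MAC octets
EGRESS = "1.3.6.1.2.1.17.7.1.4.3.1.2"    # dot1qVlanStaticEgressPorts, index = VLAN ID

# Lines copied from the walks quoted in the message (the "...." line is omitted).
FDB_WALK = """\
iso.3.6.1.2.1.17.7.1.2.2.1.2.196608.132.24.136.38.23.197 = INTEGER: 14
iso.3.6.1.2.1.17.7.1.2.2.1.2.327680.0.2.201.16.240.151 = INTEGER: 4105
"""
EGRESS_WALK = """\
iso.3.6.1.2.1.17.7.1.4.3.1.2.1 = ""
iso.3.6.1.2.1.17.7.1.4.3.1.2.50 = STRING: "14"
iso.3.6.1.2.1.17.7.1.4.3.1.2.2000 = STRING: "14,4100,4101,4103,4105"
iso.3.6.1.2.1.17.7.1.4.3.1.2.2103 = STRING: "4101,4102"
iso.3.6.1.2.1.17.7.1.4.3.1.2.2104 = STRING: "4101,4104"
"""

# Accepts "iso.3.6..." and ".1.3.6..." spellings; value type and quotes are optional.
LINE = re.compile(r'^(?:iso|\.?1)\.([\d.]+) = (?:\w+: )?"?([^"]*)"?$')

def rows(walk, base):
    """Yield (index as list of ints, value string) for each line under base."""
    prefix = base[2:] + "."  # drop the leading "1." to match the regex capture
    for line in walk.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1).startswith(prefix):
            yield [int(x) for x in m.group(1)[len(prefix):].split(".")], m.group(2)

def parse_fdb(walk):
    """Return (fdb_id, mac, port) per learned address; malformed rows are skipped."""
    out = []
    for idx, val in rows(walk, FDB_PORT):
        if len(idx) == 7 and val.isdigit():
            out.append((idx[0], ":".join(f"{o:02x}" for o in idx[1:]), int(val)))
    return out

def parse_egress(walk):
    """Return {port: set of VLAN IDs} from the comma-separated port lists."""
    vlans = defaultdict(set)
    for idx, val in rows(walk, EGRESS):
        for port in filter(None, val.split(",")):
            vlans[int(port)].add(idx[0])
    return vlans

def macs_with_candidate_vlans(fdb_walk, egress_walk):
    """Return (mac, port, sorted candidate VLANs); more than one VLAN is ambiguous."""
    vlans = parse_egress(egress_walk)
    return [(mac, port, sorted(vlans.get(port, ())))
            for _fdb, mac, port in parse_fdb(fdb_walk)]
```

On the quoted data, port 14 comes back with VLANs 50 and 2000, so port membership alone cannot place that MAC in a single VLAN; that still needs the FDB ID to VLAN mapping the script could not retrieve.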

