[mrtg] Re: Monitoring Access-lists? Cisco. - Solution

Scheidel, Greg Greg_Scheidel at ed.gov
Wed Feb 16 01:01:39 MET 2000

There is no way to use SNMP to get the 'match' count from an access list.
This is confirmed by a definitive answer from Cisco support.

However, I have need to do this myself and so wrote a script to pull the
information from the CLI using the UNIX utility Expect.  Here's a copy of
the script (with sensitive information removed) and the MRTG *.cfg file that
I am using.  This *will* require modification to use, as it has to have the
specific access list and access list lines you want to monitor put in.

Greg S.

----- start of script 'access100.sh' : cut here -----

# This script could be set to have parameters for the box to connect
# to, login/enable passwords, access list to look at, which access list
# lines to look for, etc.  However since all of this information is tied
# together and therefore everything would have to be parameter if any one
# item was, and since we are using this for a single box & access list,
# we're just hard-coding the info in the script.
# Items that would have to be changed to use this script for another box/
# access list/access list lines:
# - destination router
# - CLI prompt
# - CLI enable mode prompt
# - login password
# - enable password
# - access list name or number
# - access list lines to search for

# Options to add:
# - multiple pattern matches when looking for access list lines, with
#   second pattern the CLI prompt and the corresponding body exits script;
#   because if you find the CLI prompt before finding the access list line,
#   then the access list is not built the way that we are expecting
# - timeout on *all* expect commands so as to not enter infinite wait; set
#   for 30 secs per command
# - 'abort' procedure
# - change 'getting data for access line' to a procedure with parameter
#   of 'access line text'

# Greg Scheidel, 2/15/2000

# Procedure to call when prematurely aborting.  May need to use
# to output null/0 values.

proc abortproc "" {
  # debugging only
  #  send_tty "ok, works"


# Procedure to search for a specific access list line in the displayed
# access list, and return the value of the counter associated
# with that line.

proc getcounter AccessLine {
  # debugging only
  #  send_tty "*$AccessLine*\n"

  # set R/W variables used during the proc

  # temp variable used to pull information from access list lines
  # before parsing and dumping to output
  set tempvar "0"

  # declare global variables that we'll need to reference
  global CLIenprompt

  # look for the access list line that we want to pull counters for.
  # - if we find the access list line we want, continue
  # - if a CLI enable prompt is found before the access list line, then
  #   the access list is not built the way we expect and we should exit
  # - if expect times out waiting for a match, exit
  expect {
    "$AccessLine" {}
    "$CLIenprompt" {abortproc}
    timeout {abortproc}

  # we are now 'on' the access list line, immediately following the last
  # char that we just searched for.  search for newline character so that
  # expect_out(buffer) contains the text comprising the remainder of the
  expect {
    "\n" {}
    timeout {aportproc}

  # save the string and trim it; if there is no text left on the line
  # we'll end up with an empty string
  set tempvar [string trim "$expect_out(buffer)"]

  # if we got any text it will be in the format "(12341234 matches)" ;
  # trim it down to just the number
  if {"$tempvar" != ""} {
    # debugging only
    # send_tty "Got something.\n"
    set tempvar [string trim "$tempvar" "( matches)"]

  return "$tempvar"

# set R/W variables used during the script

# counter for denied ICMP packets
set ICMPdenycount "0"
# counter for denied spoofed packets
set spoofdenycount "0"

# set variables for items that are important to note (ie security
# sensitive) or could be used multiple times in the script

set CLIprompt "routername>"
set CLIenprompt "routername#"
# login and enable passwords variable must end in \r so that CR is sent
set loginpwd "loginpassword\r"
set enpwd "enablepassword\r"

# set timeout for each expect command to 20 secs (from default of 10)
set timeout 20

# disable output from being sent to stdout
log_user 0

# initiate the telnet session to the router holding your access list
spawn telnet

# wait for the login password prompt and send login password
expect {
  "Password: " {}
  timeout {abortproc}
send "$loginpwd"

# wait for the CLI prompt
expect {
  "$CLIprompt" {}
  timeout {abortproc}
# enter enable mode
send "enable\r"
expect {
  "Password: " {}
  timeout {abortproc}
send "$enpwd"
expect {
  "$CLIenprompt" {}
  timeout {abortproc}

# display the desired access list
send "show access-list 100\r"

# call procedure to get the values we're interested in
set ICMPdenycount [getcounter "deny   icmp any any"]
set spoofdenycount [getcounter "deny   ip any"]

expect {
  "$CLIenprompt" {}
  timeout {abortproc}
send "logout\r"
expect {
  "Connection closed by foreign host." {}
  timeout {abortproc}

# debugging only
#send_tty ".$ICMPdenycount.\n"
#send_tty ".$spoofdenycount.\n"

send_user "$ICMPdenycount\n"
send_user "$spoofdenycount\n"
send_user "forever\n"
send_user "pancho.ed.gov\n"

# debugging only
#return "$ICMPdenycount\n$spoofdenycount\nforever\npancho.ed.gov\n"

----- end of script 'access100.sh' : cut here -----

----- start of MRTG config file : cut here -----
# Add a WorkDir: /some/path line to this file

WorkDir:  /home/mrtg/pancho

Target[access102]: `/home/mrtg/routers/access100.sh`
MaxBytes[access102]: 6016625
Options[access102]: nopercent
YLegend[access102]: Packets per Second
ShortLegend[access102]: pkts/s
Legend1[access102]: ICMP Packets Per Second Denied
Legend2[access102]: Spoofed Packets Per Second Denied
Legend3[access102]: Max ICMP Packets Per Second Denied
Legend4[access102]: Max Spoofed Packets Per Second Denied
LegendI[access102]: ICMP: 
LegendO[access102]: Spoof: 
WithPeak[access102]: wmy
ThreshMaxI[access102]: 15
ThreshLabelI[access102]: ICMP Packets Denied
ThreshMaxO[access102]: 5
ThreshLabelO[access102]: Spoofed Packets Denied
TargetURL[access102]: http://ncc/mrtg/pancho/access102.html
Title[access102]: pancho.ed.gov : Internet Access List
PageTop[access102]: <H1>Traffic Analysis For Internet Access List<br><font
size=-1>(Incoming Packets Denied By Access List 102)</font></H1>
   <TR><TD>System:</TD><TD>pancho.ed.gov in ROB3, DoEd HQ, Washington,
   <TR><TD>Maintainer:</TD><TD>DoEd NCC (202-708-5799)</TD></TR>


  This is an approximation based upon specific lines in Access List 102.
   <TR><TD>ICMP Packets:</TD><TD>deny   icmp any any</TD></TR>
   <TR><TD>Spoofed Packets:</TD><TD>deny   ip

	<p><i><font size=-1>Config last updated Tues Feb 15

#-------------------------------------------------------------------- end of
MRTG config file : cut here -----

-----Original Message-----
From: Roddy Strachan [mailto:roddy at satlink.com.au]
Sent: Saturday, February 12, 2000 8:48 PM
To: Mrtg List
Subject: [mrtg] Monitoring Access-lists? Cisco.

        This may be a strange request, but I wonder if it possible.

Does anyone know of a way to monitor a particular access-list on a cisco
router and graph it to mrtg?  An example is the following :

permit icmp x.x.x.x any (128 matches)

Either a script or an OID (if there is one), would be able to grab that
number either by rsh if using a script, and plot it on a graph?  Anyone
tried this ??



R. Strachan
Satlink Internet Services Pty Ltd.
Ph.  +61-3-9775-2600
Fax. +61-3-9775-2456
Email. roddy at satlink.com.au

Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Help        mailto:mrtg-request at list.ee.ethz.ch?subject=help
Archive     http://www.ee.ethz.ch/~slist/mrtg

Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Help        mailto:mrtg-request at list.ee.ethz.ch?subject=help
Archive     http://www.ee.ethz.ch/~slist/mrtg

More information about the mrtg mailing list