[mrtg] Re: Monitoring Access-lists? Cisco. - Solution
Scheidel, Greg
Greg_Scheidel at ed.gov
Wed Feb 16 01:01:39 MET 2000
There is no way to use SNMP to get the 'match' count from an access list.
This is confirmed by a definitive answer from Cisco support.
However, I have a need to do this myself and so wrote a script to pull the
information from the CLI using the UNIX utility Expect. Here's a copy of
the script (with sensitive information removed) and the MRTG *.cfg file that
I am using. This *will* require modification to use, as it has to have the
specific access list and access list lines you want to monitor put in.
Greg S.
----- start of script 'access100.sh' : cut here -----
#!/usr/bin/expect
# This script could be set to have parameters for the box to connect
# to, login/enable passwords, access list to look at, which access list
# lines to look for, etc. However since all of this information is tied
# together and therefore everything would have to be parameter if any one
# item was, and since we are using this for a single box & access list,
# we're just hard-coding the info in the script.
#
# Items that would have to be changed to use this script for another box/
# access list/access list lines:
# - destination router
# - CLI prompt
# - CLI enable mode prompt
# - login password
# - enable password
# - access list name or number
# - access list lines to search for
# Options to add:
# - multiple pattern matches when looking for access list lines, with
# second pattern the CLI prompt and the corresponding body exits script;
# because if you find the CLI prompt before finding the access list line,
# then the access list is not built the way that we are expecting
# - timeout on *all* expect commands so as to not enter infinite wait; set
# for 30 secs per command
# - 'abort' procedure
# - change 'getting data for access line' to a procedure with parameter
# of 'access line text'
# Greg Scheidel, 2/15/2000
#------------------------------------------------------------
# Procedure to call when prematurely aborting. May need to use
# to output null/0 values.
proc abortproc "" {
    # debugging only
    # send_tty "ok, works"
    exit
}
#------------------------------------------------------------
# Procedure to search for a specific access list line in the displayed
# access list, and return the value of the counter associated
# with that line.
proc getcounter AccessLine {
    # debugging only
    # send_tty "*$AccessLine*\n"
    #------------------------------------------------------------
    # set R/W variables used during the proc
    # temp variable used to pull information from access list lines
    # before parsing and dumping to output
    set tempvar "0"
    #------------------------------------------------------------
    # declare global variables that we'll need to reference
    global CLIenprompt
    #------------------------------------------------------------
    # look for the access list line that we want to pull counters for.
    # - if we find the access list line we want, continue
    # - if a CLI enable prompt is found before the access list line, then
    #   the access list is not built the way we expect and we should exit
    # - if expect times out waiting for a match, exit
    expect {
        "$AccessLine" {}
        "$CLIenprompt" {abortproc}
        timeout {abortproc}
    }
    # we are now 'on' the access list line, immediately following the last
    # char that we just searched for. search for newline character so that
    # expect_out(buffer) contains the text comprising the remainder of the
    # line
    expect {
        "\n" {}
        timeout {abortproc}
    }
    # save the string and trim it; IOS prints "(12341234 matches)" after
    # the line when the counter is non-zero and nothing at all when it is
    # 0, so an empty string here means a count of 0
    set tempvar [string trim "$expect_out(buffer)"]
    # pull just the number out of "(12341234 matches)" (or "(1 match)");
    # anything else left on the line, e.g. a 'log' keyword, is ignored
    if {![regexp {\(([0-9]+) match(es)?\)} $tempvar -> tempvar]} {
        set tempvar "0"
    }
    return "$tempvar"
}
#------------------------------------------------------------
# set R/W variables used during the script
# counter for denied ICMP packets
set ICMPdenycount "0"
# counter for denied spoofed packets
set spoofdenycount "0"
#------------------------------------------------------------
# set variables for items that are important to note (ie security
# sensitive) or could be used multiple times in the script
set CLIprompt "routername>"
set CLIenprompt "routername#"
# login and enable passwords variable must end in \r so that CR is sent
set loginpwd "loginpassword\r"
set enpwd "enablepassword\r"
#------------------------------------------------------------
# set timeout for each expect command to 20 secs (from default of 10)
set timeout 20
# disable output from being sent to stdout
log_user 0
# initiate the telnet session to the router holding your access list
spawn telnet 100.100.100.100
# wait for the login password prompt and send login password
expect {
"Password: " {}
timeout {abortproc}
}
send "$loginpwd"
# wait for the CLI prompt
expect {
"$CLIprompt" {}
timeout {abortproc}
}
# enter enable mode
send "enable\r"
expect {
"Password: " {}
timeout {abortproc}
}
send "$enpwd"
expect {
"$CLIenprompt" {}
timeout {abortproc}
}
# display the desired access list
send "show access-list 100\r"
# call procedure to get the values we're interested in
set ICMPdenycount [getcounter "deny icmp any any"]
set spoofdenycount [getcounter "deny ip 100.100.0.0 0.0.255.255 any"]
expect {
"$CLIenprompt" {}
timeout {abortproc}
}
send "logout\r"
expect {
"Connection closed by foreign host." {}
timeout {abortproc}
}
close
# debugging only
#send_tty ".$ICMPdenycount.\n"
#send_tty ".$spoofdenycount.\n"
send_user "$ICMPdenycount\n"
send_user "$spoofdenycount\n"
send_user "forever\n"
send_user "pancho.ed.gov\n"
# debugging only
#return "$ICMPdenycount\n$spoofdenycount\nforever\npancho.ed.gov\n"
exit
----- end of script 'access100.sh' : cut here -----
----- start of MRTG config file : cut here -----
# Add a WorkDir: /some/path line to this file
WorkDir: /home/mrtg/pancho
#---------------------------------------------------------------
Target[access102]: `/home/mrtg/routers/access100.sh`
MaxBytes[access102]: 6016625
Options[access102]: nopercent
YLegend[access102]: Packets per Second
ShortLegend[access102]: pkts/s
Legend1[access102]: ICMP Packets Per Second Denied
Legend2[access102]: Spoofed Packets Per Second Denied
Legend3[access102]: Max ICMP Packets Per Second Denied
Legend4[access102]: Max Spoofed Packets Per Second Denied
LegendI[access102]: ICMP:
LegendO[access102]: Spoof:
WithPeak[access102]: wmy
ThreshMaxI[access102]: 15
ThreshLabelI[access102]: ICMP Packets Denied
ThreshMaxO[access102]: 5
ThreshLabelO[access102]: Spoofed Packets Denied
TargetURL[access102]: http://ncc/mrtg/pancho/access102.html
Title[access102]: pancho.ed.gov : Internet Access List
PageTop[access102]: <H1>Traffic Analysis For Internet Access List<br>
 <font size=-1>(Incoming Packets Denied By Access List 102)</font></H1>
 <TABLE>
 <TR><TD>System:</TD><TD>pancho.ed.gov in ROB3, DoEd HQ, Washington, D.C.</TD></TR>
 <TR><TD>Maintainer:</TD><TD>DoEd NCC (202-708-5799)</TD></TR>
 </TABLE>
 <br>
 This is an approximation based upon specific lines in Access List 102.
 <TABLE>
 <TR><TD>ICMP Packets:</TD><TD>deny icmp any any</TD></TR>
 <TR><TD>Spoofed Packets:</TD><TD>deny ip 165.224.0.0 0.0.255.255 any</TD></TR>
 </TABLE>
 <p><i><font size=-1>Config last updated Tues Feb 15 2000</font></i></p>
----- end of MRTG config file : cut here -----
-----Original Message-----
From: Roddy Strachan [mailto:roddy at satlink.com.au]
Sent: Saturday, February 12, 2000 8:48 PM
To: Mrtg List
Subject: [mrtg] Monitoring Access-lists? Cisco.
Hi,
This may be a strange request, but I wonder if it is possible.
Does anyone know of a way to monitor a particular access-list on a cisco
router and graph it to mrtg? An example is the following :
permit icmp x.x.x.x 0.0.0.255 any (128 matches)
Either a script or an OID (if there is one), would be able to grab that
number either by rsh if using a script, and plot it on a graph? Anyone
tried this ??
Thanks
---
Cheers,
R. Strachan
Satlink Internet Services Pty Ltd.
Ph. +61-3-9775-2600
Fax. +61-3-9775-2456
Email. roddy at satlink.com.au
--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Help mailto:mrtg-request at list.ee.ethz.ch?subject=help
Archive http://www.ee.ethz.ch/~slist/mrtg
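The counter scraping that the thread above settles on, as an added example that is not part of either post: a Python parser for the text of `show access-list`, followed by the same four-line output MRTG's external-target format expects (two values, an uptime string and a name; "forever" and the host name are taken from the post). The `show access-list` text below is constructed to mirror IOS formatting (an ACL header, then one entry per line with an optional sequence number and an optional "(N matches)" suffix that IOS omits when the count is 0); the ACL number, addresses and host are the placeholders the post used, not real ones. Because the MRTG config in the post has no `gauge` option, MRTG treats the two numbers as counters and graphs the per-second difference between polls; `per_second` does the same arithmetic and shows what a reset (`clear access-list counters` or a reload) looks like to such a consumer.

```python
"""Parse Cisco IOS 'show access-list' output into per-entry match counters.

Added example, not the Expect script from the post. SAMPLE_T0/SAMPLE_T1 are
constructed text in IOS format; ACL 100 and the 100.100.x.x addresses are the
post's own placeholders.
"""
import re
from typing import Dict, List, Optional

# Constructed 'show access-list' output, modelled on IOS formatting.
SAMPLE_T0 = """\
Extended IP access list 100
    10 deny icmp any any log (128 matches)
    20 deny ip 100.100.0.0 0.0.255.255 any (55 matches)
    30 permit tcp any host 100.100.1.1 eq www
    40 permit ip any any (987654321 matches)
"""

# Same ACL one MRTG poll later (300 seconds, MRTG's default interval).
SAMPLE_T1 = """\
Extended IP access list 100
    10 deny icmp any any log (4628 matches)
    20 deny ip 100.100.0.0 0.0.255.255 any (1555 matches)
    30 permit tcp any host 100.100.1.1 eq www (12 matches)
    40 permit ip any any (988000000 matches)
"""

HEADER_RE = re.compile(r'^(?:Extended|Standard) IP access list (\S+)\s*$')
ACE_RE = re.compile(
    r'^\s*(?:(?P<seq>\d+)\s+)?'                      # optional sequence number
    r'(?P<ace>(?:permit|deny)\b.*?)'                 # the entry text itself
    r'(?:\s+\((?P<count>\d+) match(?:es)?\))?\s*$'   # "(N matches)" / "(1 match)"
)


def ace_key(text: str) -> str:
    """Normalize an entry so 'deny icmp any any' also matches the router's
    'deny icmp any any log' (the post's string-trim approach breaks on that)."""
    words = text.split()
    while words and words[-1] in ('log', 'log-input'):
        words.pop()
    return ' '.join(words)


def parse_access_lists(output: str) -> Dict[str, Dict[str, int]]:
    """Return {acl_name: {normalized_entry: match_count}}; no suffix means 0."""
    acls: Dict[str, Dict[str, int]] = {}
    current: Optional[Dict[str, int]] = None
    for line in output.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = acls.setdefault(header.group(1), {})
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            current[ace_key(m.group('ace'))] = int(m.group('count') or 0)
    return acls


def per_second(prev: int, cur: int, seconds: float) -> Optional[float]:
    """Rate between two polls, as MRTG computes for non-gauge targets.
    A decrease means the counters were cleared or the router reloaded;
    report None instead of a bogus (wrapped) rate."""
    if cur < prev:
        return None
    return (cur - prev) / seconds


def mrtg_lines(acls: Dict[str, Dict[str, int]], acl: str,
               in_ace: str, out_ace: str, host: str) -> List[str]:
    """The four lines an MRTG external target must print: 'in' value,
    'out' value, uptime string, target name. An entry that is missing from
    the ACL is reported as 0 rather than as an empty line."""
    entries = acls.get(acl, {})
    return [str(entries.get(ace_key(in_ace), 0)),
            str(entries.get(ace_key(out_ace), 0)),
            'forever', host]


if __name__ == '__main__':
    t0 = parse_access_lists(SAMPLE_T0)
    t1 = parse_access_lists(SAMPLE_T1)
    print('\n'.join(mrtg_lines(t1, '100', 'deny icmp any any',
                               'deny ip 100.100.0.0 0.0.255.255 any',
                               'pancho.ed.gov')))
    for ace, count in t1['100'].items():
        rate = per_second(t0['100'].get(ace, 0), count, 300)
        print(f'{ace}: {"counters reset" if rate is None else f"{rate:.2f} pkt/s"}')
```

The parser only sees text, so it does not care how the text was captured: the same function works on output collected over SSH instead of the cleartext telnet session with hard-coded passwords used in the post, which is the change most practitioners would make first.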