[mrtg] Re: Monitoring Access-lists? Cisco. - Solution

Scheidel, Greg Greg_Scheidel at ed.gov
Wed Feb 16 01:07:44 MET 2000

CORRECTED VERSION : I accidentally hit the Send key before finishing editing
the config file.  Sorry for any confusion.

There is no way to use SNMP to get the 'match' count from an access list.
This is confirmed by a definitive answer from Cisco support.

However, I have need to do this myself and so wrote a script to pull the
information from the CLI using the UNIX utility Expect.  Here's a copy of
the script (with sensitive information removed) and the MRTG *.cfg file that
I am using.  This *will* require modification to use, as it has to have the
specific access list and access list lines you want to monitor put in.

Greg S.

----- start of script 'access100.sh' : cut here -----
#!/usr/bin/expect -f

# This script could be set to have parameters for the box to connect
# to, login/enable passwords, access list to look at, which access list
# lines to look for, etc.  However since all of this information is tied
# together and therefore everything would have to be a parameter if any one
# item was, and since we are using this for a single box & access list,
# we're just hard-coding the info in the script.
# Items that would have to be changed to use this script for another box/
# access list/access list lines:
# - destination router
# - CLI prompt
# - CLI enable mode prompt
# - login password
# - enable password
# - access list name or number
# - access list lines to search for

# Options to add:
# - multiple pattern matches when looking for access list lines, with
#   second pattern the CLI prompt and the corresponding body exits script;
#   because if you find the CLI prompt before finding the access list line,
#   then the access list is not built the way that we are expecting
# - timeout on *all* expect commands so as to not enter infinite wait; set
#   for 30 secs per command
# - 'abort' procedure
# - change 'getting data for access line' to a procedure with parameter
#   of 'access line text'

# Greg Scheidel, 2/15/2000

# Procedure to call when prematurely aborting (an expect timed out, or the
# CLI prompt came back before the access list line we were looking for).
# Emits zero values in the four-line format MRTG expects and quits, so
# MRTG never waits on a hung telnet session.

proc abortproc {} {
  # debugging only
  #  send_tty "ok, works"
  send_user "0\n0\nforever\npancho.ed.gov\n"
  exit 1
}


# Procedure to search for a specific access list line in the displayed
# access list, and return the value of the counter associated
# with that line.

proc getcounter AccessLine {
  # debugging only
  #  send_tty "*$AccessLine*\n"

  # set R/W variables used during the proc

  # temp variable used to pull information from access list lines
  # before parsing and dumping to output
  set tempvar "0"

  # declare global variables that we'll need to reference
  global CLIenprompt

  # look for the access list line that we want to pull counters for.
  # - if we find the access list line we want, continue
  # - if a CLI enable prompt is found before the access list line, then
  #   the access list is not built the way we expect and we should exit
  # - if expect times out waiting for a match, exit
  expect {
    "$AccessLine" {}
    "$CLIenprompt" {abortproc}
    timeout {abortproc}
  }

  # we are now 'on' the access list line, immediately following the last
  # char that we just searched for.  search for newline character so that
  # expect_out(buffer) contains the text comprising the remainder of the
  # line
  expect {
    "\n" {}
    timeout {abortproc}
  }

  # save the string and trim it; if there is no text left on the line
  # we'll end up with an empty string
  set tempvar [string trim "$expect_out(buffer)"]

  # if we got any text it will be in the format "(12341234 matches)" ;
  # trim it down to just the number
  if {"$tempvar" != ""} {
    # debugging only
    # send_tty "Got something.\n"
    # string trim with a character set strips the surrounding "(" ,
    # " matches" and ")" and leaves only the digits
    set tempvar [string trim "$tempvar" "( matches)"]
  }

  return "$tempvar"
}

# set R/W variables used during the script

# counter for denied ICMP packets
set ICMPdenycount "0"
# counter for denied spoofed packets
set spoofdenycount "0"

# set variables for items that are important to note (ie security
# sensitive) or could be used multiple times in the script

set CLIprompt "routername>"
set CLIenprompt "routername#"
# login and enable passwords variable must end in \r so that CR is sent
set loginpwd "loginpassword\r"
set enpwd "enablepassword\r"

# set timeout for each expect command to 20 secs (from default of 10)
set timeout 20

# disable output from being sent to stdout
log_user 0

# initiate the telnet session to the router holding your access list
# (the real hostname was removed from the posted copy; "routername" is a
# placeholder to fill in, like the prompts and passwords above)
spawn telnet routername

# wait for the login password prompt and send login password
expect {
  "Password: " {}
  timeout {abortproc}
}
send "$loginpwd"

# wait for the CLI prompt
expect {
  "$CLIprompt" {}
  timeout {abortproc}
}
# enter enable mode
send "enable\r"
expect {
  "Password: " {}
  timeout {abortproc}
}
send "$enpwd"
expect {
  "$CLIenprompt" {}
  timeout {abortproc}
}

# display the desired access list
send "show access-list 100\r"

# call procedure to get the values we're interested in
set ICMPdenycount [getcounter "deny   icmp any any"]
set spoofdenycount [getcounter "deny   ip any"]

expect {
  "$CLIenprompt" {}
  timeout {abortproc}
}
send "logout\r"
expect {
  "Connection closed by foreign host." {}
  timeout {abortproc}
}

# debugging only
#send_tty ".$ICMPdenycount.\n"
#send_tty ".$spoofdenycount.\n"

send_user "$ICMPdenycount\n"
send_user "$spoofdenycount\n"
send_user "forever\n"
send_user "pancho.ed.gov\n"

# debugging only
#return "$ICMPdenycount\n$spoofdenycount\nforever\npancho.ed.gov\n"

----- end of script 'access100.sh' : cut here -----

----- start of MRTG config file : cut here -----
# Add a WorkDir: /some/path line to this file

WorkDir:  /home/mrtg/pancho

Target[access100]: `/home/mrtg/routers/access100.sh`
MaxBytes[access100]: 6016625
Options[access100]: nopercent
YLegend[access100]: Packets per Second
ShortLegend[access100]: pkts/s
Legend1[access100]: ICMP Packets Per Second Denied
Legend2[access100]: Spoofed Packets Per Second Denied
Legend3[access100]: Max ICMP Packets Per Second Denied
Legend4[access100]: Max Spoofed Packets Per Second Denied
LegendI[access100]: ICMP: 
LegendO[access100]: Spoof: 
WithPeak[access100]: wmy
Title[access100]: routername : Internet Access List
PageTop[access100]: <H1>Traffic Analysis For Internet Access List<br><font
size=-1>(Incoming Packets Denied By Access List 100)</font></H1>
   <TR><TD>System:</TD><TD>routername in Location</TD></TR>
   <TR><TD>Maintainer:</TD><TD>Maintainer Information</TD></TR>


  This is an approximation based upon specific lines in Access List 100.
   <TR><TD>ICMP Packets:</TD><TD>deny   icmp any any</TD></TR>
   <TR><TD>Spoofed Packets:</TD><TD>deny   ip

        <p><i><font size=-1>Config last updated Tues Feb 15

----- end of MRTG config file : cut here -----
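As an added example (not Greg's script and not part of MRTG), here is the same parse-and-report step in Python, run over a constructed `show access-list 100` capture instead of a live telnet session, so it can be tried offline. It goes a little beyond the posted Expect script: the access-list line is compared after collapsing whitespace, a leading IOS sequence number is stripped, an entry that has never matched (IOS prints no "(N matches)" suffix for it) is reported as 0, and an entry that is absent from the list altogether is distinguished from one with a zero count. The hostname `routername` and the counter values are placeholders.

```python
import re

# Constructed sample of "show access-list 100" output (not a real capture).
# The last line is the enable-mode prompt the telnet session would show.
SAMPLE_OUTPUT = """\
Extended IP access list 100
    deny   icmp any any (12341234 matches)
    deny   ip 10.0.0.0 0.255.255.255 any (77 matches)
    deny   ip 127.0.0.0 0.255.255.255 any
    40 permit ip any any (987654 matches)
routername#
"""

# "(N matches)" or, for exactly one hit, "(1 match)" at the end of an ACE line
MATCH_RE = re.compile(r"\((\d+) match(?:es)?\)\s*$")
# optional leading sequence number that newer IOS releases print before each ACE
SEQ_RE = re.compile(r"^\d+\s+")


def normalize(text):
    """Collapse runs of whitespace so 'deny   icmp any any' equals 'deny icmp any any'."""
    return " ".join(text.split())


def parse_access_list(output):
    """Return [(ace_text, match_count), ...] in display order.

    Header lines and the prompt are skipped.  An ACE that IOS prints without a
    "(N matches)" suffix has never matched and is reported with a count of 0.
    """
    entries = []
    for raw in output.splitlines():
        line = SEQ_RE.sub("", raw.strip(), count=1)
        if not line.startswith(("permit", "deny")):
            continue
        m = MATCH_RE.search(line)
        if m:
            entries.append((normalize(line[:m.start()]), int(m.group(1))))
        else:
            entries.append((normalize(line), 0))
    return entries


def counter_for(entries, ace_text):
    """Counter for the ACE whose whitespace-normalized text equals ace_text.

    Returns None when the ACE is not in the list at all, so a caller can tell
    "the ACL was rewritten and this line is gone" apart from "zero hits".
    """
    wanted = normalize(ace_text)
    for ace, count in entries:
        if ace == wanted:
            return count
    return None


def mrtg_output(output, in_ace, out_ace, uptime="forever", name="routername"):
    """Build the four lines an MRTG external target expects: in, out, uptime, name.

    A missing ACE is reported as 0, matching the zero/null fallback the posted
    script's abort path is meant to produce.
    """
    entries = parse_access_list(output)
    values = []
    for ace in (in_ace, out_ace):
        count = counter_for(entries, ace)
        values.append("0" if count is None else str(count))
    return values + [uptime, name]


if __name__ == "__main__":
    for line in mrtg_output(SAMPLE_OUTPUT, "deny   icmp any any",
                            "deny   ip 10.0.0.0 0.255.255.255 any"):
        print(line)
```

Two things to keep in mind when wiring either version into MRTG: the config above has no `gauge` option, so MRTG treats the two numbers as ever-increasing counters and derives packets per second from the difference between polls, which means a script that falls back to printing 0 after a failed login or timeout looks to MRTG like a counter wrap and produces a misleading spike or a gap rather than a flat line. And because the poller logs in with the router's login and enable passwords stored in clear text, it is worth giving it a dedicated account or privilege level that can run `show access-list` and nothing else, so a compromised MRTG host does not hand over full configuration access to the router.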

-----Original Message-----
From: Roddy Strachan [mailto:roddy at satlink.com.au]
Sent: Saturday, February 12, 2000 8:48 PM
To: Mrtg List
Subject: [mrtg] Monitoring Access-lists? Cisco.

        This may be a strange request, but I wonder if it is possible.

Does anyone know of a way to monitor a particular access-list on a cisco
router and graph it to mrtg?  An example is the following :

permit icmp x.x.x.x any (128 matches)

Either a script or an OID (if there is one), would be able to grab that
number either by rsh if using a script, and plot it on a graph?  Anyone
tried this ??



R. Strachan
Satlink Internet Services Pty Ltd.
Ph.  +61-3-9775-2600
Fax. +61-3-9775-2456
Email. roddy at satlink.com.au

Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Help        mailto:mrtg-request at list.ee.ethz.ch?subject=help
Archive     http://www.ee.ethz.ch/~slist/mrtg
