[mrtg] Re: Monitoring Access-lists? Cisco. - Solution
Steven Sporen
sporens at ecnet.co.za
Wed Feb 16 07:57:24 MET 2000
Just a thought but you could write something that reads the syslog file
and have the router push the info to it via logging.
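Taking that syslog route a step further, the following is an added example (my own, not code from anyone in this thread). It assumes the access-list entries carry the `log` keyword so the router emits %SEC-6-IPACCESSLOG messages, reads those lines out of a syslog file, and sums denied packets per protocol plus denied packets whose source claims to be inside 100.100.0.0/16 (the "spoofed" case from the access list). The sample lines are constructed in the shape of IOS access-list log messages; the host name, sequence numbers and addresses are placeholders.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, Tuple

# Constructed syslog lines in the shape of IOS IPACCESSLOG messages
# (assumed format, not captured from a real router). One unrelated
# message is included to show it is ignored.
SAMPLE_SYSLOG = """\
Feb 16 07:40:01 routername 123: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 203.0.113.5 -> 100.100.1.1 (8/0), 3 packets
Feb 16 07:40:05 routername 124: %SEC-6-IPACCESSLOGP: list 100 denied tcp 100.100.9.9(4444) -> 100.100.1.1(80), 1 packet
Feb 16 07:40:09 routername 125: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.51.100.7(1234) -> 100.100.1.1(53), 2 packets
Feb 16 07:40:12 routername 126: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 198.51.100.8(5555) -> 100.100.1.1(80), 4 packets
Feb 16 07:41:00 routername 127: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# list id, action, protocol, source, destination, packet count
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[^\s,]+) -> (?P<dst>[^\s,]+).*?, (?P<pkts>\d+) packets?"
)


def strip_port(addr: str) -> str:
    """'10.1.1.1(4444)' -> '10.1.1.1'; addresses without a port are unchanged."""
    return addr.split("(", 1)[0]


def parse_acl_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, str, str, int]]:
    """Yield (acl, action, proto, src_ip, packets) for every access-list log line."""
    for line in lines:
        m = ACL_LOG_RE.search(line)
        if m is None:
            continue  # not an access-list log message
        yield m["acl"], m["action"], m["proto"], strip_port(m["src"]), int(m["pkts"])


def summarize(lines: Iterable[str], acl: str = "100",
              inside: ipaddress.IPv4Network = ipaddress.ip_network("100.100.0.0/16")) -> Dict[str, int]:
    """Denied packets per protocol for one list, plus those with an 'inside' source."""
    totals: Counter = Counter()
    for list_id, action, proto, src, pkts in parse_acl_log(lines):
        if list_id != acl or action != "denied":
            continue
        totals[f"denied_{proto}"] += pkts
        try:
            if ipaddress.ip_address(src) in inside:
                totals["denied_spoofed"] += pkts
        except ValueError:
            pass  # source was not a literal address
    return dict(totals)


if __name__ == "__main__":
    for key, value in sorted(summarize(SAMPLE_SYSLOG.splitlines()).items()):
        print(f"{key}: {value}")
```

Two things to keep in mind with this approach: only entries carrying `log` produce messages, and IOS rate-limits access-list logging, so the packet counts in the messages are a summary rather than an exact per-packet tally; the counters from `show access-list` remain the authoritative figure.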
-----Original Message-----
From: Scheidel, Greg [mailto:Greg_Scheidel at ed.gov]
Sent: 16 February 2000 02:08
To: 'Roddy Strachan'; 'Mrtg List'
Subject: [mrtg] Re: Monitoring Access-lists? Cisco. - Solution
CORRECTED VERSION : I accidentally hit the Send key before finishing
editing the config file. Sorry for any confusion.
There is no way to use SNMP to get the 'match' count from an access
list.
This is confirmed by a definitive answer from Cisco support.
However, I have need to do this myself and so wrote a script to pull the
information from the CLI using the UNIX utility Expect. Here's a copy of
the script (with sensitive information removed) and the MRTG *.cfg file that
I am using. This *will* require modification to use, as it has to have the
specific access list and access list lines you want to monitor put in.
Greg S.
----- start of script 'access100.sh' : cut here -----
#!/usr/bin/expect
# This script could be set to have parameters for the box to connect
# to, login/enable passwords, access list to look at, which access list
# lines to look for, etc. However since all of this information is tied
# together and therefore everything would have to be a parameter if any one
# item was, and since we are using this for a single box & access list,
# we're just hard-coding the info in the script.
#
# Items that would have to be changed to use this script for another box/
# access list/access list lines:
# - destination router
# - CLI prompt
# - CLI enable mode prompt
# - login password
# - enable password
# - access list name or number
# - access list lines to search for
# Options to add:
# - multiple pattern matches when looking for access list lines, with
# second pattern the CLI prompt and the corresponding body exits script;
# because if you find the CLI prompt before finding the access list line,
# then the access list is not built the way that we are expecting
# - timeout on *all* expect commands so as to not enter infinite wait; set
# for 30 secs per command
# - 'abort' procedure
# - change 'getting data for access line' to a procedure with parameter
# of 'access line text'
# Greg Scheidel, 2/15/2000
#------------------------------------------------------------
# Procedure to call when prematurely aborting. May need to use
# to output null/0 values.
proc abortproc "" {
# debugging only
# send_tty "ok, works"
exit
}
#------------------------------------------------------------
# Procedure to search for a specific access list line in the displayed
# access list, and return the value of the counter associated
# with that line.
proc getcounter AccessLine {
# debugging only
# send_tty "*$AccessLine*\n"
#------------------------------------------------------------
# set R/W variables used during the proc
# temp variable used to pull information from access list lines
# before parsing and dumping to output
set tempvar "0"
#------------------------------------------------------------
# declare global variables that we'll need to reference
global CLIenprompt
#------------------------------------------------------------
# look for the access list line that we want to pull counters for.
# - if we find the access list line we want, continue
# - if a CLI enable prompt is found before the access list line, then
# the access list is not built the way we expect and we should exit
# - if expect times out waiting for a match, exit
expect {
"$AccessLine" {}
"$CLIenprompt" {abortproc}
timeout {abortproc}
}
# we are now 'on' the access list line, immediately following the last
# char that we just searched for. search for newline character so that
# expect_out(buffer) contains the text comprising the remainder of the line
expect {
"\n" {}
timeout {abortproc}
}
# save the string and trim it; if there is no text left on the line
# we'll end up with an empty string
set tempvar [string trim "$expect_out(buffer)"]
# if we got any text it will be in the format "(12341234 matches)" ;
# trim it down to just the number
if {"$tempvar" != ""} {
# debugging only
# send_tty "Got something.\n"
set tempvar [string trim "$tempvar" "( matches)"]
}
return "$tempvar"
}
#------------------------------------------------------------
# set R/W variables used during the script
# counter for denied ICMP packets
set ICMPdenycount "0"
# counter for denied spoofed packets
set spoofdenycount "0"
#------------------------------------------------------------
# set variables for items that are important to note (ie security
# sensitive) or could be used multiple times in the script
set CLIprompt "routername>"
set CLIenprompt "routername#"
# login and enable passwords variable must end in \r so that CR is sent
set loginpwd "loginpassword\r"
set enpwd "enablepassword\r"
#------------------------------------------------------------
# set timeout for each expect command to 20 secs (from default of 10)
set timeout 20
# disable output from being sent to stdout
log_user 0
# initiate the telnet session to the router holding your access list
spawn telnet 100.100.100.100
# wait for the login password prompt and send login password
expect {
"Password: " {}
timeout {abortproc}
}
send "$loginpwd"
# wait for the CLI prompt
expect {
"$CLIprompt" {}
timeout {abortproc}
}
# enter enable mode
send "enable\r"
expect {
"Password: " {}
timeout {abortproc}
}
send "$enpwd"
expect {
"$CLIenprompt" {}
timeout {abortproc}
}
# display the desired access list
send "show access-list 100\r"
# call procedure to get the values we're interested in
set ICMPdenycount [getcounter "deny icmp any any"]
set spoofdenycount [getcounter "deny ip 100.100.0.0 0.0.255.255 any"]
expect {
"$CLIenprompt" {}
timeout {abortproc}
}
send "logout\r"
expect {
"Connection closed by foreign host." {}
timeout {abortproc}
}
close
# debugging only
#send_tty ".$ICMPdenycount.\n"
#send_tty ".$spoofdenycount.\n"
send_user "$ICMPdenycount\n"
send_user "$spoofdenycount\n"
send_user "forever\n"
send_user "pancho.ed.gov\n"
# debugging only
#return "$ICMPdenycount\n$spoofdenycount\nforever\npancho.ed.gov\n"
exit
----- end of script 'access100.sh' : cut here -----
----- start of MRTG config file : cut here -----
# Add a WorkDir: /some/path line to this file
WorkDir: /home/mrtg/pancho
#---------------------------------------------------------------
Target[access100]: `/home/mrtg/routers/access100.sh`
MaxBytes[access100]: 6016625
Options[access100]: nopercent
YLegend[access100]: Packets per Second
ShortLegend[access100]: pkts/s
Legend1[access100]: ICMP Packets Per Second Denied
Legend2[access100]: Spoofed Packets Per Second Denied
Legend3[access100]: Max ICMP Packets Per Second Denied
Legend4[access100]: Max Spoofed Packets Per Second Denied
LegendI[access100]: ICMP:
LegendO[access100]: Spoof:
WithPeak[access100]: wmy
Title[access100]: routername : Internet Access List
PageTop[access100]: <H1>Traffic Analysis For Internet Access List<br><font size=-1>(Incoming Packets Denied By Access List 100)</font></H1>
 <TABLE>
 <TR><TD>System:</TD><TD>routername in Location</TD></TR>
 <TR><TD>Maintainer:</TD><TD>Maintainer Information</TD></TR>
 </TABLE>
 <br>
 This is an approximation based upon specific lines in Access List 100.
 <TABLE>
 <TR><TD>ICMP Packets:</TD><TD>deny icmp any any</TD></TR>
 <TR><TD>Spoofed Packets:</TD><TD>deny ip 100.100.0.0 0.0.255.255 any</TD></TR>
 </TABLE>
 <p><i><font size=-1>Config last updated Tues Feb 15 2000</font></i></p>
#--------------------------------------------------------------------
----- end of MRTG config file : cut here -----
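The fragile part of the Expect script above is getcounter: it assumes the two entries appear in the order it searches for them, and an entry that has never matched (no "(N matches)" suffix) comes back as an empty string rather than 0. The following is an added example (mine, not Greg's script or anything from MRTG) that parses the whole "show access-list" output once, maps every permit/deny entry to its counter with 0 for entries that have never matched, tolerates the sequence numbers newer IOS prints in front of entries, and builds the four-line reply MRTG expects from an external Target. The sample output is constructed and uses the thread's placeholder addresses; the Expect or telnet side is left out since the point is the parsing.

```python
import re
from typing import Dict

# Constructed sample of what "show access-list 100" returns, in the shape
# the Expect script expects. Not a capture from a real router.
SAMPLE_SHOW_ACCESS_LIST = """\
Extended IP access list 100
    deny icmp any any (12341234 matches)
    deny ip 100.100.0.0 0.0.255.255 any
    10 permit tcp any host 100.100.1.1 eq www (1 match)
    permit ip any any (999 matches)
routername#
"""

# One entry: optional sequence number, the permit/deny text, then an
# optional "(N matches)" or "(1 match)" suffix. IOS prints no suffix at
# all for an entry that has never matched.
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<ace>(?:permit|deny)\b.*?)\s*"
    r"(?:\((?P<count>\d+) match(?:es)?\))?\s*$"
)


def parse_acl_counters(show_output: str) -> Dict[str, int]:
    """Map each permit/deny entry to its hit counter (0 when IOS prints none)."""
    counters: Dict[str, int] = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m is None:
            continue  # list header, CLI prompt, or anything else
        counters[m["ace"]] = int(m["count"] or 0)
    return counters


def mrtg_output(counters: Dict[str, int], ace_in: str, ace_out: str,
                uptime: str = "forever", name: str = "routername") -> str:
    """Four lines for MRTG: in value, out value, uptime text, target name.

    Refuses to emit anything if an expected entry is absent, so that an
    access list edited out from under the script shows up as an error
    rather than as a silent zero.
    """
    missing = [a for a in (ace_in, ace_out) if a not in counters]
    if missing:
        raise ValueError(f"access list is not built as expected; missing {missing}")
    return f"{counters[ace_in]}\n{counters[ace_out]}\n{uptime}\n{name}\n"


if __name__ == "__main__":
    acl = parse_acl_counters(SAMPLE_SHOW_ACCESS_LIST)
    print(mrtg_output(acl, "deny icmp any any",
                      "deny ip 100.100.0.0 0.0.255.255 any"), end="")
```

The values handed to MRTG are cumulative match counters, which MRTG (by default) treats as counters and turns into a rate, which is why the legends in the config say packets per second. If someone runs "clear access-list counters" or the router reloads, the next sample is lower than the previous one and MRTG will assume a counter wrap; the MaxBytes line in the config is what keeps the resulting bogus rate from being plotted.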
-----Original Message-----
From: Roddy Strachan [mailto:roddy at satlink.com.au]
Sent: Saturday, February 12, 2000 8:48 PM
To: Mrtg List
Subject: [mrtg] Monitoring Access-lists? Cisco.
Hi,
This may be a strange request, but I wonder if it is possible.
Does anyone know of a way to monitor a particular access-list on a cisco
router and graph it to mrtg? An example is the following :
permit icmp x.x.x.x 0.0.0.255 any (128 matches)
Either a script or an OID (if there is one), would be able to grab that
number either by rsh if using a script, and plot it on a graph? Anyone
tried this ??
Thanks
---
Cheers,
R. Strachan
Satlink Internet Services Pty Ltd.
Ph. +61-3-9775-2600
Fax. +61-3-9775-2456
Email. roddy at satlink.com.au
--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Help mailto:mrtg-request at list.ee.ethz.ch?subject=help
Archive http://www.ee.ethz.ch/~slist/mrtg