[mrtg] Re: Graphing cisco access_list hits

Michael Markstaller mm at elabnet.de
Thu Aug 14 21:36:34 MEST 2003


You just triggered a thing I wanted to do a long time ago..
As there's no snmp-mib available and I already use rsh (over an IPSec-VPN with very restrictive ACLs on the routers, for sure; it should be easy to convert this to telnet or ssh)..
Quite quick & dirty, and I'm not very good at writing shell scripts, but it works..

I extended my "get-rsh-shell-script" for mrtg:

--- cut mrtg-rsh.sh ---
#!/bin/bash
#
# Replace these variables with the corresponding values for your system.
# Exe is the location of the rsh binary, rshUser the user the router
# accepts for rsh. Bash (not plain sh) is required: the ACL branch uses
# ${var:offset:length} substrings and "let".
#
# Called by mrtg as:  mrtg-rsh.sh ROUTER NAT|InQ|ACL [args...]
# and prints the four lines mrtg expects: in, out, uptime, target name.

Exe=/usr/bin/rsh
rshUser=YOUR_USER

# Get NAT-stats
if [ "$2" = "NAT" ]; then
 $Exe -l $rshUser $1 "show ip nat stat | inc Total active" | cut -d ':' -f 2 |  awk '{print $1}' | head -n 1
 $Exe -l $rshUser $1 "sh ip inspect stat | inc Current" | head -n 1 | cut -d'[' -f 2 |  cut -d':' -f 1 | awk '{print $1}' | head -n 1
 echo "0"
 echo $1
fi

# Get Input-Queue stats ($3 and $4 are the two interface names)
if [ "$2" = "InQ" ]; then
 $Exe -l $rshUser $1 "show int $3 | inc Input" | head -n 1 | cut -d ':' -f 2 | cut -d '/' -f 1 | awk '{print $1}'
 $Exe -l $rshUser $1 "show int $4 | inc Input" | head -n 1 | cut -d ':' -f 2 | cut -d '/' -f 1 | awk '{print $1}'
  echo "0"
  echo $1
fi

# Get ACL Permitted/denied stats
# polls router with the specified acl ($3) over rsh and sums up permits and denies
# Output:
# 1:PERMITTED 2:DENIED

if [ "$2" = "ACL" ]; then
# start at 0 so mrtg never gets an empty line when one side has no hits
PERMITcount=0
DENYcount=0
# Word-splitting of the "sh access-list" output gives tokens like
#   10 permit tcp any any eq 25 (1234 matches)
# remember the last permit/deny seen, then add the next "(nnnn" token to it
for i in $($Exe -l $rshUser $1 "sh access-list $3")
do
	if [ "$i" = "permit" ]
	then
		acl="PERMIT"
	fi
	if [ "$i" = "deny" ]
	then
		acl="DENY"
	fi
	if [ "${i:0:1}" = "(" ]
	then	# we now have the line with (xxxx matches)
	case $acl in
		PERMIT)	let "PERMITcount += ${i:1:100}";;
		DENY) let "DENYcount += ${i:1:100}";;
	esac
	fi
done
echo $PERMITcount
echo $DENYcount
echo 0
echo $1
fi
--- cut mrtg-rsh.sh ---

MRTG-config:
#---------------------------------------------------------------
Target[ROUTER_inetacl]: `/usr/local/mrtg/bin/mrtg-rsh.sh ROUTER ACL FW-Ser0/0-Inet`
Directory[ROUTER_inetacl]: ROUTER
MaxBytes[ROUTER_inetacl]: 1000000
AbsMax[ROUTER_inetacl]: 10000000
Options[ROUTER_inetacl]: growright, nopercent
YLegend[ROUTER_inetacl]: Packets/sec
ShortLegend[ROUTER_inetacl]: pkts/s
LegendI[ROUTER_inetacl]:  Permitted:
LegendO[ROUTER_inetacl]:  Denied:
Legend1[ROUTER_inetacl]: Avg Pkts Permitted/sec
Legend2[ROUTER_inetacl]: Avg Pkts Denied/sec
Legend3[ROUTER_inetacl]: Max Pkts Permitted/sec
Legend4[ROUTER_inetacl]: Max Pkts Denied/sec
Title[ROUTER_inetacl]: ACL Packets -- ROUTER
PageTop[ROUTER_inetacl]: <H1>ACL Packets permitted/denied -- 04233.rentavpn.de</H1> 
#---------------------------------------------------------------


maybe it helps..


Michael

-----Original Message-----
From: John Lord [mailto:lord at allturbo.com]
Sent: Thursday, August 14, 2003 6:32 PM
To: mrtg at list.ee.ethz.ch
Subject: [mrtg] Graphing cisco access_list hits


Has any one got a config to graph cisco access_list hits or know how to
do it? Like I want to graph denys per ports I have blocked 
John Lord
IT Manager
AllTurbo Internet Services Inc
410-213-9388 Office
www.allturbo.com


--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive     http://www.ee.ethz.ch/~slist/mrtg
FAQ         http://faq.mrtg.org    Homepage     http://www.mrtg.org
WebAdmin    http://www.ee.ethz.ch/~slist/lsg2.cgi

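An added example, not part of Michael's post or of mrtg-rsh.sh: the same "sum the (nnnn matches) counters per permit/deny" idea, but parsing whole ACE lines instead of whitespace-split tokens, so entries that have not been hit yet (IOS prints no "(... matches)" suffix for them) count as 0 instead of being silently skipped, and the deny hits are also broken down by destination port, which is what John actually asked for. The "show access-list" output embedded below is constructed, not captured from a router; RSH_USER, RSH_EXE and the script name mrtg-acl.py are assumptions that mirror the placeholders in the original script.

```python
#!/usr/bin/env python3
"""Sum Cisco IOS 'show access-list' hit counters for MRTG.

Added example; not part of the original mrtg-rsh.sh. The sample output below
is constructed, not captured from a real router.
"""
import re
import subprocess
import sys

RSH_USER = "YOUR_USER"          # assumption: same placeholder as mrtg-rsh.sh
RSH_EXE = "/usr/bin/rsh"        # assumption: same path as mrtg-rsh.sh

# Constructed 'show access-list FW-Ser0/0-Inet' output. Note the ACE without a
# "(... matches)" suffix: IOS prints none until the entry has been hit.
SAMPLE = """\
Extended IP access list FW-Ser0/0-Inet
    10 permit tcp any host 192.0.2.10 eq 25 (1523 matches)
    20 permit tcp any host 192.0.2.10 eq 80 (98231 matches)
    30 deny tcp any any eq 135 (4412 matches)
    40 deny tcp any any eq 445 (17 matches)
    50 deny udp any any eq 1434
    60 permit ip any any (554 matches)
"""

# One ACE line: optional sequence number, action, rule text, optional hit counter.
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<action>permit|deny)\b(?P<rule>.*?)"
    r"(?:\s\((?P<hits>\d+)\s+matches\))?\s*$"
)
PORT_RE = re.compile(r"\beq\s+(\S+)")


def parse_acl(text):
    """Return a list of (action, protocol, port, hits) tuples, one per ACE.

    Header lines and anything that is not an ACE are skipped. port is the
    last 'eq' operand (the destination port of an extended ACE) or None.
    """
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        words = m.group("rule").split()
        proto = words[0] if words else "ip"
        ports = PORT_RE.findall(m.group("rule"))
        port = ports[-1] if ports else None
        hits = int(m.group("hits") or 0)   # no suffix printed -> 0 hits so far
        entries.append((m.group("action"), proto, port, hits))
    return entries


def totals(entries):
    """(permitted, denied) hit totals across all ACEs."""
    permitted = sum(h for a, _, _, h in entries if a == "permit")
    denied = sum(h for a, _, _, h in entries if a == "deny")
    return permitted, denied


def denied_by_port(entries):
    """Denied hits keyed by (protocol, port), for graphing denies per blocked port."""
    out = {}
    for action, proto, port, hits in entries:
        if action == "deny" and port is not None:
            out[(proto, port)] = out.get((proto, port), 0) + hits
    return out


def mrtg_lines(entries, target):
    """The four lines an MRTG external target expects: in, out, uptime, name."""
    permitted, denied = totals(entries)
    return [str(permitted), str(denied), "0", target]


def fetch_acl(router, acl):
    """Pull the ACL over rsh as mrtg-rsh.sh does, but without a local shell."""
    # The ACL name is sent to the router CLI verbatim, so refuse anything that
    # could smuggle a pipe or a second command in from the MRTG config.
    if not re.fullmatch(r"[A-Za-z0-9_./-]+", acl):
        raise ValueError("suspicious ACL name: %r" % acl)
    cmd = [RSH_EXE, "-l", RSH_USER, router, "show access-list " + acl]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main(argv):
    if len(argv) == 3:                     # mrtg-acl.py ROUTER ACL-NAME
        entries = parse_acl(fetch_acl(argv[1], argv[2]))
        target = argv[1]
    else:                                  # no args: run on the constructed sample
        entries = parse_acl(SAMPLE)
        target = "SAMPLE"
    print("\n".join(mrtg_lines(entries, target)))
    for (proto, port), hits in sorted(denied_by_port(entries).items()):
        print("# denied %s/%s: %d" % (proto, port, hits), file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments it prints the four MRTG lines for the sample (100308 permitted, 4429 denied) and the per-port deny breakdown on stderr; with `ROUTER ACL-NAME` it polls over rsh like the original. The match counters are cumulative since the last `clear access-list counters`, which is why the script emits the raw counter and leaves the per-interval rate to MRTG (its default counter mode), matching the pkts/s legends in the config above. A counter clear on the router looks like a counter wrap to MRTG, so keep AbsMax realistic so the resulting spike is discarded rather than graphed.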