[mrtg] Re: Graphing cisco access_list hits

John Lord lord at allturbo.com
Fri Aug 15 02:54:36 MEST 2003


Would the proper syntax be ./mrtg-rsh.sh 192.168.1.1 ACL 110 to test it,
because when I run it I get: ./mrtg-rsh.sh: 43: Syntax error: Bad substitution

Line 43 is: if [ ${i:0:1} = "(" ]

When I run rsh manually I get results, so I know rsh is working:

ns2# rsh -l root 192.168.1.1 sh access-list 110

Extended IP access list 110
    permit tcp any any established (3286790 matches)
    deny udp any any eq 135 (7021 matches)
    deny tcp any any eq 135 (528270 matches)
    deny udp any any eq netbios-ns (134230 matches)
    deny tcp any any eq 137
    deny udp any any eq netbios-dgm
    deny tcp any any eq 138
    deny udp any any eq netbios-ss
    deny tcp any any eq 139 (90996 matches)
    deny udp any any eq 445
    deny tcp any any eq 445 (163209 matches)
    deny udp any any eq 12345
    deny tcp any any eq 12345 (10 matches)
    deny udp any any eq 31337 (3 matches)
    deny tcp any any eq 31337 (5 matches)
    deny ip any host 1.1.0.0
    deny ip any host 2.2.0.0
    deny ip any 127.0.0.0 0.255.255.255
    deny ip any 10.0.0.0 0.255.255.255 (22 matches)
    deny ip any 172.16.0.0 0.15.255.255 (14 matches)
    deny ip any 192.168.0.0 0.0.255.255
    deny ip any 0.255.255.255 255.0.0.0
    deny ip any 0.0.255.255 255.255.0.0
    deny ip any 0.0.0.255 255.255.255.0 (796 matches)
    permit ip any any (4731478 matches)
    permit igmp any any
    permit ip 224.0.0.0 15.255.255.255 any
    deny ip any any log


John Lord(lord at allturbo.com)
IT Manager
AllTurbo Internet Services Inc
410-213-9388 Office
www.allturbo.com


-----Original Message-----
From: Michael Markstaller [mailto:mm at elabnet.de] 
Sent: Thursday, August 14, 2003 3:37 PM
To: John Lord; mrtg at list.ee.ethz.ch
Subject: RE: [mrtg] Graphing cisco access_list hits


You just triggered a thing I wanted to do a long time ago..
As there's no SNMP MIB available and I already use rsh (over an IPsec VPN
with very restrictive ACLs on the routers, for sure; it should be easy to
convert this to use telnet or ssh).. Quite quick & dirty, and I'm not very
good at writing shell scripts, but it works..

I extended my "get-rsh-shell-script" for mrtg:

--- cut mrtg-rsh.sh ---
#!/bin/sh
#
# MRTG external target polled over rsh. Prints the four lines MRTG
# expects: value in, value out, uptime, target name.
# Replace these variables with the corresponding values for your system:
# Exe is the location of the rsh binary, rshUser the user that is allowed
# to run "show" commands on the router.

Exe=/usr/bin/rsh
rshUser=YOUR_USER

# Get NAT-stats
if [ "$2" = "NAT" ]; then
 $Exe -l $rshUser $1 "show ip nat stat | inc Total active" | cut -d ':' -f 2 | awk '{print $1}' | head -n 1
 $Exe -l $rshUser $1 "sh ip inspect stat | inc Current" | head -n 1 | cut -d'[' -f 2 | cut -d':' -f 1 | awk '{print $1}' | head -n 1
 echo "0"
 echo $1
fi

# Get Input-Queue stats (interfaces $3 and $4)
if [ "$2" = "InQ" ]; then
 $Exe -l $rshUser $1 "show int $3 | inc Input" | head -n 1 | cut -d ':' -f 2 | cut -d '/' -f 1 | awk '{print $1}'
 $Exe -l $rshUser $1 "show int $4 | inc Input" | head -n 1 | cut -d ':' -f 2 | cut -d '/' -f 1 | awk '{print $1}'
 echo "0"
 echo $1
fi

# Get ACL Permitted/denied stats
# polls router with specified acl ($3) over rsh and sums up permits and
# denys
# Output: 1:PERMITTED 2:DENIED

if [ "$2" = "ACL" ]; then
PERMITcount=0
DENYcount=0
for i in `$Exe -l $rshUser $1 "sh access-list $3"`
do
	if [ "$i" = "permit" ]
	then
		acl="PERMIT"
	fi
	if [ "$i" = "deny" ]
	then
		acl="DENY"
	fi
	# the "(xxxx" word of "(xxxx matches)" carries the counter; tested with
	# a case pattern and ${i#\(} because ${i:0:1} and let are bash-only and
	# fail under a plain /bin/sh with "Bad substitution"
	case "$i" in
	"("*)
		n=${i#\(}
		case $acl in
			PERMIT)	PERMITcount=$((PERMITcount + n));;
			DENY)	DENYcount=$((DENYcount + n));;
		esac
		;;
	esac
done
echo $PERMITcount
echo $DENYcount
echo 0
echo $1
fi

--- cut mrtg-rsh.sh ---

MRTG-config:
#---------------------------------------------------------------
Target[ROUTER_inetacl]: `/usr/local/mrtg/bin/mrtg-rsh.sh ROUTER ACL FW-Ser0/0-Inet`
Directory[ROUTER_inetacl]: ROUTER
MaxBytes[ROUTER_inetacl]: 1000000
AbsMax[ROUTER_inetacl]: 10000000
Options[ROUTER_inetacl]: growright, nopercent
YLegend[ROUTER_inetacl]: Packets/sec
ShortLegend[ROUTER_inetacl]: pkts/s
LegendI[ROUTER_inetacl]:  Permitted:
LegendO[ROUTER_inetacl]:  Denied:
Legend1[ROUTER_inetacl]: Avg Pkts Permitted/sec
Legend2[ROUTER_inetacl]: Avg Pkts Denied/sec
Legend3[ROUTER_inetacl]: Max Pkts Permitted/sec
Legend4[ROUTER_inetacl]: Max Pkts Denied/sec
Title[ROUTER_inetacl]: ACL Packets -- ROUTER
PageTop[ROUTER_inetacl]: <H1>ACL Packets permitted/denied -- 04233.rentavpn.de</H1>
#---------------------------------------------------------------


maybe it helps..


Michael
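The same "show access-list" parse done in portable sh and awk, as an added example that is not Michael's script and not part of the thread: it sums the "(N matches)" counters per action, breaks denies down per "eq PORT" line (what the original question asked for), and emits the four MRTG lines. The sample output is constructed to mirror the format quoted above, and the function names acl_totals, acl_deny_by_port and acl_mrtg_lines are my own.

```shell
#!/bin/sh
# Constructed sample of Cisco "show access-list" output (not a real device).
ACL_SAMPLE='Extended IP access list 110
    permit tcp any any established (3286790 matches)
    deny udp any any eq 135 (7021 matches)
    deny tcp any any eq 135 (528270 matches)
    deny tcp any any eq 137
    deny udp any any eq netbios-ns (134230 matches)
    deny tcp any any eq 445 (163209 matches)
    permit ip any any (4731478 matches)
    deny ip any any log'

# Sum the match counters per action. Output: "<permitted> <denied>".
# Only POSIX sh and awk are used (no ${var:0:1}, no let), so this runs
# under /bin/sh on BSD or dash, where the bash-only script fails.
acl_totals() {
    printf '%s\n' "$1" | awk '
        /^ *(permit|deny) / {
            n = 0
            # "(N matches)" is 10 chars longer than N itself
            if (match($0, /\([0-9]+ matches\)/))
                n = substr($0, RSTART + 1, RLENGTH - 10)
            if ($1 == "permit") p += n; else d += n
        }
        END { printf "%d %d\n", p, d }'
}

# Deny counters per "eq PORT" entry, one "PORT COUNT" line each, sorted.
# Entries without a counter (never matched) are reported as 0.
acl_deny_by_port() {
    printf '%s\n' "$1" | awk '
        $1 == "deny" && /eq / {
            for (i = 1; i < NF; i++) if ($i == "eq") port = $(i + 1)
            n = 0
            if (match($0, /\([0-9]+ matches\)/))
                n = substr($0, RSTART + 1, RLENGTH - 10)
            cnt[port] += n
        }
        END { for (port in cnt) printf "%s %d\n", port, cnt[port] }' | sort
}

# MRTG external-target format: in, out, uptime, name ($2 is the target name).
acl_mrtg_lines() {
    set -- $(acl_totals "$1") "$2"
    printf '%s\n%s\n0\n%s\n' "$1" "$2" "$3"
}
```

In a real target the sample string would be replaced by the rsh command output, e.g. acl_totals "$($Exe -l $rshUser $1 "sh access-list $3")".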

-----Original Message-----
From: John Lord [mailto:lord at allturbo.com]
Sent: Thursday, August 14, 2003 6:32 PM
To: mrtg at list.ee.ethz.ch
Subject: [mrtg] Graphing cisco access_list hits


Has anyone got a config to graph Cisco access_list hits, or know how to
do it? Like I want to graph denies per port I have blocked.
John Lord
IT Manager
AllTurbo Internet Services Inc
410-213-9388 Office
www.allturbo.com


--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive     http://www.ee.ethz.ch/~slist/mrtg
FAQ         http://faq.mrtg.org    Homepage     http://www.mrtg.org
WebAdmin    http://www.ee.ethz.ch/~slist/lsg2.cgi

