North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: ACL Monitoring

  • From: Glynn Stanton
  • Date: Thu May 12 18:40:36 2005

If you anticipate doing a lot of this kind of monitoring in the future you
may want to take a look at the "expect" programming language , which has very simple "send"/"expect" constructs.
E.g. send "show acl 101/r" expect "access-list .." etc. Perl also allows
similar although is probably not quite as easy to pick up if you've never
done this kind of thing before.

Essentially you'd write a quick script to telnet or ssh to the router "send"
your commands, expect a result and do something based on that result. As I
said, its worth the time investment and you'll find once you get the script
done you can just reuse it for many other tasks.

The TACACS+ suggestion is also good.. Not only would it allow you to limit
who (authentication) can do what (authorization).. The accounting features
would also provide a log entry if an authorized user did do a no access-list
101.. You could then write a shell script to parse the accounting log.


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jim
Sent: Thursday, May 12, 2005 5:20 PM
To: Paul Ryan; [email protected]
Subject: RE: ACL Monitoring

I think a better solution maybe to implement TACACS+ and resrict rights on
who can do that..
Sounds like you don't trust someone..... 
I'd try that first...


-----Original Message-----
From: Paul Ryan [mailto:[email protected]]
Sent: Thursday, May 12, 2005 5:15 PM
To: [email protected]
Subject: ACL Monitoring
Importance: High

All - I am looking for a solution (open source, scripts) to allow me to
monitor ACL's on Cisco routers. So if for example a line dissapears from
an ACL or the entire ACL is removed - I am alerted via pager/e-mail etc.


Paul R