Send Netdot-users mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://osl.uoregon.edu/mailman/listinfo/netdot-users
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Netdot-users digest..."
Today's Topics:
1. CLI support for Netscreen (Nico)
2. Re: CLI support for Netscreen (Nico)
----------------------------------------------------------------------
Message: 1
Date: Mon, 10 Mar 2014 12:33:17 +0100
From: Nico <[email protected]>
Subject: [Netdot-users] CLI support for Netscreen
To: "[email protected]" <[email protected]>
Message-ID:
<CAKXQfmuZ5nfKmDebkd4JDoHqCw9+=TnQ5A5=vag4-bqtoiz...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hello,
Maybe this should have gone to the devel mailing list.
I'm trying to add support for the Netscreen CLI, as getting the ARP table
from SNMP is failing,
i.e.: DEBUG - Device::_get_arp_from_snmp: utumno.defaultdomain: Missing
information at row: 0.10.x.x.x
I think I'm lacking some basic knowledge of Perl programming or Netdot
specifics (most likely both). My changes so far took me to these errors
(also can't restart Apache):
root@alacran:/home/netdot/105-rc1# bin/updatedevices.pl -A -H utumno -d
Attempt to reload Netdot/Model/Device/CLI/CiscoFW.pm aborted.
Compilation failed in require at (eval 632) line 2.
...propagated at /usr/share/perl/5.14/base.pm line 93.
BEGIN failed--compilation aborted at (eval 631) line 1.
BEGIN failed--compilation aborted at
/home/netdot/105-rc1/lib/Netdot/Model.pm line 374.
Compilation failed in require at (eval 2) line 2.
...propagated at /usr/share/perl/5.14/base.pm line 93.
BEGIN failed--compilation aborted at
/home/netdot/105-rc1/lib/Netdot/Model/Device.pm line 3.
Compilation failed in require at bin/updatedevices.pl line 12.
BEGIN failed--compilation aborted at bin/updatedevices.pl line 12.
Changes so far:
* Copied CiscoFW.pm as Netscreen.pm and modified it (I think both
being firewalls they'll be the most similar).
* Added a line in Site.conf (FETCH_DEVICE_INFO_VIA_CLI) (will have to
change it to be less model-specific along the way)
'^netscreenNs5000' => 'Netscreen',
* Added line in /lib/Netdot/Meta.pm (%DERIVED_CLASSES); the class path must use '::' throughout
'Netscreen' =>
['Netdot::Model::Device::CLI::Netscreen','Netdot::Model::Device'],
* In ./lib/Netdot/Model/Device/CLI.pm (an `if (A) or (B) {` form is a Perl syntax error; the two conditions must sit inside one set of parentheses)
from: if ( $version == 6 && ref($self) =~ /CiscoFW$/o ){
to:   if ( $version == 6 && ref($self) =~ /(?:CiscoFW|Netscreen)$/o ){
My modified Netscreen.pm (so far I've only modified the
get_arp_from_cli function and the regexps are not tested; I'll surely
have to change more stuff):
root@alacran:/home/netdot/105-rc1# cat lib/Netdot/Model/Device/CLI/Netscreen.pm
package Netdot::Model::Device::CLI::Netscreen;
use base 'Netdot::Model::Device::CLI';
use warnings;
use strict;
use Net::Appliance::Session;

my $logger = Netdot->log->get_logger('Netdot::Model::Device');

# Some regular expressions
my $IPV4 = Netdot->get_ipv4_regex();
my $IPV6 = Netdot->get_ipv6_regex();
#my $CISCO_MAC = '\w{4}\.\w{4}\.\w{4}';
# ScreenOS prints MACs as 12 unseparated hex digits, e.g. 001a6ca5413f.
# The same variable name must be used everywhere below ('use strict'
# rejects the undeclared $Netscreen_MAC that an earlier draft used).
my $NETSCREEN_MAC = '\w{12}';

=head1 NAME

Netdot::Model::Device::CLI::Netscreen - Netscreen Firewall Class

=head1 SYNOPSIS

Overrides certain methods from the Device class. Specifically, methods in
this class try to obtain forwarding tables and ARP/ND caches via CLI
instead of via SNMP.

=head1 INSTANCE METHODS

=cut

############################################################################

=head2 get_arp - Fetch ARP tables

  Arguments:
    session - SNMP session (optional)
  Returns:
    Hashref
  Examples:
    my $cache = $self->get_arp(%args)

=cut

sub get_arp {
    my ($self, %argv) = @_;
    $self->isa_object_method('get_arp');
    my $host = $self->fqdn;

    unless ( $self->collect_arp ){
        $logger->debug(sub{"Device::Netscreen::_get_arp: $host excluded from ARP collection. Skipping"});
        return;
    }
    if ( $self->is_in_downtime ){
        $logger->debug(sub{"Device::Netscreen::_get_arp: $host in downtime. Skipping"});
        return;
    }

    # This will hold both ARP and v6 ND caches
    my %cache;

    ### v4 ARP
    my $start = time;
    my $arp_count = 0;
    my $arp_cache = $self->_get_arp_from_cli(host=>$host) ||
        $self->_get_arp_from_snmp(session=>$argv{session});
    foreach ( keys %$arp_cache ){
        $cache{'4'}{$_} = $arp_cache->{$_};
        $arp_count+= scalar(keys %{$arp_cache->{$_}})
    }
    my $end = time;
    $logger->info(sub{ sprintf("$host: ARP cache fetched. %s entries in %s",
                               $arp_count, $self->sec2dhms($end-$start) ) });

    if ( $self->config->get('GET_IPV6_ND') ){
        ### v6 ND
        $start = time;
        my $nd_count = 0;
        my $nd_cache = $self->_get_v6_nd_from_cli(host=>$host) ||
            $self->_get_v6_nd_from_snmp($argv{session});
        # Here we have to go one level deeper in order to
        # avoid losing the previous entries
        foreach ( keys %$nd_cache ){
            foreach my $ip ( keys %{$nd_cache->{$_}} ){
                $cache{'6'}{$_}{$ip} = $nd_cache->{$_}->{$ip};
                $nd_count++;
            }
        }
        $end = time;
        $logger->info(sub{ sprintf("$host: IPv6 ND cache fetched. %s entries in %s",
                                   $nd_count, $self->sec2dhms($end-$start) ) });
    }

    return \%cache;
}

############################################################################
#_get_arp_from_cli - Fetch ARP tables via CLI
#
#   Arguments:
#     host
#   Returns:
#     Hash ref.
#   Examples:
#     $self->_get_arp_from_cli();
#
#
sub _get_arp_from_cli {
    my ($self, %argv) = @_;
    $self->isa_object_method('_get_arp_from_cli');

    my $host = $argv{host};
    my $args = $self->_get_credentials(host=>$host);
    return unless ref($args) eq 'HASH';

    # ScreenOS uses 'get arp' (the PIX/ASA class used 'show arp' with personality 'pixos')
    my @output = $self->_cli_cmd(%$args, host=>$host, cmd=>'get arp',
                                 personality=>'netscreenos');

    my %cache;
    my ($iname, $ip, $mac);

    # Lines look like this (two tables; addresses masked):
    #
    # IP        Mac          VR/Interface          State Age Retry PakQue Sess_cnt
    # ---------------------------------------------------------------------------
    # 10.x.x.x  001a6ca5413f trust-vr/eth3/1.1500  VLD   505 0     0      0
    #
    # Arp entries on AIC Chip(s)
    # L2idx IP       Dst_Mac      Interface  Src_Mac      Vlan Sat Flag Ref_cnt
    # 8890  10.y.y.y 001372918a1d eth2/5.11  0010dbff40b0 11   0   0x2  0
    #
    # Dst_Mac is the neighbour's address (the one we want); Src_Mac is
    # the interface's own address.
    foreach my $line ( @output ) {
        chomp($line);
        if ( $line =~ /^\s*($IPV4)\s+($NETSCREEN_MAC)\s+(\S+)\s+VLD\b/o ) {
            # Main table: only VLD (valid) entries carry a resolved MAC
            ($ip, $mac, $iname) = ($1, $2, $3);
        }elsif ( $line =~ /^\s*\d+\s+($IPV4)\s+($NETSCREEN_MAC)\s+(\S+)\s+$NETSCREEN_MAC\b/o ){
            # AIC chip table. Both tables give the IP directly, so unlike
            # the CiscoFW class there is no hostname to resolve here.
            ($ip, $mac, $iname) = ($1, $2, $3);
        }else{
            $logger->debug(sub{"Device::CLI::Netscreen::_get_arp_from_cli: ".
                               "line did not match criteria: $line" });
            next;
        }
        # The failover interface appears in the arp output but it's
        # not in the IF-MIB output
        next if ($iname eq 'failover');
        unless ( $ip && $mac && $iname ){
            $logger->debug(sub{"Device::Netscreen::_get_arp_from_cli: Missing information: $line" });
            next;
        }
        # Store in hash
        $cache{$iname}{$ip} = $mac;
    }
    return $self->_validate_arp(\%cache, 4);
}

############################################################################
#_get_v6_nd_from_cli - Fetch IPv6 ND tables via CLI
#
#   Arguments:
#     host
#   Returns:
#     Hash ref.
#   Examples:
#     $self->_get_v6_nd_from_cli(host=>'foo');
#
sub _get_v6_nd_from_cli {
    my ($self, %argv) = @_;
    $self->isa_object_method('_get_v6_nd_from_cli');

    my $host = $argv{host};
    my $args = $self->_get_credentials(host=>$host);
    return unless ref($args) eq 'HASH';

    # Still the CiscoFW command and personality; not yet adapted to ScreenOS
    my @output = $self->_cli_cmd(%$args, host=>$host, cmd=>'show ipv6 neighbor',
                                 personality=>'pixos');
    shift @output; # Ignore header line

    my %cache;
    foreach my $line ( @output ) {
        my ($ip, $mac, $iname);
        chomp($line);
        # Lines look like this:
        # fe80::224:e8ff:fe51:6abe  0  0024.e851.6abe  REACH  dmz
        if ( $line =~ /^($IPV6)\s+\d+\s+($NETSCREEN_MAC)\s+\S+\s+(\S+)/o ) {
            $ip    = $1;
            $mac   = $2;
            $iname = $3;
        }else{
            $logger->debug(sub{"Device::CLI::Netscreen::_get_v6_nd_from_cli: ".
                               "line did not match criteria: $line" });
            next;
        }
        unless ( $iname && $ip && $mac ){
            $logger->debug(sub{"Device::Netscreen::_get_v6_nd_from_cli: Missing information: $line"});
            next;
        }
        $cache{$iname}{$ip} = $mac;
    }
    return $self->_validate_arp(\%cache, 6);
}

############################################################################
# _reduce_iname
#
# Interface names from SNMP are stupidly long and don't match the short name
# in the ARP output so we have to do some pattern matching. Of course, this
# will break when they decide to change the string.
#
#   Arguments:
#     string
#   Returns:
#     string
#
sub _reduce_iname{
    my ($self, $name) = @_;
    return unless $name;
    if ( $name =~ /Appliance \'(\S+)\' interface/ ){
        return $1;
    }elsif ( $name =~ /Firewall Services Module \'(\S+)\' interface/ ){
        return $1;
    }
    return $name;
}

=head1 AUTHOR

Carlos Vicente, C<< <cvicente at ns.uoregon.edu> >>

=head1 COPYRIGHT & LICENSE

Copyright 2012 University of Oregon, all rights reserved.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTIBILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

=cut

#Be sure to return 1
1;
Greetings,
Nico
------------------------------
Message: 2
Date: Mon, 10 Mar 2014 18:52:23 +0100
From: Nico <[email protected]>
Subject: Re: [Netdot-users] CLI support for Netscreen
To: "[email protected]" <[email protected]>
Message-ID:
<cakxqfmupxmanuf5idvzqz+d4ueugeschbmlfm3kfduo5dwi...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hello,
Thanks to Vincent Magnin's help I'm having limited success: I can get
the ARP list and the lines match the regexps, but I can't get it through
the validate_arp function except for the management interface. It may
have something to do with interface names containing the slash character
(/), except for the management one. I've modified the _reduce_iname
function in Netscreen.pm so that the names match those of the interface
names, to no avail.
Attached goes my latest version of Netscreen.pm.
Also I modified the pb:
root@alacran:/home/netdot/105-rc1# cat "/usr/share/perl5/Net/CLI/Interact/phrasebook/cisco/screenos/pb"
prompt prompt
match /-> ?$/
prompt privileged
match /> ?$/
prompt configure
match /# ?$/
prompt user
match /(?:[Ll]ogin|[Uu]sername)/
macro paging
send ''
macro end_privileged
send ''
The relevant output of updatedevices on the Netscreen device:
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/8.305 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/8.302 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/8.302 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/7.351 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.11 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.121 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.56 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.50 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.87 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/7.353 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.121 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/4 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.524 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.87 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/8.305 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet3/1.1500 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/4 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/7.354 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/7.351 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/7.354 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.56 to any interface name
DEBUG - Device::CLI::_validate_arp: utumno.defaultdomain: valid:
mgt.1360 -> 10.x.x.x -> 000AF4E*****
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.11 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.49 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.2 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet3/1.1500 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.2 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.524 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.107 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.50 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/7.353 to any interface name
WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
match ethernet2/5.49 to any interface name
WARN - Device::CLI::_validate_arp: We have no subnet information. ARP
validation will fail except for link-local addresses
INFO - utumno.defaultdomain: IPv6 ND cache fetched. 0 entries in 1 sec
DEBUG - utumno.defaultdomain: Updating ARP cache
DEBUG - PhysAddr::fast_update: Updating MAC addresses in DB
DEBUG - PhysAddr::fast_update: Done Updating: 1 addresses in 0 sec
DEBUG - Ipblock::fast_update: Updating IP addresses in DB
DEBUG - Ipblock::fast_update: Done Updating: 1 addresses in 0 sec
DEBUG - Ipblock::_build_tree_mem: Building hierarchy for IPv4 space
DEBUG - Ipblock::_tree_save: Saved iptree4
DEBUG - Ipblock::_buil_tree_mem done. 39854 v4 entries in 2 sec
DEBUG - Ipblock::build_tree: Applying hierarchy changes to DB
DEBUG - Ipblock::build_tree done saving 0 v4 entries in 0 sec
DEBUG - utumno.defaultdomain: ARP cache updated. 1 entries in 4 sec
INFO - Device::snmp_update: utumno.defaultdomain: Finished updating
INFO - bin/updatedevices.pl total runtime: 8 sec
2014-03-10 15:09 GMT+01:00 Vincent Magnin <[email protected]>:
> Hi again,
>
> My error was due to forget to copy the file on the right place ( :D ).
>
> I found more errors on your codes:
>
> - You use $hostname instead of $host
> - A bracket was missing
>
> I've found these 2 errors using perl command line ( perl
> /usr/local/netdot/lib/Netdot/Model/Device/CLI/Netscreen.pm ). If you have an
> error due to $log missing, it's normal.
>
>
> Now, I was able to start apache.
>
>
> About the line " personality=>'netscreenos' ":
>
> - This is related to Net::CLI::Interact::Manual::Phrasebook .
>
>
> The corresponding phrasebook, netscreenos, has to be created:
>
> 1. Create a directory like
> /usr/local/share/perl5/Net/CLI/Interact/phrasebook/cisco/netscreenos
> This directory might be somewhere else on your system
>
> 2. Add a file named 'pb' containing your phrasebook. My file looks like
> following (untested):
>
> cat /usr/local/share/perl5/Net/CLI/Interact/phrasebook/cisco/netscreenos/pb
>>
>> prompt prompt
>> match /[\/a-zA-Z0-9._\@-]+ ?(?:\(config[^)]*\))? ?[#>] ?$/
>>
>> prompt privileged
>> match /> ?$/
>>
>> prompt configure
>> match /# ?$/
>>
>> prompt user
>> match /(?:[Ll]ogin|[Uu]sername)/
>
>
>
> --
> ------------------------------------------------------------------------
> Vincent Magnin [email protected]
> Network & Telecom Engineer +41 21 692 22 48
> UNIL, Centre Informatique, 1015 Lausanne
> Switzerland
--
Nico
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Netscreen.pm
Type: application/octet-stream
Size: 7251 bytes
Desc: not available
Url : http://osl.uoregon.edu/pipermail/netdot-users/attachments/20140310/ad471985/attachment.obj
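The following is an added example and is not Nico's module, Vincent's phrasebook or any Netdot code. It is a stand-alone Perl script that parses both tables of ScreenOS `get arp` output the way the regexes in message 1 intend (only VLD entries from the main table, Dst_Mac from the AIC-chip table, MACs restricted to hex), and then performs the same interface-name matching step that produces the "Could not match ... to any interface name" warnings in message 2, listing the unmatched names so they can be compared with what Netdot has stored for the device. The sample output lines, the addresses in them, the known-interface list, and the normalization in `reduce_iname` (dropping the `trust-vr/` virtual-router prefix and expanding `eth` to `ethernet`) are all constructed assumptions for this example; the thread does not say what names Netdot holds for this device.

```perl
#!/usr/bin/perl
# Added example: stand-alone parser for ScreenOS 'get arp' output.
# Not Netdot code; sample data below is constructed.
use strict;
use warnings;

# Constructed sample of 'get arp' output: main table followed by the
# AIC chip table. IPs and MACs are made up; the last line has a bad MAC.
my @SAMPLE = (
    'IP               Mac          VR/Interface          State Age Retry PakQue Sess_cnt',
    '----------------------------------------------------------------------------------',
    '10.1.2.3         001a6ca5413f trust-vr/eth3/1.1500  VLD   505 0     0      0',
    '10.1.2.9         0000deadbeef trust-vr/eth2/4       PND   10  1     0      0',
    'Arp entries on AIC Chip(s)',
    'L2idx IP         Dst_Mac      Interface  Src_Mac      Vlan Sat Flag Ref_cnt',
    '8890  10.9.8.7   001372918a1d eth2/5.11  0010dbff40b0 11   0   0x2  0',
    '8891  10.9.8.8   zz1372918a1d eth2/5.11  0010dbff40b0 11   0   0x2  0',
);

my $IPV4 = qr/(?:\d{1,3}\.){3}\d{1,3}/;
my $MAC  = qr/[0-9a-fA-F]{12}/;   # ScreenOS prints 12 unseparated hex digits

# Bring the ARP-side name into the form assumed to come from IF-MIB.
# Assumption (not from the thread): strip the 'xxx-vr/' prefix and
# expand 'eth' to 'ethernet'; 'mgt' style names are left alone.
sub reduce_iname {
    my ($name) = @_;
    return unless defined $name;
    $name =~ s{^[\w-]*-vr/}{};          # 'trust-vr/eth3/1.1500' -> 'eth3/1.1500'
    $name =~ s{^eth(?=\d)}{ethernet};   # 'eth3/1.1500' -> 'ethernet3/1.1500'
    return $name;
}

# Returns (\%cache, \@skipped); $cache{iname}{ip} = MAC in uppercase,
# the form Netdot's PhysAddr logs show (e.g. 000AF4E*****).
sub parse_netscreen_arp {
    my @output = @_;
    my (%cache, @skipped);
    for my $line (@output) {
        chomp $line;
        my ($ip, $mac, $iname);
        if ( $line =~ /^\s*($IPV4)\s+($MAC)\s+(\S+)\s+VLD\b/ ) {
            # Main table: only VLD (valid) entries carry a resolved MAC
            ($ip, $mac, $iname) = ($1, $2, $3);
        }
        elsif ( $line =~ /^\s*\d+\s+($IPV4)\s+($MAC)\s+(\S+)\s+$MAC\b/ ) {
            # AIC chip table: L2idx IP Dst_Mac Interface Src_Mac ...
            ($ip, $mac, $iname) = ($1, $2, $3);
        }
        else {
            push @skipped, $line;   # headers, separators, PND entries, bad MACs
            next;
        }
        $cache{ reduce_iname($iname) }{$ip} = uc $mac;
    }
    return (\%cache, \@skipped);
}

# Mirror the check in Device::CLI::_validate_arp: keep entries whose
# interface name is known to the device record, report the rest.
sub match_interfaces {
    my ($cache, @known) = @_;
    my %known = map { $_ => 1 } @known;
    my (%valid, @unmatched);
    for my $iname (sort keys %$cache) {
        if ( $known{$iname} ) { $valid{$iname} = $cache->{$iname} }
        else                  { push @unmatched, $iname }
    }
    return (\%valid, \@unmatched);
}

my ($cache, $skipped) = parse_netscreen_arp(@SAMPLE);
# Constructed list of names the device record is assumed to hold
my ($valid, $unmatched) = match_interfaces($cache, 'ethernet3/1.1500', 'mgt.1360');

for my $iname (sort keys %$valid) {
    printf "valid: %-18s %-15s %s\n", $iname, $_, $valid->{$iname}{$_}
        for sort keys %{ $valid->{$iname} };
}
print "unmatched interface: $_\n" for @$unmatched;
print "skipped line: $_\n"        for @$skipped;
```

Run as-is it accepts one entry (ethernet3/1.1500), reports ethernet2/5.11 as unmatched, and skips the headers, the PND entry and the line with the non-hex MAC. When debugging the warnings in message 2, replace the constructed known-interface list with the names Netdot actually stores for the device and adjust `reduce_iname` until the unmatched list is empty.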
------------------------------
End of Netdot-users Digest, Vol 64, Issue 6