
Today's Topics:

   1. Re: CLI support for Netscreen (Carlos Vicente)
   2. Re: CLI support for Netscreen (Robert Kerr)
   3. Re: CLI support for Netscreen (Nico)


----------------------------------------------------------------------

Message: 1
Date: Mon, 10 Mar 2014 15:30:55 -0400
From: Carlos Vicente <[email protected]>
Subject: Re: [Netdot-users] CLI support for Netscreen
To: Nico <[email protected]>
Cc: "[email protected]" <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252

Nico,

What do the interface names look like in Netdot, and what do they look like in
the output of "get arp" from the CLI?

The issue is in the _reduce_iname() method, I bet.

cv

On Mar 10, 2014, at 1:52 PM, Nico <[email protected]> wrote:

> Hello,
> 
> Thanks to Vincent Magnin's help I'm having limited success. I can get
> the arp list, and the lines match the regexps, but I can't get it through
> the validate_arp function except for the management interface. It could
> have something to do with interface names containing the slash character
> (/), except for the management one. I've modified the _reduce_iname
> function in Netscreen.pm so that names match those in the interface
> names, to no avail.
> 
> Attached goes my latest version of Netscreen.pm
> 
> Also I modified the pb
> root@alacran:/home/netdot/105-rc1# cat
> "/usr/share/perl5/Net/CLI/Interact/phrasebook/cisco/screenos/pb"
> prompt prompt
>    match /-> ?$/
> 
> prompt privileged
>    match /> ?$/
> 
> prompt configure
>    match /# ?$/
> 
> prompt user
>    match /(?:[Ll]ogin|[Uu]sername)/
> macro paging
>    send ''
> macro end_privileged
>    send ''
> 
> The relevant output of the updatedevice on the netscreen device:
> 
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/8.305 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/8.302 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/8.302 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/7.351 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.11 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.121 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.56 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.50 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.87 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/7.353 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.121 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/4 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.524 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.87 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/8.305 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet3/1.1500 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/4 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/7.354 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/7.351 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/7.354 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.56 to any interface name
> DEBUG - Device::CLI::_validate_arp: utumno.defaultdomain: valid:
> mgt.1360 -> 10.x.x.x -> 000AF4E*****
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.11 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.49 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.2 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet3/1.1500 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.2 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.524 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.107 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.50 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/7.353 to any interface name
> WARN - Device::CLI::_validate_arp: utumno.defaultdomain: Could not
> match ethernet2/5.49 to any interface name
> WARN - Device::CLI::_validate_arp: We have no subnet information. ARP
> validation will fail except for link-local addresses
> INFO - utumno.defaultdomain: IPv6 ND cache fetched. 0 entries in 1 sec
> DEBUG - utumno.defaultdomain: Updating ARP cache
> DEBUG - PhysAddr::fast_update: Updating MAC addresses in DB
> DEBUG - PhysAddr::fast_update: Done Updating: 1 addresses in 0 sec
> DEBUG - Ipblock::fast_update: Updating IP addresses in DB
> DEBUG - Ipblock::fast_update: Done Updating: 1 addresses in 0 sec
> DEBUG - Ipblock::_build_tree_mem: Building hierarchy for IPv4 space
> DEBUG - Ipblock::_tree_save: Saved iptree4
> DEBUG - Ipblock::_buil_tree_mem done. 39854 v4 entries in 2 sec
> DEBUG - Ipblock::build_tree: Applying hierarchy changes to DB
> DEBUG - Ipblock::build_tree done saving 0 v4 entries in 0 sec
> DEBUG - utumno.defaultdomain: ARP cache updated. 1 entries in 4 sec
> INFO - Device::snmp_update: utumno.defaultdomain: Finished updating
> INFO - bin/updatedevices.pl total runtime: 8 sec
> 
> 2014-03-10 15:09 GMT+01:00 Vincent Magnin <[email protected]>:
>> Hi again,
>> 
>> My error was due to forgetting to copy the file to the right place ( :D ).
>> 
>> I found more errors in your code:
>> 
>> - You use $hostname instead of $host
>> - A bracket was missing
>> 
>> I've found these 2 errors using perl command line ( perl
>> /usr/local/netdot/lib/Netdot/Model/Device/CLI/Netscreen.pm ). If you have an
>> error due to $log missing, it's normal.
>> 
>> 
>> Now, I was able to start apache.
>> 
>> 
>> About the line " personality=>'netscreenos' ":
>> 
>> - This is related to Net::CLI::Interact::Manual::Phrasebook .
>> 
>> 
>> The corresponding phrasebook, netscreenos, has to be created:
>> 
>> 1. Create a directory like
>> /usr/local/share/perl5/Net/CLI/Interact/phrasebook/cisco/netscreenos
>>   This directory might be somewhere else on your system
>> 
>> 2. Add a file named 'pb' containing your phrasebook. My file looks like
>> the following (untested):
>> 
>> cat /usr/local/share/perl5/Net/CLI/Interact/phrasebook/cisco/netscreenos/pb
>>> 
>>> prompt prompt
>>>    match /[\/a-zA-Z0-9._\@-]+ ?(?:\(config[^)]*\))? ?[#>] ?$/
>>> 
>>> prompt privileged
>>>    match /> ?$/
>>> 
>>> prompt configure
>>>    match /# ?$/
>>> 
>>> prompt user
>>>    match /(?:[Ll]ogin|[Uu]sername)/
>> 
>> 
>> 
>> --
>> ------------------------------------------------------------------------
>> Vincent Magnin                                    [email protected]
>> Ingénieur Réseau & Télécom                              +41 21 692 22 48
>> UNIL, Centre Informatique, 1015 Lausanne
>> Switzerland
> 
> 
> 
> -- 
> Nico
> <Netscreen.pm>_______________________________________________
> Netdot-users mailing list
> [email protected]
> https://osl.uoregon.edu/mailman/listinfo/netdot-users




------------------------------

Message: 2
Date: Tue, 11 Mar 2014 09:42:32 +0000
From: Robert Kerr <[email protected]>
Subject: Re: [Netdot-users] CLI support for Netscreen
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1

On 10/03/14 11:33, Nico wrote:
> Hello,
> 
> Maybe this should have gone to the devel mailing list.
> 
> I'm trying to add support for Netscreen CLI, as getting the ARP table
> from SNMP is failing.
> ie: DEBUG - Device::_get_arp_from_snmp: utumno.defaultdomain: Missing
> information at row: 0.10.x.x.x

It would be interesting to know the version of SNMP::Info and ScreenOS
in use. There are potentially 2 different ways to get the ARP table from
ScreenOS via SNMP. SNMP::Info 3.12 uses a different method to 3.11 -
this fixes issues with some hardware/software versions but might be
breaking things for you?

See this bug:

 http://sourceforge.net/p/snmp-info/bugs/52/

If you're using 3.11 it would be worth trying 3.12 and vice-versa.

-- 
 Robert Kerr


------------------------------

Message: 3
Date: Tue, 11 Mar 2014 11:51:35 +0100
From: Nico <[email protected]>
Subject: Re: [Netdot-users] CLI support for Netscreen
To: Robert Kerr <[email protected]>
Cc: "[email protected]" <[email protected]>
Message-ID:
        <cakxqfmubq3llmlpdlf8uhhx6r_bmuhuoj8r6rlvcbtmtnxt...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

My SNMP::Info Installed: 2.08 (whoa!)
I have 2 Netscreens.
SSG-550 version 6.3.0r7.0
NetScreen-5000 version 6.3.0r12.0

I upgraded SNMP::Info to version 3.12, had to download
NETSCREEN-IP-ARP.mib afterwards, and still have the same error. But it
seems to extract more information for the device, thanks for the tip!

On the other hand the CLI script is now working well and fetching the
ARP cache for both the 5400 and the SSG-550.

My user on the firewalls has permission to do a "get arp" out of the
box and seems not to have a pager, so I didn't try that
functionality; I don't know if it could be a problem for people with
other authorization setups.

I left the ND part in there that is doing nothing. I guess it should be
removed as it does nothing, but I fear it could break something else.
The working version of Netscreen.pm...

package Netdot::Model::Device::CLI::Netscreen;

use base 'Netdot::Model::Device::CLI';
use warnings;
use strict;
use Net::Appliance::Session;

my $logger = Netdot->log->get_logger('Netdot::Model::Device');

# Some regular expressions
my $IPV4 = Netdot->get_ipv4_regex();
my $IPV6 = Netdot->get_ipv6_regex();
my $CISCO_MAC = '\w{4}\.\w{4}\.\w{4}';
my $NETSCREEN_MAC = '\w{12}';

=head1 NAME

Netdot::Model::Device::CLI::Netscreen - Netscreen Firewall  Class

=head1 SYNOPSIS

 Overrides certain methods from the Device class. Specifically, methods in
 this class try to obtain forwarding tables and ARP/ND caches via CLI
 instead of via SNMP.

=head1 INSTANCE METHODS

=cut

############################################################################

=head2 get_arp - Fetch ARP tables

  Arguments:
    session - SNMP session (optional)
  Returns:
    Hashref
  Examples:
    my $cache = $self->get_arp(%args)

=cut

sub get_arp {
    my ($self, %argv) = @_;
    $self->isa_object_method('get_arp');
    my $host = $self->fqdn;

    unless ( $self->collect_arp ){
        $logger->debug(sub{"Device::Netscreen::_get_arp: $host excluded from ARP collection. Skipping"});
        return;
    }
    if ( $self->is_in_downtime ){
        $logger->debug(sub{"Device::Netscreen::_get_arp: $host in downtime. Skipping"});
        return;
    }

    # This will hold both ARP and v6 ND caches
    my %cache;

    ### v4 ARP
    my $start = time;
    my $arp_count = 0;
    # Try the CLI first; fall back to SNMP if the CLI returns nothing
    my $arp_cache = $self->_get_arp_from_cli(host=>$host) ||
        $self->_get_arp_from_snmp(session=>$argv{session});
    foreach ( keys %$arp_cache ){
        $cache{'4'}{$_} = $arp_cache->{$_};
        $arp_count += scalar(keys %{$arp_cache->{$_}});
    }
    my $end = time;
    $logger->info(sub{ sprintf("$host: ARP cache fetched. %s entries in %s",
                               $arp_count, $self->sec2dhms($end-$start) ) });


    if ( $self->config->get('GET_IPV6_ND') ){
        ### v6 ND
        $start = time;
        my $nd_count = 0;
        my $nd_cache = $self->_get_v6_nd_from_cli(host=>$host) ||
            $self->_get_v6_nd_from_snmp($argv{session});
        # Here we have to go one level deeper in order to
        # avoid losing the previous entries
        foreach ( keys %$nd_cache ){
            foreach my $ip ( keys %{$nd_cache->{$_}} ){
                $cache{'6'}{$_}{$ip} = $nd_cache->{$_}->{$ip};
                $nd_count++;
            }
        }
        $end = time;
        $logger->info(sub{ sprintf("$host: IPv6 ND cache fetched. %s entries in %s",
                                   $nd_count, $self->sec2dhms($end-$start) ) });
    }

    return \%cache;
}

############################################################################
#_get_arp_from_cli - Fetch ARP tables via CLI
#
#
#   Arguments:
#     host
#   Returns:
#     Hash ref.
#   Examples:
#     $self->_get_arp_from_cli();
#
#
sub _get_arp_from_cli {
    my ($self, %argv) = @_;
    $self->isa_object_method('_get_arp_from_cli');

    my $host = $argv{host};
    my $args = $self->_get_credentials(host=>$host);
    # Same guard as in _get_v6_nd_from_cli: without credentials there is nothing to do
    return unless ref($args) eq 'HASH';

    my @output = $self->_cli_cmd(%$args, host=>$host, cmd=>'get arp',
                                 personality=>'screenos');

    my %cache;
    # Lines look like this:
    #10.x.x.x  001a6ca5413f  trust-vr/eth3/1.1500    VLD   505      0     0     0
    #8890   10.y.y.y     001372918a1d  eth2/5.11        0010dbff40b0 11    0     0x2    0
    foreach my $line ( @output ) {
        # Declared per line so values never carry over from a previous line
        my ($iname, $ip, $mac);
        # strip the virtual router name from the interface names
        if ( $line =~ /^\s*($IPV4)\s*($NETSCREEN_MAC)\s*\S*(eth|mgt)([a-zA-Z\/0-9\.-]*)\s*.*$/ ) {
            if ( $3 eq 'eth' ) {
                $iname = "ethernet".$4;
            }
            elsif ( $3 eq 'mgt' ) {
                $iname = "mgt".$4;
            }
            $ip  = $1;
            $mac = $2;
        }elsif ( $line =~ /^\d*\s*($IPV4)\s*($NETSCREEN_MAC)\s*(eth|mgt)([a-zA-Z\/0-9\.-]*).*$/ ){
            # The 'dns domain-lookup outside' option causes outside-facing entries
            # to be reported as hostnames
            if ( $3 eq 'eth' ) {
                $iname = "ethernet".$4;
            }
            elsif ( $3 eq 'mgt' ) {
                $iname = "mgt".$4;
            }
            $ip  = $1;
            $mac = $2;
        }else{
            $logger->debug(sub{"Device::CLI::Netscreen::_get_arp_from_cli: line did not match criteria: ".
                                   "$line" });
            next;
        }

        # The failover interface appears in the arp output but it's not in the IF-MIB output
        next if ($iname eq 'failover');

        unless ( $ip && $mac && $iname ){
            $logger->debug(sub{"Device::Netscreen::_get_arp_from_cli: Missing information: $line" });
            next;
        }

        # Store in hash
        $cache{$iname}{$ip} = $mac;
    }
    return $self->_validate_arp(\%cache, 4);
}



############################################################################
#_get_v6_nd_from_cli - Fetch IPv6 ND cache via CLI
#
#   Arguments:
#     host
#   Returns:
#     Hash ref.
#   Examples:
#     $self->_get_v6_nd_from_cli(host=>'foo');
#
sub _get_v6_nd_from_cli {
    my ($self, %argv) = @_;
    $self->isa_object_method('_get_v6_nd_from_cli');

    my $host = $argv{host};
    my $args = $self->_get_credentials(host=>$host);
    return unless ref($args) eq 'HASH';

    my @output = $self->_cli_cmd(%$args, host=>$host, cmd=>'show ipv6 neighbor',
                                 personality=>'screenos');
    shift @output; # Ignore header line
    my %cache;
    foreach my $line ( @output ) {
        my ($ip, $mac, $iname);
        chomp($line);
        # Lines look like this:
        # fe80::224:e8ff:fe51:6abe                    0 0024.e851.6abe  REACH dmz
        if ( $line =~ /^($IPV6)\s+\d+\s+($CISCO_MAC)\s+\S+\s+(\S+)/o ) {
            $ip    = $1;
            $mac   = $2;
            $iname = $3;
        }else{
            $logger->debug(sub{"Device::CLI::Netscreen::_get_v6_nd_from_cli: ".
                                   "line did not match criteria: $line" });
            next;
        }
        unless ( $iname && $ip && $mac ){
            $logger->debug(sub{"Device::Netscreen::_get_v6_nd_from_cli: Missing information: $line"});
            next;
        }
        $cache{$iname}{$ip} = $mac;
    }
    return $self->_validate_arp(\%cache, 6);
}


############################################################################
# _reduce_iname
#
# I've kept the function name, but it does more than reduce it.
# Interface names from get arp come mixed with vrouter names, and in a
# format different from what netdot has in the interface table for the device:
#   eth2/8.305 instead of ethernet2/8.305
#   SAN-vr/eth2/7.351 instead of ethernet2/7.351
# They don't match the name in the ARP output, so we have to do some
# pattern matching.
# Of course, this will break when they decide to change the string.
#
# Arguments:
#   string
# Returns:
#   string
#
sub _reduce_iname{
    my ($self, $name) = @_;
    return unless $name;
    if ( $name =~ /.*eth(.*)/ ){
        return "eth".$1;
    }elsif ( $name =~ /.*mgt(.*)/ ){
        return "mgt".$1;
    }
    return $name;
}

=head1 AUTHOR

Carlos Vicente, C<< <cvicente at ns.uoregon.edu> >>

=head1 COPYRIGHT & LICENSE

Copyright 2012 University of Oregon, all rights reserved.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTIBILITY
or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

=cut

#Be sure to return 1
1;
########################################## END Netscreen.pm

And the (a bit dummy) pb file:


# /usr/share/perl5/Net/CLI/Interact/phrasebook/cisco/screenos/pb
prompt prompt
    match /-> ?$/

prompt privileged
    match /> ?$/

prompt configure
    match /# ?$/

prompt user
    match /(?:[Ll]ogin|[Uu]sername)/
macro paging
    send ''
macro end_privileged
    send ''

Output from arp updates:

root@alacran:/home/netdot/105-rc1# bin/updatedevices.pl -A -H ssg-internet
INFO - bin/updatedevices.pl started at Tue Mar 11 11:46:05 2014
INFO - Updating single device: ssg-internet
WARN - Device::CLI::_validate_arp: ssg-internet.defaultdomain: Could
not match ethernet0/3.8 to any interface name
INFO - ssg-internet.defaultdomain: ARP cache fetched. 21 entries in 13 sec
WARN - Device::CLI::_validate_arp: We have no subnet information. ARP
validation will fail except for link-local addresses
INFO - ssg-internet.defaultdomain: IPv6 ND cache fetched. 0 entries in 12 sec
INFO - Device::snmp_update: ssg-internet.defaultdomain: Finished updating
INFO - bin/updatedevices.pl total runtime: 56 sec

About that ethernet0/3.8: it really is not in the interface list of the
device (will look into why), so I don't think it's the CLI's fault.

root@alacran:/home/netdot/105-rc1# bin/updatedevices.pl -A -H utumno
INFO - bin/updatedevices.pl started at Tue Mar 11 11:47:22 2014
INFO - Updating single device: utumno
INFO - utumno.defaultdomain: ARP cache fetched. 83 entries in 14 sec
WARN - Device::CLI::_validate_arp: We have no subnet information. ARP
validation will fail except for link-local addresses
INFO - utumno.defaultdomain: IPv6 ND cache fetched. 0 entries in 12 sec
INFO - Device::snmp_update: utumno.defaultdomain: Finished updating
INFO - bin/updatedevices.pl total runtime: 2 min, 37 sec

Greetings,
Nico

2014-03-11 10:42 GMT+01:00 Robert Kerr <[email protected]>:
> On 10/03/14 11:33, Nico wrote:
>> Hello,
>>
>> Maybe this should have gone to the devel mailing list.
>>
>> I'm trying to add support for Netscreen CLI, as getting the ARP table
>> from SNMP is failing.
>> ie: DEBUG - Device::_get_arp_from_snmp: utumno.defaultdomain: Missing
>> information at row: 0.10.x.x.x
>
> It would be interesting to know the version of SNMP::Info and ScreenOS
> in use. There are potentially 2 different ways to get the ARP table from
> ScreenOS via SNMP. SNMP::Info 3.12 uses a different method to 3.11 -
> this fixes issues with some hardware/software versions but might be
> breaking things for you?
>
> See this bug:
>
>  http://sourceforge.net/p/snmp-info/bugs/52/
>
> If you're using 3.11 it would be worth trying 3.12 and vice-versa.
>
> --
>  Robert Kerr

Greetings
-- 
Nico
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Netscreen.pm
Type: application/octet-stream
Size: 7442 bytes
Desc: not available
Url : 
http://osl.uoregon.edu/pipermail/netdot-users/attachments/20140311/607b004d/attachment.obj
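
A stand-alone example of the interface-name normalization discussed in this thread, added here and not taken from Netscreen.pm or Netdot: it parses both "get arp" line shapes shown in the code comments with stricter patterns (mandatory whitespace between fields, hex-only MAC) and lists names that are missing from a known interface set. The sub names, the simplified IPv4 pattern and every sample line are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not from Netscreen.pm. Sub names are hypothetical.
use strict;
use warnings;

my $IPV4 = qr/(?:\d{1,3}\.){3}\d{1,3}/;  # simplified stand-in for Netdot->get_ipv4_regex()
my $MAC  = qr/[0-9a-fA-F]{12}/;          # hex digits only, stricter than \w{12}

# Map "trust-vr/eth3/1.1500" or "eth2/5.11" to the "ethernet3/1.1500" style
# seen in the _validate_arp warnings; any vrouter prefix is dropped.
sub normalize_iname {
    my ($raw) = @_;
    return unless defined $raw;
    return "ethernet$1" if $raw =~ m{^(?:[^/\s]+/)?eth(?:ernet)?(\d\S*)$};
    return $1           if $raw =~ m{^(?:[^/\s]+/)?(mgt\S*)$};
    return;    # unknown naming scheme: the caller skips the line
}

# Parse one "get arp" line: optional index column, IP, MAC, interface token.
sub parse_arp_line {
    my ($line) = @_;
    return unless $line =~ /^\s*(?:\d+\s+)?($IPV4)\s+($MAC)\s+(\S+)/;
    my ($ip, $mac, $raw) = ($1, lc($2), $3);
    my $iname = normalize_iname($raw) or return;
    return { ip => $ip, mac => $mac, iname => $iname };
}

# Split parsed entries into a cache keyed by interface name and a sorted
# list of names that are absent from the known interface set.
sub build_cache {
    my ($known, @lines) = @_;
    my (%cache, %unmatched);
    for my $line (@lines) {
        my $e = parse_arp_line($line) or next;
        if ( $known->{ $e->{iname} } ) {
            $cache{ $e->{iname} }{ $e->{ip} } = $e->{mac};
        } else {
            $unmatched{ $e->{iname} }++;
        }
    }
    return ( \%cache, [ sort keys %unmatched ] );
}

# Constructed sample data: documentation addresses and made-up MACs.
# %known stands for the interface names already stored for the device.
my %known = map { $_ => 1 } qw(ethernet3/1.1500 ethernet2/5.11 mgt);
my @lines = (
    "-- constructed non-ARP line that must be skipped --",
    "192.0.2.10       001a6c000001  trust-vr/eth3/1.1500 VLD   505 0     0",
    "8890 192.0.2.20  001372000002  eth2/5.11   0010db000003 11 0 0x2 0",
    "192.0.2.30       001a6c000004  trust-vr/mgt         VLD   12  0     0",
    "192.0.2.40       001a6c000005  eth0/3.8             VLD   7   0     0",
);

my ($cache, $unmatched) = build_cache(\%known, @lines);
for my $if ( sort keys %$cache ) {
    printf "%-18s %-12s %s\n", $if, $_, $cache->{$if}{$_}
        for sort keys %{ $cache->{$if} };
}
print "no such interface: $_\n" for @$unmatched;
```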
 

------------------------------



End of Netdot-users Digest, Vol 64, Issue 7
*******************************************
