How to retrieve ACL Counters using SNMP and its benefits


Hi community,
I just wanted to share my findings about accessing ACL counters via SNMP on ASR9000/XR.

 

Searching the Internet I found the section "ACL Counters Using SNMP" in the IP Addresses and Services Configuration Guide, but I didn't find any information on how to actually access those counters, so I ran:

RP/0/RSP0/CPU0:router#sh snmp mib object-name

...on my ASR9904 router running IOS XR 5.3.4 to look for something interesting... and voilà, the last two were:

  1.3.6.1.4.1.9.9.808.1.2.1.1.2             caAclLabelIntfStatsEntry.2
  1.3.6.1.4.1.9.9.808.1.2.1.1.3             caAclLabelIntfStatsEntry.3

...which are part of the CISCO-ACL-MIB (OID 1.3.6.1.4.1.9.9.808).

 

Next I configured a counter "test" on my ACL (see the documentation) and did an snmpwalk of that subtree. I got:

[root@server ~]# snmpwalk -v2c -c community hostname .1.3.6.1.4.1.9.9.808
SNMPv2-SMI::enterprises.9.9.808.1.2.1.1.2.14.1.2.4.116.101.115.116 = Counter64: 20617
SNMPv2-SMI::enterprises.9.9.808.1.2.1.1.3.14.1.2.4.116.101.115.116 = Counter64: 1803947

 

On CISCO-ACL-MIB.my I found:
caAclLabelIntfStatsEntry.2 = caAclIntfStatsPackets ("The total number of packets that match this counter label.")
caAclLabelIntfStatsEntry.3 = caAclIntfStatsOctets ("The total number of octets that match this counter label.")
There is also:
caAclLabelIntfStatsEntry.1 = caAclIntfStatsCounterLabelName ("The counter label index associated with this set of statistics.")
...but it seems IOS XR doesn't support it, at least on v5.3.4.

So, I had 20617 packets and 1803947 bytes matching my counter.

Then, after several tests with many counters configured, I figured out what the trailing numbers in the OID meant.

In the example:
caAclIntfStatsOctets.14.1.2.4.116.101.115.116

.14 the interface index (ifIndex) that you get when you snmpwalk OID .1.3.6.1.2.1.2.2.1.1.
.1 I don't know; it was the same number for all the tests.
.2 ACL direction (1 for in and 2 for out).
.4 Length of the name of the counter ("test" in my example).
.116.101.115.116 the ASCII codes of 't', 'e', 's', 't'.
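To make that index layout concrete, here is a small decoder/encoder for these instance OIDs. It is an added example, not code from the original post or from Cisco: it implements the layout inferred above (ifIndex, an unknown sub-identifier that was always 1, direction, label length, label bytes) and parses snmpwalk output lines of the same shape as the ones shown earlier. The meaning of the second sub-identifier is not known, so it is carried through as an opaque value; the sample walk output embedded below is constructed to mirror the post's output and was not captured from a device.

```python
"""Decode and build CISCO-ACL-MIB counter-label instance OIDs.

Added example (not from the original post). Implements the index layout the
post infers for caAclLabelIntfStatsEntry on IOS XR 5.3.4. The meaning of the
second index sub-identifier is unknown (always 1 in the post's tests), so it is
treated as an opaque value. SAMPLE_WALK is constructed, not captured.
"""
import re
from dataclasses import dataclass

CISCO_ACL_MIB = "1.3.6.1.4.1.9.9.808"
STATS_ENTRY = CISCO_ACL_MIB + ".1.2.1.1"      # caAclLabelIntfStatsEntry
COLUMNS = {2: "packets", 3: "octets"}          # caAclIntfStatsPackets / caAclIntfStatsOctets
DIRECTIONS = {1: "in", 2: "out"}
DIRECTION_CODES = {v: k for k, v in DIRECTIONS.items()}

# Constructed sample: label 'test' outbound and 'network_A' inbound, both on ifIndex 14.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.9.9.808.1.2.1.1.2.14.1.2.4.116.101.115.116 = Counter64: 20617
SNMPv2-SMI::enterprises.9.9.808.1.2.1.1.3.14.1.2.4.116.101.115.116 = Counter64: 1803947
SNMPv2-SMI::enterprises.9.9.808.1.2.1.1.2.14.1.1.9.110.101.116.119.111.114.107.95.65 = Counter64: 42
SNMPv2-SMI::enterprises.9.9.808.1.2.1.1.3.14.1.1.9.110.101.116.119.111.114.107.95.65 = Counter64: 61000
"""

# One snmpwalk output line: column number, index sub-identifiers, Counter64 value.
LINE_RE = re.compile(
    r"enterprises\.9\.9\.808\.1\.2\.1\.1\.(\d+)\.([\d.]+) = Counter64: (\d+)$"
)


@dataclass(frozen=True)
class CounterKey:
    if_index: int
    unknown: int      # second index sub-identifier; meaning unknown, always 1 in the post
    direction: str    # "in" or "out"
    label: str        # the name given with 'counter <label>' in the ACL entry


def decode_index(sub_ids):
    """Turn the index sub-identifiers that follow the column into a CounterKey."""
    if len(sub_ids) < 4:
        raise ValueError("index too short: %r" % (sub_ids,))
    if_index, unknown, direction, name_len = sub_ids[:4]
    name_codes = sub_ids[4:]
    if len(name_codes) != name_len:
        raise ValueError("label length %d does not match %d sub-identifiers"
                         % (name_len, len(name_codes)))
    if direction not in DIRECTIONS:
        raise ValueError("unknown direction code %d" % direction)
    label = bytes(name_codes).decode("ascii")   # label is carried as ASCII codes
    return CounterKey(if_index, unknown, DIRECTIONS[direction], label)


def encode_index(if_index, direction, label, unknown=1):
    """Inverse of decode_index: build the index sub-identifiers for a label."""
    codes = list(label.encode("ascii"))
    return [if_index, unknown, DIRECTION_CODES[direction], len(codes)] + codes


def instance_oid(column, if_index, direction, label, unknown=1):
    """Full numeric OID for one counter column, usable directly with snmpget."""
    if column not in COLUMNS:
        raise ValueError("column must be one of %r" % (sorted(COLUMNS),))
    parts = [STATS_ENTRY, column] + encode_index(if_index, direction, label, unknown)
    return ".".join(str(x) for x in parts)


def parse_walk(text):
    """Group an snmpwalk dump into {CounterKey: {'packets': n, 'octets': n}}."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                       # not a stats-entry line
        column = int(m.group(1))
        if column not in COLUMNS:
            continue                       # e.g. column 1, not returned on this release
        sub_ids = [int(x) for x in m.group(2).split(".")]
        key = decode_index(sub_ids)
        results.setdefault(key, {})[COLUMNS[column]] = int(m.group(3))
    return results


if __name__ == "__main__":
    for key, counters in parse_walk(SAMPLE_WALK).items():
        print(f"ifIndex {key.if_index} {key.direction:3} {key.label:<10} "
              f"{counters.get('packets', 0):>10} pkts "
              f"{counters.get('octets', 0):>12} octets")
    print(instance_oid(3, 14, "out", "test"))
```

`instance_oid` gives you the exact OID to put in a poller data source (it reproduces the `...808.1.2.1.1.3.14.1.2.4.116.101.115.116` seen in the walk above), and `parse_walk` is the piece you would run over a fresh snmpwalk to discover which labels exist on which interface and direction before building graphs.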


Once I knew this, I made a Cacti template to graph the bytes matched by each counter. In this manner, having entries of this type:

permit ipv4 any x.x.x.0 0.0.0.255 counter network_A

...you can have graphs of bandwidth usage per link for network_A, or maybe:

permit tcp any any eq www counter HTTP

...for bandwidth usage by protocol (HTTP). Of course, note that a packet is counted only by the first ACL entry it matches, so it's not a good idea to combine both examples above in the same ACL: HTTP traffic to network_A would be counted by whichever entry comes first and missed by the other.

Of course, you could also do all this with NetFlow, but then you need software to process the data.

I hope you found this article interesting.