Using TCL to Directly Access Forwarding Databases

richfoster
Level 1

Please can someone tell me if this is even possible with a TCL script on IOS?

Open a TCP / SSL control channel from the router to an external monitoring server to do the following:

  • Reliably replicate the global routing table and VRF routing tables with all information, such as protocol, metrics, next hop, prefix, mask, VRF, etc.
  • Poll the global routing table and VRF routing tables for changes and send real time updates when there are changes
  • Encapsulate the information into XML so it can be decoded by the monitoring server

I don’t want to scrape show commands as I don’t believe it would scale or be accurate enough. I’m not even sure if it’s possible to directly access the forwarding databases (MPLS, routing tables, etc)?  Does TCL only work with CLI output?

Thanks!

Richard

6 Replies

Joe Clarke
Cisco Employee

Tcl can do more than just parse show commands.  It can access SNMP objects.  However, it cannot open an SSL connection.  You could do a clear text TCP connection to a remote host or do a "copy FILE https://...", but you cannot open an SSL socket directly.

The other requirements could be met somewhat.  The routing updates could be seen in real time (if your device has EEM 3.0 or higher), but VRF details are not included in those updates so some fallback to CLI or SNMP would be needed.  This would obviously slow things down.  XML encapsulation is certainly possible.

Thanks for your help Joseph. Are there any plans to pass VRF information in the routing detector?

Are there any other detector subsystems or methods to directly monitor the routing processes? For example by using the Application Detector (event_register_appl) to subscribe to IOS subsystem events and bypass the built in detectors, or use Resource Detector (event_register_resource) to detect a state change?  Even when writing custom TCL scripts are we bound by the predefined event detectors or are there other ways of accessing IOS subsystems?

I also wondered if it was possible to create an EEM / TCL resource tracker or counter tracker that tracks the routing tables for changes via SNMP. The problem here is I’m not sure if it’s possible to monitor the MIB for specific changes, then poll for that specific change, as opposed to doing a complete SNMP walk? For example, with a number of VRFs and hundreds of thousands of routes I just need to know when there has been a change, and report just that change.

I could take the output from the Routing Event then SNMP poll the global routing and all the VRFs for that prefix. With a lot of route updates and lots of VRFs there would be a lot of unnecessary SNMP polling (and it probably wouldn’t scale).

Regarding the SSL limitation it looks like it’s possible (from one of your previous posts) to perform an MD5 hash (maybe even SHA). Therefore I’d expect I can hash the XML payload in the TCP session.

Thanks again!

We recently added VRF support to the routing event detector, but it has not yet made it into released code.  When it does, the routing ED should give you everything you want.  Plus, it will be directly in line with the RIB updates.  You should need to do any additional SNMP polling.

The resource ED and application event EDs will not work to track routing table updates.  That's why we have the routing ED.  While you can't build your own ED per se, you can use the various timer EDs (e.g., watchdog) to run a CLI command periodically or perform an SNMP operation periodically.  Depending on the results, you can choose to perform additional actions.  In this manner you can turn just about anything happening on a device into an event.

Yes, using the tcllib MD5 and SHA modules, you can hash data.  This is nowhere near as secure as SSL.  Plus, you cannot reverse a hash.  So if you transmitted hashed XML data across a socket, the other end would not be able to convert it into clear text.

Hi Joseph.

Do you have a rough idea of when the VRF support will come in (this year?!) and will it be across platforms? Also will the routing detector support IPv6 at any point?

Is it possible to import external TCL packages / modules, for example something that could set up an SSL session?

Finally do you think a (well coded) TCL script will be able to handle large routing table updates? For example if 100k routes were installed that would be a lot of work for the routing detector if I’m matching 0.0.0.0/0 ge 1. Also the TCL script would have to XML encode and send every route out over the TCP session – do you think TCL can handle this? Are there scalability limits, am I trying to do something that shouldn’t be done by EEM / TCL?

Thanks, I really appreciate your help.

I believe it will be available by this summer in the latest 15.2T release.  It will be available for the ISRG2 devices.  IPv6 is already supported in 15.2(2)T for the ISRG2s.

No, it is not possible to load a Tcl module to get SSL support.  SSL modules require compiled code, which you cannot load.  If you found a pure Tcl implementation that would work, but the performance would be terrible.

EEM would not be able to handle a situation where 100K routes were updated at one time.  The event queues are not that deep.  You would likely have most of the updates simply dropped by EEM.  Tcl itself would be fine to handle the generation of the XML, but you would not be able to use the routing ED if you think you will see such huge shifts in the routing table.  Really, you're looking at being able to support about 70 or so changes at one time at the maximum (assuming no other events).
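The shape of what the replies above describe (routing ED subscription, XML encoding, clear-text TCP to a collector), as an added example written for this thread and not code from the original posters or from Cisco. It assumes the collector address is supplied through the `collector_host` / `collector_port` EEM environment variables and that the routing ED's reqinfo array carries the keys named in `route_to_xml` (any key that is absent is reported empty rather than aborting the policy); the queue-depth limit discussed above still applies, so it is not a fit for bulk table shifts.

```tcl
# Added example (not from the original thread): an EEM Tcl policy that
# subscribes to the routing event detector, wraps one change in XML and
# ships it over a plain TCP socket to a collector. Assumed: the environment
# variables collector_host / collector_port (set with
# "event manager environment ...") and the reqinfo key names used below.
::cisco::eem::event_register_routing network 0.0.0.0/0 ge 1 type all maxrun 30

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Fail closed if the operator did not configure the collector address.
if {![info exists collector_host] || ![info exists collector_port]} {
    action_syslog priority err msg "collector_host/collector_port not set"
    exit 1
}

# Escape the five XML special characters so route data can never break
# the document structure on the collector side.
proc xml_escape {s} {
    return [string map [list & {&amp;} < {&lt;} > {&gt;} \" {&quot;} ' {&apos;}] $s]
}

# Build one <route_event> element from the detector's reqinfo array.
# VRF is not carried by this ED in the releases discussed above, so that
# element (and any other missing key) is emitted empty instead of failing.
proc route_to_xml {arrname} {
    upvar $arrname e
    set xml "<route_event ts=\"[xml_escape $e(event_pub_sec)]\">"
    foreach key {type network mask protocol lastgateway lastinterface distance metric vrf} {
        set val [expr {[info exists e($key)] ? $e($key) : ""}]
        append xml "<$key>[xml_escape $val]</$key>"
    }
    append xml "</route_event>\n"
    return $xml
}

array set evt [event_reqinfo]
set payload [route_to_xml evt]

# Clear-text TCP only: IOS Tcl cannot open an SSL socket, so this channel
# has no more confidentiality or integrity than the network path itself.
if {[catch {
    set sock [socket $collector_host $collector_port]
    fconfigure $sock -blocking 1 -translation binary
    puts -nonewline $sock $payload
    flush $sock
    close $sock
} err]} {
    action_syslog priority err msg "route export failed: $err"
    exit 1
}
```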

Thanks, you saved me quite a few late nights messing around with TCL...!
