Cisco IOS XR Monitoring

One of the interesting topics in the network monitoring world at this time is the monitoring of Cisco IOS XR based devices.

Cisco IOS XR is the new preferred OS for Cisco carrier routers such as the CRS-1 or 12000.

For a network operator, monitoring these devices is mandatory to detect failures and guarantee good network availability.

 

So the question now is how to manage Cisco IOS XR. (This page is not the complete article and will be updated when I have enough time.)

The first idea for sure is SNMP! 

SNMP

Here is what you can monitor through SNMP (will be completed next time):

_ Environment (sensors, CPU, modules etc. via the ENTITY and CISCO-ENTITY MIBs)

_ BGP (only IPv4 peerings, because neither MIB-BGP nor the CISCO-BGP MIB provides this information for other peerings)

 

SSH (CLI)

 

SSH is a secure way to monitor things not provided in MIBs, such as BGP peerings for Address Families other than IPv4 Unicast.

So here comes a problem:

Standard method to authenticate:

1) Connect

2) Try to authenticate with auth_none (only username, no password)

=> Failure: the server replies with the list of authentication methods it accepts

3) Authenticate with the next authorized method (password, pubkey, keyboard-interactive)

The best authentication method is public key.

 

Now, let's see which methods are implemented in IOS XR:

According to the documentation:

Cisco IOS XR does not support public key authentication.

In real life?

Cisco SSH authentication is really ... hum... special :

1) Connect... OK

2) Trying AUTH_NONE.............................SSH_SUCCESS ???? What ??????

Ok, I had a success.... so, why not try opening a shell..

3) Opening a shell ................ SSH_OK.... hey !!! 

4) Reading in the shell................. surprise :

Password :

Ok, so you are authenticated with the AUTH_NONE method by providing only your username, and the password is prompted for when opening a shell.

I tried directly with AUTH_PASSWORD and AUTH_KEYBINT (keyboard interactive) but it didn't work.

Note: Cisco improved SSH authentication in the last SMU (Software Maintenance Update) by adding the Keyboard Interactive Authentication method (but trying with SSH_NONE will still work.. so that's a little bit dirty)

 


hfr-base-3.6.1.CSCsm17833.tar
Release Date: 18/Jun/2008
Hitless, Support SSH keyboard-interactive authentication method, Optional SMU

Size: 370.00 KB (378880 bytes)

 

So, as you have certainly understood, Cisco does not provide a "standard" way to authenticate!

The impact:

_ You cannot use libraries like Net::SSH in Perl (I was not able to use any known libraries using SSH...)

That's really sad....

So what I did was:

_ Using libssh (a C API for SSH), I coded my own library to get access to the Cisco IOS XR CLI.

Another thing that is not implemented in Cisco IOS XR is "EXEC COMMAND"; this feature allows you to send a command directly to an SSH device and get the result returned back.... So you MUST use expect-like logic: send the command, receive the result, detect the prompt... That's really time consuming.
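The expect-like loop described above (answer the password prompt that appears inside the shell, send a command, read until the CLI prompt comes back), as an added example that is not the author's library. It runs against a constructed in-memory channel instead of a real SSH session; `FakeChannel`, the CLI prompt pattern, the hostname `xr1` and the sample output are assumptions.

```python
import re

# "Password :" is the in-shell prompt quoted on this page. The CLI prompt
# pattern (a token ending in # or > at the very end of the buffer) is an assumption.
PASSWORD_RE = re.compile(r"Password ?: ?\Z")
PROMPT_RE = re.compile(r"(?:^|\n)\S+[#>] ?\Z")

class FakeChannel:
    """Constructed stand-in for an interactive SSH shell channel (hypothetical)."""
    def __init__(self, script):
        self.script = script                 # maps a sent line to its reply chunks
        self.pending = list(script[None])    # what the shell prints when opened
    def send(self, data):
        self.pending.extend(self.script.get(data, []))
    def recv(self):
        return self.pending.pop(0) if self.pending else ""

def read_until(chan, pattern, max_reads=50):
    """Accumulate reads until pattern matches; a prompt may span two reads."""
    buf = ""
    for _ in range(max_reads):               # bounded, so a silent device cannot hang us
        buf += chan.recv()
        if pattern.search(buf):
            return buf
    raise TimeoutError(f"never saw {pattern.pattern!r}; buffer was {buf!r}")

def login(chan, password):
    """Answer the password prompt that shows up inside the shell."""
    read_until(chan, PASSWORD_RE)
    chan.send(password + "\n")
    read_until(chan, PROMPT_RE)

def run_command(chan, command):
    """Send one command; return its output without the echo and the prompt."""
    chan.send(command + "\n")
    lines = read_until(chan, PROMPT_RE).replace("\r", "").split("\n")
    if lines and lines[0].strip() == command:
        lines = lines[1:]                    # drop the echoed command
    return [ln for ln in lines[:-1] if ln.strip()]   # last line is the prompt

# Constructed session transcript, deliberately split at awkward chunk boundaries.
SAMPLE = {
    None: ["\r\nPass", "word :"],
    "example-password\n": ["\r\n", "RP/0/RP0/CPU0:xr1#"],
    "show bgp ipv6 unicast summary\n": ["show bgp ipv6 unicast summary\r\n",
        "Neighbor     AS  St/PfxRcd\r\n2001:db8::1  64500  Idle\r\nRP/0/RP0/CPU0:x", "r1#"],
}
```

Matching the prompt only at the very end of the accumulated buffer is what keeps a `#` inside command output from ending the read early.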