Determining open ports on routers

Hi All,

I need to determine which ports are open on a particular interface on more than 200 routers. I have configuration of all of them, but it would be very time consuming to do this manually.

Is there any application or script that can create this report automatically?

Regards, Masoud

m.ahanchian

In article , wrote:
:I need to determine which ports are open on a particular interface on
:more than 200 routers. I have configuration of all of them, but it
:would be very time consuming to do this manually.

:Is there any application or script that can create this report
:automatically?

Something like nmap ?

Though your reference to "a particular interface" suggests that it might not be the "closest" interface.

There is a definitional problem as to what an "open" port -is-, when one takes into account policy routing, reverse-path tests, flag tests, source port tests, and source address tests. In a way, the only real way to define what ports are open is to run an ACL optimizer over the configuration and then throw away everything except tcp, udp, and ip statements. Whatever is left over -defines- the open ports, in one way of thinking.

Walter Roberson

Hi,

The cheap (free) and nasty way (probably one of many)!

PERL and Nmap (or any command-line scanner) can definitely do the trick together.

Create a txt file with all the router IP addresses which PERL will read and use in the PERL script to scan each router one at a time, grep the output and dump the reports as you like.

Nmap can be slow but the results are good.

Hope this helps,

Rob

RobO

Hi Walter,

What I want to know is basically which TCP/UDP ports are accessible inbound and outbound on the serial interfaces which connect to the internet.

I don't want to use a port scanner as I currently have all router configurations.

Is there any ACL optimizer that you would recommend to do this?

Regards, Masoud

m.ahanchian

In article , wrote:
:What I want to know is basically which TCP/UDP ports are accessible
:inbound and outbound on the serial interfaces which connect to the
:internet.

:I don't want to use a port scanner as I currently have all router
:configurations.

:Is there any ACL optimizer that you would recommend to do this?

I don't have any particular ACL optimizer in mind -- they are tricky things to write.

How complex are the configurations, structurally? Are you just interested in "any" as the source? Is there a lot of subselection by destination?

Considering the complexity of your configuration, would it be sufficient, do you think, for a program to build up a list of permitted and denied ports per destination? I've done some set manipulation C code that might turn out to be useful in this kind of analysis, but I would need to think a bit more about how to handle permit / deny combinations.

Walter Roberson

They are fairly complex.

There are a lot of ACLs defined on each router, not just for blocking traffic, but also for QoS, VPN tunnels and policy-based routing.

So the script should not only analyze ACL deny or access commands, but also determine which ACL is used where and for what reason. I'm trying to find a way to do this using CiscoWorks.

m.ahanchian
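An added example, not code from any poster in this thread, showing the config-only approach Walter sketches and the "which ACL is used where" question Masoud raises last: a Python script that parses a saved IOS running-config, keeps the tcp/udp/ip statements of the ACL bound in each direction of an interface in first-match order (flagging entries that an earlier entry already covers and therefore can never match), and records every interface, class-map (QoS), crypto map (VPN) and route-map (PBR) that references each ACL. Everything in it is hypothetical: the function names, the partial port-keyword map and the constructed sample config. It assumes extended ACLs with only the eq/neq/gt/lt port operators, ignores ranges, object-groups, time-ranges and the reverse-path, flag and policy-routing conditions Walter mentions, and its shadowing test is deliberately conservative. To cover the 200 routers, call parse_config on each saved config in turn.

```python
"""Hypothetical ACL audit helper for this example; SAMPLE_CONFIG is constructed."""
from collections import defaultdict

PORT_NAMES = {"www": 80, "domain": 53}  # partial map of IOS port keywords

SAMPLE_CONFIG = """\
ip access-list extended FROM-INTERNET
 permit tcp any host 203.0.113.10 eq www
 permit tcp any any established
 deny   ip any any log
ip access-list extended TO-INTERNET
 permit tcp any any
 deny   tcp any any eq 3389
 permit udp any any eq domain
access-list 150 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 160 permit tcp any any eq 22
class-map match-all MGMT-TRAFFIC
 match access-group 160
crypto map VPN 10 ipsec-isakmp
 match address 150
interface Serial0/0/0
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out
"""

def _addr(tok, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'
    if tok[i] == "any":
        return "any", i + 1
    return (tok[i + 1] if tok[i] == "host" else f"{tok[i]}/{tok[i + 1]}"), i + 2

def _port(tok, i):  # optional 'eq|neq|gt|lt PORT'; 'any' when absent
    if i < len(tok) and tok[i] in ("eq", "neq", "gt", "lt"):
        return f"{tok[i]} {PORT_NAMES.get(tok[i + 1], tok[i + 1])}", i + 2
    return "any", i

def parse_ace(tok):  # 'permit|deny PROTO SRC [SPORT] DST [DPORT] [established]'
    if not tok or tok[0] not in ("permit", "deny"):
        return None  # remark or unsupported entry
    ace = {"action": tok[0], "proto": tok[1]}
    ace["src"], i = _addr(tok, 2)
    ace["sport"], i = _port(tok, i)
    ace["dst"], i = _addr(tok, i)
    ace["dport"], i = _port(tok, i)
    ace["established"] = "established" in tok[i:]
    return ace

def parse_config(text):
    """Return (acls, ifaces, refs): ACEs per ACL, ACL per interface+direction, users of each ACL."""
    acls, ifaces, refs = defaultdict(list), defaultdict(dict), defaultdict(list)
    kind = name = None  # section opened by the last top-level command
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if not line.startswith(" "):  # top-level command
            if tok[:3] == ["ip", "access-list", "extended"]:
                kind, name = "acl", tok[3]
            elif tok[0] == "access-list" and (ace := parse_ace(tok[2:])):
                acls[tok[1]].append(ace)  # numbered ACL: one ACE per line
            elif tok[0] in ("interface", "class-map", "route-map"):
                kind, name = tok[0], (tok[-1] if tok[0] == "class-map" else tok[1])
            elif tok[:2] == ["crypto", "map"]:
                kind, name = "crypto map", tok[2]
            else:
                kind = None  # unknown section: ignore its indented lines
        elif kind == "acl" and (ace := parse_ace(tok)):
            acls[name].append(ace)
        elif kind == "interface" and tok[:2] == ["ip", "access-group"]:
            ifaces[name][tok[3]] = tok[2]  # tok[3] is 'in' or 'out'
            refs[tok[2]].append(f"interface {name} {tok[3]}")
        elif kind and tok[0] == "match":  # QoS, VPN and PBR references
            refs[tok[-1]].append(f"{kind} {name}")
    return acls, ifaces, refs

def _covers(e, l):  # earlier entry E matches every packet later entry L would
    return (e["proto"] in ("ip", l["proto"]) and not e["established"]
            and all(e[f] in ("any", l[f]) for f in ("src", "sport", "dst", "dport")))

def acl_effect(acls, acl):
    """First-match walk: tcp/udp/ip ACEs as 'action proto dst dport' split into permit/deny/shadowed."""
    res, seen = {"permit": [], "deny": [], "shadowed": []}, []
    for ace in acls[acl]:
        if ace["proto"] in ("tcp", "udp", "ip"):
            desc = f"{ace['action']} {ace['proto']} {ace['dst']} {ace['dport']}"
            desc += " established" if ace["established"] else ""
            key = "shadowed" if any(_covers(e, ace) for e in seen) else ace["action"]
            res[key].append(desc)
        seen.append(ace)
    res["deny"].append("deny ip any any (implicit)")  # end-of-ACL default
    return res

if __name__ == "__main__":  # report on the sample; loop over saved files for many routers
    acls, ifaces, refs = parse_config(SAMPLE_CONFIG)
    for iface, bound in ifaces.items():
        for direction, acl in bound.items():
            print(iface, direction, acl, acl_effect(acls, acl))
    for acl, where in sorted(refs.items()):
        print("ACL", acl, "referenced by:", ", ".join(where))
```

On the sample, the inbound report lists only port 80 to one host plus established TCP before the explicit deny, the outbound report flags `deny tcp any eq 3389` as unreachable because `permit tcp any any` precedes it (the ordering problem Walter alludes to), and the reference map shows ACL 160 belonging to a QoS class-map and ACL 150 to a crypto map rather than to an interface filter.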
