CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it yet again - That's right, the 3rd edition is here!
You can read his announcement post here.
It's a massive upgrade focusing on current versions, and well worth checking out. -E

 

Results 1 to 1 of 1

Thread: Finding which interfaces are used and how many times

  1. #1
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    320
    Rep Power
    13

    Default Finding which interfaces are used and how many times

    I recently had a need to find which interfaces on a VSX system are in use, thereby letting me know which interfaces are available for future expansion. I wrote this quick script and thought it may be worth sharing:
    Code:
    { vsenv 0 >/dev/null 2>&1;for iface in $(ifconfig|egrep '^[^ ]'|cut -d' ' -f1);do ip addr show $iface|grep inet>/dev/null;if [ $? -eq 0 ];then echo "$iface";fi;done;for vsid in $(ls /proc/vrf/|sort -n|tail -n +2);do vsenv $vsid>/dev/null;ifconfig|egrep '^[^ ]'|cut -d' ' -f1;done }|egrep -v '^(lo|usb|wrpj?|br)[0-9]*$'|cut -d. -f1|sort|uniq -c
    Let's break that out a bit to better show what's going on:
    Code:
    {
      vsenv 0 >/dev/null 2>&1;
      for iface in $(ifconfig|egrep '^[^ ]'|cut -d' ' -f1);
        do ip addr show $iface|grep inet>/dev/null;
        if [ $? -eq 0 ];
          then echo "$iface";
          fi;
        done;
      for vsid in $(ls /proc/vrf/|sort -n|tail -n +2);
        do vsenv $vsid>/dev/null;
        ifconfig\
        |egrep '^[^ ]'\
        |cut -d' ' -f1;
        done
    }\
    |egrep -v '^(lo|usb|wrpj?|br)[0-9]*$'\
    |cut -d. -f1\
    |sort\
    |uniq -c
    I have indented this version with spaces rather than tabs, so the shell doesn't try to tab-complete things. It runs in exactly this form.

    The first important construct is the braces: {...}. They tell the shell you want to run all the commands inside them, then work with the output of all of them together. Changes to the environment within the braces also don't spread to the main shell you're running.

    Within the braces, I first set the context to VRF 0. I redirect output to /dev/null and I redirect errors to output. If we're in VSX, this will get us to VS0. If we're not in VSX, this will fail, but we're always in VS0. In either case, we end up where we want to be, so I don't really care about anything that command returns.

    Next, I handle the interfaces in VS0. This gets us to another important construct, the subshell with substitution: $(...). This construct takes the commands inside the parentheses, runs them, and substitutes their output where the $(...) construct is in your code. We'll come back to this in a bit. For now, let's talk about the commands inside it: ifconfig|egrep '^[^ ]'|cut -d' ' -f1

    This is a pipeline. We start by running the command ifconfig. We take the output from that command, then use egrep (GNU grep with extended regular expression support) to filter that output to retain only what we want. In this case, the expression I give to grep tells it to only match lines which start with a character which is not a space. The third item in the pipeline lets you do basic data extraction. In this case, it splits a line of text into one or more fields at a delimiter. I set the delimiter to space, and I tell it to give me field 1. Taken together, this pipeline returns a list of the interfaces on your system.

    Now we come back to the substitution. This gives the list of interfaces into the 'for' command. The 'for' command them breaks them up into individual items and runs once for each item.

    "ip addr show $iface|grep inet>/dev/null" is a quick way to tell if the interface has an IP address or not. We don't care what it is, we just care if it has one.

    Commands in Linux have a concept of an exit code. This is generally used to indicate whether a command worked, kind of like exceptions in other programming languages. By convention, the exit code 0 represents success, and all other numbers represent a failure of some kind. The idea is you can have a variety of failures, so different numbers let you indicate different failures. After running a command, the exit code is stored in a special environment variable: $?

    So once we have run the command to see if the interface has an IP address, we discard the output and test the exit code. If it is 0, we print the interface's name. For any other exit code, we don't print anything. We are now done with the second command in the braces.

    The third command in the braces uses some of what we've discussed before. Specifically, we use a subshell to find all of the VRFs on the system, sort them, then we use tail to drop the first one (which will always be VRF 0, corresponding to VS0. Each item left is a VS we need to check.

    Once we have the list of VRFs, we go through them one by one. For each one, we set the environment to that VRF/VS, then we get the list of interface names in it using the same method we used in VS0. For this, we don't need to test anything, since ifconfig in a VS only shows you interfaces that VS has configuration for. This is important, as switch VSs don't have IP addresses, but they can still reference physical interfaces. With that, we're done with the third command in the braces.

    Taken together, we now have a list of all of the names of interfaces which VSs (including VS0) are configured to use. Now we use another pipeline to process the list a bit.

    First, we remove interfaces which don't correspond to anything real. Loopbacks, USB (some systems have this, most don't), warp links, and bridges (we only care about the physical interface on a switch VS).

    Next, we use cut again, but this time with . as the delimiter, and dots are used to separate the interface name and VLAN tag. We don't care about the VLAN tag, so getting just field 1 gives us just the interface name.

    Finally, we sort the names, then uniq -c gives us a count of the number of times each line is repeated. This tells us how many times each interface is used in the config.
    Last edited by Bob_Zimmerman; 2 Weeks Ago at 17:25.
    Zimmie

Similar Threads

  1. ssh long login and times out
    By susiar in forum Check Point Security Gateway Appliances
    Replies: 3
    Last Post: 2013-11-13, 12:32
  2. R70.40 random high CPU times
    By FloSchn in forum Check Point SecurePlatform (SPLAT)
    Replies: 7
    Last Post: 2011-04-08, 05:45
  3. VPN refuses to connect at times
    By mehul_shroff in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 10
    Last Post: 2009-08-11, 06:56
  4. Security policy times out
    By archie100 in forum Installing And Upgrading
    Replies: 3
    Last Post: 2009-01-21, 13:10
  5. X80 performance 4 times less than C25!?
    By Dragon in forum Crossbeam
    Replies: 21
    Last Post: 2008-06-12, 20:07

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •