topic Re: Oneliner to compare routes between two cluster members in Firewall and Security Management

Oneliner to compare routes between two cluster members

Kaspars_Zibarts — Thu, 01 Mar 2018 13:25:40 GMT

Running into "get interfaces with topology" feature problem recently due to route mismatch on cluster members prompted me to write a quick one-liner to compare routes with least possible effort.

It must be noted for example simplicity I used SNMP V1 with public community (which is not advisable in production) so update command snmp part in red accordingly. Also it does require that SNMP port is open on Sync interface (IPs from cphaprob stat output)

For example below I added a dummy 1.1.1.1/32 route to FW1

[Expert@fw1:0]# i=0; cphaprob stat | egrep ^[1,2] | sed 's/(local)//' | awk '{print $2}'| while read line; do let i++; snmpwalk -c public -v 1 $line IP-FORWARD-MIB::inetCidrRouteIfIndex.ipv4 | awk -F\" '{print $2, $4, substr($3,2,2)}' > fw.$i; done; if [ `diff -q fw.1 fw.2 | wc -l` -gt 0 ]; then diff fw.1 fw.2; else echo "Routes OK"; fi
2d1
< 1.1.1.1 10.3.81.67 32

NormaL output would be

[Expert@fwfran1:0]# i=0; cphaprob stat | egrep ^[1,2] | sed 's/(local)//' | awk '{print $2}'| while read line; do let i++; snmpwalk -c public -v 1 $line IP-FORWARD-MIB::inetCidrRouteIfIndex.ipv4 | awk -F\" '{print $2, $4, substr($3,2,2)}' > fw.$i; done; if [ `diff -q fw.1 fw.2 | wc -l` -gt 0 ]; then diff fw.1 fw.2; else echo "Routes OK"; fi
Routes OK

Re: Oneliner to compare routes between two cluster members

KennyManrique — Thu, 01 Mar 2018 14:20:35 GMT

Great solution Kaspar!

It's a useful tip when Cloning Groups are not in use. For cluster enviroments the best is configure a Cloning Group that follows ClusterXL to sync all routing related parameters.

Regards.

Re: Oneliner to compare routes between two cluster members

Kaspars_Zibarts — Thu, 01 Mar 2018 14:41:27 GMT

absolutely (about cloning groups) but there are some reasons that I'm not able to discuss here why we are not doing it

Re: Oneliner to compare routes between two cluster members

Danny — Mon, 27 Mar 2023 07:39:34 GMT

Because of egrep ^[1,2] this only works for clusters consisting of two members only.
Because of snmpwalk -c public -v 1 this only works with insecurely configured SNMP.
Because SNMPv3 is standard I recommend to update this one-liner to work with stattest.

Re: Oneliner to compare routes between two cluster members

Kaspars_Zibarts — Mon, 27 Mar 2023 08:09:51 GMT

@Danny that's why I wrote: It must be noted for example simplicity I used SNMP V1 with public community (which is not advisable in production) 🙂

It was more of an idea that can be replicated in specific environment accordingly. Not everything has be served on silver plate 🙂 it's good to engage our little grey cells as the famous Poirot said 🙂

Re: Oneliner to compare routes between two cluster members

Vincent_Bacher — Fri, 07 Jul 2023 08:10:19 GMT

could be extended for VSX devices using a loop 🙂

Re: Oneliner to compare routes between two cluster members

Kaspars_Zibarts — Mon, 24 Jul 2023 07:16:10 GMT

Since VSX routes are pushed from Mgmt, they "should" the same on all cluster members, else topology push would fail.

Re: Oneliner to compare routes between two cluster members

_Val_ — Mon, 24 Jul 2023 07:19:57 GMT

Why not make it a part of a ToolBox collection?