1. We make sure that the piece of iron holds the SNMP protocol - this is the most common protocol for obtaining statistics.
Here, every deshman immediately starts to fall off sharply.
If there is a piece of iron, SNMP is not, but you want to - make sure that the OpenWRT or DD-WRT firmware with the necessary set of functions for your device exists.
If not, donate this junk to those in need and buy a Mikrotik (cool, but still almost deshman).
2. We raise Zabbix or Icinga (or whatever you like), which are quite successfully able to receive SNMP or pull it from the side. Even on managed pieces of iron, you can configure SNMP Trap so that when certain events occur (connection to a port, for example), an alert is sent to the server.
3. With access restriction - in the case of Mikrotik it is quite real. In the case of Zyxel Keenetic of the second generation of firmware, too. In the case of a cisco/juniper and other tops, it's quite easy :).
All of the above have a pretty good command line in the terminal, so you can edit the rules on the server and upload them through the command line.
https://natenka.gitbooks.io/pyneng/content/book/15...
see this and neighboring chapters - an example of automation in python with crowd control.
Perhaps the task with an incomprehensible wording "access restriction" is perfectly superimposed on the capabilities of 802.1X
4. An unmentioned, but usually arising problem - if the SP of the subordinate piece of iron is dynamic - the task is to find this piece of iron.
There are two solutions - each piece of iron uses one of the No-IP options (it's free for Mikrotiks out of the box)
or the pieces of iron support a vpn / openvpn tunnel to the server, and the server simply pulls them through the tunnels to known local (for him) addresses.
Further - the management interface of the piece of iron for good should not stick out at all, so wrapping it in vpn is one of the security methods.
99. The path of a real monster
We write a script for each model that logs in from the central server to the piece of iron on the web interface, pulls out statistics, and adds them to the database.
100. In order to have little sex - immediately throw out incomprehensible pieces of iron and buy ciscos or mikrotiks, or anything of similar professional steepness, the main thing is to be SMART AND SAME otherwise there will be happiness, unlimited happiness, because for sure the most deshman d-links are waiting for you, tp-link, upvel or something else completely unnamed.

Far from always, the router is able to keep this same statistics, and very rarely - to give it away. I'm talking about Dishman type D-Link, TP-Link and others like them. Mikrotik gives normal statistics - you just need to accept it.

If Mikrotik routers, then you can. In others - if custom firmware is done, I have not seen it in standard ones.

Zabbix or its equivalent does not solve the problem?