That would be a Cisco question really, but my limited knowledge on the topic says no. In reality you shouldn't be changing it that often to have a need to automate a backup. You could force it in your practice to backup to tftp before AND after any changes are made; we do this on the rare occasion we make changes to our router or switches.
How often do you change the router configuration that you need to automate the backup? Even when you do change the configuration, executing a "copy run start" followed by a "copy run tftp" to a remote tftp server are trivial tasks. Ideally, the config should change as little as possible. This just seems like an odd thing to be doing.
That said, I imagine that you could do the same thing with "expect" to automate the above commands via telnet with a cron job. Although, I would put an ACL on the vty, only allowing connections from the IPs you specify.
Although I agree with the comments about "backup after changing a config", some of us work for corporations that have policy that states all configs will be backed up on a daily basis. In fact, I work for a company that has auditors that ask for proof. <groan!>
In order to satisfy the auditors, I wrote a shell script (see below) that backs up hundreds of cisco routers and switches nightly using tftp from a linux box. I chose this method over telnet/write terminal just because it was easier to code and maintained the same security posture.
The key to making this script work is to edit the DEVICES variable along with setting up a base directory structure for all the downloaded files. I have removed all but four devices as an example. The header section contains info on howto config router/switch to allow tftp access.
Code:
#!/bin/bash
#########################################################################
# Name: cisco_tftp_backup
# Author: Steve Cowles <scowles@infohiiway.com>
#
# Revision: Created 10/1/2005 SWC
# Revision: 03/26/06 - SWC
#           Added capability to save config data by date.
#
# Description: Shell Script to backup cisco startup-config files
#              using tftp and store in pre-defined directory structure
#
# Directory structure for script is:
#   base_dir      /backup/cisco/{date}
#   device type     /router
#   hostname          /r1
#   filename            startup-config
#   hostname          /r2
#   filename            startup-config
#   device type     /switch
#   hostname          /s1
#   filename            startup-config
#   hostname          /s2
#   filename            startup-config
#
# Note 1: Cisco IOS requires you to configure tftp server access prior
#         to adding a router or switch to this script
#         Something like:
#           access-list 55 remark PERMIT hosts requesting TFTP access
#           access-list 55 permit host 10.1.100.201
#           tftp-server nvram:startup-config 55
#
#         10.1.100.201 is the IP address of the system running this script
#         nvram:startup-config is the only file allowed to be copied
#########################################################################
####################################################
# Error handlers
error_no_tftp_exec ()
{
    echo "ERROR - Filename '$1' does not exist"
    # Exit with a non-zero status so cron/callers see the failure
    exit 1
}
error_no_backup ()
{
    echo "ERROR - Unable to backup Host '$1'"
}
error_zero_length ()
{
    echo "ERROR - Hostname '$1' backup has a zero size"
}
####################################################
# If tftp executable does not exist... then exit
CMD=tftp ; TFTP=`which ${CMD} 2>/dev/null`
[ ! -x "${TFTP}" ] && error_no_tftp_exec "${CMD}"
####################################################
# Variable Section, edit below to meet requirements
####################################################
# Define/load a variable to store the device information
# of all routers/switches to backup using tftp.
#
# Values are separated by colons (:)
# Value 1 = Device Type (sub-dir created)
# Value 2 = Device Hostname (sub-dir created)
# Value 3 = Device IP address
DEVICES="
router:allar1:10.100.12.1
switch:allsw1:10.100.12.2
router:lewar1:10.100.16.1
switch:lewsw1:10.100.16.2
"
# Should an error occur during execution, e-mail
# errors to following person. i.e. If run as cronjob
MAILTO="scowles@infohiiway.com"
# Define the base directory where you want to store
# files retrieved from all devices. All subordinate
# directories will be created relative to this base
BASELOG=/var/log/cisco_configs
BASEDIR=${BASELOG}/`date +%m.%d.%y`
# Define the filename to (get) from device using tftp
# See note 1 above
FILENAME=startup-config
####################################################
# END Variable Section, No serviceable parts below
####################################################
###################################################################
# Begin Executable Section (do NOT edit below)
###################################################################
# If base directory does not exist, create it
# (-p also creates BASELOG on the very first run)
[ ! -d "${BASEDIR}" ] && mkdir -p "${BASEDIR}"
# Update the symbolic link to point to the current BASEDIR directory
if [ -d "${BASELOG}" ] ; then
    # Router link (-f: no error when the link does not exist yet)
    rm -f "${BASELOG}/router"
    ln -s "${BASEDIR}/router" "${BASELOG}/router"
    # Switch link
    rm -f "${BASELOG}/switch"
    ln -s "${BASEDIR}/switch" "${BASELOG}/switch"
fi
########################################################
# Setup loop for each device listed in $DEVICES variable
########################################################
for device in $DEVICES ; do
    # Separate DEVICE TYPE/HOSTNAME/IP into separate variables
    DEVICE=`echo ${device} | cut -d ':' -f 1`
    HOSTNAME=`echo ${device} | cut -d ':' -f 2`
    IP=`echo ${device} | cut -d ':' -f 3`
    # Set and Create the sub-directories to store files
    SUBDIR=${BASEDIR}/${DEVICE}
    [ ! -d "${SUBDIR}" ] && mkdir "${SUBDIR}"
    [ ! -d "${SUBDIR}/${HOSTNAME}" ] && mkdir "${SUBDIR}/${HOSTNAME}"
    # Set the fullpath to store file retrieved during tftp
    FULLPATH=${SUBDIR}/${HOSTNAME}/${FILENAME}
    # tftp $FILENAME from device/IP to directory/FULLPATH
    ${TFTP} "${IP}" -c get "${FILENAME}" "${FULLPATH}" >/dev/null 2>&1 ||
        error_no_backup "${HOSTNAME}"
    # Since tftp return values don't seem to include zero length
    # gets, test for this condition
    [ ! -s "${FULLPATH}" ] && error_zero_length "${HOSTNAME}"
done
Thank You for this. I will give it a try and reply back...
Thanks scowles, this is great code. Tested and works fine. Just one more thing I am trying to figure out: I want to be emailed each time the config file has changed. Not in real-time of course but on the scheduled backup. Haven't been scripting for a while, the coding would be something like this:
"if (diff /var/log/cisco_configs/`date +%m.%d.%y`/switch/test/startup-config /var/log/cisco_configs/`date +%m.%d-1.%y`/switch/test/startup-config)
then MAILTO SOMEONE@SOMEWHERE.COM;"
Will try to fix it myself, if someone meanwhile could help me that would be great...
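diff /var/log/cisco_configs/`date --date='1 day ago' +%m.%d.%y`/switch/test/startup-config /var/log/cisco_configs/switch/test/startup-config > /backup/test.txt
# diff output is non-empty only when the two configs differ
if [[ -s /backup/test.txt ]]
then
    # assumes a mailx-style "mail" command is installed
    mail -s "Cisco config changed" SOMEONE@SOMEWHERE.COM < /backup/test.txt
fi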
Glad the script worked for you.
With regards to your proposed changes...
1) diff can compare directories. i.e. diff 11.18.07 11.19.07
2) What if you added a new router/switch to the DEVICES variable? The previous day's directory will not exist. Consider using the appropriate diff command line argument to deal with this case -or- add the appropriate test prior to calling diff.
3) Just my personal preference (I get too many e-mail alerts in a single day): When a script is run as a cron job, any output from the script will be mailed to the MAILTO variable. With regards to your proposed "diff" additions - I would add the "diff" after the "tftp get", so if there is a difference in files, then you would get a single e-mail with a summary of "all" files that had changed. If there was no difference, then no output would be generated, so you would NOT get an e-mail.
4) With the above in mind... I would add your diff test after the tftp get command. Something like:
NOTE: I have not tested any of this.
Code:
...snip...
# Define the base directory where you want to store
# files retrieved from all devices. All subordinate
# directories will be created relative to this base
BASELOG=/var/log/cisco_configs
BASEDIR=${BASELOG}/`date +%m.%d.%y`
# Set Yesterdays Date
YESTERDAY=${BASELOG}/`date --date='1 day ago' +%m.%d.%y`
...snip...
########################################################
# Setup loop for each device listed in $DEVICES variable
########################################################
for device in $DEVICES ; do
    # Separate DEVICE TYPE/HOSTNAME/IP into separate variables
    DEVICE=`echo ${device} | cut -d ':' -f 1`
    HOSTNAME=`echo ${device} | cut -d ':' -f 2`
    IP=`echo ${device} | cut -d ':' -f 3`
    # Set and Create the sub-directories to store files
    SUBDIR=${BASEDIR}/${DEVICE}
    [ ! -d "${SUBDIR}" ] && mkdir "${SUBDIR}"
    [ ! -d "${SUBDIR}/${HOSTNAME}" ] && mkdir "${SUBDIR}/${HOSTNAME}"
    # Set the fullpath to store file retrieved during tftp
    FULLPATH=${SUBDIR}/${HOSTNAME}/${FILENAME}
    # Set path for yesterdays directory for diff
    YSUBDIR=${YESTERDAY}/${DEVICE}
    # tftp $FILENAME from device/IP to directory/FULLPATH
    ${TFTP} "${IP}" -c get "${FILENAME}" "${FULLPATH}" >/dev/null 2>&1 ||
        error_no_backup "${HOSTNAME}"
    # Run "diff" to alert for any changes in configurations
    diff --new-file "${SUBDIR}/${HOSTNAME}" "${YSUBDIR}/${HOSTNAME}"
    # Since tftp return values don't seem to include zero length
    # gets, test for this condition
    [ ! -s "${FULLPATH}" ] && error_zero_length "${HOSTNAME}"
done
Also, I use the "-x" argument to test/debug scripts. Change the first line of the script to:
#!/bin/bash -x
while testing your changes. Comes in handy to see if variables are working correctly.
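One way to produce the single summary e-mail described in points 2) and 3) above, as an added example that is not part of the original posts. It keeps the script's {date}/{device type}/{hostname}/startup-config layout; the function name report_changes and the status labels are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread): summarize config changes between two
# dated backup trees laid out as <date>/<device type>/<hostname>/startup-config.
#
# report_changes TODAY_DIR YESTERDAY_DIR   (hypothetical helper)
#   Prints one status line per affected host:
#     EMPTY    today's file is missing or zero length (failed tftp get)
#     NEW      host has no backup from yesterday (just added to DEVICES)
#     CHANGED  config differs; a unified diff follows
#     MISSING  host was backed up yesterday but not today
#   Prints nothing and returns 0 when nothing changed, so a cron job stays
#   silent and no mail is sent. Returns 1 when there is something to report.
report_changes () {
    local today="$1" yesterday="$2" file=startup-config
    local changed=0 dir rel new old

    # Hosts present in today's backup
    for dir in "$today"/*/*/ ; do
        [ -d "$dir" ] || continue             # glob matched nothing
        rel=${dir#"$today"/} ; rel=${rel%/}   # e.g. router/allar1
        new=$today/$rel/$file
        old=$yesterday/$rel/$file
        if [ ! -s "$new" ] ; then
            echo "EMPTY    $rel" ; changed=1
        elif [ ! -e "$old" ] ; then
            echo "NEW      $rel" ; changed=1
        elif ! cmp -s "$old" "$new" ; then
            echo "CHANGED  $rel"
            # diff exits 1 when files differ; that is the expected case here
            diff -u "$old" "$new" || true
            changed=1
        fi
    done

    # Hosts backed up yesterday but absent today
    for dir in "$yesterday"/*/*/ ; do
        [ -d "$dir" ] || continue
        rel=${dir#"$yesterday"/} ; rel=${rel%/}
        [ -d "$today/$rel" ] || { echo "MISSING  $rel" ; changed=1 ; }
    done
    return "$changed"
}
```

Called once after the backup loop with ${BASEDIR} and ${YESTERDAY} as arguments, it reports every changed device in one run.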
2) doesn't worry me too much. 3) I think it is a great idea.
Thank You very much for your help!!!
Hello!
I don't clearly understand how I would use this in my case, as we have different enable passwords and telnet passwords. Do you have any idea how I can implement that? I don't see how that script telnets to the router.
I hadn't seen this done before arriving at my current organization, but it seems to work well. It archives the current configuration any time it's saved to a TFTP server (which happens to be Gentoo). We're using it on IOS switches and routers.