DX NetOps


capture start-upconfig from Cisco devices to Spectrum

  • 1.  capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 10:33 AM

    We are in the slow, arduous task of migrating from Solarwinds Orion to Spectrum. Within Solarwinds we are able to back up the start-up configs of our routers, but because our routers are managed by our carrier (Verizon) we do not have SNMP write access, only read. I have tried numerous times to get Spectrum to back up a router's config without much success, while Orion works every time. I do not have SCP server enabled on the routers, so how can I use Spectrum to do what Orion can do?



  • 2.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 12:12 PM

    We have this same problem. If you're not going to be using Spectrum to push out configurations, you should never need RW access on the router. It's a hard sell to the security side, "We need to be able to write to the router so we can read from the router (even though this other tool can do it without RW access)."

     

    Is there an idea for this? Let's do it. I'll get everyone on my team to vote it up. ;-)



  • 3.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 12:35 PM

    Spectrum needs RW access to issue a SNMPSET to create and execute the TFTP transfer.

     

    In order to have Spectrum NCM work for vendors that don't support this function over SNMP, I chose to write a perl/expect script for the custom Device Family to log into the device and issue the device's equivalent of "show startup-config" and "show running-config" to capture the output from STDOUT. The script worked so well, and was written agnostic enough, that I ended up using it even for the Cisco out-of-the-box Device Families, which allowed me to completely get away from the SNMP RW requirement. This also helped Spectrum NCM to work with Cisco models not yet supported out-of-the-box.



  • 4.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 12:44 PM

    Please post your script Justin_Kulikowski. I would love to see how that works.



  • 5.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 01:53 PM

    Please post your script



  • 6.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 03:09 PM

    I don't think corporate policy would let me post the script in its entirety, but in general this is what it does:

     

    • Uses Perl CPAN module Net::Appliance::Session
      • Supports both Telnet and SSH
      • Leverages Net::CLI::Interact to provide a "phrasebook" feature to ease the burden of expect
    • Default command-line input for 1.) IP, 2.) Username, 3.) Password, 4.) Enable Password; followed by custom command-line input for 5.) command to run, i.e. "show running-config", 6.) phrasebook 'personality'
      • Passing the Command and Personality is what makes the script agnostic.  I'm able to use the same script for all Vendors, and for both Startup and Running configuration capture
    • First attempts SSH, and if that fails then attempts Telnet
    • Enter privileged mode
    • Disable paging
    • Run command that was provided as Input
    • Print output to STDOUT for Spectrum to capture
    • Exit


  • 7.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 06:05 PM

    That's alright, al.sorrell posted something similar. It wouldn't be too hard to modify that to include the command part. What does the personality do?



  • 8.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 25, 2014 11:51 AM

    The 'personality' is how you reference the Net::CLI::Interact Phrasebook used by the Net::Appliance::Session module.  It's passed as a part of the Net::Appliance::Session constructor.  In essence, it allows the script itself to be platform-agnostic, by having the platform-specific Expect/Pattern matching tucked away in these phrasebook configuration files.

     

    For example when entering privileged mode, instead of having to need platform-specific case statements in the script itself to handle various Expect/Pattern matching, the script stays platform-agnostic with just this one single line:

     

    $s->begin_privileged();


  • 9.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 12:42 PM


    I agree it should have the capability of pulling device configs using SNMP RO instead of RW.



  • 10.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 02:19 PM

    Unfortunately, that's not the way Cisco designed their implementation. You're doing a SNMP WRITE in order to trigger the router to do a TFTP transfer.

    That write tells the router:

    1) what config (running/startup) you want

    2) what IP address to send it to

    3) the filename to receive it

    4) what protocol to use (at least in theory - actually only TFTP was implemented)

     

    Example:

    tftp_ip=1.2.3.4

    writeNet=".1.3.6.1.4.1.9.2.1.55.$tftp_ip"

    /usr/local/bin/snmpset -v 2c -c $snmp_rw -t $timeout -r 0 $dev $writeNet s $outfile



  • 11.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 02:47 PM

    So, how does Solarwinds do it without SNMP RW access?



  • 12.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 02:56 PM

    Don’t know about SolarWinds – but a quick Google search shows this which indicates that it probably does a telnet/SSH and then issues a TFTP command. That’s certainly another way to do it. Some in the security field argue against TFTP on general principles. Of course, in U*ix flavors, you must pre-create the destination file in the TFTP directory prior to trying to transfer it.

     

    http://www.kiwisyslog.com/help/cattools/index.html?act_devbackupruncfg.htm

    The Device.Backup.Running Config activity will make a backup of a device's running configuration and compare it to the current config file on disk. If there are differences, the current config is moved to the "Dated Configs" folder and the filename is appended with the current date. The newly downloaded config then becomes the current config. An HTML "diff" report is created in the "Reports" folder and a copy is e-mailed to the nominated person.

    How it works. Step by step:

    1. A connection is made via SSH or telnet to the device
    2. The "Show running configuration" (or similar) command is issued
    3. The config is collected and stored on disk in a temporary file
    4. A check is made to see if there is an existing config file on disk for this device
    5. If not, the newly downloaded config is placed in the "Configs" folder as the current device backup
    6. If a current config file is present, it is compared to the newly downloaded config
    7. A text and HTML report is made of the differences (if any) and stored in the "Reports" folder
    8. If differences are found, a copy of the difference report is sent via e-mail
    9. The current config file is moved into the "Dated configs" folder and appended with the current date
    10. The newly downloaded config file is put in the "Configs" folder and becomes the current device backup
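The compare/rotate part of the workflow quoted above (steps 4 to 10) is easy to get subtly wrong, for instance by overwriting the only good copy before the diff is written. The following is an added example, not CatTools or Spectrum code: it implements those steps in Python over a folder layout of Configs/, Dated Configs/ and Reports/ (names taken from the quoted text), with difflib producing the text and HTML reports. The device name, the sample configurations and the dates are constructed; the e-mail step (8) is left out.

```python
"""Config backup rotation: compare a fresh capture with the current copy on
disk, write text/HTML diff reports, move the old copy into a dated folder
and promote the new capture to 'current'."""
import difflib
import shutil
import tempfile
from datetime import date
from pathlib import Path


def archive_config(base_dir, device, new_config, today=None):
    """Run steps 4-10 for one device and report what happened.

    base_dir   -- root folder holding Configs/, Dated Configs/ and Reports/
    device     -- name used for the on-disk filename (hypothetical, e.g. 'rtr1')
    new_config -- the freshly captured configuration as a string
    today      -- date stamp for the rotated copy (defaults to date.today())
    Returns a dict with 'action' in {'new', 'unchanged', 'changed'} plus paths.
    """
    base = Path(base_dir)
    configs, dated, reports = base / "Configs", base / "Dated Configs", base / "Reports"
    for folder in (configs, dated, reports):
        folder.mkdir(parents=True, exist_ok=True)

    current = configs / f"{device}.cfg"
    stamp = (today or date.today()).isoformat()

    # Steps 4/5: no existing backup, so the new capture becomes current.
    if not current.exists():
        current.write_text(new_config)
        return {"action": "new", "current": str(current)}

    # Step 6: compare the existing backup with the new capture.
    old_lines = current.read_text().splitlines()
    new_lines = new_config.splitlines()
    if old_lines == new_lines:
        return {"action": "unchanged", "current": str(current)}

    # Step 7: text and HTML difference reports, written BEFORE anything is moved.
    text_report = reports / f"{device}_{stamp}.diff"
    html_report = reports / f"{device}_{stamp}.html"
    text_report.write_text("\n".join(difflib.unified_diff(
        old_lines, new_lines, fromfile=f"{device} (previous)",
        tofile=f"{device} (captured)", lineterm="")) + "\n")
    html_report.write_text(difflib.HtmlDiff().make_file(
        old_lines, new_lines, fromdesc="previous", todesc="captured"))

    # Step 9: rotate the previous backup into the dated folder.
    dated_copy = dated / f"{device}_{stamp}.cfg"
    shutil.move(str(current), str(dated_copy))

    # Step 10: the new capture becomes the current backup.
    current.write_text(new_config)
    return {"action": "changed", "current": str(current), "dated": str(dated_copy),
            "text_report": str(text_report), "html_report": str(html_report)}


def changed_lines(text_report_path):
    """Return only the added/removed lines of a unified diff report."""
    out = []
    for line in Path(text_report_path).read_text().splitlines():
        if line.startswith(("+++", "---")):
            continue  # file headers, not content
        if line.startswith(("+", "-")):
            out.append(line)
    return out


# Constructed sample captures of an imaginary router; the second one adds an
# ACL number to the community string line.
SAMPLE_V1 = "hostname rtr1\nsnmp-server community public RO\nend\n"
SAMPLE_V2 = "hostname rtr1\nsnmp-server community public RO 10\nend\n"


def demo(base_dir=None):
    """Three captures: first backup, identical re-capture, then a change."""
    if base_dir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    first = archive_config(base_dir, "rtr1", SAMPLE_V1, date(2014, 7, 24))
    same = archive_config(base_dir, "rtr1", SAMPLE_V1, date(2014, 7, 25))
    second = archive_config(base_dir, "rtr1", SAMPLE_V2, date(2014, 7, 26))
    return first, same, second, changed_lines(second["text_report"])


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The reports are written before the old copy is moved, so a crash in the middle never leaves the device without a backup on disk; that ordering is the point of the example.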



  • 13.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 03:04 PM

    Yeah, I'm not sure but SSH/telnet sounds like the probable way. However, if you're SSH/telnet'd into the device why wouldn't you just echo the results of issuing the show command back through the same SSH/telnet session?

     

    Our current NCM works this way. It doesn't use SNMP at all, since all it does is SSH into the device, issue a command, listen for the response, then store the response in the DB. Much cleaner and more secure than SNMP RW + TFTP or SSH/telnet + TFTP. If that's not possible in the product today, I'll create an idea around it. However, I would imagine Kiran is already all over that.



  • 14.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 03:06 PM

    That’s what the NXOS NCM script does that was the basis for the IOS script I just posted.

    Al



  • 15.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 04:43 PM

    A similar generic script is available in the documents section (hp_procurve_capture_config.txt). We use it for HP switches, but it's easily adapted for any other device family where you can just capture using ssh (or telnet) commands.



  • 16.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 24, 2014 02:12 PM

    Here's what I'm using for IOS startup capture; it's modeled on the NXOS script.

    To get the running config, change $ssh->send( "sh start" ); to $ssh->send( "sh running" );


    Change IOS-SSH Capable family to use Scripting

     

    In order to avoid using TFTP, it was desired to allow the IOS-SSH Device family to
    use the same scripting as other IOS devices. However, it wasn’t obvious how to
    do that as this family didn’t present an option for scripting. Under ticket
    21791249-01, we found that you can force the type of communication to be used
    for a particular device family. Open the Component Detail, then modify the
    attribute NCM_SELECTED_COMM_MODE.

     

    Double click attribute, remove check from No Change, Change from SNMP/TFTP to script

     

    Al

    ==================================== script ================

     

    #!/opt/SPECTRUM/bin/perl -w

    # This script will capture the startup configuration of a
    # Cisco IOS device through an SSH session and print it to STDOUT.
    # It is based on the standard Spectrum startup configuration script for NXOS.
    # Error Codes:
    #   0   = Success
    #   255 = Usage error
    #   254 = Invalid timeout value
    #   252 = Login error
    #   249 = Exec prompt not found error
    #   244 = Error retrieving configuration
    #   245 = Insufficient privileges
    #   253 = Unexpected output
    #

    use strict;
    use warnings;
    use Net::SSH::Expect;

    $ENV{'PATH'} = "/usr/bin:" . $ENV{'PATH'};

    ### Main ###
    if( $#ARGV != 4 && $#ARGV != 5 )
    {
        my $usage = "Usage: capture_startup.pl <device IP> <user> <pass> <enable_pass> "
                  . "<login_timeout_in_seconds> <capture_timeout_in_seconds>\n";
        print $usage;
        print STDERR $usage;
        exit 255;
    }
    elsif( $ARGV[4] < 1 || $ARGV[4] > 600 )
    {
        print "$ARGV[4] is the login timeout and must be an int between 1 and 600 seconds\n";
        print STDERR "$ARGV[4] is the login timeout and must be an int between 1 and 600 seconds\n";
        exit 254;
    }
    elsif( $#ARGV == 5 && ( $ARGV[5] < 1 || $ARGV[5] > 600 ) )
    {
        print "$ARGV[5] is the capture timeout and must be an int between 1 and 600 seconds\n";
        print STDERR "$ARGV[5] is the capture timeout and must be an int between 1 and 600 seconds\n";
        exit 254;
    }
    else
    {
        # the capture timeout defaults to the login timeout when not supplied
        my $capture_timeout = $ARGV[4];
        if( $ARGV[5] )
        {
            $capture_timeout = $ARGV[5];
        }

        my $errorCode = 1;
        my @data;
        my $errorString = "\nHost $ARGV[0]:  \n";

        ($errorCode, @data) = GetConfig( $ARGV[0], $ARGV[1], $ARGV[2], $ARGV[3],
                                         $ARGV[4], $capture_timeout );

        if( $errorCode == 0 )
        {
            # Success.  The startup configuration
            # content is in the data variable
            foreach ( @data ) { print "$_\n" }; # print the configuration to STDOUT
            exit 0;
        }
        else
        {
            print STDERR $errorString;

            if( $errorCode == 245 )
            {
                print STDERR join " ", @data, "\nEnsure that the device user has "
                    . "sufficient privileges to disable paging and view the config\n";
            }
            else
            {
                print STDERR join " ", @data, "\n";
            }

            exit $errorCode;
        }
    }

    sub GetConfig
    {
        my $deviceIP        = shift;
        my $user            = shift;
        my $pass            = shift;
        my $epass           = shift;
        my $login_timeout   = shift;
        my $capture_timeout = shift;
        my @config;
        my $msg;
        my $ssh = Net::SSH::Expect->new ( host        => $deviceIP,
                                          user        => $user,
                                          password    => $pass,
                                          raw_pty     => 1,
                                          no_terminal => 0,
                                          timeout     => $login_timeout
                                        );

        my $login_output;
        eval { $login_output = $ssh->login(); };
        if( $@ )
        {
            $msg = "Login has failed: $@";
            return( 252, $msg );
        }

        # login output should end with the user-exec prompt character '>'
        if( $login_output !~ /\>\s*\z/ )
        {
            $msg = "Login has failed. Didn't see device prompt as expected.";
            $ssh->close();
            return( 252, $msg );
        }

        # enter privileged mode; the device answers "enable" with a password prompt
        my $enable = $ssh->exec( "enable" );
        my $exec_login_output;
        if( $enable =~ /Password:\s*/i ) {
            $exec_login_output = $ssh->exec( $epass );
        } else {
            $msg = "Login has failed. Didn't see enable password prompt as expected.";
            $ssh->close();
            return( 252, $msg );
        }

        if( $exec_login_output !~ /\#\s*\z/ )  # '#' is the privileged-exec prompt character
        {
            # we don't have the '#' prompt, which means we still can't exec commands
            $msg = "Exec prompt not found.";
            $ssh->close();
            return( 249, $msg );
        }

        # disable paging
        # different commands for different devices, if they don't
        # work then we will get messages about problems later
        # specifically the "No prompt after 'sh run'" error
        # errmsg doesn't get set when these error and if we use print
        # and getlines to read for errors it causes problems with print "sh run"
        # later.
        # $ssh->exec( "term pager 0" );
        my $paging = $ssh->exec( "term len 0" );
        if( $paging =~ /\s?%\s/ )  # IOS reports errors with a leading '%'
        {
            $msg = "Unable to set terminal size to 0 - Insufficient privileges";
            $ssh->close();
            return( 245, $msg );
        }

        $ssh->send( "sh start" );
        $ssh->timeout( $capture_timeout );
        $ssh->peek(0);

        while( my $line = $ssh->read_line() )
        {
            # get configuration content, dropping the echoed command,
            # the IOS banner lines and blank lines
            if( $line !~
                /sh start|Building configuration|Current configuration|^\s*$/ )
            {
                push @config, $line;
            }
        }

        if( !@config )
        {
            $msg = "No data retrieved, the capture timeout may be too low.";
            $ssh->close();
            return( 244, $msg );
        }

        if( scalar grep { $_ =~ /^%/ } @config )
        {
            # Ensure show start actually returned the config and not an error
            # message containing '%'
            $ssh->close();
            return( 245, @config );
        }

        $ssh->close();
        return( 0, @config ); # everything was okay, return the captured data
    }
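Justin's description in reply 6 (SSH first, Telnet as fallback, enter privileged mode, disable paging, run the supplied command, print to STDOUT) and Al's Perl script above share the same shape and the same failure modes. The following is an added example in Python, not code from either poster or from Spectrum: the capture itself assumes the netmiko library's ConnectHandler/enable/send_command/disconnect API (netmiko 4.x) and a hypothetical device, while the output-cleaning and error-detection logic is pure Python and mirrors the exit codes of the script above. The sample device outputs at the bottom are constructed.

```python
"""Capture a Cisco IOS config over SSH (falling back to Telnet) and print it
to STDOUT the way a Spectrum NCM script does.  Exit codes follow the Perl
script in this thread: 0 ok, 244 no data, 245 insufficient privileges,
252 login failed, 255 usage."""
import sys

EXIT_OK, EXIT_NO_DATA, EXIT_NO_PRIV, EXIT_LOGIN, EXIT_USAGE = 0, 244, 245, 252, 255

# Banner lines IOS prints around the configuration; they are not config.
NOISE_PREFIXES = ("Building configuration", "Current configuration", "Using ")


def clean_capture(raw, command):
    """Strip the echoed command, banner lines and blank lines from raw output.

    Returns (exit_code, lines).  A line starting with '%' is an IOS error
    (e.g. "% Invalid input detected"), which for a show command means the
    account lacked the privilege to run it, so it maps to EXIT_NO_PRIV.
    """
    lines = []
    for line in raw.splitlines():
        stripped = line.strip()
        if not stripped or stripped == command.strip():
            continue
        if stripped.startswith(NOISE_PREFIXES):
            continue
        lines.append(line.rstrip())
    if not lines:
        return EXIT_NO_DATA, ["No data retrieved, the capture timeout may be too low."]
    if any(line.lstrip().startswith("%") for line in lines):
        return EXIT_NO_PRIV, lines
    return EXIT_OK, lines


def capture(host, user, password, enable_pass, command, timeout=30):
    """Try SSH, then Telnet; run `command` in privileged mode; clean the output."""
    # Assumption: netmiko 4.x.  Imported here so the cleaning logic above
    # can be used (and tested) without the library installed.
    from netmiko import ConnectHandler
    from netmiko.exceptions import NetmikoAuthenticationException, NetmikoTimeoutException

    last_error = None
    for device_type in ("cisco_ios", "cisco_ios_telnet"):   # SSH first, Telnet fallback
        try:
            conn = ConnectHandler(device_type=device_type, host=host, username=user,
                                  password=password, secret=enable_pass, timeout=timeout)
        except (NetmikoAuthenticationException, NetmikoTimeoutException) as exc:
            last_error = exc
            continue
        try:
            conn.enable()   # privileged mode; the cisco_ios driver disables paging on connect
            raw = conn.send_command(command, read_timeout=timeout)
        finally:
            conn.disconnect()
        return clean_capture(raw, command)
    return EXIT_LOGIN, [f"Login has failed over SSH and Telnet: {last_error}"]


def main(argv):
    if len(argv) not in (5, 6):
        print("Usage: capture_config.py <ip> <user> <pass> <enable_pass> <command> [timeout]",
              file=sys.stderr)
        return EXIT_USAGE
    timeout = int(argv[5]) if len(argv) == 6 else 30
    code, lines = capture(argv[0], argv[1], argv[2], argv[3], argv[4], timeout)
    if code == EXIT_OK:
        print("\n".join(lines))            # Spectrum stores whatever lands on STDOUT
    else:
        print(f"Host {argv[0]}: " + " ".join(lines), file=sys.stderr)
    return code


# Constructed sample outputs, as a device would echo them back over the session.
SAMPLE_OK = "sh start\nUsing 512 out of 262144 bytes\n!\nversion 15.1\nhostname rtr1\n!\nend\n"
SAMPLE_DENIED = "sh start\n% Invalid input detected at '^' marker.\n"

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because the command is a parameter, the same script serves "show startup-config" and "show running-config", which is exactly the property reply 6 attributes to passing the command on the command line.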



  • 17.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 25, 2014 04:28 AM

    As others before me said, you have several options for collecting configuration from a device:

     

    1) SNMP + TFTP.

    This requires SNMP RW access, as Justin said.

     

    2) SSH/Telnet.

    This requires the enable password. In my opinion this can be more destructive to security than using SNMP RW communities on the device. You have the option to restrict SNMP access by ACL, and by using views even more. With the enable password you get everything on the device.

     

    3) SSH/Telnet + TFTP

    As Al was saying, you might even have the possibility to tell the device where to dump its configuration using TFTP. Personally I consider that SSH should be used in opposition with Telnet.

     

    You can always use the example scripts from SPECTRUM for collecting configuration using either SSH or Telnet. You have to change some parts of the code but it will work for sure. It's not very complicated. I did it for some ATI switches for SSH. You have to test it around.



  • 18.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 28, 2014 08:09 AM

    While I can see how option 2 might be more disruptive in some environments, that really shouldn't be the concern. We already have a product in house that uses SSH to gather configs. We control access through TACACS and the account we use has read-only access for this function. This has been easier politically to allow than a RW community string, given the difficulties in configuring SNMPv3 and the insecurity of SNMPv2c.

     

    The merits/dangers of these three methods are moot. The software needs to have options. The script provided is a great workaround, but it should be built in.



  • 19.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 28, 2014 08:50 AM

    Our setup is also using Option 2 and we have the same security measures in tacacs. Have been working well so far.



  • 20.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 28, 2014 08:52 AM

    RenatoBR, do you mean you are using option 2 with Spectrum or another product?



  • 21.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 28, 2014 08:55 AM

    Yes, with Spectrum. We also use the method for capturing the config of all device families, not only Cisco Devices.



  • 22.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 28, 2014 04:53 PM

    I have it working now. The Cisco router should have AAA, SSH and IP SCP server enabled.



  • 23.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Jul 31, 2014 02:12 PM

    Why is this so difficult? I just want to create custom device families for each of my network devices. One for the Cisco routers that will use SSH/SCP with a username and password BUT NO ENABLE PASSWORD to upload the start-up configs, and another for the Cisco switches that will use TELNET/FTP using a username, password, and ENABLE PASSWORD to complete this task. For example, when a Cisco router is initially discovered it is placed in the CISCO IOS-SSH Capable device group. As long as the device is in this group the backup script runs fine using SSH/SCP. However, when I move the router to a new custom group that I have created, editing the attribute NCM_SELECTED_COMM_MODE to read script, the backup fails.



  • 24.  Re: capture start-upconfig from Cisco devices to Spectrum

    Posted Nov 16, 2018 08:20 AM

    opnet

    I was wondering if you ever got this working with Cisco ASA? I am interested in starting to do this with our Cisco ASAs and then move out to other networking devices from there.