
Backup cisco config with Rancid and an Unprivileged user

Post by Thomas Weaver on January 24, 2013 10:14 pm

RANCID is a tool for backing up network device configurations and versioning the backups. It was originally intended to back up Cisco configurations; it does this by logging in to the devices using either telnet or ssh and then running a series of commands. In a default set-up it runs multiple commands and captures the output of each one. We don't need all this information; in fact we only want to store the configuration, so we only need to grant the user one command, "show running-config".

You need to have RANCID already set up and be familiar with how it works. You can find a useful guide here:

http://openmaniak.com/rancid_tutorial.php

I'll explain how the configuration file determines what scripts are run. Let's take the following router.db configuration:

192.168.0.1:cisco:up
192.168.0.2:cisco:up

The first part is the IP address or hostname of the device, then the type of device, and then whether it is up or down. The device type actually specifies which script to run; this mapping can be found in the file "rancid-fe", which by default is stored in /usr/libexec/rancid/. Open up the file and look for the vendortable array:

%vendortable = (
    'agm'               => 'agmrancid',
    'alteon'            => 'arancid',
    'arista'            => 'arrancid',
    'avocent'           => 'avorancid',
    'baynet'            => 'brancid',
    'cat5'              => 'cat5rancid',
    'cisco'             => 'rancid',
    'cisco-old'         => 'rancid-old',
    'cisco-nx'          => 'nxrancid',
    'cisco-xr'          => 'xrrancid',
    'css'               => 'cssrancid',
    'enterasys'         => 'rivrancid',
    'erx'               => 'jerancid',
    'extreme'           => 'xrancid',
    'ezt3'              => 'erancid',
    'f5-file'           => 'f5ranciducs',
    'force10'           => 'f10rancid',
    'fortigate'         => 'fnrancid',
    'foundry'           => 'francid',
    'hitachi'           => 'htrancid',
    'hp'                => 'hrancid',
    'juniper'           => 'jrancid',
    'mrtd'              => 'mrancid',
    'mrv'               => 'mrvrancid',
    'netopia'           => 'trancid',
    'netscaler'         => 'nsrancid',
    'netscreen'         => 'nrancid',
    'procket'           => 'prancid',
    'redback'           => 'rrancid',
    'riverstone'        => 'rivrancid',
    'smc'               => 'srancid',
    'tnt'               => 'tntrancid',
    'zebra'             => 'zrancid',
    'watchguard'        => 'wrancid'
)

As you can see, cisco maps to the "rancid" script file. So let's copy that script file and call it "rancid.bak", so that we can restore the original later if we wish.

Now edit the rancid file using your favourite editor and find the commandtable array "@commandtable". Comment out this entire array:

#@commandtable = (
#       {'show version'                 => 'ShowVersion'},
#       {'show redundancy secondary'    => 'ShowRedundancy'},
#       {'show idprom backplane',       => 'ShowIDprom'},
#       {'show install active'          => 'ShowInstallActive'},
#       {'show env all'                 => 'ShowEnv'},
#       {'show rsp chassis-info',       => 'ShowRSP'},
#       {'show gsr chassis'             => 'ShowGSR'},
#       {'show diag chassis-info'       => 'ShowGSR'},
#       {'show boot'                    => 'ShowBoot'},
#       {'show bootvar'                 => 'ShowBoot'},
#       {'show variables boot'          => 'ShowBoot'},
#       {'show flash'                   => 'ShowFlash'},
#       {'dir /all nvram:'              => 'DirSlotN'},
#       {'dir /all bootflash:'          => 'DirSlotN'},
#       {'dir /all slot0:'              => 'DirSlotN'},
#       {'dir /all disk0:'              => 'DirSlotN'},
#       {'dir /all slot1:'              => 'DirSlotN'},
#       {'dir /all disk1:'              => 'DirSlotN'},
#       {'dir /all slot2:'              => 'DirSlotN'},
#       {'dir /all disk2:'              => 'DirSlotN'},
#       {'dir /all harddisk:'           => 'DirSlotN'},
#       {'dir /all harddiska:'          => 'DirSlotN'},
#       {'dir /all harddiskb:'          => 'DirSlotN'},
#       {'dir /all sup-bootflash:'      => 'DirSlotN'},         # cat 6500-ios
#       {'dir /all sup-microcode:'      => 'DirSlotN'},         # cat 6500-ios
#       {'dir /all slavenvram:'         => 'DirSlotN'},
#       {'dir /all slavebootflash:'     => 'DirSlotN'},
#       {'dir /all slaveslot0:'         => 'DirSlotN'},
#       {'dir /all slavedisk0:'         => 'DirSlotN'},
#       {'dir /all slaveslot1:'         => 'DirSlotN'},
#       {'dir /all slavedisk1:'         => 'DirSlotN'},
#       {'dir /all slaveslot2:'         => 'DirSlotN'},
#       {'dir /all slavedisk2:'         => 'DirSlotN'},
#       {'dir /all slavesup-bootflash:' => 'DirSlotN'},         # cat 7609
#       {'dir /all sec-nvram:'          => 'DirSlotN'},
#       {'dir /all sec-bootflash:'      => 'DirSlotN'},
#       {'dir /all sec-slot0:'          => 'DirSlotN'},
#       {'dir /all sec-disk0:'          => 'DirSlotN'},
#       {'dir /all sec-slot1:'          => 'DirSlotN'},
#       {'dir /all sec-disk1:'          => 'DirSlotN'},
#       {'dir /all sec-slot2:'          => 'DirSlotN'},
#       {'dir /all sec-disk2:'          => 'DirSlotN'},
#       {'show controllers'             => 'ShowContAll'},
#       {'show controllers cbus'        => 'ShowContCbus'},
#       {'show diagbus'                 => 'ShowDiagbus'},
#       {'show diag'                    => 'ShowDiag'},
#       {'show module'                  => 'ShowModule'},       # cat 6500-ios
#       {'show spe version'             => 'ShowSpeVersion'},
#       {'show c7200'                   => 'ShowC7200'},
#       {'show inventory raw'           => 'ShowInventory'},
#       {'show vtp status'              => 'ShowVTP'},
#       {'show vlan'                    => 'ShowVLAN'},
#       {'show vlan-switch'             => 'ShowVLAN'},
#       {'show debug'                   => 'ShowDebug'},
#       {'more system:running-config'   => 'WriteTerm'},        # ASA/PIX
#       {'show running-config'          => 'WriteTerm'},
#       {'write term'                   => 'WriteTerm'},
#);

Now we need to create the array again but with our command:

@commandtable = (
{'show running-config view full' => 'WriteTerm'}
);

This maps the command "show running-config view full" to the function "WriteTerm". When run, rancid will connect to the device and run the command; the function will then parse the output, remove certain things such as passwords, and save the result to host.new, where host is the name of the host.

Now all we need to do is set up a user on the switch, so connect to the switch:

enable
conf t
username rancid privilege 4 secret password
privilege exec level 4 show running-config view full

This creates a user called rancid with the password "password" and grants it privilege level 4. The last command then allows level 4 to run the command "show running-config view full".
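As an added consistency check for the two edits above (the trimmed @commandtable and the IOS privilege grant), the following Python is not part of the original post or of RANCID: it parses the live @commandtable from the edited rancid script and the IOS username/privilege lines, and reports any command rancid would send that the rancid user's privilege level has not been granted. The sample strings are constructed from the lines in the post; in practice the script and the IOS configuration would be read from files.

```python
import re

# Constructed samples: the edited rancid script (original @commandtable
# commented out, single-command table after it) and the post's IOS lines.
RANCID_SCRIPT = """
#@commandtable = (
#       {'show version'                 => 'ShowVersion'},
#);
@commandtable = (
{'show running-config view full' => 'WriteTerm'}
);
"""
IOS_CONFIG = """
username rancid privilege 4 secret password
privilege exec level 4 show running-config view full
"""

def commandtable_entries(perl_src):
    # (command, handler) pairs from the live @commandtable; '#' lines are
    # skipped as Perl skips them, and the stray ',' before '=>' is tolerated
    entries, active = [], False
    for line in (l.strip() for l in perl_src.splitlines()):
        if line.startswith('#'):
            continue
        if re.match(r'@commandtable\s*=\s*\(', line):
            active = True
        elif active and line.startswith(')'):
            break
        elif active:
            if m := re.search(r"\{\s*'([^']+)'\s*,?\s*=>\s*'([^']+)'\s*\}", line):
                entries.append((m.group(1), m.group(2)))
    return entries

def ios_grants(ios_src):
    # ({user: level}, {command: level}) from username / privilege exec lines
    users, grants = {}, {}
    for line in (l.strip() for l in ios_src.splitlines()):
        if m := re.match(r'username (\S+) privilege (\d+)', line):
            users[m.group(1)] = int(m.group(2))
        if m := re.match(r'privilege exec level (\d+) (.+)$', line):
            grants[m.group(2)] = int(m.group(1))
    return users, grants

def ungranted_commands(perl_src, ios_src, user):
    # commands rancid will send that are not explicitly granted at or below
    # the user's level; a command with no privilege line is flagged for review
    users, grants = ios_grants(ios_src)
    level = users.get(user, 1)
    return [cmd for cmd, _ in commandtable_entries(perl_src)
            if grants.get(cmd, 16) > level]
```

An empty result means every command in the table is covered by a privilege line at or below the user's level; anything listed is a command the backup would attempt that the device should refuse.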

Now add the username and password to your .clogin:

add user * rancid
add password * password
add method * {ssh} {telnet}
add autoenable * {[01]}

This means rancid will use the rancid username and password for all devices; it will first try SSH and, if that fails, it will then try Telnet. The last line means it doesn't need to run enable on login; adjust this to your needs.

Unfortunately this doesn't work on all IOS versions. You can also use TACACS to limit a user's access to the device, and that is the preferred way, but if you don't have TACACS and have the latest IOS the above will work just fine. You can also add an entry to the "rancid-fe" file that points "cisco-old", for example, to the original script file that we backed up previously; then you can run the old and new cisco scripts as and when you need to.


  • Florian Berthelot says:

    Hi,
    Very interesting, a good mix of using a bit of Cisco user privileges and rancid.

    If needed you can add commands using the
    privilege exec level 5 show flash:

    and so on

    Florian