Backup Cisco config with Rancid and an unprivileged user

Thu, 24 Jan 2013 22:35:43 +0000

RANCID is a tool for backing up network devices configuration and versioning the backups. It was originally intended to backup Cisco configurations it does this by logging in to the devices using either telnet or ssh and then runs a series of commands. In a default set up it runs multiple commands and captures the output of each command, we don’t need all this information infact we only want to store the configuration and so we only need to grant the user one command “show running-config”.

You need to have RANCID already set up and be familiar with how it works. You can find a useful guide here:

http://openmaniak.com/rancid_tutorial.php

I’ll explain how the configuration file determines what scripts are run. Lets take the following router.db configuration:

192.168.0.1:cisco:up

192.168.0.2:cisco:up

The first part is the IP address or hostname of the device then the type of device and weather it is up or down. This device type actually specifies what scripts to run, this mapping can be found in the file “rancid-fe” which is by default stored in /usr/libexec/rancid/. Open up the file and we are looking for the vendortable array:

%vendortable = (
    'agm'               => 'agmrancid',
    'alteon'            => 'arancid',
    'arista'            => 'arrancid',
    'avocent'           => 'avorancid',
    'baynet'            => 'brancid',
    'cat5'              => 'cat5rancid',
    'cisco'             => 'rancid',
    'cisco-old'         => 'rancid-old',
    'cisco-nx'          => 'nxrancid',
    'cisco-xr'          => 'xrrancid',
    'css'               => 'cssrancid',
    'enterasys'         => 'rivrancid',
    'erx'               => 'jerancid',
    'extreme'           => 'xrancid',
    'ezt3'              => 'erancid',
    'f5-file'           => 'f5ranciducs',
    'force10'           => 'f10rancid',
    'fortigate'         => 'fnrancid',
    'foundry'           => 'francid',
    'hitachi'           => 'htrancid',
    'hp'                => 'hrancid',
    'juniper'           => 'jrancid',
    'mrtd'              => 'mrancid',
    'mrv'               => 'mrvrancid',
    'netopia'           => 'trancid',
    'netscaler'         => 'nsrancid',
    'netscreen'         => 'nrancid',
    'procket'           => 'prancid',
    'redback'           => 'rrancid',
    'riverstone'        => 'rivrancid',
    'smc'               => 'srancid',
    'tnt'               => 'tntrancid',
    'zebra'             => 'zrancid',
    'watchguard'        => 'wrancid'
)

As you can see cisco maps to the “rancid” script file. So lets copy that script file and call it “rancid.bak”, this is so we can restore the file later if we wish.

Now edit the rancid file using you favourite editor and find the commandtable array “@commandtable”, comment out this entire array:

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

#f0f3f3">

#@commandtable = ( {'show version'                 => 'ShowVersion'}, {'show redundancy secondary'    => 'ShowRedundancy'}, {'show idprom backplane',       => 'ShowIDprom'}, {'show install active'          => 'ShowInstallActive'}, {'show env all'                 => 'ShowEnv'}, {'show rsp chassis-info',       => 'ShowRSP'}, {'show gsr chassis'             => 'ShowGSR'}, {'show diag chassis-info'       => 'ShowGSR'}, {'show boot'                    => 'ShowBoot'}, {'show bootvar'                 => 'ShowBoot'}, {'show variables boot'          => 'ShowBoot'}, {'show flash'                   => 'ShowFlash'}, {'dir /all nvram:'              => 'DirSlotN'}, {'dir /all bootflash:'          => 'DirSlotN'}, {'dir /all slot0:'              => 'DirSlotN'}, {'dir /all disk0:'              => 'DirSlotN'}, {'dir /all slot1:'              => 'DirSlotN'}, {'dir /all disk1:'              => 'DirSlotN'}, {'dir /all slot2:'              => 'DirSlotN'}, {'dir /all disk2:'              => 'DirSlotN'}, {'dir /all harddisk:'           => 'DirSlotN'}, {'dir /all harddiska:'          => 'DirSlotN'}, {'dir /all harddiskb:'          => 'DirSlotN'}, {'dir /all sup-bootflash:'      => 'DirSlotN'},         # cat 6500-ios {'dir /all sup-microcode:'      => 'DirSlotN'},         # cat 6500-ios {'dir /all slavenvram:'         => 'DirSlotN'}, {'dir /all slavebootflash:'     => 'DirSlotN'}, {'dir /all slaveslot0:'         => 'DirSlotN'}, {'dir /all slavedisk0:'         => 'DirSlotN'}, {'dir /all slaveslot1:'         => 'DirSlotN'}, {'dir /all slavedisk1:'         => 'DirSlotN'}, {'dir /all slaveslot2:'         => 'DirSlotN'}, {'dir /all slavedisk2:'         => 'DirSlotN'}, {'dir /all slavesup-bootflash:' => 'DirSlotN'},         # cat 7609 {'dir /all sec-nvram:'          => 'DirSlotN'}, {'dir /all sec-bootflash:'      => 'DirSlotN'}, {'dir /all sec-slot0:'          => 'DirSlotN'}, {'dir /all sec-disk0:'          => 'DirSlotN'}, {'dir /all sec-slot1:'          => 'DirSlotN'}, {'dir /all sec-disk1:'          => 'DirSlotN'}, {'dir /all sec-slot2:'          => 'DirSlotN'}, {'dir /all sec-disk2:'          => 'DirSlotN'}, {'show controllers'             => 'ShowContAll'}, {'show controllers cbus'        => 'ShowContCbus'}, {'show diagbus'                 => 'ShowDiagbus'}, {'show diag'                    => 'ShowDiag'}, {'show module'                  => 'ShowModule'},       # cat 6500-ios {'show spe version'             => 'ShowSpeVersion'}, {'show c7200'                   => 'ShowC7200'}, {'show inventory raw'           => 'ShowInventory'}, {'show vtp status'              => 'ShowVTP'}, {'show vlan'                    => 'ShowVLAN'}, {'show vlan-switch'             => 'ShowVLAN'}, {'show debug'                   => 'ShowDebug'}, {'more system:running-config'   => 'WriteTerm'},        # ASA/PIX {'show running-config'          => 'WriteTerm'}, {'write term'                   => 'WriteTerm'}, );

Now we need to create the array again but with our command:

@commandtable = {
{'show running-config view full' => 'WriteTerm'}
);



This basically maps the command “show running-config view full” to the function “WriteTerm”, so when run it will connect to the device run the command and then the function will parse the output and remove certain things like password etc and then save the output to host.new where host is the name of the host.

Now all we need to do is set up a user on the switch so connect to the switch:

enable
conf t
username rancid privilege 4 secret password
privilege exec level 4 show running-config view full



This creates a user called rancid and password “password” and grants it privilege 4. The last command then allows level 4 to run the command  “show the running config”.

Now add the username and password to your .clogin


add user * rancid

add password * password

add method * {ssh} {telnet}

add autoenable * {[01]}



This means rancid will use the rancid username and password for all devices, it will first try SSH but if that fails it will then try Telnet. The last line means it doesnt need to run enable on login, adjust this to your needs.

This unfortunately doesn’t work on all IOS’s versions, you can also use TACACs to limit a users access to the device and is the preferred way, but if you don’t have TACACs and have the latest IOS the above will work just fine. You can also add a section to the “rancid-fe” file that points “cisco-old” for example to the original script file that we backed up previously then you can run the old and new cisco script as and when you need to.

Upgrading Cisco switches with K9 image

Sat, 18 Aug 2012 20:12:43 +0000

I recently had to install a new HP c7000 chassis with 16 half height blades.

This came with 4 Cisco 3020’s switches in the back, 2 for normal network traffic and 2 for the iSCSI fabric. This was to be placed in a PCI environment and so had to meet PCI requirements.

PCI DSS states:

2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access

So we need to encrypt the management access to the switches, by default the Cisco IOS doesn’t support SSH or HTTPS Encryption. To enable SSH and HTTPS we need to update the IOS with the K9 image:

cbs30x0-ipbasek9-mz.122-58.SE1.tar

From the cisco website

http://www.cisco.com/cisco/software/release.html?mdfid=280348753&softwareid=280805680&release=12.2.58-SE1&relind=AVAILABLE&rellifecycle=ED&reltype=latest

You need a valid Service Contract login to download IOS software.

Note K9 in the IOS filename just make sure you look for this then you know you have the correct IOS update.

Now you need a TFTP server so you can upload the image to the switch, I usually use TFTPD for Windows. You can download it from here:

http://tftpd32.jounin.net/

Open TFTP and then select the directory in which the IOS update is located. Now TFTPD is looking at the correct directory you need to log on to the switch.

You will obviously need to use the console cable and set an IP address on the Management Interface or VLAN depending on your setup. The 3020’s I am dealing with have a seperate FastEthernet (fa0) interface connecting to the HP Onboard Administrator for management. In my case as well because of the HP Onboard Administrator the fa0 interface is given an IP address through EBIPA. Now connect to the same Subnet as the Management interface.

As you can see above I’ve downloaded the archive update file which contains the updated HTTP files as you never know in the future you might want to use the HTTP interface.

On the switch type the following command:

Switch# archive download-sw /overwrite /reload tftp://ipaddress/cbs30x0-ipbasek9-mz.122-58.SE1.tar

This command will download the image from the specified TFTP server, it will overwrite the current IOS and attempt to reload the switch. If the config hasn’t been saved then the reload will be aborted. To save the config I always run the following before running the above command:

Switch# copy run start

This will copy the running config to the start up config then the switch will automatically reload on the update.

Once the switch has booted up fully it should now have the K9 image installed. you can always confirm this by running the following:

Switch# show version

Cisco IOS Software, CBS30X0 Software (CBS30X0-IPBASEK9-M), Version 12.2(58)SE1

TomsBlog

Backup Cisco config with Rancid and an unprivileged user

Upgrading Cisco switches with K9 image