Here's a trick I would like to pass along. I worked in an environment where the directors mandated that only senior engineers had access to the routers and to config mode. This was a struggle, because I didn't want to be sitting on a phone, dial-up, or VPN session for every little issue that cropped up.
Typically we had onsite technicians at our numerous remote branches who would execute power-downs and relocations in the branch IT room on a monthly if not weekly rotation schedule.
To assure them that the devices (branch routers) were backed up, and that no configuration was lost due to a power-down, electrical reroute, rollover onto generator, etc., we used a standard backup user account within our domain, together with the Cisco autocommand feature and TACACS and/or a local user database.
The autocommand used Tcl (aka "tickle" for us Linux geeks) and called the commands to be executed as if we were on the CLI doing it ourselves.
In this example, I will show you how a local user named backup did my chores :)
1st, make a user named backup. The name can be whatever you want (neteng, eng, backup; it doesn't matter, but keep it simple):
config t
username backup priv 15 autocommand tclsh flash:backmeupnow.tcl
! the login credential comes from TACACS or from a separate "username backup secret ..." line
!
2nd, create a Tcl (tickle) script to do whatever you want. In this case it will save the config and copy it to a TFTP server at 1.1.1.1:
tclsh
# open a new file on flash and write the two IOS commands into it
set x [open "flash:backmeupnow.tcl" w+]
set ken { write mem
copy running tftp://1.1.1.1/myroutername.config
}
puts $x $ken
close $x
tclquit
3rd, validate the script with dir flash:backmeupnow.tcl or more flash:backmeupnow.tcl.
To test, just telnet or SSH into the router as the autocommand user (backup in my case). This user could also run it from the console if you have restricted access-class on your vtys. You can also run the script directly from the router CLI
(this was run from the CLI of a 7200 at an Equinix facility):
BO17200WEST01BATL#tclsh backmeupnow.tcl
Building configuration...
[OK]
Address or name of remote host [1.1.1.1]?
Destination filename [myroutername.config]?
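As an added example, not from the original post, here is a fuller backmeupnow.tcl for IOS tclsh that names the file after the router, timestamps it, answers the copy prompts, and stops on failure. It assumes the post's TFTP server at 1.1.1.1 and the IOS tclsh exec and typeahead commands; the "bytes copied" success check relies on the copy command's usual output.

```tcl
# Added example, not from the original post: a fuller backmeupnow.tcl for IOS tclsh.
# Assumes the post's TFTP server at 1.1.1.1 and the IOS tclsh commands exec and
# typeahead; the "bytes copied" success check relies on the copy command's output.
# Only exec-level commands are used; nothing is configured, as in the post.
set tftp_host 1.1.1.1

# Derive the file name from the router's hostname instead of hard-coding it
set hostname router
regexp -line {^hostname (\S+)} [exec "show running-config | include ^hostname"] -> hostname
set stamp [clock format [clock seconds] -format %Y%m%d-%H%M]
set dest "tftp://$tftp_host/$hostname-$stamp.config"

# Save to NVRAM first so the startup config matches what we ship off-box
if {[catch {exec "write memory"} out]} {
    puts "write memory failed: $out"
    exit
}

# copy still asks "Address or name of remote host?" and "Destination filename?";
# two newlines accept the defaults taken from the URL
typeahead "\n\n"
if {[catch {exec "copy running-config $dest"} out]} {
    puts "backup copy failed: $out"
    exit
}

# IOS reports "<n> bytes copied in ..." on success; treat anything else as a failure
if {![regexp {bytes copied} $out]} {
    puts "copy did not confirm completion:\n$out"
    exit
}

# TFTP carries the config, secrets included, unencrypted: keep the server on the
# branch LAN, as in the post's per-branch TFTP setup
puts "backup written to $dest"
```

Write it to flash with the same open/puts/close steps as above; if typeahead is not available on your train, the global config command file prompt quiet suppresses those prompts instead.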
A backup script like this can save you from having to be engaged in every power-down event. It can also be used in an emergency, such as when the remote branch office is without internet due to a fiber or carrier outage and you want to power-cycle your gear but are not sure whether the device was backed up. And you can create a SNAFU/SHTF account script for those critical issues that come up when you are not around or have no remote access to the device.
Or worse, if you have a major onsite issue (with no remote access), maybe you want to save any changes before you have the local techie pull the power plug, for that just-in-case moment.
I hope you find this trick simple to use; be creative in your scripting ideas and you can use this for other simple daily chores.
For example:
Example 1
We used to have an automated telnet generator (a Linux host) that would rotate through all of our financial-sector routers at 23:59 (Sun-Thu) and clear the interface counters and logs on our gear so we had a fresh start at market open. Since we had 56 routers spread over 8 data hotels, I would rather be in bed catching ZZZZzzzzzzzs than logging into 56 routers and clearing logs/counters on our interfaces :)
Example 2
In another case, we had routers that would fail continually, and I didn't want to give a local techie enable access, so we had a TACACS account that did a show tech-support, wrote the output to the screen, and also copied it to a TFTP server local to each branch. That way they could get the file to me via external email, and I or they could pass it to Cisco TAC via attach@cisco.com or whatever Cisco is using now.
The security risk in all of these examples is minor, since nothing is being configured. Whatever action you choose, the account's privilege level needs to be adjusted to what that task requires, so think about that when you select the autocommand, the user, and the script commands.
I hope you found this tip/trick helpful, and maybe you can hack it up and use it in your setup.
Ken Felix
Freelance Network/Security Guy
kfelix at hyperfeed dot com