Wednesday, January 23, 2013

An idea on backing up Cisco routers (autocmd and tcl)

Here's a trick I would like to pass along. I worked in an environment where directors mandated that only senior engineers had access to the routers and to config mode. This was a struggle, because I didn't want to be sitting on a phone dial-up and VPN session for every little issue that cropped up.

Typically we had onsite technicians at our numerous remote branches who would execute power-downs and relocations in the branch IT room on a monthly, if not weekly, rotation schedule.

To assure them that the devices (branch routers) were backed up, and that no configuration was lost due to a power-down, electrical reroute, rollover to generator, etc., we used a standard backup user account within our domain, with the Cisco autocmd feature, and with TACACS and/or a local user database.

The autocmd used Tcl (aka "tickle" for us Linux geeks) and called the command to be executed as if we were on the CLI doing it ourselves.

In this example, I will show you how a local user named backup did my chores :)

1st, make a user named backup. The name can be whatever you want (neteng, eng, backup, it doesn't matter, but make it something simple):

config t
   username backup priv 15 autocommand tclsh flash:backmeupnow.tcl


Next, create a Tcl (tickle) script to call out whatever you want it to do. In this case we will back up and copy the file to a TFTP server located at

    # Typed at the router's tclsh prompt: generates the script file on flash
    set x [open "flash:backmeupnow.tcl" w+]
    # Each line in the braces is passed through to the IOS exec CLI when run
    set ken {
    write mem
    copy running tftp://
    }
    puts $x $ken
    close $x


Validate the script with dir flash:backmeupnow.tcl, or view its contents with more flash:backmeupnow.tcl.

To test, just telnet or SSH into the router as the autocmd username (backup in my case). This user could also execute the same on the console if you have restricted access with an access-class on your vtys. You can also run the command on the router from the CLI:

i.e. (run from a 7200 CLI at an Equinix facility)

BO17200WEST01BATL#tclsh backmeupnow.tcl
Building configuration...
Address or name of remote host []?
Destination filename [myroutername.config]?
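As an added example (not the script from the post), here is a fuller backmeupnow.tcl that names the off-box copy after the device and a timestamp and answers the copy prompts itself, so the autocmd user's session never sits waiting on input. It assumes IOS tclsh, where exec runs an IOS exec command and returns its output and typeahead pre-fills the answers to the next prompts; the TFTP address 192.0.2.10 is a placeholder.

```tcl
# backmeupnow.tcl (added example; assumes IOS tclsh and its exec/typeahead
# commands). Pairs with: username backup priv 15 autocommand tclsh flash:backmeupnow.tcl
set tftp_host "192.0.2.10"   ;# placeholder, replace with your TFTP server

# Build a per-device, per-run filename so successive backups never
# overwrite each other and a tech can tell which run is which.
set hostline [exec "show running-config | include ^hostname"]
set hostname [lindex [split [string trim $hostline]] 1]
set stamp    [clock format [clock seconds] -format "%Y%m%d-%H%M%S"]
set target   "tftp://$tftp_host/$hostname-$stamp.cfg"

# Save to NVRAM first (survives the power-down), then push a copy off-box.
# Both need privilege 15, which is the only reason the backup user has it;
# nothing here enters configuration mode.
exec "write memory"

# copy still asks "Address or name of remote host" and "Destination filename"
# even with a full URL; feed two newlines to accept the defaults from the URL.
typeahead "\n\n"
set result [exec "copy running-config $target"]

# Leave a one-line record on screen (and in the session log) for the tech.
puts "backup of $hostname written to $target"
puts $result
```

If your image supports it, the global config command file prompt quiet removes those copy prompts entirely and the typeahead line can be dropped.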

A backup script like this can save you from having to be engaged in every power-down event. It can also be used in an emergency, such as when the remote branch office is without internet due to a fiber or carrier outage and you want to power-cycle your gear but are not sure whether the device was backed up. And you can create a SNAFU/SHTF account script for those critical issues that might come up when you're not around or don't have remote access to the device.

Or worse, if you have a major onsite issue (with no remote access), maybe you want to save any changes before you have the local techie pull the power plug, for that just-in-case moment.

I hope you find this trick simple to use. Be creative in your scripting thoughts/ideas, and you can use this for other simple daily chores.


We used to have an automated telnet generator (Linux host) that would rotate through all of our financial sector routers at 23:59 (Sun-Thurs) and clear the interface counters and logs on our gear so we had a fresh start at market open. Since we had 56 routers spread out over 8 data hotels, I'd rather be in bed catching ZZZZzzzzzzzs vs. logging into 56 routers and clearing logs/counters on our interfaces :)

In another case, we had routers that would fail continually, and I didn't want to give a local techie enable access, so we had a TAC account that did a show tech-support, wrote the file to the screen, and also copied it down to a TFTP server local to each branch. In this way they could get the file over to me via external email, and I/they could pass the file to Cisco TAC via whatever Cisco is using now.

The security risk in all of these examples is minor, since nothing is being configured: the scripts only save, copy, and show. Whatever action you script, the user's privilege level has to be adjusted so the script can complete the task at hand (write mem and copy need privilege 15, which is why the backup user above is created with priv 15, and the autocommand runs the script instead of handing that user an interactive prompt). So think about that when you select an autocmd + user + script command combination.

I hope that you found this tip/trick helpful, and maybe you can hack it up and use it in your setup.

Ken Felix
Freelance Network/Security Guy
kfelix at hyperfeed dot com
