This method works whenever anybody makes a configuration change and exits configuration mode.
1st, here's the goal: we want to archive and back up configuration changes to 2 rancid-like NMS hosts.
2nd, we will use scp to protect the backup configuration file in transit and to transfer it to 2 or more backup targets.
3rd, we will also execute, at a pre-arranged time via kron, an automatic configuration backup by pushing the configuration to our two NMS hosts.
4th, restrict the user from actually logging into the NMS host.
All of the above will be done via the following Cisco IOS features: 1: kron scheduler, 2: tclsh and 3: the Cisco EEM (embedded event manager), and on our Linux server we will install rssh.
Here's the topology of our router and 2x NMS hosts & a typical switch/router.
note: The 2 NMS hosts have a pre-defined user (rancid) that's been enabled for "scp" and is not listed in the sudoers file, & we have installed rssh for added security and restrictions.
Okay, let's look at the EEM script that we use for the backup via the kron job.
This was as simple as I can make it:
- trigger on a syslog message
- execute the tclsh script that we copied to the local disk
- optional, I generate my own log messages
# build a unique filename from the device hostname and the current time
# (note: %T expands to HH:MM:SS, so the filename contains colons)
set date [clock format [clock seconds] -format {%Y%m%d%T}]
set hostname [info hostname]
set file "${hostname}.${date}.cfg"
# push the running configuration to both NMS hosts over scp
exec "copy running-config scp://rancid:apassword@10.200.40.67/mycfg/$file"
exec "copy running-config scp://rancid:apassword@10.200.41.67/mycfg/$file"
Okay, what's happening here:
- we define a few variables like time & date and the hostname, plus the target filename
- we use scp to copy the config to the scp server
For the archival, we will dump the config every time an administrator exits config mode. The kron scheduler is quite simple: we create a policy-list and a policy and match the 2 for execution at our selected time.
NOTE: This step is not really required, but it's nice to write out the configurations regardless of whether any write action has taken place for any extended period, imho.
The Cisco archive feature is limited to writing to "ONE" target path. So if you have redundant backup targets, like 2 or more, the Cisco archive is of no use.
Kron execution of the tcl shell ensures you have a backup made regardless of whether EEM is working or not.
One last tidbit: ensure you set the username for EEM applet execution. In this case I have an account on the Cisco routers and switches named "rancid". This user will need the correct privilege level for execution of the EEM CLI actions.
Without defining a user, your EEM applets will fail!
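As an added example (not the configuration from the original post), here is how the two pieces described above fit together on IOS: an EEM applet that fires on the syslog message logged when an administrator leaves configuration mode and runs the tclsh script, plus a kron policy-list and occurrence that run the same script on a schedule. The applet name, the script path flash:cfgbackup.tcl, the 02:00 run time and the %SYS-5-CONFIG_I pattern are assumptions; the session username line is the one given on this page.

```cisco
! Run the EEM CLI actions as the backup account (as on this page)
event manager session cli username rancid
!
! 1) Push the config whenever an admin exits configuration mode.
!    %SYS-5-CONFIG_I is logged on exit from config mode; matching on it
!    rather than on "Building configuration" avoids re-triggering the applet
!    from the output of the copy itself (the loop mentioned later on this page).
!    flash:cfgbackup.tcl is an assumed name for the script copied to local disk.
event manager applet CFG-PUSH-ON-EXIT
 event syslog pattern "%SYS-5-CONFIG_I: Configured from"
 action 1.0 cli command "enable"
 action 2.0 cli command "tclsh flash:cfgbackup.tcl"
 action 3.0 syslog priority informational msg "cfgbackup.tcl pushed running-config to NMS hosts"
!
! 2) Scheduled push via kron, independent of EEM: the policy-list holds the
!    command, the occurrence binds it to a time (02:00 every day is assumed).
kron policy-list CFG-PUSH
 cli tclsh flash:cfgbackup.tcl
!
kron occurrence CFG-PUSH-DAILY at 2:00 recurring
 policy-list CFG-PUSH
```

The two paths are intentionally independent: if the applet is disabled or EEM is unsupported, the kron occurrence still produces a dated copy on both NMS hosts.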
e.g
config t
username rancid privilege 15 secret 123456
event manager session cli username rancid
end
fwiw;
I like my approach over using pure rancid, since rancid is a pull process, whereas this is a "push" operation.
You don't need to manipulate anything or run any cron schedule on a unix/linux host, and all cfgs are sent immediately upon exiting configuration mode.
Also with this approach you don't need to install any rancid program or make modifications when a new host is added to or deleted from the network. You can easily serve the configuration diffs directly via HTTPS and allow access for your users to review and download the configuration files. You could easily write a CGI script that would diff and display the differences between the two latest files.
You can find more information on rancid here; http://en.wikipedia.org/wiki/RANCID
Cisco EEM here; http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-embedded-event-manager-eem/index.html
You can learn more about Cisco tcl via the following;
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ios_tcl/command/ios-tcl-cr-book/ios-tcl-cr-c1.html
BTW:
The following EEM applet was used earlier, but it is more complex and was generating a loop.
( notice we match our EEM trigger action on the syslog message "Building configuration" )
NOTE: You can modify the above EEM applet from a "write" operation to any time an admin enters and/or leaves configuration mode via matching one of these patterns.
e.g
Last note: keep in mind most current IOS software code allows for archival, but not all software releases support kron or the Cisco EEM. ( e.g. Cisco 2960S LAN Base )
=====================================================================
The rssh ( restricted shell ) is easy to set up, btw. Here's a brief summary for a unix host.
1st, install the application and supporting files via APT.
apt-get install rssh
Next, vi /etc/rssh.cfg and uncomment the following line;
allowscp
Next, set up rssh for the user account that will conduct the scp copy. Here's my user account on an Ubuntu server;
And here's what happens when rancid tries to ssh;
You can find information on rssh here; http://linux.die.net/man/1/rssh
Conclusion:
So all the security risks are mitigated and you have restricted the backup account to just scp. With the $t & $h variables, we have a time-stamp and a unique name for the host that pushes the configuration.
EEM is very powerful, and in combination with the archive we can do many things with backing up configurations.
The Cisco archive is limited to one path destination, but EEM gives us the ability to make backups to 2 or more locations.
Almost all Cisco routers/switches support tcl.
Ken Felix
Security and Network Engineer
kfelix ----a---t---socpuppets ---d---o---t---com