We are using an event-handler with on-startup-config write to push the configuration to our langley service which push the config in the central GIT repository.
To execute an bash command in an different vrf context use „ip netns exec ns-<VRF>“ before the command. See the example:
event-handler ARCHIVE_LANGLEY trigger on-startup-config action bash sudo ip netns exec ns-MANAGEMENT curl https://10.1.1.1/langley/put/$(hostname)/1 --upload-file /mnt/flash/startup-config
Von ARISTA wird ein Python Paket bereitgestellt um über die eAPI mit dem Switch arbeiten zu können. Dies ist eine Qickanleitung.
pip install pyeapi
Auf dem Arista Switch muss die API Schnittstelle aktiviert werden.
!
management api http-commands
protocol http
protocol https
no shutdown
!
vrf MANAGEMENT
no shutdown
!
#!/usr/bin/env python3
import pyeapi
import os, ssl
username = "apiuser"
password = "supersecret"
ip = "10.1.1.1"
# redhat ssl verification patch
if (not os.environ.get('PYTHONHTTPSVERIFY', '') and getattr(ssl, '_create_unverified_context', None)):
ssl._create_default_https_context = ssl._create_unverified_context
conn = pyeapi.client.connect(
transport='https',
host=ip,
username=username,
password=password,
port=443,
timeout=60)
node = pyeapi.client.Node(conn)
print(node.running_config)
#!/usr/bin/env python3
import pyeapi
import os, ssl
username = "apiuser"
password = "supersecret"
ip = "10.1.1.1"
# redhat ssl verification patch
if (not os.environ.get('PYTHONHTTPSVERIFY', '') and getattr(ssl, '_create_unverified_context', None)):
ssl._create_default_https_context = ssl._create_unverified_context
conn = pyeapi.client.connect(
transport='https',
host=ip,
username=username,
password=password,
port=443,
timeout=60)
node = pyeapi.client.Node(conn)
result = node.enable(commands=["show running-config"], encoding="text")
print result[0]['result']['output']
This is a basic configuration for DCB and PFC to use with Windows 2016 and „storage spaces direct“ on Dell EMC S4xxx switches. CoS class is set to 4.
conf t int vlan 30 description S2D ip address 10.10.10.10 255.255.255.0 mtu 9216 no shut exit dcbx enable policy-map type qos TRUSTMAP class class-trust trust dot1p exit exit class-map type network-qos PFCMAP match qos-group 4 exit policy-map type network-qos QOSMAP class PFCMAP pause buffer-size 100 pause-threshold 50 resume-threshold 10 pfc-cos 4 exit exit system qos service-policy input type qos TRUSTMAP exit interface range ethernet 1/1/1-1/1/12 no flowcontrol receive no flowcontrol transmit switchport mode trunk switchport trunk allowed vlan 30 service-policy input type network-qos QOSMAP mtu 9216 priority-flow-control mode on exit exit
Config on Windows:
# Clear previous configuration Get-NetQosTrafficClass | Remove-NetQosTrafficClass Get-NetQosPolicy | Remove-NetQosPolicy # Disable the DCBx setting Set-NetQosDcbxSetting -Willing $false -Confirm $true # create Qos policies and tag each type of traffic with the relevant priority # SMB PFC priority = 4 New-NetQosPolicy 'SMB' -NetDirectPortMatchCondition 445 -PriorityValue8021Action 4 # Set VLAN ID for SMB-NICs Get-NetAdapter | ? Name -like '*SMB*' | Set-NetAdapterAdvancedProperty -RegistryKeyword 'VlanID' -RegistryValue 30 -Verbose Get-NetAdapter | ? Name -like '*SMB*' | Get-NetAdapterAdvancedProperty -RegistryKeyword 'VlanID' # Enable Priotity Flow Control (PFC) on a specific priority (5). Disable for others.... Enable-NetQosFlowControl -Priority 4 Disable-NetQosFlowControl 0,1,2,3,5,6,7 # Enable QoS on SMB-NICs Get-NetAdapter | ? Name -like '*SMB*'| Enable-NetAdapterQos
This tool exports every hardware asset from an Cisco device with a serial number. You can export the list as table or CSV.
Download: https://gist.github.com/lanbugs/4dbed5e0e8a7d5b6d29c4ea9b9e93bb2
>python cisco_inventory.py -h
usage: cisco_inventory.py [-h] -H HOST -v SNMP_VERSION [-C SNMP_COMMUNITY]
[-u SNMP_USER] [-A SNMP_AUTH] [-a SNMP_AUTH_METHOD]
[-X SNMP_PRIVACY] [-x SNMP_PRIVACY_METHOD]
[-L SNMP_SECURITY] [--csv]
Cisco inventory grabber Version 0.1 Written by Maximilian Thoma 2018
optional arguments:
-h, --help show this help message and exit
-H HOST WLC IP address
-v SNMP_VERSION SNMP version, valid are 2 or 3
-C SNMP_COMMUNITY SNMP Community (only v2)
-u SNMP_USER SNMP user (v3)
-A SNMP_AUTH SNMP auth password (v3)
-a SNMP_AUTH_METHOD SNMP auth method, valid are MD5 or SHA (v3)
-X SNMP_PRIVACY SNMP privacy password (v3)
-x SNMP_PRIVACY_METHOD
SNMP privacy method, valid are AES or DES (v3)
-L SNMP_SECURITY SNMP security level, valid are no_auth_or_privacy,
auth_without_privacy or auth_with_privacy (v3)
--csv Result should be CSV
Demo;
>python cisco_inventory.py -H 10.10.10.33 -v 3 -u snmpuser -A snmpauth -a MD5 -X snmpencr -x DES -L auth_with_privacy | Description | Class | Name | HWRev | FWRev | SWRev | Serial | Manufactor | Model | FRU? | |--------------------------------------------------------+-------------+----------------------------------------+---------+-------------+------------+------------------+---------------------+----------------+--------| | 1000BaseSX | - | GigabitEthernet1/4/12 | V01 | | | FNS11111111 | CISCO | GLC-SX-MMD | true | | 1000BaseSX | - | GigabitEthernet1/4/11 | V01 | | | FNS11111111 | CISCO | GLC-SX-MMD | true | | 1000BaseSX | - | GigabitEthernet1/4/10 | V01 | | | FNS11111111 | CISCO | GLC-SX-MMD | true | | 1000BaseSX | - | GigabitEthernet1/4/11 | V01 | | | FNS11111111 | CISCO | GLC-SX-MMD | true | | 1000BaseSX | - | GigabitEthernet1/3/8 | V01 | | | FNS11111111 | CISCO | GLC-SX-MMD | true | | 1000BaseSX | - | GigabitEthernet1/3/9 | V01 | | | FNS11111111 | CISCO | GLC-SX-MMD | true | | 1000BaseSX | - | GigabitEthernet1/3/6 | V01 | | | FNS11111111 | CISCO | GLC-SX-MMD | true | | 1000BaseSX | - | GigabitEthernet1/3/7 | V01 | | | FNS11111111 | CISCO | GLC-SX-MMD | true | | 1000BaseSX | - | GigabitEthernet2/3/10 | V01 | | | FNS11111111 | CISCO | GLC-SX-MMD | true | | 1000BaseX (SFP) with 12 SFP Ports Jumbo Frame Support | module | Switch1 Linecard 4 (virtual slot 4) | V02 | | | FNS11111111 | Cisco | WS-X4612-SFP-E | true | | 1000BaseX (SFP) with 12 SFP Ports Jumbo Frame Support | module | Switch1 Linecard 3 (virtual slot 3) | V02 | | | FNS11111111 | Cisco | WS-X4612-SFP-E | true | | Cisco Systems, Inc. WS-C4506-E 6 slot switch | chassis | Switch1 System | V03 | | | FNS11111111 | Cisco | WS-C4506-E | false | | FanTray | fan | Switch2 FanTray 1 | V04 | | | FNS11111111 | Cisco | WS-X4596-E | true | | Power Supply ( AC 1400W ) | powerSupply | Switch2 Power Supply 1 | V04 | | | FNS11111111 | Cisco Systems, Inc. | PWR-C45-1400AC | true | | Power Supply ( AC 1400W ) | powerSupply | Switch2 Power Supply 2 | V04 | | | FNS11111111 | Cisco Systems, Inc. | PWR-C45-1400AC | true | | SFP-10Gbase-SR | - | TenGigabitEthernet1/1/1 | V03 | | | FNS11111111 | CISCO-FINISAR | SFP-10G-SR | true | | SFP-10Gbase-SR | - | TenGigabitEthernet1/1/2 | V03 | | | FNS11111111 | CISCO-FINISAR | SFP-10G-SR | true | | Sup 7L-E 10GE (SFP+), 1000BaseX (SFP) with 4 SFP Ports | module | Switch1 Supervisor 1 (virtual slot 1) | V01 | 15.0(1r)SG3 | 03.06.03.E | FNS11111111 | Cisco | WS-X45-SUP7L-E | true |
Script:
#!/usr/bin/env python
# Need following pip packages
# - easysnmp
# - tabulate
# Checkout blog article to tool
# https://lanbugs.de/netzwerktechnik/hersteller/cisco/commandline-tool-for-exporting-cisco-hardware-inventory-via-snmp/
from easysnmp import Session
import argparse
from tabulate import tabulate
from operator import itemgetter
from pprint import pprint
def main():
####
# ARGS
####
description = """
Cisco inventory grabber\nVersion 0.1\nWritten by Maximilian Thoma 2018
"""
aparser = argparse.ArgumentParser(description=description)
aparser.add_argument('-H', dest='host', help='WLC IP address', required=True)
aparser.add_argument('-v', dest='snmp_version', help='SNMP version, valid are 2 or 3', required=True)
aparser.add_argument('-C', dest='snmp_community', help='SNMP Community (only v2)')
aparser.add_argument('-u', dest='snmp_user', help='SNMP user (v3)')
aparser.add_argument('-A', dest='snmp_auth', help='SNMP auth password (v3)')
aparser.add_argument('-a', dest='snmp_auth_method', help='SNMP auth method, valid are MD5 or SHA (v3)')
aparser.add_argument('-X', dest='snmp_privacy', help='SNMP privacy password (v3)')
aparser.add_argument('-x', dest='snmp_privacy_method', help='SNMP privacy method, valid are AES or DES (v3)')
aparser.add_argument('-L', dest='snmp_security',
help='SNMP security level, valid are no_auth_or_privacy, auth_without_privacy or auth_with_privacy (v3)')
aparser.add_argument('--csv', dest='csv', help='Result should be CSV', action='store_true')
args = aparser.parse_args()
####
# Setup SNMP connection
####
if args.snmp_version == "2":
try:
snmp = Session(hostname=args.host, version=2, use_numeric=True)
except Exception as e:
print e
if args.snmp_version == "3":
try:
snmp = Session(
hostname=args.host,
version=3,
security_level=args.snmp_security,
security_username=args.snmp_user,
auth_protocol=args.snmp_auth_method,
auth_password=args.snmp_auth,
privacy_protocol=args.snmp_privacy_method,
privacy_password=args.snmp_privacy,
use_numeric=True
)
except Exception as e:
print e
####
# Init Data Buffer
####
inventory = {}
inv_print = []
####
# SNMP Walk inventory
####
port = {
0: "-",
1: "other",
2: "unknown",
3: "chassis",
4: "backplane",
5: "container",
6: "powerSupply",
7: "fan",
8: "sensor",
9: "module",
10: "port",
11: "stack",
12: "cpu"
}
## Get inventory
result_ids = snmp.walk(".1.3.6.1.2.1.47.1.1.1.1")
def stripper(string):
if "NoneType" not in str(type(string)):
return string.strip()
else:
return string
for r in result_ids:
if r.oid_index in inventory:
element_id = r.oid.replace(".1.3.6.1.2.1.47.1.1.1.1.","")
if element_id == "16": # fru
fru = "true" if "1" in r.value else "false"
inventory[r.oid_index][element_id] = fru
elif element_id == "5": # class
classx = port[int(r.value)] if len(r.value) is 1 else port[0]
inventory[r.oid_index][element_id] = classx
else: # everything else
inventory[r.oid_index][element_id] = r.value
else:
element_id = r.oid.replace(".1.3.6.1.2.1.47.1.1.1.1.","")
inventory[r.oid_index] = {}
inventory[r.oid_index][element_id] = r.value
for elements, values in inventory.iteritems():
if len(values['11']) >= 1:
#print elements
#2 entPhysicalDescr
#3 entPhysicalVendorType
#4 entPhysicalContainedIn
#5 entPhysicalClass
#6 entPhysicalParentRelPos
#7 entPhysicalName
#8 entPhysicalHardwareRev
#9 entPhysicalFirmwareRev
#10 entPhysicalSoftwareRev
#11 entPhysicalSerialNum
#12 entPhysicalMfgName
#13 entPhysicalModelName
#14 entPhysicalAlias
#15 entPhysicalAssetID
#16 entPhysicalIsFRU
inv_print.append([stripper(values.get('2')),
stripper(values.get('5')),
stripper(values.get('7')),
stripper(values.get('8')),
stripper(values.get('9')),
stripper(values.get('10')),
stripper(values.get('11')),
stripper(values.get('12')),
stripper(values.get('13')),
stripper(values.get('16'))])
####
# Sort table
####
inv = sorted(inv_print, key=itemgetter(0))
####
# Result
####
if args.csv is True:
print 'Description;Class;Name;HWRev;FWRev;SWRev;Serial;Manufactor;Model;FRU?'
for line in inv:
print ';'.join(str(l) for l in line)
else:
print tabulate(inv, headers=['Description', 'Class', 'Name', 'HWRev', 'FWRev', 'SWRev', 'Serial', 'Manufactor', 'Model', 'FRU?'], tablefmt="orgtbl")
if __name__ == "__main__":
main()
This tool exports all current clients on all APs assigned to the WLC. You can export as CSV or as table.
Download: https://gist.github.com/lanbugs/6dc874ad0736424c5c7808f01ec78f96
$ python cisco_ap_clients_grabber.py -h
usage: cisco_ap_clients_grabber.py [-h] -H HOST -v SNMP_VERSION
[-C SNMP_COMMUNITY] [-u SNMP_USER]
[-A SNMP_AUTH] [-a SNMP_AUTH_METHOD]
[-X SNMP_PRIVACY] [-x SNMP_PRIVACY_METHOD]
[-L SNMP_SECURITY] [--csv]
Cisco AP clients grabber Version 0.1 Written by Maximilian Thoma 2017
optional arguments:
-h, --help show this help message and exit
-H HOST WLC IP address
-v SNMP_VERSION SNMP version, valid are 2 or 3
-C SNMP_COMMUNITY SNMP Community (only v2)
-u SNMP_USER SNMP user (v3)
-A SNMP_AUTH SNMP auth password (v3)
-a SNMP_AUTH_METHOD SNMP auth method, valid are MD5 or SHA (v3)
-X SNMP_PRIVACY SNMP privacy password (v3)
-x SNMP_PRIVACY_METHOD
SNMP privacy method, valid are AES or DES (v3)
-L SNMP_SECURITY SNMP security level, valid are no_auth_or_privacy,
auth_without_privacy or auth_with_privacy (v3)
--csv Result should be CSV
Demo:
>python cisco_ap_clients_grabber.py -H 1.1.1.1 -v 3 -u username -A authpass -a MD5 -X privpass -x DES -L auth_with_privacy | IP | MAC | Name | SSID | SSID MAC | |---------------+-------------------+------------------------------------+--------------+-------------------| | 10.10.10.1 | C0:FF:EE:C0:FF:EE | host/client0001.m.local | workstations | DE:AD:BE:EF:00:00 | | 10.10.10.2 | C0:FF:EE:C0:FF:EE | host/client0002.m.local | workstations | DE:AD:BE:EF:00:00 | | 10.10.10.3 | C0:FF:EE:C0:FF:EE | host/client0003.m.local | workstations | DE:AD:BE:EF:00:00 | | 10.10.10.4 | C0:FF:EE:C0:FF:EE | host/client0004.m.local | workstations | DE:AD:BE:EF:00:00 | | 10.10.10.5 | C0:FF:EE:C0:FF:EE | host/client0005.m.local | workstations | DE:AD:BE:EF:00:00 | | 10.10.45.200 | C0:FF:EE:C0:FF:EE | | guests | DE:AD:BE:EF:00:00 | | 10.10.45.201 | C0:FF:EE:C0:FF:EE | | guests | DE:AD:BE:EF:00:00 | | 10.10.45.202 | C0:FF:EE:C0:FF:EE | | guests | DE:AD:BE:EF:00:00 | | 10.10.45.203 | C0:FF:EE:C0:FF:EE | | guests | DE:AD:BE:EF:00:00 | | 10.10.45.204 | C0:FF:EE:C0:FF:EE | | guests | DE:AD:BE:EF:00:00 | | 10.10.45.205 | C0:FF:EE:C0:FF:EE | | guests | DE:AD:BE:EF:00:00 | | 10.10.45.206 | C0:FF:EE:C0:FF:EE | | guests | DE:AD:BE:EF:00:00 |
Script:
#!/usr/bin/env python
# Need following pip packages
# - easysnmp
# - tabulate
# Checkout blog article to tool
# https://lanbugs.de/netzwerktechnik/commandline-tool-to-export-current-registered-users-at-aps-from-an-cisco-wireless-lan-controller-wlc/
from easysnmp import Session
import argparse
from tabulate import tabulate
from operator import itemgetter
def main():
####
# ARGS
####
description = """
Cisco AP clients grabber\nVersion 0.1\nWritten by Maximilian Thoma 2018
"""
aparser = argparse.ArgumentParser(description=description)
aparser.add_argument('-H', dest='host', help='WLC IP address', required=True)
aparser.add_argument('-v', dest='snmp_version', help='SNMP version, valid are 2 or 3', required=True)
aparser.add_argument('-C', dest='snmp_community', help='SNMP Community (only v2)')
aparser.add_argument('-u', dest='snmp_user', help='SNMP user (v3)')
aparser.add_argument('-A', dest='snmp_auth', help='SNMP auth password (v3)')
aparser.add_argument('-a', dest='snmp_auth_method', help='SNMP auth method, valid are MD5 or SHA (v3)')
aparser.add_argument('-X', dest='snmp_privacy', help='SNMP privacy password (v3)')
aparser.add_argument('-x', dest='snmp_privacy_method', help='SNMP privacy method, valid are AES or DES (v3)')
aparser.add_argument('-L', dest='snmp_security',
help='SNMP security level, valid are no_auth_or_privacy, auth_without_privacy or auth_with_privacy (v3)')
aparser.add_argument('--csv', dest='csv', help='Result should be CSV', action='store_true')
args = aparser.parse_args()
####
# Setup SNMP connection
####
if args.snmp_version == "2":
try:
snmp = Session(hostname=args.host, version=2, use_numeric=True)
except Exception as e:
print e
if args.snmp_version == "3":
try:
snmp = Session(
hostname=args.host,
version=3,
security_level=args.snmp_security,
security_username=args.snmp_user,
auth_protocol=args.snmp_auth_method,
auth_password=args.snmp_auth,
privacy_protocol=args.snmp_privacy_method,
privacy_password=args.snmp_privacy,
use_numeric=True
)
except Exception as e:
print e
####
# Init Data Buffer
####
inventory = []
longids = []
####
# SNMP Walk Clients inventory
####
## Get longids for clients
result_longids = snmp.walk(".1.3.6.1.4.1.14179.2.1.4.1.1")
for rl in result_longids:
longids.append(rl.oid.replace(".1.3.6.1.4.1.14179.2.1.4.1.1.", "") + "." + rl.oid_index)
## Collect informations
for id in longids:
# Client MAC
result_mac = snmp.get(".1.3.6.1.4.1.14179.2.1.4.1.1." + id)
mac = ":".join(["%02s" % hex(ord(m))[2:] for m in result_mac.value]).replace(' ', '0').upper()
# Client Name
name = snmp.get(".1.3.6.1.4.1.14179.2.1.4.1.3." + id).value
# Client IP
ip = snmp.get(".1.3.6.1.4.1.14179.2.1.4.1.2." + id).value
# SSID
ssid = snmp.get(".1.3.6.1.4.1.14179.2.1.4.1.7." + id).value
# SSID MAC
result_ssid_mac = snmp.get(".1.3.6.1.4.1.14179.2.1.4.1.4." + id)
ssid_mac = ":".join(["%02s" % hex(ord(m))[2:] for m in result_ssid_mac.value]).replace(' ', '0').upper()
inventory.append([ip, mac, name, ssid, ssid_mac])
###
# Sort table
####
inv = sorted(inventory, key=itemgetter(0))
####
# Result
####
if args.csv is True:
print 'IP;MAC;Name;SSID;SSID MAC'
for ip, mac, name, ssid, ssid_mac in inv:
print '%s;%s;%s;%s;%s' % (ip, mac, name, ssid, ssid_mac)
else:
print tabulate(inv, headers=["IP", "MAC", "Name", "SSID", "SSID MAC"], tablefmt="orgtbl")
if __name__ == "__main__":
main()
This tool exports the complete AP inventory from an Cisco WLC. You can create an CSV export or an table.
Download: https://gist.github.com/lanbugs/e86042c0b2afaf7166637a9aa9711cb6
$ python cisco_wlc_ap_grabber.py -h
usage: cisco_wlc_ap_grabber.py [-h] -H HOST -v SNMP_VERSION
[-C SNMP_COMMUNITY] [-u SNMP_USER]
[-A SNMP_AUTH] [-a SNMP_AUTH_METHOD]
[-X SNMP_PRIVACY] [-x SNMP_PRIVACY_METHOD]
[-L SNMP_SECURITY] [--csv]
Cisco AP WLC inventory grabber Version 0.1 Written by Maximilian Thoma 2017
optional arguments:
-h, --help show this help message and exit
-H HOST WLC IP address
-v SNMP_VERSION SNMP version, valid are 2 or 3
-C SNMP_COMMUNITY SNMP Community (only v2)
-u SNMP_USER SNMP user (v3)
-A SNMP_AUTH SNMP auth password (v3)
-a SNMP_AUTH_METHOD SNMP auth method, valid are MD5 or SHA (v3)
-X SNMP_PRIVACY SNMP privacy password (v3)
-x SNMP_PRIVACY_METHOD
SNMP privacy method, valid are AES or DES (v3)
-L SNMP_SECURITY SNMP security level, valid are no_auth_or_privacy,
auth_without_privacy or auth_with_privacy (v3)
--csv Result should be CSV
Demo result:
>python cisco_wlc_ap_grabber.py -H 1.1.1.1 -v 3 -u username -A authpass -a MD5 -X privpass -x DES -L auth_with_privacy | Name | IP | MAC | Model | Serialnumber | |-------------+---------------+-------------------+-------------------+----------------| | dexxx-acp01 | 10.10.100.1 | 64:F6:9D:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp02 | 10.11.100.2 | 58:97:1E:C0:FF:EE | AIR-LAP1142N-E-K9 | FCZ11111111 | | dexxx-acp03 | 10.11.100.3 | 34:DB:FD:C0:FF:EE | AIR-CAP1602I-E-K9 | FGL11111111 | | dexxx-acp04 | 10.11.100.4 | 58:97:1E:C0:FF:EE | AIR-LAP1142N-E-K9 | FCZ11111111 | | dexxx-acp05 | 10.11.100.5 | 64:F6:9D:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp06 | 10.11.100.6 | 40:F4:EC:C0:FF:EE | AIR-LAP1142N-E-K9 | FCZ11111111 | | dexxx-acp07 | 10.11.100.7 | 0C:27:24:C0:FF:EE | AIR-CAP1602I-E-K9 | FGL11111111 | | dexxx-acp08 | 10.11.100.8 | 00:78:88:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp09 | 10.11.100.9 | 40:F4:EC:C0:FF:EE | AIR-LAP1142N-E-K9 | FCZ11111111 | | dexxx-acp10 | 10.11.100.10 | 44:AD:D9:C0:FF:EE | AIR-CAP1602I-E-K9 | FGL11111111 | | dexxx-acp11 | 10.11.100.11 | 50:0F:80:C0:FF:EE | AIR-AP2802I-E-K9 | FDW11111111 | | dexxx-acp12 | 10.11.100.12 | 74:A0:2F:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp13 | 10.11.100.13 | 0C:85:25:C0:FF:EE | AIR-LAP1142N-E-K9 | FCZ11111111 | | dexxx-acp14 | 10.11.100.14 | 74:A0:2F:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp15 | 10.11.100.15 | 64:F6:9D:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp16 | 10.11.100.16 | C0:62:6B:C0:FF:EE | AIR-LAP1142N-E-K9 | FCZ11111111 | | dexxx-acp17 | 10.11.100.17 | 0C:27:24:C0:FF:EE | AIR-CAP1602I-E-K9 | FGL11111111 | | dexxx-acp18 | 10.11.100.18 | CC:16:7E:C0:FF:EE | AIR-CAP1702I-E-K9 | FCW11111111 | | dexxx-acp19 | 10.11.100.19 | 64:F6:9D:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp20 | 10.11.100.20 | 64:F6:9D:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp21 | 10.11.100.21 | 64:F6:9D:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp22 | 10.11.100.22 | E4:AA:5D:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp23 | 10.11.100.23 | F4:CF:E2:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp24 | 10.11.100.24 | 00:FE:C8:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp25 | 10.11.100.25 | F4:CF:E2:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp26 | 10.11.100.26 | 00:FE:C8:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp27 | 10.11.100.27 | 64:F6:9D:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp28 | 10.11.100.28 | 64:F6:9D:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 | | dexxx-acp29 | 10.11.100.29 | 64:F6:9D:C0:FF:EE | AIR-CAP1702I-E-K9 | FCZ11111111 |
Script:
#!/usr/bin/env python
# Need following pip packages
# - easysnmp
# - tabulate
# Checkout blog article to tool
# https://lanbugs.de/netzwerktechnik/hersteller/cisco/cli-tool-export-ap-inventory-from-an-cisco-wireless-lan-controller-wlc/
from easysnmp import Session
import argparse
from tabulate import tabulate
from operator import itemgetter
def main():
####
# ARGS
####
description = """
Cisco AP WLC inventory grabber\nVersion 0.1\nWritten by Maximilian Thoma 2017
"""
aparser = argparse.ArgumentParser(description=description)
aparser.add_argument('-H', dest='host', help='WLC IP address', required=True)
aparser.add_argument('-v', dest='snmp_version', help='SNMP version, valid are 2 or 3', required=True)
aparser.add_argument('-C', dest='snmp_community', help='SNMP Community (only v2)')
aparser.add_argument('-u', dest='snmp_user', help='SNMP user (v3)')
aparser.add_argument('-A', dest='snmp_auth', help='SNMP auth password (v3)')
aparser.add_argument('-a', dest='snmp_auth_method', help='SNMP auth method, valid are MD5 or SHA (v3)')
aparser.add_argument('-X', dest='snmp_privacy', help='SNMP privacy password (v3)')
aparser.add_argument('-x', dest='snmp_privacy_method', help='SNMP privacy method, valid are AES or DES (v3)')
aparser.add_argument('-L', dest='snmp_security',
help='SNMP security level, valid are no_auth_or_privacy, auth_without_privacy or auth_with_privacy (v3)')
aparser.add_argument('--csv', dest='csv', help='Result should be CSV', action='store_true')
args = aparser.parse_args()
####
# Setup SNMP connection
####
if args.snmp_version == "2":
try:
snmp = Session(hostname=args.host, version=2, use_numeric=True)
except Exception as e:
print e
if args.snmp_version == "3":
try:
snmp = Session(
hostname=args.host,
version=3,
security_level=args.snmp_security,
security_username=args.snmp_user,
auth_protocol=args.snmp_auth_method,
auth_password=args.snmp_auth,
privacy_protocol=args.snmp_privacy_method,
privacy_password=args.snmp_privacy,
use_numeric=True
)
except Exception as e:
print e
####
# Init Data Buffer
####
inventory = []
longids = []
####
# SNMP Walk AP Inventory
####
## Get longids for APs
result_longids = snmp.walk(".1.3.6.1.4.1.14179.2.2.1.1.1")
for rl in result_longids:
longids.append(rl.oid.replace(".1.3.6.1.4.1.14179.2.2.1.1.1.", "") + "." + rl.oid_index)
## Collect informations
for id in longids:
# MAC
result_mac = snmp.get(".1.3.6.1.4.1.14179.2.2.1.1.1." + id)
mac = ":".join(["%02s" % hex(ord(m))[2:] for m in result_mac.value]).replace(' ', '0').upper()
# Name
name = snmp.get(".1.3.6.1.4.1.14179.2.2.1.1.3." + id).value
# IP
ip = snmp.get(".1.3.6.1.4.1.14179.2.2.1.1.19." + id).value
# SN
sn = snmp.get(".1.3.6.1.4.1.14179.2.2.1.1.17." + id).value
# Model
model = snmp.get(".1.3.6.1.4.1.14179.2.2.1.1.16." + id).value
inventory.append([name, ip, mac, model, sn])
###
# Sort table
####
inv = sorted(inventory, key=itemgetter(0))
####
# Result
####
if args.csv is True:
print 'Name;IP;MAC;Model;Serialnumber'
for name, ip, mac, model, sn in inv:
print '%s;%s;%s;%s;%s' % (name, ip, mac, model, sn)
else:
print tabulate(inv, headers=["Name", "IP", "MAC", "Model", "Serialnumber"], tablefmt="orgtbl")
if __name__ == "__main__":
main()
Diverse Cisco Geräte können bei einem write Event die Konfiguration an einen anderen Server z.B. über HTTP pushen.
Cisco Config:
archive path http://1.2.3.4/cisco_config/put/$h-$t write-memory
Apache /etc/httpd/conf.d/zzz_cisco_backup.conf:
WSGIDaemonProcess cisco_backup user=apache group=apache threads=10
WSGIPythonPath /opt/cisco_backup/web_root
WSGIScriptAlias /cisco_backup /opt/cisco_backup/web_root/cisco_backup.wsgi
<Directory /opt/cisco_backup/web_root>
WSGIProcessGroup cisco_backup
WSGIApplicationGroup %{GLOBAL}
WSGIScriptReloading On
Order deny,allow
Allow from all
<Files cisco_backup.py>
Require all granted
</Files>
<Files cisco_backup.wsgi>
Require all granted
</Files>
</Directory>
cisco_backup.wsgi File:
import sys
sys.path.append("/opt/cisco_backup/web_root")
from cisco_backup import app as application
cisco_backup.py File:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from flask import Flask
from flask import request
app = Flask(__name__)
@app.route("/put/<cfg>", methods=['PUT'])
def get_config(cfg):
with open('/opt/cisco_config/incoming_configs/%s' % cfg, "wb") as f:
f.write(request.data)
return "ok"
if __name__ == "__main__":
app.run()
Viel Spaß 😉
Mit dem Snippet können Kommandos auf einer Cisco Shell via SSH ausgeführt werden.
#!/usr/bin/env python
import paramiko
import sys
def send_string_and_wait_for_string(command, wait_string, should_print):
shell.send(command)
receive_buffer = ""
while not wait_string in receive_buffer:
receive_buffer += shell.recv(1024)
if should_print:
print receive_buffer
return receive_buffer
client = paramiko.SSHClient()
client.load_system_host_keys()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect("10.62.62.10", username="testuser", password="testpasswd", look_for_keys=False, allow_agent=False)
shell = client.invoke_shell()
send_string_and_wait_for_string("", "#", False)
send_string_and_wait_for_string("terminal length 0\n", "#", False)
output=send_string_and_wait_for_string("show logging\n", "#", False)
print output
client.close()
Mehr Infos / Quelle: http://blog.timmattison.com/archives/2014/06/25/automating-cisco-switch-interactions/
Das Script Snippet dient dazu in den Backupfoldern z.B. vom 20.09.2016 nach Interfaces mit einer bestimmten Description und einem gesetzten Parameter z.B. service-policy zu suchen und automatisch Konfiguration zu erzeugen die diese Config entfernt.
Configbeispiel Cisco Config (swt70/20.09.2016/swt70-config.txt):
interface GigabitEthernet1/0/47 description acp10 switchport access vlan 17 switchport mode access switchport nonegotiate spanning-tree guard loop service-policy input ACCESSPOINT ! interface GigabitEthernet1/0/48 description acp43 switchport access vlan 17 switchport mode access switchport nonegotiate spanning-tree guard loop service-policy input ACCESSPOINT !
#!/usr/bin/python
import os
from ciscoconfparse import CiscoConfParse
import re
buffer = []
buffer_f = []
# Folderstruktur: <switchname>/<backup_datum>/config.txt
for dir in os.listdir("."):
buffer.append("./"+dir+"/20.09.2016/")
# Files zusammensammeln
for x in buffer:
try:
for f in os.listdir(x):
buffer_f.append(x+f)
except:
pass
# Alle files abarbeiten
for f in buffer_f:
# Parser laden
parse = CiscoConfParse(f)
# Interfaces finden in config
all_intfs = parse.find_objects(r"^interf")
intfs = list()
fault_intfs = list()
# in den interfaces nach description .+acp.+ suchen
for obj in all_intfs:
if obj.re_search_children(r"description.+acp.+|description.+ACP.+"):
intfs.append(obj)
# fuer alle Suchergebnisse description .+acp.+ suche nach service-policy
for i in intfs:
if i.re_search_children(r"service-policy.+"):
sp = i.re_search_children(r"service-policy.+")
fault_intfs.append((i, sp[0].text) )
# wenn eine zeile im fault buffer ist
if len(fault_intfs) > 0:
# switchnamen aus dateinamen extrahieren
n = re.search(r"^.+(swt[0-9][0-9]).+|^.+(SWT[0-9][0-9]).+",f)
if n.group(1) is None:
print n.group(2)
else:
print n.group(1)
# no statements erzeugen
for i, no_cmd in fault_intfs:
print "!"
print i.text
print "no "+no_cmd
print "! ---"
else:
pass
Das Script erzeugt folgenden Output:
swt70 ! interface GigabitEthernet1/0/47 no service-policy input ACCESSPOINT ! interface GigabitEthernet1/0/48 no service-policy input ACCESSPOINT ! ---
Das Syslog auf der Cisco ASA ist sehr geschwätzig und viele Nachrichten sind für das nachvollziehen von Verbindungen nicht notwendig.
Cisco Syslog Messages ASA: http://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html
Folgende Syslog Typen lassen sich problemlos deaktivieren:
| no logging message 302012 | Error Message %ASA-6-302012: Pre-allocate H225 Call Signalling Connection for faddr IP_address /port to laddr IP_address |
| no logging message 302013 | Error Message%ASA-6-302013: Built {inbound|outbound} TCP connection_id for interface :real-address /real-port (mapped-address/mapped-port ) [(idfw_user )] to interface :real-address /real-port (mapped-address/mapped-port ) [(idfw_user )] [(user )] |
| no logging message 302014 | Error Message %ASA-6-302014: Teardown TCP connection id for interface :real-address /real-port [(idfw_user )] to interface :real-address /real-port [(idfw_user )] duration hh:mm:ss bytes bytes [reason ] [(user )] |
| no logging message 302015 | Error Message %ASA-6-302015: Built {inbound|outbound} UDP connection number for interface_name :real_address /real_port (mapped_address /mapped_port ) [(idfw_user )] to interface_name :real_address /real_port (mapped_address /mapped_port )[(idfw_user )] [(user )] |
| no logging message 302016 | Error Message %ASA-6-302016: Teardown UDP connection number for interface :real-address /real-port [(idfw_user )] to interface :real-address /real-port [(idfw_user )] duration hh :mm :ss bytes bytes [(user )] |
| no logging message 302020 | Error Message %ASA-6-302020: Built {in | out} bound ICMP connection for faddr {faddr | icmp_seq_num } [(idfw_user )] gaddr {gaddr | cmp_type } laddr laddr [(idfw_user )] type {type } code {code } |
| no logging message 302021 | Error Message %ASA-6-302021: Teardown ICMP connection for faddr {faddr | icmp_seq_num } [(idfw_user )] gaddr {gaddr | cmp_type } laddr laddr [(idfw_user )] (981) type {type } code {code } |
| no logging message 305011 | Error Message %ASA-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name :real_address/real_port [(idfw_user )] to interface_name :mapped_address/mapped_port |
| no logging message 305012 | Error Message %ASA-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [(acl-name )]:real_address /{real_port |real_ICMP_ID } [(idfw_user )] to interface_name :mapped_address /{mapped_port |mapped_ICMP_ID } duration time |
| Optional: | |
| no logging message 302017 | Error Message %ASA-6-302017: Built {inbound|outbound} GRE connection id from interface :real_address (translated_address ) [(idfw_user )] to interface :real_address /real_cid (translated_address /translated_cid ) [(idfw_user )] [(user ) |
| no logging message 302018 | Error Message %ASA-6-302018: Teardown GRE connection id from interface :real_address (translated_address ) [(idfw_user )] to interface :real_address /real_cid (translated_address /translated_cid ) [(idfw_user )] duration hh :mm :ss bytes bytes [(user )] |
Config:
no logging message 302012 no logging message 302013 no logging message 302014 no logging message 302015 no logging message 302016 no logging message 302020 no logging message 302021 no logging message 305011 no logging message 305012 ! Optional no logging message 302017 no logging message 302018
Kürzlich wurde ich von einem Kunden mit einem Problem konfrontiert das im Enterasys NetSight im Traplog immer wieder „Incorrect Community Name“ auftaucht. SNMP war im NetSight korrekt konfiguriert. Der Kunde wollte wissen wer versucht auf dem Switch zuzugreifen per SNMP. In der Trap Meldung wird diese Information leider nicht mitgesendet. Die bekannten Debug Befehle die man von Cisco kennt gibt es nicht aber man kann den Enterasysgeräten auch einige Informationen entlocken wenn man weiß wo man suchen muss.
Man kann bei Enterasys das Loggingverhalten für verschiedene Systemdienste anpassen um mehr Informationen zu bekommen.
Mit dem Kommando „show logging application“ oder kurz „sh logg app“ angezeigt werden.
Hier eine Liste von den verschiedenen Switch Serien und Applications wo man das Logging ändern kann:
Enterasys B3 Serie:
Application Current Severity Level --------------------------------------------- 89 CLIWEB 6 90 SNMP 7 91 STP 6 92 Driver 6 93 System 7 94 Stacking 6 112 UPN 6 118 Router 6 1(emergencies) 2(alerts) 3(critical) 4(errors) 5(warnings) 6(notifications) 7(information) 8(debugging)
Enterasys C2 Serie:
Application Current Severity Level --------------------------------------------- 89 CLIWEB 6 90 SNMP 6 91 STP 6 92 Driver 6 93 System 6 94 Stacking 6 95 RtrOspf 6 96 RtrMcast 6 97 RtrVrrp 6 112 UPN 6 118 Router 6 1(emergencies) 2(alerts) 3(critical) 4(errors) 5(warnings) 6(notifications) 7(information) 8(debugging)
Enterasys N Serie:
Application Current Severity Level Server List ---------------------------------------------------------- 88 RtrAcl 6 1-8,console,file 89 CLI 6 1-8,console,file 90 SNMP 6 1-8,console,file 91 Webview 6 1-8,console,file 93 System 6 1-8,console,file 95 RtrFe 6 1-8,console,file 96 Trace 6 1-8,console,file 105 RtrLSNat 6 1-8,console,file 111 FlowLimt 6 1-8,console,file 112 UPN 6 1-8,console,file 117 AAA 6 1-8,console,file 118 Router 6 1-8,console,file 140 AddrNtfy 6 1-8,console,file 141 OSPF 6 1-8,console,file 142 VRRP 6 1-8,console,file 145 RtrArpProc 6 1-8,console,file 147 LACP 6 1-8,console,file 148 RtrNat 6 1-8,console,file 151 RtrTwcb 6 1-8,console,file 154 DbgIpPkt 6 1-8,console,file 158 HostDoS 6 1-8,console,file 180 RtrMcast 6 1-8,console,file 183 PIM 6 1-8,console,file 184 DVMRP 6 1-8,console,file 185 BGP 6 1-8,console,file 196 LinkFlap 6 1-8,console,file 199 Spoof 6 1-8,console,file 207 IPmcast 6 1-8,console,file 209 Spantree 6 1-8,console,file 211 trackobj 6 1-8,console,file 213 LinkTrap 6 1-8,console,file 214 CDP 6 1-8,console,file 215 LLDP 6 1-8,console,file 216 CiscoDP 6 1-8,console,file 222 Security 6 1-8,console,file 225 RMON 6 1-8,console,file 231 IPsec 6 1-8,console,file 1(emergencies) 2(alerts) 3(critical) 4(errors) 5(warnings) 6(notifications) 7(information) 8(debugging)
Enterasys S Serie SSA (SW-release mit VSB = Virtual Chassis Bonding):
Application Current Severity Level Server List ---------------------------------------------------------- 88 RtrAcl 6 1-8,console,file 89 CLI 6 1-8,console,file 90 SNMP 6 1-8,console,file 91 Webview 6 1-8,console,file 93 System 6 1-8,console,file 95 RtrFe 6 1-8,console,file 96 Trace 6 1-8,console,file 105 RtrLSNat 6 1-8,console,file 111 FlowLimt 6 1-8,console,file 112 UPN 6 1-8,console,file 117 AAA 6 1-8,console,file 118 Router 6 1-8,console,file 140 AddrNtfy 6 1-8,console,file 141 OSPF 6 1-8,console,file 142 VRRP 6 1-8,console,file 145 RtrArpProc 6 1-8,console,file 147 LACP 6 1-8,console,file 148 RtrNat 6 1-8,console,file 151 RtrTwcb 6 1-8,console,file 154 DbgIpPkt 6 1-8,console,file 158 HostDoS 6 1-8,console,file 180 RtrMcast 6 1-8,console,file 183 PIM 6 1-8,console,file 184 DVMRP 6 1-8,console,file 185 BGP 6 1-8,console,file 196 LinkFlap 6 1-8,console,file 199 Spoof 6 1-8,console,file 207 IPmcast 6 1-8,console,file 209 Spantree 6 1-8,console,file 211 trackobj 6 1-8,console,file 213 LinkTrap 6 1-8,console,file 214 CDP 6 1-8,console,file 215 LLDP 6 1-8,console,file 216 CiscoDP 6 1-8,console,file 218 OAM 6 1-8,console,file 222 Security 6 1-8,console,file 225 RMON 6 1-8,console,file 231 IPsec 6 1-8,console,file 239 Bonding 6 1-8,console,file 242 HAUpgrade 6 1-8,console,file 1(emergencies) 2(alerts) 3(critical) 4(errors) 5(warnings) 6(notifications) 7(information) 8(debugging)
Um jetzt mehr sehen zu können muss der Severity Level angepasst werden für die Application die man „debuggen“ will. Ein meinem Fall war es SNMP auf einem B3 Switch also => SNMP.
set logging application SNMP level 7
Wer die Informationen an einen Syslog Server senden will sollte noch einen Syslogserver hinterlegen mit den richtigen Severity Level.
set logging server 1 ip-addr 10.1.1.1 severity 8 description "default" state enable
Alternativ kann man sich die Syslogs auch auf der Console ausgeben lassen:
A/B/C/D/I-Serie auf Console:
set logging local console enable
A/B/C/D/I/N/S-Serie in File:
set logging local console disable file enable
N/S-Serie:
set logging here enable
Im Syslog tauchte dann auch das System auf das versucht hat mit einer falschen SNMP Community auf die Switche zuzugreifen. Es war ein Printer Verwaltungserver (HP Jetadmin) der die komplette IP-Range des Standorts scannt und versucht per SNMP Parameter von den Geräten abzufragen (Tonerstand, etc.)
<166>Feb 1 10:33:06 192.168.1.52-1 TRAPMGR[175072816]: traputil.c(475) 260 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:06 192.168.1.2-1 TRAPMGR[138984840]: traputil.c(475) 430 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:06 192.168.1.4-1 TRAPMGR[138984160]: traputil.c(475) 245 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:06 192.168.1.8-1 TRAPMGR[138983208]: traputil.c(475) 264 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:06 192.168.1.11-1 TRAPMGR[138983560]: traputil.c(475) 327 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:06 192.168.1.14-2 TRAPMGR[138984192]: traputil.c(475) 203 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:06 192.168.1.15-1 TRAPMGR[138983728]: traputil.c(475) 219 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:06 192.168.1.35-1 TRAPMGR[175050544]: traputil.c(475) 205 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:05 192.168.1.39-1 TRAPMGR[126209216]: traputil.c(466) 181 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:07 192.168.1.43-1 TRAPMGR[175061168]: traputil.c(475) 280 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:07 192.168.1.48-1 TRAPMGR[175067568]: traputil.c(475) 446 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:07 192.168.1.52-1 TRAPMGR[175072816]: traputil.c(475) 261 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:07 192.168.1.2-1 TRAPMGR[138984840]: traputil.c(475) 431 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:08 192.168.1.4-1 TRAPMGR[138984160]: traputil.c(475) 246 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:08 192.168.1.8-1 TRAPMGR[138983208]: traputil.c(475) 265 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:07 192.168.1.11-1 TRAPMGR[138983560]: traputil.c(475) 328 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:07 192.168.1.15-1 TRAPMGR[138983728]: traputil.c(475) 220 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:08 192.168.1.14-2 TRAPMGR[138984192]: traputil.c(475) 204 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:08 192.168.1.35-1 TRAPMGR[175050544]: traputil.c(475) 206 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:06 192.168.1.39-1 TRAPMGR[126209216]: traputil.c(466) 182 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:08 192.168.1.43-1 TRAPMGR[175061168]: traputil.c(475) 281 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:08 192.168.1.48-1 TRAPMGR[175067568]: traputil.c(475) 447 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:08 192.168.1.52-1 TRAPMGR[175072816]: traputil.c(475) 262 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:08 192.168.1.2-1 TRAPMGR[138984840]: traputil.c(475) 432 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:09 192.168.1.4-1 TRAPMGR[138984160]: traputil.c(475) 247 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:09 192.168.1.8-1 TRAPMGR[138983208]: traputil.c(475) 266 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:09 192.168.1.11-1 TRAPMGR[138983560]: traputil.c(475) 329 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:09 192.168.1.14-2 TRAPMGR[138984192]: traputil.c(475) 205 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:09 192.168.1.15-1 TRAPMGR[138983728]: traputil.c(475) 221 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:09 192.168.1.35-1 TRAPMGR[175050544]: traputil.c(475) 207 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:08 192.168.1.39-1 TRAPMGR[126209216]: traputil.c(466) 183 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:10 192.168.1.43-1 TRAPMGR[175061168]: traputil.c(475) 282 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:09 192.168.1.48-1 TRAPMGR[175067568]: traputil.c(475) 448 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:09 192.168.1.52-1 TRAPMGR[175072816]: traputil.c(475) 263 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:10 192.168.1.2-1 TRAPMGR[138984840]: traputil.c(475) 433 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:10 192.168.1.4-1 TRAPMGR[138984160]: traputil.c(475) 248 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:10 192.168.1.8-1 TRAPMGR[138983208]: traputil.c(475) 267 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:10 192.168.1.11-1 TRAPMGR[138983560]: traputil.c(475) 330 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:10 192.168.1.14-2 TRAPMGR[138984192]: traputil.c(475) 206 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:10 192.168.1.15-1 TRAPMGR[138983728]: traputil.c(475) 222 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:10 192.168.1.35-1 TRAPMGR[175050544]: traputil.c(475) 208 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:09 192.168.1.39-1 TRAPMGR[126209216]: traputil.c(466) 184 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:11 192.168.1.43-1 TRAPMGR[175061168]: traputil.c(475) 283 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26 <166>Feb 1 10:33:11 192.168.1.48-1 TRAPMGR[175067568]: traputil.c(475) 449 %% Authent. Failure: Unit: 1 IP Address: 192.168.7.26
Das Beispiel habe ich für Huaweiswitche erstellt. Es geht scheinbar auch über SNMP aber per Telnet die Befehle absetzen geht bei jedem Hersteller.
Folgende Software wird benötigt:
Das einzige was man wissen muss sind die Befehle wie man die Konfiguration bei dem entsprechenden Switch sichert. Bei Huawei liegt per Default die Konfiguration in vrpcfg.cfg. Mit dem Kommando tftp x.x.x.x put flash:/vrpcfg.cfg xxxx.cfg kann man die Konfig auf einen TFTP-Server schicken. Das Macro muss also auf verschiedene Situationen warten und dann Kommandos schicken. Das Macro speichert die Konfigurationen unter der jeweiligen IP-Adresse. Eine Erweiterung das noch ein Datum mit in dem Dateinamen eingebaut wird ist auch möglich.
Bei Huawei sieht das wie folgt aus:
>> Username: << Username senden >> Password: << Password senden >> <Switch-1> << Komando tftp ... senden >> <Switch-1> << quit senden
Batch-Datei (get_cfgs.bat):
cls for /F "eol=; tokens=1,2,3,4 delims=, " %%i in (devices.txt) do ( teraterm\ttpmacro.exe get_cfgs.ttl %%i )
Geräte (devices.txt):
172.20.6.11 172.20.6.12 172.20.6.13 ...
ttl Macro Script für Tera Term Macro Programm (get_cfg.ttl):
; Host & Port host = param2 ; Username username = 'admin' ; Password password = 'admin' strconcat host ':23 /nossh' connect host wait 'Username:' sendln username wait 'Password:' sendln password wait '>' kommando = 'tftp 172.20.16.113 put flash:/vrpcfg.cfg ' strconcat kommando param2 strconcat kommando '.cfg' sendln kommando wait '>' sendln 'quit'
Die Macrosprache von Tera Term ist sehr einfach und lässt sich auf andere Hersteller leicht umbiegen.
Viel Spaß 😉
Howto für 
Ubuntu und 
Debian
Mit diesem Script können Massenbackups durchgeführt werden. Das Tool ist mandantenfähig, es legt pro Kunde einen Unterordner an.
sudo apt-get install snmp tftp-hpa
# Hostname,IP,SNMP-RW-Community, (r=running-config,s=startup-config,b=both) Switch1,10.1.1.1,geheim,r Switch2,10.1.1.2,geheim,r
hp_load_cfg.sh
#!/bin/bash
#################################################################
# hp_load_cfg.sh - Load HP Procurve Configs via TFTP #
#################################################################
# Version 1.0.0 #
# Written by Maximilian Thoma (c) 2009 - admin@lanbugs.de #
#################################################################
# for Ubuntu/Debian - needed snmp and tftp-hpa package #
#################################################################
# Vars
DATE_TOKEN=$(date +"%Y-%m-%d-%H%M%S")
KUNDE=$(echo $1 | awk -F. '{print $1}')
declare K_DIR=$KUNDE
# Check ob Kundenverzeichnis existiert
if [ ! -e $K_DIR ]; then
mkdir $K_DIR; fi
processLine(){
line="$@"
char_1=${line:0:1}
if [ $char_1 != '#' ]; then
### echo $line
# Variablen laden
SwitchNAME=$(echo $line | awk -F, '{print $1}')
SwitchIP=$(echo $line | awk -F, '{print $2}')
SwitchSNMP=$(echo $line | awk -F, '{print $3}')
SwitchSAV=$(echo $line | awk -F, '{print $4}')
# Nur running-config
if [ $SwitchSAV == 'r' ]; then
echo "###########################################"
echo "Save $SwitchNAME - IP: $SwitchIP - Running "
echo "###########################################"
snmpset -v 2c -c $SwitchSNMP $SwitchIP 1.3.6.1.4.1.11.2.14.11.5.1.7.1.5.6.0 i 2
tftp $SwitchIP -v -c get running-config $K_DIR/$SwitchNAME-running-$DATE_TOKEN.cfg
snmpset -v 2c -c $SwitchSNMP $SwitchIP 1.3.6.1.4.1.11.2.14.11.5.1.7.1.5.6.0 i 1
echo "###########################################"
fi
# Nur startup-config
if [ $SwitchSAV == 's' ]; then
echo "###########################################"
echo "Save $SwitchNAME - IP: $SwitchIP - Startup "
echo "###########################################"
snmpset -v 2c -c $SwitchSNMP $SwitchIP 1.3.6.1.4.1.11.2.14.11.5.1.7.1.5.6.0 i 2
tftp $SwitchIP -v -c get startup-config $K_DIR/$SwitchNAME-startup-$DATE_TOKEN.cfg
snmpset -v 2c -c $SwitchSNMP $SwitchIP 1.3.6.1.4.1.11.2.14.11.5.1.7.1.5.6.0 i 1
echo "###########################################"
fi
# Beides
if [ $SwitchSAV == 'b' ]; then
echo "###########################################"
echo "Save $SwitchNAME - IP: $SwitchIP - Both "
echo "###########################################"
snmpset -v 2c -c $SwitchSNMP $SwitchIP 1.3.6.1.4.1.11.2.14.11.5.1.7.1.5.6.0 i 2
tftp $SwitchIP -v -c get running-config $K_DIR/$SwitchNAME-running-$DATE_TOKEN.cfg
tftp $SwitchIP -v -c get startup-config $K_DIR/$SwitchNAME-startup-$DATE_TOKEN.cfg
snmpset -v 2c -c $SwitchSNMP $SwitchIP 1.3.6.1.4.1.11.2.14.11.5.1.7.1.5.6.0 i 1
echo "###########################################"
fi
fi
}
FILE=""
if [ "$1" == "" ]; then
FILE="/dev/stdin"
else
FILE="$1"
if [ ! -f $FILE ]; then
echo "$FILE : does not exists"
exit 1
elif [ ! -r $FILE ]; then
echo "$FILE: can not read"
exit 2
fi
fi
BAKIFS=$IFS
IFS=$(echo -en "\n\b")
exec 3<&0
exec 0<$FILE
while read line
do
processLine $line
done
exec 0<&3
IFS=$BAKIFS
exit 0
./hp_load_cfg.sh Kunde1.txt
./hp_load_cfg.sh Kunde1.txt ########################################### Save Switch1 - IP: 10.21.73.241 - Running ########################################### SNMPv2-SMI::enterprises.11.2.14.11.5.1.7.1.5.6.0 = INTEGER: 2 Connected to 10.21.73.241 (10.21.73.241), port 69 getting from 10.21.73.241:running-config to Kunde1/Switch1-running-2009-07-22-234538.cfg [netascii] Received 748 bytes in 2.3 seconds [2610 bit/s] SNMPv2-SMI::enterprises.11.2.14.11.5.1.7.1.5.6.0 = INTEGER: 1 ########################################### ########################################### Save Switch2 - IP: 10.21.73.242 - Running ########################################### SNMPv2-SMI::enterprises.11.2.14.11.5.1.7.1.5.6.0 = INTEGER: 2 Connected to 10.21.73.242 (10.21.73.242), port 69 getting from 10.21.73.242:running-config to Kunde1/Switch2-running-2009-07-22-234538.cfg [netascii] Received 737 bytes in 1.5 seconds [3981 bit/s] SNMPv2-SMI::enterprises.11.2.14.11.5.1.7.1.5.6.0 = INTEGER: 1 ###########################################
Das Kundenverzeichnis
ls -la Kunde1 ... -rw-r--r-- 1 sysadmin sysadmin 721 2009-07-22 23:45 Switch1-running-2009-07-22-234538.cfg -rw-r--r-- 1 sysadmin sysadmin 710 2009-07-22 23:45 Switch2-running-2009-07-22-234538.cfg ...
Falls Radius nicht funktioniert sollte man noch einen lokalen Backup User anlegen. (siehe Config)
set system login backupuser read-write enable set password backupuser Please enter new password: <passwort eingeben> Please re-enter new password: <passwort eingeben> Password changed. ... set radius server 1 192.168.10.1 1812 geheim set radius enable set authentication login any
Für operator und manager sollte ein Passwort lokal gesetzt werden falls Radius nicht funktioniert.
aaa authentication login privilege-mode aaa authentication console login radius local aaa authentication console enable radius local aaa authentication telnet login radius local aaa authentication telnet enable radius local aaa authentication web login radius local aaa authentication ssh login radius local aaa authentication ssh enable radius local radius-server host 192.168.10.1 key geheim password manager password operator
Fertig.
Konfiguration mit Rescue User falls Radius ausfällt. In dem Fall wird mit Username/Passwort und enable-Secret gearbeitet. Im Fall einer Radiusanmeldung arbeitet der User direkt im Privilege Mode 15.
! aaa new-model aaa group server radius RADIUS_AUTH server 192.168.10.1 auth-port 1812 acct-port 1813 ! aaa authentication login networkaccess group RADIUS_AUTH local aaa authorization exec default group RADIUS_AUTH if-authenticated aaa authorization exec networkaccess group RADIUS_AUTH local if-authenticated enable secret 5 $1$UaiX$0ivA6uWDl0eNoZWv4ciLW. ! username admin privilege 15 secret 5 $1$dArb$Q2sC1uPNaL0QUMlc/V7sF1 ip subnet-zero ! ip radius source-interface FastEthernet0/1 ! radius-server host 192.168.10.1 auth-port 1812 acct-port 1813 key geheim radius-server retransmit 3 ! line con 0 login authentication networkaccess line vty 0 4 exec-timeout 0 0 login authentication networkaccess line vty 5 15 exec-timeout 0 0 login authentication networkaccess !
