
Thread: HOW TO: Automating Cisco Router, Switch, and Firewall backups

  1. #31
    Join Date
    Dec 2007
    Location
    Otsego, MN
    Beans
    11
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Spoke too soon. It made it maybe through the first couple of iterations and started doing it again.

    Also, if you logon to our core Cisco 4507 and do an "sh run", it'll see it as a new diff even if you don't make any changes.

    Annoying...

  2. #32
    Join Date
    Apr 2011
    Beans
    1

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Need your guys' expertise on my concern; every time I did the command below:

    /usr/lib/rancid/bin/clogin -c 'write term' IPADDESSOFDEVICE > /var/lib/rancid/backups/test.cfg

    this will come out:

    bash: /var/lib/rancid/backups/test.cfg: Permission denied

  3. #33
    Join Date
    May 2008
    Beans
    6

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Quote: Originally Posted by GrammatonCleric
    HOW TO: Automating Cisco Router, Switch, Firewall backups.


    Step 1: Download and install rancid.
    --------------------------------------------------------------------

    For additional information on rancid's complete functionality see the following site.

    http://www.shrubbery.net/rancid/


    Install rancid, build-essential, and expect.

    Code:
    sudo apt-get install rancid-core rancid-util build-essential expect

    Step 2: Create .cloginrc file in the rancid directory.
    --------------------------------------------------------------------

    Open a terminal and type the following.

    Code:
    sudo gedit /var/lib/rancid/.cloginrc

    Add entries for each router, switch, PIX firewall you'd like to back up by using the following format.

    Code:
    add password    IPADDRESS       {telnetpassword}      {enablepassword}

    IPADDRESS = the actual IP address of the device you want to back up.
    telnetpassword = the actual telnet password for the device you want to back up.
    enablepassword = the actual enable password for the device you want to back up.

    The "{}" are required. At the bottom of the .cloginrc add the following line if you require SSH access to your equipment.

    Code:
    add method     *    telnet ssh

    With this clogin will first try to telnet then ssh to your equipment.



    Step 3: Protect the .cloginrc file.
    --------------------------------------------------------------------

    Code:
    sudo chmod 640 /var/lib/rancid/.cloginrc

    Step 4: Create a backup directory for backup configs.
    --------------------------------------------------------------------


    Code:
    sudo mkdir /var/lib/rancid/backups/

    Step 5: Change ownership of the /usr/lib/rancid/backups/ directory.
    --------------------------------------------------------------------


    Code:
    sudo chown -R rancid.rancid /var/lib/rancid/backups/

    Step 6: Change permissions to the rancid directory.
    --------------------------------------------------------------------


    Code:
    sudo chmod 770 /var/lib/rancid/

    Step 7: Set password for rancid account
    --------------------------------------------------------------------

    Code:
    sudo passwd rancid

    Step 8: Test .cloginrc
    --------------------------------------------------------------------

    As the user rancid test accessing your equipment.

    Code:
    su rancid

    Now using one of the network devices that you've put in the .cloginrc for rancid type the following in the open terminal.

    Code:
    /usr/lib/rancid/bin/clogin  IPADDESSOFDEVICE

    You should see the clogin telnet (or ssh) to the device in question and switch to enable mode on the device. If everything works then proceed on to step 8. Otherwise take a look at your /var/lib/rancid/.cloginrc .



    Step 9: Test grabbing a backup config from the same device.
    --------------------------------------------------------------------

    As rancid run the following test to make sure that you have everything setup correctly.

    Code:
    /usr/lib/rancid/bin/clogin  -c 'write term' IPADDESSOFDEVICE > /var/lib/rancid/backups/test.cfg

    Verify the output:

    Code:
    less /var/lib/rancid/backups/test.cfg

    If everything checks out move on to step 10.


    Step 10: Create the bash script for the backups
    --------------------------------------------------------------------

    Here's a sample script for you to copy and paste into a file (i.e. network_device_backup.sh) and to tweak, add, or change for your needs. But save the script somewhere the rancid user can access and execute the script from (i.e. /var/lib/rancid/). If you are planning on backing up various types of routers, switches, firewalls etc. you may want to create several different scripts.

    Code:
    #!/bin/bash
    # Variables

    clogin=/usr/lib/rancid/bin/clogin   # rancid's login/command wrapper
    path=/var/lib/rancid/backups        # output directory (owned by rancid)
    tdy=$(date +%m%d%Y)                 # date stamp, e.g. 12202005

    # backup network device: capture the running config to a dated file

    "$clogin" -c 'write term' 192.168.0.1 > "$path/foo-$tdy.cfg"

    NOTE: When rancid is installed the default shell for the rancid user is csh. So for the script above to work the "#!/bin/bash" is needed.



    Step 11: Make the script executable to rancid.
    --------------------------------------------------------------------

    Code:
    sudo chmod 700 /path/to/script

    Step 12: Test the backup script.
    --------------------------------------------------------------------

    Test your script logged in as rancid.

    Code:
    su rancid

    Now from wherever you put the backup script verify that it works before adding it as a cron job. For this example I'm going to use the following location /var/lib/rancid/.scripts/routers.sh with the output path being /var/lib/rancid/backups/.

    Code:
    /var/lib/rancid/.scripts/routers.sh

    Verify the config file that was generated to the output path you specified.

    Code:
    less /var/lib/rancid/backups/foo-12202005.cfg

    Step 13: Add script to CRON.
    --------------------------------------------------------------------

    As rancid add your script to CRONTAB.
    Code:
    su rancid

    Now add an entry for your script.

    Code:
    crontab -e

    To backup your equipment every Friday at 5pm should look like...

    0 17 * * 5 /var/lib/rancid/.scripts/routers.sh >/dev/null 2>&1

    Save the entry (ctrl+x).

    Verify the entry in crontab is correct.

    Code:
    crontab -l

    For more info on CRONTAB see the following post.
    http://ubuntuforums.org/showthread.php?t=102626

    You're all set... enjoy!

    Thank you very much this is awesome
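
A preflight check for the permissions set in Steps 3 to 6 of the quoted HOW TO, as an added example that is not part of any post in this thread. The function names, the scratch directory and the 192.0.2.1 entry are constructed for illustration, and `stat -c` assumes GNU coreutils as shipped on Ubuntu. It also covers the `bash: ... Permission denied` case from post #32, since that message comes from the shell opening the redirect target before clogin starts.

```bash
#!/bin/bash
# Added example: preflight checks before a clogin backup run.

# no_other_access PATH: succeed only if PATH exists and its mode grants
# nothing to "other" (last octal digit is 0). Uses GNU stat, as on Ubuntu.
no_other_access() {
    pf_mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$pf_mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# preflight CLOGINRC BACKUP_DIR: print every problem found; return 0 only
# when the credentials file and the backup directory are both safe to use.
preflight() {
    pf_rc=0
    if [ ! -f "$1" ]; then
        echo "missing credentials file: $1"; pf_rc=1
    elif ! no_other_access "$1"; then
        echo "$1 is accessible to other users; chmod 640 or tighter"; pf_rc=1
    fi
    if [ ! -d "$2" ]; then
        echo "missing backup directory: $2"; pf_rc=1
    else
        # Saved configs carry password hashes, so treat them like .cloginrc.
        no_other_access "$2" || { echo "$2 is open to other users"; pf_rc=1; }
        # The redirect in "clogin ... > file" is opened by the calling shell,
        # so this user (normally rancid) needs write access here.
        [ -w "$2" ] || { echo "$2 is not writable by $(id -un)"; pf_rc=1; }
    fi
    return "$pf_rc"
}

# Constructed demo in a scratch directory (not the real /var/lib/rancid).
demo=$(mktemp -d)
mkdir "$demo/backups"; chmod 770 "$demo/backups"
printf 'add password 192.0.2.1 {constructed} {constructed}\n' > "$demo/.cloginrc"
chmod 644 "$demo/.cloginrc"
preflight "$demo/.cloginrc" "$demo/backups" || echo "-> fix and retry"
chmod 640 "$demo/.cloginrc"
preflight "$demo/.cloginrc" "$demo/backups" && echo "-> ok"
rm -rf "$demo"
```

Run as the rancid user, `preflight /var/lib/rancid/.cloginrc /var/lib/rancid/backups` can gate the backup script so it stops before any credentials are used.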

  4. #34
    Join Date
    May 2008
    Beans
    6

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Thank you very much this is awesome!!!

  5. #35
    Join Date
    Mar 2012
    Beans
    1

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Hi all,

    I was wondering if anyone knows how to manipulate the data returned from the clogin script.

    For example, If I were to run the below command:

    ~/bin/clogin -c "show ip ospf ne" 192.168.1.1 > /tmp/ospf.txt

    And the output looked something like the below:

    Router#show ip ospf nei
    Neighbor ID Pri State Dead Time Address Interfae
    192.168.1.2 0 FULL/DROTHER 00:01:54 192.168.1.2 Serial0


    If I could take the output and replace 00:01:54 with xxxxxx before writing it to the .txt file. The idea is to produce less unnecessary diffs when it comes to troubleshooting...

    I've seen something similar to this with an in-house perl script at my old workplace which did a replace on some REGEX; however, with limited scripting knowledge I don't know where to begin!

    If anyone could provide a practical example, it would be much appreciated.


    Many thanks in advance.
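
One way to do the masking asked about in post #35, as an added example that is not part of the original thread: a filter that replaces the OSPF Dead Time countdown with xxxxxx, plus a helper that rewrites the saved file only when the masked output changed. The function names and the two sample captures are constructed; the helper goes slightly beyond the question by also refusing to overwrite a good capture with empty output.

```bash
#!/bin/bash
# Added example: mask volatile fields in captured device output so that
# successive captures differ only when something meaningful changed.

# mask_volatile: filter stdin to stdout. On OSPF neighbor rows (first field
# is a dotted-quad Neighbor ID, third field is a State such as FULL/DROTHER)
# the Dead Time countdown becomes xxxxxx. Other lines pass through, so
# time-like strings elsewhere in the output are left alone.
mask_volatile() {
    awk '
        { sub(/\r$/, "") }    # drop a trailing CR from terminal captures
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $3 ~ /\// {
            sub(/[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/, "xxxxxx")
        }
        { print }
    '
}

# save_if_changed DEST: write stdin to DEST only when the content differs.
# Returns 0 when DEST was created or updated, 1 when nothing changed,
# 2 when the input was empty (e.g. a failed login) and DEST was kept.
save_if_changed() {
    sic_tmp=$(mktemp "$1.XXXXXX") || return 2   # mktemp creates it mode 0600
    cat > "$sic_tmp"
    [ -s "$sic_tmp" ] || { rm -f "$sic_tmp"; return 2; }
    if [ -f "$1" ] && cmp -s "$sic_tmp" "$1"; then
        rm -f "$sic_tmp"
        return 1
    fi
    mv -f "$sic_tmp" "$1"
}

# Constructed sample: the same neighbor captured twice, seconds apart.
capture_1='Router#show ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.2       0   FULL/DROTHER    00:01:54    192.168.1.2     Serial0'
capture_2=$(printf '%s\n' "$capture_1" | sed 's/00:01:54/00:01:31/')

demo_dir=$(mktemp -d)
printf '%s\n' "$capture_1" | mask_volatile | save_if_changed "$demo_dir/ospf.txt" \
    && echo "capture 1: written"
printf '%s\n' "$capture_2" | mask_volatile | save_if_changed "$demo_dir/ospf.txt" \
    || echo "capture 2: unchanged, nothing to diff"
cat "$demo_dir/ospf.txt"
rm -rf "$demo_dir"
```

With the command from the post, the pipeline becomes `~/bin/clogin -c "show ip ospf ne" 192.168.1.1 | mask_volatile | save_if_changed /tmp/ospf.txt`.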

  6. #36
    Join Date
    Jul 2012
    Beans
    1

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    This HOW TO is amazing. Thank you very much!

    However I'd like to add something to the shell script. Everybody knows the situation: you change something on a switch and don't save it into permanent memory.

    I'd like to add a command to the bash script that makes the switch write the flash memory into permanent memory before backing it up. Could anyone of you help me what to do?

    Thanks in advance

  7. #37
    Join Date
    May 2009
    Beans
    1

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Hi,

    Thanks for this amazing guide. I would like to know how to configure RANCID for ASA which does not prompt for username, as in my case. When I telnet to my ASA it is not prompting for username rather it prompts just for the password, how do I configure RANCID accordingly?

    Your help is appreciated.
