Thread: HOW TO: Automating Cisco Router, Switch, and Firewall backups

  1. #1
    Join Date: Jun 2005; Location: Albuquerque, New Mexico; Beans: 272; Distro: Ubuntu Development Release
    HOW TO: Automating Cisco Router, Switch, Firewall backups.


    Step 1: Download and install rancid.
    --------------------------------------------------------------------

    For additional information on rancid's complete functionality see the following site.

    http://www.shrubbery.net/rancid/


    Install rancid, build-essential, and expect.

    Code:
    sudo apt-get install rancid-core rancid-util build-essential expect
    Step 2: Create .cloginrc file in the rancid directory.
    --------------------------------------------------------------------


    Open a terminal and type the following.

    Code:
    sudo gedit /var/lib/rancid/.cloginrc
    Add entries for each router, switch, pix firewall you'd like to backup by using the following format.

    Code:
    add password    IPADDRESS       {telnetpassword}      {enablepassword}
    IPADDRESS = the actual ip address of the device you want to backup.
    telnetpassword = the actual telnet password for the device you want to backup.
    enablepassword = the actual enable password for the device you want to backup.

    The "{}" are required. At the bottom of the .cloginrc add the following line if you require SSH access to your equipment.

    Code:
    add method     *    telnet ssh
    With this, clogin will first try telnet, then ssh, to your equipment.



    Step 3: Protect the .cloginrc file.
    --------------------------------------------------------------------

    Code:
    sudo chmod 640 /var/lib/rancid/.cloginrc
    Step 4: Create a backup directory for backup configs.
    --------------------------------------------------------------------


    Code:
    sudo mkdir /var/lib/rancid/backups/

    Step 5: Change ownership of the /var/lib/rancid/backups/ directory.
    --------------------------------------------------------------------


    Code:
    sudo chown -R rancid:rancid /var/lib/rancid/backups/

    Step 6: Change permissions to the rancid directory.
    --------------------------------------------------------------------


    Code:
    sudo chmod 770 /var/lib/rancid/
    Step 7: Set password for rancid account
    --------------------------------------------------------------------

    Code:
    sudo passwd rancid
    Step 8: Test .cloginrc
    --------------------------------------------------------------------

    As the user rancid test accessing your equipment.

    Code:
    su rancid
    Now, using one of the network devices that you've put in the .cloginrc for rancid, type the following in the open terminal.

    Code:
    /usr/lib/rancid/bin/clogin  IPADDRESSOFDEVICE
    You should see clogin telnet (or ssh) to the device in question and switch to enable mode on the device. If everything works, then proceed on to step 9. Otherwise take a look at your /var/lib/rancid/.cloginrc .



    Step 9: Test grabbing a backup config from the same device.

    --------------------------------------------------------------------

    As rancid run the following test to make sure that you have everything setup correctly.

    Code:
    /usr/lib/rancid/bin/clogin  -c 'write term' IPADDRESSOFDEVICE > /var/lib/rancid/backups/test.cfg

    Verify the output:

    Code:
    less /var/lib/rancid/backups/test.cfg

    If everything checks out move on to step 10.


    Step 10: Create the bash script for the backups
    --------------------------------------------------------------------

    Here's a sample script for you to copy and paste into a file (i.e. network_device_backup.sh) and to tweak, add, or change for your needs. But save the script somewhere the rancid user can access and execute the script from (i.e. /var/lib/rancid/). If you are planning on backing up various types of routers, switches, firewalls etc. you may want to create several different scripts.

    Code:
    #!/bin/bash
    # Variables

    clogin=/usr/lib/rancid/bin/clogin
    path=/var/lib/rancid/backups
    tdy=$(date +%m%d%Y)

    # backup network device: capture the running config into a dated file

    "$clogin" -c 'write term' 192.168.0.1 > "$path/foo-$tdy.cfg"
    NOTE: When rancid is installed the default shell for the rancid user is csh. So for the script above to work the "#!/bin/bash" is needed.



    Step 11: Make the script executable to rancid.
    --------------------------------------------------------------------

    Code:
    sudo chmod 700 /path/to/script

    Step 12: Test the backup script.
    --------------------------------------------------------------------

    Test your script logged in as rancid.

    Code:
    su rancid

    Now from wherever you put the backup script verify that it works before adding it as a cron job. For this example I'm going to use the following location /var/lib/rancid/.scripts/routers.sh with the output path being /var/lib/rancid/backups/.

    Code:
    /var/lib/rancid/.scripts/routers.sh
    Verify the config file that was generated to the output path you specified.

    Code:
    less /var/lib/rancid/backups/foo-12202005.cfg

    Step 13: Add script to CRON.
    --------------------------------------------------------------------

    As rancid add your script to CRONTAB.
    Code:
    su rancid
    Now add an entry for your script.

    Code:
    crontab -e
    To back up your equipment every Friday at 5pm the entry should look like...

    0 17 * * 5 /var/lib/rancid/.scripts/routers.sh >/dev/null 2>&1

    Save the entry (ctrl+x).

    Verify the entry in crontab is correct.

    Code:
    crontab -l
    For more info on CRONTAB see the following post.
    http://ubuntuforums.org/showthread.php?t=102626

    You're all set... enjoy!
    Last edited by GrammatonCleric; January 15th, 2006 at 01:31 AM.
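A hardened variant of the step-10 script, added here as an example and not taken from the post above: it keeps the new files owner-only because a running config holds secrets, rejects captures that do not look like a complete config (login failure, timeout, banner only), and prunes old copies. The clogin path and backup directory follow the thread; the device inventory, the KEEP_DAYS value and the validation markers are assumptions.

```shell
#!/bin/bash
# Added example, not the thread's script: hardened step-10 backup. CLOGIN,
# BACKUP_DIR, KEEP_DAYS and DEVICES are assumptions; override them via env.
set -u
CLOGIN=${CLOGIN:-/usr/lib/rancid/bin/clogin}
BACKUP_DIR=${BACKUP_DIR:-/var/lib/rancid/backups}
KEEP_DAYS=${KEEP_DAYS:-30}
# Constructed inventory, "<name> <address>" per line; name becomes the file name.
DEVICES=${DEVICES:-"core-rtr 192.168.0.1
edge-fw 192.168.0.2"}
# Captured configs hold secrets: files this script creates are owner-only.
umask 077
# Output path <dir>/<name>-<YYYYMMDD>.cfg (date-first suffix sorts by age).
backup_path() {  # $1=device name, $2=date as YYYYMMDD
    printf '%s/%s-%s.cfg\n' "$BACKUP_DIR" "$1" "$2"
}
# A complete IOS 'write term' capture is non-empty, has a "version" line and
# ends with "end"; a login failure, timeout or banner-only output fails this.
validate_config() {  # $1=file; returns 0 when the capture looks complete
    [ -s "$1" ] || return 1
    grep -q '^version ' "$1" || return 1
    tail -n 5 "$1" | grep -q '^end' || return 1
}
# Capture one device into a temporary file; keep it only if it validates.
backup_device() {  # $1=device name, $2=address
    out=$(backup_path "$1" "$(date +%Y%m%d)")
    tmp="$out.part"
    "$CLOGIN" -c 'write term' "$2" > "$tmp" 2>/dev/null
    if validate_config "$tmp"; then
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "backup of $1 ($2) failed validation, nothing written" >&2
        return 1
    fi
}
main() {
    rc=0
    [ -x "$CLOGIN" ] || { echo "clogin not executable: $CLOGIN" >&2; return 2; }
    while read -r name addr; do
        [ -n "$name" ] && { backup_device "$name" "$addr" || rc=1; }
    done <<EOF
$DEVICES
EOF
    find "$BACKUP_DIR" -name '*.cfg' -mtime +"$KEEP_DAYS" -delete  # prune old copies
    return "$rc"
}
# Run the inventory only when executed as the script itself (not when sourced).
if [ "${0##*/}" = "network_device_backup.sh" ]; then main; fi
```

Save it as network_device_backup.sh so the last line runs the inventory; a non-zero exit from cron then means at least one device was not backed up, which is worth alerting on.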

  2. #2
    Join Date: Jun 2008; Location: No beer for Jade Goody; Beans: 28

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Quote Originally Posted by GrammatonCleric:
    As the user rancid test accessing your equipment.

    Code:
    su rancid
    NOTE: When rancid is installed the default shell for the rancid user is csh. So for the script above to work the "#!/bin/bash' is needed.
    Looks like RANCID's user in 8.04 has its shell set to /bin/false, so using 'su' will silently fail. You can use vipw to change it to /bin/bash.

  3. #3
    Join Date: May 2007; Beans: 59

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Quote Originally Posted by GrammatonCleric:
    Open a terminal and type the following.

    Code:
    sudo gedit /var/lib/rancid/.cloginrc
    Add entries for each router, switch, pix firewall you'd like to backup by using the following format.

    Code:
    add password    IPADDRESS       {telnetpassword}      {enablepassword}
    IPADDRESS = the actual ip address of the device you want to backup.
    telnetpassword = the actual telnet password for the device you want to backup.
    enablepassword = the actual enable password for the device you want to backup.

    The "{}" are required. At the bottom of the .cloginrc add the following line if you require SSH access to your equipment.

    Code:
    add method     *    telnet ssh
    With this, clogin will first try telnet, then ssh, to your equipment.
    Very nice and useful howto! Just what I've been looking for!
    But what if my routers use local authentication with username/password and not just a password?
    How exactly would the /var/lib/rancid/.cloginrc file look in this case?
    TIA
    Ziv

  4. #4
    Join Date: Jun 2005; Location: Albuquerque, New Mexico; Beans: 272; Distro: Ubuntu Development Release

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Hi Ziv,

    The .cloginrc format is:

    Code:
     add password <router name glob> <vty passwd> <enable passwd>
    
     add user <router name glob> <username>
           The default user is $USER (i.e.: the user running clogin).
    
     add userprompt <router name glob> <username prompt>
           What the router prints to prompt for the username.
           Default: {"(Username|login|user name):"}
    
     add userpassword <router name glob> <user password>
           The password for user if different than the password set
           using 'add password'.
    
     add passprompt <router name glob> <password prompt>
           What the router prints to prompt for the password.
           Default: {"(\[Pp]assword|passwd):"}
    
     add method <router name glob> {ssh} [...]
           Defines, in order, which connection method(s) to use for a device
           from the set {ssh,telnet,rsh}.  e.g.: add method * {ssh} {telnet} {rsh}
           will attempt ssh connection first.  if ssh fails with connection
           refused (i.e.: not due to authentication failure), then try telnet,
           then rsh.
           Default: {telnet} {ssh}
    
     add noenable <router name glob>
           equivalent of -noenable on the cmd line to not enable at login.
    
     add enableprompt <router name glob> <enable prompt>
           What the router prints to prompt for the enable password.
           Default: {"\[Pp]assword:"}
    
     add enauser <router name glob> <username>
           This is only needed if enable asks for a username and this
           username is different from what user is set to.
    
     add autoenable <router name glob> <1/0>
           This is used if you are automatically enabled by the login process.
    
     add cyphertype <router name glob> <ssh encryption type>
           Default is 3des.
    
     add identity <router name glob> <path to ssh identity file>
           Default is your default ssh identity.
    Hope this helps.

    - GC

  5. #5
    Join Date: May 2007; Beans: 59

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Yes, it helps, thanks!

  6. #6
    Join Date: May 2007; Beans: 59

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Another little question: let's say I set the default user "rancid" on every router with priv 15.
    Is there a way I can set a global variable of the user to be used on every device? Or do I still need to add an entry for every single device even if the same user/pass is set on all of them?

  7. #7
    Join Date: Nov 2005; Location: Ontario; Beans: 26; Distro: Ubuntu 10.04 Lucid Lynx

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Quote Originally Posted by zivley:
    Is there a way I can set a global variable of the user to be used on every device?
    Code:
    add user *              $env(USER)
    will set the default user for all devices...
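Putting the format from the reply above and the `add user *` answer together for Ziv's case (local username/password on every device), as a constructed .cloginrc that is not from the thread or from rancid's documentation: the username rancid, the wildcard passwords and the 10.0.0.* range are assumptions; specific entries go before the `*` entry because clogin uses the first matching line for a key.

```tcl
# Constructed example .cloginrc (Tcl syntax, read by clogin). Keep it in the
# home directory of the user that runs clogin and chmod 600 it: it holds secrets.
# Entries are matched top-down, first match wins, so specific globs come first.
add user        *               rancid
# one lab device with its own vty and enable passwords (constructed values)
add password    192.168.1.1     {cisco}     {class}
# every other device: the shared local-account password and enable password
add password    *               {vtypass}   {enablepass}
# SSH only; without {telnet} in the list clogin never falls back to clear text
add method      *               {ssh}
# devices whose local account already lands in priv 15 need no enable step
add autoenable  10.0.0.*        1
```

Devices in 10.0.0.* still match the `*` password line for their login password; `add autoenable` only tells clogin not to send the enable password.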

  8. #8
    Join Date: Aug 2009; Location: Lake Tahoe Area; Beans: Hidden!; Distro: Ubuntu 12.04 Precise Pangolin

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Quote Originally Posted by GrammatonCleric:
    Hi Ziv,

    The .cloginrc format is:

    Code:
     add password <router name glob> <vty passwd> <enable passwd>
    
     add user <router name glob> <username>
           The default user is $USER (i.e.: the user running clogin).
    
     add userprompt <router name glob> <username prompt>
           What the router prints to prompt for the username.
           Default: {"(Username|login|user name):"}
    
     add userpassword <router name glob> <user password>
           The password for user if different than the password set
           using 'add password'.
    
     add passprompt <router name glob> <password prompt>
           What the router prints to prompt for the password.
           Default: {"(\[Pp]assword|passwd):"}
    
     add method <router name glob> {ssh} [...]
           Defines, in order, which connection method(s) to use for a device
           from the set {ssh,telnet,rsh}.  e.g.: add method * {ssh} {telnet} {rsh}
           will attempt ssh connection first.  if ssh fails with connection
           refused (i.e.: not due to authentication failure), then try telnet,
           then rsh.
           Default: {telnet} {ssh}
    
     add noenable <router name glob>
           equivalent of -noenable on the cmd line to not enable at login.
    
     add enableprompt <router name glob> <enable prompt>
           What the router prints to prompt for the enable password.
           Default: {"\[Pp]assword:"}
    
     add enauser <router name glob> <username>
           This is only needed if enable asks for a username and this
           username is different from what user is set to.
    
     add autoenable <router name glob> <1/0>
           This is used if you are automatically enabled by the login process.
    
     add cyphertype <router name glob> <ssh encryption type>
           Default is 3des.
    
     add identity <router name glob> <path to ssh identity file>
           Default is your default ssh identity.
    Hope this helps.

    - GC
    Hello!
    Thank you for your great post, but I can't get through step 8.
    I don't understand the content of the .cloginrc file, it seems too complex for this:
    Router Name: Lab_router
    ip address: 192.168.1.1
    telnet(vty) password cisco
    enable secret class
    my .cloginrc:
    add password 192.168.1.1 {cisco} {class}
    when I type
    /usr/lib/rancid/bin/clogin 192.168.1.1
    I get this:
    Error: password file (/home/eric/.cloginrc) does not exist

    I'll be very appreciative of any help,
    thanks,

    Eric

  9. #9
    Join Date: Apr 2007; Location: Singapore, Asia; Beans: Hidden!; Distro: Hardy Heron (Ubuntu Development)

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    Quote Originally Posted by hovrashko:
    Hello!
    Thank you for your great post, but I can't get through step 8.
    I don't understand the content of the .cloginrc file, it seems too complex for this:
    Router Name: Lab_router
    ip address: 192.168.1.1
    telnet(vty) password cisco
    enable secret class
    my .cloginrc:
    add password 192.168.1.1 {cisco} {class}
    when I type
    /usr/lib/rancid/bin/clogin 192.168.1.1
    I get this:
    Error: password file (/home/eric/.cloginrc) does not exist

    I'll be very appreciative of any help,
    thanks,

    Eric
    I have the same issue, anyone can help???

    thomas@nms-01:/$ /usr/lib/rancid/bin/clogin 10.1.1.1

    Error: password file (/home/thomas/.cloginrc) does not exist
    thomas@nms-01:/$

    I have followed the guide to the dot!

  10. #10
    Join Date: Mar 2010; Beans: 1

    Re: HOW TO: Automating Cisco Router, Switch, and Firewall backups

    You MUST run the command as the rancid user ("su - rancid") or you will get this exact error. Here is another (slightly different) install linked from the rancid web site. Note that this install is for fedora not ubuntu and the setup is slightly different. http://www.linuxhomenetworking.com/w...ps_With_Rancid

    Basically your rancid user has the wrong home folder set.

    To change the user's home directory, just use the 'usermod' command, which exists on all unices. It works like this:

    usermod -d /path/to/new/homedir/ username

    Best to do this from the root user logon or another admin user that is NOT the rancid user.
    Last edited by kcmjr; March 30th, 2010 at 10:10 PM.
