rancid-discuss post

Cisco (Altera) VPN concentrators?

Michael Stefaniuc mstefani at redhat.com

Mon Nov 28 19:58:39 UTC 2005

On Wed, Nov 23, 2005 at 03:18:10PM -0800, john heasley wrote:
> Tue, Nov 22, 2005 at 06:52:02PM +0100, Michael Stefaniuc:
> > Hello,
> >
> > does anybody have a rancid script to get the config file out of the
> > Cisco VPN3k (formerly Altera) concentrators? Those have a stupid menu
> > driven system and no cli. The format of the config file is not very user
>
> you are probably out of luck. rancid currently depends on a UI (no snmp
> stuff) and menu-driven UIs are very difficult to deal with via expect.
I know, I have read the FAQ before sending my email. That's why I asked
for a generic rancid wrapper that is able to inject a file (which
doesn't matter how it was gathered) into the rancid CVS.

> > friendly either but i still prefer to back it up ;).
> > Alternatively a generic rancid wrapper that is able to feed a file into
> > the rancid cvs would do too as i already have a script to scp the config
> > file from the VPN3k.
Here is a proposal for such a wrapper. As nothing speaks like code I
have attached a proof of concept code which works for me but is a quick
hack and NOT ready for production. Use at your own risk.

Design:
-------
router.db entry:
    <device_type> is of the form wrapper.<plugin> . Example:
    # VPN concentrator
    192.168.1.1:wrapper.vpn3k:up
wrancid
    is the actual wrapper and it is called from rancid-fe (patch
    attached). What it does is it calls the
    /usr/share/rancid/wrapper/<plugin> file passing it the filename to which
    to save the config file and the hostname.
/usr/share/rancid/wrapper/vpn3k
    this is the actual workhorse. Here it uses scp and snmp to get the
    config file and some information and it drops them to the filename it
    got from wrancid.

That's all. Ugly? Sure it is but it gets the job done (to backup the
device; nothing more). And it is easily extensible; just drop a script
("plugin") that is able to get you a file into /usr/share/rancid/wrapper
and you're done. The plugin file can be written in any language and
doesn't have to use expect. How the plugin file gets to the config file
depends on the device polled (scp, ftp, http, trained monkey) and it
doesn't really matter.

Possible improvements of wrancid would be to parse .cloginrc and pass
the username/password down to the plugin scripts making those easier but
that needs to be done securely (no command line and no environment). At
the moment vpn3k has it hard coded in the file (did I say that it is
proof of concept code?).
And the scripts would need some error handling too.

Comments?

bye
    michael
--
Michael Stefaniuc               Tel.: +49-711-96437-199
Sr. Network Engineer            Fax.: +49-711-96437-111
Red Hat GmbH                    Email: mstefani at redhat.com
Hauptstaetterstr. 58            http://www.redhat.de/
D-70178 Stuttgart
-------------- next part --------------
#!/usr/bin/perl -w
#
# wrancid - Wrapper script for all the devices without a proper cli but
#           for which there is another way to get to the config file.
#
# WARNING: This is only PROOF OF CONCEPT code and will screw up your data
#          and eat babies!!!
#
# Copyright 2005 Michael Stefaniuc for Red Hat
#
# This script is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#

use strict;
use Getopt::Std;

#############
# Variables #
#############
my $plugin_dir = '/usr/share/rancid/wrapper';

my %options = ();
getopts("f:s:", \%options);
my $host = $ARGV[0];
my $script = $options{'s'};
my $file;
if (defined($options{'f'})) {
    $file = $options{'f'};
} else {
    $file = $host . ".new";
}

# Call the plugin script and let it do the work
exec("$plugin_dir/$script", "-f", $file, $host) or
    die "Couldn't execute the '$plugin_dir/$script' script!\n";
-------------- next part --------------
--- rancid-fe.orig 2005-11-28 10:53:11.000000000 -0500 +++ rancid-fe 2005-11-28 11:17:35.000000000 -0500 
@@ -49,6 +49,7 @@ elsif ($vendor =~ /^redback$/i) { exec('rrancid', $router); } elsif ($vendor =~ /^riverstone$/i) { exec('rivrancid', $router); } elsif ($vendor =~ /^tnt$/i) { exec('tntrancid', $router); } +elsif ($vendor =~ /^wrapper\.(.+)$/i) { exec('wrancid', '-s', $1, $router); } elsif ($vendor =~ /^zebra$/i) { exec('zrancid', $router); } else { printf(STDERR "unknown router manufacturer for $router: $vendor\n");
-------------- next part --------------
#!/usr/bin/perl -w
#
# vpn3k - SCP and SNMP Backup script for Cisco VPN 3K concentrators
#         to be used by the wrancid rancid wrapper
#
# WARNING: This is only PROOF OF CONCEPT code and will screw up your data
#          and eat babies!!!
#
# Copyright 2005 Michael Stefaniuc for Red Hat
#
# This script is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#

#######################################################
# Modules
#######################################################
# Load any modules needed
use strict;
use Getopt::Std;
use Net::SCP::Expect;
use File::Temp;

#######################################################
# Variables
#######################################################
# Initialize variables used in this script
my $backup_user = "backup";
my $backup_pass = "backup";
my $snmp_community = 'public';

my %options = ();
getopts('f:', \%options);
my $file = $options{'f'};
my $fh;
my $host = $ARGV[0];
(my $tempfh, my $tempfile) = mkstemp( "/tmp/tmpfileXXXXX" );
#close($tempfh);

# Open the output file.
open($fh, ">", $file) or die "Cannot open output file\n";
print($fh "#RANCID-CONTENT-TYPE: wrapper.vpn3k\n#\n");

# Get some infos from snmp
my $snmp_command = "snmpget -v2c -c $snmp_community -On $host .1.3.6.1.2.1.1.1.0";
my $result = `$snmp_command`;
chomp($result);
if ($result =~ /VPN 3000 Concentrator Version (\S+) built by (\S+) on (.+)$/i) {
    my $version = $1;
    my $compiled = "$3 by $2";
    print($fh "#Chassis Type: VPN 3000\n#\n");

    $snmp_command = "snmpget -v2c -c $snmp_community -On $host .1.3.6.1.2.1.47.1.1.1.1.11.1";
    $result = `$snmp_command`;
    chomp($result);
    if ($result =~ /"([^"]+)"/) {
        print($fh "#Serial Number: $1\n#\n");
    }

    print($fh "#Image: Version: $version\n");
    print($fh "#Image: Compiled: $compiled\n#\n");
}

# Call scp and download the running config.
my $scp_session = Net::SCP::Expect->new(user=>"$backup_user",password=>"$backup_pass");
# the connection sometimes terminates incorrectly but we fully transferred
# the file
eval { $scp_session->scp("$host:config", $tempfile); };

# Copy the config file over removing the comment at the beginning
open($tempfh, "<", $tempfile) or die "Scp seems to have failed\n";
my $line;
while ($line = <$tempfh>) {
    if ($line =~ /^#/) {
        next;
    }
    print($fh $line);
}

#######
# End #
#######
close($fh);
close($tempfh);
unlink($tempfile);
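
Review bot: in the rancid-fe patch, the `(.+)` capture in the added `wrapper\.` branch accepts any characters, so a router.db device type containing `/` or `..` is passed unchanged to `wrancid -s`, and wrancid joins it onto the plugin directory and executes the result. Consider restricting the capture to a plain plugin name, for example `/^wrapper\.([A-Za-z0-9_-]+)$/i`, so the lookup cannot leave /usr/share/rancid/wrapper, and let the existing "unknown router manufacturer" branch report anything else.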
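
The message above proposes passing the username and password from wrancid down to the plugin "securely (no command line and no environment)". One way to do that, as an added example that is not part of the original post or of rancid: the wrapper checks the plugin name and writes the credentials to the plugin's stdin. The `run_plugin` function, the two-line stdin format, the `demo` plugin and the password are assumptions constructed for this illustration.

```perl
#!/usr/bin/perl
# Added example, not the posted wrancid: validate the plugin name and give the
# plugin its credentials on stdin, never in argv or the environment.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Runs "$plugin_dir/$plugin -f FILE HOST" and returns the wait status ($?).
sub run_plugin {
    my ($plugin_dir, $plugin, $file, $host, $user, $pass) = @_;
    # The plugin name comes from router.db: allow a bare file name only.
    $plugin =~ /\A[A-Za-z0-9_-]+\z/ or die "bad plugin name\n";
    $host =~ /\A[A-Za-z0-9][A-Za-z0-9.:-]*\z/ or die "bad host name\n";
    my $path = "$plugin_dir/$plugin";
    (-f $path && -x _) or die "no such plugin\n";
    local $SIG{PIPE} = 'IGNORE';    # a plugin that exits early must not kill us
    # List-form piped open: no shell is involved, arguments are passed as-is.
    open(my $to_plugin, '|-', $path, '-f', $file, $host)
        or die "cannot start $path: $!\n";
    print {$to_plugin} "$user\n$pass\n";
    close($to_plugin);              # waits for the child and sets $?
    return $?;
}

# Demo: a constructed plugin in a temporary directory stands in for vpn3k.
my $dir = tempdir(CLEANUP => 1);
open(my $p, '>', "$dir/demo") or die "$!\n";
print {$p} <<'EOF';
#!/bin/sh
# Constructed plugin: credentials arrive on stdin; $2 is the file, $3 the host.
read user; read pass
printf '#RANCID-CONTENT-TYPE: wrapper.demo\n#\nfetched %s as %s\n' "$3" "$user" > "$2"
EOF
close($p);
chmod(0700, "$dir/demo");

my $rc = run_plugin($dir, 'demo', "$dir/192.168.1.1.new", '192.168.1.1',
                    'backup', 'constructed-password');
print "plugin wait status: $rc\n";
open(my $out, '<', "$dir/192.168.1.1.new") or die "$!\n";
print while <$out>;
close($out);

# Names that are not a bare file name are refused before anything is executed.
for my $bad ('../demo', 'sub/demo', '') {
    eval { run_plugin($dir, $bad, "$dir/x", '192.168.1.1', 'u', 'p') };
    print "refused '$bad': $@";
}
```

A plugin written for this scheme reads two lines from stdin before it contacts the device, so the password is visible neither in `ps` output nor in the process environment.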