
Recipe 17.8 Using SNMP to Modify a Router's Running Configuration

17.8.1 Problem

You want to use SNMP to download or modify a router's configuration.

17.8.2 Solution

To upload or download a current copy of your router's configuration file to a TFTP server via SNMP, you have to first configure the router for read-write SNMP access:

Router#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server community ORARW rw
Router(config)#end

To download the current configuration file, you need to create an empty file on your TFTP server. In this case we assume a Unix server, but TFTP server software is available for essentially every popular operating system. Send an SNMP command to the router to trigger the TFTP download:

Freebsd% touch /tftpboot/router.cfg
Freebsd% chmod 666 /tftpboot/router.cfg
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.55.172.25.1.1 s router.cfg
enterprises.9.2.1.55.172.25.1.1 = "router.cfg"
Freebsd%

You can use SNMP to trigger the router to upload a configuration file from your TFTP server via SNMP as follows:

Freebsd% echo "no ip source-route" > /tftpboot/new.cfg
Freebsd% echo "end" >> /tftpboot/new.cfg
Freebsd% chmod 666 /tftpboot/new.cfg
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.53.172.25.1.1 s new.cfg
enterprises.9.2.1.53.172.25.1.1 = "new.cfg"
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.54.0 i 1
enterprises.9.2.1.54.0 = 1
Freebsd%

17.8.3 Discussion

The ability to extract or modify your router's configuration via SNMP is powerful yet scary. These examples illustrate the power of SNMP read-write access and the main reason we advocate SNMP security features. We highly recommend that you read Recipe 17.11 before allowing open SNMP write access on your routers. In that recipe we demonstrate an effective way to mitigate unauthorized tampering with your router's configuration files.

This first example illustrates how to extract your router's running configuration file to a TFTP server using SNMP. Before a typical TFTP server will accept a file transfer, a world-writable file must exist. On a Unix platform, the touch command creates this file, while the chmod command ensures that it has the proper file attributes.

The snmpset command instructs the router to send its running configuration file to a particular file on a particular TFTP server:

snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.55.172.25.1.1 s router.cfg

In this command, Router is the name (or IP address) of the router. The read-write SNMP community string is ORARW. The MIB OID value is actually in two parts. The first part, .1.3.6.1.4.1.9.2.1.55, is the OID value in the Cisco MIB extension that instructs the router to send its configuration file. The second part (172.25.1.1, in this case) is the IP address of your TFTP server, and router.cfg is the name of the file as it will appear on the TFTP server. The single letter s before the file name designates that the argument that follows will be a character string.

Extracting a router's configuration file like this is extremely useful. The Bourne shell script in Example 17-2 uses this method to extract and store the current configuration file from a Cisco router. The script automates the commands listed in the solution section to simplify the extraction of router configuration files. This script takes a single argument, the router name or IP address, and it stores the router configuration file in the /tftpboot directory. The file will be the name of the router, with .auto appended to it (e.g., router.auto).

Example 17-2. conf
#!/bin/sh
#
#    conf -- A compact script to extract router configs to a
#            tftp server.
#
#  set behavior
snmprw="ORARW"
tftp="172.25.1.1"
#
router=$1
if [ "$router" = "" ]; then
    echo "Usage: `basename $0` <hostname | ip address>" >&2
    exit 1
else
    # a world-writable, empty file must exist before the TFTP server accepts the transfer
    rm -f "/tftpboot/$router-auto"
    touch "/tftpboot/$router-auto"
    chmod 666 "/tftpboot/$router-auto"
    snmpset="snmpset -v1 -c $snmprw $router"
    # .55 followed by the TFTP server address tells the router to send its running config
    $snmpset ".1.3.6.1.4.1.9.2.1.55.$tftp" s "$router-auto"
    # success only if the router actually wrote something into the file
    if [ -w "/tftpboot/$router-auto" ] && [ -s "/tftpboot/$router-auto" ]; then
        echo "Completed Successfully"
    else
        echo "Operation Failed"
    fi
fi

Run this script as follows:

Freebsd% ./conf router
Completed Successfully
Freebsd%

This script assumes that NET-SNMP is on the server, and requires two variables to be set, snmprw and tftp. The snmprw variable contains the SNMP read-write community string of your organization and the tftp variable contains the IP address of your TFTP server.

The second example in the solution loads new configuration commands into a router. You must have a world-readable file containing these router configuration commands in your TFTP directory before you can upload anything. So in the example we have created a simple configuration file. We used echo commands to create the file, although in practice you should probably use a text editor to help limit the number of typing errors in your router's configuration. The last line in the configuration file should have the end command. This prevents the router from complaining about an unexpected end to the configuration file.

Note that when you upload a configuration file like this, the router merges the commands into its existing configuration, just as it does when you type the commands at the router's console.

There are two important differences between the snmpset commands that upload and download a configuration file. The first is the different OID value. Be very careful that you get the right value here, because you don't want to accidentally upload an old configuration when you're trying to download. The second difference is that after uploading the configuration file, we issued a second, different snmpset command. This second command saves the configuration changes to NVRAM. This is the same as logging into the router and typing write memory or copy running-config startup-config.
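To make the OID structure concrete (the Cisco prefix, the operation arc 53/55/54, and the TFTP server address encoded as the last four arcs), here is an added Python example that is not from the book: it decodes the three OIDs this recipe uses and explains a captured snmpset line of the recipe's form, returning None when the OID, the value type or the instance does not fit. The operation meanings and the rule that a file name is sent with type s come from the recipe; the function names and the dictionary layout are my own.

```python
import re
from ipaddress import IPv4Address

# Prefix of the Cisco MIB extension used in this recipe; the arc after it selects
# the operation: 53 merges a file from TFTP, 55 sends the running config to TFTP,
# 54 writes the running config to NVRAM (all three appear in the recipe).
PREFIX = "1.3.6.1.4.1.9.2.1".split(".")
OPERATIONS = {"53": "upload", "55": "download", "54": "save"}

def decode_config_oid(oid):
    """Return (operation, tftp_server) for one of the recipe's OIDs, else None.

    For upload/download the four arcs after the operation are the TFTP server's
    IPv4 address written as OID sub-identifiers; for save the only instance is .0.
    """
    arcs = oid.lstrip(".").split(".")
    if arcs[:len(PREFIX)] != PREFIX or len(arcs) == len(PREFIX):
        return None
    op, rest = OPERATIONS.get(arcs[len(PREFIX)]), arcs[len(PREFIX) + 1:]
    if op == "save":
        return ("save", None) if rest == ["0"] else None
    if op is None or len(rest) != 4:
        return None
    try:
        return (op, str(IPv4Address(".".join(rest))))
    except ValueError:  # an arc above 255 cannot be part of an address
        return None

def describe_snmpset(cmdline):
    """Explain a captured snmpset line of the recipe's form; None if it is not
    one of the three config operations or its type/value do not fit."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[1:-2], start=1):  # host before, type+value after
        decoded = decode_config_oid(tok)
        if decoded:
            break
    else:
        return None
    op, tftp = decoded
    vtype, value = toks[i + 1], toks[i + 2]
    if op == "save" and (vtype, value) != ("i", "1"):
        return None
    if op != "save" and vtype != "s":  # file name must be sent as a string
        return None
    m = re.search(r"(?<!\S)-c\s*(\S+)", cmdline)
    return {"operation": op, "router": toks[i - 1],
            "community": m.group(1) if m else None,
            "tftp_server": tftp, "file": None if op == "save" else value}
```

Running describe_snmpset over the three commands in the solution section yields download, upload and save respectively, which is a quick way to double-check a command before sending it with a read-write community.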

17.8.4 See Also

Recipe 17.2; Recipe 17.5; Recipe 17.7; Appendix A

