Cisco (Altera) VPN concentrators?

Michael Stefaniuc mstefani at redhat.com
Mon Nov 28 19:58:39 UTC 2005


On Wed, Nov 23, 2005 at 03:18:10PM -0800, john heasley wrote:
> Tue, Nov 22, 2005 at 06:52:02PM +0100, Michael Stefaniuc:
> > Hello,
> > 
> > does anybody have a rancid script to get the config file out of the 
> > Cisco VPN3k (formerly Altera) concentrators? Those have a stupid menu 
> > driven system and no cli. The format of the config file is not very user 
> 
> you are probably out of luck.  rancid currently depends on a UI (no snmp
> stuff) and menu-driven UIs are very difficult to deal with via expect.
I know, I have read the FAQ before sending my email. That's why I asked
for a generic rancid wrapper that is able to inject a file (it doesn't
matter how it was gathered) into the rancid CVS.

> > friendly either but I still prefer to back it up ;).
> > Alternatively a generic rancid wrapper that is able to feed a file into
> > the rancid cvs would do too as I already have a script to scp the config
> > file from the VPN3k.
Here is a proposal for such a wrapper. As nothing speaks like code, I
have attached proof of concept code which works for me but is a quick
hack and NOT ready for production. Use at your own risk.
Design:
-------
router.db entry:
<device_type> is of the form wrapper.<plugin> . Example:
# VPN concentrator
192.168.1.1:wrapper.vpn3k:up

wrancid is the actual wrapper and it is called from rancid-fe (patch
attached). What it does is it calls the
/usr/share/rancid/wrapper/<plugin> file passing it the filename to which
to save the config file and the hostname.

/usr/share/rancid/wrapper/vpn3k is the actual workhorse. It
uses scp and snmp to get the config file and some information and
drops them into the filename it got from wrancid.

That's all. Ugly? Sure it is, but it gets the job done (to back up the
device; nothing more). And it is easily extensible; just drop a script
("plugin") that is able to get you a file into /usr/share/rancid/wrapper
and you're done. The plugin file can be written in any language and
doesn't have to use expect. How the plugin file gets to the config file
depends on the device polled (scp, ftp, http, trained monkey) and it
doesn't really matter.

Possible improvements of wrancid would be to parse .cloginrc and pass
the username/password down to the plugin scripts, making those easier, but
that needs to be done securely (no command line and no environment). At
the moment vpn3k has it hard coded in the file (did I say that it is
proof of concept code?). And the scripts would need some error handling
too.

Comments?

bye
	michael
-- 
Michael Stefaniuc               Tel.: +49-711-96437-199
Sr. Network Engineer            Fax.: +49-711-96437-111
Red Hat GmbH                    Email: mstefani at redhat.com
Hauptstaetterstr. 58            http://www.redhat.de/
D-70178 Stuttgart
-------------- next part --------------
#!/usr/bin/perl -w
#
# wrancid - Wrapper script for all the devices without a proper cli but
#           for which there is another way to get to the config file.
#
# WARNING: This is only PROOF OF CONCEPT code and will screw up your data
#          and eat babies!!!
#
# Copyright 2005 Michael Stefaniuc for Red Hat
#
# This script is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#

use strict;
use Getopt::Std;

#############
# Variables #
#############
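my $plugin_dir = '/usr/share/rancid/wrapper';
my %options = ();
getopts("f:s:", \%options);
my $host = $ARGV[0];
my $script = $options{'s'};
my $file;

# Both the plugin name and the host are required.
if (!defined($script) || !defined($host)) {
    die "Usage: wrancid [-f file] -s plugin host\n";
}

# The plugin name comes from router.db; accept only a plain file name so
# that it cannot point outside of $plugin_dir (no '/', no leading '.').
if ($script !~ /^\w[\w.-]*\z/) {
    die "Invalid plugin name '$script'\n";
}

if (defined($options{'f'})) {
    $file = $options{'f'};
} else {
    $file = $host . ".new";
}

# Call the plugin script and let it do the work. The list form of exec
# does not go through a shell.
exec("$plugin_dir/$script", "-f", $file, $host) or
    die "Couldn't execute the '$plugin_dir/$script' script!\n";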



-------------- next part --------------
--- rancid-fe.orig	2005-11-28 10:53:11.000000000 -0500
+++ rancid-fe	2005-11-28 11:17:35.000000000 -0500
@@ -49,6 +49,7 @@
 elsif ($vendor =~ /^redback$/i)		{ exec('rrancid', $router); }
 elsif ($vendor =~ /^riverstone$/i)	{ exec('rivrancid', $router); }
 elsif ($vendor =~ /^tnt$/i)		{ exec('tntrancid', $router); }
+elsif ($vendor =~ /^wrapper\.(.+)$/i)	{ exec('wrancid', '-s', $1, $router); }
 elsif ($vendor =~ /^zebra$/i)		{ exec('zrancid', $router); }
 else {
     printf(STDERR "unknown router manufacturer for $router: $vendor\n");
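Review bot: the `(.+)` capture in the added `wrapper\.` branch is handed to wrancid unchecked as the `-s` plugin name, and wrancid joins that name onto its plugin directory before calling exec, so a router.db device type whose plugin part contains `/` or `..` would run a file outside /usr/share/rancid/wrapper. Restrict the capture to a plain file name, for example `/^wrapper\.([\w-]+)$/i`. Because of the `/i` flag the `wrapper.` prefix is case-insensitive while the plugin name still has to match the file name on disk exactly, which deserves a line in the router.db documentation.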
-------------- next part --------------
#!/usr/bin/perl -w
#
# vpn3k - SCP and SNMP Backup script for Cisco VPN 3K concentrators
#         to be used by the wrancid rancid wrapper
#
# WARNING: This is only PROOF OF CONCEPT code and will screw up your data
#          and eat babies!!!
#
# Copyright 2005 Michael Stefaniuc for Red Hat
#
# This script is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
#######################################################
# Modules
#######################################################

# Load any modules needed
use strict;
use Getopt::Std;
use Net::SCP::Expect;
use File::Temp;

#######################################################
# Variables
#######################################################

# Initialize variables used in this script

my $backup_user = "backup";
my $backup_pass = "backup";
my $snmp_community = 'public';

my %options = ();
getopts('f:', \%options);
my $file = $options{'f'};
my $fh;
my $host = $ARGV[0];
(my $tempfh, my $tempfile) = mkstemp( "/tmp/tmpfileXXXXX" );
#close($tempfh);

# Open the output file.
open($fh, ">", $file) or die "Cannot open output file\n";
print($fh "#RANCID-CONTENT-TYPE: wrapper.vpn3k\n#\n");

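# Get some infos from snmp. snmpget is run through a list-form pipe open so
# that $host and the community string are never interpreted by a shell.
sub snmp_get {
    my ($oid) = @_;
    open(my $snmp, "-|", "snmpget", "-v2c", "-c", $snmp_community, "-On", $host, $oid)
	or return "";
    my $out = do { local $/; <$snmp> };
    close($snmp);
    $out = "" unless defined($out);
    chomp($out);
    return $out;
}

# sysDescr.0 carries the software version and build information
my $result = snmp_get(".1.3.6.1.2.1.1.1.0");
if ($result =~ /VPN 3000 Concentrator Version (\S+) built by (\S+) on (.+)$/i) {
    my $version = $1;
    my $compiled = "$3 by $2";
    print($fh "#Chassis Type: VPN 3000\n#\n");
    # entPhysicalSerialNum.1 carries the chassis serial number
    $result = snmp_get(".1.3.6.1.2.1.47.1.1.1.1.11.1");
    if ($result =~ /"([^"]+)"/) {
	print($fh "#Serial Number: $1\n#\n");
    }
    print($fh "#Image: Version: $version\n");
    print($fh "#Image: Compiled: $compiled\n#\n");
}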

# Call scp and download the running config.
my $scp_session = Net::SCP::Expect->new(user=>"$backup_user",password=>"$backup_pass");
# the connection sometimes terminates incorrectly even though the file was
# fully transferred, so errors from scp are ignored here
eval { $scp_session->scp("$host:config", $tempfile); };

# Copy the config file over removing the comment at the beginning
open($tempfh, "<", $tempfile) or die "Scp seems to have failed\n";

my $line;
while ($line = <$tempfh>) {
    if ($line =~ /^#/) {
	next;
    }
    print($fh $line);
}

#######
# End #
#######
close($fh);
close($tempfh);
unlink($tempfile);
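
The improvement suggested in the message above (parse .cloginrc and pass the username/password to the plugin with "no command line and no environment") can be done with a pipe on the plugin's stdin. The following is an added example, not part of the original post or of rancid: clogin_lookup, run_plugin, the sample .cloginrc text and the stand-in plugin are assumptions made for illustration, and the .cloginrc parsing is deliberately simplified.

```perl
# Added example (not from the original post); names and data are assumptions.
use strict;
use warnings;

# Simplified .cloginrc lookup (assumption: only "add <key> <glob> <value>"
# lines, optional {braces} around the value, first matching glob wins).
sub clogin_lookup {
    my ($text, $key, $host) = @_;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^\s*add\s+\Q$key\E\s+(\S+)\s+(.+?)\s*$/;
        my ($glob, $rest) = ($1, $2);
        my $re = quotemeta($glob);   # glob -> regex: literal except * and ?
        $re =~ s/\\\*/.*/g;
        $re =~ s/\\\?/./g;
        next unless $host =~ /^$re\z/;
        return $rest =~ /^\{([^}]*)\}/ ? $1 : (split ' ', $rest)[0];
    }
    return;
}

# Run a plugin with the credentials on its stdin, one per line. They never
# appear in argv (visible in ps) or in the environment (inherited by children).
sub run_plugin {
    my ($user, $pass, @cmd) = @_;
    pipe(my $rd, my $wr) or die "pipe: $!\n";
    defined(my $pid = fork()) or die "fork: $!\n";
    if ($pid == 0) {                       # child: the pipe becomes stdin
        close($wr);
        open(STDIN, '<&', $rd) or die "dup: $!\n";
        exec { $cmd[0] } @cmd or die "exec $cmd[0]: $!\n";
    }
    close($rd);
    local $SIG{PIPE} = 'IGNORE';           # plugin may exit without reading
    print {$wr} "$user\n$pass\n";
    close($wr);
    waitpid($pid, 0);
    return $? >> 8;
}

# Constructed sample data and a stand-in plugin, so the example runs offline.
my $cloginrc = "add user 192.168.1.* backup\n"
             . "add password 192.168.1.* {s3cret-example}\n"
             . "add user * admin\n";
my $host = '192.168.1.1';
my $user = clogin_lookup($cloginrc, 'user', $host);
my $pass = clogin_lookup($cloginrc, 'password', $host);
my $stand_in = 'chomp(my ($u, $p) = <STDIN>); exit($u eq "backup" && $p ne "" ? 0 : 1)';
my $status = run_plugin($user, $pass, $^X, '-e', $stand_in, '-f', "$host.new", $host);
print "plugin exit status: $status\n";
```

A real plugin would read the two lines from STDIN in place of the hard-coded $backup_user and $backup_pass; passwords containing a newline are not handled by this framing.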


More information about the Rancid-discuss mailing list