[rancid] Retrieving cisco configuration using SNMP+TFTP

Kevin kkadow at gmail.com
Tue Jun 27 21:49:13 UTC 2006


Has any work been done with RANCID to retrieve cisco configuration via SNMP?

I have a script using the Cisco::CopyConfig perl module to extract
from switches and routers.  I'm working on hooking this into rancid.

The script uses a ReadWrite community string to send a SNMP command
instructing IOS to upload configuration to a TFTP server.

This isn't quite as insecure as you might think at first glance :)

IOS provides "snmp-server view" and "snmp-server tftp-server-list" settings,
restricting a SNMP community to a source IP accessing a specific OID,
and simultaneously restricting destination TFTP server.  The tricky
part may be ensuring that the TFTP server itself is secure.  To this end I
use OpenBSD's TFTP proxy.


Kevin Kadow

===== Pseudocode follows =====
#! /usr/bin/perl
#
# Cisco::CopyConfig requires Net::SNMP
#
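use strict;
use warnings;
use Cisco::CopyConfig;
use Socket;

# Device address, TFTP server address and upload file name come from the
# command line; the RW community is read from the environment so it does
# not show up in the process list.
my ($ip, $tftpserver, $filename) = @ARGV;
my $community = $ENV{SNMP_COMMUNITY};
die "usage: SNMP_COMMUNITY=... $0 ip tftpserver filename\n"
  unless defined $filename and defined $community;

# Pre-create the upload target so the TFTP daemon can write to it
unless (-w $filename) {
  open(my $new, '>', $filename) or die "Cannot create $filename: $!";
  close($new);
  chmod 0622, $filename;
}

# Ask IOS (over SNMP) to upload its configuration to the TFTP server
my $config = Cisco::CopyConfig->new('Host' => $ip, 'Comm' => $community);
$config->copy($tftpserver, $filename);
chmod 0622, $filename;

if (my $error = $config->error()) {
  die "Error result is $error";
}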

###EOF###
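
Added example, not part of the original post: a small Python check that an IOS configuration applies the restrictions the post describes (a view and a source ACL on every read-write community, plus an "snmp-server tftp-server-list"). The sample configurations, the names EXAMPLE-RW and COPYCFG, the addresses and the view OID (assumed here to be the CISCO-CONFIG-COPY-MIB subtree) are constructed for illustration; only numbered ACLs are handled.

```python
import re

# Constructed IOS fragments (not from the post); names and addresses are placeholders.
WEAK = "snmp-server community EXAMPLE-RW RW\n"
HARDENED = """\
access-list 10 permit 192.0.2.10
access-list 11 permit 192.0.2.20
snmp-server view COPYCFG 1.3.6.1.4.1.9.9.96 included
snmp-server community EXAMPLE-RW view COPYCFG RW 10
snmp-server tftp-server-list 11
"""

COMMUNITY = re.compile(
    r"snmp-server community \S+(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?$", re.I)


def audit(config):
    """Return findings for read-write SNMP communities in an IOS config."""
    lines = [line.strip() for line in config.splitlines()]
    views = {l.split()[2] for l in lines if l.startswith("snmp-server view ")}
    acls = {l.split()[1] for l in lines if l.startswith("access-list ")}
    tftp = [l.split()[2] for l in lines
            if l.startswith("snmp-server tftp-server-list ")]
    findings, rw_seen = [], False
    for num, line in enumerate(lines, 1):
        m = COMMUNITY.match(line)
        if not m or (m["mode"] or "RO").upper() != "RW":
            continue
        rw_seen = True
        # Report by line number so the community string never reaches a log.
        if m["view"] not in views:
            findings.append(f"line {num}: RW community has no defined view")
        if m["acl"] not in acls:
            findings.append(f"line {num}: RW community has no source ACL")
    if rw_seen and not any(a in acls for a in tftp):
        findings.append("no snmp-server tftp-server-list with a defined ACL")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "ok")
```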


