[rancid] Re: Retrieving cisco configuration using SNMP+TFTP

Kevin kkadow at gmail.com
Thu Jun 29 03:19:33 UTC 2006


On 6/28/06, Chris Moody <cmoody at qualcomm.com> wrote:
> 'Write net' (or whatever variation necessary) should be relatively easy
> to implement (however, we all know that IOS CLI is a bit of a bugger
> sometimes for scripts).

Risks and headaches of scripting the CLI are exactly why I went with
the Cisco SNMP solution -- we have technical and political cause not
to have a Unix machine/script with "enable" access into
production-critical Cisco gear.

By using Cisco's "snmp-server view", the community string can only do
one thing -- trigger a "write net".  And with "snmp-server
tftp-server-list", the destination of the write net command can also
be locked down.

This solution gives me much more confidence in the security of the
design than if I were to use "clogin".  Compromise the machine on
which the script runs, and you still don't automatically own the Cisco
routers -- all you can do to the router for which you have a community
is have it send the configuration to the server, you can't even
exploit this to TFTP the configuration to an unapproved destination!


> I'm actually about to tackle this exact task (rancid CVS -and- tftp
> repository).  While this may seem redundant, I have some engineers that
> prefer having a tftp source available for config uploads.  I need to
> have the CVS change repository, but also have a readily available (and
> simple) source for staff to be able to do uploads when devices die.

This is part of why I started looking at rancid -- I want to have a
TFTP server with the latest configurations to do restores, but not
include passwords and crypto secrets -- I started scripting Perl to
remove these, and that's how I ran into rancid.


> p.s. Great work Michael.  Sharp addition. :o)

I will likely hook my Perl script into Michael's "wrancid".
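As an added illustration, not from Kevin's post or from rancid itself, this is how the two IOS knobs he names fit together into the restricted-community design; the view name, ACL numbers, addresses and the community string are placeholder assumptions.

```cisco
! Added example (not from the list post): IOS SNMP configuration that
! limits one community to a single action, triggering "write net".
! View name, ACL numbers, community string and addresses are placeholders.
!
! Hosts allowed to use the community (the collection box only).
access-list 10 remark SNMP source: configuration collector
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
! TFTP servers the router may write its configuration to.
access-list 11 remark approved TFTP destinations for SNMP-triggered copies
access-list 11 permit host 192.0.2.10
access-list 11 deny   any log
!
! View containing only writeNet (OLD-CISCO-SYS-MIB, lsystem.55).
! Nothing else is included, so a leaked community string cannot be
! used to read or change any other SNMP object on the router.
snmp-server view WRITENET-ONLY 1.3.6.1.4.1.9.2.1.55 included
!
! Read-write is required for the SNMP set, but the view confines it to
! writeNet and ACL 10 confines who may send it.
snmp-server community <COMMUNITY-PLACEHOLDER> view WRITENET-ONLY rw 10
!
! Lock down where an SNMP-triggered "write net" may send the config.
snmp-server tftp-server-list 11
```

The collector triggers the copy with a net-snmp `snmpset` of a string (the filename) to `1.3.6.1.4.1.9.2.1.55.<tftp-ip>`; a set from a source outside ACL 10 is dropped by the community ACL, and a destination outside ACL 11 is rejected by the tftp-server-list.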
