
EEM configuration backup using CISCO-COPY-CONFIG-MIB


The script calculates an MD5 hash of the running configuration and compares it to the previous MD5 hash. If the hashes match, the configuration has not changed and no action is taken. If the hash is different, the script copies the configuration to an FTP server.

The script is triggered by a crontab entry of "0 0 * * *", which means every day at midnight.

 

Requirements:
Three EEM environment variables must be created in the device CLI:
event manager environment ftpserver <ftp ip address>
event manager environment ftpuser <username>
event manager environment ftppass <ftp password>

 

A fourth environment variable is optional. If it is set, the script sets the OIDs in the CISCO-COPY-CONFIG-MIB to perform the FTP transfer. If it is not set, the script uses normal CLI commands to perform the FTP transfer.
event manager environment community <snmp community>

Note that the SNMP community must have write permission if SNMP is used:
  snmp-server community <snmp community> rw

 

The script can also be executed manually from CLI exec mode:

event manager run config_backup.tcl

Comments
Beginner

Thanks Daniel. Unfortunately, the script isn't running for me. It doesn't seem to recognize media, which looks like it should be the location of the script. In my case, this is flash:/. Here's what I'm getting:

Sep  4 15:55:01.391: %HA_EM-6-LOG: config_backup.tcl: can't read "media": no such variable
Sep  4 15:55:01.391: %HA_EM-6-LOG: config_backup.tcl:     while executing
Sep  4 15:55:01.391: %HA_EM-6-LOG: config_backup.tcl: "cli_exec $cli1(fd) "copy run $media:runningconfig\r\r""
Sep  4 15:55:01.391: %HA_EM-6-LOG: config_backup.tcl:     invoked from within
Sep  4 15:55:01.391: %HA_EM-6-LOG: config_backup.tcl: "$slave eval $Contents"
Sep  4 15:55:01.391: %HA_EM-6-LOG: config_backup.tcl:     (procedure "eval_script" line 7)
Sep  4 15:55:01.391: %HA_EM-6-LOG: config_backup.tcl:     invoked from within
Sep  4 15:55:01.391: %HA_EM-6-LOG: config_backup.tcl: "eval_script slave $scriptname"
Sep  4 15:55:01.391: %HA_EM-6-LOG: config_backup.tcl:     invoked from within
Sep  4 15:55:01.395: %HA_EM-6-LOG: config_backup.tcl: "if {$security_level == 1} {       #untrusted script
Sep  4 15:55:01.395: %HA_EM-6-LOG: config_backup.tcl:      interp create -safe slave
Sep  4 15:55:01.395: %HA_EM-6-LOG: config_backup.tcl:      interp share {} stdin slave
Sep  4 15:55:01.395: %HA_EM-6-LOG: config_backup.tcl:      interp share {} stdout slave
Sep  4 15:55:01.395: %HA_EM-6-LOG: config_backup.tcl: ..."
sw1#
Sep  4 15:55:01.395: %HA_EM-6-LOG: config_backup.tcl:     (file "tmpsys:/lib/tcl/base.tcl" line 50)
Sep  4 15:55:01.395: %HA_EM-6-LOG: config_backup.tcl: Tcl policy execute failed: 
Sep  4 15:55:01.395: %HA_EM-6-LOG: config_backup.tcl: can't read "media": no such variable

 

As stated in the file, the following has been added to my configuration:

event manager directory user policy "flash:/"
event manager policy config_backup.tcl type user
event manager environment ftpserver x.x.x.x
event manager environment ftpuser ftpuser
event manager environment ftpass ftppass
event manager environment snmp-rw
Cisco Employee

Make sure you are using version 1.2 (I have updated the config_backup.tcl file) since I initially posted this doc on Friday. The version number is posted inside the comments of the script. Also verify that you have created an snmp read-write community on the router, "snmp-server community snmp-rw rw" as an example. Your event manager config looks good; however, you may need to reregister the policy with authorization bypass. Two step process:

 

  1. no event manager policy config_backup.tcl ty user
  2. event manager policy config_backup.tcl type user authorization bypass

If this does not fix the issue please post the type  of device and IOS version.

Beginner

After adding authorization bypass, the script gets further along, but is still failing.

Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl: previous hash = 0 | current hash = 3867625843638b715ffe4c9547c57186
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl: can't read "community": no such variable
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl:     while executing
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl: "sys_reqinfo_snmp_set oid 1.3.6.1.4.1.9.9.96.1.1.1.1.2.$RND int 2 community $community "
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl:     invoked from within
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl: "$slave eval $Contents"
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl:     (procedure "eval_script" line 7)
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl:     invoked from within
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl: "eval_script slave $scriptname"
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl:     invoked from within
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl: "if {$security_level == 1} {       #untrusted script
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl:      interp create -safe slave
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl:      interp share {} stdin slave
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl:      interp share {} stdout slave
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl: ..."
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl:     (file "tmpsys:/lib/tcl/base.tcl" line 50)
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl: Tcl policy execute failed: 
Sep  4 16:45:01.898: %HA_EM-6-LOG: config_backup.tcl: can't read "community": no such variable

 

I do have a rw community string configured.

snmp-server community password RW snmp-rw

 

I can't say I understand the need for the SNMP OIDs. To me, I'd just issue the CLI command to copy a file to an FTP server, but maybe there's some benefit that I'm missing.

 

The device I'm currently testing on is a WS-C3560CX-12PC-S running 15.2(4)E3. As far as the TCL version, I'm not sure how to check this.

 

Cisco Employee

There is an error in one of your statements that is preventing the community variable from populating.

Change this:

event manager environment snmp-rw

to this:

event manager environment community snmp-rw

 

The SNMP OIDs provide a common interface so any device that supports the CISCO-COPY-CONFIG-MIB and EEM could use this script without having to modify it. Sometimes the CLI syntax can change between devices, so the script would not be as portable from one platform to another.

 

Beginner

Sorry about that.

 

The first time I run it, I get the following error:

Sep  4 22:05:02.217: %HA_EM-7-FMFD_SNMP_REQ_FAILED: fh_fd_snmp_set_var: SNMP request failed

 

After running it the first time, the script doesn't seem to catch the above error as it will compute and save the hash. So the next time it runs and assuming the hashes are the same, it won't attempt to backup the config, even though it failed the first time.

 

Looking up the error above, the only thing I could find was a post that suggested adding the following configuration command:

snmp-server manager

 

Even with adding that, I'm still getting the same error.

Cisco Employee

Verify that your snmp community values match. Looking at the previous posts I see the community is set to "password" with this command

snmp-server community password RW snmp-rw

and the community value for the EEM script is set to "snmp-rw". Make them the same, where password is the community value in each statement.

 

snmp-server community password rw

event manager environment community password

Beginner

Thanks, but still no change. Still getting the same error message as before.

sw1#sh run | i event
event manager environment ftpserver 10.15.6.146
event manager environment ftpuser ftpuser
event manager environment ftppass ftppass
event manager environment community password
event manager directory user policy "flash:/"
event manager policy config_backup.tcl type user authorization bypass
sw1#sh run | s snmp
snmp-server community password RW snmp-rw
snmp-server location XXXXX
snmp-server ip dscp 16
snmp-server system-shutdown
snmp-server manager
Cisco Employee

I get the same error when there is an ACL associated with the snmp community.   Does the error go away when the ACL is removed?

 

 

no snmp-server community password RW snmp-rw
snmp-server community password RW 

 

Beginner

Yup. Everything seems to work when the ACL is removed. Unfortunately, every device in my environment has an ACL applied to the SNMP communities. Any idea why it doesn't work with an ACL?

Cisco Employee

I added the ability to do FTP file transfer via CLI. If the config does NOT contain: event manager environment community <snmp community> rw then the script will use CLI. If that line is present in the config the script will use SNMP to do the file transfer.

Version 1.3 is now posted as config_backup.zip

Beginner

Thanks Daniel. Seems to be working as expected.

 

How difficult is it to loop through the running-config, remove the first 4 lines that contain "!", and then compute the hash? The idea behind computing a hash of the config is to check if the configuration has truly changed. The only issue with it is that any time you exit global configuration mode, a timestamp within the running-config is updated. This happens regardless of whether or not a configuration command is issued. This prevents the hash from truly tracking config changes.

!
! Last configuration change at 17:08:29 EDT Tue Sep 11 2018 by user
! NVRAM config last updated at 17:08:29 EDT Tue Sep 11 2018 by user
!
Cisco Employee

Version 1.4 updated to not account for lines beginning with ! when calculating md5 hash.

Beginner

Thanks. Looks to be working.

 

Is context_retrieve persistent after a reboot? The hash generally seems to still exist after a reboot, but every once in a while, it won't.

 

An even weirder issue I'm seeing is the script runs and has a hash. I reboot the switch and the script computes the same hash. However, if I enter global config mode and exit, when the script runs the next time, it will compute a different hash. I'm not understanding how this is possible. Before rebooting the switch, I can enter/exit global config mode as much as I want and it works no problem. For whatever reason, the first time I enter/exit global config mode after a reboot, it gets a different hash. Afterwards, entering/exiting global config mode works as expected.

 

Are you able to duplicate these results on your end as well? I'm not understanding why a reboot is causing issues as the config isn't changing.

Beginner

I think I see the issue. Within the running-config, there are 2 timestamps:

  1. Last configuration change
  2. NVRAM config last updated

 

Additionally, there's the size in bytes of the running-config. So when you reboot the device, the running-config will no longer have the NVRAM config last updated timestamp, thus changing the size of the running-config. When the script computes the hash after reboot, the size of the config file has changed, and because that line is in the running-config, the file is no longer the same as before.

 

To fix this, the line starting with Current configuration would have to be omitted before computing the hash.

 

 

Cisco Employee

The policy framework is in place and it should be easy to update. There is a CLI command in the policy, "show running-config | exclude ^!"; update it to "show running-config | exclude ^! | Current configuration" to omit that line. Once the CLI has been updated, reregister the policy on the device.
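The hash-compare logic described at the top of the page, together with the line filtering the thread converges on (drop the "!" timestamp lines and the "Current configuration : N bytes" line) and the point raised earlier that a failed transfer should not be recorded as a successful backup. This is an added illustration in Python, not the config_backup.tcl script itself; the sample configs are constructed, and copy_to_ftp stands in for the real SNMP or CLI copy.

```python
import hashlib

# Constructed sample running-config headers (not taken from the thread). The byte
# count and the '!' timestamp lines are what changes after a reboot or after
# entering and leaving global configuration mode, with no real config change.
CONFIG_BEFORE_REBOOT = """\
Current configuration : 4123 bytes
!
! Last configuration change at 17:08:29 EDT Tue Sep 11 2018 by user
! NVRAM config last updated at 17:08:29 EDT Tue Sep 11 2018 by user
!
hostname sw1
snmp-server community password RW snmp-rw
end
"""
# Same device after a reload: the NVRAM line is gone, so the size line differs too.
CONFIG_AFTER_REBOOT = """\
Current configuration : 4058 bytes
!
! Last configuration change at 17:08:29 EDT Tue Sep 11 2018 by user
!
hostname sw1
snmp-server community password RW snmp-rw
end
"""
# A genuine change: the community string was renamed.
CONFIG_CHANGED = CONFIG_AFTER_REBOOT.replace("password RW", "newstring RW")


def normalize_config(text: str) -> str:
    """Drop the volatile lines before hashing: every line starting with '!'
    (the timestamps) and the 'Current configuration : N bytes' size line,
    i.e. the same filter as 'show running-config | exclude ^!' plus the
    Current configuration line."""
    keep = [ln.rstrip() for ln in text.splitlines()
            if not ln.startswith("!") and not ln.startswith("Current configuration")]
    return "\n".join(keep) + "\n"


def config_hash(text: str) -> str:
    """MD5 of the normalized config, in the hex form the script logs."""
    return hashlib.md5(normalize_config(text).encode()).hexdigest()


def run_cycle(stored_hash, running_config, copy_to_ftp):
    """One scheduled run. stored_hash is what the previous run saved (the script
    logs it as 0 on the first run). copy_to_ftp is a hypothetical callable that
    returns True on success. Returns (attempted, hash_to_store); the stored hash
    only advances when the copy succeeded, so a failed transfer is retried on
    the next run instead of being skipped as 'unchanged'."""
    current = config_hash(running_config)
    if stored_hash == current:
        return False, stored_hash
    if copy_to_ftp(running_config):
        return True, current
    return True, stored_hash
```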
