Re: switch backups generate from switch or have a central initiating server

romanroma · ‎01-26-2019

I am looking at cost effective solutions to automatically backup around 80-200 switches. Due to the latter, I am researching the capability of the schedule and a Tcl script on the physical switch 2960x, and some 3750. The idea is to have the switch generate the backup and off-load to a tftp server.

I am conflicted – I can do these tasks with a Tcl\expect script from a server, and have the script login via SSH; however, I really do not want to manage a server and worry about passwords floating around in a Tcl\expect script. My skill set is not great with Linux/Windows security, nor do I want to worry about permissions and other aspects of a server; however, I will if needed.

So – my question is – does anyone use the schedule to auto generate backups? What is a cost-effective way to get automatic backups of switches? Currently I am just backup up my switches when a config change has been made. It seems to be working ‘OK’ for now, and it is only one more step once config changes have been made.

STEP 1: copy run start

STEP 2: copy start tftp

ngkin2010 · ‎01-26-2019

In my experience, tcl/expect (on Linux server) or any custom script based on it is very handy for auto configuration backup. Especially the multi-threading allow you to backup the hundreds of devices in just a few seconds.

Although tcl/expect is very handy, I would say RANCID ( network management application ) is the most cost effective way to perform configuration backup in manageable way (especially it has version control feature).

I would not prefer any scripting running on switch / router, because it definitely not manageable if you have hundreds of devices (which mean you have hundreds of independent script). It's hard to maintain the scripts, the result of scripts...

So, I would definitely suggest you use a Linux/Windows server to act as a centralized remote access server for backup purpose.

Reza Sharifi · ‎01-26-2019

If you are using an application like SolarWinds to manage all your switches via SNMP, you can also use the same application to backup the configs daily nightly or any time you want.

HTH

balaji.bandi · ‎01-26-2019

There is 2 Option you have

1. if you know linux environment, you can setup with expect to backup automatically every night. making cron job.

2. Cattools is simple tool for windows, and it will do for you automatically and send report backup failed and success.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

romanroma · ‎01-26-2019

I like the idea of a central location to manage my 'backup script'; however, I have some reservations about putting a password in my script, or another file. Has any played around with Hashing passwords from the shadow file on Linux? I am not sure how this would even be done on Windows.

I understand that on Linux I can use 'root' and store the script and password file; however, I have a number of admins that have 'root' and or sudo/su access. Due to the latter, not sure if having a script to backup devices is a good fit for my environment.

I will have to check out rancid, it has been sometime since I used it, which was like 5-7 years ago. Do you know if Rancid supports Nexus:7k, 5k devices?

balaji.bandi · ‎01-27-2019

I understand the security concern, you can create a use who has only certain command to take back up and use in the script for backup only, so this will not get harm in terms of security.

or if you writing perl or shell, you make them as excutable, so no one can see the content inside.

Linux is like sky limit option and no cost involved.

The same task can be done in windows tried once long ago..but i still go with Linux. it has capabilites also with report what device backup and any changes and send report in the daily basis and strored.

we using Linux and nexus backup working as expected, this can be done with RAncid als.

I also like the idea @Leo Laohoo suggested. if taht suites your needs.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

romanroma · ‎01-28-2019

You make a good point about being compiled. I have used Perl in the past, and use Perl Packer to roll into executable; however, I have noted used the Perl Expect module from CPAN. Can you recommend a good CPAN Expect module?

I guess I can look into the Expect module for Python; however, always liked the native Expect/Tcl support the best. Yet not sure if you can compile Tcl scripts that leverage Expect.

Leo Laohoo · ‎01-26-2019

archive
 log config
  logging enable
  hidekeys
 path tftp://<TFTP_IP_ADDRESS>/path/$h-$t
 time 86400
 write-memory

(Except for the 2960X/XR, Cat 2K doesn't support TCL.)

Try the method above. There are two ways to save the config:

If left alone, the switch will save the config every 24 hours ("time 86400"); and/or
If someone saves the config ("write-memory")

romanroma · ‎01-28-2019

Thank you for the script. I should have pointed out that I am using 2960x - is anyone still using 2k Cat switches? I thought those units were end of life and if so, TIME FOR UPGRADE!!!

Leo Laohoo · ‎01-28-2019

@romanroma wrote:

I should have pointed out that I am using 2960x

The script will work for a 2960/G/S/X/XR. Try it.