Remote configuration through snmp and tftp

This page or section provides device configuration instructions
Please note that the information on this page has not been checked for accuracy and is not intended as a replacement to documentation. Please ensure you understand your desired objectives before attempting to apply any examples listed.
Prerequisites

You need SNMP write access; read-only SNMP access will not permit the changes described here. You also need a TFTP server and a toolset such as net-snmp. The SNMP tool must be able to deliver an SNMP set message to the device (you don't need any MIBs for this). The host from which you run snmpset must be permitted to issue SNMP write operations with the associated community string.

Description

This article explains the SNMP method of uploading a configuration in a little more detail. Although IOS has supported SNMP-driven config/flash manipulation for a very long time, it seems that only a few people know of it and use it outside of network management systems.

Sometimes you need to get configuration commands onto a router or switch without any CLI access. For example, you have accidentally locked yourself out of the device (non-working aaa config) and want to fix that without a reload.

To make changes to a running config outside of config mode, IOS has long supported merging configurations via the

 copy <source> running-config

command. The source is a text file containing the commands you would enter at the config prompt, for example:

  no aaa new-model
  int Gig0/1
  no ip access-group in 
  line vty 0 15
  password ifsckedup

This file is usually served from a TFTP server. Because we assume that you no longer have direct CLI access, an SNMP set is used to issue the copy command. The syntax is as follows:

snmpset -v<SNMP_VERSION> -c<RW_COMMUNITY_STRING> <DEVICE_IP> 1.3.6.1.4.1.9.2.1.53.<IP_OF_TFTP_SERVER> s "<FILENAME>"

The CCO document referenced at the end of this article lists some additional OIDs. You can easily adapt this example to upload config files directly as startup configs, or to copy files from the flash to your TFTP server and vice versa.

Example

This is an example walkthrough of the steps required.

determine what to change

Of course, you need to know what to change. It is best to look at a backup config to see whether your idea really makes sense. Again, you need SNMP write access; read-only won't work.

For this example, I assume that I have locked myself out of a router and need to change the access list MANAGEMENT to regain remote CLI access. This is what the messed-up ACL looks like on the device:

Router#sh access-list MANAGEMENT               
Standard IP access list MANAGEMENT
    10 deny   any log
Router#

prepare config statements

Go to your TFTP server and create a file containing all the desired commands (conf t is not required).

For the example, I only need a permit statement at the beginning:

 ip access-list standard MANAGEMENT
 1 permit host 192.168.10.250

SNMP SET

The final step is to tell the router to fetch this file via TFTP and copy its contents to the running configuration.

I use SNMP version 2, the RW community string is letmein, and the IP address of the router is 192.168.10.254. My TFTP server is at 192.168.10.1, and the file containing my changes is named unlockme.

$ snmpset -v2c -cletmein 192.168.10.254 .1.3.6.1.4.1.9.2.1.53.192.168.10.1 s "unlockme"
SNMPv2-SMI::enterprises.9.2.1.53.192.168.10.1 = STRING: "unlockme"
$

The router has fetched the file and merged its content with the running-config:

Router#sh access-lis MANAGEMENT
Standard IP access list MANAGEMENT
    1 permit 192.168.10.250
    10 deny   any log
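
For auditing, note that the OID instance in the snmpset output above carries the TFTP server address and the value carries the file name. The following is an added example, not part of the original article: it parses varbind lines in the symbolic form shown above and in net-snmp's numeric form, and marks any TFTP server that is not on an allowlist. The allowlist and all sample lines except the first are constructed.

```python
import ipaddress
import re

# OID from this page: instance index = TFTP server IP, value = file name.
# Accepts net-snmp's default symbolic form and the numeric (-On) form.
VARBIND_RE = re.compile(
    r'^(?:\.?1\.3\.6\.1\.4\.1\.9\.2\.1\.53|SNMPv2-SMI::enterprises\.9\.2\.1\.53)'
    r'\.(?P<index>\d+\.\d+\.\d+\.\d+)\s*=\s*STRING:\s*"(?P<file>[^"]*)"$'
)


def parse_varbind(line):
    """Return (tftp_server, filename) for a config-merge varbind, else None."""
    m = VARBIND_RE.match(line.strip())
    if not m:
        return None
    try:
        server = ipaddress.IPv4Address(m.group("index"))
    except ipaddress.AddressValueError:
        return None  # index is not a valid IPv4 address
    return server, m.group("file")


def audit(lines, allowed_servers):
    """List (server, filename, approved) for every matching varbind line."""
    allowed = {ipaddress.IPv4Address(a) for a in allowed_servers}
    findings = []
    for line in lines:
        parsed = parse_varbind(line)
        if parsed:
            server, filename = parsed
            findings.append((str(server), filename, server in allowed))
    return findings


# Constructed sample input; only the first line appears on this page.
SAMPLE = [
    'SNMPv2-SMI::enterprises.9.2.1.53.192.168.10.1 = STRING: "unlockme"',
    '.1.3.6.1.4.1.9.2.1.53.203.0.113.7 = STRING: "cfg.txt"',
    'SNMPv2-MIB::sysName.0 = STRING: "Router"',
    '.1.3.6.1.4.1.9.2.1.53.300.1.1.1 = STRING: "x"',
]

if __name__ == "__main__":
    # Assumed allowlist: the TFTP server used in this article's example.
    for server, filename, ok in audit(SAMPLE, ["192.168.10.1"]):
        print(f"{server} {filename!r} {'approved' if ok else 'UNAPPROVED'}")
```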

Reference

CCO:Moving Files and Images Between a Router and TFTP Server via SNMP
