Keeping revisions and history on device configs is an essential part of a good change control process. I've found this to be an extremely useful and ass-saving part of system/network administration.
WARNING: Consider the security ramifications before you start a project like this. Access to network configs saved on a filesystem or code repository can reveal network topology and login information (some network gear passwords are easily decrypted). Be careful how and where you store this data. For my environment, the tftp server and SVN repository have restricted access to only the systems team.
Here's how I do it:
Setting up TFTPd is pretty easy. On Ubuntu/Debian, it's simple:
apt-get install xinetd tftpd tftp
Set up something like this in /etc/xinetd.d:
service tftp
{
    protocol    = udp
    port        = 69
    socket_type = dgram
    wait        = yes
    user        = nobody
    server      = /usr/sbin/in.tftpd
    server_args = /tftpboot
    disable     = no
}
Set up the various directories and start the daemon. Be sure of your permissions, as your switch configs will be written to these directories.
mkdir -p /tftpboot/netconfigs/
chmod -R 700 /tftpboot
chown -R nobody /tftpboot
/etc/init.d/xinetd start
Double-check that you can write switch configs out from your network gear. This is what it looks like on a Cisco 3560:
copy system:/running-config tftp://TFTPHOST:/netconfigs/SWITCH.config
And on a Cisco PIX firewall:
wr net TFTPHOST:netconfigs/SWITCH.config
Now you need to automate this. I created a utility user on each switch and a utility user in my subversion repository. This is what my tftp_switch.sh script looks like for my Cisco 3560s:
#!/bin/sh
DATE=$(date +%F)
SWITCHES='sw-1 sw-2 sw-3 sw-4 sw-5'
USER=username
PASS=password
TFTPHOST="TFTPHOST"

# ~/cronlogs must already exist; one log file per switch per day
for SWITCH in $SWITCHES
do
  (
    # log in with the utility user
    echo "${USER}"
    sleep 1
    echo "${PASS}"
    sleep 1
    # push the running config to the TFTP server (same URL form as the manual test above)
    echo "copy system:/running-config tftp://${TFTPHOST}:/netconfigs/${SWITCH}.config"
    sleep 15
    echo "exit"
    sleep 2
    echo exit
    # relay anything left on stdin to the switch, then the pipe closes and telnet exits
    while read cmd
    do
      echo "$cmd"
    done
  ) | telnet "$SWITCH" >> ~/cronlogs/"${SWITCH}.${DATE}.log"
done
The 'sleep 15' is there in case it takes a moment to write to the tftp server.
I set up another script that runs the actions above, moves the files into the correct subversion tree, scrubs the files for strings that change too much (like timestamps or what-not) and then checks them into SVN. Here's my example:
#!/bin/sh
# write out network configs to TFTP server
/root/bin/tftp_switch.sh >/dev/null 2>&1
# copy them into the SVN tree
cp -fv /tftpboot/netconfigs/*.config /root/svn/network/
# remove things that change all the time
sed -i "s/ntp clock-period.*/ntp clock-period/g" /root/svn/network/sw-*.config
sed -i "s/Written by.*/Written by/g" /root/svn/network/sw-*.config
# check them in with subversion
cd /root/svn/network ; \
svn add -q *.config ; \
svn commit -q -m 'automatic checkin'
I set both scripts to be owned by root, mode 500, and run the second one nightly from cron.
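As an added example (not the post's script), here is a POSIX sh version of the scrub step that also checks that each pulled file is a complete config before it is staged into the SVN working copy, so a transfer cut short by the fixed 'sleep 15' is not committed as a bogus change. The sample configs are constructed inline, and the extra sed patterns and the trailing 'end' check are assumptions about IOS output, not something taken from the post.

```shell
#!/bin/sh
# Added example (not the post's script): scrub volatile lines from a pulled
# config and refuse to stage it for SVN when the transfer looks truncated.

# Normalise lines that change on every save, extending the post's two sed
# rules; afterwards only real configuration changes show up in 'svn diff'.
scrub_config() {
    tr -d '\r' < "$1" | sed \
        -e 's/ntp clock-period.*/ntp clock-period/' \
        -e 's/Written by.*/Written by/' \
        -e 's/Last configuration change at.*/Last configuration change/' \
        -e 's/NVRAM config last updated at.*/NVRAM config last updated/'
}

# The fixed 'sleep 15' can cut a slow transfer short, and a partial file would
# be committed as if the switch had lost half its config. IOS configs finish
# with a line containing only "end" (assumption), so require it as the last
# non-blank line before accepting the file.
config_is_complete() {
    [ -s "$1" ] || return 1
    tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' | tail -n 1 | grep -qx 'end'
}

# Stage one pulled config into the SVN working copy: verify, scrub, copy.
# Returns 0 when staged, 1 when the file was rejected (nothing is copied).
stage_config() {
    src="$1"; dst_dir="$2"; name=$(basename "$src")
    if ! config_is_complete "$src"; then
        echo "REJECT $name: empty or truncated (no trailing 'end')" >&2
        return 1
    fi
    scrub_config "$src" > "$dst_dir/$name" && echo "STAGED $name"
}

# Constructed sample data: one complete config, one truncated transfer.
WORK=$(mktemp -d)
mkdir -p "$WORK/netconfigs" "$WORK/svn"
printf '%s\n' 'version 12.2' 'hostname sw-1' 'ntp clock-period 17179870' \
    '! Last configuration change at 01:02:03 UTC Mon Jan 1 2007 by admin' \
    'interface Vlan1' ' ip address 192.0.2.10 255.255.255.0' 'end' \
    > "$WORK/netconfigs/sw-1.config"
printf '%s\n' 'version 12.2' 'hostname sw-2' 'interface Vlan1' \
    > "$WORK/netconfigs/sw-2.config"

for f in "$WORK"/netconfigs/*.config; do
    stage_config "$f" "$WORK/svn" || true   # keep going; the log shows rejects
done
```

Only files that pass the check land in the working copy, so the nightly 'svn commit' never records a half-written config as a real change.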
Since everything is now stored in SVN, I can check configs out and in, see who saved them and when (depending on whether your gear writes that into the output), and compare them to previous versions. I run WebSVN on my repo, so it's very easy to see what has changed. Super useful.
If anyone implements this and has suggestions for change, please let me know!