network gear config management with tftpd and subversion

published on 2010-03-18 in computing

Keeping revisions and history on device configs is an essential part of a good change control process. I've found this to be an extremely useful and ass-saving part of system/network administration.

WARNING: Consider the security ramifications before you start a project like this. Access to network configs saved on a filesystem or code repository can reveal network topology and login information (some network gear passwords are easily decrypted). Be careful how and where you store this data. For my environment, the tftp server and SVN repository have restricted access to only the systems team.

Here's how I do it:

  • tftpd server reachable from switch management network
  • subversion repository for switch configs
  • manually saving switch configs to the tftpd server
  • cron'd script to automatically check in switch configs (if I don't do it myself)

Setting up TFTPd is pretty easy. On Ubuntu/Debian, it's simple:

apt-get install xinetd tftpd tftp

Set up something like this in /etc/xinetd.d:

service tftp {  
protocol = udp  
port = 69  
socket_type = dgram  
wait = yes  
user = nobody  
server = /usr/sbin/in.tftpd  
server_args = /tftpboot  
disable = no  

Set up the various directories and start the daemon. Be sure of your permissions, as your switch configs will be written to these directories.

mkdir -p /tftpboot/netconfigs/  
chmod -R 700 /tftpboot  
chown -R nobody /tftpboot  
/etc/init.d/xinetd start

Double check that you can write switch configs out using your network gear. This is what it looks like on a Cisco 3560:

copy system:/running-config tftp://TFTPHOST:/netconfigs/SWITCH.config

And on a Cisco PIX firewall:

wr net TFTPHOST:netconfigs/SWITCH.config

Now you need to automate this. I created a utility user on each switch and a utility user in my subversion repository. This is what my script looks like for my Cisco 3560's:


DATE=\`date +%F\`SWITCHES='sw-1 sw-2 sw-3 sw-4 sw-5'  

(echo "${USER}"  
sleep 1  
echo "${PASS}"  
sleep 1  
echo "copy system:/running-config
sleep 15  
echo "exit"  
sleep 2  
echo exit  
while read cmd  
echo $cmd  
done) | telnet $SWITCH >> ~/cronlogs/${SWITCH}.${DATE}.log  

The 'sleep 15' is there in case it takes a moment to write to the tftp server.

I set up another script that runs the actions above, moves the files into the correct subversion tree, scrubs the files for strings that change too much (like timestamps or what-not) and then checks them into SVN. Here's my example:

#! /bin/sh

# write out network configs to TFTP server  
/root/bin/ >/dev/null 2>&1

# copy them into the SVN tree  
cp -fv /tftpboot/netconfigs/*.config /root/svn/network/

# remove things that change all the time  
sed -i "s/ntp clock-period.*/ntp clock-period/g"
sed -i "s/Written by.*/Written by/g" /root/svn/network/sw-*.config

# check them in with subversion  
cd /root/svn/network ; \\  
svn add -q *.config ; \\  
svn commit -q -m 'automatic checkin'

I set these files owned by root, mode 500 and set it to run nightly in cron.

Since everything is now stored within SVN, I can checkout and in configs, see who and when they were saved (depending on if your gear writes that in the output) and compare to previous versions. I run WebSVN on my repo so it's very easy to see what has changed. Super useful.

If anyone implements this and has suggestions for change, please let me know!

Tags: sysadmin