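Periodic Backup of Cisco Device Configuration Files
I. Requirements and Approach
The company's IDC machine room has several switches and firewalls, and business needs mean their configuration is changed frequently. Cisco devices are very stable, but keeping backups guards against the unexpected.
There are many articles online about periodic backup of Cisco devices; I wrote a backup script based on my company's actual situation.
I use expect for automated interaction to fetch each Cisco device's configuration, then upload it to an FTP server over FTP.
The script lives on a CentOS 6.5 server and runs every Saturday night at 23:00.
II. Production Scripts
1. The script directory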
[root@localhost cisco_bak]# pwd
/usr/local/scripts/cisco_bak
[root@localhost cisco_bak]# ls
cfg  cisco_bak.sh  ip_asa.txt  ip_switch.txt  telnet_asa.exp  telnet_switch.exp  up_cfg.sh
2. Files and directories
cfg holds the backed-up Cisco device configuration files.
telnet_switch.exp uses Expect to fetch the configuration of a Cisco switch.
[root@localhost cisco_bak]# cat telnet_switch.exp
#!/usr/bin/expect
# This script gets the switch configuration.
set timeout 60
set ip [lindex $argv 0]
set password [lindex $argv 1]
spawn /usr/kerberos/bin/telnet $ip
expect "Password:"
send "$password\r"
expect ">"
send "enable\r"
expect "Password:"
send "$password\r"
expect "#"
send "show running-config\r"
# Page through the output: answer each pager prompt with a space
# and stop when the privileged prompt (#) returns.
while {1} {
    sleep 1
    expect {
        "*More--" {send " "}
        "*#" {break}
    }
}
send "exit\r"
expect eof
telnet_asa.exp uses Expect to fetch the configuration of a Cisco firewall.
[root@localhost cisco_bak]# cat telnet_asa.exp
#!/usr/bin/expect
# This script gets the ASA firewall configuration.
set timeout 60
set ip [lindex $argv 0]
set password [lindex $argv 1]
spawn /usr/kerberos/bin/telnet $ip
expect "*assword:"
send "$password\r"
expect ">"
send "enable\r"
expect "Password:"
send "$password\r"
expect "#"
send "show running-config\r"
# Page through the output: the ASA pager prompt differs from the switch one.
while {1} {
    sleep 1
    expect {
        "*More --->" {send " "}
        "*#" {break}
    }
}
send "exit\r"
expect eof
ip_switch.txt stores the switches' IPs and passwords. (I changed them; I can't use the company's real IPs and passwords.)
[root@localhost cisco_bak]# cat ip_switch.txt
10.10.10.1 123
10.10.20.1 123
ip_asa.txt stores the firewalls' IPs and passwords. (I changed them; I can't use the company's real IPs and passwords.)
[root@localhost cisco_bak]# cat ip_asa.txt
10.10.10.254 123
10.10.20.254 123
up_cfg.sh uploads the backed-up configuration files to the FTP server. (They can also be backed up to a storage server by other means.)
[root@localhost cisco_bak]# cat up_cfg.sh
#!/bin/bash
# This script uploads the cfg files to a remote computer.
TODAY=`/bin/date +%F`
# Local path
L_PATH=/usr/local/scripts/cisco_bak
# Date path
Date_PATH=`/bin/date +%Y%m%d%H%M%S`
cd ${L_PATH}
# $1 IP, $2 User, $3 Passwd, $4 Remote_Path
/usr/kerberos/bin/ftp -i -n -v << !
open $1
user $2 $3
bin
passive
cd $4
lcd ${L_PATH}/cfg
mput *${TODAY}.cfg
bye
!
cisco_bak.sh is the main program; it combines telnet_asa.exp, telnet_switch.exp and up_cfg.sh into one script.
[root@localhost cisco_bak]# cat cisco_bak.sh
#!/bin/bash
#
TODAY=`date +%F`
# Base directory. Named BAK_DIR rather than PATH so the shell's
# command search path is not overwritten.
BAK_DIR=/usr/local/scripts/cisco_bak
[ -d ${BAK_DIR}/cfg/ ] || /bin/mkdir -p ${BAK_DIR}/cfg/
cd ${BAK_DIR}
## ip_switch.txt and ip_asa.txt store each device's IP and password.
# switch_bak
while read ip
do
    # IP_NAME is the IP (first field of the line)
    IP_NAME=`echo "$ip" | /bin/awk '{print $1}'`
    # $ip is left unquoted so the IP and password are passed as two arguments
    /usr/bin/expect telnet_switch.exp $ip > ${BAK_DIR}/cfg/switch_${IP_NAME}_${TODAY}.cfg
done < ip_switch.txt
# asa_bak
while read ip
do
    # IP_NAME is the IP (first field of the line)
    IP_NAME=`echo "$ip" | /bin/awk '{print $1}'`
    /usr/bin/expect telnet_asa.exp $ip > ${BAK_DIR}/cfg/asa_${IP_NAME}_${TODAY}.cfg
done < ip_asa.txt
## upload cfg to ftp
## /bin/bash ${BAK_DIR}/up_cfg.sh FTP_IP FTP_USER FTP_PASSWD FTP_PATH
/bin/bash ${BAK_DIR}/up_cfg.sh 10.10.10.200 abc 123 /home/abc/Cisco_Devices
3. Scheduled execution on Linux
[root@localhost cisco_bak]# crontab -l
00 23 * * 6 /bin/bash /usr/local/scripts/cisco_bak/cisco_bak.sh >> /dev/null 2>&1
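III. Summary:
1. telnet_switch.exp and telnet_asa.exp are very similar but differ in the while loop: "*More--" {send " "} and "*More --->" {send " "} are not the same.
2. Some firewalls require both a username and a password to log in; telnet_asa.exp can be modified slightly to take three arguments: ip, name and passwd.
3. Possible extension: send an email to notify the administrator when a backup fails.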
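One way to detect a failed backup for the notification in item 3, given that the expect scripts write a file even when login fails and the cron line discards all output. This is an added example, not part of the original post; the error patterns in ERR_RE and the ADMIN_MAIL variable are assumptions, and the sample captures are constructed.

```shell
#!/bin/bash
# Added example, not from the original post: check the captures in cfg/.
# Assumption: ERR_RE lists typical IOS/ASA/telnet failure messages; adjust it
# to what your devices print. ADMIN_MAIL is a hypothetical variable.
ERR_RE='% Bad (passwords|secrets)|% Login invalid|Invalid password|Connection (refused|timed out)|No route to host'

# check_cfg FILE: print a reason and return 1 unless the capture looks complete.
check_cfg() {
    local f=$1 clean
    [ -s "$f" ] || { echo "$f: missing or empty"; return 1; }
    # Drop CR/backspace and the pager prompt left in the telnet capture.
    clean=$(tr -d '\r\b' < "$f" | sed -E 's/^ *(<--- More --->|--More--) *//')
    if printf '%s\n' "$clean" | grep -Eq "$ERR_RE"; then
        echo "$f: login or connection error"; return 1
    fi
    # IOS ends the running-config with "end", ASA with ": end".
    printf '%s\n' "$clean" | grep -Eq '^(: )?end *$' ||
        { echo "$f: no end-of-config marker (truncated?)"; return 1; }
}

# verify_backups DIR DATE: check every *_DATE.cfg, return the failure count.
verify_backups() {
    local dir=$1 day=$2 f msg report='' fails=0 found=0
    for f in "$dir"/*_"$day".cfg; do
        [ -e "$f" ] || continue
        found=1
        if ! msg=$(check_cfg "$f"); then
            fails=$((fails + 1)); report="$report$msg
"
        fi
    done
    [ "$found" -eq 1 ] || { fails=1; report="no *_$day.cfg files in $dir
"; }
    if [ "$fails" -gt 0 ]; then
        printf '%s' "$report" >&2
        if [ -n "${ADMIN_MAIL:-}" ] && command -v mail >/dev/null; then
            printf '%s' "$report" | mail -s "Cisco backup: $fails failed" "$ADMIN_MAIL"
        fi
    fi
    return "$fails"
}

# Constructed sample captures: one complete, one failed login.
d=$(mktemp -d)
printf 'sw1#show running-config\r\nhostname sw1\r\n --More-- \b\b\b\bend\r\nsw1#exit\r\n' > "$d/switch_10.10.10.1_2016-04-02.cfg"
printf 'Password: \r\n%% Bad passwords\r\n' > "$d/switch_10.10.20.1_2016-04-02.cfg"
verify_backups "$d" 2016-04-02 || echo "failed captures: $?"
rm -rf "$d"
```

In cisco_bak.sh this would run after both loops, for example as verify_backups cfg "$TODAY", before the upload step.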
This article is from the "小小的运维,大大的梦想" blog; please be sure to keep this attribution: http://hunkz.blog.51cto.com/6157447/1759138
Original URL: http://hunkz.blog.51cto.com/6157447/1759138