Category: Cisco

SP-4-DISABLED: power to module in slot 2 set off (Module Failed SCP dnld)

Hello, comrades!

Today I want to explain why a module may refuse to come online.

The message in question is: SP-4-DISABLED: power to module in slot 2 set off (Module Failed SCP dnld)

What does it mean? There are three candidates: a faulty module, bad RAM, or no SCP connectivity between the sup/RSP and the module.

How do we find out where the problem lies?

First, check the SCP counters for errors:

remote command switch show scp counters

Then try to ping the module over SCP:

remote command switch test scp ping 2

If the reply is "is alive", the sup/RSP does have a connection to the module.
If the reply is "no response", either the connection between the sup/RSP and the module is broken or the RAM is bad.

What else can we look at to dig deeper?

remote login switch
debug scp download module 2
show debug

Now watch the output. If there is no output at all, even after reseating the module, the problem is the RAM, no doubt about it. If there is output, the problem is the module itself.

If you are not yet familiar with the RAM issue, read this: https://habrahabr.ru/post/216287/

That's all 😉 always yours, Taras Kramarets aka ~NiX~

What is hammering the CPU on a 7600

Hello, dear readers!

This is a short note and nothing more, because there is simply nothing more to write.

debug netdr capture
Wait a couple of seconds
undebug netdr capture
show netdr captured-packets

and look at what is being punted to the processor. The netdr buffer holds only a few thousand packets, so a couple of seconds is enough; unlike debug ip packet it only copies packets that are already being punted to the RP/SP, which is why it is safe to run on a loaded box.

Cisco HWIC-3G-CDMA configuration

Hello, colleagues. Today I'll talk about an interesting option: using a Cisco module for CDMA networks in production. I mostly use it where a cheap backup link is needed, i.e. you pay only while you actually use it. The configuration below is for the provider Intertelecom; the connection is brought up by the first packet sent toward a route (or the default route) that points at the modem.

So we have a Cisco 2801

and the following module: "WIC/VIC/HWIC 1", DESCR: "3G WWAN HWIC-EVDO"

The main commands:

1) how to find out the ESN:

sh cellular 0/1/0 hardware

2) how to see the network type and signal quality:

sh cellular 0/1/0 radio

3) connection state:

sh cellular 0/1/0 connection

4) how to see the connection profiles:

sh cellular 0/1/0 profile <1-5 | all>

With that covered, let's assume you have a modem already provisioned for Intertelecom; we need to set up the profile and the router itself.

The profile should look roughly like this:

Data Profile 5 Information (Active)
==================================
NAI (Network Access Identifier) = 032xxxxxxx@it.od.ua
MN-HA SS = Set
MN-HA SPI = 1234
MN-AAA SS = Set
MN-AAA SPI = 1234
Reverse Tunneling Preference = Set
Home Address = 0.0.0.0
Primary Home Agent Address = 0.0.0.0
Secondary Home Agent Address = 0.0.0.0

To get there we need the ESN (it serves as the shared secret here), the phone number assigned to us by the provider, and steady hands 😉 Let's go =)

In place of esn put the ESN obtained from sh cellular 0/1/0 hardware; it is given twice because it is used as both shared secrets (MN-HA SS and MN-AAA SS, shown as "Set" in the profile):

cellular 0/1/0 cdma profile configure 5 0.0.0.0 0.0.0.0 032xxxxxxx@it.od.ua esn esn

Next we need to activate this profile, which is done like this:

cellular 0/1/0 cdma profile select 5

Now the most interesting part, the connection itself; here is a ready-made configuration:

chat-script cdma "" "ATDT#777" TIMEOUT 30 CONNECT

dialer-list 1 protocol ip permit

interface Cellular0/1/0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
logging event subif-link-status
load-interval 30
dialer in-band
dialer idle-timeout 30
dialer string cdma
dialer-group 1
no peer default ip address
async mode interactive
ppp authentication chap callin
ppp chap hostname IT
ppp chap password IT
ppp ipcp dns request
routing dynamic

line 0/1/0
exec-timeout 0 0
script dialer cdma
modem InOut
no exec
transport input all
transport output all
rxspeed 3100000
txspeed 1800000

This is roughly what the interface looks like while it is waiting:

sh int cellular 0/1/0
Cellular0/1/0 is up (spoofing), line protocol is up (spoofing)
Hardware is EVDO Rev A/Rel 0/1xRTT-800/1900MHz / SP
Internet address will be negotiated using IPCP
MTU 1500 bytes, BW 1800 Kbit/sec, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Closed, loopback not set
Keepalive not supported
Last input 1d06h, output 1d06h, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/16 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1350 kilobits/sec
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
5079 packets input, 114725 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

"up (spoofing)" with "LCP Closed" is the normal idle state of a dial-on-demand interface: the dialer keeps the interface and its route up without a call, so the first interesting packet (anything permitted by dialer-list 1) triggers the chat script, and the call is torn down again after 30 seconds without interesting traffic (dialer idle-timeout 30).

As I said, it is enough to send a single ping toward a route (or the default route) that points at the modem and everything comes up 😉

Note that ppp chap hostname/password are stored in the config in clear text; service password-encryption only obfuscates them (type 7), so anyone who can read the config, or its backup, gets the provider credentials.

That's all for now 😉

Always your comrade-in-arms, Taras Kramarets aka ~NiX~

rancid as a config backup tool

Hello, dear readers!

Today we'll talk about automatic config backups across the whole fleet of managed equipment.

Rancid is a genuinely great tool: simple to configure, reliable and fast!

The downside: to cover the whole fleet I had to patch the plugins so everything worked correctly.

Say we want to back up configs from Cisco: there is a stock plugin and nothing needs doing =)

But as soon as we want to back up configs from D-Link, the question arises: what do we edit and how do we run it? It is quite simple for anyone who knows Perl + Expect: you can write your own plugin, or even knock together a whole rancid clone.

One of the most useful features is change tracking: every change is reported by e-mail, and on a large network that becomes a very necessary thing.

So let's walk through installation and configuration.

Installation:

on FreeBSD: cd /usr/ports/net-mgmt/rancid && make && make install

Configuration:

cd /usr/local/etc/rancid/

we'll see the files:

lg.conf.sample rancid.conf.sample

do cp rancid.conf.sample rancid.conf

now we need to adjust it to our needs:

vi rancid.conf

mine looks like this:

TMPDIR=/tmp; export TMPDIR
BASEDIR=/usr/local/var/rancid; export BASEDIR
PATH=/usr/local/libexec/rancid:/usr/bin:/usr/local/bin:/usr/sbin:/bin:/usr/bin; export PATH
CVSROOT=$BASEDIR/CVS; export CVSROOT
LOGDIR=$BASEDIR/logs; export LOGDIR
RCSSYS=cvs; export RCSSYS
MAX_ROUNDS=1; export MAX_ROUNDS
PAR_COUNT=100; export PAR_COUNT
MAILDOMAIN="@rancid.mon"; export MAILDOMAIN
LIST_OF_GROUPS="CiscoDevices D-LinkDevices"

save it and move on to the next important step.

Create the file that will hold the passwords, IP addresses and login methods:

touch /home/rancid/.cloginrc

Edit it and enter our data:

vi /home/rancid/.cloginrc

add user 1.1.1.1 userlogin
add user 2.2.2.2 adminlogin
add password 1.1.1.1 OnlyUserpassword
add password 2.2.2.2 adminpassword enablepswd
add password * AnyPassword AnyEnablePassword
add method 1.1.1.1 ssh
add method 2.2.2.2 telnet
add method * telnet

What these entries mean:

* means "any host". Entries are matched top to bottom and the first pattern that matches the host wins, so the * catch-all lines must come after the host-specific ones.

The password can be given once if no enable is needed; if enable is needed, the enable password MUST be given as well, as the second value! A value containing spaces has to be quoted ({like this}), because the file is sourced as Tcl code by the login scripts, which also means anything else written in it runs as the rancid user.

The login method can be telnet or ssh. Prefer ssh wherever the device supports it: with telnet the login and enable passwords cross the network in clear text on every run.

Next we fix the permissions (the login scripts refuse a .cloginrc that is readable or writable by others):

chmod 600 /home/rancid/.cloginrc
chown rancid:rancid /home/rancid/.cloginrc
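To see which credentials and method rancid will actually pick for each host in router.db, here is a small resolver written for this post (added example, not code from the post or from the rancid project). It reimplements the `find` lookup of rancid's clogin-style expect scripts in Python: entries are `add <var> <host-glob> <value...>` and the first entry whose glob matches the host wins. The .cloginrc and router.db texts inside it are constructed for the example: 1.1.1.1 and 2.2.2.2 mirror the entries above, while 10.0.0.9 and 10.0.0.10 are assumed extra hosts that only the `*` catch-all covers.

```python
"""Resolve the login parameters rancid would use per host from .cloginrc and router.db.

Added example for this post, not rancid's own code. Mirrors the first-match-wins
glob lookup of the expect scripts and the `mode & 007` permission test they apply
to .cloginrc. All input below is constructed.
"""
import fnmatch
import os
import shlex

CLOGINRC = """\
add user 1.1.1.1 userlogin
add user 2.2.2.2 adminlogin
add password 1.1.1.1 OnlyUserpassword
add password 2.2.2.2 adminpassword enablepswd
add password * AnyPassword AnyEnablePassword
add method 1.1.1.1 ssh
add method 2.2.2.2 telnet
add method * telnet
"""

ROUTER_DB = """\
1.1.1.1:cisco:up
2.2.2.2:cisco:up
10.0.0.9:dlink:up
10.0.0.10:dlink:down
"""


def parse_cloginrc(text):
    """Return {var: [(glob, [values...]), ...]} in file order (order matters)."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # honours "quoted values" like Tcl's {braces}
        if len(words) < 3 or words[0] != "add":
            raise ValueError("unrecognised .cloginrc line: %r" % raw)
        table.setdefault(words[1], []).append((words[2], words[3:]))
    return table


def find(table, var, host):
    """First-match-wins glob lookup, like the expect scripts' `find` proc."""
    for pattern, values in table.get(var, []):
        if fnmatch.fnmatchcase(host, pattern):
            return pattern, values
    return None, []


def parse_router_db(text):
    """Return (host, vendor) for the entries rancid will actually poll (state 'up')."""
    hosts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, vendor, state = line.split(":")
        if state == "up":
            hosts.append((host.lower(), vendor))  # clogin lowercases the host too
    return hosts


def resolve(table, host):
    """What rancid would use for `host`, plus the warnings an auditor wants."""
    _, user = find(table, "user", host)
    pw_pattern, pw = find(table, "password", host)
    _, method = find(table, "method", host)
    method = method or ["telnet", "ssh"]  # clogin's default order when unset
    warnings = []
    if not pw:
        warnings.append("no password entry: rancid will skip this host")
    elif pw_pattern == "*":
        warnings.append("credentials come from the '*' catch-all (shared secret)")
    if "telnet" in method:
        warnings.append("telnet allowed: login/enable passwords cross the wire in clear")
    return {
        "user": user[0] if user else None,  # None -> clogin falls back to the unix user
        "password": pw[0] if pw else None,
        "enable": pw[1] if len(pw) > 1 else None,
        "method": method,
        "warnings": warnings,
    }


def cloginrc_mode_ok(mode):
    """Same test as the expect scripts: any 'other' permission bit is fatal."""
    return (mode & 0o007) == 0


def audit(cloginrc_text=CLOGINRC, router_db_text=ROUTER_DB):
    """Map every polled host to its resolved login parameters."""
    table = parse_cloginrc(cloginrc_text)
    return {host: resolve(table, host) for host, _ in parse_router_db(router_db_text)}


if __name__ == "__main__":
    path = os.path.expanduser("~/.cloginrc")
    if os.path.exists(path) and not cloginrc_mode_ok(os.stat(path).st_mode):
        print("%s is readable/writable by others: clogin will refuse it" % path)
    for host, info in audit().items():
        print(host, info["method"], info["user"], *info["warnings"])
```

Run it as the rancid user; the host-by-host output makes it obvious which devices silently fall back to the shared `*` password or still use telnet.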

then remove the stock directory:

rm -r /usr/local/var/rancid

change the permissions:

chmod 775 /usr/local/var

become the rancid user:

su rancid

create the rancid directory:

mkdir /usr/local/var/rancid

run rancid once so that it creates the directories it needs:

rancid-run

initialise cvs:

/usr/local/bin/rancid-cvs

go to our daemon's directory:

cd /usr/local/var/rancid/
ls

we'll see:

CiscoDevices
D-LinkDevices

first enter the CiscoDevices folder:

cd CiscoDevices
vi router.db

and write in the host names, the vendor and the word up:

1.1.1.1:cisco:up
2.2.2.2:cisco:up

save.

Now set up forwarding of the reports to an e-mail address; I assume mail is already configured on the box:

exit from the rancid user

vi /etc/aliases

rancid-CiscoDevices: evil@admin.net
rancid-admin-CiscoDevices: evil@admin.net

rancid-D-LinkDevices: evil@admin.net
rancid-admin-D-LinkDevices: evil@admin.net

save and run newaliases

now switch back to the rancid user:

su rancid

run rancid itself:

rancid-run

If everything went well, the current configs should appear in the CiscoDevices folder. Keep in mind that these files, the CVS history and the diff e-mails contain everything that is in the running config, secrets included (rancid masks passwords and community strings only when FILTER_PWDS and NOCOMMSTR are set in rancid.conf), so the rancid home directory, the repository and the report mailbox have to be treated as sensitive.

now, to make all this run automatically, create a cron job:

crontab -e

0 0 * * * /usr/local/bin/rancid-run

so it runs once a day

save

and we have a working setup )

Someone will ask: how do I debug all this? Simple: rancid writes its logs into the logs folder under its directory; there is a log per group, read it and everything becomes clear.

Someone will ask: what if it doesn't start for a group?

First of all, if it doesn't start for a group there may be a stale lock; look for it in /tmp/ for that group and delete it if no rancid processes are running.

As for D-Link, I have two plugins, based on one found on the Internet that was somewhat broken. To add a new plugin, go to

cd /usr/local/libexec/rancid/

find the file:

rancid-fe

and edit it:

vi rancid-fe

Since it is Perl, an admin shouldn't have any trouble, but just in case: the hash we're interested in is

%vendortable

It maps each vendor (the second field of router.db) to the script that is run for it:

'cisco' => 'rancid', as you can see, for cisco the rancid script is run

for D-Link:

'dlink' => 'dlrancid',

for D-Link 36xx:

'd36' => 'dl36rancid',

Now the listing of the scripts themselves, with my fixes:

cat dllogin
#! /usr/bin/expect --
##
## patched to accomplish fortinet from nlogin
## in turn patched to accomplish D-Link from fnlogin
## by: Daniel G. Epstein <dan at rootlike.com>
## adapted by: Diego Ercolani <diego.ercolani at ssis.sm>
## further adapted by: Gavin McCullagh <gavin.mccullagh at gcd.ie>
##
## rancid 2.3.6
## Copyright (c) 1997-2009 by Terrapin Communications, Inc.
## All rights reserved.
##
## This code is derived from software contributed to and maintained by
## Terrapin Communications, Inc. by Henry Kilmer, John Heasley, Andrew Partan,
## Pete Whiting, Austin Schutz, and Andrew Fort.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
## 3. All advertising materials mentioning features or use of this software
##    must display the following acknowledgement:
##        This product includes software developed by Terrapin Communications,
##        Inc. and its contributors for RANCID.
## 4. Neither the name of Terrapin Communications, Inc. nor the names of its
##    contributors may be used to endorse or promote products derived from
##    this software without specific prior written permission.
## 5. It is requested that non-binding fixes and modifications be contributed
##    back to Terrapin Communications, Inc.
##
## THIS SOFTWARE IS PROVIDED BY Terrapin Communications, INC. AND CONTRIBUTORS
## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
## TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
## PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COMPANY OR CONTRIBUTORS
## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
## POSSIBILITY OF SUCH DAMAGE.
#
# The expect login scripts were based on Erik Sherk's gwtn, by permission.
# Netscreen hacks implemented by Stephen Gill <gillsr at yahoo.com>.
# Fortinet hacks by Daniel G. Epstein <dan at rootlike.com>
# D-Link hacks by Gavin McCullagh <gmccullagh at gmail dot com>
#
#############################################################################
#
# dllogin -- D-Link login
# This script is very much a hack based on the existing code, but it works for us.
#
# Thus far we have tested this on the following D-Link Switch models:
#
#   DES-3010F  -- success (telnet, ssh)
#   DES-3052P  -- success (telnet, ssh, ... a little slow)
#   DES-3526   -- success (telnet, ssh)
#   DES-3550   -- success (telnet, ssh)
#   DES-3250TG -- fail (there's no command to print config)
#   DGS-3324SR -- success (telnet, ssh)
#   DGS-3100   -- fail (but probably not too big a job to fix)
#
# Known bugs/issues:
#   -- line wrap problems cause newlines within config lines at 80 chars wide on
#      some models (DES-3010F)
#   -- ssh can be quite slow on these units and we've even had anecdotal evidence
#      that the load on the switches can occasionally cause packet loss.  We
#      generally use telnet for this reason and all is fine.
#
#############################################################################

# Usage line
set usage "Usage: $argv0 \[-dSV\] \[-c command\] \[-Evar=x\] \
\[-f cloginrc-file\] \[-p user-password\] \
\[-s script-file\] \[-t timeout\] \[-u username\] \
\[-v vty-password\] \[-x command-file\] \
\[-y ssh_cypher_type\] router \[router...\]\n"

# env(CLOGIN) may contain:
#	x == do not set xterm banner or name

# Password file
set password_file $env(HOME)/.cloginrc
# Default is to login to the switch
set do_command 0
set do_script 0
# The default is to look in the password file to find the passwords.  This
# tracks if we receive them on the command line.
set do_passwd 1
set do_enapasswd 1
# Save config, if prompted
set do_saveconfig 0

# Find the user in the ENV, or use the unix userid.
if {[ info exists env(CISCO_USER) ]} {
    set default_user $env(CISCO_USER)
} elseif {[ info exists env(USER) ]} {
    set default_user $env(USER)
} elseif {[ info exists env(LOGNAME) ]} {
    set default_user $env(LOGNAME)
} else {
    # This uses "id" which I think is portable.  At least it has existed
    # (without options) on all machines/OSes I've been on recently --
    # unlike whoami or id -nu.
    if [ catch {exec id} reason ] {
        send_error "\nError: could not exec id: $reason\n"
        exit 1
    }
    regexp {\(([^)]*)} "$reason" junk default_user
}
if {[ info exists env(CLOGINRC) ]} {
    set password_file $env(CLOGINRC)
}

# Sometimes these switches take a while to answer (the default is 10 sec)
set timeout 45

# Process the command line
for {set i 0} {$i < $argc} {incr i} {
    set arg [lindex $argv $i]

    switch -glob -- $arg {
        # Expect debug mode
        -d* {
            exp_internal 1
        # Username
        } -u* {
            if {! [ regexp .\[uU\](.+) $arg ignore username]} {
                incr i
                set username [ lindex $argv $i ]
            }
        # VTY Password
        } -p* {
            if {! [ regexp .\[pP\](.+) $arg ignore userpasswd]} {
                incr i
                set userpasswd [ lindex $argv $i ]
            }
            set do_passwd 0
        # Environment variable to pass to -s scripts
        } -E* {
            if {[ regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} {
                set E$varname $varvalue
            } else {
                send_user "\nError: invalid format for -E in $arg\n"
                exit 1
            }
        # Command to run.
        } -c* {
            if {! [ regexp .\[cC\](.+) $arg ignore command]} {
                incr i
                set command [ lindex $argv $i ]
            }
            set do_command 1
        # Expect script to run.
        } -s* {
            if {! [ regexp .\[sS\](.+) $arg ignore sfile]} {
                incr i
                set sfile [ lindex $argv $i ]
            }
            if { ! [ file readable $sfile ] } {
                send_user "\nError: Can't read $sfile\n"
                exit 1
            }
            set do_script 1
        # save config on exit
        } -S* {
            set do_saveconfig 1
        # cypher type
        } -y* {
            if {! [ regexp .\[yY\](.+) $arg ignore cypher]} {
                incr i
                set cypher [ lindex $argv $i ]
            }
        # alternate cloginrc file
        } -f* {
            if {! [ regexp .\[fF\](.+) $arg ignore password_file]} {
                incr i
                set password_file [ lindex $argv $i ]
            }
        } -t* {
            incr i
            set timeout [ lindex $argv $i ]
        } -x* {
            if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} {
                incr i
                set cmd_file [ lindex $argv $i ]
            }
            if [ catch {set cmd_fd [open $cmd_file r]} reason ] {
                send_user "\nError: $reason\n"
                exit 1
            }
            set cmd_text [read $cmd_fd]
            close $cmd_fd
            set command [join [split $cmd_text \n] \;]
            set do_command 1
        # Version string
        } -V* {
            send_user "rancid 2.3.6\n"
            exit 0
        # Does tacacs automatically enable us?
        } -autoenable {
            # ignore autoenable
        } -* {
            send_user "\nError: Unknown argument! $arg\n"
            send_user $usage
            exit 1
        } default {
            break
        }
    }
}
# Process switches...no switches listed is an error.
if { $i == $argc } {
    send_user "\nError: $usage"
    exit 1
}

# Only be quiet if we are running a script (it can log its output
# on its own)
if { $do_script } {
    log_user 0
} else {
    log_user 1
}

#
# Done configuration/variable setting.  Now run with it...
#

# Sets Xterm title if interactive...if its an xterm and the user cares
proc label { host } {
    global env
    # if CLOGIN has an 'x' in it, don't set the xterm name/banner
    if [info exists env(CLOGIN)] {
        if {[string first "x" $env(CLOGIN)] != -1} { return }
    }
    # take host from ENV(TERM)
    if [info exists env(TERM)] {
        if [regexp \^(xterm|vs) $env(TERM) ignore ] {
            send_user "\033]1;[lindex [split $host "."] 0]\a"
            send_user "\033]2;$host\a"
        }
    }
}

# This is a helper function to make the password file easier to
# maintain.  Using this the password file has the form:
# add password sl*	pete cow
# add password at*	steve
# add password *	hanky-pie
proc add {var args} { global int_$var ; lappend int_$var $args}
proc include {args} {
    global env
    regsub -all "(^{|}$)" $args {} args
    if { [ regexp "^/" $args ignore ] == 0 } {
        set args $env(HOME)/$args
    }
    source_password_file $args
}

# First entry whose glob matches the router wins, so order .cloginrc
# from specific hosts to the '*' catch-all.
proc find {var router} {
    upvar int_$var list
    if { [info exists list] } {
        foreach line $list {
            if { [string match [lindex $line 0] $router ] } {
                return [lrange $line 1 end]
            }
        }
    }
    return {}
}

# Loads the password file.  Note that as this file is tcl, and that
# it is sourced, the user better know what to put in there, as it
# could install more than just password info...  I will assume however,
# that a "bad guy" could just as easy put such code in the clogin
# script, so I will leave .cloginrc as just an extention of that script
proc source_password_file { password_file } {
    global env
    if { ! [file exists $password_file] } {
        send_user "\nError: password file ($password_file) does not exist\n"
        exit 1
    }
    file stat $password_file fileinfo
    if { [expr ($fileinfo(mode) & 007)] != 0000 } {
        send_user "\nError: $password_file must not be world readable/writable\n"
        exit 1
    }
    if [ catch {source $password_file} reason ] {
        send_user "\nError: $reason\n"
        exit 1
    }
}

# Log into the switch.
# returns: 0 on success, 1 on failure
proc login { router user userpswd passwd enapasswd prompt cmethod cyphertype } {
    global spawn_id in_proc do_command do_script sshcmd
    set in_proc 1
    set uprompt_seen 0

    # Telnet to the switch & try to login.
    set progs [llength $cmethod]
    foreach prog [lrange $cmethod 0 end] {
        incr progs -1
        if [string match "telnet*" $prog] {
            regexp {telnet(:([^[:space:]]+))*} $prog command suffix port
            if {"$port" == ""} {
                set retval [ catch {spawn telnet $router} reason ]
            } else {
                set retval [ catch {spawn telnet $router $port} reason ]
            }
            if { $retval } {
                send_user "\nError: telnet failed: $reason\n"
                return 1
            }
        } elseif [string match "ssh*" $prog] {
            regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
            if {"$port" == ""} {
                set cmd [join [lindex $sshcmd 0] " "]
                set retval [ catch {eval spawn [split "$cmd -c $cyphertype -x -l $user $router" { }]} reason ]
            } else {
                set cmd [join [lindex $sshcmd 0] " "]
                set retval [ catch {eval spawn [split "$cmd -c $cyphertype -x -l $user -p $port $router" { }]} reason ]
            }
            if { $retval } {
                send_user "\nError: $sshcmd failed: $reason\n"
                return 1
            }
        } elseif ![string compare $prog "rsh"] {
            send_error "\nError: unsupported method: rsh\n"
            if { $progs == 0 } {
                return 1
            }
            continue;
        } else {
            send_user "\nError: unknown connection method: $prog\n"
            return 1
        }

        sleep 0.3

        # This helps cleanup each expect clause.
        expect_after {
            timeout {
                send_user "\nError: TIMEOUT reached\n"
                catch {close}; catch {wait};
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            } eof {
                send_user "\nError: EOF received\n"
                catch {close}; catch {wait};
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            }
        }

        # Here we get a little tricky.  There are several possibilities:
        # the switch can ask for a username and passwd and then
        # talk to the TACACS server to authenticate you, or if the
        # TACACS server is not working, then it will use the enable
        # passwd.  Or, the switch might not have TACACS turned on,
        # then it will just send the passwd.
        # if telnet fails with connection refused, try ssh
        # NOTE: an unknown ssh host key is accepted unattended ("yes" below);
        # pre-seed the rancid user's known_hosts if you want strict checking.
        expect {
            -re "(Connection refused|Secure connection \[^\n\r]+ refused)" {
                catch {close}; catch {wait};
                if !$progs {
                    send_user "\nError: Connection Refused ($prog): $router\n"
                    return 1
                }
            }
            -re "(Connection closed by|Connection to \[^\n\r]+ closed)" {
                catch {close}; catch {wait};
                if !$progs {
                    send_user "\nError: Connection closed ($prog): $router\n"
                    return 1
                }
            }
            eof { send_user "\nError: Couldn't login: $router\n"; wait; return 1 }
            -nocase "unknown host\r" {
                send_user "\nError: Unknown host $router\n";
                catch {close}; catch {wait};
                return 1
            }
            "Host is unreachable" {
                send_user "\nError: Host Unreachable: $router\n";
                catch {close}; catch {wait};
                return 1
            }
            "No address associated with name" {
                send_user "\nError: Unknown host $router\n";
                catch {close}; catch {wait};
                return 1
            }
            -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" {
                send "yes\r"
                send_user "\nHost $router added to the list of known hosts.\n"
                exp_continue }
            -re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" {
                send "no\r"
                send_user "\nError: The host key for $router has changed.  Update the SSH known_hosts file accordingly.\n"
                catch {close}; catch {wait};
                return 1
            }
            -re "Offending key for .* \(yes\/no\)\?" {
                send "no\r"
                send_user "\nError: host key mismatch for $router.  Update the SSH known_hosts file accordingly.\n"
                catch {close}; catch {wait};
                return 1
            }
            -re "(denied|Sorry)" {
                send_user "\nError: Check your passwd for $router\n"
                catch {close}; catch {wait}; return 1
            }
            "Login failed" {
                send_user "\nError: Check your passwd for $router\n";
                catch {close}; catch {wait}; return 1
            }
            -re "\[Uu]ser\[nN]ame:" {
                sleep 1;
                send -- "$user\r"
                set uprompt_seen 1
                exp_continue
            }
            -re "@\[^\r\n]+\[Pp]assword:" {
                # ssh pwd prompt
                sleep 1
                send -- "$userpswd\r"
                exp_continue
            }
            "\[Pp]ass\[Ww]ord:" {
                sleep 1;
                if {$uprompt_seen == 1} {
                    send -- "$userpswd\r"
                } else {
                    send -- "$passwd\r"
                }
                exp_continue
            }
            -- "$prompt" { break; }
        }
    }
    set in_proc 0
    return 0
}

# Run commands given on the command line.
proc run_commands { prompt command } {
    global in_proc
    set in_proc 1
    # Disable output paging.
    send -- "disable clipaging\r"
    expect -re $prompt;

    set commands [split $command \;]
    set num_commands [llength $commands]
    for {set i 0} {$i < $num_commands} { incr i} {
        send -- "[subst [lindex $commands $i]]\r"
        # send_user "**************** [subst [lindex $commands $i]] ************\n"
        # "All " is the pager prompt on firmwares that still page: answer "a"
        expect {
            -re "$prompt"       { send "\r"
                                  sleep 0.5
                                }
            -re "All "          { send "a"
                                  exp_continue
                                }
            -re "\[\n\r]+"      { exp_continue }
        }
    }
    # send_user "******* out of the for loop *******\n"
    expect {
        -re "$prompt$"      {
                              send "enable clipaging\r"
                              send "logout\r"
                              sleep 0.5
                              exp_continue
                            }
        -re "\[\n\r]+"      { exp_continue }
        -gl "Configuration modified, save?" {
                              send "n\r"
                              exp_continue
                            }
        timeout             { catch {close}; catch {wait};
                              return 0
                            }
        eof                 { return 0 }
    }
    set in_proc 0
    return 0
}

#
# For each switch... (this is main loop)
#
source_password_file $password_file
set in_proc 0
set exitval 0
foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # prompts can end in either '#' or '$' (inherited from fnlogin; D-Link uses '#')
    set prompt "\[#\\$]"

    # Figure out passwords
    if { $do_passwd || $do_enapasswd } {
        set pswd [find password $router]
        if { [llength $pswd] == 0 } {
            send_user "\nError: no password for $router in $password_file.\n"
            continue
        }
        set passwd [join [lindex $pswd 0] ""]
        set enapasswd [join [lindex $pswd 1] ""]
    } else {
        set passwd $userpasswd
        # there is no -e option here and the D-Link CLI has no enable mode
        set enapasswd ""
    }

    # Figure out username
    if {[info exists username]} {
        # command line username
        set ruser $username
    } else {
        set ruser [join [find user $router] ""]
        if { "$ruser" == "" } { set ruser $default_user }
    }

    # Figure out username's password (if different from the vty password)
    if {[info exists userpasswd]} {
        # command line username
        set userpswd $userpasswd
    } else {
        set userpswd [join [find userpassword $router] ""]
        if { "$userpswd" == "" } { set userpswd $passwd }
    }
    # Figure out cypher type
    if {[info exists cypher]} {
        # command line cypher type
        set cyphertype $cypher
    } else {
        set cyphertype [find cyphertype $router]
        if { "$cyphertype" == "" } { set cyphertype "3des" }
    }

    # Figure out connection method
    set cmethod [find method $router]
    if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} }

    # Figure out the SSH executable name
    set sshcmd [find sshcmd $router]
    if { "$sshcmd" == "" } { set sshcmd {ssh} }

    # Login to the router
    if {[login $router $ruser $userpswd $passwd $enapasswd $prompt $cmethod $cyphertype]} {
        incr exitval
        continue
    }

    # we are logged in, now wait for a full prompt line from the device
    # before sending anything; the generic $prompt pattern is kept.
    send "\r"
    expect {
        -re "\[\r\n]+"      { exp_continue; }
        -re "^(.+$prompt)"  { set junk $expect_out(0,string); }
    }

    if { $do_command } {
        if {[run_commands $prompt $command]} {
            incr exitval
            continue
        }
    } elseif { $do_script } {
        # Disable output paging.
        send "disable clipaging\r"
        expect -re $prompt {}
        source $sfile
        catch {close};
    } else {
        label $router
        log_user 1
        interact
    }

    # End of for each switch
    catch {wait};
    sleep 0.3
}
exit $exitval

 

cat dlrancid
#! /usr/bin/perl
##
##
## dlrancid
##
## rancid 2.3.6
## Copyright (c) 1997-2008 by Terrapin Communications, Inc.
## All rights reserved.
##
## This code is derived from software contributed to and maintained by
## Terrapin Communications, Inc. by Henry Kilmer, John Heasley, Andrew Partan,
## Pete Whiting, Austin Schutz, and Andrew Fort.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
## notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
## notice, this list of conditions and the following disclaimer in the
## documentation and/or other materials provided with the distribution.
## 3. All advertising materials mentioning features or use of this software
## must display the following acknowledgement:
## This product includes software developed by Terrapin Communications,
## Inc. and its contributors for RANCID.
## 4. Neither the name of Terrapin Communications, Inc. nor the names of its
## contributors may be used to endorse or promote products derived from
## this software without specific prior written permission.
## 5. It is requested that non-binding fixes and modifications be contributed
## back to Terrapin Communications, Inc.
##
## THIS SOFTWARE IS PROVIDED BY Terrapin Communications, INC. AND CONTRIBUTORS
## «AS IS» AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
## TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
## PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COMPANY OR CONTRIBUTORS
## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
## POSSIBILITY OF SUCH DAMAGE.
#
# A library built on Stephen Gill’s Netscreen stuff to accomodate
# the Fortinet product line. [d_pfleger at juniper.net]
# In turn massaged some more to accomodate the D-Link line of switches
#
# RANCID — Really Awesome New Cisco confIg Differ
#
# usage: dlrancid [-dV] [-l] [-f filename | hostname]
#
use Getopt::Std;
getopts(‘dflV’);
if ($opt_V) {
print «rancid 2.3.6\n»;
exit(0);
}
$log = $opt_l;
$debug = $opt_d;
#$debug = 1;
$file = $opt_f;
$host = $ARGV[0];
$found_end = 0;
$timeo = 300; # dllogin timeout in seconds (some of these devices are remarkably slow to read config)

my(@commandtable, %commands, @commands);# command lists
my($aclsort) = («ipsort»); # ACL sorting mode
my($filter_commstr); # SNMP community string filtering
my($filter_pwds); # password filtering mode

# This routine is used to print out the router configuration
sub ProcessHistory {
my ($new_hist_tag,$new_command,$command_string, @string) = (@_);
if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
&& scalar(%history)) {
print eval «$command \%history»;
undef %history;
}
if (($new_hist_tag) && ($new_command) && ($command_string)) {
if ($history{$command_string}) {
$history{$command_string} = «$history{$command_string}@string»;
} else {
$history{$command_string} = «@string»;
}
} elsif (($new_hist_tag) && ($new_command)) {
$history{++$#history} = «@string»;
} else {
print «@string»;
}
$hist_tag = $new_hist_tag;
$command = $new_command;
1;
}

sub numerically { $a <=> $b; }

# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort numerically keys(%lines)) {
$sorted_lines[$i] = $lines{$key};
$i++;
}
@sorted_lines;
}

# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort keys(%lines)) {
$sorted_lines[$i] = $lines{$key};
$i++;
}
@sorted_lines;
}

# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort values %lines) {
$sorted_lines[$i] = $key;
$i++;
}
@sorted_lines;
}

# This is a numerical sort routine (ascending).
sub numsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $num (sort {$a <=> $b} keys %lines) {
$sorted_lines[$i] = $lines{$num};
$i++;
}
@sorted_lines;
}

# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $addr (sort sortbyipaddr keys %lines) {
$sorted_lines[$i] = $lines{$addr};
$i++;
}
@sorted_lines;
}

# These two routines will sort based upon IP addresses
sub ipaddrval {
my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
$a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
}
sub sortbyipaddr {
&ipaddrval($a) <=> &ipaddrval($b);
}

# This routine parses «get system»
sub GetSystem {
print STDERR » In GetSystem: $_» if ($debug);

my $priv_key;
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
last if (/$prompt/);

#next if (/^System Time:/i);
#next if (/^\s*Virus-DB: .*/);
#next if (/^\s*Extended DB: .*/);
#next if (/^\s*IPS-DB: .*/);
#next if (/^FortiClient application signature package:/);
ProcessHistory(«»,»»,»»,»#$_»);
}
ProcessHistory(«SYSTEM»,»»,»»,»\n»);
return(0);
}

sub GetFile {
print STDERR » In GetFile: $_» if ($debug);

while (<INPUT>) {
last if (/$prompt/);
}
ProcessHistory(«FILE»,»»,»»,»\n»);
return(0);
}

sub GetConf {
print STDERR " In GetConf: $_" if ($debug);
my $password_counter=0;
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
last if (/$prompt/);

# filter variabilities between configurations. password encryption
# upon each display of the configuration.
#if (/^\s*(set [^\s]*)\s(Enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {
# ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
# next;
#}
# if filtering passwords, note that we're on an opening account line
# next two lines will be passwords
if (/^create account / && $filter_pwds > 0 ) {
$password_counter=2;
ProcessHistory("","","","#$_");
next;
}
elsif ($password_counter > 0) {
$password_counter--;
ProcessHistory("","","","#<removed>\n");
next;
}
# NOTE: $filter_commstr (NOCOMMSTR) is evaluated in main but never applied
# here, so SNMP community strings are written to the saved config as-is.
ProcessHistory("","","","$_");
}
$found_end = 1;
return(1);
}

# dummy function
sub DoNothing {print STDOUT;}

# Main
@commandtable = (
{‘show switch’ => ‘GetSystem’},
{‘show config current_config’ => ‘GetConf’}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
@commands = map(keys(%$_), @commandtable);
%commands = map(%$_, @commandtable);

$cisco_cmds=join(«;», @commands);
$cmds_regexp = join(«|», map quotemeta($_), @commands);

if (length($host) == 0) {
if ($file) {
print(STDERR «Too few arguments: file name required\n»);
exit(1);
} else {
print(STDERR «Too few arguments: host name required\n»);
exit(1);
}
}
open(OUTPUT,»>$host.new») || die «Can’t open $host.new for writing: $!\n»;
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }

if ($file) {
print STDERR «opening file $host\n» if ($debug);
print STDOUT «opening file $host\n» if ($log);
open(INPUT,»<$host») || die «open failed for $host: $!\n»;
} else {
print STDERR «executing dllogin -t $timeo -c\»$cisco_cmds\» $host\n» if ($debug);
print STDOUT «executing dllogin -t $timeo -c\»$cisco_cmds\» $host\n» if ($log);
if (defined($ENV{NOPIPE})) {
system «dllogin -t $timeo -c \»$cisco_cmds\» $host </dev/null > $host.raw 2>&1″ || die «dllogin failed for $host: $!\n»;
open(INPUT, «< $host.raw») || die «dllogin failed for $host: $!\n»;
} else {
open(INPUT,»dllogin -t $timeo -c \»$cisco_cmds\» $host </dev/null |») || die «dllogin failed for $host: $!\n»;
}
}

# determine ACL sorting mode
if ($ENV{«ACLSORT»} =~ /no/i) {
$aclsort = «»;
}
# determine community string filtering mode
if (defined($ENV{«NOCOMMSTR»}) &&
($ENV{«NOCOMMSTR»} =~ /yes/i || $ENV{«NOCOMMSTR»} =~ /^$/)) {
$filter_commstr = 1;
} else {
$filter_commstr = 0;
}
# determine password filtering mode
if ($ENV{«FILTER_PWDS»} =~ /no/i) {
$filter_pwds = 0;
} elsif ($ENV{«FILTER_PWDS»} =~ /all/i) {
$filter_pwds = 2;
} else {
$filter_pwds = 1;
}

ProcessHistory(«»,»»,»»,»#RANCID-CONTENT-TYPE: D-Link\n\n»);
TOP: while(<INPUT>) {
tr/\015//d;
if (/^Error:/) {
print STDOUT («$host dllogin error: $_»);
print STDERR («$host dllogin error: $_») if ($debug);
last;
}
while (/^.+(#|\$)\s*($cmds_regexp)\s*$/) {
$cmd = $2;
# — FortiGate prompts end with either ‘#’ or ‘$’. Further, they may
# be prepended with a ‘~’ if the hostname is too long. Therefore,
# we need to figure out what our prompt really is.
# if (!defined($prompt)) {
# if ($_ =~ m/^.+\~\$/) {
# $prompt = ‘\~\$ .*’;
# } else {
# if ($_ =~ m/^.+\$/) {
# $prompt = ‘ \$ .*’;
# } else {
# if ($_ =~ m/^.+\~#/) {
# $prompt = ‘\~# .*’;
# } else {
if ($_ =~ m/^.+#/) {
$prompt = ‘.+#.*’;
}
# }
# }
# }
# }
print STDERR («HIT COMMAND:$_») if ($debug);
if (!defined($commands{$cmd})) {
print STDERR «$host: found unexpected command — \»$cmd\»\n»;
last TOP;
}
$rval = &{$commands{$cmd}};
delete($commands{$cmd});
if ($rval == -1) {
last TOP;
}
}
}
print STDOUT «Done $logincmd: $_\n» if ($log);
# Flush History
ProcessHistory(«»,»»,»»,»»);
# Cleanup
close(INPUT);
close(OUTPUT);

if (defined($ENV{NOPIPE})) {
unlink(«$host.raw») if (! $debug);
}

# check for completeness
if (scalar(%commands) || !$found_end) {
if (scalar(%commands)) {
printf(STDOUT «$host: missed cmd(s): %s\n», join(‘,’, keys(%commands)));
printf(STDERR «$host: missed cmd(s): %s\n», join(‘,’, keys(%commands))) if ($debug);
}
if (!$found_end) {
print STDOUT «$found_end: found end\n»;
print STDOUT «$host: End of run not found\n»;
print STDERR «$host: End of run not found\n» if ($debug);
system(«/usr/bin/tail -1 $host.new»);
}
unlink «$host.new» if (! $debug);

}

cat dl36
#! /usr/bin/expect --
##
## patched to accomplish fortinet from nlogin
## in turn patched to accomplish D-Link from fnlogin
## by: Daniel G. Epstein <dan at rootlike.com>
## adapted by: Diego Ercolani <diego.ercolani at ssis.sm>
## further adapted by: Gavin McCullagh <gavin.mccullagh at gcd.ie>
##
## rancid 2.3.6
## Copyright (c) 1997-2009 by Terrapin Communications, Inc.
## All rights reserved.
##
## This code is derived from software contributed to and maintained by
## Terrapin Communications, Inc. by Henry Kilmer, John Heasley, Andrew Partan,
## Pete Whiting, Austin Schutz, and Andrew Fort.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
## notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
## notice, this list of conditions and the following disclaimer in the
## documentation and/or other materials provided with the distribution.
## 3. All advertising materials mentioning features or use of this software
## must display the following acknowledgement:
## This product includes software developed by Terrapin Communications,
## Inc. and its contributors for RANCID.
## 4. Neither the name of Terrapin Communications, Inc. nor the names of its
## contributors may be used to endorse or promote products derived from
## this software without specific prior written permission.
## 5. It is requested that non-binding fixes and modifications be contributed
## back to Terrapin Communications, Inc.
##
## THIS SOFTWARE IS PROVIDED BY Terrapin Communications, INC. AND CONTRIBUTORS
## «AS IS» AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
## TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
## PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COMPANY OR CONTRIBUTORS
## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
## POSSIBILITY OF SUCH DAMAGE.
#
# The expect login scripts were based on Erik Sherk’s gwtn, by permission.
# Netscreen hacks implemented by Stephen Gill <gillsr at yahoo.com>.
# Fortinet hacks by Daniel G. Epstein <dan at rootlike.com>
# D-Link hacks by Gavin McCullagh <gmccullagh at gmail dot com>
#
#############################################################################
#
# dllogin — D-Link login
# This script is very much a hack based on the existing code, but it works for us.
#
# Thus far we have tested this on the following D-Link Switch models:
#
# DES-3010F — success (telnet, ssh)
# DES-3052P — success (telnet, ssh, … a little slow)
# DES-3526 — success (telnet, ssh)
# DES-3550 — success (telnet, ssh)
# DES-3250TG — fail (there’s no command to print config)
# DGS-3324SR — success (telnet, ssh)
# DGS-3100 — fail (but probably not too big a job to fix)
#
# Known bugs/issues:
# — line wrap problems cause newlines within config lines at 80 chars wide on
# some models (DES-3010F)
# — ssh can be quite slow on these units and we’ve even had anecdotal evidence
# that the load on the switches can occasionally cause packet loss. We
# generally use telnet for this reason and all is fine.
#
#
#############################################################################

# Usage line
set usage «Usage: $argv0 \[-dSV\] \[-c command\] \[-Evar=x\] \
\[-f cloginrc-file\] \[-p user-password\] \
\[-s script-file\] \[-t timeout\] \[-u username\] \
\[-v vty-password\] \[-x command-file\] \
\[-y ssh_cypher_type\] router \[router…\]\n»

# env(CLOGIN) may contain:
# x == do not set xterm banner or name

# Password file
set password_file $env(HOME)/.cloginrc
# Default is to login to the firewall
set do_command 0
set do_script 0
# The default is to look in the password file to find the passwords. This
# tracks if we receive them on the command line.
set do_passwd 1
set do_enapasswd 1
# Save config, if prompted
set do_saveconfig 0

# Find the user in the ENV, or use the unix userid.
if {[ info exists env(CISCO_USER) ]} {
set default_user $env(CISCO_USER)
} elseif {[ info exists env(USER) ]} {
set default_user $env(USER)
} elseif {[ info exists env(LOGNAME) ]} {
set default_user $env(LOGNAME)
} else {
# This uses «id» which I think is portable. At least it has existed
# (without options) on all machines/OSes I’ve been on recently —
# unlike whoami or id -nu.
if [ catch {exec id} reason ] {
send_error «\nError: could not exec id: $reason\n»
exit 1
}
regexp {\(([^)]*)} «$reason» junk default_user
}
if {[ info exists env(CLOGINRC) ]} {
set password_file $env(CLOGINRC)
}

# Sometimes firewall take awhile to answer (the default is 10 sec)
set timeout 45

# Process the command line
for {set i 0} {$i < $argc} {incr i} {
set arg [lindex $argv $i]

switch -glob — $arg {
# Expect debug mode
-d* {
exp_internal 1
# Username
} -u* {
if {! [ regexp .\[uU\](.+) $arg ignore user]} {
incr i
set username [ lindex $argv $i ]
}
# VTY Password
} -p* {
if {! [ regexp .\[pP\](.+) $arg ignore userpasswd]} {
incr i
set userpasswd [ lindex $argv $i ]
}
set do_passwd 0
# Environment variable to pass to -s scripts
} -E* {
if {[ regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} {
set E$varname $varvalue
} else {
send_user «\nError: invalid format for -E in $arg\n»
exit 1
}
# Command to run.
} -c* {
if {! [ regexp .\[cC\](.+) $arg ignore command]} {
incr i
set command [ lindex $argv $i ]
}
set do_command 1
# Expect script to run.
} -s* {
if {! [ regexp .\[sS\](.+) $arg ignore sfile]} {
incr i
set sfile [ lindex $argv $i ]
}
if { ! [ file readable $sfile ] } {
send_user «\nError: Can’t read $sfile\n»
exit 1
}
set do_script 1
# save config on exit
} -S* {
set do_saveconfig 1
# cypher type
} -y* {
if {! [ regexp .\[eE\](.+) $arg ignore cypher]} {
incr i
set cypher [ lindex $argv $i ]
}
# alternate cloginrc file
} -f* {
if {! [ regexp .\[fF\](.+) $arg ignore password_file]} {
incr i
set password_file [ lindex $argv $i ]
}
} -t* {
incr i
set timeout [ lindex $argv $i ]
} -x* {
if {! [ regexp .\[xX\](.+) $arg ignore cmd_file]} {
incr i
set cmd_file [ lindex $argv $i ]
}
if [ catch {set cmd_fd [open $cmd_file r]} reason ] {
send_user «\nError: $reason\n»
exit 1
}
set cmd_text [read $cmd_fd]
close $cmd_fd
set command [join [split $cmd_text \n] \;]
set do_command 1
# Version string
} -V* {
send_user «rancid 2.3.6\n»
exit 0
# Does tacacs automatically enable us?
} -autoenable {
# ignore autoenable
} -* {
send_user «\nError: Unknown argument! $arg\n»
send_user $usage
exit 1
} default {
break
}
}
}
# Process firewalls…no firewalls listed is an error.
if { $i == $argc } {
send_user «\nError: $usage»
}

# Only be quiet if we are running a script (it can log its output
# on its own)
if { $do_script } {
log_user 0
} else {
log_user 1
}

#
# Done configuration/variable setting. Now run with it…
#

# Sets Xterm title if interactive…if its an xterm and the user cares
proc label { host } {
global env
# if CLOGIN has an ‘x’ in it, don’t set the xterm name/banner
if [info exists env(CLOGIN)] {
if {[string first «x» $env(CLOGIN)] != -1} { return }
}
# take host from ENV(TERM)
if [info exists env(TERM)] {
if [regexp \^(xterm|vs) $env(TERM) ignore ] {
send_user «\033]1;[lindex [split $host «.»] 0]\a»
send_user «\033]2;$host\a»
}
}
}

# This is a helper function to make the password file easier to
# maintain. Using this the password file has the form:
# add password sl* pete cow
# add password at* steve
# add password * hanky-pie
proc add {var args} { global int_$var ; lappend int_$var $args}
proc include {args} {
global env
regsub -all «(^{|}$)» $args {} args
if { [ regexp «^/» $args ignore ] == 0 } {
set args $env(HOME)/$args
}
source_password_file $args
}

proc find {var router} {
upvar int_$var list
if { [info exists list] } {
foreach line $list {
if { [string match [lindex $line 0] $router ] } {
return [lrange $line 1 end]
}
}
}
return {}
}

# Loads the password file. Note that as this file is tcl, and that
# it is sourced, the user better know what to put in there, as it
# could install more than just password info… I will assume however,
# that a «bad guy» could just as easy put such code in the clogin
# script, so I will leave .cloginrc as just an extention of that script
proc source_password_file { password_file } {
global env
if { ! [file exists $password_file] } {
send_user "\nError: password file ($password_file) does not exist\n"
exit 1
}
# Refuse a .cloginrc that is readable or writable by "other". Only the
# world bits (007) are inspected; group permissions are not, so keep the
# file at mode 0600 regardless of this check.
file stat $password_file fileinfo
if { [expr ($fileinfo(mode) & 007)] != 0000 } {
send_user "\nError: $password_file must not be world readable/writable\n"
exit 1
}
# The file is sourced as Tcl: anything in it runs with the privileges of
# the user running this script (see the comment above this proc).
if [ catch {source $password_file} reason ] {
send_user "\nError: $reason\n"
exit 1
}
}

# Log into the firewall.
# returns: 0 on success, 1 on failure
proc login { router user userpswd passwd enapasswd prompt cmethod cyphertype } {
global spawn_id in_proc do_command do_script sshcmd
set in_proc 1
set uprompt_seen 0

# Telnet to the firewall & try to login.
set progs [llength $cmethod]
foreach prog [lrange $cmethod 0 end] {
incr progs -1
if [string match «telnet*» $prog] {
regexp {telnet(:([^[:space:]]+))*} $prog command suffix port
if {«$port» == «»} {
set retval [ catch {spawn telnet $router} reason ]
} else {
set retval [ catch {spawn telnet $router $port} reason ]
}
if { $retval } {
send_user «\nError: telnet failed: $reason\n»
return 1
}
} elseif [string match «ssh*» $prog] {
regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
if {«$port» == «»} {
set cmd [join [lindex $sshcmd 0] » «]
set retval [ catch {eval spawn [split «$cmd -c $cyphertype -x -l $user $router» { }]} reason ]
} else {
set cmd [join [lindex $sshcmd 0] » «]
set retval [ catch {eval spawn [split «$cmd -c $cyphertype -x -l $user -p $port $router» { }]} reason ]
}
if { $retval } {
send_user «\nError: $sshcmd failed: $reason\n»
return 1
}
} elseif ![string compare $prog «rsh»] {
send_error «\nError: unsupported method: rsh\n»
if { $progs == 0 } {
return 1
}
continue;
} else {
send_user «\nError: unknown connection method: $prog\n»
return 1
}

sleep 0.3

# This helps cleanup each expect clause.
expect_after {
timeout {
send_user «\nError: TIMEOUT reached\n»
catch {close}; catch {wait};
if { $in_proc} {
return 1
} else {
continue
}
} eof {
send_user «\nError: EOF received\n»
catch {close}; catch {wait};
if { $in_proc} {
return 1
} else {
continue
}
}
}

# Here we get a little tricky. There are several possibilities:
# the firewall can ask for a username and passwd and then
# talk to the TACACS server to authenticate you, or if the
# TACACS server is not working, then it will use the enable
# passwd. Or, the firewall might not have TACACS turned on,
# then it will just send the passwd.
# if telnet fails with connection refused, try ssh
expect {
-re «(Connection refused|Secure connection \[^\n\r]+ refused)» {
catch {close}; catch {wait};
if !$progs {
send_user «\nError: Connection Refused ($prog): $router\n»
return 1
}
}
-re «(Connection closed by|Connection to \[^\n\r]+ closed)» {
catch {close}; catch {wait};
if !$progs {
send_user «\nError: Connection closed ($prog): $router\n»
return 1
}
}
eof { send_user «\nError: Couldn’t login: $router\n»; wait; return 1 }
-nocase «unknown host\r» {
send_user «\nError: Unknown host $router\n»;
catch {close}; catch {wait};
return 1
}
«Host is unreachable» {
send_user «\nError: Host Unreachable: $router\n»;
catch {close}; catch {wait};
return 1
}
«No address associated with name» {
send_user «\nError: Unknown host $router\n»;
catch {close}; catch {wait};
return 1
}
-re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" {
# First contact: the unknown host key is accepted automatically
# (trust-on-first-use). Pre-seeding known_hosts on the collector
# closes this window; a changed key (below) is still refused.
send "yes\r"
send_user "\nHost $router added to the list of known hosts.\n"
exp_continue }
-re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" {
send "no\r"
send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n"
catch {close}; catch {wait};
return 1
}
-re "Offending key for .* \(yes\/no\)\?" {
send "no\r"
send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n"
catch {close}; catch {wait};
return 1
}
-re "(denied|Sorry)" {
send_user "\nError: Check your passwd for $router\n"
catch {close}; catch {wait}; return 1
}
"Login failed" {
send_user "\nError: Check your passwd for $router\n";
catch {close}; catch {wait}; return 1
}
-re "\[Uu]ser\[nN]ame:" {
sleep 1;
send -- "$user\r"
set uprompt_seen 1
exp_continue
}
-re "@\[^\r\n]+\[Pp]assword:" {
# ssh pwd prompt
sleep 1
send -- "$userpswd\r"
exp_continue
}
"\[Pp]ass\[Ww]ord:" {
sleep 1;
if {$uprompt_seen == 1} {
send -- "$userpswd\r"
} else {
send -- "$passwd\r"
}
exp_continue
}
-- "$prompt" { break; }
}
}
set in_proc 0
return 0
}

# Run commands given on the command line.
proc run_commands { prompt command } {
global in_proc
set in_proc 1
# Disable output paging.
send — «disable clipaging\r»
expect -re $prompt;

set commands [split $command \;]
set num_commands [llength $commands]
for {set i 0} {$i < $num_commands} { incr i} {
send — «[subst [lindex $commands $i]]\r»
# send_user «**************** [subst [lindex $commands $i]] ************\n»
expect {
-re «$prompt» { send «\r»
sleep 0.5
}
-re «All » { send «a»
exp_continue
-re «\[\n\r]+» { exp_continue }
}
}
}
# send_user «******* fuori da ciclo for *******\n»
expect {
-re «$prompt$» {
send «enable clipaging\r»
send «logout\r»
sleep 0.5
exp_continue
}
-re «\[\n\r]+» { exp_continue }
-gl «Configuration modified, save?» {
send «n\r»
exp_continue
}
timeout { catch {close}; catch {wait};
return 0
}
eof { return 0 }
}
set in_proc 0
}

#
# For each firewall… (this is main loop)
#
source_password_file $password_file
set in_proc 0
set exitval 0
foreach router [lrange $argv $i end] {
set router [string tolower $router]
send_user «$router\n»

# FortiOS 2.x prompts can end in either ‘#’ or ‘$’
set prompt «\[#\\$]»

# Figure out passwords
if { $do_passwd || $do_enapasswd } {
set pswd [find password $router]
if { [llength $pswd] == 0 } {
send_user «\nError: no password for $router in $password_file.\n»
continue
}
set passwd [join [lindex $pswd 0] «»]
set enapasswd [join [lindex $pswd 1] «»]
} else {
set passwd $userpasswd
set enapasswd $enapasswd
}

# Figure out username
if {[info exists username]} {
# command line username
set ruser $username
} else {
set ruser [join [find user $router] «»]
if { «$ruser» == «» } { set ruser $default_user }
}

# Figure out username’s password (if different from the vty password)
if {[info exists userpasswd]} {
# command line username
set userpswd $userpasswd
} else {
set userpswd [join [find userpassword $router] «»]
if { «$userpswd» == «» } { set userpswd $passwd }
}
# Figure out cypher type
if {[info exists cypher]} {
# command line cypher type
set cyphertype $cypher
} else {
set cyphertype [find cyphertype $router]
if { «$cyphertype» == «» } { set cyphertype «3des» }
}

# Figure out connection method
set cmethod [find method $router]
if { «$cmethod» == «» } { set cmethod {{telnet} {ssh}} }

# Figure out the SSH executable name
set sshcmd [find sshcmd $router]
if { «$sshcmd» == «» } { set sshcmd {ssh} }

# Login to the router
if {[login $router $ruser $userpswd $passwd $enapasswd $prompt $cmethod $cyphertype]} {
incr exitval
continue
}

# we are logged in, now figure out the full prompt based on what the device sends us.
send «\r»
expect {
-re «\[\r\n]+» { exp_continue; }
-re «^(.+$prompt)» { set junk $expect_out(0,string); }
if {[$junk = «(^\\$ $)»]} {
set prompt $junk;
} else {
if {[$junk = «(^# $)»]} { set prompt $junk ; }
};
}

if { $do_command } {
if {[run_commands $prompt $command]} {
incr exitval
continue
}
} elseif { $do_script } {
# Disable output paging.
send «enable clipaging\r»
send «config system console\r»
send «set output standard\r»
send «end\r»
expect -re $prompt {}
source $sfile
catch {close};
} else {
label $router
log_user 1
interact
}

# End of for each firewall
catch {wait};
sleep 0.3
}
exit $exitval

cat dl36rancid
#! /usr/bin/perl
##
##
## dlrancid
##
## rancid 2.3.6
## Copyright (c) 1997-2008 by Terrapin Communications, Inc.
## All rights reserved.
##
## This code is derived from software contributed to and maintained by
## Terrapin Communications, Inc. by Henry Kilmer, John Heasley, Andrew Partan,
## Pete Whiting, Austin Schutz, and Andrew Fort.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
## notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
## notice, this list of conditions and the following disclaimer in the
## documentation and/or other materials provided with the distribution.
## 3. All advertising materials mentioning features or use of this software
## must display the following acknowledgement:
## This product includes software developed by Terrapin Communications,
## Inc. and its contributors for RANCID.
## 4. Neither the name of Terrapin Communications, Inc. nor the names of its
## contributors may be used to endorse or promote products derived from
## this software without specific prior written permission.
## 5. It is requested that non-binding fixes and modifications be contributed
## back to Terrapin Communications, Inc.
##
## THIS SOFTWARE IS PROVIDED BY Terrapin Communications, INC. AND CONTRIBUTORS
## «AS IS» AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
## TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
## PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COMPANY OR CONTRIBUTORS
## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
## POSSIBILITY OF SUCH DAMAGE.
#
# A library built on Stephen Gill’s Netscreen stuff to accomodate
# the Fortinet product line. [d_pfleger at juniper.net]
# In turn massaged some more to accomodate the D-Link line of switches
#
# RANCID — Really Awesome New Cisco confIg Differ
#
# usage: dlrancid [-dV] [-l] [-f filename | hostname]
#
use Getopt::Std;
getopts(‘dflV’);
if ($opt_V) {
print «rancid 2.3.6\n»;
exit(0);
}
$log = $opt_l;
$debug = $opt_d;
#$debug = 1;
$file = $opt_f;
$host = $ARGV[0];
$found_end = 0;
$timeo = 300; # dllogin timeout in seconds (some of these devices are remarkably slow to read config)

my(@commandtable, %commands, @commands);# command lists
my($aclsort) = («ipsort»); # ACL sorting mode
my($filter_commstr); # SNMP community string filtering
my($filter_pwds); # password filtering mode

# This routine is used to print out the router configuration
sub ProcessHistory {
my ($new_hist_tag,$new_command,$command_string, @string) = (@_);
if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
&& scalar(%history)) {
print eval «$command \%history»;
undef %history;
}
if (($new_hist_tag) && ($new_command) && ($command_string)) {
if ($history{$command_string}) {
$history{$command_string} = «$history{$command_string}@string»;
} else {
$history{$command_string} = «@string»;
}
} elsif (($new_hist_tag) && ($new_command)) {
$history{++$#history} = «@string»;
} else {
print «@string»;
}
$hist_tag = $new_hist_tag;
$command = $new_command;
1;
}

sub numerically { $a <=> $b; }

# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort numerically keys(%lines)) {
$sorted_lines[$i] = $lines{$key};
$i++;
}
@sorted_lines;
}

# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort keys(%lines)) {
$sorted_lines[$i] = $lines{$key};
$i++;
}
@sorted_lines;
}

# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort values %lines) {
$sorted_lines[$i] = $key;
$i++;
}
@sorted_lines;
}

# This is a numerical sort routine (ascending).
sub numsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $num (sort {$a <=> $b} keys %lines) {
$sorted_lines[$i] = $lines{$num};
$i++;
}
@sorted_lines;
}

# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $addr (sort sortbyipaddr keys %lines) {
$sorted_lines[$i] = $lines{$addr};
$i++;
}
@sorted_lines;
}

# These two routines will sort based upon IP addresses
sub ipaddrval {
my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
$a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
}
sub sortbyipaddr {
&ipaddrval($a) <=> &ipaddrval($b);
}

# This routine parses "show switch"
sub GetSystem {
print STDERR " In GetSystem: $_" if ($debug);

my $priv_key;
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
last if (/$prompt/);

#next if (/^System Time:/i);
#next if (/^\s*Virus-DB: .*/);
#next if (/^\s*Extended DB: .*/);
#next if (/^\s*IPS-DB: .*/);
#next if (/^FortiClient application signature package:/);
ProcessHistory("","","","#$_");
}
ProcessHistory("SYSTEM","","","\n");
return(0);
}

sub GetFile {
print STDERR " In GetFile: $_" if ($debug);

while (<INPUT>) {
last if (/$prompt/);
}
ProcessHistory("FILE","","","\n");
return(0);
}

sub GetConf {
print STDERR " In GetConf: $_" if ($debug);
my $password_counter=0;
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
last if (/$prompt/);

# filter variabilities between configurations. password encryption
# upon each display of the configuration.
#if (/^\s*(set [^\s]*)\s(Enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {
# ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
# next;
#}
# if filtering passwords, note that we're on an opening account line
# next two lines will be passwords
if (/^create account / && $filter_pwds > 0 ) {
$password_counter=2;
ProcessHistory("","","","#$_");
next;
}
elsif ($password_counter > 0) {
$password_counter--;
ProcessHistory("","","","#<removed>\n");
next;
}
# NOTE: $filter_commstr (NOCOMMSTR) is evaluated in main but never applied
# here, so SNMP community strings are written to the saved config as-is.
ProcessHistory("","","","$_");
}
$found_end = 1;
return(1);
}
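The GetConf routine above (and its twin in the dlrancid script earlier on this page) is the only place secrets are scrubbed before the config lands in version control, and it leaves SNMP community strings untouched even though the scripts parse NOCOMMSTR. The following is an added example, not part of RANCID or of the scripts on this page: it reproduces the `create account` rule in Python, decodes the FILTER_PWDS / NOCOMMSTR environment variables the same way the scripts do, and adds community-string redaction. The sample config is constructed, and the `create snmp community <string> view <view> ...` line format is an assumption about D-Link syntax.

```python
"""Credential redaction for D-Link 'show config' output, as captured by RANCID.

Added example, not part of RANCID or of the dlrancid/dl36rancid scripts on
this page. It reproduces GetConf's rule (with FILTER_PWDS set, the two lines
that follow 'create account ...' are the password and its confirmation and
are replaced by '#<removed>') and adds the SNMP community-string redaction
that the scripts read from NOCOMMSTR but never apply. SAMPLE_CONFIG is
constructed; the 'create snmp community <string> view ...' syntax is assumed.
"""
import re
from typing import Dict, Iterable, List, Tuple

ACCOUNT_RE = re.compile(r"^create account ")
# Assumed D-Link form: create snmp community <string> view <view> read_only|read_write
SNMP_COMMUNITY_RE = re.compile(r"^(create snmp community )(\S+)(.*)$")


def filter_modes(env: Dict[str, str]) -> Tuple[int, bool]:
    """Decode FILTER_PWDS / NOCOMMSTR exactly as the rancid scripts do.

    FILTER_PWDS: 'no' -> 0 (keep passwords), 'all' -> 2, anything else -> 1.
    NOCOMMSTR:   defined and equal to '' or matching 'yes' -> filter communities.
    """
    pwds = env.get("FILTER_PWDS", "")
    if re.search("no", pwds, re.I):
        filter_pwds = 0
    elif re.search("all", pwds, re.I):
        filter_pwds = 2
    else:
        filter_pwds = 1
    commstr = env.get("NOCOMMSTR")
    filter_commstr = commstr is not None and (
        commstr == "" or re.search("yes", commstr, re.I) is not None
    )
    return filter_pwds, filter_commstr


def redact_config(lines: Iterable[str], filter_pwds: int = 1,
                  filter_commstr: bool = True) -> List[str]:
    """Return the config with secrets replaced, mirroring GetConf line by line."""
    out: List[str] = []
    password_counter = 0
    for raw in lines:
        line = raw.rstrip("\r\n")          # tr/\015//d
        if not line.strip():               # next if /^\s*$/
            continue
        if filter_pwds > 0 and ACCOUNT_RE.match(line):
            password_counter = 2           # the next two lines are the password
            out.append("#" + line)         # keep the account line, commented out
            continue
        if password_counter > 0:
            password_counter -= 1
            out.append("#<removed>")
            continue
        if filter_commstr:
            m = SNMP_COMMUNITY_RE.match(line)
            if m:                          # not done by the original scripts
                out.append(f"{m.group(1)}<removed>{m.group(3)}")
                continue
        out.append(line)
    return out


# Constructed sample of what 'show config current_config' might return.
SAMPLE_CONFIG = """\
# ACCOUNT LIST
create account admin netops
S3cr3t!
S3cr3t!
create account user readonly
ro-pass
ro-pass

# SNMP
create snmp community public view CommunityView read_only
create snmp community ch4ng3me view CommunityView read_write
enable snmp
"""


def leaks_secrets(redacted: List[str]) -> bool:
    """True if any secret from the sample survived redaction."""
    text = "\n".join(redacted)
    return any(s in text for s in ("S3cr3t!", "ro-pass", "ch4ng3me"))


if __name__ == "__main__":
    pwds, comm = filter_modes({"FILTER_PWDS": "", "NOCOMMSTR": ""})
    for line in redact_config(SAMPLE_CONFIG.splitlines(), pwds, comm):
        print(line)
```

Run it with `NOCOMMSTR=` in the environment to see the community lines masked as well; with `FILTER_PWDS=no` the passwords pass through unchanged, which is what the scripts on this page do for community strings in every mode.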

# dummy function
sub DoNothing {print STDOUT;}

# Main
@commandtable = (
{'show switch' => 'GetSystem'},
{'show config active' => 'GetConf'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
@commands = map(keys(%$_), @commandtable);
%commands = map(%$_, @commandtable);

$cisco_cmds=join(«;», @commands);
$cmds_regexp = join(«|», map quotemeta($_), @commands);

if (length($host) == 0) {
if ($file) {
print(STDERR «Too few arguments: file name required\n»);
exit(1);
} else {
print(STDERR «Too few arguments: host name required\n»);
exit(1);
}
}
open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }

if ($file) {
print STDERR "opening file $host\n" if ($debug);
print STDOUT "opening file $host\n" if ($log);
open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
print STDERR "executing dl36 -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
print STDOUT "executing dl36 -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
if (defined($ENV{NOPIPE})) {
system "dl36 -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "dl36 failed for $host: $!\n";
open(INPUT, "< $host.raw") || die "dl36 failed for $host: $!\n";
} else {
open(INPUT,"dl36 -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "dl36 failed for $host: $!\n";
}
}

# determine ACL sorting mode
if ($ENV{"ACLSORT"} =~ /no/i) {
$aclsort = "";
}
# determine community string filtering mode
if (defined($ENV{"NOCOMMSTR"}) &&
($ENV{"NOCOMMSTR"} =~ /yes/i || $ENV{"NOCOMMSTR"} =~ /^$/)) {
$filter_commstr = 1;
} else {
$filter_commstr = 0;
}
# determine password filtering mode
if ($ENV{"FILTER_PWDS"} =~ /no/i) {
$filter_pwds = 0;
} elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
$filter_pwds = 2;
} else {
$filter_pwds = 1;
}

ProcessHistory(«»,»»,»»,»#RANCID-CONTENT-TYPE: D-Link\n\n»);
TOP: while(<INPUT>) {
tr/\015//d;
if (/^Error:/) {
print STDOUT («$host dllogin error: $_»);
print STDERR («$host dllogin error: $_») if ($debug);
last;
}
while (/^.+(#|\$)\s*($cmds_regexp)\s*$/) {
$cmd = $2;
# — FortiGate prompts end with either ‘#’ or ‘$’. Further, they may
# be prepended with a ‘~’ if the hostname is too long. Therefore,
# we need to figure out what our prompt really is.
# if (!defined($prompt)) {
# if ($_ =~ m/^.+\~\$/) {
# $prompt = ‘\~\$ .*’;
# } else {
# if ($_ =~ m/^.+\$/) {
# $prompt = ‘ \$ .*’;
# } else {
# if ($_ =~ m/^.+\~#/) {
# $prompt = ‘\~# .*’;
# } else {
if ($_ =~ m/^.+#/) {
$prompt = ‘.+#.*’;
}
# }
# }
# }
# }
print STDERR («HIT COMMAND:$_») if ($debug);
if (!defined($commands{$cmd})) {
print STDERR «$host: found unexpected command — \»$cmd\»\n»;
last TOP;
}
$rval = &{$commands{$cmd}};
delete($commands{$cmd});
if ($rval == -1) {
last TOP;
}
}
}
print STDOUT «Done $logincmd: $_\n» if ($log);
# Flush History
ProcessHistory(«»,»»,»»,»»);
# Cleanup
close(INPUT);
close(OUTPUT);

if (defined($ENV{NOPIPE})) {
unlink(«$host.raw») if (! $debug);
}

# check for completeness
if (scalar(%commands) || !$found_end) {
if (scalar(%commands)) {
printf(STDOUT «$host: missed cmd(s): %s\n», join(‘,’, keys(%commands)));
printf(STDERR «$host: missed cmd(s): %s\n», join(‘,’, keys(%commands))) if ($debug);
}
if (!$found_end) {
print STDOUT «$found_end: found end\n»;
print STDOUT «$host: End of run not found\n»;
print STDERR «$host: End of run not found\n» if ($debug);
system(«/usr/bin/tail -1 $host.new»);
}
unlink «$host.new» if (! $debug);
}


That's all; happy backups 😉


Cisco 76xx RSP 720 mls cef maximum-routes

Hello comrades, this is more a note than a how-to ...
When you need to take a full BGP view, which by now is well past 500k routes, you have no choice but to do some tuning. The symptom looks like this:
%MLSCEF-SP-4-FIB_EXCEPTION_THRESHOLD: Hardware CEF entry usage is at 95% capacity for IPv4 unicast protocol.

It would seem nothing could be simpler than typing:
mls cef maximum-routes ip 768

and all would be well, but not so fast. First, this command only takes effect after a reload. Second, what do you do when, after the reload, the box announces that it will reload again in 3 minutes and tells you to put the configuration back? Reading yet another doc came to my rescue, and it became clear that
if the SP and RP have different config-registers you get this nonsense on the console, and to avoid it
it is enough to bring them into agreement; for that simply enter:
Router(config)#config-register 0x2102
or, if you are in rommon:
rommon 1 >confreg 0x2102
Now accept as many routes as you like, up to the 768k ceiling. If you want more you can go to a million, but bear in mind that by enlarging the IPv4 share of the TCAM you shrink what is left for IPv6 and IP multicast; given that IPv6 prefix counts are slowly growing, they should not be neglected.
That's all!
Success in work and in pay =)
Your comrade-in-arms Taras.Kramarets aka ~NiX~
P.S. When copying this article, a (follow, index) link to the source is mandatory!
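The full sequence, with the checks I would run before and after the reload, as an added example that is not part of the original post. "Router" is a placeholder hostname, and the SP is reached with the same `remote command switch` form used elsewhere on this blog; the value 0x2102 is the normal boot-from-flash register, not the only valid one.

```text
! Before touching anything: both the RP and the SP must report the same
! configuration register, otherwise the post-reload "reload in 3 minutes"
! warning described above appears.
Router# show version
Router# remote command switch show version
!   -> compare the "Configuration register is ..." line from each

! Align the registers and raise the IPv4 FIB ceiling (takes effect on reload).
Router# configure terminal
Router(config)# config-register 0x2102
Router(config)# mls cef maximum-routes ip 768
Router(config)# end
Router# write memory
Router# reload

! After the reload: confirm the new split and that no further reload is pending.
Router# show mls cef maximum-routes
Router# show version
Router# remote command switch show version
```

The `show mls cef maximum-routes` output is where you see how much of the TCAM is now left for IPv6 and multicast; decide on the IPv4 number with that figure in front of you rather than from the route count alone.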