Using SNMP to Modify a Router's Running Configuration
Problem
You want to use SNMP to either download or modify a router's configuration.
Solution
To download a copy of your router's current configuration file to a TFTP server, or to upload one from it, via SNMP, you first have to configure the router for read-write SNMP access:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server community ORARW rw
Router(config)#end
To download the current configuration file, you will need to create an empty file on your TFTP server. In this case, we assume a Unix server, although TFTP server software is available for essentially every popular operating system. Then you can send an SNMP command to the router to trigger the TFTP download:
Freebsd% touch /tftpboot/router.cfg
Freebsd% chmod 666 /tftpboot/router.cfg
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.55.172.25.1.1 s router.cfg
enterprises.9.2.1.55.172.25.1.1 = "router.cfg"
Freebsd%
You can also use SNMP to trigger the router to upload a configuration file from your TFTP server, as follows:
Freebsd% echo "no ip source-route" > /tftpboot/new.cfg
Freebsd% echo "end" >> /tftpboot/new.cfg
Freebsd% chmod 666 /tftpboot/new.cfg
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.53.172.25.1.1 s new.cfg
enterprises.9.2.1.53.172.25.1.1 = "new.cfg"
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.54.0 i 1
enterprises.9.2.1.54.0 = 1
Freebsd%
Discussion
The ability to extract or modify your router's configuration via SNMP is powerful yet scary. These examples illustrate the power of SNMP read-write access and the main reason we advocate SNMP security features. We highly recommend that you read recipe 17.11 before allowing open SNMP write access on your routers. That recipe demonstrates an effective way to mitigate unauthorized tampering with your router's configuration files.
The first example illustrates how to extract your router's running configuration file to a TFTP server using SNMP. Before a typical TFTP server will accept a file transfer, a world-writable file of that name must already exist. On a Unix platform, the touch command creates this file, and the chmod command ensures that it has the proper file attributes.
The snmpset command instructs the router to send its running configuration file to a particular file on a particular TFTP server:
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.55.172.25.1.1 s router.cfg
In this command, Router is the name (or IP address) of the router, and ORARW is the read-write SNMP community string. The MIB OID value is actually in two parts: the first part, .1.3.6.1.4.1.9.2.1.55, is the object in the Cisco MIB extension that instructs the router to send its configuration file, and the second part, 172.25.1.1 in this case, is the IP address of your TFTP server. The final two arguments name the file: the single letter "s" designates that the argument that follows is a character string, and router.cfg is the name the file will have on the TFTP server.
It is extremely useful to be able to extract a router's configuration file like this. The Bourne shell script in Example 17-2 uses this method to extract and store the current configuration file from a Cisco router. The script just automates the commands listed in the solution section to simplify the extraction of router configuration files.
The script takes a single argument, the router name or IP address, and stores the router's configuration file in the /tftpboot directory. The file name is the name of the router with ".auto" appended (e.g., router.auto).
Example 17-2. conf
#!/bin/sh
You would run this script as follows:
Freebsd% ./conf router
Completed Successfully
Freebsd%
This script assumes NET-SNMP is installed on the server and requires two variables to be set, snmprw and tftp: snmprw contains your organization's SNMP read-write community string, and tftp contains the IP address of your TFTP server.
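The body of Example 17-2 does not survive on this page. The Bourne shell script below is an added example written for this edit, not the book's Example 17-2, that implements the interface the text describes: one argument (the router name or IP address), the snmprw and tftp variables exported in the environment, NET-SNMP's snmpset on the path, and the result stored as /tftpboot/<router>.auto. Beyond the recipe's commands it checks that tftp is a dotted-quad IPv4 address (the address is spliced into the OID, so a malformed value would address the wrong object rather than fail) and waits for the transfer to actually land before reporting success. The TFTPROOT variable and the 30-second wait are assumptions, not anything from the recipe.

```shell
#!/bin/sh
# Added example (not the book's Example 17-2): pull a Cisco router's running
# configuration to a TFTP server by writing the writeNet object
# .1.3.6.1.4.1.9.2.1.55.<tftp-ip> with NET-SNMP's snmpset.
# Assumed: snmprw (read-write community) and tftp (TFTP server IP) are
# exported by the caller, snmpset is on PATH, and the TFTP root is /tftpboot.
TFTPROOT="${TFTPROOT:-/tftpboot}"
WAIT_SECONDS=30   # assumed: how long to wait for the router to finish the transfer

# True if $1 is a dotted-quad IPv4 address. The address becomes part of the
# OID, so anything else would quietly address the wrong object instead of failing.
valid_ipv4() {
    addr=$1
    n=0
    while [ -n "$addr" ]; do
        octet=${addr%%.*}
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$addr" = "$octet" ] && break     # last octet consumed
        addr=${addr#*.}
        [ -n "$addr" ] || return 1          # trailing dot
    done
    [ "$n" -eq 4 ]
}

# writeNet OID for a given TFTP server address.
write_net_oid() {
    printf '.1.3.6.1.4.1.9.2.1.55.%s\n' "$1"
}

# File the configuration is stored in: the router name with ".auto" appended.
auto_filename() {
    printf '%s.auto\n' "$1"
}

fetch_config() {
    router=$1
    [ -n "$router" ] || { echo "usage: $0 router" >&2; return 2; }
    [ -n "$snmprw" ] && [ -n "$tftp" ] ||
        { echo "snmprw and tftp must be set in the environment" >&2; return 2; }
    valid_ipv4 "$tftp" || { echo "tftp is not an IPv4 address: $tftp" >&2; return 2; }

    name=$(auto_filename "$router")
    target="$TFTPROOT/$name"
    # A typical TFTP daemon only writes into a file that already exists and is
    # world-writable; this is the touch/chmod step from the Solution.
    : > "$target" && chmod 666 "$target" || return 1

    # Ask the router to send its running configuration to the TFTP server.
    snmpset -v1 -c "$snmprw" "$router" "$(write_net_oid "$tftp")" s "$name" >/dev/null || return 1

    # snmpset returns as soon as the router accepts the request; the transfer
    # itself runs afterwards, so wait until the file has content.
    i=0
    while [ ! -s "$target" ] && [ "$i" -lt "$WAIT_SECONDS" ]; do
        sleep 1
        i=$((i + 1))
    done
    [ -s "$target" ] || { echo "transfer did not complete: $target is empty" >&2; return 1; }
    echo "Completed Successfully"
}

# Run only when invoked with arguments, so the functions can be sourced for testing.
if [ "$#" -gt 0 ]; then
    fetch_config "$@"
fi
```

Run it as `snmprw=ORARW tftp=172.25.1.1 ./conf router`; it refuses to touch the TFTP directory or send any SNMP request until both variables are present and the address is well-formed.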
The second example in the Solution loads new configuration commands into a router. Before you can upload anything, a world-readable file containing these router configuration commands must exist in your TFTP directory, so in the example we created a simple configuration file. We used Unix echo commands to create it, although in practice you should probably use a text editor, which helps limit the number of typing errors in your router's configuration. The last line in the configuration file should be the end command; this prevents the router from complaining about an unexpected end to the configuration file.
Note that when you upload a configuration file like this, the router merges the commands into its existing configuration, just as it does when you type the commands at the router's console.
There are two important differences between the snmpset commands that upload and download a configuration file. The first is the OID value. Be very careful that you get the right value here, because you don't want to accidentally upload an old configuration when you're trying to download. The second difference is that, after uploading the configuration file, we issued a second, different snmpset command. This command saves the configuration changes to NVRAM; it is the same as logging into the router and typing write memory or copy running-config startup-config.
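The upload sequence just described, as an added shell example (not from the book), with the pre-flight checks a practitioner would want before pushing a merge: the file exists under the TFTP root, is world-readable, and finishes with the end line the text calls for. The two objects are the ones the recipe uses (.53 to load the file, .54.0 to save to NVRAM); the writeNet object (.55) is deliberately not defined in this script, so a typo cannot send the configuration in the wrong direction. The snmprw and tftp environment variables and the TFTPROOT default are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): merge a configuration file from the TFTP
# server into a Cisco router over SNMP, then save it to NVRAM, with checks on
# the file first. Assumed: snmprw and tftp are exported by the caller,
# snmpset (NET-SNMP) is on PATH, and the TFTP root is /tftpboot.
# Objects used, as on the page:
#   .1.3.6.1.4.1.9.2.1.53.<tftp-ip>  load a file from the TFTP host (merge)
#   .1.3.6.1.4.1.9.2.1.54.0 = 1      write the running config to NVRAM
# The writeNet object (.55) is intentionally absent from this script.
TFTPROOT="${TFTPROOT:-/tftpboot}"
WRITE_MEM_OID=.1.3.6.1.4.1.9.2.1.54.0

host_config_set_oid() {
    printf '.1.3.6.1.4.1.9.2.1.53.%s\n' "$1"
}

# Last non-blank line of a file, with surrounding whitespace removed.
last_nonblank_line() {
    grep -v '^[[:space:]]*$' "$1" | tail -n 1 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Pre-flight: the file must exist, be readable by everyone (the TFTP daemon
# serves it unprivileged), and finish with "end" so the router does not
# complain about an unexpected end of the configuration.
check_config_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    # character 8 of "ls -l" output is the read bit for "others"
    [ "$(ls -l "$f" | cut -c8)" = r ] || { echo "$f: not world-readable (chmod 644)" >&2; return 1; }
    [ "$(last_nonblank_line "$f")" = end ] || { echo "$f: last line must be 'end'" >&2; return 1; }
}

push_config() {
    router=$1
    file=$2
    [ -n "$router" ] && [ -n "$file" ] || { echo "usage: $0 router file" >&2; return 2; }
    [ -n "$snmprw" ] && [ -n "$tftp" ] ||
        { echo "snmprw and tftp must be set in the environment" >&2; return 2; }
    check_config_file "$TFTPROOT/$file" || return 1

    # Step 1: the router fetches the file and merges it into running-config,
    # exactly as if the lines had been typed at the console.
    snmpset -v1 -c "$snmprw" "$router" "$(host_config_set_oid "$tftp")" s "$file" >/dev/null || return 1
    # Step 2: commit to NVRAM (write memory / copy running-config startup-config).
    # Without this step the merged change does not survive a reload.
    snmpset -v1 -c "$snmprw" "$router" "$WRITE_MEM_OID" i 1 >/dev/null || return 1
    echo "Merged $file into $router and saved to NVRAM"
}

if [ "$#" -gt 0 ]; then
    push_config "$@"
fi
```

Run it as `snmprw=ORARW tftp=172.25.1.1 ./push router new.cfg`, where new.cfg is the file name relative to the TFTP root, exactly as the router will request it; no SNMP request is sent until all three file checks pass.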