Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Automatically saving switch configs in git

    Posted 20 days ago

    In another thread, I mentioned that I have a script which renames uploaded Juniper config files and stores them in git.  Here is info on that.  Since this is written specifically for my own setup, you'll need to adapt each script.

    First, you need a server with git and python3 installed, and with a user that will be used by the Junipers to upload the configs.  I very creatively called this user "switch". You'll also need a git repo for the switch configs, checked out in a location not accessible by the switch user.

    And of course the switches must be configured to upload their configs on commit.

    set system archival configuration transfer-on-commit
    set system archival configuration archive-sites "scp://switch@192.168.19.139:/home/switch"

    I cobbled together my own scponly script, based on various search results.

    #!/bin/bash

    # Not related to the old and unmaintained scponly program

    # Only allow from switch IP range.
    # SSH_CLIENT is "<client ip> <client port> <server port>", so the first 9
    # characters cover the 10.100.1. subnet or exactly "10.1.1.1 " (note the
    # trailing space, which stops 10.1.1.10 etc. from matching).
    if [[ "${SSH_CLIENT:0:9}" != "10.100.1." && "${SSH_CLIENT:0:9}" != "10.1.1.1 " ]]; then
       logger "Reject connection from invalid client ${SSH_CLIENT}"
       echo "Access Denied"
       exit 1
    fi

    # Only allow incoming scp commands from switches.
    # SSH_ORIGINAL_COMMAND is set by sshd because of the ForceCommand below.
    if [ "${SSH_ORIGINAL_COMMAND:0:4}" != "scp " ]; then
       logger "Reject invalid command '${SSH_ORIGINAL_COMMAND}' from client ${SSH_CLIENT}"
       echo "Access Denied"
       exit 1
    fi

    logger "Accept scp connection from client ${SSH_CLIENT}"
    # Run the scp server side the switch asked for (e.g. "scp -t /home/switch").
    $SSH_ORIGINAL_COMMAND

    To use this, add the following to the bottom of /etc/ssh/sshd_config:

    Match User switch
           X11Forwarding no
           AllowTcpForwarding no
           ForceCommand /usr/local/bin/scp_only.sh

    And finally, the switch config management script itself.  This will definitely need to be edited to handle your switches, since right now it only handles a couple of obsolete switches.  And if you don't want to store the number of switches in a VC in the filename, there are a few lines you can delete.  The script is a decent size, so I've added it as an attachment.  I had to make it a .txt in order to upload it, but as you can see, it really is a .py.

    The last step is to add it to crontab, running every 5 minutes (or whatever interval you desire).

    This is written for Linux, but I'm sure some brave intrepid soul could adapt the script to Windows if they really wanted to.

    Hope this helps!  :)



    ------------------------------
    MELISSA NEWROCK
    ------------------------------

    Attachment(s)
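The attached script is not reproduced on this page, so here is an added example (written for this thread, not the poster's code) of the cron-driven half of the setup: it picks up files the switches dropped into the scp user's home, stores one file per switch in the git checkout, and commits only when a config actually changed. It assumes the Junos archival naming convention hostname_juniper.conf.gz_YYYYMMDD_HHMMSS (or .conf without .gz when the upload is not compressed); the hostnames, paths and config snippets in the demo are constructed.

```python
#!/usr/bin/env python3
"""Pick up Junos archival uploads from the scp drop directory and stage them
into a git checkout, one file per switch.  Example code written for this
thread, not the poster's attached script."""
import gzip
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumption: Junos names each upload <hostname>_juniper.conf.gz_YYYYMMDD_HHMMSS
# (or juniper.conf without .gz when compression is off).
ARCHIVE_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9._-]+?)_juniper\.conf(?P<gz>\.gz)?_(?P<ts>\d{8}_\d{6})$"
)


def parse_archive_name(name):
    """Return (hostname, timestamp, is_gzipped) or None for anything else."""
    m = ARCHIVE_RE.match(name)
    if not m:
        return None
    return m.group("host"), m.group("ts"), m.group("gz") is not None


def read_config(path, gzipped):
    opener = gzip.open if gzipped else open
    with opener(path, "rb") as fh:
        return fh.read()


def ingest_uploads(upload_dir, repo_dir):
    """Copy each valid upload to <repo_dir>/<hostname>.conf and delete the
    upload.  Returns the hostnames whose stored config actually changed.
    Files are processed in name order, so if a switch uploaded twice since the
    last run the later timestamp wins."""
    changed = []
    for path in sorted(Path(upload_dir).iterdir()):
        parsed = parse_archive_name(path.name)
        if parsed is None:
            # Anything that is not an archival upload is left alone and reported;
            # the forced scp command should already keep such files out.
            print(f"skipping unexpected file {path.name}")
            continue
        host, _ts, gzipped = parsed
        data = read_config(path, gzipped)
        dest = Path(repo_dir) / f"{host}.conf"
        if not dest.exists() or dest.read_bytes() != data:
            dest.write_bytes(data)
            if host not in changed:
                changed.append(host)
        path.unlink()
    return changed


def commit_changes(repo_dir, hosts):
    """git add/commit the updated files; no commit when nothing changed."""
    if not hosts:
        return False
    git = ["git", "-C", str(repo_dir)]
    subprocess.run(git + ["add", "--all"], check=True)
    subprocess.run(git + ["commit", "-q", "-m",
                          "Switch config update: " + ", ".join(hosts)], check=True)
    return True


def run_demo():
    """Self-contained run on constructed uploads in temp dirs (no git needed).
    Returns (changed_hosts, stored_files, remaining_uploads)."""
    upload = Path(tempfile.mkdtemp(prefix="switch_upload_"))
    repo = Path(tempfile.mkdtemp(prefix="switch_repo_"))
    # Constructed sample uploads: two compressed versions from one switch, one
    # plain upload from another, and one junk file that must be ignored.
    with gzip.open(upload / "sw-core1_juniper.conf.gz_20240131_120501", "wb") as fh:
        fh.write(b"system {\n    host-name sw-core1;\n}\n")
    with gzip.open(upload / "sw-core1_juniper.conf.gz_20240131_121503", "wb") as fh:
        fh.write(b"system {\n    host-name sw-core1;\n    domain-name example.net;\n}\n")
    (upload / "sw-access2_juniper.conf_20240131_120733").write_bytes(
        b"system {\n    host-name sw-access2;\n}\n")
    (upload / "notes.txt").write_bytes(b"not a config\n")
    changed = ingest_uploads(upload, repo)
    stored = {p.name: p.read_bytes() for p in sorted(repo.iterdir())}
    remaining = sorted(p.name for p in upload.iterdir())
    shutil.rmtree(upload)
    shutil.rmtree(repo)
    return changed, stored, remaining


if __name__ == "__main__":
    # From cron this would be ingest_uploads("/home/switch", "/srv/switch-configs")
    # followed by commit_changes(...); run stand-alone it executes the demo.
    print(run_demo())
```

Because the repo checkout lives outside the switch user's reach, the only thing a switch (or anyone holding its key) can influence is the contents of its own upload; the script never executes anything from the uploaded file and ignores names that do not fit the archival pattern.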



  • 2.  RE: Automatically saving switch configs in git

    Posted 19 days ago

    There is a full-featured open source project called Oxidized which will pull backups and keep a Git source change repository for each device so you can see the changes.

    https://github.com/ytti/oxidized

    Blog on a quick start for Oxidized.

    https://blog.jasons.org/tag/junos/

    Another option is to configure archival to have Junos copy off the config file to an external scp or ftp server on commit or at a time interval.  This is a built-in feature of Junos.

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/junos-software-system-management-router-configuration-archiving.html



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------