
SNMP can save your life

Tony Mattke · 2011.09.28 · 3 min read

Ever get locked out of a router or switch that is many hours or even days away? Recently, I had the pleasure, again. For some reason, be it the consultant that was turning up our MLPPP session on site, the engineer who was working with the consultant, or a random case of configuration corruption… a VTY access-class statement got changed to a non-existent ACL. But, at first, I didn’t know this. I didn’t know anything. I assumed the remote office was up, due to the lack of complaints, and the fact that I could get to the server and switch behind the router, but other than that, I had no clue.

After wasting time trying to figure out why we couldn’t get back into this router, I decided to look into solving our issue with SNMP. I found the Cisco OIDs for copying configurations and devised a plan. This simple bash script will instruct the router to copy its running-config to the TFTP server of your choice. Simply change the variables to match your read/write SNMP community string, remote device IP, your TFTP server’s IP, and the destination filename.

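```bash
#!/bin/bash
# Copy the router's running-config to a TFTP server via CISCO-CONFIG-COPY-MIB.
STRING=private            # read/write SNMP community string
IP=10.8.4.1               # remote device
TFTP=10.0.1.200           # TFTP server
FILENAME=SiteXYZ-Config   # destination filename
# 111 is an arbitrary row index in the copy table.
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6            # ccCopyEntryRowStatus: destroy any old row
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1             # ccCopyProtocol: tftp
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 4             # ccCopySourceFileType: runningConfig
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 1             # ccCopyDestFileType: networkFile
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a "$TFTP"       # ccCopyServerAddress
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s "$FILENAME"   # ccCopyFileName
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1            # ccCopyEntryRowStatus: active, starts the copy
```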

Once you run this script, you will find the configuration stored in your TFTP directory. If you’re having issues, ensure you have full reachability to the default source interface of the router. From the saved configuration you should be able to find the issue preventing you from accessing the router; in our case it was a bad VTY ACL. To remedy this, I created a dummy config file with the changes I wanted to make. For demonstration purposes we’ll call this FixOurRouter.

```text
line vty 0 4
 no access-class sl_def_acl in
line vty 5 15
 no access-class sl_def_acl in
```

In order to force the router to download the file and apply the configuration changes, we simply modify a couple of lines from our script. The MIB objects behind the OIDs 1.3.6.1.4.1.9.9.96.1.1.1.1.3 and 1.3.6.1.4.1.9.9.96.1.1.1.1.4 are ccCopySourceFileType and ccCopyDestFileType, respectively. The integer values we can use for these are the following.

  1. networkFile
  2. iosFile (a file on flash)
  3. startupConfig
  4. runningConfig
  5. terminal

In our first script, our copy source was set to 4, or runningConfig, and the destination was 1, or networkFile. In order to merge our configuration with the running-config, we’re going to simply reverse these settings. You’ll also need to change the FILENAME variable to the name of the configuration snippet we just created.

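```bash
#!/bin/bash
# Have the router fetch FixOurRouter over TFTP and merge it into the running-config.
STRING=private          # read/write SNMP community string
IP=10.8.4.1             # remote device
TFTP=10.0.1.200         # TFTP server
FILENAME=FixOurRouter   # config snippet to merge
# 111 is an arbitrary row index in the copy table.
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6            # ccCopyEntryRowStatus: destroy any old row
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1             # ccCopyProtocol: tftp
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 1             # ccCopySourceFileType: networkFile
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 4             # ccCopyDestFileType: runningConfig
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a "$TFTP"       # ccCopyServerAddress
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s "$FILENAME"   # ccCopyFileName
snmpset -c "$STRING" -v 1 "$IP" 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1            # ccCopyEntryRowStatus: active, starts the copy
```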

Once we run this script, the VTY ACL will be removed. And if you’re lucky, that was the only issue preventing you from connecting to the router.
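Both scripts fire the copy and never check whether it worked. The following is an added example, not part of the original post, that reads the same row's ccCopyState and ccCopyFailCause columns (10 and 13 in CISCO-CONFIG-COPY-MIB) and turns them into a verdict. The function names and the sample snmpget output lines are constructed for illustration.

```bash
#!/bin/bash
BASE=1.3.6.1.4.1.9.9.96.1.1.1.1   # copy-table columns, same prefix as the scripts above
ROW=111                            # same arbitrary row index as above
# Constructed sample snmpget output lines (not captured from a real device).
SAMPLE_OK='SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.10.111 = INTEGER: 3'
SAMPLE_FAILED='SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.10.111 = INTEGER: 4'
SAMPLE_CAUSE='SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.13.111 = INTEGER: 3'

# Extract the integer from "INTEGER: 3" or "INTEGER: successful(3)"; empty on error lines.
parse_int() {
  printf '%s\n' "$1" | sed -n 's/.*INTEGER: [^0-9]*\([0-9][0-9]*\).*/\1/p'
}

# ccCopyState (column 10) values.
cc_state_name() {
  case "$1" in
    1) echo waiting ;; 2) echo running ;; 3) echo successful ;; 4) echo failed ;;
    *) echo "unknown($1)" ;;
  esac
}

# ccCopyFailCause (column 13) values 1-5; anything else is reported numerically.
cc_fail_name() {
  case "$1" in
    1) echo unknown ;; 2) echo badFileName ;; 3) echo timeout ;;
    4) echo noMem ;; 5) echo noConfig ;; *) echo "other($1)" ;;
  esac
}

# $1 = ccCopyState line, $2 = ccCopyFailCause line -> one-word verdict.
copy_verdict() {
  state=$(parse_int "$1")
  [ -n "$state" ] || { echo no-row; return 0; }   # row absent or device unreachable
  [ "$state" = 4 ] || { cc_state_name "$state"; return 0; }
  echo "failed:$(cc_fail_name "$(parse_int "$2")")"
}

# Poll a live router until the copy leaves waiting/running (needs net-snmp's snmpget).
poll_copy() {   # $1 = community, $2 = router IP
  while :; do
    s=$(snmpget -v 1 -c "$1" "$2" "$BASE.10.$ROW" 2>&1) || true
    f=$(snmpget -v 1 -c "$1" "$2" "$BASE.13.$ROW" 2>&1) || true
    v=$(copy_verdict "$s" "$f")
    case "$v" in waiting|running) sleep 2 ;; *) echo "$v"; return 0 ;; esac
  done
}

if [ "$#" -ge 2 ]; then poll_copy "$1" "$2"; fi
```

Run it with the community string and router IP as arguments right after either script. A result of `failed:timeout` or `failed:badFileName` points at TFTP reachability or the filename rather than at SNMP itself.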
