
Pancho(configure/archive Cisco routers)

by c (Hermit)
on Aug 29, 2001 at 03:41 UTC ( #108641=sourcecode )
Category: Networking Code
Author/Contact Info c
Description: This is still for all those netadmins out there that need to make global changes by 7am and it's already past midnight.
Cisco, in all their wisdom, decided to change a group of their MIBs such that older ios versions known as 11 code are no longer supported. I had originally written Pancho for that group of old-schoolers such as myself that were still using such antiquated software as 11.2.18 from way back in November, 2000.
In the moments after watching a Robin Williams movie, I felt like giving back to the youth and thus began reworking Pancho to support not only the older MIBs, but the new ones as well. I even tricked it out to query the router to figure out which ones to use.
This code is full on unstable, considering that it's only been tested against the few routers I have in the house. I think it has been one hell of a lesson on net::snmp which seems to have finally accepted me as one of its own after much coaxing and sending of flowers.

humbly -c

#!/usr/bin/perl -w

# $Id: pancho-unstable,v 1.30 2001/10/09 03:30:11 charles Exp $

##                           PANCHO
##              copyright 2001 Charles J. Menzes

## send bugs to :     
## send feature requests to :
## send questions to :
## send everything else to :

## module calls
use strict;
use Net::SNMP;
use Getopt::Long;
use Socket;
use POSIX qw(strftime);
use Sys::Hostname;
use Fcntl ':flock';

############ THIS SCRIPT TO ENSURE YOU ARE USING THE   ############

my $community = '';     # your RW snmp community string

my $tftpserver = "";    # ip/hostname/fqdn of your tftpserver

my @routers = qw();     # list of routers

my $logging = "";       # set this to "1" to enable logging

my $logfile = "";       # full path to your logfile 

############ NO FURTHER EDITING SHOULD BE REQUIRED.    ############
############ DOING SO IS AT YOUR OWN RISK.             ############

## development variables
my $rcs = (qw$Revision: 1.30 $)[-1];
## ensure some arguments are given
die "\nPancho requires some flags to be specified.\nPlease try running $0 --help\n\n" unless (@ARGV);

## command line options
my $upload;
my $download;
my $filename;
my $commit;
my $list;
my $host;
my $string;
my $version;
my $old;
my $server;
my $regex;
my $help;
my $verbose;
my $path;
my $show;
my $start;
my $reload;
my $query;

GetOptions (    'upload'        => \$upload,
                'download'      => \$download,
                'filename=s'    => \$filename,
                'commit'        => \$commit,
                'list=s'        => \$list,
                'host=s'        => \$host,
                'server=s'      => \$server,
                'string=s'      => \$string,
                'version'       => \$version,
                'old'           => \$old,
                'regex=s'       => \$regex,
                'help'          => \$help,
                'verbose-help'  => \$verbose,
                'path=s'        => \$path,
                'show'          => \$show,
                'startup'       => \$start,
                'reload'        => \$reload,
                'query'         => \$query,
);

## set up oids

my $rand = strftime("%S", localtime);

my %oid = (  
                ## cisco-config-copy-mib
                method          => ".$ran
                source          => ".$ran
                destination     => ".$ran
                ipaddress       => ".$ran
                filename        => ".$ran
                rowstatus       => ".$ra

                ## deprecated lsystem mibs
                wrnet           => ".",
                confnet         => ".",

                ## universal platform
                wrmem           => ".",

                ## universal platform
                reload          => ".",

                ## universal platform
                version         => ".",


my %filelocation =      ( tftp          => "1",
                          start         => "3",
                          run           => "4",
);

## logging format and time
my %clock;
my $user;
my $hostname;
my $format;

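if ($logging) {
  ## assign to the file-scoped variables declared above; redeclaring
  ## them with "my" inside this block would leave %clock, $user and
  ## $format empty by the time log_action uses them
  %clock = (            month   => strftime("%b", localtime),
                        day     => strftime("%d", localtime),
                        time    => strftime("%H:%M:%S", localtime),
  );

  $user = getpwuid($<);
  $hostname = hostname(); 
  $format = "$clock{month} $clock{day} $clock{time} [$hostname] pan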

## show version and exit
&version if ($version);

## show verbose help menu and exit
&verbose if ($verbose);

## show the help menu and exit
&usage if ($help);

## show set parameters and exit
&showinfo if ($show);

## build out count for error checking
my $count = 0;
$count++ if ($upload);
$count++ if ($download);

## ensure that we have a node or list of nodes 

if ($host) {
  push(@routers, $host);

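} elsif ($list) {
  ## three-argument open so the --list argument is only ever treated
  ## as a file name, and fail early if it cannot be read
  open(FH, '<', $list) or die "\nCannot open host list $list: $!\n\n";
  @routers = <FH>;
  close(FH);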

} elsif ( $#routers < 0 ) {
  print "\nYou have not specified a node or list of nodes to act upon!
    unless ($count == 0);


## determine the path within the tftproot
my $tftppath = $path || "/";

## determine if we are using the default server or another
$tftpserver = $server if ($server);

## resolve fqdn/hostname for tftpserver
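if ($tftpserver =~ /[a-zA-Z]/) {
  ## inet_ntoa dies on an undefined address, so stop if lookup fails
  my $i = gethostbyname($tftpserver)
    or die "\nUnable to resolve tftp server $tftpserver\n\n";
  $tftpserver = inet_ntoa($i);
}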

## determine if we are using the default community string or another
$community = $string if ($string);

## check to ensure that we have the information required

if (!$community) {
  print "\nYou have not specified an SNMP community.\n\n";

} elsif (!$tftpserver && ($upload || $download)) {
  print "\nYou have not specified a tftp server.\n\n";


if ($upload && $count == 1) {
  if (!$filename) {
    print "\nIn order to tftp a configuration to a remote device\nyou must indicate a specific filename using -f.\n\n";
  } else {
    if ($start) {
    } else {

} elsif ($download && $count == 1) {
  if ($start) {
  } else {

} elsif ($commit) {

} elsif ($reload) {

} else {

  print "\nYou cannot upload and download at the same time.\n\n"
    unless ($count == 0);


## subroutines

sub version { print "\n  This is Pancho version $rcs\n\n"; exit; }
sub execute {
## pull source and destination of files
my $source = shift;
my $destination = shift;

## declare variable for array of failed hosts
my @failed;

## open log file for writing and put cursor at end of file
if ($logging) {
  ## three-argument open keeps the append mode separate from the path
  open(FH, '>>', $logfile) or die "Cant open the logfile! : $!\n";
}

  for my $host(@routers) {
    chomp $host;

    ## test to see if host resolves to ip address
    my $z = gethostbyname($host);

    unless ($z) {
      ## if not, push host name into failed list
      push (@failed, $host);
      ## skip to next host in list
      next;
    }

    ## test to see if hostname fits regex description
    next if (($regex) and ($host !~ /$regex/));

    ## if sending file to tftpserver set file to $host.cfg
    $filename = "$host.cfg" 
      if ($destination eq "tftp");

    ## query for ios version if necessary
    if ($count > 0) {
      if ($query) {

        ## set up initial parameters for this nodes snmp session(s)
        my $s = Net::SNMP->session( -hostname  => $host,
                                    -community => $community );

        ## grab the ios major revision number
        my $ios_version = $s->get_request ($oid{version});
        ## close the snmp session
        if (($ios_version->{$oid{version}}) =~ /Version 11/) {

        } else {


      } else {


    ## write config to memory
    if ($commit) {

      ## start session
      my $s = Net::SNMP->session( -hostname  => $host,
                                  -community => $community );

      ## write to memory
      $s->set_request($oid{wrmem}, INTEGER, "1");

      ## close session

      ## log output to screen and possibly external file


    ## reload the router
    if ($reload) {

      ## start the session
      my $s = Net::SNMP->session( -hostname  => $host,
                                  -community => $community );

      ## reload the router
      $s->set_request($oid{reload}, INTEGER, "2");

      ## close the session

      ## log output to screen and possibly external file


  print "\nThe following hosts could not be resolved: @failed\n\n" 
    if (@failed);

flock(FH,8) if ($logging);
close(FH) if ($logging);



sub deprecated {
my $host = shift;
my $source = shift;
my $destination = shift;

  if (($source eq "start") or ($destination eq "start")) {
    print "\nCopying configurations to and from startup-config\nis not possible using deprecated mibs.\n\n";
  } else {
    my $mib;

    ## set up proper value for $mib
    if ($source eq "tftp") {
      $mib = $oid{confnet};
    } else {
      $mib = $oid{wrnet};
    }

    ## append the tftp server address to the oid
    $mib = "$mib$tftpserver"; 

    my $s = Net::SNMP->session( -hostname  => $host,
                                -community => $community );

    ## set up the request
    $s->set_request($mib, OCTET_STRING, "$tftppath/$filename");

    ## grab an error if it exists.
    my $error = $s->error;

    ## close snmp session
    $s->close;

    ## log output to screen and possibly external file
    &log_action($host, $source, $destination, $error);
  }
}


sub ccCopy {
my $host = shift;
my $source = shift;
my $destination = shift;

  ## start up an snmp session
  my $s = Net::SNMP->session( -hostname  => $host,
                              -community => $community );

  ## copy files across network
  $s->set_request   (  ## select method of transfer
                       $oid{method}, INTEGER, 1,

                       ## select source file location
                       $oid{source}, INTEGER, $filelocation{$source},

                       ## select destination file location
                       $oid{destination}, INTEGER, $filelocation{$destination},

                       ## set tftpserver ip address
                       $oid{ipaddress}, IPADDRESS, $tftpserver,

                       ## set the filename being written
                       $oid{filename}, OCTET_STRING, "$tftppath$filename",

                       ## set the session status
                       $oid{rowstatus}, INTEGER, 4,
  );

  ## grab an error message if it exists
  my $error = $s->error;

  ## close the snmp session
  $s->close;

  ## log output to screen and possibly external file
  &log_action($host, $source, $destination, $error);
}

sub log_action { 
  my $host = shift;
  my $source = shift;
  my $destination = shift;
  my $error = shift;

  if ($error) {
    ## log to screen
    print "\n$error\n\n";
    ## log to external file
    print FH "$format $error"
      if ($logging);

  } elsif ($source eq "tftp") {
    if ($destination eq "run") {
      ## log to screen
      print "\nSuccessfully copied config to $host from $tftpserver\n\n";
      ## log to external file
      print FH "$format config <$filename> copied from $tftpserver to $host by $user\n"
        if ($logging);
    } elsif ($destination eq "start") {
      ## log to screen
      print "\nSuccessfully copied config to nvram on $host from $tftpserver\n\n";
      ## log to external file
      print FH "$format config <$filename> copied from $tftpserver to nvram on $host by $user\n"
        if ($logging);
    }

  } elsif ($destination eq "tftp") {
    if ($source eq "run") {
      ## log to screen
      print "\nSuccessfully copied config to $tftpserver from $host.\n\n";
      ## log to external file
      print FH "$format config copied to $tftpserver from $host by $user\n"
        if ($logging);

    } elsif ($source eq "start") {
      ## log to screen
      print "\nSuccessfully copied config to $tftpserver from nvram on $host.\n\n";
      ## log to external file
      print FH "$format config copied to $tftpserver from nvram on $host by $user\n"
        if ($logging);
    }
  }

  if ($source eq "wrmem") {
    ## log to screen
    print "\nSuccessfully wrote config to memory on $host.\n\n";
    ## log to external file
    print FH "$format config copied to nvram on $host by $user\n"
      if ($logging);
  }

  if ($source eq "reload") {
    ## log to screen
    print "\nSuccessfully initialized a reload of $host.\n\n";
    ## log to external file
    print FH "$format initialization of reload on $host by $user\n"
      if ($logging);
  }
}

sub usage {
print <<USAGE;

options   [ --upload | --download | --commit ]
          [ --filename <filename> ]
          [ --list <list> ]
          [ --host <hostname> ]
          [ --server <ip/fqdn/hostname> ]
          [ --string <snmp community> ]
          [ --path <path within tftproot> ]
          [ --regex <regular expression> ]
          [ --query ]
          [ --start ]
          [ --show ]
          [ --version ]
          [ --verbose-help ]
          [ --help ]

requires  [ perl, net::snmp ]

USAGE
  exit;
}


sub showinfo {
  if ($tftpserver) {
    print "\nYour tftpserver is currently set to : $tftpserver\n";
  } else {
    print "\nYou do not have a default tftpserver value set.\n";
  }

  if ($community) {
    print "Your SNMP community is currently set to : $community\n";
  } else {
    print "You do not have a default SNMP community value set.\n";
  }

  if ( $#routers < 0 ) {
    print "\nThere are no nodes listed in your default list of routers.\n\n";
  } else {
    print "\nThe following nodes are in your default list of routers:\n\n";
    for my $node( sort @routers) {
      print " $node\n";
    }
    print "\n";
  }
  exit;
}

sub verbose { 
print <<USE;

        options   [ --upload | --download | --commit ]
                  [ --filename <filename> ]
                  [ --list <list> ]
                  [ --host <hostname> ]
                  [ --server <ip/fqdn/hostname> ]
                  [ --string <snmp community> ]
                  [ --path <path within tftproot> ]
                  [ --regex <regular expression> ]
                  [ --query ]
                  [ --start ]
                  [ --show ]
                  [ --version ]
                  [ --verbose-help ]
                  [ --help ]

        requires  [ perl, net::snmp ]

        pancho was written with the goal of allowing network
        administrators to make a change to a group of cisco routers
        without being required to log into each host.
        pancho also provides the flexibility to allow admins to
        use its function against a single host, a select group
        or the entire whole. in addition to changes to current
        configurations on remote routers, pancho is also capable
        of archiving router configurations manually or through
        automated runs.

        -u, --upload
                specify that pancho send a configuration
                file TO the remote device(s).

        -d, --download
                specify that pancho retrieve a configuration
                file FROM the remote device(s).

        -c, --commit
                specify that pancho perform a 'write memory'
                or 'copy run start' on the remote device(s).

        -f, --filename
                specify the local filename that pancho should
                send to the remote device.

        -l, --list
                specify a local file that holds a list of device
                hostnames or ip addresses that pancho should
                perform actions against.

                specify an individual host on which pancho
                will perform actions.

                specify a tftp server that pancho will push
                or pull configurations to and from. this may
                be in the format of an ip address, a fully
                qualified domain name, or a hostname able to
                be resolved by the machine upon which pancho
                is being ran.

                specify a snmp read-write string.

        -p, --path
                specify a path within the tftproot.

        -r, --regex
                specify a regular expression that pancho can
                use to filter out specific hosts from the
                host file that actions should be taken against.

                script will determine whether older deprecated
                cisco mibs should be used against remote host
                or newer versions.

                change source/destination to startup-config or
                the nvram of the remote router. this will 
                essentially cause the router to either execute
                a "copy tftp startup-config" or "copy startup-
                config tftp".

                display a list of the current default settings.

                display the current version of pancho.

                this display

                short synopsis of flag options. 

        getting started with pancho does not require much work,
        however some thought should be put into the process.
        pancho is capable of having a few default settings 
        predefined that take effect each time pancho is ran.

        open pancho in your favorite text editor and look for 
        the area near the beginning of the file that highlights
        three fields that can be updated with your specific 
        information. The field \$community, \$tftpserver and \@routers
        all define their matching information. For \$community 
        and \$tftpserver, simply put the corresponding strings 
        between the quotes to the right of the equal sign.

        \@routers takes a bit more work, however it should not
        prove too difficult. this field should be populated with
        the group of devices that you feel will be configured or
        archived most often on your network. the devices can be
        entered by hostname or by ip address within the parentheses
        to the right of the equal sign. at least one single space 
        should separate each entry such that it may look like:

                \@routers = qw( border1 

        at first glance, pancho appears to have a significantly
        long command line. however, many of the option flags
        seen above can be set as default such that the flags
        themselves would only be called to override the default
        settings. for example a default tftpserver may be set
        within the pancho configuration, however you will still
        be able to specify:


        in case you would like to push/pull your config to an
        alternate server.

        pancho can be set up to have a default group of nodes
        that it will affect when ran. this list can be altered
        by specifying the --host flag to indicate a single node
        or the --list flag which will let you direct pancho to
        read the group to be effected from a plain text file.
        this text file should have each node listed on its own
        line either by hostname or ip address.
        another method which allows pancho to further limit 
        the group of devices touched is the --regex option. this
        feature is very powerful in the hands of someone with
        a fair amount of knowledge concerning regular expressions
        and nodes grouped with logical naming conventions.

                --regex ^core.*

        would indicate that within the default list of nodes, or
        within the list obtained from an external text file, only
        those with a name beginning in "core" would be affected.

        two flags which allow greater flexibility concerning the
        hosts being touched by pancho are --start and --query.
        using the --start flag will cause pancho to send/receive
        a configuration to/from a remote device's startup-config,
        or nvram, rather than from the machine's running-config.
        the caveat to the --start flag is that this operation can
        only be performed on devices using the newer cisco-copy-
        config mibs. this means that most ios revisions prior to
        12.x will not allow it.

        for networks that do run in a mixed environment, using
        several different revisions of ios, which may cross 
        major version numbers, the --query flag was added. since
        ios 11.x takes a different grouping of mibs than does 12.x
        you can run pancho against your group of nodes with the
        --query flag enabled. pancho will find out the major revision
        number from each remote device and run the operation against
        the node using the correct group of oid. without running
        --query, pancho will try to use the newer cisco mibs.

        the final optional flag is --filename. if unspecified,
        this value defaults to the hostname of the device being
        touched with an extension of ".cfg". the --filename flag
        argument should always be used when a single configuration 
        file will be uploaded to a group of devices. additionally,
        --filename may be used to specify an entire path to a 
        specific individual file within a subdirectory of the 

                --filename /cfg/2500/tacacs_config.txt

        in situations where you are not specifying a specific filename
        but would like your configs to be written/read from a directory
        beneath the tftproot, --path allows you to specify an 

                --path /cfg/7200

        pancho's only mandatory flag is one of two options,
        --upload or --download. this specifies whether or not
        pancho will push a configuration to the router or pull
        the remote device's config down to the local tftp server.
        pancho lives remotely from the router and therefore views
        the world from that perspective. --upload signifies that
        a file will be uploaded TO the router. conversely,
        --download indicates that the config will be brought down
        FROM the router.

        the final option of --commit is used to perform a remote
        "write memory" or "copy run start". this option can be
        used either individually, or in conjunction with --upload
        essentially committing to memory the changes as they are
        being made.

        in order to utilize pancho's full capacity for router
        configuration, one needs to be familiar with cisco's
        'copy tftp run' or 'config net' syntax. in depth
        discussion on the procedure can be found on cisco's
        website at

        a summary of the process is as follows. a remote
        router will tftp a configuration file consisting of
        standard ios commands into its running-config. the
        router will merge the current running-config and the
        command options received from the text file and then
        apply the whole to its new running configuration.

        an example may better state the process.

        on the tftp server, we create a plain text file to
        update the access-list 5 on a group of remote routers.
        the plain text file, is as follows:

                no access-list 5
                access-list 5 permit
                access-list 5 permit

        since we plan on completely rewriting access-list 5
        on the remote routers with this new acl, our first
        statement is 'no access-list 5' which allows us to
        start a new acl listing. the following acl statements
        will then build the new access-list.

        since cisco's 'copy tftp run' process first merges the
        current running-config and our plain text commands before
        it applies the newly created configuration, there will
        be no interruption in traffic being inspected by access-
        list 5. very different than just copying and pasting the
        same commands into the cisco command prompt which applies
        each statement with the hit of the carriage return
        allowing for the possibility of serious consequences.

        with knowledge of cisco's ios syntax, the possibilities for
        remote configuration are endless, and with pancho's
        capability for customization, an entire network may be
        updated or archived from a single point of management.

        the following are just a few of pancho's command line options
        in running syntax:

                update all routers with changes held in a flat file
                  pancho -u -f acl_update.txt

                archive all router configurations locally
                  pancho -d

                or to a remote tftp server
                  pancho -d --server 

                download a host's configuration to a directory
                within the tftproot called configs
                  pancho -d --host rsm716.pdx --path /configs

                commit changes on a group of hosts held within
                an external file
                  pancho --commit --list hostfile.txt

                send configuration changes to a group of devices
                with varying versions of ios
                  pancho --upload --query --filename config.txt

                update all border routers with a new motd using an
                alternate snmp community
                  pancho -u -f motd.txt --regex border --string f00B\@

        pancho's power does come with some caveats that should not
        be considered lightly. pancho depends upon remote routers
        having a read-write(rw) snmp community string configured.
        since read-write strings offer full snmp control to a machine
        the potential for exploit could be high.

        it is HIGHLY recommended, if not considered mandatory by this
        author that all routers using rw snmp strings should have an
        acl configured to limit what machines can gain such access to
        the device. again, full documentation can be found on cisco's
        website, however a short synopsis is as follows:

                ! access-list specifying nodes that will be capable
                ! of using snmp access to routers
                access-list 10 permit host
                access-list 10 permit
                ! apply access-list to snmp community
                snmp-server community 9Eck#0-A rw 10

        pancho also relies on the tftp protocol and server. files held
        within the tftproot and its subdirectories are generally world
        readable. moreover the tftp protocol does not inherently provide
        any method for user authentication.
        because of this, it is generally good measure to try to limit
        the nodes which have access to the tftp mechanism. this can be
        achieved through a local firewall specifying remote nodes or
        subnets that can push/pull to and from the tftpserver. with remote
        routers all belonging to different subnets, this would at first
        seem tedious to set up and even worse to maintain. a common
        convention to combat this is to use loopback addresses from an
        aggregate on all remote devices. it is then possible to specify

                ip tftp source-interface Loopback 100

        and ensure that all tftp requests coming in from remote devices
        will have a predictable source address, that can be grouped in
        the aggregate. using this mechanism, a large group of routers
        numbered with Loopback addresses having /32 masks can be consolidated
        into a larger aggregate with a shorter mask allowing for less
        configuration within the firewall rules.

        one final caveat when using pancho is the new grouping of cisco
        mibs, cisco-copy-config. these mibs deprecate those used previously
        with ios revision 11.x
        as a result pancho tries to compensate by allowing the administrator
        access to both sets of mibs. some functionality available through the
        newer set is not available through the older. the full details of 
        cisco's new oid, can be found at:


        Please send all comments regarding pancho to:


        Check for new releases of pancho at:



        Charles J. Menzes <menzes\>
        Pancho Copyright(C) 2001

USE
  exit;
}
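
The verbose help above recommends two router-side safeguards: binding every RW community to an access-list, and pinning the tftp source interface. The Perl check below is an added example (not part of Pancho or of the original post) that audits the .cfg files Pancho archives for both; the sub name audit_config and the sample configs, community strings and addresses are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not part of Pancho. Returns a list of findings for one
# IOS configuration passed in as text.
sub audit_config {
    my ($name, $text) = @_;
    my (%acl_defined, @rw, $tftp_source);
    my $n = 0;

    for my $line (split /\r?\n/, $text) {
        $n++;
        $line =~ s/^\s+|\s+$//g;
        next if $line eq '' or $line =~ /^!/;

        if ($line =~ /^access-list\s+(\S+)\s+(?:permit|deny)\b/i) {
            $acl_defined{$1} = 1;                  # numbered ACL entry
        } elsif ($line =~ /^ip\s+access-list\s+(?:standard|extended)\s+(\S+)/i) {
            $acl_defined{$1} = 1;                  # named ACL header
        } elsif ($line =~ /^ip\s+tftp\s+source-interface\s+(\S.*)$/i) {
            $tftp_source = $1;
        } elsif ($line =~ /^snmp-server\s+community\s+\S+\s*(.*)$/i) {
            # tokens after the string: [view NAME] [ro|rw] [ipv6 NAME] [ACL]
            my @tok = split ' ', $1;
            my ($is_rw, $acl) = (0, undef);
            while (defined(my $t = shift @tok)) {
                my $k = lc $t;
                if    ($k eq 'view' or $k eq 'ipv6') { shift @tok }
                elsif ($k eq 'rw')                   { $is_rw = 1 }
                elsif ($k ne 'ro')                   { $acl = $t }
            }
            # the community string itself is never stored or printed
            push @rw, { line => $n, acl => $acl } if $is_rw;
        }
    }

    my @findings;
    for my $c (@rw) {
        if (!defined $c->{acl}) {
            push @findings, "$name:$c->{line}: RW community has no access-list";
        } elsif (!$acl_defined{ $c->{acl} }) {
            push @findings, "$name:$c->{line}: RW community references "
                          . "access-list $c->{acl}, which has no entries here";
        }
    }
    push @findings, "$name: no 'ip tftp source-interface' configured"
        unless defined $tftp_source;
    return @findings;
}

# Constructed sample configs; addresses are from the documentation range.
my %config = (
    'border1.cfg' => <<'CFG',
hostname border1
access-list 10 permit 192.0.2.10
snmp-server community EXAMPLE-RW RW 10
ip tftp source-interface Loopback100
CFG
    'core1.cfg' => <<'CFG',
hostname core1
snmp-server community EXAMPLE-RO RO
snmp-server community EXAMPLE-RW RW
snmp-server community EXAMPLE-RW2 RW 20
CFG
);

# With file arguments, audit those archived configs instead of the samples.
if (@ARGV) {
    %config = ();
    for my $file (@ARGV) {
        open(my $fh, '<', $file) or die "cannot read $file: $!\n";
        local $/;                       # slurp the whole file
        $config{$file} = <$fh>;
        close($fh);
    }
}

for my $name (sort keys %config) {
    my @f = audit_config($name, $config{$name});
    @f = ("$name: ok") unless @f;
    print "$_\n" for @f;
}
```

Run without arguments it audits the two constructed samples; pass the paths of archived .cfg files to audit those instead.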


Replies are listed 'Best First'.
Re: Pancho(configure/archive Cisco routers)
by Anonymous Monk on May 17, 2002 at 15:14 UTC
    hi, this version seems to have an error when i try to start the script i receive an error message:"missing right curly or square bracket at line 903, at end of line - compilation error" can you please check the source code ?! thx thalal
      Sorry if this code has a typo. I could swear it was in decent shape. Regardless, this is actually the version 1.0 of the script. It now lives here and is on version 4.3Devel and 4.0.1Stable, so it's probably best to not use the version on perlmonks anyway.

