Nexus 5600 Automated Backup with EEM (EEM command authorization)

Unanswered Question
Mar 3rd, 2017

Hello,


We are about to deploy some Nexus 5600 (7.3(0)N1(1)) switches in our datacenter, and I am trying to implement automatic configuration backup. On Catalyst we are using kron and archive commands to upload the config to an FTP server. Now I am trying to achieve the same with EEM.


event manager applet DailySave
event timer cron cron-entry "15 3 * * *"
action 1.0 cli command "copy running-config startup-config"

event manager applet FTPBackup
event cli match "copy running-config startup-config"
action 0.3 syslog msg "Backup started."
action 0.5 cli command "enable"
action 1.0 cli command "copy running-config ftp://user:[email protected]/path/$(SWITCHNAME)_$(TIMESTAMP) vrf default"
action 1.6 syslog msg "Backup ended."
action 2.0 event-default

event manager applet TEST
event cli match "show ip interface brief"
action 1.0 puts "Script begin."
action 1.8 cli command "enable"
action 2.0 cli command "show logging last 5"
action 9.0 puts "Script end."
action 9.9 event-default

The copy command works perfectly fine as long as it is executed interactively from the CLI. The EEM puts actions in the TEST applet work perfectly fine as well. What does not work, however, are any of the cli actions.


We are using AAA/TACACS+ to do the full AAA. This brings me to the idea that the command authorization does not work correctly. There apparently were ways in Catalyst IOS to get around this, but these do not seem to be available in NX-OS. Or I just can't find them.


One thing to mention is that in the ACS log I am not seeing any authentication/authorization attempts.


I would welcome any suggestions on how to execute the cli commands, thanks.


AAA config for reference:


aaa authentication login default group ACS_Cluster local 
aaa authentication login console group ACS_Cluster local
aaa authorization config-commands default group ACS_Cluster local
aaa authorization commands default group ACS_Cluster local
aaa authorization config-commands console group ACS_Cluster local
aaa authorization commands console group ACS_Cluster local
aaa accounting default group ACS_Cluster local


Thanks, 


Marek

Mark Malone Tue, 03/21/2017 - 08:14

This works for me. I'm just backing up to flash twice a day, as I have Prime taking configs to an NFS share as well. The OID is for Nexus; I found it online on another forum. The timer is set to 43200, so it backs up every 12 hours.

event manager applet NX-OS_Configuration_Backup
  event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.6.1 get-type exact entry-op le entry-val 12345 poll-interval 43200
  action 1.0 cli command enable
  action 2.0 cli copy run bootflash:NX-OS_Latest_Running_Config_Backup
  action 3.0 syslog priority notifications msg Running_Config_Backup_Complete
