Re: Automaticaly reconfiguring a Cisco Router just by logging in

albertoff · ‎02-29-2008

I have a router 1760 installed in a remote site with DSL, a serial link and LAN users behind it. Under normal conditions it should avoid using the DSL interface to access the Internet for security reasons. It should route all traffic via the serial link to the HQ where users have all services they need including Internet access.

This site, however, is included in our D&R plan and therefore we need that under special conditions (HQ down, for instance) I could easyly reconfigure the router to meet the requirements. I might need to change interfaces status, fw policies, routing table, etc to make the router use the DSL Internet access and allow users to surf the web and incoming mail to come trhu.

The problem is that I want any of my IT peers to do that and not all of them are proficient with Cisco administration. So I thought of some kind of script that could be automatically run when somebody logins in the router with the right account and the right password. For instance I could have all the regular administration accounts and also accounts like: "disaster-status" and "normal-status" and each of them will run the necessary commands to reconfigure the router without the user needing to write one single command... not even "enable".

I remember one Cisco course that I attended that we had a remote lab and the topology of the lab was changed just by logging in the switches with a user that automaticaly, without we interacting, changed the switch configuration (VLANS, etc.) and therefore changed the network topology.

Is this possible? any ideas?

Regards and thanks!

Alberto

yjdabear · ‎02-29-2008

Yeah, this sounds right up the alley for the Tcl/Tk and Expect scripting languages, Tcl/Tk for writing the interactive navigation menus, Expect for interpretting human and/or router responses, then issuing instructions and/or IOS commands accordingly.

albertoff · ‎02-29-2008

Thanks for your answer,

Before posting here, I came accross this document but I wans't sure if TCL was the way to go...

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_tcl.html

Anyway, TCL could help be prepare the scripts I need to run in each case but, how do I build this interactive menus that you pointed out?... is there a document with examples of this?.

Thanks again,

Regards,

Alberto

cisco24x7 · ‎03-01-2008

Here is a sample:

#!/usr/local/bin/expect

set timeout 10

set name [lindex $argv 0]

set user [lindex $argv 1]

set password [lindex $argv 2]

set enable [lindex $argv 3]

spawn telnet $name

expect "*name:"

send "$user\r"

sleep 1

expect "*word:"

sleep 1

send "$password\n"

expect "*>"

sleep 1

send "enable\n"

expect "*:"

sleep 1

send "$enable\n"

expect "*#"

sleep 1

send "configure t\r"

expect "*#"

sleep 1

send "end \r"

expect "*#"

send "disable \r"

expect "*>"

send "exit\r\r\r\r"

#

# ./xxx 10.109.114.2 user exec_pass enable_pass

spawn telnet 10.109.114.2

Trying 10.109.114.2...

Connected to 10.109.114.2.

Escape character is '^]'.

*******************************************************************

******************************************

* UNAUTHORIZED ACCESS PROHIBITED *

******************************************

*******************************************************************

CCIE Sec Corporation Perimeter Cisco IOS with Firewall Feature Set

User Access Verification

Username: cciesec

Password:

CCIE Sec Corporation Perimeter Cisco IOS with Firewall Feature Set

C2621>enable

Password:

C2621#configure t

Enter configuration commands, one per line. End with CNTL/Z.

C2621(config)#end

C2621#disable

C2621>#

CCIE Security

Joe Clarke · ‎03-01-2008

There is a new feature coming in 12.4(20)T called the Embedded Menu Manager which will do what you want. This will allow you to display a menu to the user that you customize completely using an XML menu definition file. The inputs from the user are passed to TCL on the backend. This release is scheduled for June of this year.