Using Expect to Configure Cisco Routers
Clay Lin
Changing the configuration on one Cisco router is a breeze - you telnet to the router, enter the configuration line by line, then you are done. But what about manually changing the configurations on 200 routers? Not only is it time consuming, it is also easy to make mistakes during this manual process.
Where I work, the network consists of more than 200 Cisco routers interconnected by frame relay and ISDN wide area network all over the U.S. continent. We used to change all the router configurations by hand, and the entire task would take about a month for two people to finish, not including the time to verify accuracy. As a smart (or lazy?) administrator, I wanted to find a way to automate this task.
Tools from Cisco I first looked for the commercial-off-the-shelf (COTS) solutions to help us. Two applications, ConfigMaker and CiscoWorks, from Cisco are capable of dealing with configuration issues. The ConfigMaker is a little program with a nice graphical user interface (GUI) running on the Win95/NT platform. It is easy to use, and it is free.
This solution does not fit our requirements in that:
- It does not work for Cisco 7000 series routers.
- It is primarily used to configure routers from scratch.
- It is best used for small to mid-sized (about 20-30 routers) networks, according to Cisco's recommendation.
- It does not work with TACACS+, which is the authentication/authorization mechanism we use for Cisco routers.
CiscoWorks is a full-blown management tool for routers with a lot of nice features and is recommended if you have a large number of Cisco routers. However, it only provides configuration management for routers, not switches or dial-up servers. Although CiscoWorks for Switched Internetworks could do the job, but we needed something simpler.
Expect to the Rescue While I was searching the Usenet newsgroups for alternate COTS tools that I might be able to modify for our needs, Expect came to my attention. Expect, a scripting language based on Tcl, was created by Don Libes to make the automation of interactive programs such as telnet or ftp easier. telnet, of course, is the program we use to access the routers and enter the configurations.
At first I was not thrilled with the idea of learning another programming language. But, as a quick example, let's say you don't care about error recovery and just want something quick and dirty to do this job, a mere 10 lines of Expect code will be sufficient (see Listing 1).
As shown in the listing, by replacing the parentheses and their contents with site-specific information, you have a handy tool to configure one Cisco router for you. Although a program without any error recovery mechanisms is not recommended, Listing 1 demonstrates how easy it is to create powerful tools with Expect.
I purchased Exploring Expect by Don Libes from O'Reilly and Associates, and after studying it for a few hours, I was able to come up with a useful program to configure more than 200 routers all at once. What used to take us a month now takes about an hour to finish completely and accurately.
configrouter - An Expect Script to Configure Cisco Routers The following assumptions were made when I wrote the script configrouter (see Listing 2):
- The script only works for those configurations that have "global" characteristics, which means the same configuration can be applied repeatedly to all the routers. Configurations such as implementing TACACS+, SNMP, Network Time Protocol (NTP), and changing enable password on all routers fall into this category. For configuration that has local significance to each router, you need to either create a more complicated Expect script or use some other tool.
- The script will access two files for data. The first file is a list of all the routers' DNS names, one line for each. The second one is the configuration that you would like to apply.
- A naming convention is needed for all the routers. Although Expect can recognize any response from the router and respond properly, the router should have a pattern within its prompt for the Expect script to look for. configrouter looks for location ID and company name, such as LAX001-ZEROONE, within a router's prompt.
- Our network uses TACACS+ to control the access to the routers, so valid TACACS+ username and password are needed as command-line arguments. If the TACACS+ server is not available when accessing the routers, according to our router configuration, the routers will prompt for enable password to get into router configuration mode. This password will also be passed to configrouter.
- configrouter is run under Redhat Linux 4.2 but should work without any modification under all UNIX environments.
As an example, let's assume we would like to synchronize the clocks on all the routers with a network time server. configrouter will take your TACACS+ username and password along with the enable password as command-line arguments to login to all the routers (see Listing 3). It will enter the configuration and apply the configuration (see Listing 4) line by line (for convenience, we'll set the time zone on all the routers to EST).
configrouter will first check to see whether the correct number of arguments has been passed to it, then read the router's DNS name from the file /tmp/routerlist, one name at a time. The script can tell whether access to the router is controlled by TACACS+ service and login accordingly by using proper username and password passed to it. It will then apply the configuration line by line from the file /tmp/ntp. When the configuration is entered successfully, it will save the changed configuration to NVRAM and the target TFTP server. Although this script is simple and fairly self-explanatory, a few items need to be noted here:
- The built-in command expect can be instructed to parse the response from the router by using regular expression given the syntax as: expect -re.
- It is advisable to factor in the WAN delay then adjust the timeout value accordingly to avoid unexpected results.
- If you need to configure a large number of routers at one time, it is wise to follow the close command with a wait command for each spawned process. Otherwise you may end up with a lot of zombie processes, run out of the tty numbers on your system, and cause the script to exit abruptly.
Issues Raised by Running configrouter It is very important to test the script thoroughly before using it in a production environment. As configrouter conducts massive configuration changes on all the routers, I am not responsible nor will be liable for any damages or any consequences of running the scripts in this article.
Although configrouter does not require root privilege to run, it does reveal the router's password on the command line, which, of course, is a security threat. Anyone could use the UNIX ps command to retrieve the password. This problem can be solved by having configrouter take passwords interactively, or by saving the sensitive information in a file encrypted by the UNIX crypt command and decrypting it on the fly.
Other Uses of Expect I am writing a Perl script to wrap configrouter with a Web interface. This Web interface will present an HTML form to the users. Legitimate users can submit username, password, a list of routers, and desired configurations to the script through a Web browser and have the result displayed on the browser.
With minor modifications of configrouter, you can manage not only Cisco routers but also Cisco switches and other equipment that accept telnet login. Although this is a preliminary thought, it appears that by combining configrouter with version control tools such CVS/RCS, we may come up with a home-grown configuration management tool that will satisfy our requirements.
Here are some useful ways of utilizing Expect's power of interaction automation:
- Used together with Tcl/Tk, you can create a nice GUI for certain old command-line based programs without changing the original source code.
- Used with Perl, Expect is an excellent tool to write a TCP/IP port scanner. In fact, this is exactly what the famous scanner SATAN was built from.
Conclusion Expect is not an one-size-fits-all language. It was designed to do one thing, interaction automation, and it does that very well. Although Expect is simple, do not underestimate its power. As Don Libes said in the preface of his book, "Using it is one thing, mastering it is quite another."
About the Author
Clay Lin is a Chief Engineer at Zero & One Engineering, Inc., a system integrator specialized in network engineering and systems integration in the Washington D.C. area. He works on-site at a federal government agency, where he is in charge of network security, router configuration, and UNIX system administration. He can be reached at: clay_lin@0-1.com.
|