automated config backups for SFTOS

Does anyone know of a method of automating config backups for Force10
switches running SFTOS? I've got a Python expect script that works on our
routers running FTOS; it uses a role account that can show the running
configs without having to use the enable password. I could expand the
script to use the enable password, but I'm hesitant to have it lying around
in a script.

Jon Heise

Deploy RANCID?

Second rancid.

If SFTOS supports per-command authorization (via RADIUS/TACACS), you can
limit the script account to only be able to use 'show run' and whatever
else it needs (even when it logs in).

That said, if you're looking for on-the-cheap, I haven't seen a free
TACACS+ server that does authorization and was stable, so you'll probably
have to compromise and give your script more permissions than it needs just
to get the job done.

> Second rancid.

+3

> If SFTOS supports per-command authorization (via RADIUS/TACACS), you can

it does

> limit the script account to only be able to use 'show run' and whatever
> else it needs (even when it logs in).

you can

> That said, if you're looking for on-the-cheap, I haven't seen a free
> TACACS+ server that does authorization and was stable, so you'll probably
> have to compromise and give your script more permissions than it needs just
> to get the job done.

the cisco tacplus src server is a basic example...
shrubbery.net's tacplus server is quite workable (and heasley keeps
the code working/clean/adding-features)

a simple config for 'just permit show run' is certainly possible with
the shrubbery.net server... if you want example config pipe up.

-chris

I should have included:
<http://www.shrubbery.net/tac_plus/>

and there are some decent example configs available (I think john
payne had some posted/updated, this query seems to show a bunch of
positive results:
<john payne tacplus - Google Search>)
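
A 'just permit show run' configuration of the kind offered above, for the shrubbery.net tac_plus daemon. This is an added example, not a config posted in the thread; the user and group names, the file path, the privilege level and the session-ending command names are assumptions, and the key and password hash are placeholders.

```conf
# Added example, not from the thread.
# Constructed names: user "cfgbackup", group "backup".
# Placeholders: REPLACE_WITH_SHARED_KEY, REPLACE_WITH_DES_HASH.

# Shared secret; must match the key configured on each switch.
key = "REPLACE_WITH_SHARED_KEY"

# Record what the account actually runs (path is an assumption).
accounting file = /var/log/tac_plus.acct

group = backup {
    # Refuse any service that is not listed below.
    default service = deny

    # Allow an interactive (exec) session at the level the switch
    # requires for 'show running-config' (assumed to be 15 here),
    # so the script never needs the enable password.
    service = exec {
        priv-lvl = 15
    }

    # Commands without a cmd block are denied by default.
    cmd = show {
        permit "^running-config"
        deny .*
    }

    # Let the script end its session cleanly (assumed command names).
    cmd = exit {
        permit .*
    }
    cmd = logout {
        permit .*
    }
}

user = cfgbackup {
    member = backup
    # Store a hash (for example from tac_pwd), not the cleartext password.
    login = des REPLACE_WITH_DES_HASH
}
```

The regular expression is matched against the command arguments as the switch sends them, so check in the accounting log whether the device reports `show run` in abbreviated or expanded form. The restriction only takes effect once the switch itself is configured to request command authorization from this server.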