Configure Backup Script

Meridian uses an SSH scripting engine to run the commands on devices to upload their configuration settings. You must create a script for each device type whose configuration you want to back up, and save the scripts in ${OPENNMS_HOME}/etc/device-config. Each script simulates an interactive session with the network device, and tells the device to create a backup of its configuration. The backup is then sent to a TFTP server which is operated by either Meridian or a Minion.

Some devices may distinguish between different types of configuration settings (for example, startup configuration versus running configuration). Meridian treats configuration types as arbitrary strings, and uses default when no configuration type is specified.

You will reference these scripts when you create a requisition for a device of each type.

SSH scripting engine

The scripting engine supports two commands:

  • send: …​: Sends the given string to the device.

  • await: …​: Waits for a response from the device that matches the given string.

Scripts can reference the following variables by using ${varname} notation:

SSH scripting variables
Name Description

tftpServerIp

TFTP server’s IP address

tftpServerPort

TFTP server’s port number

filenameSuffix

Suffix that must be appended to the file name before uploading. Meridian uses this additional suffix to identify incoming uploads.

configType

Configuration type. If not specified, this is set to default.

Uploaded configuration files should include filename extensions like .zip or .gz that specify their file type. You must also append the script variable filenameSuffix to the file name; this indicates that the file is set to upload.

Example

This example script is for a Juniper SRX firewall. You will need to modify it to configure other device types.

await: >
send: start shell
await: %
send: cd /config
await: %
send: tftp ${tftpServerIp}
await: tftp>
send: put juniper.conf.gz juniper.conf.gz${filenameSuffix}
await: tftp>
send: exit

Vendor TFTP support

See your device manufacturer’s official documentation for details on their TFTP support. The following are links to popular device manufacturers:

There are several example scripts available in ${OPENNMS_HOME}/etc/examples/device-config:

Table 1. Example scripts for Aruba devices
Script Target Device Description

aruba-cx-cli.dcb

Aruba OS-CX

Retrieves configuration from an ArubaOS-CX device in CLI format.

aruba-cx-json.dcb

Aruba OS-CX

Retrieves configuration from an ArubaOS-CX device in JSON format.

aruba-os.dcb

Aruba OS

Retrieves configuration from an ArubaOS device.

cisco-ios-running.dcb

Cisco IOS

Retrieves running-config from a Cisco IOS device.

cisco-ios-startup.dcb

Cisco IOS

Retrieves startup-config from a Cisco IOS device.

juniper-junos-config-gz.dcb

Juniper JunOS

Retrieves compressed configuration from a Juniper JunOS device.

juniper-junos-config-set.dcb

Juniper JunOS

Retrieves configuration from a Juniper Junos device in set-format.

juniper-junos-config-txt.dcb

Juniper JunOS

Retrieves uncompressed configuration from a Juniper Junos device.

paloalto-panos-config.dcb

Palo Alto PanOS

Retrieves configuration from a Palo Alto PAN-OS device.

Configure DCB user accounts

We recommend that you limit the privileges of any user accounts used for configuration retrieval. The following examples demonstrate how to configure a dcb user account, specify its password (Pa55w0rd), and limit its privileges to only configuration retrieval commands.

  • ArubaOS

  • ArubaOS-CX

  • Cisco IOS

  • Juniper Junos

This script creates a dcb user account based on a custom user group (dcb-group). The user group has limited privileges, which are passed on to the dcb account.

aruba-os# configure
aruba-os(config)# aaa authorization commands local
aruba-os(config)# aaa authorization group "dcb-group" 1 match-command "copy running-config tftp .*" permit
aruba-os(config)# aaa authorization group "dcb-group" 2 match-command "show running-config" permit
aruba-os(config)# aaa authorization group "dcb-group" 3 match-command "copy startup-config tftp .*" permit
aruba-os(config)# aaa authorization group "dcb-group" 4 match-command "show startup-config" permit
aruba-os(config)# aaa authentication local-user "dcb" group "dcb-group" password plaintext
New password for dcb: Pa55w0rd
Please retype new password for dcb: Pa55w0rd
aruba-os(config)# exit

This script creates a dcb user account based on a custom user group (dcb-group). The user group has limited privileges, which are passed on to the dcb account.

aruba-os-cx# config
aruba-os-cx(config)# user-group dcb-group
aruba-os-cx(config-usr-grp-dcb-group)# permit cli command "copy startup-config tftp.*"
aruba-os-cx(config-usr-grp-dcb-group)# permit cli command "copy running-config tftp.*"
aruba-os-cx(config-usr-grp-dcb-group)# permit cli command "show running-config"
aruba-os-cx(config-usr-grp-dcb-group)# deny cli command ".*"
aruba-os-cx(config-usr-grp-dcb-group)# exit
aruba-os-cx(config)# user dcb group dcb-group password
Enter password: Pa55w0rd
Confirm password: Pa55w0rd
aruba-os-cx(config)#

This script creates a dcb user account based on a custom privilege configuration:

cisco-ios#configure terminal
cisco-ios(config)#username dcb privilege 2 secret Pa55w0rd
cisco-ios(config)#privilege exec level 2 copy running-config
cisco-ios(config)#privilege exec level 2 copy startup-config
cisco-ios(config)#exit

This script creates a dcb user account based on a custom login class (dcb-class). The login class has limited privileges, which are passed on to the dcb account.

admin@juniper-junos# set system login class dcb-class permissions all

[edit]
admin@juniper-junos# set system login class dcb-class allow-commands "(exit)|(start shell)|(show configuration.*)"

[edit]
admin@juniper-junos# set system login class dcb-class deny-commands .*

[edit]
admin@juniper-junos# set system login user dcb uid 1006

[edit]
admin@juniper-junos# set system login user dcb class dcb-class

[edit]
admin@juniper-junos# set system login user dcb authentication plain-text-password
New password: Pa55w0rd
Retype new password: Pa55w0rd

[edit]
admin@juniper-junos# exit