par Nicolas Jombart (07/06/2002)
Configuring network devices using pancho
-= Background =-
When you have devices like routers and need to change their configuration more
than once a year, you can use the CLI, but it is often better to use TFTP.
You only need a host with a TFTP server. You can then edit the device
configurations on your local system with your favorite text editor, copy them to
your tftproot/ and finally send them to the device using TFTP.
Your work may look like this:
$ vim conf.txt
$ cp conf.txt /var/tftproot
$ chmod a+w /var/tftproot
$ telnet silver
Connected to silver.
Escape character is '^]'.
User Access Verification
silver#copy tftp running-config
Host or network configuration file [host]?
Address of remote host [255.255.255.255]? 192.168.1.2
Name of configuration file [silver-confg]? conf.txt
Configure using conf.txt from 192.168.1.2? [confirm]
Loading conf.txt from 192.168.1.2 (via Ethernet2): !!!!!!!!!!!!
[OK - 59116/131027 bytes]
At this point, the file you sent will be merged with the running-config (see
The "copy tftp running-config" command can also be executed via an SNMP request.
If you have enabled the SNMP server with Read-Write access, you can use a
command like this on your local system:
$ snmpset -c rw-string 192.168.1.1 .220.127.116.11.18.104.22.168.22.214.171.124.1.2 \
(Note: check the correct OID that fits your IOS version).
Now, we introduce a powerful tool called Pancho, that can do this job and much
-= Requirements =-
The first thing you need is to set up a TFTP server on an administration host,
i.e. a host dedicated to administration of your devices. You will configure your
devices so that only this host can SSH (you don't use telnet anymore, right?) or
send SNMP requests to them.
Once the TFTP server is up, the next thing to do is to configure the SNMP server
on your devices. Your configuration may look like:
access-list 1330 permit 192.168.1.2
access-list 1330 deny any log
access-list 1340 permit 192.168.1.2
access-list 1340 deny any log
snmp-server community YourROstring RO 1330
snmp-server community YourRWstring RW 1340
With this configuration, you enable Read-Only and Read-Write access to the
device only from 192.168.1.2. For more security, you can set up an ACL on the
appropriate interface to permit only port 161/UDP from 192.168.1.2 to the
In addition, you can (should...) restrict the TFTP servers that can be used with
SNMP, using (once again) an access-list:
indica(config)#snmp-server tftp-server-list ?
<1-99> IP standard access list
Using a CVS server to maintain history of your configurations is also a good
idea. This is what we do in the following examples.
-= Using pancho =-
You can download pancho at http://www.pancho.org/. You also need the Perl
modules Net::SNMP, Config::IniFiles and Parallel::ForkManager.
Let's have a look at the common pancho options:
--file <filename> The name of the file you want to send
--host <hostname> The remote device
--server <ip/fqdn/hostname> The TFTP server (may be another host)
--string <snmp community> The RW community string
--path <path within tftproot> The path of the TFTP root
--upload Upload a file to the device and merge with
--download Download from a remote device
--commit Perform a "write memory" on the device
Full documentation of the options is available by typing perldoc `which pancho`.
Just two short examples:
1. You want to download the running-config for backup purposes:
$ touch /var/tftproot/shiva.conf
$ chmod a+w /var/tftproot/shiva.conf
$ pancho --host 192.168.1.1 --server 192.168.1.2 \
--string YourRWstring --download --file shiva.conf
2. You keep the configuration of your router in a file maintained by CVS and you
need to modify ACLs on it:
$ cd ~/cvs/router-confs/
$ vi shiva.conf
(... work ...)
$ cvs commit
$ cp shiva.conf /var/tftproot
$ pancho --file shiva.conf --host 192.168.1.1 --server 192.168.1.2 \
--string YourRWstring --path /var/tftproot --upload
$ rm /var/tftproot/shiva.conf
$ pancho --host 192.168.1.1 --commit
-= What to upload =-
You can keep your device configurations in a CVS repository. However, it can be
more useful to upload only some parts of the configuration, like access-lists,
interface configuration, banners and so on.
The reason behind this is that you'll have to use "no" commands (no access-list,
no snmp-server, etc.) and reduce the efficiency of the configuration merge at
Warning: if you upload a file like the following, the router will not filter
anything between the moment the "no access-list xxx" line is interpreted and
the first "access-list xxx ..." line encountered:
no access-list 101
access-list 101 permit ...
access-list 101 deny ip any any log
But this time window is very slim.
-= And much more ... =-
You may have noticed that you can easily write your own scripts to automate the
job. In addition, remember that you can perform actions on a group of devices at
the same time, setting default values like the TFTP server, community strings,
etc. in the script itself.
Type perldoc `which pancho` for more info on these options.
With some more work, you can do really interesting things, like periodically
checking the running configuration for password, ACL, etc. changes, as AIDE does
on a Unix filesystem. Have a look at
http://www.pancho.org/archives/contrib/ for a quick and dirty example.
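A periodic check of the kind just described, as an added example that is neither pancho's own code nor the contrib script linked above: it pulls each device's running-config with pancho (assuming the --download invocation from the backup example, the TFTP root /var/tftproot and the administration host 192.168.1.2 used throughout this article), keeps only the lines that matter for security, and diffs them against the copy kept in CVS. The device list file, the NAME.conf naming and the check_* function names are my own assumptions.

```shell
#!/bin/sh
# Periodic drift check around pancho: fetch each device's running-config and compare
# its security-relevant lines with the copy kept in CVS (hypothetical script).
# Assumed: pancho in PATH, TFTP root /var/tftproot on the admin host 192.168.1.2,
# and the CVS working copy holding one NAME.conf per device.
TFTPROOT=${TFTPROOT:-/var/tftproot}
CVSDIR=${CVSDIR:-$HOME/cvs/router-confs}
SERVER=${SERVER:-192.168.1.2}
RWSTRING=${RWSTRING:-YourRWstring}
TMP=${TMPDIR:-/tmp}

# fetch_running NAME IP: download the running-config of IP to $TFTPROOT/NAME.running.
# The target must exist and be world-writable first, as in the backup example above.
fetch_running() {
    : > "$TFTPROOT/$1.running" && chmod a+w "$TFTPROOT/$1.running" || return 1
    pancho --host "$2" --server "$SERVER" --string "$RWSTRING" \
           --download --file "$1.running"
}

# security_lines FILE: keep only the top-level statements worth alerting on (ACLs,
# SNMP, credentials, console/vty lines). Order is kept: ACL entries are evaluated
# in order, so a reordering is itself a change worth seeing.
security_lines() {
    grep -E '^(access-list|ip access-list|snmp-server|enable (secret|password)|username|line )' "$1" || :
}

# check_drift REFERENCE CURRENT: return 0 when the security-relevant lines match,
# otherwise print a unified diff (- reference, + running) and return 1.
check_drift() {
    security_lines "$1" > "$TMP/drift.ref.$$"
    security_lines "$2" > "$TMP/drift.cur.$$"
    rc=0
    diff -u "$TMP/drift.ref.$$" "$TMP/drift.cur.$$" || rc=1
    rm -f "$TMP/drift.ref.$$" "$TMP/drift.cur.$$"
    return $rc
}

# check_devices LISTFILE: LISTFILE holds "name ip" pairs, one per line (run from cron).
check_devices() {
    while read -r name ip; do
        fetch_running "$name" "$ip" || { echo "$name: download failed" >&2; continue; }
        if check_drift "$CVSDIR/$name.conf" "$TFTPROOT/$name.running"; then
            echo "$name: running-config matches the CVS copy"
        else
            echo "$name: security-relevant change detected, see diff above" >&2
        fi
        rm -f "$TFTPROOT/$name.running"
    done < "$1"
}
if [ "${1:-}" = "--check" ]; then check_devices "${2:-$CVSDIR/devices.txt}"; fi
```

Volatile header lines such as "! Last configuration change at ..." are ignored by the filter, so only the statements listed in security_lines raise an alert; widen the pattern to taste.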
--Nicolas Jombart <firstname.lastname@example.org>
$Date: 2006/11/21 13:55:11 $