Sending Cisco commands via SSH/Telnet

December 2016


General Information

  • Script name: publip.sh (publi(dot)sh, read as "publish").
  • Flexibility: fully customizable.
  • Constraints: the password must be the same for all the devices; otherwise you will need to add a few lines of code ...
  • Risk level: high. Be very careful with the entries: a wrong manipulation may freeze your entire network.
  • Linux knowledge required: open/edit a file (vi file_name) and save the modifications (Esc, then :wq <Enter>). Run a script with ./script_name from the folder that contains it.

What is the publip.sh script?


This script lets a network administrator send Cisco commands to a set of selected remote devices (routers, firewalls, switches, wireless access points ...) via SSH or Telnet (the script handles both connection types automatically).
  • The commands are entered first, one command per line (like a batch or a configuration file), in a small file called commandes.txt (there is no size limit).
  • The IPs (or DNS aliases) of the target devices go in liste.txt (there is no limit to the number of devices).
  • Finally, when the script runs, you are asked for a password, which in our case must be the same for all devices.


The script goes much further!
It is fully autonomous: it handles connection errors and data-entry errors and records the changes in a log file. It also identifies which devices it could reach via SSH or Telnet, and it keeps an archive of the sessions that produced critical errors (a crash of the Expect script, a command misinterpreted by the device). The error types are:
  • 1 - Connection timeout
  • 2 - Log-in error, wrong password
  • 3 - DNS alias or IP non-existent
  • 4 - Crash of the Expect script (a log file for the device is created)
  • 5 - Remote connection disabled
  • 6 - Correct DNS alias but non-existent IP
  • 7 - Non-Cisco equipment (HP ProCurve)
  • 8 - Non-Cisco equipment (X1000)
  • 9 - Non-Cisco equipment (Alcatel)
  • 10 - Sent command not recognised by the equipment
  • 11 - Error not listed above ($?=1)
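Each of these error types is recognised by searching the captured session transcript for a fixed message. The function below is an added example (not code from publip.sh or the CCM article) that turns one transcript into the error number of this list; the match strings are those the script greps for in its block marked #[10] further down, and the timeout rule is the script's own (a "real" line of 10 seconds or more written by time -p, with no "closed" in the transcript). The transcripts in the usage are constructed for the example.

```sh
#!/bin/sh
# classify_session LOG [EXIT_STATUS]: print the error number (1-11) for one
# captured SSH/Telnet transcript, or 0 when the session completed.
# EXIT_STATUS is the exit code of the expect run (defaults to 0).

# has PATTERN FILE: true when FILE contains PATTERN (basic regex, as grep)
has() { grep -q -- "$1" "$2"; }

classify_session() {
    log="$1"
    rc="${2:-0}"
    # 1: whole seconds of the first "real" line written by time -p
    secs=$(sed -n 's/^real \([0-9]*\).*/\1/p' "$log" | head -n 1)
    if [ -n "$secs" ] && [ "$secs" -ge 10 ] && ! has 'closed' "$log"; then echo 1; return; fi
    # 2: a second "Password:" prompt means the first password was refused
    if [ "$(grep -c 'Password: ' "$log")" -gt 1 ] || has 'Authentication failed' "$log"; then echo 2; return; fi
    if has 'Host name lookup failure' "$log" || has 'Unknown host' "$log"; then echo 3; return; fi
    if has 'send: spawn id exp4 not open' "$log"; then echo 4; return; fi
    if has 'Connection refused' "$log"; then echo 5; return; fi
    if has 'No route to host' "$log"; then echo 6; return; fi
    if has 'ProCurve' "$log"; then echo 7; return; fi
    if has 'Welcome to X1000' "$log"; then echo 8; return; fi
    if has 'Alcatel' "$log"; then echo 9; return; fi
    if has '% Unknown command' "$log" || has '% Invalid' "$log"; then echo 10; return; fi
    # session closed cleanly: Telnet ("Connection closed by foreign host.")
    # or SSH ("Connection to ... closed")
    if has 'Connected to ' "$log" || has 'Connection closed by foreign host.' "$log" \
       || has 'Connection to ' "$log"; then echo 0; return; fi
    # 11: expect exited non-zero without any recognised message
    if [ "$rc" -ne 0 ]; then echo 11; return; fi
    echo 0
}

# Usage: classify_session tmp_routeur.log "$?"
# A transcript constructed for this example: two password prompts -> 2
if [ "$#" -ge 1 ]; then
    classify_session "$1" "${2:-0}"
fi
```

The order of the tests matters, as in the script: the refused-password and timeout checks come first, the "session closed" markers last, so that a transcript containing "% Invalid input" is still reported as error 10 even though the session ended cleanly afterwards.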



You will be able to operate on all your equipment at the same time and gather valuable information on your network!

Contents of the auxiliary files

commandes.txt


Enter the commands, one per line. Any change to the router configuration must start with "conf t" and finish with "end". Modifications must be made in hierarchical order (enter a configuration mode, then its sub-commands, then exit it), and do not forget to save your changes! Small example:

#commandes.txt 

conf t 
 router ospf 100 
  network 50.50.100.0 0.0.0.255 area 0 
 exit 
 interface fa0/0 
  ip ospf hello-interval 5 
  ip ospf dead-interval 20 
 exit 
 area 0 authentication message-digest 
end 

write mem

liste.txt


Enter the IP or DNS alias of all the equipment involved:

# liste.txt 

10.25.85.46 
routeur-marseille 

switch-assemblee-generale 
80.54.136.105 



The script ignores blank lines.
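Because a wrong entry in either file is pushed to every device in one go, it is worth checking both files before running the script. The functions below are an added example (not part of publip.sh or the CCM article) that apply the rules of this section: the command file must open with "conf t", contain an "end" line and then save the configuration, and the target list is cleaned (blank lines dropped, whitespace trimmed, duplicates removed) with every entry checked to be either a dotted-quad IPv4 address or a DNS-style name. The set of accepted save commands and the file names commandes.txt and liste.txt are assumptions taken from the page's examples.

```sh
#!/bin/sh
# Preflight checks for commandes.txt and liste.txt (added example).

# check_commands FILE: 0 when the command file follows the rules above
# (first command "conf t", an "end" line, then a command that saves the
# configuration), 1 otherwise with the reason on stderr.
check_commands() {
    # Drop blank lines and "#" comment lines, trim surrounding whitespace.
    cmd_body=$(grep -v '^[[:space:]]*$' "$1" | grep -v '^[[:space:]]*#' \
               | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    cmd_first=$(printf '%s\n' "$cmd_body" | head -n 1)
    [ "$cmd_first" = "conf t" ] \
        || { echo "commands: the first command must be 'conf t'" >&2; return 1; }
    printf '%s\n' "$cmd_body" | grep -qx 'end' \
        || { echo "commands: no 'end' line closes the configuration block" >&2; return 1; }
    # Everything after the first "end" must include a save command
    # (assumed set: write, write mem, write memory, copy running-config startup-config).
    cmd_after=$(printf '%s\n' "$cmd_body" | sed -n '/^end$/,$p' | sed '1d')
    printf '%s\n' "$cmd_after" | grep -Eqx 'write( mem(ory)?)?|copy running-config startup-config' \
        || { echo "commands: nothing after 'end' saves the configuration" >&2; return 1; }
    return 0
}

# valid_target ENTRY: 0 for a dotted-quad IPv4 address (octets 0-255) or a
# DNS-style host name, 1 for anything else (typo, stray character, bad octet).
valid_target() {
    case "$1" in
        *[!0-9.]*)
            # not purely numeric: labels of letters, digits and hyphens, joined by dots
            printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
            ;;
        *)
            # numeric: exactly four octets, each 0-255
            printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
            ip_ifs=$IFS; IFS=.
            set -- $1
            IFS=$ip_ifs
            for ip_octet in "$@"; do
                [ "$ip_octet" -le 255 ] || return 1
            done
            return 0
            ;;
    esac
}

# check_list FILE: print the cleaned target list (blank lines dropped,
# whitespace trimmed, duplicates removed, order kept) and return 1 if any
# entry is invalid. Feed only the cleaned list to the script.
check_list() {
    list_status=0
    list_clean=$(sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" \
                 | grep -v '^$' | grep -v '^#' | awk '!seen[$0]++')
    for list_target in $list_clean; do   # an entry with inner spaces is checked piecewise
        if valid_target "$list_target"; then
            printf '%s\n' "$list_target"
        else
            echo "list: invalid entry '$list_target'" >&2
            list_status=1
        fi
    done
    return $list_status
}

# Usage: sh preflight.sh commandes.txt liste.txt
if [ "$#" -eq 2 ]; then
    check_commands "$1" && check_list "$2" > /dev/null && echo "preflight OK"
fi
```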

The Script


The script is annotated with small markers (#[1], #[2], ...), which are explained in the Comments section at the bottom.

#!/bin/bash
#script.sh

echo "veuillez donner le mot de passe"
stty -echo                                                                       #[1]
read password
stty echo

export ssh='./ssh.sh'                                                            #[2]
export telnet='./telnet.sh'
export erreur='./rapport_erreurs.log'
export temp='./tmp_routeur.log'
export cmdcisco='./commandes.txt'
export liste='./liste.txt'
export password
export routeur
export commande

rm -f $erreur                                                                    #[3]
rm -f $ssh
rm -f $telnet

cat $liste | while read routeur;
do
        if [ "$routeur" != "" ]
        then
                if [ ! -f $ssh ]                                                 #[4]
                then
                        # $routeur and $password are written unexpanded (single quotes):
                        # the generated script expands them at run time from the
                        # exported variables, so the password is never stored on disk
                        echo '#!/bin/bash' >> $ssh
                        echo 'expect 2>&1 << EOF' >> $ssh
                        echo 'spawn ssh admin@$routeur' >> $ssh
                        echo 'expect {' >> $ssh
                        echo '"Password:" {send "$password\r"}' >> $ssh
                        echo 'timeout {exit}' >> $ssh
                        echo '        }' >> $ssh
                        echo 'expect "#"' >> $ssh

                        cat $cmdcisco | while read -r commande
                        do
                                echo "send \"$commande\r\""
                                echo 'expect "#"'
                        done >> $ssh

                        echo 'send "exit\r"' >> $ssh
                        echo 'expect "closed"' >> $ssh
                        echo 'exit' >> $ssh
                        echo 'EOF' >> $ssh

                        chmod +x $ssh                                            #[5]
                fi
                # the braces make the timing line of "time" land in $temp as well
                { time -p $ssh; } > $temp 2>&1                                   #[6]

                COD_RET=$?

                auth=$(grep -c "Password: " $temp)                               #[7]
                if [ "$auth" -gt 1 ]
                then
                        echo "Problème d'authentification sur $routeur !"
                        echo "$routeur : wrong log-in/password" >> $erreur
                        continue
                fi

                # whole seconds from the "real" line written by time -p
                temps=$(grep '^real ' $temp | cut -d' ' -f2 | cut -d'.' -f1)
                if [ "${temps:-0}" -ge 10 ] && ! grep -q 'closed' $temp          #[8]
                then
                        echo "L'equipement $routeur ne réponds pas !";
                        echo "$routeur : connection timed out"  >> $erreur
                        continue
                fi

                if [ "$COD_RET" != "0" ]                                          #[9]
                then
                        # SSH connection to the device failed: retry via Telnet
                        if [ ! -f $telnet ]
                        then
                                echo '#!/bin/bash' >> $telnet
                                echo 'expect 2>&1 << EOF' >> $telnet
                                echo 'spawn telnet $routeur' >> $telnet
                                echo 'send "admin\r"' >> $telnet
                                echo 'expect "Password:"' >> $telnet
                                echo 'send "$password\r"' >> $telnet
                                echo 'expect "#"' >> $telnet

                                cat $cmdcisco | while read -r commande
                                do
                                        echo "send \"$commande\r\""
                                        echo 'expect "#"'
                                done >> $telnet

                                echo 'send "exit\r"' >> $telnet
                                echo 'expect "closed"' >> $telnet
                                echo 'exit' >> $telnet
                                echo 'EOF' >> $telnet

                                chmod +x $telnet
                        fi
                        $telnet > $temp 2>&1
                        COD_RET=$?
                fi

                auth=$(grep -c "Password: " $temp)                               #[10]
                if [ "$auth" -gt 1 ]
                then
                        echo "Problème d'authentification sur $routeur !"
                        echo "$routeur : wrong log-in/password" >> $erreur
                elif grep -q 'Host name lookup failure' $temp
                then
                        echo "l'equipement $routeur n'existe pas !"
                        echo "$routeur : does not exist"  >> $erreur
                elif grep -q 'Unknown host' $temp
                then
                        echo "la saisie de l'ip ou du nom $routeur est incorrecte !"
                        echo "$routeur : wrong spelling" >> $erreur
                elif grep -q 'send: spawn id exp4 not open' $temp
                then
                        echo "/!\ ERREUR dans la procédure. Consultez le fichier log de $routeur !!!"
                        echo "$routeur : Expect script execution failed !" >> $erreur
                        cp $temp $routeur.error.log
                elif grep -q 'Authentication failed' $temp
                then
                        echo "Mot de passe erroné pour $routeur !"
                        echo "$routeur : wrong log-in/password" >> $erreur
                elif grep -q 'Connection refused' $temp
                then
                        echo "Connexion à distance sur $routeur désactivé !"
                        echo "$routeur : vty connection disabled" >> $erreur
                elif grep -q 'No route to host' $temp
                then
                        echo "Alias DNS $routeur existant mais IP invalide !"
                        echo "$routeur : No route to host" >> $erreur
                elif grep -q 'ProCurve' $temp
                then
                        echo "routeur $routeur HP et non Cisco !"
                        echo "$routeur : non Cisco router (HP ProCurve)" >> $erreur
                elif grep -q 'Alcatel' $temp
                then
                        echo "routeur $routeur Alcatel et non Cisco !"
                        echo "$routeur : non Cisco router (Alcatel)" >> $erreur
                elif grep -q 'Welcome to X1000' $temp
                then
                        echo "routeur $routeur X1000 et non Cisco !"
                        echo "$routeur : non Cisco equipement (X1000)" >> $erreur
                elif grep -q '% Unknown command' $temp || grep -q '% Invalid' $temp
                then
                        echo "/!\ Commandes Cisco non reconnues par l'equipement. Consultez le fichier log de $routeur !!!"
                        echo "$routeur : Unrecognized commands found" >> $erreur
                        cp $temp $routeur.error.log
                elif grep -q 'Connected to ' $temp || grep -q 'Connection closed by foreign host.' $temp
                then
                        echo "$routeur Telnet OK !"
                elif grep -q 'Connexion enregistree sur le terminal' $temp || grep -q 'Connection to ' $temp
                then
                        echo "$routeur SSH OK !"
                elif [ "$COD_RET" != "0" ]
                then
                        echo "Problème de connexion a l'equipement $routeur !"
                        echo "$routeur : connection problem" >> $erreur
                fi
        fi
done
rm -f $temp                                                                      #[11]
exit

Comments

  • 1: Hide the password while it is typed.
  • 2: All file paths are kept in variables (relative paths), which lets you run the script from anywhere.
  • 3: Remove the files generated by a previous run of the script.
  • 4: Create the Expect script (only once, for the first device; the following devices reuse it).
  • 5: Make the Expect script executable.
  • 6: Run the Expect script, merging standard error into standard output and timing the run so that a timeout can be detected.
  • 7: Detect an authentication problem by counting the "Password:" prompts in the temporary file (more than one means the password was refused).
  • 8: Check the execution time: reaching 10 seconds (the Expect timeout) without a closed session means the device did not answer.
  • 9: If the SSH connection failed, repeat the procedure via Telnet.
  • 10: Check all the error cases generated by the script (see the list of error types above).
  • 11: Delete the temporary file.
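One limit of the generation step in comment 4 is worth knowing before you put anything unusual in commandes.txt: each line is written as send "...\r" into a Tcl string, and Tcl treats [ ], $, " and \ specially inside double quotes, so a command such as description [uplink] or banner motd "text" is evaluated (or breaks the Expect script, error 4) instead of being sent as typed. The functions below are an added example, not code from the article: they write a self-contained Expect script for one device (rather than the page's shell heredoc wrapper) and escape those characters first. Assumptions beyond the page: the interpreter path /usr/bin/expect, user "admin" and the 10 second timeout as in the article, and the password read by Expect from the CISCO_PASSWORD environment variable so that it is never copied into the generated file. The command file in the usage is constructed.

```sh
#!/bin/sh
# tcl_escape STRING: backslash-escape \ [ ] $ and " so the string survives
# unchanged inside a Tcl double-quoted string (backslash must go first).
tcl_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/\[/\\[/g' -e 's/]/\\]/g' \
                           -e 's/\$/\\$/g' -e 's/"/\\"/g'
}

# gen_expect HOST COMMANDS_FILE: print a stand-alone Expect script that logs
# in to HOST over SSH, pushes every non-blank, non-comment line of
# COMMANDS_FILE, and exits. Only the transcript is useful afterwards; the
# password itself never appears in the generated text.
gen_expect() {
    gen_host=$(tcl_escape "$1")
    printf '%s\n' \
        '#!/usr/bin/expect -f' \
        'set timeout 10' \
        "set host \"$gen_host\"" \
        'set pw $env(CISCO_PASSWORD)' \
        'spawn ssh admin@$host' \
        'expect {' \
        '    "Password:" { send "$pw\r" }' \
        '    timeout { puts "TIMEOUT $host"; exit 1 }' \
        '    eof { puts "CONNECT FAILED $host"; exit 1 }' \
        '}' \
        'expect "#"'
    # one send/expect pair per command line; read -r keeps backslashes,
    # the default IFS trims the indentation used in commandes.txt
    grep -v '^[[:space:]]*$' "$2" | grep -v '^[[:space:]]*#' | while read -r gen_line; do
        printf '%s\n' "send \"$(tcl_escape "$gen_line")\r\"" 'expect "#"'
    done
    printf '%s\n' 'send "exit\r"' 'expect eof'
}

# Usage: CISCO_PASSWORD=... gen_expect 10.25.85.46 commandes.txt > ssh_10.25.85.46.exp
if [ "$#" -eq 2 ]; then
    gen_expect "$1" "$2"
fi
```

Because every line is emitted with printf '%s\n' from single-quoted text, the shell never expands $pw or $host itself; they stay as Tcl variables for Expect to resolve at run time.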



This document entitled « Sending CISCO commands sent via SSH/Telnet » from CCM (ccm.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.