Get the Cisco configuration over SNMP

Saving the configurations of Cisco devices is normally done by a tool (CW2k, Solarwinds Cirrus or whatever), but if you do not want to buy a tool, here's a way to do it yourself.

Cisco has an SNMP MIB called CISCO-CONFIG-COPY-MIB.oid which allows you to save the configurations of Cisco devices over SNMP. If you also know your way around scripting (Shell, Perl or whatever you prefer), this is how you could save your device configurations automatically.

How to copy a config

This is a step-by-step guide on how to save the running-config to a TFTP server. You need SNMP write access to the device and a host on which you can run the snmpset command. The command-line syntax shown was taken from NET-SNMP 5.4.1. Please remember to use the read-write community for your devices.

snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
The ConfigCopyProtocol is set to TFTP

snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 4
Set the SourceFileType to running-config

snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 1
Set the DestinationFileType to networkfile

snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a <TFTP IP>
Sets the ServerAddress to the IP address of the TFTP server

snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s <Filename>
Sets the CopyFilename to your desired file name.

snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
Sets the CopyStatus to active which starts the copy process.

snmpset -c <community> -v 1 <device> 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6
Sets the CopyStatus to delete, which clears all saved information for this entry out of the MIB.

The number 111 at the end of each OID is nothing more than a randomly picked number, which has to stay the same during the whole copy process. To keep it simple and consistent, I always use 111.
The following section describes all CISCO-CONFIG-COPY-MIB functions so you can change the process as you like.
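The steps above as one script, extended with a poll of ccCopyState (.10) and a lookup of ccCopyFailCause (.13) before the row is destroyed. This is an added example, not part of the original post; SNMP_AUTH, POLL_INTERVAL, the 30-poll limit and the file-name check are assumptions of the sketch.

```shell
#!/bin/sh
# Added example: one TFTP backup run through CISCO-CONFIG-COPY-MIB, using the
# OIDs and values from the steps above. SNMP_AUTH and POLL_INTERVAL are
# assumptions of this sketch, not part of the MIB or of Net-SNMP.
BASE=1.3.6.1.4.1.9.9.96.1.1.1.1
: "${SNMP_AUTH:=-v 1 -c CHANGE_ME}"   # placeholder; SNMPv3 options also fit here
: "${POLL_INTERVAL:=2}"               # seconds between ccCopyState polls

copy_state_name() {   # ccCopyState (.10)
    case "$1" in
        1) echo waiting ;; 2) echo running ;; 3) echo successful ;;
        4) echo failed ;; *) echo "unknown($1)" ;;
    esac
}

fail_cause_name() {   # ccCopyFailCause (.13)
    case "$1" in
        1) echo unknown ;; 2) echo badFileName ;; 3) echo timeout ;;
        4) echo noMem ;; 5) echo noConfig ;; 6) echo unsupportedProtocol ;;
        7) echo someConfigApplyFailed ;; *) echo "unknown($1)" ;;
    esac
}

# backup_config <device> <tftp-ip> <filename> [row-index]
backup_config() {
    dev=$1 srv=$2 file=$3 row=${4:-111}
    # Accept only a plain file name so the upload cannot leave the TFTP root.
    case "$file" in
        ''|*/*|*..*|*[!A-Za-z0-9._-]*) echo "bad file name: $file" >&2; return 2 ;;
    esac
    # SNMP_AUTH is left unquoted so that it splits into separate options.
    set_oid() { snmpset $SNMP_AUTH "$dev" "$BASE.$1.$row" "$2" "$3" >/dev/null; }
    get_oid() { snmpget $SNMP_AUTH -Oqve "$dev" "$BASE.$1.$row"; }

    rc=1
    if set_oid 2 i 1 && set_oid 3 i 4 && set_oid 4 i 1 &&
       set_oid 5 a "$srv" && set_oid 6 s "$file" && set_oid 14 i 1
    then
        tries=0
        while [ "$tries" -lt 30 ]; do
            state=$(get_oid 10) || break
            case "$state" in
                3) rc=0; break ;;
                4) echo "copy failed: $(fail_cause_name "$(get_oid 13)")" >&2; break ;;
            esac
            tries=$((tries + 1)); sleep "$POLL_INTERVAL"
        done
    fi
    set_oid 14 i 6      # destroy the row whether or not the copy succeeded
    return "$rc"
}

if [ "$#" -ge 3 ]; then backup_config "$@"; fi
```

The exit status is 0 only when ccCopyState reaches successful(3), so a scheduler can alert on any device whose backup did not complete.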

CISCO-CONFIG-COPY-MIB.oid functions

ccConfigCopyProtocol
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.2
Type: INTEGER
Options: tftp(1), ftp(2), rcp(3), scp(4), sftp(5)
Description: Defines which protocol is used for the copy process. TFTP is the default.

ccCopySourceFileType
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.3
Type: INTEGER
Options: networkFile(1), iosFile(2), startupConfig(3), runningConfig(4), terminal(5)
Description: Defines the source. Either the SourceFileType or the DestinationFileType has to be set to startupConfig or runningConfig. Furthermore, the SourceFileType has to be different from the DestinationFileType.

ccCopyDestFileType
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.4
Type: INTEGER
Options: networkFile(1), iosFile(2), startupConfig(3), runningConfig(4), terminal(5)
Description: Defines the destination. Either the SourceFileType or the DestinationFileType has to be set to startupConfig or runningConfig. Furthermore, the SourceFileType has to be different from the DestinationFileType.

ccCopyServerAddress
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.5
Type: IP Address
Description: Sets the address of the server to which the file will be copied. Values like 0.0.0.0 or FF.FF.FF.FF are not allowed for this OID.

ccCopyFileName
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.6
Type: STRING
Description: Sets the name of the destination or source file. This OID has to be set whenever the destination or source file type is set to networkFile or iosFile.

ccCopyUserName
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.7
Type: STRING
Description: Sets a username for FTP, RCP, SFTP or SCP. If RCP is used as the protocol, this overrides any user name set with the rcmd remote-username <username> command.

ccCopyUserPassword
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.8
Type: STRING
Description: Sets the password for FTP, RCP, SFTP or SCP.

ccCopyNotificationOnCompletion
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.9
Type: INTEGER
Description: Defines whether a notification is sent after the process has ended.

ccCopyState
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.10
Type: INTEGER
Options: waiting(1), running(2), successful(3), failed(4)
Description: Shows the status of the copy process. This value is set after the ccCopyEntryRowStatus has been set to active.

ccCopyTimeStarted
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.11
Type: TimeStamp
Description: Shows the last start time of the process, or zero if the process never changed its status to running.

ccCopyTimeCompleted
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.12
Type: TimeStamp
Description: Shows the time at which the process last changed from running to successful or failed.

ccCopyFailCause
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.13
Type: INTEGER
Options: unknown(1), badFileName(2), timeout(3), noMem(4), noConfig(5), unsupportedProtocol(6), someConfigApplyFailed(7)
Description: Shows why the process failed.

ccCopyEntryRowStatus
OID: 1.3.6.1.4.1.9.9.96.1.1.1.1.14
Type: INTEGER
Options: active(1), notInService(2), createAndGo(4), createAndWait(5), destroy(6)
Description: Shows the process' status.


43 comments

  1. Henrik Thomsen

    Hi

    Great stuff. I’m a CCNA and CCNP teacher working in Viborg Denmark, and currently teaching technicians for a large Danish ISP in QoS and MPLS.

    Just found the OID’s I was searching for.

    Thanks
    Henrik Thomsen

  2. pashtuk

    Hi Henrik
    Thank you, what I saw lately is that there is now a Perl Module on CPAN for the whole thingie.
    best regards

    Michel

  3. Mel Gibson

    Hello,
    So what next? We defined the values? But how are we gonna get the configuration from the device?
    snmpget -c -v1 (and what’s next?)
    Regards…
    b^2-4ac

  4. Chris

    Hi,

    I am successful using SNMPv3 and tftp(1) but I cannot do it with scp(4). Have you ever tried it with scp?

    I’ve tried using “SCP” with NetSNMP as follows:

    snmpset – 1.1.2.111 i 4 [or scp(4)]
    snmpset – 1.1.3.111 i 3 [or startupConfig(3)]
    snmpset – 1.1.4.111 i 4 [or runningConfig(4) and tried 1 as a networkFile(1) – anything different from 3.111]
    snmpset – 1.1.4.111 a 10.1.1.25 [able to use it for tftp(1) – can manually do a secure-copy using “copy run scp:” to this host]
    snmpset – 1.1.7.111 s “username” [works well from CLI]
    snmpset – 1.1.6.111 s “device_config’ [works well from CLI]
    snmpset – 1.1.8.111 s “password” [no problems logging in and moving config to my OpenSSH server from CLI]
    snmpget – 1.1.10.111 always comes back with a failed(4)

    Thanks for your assistance. Chris

    • Ilia

      Chris, could you share your snmpv3 tftp, i tried this and can’t work with that either. i keep on getting this error:
      snmpset -v 3 -a md5 -A xxxxxxxx -x des -X xxxxxxx -u xxxxxxxx -l authPriv 10.10.10.10 1.3.6.1.4.1.9.9.96.1.1.1.1.2.336 i 1
      Error in packet.
      Reason: inconsistentValue (The set value is illegal or unsupported in some way)
      Failed object: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.2.336

  5. pashtuk

    Hi Chris
    Sorry, I never used that option and I can't see anything wrong with your syntax; as long as you specify networkFile within -1.1.4.111 that should basically work.
    What did you get back after the fail for: -1.1.13.111? (ccCopyFailCause) Maybe that error message helps a bit.
    best regards

    Michel

  6. shuilong

    Hi Pashtuk,
    I attempted to use tftp to get runningConfig to tftp server. After I executed the command, I got ccCopyState to running (2) and then failed(4). ccCopyFailCause was timeout(3).

    How is the tftp server involved during the operation? Does the tftp server issue tftp command get configuration from cisco switch? Or the Cisco switch issue command tftp and put the configuration file onto the tftp server?

    Appreciate your attention. Shuilong

  7. pashtuk

    Hi Shuilong
    The TFTP Server should not initiate anything; the Cisco device starts the connection and the file upload. Something you can try is to copy the running config manually to that tftp server with copy flash tftp and see if it works.
    Best regards

    Michel

    • Arun

      Hi Pashtuk,
      when trying to retrieve running-config, I am also getting ccCopyState as failed, and
      ccCopyFailCause to timedout. Could you please let me know the cause for this?
      Also, my understanding was that when copying config TO the router, if it failed, ccCopyState would be updated as failed. However, does this get updated every time we try to retrieve running-config? In that case, immediately the status would be running, and then failed or successful as the case may be.
      Need your help pls.

      Arun

  8. Sean

    Do you know if there is an equivalent way to do this on the Cisco ASA platform?
    I got this method to work on all the various cisco switches I have, but the ASA’s all give this error for each attempt to snmpset one of the oids listed…

    snmpset(): This name does not exist: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.10.

    Thanks

    • pashtuk

      Hi Sean
      I did a short search, but it does not look like the ASA does support that MIB or another MIB that does something similar (yet)
      regards

      Michel

  9. Oren

    Hello, I was able to copy the running config from a Cisco switch to a TFTPD32 server using the snmpset command and using Microsoft SNMP support (C++), but I can't get it to work from TFTP to the switch. It looks like the switch requests to download the config file 2 times (seen in the FTP log and while monitoring network data using Ethereal). I'm sending only 1 request for 100%. Hope that you will be able to help, thanks.

  10. johnb

    Thank you immensely for this post! I get a lot of info from different posts and usually never reply, but this one helped a ton!

    Thanks Again!

  11. patrioticduo

    great for pulling configurations but what about sending a configuration change to the router? Is there an SNMP way to do that? Or must we use SSH or telnet CLI to actually change configurations of routers?

  12. chris

    I am writing a python program for Grad school that automatically configures a network using snmpset. I have been unable for the past few days to find anything quite like this site. Thank you so much for doing this. You have made my life that much easier. I was starting to go blind from reading Cisco documents, and I am a CCNA working on my CCNP =P

  13. Haitham

    I don’t know if you can help me on my problem, but am working on an HP software called “HP Network Automation”, anyways, am running a task called “Take Snapshot” in which the software is capturing the configuration of a certain network device, it uses almost the same commands you are referring to on your post.

    The task fails due to the following error :

    Running: getconfiguration_snmp (retrieve configuration via TFTP through SNMP)
    Connect – SNMP trying read/write community string.
    SNMP SET 1.3.6.1.4.1.9.9.96.1.1.1.1.2.733 to ‘1’
    SNMP SET 1.3.6.1.4.1.9.9.96.1.1.1.1.3.733 to ‘4’
    SNMP SET 1.3.6.1.4.1.9.9.96.1.1.1.1.4.733 to ‘1’
    SNMP SET 1.3.6.1.4.1.9.9.96.1.1.1.1.5.733 to ‘172.16.1.188’
    SNMP SET 1.3.6.1.4.1.9.9.96.1.1.1.1.6.733 to ‘15401_20110714122403.txt’
    SNMP SET 1.3.6.1.4.1.9.9.96.1.1.1.1.14.733 to ‘1’
    SNMP GET 1.3.6.1.4.1.9.9.96.1.1.1.1.10.733 – error: Could not copy running configuration to TFTP server. Check TFTP Server IP and status.

    Do you have any suggestions ??

  14. Marco

    Hi Michel, my name is Marco, and I found your blog regarding a problem I have with a catalyst 3750 switch. for some reason y lost the “enable password”, but the snmp community names are enable and working. so the question is, can I change the config, getting the running configuration (with your method), modifying it and then copy the new configuration via snmp to the switch?
    Thanks for your post, it's really helpful (and sorry if my English is not good enough, I'm from Argentina)

  15. John Gardner

    hey, so Im using netmon to deploy the batch script and found that when the script is completed, the netmon system does not understand the “all done” message? I was wondering where in the script we would control how the device responds back to the SNMP server that it has completed its action, without getting errors?

    Thanks!

  16. John Gardner

    So I’m still learning and I would like to rephrase my question:

    I have a script that is running that will initiate and fill in the “copy run tftp” command. Does anyone have a template of the batch script that would use the snmpset command that would initiate the “copy run tftp”. Mine will run if i input the values for , , and manually. But when I use the %1,%2, and %3 values to poll the device for these fields, i receive a “Response is not well-formed” error message. The backup completes, but i am plagued with the mal-formed response.

    Does anyone have any advice?

  17. Phil

    Setting the TFTP address was failing for me but I eventually got it working and thought I'd document it here for anyone else who hits this. Instead of setting the TFTP with (as documented above):
    snmpset -v2c -c 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 s

    I instead used:
    snmpset -v2c -c 1.3.6.1.4.1.9.9.96.1.1.1.1.15.222 i 1
    snmpset -v2c -c 1.3.6.1.4.1.9.9.96.1.1.1.1.16.222 s

    This is because ccCopyServerAddress is deprecated according to Cisco documentation I found.

    Google ccCopyServerAddressType and ccCopyServerAddressRev1 for the ones I found worked instead.

    Hope this helps people!

  18. Felix

    Would I be able to remotely execute a command using this method? More specifically, I need to generate a RSA key for SSH.

    crypto key generate rsa

    This command is done under configuration mode, and requires an additional input.

    • pashtuk

      Hi Felix
      I never tried this, but I don't think that this would work since the RSA key is something that is generated for every device and if shown in the configuration is based on the device itself. However, you could try it, can't hurt 🙂

  19. Arafat

    is there any OID through which we can know that who has been configuring our Cisco switches/routers/firewalls based on this syslog message

    • pashtuk

      Hi Arafat
      I never searched for it, but you can activate Syslog to a central syslog server and monitor for configuration change messages, that's one way. The other way is using RADIUS or TACACS+ accounting and monitoring what has been done that way (AAA configuration)

  20. salem

    Awesome!
    Thanks for your explanation..:)
    Can we do a password recovery using snmp?
    What is the OIDs that we need to deal with?
    Thanks

  21. Marcelo

    This step-by-step was really helpful!!! Due to a wrong change, I could not connect using radius or local user the vty or console, and this was my last chance prior to reboot the switch that is in production…Thanks good I could not only get the running config, but also correct it and upload it into the device… what made the access over Radius available again!!!

    I really thank you so much!!!

  22. Chris

    Hi there,
    Thank you so much for the tutorial. It copies the running-config successfully, but the last command “snmpset -c -v 1 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6” gives me the following error:
    Error in packet.
    Reason: (badValue) The value given has the wrong type or length.
    Failed object: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.14.111

    Any suggestions as to what the problem could be?

    Thanks!

    • pashtuk

      Hi Chris
      Sadly not, I can only guess that maybe this MIB object did change or is not supported in your implementation. As you can see, the Post is from 2008 so chances are there that Cisco did change some things.

  23. Rey

    Hi Chris/All,

    have you or anyone else been able to get this to work with scp?

    I tried the following:

    **
    snmpset -c temp -v 2c 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 4
    snmpset -c temp -v 2c 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 4
    snmpset -c temp -v 2c 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 1
    snmpset -c temp -v 2c 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a
    snmpset -c temp -v 2c 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s temp.txt
    snmpset -c temp -v 2c 1.3.6.1.4.1.9.9.96.1.1.1.1.7.111 s temp
    snmpset -c temp -v 2c 1.3.6.1.4.1.9.9.96.1.1.1.1.8.111 s temp
    snmpset -c temp -v 2c 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
    **

    then when I do snmpwalk or snmpget:

    **
    snmpwalk -c temp -v 2c 1.3.6.1.4.1.9.9.96.1.1.1.1.10.111
    iso.3.6.1.4.1.9.9.96.1.1.1.1.10.111 = INTEGER: 2
    snmpwalk -c temp -v 2c 1.3.6.1.4.1.9.9.96.1.1.1.1.10.111
    iso.3.6.1.4.1.9.9.96.1.1.1.1.10.111 = INTEGER: 4
    snmpwalk -c temp -v 2c 1.3.6.1.4.1.9.9.96.1.1.1.1.13.111
    iso.3.6.1.4.1.9.9.96.1.1.1.1.13.111 = INTEGER: 2
    **

    it shows that it’s running (integer 2 for .10), then it fails (integer 4 for .10) and the reason for failure is badfilename (integer 2 for .13).

    I’ve tried different permutations of the string name and none seem to help any. I’ve verified that I can copy to/from scp to the router and server. but with snmp and scp, not able to get it to work.

    anyone else seeing this or got it to work?

    • Rey

      just noticed in my post that the device label and server address label didn’t show. in the above config, i do have a valid device ip set after the 2c and for .5.111 after the a, i do have the server address specified.

  24. JJ.

    Using Enigma NMS for the configuration management for Cisco works very well. You can get config backup done also with SNMP if you have situations where you need it.
