#!/usr/bin/perl
print "$ENV{SERVER_PROTOCOL} 200 OK\n";
print "Server: $ENV{SERVER_SOFTWARE}\n";
print "Content-type: text/plain\n\n";
$|=1;
use Net::Telnet;
$login="MyLogin";
$password="MySecret";
$port="23";
$host="xxx.xxx.xxx.xxx";
$command="traceroute www.google.com | no-more";
$telnet = new Net::Telnet;
$telnet->errmode( sub { print "ERROR:" . join('|', @_) . "\n"; } );
$telnet->timeout('10');
$telnet->option_callback( sub { return; } );
$telnet->option_accept(Do => 31);
$telnet->open(Host => $host, Port => $port);
if ($login ne "") {
  $telnet->waitfor('/(ogin|name|word):.*$/');
  $telnet->print("$login");
}
if ($password ne "") {
    $telnet->waitfor('/word:.*$/');
    $telnet->print("$password");
}
$telnet->waitfor(Match => '/.*[\$%>] {0,1}$/',
                 Match => '/^[^#]*[\$%#>] {0,1}$/');
$telnet->telnetmode(0);
$telnet->put(pack("C9",
                  255,                  # TELNET_IAC
                  250,                  # TELNET_SB
                  31, 0, 200, 0, 0,     # TELOPT_NAWS
                  255,                  # TELNET_IAC
                  240));                # TELNET_SE
$telnet->telnetmode(1);
my $telnetcmd = $command;
$telnet->print("$telnetcmd");
$telnet->getline;               # read out command line
while (1) {
  if ($#output >= 0) {
    $_ = shift (@output);
  }
  elsif (! $telnet->eof) {
    my ($prematch, $match) = $telnet->waitfor(Match => '/\n/',
                                              Match => '/[\$%#>] {0,1}$/',
                                              Errmode => "return")
    or do {
    };
    if ($match =~ /[\$%#>] {0,1}$/) {
      $telnet->print("quit");
      $telnet->close;
      last;
    }
    push @output, $prematch . $match;
    next;
  }
  else {
    last;
  }
  print $_;
}

system-view
Enter system view, return user view with Ctrl+Z.
[Quidway]aaa
[Quidway]local-user root password simple MySecretPassword
[Quidway-aaa]local-user root service-type ftp ssh terminal
[Quidway-aaa]local-user root ftp-directory flash:
[Quidway-aaa]quit
[Quidway]ftp server enable
Info:FTP server has been started

View flash content:

dir flash:
Directory of flash:/

   0   -rw-   6813684  Jan 01 2008 00:14:54   SV100R002C02B181SPC001_for_2352_3352.cc
   1   -rw-    107176  Jan 01 2008 00:00:51   matnlog.dat
   2   -rw-        60  Jan 01 2008 00:06:39   $_patchstate_a
   3   -rw-     10668  Jan 01 2008 01:01:53   vrpcfg.cfg
   4   -rw-       684  Jan 01 2008 00:33:20   hostkey
   5   -rw-       540  Jan 01 2008 00:33:28   serverkey
   6   -rw-   7236892  Jan 01 2008 00:15:31   s2352_s3352-v100r003c00spc301.cc
   7   -rw-        28  Jan 01 2008 00:42:31   private-data.txt
   8   -rw-         4  Jan 01 2008 00:07:35   notilogindex.txt

14632 KB total (748 KB free)

Tell the switch which firmware to boot after restart:

startup system-software s2352_s3352-v100r003c00spc301.cc

View the startup options:

display startup
[Unit 0]:
MainBoard:
  Configed startup system software:          flash:/s2352_s3352-v100r003c00spc301.cc
  Startup system software:                   flash:/s2352_s3352-v100r003c00spc301.cc
  Next startup system software:              flash:/s2352_s3352-v100r003c00spc301.cc
  Startup saved-configuration file:          flash:/vrpcfg.cfg
  Next startup saved-configuration file:     flash:/vrpcfg.cfg
  Startup license file:                      NULL
  Next startup license file:                 NULL
  Startup patch package:                     NULL
  Next startup patch package:                NULL

Delete the old firmware:

delete flash:/SV100R002C02B181SPC001_for_2352_3352.cc

But after deleting the file you can see that the usage of flash is still the same – after deleting the old firmware, it is just send to recycle bin

reset recycle-bin
Squeeze flash:/SV100R002C02B181SPC001_for_2352_3352.cc ?[Y/N]:y
Clear file from flash will take a long time if needed...
Jan  1 2008 01:32:45 huawei-iz-bl74 %%01VFS/4/RST_RECYCLE(l): When deciding whether to permanently delete file flash:/SV100R002C02B181SPC001_for_2352_3352.cc, the user chose Y ...Done!.
%Cleared file flash:/SV100R002C02B181SPC001_for_2352_3352.cc
dir flash:
Directory of flash:/

   0   -rw-    107176  Jan 01 2008 00:00:51   matnlog.dat
   1   -rw-        60  Jan 01 2008 00:06:39   $_patchstate_a
   2   -rw-     10668  Jan 01 2008 01:01:53   vrpcfg.cfg
   3   -rw-       684  Jan 01 2008 00:33:20   hostkey
   4   -rw-       540  Jan 01 2008 00:33:28   serverkey
   5   -rw-   7236892  Jan 01 2008 00:15:31   s2352_s3352-v100r003c00spc301.cc
   6   -rw-        28  Jan 01 2008 00:42:31   private-data.txt
   7   -rw-         4  Jan 01 2008 00:07:35   notilogindex.txt

14632 KB total (7404 KB free)

If someone is looking for latest release of Huawei Quidway S2352P-EI ( Basic BOOTROM Version : 209 Compiled at Nov 4 2009, 14:50:43, Software Version : VRP (R) Software, Version 5.30 (S2300 V100R003C00SPC301) ) contact me : nyck [at] tvskat [dot] net

<Quidway>system-view
Enter system view, return user view with Ctrl+Z.
[Quidway]rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
 It will take a few minutes.
Input the bits in the modulus[default = 512]:1024
Generating keys...
......................................++++++
.....++++++
..++++++++
.........++++++++

[Quidway]

Create username and password:

system-view
Enter system view, return user view with Ctrl+Z.
[Quidway]aaa
[Quidway-aaa]local-user root password cipher YourPassword
[Quidway-aaa]local-user root level 15
[Quidway-aaa]local-user root service-type ssh telnet
[Quidway-aaa]quit
[Quidway]
[Quidway]display current-configuration configuration aaa
#
aaa
 local-user root password cipher XXXXXXXXX
 local-user root service-type terminal ssh
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#

Configure SSH server:

[Quidway]stelnet server enable
Info:Start STELNET server
[Quidway]ssh user root authentication-type password
Info:A new ssh user added
[Quidway]ssh user root service-type stelnet

Configure virtual user terminal interface:

[Quidway]user-interface vty 0 4
[Quidway-ui-vty0-4]authentication-mode aaa
[Quidway-ui-vty0-4]protocol inbound ssh

• UNI – User Network Interface
• NNI – Network Node Interface

Based on the port type, certain features/behaviors are enabled or disabled to ease configuration, deployment, and troubleshooting.

UNI ports will not do local switching by default,  for example no local switching on UNI protects customers from each other ( host A dosn’t see host B ), and Control Plane Security  (CPS) is enabled, CPS protects against DoS attacks.

By default UNI ports:

• not switching local traffic, for example no local switching on UNI protects customers from each other ( host A dosn’t see host B ).
• Control Plane Security  (CPS) is enabled, CPS protects against DoS attacks.
• using multiple UNI ports on the same ME 3400, up to 8 UNI ports can be configured to do local switching.

NNI ports:

• For ME 3400-24TS, by default, the 2 SFP ports are NNI port-type
• For ME 3400G-12CS and ME 3400G-2CS, by default, the SFP-only ports are NNI port-type
• There can be a maximum of 4 ports defined as NNI ports (applicable to ME 3400-24TS and ME 3400G-12CS, all 4 ports can be configured as NNI on ME 3400G-2CS)

NOTE: In 12.2(25)SEG and later releases—Metro IP Access Image, all ports can be optionally configured as NNI (not limited to 4).

To configure port type:

me3400#conf t
me3400(config)#int gi0/10
me3400(config-if)#port-type ?
  nni  Set port-type to NNI
  uni  Set port-type to UNI

Configuring UNI ports to do local switching (forwarding traffic between UNI ports)

Port Gi0/1 and Gi0/2 on Cisco me3400-12G are UNI ports, belongs to VLAN 2000, and Gi0/1 is not forwarding traffic to Gi0/2, and vice versa, but we wand to do local switching between them. Configuration:

me3400(config)#vlan 1000
me3400(config-vlan)#uni-vlan community

to be continued …

apt-get install  ifenslave

Edit or create file /etc/modprobe.d/aliases.conf

alias bond0 bonding
options bonding mode=4 miimon=100

where mode 4 – IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and
duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.
Edit /etc/network/interfaces.

auto bond0
iface bond0 inet static
        address 192.168.200.5
        netmask 255.255.255.0
        network 192.168.200.0
        broadcast 192.168.200.255
        post-up ifenslave bond0 eth0 eth1
        gateway 192.168.200.1
        dns-nameservers 192.168.200.1
        dns-search example.com

Cisco configuration ( Gi1/0/1 and Gi1/0/2 will be aggregated ):

cisco-3750(config)#interface range GigabitEthernet 1/0/1, GigabitEthernet 1/0/2
cisco-3750(config-if-range)#switchport trunk encapsulation dot1q
cisco-3750(config-if-range)#switchport trunk allowed vlan 10,20
cisco-3750(config-if-range)#switchport mode trunk
cisco-3750(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
cisco-3750(config-if-range)#end
cisco-3750#

Configuration of interface Port-Channel 1 must be exactly the same as Gi1/0/1 and Gi1/0/2.

cisco-3750#sh ru int Po1
Building configuration...
Current configuration : 159 bytes
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
end

If you want to modify configuration of aggregated interfaces, modify only configuration of Port-Channel interface.
And the last step is to set load-balance algorithm:

cisco-3750(config)#port-channel load-balance src-dst-ip
cisco-3750#sh etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-dst-ip):
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address

cisco-3750#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi1/0/1(P)  Gi1/0/2(P)

cisco-3750#
cisco-3750#show etherchannel protocol
                Channel-group listing:
                ----------------------
Group: 1
----------
Protocol:  LACP

Traffic on Gi1/0/1

Traffic on Gi1/0/2

Traffic on Port-Channel1

%PM-4-ERR_DISABLE: gbic-invalid error detected on Gi0/2, putting Gi0/2 in err-disable state

This can happen if you are using third party SFP (non-cisco). The solution is to use undocumented command.
First enter command:

no errdisable detect cause gbic-invalid

and second command:

service unsupported-transceiver

There is no autocomplete for this command and no guarantee, but try it … It works for me on Cisco 3750.

Fig. 1

[edit policy-options] show configuration policy-options policy-statement bgp-in term local_pref_sp1 { from neighbor 192.168.1.1; then { local-preference 160; } } term local_pref_sp1_backup { from neighbor 192.168.2.1; then { local-preference 150; } term local_pref_sp2 { from neighbor 192.168.3.1; then { local-preference 140; } }

BGP selects the path of route, based on the number of the Local Preference – the highest number of this parameter wins. In this case traffic will go trough neigbour 192.168.1.1, with the highest number, and traffic will be not forward trough SP2. There is a solution: to make a load balancing between ISP1 and ISP2, or to force some netwroks through ISP2, using Filter-Based Forwarding to control next-hop selection.

To use Filter-Based Forwarding we need routing-instance. A routing instance is a routing entity for a router. According Juniper’s official documentation you use routnig instances to:

» Create administrative separation in a large network to segregate customer traffic and associated settings. The customers see only the routes belonging to them.
» Create overlay networks in which separate services are routed only towards routers participating in that service, such as voice. The overlay network isolates routes belonging to one service from another service by exporting routes, applying tags, and filtering based on tags.

Configuration of routing instance:

show configuration routing-instances

isp2-route {
  instance-type forwarding;
  routing-options {
      static {
          route 0.0.0.0/0 next-hop 192.168.3.1;
      }
  }
}

Showing new routing table “isp2-route”

root@border# run show route table isp2-route
isp2-route.inet.0: 250 destinations, 250 routes (249 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 08:55:12
               > to 192.168.3.1 via ge-1/3/0.4
10.0.3.0/24 *[Direct/0] 08:55:12
               > via ge-0/1/0.18
10.0.8.0/24 *[Direct/0] 08:55:12
               > via ge-0/1/0.19

Now we need to import interface routes into our new routing table. To define the routing tables into which interface routes are imported, we need to create a routing table group and associate it with the router’s interfaces.

[edit routing-options]
root@border# show
interface-routes {
   rib-group inet filter-based-forwarding-group;
}
rib-groups {
   filter-based-forwarding-group {
      import-rib [ inet.0 isp2-route.inet.0 ];
   }
}

The option “rib-group”, basically allows two routing tables to share information. The “rib-group” we created, named “filter-based-forwarding-group”, exchanges information between routing table inet.0 and new created table isp2-route from the routing instance isp2-route.
Fnally we’ll create the fliter list.

root@border> show configuration firewall family inet filter sp2-customers
term sp2_customers_networks {
   from {
      source-address {
          10.0.8.0/24;
   }
}
   then {
      routing-instance isp2-route;
   }
}
term default {
      then accept;
}

It’s not necessary to specify the networks going through isp1, and create routing table for isp1, just apply the filter on interface where client from network 10.0.8.0/24 are connected.

root@border> show configuration interfaces ge-0/1/0.19
description clients_to_sp2;
vlan-id 19;
    family inet {
        filter {
                input sp2-customers;
        }
        address 10.0.8.1/24;
}

Configuration of BGP, based on the Filter-Based Forwarding, to control next-hop selection:

root@border> show configuration protocols bgp
path-selection external-router-id;
import bgp-in;
group ISP_neighbours {
   type external;
   neighbor 192.168.1.1 {
      description ISP1_primary;
      export announce_to_isp1;
      peer-as 65000;
   }
   neighbor 192.168.2.1 {
      description ISP1_backup;
      export announce_to_isp1;
      peer-as 65000;
   }
   neighbor 192.168.3.1 {
      description ISP2;
      export announce_to_isp2;
      peer-as 65000;
   }
}

root@border> show configuration policy-options policy-statement bgp-in
term local_pref_sp1 {
   from neighbor 192.168.1.1;
   then {
      local-preference 160;
   }
}
local_pref_sp1_backup {
   from neighbor 192.168.2.1;
   then {
      local-preference 150;
   }
term local_pref_sp2 {
   from neighbor 192.168.3.1;
   then {
          local-preference 140;
  }
}

root@border> show configuration policy-options policy-statement announce_to_isp1
term 1 {
   from {
       prefix-list to_isp1;
   }
   then accept;
}
term deny {
   then reject;
}

root@border> show configuration policy-options policy-statement announce_to_isp2
term 1 {
   from {
       prefix-list to_isp2;
   }
   then accept;
}
term deny {
   then reject;
}

root@border> show configuration policy-options prefix-list to_isp1
10.0.3.0/24

root@border > show configuration policy-options prefix-list to_isp2
10.0.8.0/24

root@border> show configuration routing-instances
isp2-route {
  instance-type forwarding;
  routing-options {
      static {
          route 0.0.0.0/0 next-hop 192.168.3.1;
      }
  }
}

[edit routing-options]

root@border# show
interface-routes {
   rib-group inet filter-based-forwarding-group;
}

rib-groups {
   filter-based-forwarding-group {
      import-rib [ inet.0 isp2-route.inet.0 ];
   }
}

root@border> show configuration firewall family inet filter sp2-customers
term sp2_customers_networks {
   from {
      source-address {
          10.0.8.0/24;
   }
}
   then {
      routing-instance isp2-route;
   }
}
term default {
      then accept;
}

root@border> show configuration interfaces ge-0/1/0.19
description clients_to_sp2;
vlan-id 19;
    family inet {
        filter {
                input sp2-customers;
        }
        address 10.0.8.1/24;
}

nas100 ~ # dpkg -l | grep ppp
ii  ppp                               2.4.5~git20081126t100229-0ubuntu2 Point-to-Point Protocol (PPP) - daemon
ii  pppconfig                         2.3.18ubuntu2                     A text menu based utility for configuring pp
ii  pppoeconf                         1.18ubuntu1                       configures PPPoE/ADSL connections

and install ppp-dev:

 apt-get install ppp-dev

Download rp-pppoer server from http://www.roaringpenguin.com/products/pppoe. Before compiling we need to install gcc:

apt-get install gcc binutils

Extract and install rp-pppoe:

tar xvzf rp-pppoe-3.10.tar.gz
cd rp-pppoe-3.10/src/
 ./configure --enable-plugin
 make && make install

Don’t forget “–enable-plugin” – this will build pppd plugin.
Now we need radiusclient support:

apt-get  install radiusclient1

PPPoE server configuration file ( /etc/ppp/pppoe-server-options ) :

# PPP options for the PPPoE server
# LIC: GPL
require-pap
ms-dns xxx.xxx.xxx.xxx
ms-dns xxx.xxx.xxx.xxx
lcp-echo-interval 10
lcp-echo-failure 5
plugin radius.so
plugin radattr.so
debug
kdebug 1

require-pap – you can use PAP, CHAP or MS-CHAP
ms-dns – sepcify DNS servers
lcp-echo-interval n -If  this option is given, pppd will send an LCP echo-request frame to the peer every n seconds.  Normally the peer should respond to the echo-request by sending an echo-reply.  This option can be used with the lcp-echo-failure option to detect that the peer is no longer connected.
lcp-echo-failure n – If this option is given, pppd will presume the peer to be dead if n LCP echo-requests are sent without receiving a valid  LCP  echo-reply.   If  this happens,  pppd  will terminate the connection.  Use of this option requires a non-zero value for the lcp-echo-interval parameter.  This option can be used to enable pppd to terminate after the physical connection has been broken (e.g., the modem has hung up) in situations where  no  hardware  modem control lines are available.

Taken from syslog:

Feb  1 07:04:51 hostname pppd[1433]: No response to 5 echo-requests
Feb  1 07:04:51 hostname pppd[1433]: Serial link appears to be disconnected.
Feb  1 07:04:51 hostname pppd[1433]: Connect time 488.3 minutes.
Feb  1 07:04:51 hostname pppd[1433]: Sent 2157465 bytes, received 674186 bytes.
Feb  1 07:04:51 hostname pppd[1433]: sent [LCP TermReq id=0x2 "Peer not responding"]

In our configuration lcp-echo-interval is 10 sec. and lcp-echo-failure is 5 packets: if ppp cleint is dead, pppoe-server will disconnect ppp interface after 50 sec.

plugin radius.so , plugin radattr.so – load RADIUS plugin and attributes.

kdebug 1- Enable debugging code in the kernel-level PPP driver.  The argument values depend on the specific kernel driver, but in general a  value  of  1  will enable  general  kernel  debug  messages.

debug - Enables  connection  debugging facilities.  If this option is given, pppd will log the contents of all control packets sent or received in a readable form.

Now we need ppp radius client support. Install :

apt-get  install radiusclient1

Configuration files are located in /etc/radiusclient/ :

First edit /etc/radiusclient/radiusclient.conf :

# General settings
auth_order      radius
login_tries     4 # maximum login tries a user has
login_timeout   60 # timeout for all login tries,  if this time is exceeded the user is kicked out
nologin /etc/nologin
issue   /etc/radiusclient/issue
authserver      xxx.xxx.xxx.xxx # set IP address of RADIUS authentication server
acctserver      xxx.xxx.xxx.xxx # set IP address of RADIUS  accounting server
servers         /etc/radiusclient/servers #  file holding shared secrets used for the communicationclient and server
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
radius_timeout  10 #  time to wait for a reply from the RADIUS server
radius_retries  3
login_local     /bin/login #  program to execute for local login
nas_identifier nas100 # set NAS indentifier name

The seconf file we need to edit is /etc/radiusclient/servers :

# Make sure that this file is mode 600 (readable only to owner)!
#
#Server Name or Client/Server pair              Key
#----------------                               ---------------

xxx.xxx.xxx.xxx                                     RADIUS_server_secret

That’s all, start the server :

/usr/sbin/pppoe-server -L xxx.xxx.xxx.xxx -I vlan23 -I vlan25 -N 1200 -C rtr-nas100 -S nas100 -T 300 -k

where:

-I if_name — Specify interface (default eth0.)
-T timeout — Specify inactivity timeout in seconds.
-C name — Set access concentrator name.
-L ip — Set local IP address.
-S name — Advertise specified service-name.
-N num — Allow ‘num’ concurrent sessions.
-k — Use kernel-mode PPPoE.

segfault at 1 ip 00007fdcf44f4a29 sp 00007fff19659078 error 4 in libc-2.10.1.so[7fdcf4451000+166000]

After a research in diffrent forums, the solution is:
Install:

sudo apt-get install libc6-dev-i386

Now we need 32 bit version of MySQL development clien library. But there is a small utility, to help install libraries: getlibs. Download getlibs-all from http://frozenfox.freehostia.com/cappy/.

sudo  dpkg -i getlibs-all.deb

32 bit libraries we needed: libmysqlclient-dev and zlib1g-dev.

getlibs -w http://mirrors.kernel.org/ubuntu/pool/main/m/mysql-dfsg-5.1/libmysqlclient-dev_5.1.37-1ubuntu5_i386.deb

The version of MySQL server is:

mysql  Ver 14.14 Distrib 5.1.37, for debian-linux-gnu (x86_64)

And last libruary:

getlibs -w http://mirrors.kernel.org/ubuntu/pool/main/z/zlib/zlib1g-dev_1.2.3.3.dfsg-12ubuntu1_i386.deb

Compiler ( gcc version 4.4.1, x86_64-linux-gnu) command line:

gcc -m32 -c radauth.c -L/usr/lib/mysql -lmysqlclient -lnsl -lm -lz

m32 – 32 bit application
m64 – 64 bit application

perl -MCPAN -e 'install Cisco::CopyConfig'

Cisco::CopyConfig provides methods for manipulating the running-config of devices running IOS via SNMP directed TFTP. This module is essentially a wrapper for Net::SNMP and the CISCO-CONFIG-COPY-MIB-V1SMI.my MIB schema.
It’s a good idea to store switch’s ip address ( if you have more switches ) in database like MySQL. The following perl script uses MySQL database. In MySQL database we store switch’s ip and snmp community.
MySQL table:

 CREATE TABLE `sw_backup`.`switches` (
`id` BIGINT( 128 ) NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`description` VARCHAR( 128 ) NOT NULL ,
`ip_address` VARCHAR( 128 ) NOT NULL ,
`community` VARCHAR( 128 ) NOT NULL
) ENGINE = MYISAM CHARACTER SET utf8 COLLATE utf8_bin

insert into switches values('','core-switch','192.168.200.251','SNMPconfigCommunity1');
insert into switches values('','access-switch','192.168.200.252','SNMPconfigCommunity2');

mysql> select * from switches;
+----+---------------+-----------------+----------------------+
| id | description   | ip_address      | community            |
+----+---------------+-----------------+----------------------+
|  1 | core-switch   | 192.168.200.251 | SNMPconfigCommunity1 |
|  2 | access-switch | 192.168.200.252 | SNMPconfigCommunity2 |
+----+---------------+-----------------+----------------------+
2 rows in set (0.00 sec)

We need to istall TFTP server:

on Debian: apt-get install atftp

TFTP config file (/etc/default/atftpd):

USE_INETD=true
OPTIONS="--tftpd-timeout 300 --retry-timeout 5  --maxthread 100 --verbose=5 /backup_switch"

TFTP working directory is /backup_switch
Configuring Cisco switch ( tested on C2960G, C3750G, 3400G ):
A read-write SNMP community needs to be defined on each device, which allows the setting of parameters to copy or merge a running-config. Below is an example configuration that attempts to restrict read-write access to only the 192.168.200.10 (tftp server) host :

access-list 70 remark tft-server-list
access-list 70 permit 192.168.200.10
access-list 70 deny   any

SNMP configuration:

snmp-server tftp-server-list 70
snmp-server view backup ciscoMgmt.96.1.1.1.1 included
snmp-server community SNMPconfigCommunity1 view backup RW 70

Variables used in cisco backup script:
/backup_switch – tftp root directory
/storage/backup/daily/switches/ – backup directory
Backup script:

#!/usr/bin/perl
use DBI;
use Cisco::CopyConfig;

my ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst)=localtime(time);
$year+=1900;
$mon  = sprintf("%02d",$mon+1);
$mday = sprintf("%02d",$mday);
$hour = sprintf("%02d",$hour);
$min  = sprintf("%02d",$min);
$sec  = sprintf("%02d",$sec);
$date_format="$mday.$mon.$year";

$sql="select ip_address,community,description from switches order by inet_aton(ip_address) asc";
$dbh = DBI->connect("dbi:mysql:sw_backup:xxx.xxx.xxx.xxx","username","password") or die "Can't connect to MySQL: $DBI::errstr\n";
$sth = $dbh->prepare($sql);
$sth->execute();

$tftp_address   = '192.168.200.10';

while (@row=$sth->fetchrow_array) {
 $config     = Cisco::CopyConfig->new(
 Host => $row[0],   # host
 Comm => $row[1], # community
 Tmout => '10',       # timeout
 Retry => '2'           # retry
 );

 $tftp_file = "$row[2].$date_format.conf";

 if ($config->copy($tftp_address, $tftp_file) ) {
 print "OK -> switch ip: $row[0], file: $tftp_file\n"; }
 else {
 print "ERROR -> switch ip: $row[0], no backup file\n";
 }

}

system("mkdir /storage/backup/daily/switches/$date_format");
system("cp /backup_switch/cisco-* /storage/backup/daily/switches/$date_format");

Result:

sns ~ # perl cisco-backup.pl
OK -> switch ip: 192.168.200.251, file: core-switch.19.01.2010.conf
OK -> switch ip: 192.168.200.252, file: access-switch.19.01.2010.conf

sns ~ # tail -n 100 /var/log/syslog | grep tftp
Jan 19 15:56:53 sns atftpd[7848]: Fetching from 192.168.200.251 to core-switch.19.01.2010.conf
Jan 19 15:56:55 sns atftpd[7848]: Fetching from 192.168.200.252 to access-switch.19.01.2010.conf