How to run automated back up on all scripts, including configuration, policy and scripts to a SCP server at regular intervals?

  • Question
  • Updated 5 months ago
  • Answered
I am looking to archive the configuration of our Summit switches every night to our SCP server designed to store backups, which is hosted in Amazon (that's why I don't want to use TFTP).
I see many articles that use a TFTP server, for example: https://github.com/extremenetworks/ExtremeScripting/tree/master/EXOS/CLI_Scripting/autofsbackup
or 
https://github.com/extremenetworks/ExtremeScripting/tree/master/EXOS/Python/autofsbackuppy 
but I didn't find a solution to do it using SCP.

Is it possible?

Lukasz Kaim


Posted 5 months ago


Drew C., Community Manager

Welcome to The Hub, Lukasz!

Erik Auerswald, Embassador

Hi Lukasz,

that should be possible, but I would connect from a server to the switch, because the manual states that:
Only password-based authentication is supported for SSH/SCP client.
You can put SSH keys on the switch and use public key based authentication with SSH/SCP for accessing the switch.

You should at least restrict access to just your Amazon server, not allow all Amazon servers (or everybody) access to the switch, but it would be better to use a local server for communicating with the switch.

I would suggest using a local server to collect backups from the switches, and then securely copying them from the local server to the cloud server, without allowing access to the local server from the cloud server (e.g. using a stateful firewall).

Thanks,
Erik
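
The pull-then-push arrangement suggested in this answer, sketched as a cron-driven collector script. This is an added example, not code from the thread or from Extreme Networks. The hostnames, the `backup` account, the spool directory and the cloud destination are constructed, and `CFG_PATH` is a placeholder for the configuration file path your switches expose over SCP; it assumes the collector's public key is installed on the switches and on the cloud server.

```shell
#!/bin/sh
# Collector on the LOCAL server: pull each switch config over SCP, then push
# it outbound to the cloud server. The cloud side never connects inward.
# All values below are assumptions; override them from the environment.
SWITCHES="${SWITCHES:-sw1.example.net sw2.example.net}"   # constructed names
SWITCH_USER="${SWITCH_USER:-backup}"
CFG_PATH="${CFG_PATH:-PLACEHOLDER_CONFIG_PATH}"            # path on the switch
CLOUD_DEST="${CLOUD_DEST:-backup@cloud.example.net:/srv/switch-backups/}"
SPOOL="${SPOOL:-/var/spool/switch-backup}"
SCP="${SCP:-scp}"
# BatchMode: key auth only, never prompt for a password.
# StrictHostKeyChecking=yes: refuse unknown or changed host keys.
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=10"

# Pull one switch's config into the spool; print the resulting file name.
pull_one() {
    out="$SPOOL/$1-$(date -u +%Y%m%dT%H%M%SZ).cfg"
    if $SCP -q $SSH_OPTS "$SWITCH_USER@$1:$CFG_PATH" "$out.part" \
        && [ -s "$out.part" ]; then
        # Rename only after a complete, non-empty transfer.
        mv "$out.part" "$out" && printf '%s\n' "$out"
    else
        rm -f "$out.part"
        return 1
    fi
}

# Push one spooled file to the cloud server (outbound connection only).
push_one() {
    $SCP -q $SSH_OPTS "$1" "$CLOUD_DEST"
}

# Back up every switch; the return status is the number of failures.
run_backup() {
    umask 077                       # configs can contain secrets
    mkdir -p "$SPOOL" || return 255
    failed=0
    for h in $SWITCHES; do
        if f=$(pull_one "$h") && push_one "$f"; then
            :
        else
            echo "backup failed for $h" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Invoke from cron as: collector.sh run
if [ "${1:-}" = "run" ]; then run_backup; fi
```

A non-zero exit status from the `run` invocation is the count of switches whose pull or push failed, which a cron wrapper or monitoring check can alert on.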

Lukasz Kaim

Hi Erik, thanks for the reply.

I was trying to initiate this task from the server, but we have configured RADIUS authentication and cannot use a local account with an RSA key to log in when the RADIUS server is available (https://gtacknowledge.extremenetworks.com/articles/Q_A/RADIUS-and-local-user-Authentication)

When I set a read-only account on RADIUS, I can log into the switch but cannot access any files. I don't want to create an rw account on RADIUS and use it for this SCP because it will be some kind of security gap.

I think that a script on the switch would be the best solution. On other devices from different vendors we have a configured and working solution like this (Junos - system archival configuration transfer-on-commit / IOS - archive write-memory).

Bharathiraja, Suresh, Employee

Hi Lukasz,

Just trying to understand here: as per the links below, IOS is using TFTP to transfer backups from the router.

Could you share the working solution script here?

https://learningnetwork.cisco.com/blogs/vip-perspectives/2013/10/30/understanding-cisco-auto-archive...

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/transfer-...


Thanks,
Suresh.B

Lukasz Kaim

Hi Suresh,

I don't have to use a script because there are internal commands to do this:

IOS:
archive
 path scp://user:pass@ip_address/$h-$t
 write-memory

JUNOS:
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://username@ip_address:/" password "***"

But I didn't find a related command in ExtremeXOS.

Thanks,
Lukasz