How to run automated back up on all scripts, including configuration, policy and scripts to a SCP server at regular intervals?
‎12-21-2017 02:11 PM
I am looking to archive the configuration of our summit switches every night to our SCP server designed to store backups which is hosted in Amazon (that's why I don't want to use TFTP).
I see many articles with usage of TFTP server, for example: https://github.com/extremenetworks/ExtremeScripting/tree/master/EXOS/CLI_Scripting/autofsbackup
or
https://github.com/extremenetworks/ExtremeScripting/tree/master/EXOS/Python/autofsbackuppy
but I didn't find a solution to do it using SCP.
Is it possible?
‎12-27-2017 09:04 AM
Hi Suresh,
I don't have to use a script because there are internal commands to do this:
IOS:
    archive
     path scp://user:pass@ip_address/$h-$t
     write-memory
JUNOS:
    set system archival configuration transfer-on-commit
    set system archival configuration archive-sites "scp://username@ip_address:/" password "***"
But I didn't find a related command in ExtremeXOS.
Thanks,
Lukasz
‎12-25-2017 07:48 AM
Hi Lukasz,
Just trying to understand here: as per the links below, IOS is using TFTP to transfer the backup from the router.
Could you share the working solution script here?
https://learningnetwork.cisco.com/blogs/vip-perspectives/2013/10/30/understanding-cisco-auto-archive...
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/transfer-...
Thanks,
Suresh.B
‎12-22-2017 06:00 PM
Hi Erik, thanks for the reply.
I was trying to initiate this task from the server, but we have configured RADIUS authentication and cannot use a local account with an RSA key to log in when the RADIUS server is available (https://gtacknowledge.extremenetworks.com/articles/Q_A/RADIUS-and-local-user-Authentication)
When I set a read-only account on RADIUS, I can log into the switch but cannot access any files. I don't want to create an rw account on RADIUS and use it for this SCP because it will be some kind of security gap.
I think that a script on the switch would be the best solution. On other devices from different vendors we have a configured and working solution like this (junos - system archival configuration transfer-on-commit / ios - archive write-memory).
‎12-22-2017 02:51 PM
Hi Lukasz,
that should be possible, but I would connect from a server to the switch, because the manual states that:
Only password-based authentication is supported for SSH/SCP client. You can put SSH keys on the switch and use public key based authentication with SSH/SCP for accessing the switch.
You should at least restrict access to just your Amazon server, not allow all Amazon servers (or everybody) access to the switch, but it would be better to use a local server for communicating with the switch.
I would suggest using a local server to collect backups from the switches, and then securely copying them from the local server to the cloud server, without allowing access to the local server from the cloud server (e.g. using a stateful firewall).
Thanks,
Erik
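
The pull-then-push arrangement suggested in the last reply, sketched as a collector script for the local server. This is an added example, not part of any post in the thread: the account name, the key and known_hosts paths, the `primary.cfg` file name and the `archive.example.net` destination are all assumptions.

```shell
#!/bin/sh
# Added example: collector pulls configs from the switches, then pushes them
# outbound to the cloud archive. All names and paths below are assumptions.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/switches}"
KEY="${KEY:-/etc/swbackup/id_ed25519}"                   # key used only for backups
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/swbackup/known_hosts}"  # pinned host keys
SWITCH_USER="${SWITCH_USER:-backup}"                     # hypothetical switch account
REMOTE_CFG="${REMOTE_CFG:-primary.cfg}"                  # assumed config file name
CLOUD_DEST="${CLOUD_DEST:-backup@archive.example.net:switch-configs/}"
SCP="${SCP:-scp}"

# Accept only plain host names or IPv4 addresses, so an inventory line can
# never be parsed by scp as an option or carry shell metacharacters.
valid_host() {
  case "$1" in
    ""|-*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Non-interactive scp that fails closed on an unknown or changed host key.
# stdin comes from /dev/null so it cannot swallow the inventory being read.
secure_scp() {
  "$SCP" -q -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
    -o UserKnownHostsFile="$KNOWN_HOSTS" -o ConnectTimeout=10 "$@" </dev/null
}

pull_one() {   # $1 = switch, $2 = date stamp
  valid_host "$1" || { echo "skipping invalid host: $1" >&2; return 2; }
  dest="$BACKUP_DIR/$1-$2.cfg"
  secure_scp "$SWITCH_USER@$1:$REMOTE_CFG" "$dest.part" || return 1
  [ -s "$dest.part" ] || { rm -f "$dest.part"; return 1; }  # empty = failed
  mv "$dest.part" "$dest"
}

run_backup() { # $1 = inventory file, one switch per line
  stamp=$(date +%Y%m%d); failed=0
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    pull_one "$host" "$stamp" || failed=$((failed + 1))
  done <"$1"
  # Outbound push only; the cloud server never connects to the collector.
  secure_scp "$BACKUP_DIR"/*-"$stamp".cfg "$CLOUD_DEST" || failed=$((failed + 1))
  return "$failed"
}

if [ "$#" -gt 0 ]; then run_backup "$1"; fi
```

Run it from cron on the local server with the inventory file as the only argument; the exit status is the number of failed transfers, so a non-zero status can drive an alert.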
