Automate Cisco ssh connections with plink in Windows
Plink basics:
Plink is part of PuTTY and available at
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (don't
download it from other places, this is the official location). It is
the command line interface for PuTTY and can be used in scripts. Be
sure to download the installer or the zip with all the files, as PuTTY
is a great tool if you ever SSH, SCP or connect to network hardware in
general. The "latest development snapshot" is what I used for this
post. Things might change in the future, and bugs or other issues
might be introduced that would alter the information in this post --
please use the stable release if you are timid.
Plink.exe is simple to use, but I have had problems with it and Linux
machines ("server refused keyboard-interactive authentication" issue).
That is why this post is all about Cisco; I have not had problems
there. An example to connect to a Cisco device is:
c:\putty\plink.exe cisco@192.168.0.1 -pw P@55W0rD!
where the user name is "cisco" with a super secure password of
"P@55W0rD!" connecting to a Cisco device with an IP of 192.168.0.1.
This command should get you a ">" prompt on the device.
Scripting:
Wait! How do I script this? How do I get enable access? To do much
else you need to make a command file.
A command file is just a text file with the list of commands you want
to run, in the order you need to run them. Here is an example
(command.txt):
enable
enablepassword
show clock
show mem
show cpu
exit
If I were to run:
c:\putty\plink.exe cisco@192.168.0.1 -pw P@55W0rD! -m command.txt
then I would get the memory and cpu statistics displayed on the
screen. If I were to redirect the output to a text file with a
"double waka" (>>), like this:
c:\putty\plink.exe cisco@192.168.0.1 -pw P@55W0rD! -m command.txt >> router_utilization.txt
then I could have a text file with the date and time, memory and cpu
statistics. If this command were in a batch file that was scheduled
to run periodically then it could keep a running log of the device.
For extra credit, how might we get this script to run and check stats
on different devices? If we make a separate file called "devices.txt"
that contained the IP addresses of the devices we need to monitor like
this:
192.168.0.1
192.168.10.22
192.168.10.24
Then we could run this command (provided that the account name,
password and enable password were the same on each device):
for /f %i in (devices.txt) do c:\putty\plink.exe cisco@%i -pw P@55W0rD! -m command.txt >> device_utilization.txt
(if you put this in a batch file, be sure to use "%%i" and not the
"%i" as the batch will strip the single percents)
Enjoy!
So with the command:
for /f %i in (devices.txt) do c:\putty\plink.exe cisco@%i -pw P@55W0rD! -m command.txt >> device_utilization.txt
the "for /f" command loops through each line of the "devices.txt" file and assigns each line to the variable %i. So, if devices.txt had two lines, the first only having "10.10.1.25" and the second line only as "10.10.1.27"... the command above would run twice. The first line would be:
c:\putty\plink.exe cisco@10.10.1.25 -pw P@55W0rD! -m command.txt >> device_utilization.txt
and the second would be
c:\putty\plink.exe cisco@10.10.1.27 -pw P@55W0rD! -m command.txt >> device_utilization.txt
The problem a lot of people have is that Cisco is not consistent in how the commands are interpreted as they are passed by plink with the "-m" option. Routers, it would seem, need to have Unix style line formats that end with the invisible LF character (line feed). ASA firewalls can apparently use DOS formatted text files with CR+LF (carriage return+line feed). I can't be sure about switches. So your mileage may vary as to how the command line operates for a given device. I'd be curious if a normal "made in notepad" txt file for commands would work on switches.
I regret not getting back into this and testing each option. There is only so much router/firewall/switch configuration a web developer gets into.
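An added example, not part of the original post or its comments: a PowerShell version of the devices.txt loop that rewrites command.txt with a chosen line ending (LF or CR+LF) before passing it to plink with -m, so either form can be tried against a given device. File names follow the post; the parameter names, the password file cisco.pw and the log header line are assumptions, and -pwfile needs PuTTY 0.77 or later.

```powershell
# Added example. File names follow the post; parameter names, cisco.pw and
# the output layout are assumptions for illustration.
param(
    [string]$Plink       = 'c:\putty\plink.exe',
    [string]$DeviceList  = 'devices.txt',
    [string]$CommandFile = 'command.txt',
    [string]$PwFile      = 'cisco.pw',   # hypothetical file holding the login password
    [string]$OutFile     = 'device_utilization.txt',
    [ValidateSet('LF', 'CRLF')]
    [string]$Eol         = 'LF'          # routers reportedly need LF, ASAs accept CRLF
)

# Get-Content splits on either line-ending style, so re-joining the lines
# gives a command file with exactly the ending asked for.
$newline = if ($Eol -eq 'LF') { "`n" } else { "`r`n" }
$lines   = Get-Content $CommandFile | Where-Object { $_.Trim() -ne '' }
$text    = ($lines -join $newline) + $newline

# Write plain ASCII so no byte-order mark precedes the first command.
$normalized = Join-Path $env:TEMP "command_$Eol.txt"
[System.IO.File]::WriteAllText($normalized, $text, [System.Text.Encoding]::ASCII)

try {
    foreach ($line in Get-Content $DeviceList) {
        $device = $line.Trim()
        if ($device -eq '') { continue }
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($device, [ref]$ip)) {
            Write-Warning "Skipping '$device': not an IP address"
            continue
        }
        # Header line so each device's output can be told apart in the log.
        Add-Content $OutFile "===== $device $(Get-Date -Format s) ====="
        # -batch: fail instead of waiting on a prompt (for example an uncached
        # host key). -pwfile keeps the password off the command line, where
        # -pw would expose it in the process list.
        & $Plink -ssh -batch -pwfile $PwFile -m $normalized "cisco@$device" 2>&1 |
            Add-Content $OutFile
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "plink exited with code $LASTEXITCODE for $device"
        }
    }
}
finally {
    # The normalized copy contains the enable password from command.txt.
    Remove-Item $normalized -ErrorAction SilentlyContinue
}
```

Running it once with -Eol LF and once with -Eol CRLF against a test device shows which form that device accepts.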
This works for me using only powershell and plink and scripting to a cisco MDS switch:
PS V:\> $script=@()
PS V:\> $script+="terminal length 0"
PS V:\> $script+="show running-config"
PS V:\> $script+="exit"
PS V:\> $script
terminal length 0
show running-config
exit
PS V:\> [string]::Join( "`n", $script) | V:\WindowsPowershell\Modules\powerEMC\plink.exe admin@MDS01 -pw ****** -batch