1

I know about Kron, but there is supposedly no way to run global config commands:

http://www.techrepublic.com/article/schedule-commands-with-cisco-ios-kron/

If I connect using Putty, Putty is able to run several commands after login and that works like a charm. The thing is I want to automatically enter into a switch each night at 11pm and shut down a range of interfaces.

I am trying with sshpass but it seems to only allow 1 command at a time.

There is also a passwordless way to enter Cisco switches, but from IOS 15.0 on:

https://www.m00nie.com/2010/12/password-less-ssh-login-using-pki-to-cisco-ios/

Jose Mendez

2 Answers

1

OK, I found this:

```sh
/usr/local/bin/sshpass -p password ssh admin@1.1.1.1 < ios-cmds.txt
```

where ios-cmds.txt contains all the commands in separate lines as if I was typing them sequentially.

Also, one of my colleagues suggested using the Linux command:

expect

EDIT: One thing to be careful with is that if the SSH session has never taken place, the certificate exchange part with the switch will make the command fail silently, or do nothing. Connect to the switch first to accept the certificate manually, and then SSHPASS will be happy to log in and execute the commands.

EDIT 2: After YBounya's comment, I ended up with this script that basically loops through consecutive IPs and shuts down a range of interfaces. The script receives 'on' or 'off' as an argument to perform either a power-on or shut-down operation:

```tcl
#!/usr/bin/expect -f

# Usage: <script> on|off   ("on" sends "no shut", "off" sends "shut")
if { [lindex $argv 0] eq "on" } {
    set action "no shut\r"
    puts "Turning on switchports\n"
} elseif { [lindex $argv 0] eq "off" } {
    set action "shut\r"
    puts "Turning off switchports\n"
} else {
    puts "No power action found. Provide \"on\" or \"off\"."
    exit 1
}

# Log in to 192.168.201.<ip>, enter config mode and apply $action to a port range.
proc shutPort {ip action} {
    spawn ssh admin@192.168.201.$ip

    expect {
        "(yes/no)" {
            send "yes\r"   ;# unknown host key is accepted without verification
            expect { "assword:" { send -- "REAL_PASSWORD\r" } }
        }
        "assword: "             { send -- "REAL_PASSWORD\r" }
        "No route to host"      { return } ;# switch is not reachable
        "Connection refused"    { return } ;# switch uses Telnet or is not listening on port 22
        "modulus too small"     { return } ;# RSA key is not acceptable
    }

    expect ">"
    send -- "en\r"

    expect "assword: "
    send -- "REAL_PASSWORD\r"

    # Privileged EXEC prompt, e.g. "Switch#". The original pattern "\r\n#" only
    # matched a bare "#" at the start of a line, so it ran into the timeout.
    expect "#"
    send -- "conf t\r"

    expect "(config)#"
    send -- "int ran gig1/0/7-48\r"

    # IOS answers an unknown interface name with "% Invalid input detected at
    # '^' marker.", so "marker" means: try the next interface naming scheme.
    expect {
        "config-if-range" { send -- $action }  ;# range accepted, apply the action
        "marker" {
            send "int ran gig0/7-48\r"  ;# interface syntax didn't work
            expect {
                "config-if-range" { send -- $action }
                "marker" {
                    send "int ran fas0/7-48\r"
                    expect {
                        "config-if-range" { send -- $action }
                        "marker" {
                            send "int ran fas0/7-24\r"
                            expect {
                                "config-if-range" { send -- $action }
                            }
                        }
                    }
                }
            }
        }
    }

    # Leave interface-range mode, config mode, and the session.
    send -- "exi\r"
    send -- "exi\r"
    send -- "exi\r"

    expect eof
}

# Switches 192.168.201.42 through 192.168.201.50
for {set i 42} {$i < 51} {incr i} {
    shutPort $i $action
}
```
Jose Mendez
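The `sshpass` approach from the answer above, combined with the on/off argument of its expect script, as an added example that is not part of the original posts. It reads the password from a file instead of `-p` (which can be visible to other users in the process list), refuses unknown host keys instead of answering "yes", and validates the interface range before it reaches the config session. The file paths, variable names and function names are hypothetical, and it assumes the login account lands directly at the privileged EXEC prompt.

```shell
#!/bin/sh
# Added example, not from the original posts. Hypothetical names: SWITCH_USER,
# PW_FILE, KNOWN_HOSTS, build_ios_cmds, push_cmds.
# Assumption: the account logs in directly at privileged EXEC ("#" prompt).

SWITCH_USER="${SWITCH_USER:-admin}"
PW_FILE="${PW_FILE:-/etc/switch-sched/password}"             # mode 600, cron user only
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/switch-sched/known_hosts}"  # keys checked once by hand

# Print the IOS lines for on/off on one interface range, or return 2.
build_ios_cmds() {
    case "$1" in
        on)  verb="no shutdown" ;;
        off) verb="shutdown" ;;
        *)   echo "usage: on|off <range>" >&2; return 2 ;;
    esac
    # Reject any character outside the interface alphabet first. This also
    # catches an embedded newline, which a line-based grep alone would miss.
    case "$2" in
        *[!A-Za-z0-9/-]*) echo "bad interface range" >&2; return 2 ;;
    esac
    # Then require the shape used on this page: gig1/0/7-48, fas0/7-24, ...
    if ! printf '%s\n' "$2" | grep -Eq '^[A-Za-z]+[0-9]+(/[0-9]+)*-[0-9]+$'; then
        echo "bad interface range" >&2; return 2
    fi
    printf '%s\n' "configure terminal" "interface range $2" "$verb" "end" "exit"
}

# push_cmds <host> <on|off> <range>: feed the commands to one switch over SSH.
push_cmds() {
    cmds=$(build_ios_cmds "$2" "$3") || return 2
    printf '%s\n' "$cmds" |
        sshpass -f "$PW_FILE" ssh \
            -o StrictHostKeyChecking=yes \
            -o UserKnownHostsFile="$KNOWN_HOSTS" \
            "$SWITCH_USER@$1"
}

# Constructed cron entry for 11pm (the script path is a placeholder):
#   0 23 * * * /usr/local/sbin/switch-sched 192.168.201.42 off gig1/0/7-48
if [ "$#" -eq 3 ]; then
    push_cmds "$1" "$2" "$3"
fi
```

With `StrictHostKeyChecking=yes`, a switch whose key is missing from the known-hosts file or has changed makes `ssh` exit non-zero, so the cron job fails visibly instead of sending the password to an unverified host.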
1

It happens I had the same kind of job to do a few years ago. Here's what I did at the time; I hope that can help:

```tcl
#!/usr/bin/expect -f

# Arguments: <ip address> <cmd> <file>
set ipadr [lindex $argv 0]
set cmd [lindex $argv 1]
set fich [lindex $argv 2]

# cmd == 1: send the flash listing to the TFTP server; otherwise copy <file> from flash.
if { ${cmd} == 1 } then {
    set comm "sh flash | tee tftp://TFTP-IP-ADDRESS/essai\r"
} else {
    set comm "copy flash:${fich} tftp://TFTP-IP-ADDRESS\r"
}

spawn ssh niji@${ipadr}
expect {
    "password:"  { send "YOURPASSWORDHERE\r" }
    "(yes/no)?"  { send "yes\r"; expect { "password:" { send "YOURPASSWORDHERE\r" } } }
    "Name:"      { send "YOURUSERNAMEHERE\r"; sleep 3; send "YOURPASSWORDHERE\r" }
    "Connection refused" { exit }
}

# Enter enable mode if the login lands at the user EXEC prompt.
expect {
    ">" { send "en\r"; sleep 3; send "EN-PASSWD\r" }
    "#" { send "\r" }
}

# Run the command, then press Enter twice to confirm the copy prompts.
expect {
    "#" { send "${comm}"; sleep 5; send "\r"; send "\r" }
}

expect {
    "#" { send "exit\r"; send "quit\r" }
}
```

This connects to an IOS device with the IP address provided as an argument. The passwords and usernames are hard-coded, so I suppose you'd want to improve that.

The command sent to the router is "copy run tftp" or something of the like, but you can change it to whatever you'd need too.

That was a while ago, I suppose I would do some re-work if I had to re-use it now, but that could be a good base to start with.

Cheers,

YBounya