Using a Web Server to Manage Your Router Configurations
by Ivan Pepelnjak
Introduction
Unifying the tools and the systems seems to be the ultimate holy grail of cost-cutting strategies in information technology (IT) departments and top priority on today's IT managers' goals sheets. Has it ever crossed your mind that you might be overlooking a step to bring you closer to the goal: the most commonly used IT infrastructure (a web server) could be utilized to manage your router-based network … or did you miss this opportunity to make your boss happy because the infrastructure is poorly documented?
Starting with IOS release 12.3(2)T, you can download and upload your Cisco router's software and configuration to and from a web server, greatly simplifying router management and enabling network managers to use the same infrastructure as the rest of their IT department. In this article, you'll find a description of the required configuration steps for both the Cisco routers and the web server on which you want to store the router configurations.
Overview
A few years ago, Trivial File Transfer Protocol (TFTP) was the only means of transferring information between Cisco routers and external servers. Faced with the inadequacies of TFTP, network managers developed a number of custom solutions, including scripts that would log into the router using Telnet (or later Remote Shell – rsh) and transfer the router configuration to a file on the network management server.
A number of other data-transfer protocols have been added to Cisco IOS in recent releases; some of them use the router as a server, while others let the router act as a client communicating with a remote server. Table 1 gives an overview of these protocols.
Table 1
Data transfer protocols supported by Cisco IOS

| Protocol | IOS server introduced in release | IOS client introduced in release |
|---|---|---|
| Trivial File Transfer Protocol (TFTP) | Before 10.0, software images only | Before 10.0 |
| Remote Copy (RCP) | 10.3 | 10.3 |
| File Transfer Protocol (FTP) | 12.0, transfer to/from flash or disk only | 10.3 |
| Secure copy (SCP) | 12.2(T), 12.3 | 12.3(2)T, 12.4 |
| Hypertext Transfer Protocol (HTTP) | 11.2 | 12.3(2)T, 12.4 |
| Secure HTTP (HTTPS) | 12.2(15)T, 12.3 | 12.3(2)T, 12.4 |
In IOS releases prior to 12.4, you could thus choose between FTP, RCP, or SCP if you wanted to have at least a minimal amount of authentication when transferring configuration information from the router to a central server. If you wanted to have additional security offered by encryption, you were limited to SCP, which was not widely available as a server outside of the Unix environment.
The File Download Using HTTP feature introduced in release 12.3T (and 12.4) bypasses several limitations of other supported protocols:
It uses the most commonly available server infrastructure (web servers);
Authentication is built into the protocol;
Encryption is inherent if you use HTTPS (HTTP over Secure Sockets Layer, SSL).
Configuring File Download Using HTTP
File transfer between the router and the web server is implemented within the same framework of the copy command as any other file transfer. Two new URL formats (http:// and https://) were added to support the new functionality. You can specify as many parts of the URL on the command line as you like (see Table 2 for details; for SSL just replace http: with https:), and the router queries you for the missing components.
Table 2
URL format

| Command line parameter | Meaning |
|---|---|
| http: | Specifies HTTP as the transfer protocol. |
| http://host | Specifies the transfer protocol and the host name; the router queries you for the file name. |
| http://host/file | Specifies the host name and the file name. Default username and password are used. |
| http://user:password@host | Specifies username, password and host, but not the file name. The router queries you for the file name. |
| http://user:password@host/file | Specifies all four URL components. |
Sample usage of the copy command to store the router's current configuration to a file on a web server is shown in Listing 1. Downloading a new router configuration into the startup configuration, or merging it with the running configuration, is a very similar process (Listing 2).
Listing 1. Using the copy command to store router configuration to a web server
fw#copy running-config http://router:upload@myserver/routers/fw-config
Address or name of remote host [myserver]?
Destination filename [routers/fw-config]?
Storing http://router:upload@myserver/routers/fw-config !
3958 bytes copied in 0.832 secs (4757 bytes/sec)
Listing 2. Downloading new initial router configuration
fw#copy http://router:upload@myserver/routers/fw-new-config startup-config
Destination filename [startup-config]?
Loading http://router:upload@myserver/routers/fw-new-config ![OK]
4087 bytes copied in 2.148 secs (1903 bytes/sec)
A similar process is used to upload (Listing 3) or download (Listing 4) software images or other files residing in the router's flash or disk memory (for example, files required by the Security Device Manager – SDM).
Listing 3. Storing IOS image from flash to a web server
Directory of flash:/
1 -rw- 36277160 <no date> c2800nm-advipservicesk9-mz.124-6.T.bin
2 -rw- 1038 <no date> home.shtml
3 -rw- 1007616 <no date> common.tar
4 -rw- 1649 <no date> sdmconfig-28xx.cfg
5 -rw- 113152 <no date> home.tar
6 -rw- 756288 <no date> 256MB.sdf
7 -rw- 4049920 <no date> sdm.tar
64225276 bytes total (22018000 bytes free)
fw#copy flash: http://router:upload@myserver
Source filename [c2800nm-advipservicesk9-mz.124-6.T.bin]?
Address or name of remote host [myserver]?
Destination filename [c2800nm-advipservicesk9-mz.124-6.T.bin]? routers/c2800nm-advipservicesk9-mz.124-6.T.bin
Storing http://router:upload@myserver/routers/c2800nm-advipservicesk9-mz.124-6.T.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
36277160 bytes copied in 80.308 secs (451725 bytes/sec)
fw#
Listing 4. Downloading new IOS image from a web server
fw#copy http://router:upload@myserver flash:
Address or name of remote host [myserver]?
Source filename []?routers/c2800nm-advipservicesk9-mz.124-6.T.bin
Destination filename [c2800nm-advipservicesk9-mz.124-6.T.bin]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]y
Erase flash: before copying? [confirm]y
Erasing the flash filesystem will remove all files! Continue? [confirm]y
Erasing device... eeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading http://router:upload@myserver/routers/c2800nm-advipservicesk9-mz.124-6.T.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying checksum... OK (0x394D)
36277160 bytes copied in 503.520 secs (72047 bytes/sec)
Warning
In IOS release 12.4(9), the router prints an error message if an image download fails, but not if an image upload fails, so it's always advisable to check the directory contents on the web server after the upload. A failed configuration upload does produce an error message.
The router uses an HTTP GET request when downloading information from the web server and an HTTP PUT request for data upload. All web servers support GET requests, so you can always download configurations or software images from the web server. Internet Information Server (IIS) from Microsoft has built-in support for PUT requests (see the next section for configuration details); Apache needs an external PUT script (see this article for more details).
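As an added example that is not part of the original article (nor Cisco's, Microsoft's or Apache's code), the following Python script is a minimal upload target that does what the article requires of the web server: HTTP Basic authentication and a PUT handler that writes only inside one directory and never executes what it receives. The upload directory and the router/upload credentials are placeholders taken from the article's sample URLs.

```python
# Constructed example, not the article's code: the server side of the router's 'copy ... http://' upload,
# i.e. HTTP Basic authentication plus an HTTP PUT handler confined to one directory (nothing is executed).
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

UPLOAD_ROOT = "/srv/router-configs"  # placeholder; keep it outside the web server's document tree
CREDENTIALS = {"router": "upload"}   # placeholder credentials matching the article's sample URLs

def basic_header(user, password):  # the header an IOS client sends for http://user:password@host/...
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authorized(auth_header):
    """Validate an HTTP Basic header against CREDENTIALS using a constant-time compare."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return False
    return user in CREDENTIALS and hmac.compare_digest(CREDENTIALS[user].encode(), password.encode())

def safe_target(root, url_path):
    """Map the request path below root; return None if it escapes root or names root itself."""
    root = Path(root).resolve()
    candidate = (root / url_path.lstrip("/")).resolve()
    if candidate == root or root not in candidate.parents:
        return None  # e.g. PUT /../etc/passwd resolves outside the upload directory
    return str(candidate)

class ConfigUploadHandler(BaseHTTPRequestHandler):
    def _reply(self, code):
        self.send_response(code)
        if code == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="routers"')
        self.end_headers()
    def do_PUT(self):
        if not authorized(self.headers.get("Authorization")):
            return self._reply(401)
        target = safe_target(UPLOAD_ROOT, self.path)
        if target is None:
            return self._reply(403)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        Path(target).parent.mkdir(parents=True, exist_ok=True)
        Path(target).write_bytes(body)
        self._reply(201)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), ConfigUploadHandler).serve_forever()
```

Because the credentials travel base64-encoded rather than encrypted, this server should sit behind HTTPS (or be used only over a management network), which is the article's point about using https:// URLs.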
The default username and password used when accessing the web server can be set with the ip http client configuration commands summarized in Table 3.
Table 3
Changing the default parameters of the HTTP client

| Command syntax | Explanation |
|---|---|
| ip http client username string | Specifies the default username. |
| ip http client password string | Specifies the default password. |
| ip http client proxy-server server port port | Specifies the proxy server to use when accessing the web servers. |
Configuring IIS PUT support
Internet Information Server (IIS) from Microsoft has built-in support for HTTP PUT requests, which is disabled by default. To configure the IIS server to support file upload from Cisco routers, perform the following steps:
Step 1.
(Optional) Create a new username that will be used to authenticate the routers. You could also create a unique username for each router or a group of routers (for example, core routers could use different usernames than the access routers).
Step 2.
Create a new virtual directory in the IIS Management console (started from Administrative tools which are accessible from Control panel or Programs/Administrative Tasks menu).
Note
Placing the writable virtual directory somewhere outside the IIS default directory tree is a bit more secure than placing it within it.
Figure 1. Creating a new virtual directory
Step 3.
Enter the virtual directory name and select the physical directory in the Virtual Directory Creation Wizard. During the last step, remove Run scripts and add Write to the list of access permissions.
Figure 2. Setting virtual directory permissions
Step 4.
Open the properties of the new virtual directory (right-click on the directory name; select Properties). In the Virtual Directory tab, make sure Execute Permissions is set to None; otherwise web clients could freely upload scripts they would like to have executed on the server.
Figure 3. Changing virtual directory properties
Step 5.
In the Directory Security tab, click the Edit button in the Anonymous access and authentication control section. Disable Anonymous access and Integrated Windows authentication and enable Basic authentication (the only authentication method supported by Cisco IOS). If needed, enter the Default domain (for example, if the usernames should belong to a different domain than the web server). Save the changes.
Figure 4. Changing virtual directory authentication
Step 6.
Change the security settings of the physical directory in Windows Explorer (if needed, disable Use simple file sharing in Explorer; the option is in the dialog box under Tools/Folder options). Allow read and write access only to authorized network managers and to the usernames configured on the routers.
Figure 5. Disabling simple file sharing in Windows Explorer
Figure 6. Changing directory security
Note
You might need to turn off the rights inheritance from parent directories. Use the Advanced button.
Summary
In this article, you've seen how you can download and upload your router configurations and software images to and from a properly configured web server. No special configuration is needed on the router (unless you want to store the default username and password in the router configuration). Basic authentication or anonymous access has to be configured on the web server to support file download (with the HTTP GET request), and additional steps are needed if you want to store information on the web server (where HTTP PUT requests are used).
Support for HTTP PUT requests is already built into the IIS server, and you just need to set up proper virtual and physical directory permissions. The Apache server needs an external PUT script plus corresponding configuration changes.