Restore remote access to Cisco switch or router via SNMP RW

Here’s a quick way to restore remote Telnet or SSH access to a Cisco switch or router without reloading the device, which would certainly impact the business. The procedure uses the SNMP CISCO-CONFIG-COPY-MIB available on a typical Cisco device.

What you need:
A) TFTP server software
B) The Read-Write community string currently configured on the device
C) The device needs to be walkable (reachable via SNMP) from your IP location (in case access-lists are configured for SNMP)
D) A server or workstation with SNMP utilities installed (e.g. Mac OS X, Ubuntu with package net-snmp-utils installed, or Windows with OpenSSL 0.98r and net-snmp-utils)

Battle plan:
1) Download the current running-configuration via SNMP RW to check what’s wrong with the configuration
2) Adjust the configuration
3) Push the new configuration back to the running-configuration via SNMP RW
4) Et voilà!

1) Download current config via SNMP RW
Note: The last integer of each OID (112 in the commands below) is a random integer; you can choose any integer between 1 and 255. Use the same integer for the whole download procedure! Think of the integer as a session.
Set copy method via OID ccCopyProtocol:

snmpset -v 2c -c  {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.2.112 i 1

Set source filetype to running-config via OID ccCopySourceFileType:

snmpset -v 2c -c  {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.3.112 i 4

Set destination to networkfile via OID ccCopyDestFileType:

snmpset -v 2c -c  {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.4.112 i 1

Set TFTP server ip via OID ccCopyServerAddress:

snmpset -v 2c -c  {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.5.112 a {ip-address-tftp-server}

Set destination filename via OID ccCopyFileName:

snmpset -v 2c -c  {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.6.112 s test.txt

Start tftp download via OID ccCopyEntryRowStatus:

snmpset -v 2c -c  {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.14.112 i 1

After each set command you get a confirmation that the setting has been applied.

2) Adjust configuration
Find the error and fix it. You might need to remove any additional security that could lock you out of the device. Otherwise you’ll have to repeat the procedure more than once.

3) Push the new configuration back to the running-configuration via SNMP RW
Set copy method:

snmpset -v 2c -c {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.2.114 i 1

Result output: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.2.114 = INTEGER: 1 >> Confirmation that integer has been set
Set sourcefile to network file:

snmpset -v 2c -c  {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.3.114 i 1

Result output: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.3.114 = INTEGER: 1
Set destination to running-config:

snmpset -v 2c -c {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.4.114 i 4

Result output: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.4.114 = INTEGER: 4
Set TFTP server ip:

snmpset -v 2c -c {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.5.114 a {ip-address-tftp-server}

Result output: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.5.114 = IpAddress: {ip-address-tftp-server}
Set the filename of the network file:

snmpset -v 2c -c {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.6.114 s test.txt

Result output: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.6.114 = STRING: "test.txt"

Start tftp upload via OID ccCopyEntryRowStatus:

snmpset -v 2c -c {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.14.114 i 1

Result output: SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.14.114 = INTEGER: 1

4) Et voilà
Check whether the device is remotely accessible. You can remove the OID values you set as follows:

snmpset -v 2c -c  {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.14.112 i 6

and

snmpset -v 2c -c  {community-string} {device-ip-address}  1.3.6.1.4.1.9.9.96.1.1.1.1.14.114 i 6

You can also check the progress via OID ccCopyState or get a notification via ccCopyNotificationOnCompletion. If you use a file transfer protocol with mandatory authentication, you can use the OIDs ccCopyUserName and ccCopyUserPassword.
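
The progress check via ccCopyState mentioned above, as an added example (not part of the original post): a small shell script that polls the state of one copy row and reports ccCopyFailCause if the copy failed. It assumes net-snmp's snmpget is installed; the script name wait_copy.sh is hypothetical and the ccCopyFailCause lookup is an addition not found in the procedure above.

```shell
#!/bin/sh
# Added example: poll ccCopyState for one ccCopyTable row until the copy ends.
# Columns of ccCopyEntry used here: .10 = ccCopyState, .13 = ccCopyFailCause.
CC_COPY_ENTRY=1.3.6.1.4.1.9.9.96.1.1.1.1

# Pull the integer out of a net-snmp reply line, with or without the MIB loaded:
#   SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.10.112 = INTEGER: 3
#   CISCO-CONFIG-COPY-MIB::ccCopyState.112 = INTEGER: successful(3)
snmp_int() {
    printf '%s\n' "$1" | sed -n 's/.*INTEGER: *[^0-9]*\([0-9][0-9]*\).*/\1/p'
}

# ccCopyState values as defined in CISCO-CONFIG-COPY-MIB.
copy_state_name() {
    case "$1" in
        1) echo waiting ;;
        2) echo running ;;
        3) echo successful ;;
        4) echo failed ;;
        *) echo unknown ;;
    esac
}

# wait_for_copy COMMUNITY HOST ROW [TRIES] [DELAY_SECONDS]
# Exit status: 0 successful, 1 failed, 2 not finished in time, 3 SNMP error.
wait_for_copy() {
    community=$1 host=$2 row=$3 tries=${4:-30} delay=${5:-2}
    while [ "$tries" -gt 0 ]; do
        reply=$(snmpget -v 2c -c "$community" "$host" "$CC_COPY_ENTRY.10.$row") || return 3
        case "$(copy_state_name "$(snmp_int "$reply")")" in
            successful) echo "row $row: successful"; return 0 ;;
            failed)
                # ccCopyFailCause says why (bad file name, timeout, ...).
                reply=$(snmpget -v 2c -c "$community" "$host" "$CC_COPY_ENTRY.13.$row") || return 3
                echo "row $row: failed, ccCopyFailCause=$(snmp_int "$reply")"; return 1 ;;
        esac
        tries=$((tries - 1))
        sleep "$delay"
    done
    echo "row $row: not finished"; return 2
}

# Run the poll only when called with arguments (hypothetical script name):
#   sh wait_copy.sh {community-string} {device-ip-address} 114
if [ "$#" -ge 3 ]; then wait_for_copy "$@"; fi
```

Run it before removing the row with value 6, since the state disappears together with the row.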

Tip: Use the SNMP Object Navigator on the Cisco site to look up all the possible values. The OIDs used are named in procedure 1 and in the paragraph above.
You can find the link in our Tools section.
