You don't have to spend a fortune on CiscoWorks to store and compare your Cisco router configurations. With a little work and some help from Subversion, you can roll your own.
by Tim Conrad
Aug 2, 2004
Several years ago I evaluated CiscoWorks as a network management platform, and was impressed. CiscoWorks is rife with features. In particular, it had a few key features that I found immensely useful. Unfortunately, CiscoWorks is rather expensive, so I ended up "rolling my own" similar features. One key CiscoWorks feature is the capability of storing Cisco configurations in a versioning system. This feature lets you save your configurations and compare current configurations to previous ones. CiscoWorks also uses SNMP traps, or system-generated messages, so when someone makes a configuration change to a router, the system grabs and stores the new configuration, providing an automated change-tracking system.
I decided to use Subversion and some simple scripts to mimic the CiscoWorks functionality. Subversion is a version control system that aims to replace CVS. It's primarily HTTP-based, which makes it a convenient platform for storing configurations that are accessible from any Web browser. I have an additional Web-based interface, called ViewCVS, on my Cisco configuration repository, making it easy to view running router configurations while in a meeting, and useful for simply evaluating what has changed on my network recently. An additional advantage of this type of storage is that you can automatically create up-to-date configurations for disaster recovery scenarios.
This article focuses primarily on setting up the configuration repository on a Unix-like system. You could most certainly follow a similar process to set the repository up on Windows, although the examples in this article don't cover that operating system. Most Unix-like operating systems have some sort of package management for the software discussed here. I'd recommend you use those package systems because they're the simplest to install; however, because such packages vary from OS to OS, I'm simply going to give the software requirements, and leave the installation up to you.
Briefly, you need to install the following software packages:
Apache 2 (currently at version 2.0.50). If you already have an earlier version of Apache installed, be aware that one common problem arises when people use Apache 1.x and 2.x on the same system. While that's possible, you can't run them on the same port. The simplest solution to the problem is to run Apache 2 on a different port such as port 8080 instead of the standard port 80.
Subversion. Subversion is part of the core software of the configuration repository. It's designed to work with Apache 2.0, using the WebDAV protocol, so be sure to install both Apache and Subversion on the same machine. Apache needs direct access to the Subversion database to perform its updates. For more detailed information, try the excellent book Version Control with Subversion. As of this writing, the current version of Subversion is 1.0.5. If you're planning to build the application from source, make sure your Berkeley DB libraries are new enough (in the 4.1.x realm) and that you pass the --with-apache or --with-apxs flag to the configure script so that Apache support is built into Subversion.
The WebDAV protocol (mod_dav module). Subversion needs the mod_dav module to function, so make sure to install this as well.
SSL (recommended). If you'd like the additional security of putting your repository behind an SSL-enabled site, you can build mod_ssl for your Apache installation. In addition, you'll need to comment out two of the directives discussed below to force Apache to use SSL for the directories.
ViewCVS (recommended). Subversion ships with a very limited Web-based front end for browser-based HTTP clients; however, a much more advanced front end, ViewCVS, is fairly straightforward to install from source or as a package. The current version as of this writing is 0.9.2.
Perl 5. The script that gathers the configurations is written in Perl, so you'll need Perl 5. The scripts for this article were tested with Perl 5.8.3. The script uses a Perl module called Net::Telnet::Cisco. To install it, run the command perl -MCPAN -e 'install Net::Telnet::Cisco', or use your package manager to install the module.
The next two packages are optional, depending on your configuration. The Configuration Repository can work in two different ways. The first is just to go and grab the Cisco configurations once a week. The second way is to configure them to be downloaded whenever an SNMP trap is sent. The first method is very simple to set up, the second is a little trickier, and requires some additional software packages.
Net-SNMP. This package has a program that listens for SNMP traps. So, you'll need to install this to update your configurations when they change. The current version as of this writing is version 5.1.1.
SNMPTT. Finally, you'll need to install SNMPTT, which processes the incoming SNMP traps and runs scripts on certain events. The current version as of this writing is 0.9. SNMPTT requires some additional Perl modules: Text::ParseWords, Getopt::Long, Config::IniFiles, Time::HiRes and the Net-SNMP module. You should configure SNMPTT in "daemon" mode as well.
Author's Note: You'll need to know what user and group Apache is configured to use. The httpd.conf file (usually located in /etc/apache or /etc/httpd) contains directives for "User" and "Group". Open the file and make a note of these settings, because you'll need them later.
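One way to pull those two settings out of httpd.conf without reading the file by eye, as an added example that is not part of the original article. The function names and the sample configuration are constructed for illustration; on a real system, pass the path to your own httpd.conf.

```sh
#!/bin/sh
# Added example (not from the article): report the account and group that
# Apache is configured to run as, in the form "user:group".

# apache_identity [FILE]  - reads FILE, or standard input if no file is given.
# Exits non-zero if either directive is missing.
apache_identity() {
    awk '
        $1 ~ /^#/ { next }              # ignore commented-out lines
        {
            d = tolower($1)             # directive names are case-insensitive
            v = $2
            gsub(/"/, "", v)            # values may be quoted
            # keep the last uncommented value seen for each directive
            if (d == "user"  && v != "") user  = v
            if (d == "group" && v != "") group = v
        }
        END {
            if (user == "" || group == "") exit 1
            print user ":" group
        }
    ' "$@"
}

# Constructed sample configuration, embedded so the example runs offline.
sample_httpd_conf() {
cat <<'EOF'
# constructed sample, not a real server configuration
ServerRoot "/etc/httpd"
Listen 8080
#User nobody
  user  "www"
Group www-data
EOF
}

sample_httpd_conf | apache_identity
```

On a live host the call would be apache_identity /etc/httpd/httpd.conf (or whichever path your installation uses).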