2 Intern
•
385 Posts
0
11741
January 11th, 2011 07:00
Transfer files from MDS switch
Trying to set up a job to dump some data (and clear logfiles) and push them to a remote server.
Running into two problems trying to either pull or push the data:
1) Trying to push from the MDS host using FTP the job hangs because it prompts for a password even though one is supplied.
2) Trying to pull data using SCP or SFTP doesn't work (I've tried numerous tools, platforms) against the MDS switch for some reason.
Anyone have any luck or specific process they use to automatically transfer files from their switch?
DippityDell
79 Posts
0
March 3rd, 2011 10:00
I haven't had the opportunity to work on this in a while, but was trying to do exactly the same thing. The issue I had was having the MDS connect to the host with the SSH keys and dump the files. Host to MDS worked fine, but didn't seem acceptable to me. I would be interested to see how this works out for you.
Similar to the last post, here is a primus article that lists steps and additional information on how to set up: emc165558.
Check out the primus as it lists some other good sources of information and some important notes on known issues. Let me know if you are unable to pull up the primus and I can post.
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ssh key rsa1
generating rsa1 key(1024 bits).....
generated rsa1 key
switch(config)# ssh key dsa
generating dsa key(1024 bits).....
generated dsa key
switch(config)# ssh key rsa
generating rsa key(1024 bits).....
generated rsa key
switch(config)# ssh server enable
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# username testuser role network-operator
warning: password for user:testuser not set. S/he cannot login currently
switch(config)# username testuser sshkey 1024 35
139198677264732164858153476357747926024656548233745027006381178621992083524037906211714241
450436547019604214530354070873624269283640613058470615170649963414635036859628344005142227
886318134122126153182906740418449098047827961768214148936752631482459130056603268404256522
191410368204629699075809390037814979061 testuser@host
switch(config)# end
switch# show user-account testuser
user: testuser
this user account has no expiry date
roles:network-operator
no password set. Local login not allowed
Remote login through RADIUS/TACACS+ is possible
ssh public key: 1024 35
139198677264732164858153476357747926024656548233
74502700638117862199208352403790621171424145043654701960421453035407087362426928
36406130584706151706499634146350368596283440051422278863181341221261531829067404
18449098047827961768214148936752631482459130056603268404256522191410368204629699
075809390037814979061 testuser@host
Using username "testuser".
MDS Switch
Authenticating with public key "testuser@host"
Cisco Storage Area Networking Operating System (SAN-OS) Software
TAC support: http://www.cisco.com/tac. Copyright(c) 2002-2004, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
switch#
dynamox
9 Legend
•
20.4K Posts
0
January 11th, 2011 07:00
Can you do tftp? I can share my Perl script I use to pull weekly configs.
jeffbaum999
17 Posts
1
March 3rd, 2011 07:00
Excerpt taken from EMC Primus knowledgebase article emc98524
As of 2.0(1b) SAN OS, files can be transferred to and from a Cisco MDS 9000 Series via the Fabric Manager GUI or the CLI. The CLI offers a broad range of protocols to use for copying to or from the MDS. The MDS switch always acts as a client, such that an ftp/scp/tftp session will always originate from the MDS and either push files to an external system or pull files from an external system.
There are four (4) protocols that the MDS copy command supports. They are scp (secure copy), ftp (file transfer protocol), sftp (secure file transfer protocol), and tftp (trivial file transfer protocol).
Hope this helps.
dynamox
9 Legend
•
20.4K Posts
0
March 3rd, 2011 07:00
Jeff, other than tftp these approaches are interactive and require the user to enter a password, so they are not very friendly to scripting. Is there a way to set up public key ssh authentication when using scp?
jeffbaum999
17 Posts
0
March 3rd, 2011 17:00
The above steps were taken from the CISCO MDS9000 Family Cookbook for MDS SAN-OS Release 2.x. Additional documentation can also be found in the SAN-OS config guide under Configuring SSH Services.
Tip: Assign password-free logons to either a read-only role like network-operator or to a role with a minimal set of privileges.
Caution: Having only the public key does not trigger the switch to grant access. The private key must also be on the host. Treat the private key like a password.
If the same user tries logging in from another host without both the private key file (/users/testuser/.ssh/identity) and the public key file (/users/testuser/.ssh/identity), then access to the switch is denied. The fact that the public key has testuser@host included does not tie it to a specific host but does allow an admin to determine from which host it was generated. In some SSH implementations such as PuTTY, this is the Key comment.
You can allow switch access with no password from automated scripts or agents. Providing a null password or hard coding the password into the script or agent could be considered a weak security practice. However, using the private/public key infrastructure of SSH maintains a secure environment. SSH uses a private/public key exchange; the switch knows only the public key while the host knows both the public and private keys. Access is only granted if the user comes from a host that knows both the public and private keys.
Jeff
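An added example, not part of any post in this thread or of the Cisco cookbook: a host-side check for the tip above, which parses saved `show user-account` output and flags key-only accounts that hold more than a read-only role. The sample text is constructed on the model of the output quoted earlier, and the account names, short key values and the READ_ONLY_ROLES set are assumptions.

```python
import re

# Constructed sample, modelled on the `show user-account` output quoted in this
# thread; the account names and the short key values are made up.
SAMPLE = """\
user: admin
        this user account has no expiry date
        roles:network-admin
user: testuser
        this user account has no expiry date
        roles:network-operator
        no password set. Local login not allowed
        Remote login through RADIUS/TACACS+ is possible
        ssh public key: 1024 35 1391986772647321 testuser@host
user: backupjob
        this user account has no expiry date
        roles:network-admin
        no password set. Local login not allowed
        ssh public key: 1024 35 9075809390037814 backupjob@host
"""

READ_ONLY_ROLES = {"network-operator"}  # assumption: add local minimal roles here


def parse_accounts(text):
    """Split the output into one dict per 'user:' stanza."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"user:\s*(\S+)", line):
            accounts.append({"user": m.group(1), "roles": [],
                             "has_key": False, "no_password": False})
        elif not accounts:
            continue  # ignore banner text before the first stanza
        elif m := re.match(r"roles:\s*(.+)", line):
            accounts[-1]["roles"] = m.group(1).split()
        elif line.startswith("no password set"):
            accounts[-1]["no_password"] = True
        elif line.startswith("ssh public key:"):
            accounts[-1]["has_key"] = True  # key digits may wrap onto later lines
    return accounts


def risky_key_accounts(text):
    """Key-only accounts holding any role outside READ_ONLY_ROLES."""
    return [a["user"] for a in parse_accounts(text)
            if a["has_key"] and a["no_password"]
            and not set(a["roles"]) <= READ_ONLY_ROLES]


if __name__ == "__main__":
    print(risky_key_accounts(SAMPLE))
```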
bodnarg
2 Intern
•
385 Posts
0
April 6th, 2011 07:00
I didn't want to use tftp since it is fairly insecure.
I was hoping to push from the switch, but I'll have to try and get pull working from the switch instead as some of these posts suggest. Since I'm trying to get the data to a Windows 2xxx server secure ftp isn't the best, but I'll have to give it a try.
Thanks.