I’m planning a small blog post series about Cisco configuration backup with
Netbox and Gitlab.
My idea is to “control” which devices are backed up by Netbox with
Device Type, Site, IPv4 address and Status (“Active”).
Based on the above information, the script should then log in to the devices
with SSH, send a couple of commands (banner, wr mem, copy run scp) and start a
file transfer that saves the configuration to a temporary directory on an
SCP host.
The configuration files are then checked into a GitLab repository, so it is
easy to track and compare configuration files.
To outline the idea, I made the drawing shown below.
Building a list (dict) with Device data from Netbox
This script uses Python 3 and some libraries. For example, pynetbox is used
to get information from Netbox, pexpect is used for the SSH and CLI session
to the devices, and gitlab is used to communicate with the Gitlab server.
Some variables need to be defined, for example:
Netbox and Gitlab URL and API Token
SCP for the file transfer
Backup User to log in into Cisco devices
I am not using TFTP, therefore the script needs login credentials for SCP.
The Backup User is created on a RADIUS server and is valid for all devices.
In the next step the script connects to the Netbox API to get a list (dict)
with the Device Type, Site, Hostname and IPv4 address.
In my Netbox setup, I defined the Device Type in a specific scheme, for
example network device types start with “net-”, UPS (Uninterruptible Power
Supply) types start with “pwr-” and so on.
To build the list (dict), the script uses the pynetbox filter and appends the
matching devices to the initialized list. This is repeated for my
core-switches, access-switches, wireless-controllers and
The result is a list (dict) which contains the data to control the SSH session.
With this, the script can then use one function for a Cisco switch and another
function for a Cisco Wireless Controller. This separation is required because
each device type uses a different CLI syntax. The Site also becomes important
if the script should handle more than one location.
For Cisco Switch Stacks, some “cleanup” is required. In my case, the first
switch in a stack has the extension “:1”, the second switch in a stack “:2” and
Netbox also returns the prefix length (the subnet bits) together with the IPv4
address. This means a “cleanup” of the IPv4 address is required as well.
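Building the list and the two cleanups, as an added Python example that is not the post's own script: the device records are constructed inline (hypothetical hostnames, RFC 5737 documentation addresses) in the shape the script would read from pynetbox's nb.dcim.devices.filter(status="active"), so it runs offline; the rule that picks the switch or WLC handler from the type slug is an assumption.

```python
import re
import ipaddress

# Constructed sample records (hypothetical hostnames, RFC 5737 addresses) in the
# shape the script reads from pynetbox: name, device type slug, site, status and
# the primary IPv4 as Netbox returns it, i.e. with the prefix length attached.
SAMPLE_DEVICES = [
    {"name": "core-sw1:1", "device_type": "net-c9500", "site": "HQ",
     "status": "active", "primary_ip4": "192.0.2.10/24"},
    {"name": "core-sw1:2", "device_type": "net-c9500", "site": "HQ",
     "status": "active", "primary_ip4": "192.0.2.10/24"},
    {"name": "acc-sw3", "device_type": "net-c9200", "site": "Branch",
     "status": "active", "primary_ip4": "198.51.100.7/26"},
    {"name": "wlc1", "device_type": "net-wlc9800", "site": "HQ",
     "status": "active", "primary_ip4": "192.0.2.20/24"},
    {"name": "asa1", "device_type": "net-asa5516", "site": "HQ",
     "status": "offline", "primary_ip4": "192.0.2.1/24"},
    {"name": "ups1", "device_type": "pwr-ups1500", "site": "HQ",
     "status": "active", "primary_ip4": "192.0.2.30/24"},
    {"name": "acc-sw9", "device_type": "net-c9200", "site": "Branch",
     "status": "active", "primary_ip4": None},
]

def clean_hostname(name: str) -> str:
    """Strip the stack-member suffix: "core-sw1:1" -> "core-sw1"."""
    return re.sub(r":\d+$", "", name)

def clean_ip(cidr: str) -> str:
    """Strip the prefix length Netbox appends: "192.0.2.10/24" -> "192.0.2.10"."""
    return str(ipaddress.ip_interface(cidr).ip)

def handler_for(device_type: str) -> str:
    """Pick the CLI function by device type (assumed naming: 'wlc' in the slug)."""
    return "wlc" if "wlc" in device_type else "switch"

def build_backup_list(devices, type_prefix: str = "net-") -> dict:
    """Return {hostname: {...}} for devices that are Active, carry a network
    device type and have a primary IPv4; stack members collapse to one host."""
    backup = {}
    for dev in devices:
        if dev["status"] != "active" or not dev["primary_ip4"]:
            continue  # the Netbox status is the on/off switch for the backup
        if not dev["device_type"].startswith(type_prefix):
            continue  # e.g. a UPS ("pwr-") has no Cisco CLI to back up
        host = clean_hostname(dev["name"])
        backup.setdefault(host, {"ip": clean_ip(dev["primary_ip4"]),
                                 "site": dev["site"],
                                 "device_type": dev["device_type"],
                                 "handler": handler_for(dev["device_type"])})
    return backup
```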
For security reasons, hostnames and IP addresses are obfuscated.
To verify that I can control the planned backup script from Netbox, I set, for example, one of my ASA Firewalls to “Offline”.
And as expected, the script output shows the status of this ASA Firewall as “Offline”.