Managing Network Devices with SSH Scripts

Network and security devices typically have a text-based Command Line Interface (CLI) for management, which can be used to access and manage systems across a network connection. CLI commands are typically run from text-based terminals. These systems can also be managed with CLI commands embedded in scripts. This article describes managing network devices with Linux scripts.

While modern DevOps environments use software tools such as Ansible, Chef and Puppet to manage and deploy network systems, these tools are complex and structured. Often simple (or even advanced) ad-hoc management tasks can be created in minutes with Linux bash scripts. Linux scripting is a comfortable environment and is often used daily by most administrators.

We will use the Linux Expect scripting utility for the examples to follow. Expect is a common and popular tool which has been around for over 20 years. It was designed to manage CLI based systems, most commonly Linux shells like bash, csh, etc.

Access to systems over a network will use the SSH protocol. Expect supports SSH sessions, which can be started with a single command.

NOTE: Expect can be installed on Linux and Windows systems.

Example CLI Management Script

The example included here is a custom script for an A10 Networks Thunder hardware or virtual appliance. The script can be customized for other network and security systems including Cisco, Juniper, etc.

The following code is a Linux Expect script which will:

  1. Log into an A10 Networks Thunder system via SSH
  2. Enter the Configuration mode
  3. Restore the device image from an FTP server
  4. Reboot the system
  5. Exit

Code Sample

#!/usr/bin/expect -f

#SSH script to restore Thunder ACOS devices from a system backup.

set HOSTIP [lindex $argv 0]
set BKPATH [lindex $argv 1]

spawn ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no admin@$HOSTIP

expect "Password"
send "a10\r"

expect ">"
send "enable\r"
expect "Password"
send "\r"
expect "#"

send "configure\r"
expect "(config)"

send "restore ftp://root@vServer7.ebc.local/$BKPATH\r"
expect "Password"
send "a102345\r"

expect "skip port map"
send "yes\r"

expect "see the diff"
send "no\r"

expect "Complete the restore"
send "yes\r"

sleep 1
expect "Proceed with reboot"
send "yes\r"

expect eof

Code Breakout

The following is an explanation of the sections of code in the above example.

#!/usr/bin/expect -f

Expect is not a standard shell, so the first line of the script has to reference the Expect interpreter explicitly.

set HOSTIP [lindex $argv 0]
set BKPATH [lindex $argv 1]

Parameters can be passed to Expect scripts to generalize the utility. In this example, the IP address and the path to the backup library are passed to the script.

spawn ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no admin@$HOSTIP

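Log into the remote system using SSH. This syntax will allow the script to log in to the remote system and then continue processing the next commands. The two -o options discard the known_hosts record and turn off host key checking, so the script connects without prompting even when the device's host key is unknown or has changed; the device's identity is not verified before the admin password is sent.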

expect "Password"
send "a10\r"

expect ">"
send "enable\r"
expect "Password"
send "\r"
expect "#"

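The [expect] command will pause the script until the quoted text is received or the timeout expires (10 seconds by default). After a timeout the script does not stop; it continues with the next command.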

The [send] command sends the quoted text. The return keystroke must be included explicitly.

send "configure\r"
expect "(config)"

Put the device into [configuration] mode.

send "restore ftp://root@vServer7.ebc.local/$BKPATH\r"
expect "Password"
send "a102345\r"

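Run the device CLI command that retrieves the backup image from the FTP server, then answer the FTP password prompt. FTP carries both the password and the image unencrypted.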

expect "skip port map"
send "yes\r"

expect "see the diff"
send "no\r"

expect "Complete the restore"
send "yes\r"

The device CLI environment will require additional question and answer interactions.

sleep 1
expect "Proceed with reboot"
send "yes\r"

The sleep command may be used in some instances. After the [send] command, the device will initiate a reboot sequence.

expect eof

This last command is required. If this is not included, the Expect script will exit before the reboot CLI command has completed, causing the reboot process to fail.
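
A hardened variant of the script above, added here as an example (it is not part of the original article and is not A10 code): it checks the device host key against a pre-populated known_hosts file, reads the three passwords from environment variables, and exits when a prompt does not arrive instead of sending the next reply. The variable names A10_ADMIN_PW, A10_ENABLE_PW and A10_FTP_PW, the file ~/.ssh/known_hosts_a10 and the procedure expect_or_die are assumptions.

```expect
#!/usr/bin/expect -f
# Added example: the article's restore flow with host key checking,
# passwords taken from the environment, and a stop on any missed prompt.
# Assumed names (not from the article): A10_ADMIN_PW, A10_ENABLE_PW,
# A10_FTP_PW, ~/.ssh/known_hosts_a10 and the helper expect_or_die.

if {$argc != 2} { puts stderr "usage: $argv0 HOSTIP BKPATH"; exit 2 }
set HOSTIP [lindex $argv 0]
set BKPATH [lindex $argv 1]

# BKPATH is pasted into a CLI command, so allow only plain path characters.
if {![regexp {^[A-Za-z0-9._/-]+$} $BKPATH]} {
    puts stderr "BKPATH contains unexpected characters"; exit 2
}
foreach name {A10_ADMIN_PW A10_ENABLE_PW A10_FTP_PW} {
    if {![info exists env($name)]} { puts stderr "$name is not set"; exit 2 }
}

set timeout 30   ;# seconds to wait for each prompt

# Wait for an exact string; exit instead of sending the next reply blindly.
proc expect_or_die {text} {
    expect {
        -ex $text {}
        timeout { puts stderr "timeout waiting for: $text"; exit 1 }
        eof     { puts stderr "session closed waiting for: $text"; exit 1 }
    }
}

# ssh refuses to connect unless the device key matches the pinned entry.
spawn ssh -o UserKnownHostsFile=$env(HOME)/.ssh/known_hosts_a10 \
    -o StrictHostKeyChecking=yes admin@$HOSTIP

# Prompt/reply pairs in the same order as the article's script.
foreach {prompt reply} [list \
    "Password"             $env(A10_ADMIN_PW) \
    ">"                    "enable" \
    "Password"             $env(A10_ENABLE_PW) \
    "#"                    "configure" \
    "(config)"             "restore ftp://root@vServer7.ebc.local/$BKPATH" \
    "Password"             $env(A10_FTP_PW) \
    "skip port map"        "yes" \
    "see the diff"         "no" \
    "Complete the restore" "yes" \
    "Proceed with reboot"  "yes"] {
    expect_or_die $prompt
    send -- "$reply\r"
}
expect eof
```

The article's empty enable password corresponds to exporting A10_ENABLE_PW as an empty string. The known_hosts file must already hold the device's host key, obtained over a trusted path, before the first run.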