The CYA – Destructive SSH Changes

Standard

Have you ever had to change some configuration over a SSH session?  Of course you have! Everyone in networking has to make a remote change every now and then. But what if you have to make a destructive change like changing the WAN IP and default route while connected remotely?

There are a few ways to tackle that problem and here is my favourite one.
In this example we will SSH from R3 to R1, break the interface and change the IP in one shot by using some TCL goodness.

tclsh-001

First we’ll connect to R1 and get logged in.

R03#ssh -l cisco 155.1.13.1 
Password:
R01>en
Password: 

Then we’ll enter the TCL shell with tclsh, don’t worry if you don’t know much TCL yet, this will be quick. Then we will use TCL to create a file in flash and write our changes to it.

R01#tclsh 
R01(tcl)#puts [open "flash:change.cfg" w+] {
+>default interface g2.13
+>int g2.13
+>encap dot1q 13
+>ip add 155.1.13.11 255.255.255.0
+>no shut
+>}
R01(tcl)#tclquit

When we're done with file we can now copy the file to running config (or startup-config if you prefer.)
R01#copy flash:change.cfg running-config
Destination filename [running-config]? 

Interface GigabitEthernet2.13 set to default configuration
99 bytes copied in 0.456 secs (217 bytes/sec)

Now if we check R1 we can see the change has been applied.

R01(config)#do sh ip int br | in 2\.13
GigabitEthernet2.13 155.1.13.11 YES TFTP up up

3 thoughts on “The CYA – Destructive SSH Changes

  1. Michael Fisher

    Could you expound upon what is transpiring here? I understand that the changes you want to create are set in a script which is then loaded into the running config, which changes the running config. Do you loose connection during this process? Do these changes not take effect until a reboot? Does the interface got through a down state, and if not, why not?

    Like

    • IOS applies configuration line by line, so if you copy and paste the example script you will be disconnected at the “default interface” command and the IP address would never be applied.

      Because the script is now a file on flash the configuration would still disconnect you but the configuration would be fully applied.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s