LINICKX.com

Automated Cisco WLC backup with a Python Script

Nick Bettison — Wed, 30 Aug 2017 19:50:00 +0100

As part of my ISE work I generally make changes to WLCs, I'm not really a Wi-Fi Guy so don't ask me about channel width but I do a lot with authentication and in ISE's case that usually includes an ACL or two on the WLC!

There are a number of options for backing up a WLC but they're all a bit clunky if you have say 10 of the blighters to backup!!

Using python (and the Netmiko module), I've written a python script to do the job. If you're a windows user, I recommend you look at MicroSoft's Subsystem for linux as setting up python & netmiko is very straight forward... i.e. the same as linux!

Here's what it looks like when you run it.

linickx:~ $ python3 backup_wlc.py
Username: admin
Password:
[INFO] 2017-08-28 16:51:11,065 Connecting to 10.10.10.9
[INFO] 2017-08-28 16:51:16,502 Connected (version 2.0, client CISCO_WLC)
[INFO] 2017-08-28 16:51:17,620 Authentication (password) successful!
[INFO] 2017-08-28 16:51:24,366 Working on CHWC01
[INFO] 2017-08-28 16:51:24,367 Filename: CHWC01_170828-165124.txt
[INFO] 2017-08-28 16:51:24,367 Sending cmd: show run-config commands
[INFO] 2017-08-28 16:51:25,773 Connecting to 10.10.11.10
[INFO] 2017-08-28 16:51:31,205 Connected (version 2.0, client CISCO_WLC)
[INFO] 2017-08-28 16:51:32,322 Authentication (password) successful!
[INFO] 2017-08-28 16:51:39,124 Working on CHWC02
[INFO] 2017-08-28 16:51:39,125 Filename: CHWC02_170828-165139.txt
[INFO] 2017-08-28 16:51:39,125 Sending cmd: show run-config commands
[INFO] 2017-08-28 16:51:40,530 Connecting to 10.11.18.5
[INFO] 2017-08-28 16:51:45,647 Connected (version 2.0, client CISCO_WLC)
[INFO] 2017-08-28 16:51:45,998 Authentication (password) successful!
[INFO] 2017-08-28 16:51:51,782 Working on DEWC01
[INFO] 2017-08-28 16:51:51,783 Filename: DEWC01_170828-165151.txt
Finished:
 CHWC01_170828-165124.txt
 CHWC02_170828-165139.txt
 DEWC01_170828-165151.txt
linickx:~ $

Each WLC gets it's own text file, time/date stamped, of "show run-config commands" which you can use to compare before and after changes... potentially useful for nightly backups if you want to use cron.

The script can be downloaded here (rename to .py), I've pasted it below for your reading pleasure ;-)

Please take note of the comments at the top, the WLC IP addresses are stored in the script, you'll need to update and change as appropriate. By default the script prompts you for credentials which works for runs manually but if used with cron you'll need insecure hardcoded variables (use and secure wisely!)

"""
    Script to backup Cisco WLCs using netmiko

    # Version 1.0 28.Aug.2017
    # Nick Bettison - Linickx.com

    # External Credit...
    # https://github.com/AlexMunoz905/Cisco-Backup-Config/blob/master/WLC.py
    # Thanks to ^that^ for getting me started! :)
"""
import logging
import getpass
import re
import datetime
import sys

try:
    import netmiko
except:
    print("Error Netmiko not installed - https://github.com/ktbyers/netmiko")
    sys.exit()

"""
    This array stores a list if IPS to connect to
    eg.
        one device: `ips = ["10.1.2.12"]`
        two devices: `ips = ["10.1.2.12", "10.1.3.13"]
`
"""
ips = ["10.1.2.12", "10.1.3.13"]

"""
    By default, ths scipt prompts for credentials.
    If you're feeling insecure and want to store them in the file, replace below with...
    um = "admin"
    pw = "insecure_password"
"""
un = input('Username: ')
pw = getpass.getpass()

"""
    No Need to change below here!
"""
logging.basicConfig(format='[%(levelname)s] %(asctime)s %(message)s', level=logging.INFO)
logger = logging.getLogger("wlc_backup")
devices = [] # Empty array to store wlcs
files = [] # Empty array to store filenames

for ip in ips:
    # device definition
    cisco_wlc = {
        'device_type': 'cisco_wlc',
        'ip': ip,
        'username': un,
        'password': pw,
    }
    devices.append(cisco_wlc)

for device in devices:
    logger.info("Connecting to %s", device['ip'])
    # connect to the device w/ netmiko
    try:
        net_connect = netmiko.ConnectHandler(**device)
    except:
        logger.error("Failed to connect to %s", device['ip'])
        logger.debug("Exception: %s", sys.exc_info()[0])
        continue

    # get the prompt as a string
    prompt = net_connect.find_prompt()

    logger.debug("prompt: %s", prompt)

    regex = r'^\((.*)\)[\s]>'

    regmatch = re.match(regex, prompt)
    if regmatch:
        hostname = regmatch.group(1)
        logger.info("Working on %s", hostname)
    else:
        logger.error("Hostname Not Found!")
        logger.debug(regmatch)

    filetime = datetime.datetime.now().strftime("%y%m%d-%H%M%S") # File timestamp
    config_filename = hostname + "_" + filetime + ".txt" # Filname with hostname
    files.append(config_filename)
    logger.info("Filename: %s", config_filename)

    commands = ['show run-config commands'] # commands to run

    for cmd in commands:
        logger.info("Sending cmd: %s", cmd)
        this_cmd = net_connect.send_command(cmd)
        config_filename_f = open(config_filename, 'a')
        config_filename_f.write(this_cmd)
        config_filename_f.write('\n')
        config_filename_f.close()

print("Finished:")
for fname in files:
    print(" %s " % fname)

Enjoy your backups!

snmpwalk v3 and snmpget v3 examples

Nick Bettison — Sat, 01 Apr 2017 15:22:00 +0100

I always forget the syntax for snmpwalk/snmpget v3; so posting here to remember.

snmpwalk version 3

The command is: snmpwalk -v3 -l authPriv -u snmp-poller -a SHA -A "PASSWORD1" -x AES -X "PASSWORD1" 10.10.60.50

Example output:

[nick@server ~]$  snmpwalk -v3  -l authPriv -u snmp-poller -a SHA -A "PASSWORD1"  -x AES -X "PASSWORD1" 10.10.60.50
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Adaptive Security Appliance Version 9.6(2)11
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.1199
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (201155400) 23 days, 6:45:54.00
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: fw01.local
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 4
IF-MIB::ifNumber.0 = INTEGER: 1
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifDescr.1 = STRING: Adaptive Security Appliance 'v101' interface
IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifMtu.1 = INTEGER: 1500
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifPhysAddress.1 = STRING: aa:11:22:33:44:55
IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifLastChange.1 = Timeticks: (6600) 0:01:06.00
IF-MIB::ifInOctets.1 = Counter32: 56388261
IF-MIB::ifInUcastPkts.1 = Counter32: 316701
...
[nick@server ~]$

snmpget version 3

A command for just getting the hostname: snmpget -v3 -l authPriv -u snmp-poller -a SHA -A "PASSWORD1" -x AES -X "PASSWORD1" 10.10.60.50 sysName.0

Example output:

[nick@server ~]$ snmpget -v3  -l authPriv -u snmp-poller -a SHA -A "PASSWORD1"  -x AES -X "PASSWORD1" 10.10.60.50 sysName.0
SNMPv2-MIB::sysName.0 = STRING: fw01.local
[nick@server ~]$

A command for getting the hostname and the uptime: snmpget -v3 -l authPriv -u snmp-poller -a SHA -A "PASSWORD1" -x AES -X "PASSWORD1" 10.10.60.50 sysName.0 system.sysUpTime.0

Example output:

[nick@server ~]$ snmpget -v3  -l authPriv -u snmp-poller -a SHA -A "PASSWORD1"  -x AES -X "PASSWORD1" 10.10.60.50 sysName.0 system.sysUpTime.0
SNMPv2-MIB::sysName.0 = STRING: fw01.local
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (14100) 0:02:21.00
[nick@server ~]$

These tests are on a Cisco ASA.

This is the ASA snmp v3 config used:

snmp-server group the-noc v3 priv
snmp-server user snmp-poller the-noc v3 auth sha PASSWORD1 priv aes 128 PASSWORD1
snmp-server host v101 10.10.62.100 version 3 snmp-poller

I've used the same password for authentication & encryption to make it easy. The username is "snmp-poller", the source of my polling is "10.10.61.100", the group "the-noc" is for if you have more than one user account.

Ansible Cisco - Primer 2 - Making Changes

Nick Bettison — Wed, 29 Mar 2017 17:35:00 +0100

This is my second post, documenting some Ansible/Cisco examples, please check out my Ansible Cisco Primer 1 first; in this example we'll make some changes to devices.

TLDR; Some example files are on github: https://github.com/linickx/ansible-cisco

NTP & DNS, an easy example

This is a play to set NTP & DNS servers, it's a simple "quick win" because the syntax is straight forward and typically in enterprises the settings are the same on all devices... well DNS might not be, but let's pretend for a second that it is :)

Here's the play book file: set_ntp_enable.yml

---
- hosts: ios_devices*
  gather_facts: no
  connection: local
  strategy: debug

  tasks:
  - name: Include Login Credentials
    include_vars: secrets.yml

  - name: Define Provider
    set_fact:
      provider:
        host: "{{ ansible_host }}"
        username: "{{ creds['username'] }}"
        password: "{{ creds['password'] }}"

  - name: Define Provider (Enable)
    when: inventory_hostname in groups.ios_devices_enable
    set_fact:
        enable:
            auth_pass: "{{ creds['auth_pass'] }}"
            authorize: yes

  - name: Update Provider (Enable)
    when: inventory_hostname in groups.ios_devices_enable
    set_fact:
        provider: "{{ provider | combine(enable) }}"

  - name: BACKUP
    ios_config:
      provider: "{{ provider }}"
      backup: yes

  - name: RUN 'Set DNS'
    ios_config:
      provider: "{{ provider }}"
      lines:
        - ip name-server 8.8.8.8
        - ip name-server 8.8.4.4
    register: set_dns

  - name: CHECK CHANGE - dns
    when: "(set_dns.changed == true)"
    set_fact: configured=true

  - name: RUN 'Set NTP'
    ios_config:
      provider: "{{ provider }}"
      lines:
        - ntp server uk.pool.ntp.org
        - ntp server time.apple.com
    register: set_ntp

  - name: CHECK CHANGE - ntp
    when: "(set_ntp.changed == true)"
    set_fact: configured=true

  - name: RUN 'wr mem'
    when: "(configured is defined) and (configured == true)"
    register: save_config
    ios_command:
      provider: "{{ provider }}"
      commands:
        - "write memory"

As before, I've used a wildcard host group to match both [ios_devices] and [ios_devices_enable]; in my lab I have two types of router, r1 & r2 which drop you directly into Priv15 and r3 which requires you to type enable before being able to make any changes, I did this because this matches the real world, some places I visit force admins to type enable others don't.

The router configs can be found here: github.com/linickx/ansible-cisco/lab_rtr_configs

The first task imports secrets.yml, this is less secure than my show_clock_prompt.yml example but shows something significant, the file read is part of a task, not before them, that's because include_vars is a task module; once this is read the 2nd task is to define the provider for all devices.

Task 3 is different - Define Provider (Enable)

The third task, Define Provider (Enable) is our first example of limiting a task to a specific group: when: inventory_hostname in groups.ios_devices_enable I think the syntax is quite self explanatory, as such we're only expecting Tasks 3 & 4 to run on r3.

Backup!

The backup task uses the ios_config's built in backup feature. By default a local ./backup/ directory will be created with a config per device saved... BE WARNED ... the backups are overwritten (replaced) each time you run ansible-playbook so if you need per change copies move the files first before running the playbook again.

Onto making changes

In the playbook, there are two sets of similar tasks, this is the DNS pair that is repeated for NTP.

- name: RUN 'Set DNS'
  ios_config:
    provider: "{{ provider }}"
    lines:
      - ip name-server 8.8.8.8
      - ip name-server 8.8.4.4
  register: set_dns

- name: CHECK CHANGE - dns
  when: "(set_dns.changed == true)"
  set_fact: configured=true

Some things to know here. Ansible will add 8.8.8.8/8.8.4.4 to any device that doesn't have them, it will also skip any deivice that has them already, ansible will not remove any erroneous entries.
register: set_dns creates a variable for the task, in the previous show clock example ios_command created in an output, with ios_config we have a changed property; if the device is skipped then change = false, if a change is made it is set to True.

Typically, if we've made a change, one would want to wr mem, but that's slow; instead of writing the config after every task, I create a new fact called configured, then later after all the tasks are complete I have another task that says "if we made a change, then write", like this....

- name: RUN 'wr mem'
  when: "(configured is defined) and (configured == true)"
  register: save_config
  ios_command:
    provider: "{{ provider }}"
    commands:
      - "write memory"

Here's an example of running the play.

linickx:ansible $ ansible-playbook set_ntp_enable.yml

PLAY [ios_devices*] ************************************************************

TASK [Include Login Credentials] ***********************************************
ok: [r1]
ok: [r2]
ok: [r3]

TASK [Define Provider] *********************************************************
ok: [r1]
ok: [r2]
ok: [r3]

TASK [Define Provider (Enable)] ************************************************
skipping: [r1]
ok: [r3]
skipping: [r2]

TASK [Update Provider (Enable)] ************************************************
skipping: [r1]
skipping: [r2]
ok: [r3]

TASK [BACKUP] ******************************************************************
ok: [r3]
ok: [r2]
ok: [r1]

TASK [RUN 'Set DNS'] ***********************************************************
ok: [r2]
ok: [r3]
changed: [r1]

TASK [CHECK CHANGE - dns] ******************************************************
ok: [r1]
skipping: [r2]
skipping: [r3]

TASK [RUN 'Set NTP'] ***********************************************************
ok: [r2]
ok: [r3]
changed: [r1]

TASK [CHECK CHANGE - ntp] ******************************************************
skipping: [r2]
ok: [r1]
skipping: [r3]

TASK [RUN 'wr mem'] ************************************************************
skipping: [r2]
skipping: [r3]
ok: [r1]

PLAY RECAP *********************************************************************
r1                         : ok=8    changed=2    unreachable=0    failed=0
r2                         : ok=5    changed=0    unreachable=0    failed=0
r3                         : ok=7    changed=0    unreachable=0    failed=0

linickx:ansible $

Notice how only r1 was changed?

So, how do I standardise NTP and DNS?

I mentioned that erroneous or incorrect entries are not removed; to fix that we move our lines of config into variables. With our variables we then have two tasks... add the config we need, remove anything that's not defined.

Here's the playbook:

---
- hosts: ios_devices*
  gather_facts: no
  connection: local
  strategy: debug
  #check_mode: yes

  vars:
    dns_servers:
      - ip name-server 8.8.8.8
      - ip name-server 8.8.4.4
    ntp_servers:
      - ntp server uk.pool.ntp.org
      - ntp server time.apple.com

  tasks:
  - name: Include Login Credentials
    include_vars: secrets.yml

  - name: Define Provider
    set_fact:
      provider:
        host: "{{ ansible_host }}"
        username: "{{ creds['username'] }}"
        password: "{{ creds['password'] }}"

  - name: Define Provider (Enable)
    when: inventory_hostname in groups.ios_devices_enable
    set_fact:
        enable:
            auth_pass: "{{ creds['auth_pass'] }}"
            authorize: yes

  - name: Update Provider (Enable)
    when: inventory_hostname in groups.ios_devices_enable
    set_fact:
        provider: "{{ provider | combine(enable) }}"

  - name: BACKUP
    ios_config:
      provider: "{{ provider }}"
      backup: yes

  - name: "GET CONFIG"
    ios_command:
      provider: "{{ provider }}"
      commands:
        - "show running-config | include ip name-server"
        - "show running-config | include ntp server"
    register: get_config

  - debug: var=get_config.stdout_lines

  - name: RUN 'Set DNS'
    with_items: "{{ dns_servers }}"
    ios_config:
      provider: "{{ provider }}"
      lines:
        - "{{ item }}"
    register: set_dns

  - name: RUN 'Remove DNS'
    when: "(get_config.stdout_lines[0][0] != '') and (item not in dns_servers)"
    with_items: "{{ get_config.stdout_lines[0] }}"
    register: remove_dns
    ios_config:
      provider: "{{ provider }}"
      lines:
        - "no {{ item }}"

  - name: CHECK CHANGE - dns
    when: "(set_dns.changed == true) or (remove_dns.changed == true)"
    set_fact: configured=true

  - name: RUN 'Set NTP'
    with_items: "{{ ntp_servers }}"
    ios_config:
      provider: "{{ provider }}"
      lines:
          - "{{ item }}"
    register: set_ntp

  - name: RUN 'Remove NTP'
    when: "(get_config.stdout_lines[1][0] != '') and (item not in ntp_servers)"
    with_items: "{{ get_config.stdout_lines[1] }}"
    register: remove_ntp
    ios_config:
      provider: "{{ provider }}"
      lines:
        - "no {{ item }}"

  - name: CHECK CHANGE - ntp
    when: "(set_ntp.changed == true) or (remove_ntp.changed == true)"
    set_fact: configured=true

  - name: RUN 'wr mem'
    when: "(configured is defined) and (configured == true)"
    register: save_config
    ios_command:
      provider: "{{ provider }}"
      commands:
        - "write memory"

The check change tasks and final wr mem should make a lot more sense now. Oh, and what does check_mode do? Well, you can enable that for a dry-run or do-no-harm kind of thing.
Look closely at the RUN 'Set NTP' Task. The with_items says "loop through the variable ntp_servers", when ansible loops it automagically creates an {{ item }} variable, so that's the line of config we apply.

The RUN 'Remove NTP' is a little more complicated, so I'll pull out two non-contiguous tasks below...

- name: "GET CONFIG"
  ios_command:
    provider: "{{ provider }}"
    commands:
      - "show running-config | include ip name-server"
      - "show running-config | include ntp server"
  register: get_config

- name: RUN 'Remove NTP'
    when: "(get_config.stdout_lines[1][0] != '') and (item not in ntp_servers)"
    with_items: "{{ get_config.stdout_lines[1] }}"
    register: remove_ntp
    ios_config:
      provider: "{{ provider }}"
      lines:
        - "no {{ item }}"

Before we can remove anything, we need to examine what's there, that's what GET CONIG does, it creates a variable get_config with two reults [0] and [1], the former being the list of name servers, the later being the list of NTP servers.
In the Remote NTP task, we have a when: condition... and (item not in ntp_servers) is self explanatory but (get_config.stdout_lines[1][0] != '') means config "[1]", i.e. out NTP servers, the "[0]" means the output content and != '' not blank... so this task only runs when the content is not blank and the item in question is not in {{ ntp_servers }}. So what is the item in question? Well, its with_items: "{{ get_config.stdout_lines[1] }}" ... it the current lines of config (found with "show run | inc ntp"). Assuming all this succeeds, i.e. the line of config is not a pre-defined NTP server, then we "no" the line/item.

Here's what happens when we run it...

linickx:ansible $ ansible-playbook standard_ntp_enable.yml

PLAY [ios_devices*] ************************************************************

TASK [Include Login Credentials] ***********************************************
ok: [r2]
ok: [r3]
ok: [r1]

TASK [Define Provider] *********************************************************
ok: [r1]
ok: [r2]
ok: [r3]

TASK [Define Provider (Enable)] ************************************************
skipping: [r2]
skipping: [r1]
ok: [r3]

TASK [Update Provider (Enable)] ************************************************
skipping: [r1]
skipping: [r2]
ok: [r3]

TASK [BACKUP] ******************************************************************
ok: [r1]
ok: [r3]
ok: [r2]

TASK [GET CONFIG] **************************************************************
ok: [r2]
ok: [r3]
ok: [r1]

TASK [debug] *******************************************************************
ok: [r3] => {
    "get_config.stdout_lines": [
        [
            "ip name-server 8.8.8.8",
            "ip name-server 8.8.4.4"
        ],
        [
            "ntp server uk.pool.ntp.org",
            "ntp server time.apple.com"
        ]
    ]
}
ok: [r2] => {
    "get_config.stdout_lines": [
        [
            "ip name-server 8.8.8.8",
            "ip name-server 8.8.4.4",
            "ip name-server 208.67.222.222",
            "ip name-server 208.67.220.220"
        ],
        [
            "ntp server 1.uk.pool.ntp.org",
            "ntp server 0.uk.pool.ntp.org",
            "ntp server time.apple.com",
            "ntp server uk.pool.ntp.org"
        ]
    ]
}
ok: [r1] => {
    "get_config.stdout_lines": [
        [
            "ip name-server 8.8.8.8",
            "ip name-server 8.8.4.4"
        ],
        [
            "ntp server uk.pool.ntp.org",
            "ntp server time.apple.com"
        ]
    ]
}

TASK [RUN 'Set DNS'] ***********************************************************
ok: [r3] => (item=ip name-server 8.8.8.8)
ok: [r1] => (item=ip name-server 8.8.8.8)
ok: [r2] => (item=ip name-server 8.8.8.8)
ok: [r1] => (item=ip name-server 8.8.4.4)
ok: [r2] => (item=ip name-server 8.8.4.4)
ok: [r3] => (item=ip name-server 8.8.4.4)

TASK [RUN 'Remove DNS'] ********************************************************
skipping: [r2] => (item=ip name-server 8.8.8.8)
skipping: [r2] => (item=ip name-server 8.8.4.4)
skipping: [r1] => (item=ip name-server 8.8.8.8)
skipping: [r3] => (item=ip name-server 8.8.8.8)
skipping: [r1] => (item=ip name-server 8.8.4.4)
skipping: [r3] => (item=ip name-server 8.8.4.4)
changed: [r2] => (item=ip name-server 208.67.222.222)
changed: [r2] => (item=ip name-server 208.67.220.220)

TASK [CHECK CHANGE - dns] ******************************************************
skipping: [r1]
ok: [r2]
skipping: [r3]

TASK [RUN 'Set NTP'] ***********************************************************
ok: [r2] => (item=ntp server uk.pool.ntp.org)
ok: [r3] => (item=ntp server uk.pool.ntp.org)
ok: [r1] => (item=ntp server uk.pool.ntp.org)
ok: [r2] => (item=ntp server time.apple.com)
ok: [r1] => (item=ntp server time.apple.com)
ok: [r3] => (item=ntp server time.apple.com)

TASK [RUN 'Remove NTP'] ********************************************************
skipping: [r1] => (item=ntp server uk.pool.ntp.org)
skipping: [r1] => (item=ntp server time.apple.com)
skipping: [r3] => (item=ntp server uk.pool.ntp.org)
skipping: [r3] => (item=ntp server time.apple.com)
changed: [r2] => (item=ntp server 1.uk.pool.ntp.org)
changed: [r2] => (item=ntp server 0.uk.pool.ntp.org)
skipping: [r2] => (item=ntp server time.apple.com)
skipping: [r2] => (item=ntp server uk.pool.ntp.org)

TASK [CHECK CHANGE - ntp] ******************************************************
skipping: [r3]
skipping: [r1]
ok: [r2]

TASK [RUN 'wr mem'] ************************************************************
skipping: [r1]
skipping: [r3]
ok: [r2]

PLAY RECAP *********************************************************************
r1                         : ok=7    changed=0    unreachable=0    failed=0
r2                         : ok=12   changed=2    unreachable=0    failed=0
r3                         : ok=9    changed=0    unreachable=0    failed=0

linickx:ansible $

Now, I ran this playbook straight after the other one, so all the routers had the correct settings to start with, but notice r2 was different, the opendns and additional time servers have been removed.

That was a long post!

There's a lot covered in this and my last post, hopefully it helps. My ansible files are on github, feel free to download them: https://github.com/linickx/ansible-cisco

Ansible Cisco - Primer 1 - Hello World!

Nick Bettison — Mon, 27 Mar 2017 16:07:00 +0100

Anisble documentation or examples for Cisco devices appear to be a bit hit-n-miss, so I'm documenting my "Hello World Primer" with hope it'll be helpful to others; as this is quite long it will be two posts, one for getting started with a simple "show clock" and a 2nd for making changes. Part two making changes is available here.

TLDR; Some example files are on github: https://github.com/linickx/ansible-cisco

To get started, you need ansible installed on your Laptop/PC, I'm running OSX with homebrew so installation is a simple brew install ansible.

Getting Started - A sane ansible.cfg

Once anisble is installed, the first thing you need an inventory/hosts's file... a lot of the linux examples will get you to start fiddling about with /etc/ansible, firstly this folder doesn't exist on OSX and secondly this is a bad idea on linux as this is a system wide change.

IMHO a better start is to create an ansible directory in your home: mkdir ~/ansible;cd ~/ansible
In your personal ansible directory, create ansible.cfg; in this file you can set a local inventory file and some sane defaults, mine looks like this:

linickx:ansible $ cat ansible.cfg
[defaults]
hostfile = ./inventory.txt
retry_files_enabled = False
timeout = 5
host_key_checking = False
#log_path= ./log.txt
linickx:ansible $

As you can see I have a few other thing set, firstly my local hosts file (inventory.txt) and secondly ansible fails it creates a local retry file, I don't want these. Timeout is ssh timeout, use whatever you like, something between 1 and 10 works for me.

host_key_checking has security implications. The above is set to False because this is my personal test machine, in Production I would set this to True as I want to know if an SSH MitM is happening.

Finally, notice the #, this is a comment; I have commented out the log_path directive, if you enable it, ansible will log all screen output to a file, useful for searching for something instead of scrolling through your terminal.

The Inventory File - Your personal list of devices

The inventory defines the devices you want to manage, anisble expects all devices to have resolvable FQDNs, which is unlikely in most enterprises for Cisco devices, if you're a fan of remembering IP addresses you can have a simple list of IP's but if you're like me an like to know the names of devices you can do something like this...

linickx:ansible $ cat inventory.txt

[all:vars]
# OSX / Homebrew hack, as I have python3 installed.
ansible_python_interpreter=/usr/local/Cellar/python/2.7.13/bin/python2.7

[ios_devices]
r1 ansible_host=10.10.10.135
r2 ansible_host=10.10.10.136

[ios_devices_enable]
r3 ansible_host=10.10.10.137

linickx:ansible $

In my inventory file, the [] are group names, I have two custom groups [ios_devices] and [ios_devices_enable], you can call these anything you want, my naming structure will make more sense as this post continues.
All devices belong to a default [all] group that doesn't need to be defeined in the file, but in my config file I have [all:vars] this means: set the following variables for the all group; I have python3 installed for my other python projects, so ansible_python_interpreter is a hack to point ansible to the correct version of python (Python 3 is not supported - yet - for ansible)
For each device listed in my file (r1,r2,r3, etc) I have ansible_host set to an IP address, that's because my test devices do not have resolvable FQDNs.

Hello World! ... or Show Clock play

Ansible is primarily about Play Books, a Play Book is a list of tasks (instructions) that you want to perform on one or many devices; the idea is that you create repeatable plays to standardise configuration and such in your environment.

For my Hello World! example, I'm not going to make a change but show you how to run show clock on many devices (using the ios_command module), in ansible world this is a play.
Start by creating a file called show_clock.yml with the following contents ( including the first --- ):

---
- hosts: ios_devices*
  gather_facts: no
  connection: local

  tasks:
  - name: Include Login Credentials
    include_vars: secrets.yml

  - name: Define Provider
    set_fact:
      provider:
        host: "{{ ansible_host }}"
        username: "{{ creds['username'] }}"
        password: "{{ creds['password'] }}"

  - name: RUN 'Show Clock'
    ios_command:
      provider: "{{ provider }}"
      commands:
        - show clock
    register: clock

  - debug: var=clock.stdout_lines

This playbook has three tasks: 1. Include Login Credentials, i.e. Read login credentials from a file 2. Define Provider, i.e. Use the credentials in something called a "fact" that is named "provider" 3. Run show clock

Read login credentials from a file

You'll need a credential file, so create secrets.yml with contents like this (update as appropriate):

---
creds:
  username: nick
  password: my_password
  auth_pass: my_enable

Something called a "fact" that is named "provider"

The provider is what tells ansible how to connect to a device, all networking equipment needs one, so the provider includes the ip address and credentials, a fact is a device specific variable, so this task is assigning connectivity details to the device. Anything inside {{ }} is a variable.

Run show clock ...

To execute the Play Book or play, you use the ansible-playbook command, like this...

linickx:ansible $ ansible-playbook show_clock.yml 

PLAY [ios_devices*] ************************************************************

TASK [Include Login Credentials] ***********************************************
ok: [r1]
ok: [r2]
ok: [r3]

TASK [Define Provider] *********************************************************
ok: [r2]
ok: [r1]
ok: [r3]

TASK [RUN 'Show Clock'] ********************************************************
ok: [r1]
ok: [r3]
ok: [r2]

TASK [debug] *******************************************************************
ok: [r1] => {
    "clock.stdout_lines": [
        [
            "18:58:24.812 UTC Mon Mar 27 2017"
        ]
    ]
}
ok: [r2] => {
    "clock.stdout_lines": [
        [
            "18:58:23.490 UTC Mon Mar 27 2017"
        ]
    ]
}
ok: [r3] => {
    "clock.stdout_lines": [
        [
            ".18:58:25.064 UTC Mon Mar 27 2017"
        ]
    ]
}

PLAY RECAP *********************************************************************
r1                         : ok=4    changed=0    unreachable=0    failed=0   
r2                         : ok=4    changed=0    unreachable=0    failed=0   
r3                         : ok=4    changed=0    unreachable=0    failed=0   

linickx:ansible $

What happened there then?!

In my ansible-playbook show_clock.yml you'll see the three tasks ran against three routers; in my show_clock.yml the first line hosts: ios_devices* says run against any wildcard group, starting with ios_devices, which in my inventory.txt is both ios_devices and ios_devices_enable.

Notice how there where four tasks not three, the -debug entry was an unnamed task which simply outputs the results of the previous task :)

But storing credentials in a file is INSECURE!!

Anyone that's been on linickx.com before will find that example of storing a username/password in a plain text file highly out of character, so lets look at how to prompt for the credentials instead; create show_clock_prompt.yml with the following:

---
- hosts: ios_devices
  gather_facts: no
  connection: local

  vars_prompt:
  - name: "mgmt_username"
    prompt: "Username"
    private: no
  - name: "mgmt_password"
    prompt: "Password"

  vars:
    provider:
      host: "{{ ansible_host }}"
      username: "{{ mgmt_username }}"
      password: "{{ mgmt_password }}"

  tasks:
  - name: RUN 'Show Clock'
    ios_command:
      provider: "{{ provider }}"
      commands:
        - show clock
    register: clock

  - debug: var=clock.stdout_lines

Notice a few changes, firstly no *, this play will be run just against one inventory group [ios_devices], secondly one-ish task: RUN 'Show Clock'. In this example, before running any tasks we prompt for some input and save the provider variables, once we have those we can then run the tasks. Run the play.. ansible-playbook show_clock_prompt.yml:

linickx:ansible $ ansible-playbook show_clock_prompt.yml
Username: nick
Password:

PLAY [ios_devices] *************************************************************

TASK [RUN 'Show Clock'] ********************************************************
ok: [r2]
ok: [r1]

TASK [debug] *******************************************************************
ok: [r1] => {
    "clock.stdout_lines": [
        [
            "19:12:37.863 UTC Mon Mar 27 2017"
        ]
    ]
}
ok: [r2] => {
    "clock.stdout_lines": [
        [
            "19:12:39.742 UTC Mon Mar 27 2017"
        ]
    ]
}

PLAY RECAP *********************************************************************
r1                         : ok=2    changed=0    unreachable=0    failed=0
r2                         : ok=2    changed=0    unreachable=0    failed=0

linickx:ansible $

This time, we're prompted for credentials and less tasks take place.

Download the files from github!

My ansible files are on github, feel free to download them: https://github.com/linickx/ansible-cisco

Once you're happy with this, check out Primer 2 making changes .

pip install crassh

Nick Bettison — Sun, 14 Feb 2016 11:23:00 +0000

Recently myself (and a maybe colleague or two) has been copy/pasting parts of C.R.A.SSH (crassh) my python script for automating commands on Cisco IOS devices into personal scripts to get something done; knowing there must be a better a way I decided to turn crassh into a module which can/should be easy to install on linux or OSX systems with pip. PIP is a python (cross platform) package manager that now crassh is available in, i.e. pip install crassh

Below is an output from my machine, as you can see pip will install any necessary dependencies:

$ pip install crassh
Collecting crassh
  Downloading CraSSH-2.02.tar.gz
Collecting paramiko>=1.10 (from crassh)
  Using cached paramiko-1.16.0-py2.py3-none-any.whl
Collecting pycrypto!=2.4,>=2.1 (from paramiko>=1.10->crassh)
Collecting ecdsa>=0.11 (from paramiko>=1.10->crassh)
  Using cached ecdsa-0.13-py2.py3-none-any.whl
Building wheels for collected packages: crassh
  Running setup.py bdist_wheel for crassh
Successfully built crassh
Installing collected packages: pycrypto, ecdsa, paramiko, crassh
Successfully installed crassh-2.2 ecdsa-0.13 paramiko-1.16.0 pycrypto-2.6.1
$

I'm about to start work on some proper documentation , but to get you started there are four functions that most people will want/use:

crassh.connect()
crassh.send_command()
crassh.disconnect()
crassh.readtxtfile()

The first three are self explanatory, the last one is very useful as it'll read in a plain text file (one line at at time) and use it as an array, typically the plain text file would be a list of IP address to connect to or a list of commands to execute.

To show how crassh can be used, below is a simple example to audit to switches for the SNMP community string public - A security no-no!

#!/usr/bin/env python
# coding=utf-8

import crassh

# Variables
routers = ["10.159.83.135", "10.159.83.136"]
username = "nick"
password = "nick"

# Loop
for device in routers:

    hostname = crassh.connect(device, username, password)
    output = crassh.send_command("show run | inc snmp-server community", hostname)
    crassh.disconnect()

    # Split the output by spaces so we can search the response
    words = output.split()

    # Look for "public" in the output
    for x in words:
        if x == "public":
            print("DANGER: Public SNMP Community set on %s [%s]" % (hostname, device))

I've saved the file as no_public.py and this is the response...

$ python no_public.py 
Connecting to 10.159.83.135 ... 
Connecting to 10.159.83.136 ... 
DANGER: Public SNMP Community set on r2 [10.159.83.136]
$

Obviously you could do a lot more than just output but hopefully this'll give you an idea.

NOTE: Instead of routers being an array, I could have done routers = crassh.readtxtfile("./routers.txt") where routers.txt was a plain text file with one IP address per line.

Travis-CI and Dynamips a cloud router for testing scripts against Cisco IOS

Nick Bettison — Fri, 22 Jan 2016 11:59:00 +0000

I think I have started to get my head around unit tests for CRASSH; recently my initial implementation of paramiko's “ssh_session.recv_ready" was ballsed up, python3 was forgiving python2 would bork, creating an issue for many. My first unit test was a basic "print" which I ran on Travis-CI against both python2 and python3 if the build passed then syntax checking for both versions would pass, nice!

Unit tests that check the internal functions of CRASSH are all well and good, but the purpose of the script is to log into routers and do stuff, so I really wanted to spin up a router and check the script against that.

Travis-CI's infrastructure comes in two flavors, Standard and Container Based, which essential boils down to one that allows sudo and one that doesn't*; using the standard environment I have managed to spin up a dynamips router for testing CRASSH against.

If you take a look at my .travis.yml, I'll step you through how this works:

sudo: required

By default all builds are Container Based, this forces the Standard build.

 python:
- '2.6'
- '3.5'

Currently tests all run on linux, I plan to add OSX tests in the future but here we instruct Travis-CI to perform the tests twice, once against each version.

before_install:
- ifconfig -a
- sudo /sbin/modprobe tun
- sudo apt-get update -qq
- sudo apt-get install -qq dynamips

The first thing I do is prepare the OS, the ifconfig -a is for troublehooting so I can see the network stack before I start; then I install the Tun/Tap kernel driver, update the OS and install dynamips.

 install:
- pip install .
- pip install paramiko

Next I install CRASSH onto Travis-CI and it's dependency paramiko. The pip install . basically reads setup.py

Now all the dependencies are installed, the router needs to be loaded...

before_script:
- wget -q $IOS_URL
- ls -l
- sudo dynamips -s 0:0:tap:tap0 -P 3725 -T 2001 --idle-pc=0x607081e0 -C tests/r1.txt c3725-advsecurityk9-mz.124-25c.bin &
- sleep 90
- sudo ifconfig tap0 inet 1.1.1.1 netmask 255.255.255.252
- ifconfig -a
- ping -c 4 1.1.1.2

$IOS_URL is a secure variable so that charlatan's cannot download the Cisco IOS; so wget downloads the IOS from my secret location and dynamips starts up (and backrounds, note: &).

Once dynamips is running we wait 90secs to give time for the router to boot, we configure an interface to connect to the router with sudo ifconfig tap0 and I ping it to make sure it works.

Now that the router is running, standard python unit tests start with script: py.test --cisco

Inside the test config you'll see that --cisco is an optional switch that runs test_cisco_shver inside test_crassh.py.

The magic of test_cisco_shver is that dynamips was booted with the config in r1.txt the test logs into the r1 router and compares a show ver to an expected output if they match (line for line) then the test passes and Travis-CI shuts everything down; if the test fails I get notified.

Status of builds can be reviewed on the CRASSH Travis Page: https://travis-ci.org/linickx/crassh or is shown in the readme.

[*] I have an issue logged to see if this could be done on a Container Based server

Cisco CMNA

Nick Bettison — Thu, 14 Jan 2016 01:11:00 +0000

Cisco CCNP Security

Nick Bettison — Mon, 21 Dec 2015 01:01:00 +0000

Multi-Context HTTPS backups of Cisco ASA Script

Nick Bettison — Tue, 28 Jul 2015 16:04:00 +0100

If you look in the Cisco forums for scripts to backup ASAs you'll find various SSH / Expect , complicated examples... not sure why since in 2006 I showed it can be done with a single wget command ;-)

Recently I needed something that would support Multi-Context firewalls, so I pimped my one line command into the below shell script.

Copy/paste into a new file as backup_cisco_asa.sh then chmod 700 the file as necessary.

Run the file with no options ./backup_cisco_asa.sh and it'll ask you for IP address, username and password to make the connection.

For this to work the ASA needs appropriate HTTP statements (i.e. allow ASDM access from where you are running the script)

The file supports in-line backup of a single device such as ./backup_cisco_asa.sh 10.10.10.10

Multi-context support is via an environment variable or a config file ~/.asa_config. You must set an array containing entries for each context you want to backup. e.g.

ASA_CONTEXTS=( 
 "172.31.9.10:system"
 "172.31.9.10:admin"
 "172.31.9.10:Edge"
 "172.31.2.254:system"
 "172.31.2.254:admin"
 "172.31.2.254:Core" )

If you're feeling insecure you can also save your username/password variables into the ~/.asa_config as ASA_UID and ASA_PW respectively (or as environment variables)

Given that the script is a bash shell script I assume that SCP isn't required (because you are probably already on your linux SSH/SCP server running the script) but to keep the router team happy you might need to copy the files up via TFTP, this can be set with the ASA_TFTP_IP variable in ~/.asa_config.

By default the backup files will be saved to ./ (i.e. where ever you run the script from) and you can change that with the ASA_FILEPATH variable.

backup_cisco_asa.sh

#!/bin/bash

# Nick Bettison - LINICKX.com - 2015 - v1
# Bash Shell Scipt for backing up Cisco ASA's via HTTPS (i.e. ASDM)
# 
# Read the file comments, you can setup a config file ~/.asa_config to store variables.
# ASA_UID & ASA_PW for credentials (if you're feeling insecure)
# ASA_CONTEXTS for multi-context support
# and ASA_TFTP_IP for copying the files via TFTP (for insecure router boys)
#
# Tested on.
# Cisco Adaptive Security Appliance Software Version 9.2(3)4 <context>
# Device Manager Version 7.4(2)

# Timestamp for file names
TIMESTAMP=`date "+%Y%m%d-%H%M%S"`

# Allow single ASA IP address to be passed from CLI
# e.g ./backup_cisco_asa.sh 10.10.10.10
if [ -n "$1" ]
    then
    ASA_IP="$1"
fi

# Check for Curl
type curl >/dev/null 2>&1 || { echo >&2 "I require curl but it's not installed.  Aborting."; exit 1; }

# Read Variables from a config file (if it exits)
# The config file can be used for storing multi-context configurations... and for the insecure username/password ;-)
if [ -e ~/.asa_config ]
then
  . ~/.asa_config
fi

# Default File Path
if [ -z "$ASA_FILEPATH" ]
    then
    ASA_FILEPATH="./"
fi

# Check for UID/PW Variables - Ask if not found
if [ -z "$ASA_UID" ]
        then
        read -p "ASA Username:" ASA_UID
fi
if [ -z "$ASA_PW" ]
        then
        read -s -p "ASA Password:" ASA_PW
        echo
fi

# Check to see if single or multi-context mode.
if [ -z "$ASA_CONTEXTS" ]
        then
        if [ -z "$ASA_IP" ]
                then
                read -p "ASA IP Address:" ASA_IP
        fi

        ASA_tFILE="$ASA_FILEPATH.$TIMESTAMP.asaconfig.txt"

        # Download the "show run" via the unofficial CLI.
        curl -s -k -o $ASA_tFILE -u $ASA_UID:$ASA_PW "https://$ASA_IP/admin/exec/show%20running-config%20asdm/show%20running-config"

        if [ -e $ASA_tFILE ]
            then
            # Look for hostname in config file
            ASA_HOSTNAME=`grep ^hostname $ASA_tFILE | awk '{print $2}'`
            # rename the temp file to something sensible.
            mv $ASA_tFILE "$ASA_FILEPATH$TIMESTAMP.$ASA_HOSTNAME.txt"
            # Setup an array for TFTP later.
            ASA_FILES=("${ASA_FILES[@]}" "$ASA_FILEPATH$TIMESTAMP.$ASA_HOSTNAME.txt")
            # Done.
            echo "DONE: $ASA_FILEPATH$TIMESTAMP.$ASA_HOSTNAME.txt"
        else
            echo "FAILED: $ASA_IP"
            exit 1
        fi
else
    # Example ASA_CONTEXTS array:
    # 172.31.9.10 is the admin context IP, admin & Edge are the names of the two contexts to backup.
    # 172.31.2.254 is the admin context IP, admin & Core are the names of the two contexts to backup.
    # "system is obviously the system context"
    # ASA_CONTEXTS=( 
    #     "172.31.9.10:system"
    #     "172.31.9.10:admin"
    #     "172.31.9.10:Edge"
    #     "172.31.2.254:system"
    #     "172.31.2.254:admin"
    #     "172.31.2.254:Core" )

    # Loop through the array
    for firewall in ${ASA_CONTEXTS[@]} ; do
         ASA_IP=${firewall%%:*}
         ASA_CONTEXT=${firewall##*:}

         # Feedback on progress
         printf "Connecting to %s for %s \n" $ASA_IP $ASA_CONTEXT
         # Filename
         ASA_FILE="$ASA_FILEPATH$TIMESTAMP.$ASA_IP.$ASA_CONTEXT.txt"

         # Download the CONTEXT "show run" via the unofficial API.
         curl -s -k -o $ASA_FILE -u $ASA_UID:$ASA_PW "https://$ASA_IP/admin/exec/changeto%20context%20$ASA_CONTEXT/show%20running-config/show%20running-config%20asdm"

         if [ -e $ASA_FILE ]
             then
             # Setup an array for TFTP later.
             ASA_FILES=("${ASA_FILES[@]}" "$ASA_FILE")
             # Done!
             echo "DONE: $ASA_FILE"
         else
             echo "FAILED: $ASA_IP"
         fi
     done
fi

# Optional Backup to insecure tftp - you know, to keep the router boys happy!
if [ -n "$ASA_TFTP_IP" ]
    then
    # Check for TFTP binary
    type tftp >/dev/null 2>&1 || { echo >&2 "tftp client not installed.  Aborting."; exit 1; }
    type wc >/dev/null 2>&1 || { echo >&2 "wc not installed (needed for counting stuff).  Aborting."; exit 1; }
    type awk >/dev/null 2>&1 || { echo >&2 "awk not installed.... seriously?!?!  Aborting."; exit 1; }

    # Loop through array
    for file in ${ASA_FILES[@]} ; do
        LOCAL_FILE=$file
        # backup separator
        OIFS=$IFS
        # Change separator to /
        IFS='/'
        # Split the filename from the path
        AWK_POSITION=`echo $file | wc -w`
        REMOTE_FILE=`echo $file | awk -v w=$AWK_POSITION '{print $w}'`
        # restore separator
        IFS=$OIFS
        # TFTP the file.
        tftp -v $ASA_TFTP_IP -c put $LOCAL_FILE $REMOTE_FILE
    done
fi

Running Cisco ISE (1.4) in VirtualBox

Nick Bettison — Fri, 24 Jul 2015 18:59:00 +0100

I've been meaning to do this for a while, but I've finally hacked Cisco ISE into VirtualBox for home lab learning and experimentation.

For those familiar with my ACS in VirtualBox post you should notice a very similar theme.

Copy the .iso to a Web server directory that allows page indexing
Hack the KickStart file (ks.cfg) to remove Cisco's hardware checks
Boot the install CD using the custom ks.cfg

As before, I use the web installation method because it's the easiest way to hack/test/boot multiple times when you're trying to work out why the installer doesn't run... Also ** I will not be providing you an ISO file to download. **

Web Server Configuration (nginx)

First, I mounted ise-1.4.0.253.x86_64.iso and copied the whole CD to ~/public_html/ise

Next, I need to expose this directory to the web server. I'm using nginx on CentOS... it's nice and easy, I added this to my config.

location /ise {
    root /home/nick/public_html/;
    autoindex on;
}

Replace ks.cfg

When you copy the contents of the CD to the local file system you'll notice all files have the RO flag set. Fix with chmod +w ~/public_html/ise/ks.cfg

There are a few things in the file you need to change:

Replace cdrom on line 10 with url --url http://192.168.10.122/ise/ (replace 192.168.10.122 with the IP of your web server)
Optional, replace the encrypted root password with a new one rootpw CISCO_ise_p455w0rd on line 12
Comment out with a # any /sbin/halt -f statements to stop error messages from halting the installation
Replace any cars_udi_util statements with your own versions, so...

UDI_PID=`/sbin/cars_udi_util -p`
UDI_VID=`/sbin/cars_udi_util -v`
UDI_SN=`/sbin/cars_udi_util -s`

becomes...

UDI_PID="Cisco-VM-SPID"
UDI_VID="1.0"
UDI_SN="123456789"

... and just for good measure, after validate_hwinfo(){ insert (on a new line) UDI_PID="Cisco-VM-SPID" to force hardware selection.

If you want, you can ignore all of that and just use my ks.cfg

VirtualBox Configuration

CPU - 4
RAM - 8Gb
Hard Disk - SCSI - 100Gb (thin space allocation)
CDRom - ise-1.4.0.253.x86_64.iso
NIC 1 - Bridged
NIC 2 - Host Only (disconnected)

All other defaults left alone.

Boot the custom install

Boot the virtual machine from the Cisco ISO, but DO NOT select 1,2,3 or 4. Instead type:

vmlinuz text ks=http://192.168.10.122/ise/ks.cfg initrd=initrd.img

...replacing 192.168.10.122 with your web server IP.

Wait, See, Enjoy!

With a little luck, the VM will load your custom KickStart file and begin the install.

If you tail your web server access logs, you should see stuff like:

192.168.10.116 - - [30/Jun/2015:18:50:49 +0100] "GET /ise/Packages/CARSCmdSched-2.0cars-1.x86_64.rpm HTTP/1.1" 200 28353 "-" "Cisco Identity Services Engine (anaconda)/1.3" "-"
192.168.10.116 - - [30/Jun/2015:18:50:49 +0100] "GET /ise/Packages/CARSICMPUtil-2.0cars-1.x86_64.rpm HTTP/1.1" 200 11425 "-" "Cisco Identity Services Engine (anaconda)/1.3" "-"
192.168.10.116 - - [30/Jun/2015:18:50:49 +0100] "GET /ise/Packages/CARSSysMon-2.0cars-1.x86_64.rpm HTTP/1.1" 200 34919 "-" "Cisco Identity Services Engine (anaconda)/1.3" "-"
192.168.10.116 - - [30/Jun/2015:18:50:49 +0100] "GET /ise/Packages/libdrm-2.4.39-1.el6.x86_64.rpm HTTP/1.1" 200 119408 "-" "Cisco Identity Services Engine (anaconda)/1.3" "-"
192.168.10.116 - - [30/Jun/2015:18:50:49 +0100] "GET /ise/Packages/plymouth-0.8.3-27.el6.centos.x86_64.rpm HTTP/1.1" 200 91056 "-" "Cisco Identity Services Engine (anaconda)/1.3" "-"
192.168.10.116 - - [30/Jun/2015:18:50:50 +0100] "GET /ise/Packages/rsyslog-5.8.10-6.el6.x86_64.rpm HTTP/1.1" 200 663780 "-" "Cisco Identity Services Engine (anaconda)/1.3" "-"
192.168.10.116 - - [30/Jun/2015:18:50:50 +0100] "GET /ise/Packages/cronie-anacron-1.4.4-7.el6.x86_64.rpm HTTP/1.1" 200 29768 "-" "Cisco Identity Services Engine (anaconda)/1.3" "-"

At the end of the install the VM should reboot into the normal setup login screen allowing you to complete the setup parameters

The setup will take ages, well over the 15/20mins that Cisco suggest but once it completes and reboots you should find you have a working ISE to play with.

... well, for 90days until the eval lic runs out!