Zyxel SSH Login / automation

Introduction

Automation has arrived everywhere, and even the many network switches out there can do much more than they are currently used for. The following ideas are my reasons for automating switches.

  • automate setups
  • react to changes in your network
  • try to reduce the power consumption, (green footprint, green production)
  • repurpose a switch to control devices, like a home control system (or in combination with one)

@green production / reduce power consumption
You can create a separate network for employees' mobile devices and check when the last one has left the Wi-Fi. Then turn off all access point ports on the switch (and with them the PoE power) except the one in the lobby. The next day, when the first connection to this access point is established, you turn on all PoE ports again and your network is back. This only works in very rare setups, but in my mind automation for saving power in offices still has many steps to go.

Zyxel Switches

Problems

Unfortunately, Zyxel has not yet managed to make SSH key authentication work. I asked support and it was dismissed as a feature request. Hopefully it will come in the future.

The second problem, which unfortunately still occurs frequently, is that you receive the following error message:

Unable to negotiate with 192.168.0.1 port 22: no matching host key type found. Their offer: ssh-rsa

My only workaround for this is to start the session with the following command:

ssh -oHostKeyAlgorithms=+ssh-rsa admin@192.168.0.1
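The workaround above enables the legacy ssh-rsa host key type on every command line, and scripts that use it often also switch off host key checking. The following script is an added example and not part of the original article: it writes a per-host ssh_config stanza so ssh-rsa is accepted only for the switch, and it records the switch's host key in a dedicated known_hosts file only after the fingerprint matches one obtained out of band (for instance over the console port). The alias zyxel-core, the file paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): scope the ssh-rsa exception to one
# host and pin that host's key instead of disabling StrictHostKeyChecking.
set -eu

# Print a per-host ssh_config stanza; ssh-rsa is enabled for this Host only.
zyxel_stanza() {   # usage: zyxel_stanza <alias> <ip> <user> <known_hosts_file>
  printf 'Host %s\n    HostName %s\n    User %s\n    HostKeyAlgorithms +ssh-rsa\n    UserKnownHostsFile %s\n    StrictHostKeyChecking yes\n' \
    "$1" "$2" "$3" "$4"
}

# Append the stanza to an ssh_config file unless the alias is already present.
install_stanza() {   # usage: install_stanza <config_file> <alias> <ip> <user> <known_hosts_file>
  cfg="$1"; shift
  if [ -f "$cfg" ] && grep -q "^Host $1\$" "$cfg"; then
    return 0                      # already installed, keep the file unchanged
  fi
  { [ -f "$cfg" ] && [ -s "$cfg" ] && printf '\n'; zyxel_stanza "$@"; } >> "$cfg"
  chmod 600 "$cfg"
}

# Fetch the switch's RSA host key and store it in the dedicated known_hosts
# file, but only if its SHA256 fingerprint equals the one read out of band
# (assumed: from the console port). Trust-on-first-use alone is not a check.
pin_host_key() {   # usage: pin_host_key <ip> <known_hosts_file> <expected_SHA256_fingerprint>
  tmp=$(mktemp)
  ssh-keyscan -t rsa "$1" > "$tmp" 2>/dev/null || true
  if [ ! -s "$tmp" ]; then
    echo "pin_host_key: no ssh-rsa host key received from $1" >&2
    rm -f "$tmp"; return 1
  fi
  if ! ssh-keygen -lf "$tmp" | grep -F -q -- "$3"; then
    echo "pin_host_key: fingerprint mismatch for $1, not storing the key:" >&2
    ssh-keygen -lf "$tmp" >&2
    rm -f "$tmp"; return 1
  fi
  cat "$tmp" >> "$2"
  rm -f "$tmp"
  chmod 600 "$2"
}

# Invoke as:  ./zyxel-ssh-setup.sh install SHA256:<fingerprint from the console>
if [ "${1:-}" = install ]; then
  mkdir -p "${HOME:-/root}/.ssh"
  install_stanza "${HOME:-/root}/.ssh/config" zyxel-core 192.168.0.1 admin "${HOME:-/root}/.ssh/known_hosts_zyxel"
  pin_host_key 192.168.0.1 "${HOME:-/root}/.ssh/known_hosts_zyxel" "${2:?expected SHA256 fingerprint missing}"
fi
```

After the install step, `ssh zyxel-core` (or `sshpass -e ssh zyxel-core`) needs no extra options, the rest of the client keeps its default algorithm policy, and a changed switch host key makes the connection fail instead of silently succeeding.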

General Switch information

If you have switches with a model number lower than 2000 (example: XGS1930-52HP) you cannot configure them over SSH. You can only show the config and settings, reboot or save. This is the list of available commands:

    boot                      Perform a cold start
    cable-diagnostics         Execute cable diagnostics
    clear                     Clear functions
    disable                   Turn off privileged commands
    exit                      Exit from the EXEC
    igmp-flush                Flush Igmp snooping table
    locator-led               Blink locator-led
    logout                    Exit from the EXEC
    mac-flush                 Flush MAC address table
    no                        Remove configuration
    ping                      Exec ping
    ping6                     Exec ping6
    release                   Release functions
    reload                    Perform a warm start
    renew                     Renew Setting
    reset                     Reset functions
    restart                   Reset functions
    show                      Show system information
    ssh                       SSH client
    test                      Perform testing function.
    traceroute                Exec traceroute
    traceroute6               Exec IPv6 traceroute

If you have switches with a model number higher than 2000 (example: GS2210-24HP) you get "full" access to the switch, and with the configure section the possibility to change most things.

    baudrate                  Change baud rate
    boot                      Perform a cold start
    cable-diagnostics         Execute cable diagnostics
    clear                     Clear functions
    configure                 Enter configuration mode
    copy                      Backup/Restore system image and configuration
    disable                   Turn off privileged commands
    enable                    Turn on privileged commands
    erase                     Reset system configuration
    ethernet                  Ethernet
    exit                      Exit from the EXEC
    help                      Description of the interactive help system
    history                   Show a list of previously run commands
    igmp-flush                Flush Igmp snooping table
    kick                      Kick a session
    locator-led               Blink locator-led
    logout                    Exit from the EXEC
    mac-flush                 Flush MAC address table
    no                        Remove configuration
    ping                      Exec ping
    ping6                     Exec ping6
    reload                    Perform a warm start
    renew                     Renew Setting

Scripting for automation

Because of the missing SSH key support it is a pain to create scripts that log in to the switch automatically and change settings. Both ways I describe here only work with third-party tools, so it is not possible to create a simple automation script on your Synology and trigger it. If you have a solution please write me an email; I would be happy to extend this article with your solution.

SSHPASS

With sshpass you can pass the password to ssh when the session is "opened". You have to install the tool first. (Link for installation help)

Now you can create a shell file with the commands you want to execute on the switch. In my example I set the SNMP settings I want, stop the PoE power on port 1, wait 5 seconds and start the PoE power again. This is only meant as an example.

#!/bin/bash

# install sshpass
# macOS: brew install hudochenkov/sshpass/sshpass

# parameters (the password is stored in clear text here, so keep this file readable only by its owner)
SSH_USER="admin"
SSH_PASSWORD="1234"
SWITCH_IP="192.168.0.1"

# SNMP settings
sshpass -p "$SSH_PASSWORD" ssh -oHostKeyAlgorithms=+ssh-rsa "$SSH_USER@$SWITCH_IP" << EOF
configure
snmp-server set-community vsprivat
snmp-server get-community vsprivat
snmp-server trap-community vsprivat
snmp-server version v3
snmp-server username vssnmap sec-level auth auth md5 auth-password vspassword group admin
ip name-server 192.168.0.1
EOF

# disable PoE on interface 1
sshpass -p "$SSH_PASSWORD" ssh -oHostKeyAlgorithms=+ssh-rsa "$SSH_USER@$SWITCH_IP" << EOF
configure
no pwr interface 1
EOF

# time for the PoE downtime
sleep 5

# enable PoE on interface 1
sshpass -p "$SSH_PASSWORD" ssh -oHostKeyAlgorithms=+ssh-rsa "$SSH_USER@$SWITCH_IP" << EOF
configure
pwr interface 1
EOF
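The script above keeps the switch password as a literal in the file and relies on whatever host key state the calling user has. The following variant is an added example, not the article's own script: it performs the same PoE power cycle, but reads the password from the SSH_PASSWORD environment variable (sshpass -e), allows the legacy ssh-rsa host key type only for this connection, and checks the switch host key against a dedicated known_hosts file. A DRY_RUN=1 mode prints the command line and the CLI lines that would be sent, so the script can be checked without a switch. The function names, paths and defaults are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): PoE power cycle on one switch port
# with the password taken from the environment and the host key pinned.
set -eu

SWITCH_IP="${SWITCH_IP:-192.168.0.1}"
SSH_USER="${SSH_USER:-admin}"
KNOWN_HOSTS="${KNOWN_HOSTS:-${HOME:-/root}/.ssh/known_hosts_zyxel}"   # assumed path
POE_PORT="${POE_PORT:-1}"
POE_DOWN_SECONDS="${POE_DOWN_SECONDS:-5}"

# Emit the switch CLI lines that turn PoE on one port off or on.
poe_cmds() {   # usage: poe_cmds <port> off|on
  port="$1"; state="$2"
  case "$port" in
    ''|*[!0-9]*) echo "poe_cmds: port must be numeric, got '$port'" >&2; return 1 ;;
  esac
  printf 'configure\n'
  case "$state" in
    off) printf 'no pwr interface %s\n' "$port" ;;
    on)  printf 'pwr interface %s\n' "$port" ;;
    *)   echo "poe_cmds: state must be off or on, got '$state'" >&2; return 1 ;;
  esac
  printf 'exit\nexit\n'   # leave config mode, then close the session
}

# Send the CLI lines read from stdin to the switch in one ssh session.
switch_run() {
  if [ -z "${SSH_PASSWORD:-}" ]; then
    echo "switch_run: set SSH_PASSWORD in the environment, not in the script" >&2
    return 1
  fi
  # ssh options: legacy host key type only here, and strict checking against
  # the pinned key in KNOWN_HOSTS instead of StrictHostKeyChecking=no.
  set -- -oHostKeyAlgorithms=+ssh-rsa \
         -oStrictHostKeyChecking=yes \
         "-oUserKnownHostsFile=$KNOWN_HOSTS" \
         -oConnectTimeout=10
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'sshpass -e ssh'
    printf ' %s' "$@" "$SSH_USER@$SWITCH_IP"
    printf '\n'
    cat            # echo the CLI lines that would have been sent
    return 0
  fi
  sshpass -e ssh "$@" "$SSH_USER@$SWITCH_IP"   # sshpass -e reads SSH_PASSWORD
}

# Invoke as:  SSH_PASSWORD='...' ./poe-cycle.sh cycle
if [ "${1:-}" = cycle ]; then
  poe_cmds "$POE_PORT" off | switch_run
  sleep "$POE_DOWN_SECONDS"
  poe_cmds "$POE_PORT" on | switch_run
fi
```

The password still travels through sshpass, because the switch offers no key authentication, but it no longer sits in a file next to the switch IP, and a typo in the port number is rejected before anything is sent.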

Expect

If you want to go another way you can use an expect script and "type" every command yourself. Thanks to Eugen from baeldung.com; I reused some of his work in this script.

#!/usr/bin/expect
set timeout 60

# SSH credentials and switch IP
set SSH_USER admin
set SSH_PASSWORD 1234
set SWITCH_IP 192.168.0.1
set SSH_Port 22

spawn ssh -oHostKeyAlgorithms=+ssh-rsa -p "$SSH_Port" "$SSH_USER@$SWITCH_IP"

# answer the password prompt
expect "*?assword" {
    send "$SSH_PASSWORD\r"
}
# every following step waits for the "#" prompt before sending the next command
expect "*#*" {
    send "show pwr\r"
}
expect "*#*" {
    send "configure\r"
}
expect "*#*" {
    send "no pwr interface 1\r"
}

# PoE downtime
sleep 30

expect "*#*" {
    send "pwr interface 1\r"
}
expect "*#*" {
    send "exit\r"
}
expect "*#*" {
    send "exit\r"
}
interact

Access Points

If you run the access points in local mode (not via Nebula) you have the following options (these are the options of a NWA50AX). With the scripts you can build an auto-reboot script that reboots your access points every week.

    apply
    atse
    clear
    configure
    copy
    daily-report
    debug
    delete
    diag
    diaginfo
    dir
    disable
    enable
    exit
    iperf
    no
    nslookup
    packet-trace
    ping
    ping6
    psm
    reboot
    release
    rename
    renew
    run
    setenv
    show
    shutdown
    ssh
    sshcon
    tcpping
    telnet
    tracepath
    tracepath6
    traceroute
    traceroute6
    wds
    wizard
    wlan-report
    write
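For the weekly reboot mentioned above, here is an added example that is not part of the original article: a job that reads the access points from a list file, sends the `reboot` command from the list above to each one, writes one log line per AP and exits with the number of failures, so cron can alert on it. The list file format, the log format, the cron schedule, the env file and the function names are assumptions; the password again comes from SSH_PASSWORD via sshpass -e.

```shell
#!/bin/sh
# Added example (not from the article): weekly reboot of access points in
# local mode. The list file, env file and cron line are assumptions.
#
# Suggested crontab entry (Monday 03:00). /etc/zyxel/ap.env is assumed to
# hold "export SSH_PASSWORD=..." with mode 600, so the password is not
# visible in the crontab or in the process list:
#   0 3 * * 1  . /etc/zyxel/ap.env && /usr/local/bin/ap-reboot.sh run >> /var/log/ap-reboot.log 2>&1
set -eu

AP_LIST="${AP_LIST:-/etc/zyxel/access-points.txt}"   # assumed format: "name ip" per line, # comments
AP_USER="${AP_USER:-admin}"
KNOWN_HOSTS="${KNOWN_HOSTS:-${HOME:-/root}/.ssh/known_hosts_zyxel}"

# Print "name ip" pairs from the list file, dropping comments and blank lines.
ap_hosts() {   # usage: ap_hosts <list_file>
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk 'NF >= 2 { print $1, $2 }'
}

# Send "reboot" to one AP over ssh; returns ssh's exit status.
ap_reboot() {   # usage: ap_reboot <name> <ip>
  if [ -z "${SSH_PASSWORD:-}" ]; then
    echo "ap_reboot: SSH_PASSWORD is not set" >&2
    return 1
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "dry run: would reboot $1 ($2)" >&2
    return 0
  fi
  printf 'reboot\n' | sshpass -e ssh -oHostKeyAlgorithms=+ssh-rsa \
      -oStrictHostKeyChecking=yes "-oUserKnownHostsFile=$KNOWN_HOSTS" \
      -oConnectTimeout=10 "$AP_USER@$2"
}

# Reboot every AP in the list, one log line per AP ("<utc time> <name> <ip> ok|FAILED");
# the return value is the number of APs that could not be reached or rejected the command.
reboot_all() {   # usage: reboot_all <list_file>
  fails=0
  while read -r name ip; do
    [ -n "$name" ] || continue
    if ap_reboot "$name" "$ip"; then status=ok; else status=FAILED; fails=$((fails + 1)); fi
    printf '%s %s %s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$name" "$ip" "$status"
  done <<EOF
$(ap_hosts "$1")
EOF
  return "$fails"
}

# Invoke as:  SSH_PASSWORD='...' ./ap-reboot.sh run
if [ "${1:-}" = run ]; then
  reboot_all "$AP_LIST"
fi
```

The loop reads the host list from a here-document rather than a pipe so that the failure counter survives the loop; with a `ap_hosts | while read` pipeline the count would be lost in a subshell. A non-zero exit from cron then means at least one AP did not take the command, which is worth checking before the next maintenance window.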

Downloads

I found some documentation in the depths of the internet:

Zyxel CLI Reference Guide Ethernet Switch Series:

Zyxel CLI Reference Guide NWA WAC Series

(c) Thumbnail was created with Adobe AI Firefly
