Automating IOS Configuration Archival on the Cheap Using Archive and FTP

One of the challenges of managing network infrastructure devices is maintaining a library of historical device configurations. You might think, “Maintain a library of old configs? Who cares? I make a change, I copy run start, and I’m done. Who cares about old configs?”

Yeah, so apparently you’re the most interesting network engineer in the world. (Have we beat this meme to death yet? I’m trying, I’m trying…) You don’t always test your code, but when you do, you do it in production. And – it would seem – without a safety net. Hey, Captain Interesting – what are you going to do when your masterfully-written-yet-untested change goes wrong? When you include too many interfaces in a range statement? When your paste buffer overruns and your code hits the switch with some important text missing? When you have 8 device CLIs open and paste into the wrong one? When you just screw up, plain and simple? Never happen? All this has happened before, and all this will happen again. To you. Probably today.

One handy bail out plan for an IOS device change fail is to have a backup copy of the device configuration. How do you get a config copy before embarking on your change to end all changes?

  • You could do a “term len 0” followed by “show run” while outputting to a text file. Or, if you aren’t logging to a text file, at least scroll back, highlight the config from your buffer, paste it into a text editor, and save. It works, but you score zero style points. Really manual, really tedious, really annoying on multi-hundred line chassis switch configs, and probably the first thing you’re going to skip because when you’re ready to make a change, then you’re ready.
  • You could buy a tool that collects your configs for you, and probably does a bunch of other config related stuff too. They work, but…you know. They cost money. You have to set them up. They’re really aimed at big shops. And some weenie is going to call you once a year for maintenance renewal. Sigh.
  • You could…oh, there’s other hacktastic ways. You get the idea.
  • OR! You could throw up an FTP server (tons of them out there for free, I like FileZilla) and set up IOS to copy its config to the FTP server on a timed interval, and/or every time you write mem. Oooo. Now we’re talking. Cheap AND effective.

For IOS versions that support it, the code is really simple. Take a look at this example:

 archive
  path ftp://username:password@10.100.200.10/MYSWITCH-config-
  write-memory
  time-period 1440
  exit

Line by line, here’s what’s happening:

  • The keyword “archive” takes you into the “archive” subparagraph.
  • The “path” is the destination the IOS device is going to send the configuration to. In my example, I set up an FTP URL in a standard format that embeds the username, password, and the destination IP of my FTP server. You can use a hostname instead of an IP if you’ve configured the device to resolve hostnames via the “ip name-server” command. The “MYSWITCH-config-” section is the filename prefix; IOS appends a serial number to it, which is usually a timestamp, but varies by IOS version. You should replace “MYSWITCH” with the hostname of the device whose config you’re backing up.
  • The “write-memory” directive tells the archive process to write a copy of the config every time you do a “copy run start” or “write memory” at the console.
  • “Time-period 1440” means that every 1440 minutes (once a day), the switch will auto-write another config to the FTP server. It doesn’t appear that you can schedule this to be at a specific time of day.
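Once the switch has been dropping “MYSWITCH-config-<serial>” files onto the FTP server, the practical questions are which two files to compare and what actually changed between them. The script below is an added example, not code from the original post or from Cisco. It assumes the archived files sit in a directory that is the FTP server’s upload folder (or a copy of it) and that the serial suffix is a plain integer, which as noted above varies by IOS version. It picks the two newest files by serial, produces a unified diff, and masks the credentials embedded in the archive path along with any password/secret/key lines first, so the diff can go into a change ticket or e-mail without leaking the FTP or routing-protocol passwords. The two sample configs are constructed for the example.

```python
"""Diff the two newest archived IOS configs with secrets masked.

Added example, not from the original post. Assumes archive files are
named <prefix>-config-<integer serial> as produced by the IOS
'archive' feature described above.
"""
import difflib
import re
from pathlib import Path

# Constructed sample archive: two successive saves of the same switch.
# The only real change is on the vty line (telnet was enabled).
SAMPLE_ARCHIVE = {
    "MYSWITCH-config-9": (
        "hostname MYSWITCH\n!\narchive\n"
        " path ftp://backup:S3cret@10.100.200.10/MYSWITCH-config-\n"
        " write-memory\n time-period 1440\n!\n"
        "router bgp 65000\n neighbor 10.10.10.2 password bgpS3cret\n!\n"
        "line vty 0 4\n transport input ssh\n"
    ),
    "MYSWITCH-config-10": (
        "hostname MYSWITCH\n!\narchive\n"
        " path ftp://backup:S3cret@10.100.200.10/MYSWITCH-config-\n"
        " write-memory\n time-period 1440\n!\n"
        "router bgp 65000\n neighbor 10.10.10.2 password bgpS3cret\n!\n"
        "line vty 0 4\n transport input telnet ssh\n"
    ),
}

# Filename layout the archive feature produces (serial assumed numeric).
SERIAL_RE = re.compile(r"^(?P<prefix>.+-config-)(?P<serial>\d+)$")
# user:password@ embedded in an archive/copy URL.
URL_CRED_RE = re.compile(r"(ftp|scp|sftp|http)://([^:/@\s]+):[^@\s]+@")
# Any line carrying a password/secret/key, optionally with a type digit (e.g. '7').
SECRET_LINE_RE = re.compile(r"^(.*\b(password|secret|key)\s+)(\d\s+)?(\S+)",
                            re.IGNORECASE)


def serial_of(name):
    """Return the integer serial IOS appended to the filename, or None."""
    m = SERIAL_RE.match(name)
    return int(m.group("serial")) if m else None


def latest_two(names):
    """Return (older, newer) filenames of the two highest serials."""
    ranked = sorted((n for n in names if serial_of(n) is not None), key=serial_of)
    if len(ranked) < 2:
        raise ValueError("need at least two archived configs to diff")
    return ranked[-2], ranked[-1]


def redact(text):
    """Mask URL-embedded credentials and password/secret/key values."""
    out = []
    for line in text.splitlines():
        line = URL_CRED_RE.sub(r"\1://\2:<redacted>@", line)
        line = SECRET_LINE_RE.sub(r"\1<redacted>", line)
        out.append(line)
    return "\n".join(out) + "\n"


def config_diff(archive):
    """Unified diff (list of lines) between the two newest configs, redacted."""
    old, new = latest_two(archive.keys())
    return list(difflib.unified_diff(
        redact(archive[old]).splitlines(), redact(archive[new]).splitlines(),
        fromfile=old, tofile=new, lineterm=""))


def changed_lines(archive):
    """Only the added/removed config lines, for quick triage of a change."""
    return [l for l in config_diff(archive)
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def load_archive_dir(directory):
    """Read every archive-named file from a directory into {name: text}."""
    return {p.name: p.read_text() for p in Path(directory).iterdir()
            if p.is_file() and serial_of(p.name) is not None}


if __name__ == "__main__":
    # Swap SAMPLE_ARCHIVE for load_archive_dir("/path/to/ftp/root") in use.
    print("\n".join(config_diff(SAMPLE_ARCHIVE)))
```

Running it against the sample prints a diff whose only real lines are the removed “transport input ssh” and the added “transport input telnet ssh”; the FTP and BGP passwords show up only as “<redacted>”, even in the context lines. The redaction is deliberately coarse (it also masks key chains and enable secrets) because a diff that hides one secret too many costs nothing, while one that leaks a single password is in the ticketing system forever.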

So, you blew up a Cisco box? Well, now you can go to your FTP server, take a look at the last config that was saved, and put the lava back in the volcano.

There’s other functionality available within the IOS archive tool, including saving a limited number of archived configurations to flash instead of off-box (I prefer off-box generally speaking, although saving to flash has advantages depending on just how badly you hosed the box), and rolling back configurations.

Take a look here for more detailed information from Cisco on “Configuration Replace and Configuration Rollback”.

P.S. Yeah, I know. Juniper rocks. We get it.
About Ethan Banks

Ethan is a network engineer, blogger, editor, freelance writer, and CCIE #20655. He's also a host on the Packet Pushers podcast, an independent show covering the data networking industry. Find most of his content at PacketPushers.net. He also contributes to CCIE Flyer & Tech Target. Follow him on Twitter, Google Plus, and LinkedIn.

  • Benjamin Story
  • Matthew Walster

    Surely you must be aware of RANCID?

    • http://packetattack.org Ethan Banks

      Heard of it, have not used it.

      • Matthew Walster

        Ok, fair enough. Essentially, once per (configured time interval) RANCID connects to all your devices and downloads the configs. It then enters it into an SCM system such as cvs, svn, or with a patch I maintain, git. This makes it not only easy to backup and take with you when you travel, but incredibly easy to compare lines from different periods of time. 

        It can email you the diff between the old version and the new whenever it detects a change, and it comes with a bunch of useful utilities that allow you to feed commands directly to them which will then subsequently be run on your routers/switches. RANCID has been extended so it won’t just do “show run” but also a number of other commands depending on the platform that will record things like status of power supply (so you can find out easily when your B-feed power went out), when a linecard’s firmware was upgraded, or simply whether new hardware was added/removed. It is, put simply, the most useful tool I’ve seen in quite a while. I’ll stop being a salesman now ;)

        • Kal Feher

          Rancid is a must for anyone with more than a few routers and firewalls. While it gains its fame for config backups you can do so much more with it if you’re reasonably UNIX capable. The diffs on new to old configs alone make it a great tool. Aside from the mailed diffs you can use the archive tool of choice to compare diffs over time, not just recent changes.

          I’ve also used rancid to run other commands on routers at a specified time for debugging purposes or to avoid using “reload in” (ok I still used it but rancid ran its command first to save my blushes) when the rancid device had a different path to the router than I did.

          rancid can use ssh or telnet to login and it can be adapted for nearly any command line sequence of prompts.

          Obviously this means rancid has access to passwords. No matter how clever you are, this can’t be avoided so put it on a box that is secure.

  • Garrett Marks

    My problem with the Cisco archive command with ftp (or ssh/sftp in some versions of IOS) is the username and password are stored in clear text. That clear text is in the configuration which is stored on the server’s filesystem, which is a big no no but apparently still occurs pretty often.

    I wish Cisco would add ssh key support to IOS versions for 3750s which is where I would use this the most right now.

    • Curley Worley

      I’m pretty sure the ‘hidekeys’ command gets round this.

  • Marek

    I use this feature a lot but only to store backups on flash. You can define how many backups you want to store on your flash and when you reach that number then the oldest backup will be deleted and replaced with the new one. I also use the secure boot-config feature for a known good configuration – but only in environments where configuration changes are not made on a day-to-day basis.

  • Chris Crawley

    We use both RANCID for remote backups and also use archive to copy configs daily to a local disk on the device (path disk1:rtr-cfg). Just to be on the super safe side we also have an FTP server which I write the configs to prior to doing any work. And having a copy of the latest config on my lappy when I’m doing onsite changes/upgrades/reboots gives me the feel good factor, ‘cos you just can’t have enough backups.

    I seem to remember that the default RANCID config is to ***** out any passwords, which came in really handy the first time that we pulled a backup in anger. ISIS and BGP passwords all *******’d out. Nice!


  • Curley Worley

    Great post Ethan. I do the same myself but add a little of ‘kron’ to get more done.

    One thing to note with archiving to flash is you can then do a ‘diff’ against two config versions. Great if you have many engineers maintaining your network or if you’re dealing with a fault and you know it started after someone made a change.