Automatic backup of Cisco configurations
There are several ways to get configs archived and documented. One of the more popular tools seems to be RANCID (I’m yet to try it); another, less known, tool is config-monitor from iagu networks. Cisco also provides a built-in set of commands which allows a copy of the configuration to be saved remotely via FTP, SCP, or other methods.
There are downsides to the Cisco method. For one, following a reload it tends to start naming files back at 1, which causes it to overwrite older configs. The beauty is that it will only back up a config when the changes are committed to NVRAM, i.e. wr mem. Other tools either rely on scheduled checks or, in some cases, can be configured to periodically read a syslog file and grab a copy of the config when they see a new %SYS-5-CONFIG_I: Configured from console entry logged.
The biggest downside though is the need to store FTP/SCP credentials in the router itself; it’s not something I like doing for a number of reasons. However, it does work well for small networks or home lab environments where having recent changes documented is useful.
Enough talk, this is how it’s done with FTP:
ip ftp username <username>
ip ftp password <password>
archive
 log config
  hidekeys
 path ftp://serverIP/desired/path/$h.
 write-memory
There are also additional ip ftp commands, such as source-interface. If the ip ftp username|password commands are left out, an anonymous login will be used.
And SCP:
archive
 log config
  hidekeys
 path scp://username:password@serverIP//desired/path/to/configs/$h.
 write-memory
In both examples I’ve used $h. as the name of the file, and there are two parts to this. The $h sets the filename to the hostname of the router. When writing files, the router appends -[number] to the end of the filename; it starts at 1 and increments to 14 before returning to 1, so the filename will actually end up being hostname.-[number]. The . is just there so it creates an extension which Windows users can map to WordPad (don’t use Notepad, it doesn’t open the files properly). Anything can be used for the filename, but this method works very well.
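Because the slot number wraps around, and restarts at 1 after a reload, older archives on the server get overwritten. The following is an added example, not part of the original post: a Python script meant to run on the FTP/SCP server (for instance from cron) that copies each uploaded archive into a content-addressed vault before its slot is reused. The function names, vault layout and paths are assumptions made for illustration.

```python
import hashlib
import re
import shutil
from pathlib import Path

# Names IOS produces with "path .../$h.": <hostname>.-<number>
# The hostname part is restricted so a crafted name such as "...-1" cannot escape the vault.
ARCHIVE_NAME = re.compile(r"^(?P<host>[A-Za-z0-9][A-Za-z0-9_-]*)\.-(?P<slot>\d+)$")


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(upload_dir: Path, vault_dir: Path) -> list[Path]:
    """Copy every archive file whose content is not yet in the vault.

    Files are stored as <vault>/<hostname>/<sha256>.cfg, so a reused slot
    number never replaces an earlier config. Returns the paths created.
    """
    created = []
    for src in sorted(upload_dir.iterdir()):
        match = ARCHIVE_NAME.match(src.name)
        if not match or not src.is_file():
            continue  # not an IOS archive file
        host_dir = vault_dir / match["host"]
        host_dir.mkdir(parents=True, exist_ok=True)
        dest = host_dir / f"{sha256_of(src)}.cfg"
        if dest.exists():
            continue  # identical content already preserved
        shutil.copy2(src, dest)  # copy2 keeps the upload's modification time
        dest.chmod(0o400)  # read-only: preserved configs should not be edited
        created.append(dest)
    return created


if __name__ == "__main__":
    # Hypothetical paths: the FTP/SCP upload directory and a separate vault.
    for path in preserve(Path("/srv/ftp/lab"), Path("/srv/config-vault")):
        print("preserved", path)
```

A file caught mid-upload is stored as its own entry, and the complete version is added on the next run.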
To view a list of archived configurations, and to show the most recent:
#sh archive
The next archive file will be named ftp://10.250.1.11/lab/adelaide.-6
Archive # Name
0
1 ftp://10.250.1.11/lab/adelaide.-1
2 ftp://10.250.1.11/lab/adelaide.-2
3 ftp://10.250.1.11/lab/adelaide.-3
4 ftp://10.250.1.11/lab/adelaide.-4
5 ftp://10.250.1.11/lab/adelaide.-5 <- Most Recent
6
7
8
9
10
11
12
13
14
To view the differences between the running config and an archived config (this is spankingly delicious):
#sh archive config differences system:running-config ftp://10.250.1.11/lab/adelaide.-1
Loading lab/adelaide.-1 !
[OK - 10792/4096 bytes]
Contextual Config Diffs:
+ip route 10.1.50.0 255.255.255.0 Tunnel2
+ip nat inside source static tcp 10.1.90.10 80 interface Dialer0 80
+ip nat inside source static tcp 10.1.90.10 443 interface Dialer0 443
interface FastEthernet1
-ip address 10.1.50.254 255.255.255.0 secondary
-ip nat inside source static tcp 10.1.90.15 80 interface Dialer0 80
-ip nat inside source static tcp 10.1.90.15 443 interface Dialer0 443
-access-list 120 permit tcp any host 203.134.160.154 eq 443
To restore a configuration:
#copy ftp://10.250.1.11/lab/adelaide.-5 startup-config
Destination filename [startup-config]?
Accessing ftp://10.250.1.11/lab/adelaide.-5...
Loading lab/adelaide.-5 !
[OK - 10860/4096 bytes]
[OK]
10860 bytes copied in 11.476 secs (946 bytes/sec)
About this entry
You’re currently reading “Automatic backup of Cisco configurations,” an entry on Powered By Apathy
- Published: 9.20.09 / 6pm
- Category: Cisco