CISCO automatic configuration backup

These are a few of the ways you can get configuration backups from Cisco devices on a schedule.

I know of at least two ways, using the archive[1] or the kron[2] feature. I will explain both, though personally I use kron. Of course neither of them applies to ASA devices (as is usually the case :)), but I will also show how you can schedule those backups. Besides admin access to the devices, you of course need an FTP or TFTP server reachable from them.

ARCHIVE

This is the easier way. It works on switches and routers. In config mode enter:

sw1(config)#archive
sw1(config-archive)#path tftp://192.168.100.31/config/cisco/$h-
sw1(config-archive)#time-period 10080
sw1(config-archive)#write-memory

This saves the configuration file to your TFTP server with the filename sw1 ($h is replaced with the hostname) every 7 days (the time-period is given in minutes, 10080 = 7 days). It is also backed up whenever you manually run the write memory command. The file on the server looks like this:

-rw-r--r-- 1 tftp tftp  6993 Sep 28 19:56 sw1-Sep-28-19-56-07-0

What gets appended to the filename is the date, time and a backup number that increments by one every time. You can't control this part of the filename, and you also can't limit the number of backups kept on the TFTP server with maximum under the archive configuration (at least not on the IOS 12.2(44) and IOS-XE 03.06.05E versions that I'm using); that only works when the archive is written to local flash, for example. Old files on the TFTP or FTP server therefore have to be deleted manually.

That is the main reason why I personally use kron feature for backups.

KRON

Kron is not as feature rich as cron on Linux, but it gets the job done. First we need to create an alias for the remote backup command to the TFTP/FTP server. This is not mandatory, but it makes an off-schedule configuration backup a lot easier.

sw1(config)#alias exec wrinet sh run | redirect tftp://192.168.100.31/config/cisco/sw1

redirect is used because this way there are no confirmation prompts for source and destination. Now when you need to make a backup, just type:

sw1#wrinet

Next we need to create the kron job:

sw1(config)#kron policy-list backup
sw1(config-kron-policy)#cli write
sw1(config-kron-policy)#cli wrinet
sw1(config-kron-policy)#exit
sw1(config)#kron occurrence backupSchedule at 5:00 Sun recurring
sw1(config-kron-occurrence)#policy-list backup 
sw1(config-kron-occurrence)#exit

First we create a policy-list named backup with two commands that are run: write and wrinet. The first one covers the situation where I or someone else forgot to save changes made to the running configuration.
After that we create a schedule that runs this policy-list every Sunday at 5:00 AM. Instead of recurring you can put oneshot so it runs only once.

If you need to check that it's working, just create a new occurrence and set it to run in the next few minutes:

sw1(config)#kron occurrence test in 5 oneshot
sw1(config-kron-occurrence)#policy-list backup
ASA

As with many things, ASA is a little bit different. For this setup it means no archive and no kron feature. I'm using version 8.4(6); maybe there are some changes in versions 9 and later.
First we create the alias command. It's a little bit different... of course. There is no redirect, so we need to use the old copy command with its prompts, but they will not get in the way.

    asa(config)#command-alias exec wrinet copy running-config tftp://192.168.100.31/config/cisco/asa1

Since there is no kron, we need a script to automate the rest. In short, we SSH to the ASA and run the wrinet command. It is possible to configure an SSH public key for the user that will be connecting, but there is no skipping the enable password prompt (it is still a security device).

    asa(config)#username user1 attributes
    asa(config-username)#service-type admin
    asa(config-username)#ssh authentication publickey 0c:e5:46:bf:65:a2:d6:2a:73:57:08:65:4d:53:dd:0b:01:71:f1:87:a4:62:5a:11:02:50:d9:65:d0:8d:12:84


The script I use is written in bash. It needs the package called expect so we can automate the SSH connection and the commands:

    sudo apt-get install expect

Script:

    #!/bin/bash
    # Backs up the ASA running configuration: SSH in, enter enable mode,
    # save the config, then run the wrinet alias defined above.
    # The credentials are stored in plaintext here, so keep this file
    # readable only by the backup user (chmod 600).

    username="username"
    password="password"
    host="192.168.100.2"

    # The heredoc is unquoted on purpose so bash fills in the variables
    # before expect sees the script. The session output goes to the log file.
    /usr/bin/expect <<EOD > asa-backup.log
    # allow the copy to finish; expect's default timeout is 10 seconds
    set timeout 30
    spawn ssh -o ConnectTimeout=4 $username@$host
    expect ">"
    send "en\r"
    expect "Password:"
    send "$password\r"
    expect "#"
    send "write memory\r"
    expect "#"
    send "wrinet\r"
    # accept the default source, destination and filename prompts
    expect "Source*"
    send "\r\r\r"
    expect "#"
    send "exit\r"
    EOD


Start the script manually to see if it works. If everything is OK, put it in a cron schedule with the same time as the kron jobs on the routers and switches.

RESULT

After all this you will have all the backup files uploaded on schedule to your remote server. The directory listing will look similar to this:

     -rw-r--r-- 1 tftp tftp 29640 Sep 24 10:00 asa1
     -rw-r--r-- 1 tftp tftp  6082 Sep 24 10:00 router1
     -rw-r--r-- 1 tftp tftp  9144 Sep 24 10:00 sw1
     -rw-r--r-- 1 tftp tftp  6886 Sep 24 00:01 sw2
     -rw-r--r-- 1 tftp tftp  6993 Sep 24 19:56 sw3
     -rw-r--r-- 1 tftp tftp    62 Sep 24 10:00 sw4

Now you can do version tracking with git. Just init a git repository in this folder, and put the add/commit into a script with a schedule similar to the backups. Since the filenames never change, git will only add and commit files that differ from the last backup/git check. Just don't forget to remove the first line of the Cisco config for this to work properly: the first line contains the date when the configuration was written, so git would see a change every time. With this line removed you're good to go.
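One way to script that git step, as an added example that is not from the original post: the volatile header lines are stripped into a normalized copy of each backup, and a commit is made only when the normalized content actually changed. The backup directory path and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): normalize the backed-up Cisco
# configs and commit them to git only when something other than the
# timestamp header changed. The backup directory path is an assumption.

# Remove the lines that differ on every backup even when the configuration
# did not: the first line, as the post advises, plus the IOS
# "! Last configuration change" / "! NVRAM config last updated" lines and
# the ASA ": Written by ... at ..." header. Filters stdin to stdout.
strip_volatile_lines() {
    sed '1d' | grep -v -E '^! (Last configuration change|NVRAM config last updated)|^: Written by '
}

# Checksum of a backup file's normalized content; two backups of an unchanged
# device produce the same value. Prints only the checksum.
config_fingerprint() {
    strip_volatile_lines < "$1" | cksum | cut -d' ' -f1
}

# Write a normalized .cfg copy of every raw backup file in the directory,
# stage the copies, and commit only if the index differs from HEAD.
commit_changed_configs() {
    dir="$1"
    cd "$dir" || return 1
    [ -d .git ] || git init -q
    for f in *; do
        [ -f "$f" ] || continue
        case "$f" in *.cfg) continue ;; esac   # skip our own normalized copies
        strip_volatile_lines < "$f" > "$f.cfg"
    done
    git add -- '*.cfg'
    if git diff --cached --quiet; then        # exit 0: index matches HEAD
        echo "no configuration changes since last backup"
        return 0
    fi
    git commit -q -m "config backup $(date +%F)"
}

# Run from cron after the device backups have landed, e.g.
#   ./config-git.sh /srv/tftp/config/cisco   (hypothetical path)
if [ $# -eq 1 ]; then
    commit_changed_configs "$1"
fi
```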


  1. https://www.cisco.com/c/en/us/td/docs/ios/fundamentals/command/reference/cf_book/cf_a1.html

  2. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/cns/configuration/15-s/cns-15-s-book/cns-cmd-sched.html