I enjoy solving problems on a shoestring budget with next to no resources. Well… not really. But because I work with small businesses from time to time, that is often the main design requirement. Another design requirement that often doesn’t fall in line with “cheap” is disaster recovery. Fortunately I was able to talk the clients into Cisco gear at one point in the past.
Archive Full Configurations
Backup, archiving and compliance management of Cisco device configurations is best handled by a robust network management solution. Something like Cisco’s LMS or the newer Cisco Prime Infrastructure works for larger organizations, while Cisco Network Assistant or a number of other solutions fit the bill for small businesses. The thing is, the client has three switches and no real desire to implement a system that will take more resources or money to maintain, even if the capital expense is low. In previous posts I have addressed how to back up IOS configurations with scripts on both Linux and Windows systems. I also addressed command accounting with the open source implementation of TACACS+. The Cisco IOS feature that addresses this goal is “archive”. To get started, let’s log in and explore our options. From global configuration mode:
sw1(config)#archive
sw1(config-archive)#?
Archive configuration commands:
  default       Set a command to its defaults
  exit          Exit from archive configuration mode
  log           Logging commands
  maximum       Maximum number of backup copies
  no            Negate a command or set its defaults
  path          Path for backups
  rollback      Rollback parameters
  time-period   Period of time in minutes to automatically archive the running-config
  write-memory  Enable automatic backup generation during write memory
As you can see there are a handful of options. Let’s configure the device to back up its configuration to a specific destination.
sw1(config-archive)#path ?
  flash:  Write archive on flash: file system
  ftp:    Write archive on ftp: file system
  http:   Write archive on http: file system
  https:  Write archive on https: file system
  rcp:    Write archive on rcp: file system
  scp:    Write archive on scp: file system
  tftp:   Write archive on tftp: file system
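As you can see we have even more options here. I will be using a TFTP server for this demo. Keep in mind that TFTP has no authentication or encryption, so the scp: option is the safer pick when the archive crosses a network you do not fully trust. When specifying a path it’s worth being aware that the format is something like this: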
tftp://<server>/<name>-#
For example:
sw1(config-archive)#path tftp://192.168.1.10/sw1
Will yield a file something like this:
tftp://192.168.1.10/sw1Nov-30-11-32-24-0
Next you will have to set the frequency of the backup in minutes. Let’s say we want to back up every week. That would be 7 days x 24 hours a day x 60 minutes an hour = 10080 minutes. Do the math accordingly for the period of time you want to use and key the configuration like this:
sw1(config-archive)#time-period 10080
There is also an option to back up when changes are saved to the startup configuration. This looks something like this:
sw1(config-archive)#write-memory
Be aware that this archives the configuration AFTER applying your changes.
Now, let’s jump back to privileged mode and check the archive status. This is done with the “show archive” command.
sw1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named tftp://192.168.1.10/sw1--2
 Archive #  Name
   1        tftp://192.168.1.10/sw1Nov-30-11-32-24-0
   2        tftp://192.168.1.10/sw1Nov-30-11-40-53-1
Finally, if you are about to make changes and would like to archive a copy, simply issue an “archive configuration” command from the global configuration mode.
sw1#archive config !
Log Configuration Changes
Another awesome feature of archive is the ability to store the commands that users issue. To configure these options, head back into the archive configuration.
sw1(config)#archive
sw1(config-archive)#log config
sw1(config-archive-log-cfg)#?
commands for controlling config logging:
  default   Set a command to its defaults
  exit      Exit from the log config submode
  hidekeys  suppress output (e.g. passwords) when displaying logged commands
  logging   Modify config logging parameters
  no        Negate a command or set its defaults
  notify    Send logged commands to target applications
  record    What to record in the config logger
As you can see there are a few options here as well. Let’s configure logging now.
sw1(config-archive-log-cfg)#hidekeys
sw1(config-archive-log-cfg)#logging enable
sw1(config-archive-log-cfg)#logging size 500
“hidekeys” hides passwords, etc., “logging enable” turns the logging function on, and finally “logging size 500” allows 500 log entries to be stored. To view the command log, let’s jump back to enable mode and have a look.
sw1#sh archive log config all
 idx   sess           user@line      Logged command
    1     1      schaeffer@vty0     |  logging enable
    2     1      schaeffer@vty0     |  hidekeys
    3     1      schaeffer@vty0     |  logging size 400
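With no management platform watching three switches, the command log only helps if someone reviews it. The script below is an added example (not from the original post or from Cisco) that parses collected “show archive log config all” output and flags commands that weaken the audit trail; the watch list, the sample rows 4-6 and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of "show archive log config all";
# rows 1-3 mirror the post, rows 4-6 are invented for the demo.
SAMPLE = """\
 idx   sess           user@line      Logged command
    1     1      schaeffer@vty0     |  logging enable
    2     1      schaeffer@vty0     |  hidekeys
    3     1      schaeffer@vty0     |  logging size 400
    4     2           temp@vty1     |  line vty 0 4
    5     2           temp@vty1     |  transport input telnet
    6     2           temp@vty1     |  no logging enable
"""

# idx, session, user, line, then the command after the "|" separator.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+?)@(\S+)\s+\|\s*(.*\S)\s*$")

# Assumed watch list (tune per site): commands that weaken the audit
# trail or remote-access hygiene.
WATCH = [
    (re.compile(r"^no (logging enable|hidekeys)$"), "config logging weakened"),
    (re.compile(r"^no (archive|path|write-memory)\b"), "archiving reduced"),
    (re.compile(r"^transport input .*telnet"), "cleartext management enabled"),
]

def parse_log(text):
    """Return one dict per logged command; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, sess, user, tty, cmd = m.groups()
            rows.append({"idx": int(idx), "sess": int(sess),
                         "user": user, "line": tty, "cmd": cmd})
    return rows

def findings(rows):
    """Return (idx, user, cmd, reason) for every command on the watch list."""
    return [(r["idx"], r["user"], r["cmd"], why)
            for r in rows for pat, why in WATCH if pat.search(r["cmd"])]

def commands_per_user(rows):
    """Count logged commands per user, a quick view of who changed what."""
    return Counter(r["user"] for r in rows)

if __name__ == "__main__":
    rows = parse_log(SAMPLE)
    for hit in findings(rows):
        print("ALERT idx=%d user=%s cmd=%r (%s)" % hit)
    print(dict(commands_per_user(rows)))
```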
There are multiple pieces of documentation on Cisco’s site. Here is the one I found the most useful: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtconlog.html
I hope everyone found this useful!