Archive Cisco Configuration Changes on the Cheap

I enjoy solving problems on a shoestring budget with next to no resources. Well… not really. But because I work with small businesses from time to time, that often is the main design requirement. Another design requirement that often doesn’t fall in line with “cheap” is disaster recovery. Fortunately I was able to talk the clients into Cisco gear at one point in the past.

Archive Full Configurations

Backup, archiving and compliance management of Cisco device configurations is best handled by a robust network management solution. Something like Cisco’s LMS or the newer Cisco Prime Infrastructure works for larger organizations, while Cisco Network Assistant or a number of other solutions fit the bill for small businesses. The thing is, the client has three switches and no real desire to implement a system that will take more resources or money to maintain, even if the capital expense is low. In previous posts I have addressed how to back up IOS configurations with scripts on both Linux and Windows systems. I also addressed command accounting with the open source implementation of TACACS+. The Cisco IOS feature that addresses this goal is “archive”. To get started, let’s log in and explore our options. From global configuration mode:

sw1(config)#archive
sw1(config-archive)#?
Archive configuration commands:
default      Set a command to its defaults
exit         Exit from archive configuration mode
log          Logging commands
maximum      Maximum number of backup copies
no           Negate a command or set its defaults
path         Path for backups
rollback     Rollback parameters
time-period  Period of time in minutes to automatically archive the running-config
write-memory Enable automatic backup generation during write memory

As you can see there are a handful of options. Let’s configure the device to back up its configuration to a specific destination.

sw1(config-archive)#path ?
  flash:  Write archive on flash: file system
  ftp:    Write archive on ftp: file system
  http:   Write archive on http: file system
  https:  Write archive on https: file system
  rcp:    Write archive on rcp: file system
  scp:    Write archive on scp: file system
  tftp:   Write archive on tftp: file system

As you can see, we have even more options here. I will be using a TFTP server for this demo. When specifying a path, it’s worth being aware that the format is something like this:

tftp://<server>/<name>-#

For example:

sw1(config-archive)#path tftp://192.168.1.10/sw1

Will yield a file something like this:

tftp://192.168.1.10/sw1Nov-30-11-32-24-0

Next you will have to set the frequency of the backup in minutes. Let’s say we want to back up every week. That would be 7 days × 24 hours a day × 60 minutes an hour = 10080 minutes. Do the math accordingly for the period of time you want to use and key the configuration like this:

sw1(config-archive)#time-period 10080

There is also an option to back up when changes are saved to the startup configuration. It looks something like this:

sw1(config-archive)#write-memory

Be aware that this archives the configuration AFTER applying your changes.
Now, let’s jump back to privileged mode and check the archive status. This is done with the “show archive” command.

sw1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named tftp://192.168.1.10/sw1--2
 Archive #  Name
   1        tftp://192.168.1.10/sw1Nov-30-11-32-24-0
   2        tftp://192.168.1.10/sw1Nov-30-11-40-53-1

Finally, if you are about to make changes and would like to archive a copy, simply issue an “archive configuration” command from the global configuration mode.

sw1#archive config
!

Log Configuration Changes

Another awesome feature of archive is the ability to store the commands that users issue. To configure these options, head back into the archive configuration.

sw1(config)#archive
sw1(config-archive)#log config
sw1(config-archive-log-cfg)#?
commands for controlling config logging:
  default   Set a command to its defaults
  exit      Exit from the log config submode
  hidekeys  suppress output (e.g. passwords) when displaying logged commands
  logging   Modify config logging parameters
  no        Negate a command or set its defaults
  notify    Send logged commands to target applications
  record    What to record in the config logger

As you can see, there are a few options here as well. Let’s configure logging now.

sw1(config-archive-log-cfg)#hidekeys
sw1(config-archive-log-cfg)#logging enable
sw1(config-archive-log-cfg)#logging size 500

“hidekeys” hides passwords, etc., “logging enable” turns the logging function on and finally “logging size 500” allows 500 log entries to be stored. To view the command log, let’s jump back to enable mode and have us a look.

sw1#sh archive log config all
 idx   sess           user@line      Logged command
    1     1      schaeffer@vty0     |  logging enable
    2     1      schaeffer@vty0     |  hidekeys
    3     1      schaeffer@vty0     |  logging size 400
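
One way to review this output off the switch, as an added example that is not part of the original post: a Python parser that groups logged commands by session and flags commands that turn off the change log or key hiding. Sample entries 4-6, the user "jdoe" and the watchlist are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the output above; entries 4-6
# and the user "jdoe" are invented for this example.
SAMPLE = """\
 idx   sess           user@line      Logged command
    1     1      schaeffer@vty0     |  logging enable
    2     1      schaeffer@vty0     |  hidekeys
    3     1      schaeffer@vty0     |  logging size 400
    4     2           jdoe@vty1     |  no hidekeys
    5     2           jdoe@vty1     |  no logging enable
    6     3      schaeffer@con0     |  interface Vlan10
"""

# idx, sess, user@line, then "|" and the logged command.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)@(\S+)\s+\|\s*(.*\S)\s*$")

# Assumption: commands this site treats as weakening the audit trail itself.
WATCHLIST = (
    re.compile(r"^no\s+hidekeys\b"),
    re.compile(r"^no\s+logging\s+enable\b"),
)

def parse_log(text):
    """Return one dict per logged command; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, sess, user, tty, cmd = m.groups()
            entries.append({"idx": int(idx), "sess": int(sess),
                            "user": user, "line": tty, "command": cmd})
    return entries

def by_session(entries):
    """Group commands by (session, user, line) to review one change window at a time."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[(e["sess"], e["user"], e["line"])].append(e["command"])
    return dict(grouped)

def flagged(entries):
    """Entries whose command matches the watchlist."""
    return [e for e in entries if any(p.match(e["command"]) for p in WATCHLIST)]

if __name__ == "__main__":
    log = parse_log(SAMPLE)
    for (sess, user, tty), cmds in by_session(log).items():
        print(f"session {sess} {user}@{tty}: {len(cmds)} command(s)")
    for e in flagged(log):
        print(f"ALERT idx={e['idx']} {e['user']}@{e['line']}: {e['command']}")
```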

There are multiple pieces of documentation on Cisco’s site. Here is the one I found the most useful: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtconlog.html

I hope everyone found this useful!
