Friday, August 8, 2014

How do do config archival with cisco router/switch but without using rancid

In this post , we will look at just one way you can get creative with configuration changes archival.

This method works when ever  anybody makes configurations change and by exiting the configuration mode.

1st, here's the goal, we want to  execute config changes archival &  backups to 2 rancid-like nms  hosts

2nd, we will use  scp   for the protection of the backup configuration file  & transfer of the data and to 2 or more backup sources

3rd, we will also  execute at a pre-arrange time via kron, an automatic configuration backup via pushing the configuration to our two NMS hosts

4rd, restrict the user from actually logging into the NMS host

All of the above will be done via the cisco IOS  following features;  1:kron scheduler , 2:tclsh and  the cisco 3:eem ( embedded event manager )  and on our linux server we will install rssh

Here's the topology of our router and 2x NMS hosts & a typical switch/router.

note : The 2 NMS hosts have pre-defined user  ( rancid ) that's been enabled for "scp" and not listed in the superuser doers file & we have installed rssh  for added security and restrictions.

Okay let's look at the eem script that we use for the backup via the kron job.

This was as simple as I can make it,
  •   trigger on a syslog mesg
  •   execute the tclsh that we copy to the local disk
  •   optional, I generate my own log messages 

And here's the tcl script. Once again a simple script not overly complex.

set date [clock format [clock seconds] -format {%Y%m%d%T}]
set hostname [info hostname]
set file "${hostname}.${date}.cfg"
exec "copy running-config scp://rancid:apassword@$file"
exec "copy running-config scp://rancid:apassword@$file"

Okay what's happening here,

  • we define a few variable like time& date and the hostname  plus target filename
  • we use scp to copy the  config to the scp server

For the  archival, we will dump the config every time the a administrator exit config mode. The kron scheduler is quite simple. We create a policy-list and policy and match the 2 for execution at our select time.

NOTE: This step is not really required, but it's nice to write out the configurations regardless if any write action has taken place for any extended periods imho.

 The cisco archive is limited to writing to "ONE" target path. So if you have redundant backup  targets like 2 or more, cisco archive is of no use.

Kron execution of the  tcl shell ensure your have a backup made regardles if EEM is working or not.

One last tidbit, ensure you set the username for EEM applet execution. In this case I have an account on the cisco routers and switches named "rancid". This user will need the correct priv level for execution of the  EEM cli actions.

Without defining a user, your EEM applets will fail!


config t

  username  rancid  secret 123456 priv 15 
  event  manager session cli username rancid



I like my approach over using pure rancid, since rancid is a pull process, where-as this  a "push" operation.

You don't need to manipulate anything or run any cron schedule on a unix/linux host,  and all cfgs are sent immediately upon a  execution of a confiiguration mode.

Also with this approach you don't need to install any type rancid program or make modification when a new host is installed or deleted from the network.  You can easily serve the configurations diff directly via HTTPS and allow access for your users to review and download  the configurations files. You could easily write a cgi script that would diff and  display the differences between the two latest files.

You can find more information on rancid here;

Cisco EEM here;

You can learn more about cisco tcl via the following;


The following  EEM applet was use earlier, but it more complex and was generate a loop.

( notice we match our EEM trigger action  on the syslog message "Building configuration" )

NOTE:  You can modify the above EEM applet  from a "write" operation to any time a admin enters and/or leave  configuration mode via matching one of these patterns.


Last note, keep in mind most current ios software code allows for archival,  but not all software release supports  kron or the cisco EEM.  ( e.g cisco 2960S lanbase )


The rssh  ( restricted shell) is easy to setup btw. Here's a brief summary for a unix host.

1st install the application and supporting files via APT.

apt-get install rssh

Next , vi /etc/rssh.cfg and s uncomment the following line;

Next install the rssh for the user account that will conduct the scp copy. Here's my user account on a ubuntu server;

And here's what happen when rancid trys to ssh ;

You can find information on rssh here ;


So all security risk are mitigated and you have restrict the backup account to just a scp. With the $t & $h, variables, we have a  time-stamp and unique name for the hosts that pushes the configuration.

EEM is very powerful and by combination of the  archive we can do many things with  backing up configurations.

The cisco archive is limited to one path destination, but EEM gives us the ability to make backups to 2 or  more locations.

Almost all cisco router/swicthes support tcl

Ken Felix
Security and Network  Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   -   - )=
      /     \

No comments:

Post a Comment