Backup your Cisco Device Config without Expensive Software

in networking •  7 years ago 

No, this is not another copy run tftp article. Anyone that's worked with Cisco network equipment is normally familiar with the old routine: set up a TFTP server, log in to the device, and issue the copy run tftp command. Several vendors offer software to perform this automatically for you, and many cost some bucks. Cisco has their LAN Management System (LMS) which will back up your configs, manage your inventory, track config revisions, and many, many more features. Solarwinds offers their Network Configuration Manager (NCM) product, which is a little more stripped down when compared to LMS, but NCM does back up your configs and integrates nicely with their Orion product. Revision and change tracking notifications are built in as well. There's nothing wrong with either one of these, but maybe you don’t need a tactical nuke to go deer hunting (LMS), or maybe you don’t want to spend a few grand for 10 devices (NCM). The other consideration is that both of these work by connecting to the device and then pulling the configuration files back to the mothership. What if you had to consider compliance requirements for something like NERC CIP and didn’t want LMS reaching into your Electronic Security Perimeter (ESP) just to grab a backup every night, or every week? Oh sure, Solarwinds or Cisco will gladly sell you another license so their product can run within your ESP, and they will likely give you a great deal on the second license. You will of course need to monitor for vulnerabilities on this new system in your ESP, and that system isn’t running just one more piece of software; it’s likely running Windows, IIS, .Net Framework, AntiVirus, and who knows what else.
Many times ESP management strategies don't scale well, because many companies are just trying to pass the next audit and resources are often thin at best. What if you could have the Cisco switch or ASA firewall push its config out to a backup server, and the only software needed is a server outside the ESP (DMZ maybe) listening on TCP port 22? Yes, that's right, no TFTP here, only audit-friendly encrypted traffic streams. Sounds good, yes? Now let’s get started saving money and pushing those configs in a secure manner which would make the most scrutinizing CIP Auditor say, “That looks fine,” which is a rare feat indeed.

Switches

Cisco offers some awesome features in their layer 3 switches called Embedded Event Manager (EEM) Applets. These bad boys will allow you to do just about anything, automatically, from inside the switch. Wait for something to happen, then do this: that is basically how it works. The other type of EEM component is called TCL Scripts, pronounced “tickle”, but it is nothing like Elmo. So an EEM applet may look something like this:

event manager applet INTERFACE.SHUTDOWN
 event syslog pattern "Interface GigabitEthernet1/0/48, changed state to administratively down"
 action 1.0 cli command "enable"
 action 1.5 cli command "config t"
 action 2.0 cli command "interface g1/0/48"
 action 2.5 cli command "no shutdown"
 action 3.0 cli command "end"
 action 3.5 cli command "who"
 action 4.0 mail server "1.1.1.1" to "[email protected]." from "[email protected]." subject ".Interface_G1/0/48_SHUT." body "Current users $_cli_result"

This EEM applet watches for a syslog message which indicates 1/0/48 was shut down administratively, then it runs the commands: enable, config t, interface g1/0/48, no shutdown, end, then attempts to see who is logged in, and emails some guy named kcherry with a subject line of the switch name, what happened, and who is logged in. I’ve tested this script and can confirm that everything works up to the email, and I didn’t have a test mail server to try it with. Awesome, so now we can grab our Cisco switch, code up some backup stuff and get to work, right? Well, this is sort of a teaser. You see, layer 2 switches don’t support EEM applets, only layer 3 and higher. I know, I know, “DANG you Kevin!” Hate me not, this is to pique your interest in EEM applets and is not what we need to back up switches. Next paragraph please…. To back up layer 2 switches we can use the archive command. A sample of that is below:

archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
 path scp://username:[email protected]/$H-$T.conf
 time-period 10080

Let’s break this down a little, shall we? From the global configuration mode we start with “archive”. We tell it to “log config” changes such as who did what, and when. Then set the size of that log with “logging size 200”. Next, let’s tell syslog what’s going on with “notify syslog contenttype plaintext”. Of course we need to hide that login info with “hidekeys”. Let’s send our configuration to an SCP server using “path scp://username:[email protected]/$H-$T.conf”, with a filename which contains the hostname and time and an extension of “.conf” (yes, Cisco does have some variables, but not many). Now let’s do this every “time-period 10080”, which is in minutes, so once per week. Ok, so all you need is an SCP server which can be reached by the switch, with the appropriate username/password, and storage. Solarwinds offers a free SCP server which runs under Windows by the way, but you can use whatever you would like.

Firewalls

Now what about those ASA firewalls? Well, a quick “?” at the CLI will result in……….. nothing. That’s right, no archive command. Great, now what? Fear not, we can use something called an Event Manager Applet. Check this out:

event manager applet Weekly_Backup
 description Weekly Backup to My Server
 event timer watchdog time 604800
 action 1 cli command "copy /noconfirm running-config scp://username:[email protected]/ESP-ASA1.conf"
 output none

Let’s review. Create an event manager applet named “Weekly_Backup”. Describe it so the compliance guys leave you alone with “description Weekly Backup to My Server”. Do this backup thing every 604800 seconds with “event timer watchdog time 604800”. Now run this action from the CLI as if I were typing it myself: “action 1 cli command "copy /noconfirm running-config scp://username:[email protected]/ESP-ASA1.conf"”. And don’t worry about saving the output: “output none”. I use this little config in production ASA firewalls and it works very well. Plus we “push” our configs out, not pull them in (yes, I know I use a lot of quotes).
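Both the switch archive above and this ASA applet only push files; the revision and change tracking that LMS and NCM bundle is left to whatever receives them. The following is an added example, not code from the post, of a check to run on the SCP server: it groups pushed files by device, flags a device whose newest backup is older than the weekly push interval, and diffs the last two revisions. It assumes the IOS $T suffix looks like `-Jan-9-02-00-07` (adjust the pattern to what your platform writes) and constructs its own sample directory.

```python
import difflib
import os
import re
import tempfile
import time
from collections import defaultdict

WEEK = 604800  # push interval on this page: 10080 minutes on IOS, 604800 seconds on the ASA
# Assumed IOS "$T" suffix shape in "$H-$T.conf" (e.g. sw1-Jan-9-02-00-07.conf); adjust to what your platform writes.
TS_SUFFIX = re.compile(r"-[A-Za-z]{3}-\d{1,2}-\d{2}-\d{2}-\d{2}(?:\.\d+)?$")

def host_of(filename):
    """Map a pushed filename back to the device name ($H, or the fixed ASA name)."""
    stem = filename[:-5] if filename.endswith(".conf") else filename
    return TS_SUFFIX.sub("", stem)

def backups_by_host(directory):
    """Return {host: [(mtime, path), ...]} with revisions sorted oldest to newest."""
    groups = defaultdict(list)
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if name.endswith(".conf") and os.path.isfile(path):
            groups[host_of(name)].append((os.path.getmtime(path), path))
    return {host: sorted(revs) for host, revs in groups.items()}

def stale_hosts(groups, max_age=WEEK + 3600, now=None):
    """Hosts whose newest backup is older than one push interval plus an hour of slack."""
    now = time.time() if now is None else now
    return sorted(host for host, revs in groups.items() if now - revs[-1][0] > max_age)

def config_drift(groups, host):
    """Unified diff between the two newest revisions of host ([] if fewer than two)."""
    revs = groups.get(host, [])
    if len(revs) < 2:
        return []
    (_, old_path), (_, new_path) = revs[-2:]
    with open(old_path) as old, open(new_path) as new:
        return list(difflib.unified_diff(old.read().splitlines(), new.read().splitlines(),
                                         old_path, new_path, lineterm=""))

def build_sample():
    """Constructed backup directory: two switch revisions and one ASA backup three weeks old."""
    directory, now = tempfile.mkdtemp(), time.time()
    files = {  # name -> (pretend push time, config body)
        "sw1-Jan-2-02-00-11.conf": (now - 2 * WEEK, "hostname sw1\nsnmp-server community public RO\n"),
        "sw1-Jan-9-02-00-07.conf": (now - WEEK, "hostname sw1\nusername audit privilege 15\n"),
        "ESP-ASA1.conf": (now - 3 * WEEK, "hostname ESP-ASA1\n"),
    }
    for name, (mtime, body) in files.items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return directory
```

Because the ASA applet writes the same ESP-ASA1.conf every week, the server has to version that file (or the applet use a timestamped name) before there is a second revision to diff.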

Conclusion

I really hope this helps someone, and if so, drop me a line. I developed these configs when confronted with the challenge of compliance requirements, with the help of a TAC engineer for the ASA portion.


Enjoy 

