Automatic Config Backup if Change

nonamer15
Level 1

What I'm looking to do is automatically send the configuration to an FTP server if the configuration has changed. I'd like this to run once a day and if the configuration has changed since the last check, send it to the server.

 

It doesn't appear config archive or kron can check if the configuration has actually changed. The only other options that I know of are EEM and TCL. EEM has cron capability, so it can run once a day. As far as checking whether the configuration changed, I'm not sure if EEM can do that. TCL I'm less familiar with than EEM.

 

Regardless of how this is accomplished, I'd like it to be resilient against false configuration changes. I've noticed if you enter configuration mode and then exit, the running configuration will update the 'Last Configuration' timestamp. IOS knows a change didn't occur as issuing 'show archive config diff' does not show any changes.

 

I'd also like it to be resilient against configuration changes that weren't saved. So if someone modifies the running configuration, but forgets to write it to memory, the script would still detect this as a configuration change.

 

Is EEM capable of handling this? If not, is TCL my only option? Thanks.

6 Replies

balaji.bandi
Hall of Fame

There are different methods to do this, but you can choose whichever way works for you.

Option 1:

1. You can use an EEM script to archive the config.

2. You do show archive config difference for the changes.

Another example, this is from my notes:

https://community.cisco.com/t5/network-management/eem-backup-script-to-include-timestamp/td-p/2963432

Option 2:

Use any Linux machine: get the config backed up on a daily basis, compare the configs and write a script to email the differences.

Option 3:

SolarWinds CatTools auto-backs up all the devices daily, shows you the changes in a web page and emails you the config changes.

 
BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

nonamer15
Level 1

@balaji.bandi

Thanks for your response. For your option 2, I considered this, but it poses some issues for my environment. The biggest is that a majority of these devices are behind a firewall and I have to use my RSA SecurID to get through the firewall. Additionally, this would be for around 1,500 devices, so I'd much prefer the devices to push the config than for me to remote to each one.

 

For option 3, at some point in the future will we have a management system that will archive these configs for us. What I'm trying to get going is a temporary solution until then. However, there are specific use cases where the devices won't have a management system. In these cases, the environment is airgapped and we don't have any management system within that environment, so some type of script on the device is our only option.

 

For the example you provided, the issue I see with it is that it keys on the syslog string '%SYS-5-CONFIG_I: Configured from'. As mentioned in my original post, this won't detect 'false configuration changes'. It's possible for someone to enter configuration mode and then exit without making changes. This solution would determine a difference occurred when it didn't.

 

For 'show archive config difference', this only works if the running-config hasn't been saved to the startup-config. Once that happens, 'show archive config difference' will show no difference, so I'm not sure how that would work.

 

With EEM, how do you determine if the config has truly changed since the last check? Let's say EEM is configured with a cron timer to run once a day. When it runs, how can I check to see if the current running-config is different from the last check? Conceptually, and I don't know if EEM can do this, but I've thought about saving the running-config to a local file and then hashing that file. So when EEM runs the next day, it will grab the current running-config, save it to file, and compute the hash. If the hashes match, no change occurred. If different, then a change occurred. The problem with something like this, assuming EEM can do it, is that 'false configuration changes' are still possible as when someone enters and exits configuration mode without making changes, the timestamp on the running config is modified. The only way to get around this would be to remove the below lines from the file:

! Last configuration change at 01:47:20 EDT Sun Aug 19 2018 by user
! NVRAM config last updated at 00:03:05 EDT Sun Aug 19 2018 by user

EEM scripts only run based on the event trigger. Yes, you are right, config t and end will also generate the same event, so we cannot determine whether the config changed or not.

----------------

Not sure whether we can use the show run change time and do TFTP.

! Last configuration change at 20:43:24 GMT Mon Aug 20 2018

Other option:

If you are looking for the option to only push from the device rather than pull from external:

In this case let all devices push the config to a TFTP server, from where you do some scripting to compare the configs and generate a report.

Make sense? This is the only option that suits your need, I guess, because of the secure environment.

 


nonamer15
Level 1

My event would be a cron timer. It would be setup to run once a day at a specified time.

 

Currently what I'm trying is saving the current running-config to a file. Then, it checks to see if another file exists, which is the MD5 of the previous running-config. If this file exists, it grabs the MD5 stored in the file and checks this versus the MD5 of the current running-config. If they are the same, no change occurred, so we won't backup the file. If it did change, save the new MD5 to the file and backup the config. I haven't found a way to remove these lines from the config before saving to a file, though:

! Last configuration change at 01:47:20 EDT Sun Aug 19 2018 by user
! NVRAM config last updated at 00:03:05 EDT Sun Aug 19 2018 by user

For your other solution, it would work in certain cases for my environment, but not all. Even with it working in certain cases, it seems wasteful as it's always backing up the config. Then, I have to have a separate system to determine whether a change occurred. If one didn't, then I have to remove that config. All the checks should occur on the Cisco device before backing up as that makes most sense.
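The detection logic discussed in this thread (save a copy of the running-config, hash it, compare against the hash from the previous run, and back up only on a real change) works just as well on a collection server as on the device, and the "false change" problem is solved by dropping the two volatile header lines before hashing. The script below is an added example written for this thread; it is not from either poster and not a Cisco tool. It assumes the configs arrive as text files (for example pushed to a TFTP server as suggested above), uses SHA-256 in place of MD5, keeps the last normalized copy so it can also emit a unified diff of what changed, and the sample configs `DAY1`, `DAY2` and `DAY3` are constructed for the demonstration. The same normalization would be the step to reproduce in an EEM Tcl policy if the check has to stay on the device.

```python
"""Detect real configuration changes by hashing a normalized copy of the config.

Added example for the thread above (not the posters' code). Strips the
'! Last configuration change' and '! NVRAM config last updated' lines, which
IOS rewrites whenever someone enters or saves config mode, so that entering
and leaving configuration mode without changing anything is not reported.
"""
import difflib
import hashlib
import re
import tempfile
from pathlib import Path

# Header lines that change without any configuration change (from the thread).
VOLATILE_LINE = re.compile(
    r"^!\s*(Last configuration change at|NVRAM config last updated at)"
)


def normalize(config_text: str) -> str:
    """Return the config with volatile header lines removed and trailing spaces stripped."""
    kept = [line.rstrip() for line in config_text.splitlines()
            if not VOLATILE_LINE.match(line)]
    return "\n".join(kept) + "\n"


def config_digest(config_text: str) -> str:
    """SHA-256 of the normalized config (MD5, as used in the thread, would work the same)."""
    return hashlib.sha256(normalize(config_text).encode()).hexdigest()


def check_and_backup(config_text: str, state_dir: Path, hostname: str) -> dict:
    """Compare the new config to the stored digest; archive it only if it really changed.

    State kept per device: <hostname>.sha256 (last digest) and <hostname>.last.cfg
    (last normalized copy, used to produce a diff for the change report).
    """
    state_dir.mkdir(parents=True, exist_ok=True)
    digest_file = state_dir / f"{hostname}.sha256"
    last_copy = state_dir / f"{hostname}.last.cfg"

    new_digest = config_digest(config_text)
    old_digest = digest_file.read_text().strip() if digest_file.exists() else None
    if old_digest == new_digest:
        # Only timestamps (or nothing) differ: no backup, no report.
        return {"changed": False, "digest": new_digest, "diff": ""}

    old_text = last_copy.read_text() if last_copy.exists() else ""
    diff = "".join(difflib.unified_diff(
        old_text.splitlines(keepends=True),
        normalize(config_text).splitlines(keepends=True),
        fromfile=f"{hostname} (previous)", tofile=f"{hostname} (current)",
    ))
    # Persist the digest and the normalized copy for the next daily run.
    digest_file.write_text(new_digest + "\n")
    last_copy.write_text(normalize(config_text))
    return {"changed": True, "digest": new_digest, "diff": diff}


# Constructed sample: the same config collected on two days, only timestamps differ.
DAY1 = """! Last configuration change at 01:47:20 EDT Sun Aug 19 2018 by user
! NVRAM config last updated at 00:03:05 EDT Sun Aug 19 2018 by user
!
hostname rtr1
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
end
"""
DAY2 = DAY1.replace("01:47:20 EDT Sun Aug 19", "20:43:24 GMT Mon Aug 20")
# Day 3: a real change to the running-config (whether or not it was ever saved).
DAY3 = DAY2.replace("255.255.255.0", "255.255.255.128")


def run_demo() -> list:
    """Run three daily checks against a throwaway state directory; return the change flags."""
    flags = []
    with tempfile.TemporaryDirectory() as tmp:
        for cfg in (DAY1, DAY2, DAY3):
            result = check_and_backup(cfg, Path(tmp), "rtr1")
            flags.append(result["changed"])
            if result["diff"]:
                print(result["diff"])
    return flags


if __name__ == "__main__":
    print(run_demo())  # first run backs up, day 2 is ignored, day 3 is a real change
```

Run it once per collected file after each daily push; the first run for a device always archives (no stored digest yet), the timestamp-only change on day 2 is ignored, and the mask change on day 3 is archived with a diff. Because the comparison is against the previous running-config rather than against startup-config, an unsaved change is still caught, which is the second requirement from the original post.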

I have suggested the best methods; you need to choose whichever suits your business.

Backing up the config is never wasted, because in a worst-case situation you need the backup to restore after any hardware failure.

If I were you, my backup and compare process would be on the same box; it's a simple compare script.

Note: this is only a suggestion and advice.

 


Dan Frey
Cisco Employee