Automatic Backup using SFTP
06-01-2023 11:01 PM
I am trying to configure an automated backup of the configuration on a daily basis from various Cisco devices.
I have tried the KRON & archive methods without any luck.
Is there any valid document on this subject with examples?
Switch# config t
Switch(config)# archive
Switch(config-archive)# log config
Switch(config-archive-log-cfg)# logging enable
Switch(config-archive-log-cfg)# hidekeys
Switch(config-archive-log-cfg)# exit
Switch(config-archive)# path sftp://user1:password2123@10.10.10.1//Backups/Cisco-Switch-Backup
Router(config)#kron policy-list Backup
Router(config-kron-policy)#cli show run | redirect sftp://user1:password@123@10.10.10.1//Backups/Cisco-Switch-Backup
Router(config-kron-policy)#exit
Router(config)#kron occurrence Backup at 23:50 Sun recurring
Router(config-kron-occurrence)#policy-list Backup
Switch(config-archive)# write-memory
Switch(config-archive)# time-period 1410
06-02-2023 01:25 AM
Hello @karamalomari,
You can also use EEM script to send the configuration to the server automatically. With EEM script you can do backup as soon as you do [wr] or every 24 hours (for example).
Example here: https://community.cisco.com/t5/network-management/automatic-backup-using-eem/td-p/1876471/page/2
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
06-05-2023 01:23 AM
The issue is with the SFTP connection with the server.
It is displaying the following error:
%SSH-3-NO_MATCH: No matching kex algorithm found: client diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 server curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512.
I am not sure what is the exact issue here.
06-05-2023 02:07 AM - edited 06-05-2023 03:07 AM
show ip ssh <<- share this
Which Ciphers and Algorithms supported by SFTP Connection | ZappySys
We need to check that the key exchange and the cipher match between Cisco and SFTP.
06-05-2023 02:29 AM
Hello @karamalomari,
This issue typically arises when the SSH server has more secure algorithms enabled, while the SSH client (in this case your Cisco device) only supports older, less secure algorithms.
The easy way, though generally not recommended from a security standpoint: if you have control over the SSH server, you can modify its configuration to allow the diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1 algorithms.
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
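Added example (not part of any post in this thread): a small Python parser for the `%SSH-3-NO_MATCH` line quoted above, showing that the device and server share no key-exchange method and which SHA-2 counterparts the server already offers. The sample line is constructed from the error text in the thread; the function and field names are illustrative.

```python
import re

# Constructed sample: the error text quoted in the thread, as a single line.
SAMPLE = (
    "%SSH-3-NO_MATCH: No matching kex algorithm found: "
    "client diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 "
    "server curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
    "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,"
    "diffie-hellman-group18-sha512."
)

NO_MATCH = re.compile(
    r"%SSH-3-NO_MATCH: No matching kex algorithm found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

def _algs(field):
    # Comma-separated list; the message ends with a full stop that is not part of a name.
    return [a for a in field.rstrip(".").split(",") if a]

def diagnose(line):
    """Return a dict describing the kex mismatch, or None if the line is not NO_MATCH."""
    m = NO_MATCH.search(line)
    if m is None:
        return None
    client, server = _algs(m["client"]), _algs(m["server"])
    # SSH picks the first algorithm in the client's list that the server also offers.
    common = [a for a in client if a in server]
    # SHA-2 variants of the client's SHA-1 methods that the server already accepts.
    siblings = [a.replace("-sha1", "-sha256") for a in client if a.endswith("-sha1")]
    return {
        "negotiated": common[0] if common else None,
        "client_sha1_only": bool(client) and all(a.endswith("-sha1") for a in client),
        "server_would_need": [] if common else client,
        "sha2_siblings_on_server": [a for a in siblings if a in server],
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

An empty `negotiated` together with a non-empty `sha2_siblings_on_server` means a client that offered the SHA-256 variants would connect without the server having to accept SHA-1 key exchange.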
06-07-2023 04:02 AM
Dear M02@rt37,
Could you please check the below:
Switch(config)#event manager applet Auto-Backup
Switch(config-applet)#event none
Switch(config-applet)#action 1.0 cli command "enable"
Switch(config-applet)#action 2.0 info type routername
Switch(config-applet)#action 3.0 cli command "show clock"
Switch(config-applet)#action 4.0 regexp "([0-9]+) ([0-9]+)" "$_cli_result" match day year
Switch(config-applet)#action 5.0 regexp "([a-zA-Z]+) [0-9]+ [0-9]+" "$_cli_result" match month
Switch(config-applet)#action 6.0 cli command "copy runn sftp://user:password@x.x.x.x/$_info_routername_$h_$t.cfg" pattern "Address"
Switch(config-applet)#action 7.0 cli command "" pattern "Destination"
Switch(config-applet)#action 8.0 cli command ""
This will generate an automatic backup daily and send it to the SFTP server, correct?
I am using an SFTP server; will that be an issue, or is it the same as TFTP?
06-07-2023 04:05 AM
SFTP is different from TFTP.
In SFTP the traffic is secured by SSH.
Here your router/switch acts as the SSH client and exchanges ciphers with the SFTP server; after that the connection is established and you can automatically back up the file.
If you have not configured an RSA key, or your ciphers mismatch, then this process will not complete.
If you don't want to use SFTP, use TFTP instead.
06-12-2023 03:15 AM
It is failing only when using the event manager option, but when using archive and kron it works perfectly without any issues, of course using SFTP in both cases.
06-12-2023 03:26 AM
Sorry, I am confused here: your original post mentioned kron does not work? Can you confirm which is not working,
Kron or EEM?
Thanks
MHM
06-13-2023 12:01 AM
Sorry for the confusion, archive + kron is working fine.
EEM is not working: when trying to run the event, it reaches the section where the password is required and then fails.
07-28-2023 01:17 PM
Is it safe to use TFTP? I am worried about data being transferred in the clear. I didn't have any luck with SMB.
07-28-2023 01:31 PM
TFTP is not the best choice for transferring sensitive or confidential data.
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
07-31-2023 01:52 AM
You can use SFTP or SCP with the archive & kron method.
Notes:
Version 17.1 and earlier will support both, but the SSH algorithm supported is only SHA1, so you need to make sure that your SCP or SFTP server accepts that algorithm.
Version 17.2 and above will support both with SSH algorithm SHA256.
Example:
conf t
ip scp server enable
ip ssh source-interface xxxxx
archive
log config
hidekeys
logging enable
path sftp://username:password@sftp server ip/$h$t
write memory
time-period 1410
!
kron policy-list Backup
cli write memory
!
kron occurrence Backup at "time you want the backup to take place"
policy-list Backup
!
Hope this helps
06-12-2023 03:32 AM
Hello @karamalomari,
It appears to be set up correctly. The actions in the applet include enabling privileged mode, retrieving the router name, displaying the current time, extracting the day, year, and month from the clock output, and then executing a CLI command to copy the running configuration to the specified SFTP server.
If your SFTP server is properly configured and reachable from the switch, the configuration you provided should perform the automatic daily backup and send it to the specified SFTP server successfully.
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
