Automatic config backups for routers, Catalyst switches and ASA

Adam Hudson
Level 1

I'm looking for a free solution to take monthly backups of my routers (2821), Catalyst switches (3650-X, 3750-X), and ASA (5510). I'm in a Windows environment and don't mind doing a little coding.

I've done some research looking at other popular solutions:

- SNMP and some combination of Bash scripts, but that doesn't support Catalyst switches from what I've read.

- Rancid, on Linux & OS X, not something prevalent in our environment

- Kiwi cat tools, not free

Is there something (or if need be, somethings) that I'm missing that will do this from a Windows environment for free?

Thanks in advance.

2 Accepted Solutions

Kron seems to be supported on routers only; for the ASA, here is a good explanation of how to gather the backups periodically:

https://supportforums.cisco.com/docs/DOC-14958

If you are looking for a centralized solution and you have a machine to act as a collector, rancid is really the best option (if you can allow a non-Windows machine).

Kind Regards,
Ivan

lrian
Level 1

Rancid + Cygwin gets you free, automatic backups of routers, switches and ASAs on Windows.

12 Replies

Ivan Shirshin
Cisco Employee

Hi Adam,

You can use the scheduler on Cisco routers for automatic config backup to an ftp server. Sample configuration:

kron occurrence monthly at 01:23 june 20 recurring
  policy-list save-config
!
kron policy-list save-config
  cli copy system:/running-config tftp://192.168.1.2/router-confg.txt

Scheduler guide:

http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/g_kron.html

Kind Regards,
Ivan


Is that just for routers or does it work for Catalyst switches and ASAs as well?

Kron seems to be supported on routers only; for the ASA, here is a good explanation of how to gather the backups periodically:

https://supportforums.cisco.com/docs/DOC-14958

If you are looking for a centralized solution and you have a machine to act as a collector, rancid is really the best option (if you can allow a non-Windows machine).

Kind Regards,
Ivan

fb_webuser
Level 6

You might consider using Expect (or Expect-Lite), which automates actions such as entering commands in the CLI. You can create a script which will upload the config, and other things you want to back up from your router, to some ftp or something else.

---

Posted by WebUser Michal Dulus Dulovic from Cisco Support Community App

Ivan Shirshin
Cisco Employee

On second thought, if you want to run everything from a Windows machine and you do not mind coding, how about using PowerShell or Windows script? You can program a simple list of commands to telnet to the router or open a socket with TcpClient in a PowerShell script, execute whatever commands you need and collect the outputs, then disconnect. And Windows has plenty of ways to schedule the script to run periodically.

The drawback is the need to keep the IPs and password up to date in the script.

Kind Regards,
Ivan


Similar to Ivan's suggestion...

As you say you're a Windows shop, you can use plink (a PuTTY-related tool) to do the job.  Script out the commands you'd normally enter into the device into a commands.txt file and run it as...

plink.exe -ssh -pw pass -noagent -m commands.txt user@device

Combine multiple plink commands into a batch file.  Wire that into the scheduler.  Done.

Similar can be done on *nix too with ssh, a script and cron.

A major downside if using an external scheduler is that you need to store credentials.  So it's probably best you prompt for the password in script and run it yourself once a month.  The same method can be used to ease any repetitive task you might need to do.

For completeness: IOS 15 supports SSH public key auth, negating the need to store credentials (can use an SSH agent such as Pageant), but the ASA doesn't have that support yet AFAIK.

HTH,

Colin
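The plink approach from the post above, with the password prompted for at run time instead of stored, as an added PowerShell example that is not part of the original thread. The file names `devices.txt` and `commands.txt`, the folder `C:\ConfigBackups` and the completeness check are assumptions made for illustration.

```powershell
# Added example, not from the thread. Hypothetical names: devices.txt, commands.txt,
# C:\ConfigBackups. Assumes plink.exe is on PATH and each device's SSH host key is
# already cached for this Windows account (so -batch never has to ask).
$DeviceList  = Join-Path $PSScriptRoot 'devices.txt'   # one hostname or IP per line
$CommandFile = Join-Path $PSScriptRoot 'commands.txt'  # e.g. show running-config
$BackupRoot  = 'C:\ConfigBackups'

# Prompt once per run; the password is never written to disk.
$cred = Get-Credential -Message 'Device login for config backup'
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

$outDir = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
# Configs hold password hashes and keys: limit the folder to the current account.
icacls $BackupRoot /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(OI)(CI)F" | Out-Null

$devices = Get-Content $DeviceList | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$results = foreach ($device in $devices) {
    # -pw is visible in the local process list while plink runs, so run this on a
    # host only administrators can log on to. -batch fails instead of prompting.
    $output = & plink.exe -ssh -batch -noagent -pw $pass -m $CommandFile "$user@$device"
    $exit   = $LASTEXITCODE
    $text   = ($output | Out-String)

    # A complete IOS running-config ends with "end"; the ASA prints ": end".
    # Anything else is a truncated or failed session and is not saved.
    $complete = ($exit -eq 0) -and ($text -match '(?:^|\n)(: )?end\s*\z')
    $hash = $null
    if ($complete) {
        $outFile = Join-Path $outDir "$device.cfg"
        Set-Content -Path $outFile -Value $text -Encoding ASCII
        $hash = (Get-FileHash $outFile -Algorithm SHA256).Hash
    }
    [pscustomobject]@{ Device = $device; Saved = $complete; ExitCode = $exit; Sha256 = $hash }
}

$pass = $null
$results | Format-Table -AutoSize
# A non-zero exit code lets a wrapper or the operator notice a partial run.
if ($results | Where-Object { -not $_.Saved }) { exit 1 }
```

The SHA-256 column gives a quick way to see which configs changed since the previous month's run.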

fb_webuser
Level 6

We featured your question on our Facebook pages. You can check out the responses here: http://www.facebook.com/CiscoSupportCommunity/posts/384483051615818

---

Posted by WebUser Cisco NetPro from Cisco Support Community App

For the routers and switches, the "archive" command could help you, as the devices send the config to your host. This can be done, for example, with SCP or TFTP; server solutions are freely available. For the ASA, keep in mind that, depending on your setup, a backup of the config file is not enough.

Karsten

lrian
Level 1

Rancid + Cygwin gets you free, automatic backups of routers, switches and ASAs on Windows.

Hopefully the install on Cygwin goes better than my attempts to install it on Ubuntu; I've got multiple Nagios3 install errors from the latest version.

Thanks everybody for your suggestions so far.

For router/switch, try having a script that runs and basically performs a copy run tftp.

ASA is a little trickier if you are using it for anything other than a firewall. I would imagine you are leveraging the VPN capabilities of the appliance. If that is the case....

Here's a PowerShell script I wrote based on this:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/admin_swconfig.html#wp1240859

I also expanded it to capture the AnyConnect Client Profiles as well as Images, and export Certificates to provide the basic functionality obtained when using the ASDM Backup option.

It runs on our 2008 server, which is running a free TFTP server. (i.e. SolarWinds or TFTPD32/64)

You could probably re-tool it to use SCP if you have an SSH server running on Windows; it may perform better.

It requires SharpSSH - The initial SSH functions I found on the internet (here), the rest of the ASA specific functions I wrote.

You will probably need to be ASA 8.3+ as there are some syntax differences in the webvpn config that will probably affect the backup if not. Your mileage may vary.

I haven't actually tested the restore via CLI function, but it SHOULD work. The main thing is it backs up the config and then zips it up. You can then move it or whatever.

This script requires the SharpSSH library available from SourceForge. The link is in the header section of the script.

***Standard Disclaimer***

This script is provided as-is. I am not responsible for any damages, failures, disasters, catastrophes, data loss or any other failure resulting from the execution of this script on your system. If you do not agree to these terms you are prohibited from using this code on your system.

Additional notes:

You will need to set up a username and password in the script as well as the address/hostname of your tftp server.

Your ASA devices will need to resolve by their hostnames. Those host names must be in the same folder as the backup script in a file called "asa_list.txt"

You will need to set your path to the TFTP Root directory in the script. ($global:DirBase)

This was recently written by me, and appears to be "working for me". If you notice any problems, please feel free to comment.

The script, as configured, will export certificates. If this behavior is not desired, please comment out these lines:

Write-Host Exporting Certificates...

ExportCertificates

That should cover it. Without further ado....

Rancid's been working ok until about 2 weeks ago when someone who knows Linux a lot better than I do finally got it configured to only notify and backup the config when there's a change.

For something that seems fairly widely known in the networking community there is a shocking lack of documentation and some sort of support forums for it.
