
Configuration archive on Cisco 9200L Series

narnox
Level 1

Hello there,

I'm doing an internship in the network department of a big company and my job is to test the configuration archive feature of network devices.

Since I'm a beginner on network devices, I've followed some guides on the internet to figure out how to roll back to older versions of configurations. The aim is mainly to avoid losing connection to devices that we cannot reach on foot.

Testdevice is a Cisco 9200L Switch (Version 17.03.03).

So, I've started by configuring the conf-archive by:

TestSW1(config)#archive
TestSW1(config-archive)#path flash:/conf_arch
TestSW1(config-archive)#write-memory
TestSW1(config-archive)#CTRL/Z
TestSW1#write
Building configuration...
[OK]

sh arch now shows that an archived version of the configuration has been created. Call it version 0 for now.

I then switched back to configuration mode and made some random changes to the running configuration, such as applying vlan and description changes to various interfaces. Another write to the startup, creating version 1.

Then I want to rollback to version 0.

I do this by:

TestSW1#configure replace flash:/conf_arch/Filedate_Filename_VERSION-0

Now the rollback aborts.

Rollback aborted after 5 passes
The following commands are failed to apply to the IOS image.
********
no quit
no < part of ssh key hash >
no < part of ssh key hash >
no < part of ssh key hash >
no < part of ssh key hash >
no < part of ssh key hash >
no certificate ca < part of key hash >
interface GigabitEthernet1/0/17
switchport trunk allowed vlan 43
switchport mode trunk
********************

What I understand is:
Archive saves something like a copy of the startup where the hash keys are not part of it. When the configure replace should be done, it detects that there are no such keys in the archive configuration file. That is why it says no < part of ssh key hash >.
But this is not a valid CLI command.

Maybe someone can help me with this?

Have a nice weekend everyone
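
A small triage helper for the failure list quoted in the post above, added here as an example (not code from the thread or from Cisco): it separates failed lines that look like certificate data from lines that are ordinary configuration. The sample output is constructed, and treating `quit`, `certificate ...` and uppercase hex groups as certificate-chain data is an assumption of this example.

```python
import re

# Constructed sample in the shape of the output quoted in the post above;
# the hex groups and the serial "01" are made up for illustration.
SAMPLE = """\
Rollback aborted after 5 passes
The following commands are failed to apply to the IOS image.
********
no quit
no 30820321 30820209 A0030201 02020101
no D697DF7F 28
no certificate ca 01
interface GigabitEthernet1/0/17
switchport trunk allowed vlan 43
switchport mode trunk
********************
"""

# Assumption: certificate data appears as space-separated uppercase hex groups.
HEX_LINE = re.compile(r"^[0-9A-F]{2,8}(?: [0-9A-F]{2,8})*$")
CERT_CMD = re.compile(r"^(?:certificate\b|quit$)")

def failed_commands(output):
    """Return the command lines between the two rows of asterisks."""
    cmds, inside = [], False
    for line in output.splitlines():
        line = line.strip()
        if line and set(line) == {"*"}:
            if inside:
                break
            inside = True
        elif inside and line:
            cmds.append(line)
    return cmds

def triage(output):
    """Split failed commands into certificate-data lines and everything else."""
    cert, other = [], []
    for cmd in failed_commands(output):
        body = cmd[3:] if cmd.startswith("no ") else cmd
        if cmd.startswith("no ") and (HEX_LINE.match(body) or CERT_CMD.match(body)):
            cert.append(cmd)
        else:
            other.append(cmd)
    return cert, other

if __name__ == "__main__":
    cert, other = triage(SAMPLE)
    print(f"{len(cert)} certificate-data lines, {len(other)} other lines:")
    for cmd in other:
        print("  review:", cmd)
```

Lines that land in the second list, such as the interface and switchport lines here, are the ones to compare by hand against the archived file.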


Hello!

The first part of your configuration just saves the configuration to the flash each time you do a write memory.

TestSW1(config)#archive
TestSW1(config-archive)#path flash:/conf_arch
TestSW1(config-archive)#write-memory
TestSW1(config-archive)#CTRL/Z

If you want to do a rollback of configuration use the following:
archive
path flash:/
maximum 1

then in #
configure terminal revert timer idle 1


This will rollback the configuration back to the original saved config if you lose the connection (idle timer is more than 1min).

What you are doing with your configuration replace is just replacing the current config with the saved one you are referencing. Which will fail to overwrite some parts of the config (cert ca...)

BR

****Kindly rate all useful posts*****

I think what you see is normal; archive doesn't recover any encrypt/hash value.

narnox
Level 1

Hi folks,
Thanks for responding.
I've also read the documentation for this feature, so I have some understanding of what the commands do.
My situation is more that the rollback feature itself does not work if you are using any encryption on these devices. The functionality itself tries to negate all hash values (e.g. "no FFFFFF FFFFF FFFFFF FFFFFF FFFFFF"), which simply results in an error and the rollback fails. This happens because there is no encryption in the startup (where the archive is generated from) and the rollback is applied to the running configuration where there is encryption.

How do I get this rollback to work anyway, since not having encryption on the devices is not an option? In my eyes, not having the ability to encrypt devices, if you want to have a rollback functionality on these, would make the feature pretty much useless.

Best regards
