Hi, I’m looking for suggestions on the following backup scenario and specifically looking to see if there’s a better way of doing this.
I have a couple of Cisco routers, IOS 16.x, that are connected together via a back-channel management link. One router is active; the other is a cold standby backup router. The backup router gets sent the config from the active router via SCP copy. This copies the active router’s startup config over to the backup router’s bootflash. I’m doing this via a kron scheduled job. I know I can do this with EEM scripts with the same result, but my biggest concern is that the username used to copy over the config via SCP has its password visible in the active router’s config.
I’m using this command to copy over the config to the backup router,
I just don’t like how the username’s password is visible. Is there a way to obfuscate this or encrypt the password so it’s not visible in the config? Likewise, is there a better solution than SCP? I know the router (ASR) can have a hot-standby config, but for various reasons we came to the conclusion that copying the config over and then applying it as needed is the simplest way in an already complicated network. BTW, I do have service password-encryption, but that only works for what IOS recognizes as a password command.
On the active router I have this
! stops the copy command from getting stuck when running inside kron; will not ask for confirmation
file prompt quiet
! schedule kron job
kron occurrence ASR-config-to-Backup-ASR at 5:00 Sat recurring
kron policy-list ASR-config-to-Backup-ASR
 cli copy start scp://backupuser:email@example.com/edge-frv-ma-asr1001x-edge-ACTIVE-confg
On the destination router I have,
! enable SCP copies from another device
ip scp server enable
! username that is used on the active router to copy the config over to bootflash
username backupuser privilege 15 secret 9 xxxxxxxx
I also don't like how the username that copies over the config via SCP has to be privilege 15, I looked to see if there is a way to give it only write access to the bootflash but I can't seem to find a way with privilege level commands, not sure if there is a way with aaa authorize.
Looking forward to a better way of doing this and/or how to not make the password visible.
Please rate and mark as an accepted solution if you have found any of the information provided useful. This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
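A defender-side audit check for the exposure described in the post (an added example, not code from the original post or from Cisco): a Python script that scans a running-config excerpt for credentials embedded in copy/kron URLs and for local users stored with reversible passwords instead of `secret`. The sample config, hostname, address and credential values are constructed placeholders.

```python
import re

# Constructed sample of an IOS running-config excerpt (not the poster's real config);
# hostname, address and credentials are placeholders.
SAMPLE_CONFIG = """\
hostname ACTIVE-ASR
service password-encryption
username backupuser privilege 15 secret 9 $9$placeholderhash
username legacy privilege 15 password 7 094F471A1A0A
kron policy-list ASR-config-to-Backup-ASR
 cli copy start scp://backupuser:S3cretPass@192.0.2.10/ACTIVE-confg
ip scp server enable
"""

# URL with user:password@host, as embedded in copy commands, kron policies or EEM actions.
URL_CRED_RE = re.compile(
    r"\b(?P<scheme>scp|ftp|http|https|tftp)://(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@(?P<host>[^/\s]+)"
)
# Local user lines using 'password' (type 0 cleartext or type 7 reversible) instead of 'secret'.
USER_PW_RE = re.compile(r"^username\s+(?P<user>\S+).*\s+password\s+(?:(?P<type>[07])\s+)?\S+")


def audit_config(config_text):
    """Return a list of (line_no, finding, line) for credential exposures.

    The password portion of any URL finding is redacted so the report itself
    does not re-expose the secret.
    """
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = URL_CRED_RE.search(line)
        if m:
            redacted = line.replace(m.group("pw"), "<redacted>").strip()
            findings.append((n, f"cleartext {m.group('scheme')} credential for user "
                                f"'{m.group('user')}' embedded in URL", redacted))
            continue
        m = USER_PW_RE.match(line.strip())
        if m:
            kind = "type 7 (reversible)" if m.group("type") == "7" else "type 0 (cleartext)"
            findings.append((n, f"user '{m.group('user')}' stored with {kind} password; "
                                f"use 'secret' instead", line.strip()))
    return findings


if __name__ == "__main__":
    for line_no, finding, text in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {finding}\n    {text}")
```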