I will not write a long introduction; I will just say that Archive is a handy tool that was introduced in IOS 12.3(4) and can solve several problems:
- Auto save configuration
- Logging each command entered in configuration mode
- Compare and Rollback Configurations
Auto save configuration
1. Configuration storage path. Rotation
You can specify the storage path for archive configurations as follows:
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#archive
SW1(config-archive)#path tftp://10.0.5.1/
SW1(config-archive)#end
SW1#
You can, of course, store the archives on local storage (flash:, disk0:, sup-bootflash:, nvram:), but then how would you restore the configuration if the device dies?
Now try to create the archive manually:
SW1#archive config
!
SW1#
ATTENTION: the “archive config” command archives the current device configuration (running-config), and does not save the running-config in the startup-config.
The result is a file with a name like this:

Why so? Because the default file name of the configuration archive is “[string]-<timestamp>-№”:
SW1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named tftp://10.0.5.1/-<timestamp>-1
 Archive #  Name
   1        tftp://10.0.5.1/-Jan-11-15-44-33.695-0 <- Most Recent
   2
   ......
   10
If you still decide to use local storage to archive configuration files, then it makes sense to limit the number of files. The maximum can be 14. In my example I use unix: storage, because I am running IOU/IOL in UnetLAB:
SW1(config-archive)#path unix:
SW1(config-archive)#maximum 5
In this case, after changing the archiving path to the local one and setting the limit to 5 files, when trying to create the 6th archive, the oldest archive file will be deleted.
But this is what I got when I tried to limit the number of stored archive configurations on a remote TFTP server:
SW1(config-archive)#maximum 3
Cannot set maximum when backing up to network path
If the archiving path is a network path, the limit cannot be set on the device; it has to be enforced by the server the files are sent to.
2. Automatic archiving. Kron
The path is now clear, but the archives need to be created automatically. The “write-memory” command in the “archive” context enables automatic archiving whenever the running-config is saved to the startup-config:
SW1(config-archive)#write-memory
SW1(config-archive)#end
SW1#write mem
Building configuration...
Compressed configuration from 1177 bytes to 843 bytes[OK]!
SW1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
Compressed configuration from 1177 bytes to 843 bytes[OK]!
SW1#
It does not matter which you use, “wr mem” or “copy run start”: the archive will be created either way. In this example, 2 files were created after using the commands.
Archiving when copying running-config to startup-config is good, but what if we need regular backups? You can use the “time-period” command, specifying the interval in minutes between archives. For example, you can use the value 10080 for archiving every week. Here is the result of auto-archiving every minute:
SW1(config)#archive
SW1(config-archive)#time-period 1
SW1(config-archive)#!
SW1(config-archive)#end
SW1#

What if you want to archive not at a certain time interval, but at a certain time? The answer is kron. Kron is defined by a policy and a scheduler. The syntax is intuitive, so it's easier to show with an example.
Let's set the policy:
SW1(config)#kron policy-list CONFIG_BACKUP
SW1(config-kron-policy)#cli wr mem
SW1(config-kron-policy)#exit
The “cli wr mem” line is the command that will be executed.
An important point to note is that kron does not support interactive commands in its cli lines, i.e. commands that require some dialogue. For example, “copy run start” will ask for the name of the file to save, so it will not work in kron. Therefore, you need to use wr mem.
Assign the scheduler:
SW1(config)#kron occurrence CONFIG_BACKUP_SCHED ?
  at  Date of kron occurrence eg. 14:30 Feb 13
  in  Delta time to kron occurrence
SW1(config)#kron occurrence CONFIG_BACKUP_SCHED at ?
  hh:mm  Time of day for occurrence (hh:min eg. 14:30)
SW1(config)#kron occurrence CONFIG_BACKUP_SCHED at 10:00 ?
  <1-31>     Day of month
  DAY        Day of Week eg mon, tue, etc
  MONTH      Month of year eg jan, feb, etc
  oneshot    Schedule kron occurrence exactly once
  recurring  Schedule kron occurrence repeatedly
SW1(config)#kron occurrence CONFIG_BACKUP_SCHED at 10:00 recurring
Clock currently not set it reads 16:25:44 UTC Wed Jan 11 2017
SW1(config-kron-occurrence)#policy-list CONFIG_BACKUP
SW1(config-kron-occurrence)#end
SW1#
Where:
- CONFIG_BACKUP_SCHED - scheduler name;
- at and in - obviously, execution at a certain time or after a certain interval, respectively. In the case of at, the time is specified as follows: {hh:mm [month] [day of month] [day of week]}. In my example, it runs daily;
- oneshot, recurring - perform once or regularly, respectively. I seem to have seen in the documentation that in some versions of IOS the system-startup option is also available, i.e. execution at device startup;
- policy-list CONFIG_BACKUP - the policy to work with.
Thus, in my example, the “wr mem” command will be executed daily at 10:00, and this will entail the archiving of the configuration (according to the archive setting).
The kron configuration will look something like this:
SW1#show running-config | section kron
kron occurrence CONFIG_BACKUP_SCHED at 10:00 recurring
 policy-list CONFIG_BACKUP
kron policy-list CONFIG_BACKUP
 cli wr mem
3. Variables in the configuration archive name. Timestamp
The file name of the archive is not very descriptive. I mentioned above that the file name is formed like this: “-<timestamp>-№”. Broken down:

Not a very readable name, and the milliseconds are clearly not needed. This is due to:
SW1#show running-config | section timestamp
service timestamps debug datetime msec
service timestamps log datetime msec
To get a readable file name, you need to correct the timestamp format (we also specify the time zone):
SW1(config)#clock timezone Golf +7
SW1(config)#service timestamps log datetime year localtime show-timezone
Now the file looks like this:

I.e. “month-day-year-hour-minute-second-time zone-file number”.
From the format of the “service timestamps” command it is quite clear how to remove, for example, the year or the time zone.
What about the hostname? You can use this form for clarity:
SW1(config)#archive
SW1(config-archive)#path tftp://10.0.5.1/SW1
SW1(config-archive)#end
SW1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named tftp://10.0.5.1/SW1-<timestamp>-0
.....
Then, as you can see, the file name will consist of the text “SW1” and a timestamp. It will be clear which device the configuration came from. But if the host name changes, you will have to manually change this setting in the archive. Instead, you can use the $h variable, which stores the host name. By the way, the $t variable stores the timestamp, but there is no longer any point in using it: in IOS 15, <timestamp> is automatically substituted into the file name. On IOS 12, you would have to use the entry “path tftp://10.0.5.1/$h-$t”; now this is quite enough:
SW1(config)#archive
SW1(config-archive)#path tftp://10.0.5.1/$h
SW1(config-archive)#end
SW1#
And the result:

Logging commands entered
The Archive feature can archive not only configuration files but also the configuration commands that were entered, i.e. the commands that changed the device configuration, as well as the “enable” command (i.e. if someone enters privileged mode, this is logged too).
The difference from “show history” is obvious (history only lists my personal commands). But it is better to show an example:
SW1(config)#archive
SW1(config-archive)#log config
SW1(config-archive-log-cfg)#logging enable
SW1(config-archive-log-cfg)#logging size 200
SW1(config-archive-log-cfg)#hidekeys
logging enable - enables logging of configuration commands;
logging size - the maximum number of stored commands;
hidekeys - hide passwords when viewing logged commands.
What it all looks like:
SW1#show archive log config all
 idx   sess   user@line      Logged command
   1      1   mark@console  |  logging enable
   2      1   mark@console  |  logging size 200
   3      1   mark@console  |  hidekeys
   4      2   mark@console  |username greg privilege 1 secret *****
   5      2   mark@console  |!config: USER TABLE MODIFIED
   6      0   greg@vty0     |!exec: enable
I.e. we see the user name (in my case, mark and greg) and the line from which the actions were performed; we even see the “enable” command, but we do NOT see the password of the newly created greg (as intended).
SW1(config-archive-log-cfg)#notify syslog
This command also sends notifications to the syslog server (if one is configured; otherwise they go to the console and monitor) as messages like these:
*Jan 12 2017 17:12:30 Golf: %PARSER-5-CFGLOG_LOGGEDCMD: User:mark logged command:interface Ethernet0/3
*Jan 12 2017 17:12:32 Golf: %PARSER-5-CFGLOG_LOGGEDCMD: User:mark logged command:no shutdown
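On the syslog server these messages can be reviewed automatically. The sketch below is an added example, not code from the article: it parses CFGLOG_LOGGEDCMD lines in the format shown above and flags commands on a hypothetical watch list; the watch list and all sample lines after the first two are assumptions constructed for illustration.

```python
import re

# Syslog form produced by "notify syslog", as in the two messages above.
LOGGEDCMD = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<tz>\S+): "
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Hypothetical watch list (an assumption, tune it per site): commands that touch
# accounts or weaken the archive/logging/kron setup configured in this article.
WATCH = [
    (re.compile(r"^(no )?username \S+"), "local account changed"),
    (re.compile(r"^(no )?enable (secret|password)\b"), "enable credential changed"),
    (re.compile(r"^no (archive|log config|logging enable|notify syslog|hidekeys)\b"),
     "config logging weakened"),
    (re.compile(r"^no kron "), "scheduled backup removed"),
]

# Constructed sample: the first two lines are from the article, the rest are made up.
SAMPLE = """\
*Jan 12 2017 17:12:30 Golf: %PARSER-5-CFGLOG_LOGGEDCMD: User:mark logged command:interface Ethernet0/3
*Jan 12 2017 17:12:32 Golf: %PARSER-5-CFGLOG_LOGGEDCMD: User:mark logged command:no shutdown
*Jan 12 2017 17:15:02 Golf: %PARSER-5-CFGLOG_LOGGEDCMD: User:mark logged command:username greg privilege 1 secret *****
*Jan 12 2017 17:20:41 Golf: %SYS-5-CONFIG_I: Configured from console by mark on console
*Jan 12 2017 17:31:09 Golf: %PARSER-5-CFGLOG_LOGGEDCMD: User:greg  logged command:no logging enable
""".splitlines()

def parse(line):
    """Return ts/tz/user/cmd for a CFGLOG_LOGGEDCMD line, or None for anything else."""
    m = LOGGEDCMD.match(line.strip())
    return m.groupdict() if m else None

def review(lines):
    """Return (timestamp, user, command, reason) for every watched command."""
    findings = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue  # other syslog messages are not config-log entries
        for pattern, reason in WATCH:
            if pattern.search(event["cmd"]):
                findings.append((event["ts"], event["user"], event["cmd"], reason))
                break
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(" | ".join(finding))
```

Because hidekeys is enabled, the flagged username line carries `*****` instead of the secret, so the review output is safe to forward.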
You can also view information on each user by session:

But here it is necessary to take into account that a session in this context is a session of entering configure terminal. I.e. 3 sessions does not mean at all that mark logged out; it only means that he left configuration mode.
And a couple of examples:

Comparison of configurations. Configuration rollback
1. Comparison of configurations
Together with the Archive function in IOS, a useful feature for comparing configurations appeared. For example, compare startup-config with a config on a tftp server:
SW1#$show archive config differences nvram:startup-config tftp://10.0.5.1/SW1-Jan-13-2017-10-00-00-Golf-3
Loading SW1-Jan-13-2017-10-00-00-Golf-3 from 10.0.5.1 (via Vlan1): !
[OK - 1483 bytes]
!Contextual Config Diffs:
+service timestamps log datetime localtime show-timezone year
+username greg secret 4 WGWXTgqyMqk91MhF3Gz5CQdMnLHU4clSthRczGfB2dY
+clock timezone Golf 7 0
+archive
 +log config
  +logging enable
  +logging size 200
  +hidekeys
 +path tftp://10.0.5.1/$h
 +write-memory
+kron occurrence CONFIG_BACKUP_SCHED at 10:00 recurring
 +policy-list CONFIG_BACKUP
+kron policy-list CONFIG_BACKUP
 +cli wr mem
-service timestamps log datetime msec
+ means that the line is in the second specified configuration file (that is, in SW1-Jan-13-2017-10-00-00-Golf-3), but it is not in the first (that is, in startup-config );
- means that the line is in the first configuration file (in the startup-config), but it is not in the second (in SW1-Jan-13-2017-10-00-00-Golf-3).
To compare running-config with the same configuration file on a remote tftp server, the command will be used:
SW1#show archive config differences system:running-config tftp://10.0.5.1/SW1-Jan-13-2017-10-00-00-Golf-3
To compare running-config with startup-config, just use a short entry:
SW1#show archive config differences
!Contextual Config Diffs:
interface Ethernet0/3
 -shutdown
In fact, this is the “show archive config differences system:running-config nvram:startup-config” command.
Well, in this case, it is clear that run differs from start only in that the interface Eth0/3 is administratively disabled in the current configuration.
The “show archive config incremental-diffs” command with the configuration file will show which lines will be added to the running-config during the copy operation from this file to run:
SW1#$ show archive config incremental-diffs tftp://10.0.5.1/SW1-Jan-13-2017-10-00-00-Golf-3
Loading SW1-Jan-13-2017-10-00-00-Golf-3 from 10.0.5.1 (via Vlan1): !
[OK - 1483 bytes]
!List of Commands:
service timestamps log datetime localtime show-timezone year
username greg secret 4 WGWXTgqyMqk91MhF3Gz5CQdMnLHU4clSthRczGfB2dY
clock timezone Golf 7 0
archive
 log config
  logging enable
  logging size 200
  hidekeys
 path tftp://10.0.5.1/$h
 write-memory
kron occurrence CONFIG_BACKUP_SCHED at 10:00 recurring
 policy-list CONFIG_BACKUP
kron policy-list CONFIG_BACKUP
 cli wr mem
end
But it is worth remembering that a copy to running-config is not at all the same as configure replace.
Take startup-config, for example:
SW1#show archive config differences
!Contextual Config Diffs:
interface Ethernet0/3
 -shutdown
SW1#show archive config incremental-diffs nvram:startup-config
!List of Commands:
end
!No changes were found
I.e. “differences” shows that Eth0/3 is disabled in run, but incremental-diffs says that nothing will be added to the current configuration by “copy start run”. In other words, this command will not roll us back to the startup-config.
2. Rollback configuration
When working through vty, some use the “reload in [min]” command so that if errors are made in the current configuration and access to the device is lost, the device automatically reboots after a certain time interval and changes are rolled back to startup-config.
Archive allows you to solve such problems without rebooting the device, by means of a delayed rollback of running-config.
ATTENTION: to use rollbacks, configuration archiving must be configured. For example:
SW1#show running-config | section archive
archive
 log config
  logging enable
  logging size 200
  hidekeys
 path tftp://10.0.5.1/$h
 write-memory
a. Rollback after a certain time interval
Let's proceed to configuring the device. First, set the rollback timer with “configure terminal revert timer”:
SW1#configure terminal revert timer 20
!Rollback Confirmed Change: Backing up current running config to tftp://10.0.5.1/SW1-Jan-13-2017-16-16-30-Golf-1
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#
*Jan 13 2017 16:16:30 Golf: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_BACKUP: Backing up current running config to tftp://10.0.5.1/SW1-Jan-13-2017-16-16-30-Golf-1
*Jan 13 2017 16:16:30 Golf: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_START_ABSTIMER: User: mark: Scheduled to rollback to config tftp://10.0.5.1/SW1-Jan-13-2017-16-16-30-Golf-1 in 20 minutes
As you can see, the running-config was archived at 10.0.5.1/SW1-Jan-13-2017-16-16-30-Golf-1 and a rollback to this file was scheduled in 20 minutes.
Now, as an example, we make a change (disable Eth0/3):
SW1(config)#interface ethernet 0/3
SW1(config-if)#shutdown
SW1(config-if)#end
SW1#show running-config | section interface
.....
interface Ethernet0/3
 shutdown
 duplex auto
.....
Time passes; when 1 minute remains before the rollback, IOS warns me:
SW1#Rollback Confirmed Change: Rollback will begin in one minute.
Enter "configure confirm" if you wish to keep what you've configured
*Jan 13 2017 16:26:38 Golf: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_WARNING_ABSTIMER: System will rollback to config tftp://10.0.5.1/SW1-Jan-13-2017-16-16-30-Golf-1 in one minute. Enter "configure confirm" if you wish to keep what you've configured
The minute expires and the rollback runs (in fact, this is "configure replace"):
SW1#Rollback Confirmed Change: rolling to:tftp://10.0.5.1/SW1-Jan-13-2017-16-16-30-Golf-1
Loading SW1-Jan-13-2017-16-16-30-Golf-1 from 10.0.5.1 (via Vlan1): !
[OK - 1483 bytes]
Loading SW1-Jan-13-2017-16-16-30-Golf-1 from 10.0.5.1 (via Vlan1): !
[OK - 1483 bytes]
!Pass 1
!List of Rollback Commands:
interface Ethernet0/3
 no shutdown
end
Total number of passes: 1
Rollback Done
Checking:
SW1#sh run | section interface
.....
interface Ethernet0/3
 duplex auto
.....
Eth0/3 is not disabled, i.e. the rollback was successful.
b. How much time is left. Instant rollback
Information about how much time is left before a rollback can be obtained using the “show archive config rollback timer” command:
SW1#configure terminal revert timer 10
!Rollback Confirmed Change: Backing up current running config to tftp://10.0.5.1/SW1-Jan-13-2017-16-40-36-Golf-2
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#end
SW1#show archive config rollback timer
Time configured(or reconfigured): 16:40:36 Golf Fri Jan 13 2017
Timer type: absolute timer
Timer value: 10 min
User: mark
The remaining time itself is not shown, but you do get the time at which the interval was configured and the length of the interval, i.e. you can work it out.
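The calculation can be scripted. This is an added example, not part of the original article: it parses the “show archive config rollback timer” output shown above and returns the minutes left. It handles only the “absolute timer” type that appears in the article and assumes the caller supplies the current time in the device's local time zone.

```python
import re
from datetime import datetime, timedelta

# Output copied from the article's example session.
SAMPLE = """\
SW1#show archive config rollback timer
Time configured(or reconfigured): 16:40:36 Golf Fri Jan 13 2017
Timer type: absolute timer
Timer value: 10 min
User: mark
"""

def rollback_deadline(output):
    """Return (deadline, user) in device-local time, or None if nothing is pending."""
    if "No Rollback Confirmed Change pending" in output:
        return None
    # Split every "key: value" line on the first colon only, because the
    # timestamp value contains colons of its own.
    fields = dict(
        (key.strip(), value.strip())
        for key, value in (l.split(":", 1) for l in output.splitlines() if ":" in l)
    )
    if fields.get("Timer type") != "absolute timer":
        # Any other timer type is not counted from the configured time,
        # so refuse to guess (assumption: only the article's case is handled).
        raise ValueError("unsupported timer type: %r" % fields.get("Timer type"))
    clock, _zone, date = fields["Time configured(or reconfigured)"].split(" ", 2)
    started = datetime.strptime(f"{clock} {date}", "%H:%M:%S %a %b %d %Y")
    minutes = int(re.fullmatch(r"(\d+) min", fields["Timer value"]).group(1))
    return started + timedelta(minutes=minutes), fields["User"]

def minutes_left(output, now):
    """Minutes until the rollback fires; 0.0 if overdue, None if none is pending."""
    pending = rollback_deadline(output)
    if pending is None:
        return None
    return max((pending[0] - now).total_seconds() / 60, 0.0)

if __name__ == "__main__":
    print(minutes_left(SAMPLE, datetime(2017, 1, 13, 16, 45, 36)))
```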
How to change the interval - reduce or increase? With the command “configure revert timer”:
SW1#configure revert timer 5
SW1#
*Jan 13 2017 16:43:50 Golf: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_RESET_ABSTIMER: User: mark: Reset Rollback Confirmed Change timer(absolute) to 5 minute
SW1#show archive config rollback timer
Time configured(or reconfigured): 16:43:50 Golf Fri Jan 13 2017
Timer type: absolute timer
Timer value: 5 min
User: mark
In fact, this command neither adds to nor subtracts from the interval; it simply sets a new interval counted from the current moment.
How to make an instant rollback? With the “configure revert now” command:
SW1#configure revert now
Rollback Confirmed Change: rolling to:tftp://10.0.5.1/SW1-Jan-13-2017-16-40-36-Golf-2
Loading SW1-Jan-13-2017-16-40-36-Golf-2 from 10.0.5.1 (via Vlan1): !
[OK - 1483 bytes]
Loading SW1-Jan-13-2017-16-40-36-Golf-2 from 10.0.5.1 (via Vlan1): !
[OK - 1483 bytes]
Total number of passes: 0
Rollback Done
Well, I had no changes in this case. This is the same as “configure replace”, except that the config to roll back to cannot be specified.
c. How to undo a rollback
Suppose we set a rollback interval, made changes, and the current configuration suits us. How do we cancel the running-config rollback? With the “configure confirm” command:
SW1#configure confirm
SW1#
*Jan 13 2017 16:48:42 Golf: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_CONFIRM: User: mark: Confirm the configuration change
It should be clearly understood that “configure confirm” does not save run to start; it only cancels the rollback.
ATTENTION: after confirming the configuration, i.e. cancelling the rollback, you MUST check “show archive config rollback timer”. The answer should be:
SW1#show archive config rollback timer
%No Rollback Confirmed Change pending
PS: I have mentioned it more than once throughout the article, but I will repeat it one last time: rollback, like configure replace, is a rollback of running-config and of no other file.