Automated Backups – Cisco Devices
FTP and TFTP are insecure transport protocols. If the transfer is captured with a packet sniffer, all data is in clear text.
- Linux machine running sshd
- Cisco router or switch that supports cryptographic features (an image with K9 in the image name) and has SSH keys generated
- First, we configure the archiving path with all the necessary details so that the scp copy does not need to prompt us for anything: the username, password, host, path, and filename.
- Notice that the path and filename use variables! ‘$h’ is the configured hostname of the device and ‘$t’ is the time as configured on the device.
- Next, we enable command logging and specify how many commands should be kept (the last 200), how we should be notified (syslog), and that passwords in logged commands should be hidden.
! Configure Archiving
! Start in privileged mode
! The path is where the archiving will save the configs to.
! The string will also hold the credentials
! example string:
! path scp://<username>:<password>@<linux_machine>://<path_on_linux_machine>
configure terminal
archive
 path scp://<username>:<password>@<linux_machine>://<path_on_linux_machine>/$h-$t
 ! add command logging for the last 200 commands with passwords hidden
 log config
  logging enable
  logging size 200
  notify syslog
  hidekeys
end
One important thing to note here is that the password in the path remains in clear text in the configuration despite the use of ‘service password-encryption’. I’m not sure why this is… It is a drawback of this implementation, but it is still more secure than transferring the configurations with FTP or TFTP.
Even though my security spidey-senses are tingling at this configuration, there are other ways to further secure this implementation on the Linux side by restricting what this user can do: for example, denying the user an interactive login and only allowing it to execute scp. Refer to “Taking Things a Step Further” below.
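One way to apply that restriction on the Linux side is an sshd ForceCommand wrapper that only honours an scp upload into the backup directory. The script below is an added example, not code from the original post; the account name ciscobackup, the install path /usr/local/bin/scp-only.sh, the backup directory /cisco/configs and the sshd_config block in its header are all assumptions, and it assumes the router's scp client asks the server for the standard "scp -t <destination>" sink request.

```shell
#!/bin/sh
# scp-only.sh: ForceCommand wrapper for the backup account on the Linux side.
# The account name, install path and sshd_config block below are assumptions:
#
#   Match User ciscobackup
#       ForceCommand /usr/local/bin/scp-only.sh
#       PermitTTY no
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
#
# With ForceCommand, sshd runs this script for every session of that user and
# passes whatever the client asked for in SSH_ORIGINAL_COMMAND. An scp upload
# (the IOS archive path points at this host) asks the server for
# "scp -t <destination>", so that is the only request we honour.

BACKUP_DIR="/cisco/configs"   # the directory the router's archive path names (assumed)

# check_scp_command CMD
# Returns 0 when CMD is an scp upload (sink mode, -t) into BACKUP_DIR whose
# destination cannot escape that directory or carry extra options or shell syntax.
check_scp_command() {
    cmd="$1"
    case "$cmd" in
        "scp -t $BACKUP_DIR/"*) ;;   # scp only, upload only, our directory only
        *) return 1 ;;
    esac
    target="${cmd#scp -t }"
    case "$target" in
        *..*) return 1 ;;                  # no directory traversal
        *[!A-Za-z0-9_./-]*) return 1 ;;    # no spaces (extra arguments) or metacharacters
    esac
    return 0
}

# Session handling: honour a valid upload, refuse everything else (including an
# interactive login, where SSH_ORIGINAL_COMMAND is empty) and record the refusal.
run_session() {
    if check_scp_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # Word splitting is safe here: the target passed the character check above.
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t scp-only "refused ${USER:-?}: ${SSH_ORIGINAL_COMMAND:-interactive login}"
    echo "This account may only upload configurations with scp." >&2
    exit 1
}

# Only enforce when executed as the installed script, so the functions can be
# sourced and exercised without starting a session.
case "$0" in
    */scp-only.sh|scp-only.sh) run_session ;;
esac
```

Because the password in the archive path is stored in clear text on the router, this wrapper limits what that password is worth: a session with it can write a file under the backup directory and nothing else, and every refused attempt lands in syslog via logger.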
For a long time I didn’t know that kron was supported on Cisco devices, but yes… yes it is… and it’s awesome! Kron lets us prepare a set of commands to run in exec mode and perform them on a set schedule. That means user exec and privileged exec only: no global configuration commands, etc.
Below we create a kron policy to save and archive our configuration, then specify that it should run every night at 10pm. Check it out:
! Configure kron
! Start in privileged mode
configure terminal
! create the policy with two commands
kron policy-list Config_Backup
 cli write memory
 cli archive config
! schedule the policy to run every day at 22:00
kron occurrence Config_Backup at 22:00 recurring
 policy-list Config_Backup
end
Now that all the configuration is in place, let’s verify that it’s working as intended!
Switch#archive config
Writing /cisco/configs/Switch/Switch_-Mar--1-01-42-43.252.cisco-0 !
Sink: C0644 1853 Switch_-Mar--1-01-42-43.252.cisco-0
Switch#
Switch#show log | i %PARSER-5-CFGLOG_LOGGEDCMD: User:ivan
*Mar 1 01:21:35.297: %PARSER-5-CFGLOG_LOGGEDCMD: User:ivan logged command:interface GigabitEthernet0/1
*Mar 1 01:21:46.949: %PARSER-5-CFGLOG_LOGGEDCMD: User:ivan logged command:description Testing archive logging
*Mar 1 01:21:53.887: %PARSER-5-CFGLOG_LOGGEDCMD: User:ivan logged command:shutdown
*Mar 1 01:22:04.406: %PARSER-5-CFGLOG_LOGGEDCMD: User:ivan logged command:interface GigabitEthernet0/2
*Mar 1 01:22:09.733: %PARSER-5-CFGLOG_LOGGEDCMD: User:ivan logged command:description more testing
Switch#show archive log config all
...
 24 3 ivan@console |interface GigabitEthernet0/1
 25 3 ivan@console | description Testing archive logging
 26 3 ivan@console | shutdown
 27 3 ivan@console | interface GigabitEthernet0/2
 28 3 ivan@console | description more testing
Switch#show kron schedule
Kron Occurrence Schedule
Config_Backup inactive, will run again in 0 days 20:15:28 at 22:00 on
Switch#
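With ‘notify syslog’ in place, every logged command reaches the syslog collector as a %PARSER-5-CFGLOG_LOGGEDCMD line like the ones above, which is where a defender can watch for configuration changes worth a second look. The script below is an added example, not part of the original post; its sample lines are constructed to mirror the show log output above, the log file path in the usage note is assumed, and the list of commands it flags is a starting point rather than anything the post prescribes.

```shell
#!/bin/sh
# cfglog-report.sh: pull the archive's config-change notifications out of a syslog
# feed and flag the ones worth an alert. Sample lines are constructed, modelled on
# the show log output on this page; one unrelated message is mixed in on purpose.

CFGLOG_SAMPLE='*Mar 1 01:21:35.297: %PARSER-5-CFGLOG_LOGGEDCMD: User:ivan logged command:interface GigabitEthernet0/1
*Mar 1 01:21:46.949: %PARSER-5-CFGLOG_LOGGEDCMD: User:ivan logged command:description Testing archive logging
*Mar 1 01:21:53.887: %PARSER-5-CFGLOG_LOGGEDCMD: User:ivan logged command:shutdown
*Mar 1 01:22:04.406: %SYS-5-CONFIG_I: Configured from console by ivan on console
*Mar 1 01:22:09.733: %PARSER-5-CFGLOG_LOGGEDCMD: User:ivan logged command:description more testing'

# cfglog_extract: stdin syslog lines -> stdout "user<TAB>command", one per CFGLOG line.
# Everything that is not a CFGLOG_LOGGEDCMD message is dropped.
cfglog_extract() {
    awk '
    {
        marker = "%PARSER-5-CFGLOG_LOGGEDCMD: User:"
        i = index($0, marker)
        if (i == 0) next
        rest = substr($0, i + length(marker))
        j = index(rest, " logged command:")
        if (j == 0) next
        user = substr(rest, 1, j - 1)
        cmd  = substr(rest, j + length(" logged command:"))
        printf "%s\t%s\n", user, cmd
    }'
}

# cfglog_flag: stdin "user<TAB>command" -> stdout only the commands that deserve an
# alert: interface shutdowns, changes to the archive path itself and new credentials.
# With hidekeys the secret is already masked, so matching on the command prefix is enough.
cfglog_flag() {
    awk -F '\t' '$2 ~ /^(no )?shutdown$|^path |^username |^enable (secret|password)/'
}

# count_flagged: run the whole pipeline over the sample and print the number of
# flagged commands (1 for the sample: the shutdown).
count_flagged() {
    printf '%s\n' "$CFGLOG_SAMPLE" | cfglog_extract | cfglog_flag | wc -l | tr -d ' '
}
```

Against a live collector the same two functions chain onto the feed, for example `tail -F /var/log/cisco.log | cfglog_extract | cfglog_flag` (log path assumed), and the user column makes it easy to see which account made each change.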