Using Cisco’s IOS Archive

Cisco’s IOS offers an easy to use feature for configuration versioning to an external server such as TFTP or SCP. Furthermore, you can use IOS commands to compare any two snapshots and to roll back to one of them.

Archive

Using the archive command within the configuration mode you are entering the archive configuration mode. You must select a path, which SHOULD be a secure protocol such as SCP. You need to specify the username and password, separated by a colon, in plaintext though. (While this is not really good, it is still much better than transferring the whole configuration via plain TFTP through your complete network!) The variables $h and $t are for the hostname respectively the date/time. The last step is to set the condition when the configuration is copied to the destination: Either time-based via time-period <minutes> or during the “wr mem” process via write-memory. I prefer the latter. My default setup is:

It uses a username of “iosarchive” and the password “iospassword”. The SCP server is set via an FQDN “scp.weberlab.de” after the @-sign. I am copying directly into the root folder “/” while the filenames are displayed as hostname-dash-datetime.

Now for every “write memory” or “copy run start” you’ll see the copy process. In my case it’s resolving the FQDN first. Note the exclamation mark in the middle of the last line which shows the copy process:

 

You can also trigger a copy of the running configuration via archive config manually.

Show Archive

Using the show archive command you can see the last 10 archives:

Note the “<- Most Recent” keyword at the end of one line.

Looking at the SCP server itself (in my case a Ubuntu Linux) you can see exactly those configuration snapshots:

 

Differences & Rollback

Let’s make a concrete example how to use the compare and rollback features. Before I started I archived the current configuration. This was called “R4-Feb-20-2018-21-57-46.530-UTC-5”. Now I made some configuration changes manually, namely an interface tracking for HSRP and an access-list:

After that I copied the configuration via “archive config” to the SCP server. This snapshot is called “R4-Feb-21-2018-08-40-39.857-UTC-6”.

Now I used the  show archive config differences <path1> <path2> command to compare the differences. This fantastically reveals all configuration changes at a glance, line 10-16:

 

Some time later I wanted to rollback to the configuration before I made any of those changes. Therefore I could use the configure replace command. The “list” keyword at the end additionally shows all CLI changes:

 

Nice. ;)

Just for fun I used the  show archive config differences again, but this time with only a single path to the old config, which then compares it to the running config:

Also note that you can use this command without any paths to compare the running config with the startup config. The “+” indicates that those commands are present in the startup config but not in the running config, while a “-” would indicate commands in the running but not in the startup config:

 

And one more note: There is the option of “incremental-diffs” within the “show archive config” commands that shows actual configuration commands that are not present in the running configuration, that is, without those “+” and “-“. Comparing my current running-config with the one saved after my manual changes shows:

 

Time-Based Reload & Rollback

Very similar to the time-based reload you can schedule a time-based config replace. These are the commands to do a time-based reload, just for the sake of completeness:

Combined with the rollback functionalities you can set a time at which a rollback shall take place (e.g., just a few minutes after some big changes). In case you’ve cut your connection this can save your life. ;) If all your changes work properly you can “confirm” the replace, i.e., stop the pending revert action.

Good to know.

For more posts about routing/switching you can follow the Routing” or “Switching” categories concerning various firewall/router vendors, or the “Cisco Router“/”Cisco Switch” tags for posts related to Cisco stuff.

Featured image “Archives” by Marino González is licensed under CC BY-NC-ND 2.0.

1 thought on “Using Cisco’s IOS Archive

  1. Nice writeup!.
    I also tend to do a show archive config diff without further parameters just after logging in a device. Just to see if anyone left some unsaved stuff in before I do my changes. So I would not save them to start along with my changes I’m about to make. Or at the very least I would then be aware that I’m saving other changes along with mine.

Leave a Reply

Your email address will not be published. Required fields are marked *