asmartinsen asked:
Securely saving Cisco device configuration

Hi

At work, we have a bunch of Cisco switches and we want to save the running configuration. I'm no expert on this but had my CCNA from back in the day. The biggest issue here for us is security. We utilize Cisco Network Assistant and can, to a certain degree, remotely configure all switches. CNA has a configuration archive capability which would be awesome to use, but it seems impossible to choose the switches that I want to back up. We're thinking it might be because Telnet is not enabled on the switches, or the switches are neighboring devices in the Topology view...?

As Telnet is not very secure, we don't want to turn it on.

BR
ASKER CERTIFIED SOLUTION
Fidelius
[solution text only available to Experts Exchange members]
asmartinsen (ASKER):

Cool, thank you for your answer. Do you know if CNA can save the configuration without Telnet? Over HTTP/S, for example.
I guess SSH and TFTP are OK.

Connected to the switch with SSH and started a TFTP server on a host. I get:
error opening tftp:/x.x.x.x/x-config (timed out) message
when running the "copy run tftp" command from the switch.

I can ping the host from the switch and TFTP is enabled in my firewall. Maybe I should post a new question for this, but if anybody knows anything, please shout out!
Try with two '//':
copy run tftp://x.x.x.x/x-config

Or just run:
copy run tftp:

And follow prompts.
Example:
CE_2#copy running-config tftp:
Address or name of remote host []? 64.104.207.171
Destination filename [ce_2-confg]? backup_cfg_for_my_router

From a security aspect, this still transfers the config as plain text, as TFTP has no security features. For more security, use FTP.

Regards!
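A worked example of the SSH-only approach this thread is circling, added here and not taken from the question, the answers, CNA or Cisco documentation: a host-side script that pulls "show running-config" over an SSH exec channel, so neither Telnet on the switch nor a TFTP or FTP server on the host is needed (FTP, like TFTP, sends both the login and the file in clear text), scrubs the lines that change on every pull, lists the credential lines the backup itself contains (type 0 and type 7 passwords, SNMP communities) and keeps a hash-checked, timestamped history. The user name, address and directory in the usage comment are placeholders. It assumes an IOS switch with "ip ssh version 2" and a privilege-15 user, the switch's SSH host key already added to known_hosts by hand, and "ip scp server enable" only for the optional SCP variant.

```bash
#!/usr/bin/env bash
# Added example (not code from the thread, Cisco or CNA): back up an IOS
# switch's running-config over SSH from a Linux/macOS host, with no Telnet
# and no TFTP/FTP server, and keep a change history.
# Assumptions (hypothetical): the switch runs "ip ssh version 2" and has a
# privilege-15 user for the backup host; the host has ssh, diff, and
# sha256sum or shasum. Switch address and user are passed on the command line.
set -u
umask 077      # backups contain credentials: create every file owner-only (0600)

# Lines that differ on every pull but carry no configuration. Dropping them
# keeps the hash comparison and the diff history meaningful.
scrub_volatile() {
    grep -Ev '^(Building configuration|Current configuration|! Last configuration change|! NVRAM config last updated|! No configuration change since|ntp clock-period)' || true
}

# Credential lines that a running-config exposes: type 0 is clear text,
# type 7 is trivially reversible, SNMP communities are clear text.
# Hashed secrets (type 5/8/9) are deliberately not flagged.
secret_lines() {
    grep -En '(password|secret) [07] |^enable password |^snmp-server community ' || true
}

# SHA-256 of stdin, portable across GNU coreutils and macOS.
cfg_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Pull the config over an SSH exec channel. StrictHostKeyChecking=yes makes a
# changed host key (a possible man-in-the-middle) abort the backup instead of
# handing the config, credentials included, to the wrong box.
pull_config() {                              # pull_config USER HOST
    ssh -o StrictHostKeyChecking=yes -o ConnectTimeout=10 "$1@$2" 'show running-config'
}

# Alternative when the switch has "ip scp server enable" (and AAA exec
# authorization): IOS serves its running-config over SCP, no exec needed.
pull_config_scp() {                          # pull_config_scp USER HOST OUTFILE
    scp -o StrictHostKeyChecking=yes "$1@$2:running-config" "$3"
}

# Save the new config only when it differs from the last saved copy, keep a
# timestamped history, and print the diff so configuration drift is visible.
store_if_changed() {                         # store_if_changed DIR NEWFILE
    local dir=$1 new=$2 latest=$1/latest.cfg
    mkdir -p "$dir"
    if [ -f "$latest" ] && [ "$(cfg_hash < "$new")" = "$(cfg_hash < "$latest")" ]; then
        echo unchanged
        return 0
    fi
    if [ -f "$latest" ]; then diff -u "$latest" "$new" || true; fi
    cp "$new" "$dir/$(date +%Y%m%dT%H%M%S).cfg"
    cp "$new" "$latest"
    echo saved
}

main() {                                     # main USER HOST BACKUPDIR
    local tmp
    tmp=$(mktemp)
    pull_config "$1" "$2" | scrub_volatile > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no config received from $2, aborting" >&2
        rm -f "$tmp"
        return 1
    fi
    echo "credential lines in this backup (keep the file off shared storage):"
    secret_lines < "$tmp"
    store_if_changed "$3" "$tmp"
    rm -f "$tmp"
}

# Only contact the switch when asked to, so the functions can be sourced or tested.
#   ./backup-ios.sh --run backup 192.0.2.10 ./cfg-backups   (placeholder values)
if [ "${1:-}" = "--run" ]; then
    main "$2" "$3" "${4:-./cfg-backups}"
fi
```

Run it as ./backup-ios.sh --run USER SWITCH DIR; without --run it only defines the functions. The saved file carries the switch's type 7 passwords and SNMP communities intact, so treat the backup directory like a password store: the umask keeps the files owner-only, and "service password-encryption" on the switch does not change the picture, since type 7 encoding is reversible.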
I'm crying a little now. TFTP from the switch is just not working.

Ping command:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

xxx#copy running-config tftp:
Address or name of remote host []? x.x.x.x
Destination filename [confg]? config
.....
%Error opening tftp://x.x.x.x/config (Timed out)


Things I have checked:
1. Created rules in the local firewall to accept port 69 UDP and all ports my TFTP software wants to use.
2. There is an access list permit for my host on all network devices.
3. Turned off all TFTP security; sometimes it will not write unless the TFTP server already has a file with a similar name.
4. Connectivity is present and TFTP is working.

In between me and the switch there is a Cisco center switch stack, but I don't think it would block the traffic. Could there be a configuration that denies TFTP copying on the switch?
Maybe try adding a TFTP source interface:

Example:
ip tftp source-interface Vlan10

For the VLAN or interface, choose the one with the management address.

Regards!
OK, I tried that. I used the VLAN with the management IP. After the command is run it doesn't show in show running-config; I checked that, and it might be because the command points to the default address already used. There is only one IP configured on the switch, so it makes sense. Thanks for the suggestion.
Hi, this is solved for me; manually with FTP and PuTTY SSH was fast and secure enough. The config files can be easily edited after one backup also, so I'm done :) My other issues with file transfer were because of a local firewall that didn't care about my FW rules; I have to look at the policy to find out what's going on there. Thanks for the help!