Monday, June 15, 2009

Monitoring configuration changes

Hi all,
I'm back with a small tip on how to monitor configuration changes on Cisco routers.
Let's read the "Configuration Change Notification and Logging" article and try to configure it on our favorite Cisco toys ;-)


router(config)#
archive !-- enters archive configuration mode
log config !-- enters the configuration-change logging sub-mode
logging enable !-- enables logging of every configuration command entered
logging size 200 !-- number of entries kept in the log (default 100)
hidekeys !-- masks passwords and keys in the logged commands
notify syslog !-- also sends each logged change to the configured syslog server(s), if any



Now the router keeps a log of every configuration command, with the session and the user@line that entered it (archiving snapshots to compare against or roll back to comes below):

Pod1-R2#sh archive log config all
idx sess user@line Logged command
1 1 console@console | logging enable
2 1 console@console | hidekeys
3 1 console@console | exit
4 1 console@console | exit
5 2 console@console |no interface Vlan1
6 4 console@console |ipv6 unicast-routing

Pod1-R2#


Here I'm connected through an access server, so user@line is always console@console and the log cannot tell one admin from another. It's good practice to give every admin a separate credential on the vty lines, so the log shows exactly who made each change ;-)
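What you can do with that log once it is collected, as an added example in Python (written for this page, not code from the original post or from Cisco): parse the "show archive log config all" output above together with the syslog messages that "notify syslog" produces, group commands by session so one login's work reads as a unit, flag commands that should never appear without a change ticket, and count entries that cannot be tied to a named admin. The sample log is constructed: the first six entries are the ones shown above, the jsmith/operator entries and the syslog lines are made up, and the %PARSER-5-CFGLOG_LOGGEDCMD message layout is what I expect from IOS and should be checked against your own image.

```python
import re
from collections import defaultdict, namedtuple

ChangeRecord = namedtuple("ChangeRecord", "idx session user line command")

# Constructed sample of "show archive log config all": entries 1-6 are the ones
# from the page, entries 7-10 (users jsmith and operator on vty lines) are made
# up for this example. The secret in entry 7 is masked, as hidekeys would do.
SHOW_ARCHIVE_LOG = """\
idx sess user@line Logged command
1 1 console@console | logging enable
2 1 console@console | hidekeys
3 1 console@console | exit
4 1 console@console | exit
5 2 console@console |no interface Vlan1
6 4 console@console |ipv6 unicast-routing
7 5 jsmith@vty0 |username backdoor privilege 15 secret 5 *****
8 5 jsmith@vty0 |no logging host 10.0.0.5
9 6 operator@vty1 |interface GigabitEthernet0/1
10 6 operator@vty1 |description uplink to core
"""

# Constructed sample of what "notify syslog" sends to a syslog server. The
# message format is assumed from memory; verify it on your router.
SYSLOG_LINES = """\
Jun 22 20:01:10 10.1.1.2 1234: *Jun 22 20:01:09.881: %PARSER-5-CFGLOG_LOGGEDCMD: User:jsmith  logged command:username backdoor privilege 15 secret 5 *****
Jun 22 20:01:12 10.1.1.2 1235: *Jun 22 20:01:11.502: %PARSER-5-CFGLOG_LOGGEDCMD: User:jsmith  logged command:no logging host 10.0.0.5
"""

# idx, session, user@line, then the command after the '|' (spacing varies).
ARCHIVE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+([^@\s]+)@(\S+)\s*\|\s*(.*?)\s*$")
SYSLOG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*?)\s*$")

# Commands an intruder or a careless admin would use for persistence or to
# blind monitoring. Illustrative list; extend it for your environment.
SENSITIVE = (
    (re.compile(r"^username\s+\S+\s+privilege\s+15\b"), "new privilege-15 local user"),
    (re.compile(r"^enable\s+(secret|password)\b"), "enable secret/password changed"),
    (re.compile(r"^no\s+logging\s+host\b"), "syslog destination removed"),
    (re.compile(r"^no\s+(aaa|archive|snmp-server)\b"), "AAA, archive or SNMP disabled"),
    (re.compile(r"^no\s+(ip|ipv6)\s+access-list\b"), "access list deleted"),
    (re.compile(r"^no\s+interface\b"), "interface deleted"),
)


def parse_archive_log(text):
    """Parse 'show archive log config all' into ChangeRecords (header line skipped)."""
    records = []
    for raw in text.splitlines():
        m = ARCHIVE_RE.match(raw)
        if m:
            idx, sess, user, line, cmd = m.groups()
            records.append(ChangeRecord(int(idx), int(sess), user, line, cmd))
    return records


def parse_syslog(text):
    """Parse notify-syslog messages; they carry the user and command but no session or line."""
    records = []
    for raw in text.splitlines():
        m = SYSLOG_RE.search(raw)
        if m:
            records.append(ChangeRecord(None, None, m.group(1), None, m.group(2)))
    return records


def flag_sensitive(records):
    """Return (record, reason) for every command matching a sensitive pattern."""
    hits = []
    for rec in records:
        for pattern, reason in SENSITIVE:
            if pattern.match(rec.command):
                hits.append((rec, reason))
                break
    return hits


def commands_by_session(records):
    """Group archive-log commands by session number so one login's changes are read together."""
    sessions = defaultdict(list)
    for rec in records:
        sessions[rec.session].append(rec.command)
    return dict(sessions)


def unattributable(records):
    """Count entries logged as console@console: they cannot be tied to a named admin."""
    return sum(1 for r in records if r.user == "console" and r.line == "console")


if __name__ == "__main__":
    recs = parse_archive_log(SHOW_ARCHIVE_LOG)
    for rec, reason in flag_sensitive(recs):
        print(f"ALERT idx={rec.idx} sess={rec.session} {rec.user}@{rec.line}: {rec.command} ({reason})")
    for sess, cmds in commands_by_session(recs).items():
        print(f"session {sess}: {cmds}")
    print(f"{unattributable(recs)} entries cannot be attributed to a named admin")
    for rec, reason in flag_sensitive(parse_syslog(SYSLOG_LINES)):
        print(f"SYSLOG ALERT user={rec.user}: {rec.command} ({reason})")
```

The syslog path is the one worth wiring into a SIEM: the on-box log is lost when the box is reloaded or when whoever made the change runs "no archive", and an attacker who disables logging will do exactly that. Shipping each change off-box the moment it is entered is what makes the record trustworthy.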

If you also want to be able to roll back, read the "Configuration Replace and Configuration Rollback" section and add an automatic archive timer to our config:
archive
log config
logging enable
logging size 200
hidekeys
path flash: !-- base path (and filename prefix) for the snapshots; with just "flash:" they are named flash:-0, flash:-1, ...
time-period 1 !-- minutes between automatic snapshots (1 is far too short for production!)


Let's check after a minute:


Pod1-R2#dir
Directory of flash:/

1 -rw- 1440 vlan.dat
4 -rw- 58246016 c2800nm-adventerprisek9-mz.124-22.T.bin
5 -rw- 1260 -0

64225276 bytes total (5964524 bytes free)

Pod1-R2#sh archive
The maximum archive configurations allowed is 14.
There are currently 1 archive configurations saved.
The next archive file will be named flash:-1
Archive # Name
1 flash:-0 <- Most Recent
2
3
4
5
6
7
8
9
10
Pod1-R2#


OK, the config is archived correctly. Let's make a change and try a rollback:

Pod1-R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Pod1-R2(config)#no ipv6 unicast-routing
Pod1-R2(config)#end
Pod1-R2#

!-- wait a minute for the next snapshot

Pod1-R2#sh archive
The maximum archive configurations allowed is 14.
There are currently 2 archive configurations saved.
The next archive file will be named flash:-2
Archive # Name
1 flash:-0
2 flash:-1 <- Most Recent
3
4
5
6
7
8
9
10
Pod1-R2#

!-- now replace the running config with the "-0" snapshot, the one taken before the change ("list" prints the commands IOS applies)

Pod1-R2# configure replace flash:-0 list
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y

*Jun 22 20:04:38.881: Rollback:Acquired Configuration lock.
!Pass 1

!List of Commands:
archive
no time-period 525600
default ipv6 cef
ipv6 unicast-routing
ipv6 cef
archive
time-period 1
end


Total number of passes: 1
Rollback Done

Pod1-R2#
Pod1-R2#
*Jun 22 20:04:44.453: %PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= "Exec", ipl= 0, pid= 3
Pod1-R2#


Use the Cisco Feature Navigator to check whether your IOS image supports the "Configuration Change Notification and Logging" feature.