Recipe 1.2 Saving Router Configuration to Server

1.2.1 Problem

You want to store a backup copy of your router's configuration on a TFTP server.

1.2.2 Solution

This example shows how to use TFTP to upload a copy of the router's active configuration to a remote server:

Freebsd% touch /tftpboot/router1-confg
Freebsd% chmod 666 /tftpboot/router1-confg
Freebsd% telnet Router1
Trying 172.25.1.5...
Connected to Router1.
Escape character is '^]'.
   
User Access Verification
   
Password: <vtypassword>
 
Router1>en
Password: <enablepassword>
Router1#copy running-config tftp://172.25.1.1/router1-confg
Address or name of remote host [172.25.1.1]? <enter>
Destination filename [router1-confg]? <enter>
!!!
9640 bytes copied in 3.956 secs (2437 bytes/sec)
Router1#

1.2.3 Discussion

We cannot overstress the importance of making regular backups of your router configuration files, and keeping copies of these files in a safe place. If a serious failure damages a router's hardware or software, your configuration will be destroyed. Anybody who has had to reconstruct a complex router configuration file from memory can tell you how difficult and stressful this task is! But, if you have a backup of the last working configuration file, you can usually get a router working again within minutes of fixing any hardware problems.

Typical Mean Time Between Failure (MTBF) estimates for Cisco routers tend to be about 16 years. This sounds like a long time, but in a large network it means that you can expect to see a few failures every year. Unfortunately, human errors resulting in complete or partial loss of the configuration file are far more common than device failures.

In the example, we created an empty backup configuration file on the TFTP server, then instructed the router to send its running configuration to this server. It is important to adjust the file permissions with the Unix chmod command. The transfer will fail if the configuration file is not world writable. We highly recommend moving the configuration files out of the TFTP directory to ensure that the file isn't read by unauthorized users, or accidentally overwritten.

Reading files located in the TFTP directory is trivial, because the TFTP program needs this directory to be both world readable and world writable. Since router configuration files contain passwords and IP addresses, you should take steps to protect these files as much as possible. In fact, you don't even need to be logged into the TFTP server to read these files. In the following example, we are able to access the TFTP server and read a router configuration file from another router:

Router1#more tftp://172.25.1.1/router1-confg
!
! Last configuration change at 11:23:59 EST Sat Jan 11 2003 by ijbrown
! NVRAM config last updated at 00:37:16 EST Sat Jan 11 2003 by ijbrown
!
version 12.2
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname Router1
<removed for brevity>

As you can see, any files left in the TFTP directory can be easily viewed or even deliberately corrupted. TFTP is notoriously insecure, so we recommend using care whenever you work with this protocol.
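
One way to act on the recommendation to move configuration files out of the TFTP directory, as an added shell example that is not part of the original recipe. The function name and the archive path /var/backups/router-configs are assumptions; the /tftpboot directory and the -confg suffix follow the recipe's example.

```shell
#!/bin/sh
# Added example: sweep uploaded router configs out of the TFTP directory
# into an archive that only its owner can read.
# Usage: archive_tftp_configs /tftpboot /var/backups/router-configs

archive_tftp_configs() {
    src=${1:-/tftpboot}
    dest=${2:-/var/backups/router-configs}   # assumed archive location
    stamp=$(date +%Y%m%d-%H%M%S)
    moved=0

    # The archive directory must not be readable by other users.
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1

    for f in "$src"/*-confg; do
        # The source directory is world writable, so never follow a symlink.
        [ -L "$f" ] && continue
        [ -f "$f" ] || continue
        # Skip empty placeholders created with touch ahead of an upload.
        [ -s "$f" ] || continue

        target="$dest/$(basename "$f").$stamp"
        mv "$f" "$target" || return 1
        chmod 600 "$target" || return 1
        moved=$((moved + 1))
    done

    # Print the number of files archived so a caller or cron mail can log it.
    echo "$moved"
}
```

After a sweep the placeholder file no longer exists in the TFTP directory, so repeat the touch and chmod 666 steps from the Solution before the next upload.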

Recipe 1.18 provides an automated script that gathers the configuration files for a list of routers on a nightly basis and stores these files for 30 days, by default.

1.2.4 See Also

Recipe 1.14; Recipe 1.18
