KBI 311638 New Feature: Automated Device Configuration, Backup And Archive Management Facility

Version

Argent Advanced Technology 5.1A-1804-A or above

Date

Monday, 9 April 2018

Summary

Cisco and Cisco-like devices can be configured to allow the command ‘show running-config’ (or ‘show run’) to compile the current configuration and print it to the terminal

This new Argent facility uses the same mechanism to back up the device’s configuration to the central Argent SQL database

Customers can then view all the versions that have been backed up

In addition, the changes between one config file and the next are highlighted

Optionally, Alerts on device configuration changes and on connection failures can be sent to the central Argent Console

This new facility is a completely automated control and patch management solution for all Cisco and Cisco-like devices

The first step is to specify the SSH parameters to allow Argent to connect to the device

Method

  • Not Enabled – Do not back up the configuration of this device
  • SSH – SSH session is used

Note: Additional methods are being added; please contact Argent Instant Help for details

SSH Logon Option

  • Logon Password – Use logon and password for SSH session
  • Keyboard Interactive – Another SSH logon mechanism

    It behaves similarly to the ordinary Logon/Password option, but internally it is very different

  • PLINK – Use PLINK executable to run SSH session

Port

The SSH server on the Cisco device listens on this port; the default value is ‘22’

Timeout

The default timeout of SSH session is 300 seconds

Keep Recent Versions

This limits the number of versions of a device configuration kept in the Argent SQL database

Require Elevation

Set it to true if the configuration retrieval command, which is ‘show running-config’ by default, requires the ‘enable’ command to elevate user privileges

Password Prompt

This is the password prompt shown right after the ‘enable’ command

By default, it is ‘*assword:’

Note: Wildcards are supported in this field

Paging-Off Command

When ‘show running-config’ is run in an interactive SSH session, the device’s terminal pages the output

Paging prevents the device configuration from being fully downloaded

Paging can be turned off using either ‘terminal length 0’ (default) or ‘terminal pager 0’, depending on the model of the device

Shell Prompt

Shell Prompt is used to remove command line echoes from the output result

If not specified, it is determined dynamically by the Argent AT Engine

The default value is an empty string
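
The following sketch is an added example, not Argent's code: it shows how a wildcard Password Prompt such as ‘*assword:’ and a Shell Prompt can be used to strip prompts and command echoes from a captured interactive session. The transcript, the host name router1, the function names and the prompt-guessing heuristic are assumptions made for illustration

```python
import fnmatch

# Constructed transcript of an interactive SSH session (not from a real device).
TRANSCRIPT = "\n".join([
    "router1>enable",
    "Password: ",
    "router1#terminal length 0",
    "router1#show running-config",
    "Building configuration...",
    "",
    "Current configuration : 214 bytes",
    "!",
    "hostname router1",
    "!",
    "end",
    "router1#exit",
])
SENT = ["enable", "terminal length 0", "show running-config", "exit"]


def is_echo(line, sent, shell_prompt=""):
    """True when the line is '<prompt><command>' for a command that was sent."""
    for cmd in sent:
        if not line.endswith(cmd):
            continue
        prefix = line[: len(line) - len(cmd)]
        if shell_prompt:
            if prefix == shell_prompt:
                return True
        elif prefix.endswith(("#", ">")):
            # Assumed heuristic used when Shell Prompt is left empty.
            return True
    return False


def clean_output(transcript, sent, shell_prompt="", password_prompt="*assword:"):
    """Drop password prompts and command echoes, keeping device output only."""
    kept = []
    for raw in transcript.splitlines():
        line = raw.rstrip()
        if fnmatch.fnmatchcase(line, password_prompt) or is_echo(line, sent, shell_prompt):
            continue
        kept.append(line)
    return "\n".join(kept).strip("\n")
```

In this sketch a fixed Shell Prompt of ‘router1#’ leaves the pre-elevation echo ‘router1>enable’ in the output, because the prompt changes once ‘enable’ succeeds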

Backup Command

The default value is ‘show running-config’

A custom command might be required for different OS flavors

Note: Up to three Backup Commands can be specified

Some models of devices use ‘admin show running-config’

Validation Keywords

The default is an empty string

Normally the Engine uses the program exit code returned by the SSH session to determine whether the device configuration was downloaded successfully

This works in the majority of situations

In some extremely rare cases, a non-zero exit code might be returned even though ‘show running-config’ generated the configuration successfully

In this case, the Validation Keywords can be used to determine whether the returned content is valid

Cisco devices generally have an OS version string at the beginning of the configuration

For example, ‘IOS XR Configuration 5.3.3’ is at the top of the configuration returned by one Cisco switch

Ignore Top Lines

The generated configuration usually contains a timestamp at the beginning of the output

These lines should not be included in the comparison when detecting changes between backups

This numeric property lets the Engine ignore the first few lines before comparing the configuration text
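
The following sketch is an added example, not Argent's code: it shows why Validation Keywords and Ignore Top Lines matter when deciding whether a backup is valid and whether it has changed. The sample backups, the function names, and the rule that every keyword must be present are assumptions made for illustration

```python
import difflib

# Constructed backups: BACKUP_2 differs from BACKUP_1 only in the timestamp line,
# BACKUP_3 also carries a real configuration change.
BACKUP_1 = """\
Mon Apr  9 10:00:01.123 UTC
Building configuration...
!! IOS XR Configuration 5.3.3
hostname core-sw1
interface MgmtEth0/0/CPU0/0
 ipv4 address 192.0.2.10 255.255.255.0
end
"""
BACKUP_2 = BACKUP_1.replace("10:00:01.123", "22:00:04.877")
BACKUP_3 = BACKUP_2.replace("192.0.2.10", "192.0.2.99")


def is_valid(exit_code, text, keywords=()):
    """Trust exit code 0; otherwise require every keyword in the text (assumed rule)."""
    if exit_code == 0:
        return True
    return bool(keywords) and all(k in text for k in keywords)


def comparable(text, ignore_top_lines=0):
    """Lines used for comparison, with the first N lines skipped."""
    return text.splitlines()[ignore_top_lines:]


def changes(old, new, ignore_top_lines=0):
    """Added and removed lines between two backups; an empty list means unchanged."""
    a = comparable(old, ignore_top_lines)
    b = comparable(new, ignore_top_lines)
    diff = list(difflib.unified_diff(a, b, "previous", "current", n=0, lineterm=""))
    # Skip the two file-header lines and the '@@' hunk markers.
    return [d for d in diff[2:] if not d.startswith("@@")]
```

With no lines ignored, the two backups that differ only in the timestamp are reported as changed; ignoring the first line removes that false change while the address change is still detected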

The customer should also define the Device Configuration Rules to be used

Two pre-defined Rules, ‘DBC_BACKUP_ONLY’ and ‘DBC_BACKUP_AND_DETECT_CHANGE’, are available

The customer can then use the Rules in a production Relator to back up device configurations

After a successful run of the Device Configuration Rules, the customer should be able to see the backups and changes in the module ‘Device Configuration Backups’

Using the right-click menu, the customer can view the device configurations and changes in NOTEPAD

To restore a device, the customer can copy out the configuration, save it to a flash drive, and restore it through the device terminal

The user can also export all the backups to an Excel file

It is recommended to use the newer format ‘.xlsx’, which can hold more content in a cell

The new feature is implemented in Argent AT 5.1A-1804-A

Technical Background

The configuration backups are stored in the SQL table ‘ARGSOFT_SN_DEVICE_CONFIGURATION’

The Cisco command ‘show running-config’ requires at least privilege level 15 to run

For better security, it is recommended to set an enable password to protect this sensitive information

The Cisco commands ‘enable password’ and ‘no enable password’ are available for this purpose

See https://www.Cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfpass.html for details

In larger Cisco environments, a TACACS server can be used to provide user privileges for specific logon accounts

As a result, user privilege elevation might not be necessary for the Cisco logon account used in Argent AT monitoring

This can be significant for performance when dealing with a large number of Cisco devices

See Configuring TACACS+ for detail

When exporting Device Configuration Backups to an Excel file, there are two formats to choose from

They are *.xls and *.xlsx

The latter is the newer format, in which a cell can hold many more characters

Windows bundles an Excel OLE DB driver that supports only the 97-2003 format (.xls)

To support the newer Excel format (.xlsx), the customer has to install the 32-bit Microsoft Access Database Engine (2010) or later, which can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=13255

Note: Install the 32-bit Engine (AccessDatabaseEngine.exe), not the 64-bit Engine (AccessDatabaseEngine_X64.exe)

They cannot be installed on the same machine

Resolution

Upgrade to Argent Advanced Technology 5.1A-1804-A or above
