KBI 311638 New Feature: Automated Device Configuration, Backup And Archive Management Facility
Version
Argent Advanced Technology 5.1A-1804-A or above
Date
Monday, 9 April 2018
Summary
Cisco and Cisco-like devices can be configured to allow the command ‘show running-config’ or ‘show run’ to be run, which compiles the current configuration and dumps it to the terminal
This new Argent facility uses the same mechanism to back up the device’s configuration to the central Argent SQL database
Customers can then view all the versions that have been backed up
In addition, the changes between one config file and the next are highlighted
Optionally, Alerts on device configuration changes and on connection failures can be sent to the central Argent Console
This new facility is a completely automated control and patch management solution for all Cisco and Cisco-like devices
The first step is to specify the SSH parameters to allow Argent to connect to the device
Method
- Not Enabled – Do not back up the configuration of this device
- SSH – SSH session is used
Note: Additional methods are being added; please contact Argent Instant Help for details
SSH Logon Option
- Logon Password – Use logon and password for SSH session
- Keyboard Interactive – Another SSH logon mechanism
It behaves similarly to ordinary Logon/Password, but internally it is very different
- PLINK – Use PLINK executable to run SSH session
Port
The SSH server on the Cisco device listens on this port; the default value is ‘22’
Timeout
The default timeout of the SSH session is 300 seconds
Keep Recent Versions
This limits the maximum number of versions of a device configuration kept in the Argent SQL database
Require Elevation
Set it to true if the configuration retrieval command, which is ‘show running-config’ by default, requires the ‘enable’ command to elevate user privileges
Password Prompt
This is the password prompt shown right after the ‘enable’ command
By default, it is ‘*assword:’
Note: Wildcards are supported in this field
Paging-Off Command
When running ‘show running-config’ in an interactive SSH session, the device’s terminal pages the results
Paging prevents the device configuration from being fully downloaded
Paging can be turned off using either ‘terminal length 0’ (default) or ‘terminal pager 0’, depending on the model of device
Shell Prompt
The Shell Prompt is used to remove command line echoes from the output
If not specified, it is dynamically determined by the Argent AT Engine
The default value is an empty string
Backup Command
The default value is ‘show running-config’
A custom command might be required for different OS flavors
Note: Up to three Backup Commands can be specified
Some models of devices use ‘admin show running-config’
Validation Keywords
The default is an empty string
Normally the Engine uses the program exit code returned by the SSH session to determine whether the device configuration was successfully downloaded
This works in the majority of situations
In some extremely rare cases, a non-zero exit code might be returned even though ‘show running-config’ generates the configuration successfully
In this case, the Validation Keywords can be used to determine whether the returned content is valid
Cisco devices generally have an OS version string at the beginning of the configuration
For example, ‘IOS XR Configuration 5.3.3’ is at the top of the configuration returned by one Cisco switch
Ignore Top Lines
The generated configuration usually contains a timestamp at the beginning of the output
These lines should not be included in the comparison when detecting changes between backups
This numeric property lets the Engine ignore the first few lines before comparing configuration text
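The following added example (not Argent's code) shows how Validation Keywords and Ignore Top Lines affect change detection between two backups. The function names, the sample captures and the matching rule (every keyword must appear as a substring) are assumptions made for illustration.

```python
import difflib

# Constructed sample captures for illustration (not output from a real device).
def make_capture(stamp, ntp_server):
    return "\n".join([stamp, "Building configuration...",
                      "!! IOS XR Configuration 5.3.3",
                      "hostname edge-sw1", f"ntp server {ntp_server}", "end"])

CAPTURE_1 = make_capture("Mon Apr  9 10:00:00.000 UTC", "192.0.2.10")
CAPTURE_2 = make_capture("Mon Apr  9 22:00:00.000 UTC", "192.0.2.10")  # same config
CAPTURE_3 = make_capture("Tue Apr 10 10:00:00.000 UTC", "192.0.2.99")  # real change
FAILED = "% Authorization failed"  # error text captured in place of a configuration
KEYWORDS = ["IOS XR Configuration"]

def is_valid(text, keywords):
    """Content check: every keyword must occur (assumed rule). Empty list = no check."""
    return all(keyword in text for keyword in keywords)

def changed_lines(previous, current, ignore_top_lines=0):
    """Return ('-', line) / ('+', line) pairs, skipping the first N lines of each capture."""
    old = previous.splitlines()[ignore_top_lines:]
    new = current.splitlines()[ignore_top_lines:]
    changes = []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            changes += [("-", line) for line in old[i1:i2]]
            changes += [("+", line) for line in new[j1:j2]]
    return changes

def backup_and_detect(previous, current, keywords, ignore_top_lines):
    """Reject an invalid capture before it is compared, so an error message
    is never reported as a configuration change."""
    if not is_valid(current, keywords):
        return "invalid", []
    changes = changed_lines(previous, current, ignore_top_lines)
    return ("changed" if changes else "unchanged"), changes

if __name__ == "__main__":
    for label, cap in [("2", CAPTURE_2), ("3", CAPTURE_3), ("failed", FAILED)]:
        print(label, backup_and_detect(CAPTURE_1, cap, KEYWORDS, ignore_top_lines=1))
```

With Ignore Top Lines left at 0, the second capture would be reported as changed even though only its timestamp line differs.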
The customer should also define the Device Configuration Rules to be used
Two pre-defined Rules, ‘DBC_BACKUP_ONLY’ and ‘DBC_BACKUP_AND_DETECT_CHANGE’, are available
The customer can then use the Rules in a production Relator to back up device configurations
After a successful run of the Device Configuration Rules, the customer should be able to see the backups and changes in the module ‘Device Configuration Backups’
Using the right-click menu, the customer can see the device configurations and changes in NOTEPAD
To restore, the customer can copy out the configuration, save it to a flash drive, and restore it through the device terminal
The user can also export all the backups to an Excel file
It is recommended to use the newer format ‘.xlsx’, which can hold larger content in a cell
The new feature is implemented in Argent AT 5.1A-1804-A
Technical Background
The configuration backups are stored in the SQL table ‘ARGSOFT_SN_DEVICE_CONFIGURATION’
The Cisco command ‘show running-config’ requires at least privilege level 15 to run
For better security, it is recommended to enable a password to secure the sensitive information
The Cisco commands ‘enable password’ and ‘no enable password’ are available for this purpose
See https://www.Cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfpass.html for details
For larger Cisco environments, a TACACS server can be used to provide user privileges for specific logon accounts
As a result, user privilege elevation might not be necessary for the Cisco logon account used in Argent AT monitoring
This can be significant for performance when dealing with a large number of Cisco devices
See Configuring TACACS+ for details
When exporting Device Configuration Backups to an Excel file, there are two formats to choose from
They are *.xls and *.xlsx
The latter is the newer format, in which a cell can hold many more characters
Windows bundles an Excel OLE DB driver that only supports the 97-2003 format (.xls)
To support the newer Excel format (.xlsx), the customer has to install the 32-bit Microsoft Access Database Engine (2010) or later, which can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=13255
Note: Install the 32-bit Engine (AccessDatabaseEngine.exe), not the 64-bit Engine (AccessDatabaseEngine_X64.exe)
They cannot be installed on the same machine
Resolution
Upgrade to Argent Advanced Technology 5.1A-1804-A or above