8.3. Cisco Router Configuration Backups

At my place of employment, we have a WAN connecting several remote locations. These remote locations have Cisco routers connected via ISDN, or in some instances, Centrex data circuits, to provide Internet and WAN connectivity. Cisco router products allow using TFTP ("Trivial File Transfer Protocol") on a network server to read and write configuration files. Whenever a router configuration is changed, it is important to save the configuration file on the Linux server so that a backup is maintained.

Please note that Red Hat disables the TFTP service by default, because it can be a real security hole if not configured properly. The TFTP daemon allows anyone to read and write files without performing authentication. The way I personally set things up is to create a ``/tftpboot/'' directory, owned by root, and then modify the existing configuration line in the ``/etc/inetd.conf'' file to specify the file location:

tftpd   dgram   udp    wait   root   /usr/sbin/tcpd  in.tftpd  /tftpboot

Note

Note: Adding the ``/tftpboot'' path at the end of the above line specifically indicates where the TFTP daemon is allowed to access files. Although you can actually leave this part out and allow TFTP to access files anywhere on your system, as TFTP is considered somewhat of a security risk, this would probably be a very bad idea.

Once you have enabled the TFTP service, don't forget to type:

killall -HUP inetd

The above command restarts the INETD daemon to recognize whatever changes you have made to the inetd.conf file.

Creating a backup of a router configuration file involves a 3-step process: setting permissions on an existing file (or creating a new one) to allow writes, writing the backup file, and then resetting permissions to restrict access to the file. An example router backup session follows:

mail:~# cd /tftpboot
mail:/tftpboot# chmod a+w xyzrouter-confg
chmod: xyzrouter-confg: No such file or directory
mail:/tftpboot# touch xyzrouter-confg
mail:/tftpboot# chmod a+w loyola-confg
mail:/tftpboot# telnet xyzrouter

Escape character is '^]'.
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# write network
Remote host []? 123.12.41.41
Name of configuration file to write [xyzrouter-confg]?  
Write file xyzrouter-confg on host 123.12.41.41? [confirm]  
Building configuration...
Writing xyzrouter-confg !! [OK] 
xyzrouter# exit
Connection closed by foreign host.

mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg
mail:/tftpboot# exit

In case of router failure (caused, for example, by a power surge during a lightning storm), these backup files can be helpful to reload the router configuration. Again, restoring from a configuration file involves a 3-step process: setting permissions on the existing file, loading the file, and then resetting permissions to restrict access to the file. An example router restoration session follows.

mail:~# cd /tftpboot
mail:/tftpboot# chmod a+r xyzrouter-confg
mail:/tftpboot# telnet xyzrouter

Escape character is '^]'.
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# config network
Host or network configuration file [host]?  
Address of remote host [255.255.255.255]? 123.12.41.41
Name of configuration file [xyzrouter-confg]?  
Configure using loyola-confg from 123.12.41.41? [confirm]  
Loading xyzrouter-confg from 123.12.41.41 (via BRI0): !
[OK - 1265/32723 bytes]
xyzrouter# write
xyzrouter# exit
Connection closed by foreign host.

mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg
mail:/tftpboot# exit