8.3. Cisco Router Configuration Backups

At my place of employment, we have a WAN connecting several remote locations. These remote locations have Cisco routers connected via ISDN, or in some instances, Centrex data circuits, to provide Internet and WAN connectivity. Cisco router products allow using TFTP ("Trivial File Transfer Protocol") on a network server to read and write configuration files. Whenever a router configuration is changed, it is important to save the configuration file on the Linux server so that a backup is maintained.

Please note that Red Hat disables the TFTP service by default, because it can be a real security hole if not configured properly. The TFTP daemon allows anyone to read and write files without performing authentication. The way I personally set things up is to create a ``/tftpboot/'' directory, owned by root, and then modify the existing configuration line in the ``/etc/inetd.conf'' file to specify the file location:

tftpd dgram udp wait root /usr/sbin/tcpd in.tftpd /tftpboot

Note: Note: Adding the ``/tftpboot'' path at the end of the above line specifically indicates where the TFTP daemon is allowed to access files. Although you can actually leave this part out and allow TFTP to access files anywhere on your system, as TFTP is considered somewhat of a security risk, this would probably be a very bad idea.

Once you have enabled the TFTP service, don't forget to type:

killall -HUP inetd

The above command restarts the INETD daemon to recognize whatever changes you have made to the inetd.conf file.

Creating a backup of a router configuration file involves a 3-step process: setting permissions on an existing file (or creating a new one) to allow writes, writing the backup file, and then resetting permissions to restrict access to the file. An example router backup session follows:

mail:~# cd /tftpboot mail:/tftpboot# chmod a+w xyzrouter-confg chmod: xyzrouter-confg: No such file or directory mail:/tftpboot# touch xyzrouter-confg mail:/tftpboot# chmod a+w loyola-confg mail:/tftpboot# telnet xyzrouter Escape character is '^]'. User Access Verification Password: **** xyzrouter> enable Password: **** xyzrouter# write network Remote host []? 123.12.41.41 Name of configuration file to write [xyzrouter-confg]?   Write file xyzrouter-confg on host 123.12.41.41? [confirm]   Building configuration... Writing xyzrouter-confg !! [OK]  xyzrouter# exit Connection closed by foreign host. mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg mail:/tftpboot# exit

In case of router failure (caused, for example, by a power surge during a lightning storm), these backup files can be helpful to reload the router configuration. Again, restoring from a configuration file involves a 3-step process: setting permissions on the existing file, loading the file, and then resetting permissions to restrict access to the file. An example router restoration session follows.

mail:~# cd /tftpboot mail:/tftpboot# chmod a+r xyzrouter-confg mail:/tftpboot# telnet xyzrouter Escape character is '^]'. User Access Verification Password: **** xyzrouter> enable Password: **** xyzrouter# config network Host or network configuration file [host]?   Address of remote host [255.255.255.255]? 123.12.41.41 Name of configuration file [xyzrouter-confg]?   Configure using loyola-confg from 123.12.41.41? [confirm]   Loading xyzrouter-confg from 123.12.41.41 (via BRI0): ! [OK - 1265/32723 bytes] xyzrouter# write xyzrouter# exit Connection closed by foreign host. mail:/tftpboot# chmod a-wr,u+r xyzrouter-confg mail:/tftpboot# exit