Backing Up the Running Configuration
The switch configuration that you edit with the CLI is called the running configuration, or running config. You can save the running config for the next reboot, disaster recovery, or for exporting the configuration from one switch to another.

The running config is divided into two major components: the local-running config for the current switch, and global config for parameters that are shared by both switches in a redundant pair. This chapter explains how to save both config types and restore them later.
Before you begin backing up the configuration, you have the option to simplify FTP uploads and/or SCP transfers later. The running config exists in one or more local files, which you can copy to an external FTP or SCP server. The default FTP username/password is anonymous/upgrade-hostname, but you can enter a specific username/password for each copy. There is no default for SCP transfers. To avoid retyping FTP or SCP credentials each time, you can establish a default username and password for each transfer protocol.

From cfg mode, use ip ftp-user to set the FTP username:

where username is 1-32 characters.

where, as above, username is 1-32 characters.

bstnA(cfg)# ip ftp-user juser
bstnA(cfg)# ip scp-user juser

The next step in saving the running configuration is to save the local running config. The local running config applies only to the current switch: this config includes network and chassis parameters. From priv-exec mode, use the copy running-config command to save the local config as an executable script.

scripts is the destination directory, and destination-file (1-1024 characters) is a name you choose for the running-config file.

bstnA# copy running-config scripts running

copy running-config ftp://[username:password@]ftp-site/file

username:password@ (optional) is an FTP username and password (the default is the username/password set by the ip ftp-user command, described above), ftp-site identifies the FTP server with an IP address or FQDN (for example, 172.16.88.3 or ftp.myftpsite.com), and file is the chosen file name. Lead with an extra / if the path starts at the root of the server machine; for example, aramis//var/cfg/running-config specifies /var/config/running-config on server aramis. Omit the leading slash if the file is going to the home directory for username.
bstnA# copy running-config ftp://juser:/oct24lcl

copy running-config scp://username@server:file [accept-host-key]

username@ (optional) is a valid username at the remote host (the default is the username set by the ip scp-user command, described above), server identifies the SCP server with an IP address or FQDN (for example, 172.16.100.18 or deb1.mynet.com), and file is the chosen file name. Lead with a slash (scp-server:/file) if the file path is absolute. Without the slash, the path is presumed to start in the home directory for username.

accept-host-key (optional) tells the CLI to accept an unknown host key if offered by the SCP server. The host key authenticates the server; if the key is unknown, it is possible that an attacker has taken the server's hostname and/or IP address. Note that any SCP server is unknown if the switch has not had an SCP exchange with it since the switch's last reboot.

The CLI prompts for the username's password, unless you set up a default with the ip scp-user command. If the prompt appears, enter a password that is valid at the remote site.

bstnA# copy running-config scp://rh1.wwmed.com:oct24running

You can also place the config file into an ARX volume. You can use the nfs or cifs clause to send the config file to a given directory in a given volume:

cifs | nfs is a required choice. This is the network protocol used to transfer the config file to the ARX volume.
namespace (1-30 characters) identifies the destination namespace.
volume (1-1024 characters) is the destination-volume name.
dest-path (1-1024 characters) is the intended path from the volume root (above) to the config file. The directory you specify here must exist on the volume.

bstnA# copy running-config cifs medarcv /rcrds admin/oct24running

file is the chosen file name.

bstnA(cfg-smtp)# mail-server email1.wwmed.com
bstnA(cfg-smtp)# from
bstnA# copy running-config smtp:///oct24running

You can send the current local config to the screen without saving it to a file.
Use the show running-config command to view all the CLI commands required to re-create the local running-config.

bstnA> show running-config
; Version 6.01.000.14059 (Aug 12 2011 20:10:50) [nbuilds]
; Database version: 601000.106
; Generated running-config Thu Aug 18 02:22:14 2011
; System UUID d9bdece8-9866-11d8-91e3-f48e42637d58
terminal character-set unicode-utf-8
;================================= vlan ==================================
description "personnel dept."
;============================ config-if-vlan =============================
ip address 192.168.25.5 255.255.255.0
ip address 10.46.11.253 255.255.0.0

The next step in saving the running configuration is to save the global-config parameters. The global config is the part of the configuration that is shared among both ARXes in a redundant pair: this includes namespace and policy parameters. From priv-exec mode, use the copy global-config command to save the global config to an executable script file.

scripts is the destination directory, and destination-file (1-1024 characters) is a name you choose for the global-config file.

bstnA# copy global-config scripts global

copy global-config ftp://[username:password@]ftp-site/file

username:password@ (optional) is an FTP username and password (the default is the username/password set by the ip ftp-user command), ftp-site identifies the FTP server with an IP address or FQDN (for example, 172.16.88.3 or ftp.myftpsite.com), and file is the chosen file name. As with other FTP copies, use two slashes (ftp-site//file) if the file path is absolute.

bstnA# copy global-config ftp://juser://var/oct24gbl

copy global-config scp://username@server:file [accept-host-key]

username@ (optional) is a valid username at the remote host (the default is the username set by the ip scp-user command, described earlier), server identifies the SCP server with an IP address or FQDN (for example, 172.16.100.12 or host.mynet.com), and file is the chosen file name.
Lead with a slash (scp-server:/file) if the file path is absolute. Without the slash, the path is presumed to start in the home directory for username.

accept-host-key (optional) tells the CLI to accept an unknown host key if offered by the SCP server. The host key authenticates the server; if the key is unknown, it is possible that an attacker has taken the server's hostname and/or IP address. Note that any SCP server is unknown if the switch has not had an SCP exchange with it since the switch's last reboot.

The CLI prompts for the username's password, unless you set up a default with the ip scp-user command. If the prompt appears, enter a password that is valid at the remote site.

bstnA# copy global-config scp://rh1.wwmed.com:/var/oct24gbl

You can also place the config file into an ARX volume. You can use the nfs or cifs clause to send the config file to a given directory in a given volume:

cifs | nfs is a required choice. This is the network protocol used to transfer the config file to the ARX volume.
namespace (1-30 characters) identifies the destination namespace.
volume (1-1024 characters) is the destination-volume name.
dest-path (1-1024 characters) is the intended path from the volume root (above) to the config file. The directory you specify here must exist on the volume.

bstnA# copy global-config cifs medarcv /rcrds admin/oct24gbl

file is the chosen file name.

bstnA(cfg-smtp)# mail-server email1.wwmed.com
bstnA(cfg-smtp)# from
bstnA(cfg-smtp)# to
bstnA# copy global-config smtp://oct24gbl

You can send the current global config to the screen without saving it to a file. Use the show global-config command to view all the CLI commands required to re-create the global config.
bstnA> show global-config
; Version 6.01.000.14059 (Aug 12 2011 20:10:50) [nbuilds]
; Database version: 601000.106
; Generated global-config Thu Aug 18 02:22:15 2011
terminal character-set unicode-utf-8
;================================ global =================================
kerberos health-check threshold 3500
;================================= user ==================================
user adm1 encrypted-password 54yL5vSNV3206ZSWtR6dsumZt0fsIY25EMsJZf79tVk=
user admin encrypted-password 50bNTfSNV3206ZSWtR6dsumZt0fsIY25hfpcuPT8l2k=
;================================= group =================================
windows-domain MEDARCH.ORG

bstnA> show global-config security
;================================= group =================================
;============================= radius-server =============================
;============================ nfs-access-list ============================
;============================= ntlm-auth-db ==============================
;=========================== ntlm-auth-server ============================
;============================== proxy-user ===============================
;============================= win-mgmt-auth =============================
radius-server 192.168.25.201
radius-server 192.168.25.207
nfs-access-list eastcoast
description "allowable subnets in MA, NY, & DC"
permit 172.16.100.0 255.255.255.0 read-write root squash
permit 172.16.204.0 255.255.255.0 read-only root allow
permit 172.16.0.0 255.255.0.0 read-write root squash
permit netgroup surgeons read-write root allow
permit netgroup medtechs read-only root squash
deny 192.168.77.0 255.255.255.0
deny 192.168.202.0 255.255.255.0
permit 192.168.98.0 255.255.255.0 read-write root allow
permit 192.168.0.0 255.255.0.0 read-write root squash
nfs-access-list westcoast
permit 172.209.3.0 255.255.255.0 read-write root squash
permit 172.214.1.0 255.255.255.0 read-write root squash
encrypted-password V4K/jx9iwZifO974V0iS8Ok7sDOIJkPBi71fuA==
ip address 192.168.25.109
windows-domain MEDARCH.ORG pre-win2k-name NTNET
encrypted-password V4K/jx9iwZifO974V0iS8Ok7sDOIJkPBi71fuA==
ip address 192.168.25.102
windows-domain MEDARCH.ORG pre-win2k-name NTNET
description "jq's admin account"
windows-domain WWMEDNET.COM pre-win2k-name WWMEDNET
windows-domain FDTESTNET.COM pre-win2k-name BOSTONCIFS
windows-domain MEDARCH.ORG pre-win2k-name MEDARCH
user root encrypted-password ePQN2FeCv48fYsGYnzve+FdIkvDpO7AziCZDwYu9X7g=
windows-domain NY.COM pre-win2k-name NY
description "user with backup and admin creds on our servers"
windows-domain MEDARCH.ORG pre-win2k-name MEDARCH
windows-mgmt-auth fullAccess
user juser windows-domain MEDARCH.ORG
user jquser windows-domain MEDARCH.ORG
windows-mgmt-auth readOnly
user mhoward_md windows-domain MEDARCH.ORG
user zmarx_cpa windows-domain MEDARCH.ORG
user lfine_md windows-domain MEDARCH.ORG
user choward_md windows-domain MEDARCH.ORG
windows-mgmt-auth snapViewers
user juser windows-domain MEDARCH.ORG
user jquser windows-domain MEDARCH.ORG

name (1-30 characters) identifies the namespace,

where name (1-255 characters) is the fully-qualified domain name (FQDN) for the front-end service.
bstnA> show global-config namespace medarcv
;=============================== namespace ===============================
cifs authentication kerberos
cifs authentication ntlmv2
windows-mgmt-auth readOnly
windows-mgmt-auth fullAccess
windows-mgmt-auth snapViewers
cifs access-based-enum auto-enable
cifs notify-change-mode ignore-subtree-flag
snapshot directory display all-exports
snapshot privileged-access
metadata share nas1 nfs3 /vol/vol1/meta6
policy freespace percent 3 resume-migrate 5
filer fs2 cifs backlot_records
import skip-managed-check
policy freespace percent 3 resume-migrate 5
filer nas10 cifs equipment
policy freespace percent 3 resume-migrate 5
filer nas10 cifs for_lease
cifs access-based-enum exclude
policy freespace percent 3 resume-migrate 5
filer fs5 cifs xraysScanners
contents volume-config metadata
report leTier1 verbose delete-empty
inline report hourly leTier1 verbose
from fileset modThisMonth
report leTier2 verbose delete-empty
place-rule masterDirs2Tier1
from fileset allDirs match directories promote-directories
filer-subshares replicate

scripts is the destination directory, and destination-file (1-1024 characters) is a name you choose for the startup-config file.

bstnA# copy startup-config scripts start_conf

Use a URL in the copy startup-config command to save the startup config to an FTP site:

copy startup-config ftp://[username:password@]ftp-site/file

username:password@ (optional) is an FTP username and password (the default is the username/password set by the ip ftp-user command), ftp-site identifies the FTP server with an IP address or FQDN (for example, 172.16.88.3 or ftp.myftpsite.com), and file is the chosen file name. As with other FTP copies, use two slashes (ftp-site//file) if the file path is absolute.

bstnA# copy startup-config ftp://juser:/feb6startup

copy startup-config scp://username@server:file [accept-host-key]

The CLI prompts for the username's password if there is no ip scp-user defined.
If the password prompt appears, enter a password that is valid at the remote site. Then a message shows the results of the copy operation.

bstnA# copy startup-config scp://:/var/feb6startup

You can also place the config file into an ARX volume. You can use the nfs or cifs clause to send the config file to a given directory in a given volume:

cifs | nfs is a required choice. This is the network protocol used to transfer the config file to the ARX volume.
namespace (1-30 characters) identifies the destination namespace.
volume (1-1024 characters) is the destination-volume name.
dest-path (1-1024 characters) is the intended path from the volume root (above) to the config file. The directory you specify here must exist on the volume.

bstnA# copy startup-config cifs medarcv /rcrds admin/feb6startup

bstnA(cfg-smtp)# mail-server email1.wwmed.com
bstnA(cfg-smtp)# from
bstnA(cfg-smtp)# to
bstnA# copy startup-config smtp://feb6startup
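
The FTP and SCP URL rules described above for copy running-config, copy global-config and copy startup-config, as an added example that is not part of the ARX documentation: a Python check that parses saved command lines, works out whether the file path is absolute, and flags an inline password or the accept-host-key option. The sample commands, the password and the file names are constructed for illustration.

```python
import re

# Matches the FTP and SCP forms of the copy command shown on this page.
COPY_RE = re.compile(
    r"copy\s+(?P<config>running-config|global-config|startup-config)\s+"
    r"(?P<scheme>ftp|scp)://(?P<rest>\S+)(?P<opts>.*)$")

def audit_copy(line):
    """Parse one copy command; return None if it is not an FTP/SCP config copy."""
    m = COPY_RE.search(line)
    if m is None:
        return None
    creds, _, target = m["rest"].rpartition("@")  # creds == "" when no user was typed
    user, _, password = creds.partition(":")
    # FTP separates host and file with "/", SCP with ":"; in both forms a file
    # part that still starts with "/" is an absolute path on the server.
    sep = "/" if m["scheme"] == "ftp" else ":"
    host, _, path = target.partition(sep)
    findings = []
    if password:
        findings.append("password typed inline in the URL")
    if "accept-host-key" in m["opts"].split():
        findings.append("unknown SCP host key accepted without verification")
    if not user:
        findings.append("no username given: default credentials apply")
    # Mask the password so the line can be stored or shared safely.
    redacted = line.replace(":%s@" % password, ":***@") if password else line
    return {"config": m["config"], "scheme": m["scheme"], "user": user,
            "host": host, "path": path, "absolute": path.startswith("/"),
            "findings": findings, "redacted": redacted}

# Constructed sample history: hosts are taken from the page's examples, the
# password and file names are made up for this illustration.
SAMPLE = [
    "bstnA# copy running-config ftp://juser:Example-Pw1@ftp.myftpsite.com//var/cfg/oct24lcl",
    "bstnA# copy global-config scp://juser@172.16.100.12:oct24gbl accept-host-key",
    "bstnA# copy startup-config scp://deb1.mynet.com:/var/feb6startup",
    "bstnA# copy running-config scripts running",
]

def audit_history(lines):
    """Return the parsed record for every FTP/SCP config copy in lines."""
    return [r for r in map(audit_copy, lines) if r is not None]

if __name__ == "__main__":
    for rec in audit_history(SAMPLE):
        print(rec["redacted"], "->", rec["absolute"], rec["findings"])
```
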
copy ftp://[username:password@]ftp-site/file scripts destination

username:password@ (optional) is an FTP username and password (the default is the username/password set by the ip ftp-user command), ftp-site identifies the FTP server with an IP address or FQDN (for example, 172.16.88.3 or ftp.myftpsite.com), file is the script name at the server (lead with an extra / if the path is absolute), scripts specifies the directory for the destination file, and destination is the script name at the chassis.

bstnA# copy ftp://juser:/feb6startup scripts start_conf
% INFO: The copy command completed successfully.

bstnA# delete startup-config

From priv-exec mode, use the run command to run each running-config script:

where script-name (1-1024 characters) identifies the running-config script. Use show scripts for a list of available scripts.

SWITCH# run scripts start_conf

For instructions on joining a redundant pair, refer to Enabling Redundancy, on page 7-19 of the ARX® CLI Network-Management Guide.

Peer A
SWITCH# run scripts running
SWITCH(cfg)# hostname prtlndA

Peer B
SWITCH# run scripts running-B
SWITCH(cfg)# hostname prtlndB

Peer A
Wait for the peers to join. Use the show redundancy command: when both peers and the quorum disk are Up, the pair is complete.

prtlndA(cfg-redundancy)# show redundancy
Node Switch/Quorum Disk   Status     Role    Total Last (UTC)
---- -------------------- ---------- ------- ----- -------------------
*1   prtlndA              Up         Active  Never -
2    prtlndB              Up         Backup  1     05:33:19 09/14/2009
QD   192.168.74.83        Up         Quorum  1     05:33:07 09/14/2009
prtlndA(cfg-redundancy)# ...
prtlndA(cfg-redundancy)# end
prtlndA# run scripts global

After executing the resource-profile command on both devices in the pair, you must execute the dual-reboot command to reboot both devices at once. This is true also if you replay a running-config script with the resource-profile legacy setting. (One method of replaying a running-config is to save the file on the ARX-2500 and use the run command.)
After replaying the config script, you must reload the ARX-2500 for resource-profile legacy to take effect.

SWITCH# run scripts running-B
SWITCH(cfg)# hostname prtlndB