Manage Device Configuration Files

Set Up Device Configuration File Management

Make Sure Devices Are Configured Correctly

Cisco Evolved Programmable Network Manager can transfer files to and from devices only if the SNMP read-write community strings configured on your devices match the strings that were specified when the devices were added to Cisco Evolved Programmable Network Manager. In addition, devices must be configured according to the settings in How Is Inventory Collected?.


Note


To improve security, Cisco Evolved Programmable Network Manager no longer uses some of the SSH CBC (Cipher Block Chaining) ciphers that older Cisco IOS-XE and IOS-XR versions use, as they have been deemed weak. For devices running Cisco IOS-XE, upgrade to version 16.5.x or later. For devices running Cisco IOS-XR, upgrade to version 6.1.2 or later. Otherwise, several Software Image Management operations will fail.

Although we do not recommend doing so (since it weakens security), you also have the option to add the CBC ciphers that Cisco Evolved Programmable Network Manager stopped using back to its SSHD service configuration file. To do so, first configure the CBC ciphers in the Ciphers line of the /etc/ssh/sshd_config file (as shown in the example below), then restart the sshd service using the service sshd stop/start command.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc
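The following is an added example, not Cisco's code: a Python check that reads the text of an sshd_config file and reports which weak ciphers its effective Ciphers line enables, so you can confirm whether the CBC ciphers have been added back. Treating arcfour as weak alongside CBC, the function names, and the sample configurations are assumptions of this example.

```python
import re

# Assumption of this example: CBC-mode ciphers (the ones the page calls weak)
# and arcfour (RC4) ciphers are both reported as weak.
WEAK = (re.compile(r"-cbc(@|$)"), re.compile(r"^arcfour"))
CIPHERS_LINE = re.compile(r"^ciphers(?:\s*=\s*|\s+)(\S.*)$", re.IGNORECASE)

# Constructed sample configurations (not taken from a real server).
SAMPLE_REENABLED = """\
# CBC ciphers added back
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc
Ciphers aes256-ctr
"""
SAMPLE_HARDENED = "Port 22\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n"
# A list wrapped onto a second line: the continuation is not part of the value.
SAMPLE_WRAPPED = "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,\naes128-cbc,3des-cbc\n"


def effective_ciphers(config_text):
    """Return (modifier, [cipher, ...]) from the first Ciphers line, else None.

    sshd keeps the first value it reads for a keyword, so a later Ciphers
    line has no effect and is ignored here as well.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = CIPHERS_LINE.match(line)
        if not match:
            continue
        value = match.group(1).strip()
        modifier = ""
        if value[0] in "+-^":  # append to, remove from, or prepend to defaults
            modifier, value = value[0], value[1:]
        return modifier, [name.strip() for name in value.split(",")]
    return None


def audit_ciphers(config_text):
    """Report the weak ciphers that the effective Ciphers line enables."""
    result = {"configured": False, "wrapped": False, "weak": [], "other": []}
    found = effective_ciphers(config_text)
    if found is None:
        return result  # no Ciphers line: the sshd defaults apply
    modifier, names = found
    result["configured"] = True
    # An empty entry means the list ended in a comma, typically a wrapped line.
    result["wrapped"] = "" in names
    names = [name for name in names if name]
    if modifier == "-":
        names = []  # a '-' list removes ciphers, it enables none
    for name in names:
        key = "weak" if any(p.search(name) for p in WEAK) else "other"
        result[key].append(name)
    return result


if __name__ == "__main__":
    for label, text in (("re-enabled", SAMPLE_REENABLED),
                        ("hardened", SAMPLE_HARDENED),
                        ("wrapped", SAMPLE_WRAPPED)):
        report = audit_ciphers(text)
        print(label, "weak:", report["weak"], "wrapped:", report["wrapped"])
```

To audit a real server, pass the contents of /etc/ssh/sshd_config to audit_ciphers and treat any entry under "weak" as a finding to justify or remove.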


Note


Software Image Management is not supported in the NAT environment. This means that image management features such as image import, upgrade, distribution, and activation, will not function in the NAT environment.

Control How Archiving is Triggered

By default, Cisco EPN Manager saves device configuration files to the archive when:

  • A new device is added to Cisco EPN Manager.

  • A device change notification is received.

Archive collection is not carried out in case of a full or granular sync.


    Note


    When an event occurs, archive data is collected after the configured hold off timer period has elapsed.

Users with Administrator privileges can change these settings.

Procedure


Step 1

Choose Administration > Settings > System Settings, then choose Inventory > Configuration Archive.

Step 2

Adjust the archiving settings depending on the following criteria.

| Check this check box: | To archive files: |
|---|---|
| Archive configuration while adding a device | When a new device is added (enabled by default) |
| Collect Configuration Archive whenever configuration is changed | When a configuration change notification is sent (enabled by default); see Set Up Event-Triggered Archiving |

Step 3

To schedule regular archiving for groups of devices (or single devices):

  1. Choose Inventory > Device Management > Configuration Archive.

  2. Under the Devices tab, select the devices or device groups that you want to archive regularly.

  3. Click Schedule Archive Collection and complete the schedule settings in the Recurrence area. If the operation is performed on many devices, schedule the archiving for a time that is least likely to impact production.

  4. Click the Backup to Repository button to transfer the device configuration periodically to an external repository. You can configure or create the repository using CLI commands. The supported repositories are FTP, SSH FTP (SFTP), and Network File System (NFS). You can also choose to encrypt the exported files using GnuPG, in which case you must provide an encryption password.


Set Up Event-Triggered Archiving

By default, Cisco EPN Manager backs up a device’s configuration files whenever it receives a change notification event. This works only if devices are configured correctly; see How Is Inventory Collected?. For example, for devices running Cisco IOS-XR and Cisco IOS XE, the following setting must be configured:


logging server-IP 

When Cisco EPN Manager receives a configuration change event, it waits 10 minutes (by default) before archiving in case more configuration change events are received. This prevents multiple collection processes from running at the same time. To check or change this setting, choose Administration > Settings > System Settings, then choose Inventory > Configuration Archive and adjust the Hold Off Timer (min).


Note


The Hold Off Timer may be set to a shorter period for certain events, called expedited events. For more information, see Change the Behavior of Expedited Events.


To turn off event-triggered archiving, choose Administration > Settings > System Settings, then choose Inventory > Configuration Archive and uncheck the Collect Configuration Archive whenever configuration is changed check box.

Specify Items to be Excluded When Configuration Files Are Checked for Changes

Some lines in device configuration files should be excluded when Cisco Evolved Programmable Network Manager compares different versions to identify changes. Cisco Evolved Programmable Network Manager excludes some lines by default, such as clock settings for routers and switches. If you have Administrator privileges, you can check which lines are excluded, and add more lines to be excluded.

Procedure


Step 1

Choose Administration > Settings > System Settings, then choose Inventory > Configuration Archive.

Step 2

Click the Advanced tab.

Step 3

In the Product Family list, choose the devices or groups to which you want to apply the command exclusions.

Step 4

In the Command Exclude List, enter a comma-separated list of configuration commands you want to exclude for that selection. These are the parameters Cisco Evolved Programmable Network Manager will ignore when checking devices for configuration changes.

Step 5

Click Save.


Control the Timeouts for Configuration Archive Operations

The Configuration Archive task uses the Device CLI Timeout value for each fetch activity. A single Configuration Archive task entails 1 to 5 files. Consequently, the overall job timeout value is determined using the following logic:

Overall job timeout = Number of files * Device CLI Timeout

To configure a CLI timeout value, choose Inventory > Device Management > Network Devices, click the edit device icon, select the Telnet/SSH option, and then enter a value in the Timeout field.


Note


You must increase the Device CLI timeout value if the Configuration Archive task fails due to CLI timeout.


Control How Often Alarms are Triggered

By default, Cisco Evolved Programmable Network Manager saves device configuration files to the archive based on the configured settings. However, when these jobs fail, you can choose to generate an alarm notification.

When a Configuration Archive job fails, Cisco Evolved Programmable Network Manager waits for 7 days or for more than 5 (by default) configuration files before triggering an alarm. The alarm includes the cause of the trigger and other details associated with the configuration archives. To change the default settings for how often the alarms are generated, choose Administration > Settings > System Settings, then choose Inventory > Configuration Archive, and adjust the Alarm Threshold parameters: the maximum number of configuration files (exceeding which an alarm is generated) and the number of days to wait before the alarm is triggered.

Control When Device Configuration Files are Purged from the Database

Device configuration files cannot be automatically deleted from the database (you can manually delete the files); they can be periodically purged by Cisco EPN Manager based on your settings. Users with Administrator privileges can adjust when configuration files are purged as follows. If you do not want any configuration files purged, follow this procedure but leave both fields blank.


Note


For a description of how to manually delete a configuration file, see Delete Archived Device Configuration Files.


Procedure


Step 1

Choose Administration > Settings > System Settings, then choose Inventory > Configuration Archive.

Step 2

Adjust the archive settings depending on the following criteria.

| Use this field: | To purge files when: |
|---|---|
| Maximum configuration archive versions to be retained per device | The number of a device’s configuration files exceeds this setting (5 by default). |
| Maximum days to retain configuration archive | A configuration file’s age exceeds this setting (7 days by default). However, configurations are purged only when a new version is created, ensuring that at least one version is always retained for recovery. |

Note

The configuration archive feature retains at least one version of the configuration regardless of the specified retention period. This ensures that a baseline configuration is available for recovery purposes, especially in emergency situations. Purging of configuration files occurs only when a new configuration version is created.


How Do I Determine When Files Are Last Archived?

Procedure


Step 1

To find the most recent date when the device running configuration files are backed up to the archive, navigate to Inventory > Device Management > Configuration Archive, and click the Devices tab. The Latest Archive column lists the archiving time stamp for each device with the most recent archive listed first.

The Created By column in the Archives tab displays the archive trigger (for example, a syslog).

Step 2

To view the most recently archived running configuration file contents of a device, click the time stamp hyperlink. The Running Configuration window displays the contents of the file.

To view the changes that are made among archives for a device, see Compare or Delete Device Configuration Files.


Back Up Device Configuration Files to the Archive

What Is Backed Up to the Database?

The configuration archive maintains copies of device configuration files, storing them in the database. Most configuration files are stored in readable format as received from the device and can be compared with earlier versions. Device configurations can be restored to earlier states using the files saved in the archive.

If the running configurations and startup configurations on a device are similar, then Cisco EPN Manager copies only the running configuration to the database. This is why in some cases, when you view the image repository, you will only see an archive for the running configuration.

If a configuration file has not changed since its last backup, then Cisco EPN Manager does not archive the file. Cisco EPN Manager reports that the job was successful and the job result displays Already Exists.

Cisco EPN Manager collects and archives the following device configuration files.

Device/Device OS

What is Backed Up

Cisco IOS and Cisco IOS-XE

Latest startup, running, and VLAN configuration.

Cisco IOS-XR

  • Latest running configuration, including active packages. Devices must be managed with a system user because the copy command is not available in the command-line interface (CLI) for non-system users.

  • Database configuration (binary file).

    Note

     

    For Cisco NCS 1010 devices, only the latest running configuration is backed up.

    Note

     
    For Cisco NCS 4000 devices, the database is backed up as a .tgz file to a file system on your local machine.

Cisco NCS devices

Database configuration (binary file).

Note

 
For Cisco NCS 2000 devices, the database is backed up as a binary file. Because it is not a text file, you cannot compare versions, but you can identify them by their file time stamps in the configuration archive.

Back Up (Archive) Configuration Files

When a configuration file is backed up, Cisco Evolved Programmable Network Manager fetches a copy of the configuration file from the device and copies it (backs it up) to the configuration archive (database). Before saving a copy to the archive, Cisco Evolved Programmable Network Manager compares the fetched file with the last version of the same type in the archive (running with running, startup with startup). Cisco Evolved Programmable Network Manager archives the file only if the two files are different. If the number of archived versions exceeds the maximum (5, by default), the oldest archive is purged.

For devices that support both running and startup configurations, Cisco Evolved Programmable Network Manager identifies out-of-sync (unsynchronized) devices during the backup process by comparing the latest version of the startup configuration with the latest version of the running configuration file. For more information on out-of-sync devices, see Synchronize Running and Startup Device Configurations.

The following table describes the supported backup methods and how they are triggered. To check or adjust the default settings, see Control How Archiving is Triggered.

When you archive a Cisco NCS 2000 database, if you receive an error message saying the database or flash is busy, it is likely caused by one of the following:

  • You are performing the archive operation in parallel with other Configuration Archive or Image Management operations. You should retry the operation after a short period of time.

  • Multiple users are performing the same operation at the same time. You should retry the operation after a short period of time.

  • The device has a software download alarm that has not been cleared. You should clear the alarm.

Table 1. Backup Method

| Backup Method | Description | Notes |
|---|---|---|
| On-demand manual backup | Choose Inventory > Device Management > Configuration Archive, choose devices, and click Schedule Archive Collection (run the job immediately or at a later time). | N/A |
| Regular scheduled backups | Choose Inventory > Device Management > Configuration Archive, choose devices, and click Schedule Archive Collection. In the scheduler, specify a Recurrence. | N/A |
| New device backups | Cisco Evolved Programmable Network Manager automatically performs backup for new devices. | Enabled by default |
| Event-triggered backups (device change notifications) | Cisco Evolved Programmable Network Manager automatically performs backup when it receives a syslog from a managed device. | Enabled by default |

View the Device Configuration Files That Are Saved in the Archive

View All Archived Files

To view the configuration files that are saved in the database, choose Inventory > Device Management > Configuration Archive. Click the Archives or Devices tabs depending on where you want to start:

By default, Cisco Evolved Programmable Network Manager saves up to 5 versions of a file, and deletes any files that are older than 7 days; device configuration files cannot be manually deleted from the database. (To check the current purging settings, see Control When Device Configuration Files are Purged from the Database.)

View Archived Files for a Specific Device


Note


If you only see a running configuration file and not a startup file, that is because the two files are the same. Cisco Evolved Programmable Network Manager only backs up the startup configuration when it is different from the running configuration.

Procedure


Step 1

Choose Inventory > Device Management > Configuration Archive, then click the Devices tab.

Step 2

Click a device name hyperlink. Cisco Evolved Programmable Network Manager lists archived files according to their timestamps.


View the Raw Content of an Archived Configuration File

Use this procedure to view the startup, running, and (if supported) VLAN, database, and admin configuration files that have been saved to the configuration archive. You can choose versions according to timestamps and then compare them with other versions.


Note


For Cisco NCS 2000 and Cisco NCS 4000 devices, the database is backed up as a binary file. Because it is not a text file, you cannot view it or compare it with other versions; instead, you can export the file directly.

To view the contents of a running configuration file stored in the configuration archive:

Procedure


Step 1

Choose Inventory > Device Management > Configuration Archive, then click the Devices tab.

Step 2

Click a device name hyperlink. Cisco Evolved Programmable Network Manager lists archived files according to their timestamps.

Step 3

Expand a timestamp to view the files that were archived at that time. You will see the details for Running Configuration, Startup Configuration, Admin Configuration, VLAN Configuration, and Database Configuration. Click the Details hyperlink under these categories, to see more information.

Note

 
If you only see a running configuration file and not a startup file, that is because the two files are the same. Cisco Evolved Programmable Network Manager only backs up the startup configuration when it is different from the running configuration.

Step 4

Click a file under Configuration Type to view its raw data. The Raw Configuration tab lists the file contents, top to bottom.

Step 5

To compare it with another file, click any of the hyperlinks under the Compare With column. The choices depend on the device type and number of configuration files that have been backed up to the archive. Color codes indicate what was updated, deleted, or added.


Label Important Configuration Files With Tags

Assigning tags to configuration files is a clear method for identifying important configurations and conveying critical information. The tag is displayed with the list of files on the Configuration Archive page. Tags can also be edited and deleted using the following procedure.

Procedure


Step 1

Choose Inventory > Device Management > Configuration Archive.

Step 2

Under the Archives tab, locate the configuration file you want to label, and click Edit Tag.

Step 3

Enter your content in the Edit Tag dialog box (or edit or delete existing tags) and click Save.


Synchronize Running and Startup Device Configurations

Devices that have startup configuration files and running configuration files may become out-of-sync (unsynchronized). A device is considered out-of-sync if its startup file (which is loaded when a device is restarted) is different from its running configuration. Unless a modified running configuration is also saved as the startup configuration, if the device is restarted, the modifications in the running configuration will be lost. The overwrite operation synchronizes the files by overwriting the device’s startup configuration with its current running configuration.


Note


This device configuration file synchronize operation is different from the Sync operation, which performs an immediate inventory collection for a device. That Sync operation is described in Collect a Device's Inventory Now (Sync).


Procedure


Step 1

Identify the devices that are out-of-sync:

  1. Choose Inventory > Device Management > Configuration Archive.

  2. Under the Devices tab, check the Startup/Running Mismatch field.

  3. If any devices list Yes, make note of the devices.

Step 2

To synchronize the devices:

  1. Under the Devices tab, select the out-of-sync devices, and click Schedule Archive Overwrite. (See Overwrite a Startup Configuration with a Running Configuration for more information about the overwrite operation.)

Step 3

To check the job details, choose Administration > Job Dashboard to view details about the overwrite jobs.


Download Configuration Files

You can download the Startup and Running configuration files for up to 1000 devices at a time to your local system.

Procedure


Step 1

Choose Inventory > Device Management > Configuration Archive.

Step 2

In the Export Latest Archives drop-down list, select one of the following options to download the configuration files:

  1. Sanitized—The device credential password will be masked in the downloaded file.

  2. Unsanitized—The device credential password is visible in the downloaded file.

The Unsanitized option appears based on the user permission set in Role Based Access Control (RBAC).

This option downloads all supported configurations on the device as a CSV file. To download only the Startup or the Running configuration of the device, use the alternate steps given below:

  • Click the device for which you want to download configuration files on the Inventory > Device Management > Configuration Archive page. Alternatively, click the device on the Inventory > Device Management > Network Devices page and then click the Configuration Archive tab.

  • Use the expand icon to display the required configuration details in the archive.

  • Click Details.

  • Select Sanitized or Unsanitized in the Export drop-down list.

Remember

 
Before you upload this config file to your WLC, you must add the keyword config at the beginning of each line.

Compare or Delete Device Configuration Files

The comparison feature displays two configuration files side by side with additions, deletions, and excluded values indicated by different colors. You can use this feature to view the differences between startup and running configuration files for out-of-sync devices, or to find out if similar devices are configured differently. You can then delete the configuration archives from the database.

Cisco Evolved Programmable Network Manager excludes a small set of commands by default, such as the NTP clock rate (which constantly changes on a managed network element but is not considered a configuration change). You can change the excluded commands list as described in Specify Items to be Excluded When Configuration Files Are Checked for Changes.
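The following is an added example, not Cisco's code, covering both this comparison behavior and the Command Exclude List described in Specify Items to be Excluded When Configuration Files Are Checked for Changes. It is a Python model of comparing two archived versions while ignoring excluded commands, and it also reports what the exclusions hid so the list can be reviewed. Matching each list entry as a line prefix, the ntp clock-period command, and the sample configurations are assumptions of this example.

```python
import difflib

# Constructed sample archive versions (not real device output).
OLD_CONFIG = """\
hostname edge-rtr-01
ntp clock-period 17179869
username netops privilege 15 secret 9 <constructed-hash>
ip access-list extended MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
"""
NEW_CONFIG = """\
hostname edge-rtr-01
ntp clock-period 17180012
username netops privilege 15 secret 9 <constructed-hash>
username tempadmin privilege 15 secret 9 <constructed-hash>
ip access-list extended MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
"""


def parse_exclude_list(text):
    """Split a comma-separated exclude list into trimmed, non-empty entries."""
    return [item.strip() for item in text.split(",") if item.strip()]


def _is_excluded(line, prefixes):
    # Assumption: an entry excludes every line that starts with it.
    stripped = line.strip()
    return any(stripped.startswith(prefix) for prefix in prefixes)


def compare_configs(old_text, new_text, exclude_list):
    """Diff two versions, ignoring excluded commands.

    Returns the lines added and removed outside the exclusions, plus the
    excluded lines that differ between versions ("hidden"), which is what a
    reviewer needs in order to judge whether an exclusion is too broad.
    """
    prefixes = parse_exclude_list(exclude_list)
    old_lines, new_lines = old_text.splitlines(), new_text.splitlines()
    old_kept = [l for l in old_lines if not _is_excluded(l, prefixes)]
    new_kept = [l for l in new_lines if not _is_excluded(l, prefixes)]

    added, removed = [], []
    for entry in difflib.ndiff(old_kept, new_kept):
        if entry.startswith("+ "):
            added.append(entry[2:])
        elif entry.startswith("- "):
            removed.append(entry[2:])

    old_hidden = {l for l in old_lines if _is_excluded(l, prefixes)}
    new_hidden = {l for l in new_lines if _is_excluded(l, prefixes)}
    return {
        "changed": bool(added or removed),
        "added": added,
        "removed": removed,
        "hidden": sorted(old_hidden ^ new_hidden),
    }


if __name__ == "__main__":
    for exclusions in ("ntp clock-period", "ntp clock-period, username"):
        report = compare_configs(OLD_CONFIG, NEW_CONFIG, exclusions)
        print(repr(exclusions), "->", report)
```

With only the clock entry excluded, the new local account shows up as a change; adding username to the list makes the two versions compare as identical, so keep exclusions as narrow as the noise they are meant to suppress.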


Note


File comparisons are not supported on the Cisco NCS 2000 devices because the files are saved in binary format. Only text-based files can be compared.

Procedure


Step 1

Choose Inventory > Device Management > Configuration Archive.

Step 2

To delete the device configuration archive, under the Devices tab, locate the device with the configuration you want to delete and click the X delete button.

Step 3

To compare device configuration archives:

  1. Under the Devices tab, locate the device with the configuration you want to compare and click its device name hyperlink.

  2. Expand a time stamp to view the files that were archived at that time.

  3. Launch a comparison window by clicking any of the hyperlinks under the Compare With column. The choices depend on the device type and number of configuration files that have been backed up to the archive. Color codes indicate what was updated, deleted, or added.

    In the Configuration Comparison window, you can peruse the configuration by looking at the raw files or by looking at certain portions of the files (configlets). Use the color codes at the bottom of the window to find what was updated, deleted, or added.


Deploy an External Configuration File to a Device

The Schedule Deploy operation updates a device’s configuration file with an external file. The difference between Rollback and Schedule Deploy is that Rollback uses an existing file from the archive, while Schedule Deploy uses an external file.

Depending on the type of device, you can specify the following settings for the deploy job:

  • Overwrite the current startup configuration with the new version and optionally reboot the device after the deploy.

  • Merge the new file with the current running configuration and optionally archive the file as the new startup configuration.

  • Schedule the deploy of database configuration files in .tgz format.


    Note


    Once the configuration archive deploy is performed from EPNM, you must manually synchronize the device.


Make sure you have the location of the file on your local machine.

Procedure


Step 1

Open the device’s Device Details page, from which you will execute the deploy operation.

  1. Choose Inventory > Device Management > Network Devices.

  2. Click the device name hyperlink to open the Chassis View.

Step 2

Open the Configuration Archive page of the device by clicking the Configuration Archive tab.

Step 3

Click Schedule Archive Deploy to open the Schedule Deploy dialog box.

Step 4

Browse to the file you want to deploy by clicking the Choose file button.

Note

 

To deploy the database configuration files on Cisco NCS 4000 devices, you must upload the files in .cfg format.

Step 5

Expand the Scheduling Options drop-down, and schedule the deployment by choosing the Start Time.

Step 6

Configure the job parameters, depending on the type of file you are deploying:

  • Startup configuration—Choose Overwrite Startup Configuration. If you want to reboot the device after the deploy operation, check the Reboot check box.

  • Running configuration—Choose Merge with Running Configuration. If you want to also save the file on the device as the startup configuration, check the Save to Startup check box.

  • Database configuration—Choose Deploy Database Configuration and select a database file.

  • Admin configuration—Choose Merge with Admin Configuration and enter the Device VM Admin Password.

Step 7

Schedule the deploy job to run immediately or at a future time, and click Submit.

Step 8

Choose Administration > Job Dashboard to view details about the schedule deploy job.


Overwrite a Startup Configuration with a Running Configuration

The overwrite operation copies a device’s running configuration to its startup configuration. If you make changes to a device’s running configuration without overwriting its startup configuration, when the device restarts, your changes will be lost.


Note


Do not use the Schedule Archive Overwrite button in the Devices tab (shown when you choose Inventory > Device Management > Configuration Archive) because it only allows you to select a device but not select a configuration file.

Procedure


Step 1

Choose Inventory > Device Management > Network Devices.

Step 2

Click the device name hyperlink to open the device’s details page, then click the Configuration Archive tab.

Cisco Evolved Programmable Network Manager

Step 3

Click Schedule Archive Overwrite and set the job to run immediately or at a future time, then click Submit.

Step 4

Choose Administration > Job Dashboard to view the image activation job.


Roll Back a Device’s Configuration To an Archived Version

The rollback operation copies files in the archive to devices, making the new files the current configuration. You can roll back running, startup, and VLAN configurations. By default, the operation is performed by merging the files. If you are rolling back a running configuration, you have the option to perform it using overwrite rather than merge. To roll back a configuration file to a previous version:

Procedure


Step 1

Choose Inventory > Device Management > Configuration Archive.

Step 2

Click the Archives tab and check the device that has the configuration file you want to roll back, and click Schedule Archive Rollback.

Step 3

Choose the file types that you want to roll back. In the Schedule Configuration Rollback dialog box:

  1. Expand the Rollback Options area.

  2. From the Files to Rollback drop-down list, choose the file type. Choosing All applies the operation to startup, running, and VLAN configuration files.

    Note

     

    For Cisco IOS XR 64-bit devices, if you select Admin Configuration, enter the Device VM Admin Password.

Step 4

Click the specific configuration file version that you want to roll back to.

Step 5

Click Schedule Archive Rollback and complete the following:

Table 2. Roll Back Device Configuration

| Area | Option | Description |
|---|---|---|
| Rollback | Files to rollback | Select Database Configuration, Running Configuration, or Admin Configuration. |
| | Reboot | (Startup only) After rolling back the startup configuration, reboot the device so the startup configuration becomes the running configuration. |
| | Save to startup | (Running only) After rolling back the running configuration, save it to the startup configuration. |
| | Archive before rollback | Back up the selected file(s) before beginning the rollback operation. |
| | Overwrite configurations | Overwrite (rather than merge) the old running configuration with the new one. |
| | Continue rollback on archive failure | (If Archive before rollback is selected) Continue the rollback even if the selected files are not successfully backed up to the database. |
| | VRF Name | Select the applicable VRF name from the drop-down list. The VRF name is validated on submission. |
| Rollback | Rollback Database Configuration | Begin the rollback operation for database configuration files. |
| Schedule | (see web GUI) | Specify whether to perform the rollback immediately or at a later scheduled time. |

Step 6

Click Submit.


Export Configuration Files to a Local File System

You can export running configuration files and startup configuration files.


Note


For Cisco NCS 2000 devices, you can export database configurations as binary files to a file system on your local machine. With Cisco NCS 4000 devices, you can export database configurations as .tgz files. When you export it, your browser will prompt you to save or open the file.


Procedure


Step 1

Choose Inventory > Device Management > Configuration Archive.

Step 2

Under the Devices tab, locate the device with the archive you want to export, and click its device name hyperlink.

Step 3

Locate the configuration version you want to export and expand it.

Step 4

Under the Configuration Type column, click the hyperlink for the file you want to export (Running Configuration or, if supported, Startup Configuration, or Database Configuration).

Step 5

In the file viewer page, click Export and save the file to your local machine.


Delete Archived Device Configuration Files

Provided you are a user who has the device configuration rollback privilege, you can complete one of the following procedures to manually delete archived device configuration files from the database.

(Method 1)

  1. Choose Inventory > Device Management > Configuration Archive.

    The Configuration Archive page opens with the Devices tab selected.

  2. From the Name column, click the link for the device whose configuration files you want to delete.

    Its Archive Details page opens.

  3. Click the radio button for the configuration files you want to delete and then click the X (Delete) icon.

  4. Click Yes to confirm deletion of the configuration files.

(Method 2)

  1. Choose Inventory > Device Management > Configuration Archive.

    The Configuration Archive page opens with the Devices tab selected.

  2. Click the Archives tab.

  3. Check the check box for the configuration files you want to delete and then click the X (Delete) icon.

  4. Click Yes to confirm deletion of the configuration files.