
local user for "show running-config" only

acid_kewpie
Level 1

Hi,

I'm implementing an automated config backup system and I wish to be able to connect to a Catalyst switch and do a show running-config and just save the output to a file. I'd like to create a dedicated user for this purpose so that should the passwords, which would be saved on the server side, be abused, only a show run would be possible. I've tried creating a privilege level 14 for this purpose, which can only do this one command, but whilst the command is permitted as I would expect, I don't get the config, only something like this:

!

! Last configuration change at 13:53:48 UTC Thu Jun 22 2006 by admin

! NVRAM config last updated at 20:21:29 UTC Wed Jun 21 2006 by admin

!

!

!

!

end

Which is somewhere short of useful! Is there some other sort of permission I need to enable?

I am also only planning on doing this from a single known source IP, if this might encourage any other alternative ways to do this.

Many thanks

Chris

Accepted Solutions

Chris

Cisco built good intelligence into the privilege system and the show running-config command. One part of that is that if you do not have the ability to change a parameter or a setting in the config then show running-config will not display that parameter or setting. The underlying assumption here is that if you do not have sufficient privilege to change something then showing it to you might compromise the security of the device. So in your situation if you do not have privilege to change anything, then nothing is shown in show running-config.

HTH

Rick


farkascsgy
Level 4

Chris,

Try to use the rancid application for this task - http://www.shrubbery.net/rancid. Unfortunately it also requires full privileged access, but this application's purpose is to keep an inventory of the configurations. It keeps all versions of your conf; when you make a modification it also sends a mail about the modified part.

Try it....

Bye

FCS

Rate me if I helped.

acid_kewpie
Level 1

Thanks, but I'd already decided against using something like that; svn seems overkill for my needs, and increases complexity too. It's almost more of a desire to understand the privilege system now really.

Thanks

Chris

Rick,

That seems reasonable I guess, thanks for the information!
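
Because the filtering described in the accepted answer is silent (the command succeeds and the output still ends in `end`), a backup job should validate each capture before saving it. The check below is an added example, not code from any poster in this thread; the sample captures are constructed, and the `required` keyword list is an assumption about what every complete config on your switches contains.

```python
# Constructed sample: the filtered output quoted in the question.
FILTERED = """\
!
! Last configuration change at 13:53:48 UTC Thu Jun 22 2006 by admin
! NVRAM config last updated at 20:21:29 UTC Wed Jun 21 2006 by admin
!
end
"""

# Constructed sample of a complete capture (hostname and address are made up).
FULL = """\
Building configuration...
!
version 12.2
hostname sw-example
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
line vty 0 4
 login local
!
end
"""

PREAMBLE = ("Building configuration", "Current configuration")

def config_statements(text):
    """Lines that carry configuration: not blank, not '!' comments, not preamble, not 'end'."""
    keep = []
    for line in text.splitlines():
        s = line.strip()
        if s and s != "end" and not s.startswith("!") and not s.startswith(PREAMBLE):
            keep.append(line.rstrip())
    return keep

def classify_backup(text, required=("hostname", "interface", "line")):
    """Return 'empty', 'truncated', 'filtered', 'partial' or 'ok' for one capture.
    `required` is an assumed list of top-level keywords every full config should contain."""
    nonblank = [l.strip() for l in text.splitlines() if l.strip()]
    if not nonblank:
        return "empty"
    if nonblank[-1] != "end":
        return "truncated"          # session cut off before the final 'end'
    stmts = config_statements(text)
    if not stmts:
        return "filtered"           # only comments survived the privilege filter
    top_level = {s.split()[0] for s in stmts if not s[0].isspace()}
    return "ok" if all(k in top_level for k in required) else "partial"

if __name__ == "__main__":
    for name, capture in (("FILTERED", FILTERED), ("FULL", FULL)):
        print(name, classify_backup(capture))
```

A result of `partial` covers the in-between case the answer implies: an account allowed to change some settings sees only those settings, so the capture looks plausible but is incomplete.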