06-29-2006 01:25 AM
Hi,
I'm implementing an automated config backup system and I wish to be able to connect to a Catalyst switch and do a show running-config and just save the output to a file. I'd like to create a dedicated user for this purpose so that should the passwords, which would be saved on the server side, be abused, only a show run would be possible. I've tried creating a privilege level 14 for this purpose, which can only do this one command, but whilst the command is permitted as I would expect, I don't get the config, only something like this:
!
! Last configuration change at 13:53:48 UTC Thu Jun 22 2006 by admin
! NVRAM config last updated at 20:21:29 UTC Wed Jun 21 2006 by admin
!
!
!
!
end
Which is somewhere short of useful! Is there some other sort of permission I need to enable?
I am also only planning on doing this from a single known source IP, if this might encourage any other alternative ways to do this.
Many thanks
Chris
06-29-2006 03:41 AM
Chris,
Try to use the rancid application for this task - http://www.shrubbery.net/rancid. Unfortunately it also requires full privileged access, but this application's purpose is to keep an inventory of the configurations. It keeps all versions of your conf, and when you do some modification it also sends a mail about the modified part.
Try it....
Bye
FCS
Rate me if I helped.
06-29-2006 12:55 PM
Thanks, but I'd already decided against using something like that; svn seems overkill for my needs, and increases complexity too. It's almost more of a desire to understand the privilege system now really.
Thanks
Chris
06-29-2006 05:47 PM
Chris
Cisco built good intelligence into the privilege system and the show running-config command. One part of that is that if you do not have the ability to change a parameter or a setting in the config then show running-config will not display that parameter or setting. The underlying assumption here is that if you do not have sufficient privilege to change something then showing it to you might compromise the security of the device. So in your situation if you do not have privilege to change anything, then nothing is shown in show running-config.
HTH
Rick
06-29-2006 11:36 PM
Rick,
That seems reasonable I guess, thanks for the information!
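As the accepted answer explains, a restricted account can be allowed to run show running-config and still get back only comment lines. The following is an added example, not code from anyone in this thread: one way a backup script could detect such a capture and refuse to overwrite the last good copy. The function names, the threshold of five statements and the full sample capture are assumptions.

```python
import os
import tempfile

# Lines that carry no configuration: IOS comment lines and the banner lines
# printed before the config. The closing "end" is handled separately.
NOISE = ("!", "Building configuration", "Current configuration")

def config_statements(capture):
    """Return the lines of a 'show running-config' capture that are real config."""
    kept = []
    for raw in capture.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "end" or line.lstrip().startswith(NOISE):
            continue
        kept.append(line)
    return kept

def is_privilege_filtered(capture, min_statements=5):
    """True when the capture holds fewer real statements than the assumed minimum."""
    return len(config_statements(capture)) < min_statements

def save_backup(path, capture):
    """Atomically replace the backup at path, unless the capture looks filtered."""
    if is_privilege_filtered(capture):
        return False  # keep the last good backup untouched
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".cfg-")
    with os.fdopen(fd, "w") as handle:
        handle.write(capture)
    os.replace(tmp, path)  # rename over the old file in one step
    return True

# Output quoted in the question above (privilege level 14 user).
FILTERED_CAPTURE = """!
! Last configuration change at 13:53:48 UTC Thu Jun 22 2006 by admin
! NVRAM config last updated at 20:21:29 UTC Wed Jun 21 2006 by admin
!
!
!
!
end
"""

# Constructed sample of a full capture, for comparison only.
FULL_CAPTURE = ("Building configuration...\nCurrent configuration : 1234 bytes\n!\n"
                "version 12.2\nhostname sw-example\n!\ninterface Vlan1\n"
                " ip address 192.0.2.10 255.255.255.0\n!\nline vty 0 4\n login local\n!\nend\n")
```

A scheduled job would call save_backup() with the captured text and alert when it returns False, since that means the account's privilege level is hiding the configuration.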