読者です 読者をやめる 読者になる 読者になる

labunix's blog

labunixのラボUnix

Cisco 1812-Jのコンフィグの保存、初期化、復元とssh鍵の再作成

■Cisco 1812-Jのコンフィグの保存、初期化、復元とssh鍵の再作成
 IOS等を含む、初回のdebianへのバックアップ退避は以下で試した。

 Debian WheezyからCisco1812-Jで遊んでみる。(シリアル/SSH設定、FTPバックアップ)
 http://labunix.hateblo.jp/entry/20140418/1397747497

■コンフィグのよくある「running-config」の保存手順は以下なので。。。

R1#copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...
[OK]

■コンフィグの保存先を変えてバックアップ。
 running-config = startup-config = myconfig2014042201
 とバックアップ先(Debian Wheezy)4つのmd5の一致が確認が出来る。

R1#verify /?
/md5
R1#verify /md5 system:running-config
.Done!
verify /md5 (system:running-config) = a3e52d84d8c789289f95c09fa8f5d2a3

R1#verify /md5 nvram:startup-config
.Done!
verify /md5 (nvram:startup-config) = a3e52d84d8c789289f95c09fa8f5d2a3

R1#copy running-config flash:myconfig20140422001
Destination filename [myconfig20140422001]? 

1552 bytes copied in 1.852 secs (838 bytes/sec)
R1#verify /md5 flash:myconfig20140422001
.Done!
verify /md5 (flash:myconfig20140422001) = a3e52d84d8c789289f95c09fa8f5d2a3
R1#copy running-config ftp:
Address or name of remote host []? 172.16.16.200
Destination filename [r1-confg]? myconfig20140422001
Writing myconfig20140422001 !
1552 bytes copied in 7.036 secs (221 bytes/sec)

■debian wheezy側から確認

$ md5sum myconfig20140422001 
a3e52d84d8c789289f95c09fa8f5d2a3  myconfig20140422001

■Cisco 1812-Jのコンフィグを初期化

R1>en
Password:
R1#erase startup-config 
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
R1#show startup-config 
startup-config is not present
R1#verify /md5 nvram:startup-config
Done!
verify /md5 (nvram:startup-config) = d41d8cd98f00b204e9800998ecf8427e

R1#reload

System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]

Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started.

■Cisco 1812-Jのコンフィグを復元
 ※md5値が変わる点に注意

Router>enable 
Router#
Router#verify /md5 system:running-config
.Done!
verify /md5 (system:running-config) = 7161572763870e1c876f1c7d23d9de7e

Router#copy running-config flash:default.config
Destination filename [default.config]? 

908 bytes copied in 0.984 secs (923 bytes/sec)
Router#verify /md5 flash:default.config
.Done!
verify /md5 (flash:default.config) = 7161572763870e1c876f1c7d23d9de7e
Router#verify /md5 flash:myconfig20140422001
.Done!
verify /md5 (flash:myconfig20140422001) = a3e52d84d8c789289f95c09fa8f5d2a3

Router#copy flash:myconfig20140422001 running-config
Destination filename [running-config]? 

1552 bytes copied in 1.620 secs (958 bytes/sec)

R1#verify /md5 system:running-config
.Done!
verify /md5 (system:running-config) = 6a3cd91b65c995ef8bf45149a09addc8

R1#copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...
[OK]

R1#verify /md5 system:running-config 
.Done!
verify /md5 (system:running-config) = 3c578902532daf8a9952aed7624bd2e1

R1#
R1#verify /md5 nvram:startup-config
.Done!
verify /md5 (nvram:startup-config) = 3c578902532daf8a9952aed7624bd2e1


R1#copy running-config flash:myconfig20140422002
Destination filename [myconfig20140422002]? 

1552 bytes copied in 1.036 secs (1498 bytes/sec)
R1#verify /md5 flash:myconfig20140422002
.Done!
verify /md5 (flash:myconfig20140422002) = 3c578902532daf8a9952aed7624bd2e1

■ところで、初期化、復元するとssh鍵が消失する。
 これは作り直した方が良い。

R1#show crypto key mypubkey rsa 
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#crypto key generate 
The name for the keys will be: R1.localdomain
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#exit
R1#show crypto key mypubkey rsa | include Key
% Key pair was generated at: 23:23:51 JST Apr 22 2014
Key name: R1.localdomain
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
% Key pair was generated at: 23:23:52 JST Apr 22 2014
Key name: R1.localdomain.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
R1#

■Ciscoルータのssh鍵を作り直した後の作業
 Debian Wheezy側のkwon_hostsの古いフィンガープリントを削除する。
 以下は行数なので、vimで開いたら「:21」「dd」「:wq」してから再度接続する。

$ ssh 172.16.16.201 2>&1 | grep Offending | awk -F: '{print $2}'
21

■保存や復元の度にmd5値が変わる理由はコメントに時刻が入るから。
 「flash:base.config」のようなバックアップを残しておけば、
 簡単な復元手順後はリモート操作が出来るといった使い方も出来る。
 なお、NVRAM行が無いのは変更がstartup-configに反映されていないから。

R1#show running-config | include JST
! Last configuration change at 23:24:01 JST Tue Apr 22 2014
clock timezone JST 9
R1#write memory 
Building configuration...
[OK]
R1#show running-config | include JST
! Last configuration change at 23:24:01 JST Tue Apr 22 2014
! NVRAM config last updated at 23:33:41 JST Tue Apr 22 2014
clock timezone JST 9
R1#exit

■「banner motd」変更で再現
 LinuxのcatのEOFのように使う、区切り記号を「#」とする場合

R1>reload

R1>enable
Password:
R1#! no change
R1#show running-config | include 2014
R1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#banner motd #
Enter TEXT message.  End with the character '#'.
sample
#
R1(config)#exit
R1#! change running-config
R1#show running-config | include 2014
! Last configuration change at 23:41:05 JST Tue Apr 22 2014
R1#! save nvram:startup-config
R1#write memory 
Building configuration...
[OK]
R1#show running-config | include 2014
! Last configuration change at 23:41:05 JST Tue Apr 22 2014
! NVRAM config last updated at 23:42:34 JST Tue Apr 22 2014
R1#verify /md5 system:running-config
.Done!
verify /md5 (system:running-config) = c280d1f58b71dcd38254def23fb1fa1b

R1#verify /md5 nvram:startup-config
.Done!
verify /md5 (nvram:startup-config) = c280d1f58b71dcd38254def23fb1fa1b


R1#exit

Press RETURN to get started.
sample

R1>