Configuration Backup (Opt.)


As part of your Disaster Recovery (DR) plan, the switch configuration should be backed up regularly in case of hardware or software failure or misconfiguration.

In this article we'll walk through creating a dedicated user account with read-only access to the switch's configuration. Making the account read-only is a recommended security practice: it safeguards against the backup software making unintentional changes, and it removes the ability for an attacker who obtains the account to make malicious changes.

A couple of commonly used backup solutions that would use this new user account are Unimus (free for 5 devices) and Oxidized, which is commonly tied in with LibreNMS.

Determine Privilege Level

Before touching the keyboard, we need to decide which privilege level we'll use to grant read-only access. Cisco switches allow up to 15 privilege levels, with 0, 1 and 15 being reserved.

One gotcha to take into account is that we'll need to provide file-level access to this new user account. This is easily done with the file privilege [number] command; however, it grants file-level access not only to the level we specify but to all levels above it as well. With that in mind, I recommend choosing a level somewhere in the middle.

Review any existing custom privilege levels to ensure the new level has no undesirable side effects.

Grant File-Level Access

Specify which privilege level will be granted file-level access. In the example below, privilege level 7 and every level above it will be allowed access to the file system.

file privilege 7

Configure Privilege Level

Specify that any user account assigned privilege level 7 will have full viewing rights to the switch's configuration.

privilege exec level 7 show running-config view full

Running show run, you'll see that the command expands to the following:

privilege exec level 7 show running-config view full
privilege exec level 7 show running-config view
privilege exec level 7 show running-config
privilege exec level 7 show

If you make a mistake, you can clear this configuration by running:

privilege exec reset show

⚠️ Note: this removes the custom privilege assignment for all show commands, irrespective of level.

Create User Account

With the privilege level now configured, we can create our user account.

Switch(config)# username [username] privilege 7 secret [password]
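The full sequence from the three steps above, followed by a check that the new account can read the configuration but cannot enter configuration mode. This is an added example, not from the original article; the hostname Switch, the account name backup-ro and the password placeholder are assumptions.

```cisco
! Added example (not the article's own commands): assumes hostname "Switch",
! account name "backup-ro" and a placeholder password you must replace.
Switch# configure terminal
Switch(config)# file privilege 7
Switch(config)# privilege exec level 7 show running-config view full
Switch(config)# username backup-ro privilege 7 secret <strong-password>
Switch(config)# end
Switch# write memory

! Verification from a separate session logged in as backup-ro.
! The account should land at level 7, be able to dump the full
! running config, and be refused configuration mode.
Switch# show privilege
Current privilege level is 7
Switch# show running-config view full
! ... full running configuration is displayed ...
Switch# configure terminal
           ^
% Invalid input detected at '^' marker.
```

Point your backup tool (Unimus or Oxidized) at the backup-ro credentials only after the verification session shows both the successful show running-config view full and the rejected configure terminal.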