The JunOS archival feature

Since JunOS 7.4, there is a feature that lets your Juniper router back up its current configuration to a remote server by SSH or FTP.
Cisco offers such a functionality too, but their engineers took a little bit longer ;-)

It's quite easy to configure…
Note: the example uses the user “net_admin” with the password “c”.

# Juniper set statements:
---------------------------
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "ftp://net_admin:c@192.168.222.140/backup_olive"
Hierarchical:
-------------------
system {
    archival {
        configuration {
            transfer-on-commit;
            archive-sites {
                "ftp://net_admin:c@192.168.222.140/backup_olive";
            }
        }
    }
}

From then on, your configuration will be backed up to the FTP server running on 192.168.222.140 whenever you commit the candidate configuration. You can issue the show system configuration archival command to make sure that the backup went fine.
You should then see an empty directory.
Note: the configuration is not transferred immediately. It can take up to 60 seconds…

net_admin@olive> show system configuration archival   
 
/var/transfer/config/:
total 8 

When you have problems…

When you find queued files with show system configuration archival, you can investigate further by consulting the log file:

net_admin@olive> show log messages | match juniper.conf
Mar  7 13:41:46  olive logger: transfer-file failed to transfer /var/transfer/config/olive_juniper.conf.gz_20090307_124030
Mar  7 16:11:26  olive fetch: fetch: ftp://net_admin:*@192.168.222.140/backup_olive/olive_juniper.conf.gz_20090307_124030: File name not allowed
Mar  7 16:11:26  olive logger: transfer-file failed to transfer /var/transfer/config/olive_juniper.conf.gz_20090307_124030
Mar  8 03:52:16  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090307_124030
Mar  8 03:52:17  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090307_151029
Mar  8 03:52:17  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090307_151102
Mar  8 03:52:17  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090307_152207
Mar  8 03:55:18  olive fetch: fetch: ftp://net_admin:*@192.168.222.140/backup_olive/olive_juniper.conf.gz_20090308_025433: Not logged in
Mar  8 03:55:18  olive logger: transfer-file failed to transfer /var/transfer/config/olive_juniper.conf.gz_20090308_025433
Mar  8 03:56:18  olive fetch: fetch: ftp://net_admin:*@192.168.222.140/backup_olive/olive_juniper.conf.gz_20090308_025433: Not logged in
Mar  8 03:56:18  olive logger: transfer-file failed to transfer /var/transfer/config/olive_juniper.conf.gz_20090308_025433
Mar  8 03:57:16  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090308_025433
Mar  8 03:57:17  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090308_025519
Mar  8 03:57:17  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090308_025522
Mar  8 03:57:17  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090308_025524
Mar  8 03:57:17  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090308_025629
Mar  8 03:57:18  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090308_025645
Mar  8 03:57:18  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090308_025703
Mar  8 22:17:09 olive fetch: fetch: ftp://net_admin:*@192.168.222.140/backup_olive/olive_juniper.conf.gz_20090308_211637: Connection refused
Mar  8 22:17:09 olive logger: transfer-file failed to transfer /var/transfer/config/olive_juniper.conf.gz_20090308_211637

Explanation:

  • "File name not allowed": transfer failed due to wrong permissions of the FTP directory /home/net_admin/backup_olive
  • "Not logged in": transfer failed because the user was disabled on the FTP server
  • "Transferred": successful transfer of queued files
  • "Connection refused": FTP server not running on 192.168.222.140
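
The triage described above can be automated. The following Python sketch is an added example, not part of the original post: it classifies each fetch error by the causes listed above and reports files that failed and were never transferred afterwards. The sample log is a subset of the lines shown above; the names analyze, CAUSES and SAMPLE_LOG are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "show log messages | match juniper.conf" lines above.
SAMPLE_LOG = """\
Mar  7 16:11:26  olive fetch: fetch: ftp://net_admin:*@192.168.222.140/backup_olive/olive_juniper.conf.gz_20090307_124030: File name not allowed
Mar  7 16:11:26  olive logger: transfer-file failed to transfer /var/transfer/config/olive_juniper.conf.gz_20090307_124030
Mar  8 03:52:16  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090307_124030
Mar  8 03:55:18  olive fetch: fetch: ftp://net_admin:*@192.168.222.140/backup_olive/olive_juniper.conf.gz_20090308_025433: Not logged in
Mar  8 03:55:18  olive logger: transfer-file failed to transfer /var/transfer/config/olive_juniper.conf.gz_20090308_025433
Mar  8 03:57:16  olive logger: transfer-file: Transferred /var/transfer/config/olive_juniper.conf.gz_20090308_025433
Mar  8 22:17:09 olive fetch: fetch: ftp://net_admin:*@192.168.222.140/backup_olive/olive_juniper.conf.gz_20090308_211637: Connection refused
Mar  8 22:17:09 olive logger: transfer-file failed to transfer /var/transfer/config/olive_juniper.conf.gz_20090308_211637
"""

# fetch error text -> cause, taken from the explanation list above
CAUSES = {
    "File name not allowed": "wrong permissions on the FTP directory",
    "Not logged in": "user disabled on the FTP server",
    "Connection refused": "FTP server not running",
}

FETCH_RE = re.compile(r"fetch: fetch: \S+/(\S+?): (.+)$")
FAILED_RE = re.compile(r"transfer-file failed to transfer \S*/(\S+)$")
OK_RE = re.compile(r"transfer-file: Transferred \S*/(\S+)$")

def analyze(log_text):
    """Return (failure counts by cause, files that failed and were never transferred)."""
    causes, pending = Counter(), {}
    for line in log_text.splitlines():
        if m := FETCH_RE.search(line):
            name, err = m.groups()
            pending[name] = CAUSES.get(err, "unclassified: " + err)
            causes[pending[name]] += 1
        elif m := FAILED_RE.search(line):
            # failure without a preceding fetch error line for this file
            pending.setdefault(m.group(1), "no fetch error logged")
        elif m := OK_RE.search(line):
            pending.pop(m.group(1), None)  # queued file finally delivered
    return causes, pending

if __name__ == "__main__":
    causes, pending = analyze(SAMPLE_LOG)
    for cause, n in causes.items():
        print(f"{n} failure(s): {cause}")
    for name, cause in pending.items():
        print(f"still queued: {name} ({cause})")
```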

3 comments to The JunOS archival feature

  • Have you had any luck leveraging this feature in a versioning archive like RANCID? I’d love to get every commit into my CVS repository.

  • admin

    Not yet. I also do a daily backup with rancid which is sufficient for me.
    But I think you could use SEC (simple event correlator, http://simple-evcorr.sourceforge.net/) to watch for syslog messages indicating a config change.
    As an action, you could run rancid-run for the specific device with rancid-run -r
    (Assuming that syslogd, rancid and your cvs run on the same machine. If not, it could become more difficult)

  • That is more or less what I do today, except I use a snmp trap handler to trigger rancid-run after receiving a config change trap. Works fairly well, but could be a little more cleanly integrated. I like the idea of the element simply scp’ing the file to a server, which sees the updated file, and does a check in. Recently found that there are archival options w/in event-policies. Maybe I’ll write an event script that will wait X seconds (for the archival to complete) then ssh to the server and run rancid-run.
