Automating Cisco IOS/XE Configuration Operations

When uploading a partial or full configuration file to an IOS or IOS-XE device to perform a merge or replace operation, the commands below can help.

First configure the device to support such operations:

! Disable file prompts:
conf t
file prompt quiet
! They can be re-enabled with "no file prompt quiet"

! Ensure configuration archiving is enabled to support manual and automatic rollbacks:
conf t
archive
log config
logging enable
path flash:/backup-
write-memory

! To make changes via the CLI and have the device roll back after 10 minutes (for example, in case remote access is lost), use the following command:
configure terminal revert timer 10
! make changes
end
configure confirm ! This command stops the 10 minute rollback timer
wr ! Saving changes is still required

! To trigger a manual rollback after entering "configure confirm" (for example, if remote access isn't lost but there is a problem with the change):
configure replace flash:backup--Jun-20-08-31-06.134-0 list force

! Ensure the SCP server is enabled so that a config file can be copied securely to the remote device:
conf t
hostname router1
ip domain name lab.net
crypto key generate rsa modulus 4096
ip ssh time-out 60
ip ssh source-interface GigabitEthernet3
ip ssh logging events
ip ssh version 2
ip ssh dh min size 4096
ip ssh dscp 56
! Prefer hmac-sha2-256 or hmac-sha2-512 here where the software release offers them
ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes256-ctr
ip scp server enable
line vty 0 4
 transport input ssh
! access-class ...

! If using legacy TFTP, fix the source IP with:
ip tftp source-interface Gi0

! Speed up SCP transfer with
ip tcp window-size 65535

! Speed up TFTP transfer with
ip tftp blocksize 8192 ! or the max size supported

Next, push or pull config files to the device and apply them:

! Generate an MD5 hash of the config on the Linux host:
$ md5sum ~/candidate_config.txt

! SCP push file from Linux host to flash: on remote device:
$ scp candidate_config.txt [email protected]:candidate_config.txt

! or

! SCP pull file to flash: on remote device from Linux host:
copy scp://[email protected]:~/candidate_config.txt flash:candidate_config.txt vrf mgmt

! Generate an MD5 hash of the config file on the remote device and compare to above:
verify /md5 flash:candidate_config.txt

! Diff any two files:
show archive config differences flash:candidate_config.txt system:running-config ignorecase
! or
show archive config differences system:running-config flash:candidate_config.txt ignorecase

! Diff a file against running config specifically:
show archive config incremental-diffs flash:candidate_config.txt ignorecase

! Generate an MD5 hash of the running config:
verify /md5 system:running-config

! Perform a full configuration replace:
configure replace flash:candidate_config.txt force revert trigger error

! Diff a file against running config to check if everything was applied (the diff should be empty, meaning the candidate config and running config are the same):
show archive config incremental-diffs flash:candidate_config.txt ignorecase

! Generate an MD5 hash of the running config (this should be different from before, so that we know the running config has been altered; it may also match the candidate config MD5 hash generated before, depending on whether hidden commands were used, etc.):
verify /md5 system:running-config
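
When the steps above are scripted, the MD5 comparison between the Linux host and "verify /md5" on the device can gate the "configure replace" step, so that a truncated or failed transfer is never applied. The Python below is an added example, not part of the original post: it assumes the device prints the digest as "verify /md5 (<file>) = <digest>", and the function names and sample device output are constructed for illustration.

```python
import hashlib
import re

# Line printed by "verify /md5 <file>" on IOS/IOS-XE (assumed format):
#   verify /md5 (flash:candidate_config.txt) = <32 hex digits>
VERIFY_RE = re.compile(
    r"^verify /md5 \((?P<path>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})\s*$",
    re.MULTILINE,
)


def local_md5(data: bytes) -> str:
    """Digest of the candidate config, the same value md5sum prints."""
    return hashlib.md5(data).hexdigest()


def device_md5(cli_output: str, path: str):
    """Digest the device reported for `path`, or None if absent or ambiguous."""
    found = [m.group("digest").lower()
             for m in VERIFY_RE.finditer(cli_output)
             if m.group("path") == path]
    # Fail closed: an error message, a different file, or duplicate
    # result lines all mean there is no digest to trust.
    return found[0] if len(found) == 1 else None


def safe_to_replace(candidate: bytes, cli_output: str,
                    path: str = "flash:candidate_config.txt") -> bool:
    """True only when the device's digest for `path` equals the local one."""
    reported = device_md5(cli_output, path)
    return reported is not None and reported == local_md5(candidate)


# Constructed sample data (not captured from a real device).
CANDIDATE = b"hostname router1\nip domain name lab.net\nend\n"
GOOD_OUTPUT = (
    "....Done!\n"
    f"verify /md5 (flash:candidate_config.txt) = {local_md5(CANDIDATE)}\n"
)
ERROR_OUTPUT = "%Error opening flash:candidate_config.txt (No such file or directory)\n"

if __name__ == "__main__":
    print("intact transfer:", safe_to_replace(CANDIDATE, GOOD_OUTPUT))
    print("digest mismatch:", safe_to_replace(CANDIDATE[:-5], GOOD_OUTPUT))
    print("device error   :", safe_to_replace(CANDIDATE, ERROR_OUTPUT))
```

Only issue "configure replace" when safe_to_replace() returns True. The MD5 comparison catches a corrupted or incomplete copy; it does not authenticate who produced the file.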