Configuration Management
Ongoing configuration assurance skill covering backup, drift detection, and
golden config validation. This skill identifies unauthorized or unintended
changes by comparing device configurations against known-good baselines and
organizational compliance rules.
Commands are labeled [Cisco], [JunOS], or [EOS] where syntax
diverges. Unlabeled statements apply to all three vendors.
Safety Note — Read-Write Operations: This skill includes procedures that
may modify device state (config archival to remote storage, rollback, config
replace). Steps that write to devices are marked with ⚠️ WRITE. Always
confirm authorization and maintenance window status before executing write
operations. Read-only assessment steps can be run at any time without risk.
When to Use
- - Scheduled configuration compliance audit against golden baselines
- Investigating suspected unauthorized configuration changes
- Post-maintenance verification that running config was saved to startup
- Validating configuration consistency across device groups or stacks
- Checking that security-mandated patterns (AAA, NTP, logging) are present
- Ensuring forbidden patterns (default credentials, telnet, SNMPv1) are absent
- Building or refreshing a configuration archive before a change window
- Periodic drift detection as part of operational hygiene (daily/weekly)
Prerequisites
- - SSH or console access to the device (read-only sufficient for assessment;
enable/configure privilege required for remediation or archival steps)
- - A golden config baseline or previous archived config for comparison
- Knowledge of organizational compliance requirements: required services (AAA,
NTP, syslog), forbidden protocols (telnet, HTTP management, SNMPv1/v2c
without ACL), and mandatory security features (ACLs, CoPP)
- - For archival: reachable SCP/TFTP/FTP server or local flash storage
- Awareness of any active maintenance window that may explain expected drift
Procedure
Follow these steps sequentially. Steps 1–2 are always safe (read-only).
Steps 3–7 include optional write operations marked with ⚠️.
Step 1: Config Collection
Capture the current running and startup/saved configurations.
[Cisco]
�CODEBLOCK0
[JunOS]
�CODEBLOCK1
[EOS]
�CODEBLOCK2
On JunOS, the candidate configuration model means the active config is the
committed config. Use show configuration to view committed state. See
references/cli-reference.md for architectural differences.
Step 2: Running vs Startup Comparison
Detect unsaved changes — running config that would be lost on reload.
[Cisco]
�CODEBLOCK3
[JunOS]
�CODEBLOCK4
[EOS]
�CODEBLOCK5
Any differences indicate unsaved changes. Record the diff output and timestamp.
Classify the age of unsaved changes — see Threshold Tables for severity. If
changes are intentional (active maintenance), note the maintenance ticket.
Step 3: Config Archival
⚠️ WRITE — Back up the current configuration with timestamped naming.
[Cisco]
�CODEBLOCK6
[JunOS]
�CODEBLOCK7
[EOS]
�CODEBLOCK8
Use consistent naming: {hostname}-{YYYYMMDD}-{HHMM}.cfg. Verify the backup
was written successfully by checking file size and comparing a hash of the
backup against the running config. Maintain a minimum of 3 archived configs per
device for rollback options.
Step 4: Golden Config Baseline
Retrieve the golden (intended-state) configuration for this device role. Golden
configs are maintained per device role (e.g., access-switch, core-router,
WAN-edge) and contain all mandatory configuration sections.
If no golden config exists yet, establish one:
- 1. Start from a known-compliant device config
- Remove device-specific values (hostnames, IPs, interface descriptions)
- Keep all compliance-mandated sections (AAA, NTP, logging, SNMP, ACLs)
- Document the golden config version and approval date
For comparison, normalize both configs before diffing — see
references/drift-detection.md for normalization rules.
Step 5: Drift Detection
Compare current config against the golden baseline section by section.
Partition the configuration into logical sections for structured comparison:
| Section | Cisco Examples | JunOS Examples | EOS Examples |
|---|
| Routing | INLINECODE4�, �INLINECODE5 | INLINECODE6 | INLINECODE7�, �INLINECODE8 |
| Switching |
spanning-tree,
vlan |
vlans,
protocols rstp |
spanning-tree,
vlan |
| Security |
access-list,
line vty |
firewall,
system login |
ip access-list,
management |
| Management |
logging,
ntp,
snmp |
system syslog,
system ntp |
logging,
ntp,
snmp-server |
| Services |
ip dhcp,
ip nat |
forwarding-options |
ip dhcp,
ip nat |
For each section, identify additions, deletions, and modifications compared
to the baseline. Classify each difference by severity — see Threshold Tables.
Step 6: Compliance Validation
Check for required and forbidden configuration patterns.
Required patterns (must be present):
- - AAA authentication configured and active
- NTP synchronization to authorized time sources
- Syslog forwarding to centralized logging servers
- SNMP with ACL restrictions (no unrestricted community strings)
- Management access restricted to SSH only (no telnet, no HTTP)
Forbidden patterns (must be absent):
- - Default credentials (e.g.,
username admin password admin) - Telnet or HTTP enabled for management (
transport input telnet, no ip http secure-server) - SNMPv1/v2c without source ACL restriction
- Unrestricted VTY access (no ACL applied to VTY lines)
- DHCP snooping or ARP inspection disabled on access ports
Reference references/drift-detection.md for full compliance rule definitions
with vendor-specific pattern matching.
Step 7: Remediation Guidance
⚠️ WRITE — Address drift findings based on severity classification.
For Critical drift (routing, security sections):
- 1. Verify if the change was authorized (check change tickets)
- If unauthorized, prepare a rollback to the last known-good config
- [Cisco] �INLINECODE38
- [JunOS]
rollback [n] then �INLINECODE40 - [EOS] �INLINECODE41
For Warning drift (management plane, logging):
- 1. Document the deviation in the drift report
- Schedule remediation during the next maintenance window
- Apply missing configuration elements incrementally
For Info drift (cosmetic — descriptions, banners, comments):
- 1. Log the deviation for tracking
- Remediate opportunistically during scheduled maintenance
After any remediation, re-run Steps 1–2 to confirm the config matches the
intended state and save the corrected running config to startup.
Threshold Tables
Drift Severity by Config Section
| Config Section | Severity | Rationale |
|---|
| Routing (BGP, OSPF, static) | Critical | Direct traffic impact, potential outage |
| Security (ACLs, AAA, CoPP) |
Critical | Exposure to unauthorized access |
| Switching (STP, VLANs) | High | Loop risk, VLAN leakage |
| Management (logging, NTP, SNMP) | Warning | Operational visibility loss |
| Services (DHCP, NAT) | Warning | Service-level impact, no network-wide risk |
| Cosmetic (descriptions, banners) | Info | No operational impact |
Unsaved Change Age
| Age | Severity | Action |
|---|
| < 1 hour | Info | Likely active maintenance — verify with operator |
| 1–4 hours |
Warning | Check if maintenance window is active |
| 4–24 hours | High | Likely forgotten save — prompt operator to save or revert |
| > 24 hours | Critical | Unsaved changes at high risk of loss — immediate save or revert |
Config Archive Freshness
| Last Archive | Status | Action |
|---|
| < 7 days | Current | No action needed |
| 7–30 days |
Stale | Schedule archive refresh |
| 30–90 days | Warning | Archive before any changes |
| > 90 days | Critical | Immediate archive required |
Decision Trees
Drift Detected
CODEBLOCK9
Running ≠ Startup
CODEBLOCK10
Compliance Violation
CODEBLOCK11
Report Template
CODEBLOCK12
Troubleshooting
Config Diff Shows False Positives
Diffs include generated lines (timestamps, certificate hashes, build
information) that change between captures but are not real drift. Normalize
configs before comparison by stripping timestamps, build strings, and
auto-generated comments. See references/drift-detection.md for normalization
patterns per vendor.
JunOS Candidate Config Confusion
JunOS uses a candidate-commit model. show configuration displays committed
(active) config. Uncommitted candidate changes appear only with show |
compare. If drift analysis shows differences between a JunOS device and its
golden config, verify that no uncommitted candidate changes are pending —
uncommitted changes do not affect the running device but will take effect on
next commit.
Archive Transfer Failures
Config export to remote servers may fail due to: ACL on the device blocking
outbound SCP/TFTP, DNS resolution failure for server hostname, authentication
failure on SCP, or insufficient flash space for local copy. Test connectivity
with ping first, verify SCP credentials, and check available flash space with
dir flash: (Cisco/EOS) or file list /var/tmp/ (JunOS).
Large Config Diff Overwhelms Analysis
Configs exceeding 10,000 lines produce diffs that are difficult to analyze
holistically. Break the comparison into the section categories from Step 5 and
analyze one section at a time. Prioritize sections by severity tier from the
Threshold Tables. For structured configs (JunOS set-format, EOS section mode),
sort lines before diffing to reduce positional noise.
Compliance Rule Vendor Variations
The same security requirement maps to different config syntax per vendor. For
example, disabling telnet: Cisco uses transport input ssh on VTY lines, JunOS
uses delete system services telnet, and EOS uses no management telnet.
Reference references/drift-detection.md for vendor-specific compliance
patterns to avoid false positives or missed violations.
配置管理
涵盖备份、漂移检测和黄金配置验证的持续配置保障技能。该技能通过将设备配置与已知良好的基线和组织合规规则进行比较,识别未经授权或非预期的更改。
命令在语法不同处标注为 [Cisco]、[JunOS] 或 [EOS]。未标注的语句适用于所有三个厂商。
安全说明 — 读写操作: 此技能包含可能修改设备状态的过程(配置归档到远程存储、回滚、配置替换)。写入设备的步骤标有 ⚠️ 写入。在执行写入操作前,务必确认授权和维护窗口状态。只读评估步骤可随时安全运行。
使用场景
- - 针对黄金基线的定期配置合规审计
- 调查疑似未经授权的配置更改
- 维护后验证运行配置已保存至启动配置
- 验证设备组或堆叠间的配置一致性
- 检查安全强制模式(AAA、NTP、日志记录)是否存在
- 确保禁止模式(默认凭据、Telnet、SNMPv1)不存在
- 在变更窗口前建立或刷新配置归档
- 作为运维卫生的一部分定期进行漂移检测(每日/每周)
前提条件
- - 对设备的SSH或控制台访问(评估仅需只读权限;修复或归档步骤需要启用/配置权限)
- 用于比较的黄金配置基线或先前归档的配置
- 了解组织合规要求:必需服务(AAA、NTP、Syslog)、禁止协议(Telnet、HTTP管理、无ACL的SNMPv1/v2c)和强制安全功能(ACL、CoPP)
- 对于归档:可达的SCP/TFTP/FTP服务器或本地闪存存储
- 了解可能解释预期漂移的任何活动维护窗口
操作步骤
按顺序执行以下步骤。步骤1-2始终安全(只读)。步骤3-7包含标有⚠️的可选写入操作。
步骤1:配置收集
捕获当前的运行配置和启动/保存配置。
[Cisco]
show running-config
show startup-config
[JunOS]
show configuration | display set
show configuration | compare rollback 0
[EOS]
show running-config
show startup-config
在JunOS上,候选配置模型意味着活动配置是已提交的配置。使用show configuration查看已提交状态。架构差异请参见references/cli-reference.md。
步骤2:运行配置与启动配置比较
检测未保存的更改——重新加载时会丢失的运行配置。
[Cisco]
show archive config differences system:running-config nvram:startup-config
[JunOS]
show | compare rollback 0
[EOS]
show running-config diffs
任何差异都表示未保存的更改。记录差异输出和时间戳。对未保存更改的时长进行分类——严重性请参见阈值表。如果更改是有意的(活动维护),请记录维护工单。
步骤3:配置归档
⚠️ 写入 — 使用带时间戳的命名备份当前配置。
[Cisco]
copy running-config tftp://[server]/[hostname]-YYYYMMDD-HHMM.cfg
[JunOS]
request system configuration save /var/tmp/[hostname]-YYYYMMDD-HHMM.conf
[EOS]
copy running-config flash:[hostname]-YYYYMMDD-HHMM.cfg
使用一致的命名:{hostname}-{YYYYMMDD}-{HHMM}.cfg。通过检查文件大小和比较备份与运行配置的哈希值来验证备份是否成功写入。每个设备至少保留3个归档配置以供回滚选项使用。
步骤4:黄金配置基线
检索此设备角色的黄金(预期状态)配置。黄金配置按设备角色维护(例如,接入交换机、核心路由器、WAN边缘),包含所有强制配置部分。
如果尚不存在黄金配置,请建立一个:
- 1. 从已知合规的设备配置开始
- 移除设备特定值(主机名、IP、接口描述)
- 保留所有合规强制部分(AAA、NTP、日志记录、SNMP、ACL)
- 记录黄金配置版本和批准日期
进行比较时,在差异比较前对两个配置进行标准化——标准化规则请参见references/drift-detection.md。
步骤5:漂移检测
逐部分将当前配置与黄金基线进行比较。
将配置划分为逻辑部分进行结构化比较:
| 部分 | Cisco示例 | JunOS示例 | EOS示例 |
|---|
| 路由 | router bgp, router ospf | protocols | router bgp, router ospf |
| 交换 |
spanning-tree, vlan | vlans, protocols rstp | spanning-tree, vlan |
| 安全 | access-list, line vty | firewall, system login | ip access-list, management |
| 管理 | logging, ntp, snmp | system syslog, system ntp | logging, ntp, snmp-server |
| 服务 | ip dhcp, ip nat | forwarding-options | ip dhcp, ip nat |
对于每个部分,识别与基线相比的添加、删除和修改。按严重性对每个差异进行分类——请参见阈值表。
步骤6:合规性验证
检查必需和禁止的配置模式。
必需模式(必须存在):
- - AAA认证已配置且活动
- NTP同步到授权的时间源
- Syslog转发到集中式日志服务器
- 带ACL限制的SNMP(无不受限制的团体字符串)
- 管理访问仅限于SSH(无Telnet,无HTTP)
禁止模式(必须不存在):
- - 默认凭据(例如,username admin password admin)
- 为管理启用Telnet或HTTP(transport input telnet,no ip http secure-server)
- 无源ACL限制的SNMPv1/v2c
- 不受限制的VTY访问(VTY线路上未应用ACL)
- 接入端口上禁用DHCP监听或ARP检测
完整的合规规则定义及厂商特定模式匹配请参考references/drift-detection.md。
步骤7:修复指导
⚠️ 写入 — 根据严重性分类处理漂移发现。
对于严重漂移(路由、安全部分):
- 1. 验证更改是否已授权(检查变更工单)
- 如果未授权,准备回滚到最后一个已知良好的配置
- [Cisco] configure replace flash:[backup].cfg force
- [JunOS] rollback [n] 然后 commit
- [EOS] configure replace flash:[backup].cfg
对于警告漂移(管理平面、日志记录):
- 1. 在漂移报告中记录偏差
- 安排在下一次维护窗口期间进行修复
- 逐步应用缺失的配置元素
对于信息漂移(装饰性——描述、横幅、注释):
- 1. 记录偏差以供跟踪
- 在计划维护期间伺机修复
任何修复后,重新运行步骤1-2以确认配置与预期状态匹配,并将更正后的运行配置保存到启动配置。
阈值表
按配置部分的漂移严重性
| 配置部分 | 严重性 | 理由 |
|---|
| 路由(BGP、OSPF、静态) | 严重 | 直接影响流量,可能导致中断 |
| 安全(ACL、AAA、CoPP) |
严重 | 暴露于未授权访问 |
| 交换(STP、VLAN) | 高 | 环路风险,VLAN泄漏 |
| 管理(日志记录、NTP、SNMP) | 警告 | 运维可见性丧失 |
| 服务(DHCP、NAT) | 警告 | 服务级别影响,无全网风险 |
| 装饰性(描述、横幅) | 信息 | 无运维影响 |
未保存更改的时长
| 时长 | 严重性 | 操作 |
|---|
| < 1小时 | 信息 | 可能是活动维护——与操作员确认 |
| 1–4小时 |
警告 | 检查维护窗口是否活动 |
| 4–24小时 | 高 | 可能是忘记保存——提示操作员保存或还原 |
| > 24小时 | 严重 | 未保存的更改丢失风险高——立即保存或还原 |
配置归档新鲜度
| 最后归档时间 | 状态 | 操作 |
|---|
| < 7天 | 当前 | 无需操作 |
| 7–30天 |
陈旧 | 安排归档刷新 |
| 30–90天 | 警告 | 任何更改前先归档 |
| > 90天 | 严重 | 需要立即归档 |
决策树
检测到漂移
