Back Up Configurations to an Archive Site

You can configure a device to transfer its configuration to an archive file periodically.

Configure the Transfer of the Active Configuration

If you want to back up your device’s current configuration to an archive site, you can configure the device to transfer its active configuration by FTP, HTTP, secure copy (SCP), or SFTP periodically or after each commit.

To configure the device to transfer its active configuration to an archive site, include statements at the [edit system archival configuration] hierarchy level:

When you configure the device to transfer its configuration files, you specify an archive site to which the files are transferred. If you specify more than one archive site, the device attempts to transfer files to the first archive site in the list, moving to the next site only if the transfer fails.

When you use the archive-sites statement, you can specify a destination as an FTP URL, HTTP URL, SCP-style remote file specification, or SFTP URL. The URL type file: is also supported. When you specify the archive site, do not add a forward slash (/) to the end of the URL.

Note:
  • The URL type file: is supported only for local files.
  • When using the FTP option, specify a double forward slash (//) after the host:port. For example: ftp://username@host<:port>//url-path

file:/path/ is the minimal representation of a local file with no authority field and an absolute path that begins with a slash "/" as defined in RFC 8089.

file:///path is an example of a traditional file URI for a local file with an empty authority, as defined in RFC 8089.

Note:

When specifying a URL in a statement using an IPv6 host address, you must enclose the entire URL in quotation marks ("") and enclose the IPv6 host address in brackets ([ ]). For example, "ftp://username<:password>@[ipv6-host-address]<:port>//url-path"

To configure the device to periodically transfer its active configuration to an archive site, include the transfer-interval statement at the [edit system archival configuration] hierarchy level:

The interval is a period of time ranging from 15 through 2880 minutes.
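The archive-site URL rules and the transfer-interval range described above can be checked before a commit. The following lint is an added example, not Juniper code. It assumes `scp://` as the scheme for the SCP-style specification and uses constructed sample values. The two `warn` checks are added hardening checks, not rules from this page.

```python
SCHEMES = {"ftp", "http", "scp", "sftp", "file"}  # URL types named on this page
CLEARTEXT = {"ftp", "http"}                       # transports without encryption

def lint_archive_site(url):
    """Return findings for one archive-sites value (without CLI quotes)."""
    scheme = url.split(":", 1)[0].lower()
    if scheme not in SCHEMES:
        return [f"error: unsupported URL type '{scheme}'"]
    findings = []
    if url.endswith("/"):
        findings.append("error: trailing slash at end of URL")
    rest = url[len(scheme) + 1:]
    if scheme == "file":
        # file:/path or file:///path only: no host in the authority field.
        if rest.startswith("//") and not rest.startswith("///"):
            findings.append("error: file: is supported only for local files")
        return findings
    if not rest.startswith("//"):
        return findings + ["error: missing // before the host"]
    authority, _, path = rest[2:].partition("/")
    userinfo, _, hostport = authority.rpartition("@")
    if hostport.count(":") > 1 and not hostport.startswith("["):
        findings.append("error: IPv6 host address must be enclosed in [ ]")
    if scheme == "ftp" and not path.startswith("/"):
        findings.append("error: FTP needs // after host:port")
    # Added hardening checks, not rules stated on the page.
    if ":" in userinfo:
        findings.append("warn: password embedded in URL")
    if scheme in CLEARTEXT:
        findings.append(f"warn: {scheme} transfers the configuration unencrypted")
    return findings

def lint_transfer_interval(minutes):
    """transfer-interval must be 15 through 2880 minutes."""
    if 15 <= minutes <= 2880:
        return []
    return ["error: transfer-interval must be 15 through 2880 minutes"]

# Constructed sample values (documentation address ranges, hypothetical paths).
SAMPLES = [
    "scp://admin@198.51.100.10:/backups/r1",
    "ftp://backup:s3cret@198.51.100.10/configs/",
    "sftp://backup@2001:db8::10/configs",
    "file://nas01/configs",
]

if __name__ == "__main__":
    for site in SAMPLES:
        print(site, lint_archive_site(site) or "ok")
    print("interval 10:", lint_transfer_interval(10))
```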

To configure the device to transfer the configuration to an archive site each time you commit the configuration, include the transfer-on-commit statement at the [edit system archival configuration] hierarchy level:

Before you specify an SCP URL, you must set up passwordless authentication between the local device and the archive server, as outlined in Set Up Passwordless Authentication for SCP Transfers.

If the network device reaches the archive server through a specific routing instance, configure the routing-instance statement at the [edit system archival configuration] hierarchy level, and specify the routing instance.

The destination filename is saved in the following format, where n corresponds to the number of the compressed configuration rollback file that has been archived:

Note:

The time included in the destination filename is in Coordinated Universal Time (UTC).

Set Up Passwordless Authentication for SCP Transfers

You can back up the network device configuration to a remote server by specifying an SCP-style URL at the [edit system archival configuration archive-sites] hierarchy level. Before you can use SCP to transfer the file, you must first configure SSH key-based authentication from the local device (as the root user) to the remote server (for a remote user configured on the server).

Starting in Junos OS Evolved Release 22.3R1, you can use the request security ssh password-less-authentication operational mode command to set up SSH key-based authentication. You can also manually configure SSH key-based authentication in any release.

To configure SSH key-based authentication in Junos OS Evolved Release 22.3R1 and later:

  1. Log in to the Junos OS Evolved device as the root user.

  2. Execute the following command, which generates SSH keys for the current user, provided the user does not already have existing keys, and transfers the public key to the authorized_keys file of the specified user on the remote host.

    For example, the following command appends the root user's public key to the admin user's authorized_keys file on the specified server.

To manually configure SSH key-based authentication in any Junos OS Evolved release:

  1. Log in to the Junos OS Evolved device as the root user.
  2. Verify that the root user has existing SSH keys.
    If the root user has existing SSH keys, proceed to Step 4.
  3. If the root user does not have SSH keys, enter the Linux shell and generate an SSH RSA key pair.
  4. From the shell, copy the root user's public key from the local device to the remote server, and append it to the remote user's authorized_keys file.

    The following command appends the root user's public key to the admin user's authorized_keys file.

    Similarly, the following command executes the same operation but in the context of the mgmt_junos routing instance.