6

I would like to configure an interface on a remote Cisco router (ISR 4000 series) with IPsec. The only way to connect to it is through the interface that I am trying to encrypt.

I want to ensure that I would not lose connection due to misconfiguration.

I would like to know if there is a way to make the router undo the last command(s) that caused the ssh session to drop.

iokarag

2 Answers

16

You can configure the auto rollback feature to revert to a previous configuration in case you lose access.

First, you need to configure configuration archive on the router. For example:

archive
path flash:
write-memory

This stores the recent configuration in flash.

Then when you're ready to make changes, type

configure term revert time 5
<new configuration lines>
end

If you're happy with the changes, type

configure confirm

If you don't type config confirm in five minutes, the router will revert to the previous configuration. This happens much faster and is less disruptive than rebooting the router.

Ron Trunk
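A complete CLI session for the archive-and-revert workflow described in this answer, as an added example that is not part of the original answer. The archive path flash:archive, the timer values, the interface GigabitEthernet0/0/0 and the crypto map name VPN-MAP are assumptions; substitute your own.

```cisco
! --- one-time setup: enable the configuration archive ---
Router# configure terminal
Router(config)# archive
! archived copies are written here (assumed path)
Router(config-archive)# path flash:archive
! keep at most 10 archived configurations
Router(config-archive)# maximum 10
! also take an archive copy on every "write memory"
Router(config-archive)# write-memory
Router(config-archive)# end
Router# write memory

! --- the risky change, protected by a 5-minute revert timer ---
! IOS archives the current running-config before dropping into config mode,
! so the rollback target exists even if the next lines kill the session.
Router# configure terminal revert timer 5
! the only reachable interface and an already defined IPsec policy (both assumed names)
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# crypto map VPN-MAP
Router(config-if)# end

! still connected? see how long is left, and restart the countdown if
! verification needs more time
Router# show archive config rollback timer
Router# configure revert timer 10

! happy with the result: cancel the pending rollback, then save
Router# configure confirm
Router# write memory

! not happy, but still connected: roll back right away instead of waiting
Router# configure revert now

! if the session dropped, the router rolls back on its own when the timer
! expires; afterwards the archived copies and the differences can be reviewed
Router# show archive
Router# show archive config differences
```

The timer runs on the router, not in the SSH session, which is the whole point: if the IPsec change cuts you off, the revert still happens. Only run "write memory" after "configure confirm"; saving first would make the startup-config the broken one as well.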
4

While an undo-last is only supported by a few devices, there are a few alternatives:

  1. Before doing the tricky part, run a reload in 5:00. If you lose contact, the router will reboot a few minutes later. If everything does work out, you cancel the reload: reload cancel.
  2. Instead of redefining a live connection, configure a new one and connect in parallel. Make sure you configure static routes accordingly, with increased metric/cost on one link. With dynamic routing, increase the cost on the interface.
  3. For the tricky part, allow SSH sessions from the outside, but only from certain source IP addresses (SSH is permanently attacked). Don't forget to remove it afterwards.
Zac67
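Alternatives 1 and 3 from the list above as concrete CLI, added here as an example that is not part of the original answer. The management host 203.0.113.10, the interface GigabitEthernet0/0/0, the ACL names OUTSIDE-IN and SSH-MGMT, and the assumption that an extended ACL is already applied inbound on the outside interface are all constructed placeholders.

```cisco
! --- alternative 1: schedule a reboot as a safety net ---
! the reason text is optional; "show reload" displays the pending reboot
Router# reload in 5 Reverting risky IPsec change
Router# show reload
! Do NOT "write memory" until access has been verified: the scheduled
! reboot restores the startup-config, which is only useful if it still
! holds the pre-change configuration.

! ... make the risky change here ...

! still connected afterwards? cancel the pending reboot and only then save
Router# reload cancel
Router# write memory

! --- alternative 3: temporary SSH from the outside, from one known address only ---
Router# configure terminal
! line 5 is inserted in front of the existing rules of the (assumed) outside ACL
Router(config)# ip access-list extended OUTSIDE-IN
Router(config-ext-nacl)# 5 permit tcp host 203.0.113.10 any eq 22
Router(config-ext-nacl)# exit
! belt and braces: the vty lines also accept only that source, SSH only
Router(config)# ip access-list standard SSH-MGMT
Router(config-std-nacl)# permit host 203.0.113.10
Router(config-std-nacl)# deny any log
Router(config-std-nacl)# exit
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# access-class SSH-MGMT in
Router(config-line)# end

! --- after the work is done, take the temporary outside exposure away again ---
Router# configure terminal
Router(config)# ip access-list extended OUTSIDE-IN
Router(config-ext-nacl)# no 5
Router(config-ext-nacl)# end
Router# write memory
```

The sequence number on the temporary permit line is what makes the cleanup a one-liner; without it you would have to retype the whole entry to remove it. The vty access-class can stay in place permanently, since restricting management sources is good practice regardless of the change.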