Archive for July, 2008

There are a couple of prerequisites before you can copy the config from a NetScreen or SSG via scp. First, obviously ssh and scp need to be enabled:

set ssh version v2
set ssh enable
set scp enable

And of course, you need to enable ssh management on the interface you’re going to connect to the device on:

set interface ethernet0 manage ssh

Once that has been done, from your PC, try the following:

scp netscreen@device-hostname:ns_sys_config ssg.cfg

And you should then have a file called ssg.cfg in that directory. Once again, simple when you know how.

It is also possible to load RSA/DSA keys against ScreenOS usernames, so that password-less login for ssh/scp can be utilised, allowing this method to form the basis of automated config backups.


Ok, now I’ve only tested this with routers running IOS – it may be a little different with Catalyst switches, since they store their config on flash, rather than nvram. On the other hand, it may be exactly the same, since we’re retrieving running-config, not startup-config.

First, you need to ensure that ssh and scp have been enabled. I strongly recommend that you run ssh version 2.

ip ssh version 2
ip scp server enable

Then, on your PC:

scp user@router-hostname:system:running-config .

You should then have a file called “running-config” in that directory. Pretty simple…

If you want to grab the startup-config instead of the running-config, try:

scp user@router-hostname:nvram:startup-config .

By using RSA keys to eliminate the password prompt at login, this method could be expanded to form the basis of an automated config backup. I know that various apps already exist, but a lot of them retrieve the config via “expect” scripts, basically executing a “show run” and capturing the output.

Another method of retrieving the config is via SNMP; however, unless you're using SNMP v3 with encryption, this method is potentially insecure.
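Both posts mention that key-based login lets scp form the basis of an automated config backup. The script below is an added sketch of that idea, not code from the original posts. The key path, archive directory, inventory file format ("type user host" per line) and all function names are assumptions.

```shell
# Added example, not the posts' own code; all names here are assumptions.
KEY="${KEY:-$HOME/.ssh/cfg_backup_key}"
ARCHIVE="${ARCHIVE:-./config-archive}"
umask 077   # configs hold password hashes and keys: owner-only files

# remote_path TYPE: remote file name used in the posts above.
remote_path() {
    case "$1" in
        screenos)    echo "ns_sys_config" ;;
        ios)         echo "system:running-config" ;;
        ios-startup) echo "nvram:startup-config" ;;
        *)           return 1 ;;
    esac
}

# fetch_config TYPE USER HOST DEST: BatchMode fails rather than prompting for a
# password; StrictHostKeyChecking rejects unknown or changed host keys.
fetch_config() {
    rpath=$(remote_path "$1") || return 2
    scp -q -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$2@$3:$rpath" "$4" || return 3
    [ -s "$4" ] || return 4          # an empty file is a failed backup
}

# archive_if_changed HOST FILE: returns 0 if a new version was stored, 1 if unchanged.
archive_if_changed() {
    dir="$ARCHIVE/$1"; mkdir -p "$dir"
    if [ -f "$dir/latest.cfg" ] && cmp -s "$2" "$dir/latest.cfg"; then
        rm -f "$2"; return 1
    fi
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    cp "$2" "$dir/$stamp.cfg" && mv "$2" "$dir/latest.cfg"
}

# backup_all INVENTORY ("type user host" per line); returns the failure count.
backup_all() {
    failed=0
    while read -r type user host; do
        case "$type" in ''|'#'*) continue ;; esac
        tmp=$(mktemp) || return 99
        if fetch_config "$type" "$user" "$host" "$tmp" </dev/null; then
            archive_if_changed "$host" "$tmp" || true
        else
            echo "backup failed: $host" >&2; rm -f "$tmp"; failed=$((failed + 1))
        fi
    done < "$1"
    return "$failed"
}
if [ -n "${1:-}" ] && [ -f "$1" ]; then backup_all "$1"; fi
```

OpenSSH 9.0 and later run scp over SFTP by default, so a device that only implements the legacy scp protocol may need -O added to the scp options in fetch_config.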
