
Cisco IOS File Management & Maintenance: Backup, Archive, Rollback


The Two Configs That Matter

Every Cisco router holds two distinct configurations. Running-config is what’s currently active in RAM — what your changes go into when you’re in config mode. Startup-config is the one in NVRAM that loads on boot. They’re separate files, and changes don’t persist across reload until you copy running to startup.

R1# copy running-config startup-config
R1# write memory     ! shorthand for the same thing
R1# wr               ! shorter still

The day you make ten config changes, then someone power-cycles the router before you save, and you lose all of them — that’s when this becomes muscle memory.

Backing Up Configurations

To TFTP

R1# copy running-config tftp:
Address or name of remote host []? 10.1.1.5
Destination filename [r1-confg]? r1-2026-05-06.cfg

You can pass it inline non-interactively:

R1# copy running-config tftp://10.1.1.5/r1-2026-05-06.cfg

To FTP / HTTP

FTP and HTTP support authentication; specify user/pass either prompted or in the URL:

R1(config)# ip ftp username backup-user
R1(config)# ip ftp password BackupPass!
R1(config)# exit
R1# copy running-config ftp://10.1.1.5/r1.cfg

Or all in the URL: copy running-config ftp://user:pass@10.1.1.5/r1.cfg.

To SCP (recommended)

SCP is FTP’s encrypted cousin and the right choice for production, since TFTP and FTP carry the config (and any credentials in it) in cleartext:

R1(config)# ip scp server enable     ! only needed if a remote host pulls files from R1 over SCP
R1(config)# exit
R1# copy running-config scp://user@10.1.1.5/r1.cfg

The IOS File System

R1# show file systems
R1# dir flash:
R1# dir nvram:

Common file systems:

  • flash: — main storage (IOS image, configs, scripts)
  • nvram: — the startup-config storage
  • system: — running-config (the current memory)
  • tftp:, ftp:, http:, scp: — remote
  • usbflash0: — USB drive on supported platforms

Removing Files

R1# delete flash:old-image.bin
R1# erase startup-config         ! wipe NVRAM (next reload boots clean)

erase startup-config is irreversible without a backup. Make sure you have one before running it on a production device.

Creating Directories

R1# mkdir flash:/configs
R1# rmdir flash:/configs

Router as a TFTP Server

Need to copy IOS from one router to another with no TFTP server in the network? Make the source router itself a TFTP server:

R1(config)# tftp-server flash:c2900-uni.bin

! From the destination router:
R2# copy tftp://10.1.1.1/c2900-uni.bin flash:

Archiving and Rollback

The archive feature snapshots configs automatically — useful when you want to roll back a botched change:

R1(config)# archive
R1(config-archive)# path flash:archive-$h-$t   ! $h=hostname, $t=timestamp
R1(config-archive)# write-memory
R1(config-archive)# time-period 1440           ! every 24 hours

! View saved archives
R1# show archive

! Roll back (list prints each command as it is applied)
R1# configure replace flash:archive-R1-Sep-15-08-30-2026 list

configure replace is non-disruptive: it computes the diff between the current and target config and applies just the deltas. Far safer than copying into running-config (which is additive only).

Logging Config Changes

R1(config)# archive
R1(config-archive)# log config
R1(config-archive-log-cfg)# logging enable
R1(config-archive-log-cfg)# logging size 200
R1(config-archive-log-cfg)# notify syslog
R1(config-archive-log-cfg)# hidekeys

R1# show archive log config all

This logs every config command, who ran it, and when. hidekeys redacts password strings from the log. Indispensable for audit and post-incident review.
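With notify syslog enabled, each logged command also reaches the syslog server, where it can be screened automatically. The Python sketch below is an added example, not part of the original article: it assumes the usual %PARSER-5-CFGLOG_LOGGEDCMD message layout, and the watch-list and sample lines are constructed for illustration.

```python
import re

# Message that "notify syslog" emits for each logged command. The
# "User:<name>  logged command:<cmd>" layout is assumed from typical IOS output.
CFGLOG = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Watch-list drawn from commands on this page (an assumption; tune per site).
WATCH = [
    (r"^no (archive|log config|logging enable|notify syslog|hidekeys)\b",
     "config audit trail weakened"),
    (r"^no service password-encryption\b", "password obfuscation disabled"),
    (r"^tftp-server\b", "router is serving a file over TFTP"),
    (r"^ip ftp password\b", "FTP credential stored in the config"),
]
WATCH = [(re.compile(p), why) for p, why in WATCH]

def parse(line):
    """Return (user, command) for a CFGLOG syslog line, else None."""
    m = CFGLOG.search(line.rstrip())
    return (m["user"], m["cmd"].strip()) if m else None

def review(lines):
    """Return (user, command, reason) for every watched config change."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not a config-change message
        user, cmd = rec
        hits += [(user, cmd, why) for pat, why in WATCH if pat.search(cmd)]
    return hits

# Constructed sample syslog lines (not captured from a real device).
SAMPLE = [
    "May  6 09:14:02.101: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet0/1",
    "May  6 09:14:09.440: %SYS-5-CONFIG_I: Configured from console by alice on vty0",
    "May  6 09:20:31.007: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:no hidekeys",
    "May  6 09:21:12.915: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:tftp-server flash:c2900-uni.bin",
]

if __name__ == "__main__":
    for user, cmd, why in review(SAMPLE):
        print(f"{user}: {cmd!r} -> {why}")
```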

Verifying File Integrity

After copying an IOS image, always verify the MD5 hash to confirm it wasn’t corrupted in transit:

R1# verify /md5 flash:c2900-uni.bin
R1# verify /md5 flash:c2900-uni.bin abc123def456...

The first form computes and displays the hash; the second compares against an expected value and tells you pass/fail.

Common Pitfalls

  • Forgetting copy run start. The single most common operational mistake. Make a habit of saving after every meaningful change.
  • Insufficient flash space. Before copying a new IOS image, run dir flash: and check free space. New IOS won’t fit alongside the old; delete the old first or copy to a different file system.
  • TFTP without permission. The TFTP server’s root directory often needs the destination file to already exist (touch it) before the router can write. Test with a small file first.
  • Hard-coded credentials in URLs. copy ftp://user:pass@server/... can leak via shoulder-surfing or logs. Set ip ftp password in config or use SCP.
  • Forgotten service password-encryption. Even though it’s a weak Vigenère cipher, it stops casual readers from grabbing plaintext passwords from a backup config.
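The last two pitfalls can be checked on the backup itself before it is stored off-device. The Python sketch below is an added example, not part of the original article: it scans a saved config for plaintext and type 7 credentials and for missing service password-encryption or hidekeys. The sample config is constructed, and treating every other credential type as hashed or encrypted is an assumption.

```python
import re

# "password"/"secret" keyword, optional one-digit type, then the value.
CRED = re.compile(r"\b(?:password|secret)\s+(?:(?P<type>\d)\s+)?(?P<val>\S+)")

def audit(config_text):
    """Return (line_no, message) findings; line_no 0 means a global setting."""
    lines = [l.strip() for l in config_text.splitlines()]
    findings = []
    if "service password-encryption" not in lines:
        findings.append((0, "service password-encryption is not enabled"))
    if "hidekeys" not in lines:
        findings.append((0, "archive log config has no hidekeys"))
    for n, line in enumerate(lines, 1):
        m = None if line.startswith("!") else CRED.search(line)
        if m is None:
            continue
        ctype = m["type"]
        if ctype in (None, "0"):
            kind = "plaintext"
        elif ctype == "7":
            kind = "type 7 (reversible)"
        else:
            continue  # other types are treated as hashed/encrypted (assumption)
        # Report the command but never echo the secret itself.
        findings.append((n, f"{kind} credential: {line[:m.start('val')]}<redacted>"))
    return findings

# Constructed sample backup (values are placeholders, not from a real device).
SAMPLE = """\
hostname R1
no service password-encryption
enable secret 9 $9$constructed-hash-placeholder
username backup-user password 0 Constructed1
ip ftp username backup-user
ip ftp password BackupPass!
line vty 0 4
 password 7 0000000000
archive
 log config
  logging enable
"""

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE):
        print(line_no, message)
```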

Conclusion

File management on Cisco IOS is straightforward but easy to take for granted. Five habits that pay off across years:

  1. Save (copy run start) after every meaningful change.
  2. Maintain off-device backups via archive path tftp://... or scheduled SCP.
  3. Use configure replace for non-trivial config restores rather than copy.
  4. Enable archive log config on every production device for a built-in audit trail.
  5. Verify IOS images with verify /md5 before booting from them.
