How to move the configuration from one Nortel VPN Router to another.
Nortel VPN Router
Nortel VPN Router 600
Can’t move configuration over without redoing it from scratch.
Want to “ghost” one Nortel VPN Router (formerly CES) onto another or move part of the configuration of one VPN Router to another.
(Note: As of 6 December 2004, Contivity is referred to as Nortel VPN Router.)
You can either use the Contivity Configuration Manager or use provisioning as per 311645-C “Reference for the Contivity VPN Switch Command Line Interface”.
The following explanation is a specific example of how to do this and explains the commands and steps necessary to provision one VPN Router with the configuration of another VPN Router.
Preliminary note: There are three access levels or modes in the CLI. To do the provisioning, you will have to go to the second level. When you telnet to the IP of your VPN Router, the first level you see is:
If you type – ena – you will be asked for the Password again and then see:
Now you are in level 2 of the CLI session.
Type – show running-config ? – to see a list of options for this command. Note there is one that says – file-URL – .
Here is a quick and easy way of provisioning a VPN Router if you want to use the configuration information from an existing VPN Router and do something like copying firewall rules from one unit to another. To do this, follow the steps outlined below. The following steps assume that both VPN Routers are running 4.8x code or later…
- Go to the VPN Router whose configuration you are copying and telnet by logging into the enable prompt. See instructions above to do this.
- Type: show running-config file-url filename
You decide the filename. It cannot be over eight characters or it will be rejected.
The command above will write the entire configuration of the VPN Router to file on the hard drive. You can use different options after the filename to limit what configuration settings are placed in the file. You can use the – show running-config ? – command to find a list of possible options. In our example, we want to copy the current firewall rules from one switch to another, so we will use the following command: show running-config file-url firewall service policy
- show running-config – takes you to the configuration information for the VPN Router.
- file-url – command specifies that you want to output to a file on the VPN Router in the IDE0/system/runconf directory.
- The word firewall is the name given to the file.
- service – shows a list of services on the VPN Router.
- “policy” displays configuration information for the Firewall/NAT policy.Depending on how many rules or configurations the VPN Router needs to write, it may take a few minutes to write the file. When it is writing, the cursor will drop down a line and pause until the file has been written. When the file is finished, the VPN Router will return to the ces# prompt.
- If you then leave the telnet session and ftp to the same VPN Router, you will find the file, in this case called firewall, in the IDE0/system/runconf directory with an extension appended to it (.cli). In our case the filename will be firewall.cli. Download the file to your workstation.
- Open the downloaded file with notepad or any text editor and add the following lines at the very top of the page: enable
setup (or whatever the password is for the VPN Router)
Since our VPN Router is using – setup – as the password, the added lines would be:
After these lines have been added, save the file. Make sure it has the extension – cli – and that you have not accidentally appended a – txt – extension after the cli extension.
- Once you have edited and saved the file as a cli file, it becomes a provisioning script. You can now upload this file to the new VPN Router that you want to copy the configuration to. Connect to the new VPN Router with an FTP client and upload the .cli file to the following directory: /system/prov
When the file has finished uploading, the VPN Router will automatically execute the script and run the commands that are listed within the file. When the VPN Router has finished executing the script it will generate a .out file in the /system/prov directory with the results of the commands executed from the cli file.
You can download this file and view it with a normal text editor. If there were no errors reported, the configuration of the new unit was successful and the VPN Router will now contain the configuration of the old unit.