In any corporate network, switches are more than just "boxes with ports." They are critical nodes that determine the topology, security, performance, and availability of the entire infrastructure. Their configurations are the precise "genome" of the network: VLANs, ACLs, ports, STP, QoS, trunk settings, inter-VLAN routing, and much more.
But what happens when one of these settings changes? Accidentally, by mistake, or due to malicious action?
One incorrect command entry can shut down an entire department, disrupt VoIP, break tunnels, or create an attack surface.
That's why monitoring switch configuration changes and systematically backing up startup-config, running-config, and vlan.dat files is not an optional practice, but a mandatory requirement for a robust IT operating environment.
Why is monitoring switch configuration changes important?
1. Fast rollback on error
The running-config configuration is what the switch is using right now. It can be changed at any time via the CLI, web interface, or an automated script.
But if the administrator accidentally deletes VLAN 10, disables the port the server is connected to, or configures the wrong trunk, the network stops working, and without a backup you cannot restore it to its previous state.
Example: The administrator enters the no vlan 50 command without noticing that a critical server sits in this VLAN. The failure is detected 10 minutes later. Without a backup, the settings have to be restored manually, spending hours rechecking each port. With a backup, a single copy tftp://server/backup-config.txt running-config command returns the network to its previous working state.
2. Preventing Configuration Drift
Over time, "unofficial" changes accumulate on the network: someone made a setting on a test switch, forgot to save it, and then rebooted it. And... everything was lost.
Another administrator made changes on another device, unaware of the previous changes.
This is how configuration drift occurs: devices of the same model behave differently, and the documentation is out of date.
Monitoring switch configuration changes allows you to:
- Compare the current configuration with the baseline.
- Receive notifications about any differences.
- Automatically record who, when, and what was changed.
3. Audit, Security, and Compliance
ISO 27001, PCI DSS, NIST, and other standards require monitoring of infrastructure changes.
If during the audit you cannot show:
- who made the configuration changes
- when they were made
- whether they were approved
You risk a non-compliance finding, a fine, or loss of certification.
When you regularly save configuration files with timestamps and user identification, this will be your "log file" of changes, which can save you in the event of an incident.
4. Recovering from Hardware Failure
A switch can fail due to a power outage, overheating, hardware malfunction, or even a cyberattack (such as ransomware attacking network devices).
If you have an up-to-date copy of startup-config, you can install a new switch, load the configuration onto it, and restore the network to a working state in just 15 minutes.
Without it, you're restoring everything manually, spending hours consulting outdated diagrams or trying to remember which ports were in which VLAN.
Why startup-config, running-config, and vlan.dat?
- running-config
The currently active configuration, running in memory. This is what actually affects the network right now. Without it, you don't know what is actually configured.
- startup-config
The configuration that loads when the device reboots. If you don't save the running-config to startup-config, all changes are lost on reboot. A copy of startup-config is your "last guaranteed saved" version.
- vlan.dat
The VLAN database (including names, IDs, and status) on Cisco and compatible switches. This file is not copied when you copy running-config to startup-config! If you lose it, all VLANs disappear after a reboot, even if the configuration appears to be intact.
Important: Many administrators forget about vlan.dat. This is a common cause of "non-reproducible" failures: the switch reboots, and the VLANs disappear, but everything appears normal in the configuration file. This is because vlan.dat has been lost.
How to organize a reliable backup?
- Automation
Use tools like:
- RANCID (for Cisco, Juniper, etc.)
- 10-Strike Network Monitor Pro (for all device types, command templates supported)
- Ansible + Netmiko for scripted backups
- TFTP/FTP/SFTP servers for storing backups
- Frequency
- running-config — copy after each change (or at least once an hour on actively managed switches).
- startup-config — copy after each successful save and after each reboot.
- vlan.dat — copy after every VLAN change (especially when creating or deleting VLANs).
- Version Storage and Control
Save copies with names in the following format:
SW01-running-2025-11-14_10-30-00.cfg
Use Git to track changes. This allows you to compare versions, see diffs, and revert to any point.
- Notifications
Configure alerts for:
- running-config changes without a subsequent write memory,
- a vlan.dat copy missing for more than 24 hours,
- configuration inconsistencies between devices.
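As an added example (not code from this article or from 10-Strike), the following Python script implements the comparison described in section 2 and the versioning and notification rules listed above: it normalizes two saved configurations, lists the drift from the baseline, flags a running-config that has not been written to startup-config, and builds backup file names in the SW01-running-... format. The sample configurations are constructed; the function names are the example's own.

```python
import difflib
from datetime import datetime

def normalize(config: str) -> list[str]:
    """Drop blank lines and '!' lines (separators and volatile headers such as
    '! Last configuration change ...') so each poll does not raise a false alarm."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.startswith("!")]

def config_diff(baseline: str, current: str) -> list[str]:
    """Lines added (+) or removed (-) relative to the baseline; [] means no drift."""
    return [ln for ln in difflib.unified_diff(normalize(baseline), normalize(current),
                                              "baseline", "current", n=0, lineterm="")
            if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]

def unsaved_changes(running: str, startup: str) -> bool:
    """True when running-config differs from startup-config (no 'write memory' yet)."""
    return normalize(running) != normalize(startup)

def alerts(baseline: str, running: str, startup: str) -> list[str]:
    """The alert conditions from the Notifications list that apply to one switch."""
    found = []
    if config_diff(baseline, running):
        found.append("running-config differs from baseline")
    if unsaved_changes(running, startup):
        found.append("running-config changed without write memory")
    return found

def backup_name(hostname: str, kind: str, when: datetime) -> str:
    """Backup file name in the SW01-running-2025-11-14_10-30-00.cfg format."""
    return f"{hostname}-{kind}-{when:%Y-%m-%d_%H-%M-%S}.cfg"
# Constructed sample configs (not captured from a real device).
BASELINE = """! Last configuration change at 10:00:00 UTC Fri Nov 14 2025
hostname SW01
!
vlan 50
 name SERVERS
interface GigabitEthernet1/0/1
 switchport access vlan 50
"""
CURRENT = """! Last configuration change at 10:30:00 UTC Fri Nov 14 2025
hostname SW01
!
interface GigabitEthernet1/0/1
 switchport access vlan 1
"""
if __name__ == "__main__":  # startup-config is assumed to still equal the baseline
    print(backup_name("SW01", "running", datetime(2025, 11, 14, 10, 30)))
    print("\n".join(config_diff(BASELINE, CURRENT)), alerts(BASELINE, CURRENT, BASELINE))
```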
Setting up monitoring for switch configuration file changes in 10-Strike Network Monitor Pro
10-Strike Network Monitor Pro allows for continuous monitoring of switch configuration changes. When connecting via SSH, the program reads the running-config, startup-config, and vlan.dat files and compares them with the reference files obtained during the initial poll. If changes are detected, the program triggers the configured alerts (email, Telegram, Slack, SMS, etc.).
Detected changes can be quickly viewed in a separate window in "before and after" comparison mode, where additions, deletions, and edits are highlighted in different colors.
To enable monitoring of the switch configuration file changes, you need to:
- In the main program window, go to the Configurations tab.
- Start scanning and searching for switches on the network.
- If you are scanning for switches for the first time, the program will prompt you to set an account to connect to the switches via SSH. Add it and click OK.
- Next, set the network scanning parameters: IP address ranges.
- Start the scan and wait for it to complete.
The program finds switches, connects to them via SSH, and reads configuration files, creating checks to periodically retrieve each of them. These checks can be viewed in the Checks tab by clicking on the host with the switch address on the left in the tree.
The Configurations tab displays summary information for all added switches, including their configuration status and additional information (serial number, manufacturer, model).
You can add switches for configuration change monitoring via a regular text file, where their addresses will be listed. You can also create checks for switches that have already been added to the monitoring tree.
In this tab, you can also view switch configuration files and copy their contents to the clipboard. This feature is not available in Operator mode.
There is another way to configure switch configuration file monitoring — by creating checks for each file:
- Open the Checks tab in the main window.
- Select the switch in the tree on the left.
- Click the Add Check button in the main menu.
- Select the Switch Configuration check type.
- Configure the SSH connection parameters or select an account from the list if one was previously created in the program settings.
- Select the appropriate command profile to receive data from the device. If none of the profiles work, you need to create your own in the settings.
- Select which configuration file this check will query (running-config, startup-config, vlan.dat).
- Test the operation by clicking the Get the current configuration and compare button.
In this same window, you can set a reference configuration file by clicking the Mark current configuration as reference button.
Create checks for the remaining configuration files in the same way.
Conclusion: the switch configuration is your network
A switch is not just a device. It is a living, dynamic element whose configuration determines the behavior of the entire network.
Changes to it are not just "settings." They are actions that affect business processes, security, and the company's reputation.
Making backups of the startup-config, running-config, and vlan.dat files is your insurance against human error, technical failure, and cyber threats.
Monitoring switch configuration changes is not just a "good practice." It's a prerequisite for professional network management.
Don't wait for the network to fail.
Maintain. Monitor. Automate.
Remember: the best way to restore a network is not to look for what broke, but to know how it worked yesterday.