Intelligent Drift Detection
Objective
In this lesson you will configure an automated baseline archive and use IOS archive/diff tools plus syslog to perform intelligent drift detection — distinguishing meaningful configuration drift from intentional changes. This matters in production because silent or accidental changes can degrade routing, break security policies, or cause outages; automating baseline capture and producing focused diffs lets operations and AI systems decide whether a change is benign (intentional) or requires remediation. Real-world scenario: an enterprise network team keeps a baseline configuration on a central management server and uses periodic archives + diffs to feed an AI classifier that raises an incident only when the diff affects routing, ACLs, or interface shutdowns.
Quick Recap
We continue with the topology established in Lesson 1: two routers (R1, R2) connected to each other and to a management/TFTP server. No new devices are added in this lesson; we configure features on R1 and R2 and assume the management server at 192.0.2.10 is reachable.
ASCII Topology (exact IPs on every interface)
                 [MgmtServer]
          192.0.2.10/24 (TFTP/syslog)
                      |
        ------ 192.0.2.0/24 (management LAN) ------
        |                                         |
 R1 Gi0/0 192.0.2.1/24                  R2 Gi0/0 192.0.2.2/24
 R1 Gi0/1 10.0.0.1/30 ---------------- 10.0.0.2/30 R2 Gi0/1
Device Table
| Device | Role | Management IP | Important Interfaces |
|---|---|---|---|
| R1 | Router (primary) | 192.0.2.1/24 | Gi0/0 (192.0.2.1), Gi0/1 (10.0.0.1/30) |
| R2 | Router (peer) | 192.0.2.2/24 | Gi0/0 (192.0.2.2), Gi0/1 (10.0.0.2/30) |
| MgmtServer | TFTP + Syslog server | 192.0.2.10/24 | N/A |
All example domain names use lab.nhprep.com and passwords use Lab@123.
Key Concepts (theory before CLI)
- Configuration Baseline & Archive: The IOS archive facility saves copies of a router configuration to a remote path (TFTP/SCP) and can log configuration changes locally. Think of this like committing a copy of the config to a central repository every time the device is saved — that repository becomes your baseline for comparison.
- Protocol behavior: with `path tftp://...` and `write-memory` configured under `archive`, every `write memory` (or `copy running-config startup-config`) first saves startup-config locally and then copies the running configuration to the TFTP server over UDP port 69, as a file named after the path with a sequence number appended (R1-1, R1-2, ...). If the server is unreachable the local save still succeeds, but the archive copy is not created and the device reports an error opening the TFTP path.
- Change Logging (log config): with `archive log config logging enable`, the IOS config logger records every configuration command as it is entered (including `no ...` forms), together with the user and line that entered it. It logs commands, not a computed add/remove diff; a bare `shutdown` entry is only meaningful together with the preceding `interface ...` entry. `notify syslog` forwards each entry as a syslog message, and `show archive log config all` lists the local copy.
- Packet flow: each logged command is sent to every configured `logging host` over UDP 514 (by default) as soon as it is entered, not when the configuration is saved.
- Config Diffing: `show archive config differences file1 file2` compares two configuration files (an archived copy, nvram:startup-config, system:running-config) and prints a contextual diff: lines present only in the second file are prefixed +, lines present only in the first are prefixed -, and each is shown under the stanza (interface, router, access-list) it belongs to, similar to git diff. This reduces noise compared to reading an entire config file. One caveat: because `write-memory` archives the configuration after it has been saved, the most recent archive already contains the change; compare the running configuration against the previous archive (the baseline) to see the drift.
- Intelligent classification: an external AI or operator inspects the diff and classifies risk: an interface shutdown, neighbor removal or ACL deletion is high-risk; changing an interface description is low-risk. Automating this requires capturing diffs reliably and sending both the raw diff and contextual metadata (who changed it, when, under which ticket) to the classifier.
- Why this matters: In production, many changes are legitimate (scheduled maintenance). Detecting meaningful drift quickly reduces mean time to detect (MTTD) of accidental changes that could take services down.
Step-by-step configuration
Step 1: Configure management basics and logging on R1
What we are doing: Ensure R1 has consistent management identity and that syslog messages can be sent to the central management server at 192.0.2.10. This lets the archive facility and log notifications be delivered to a central collector for AI analysis.
R1# configure terminal
R1(config)# hostname R1
R1(config)# ip domain-name lab.nhprep.com
R1(config)# username admin privilege 15 secret Lab@123
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 192.0.2.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# logging host 192.0.2.10
R1(config)# logging trap informational
R1(config)# end
R1# write memory
Building configuration...
[OK]
What just happened: We set the device hostname and domain to give archived filenames and syslog messages a consistent identity. We configured the management IP on Gi0/0 and enabled syslog forwarding to 192.0.2.10; `logging trap informational` (severity 6) forwards everything at notifications level (5) and below, which covers the config-logger messages generated later in this lesson. `write memory` saves the running config to startup-config; it does not archive anything yet, because the archive facility is not configured until Step 2.
Real-world note: TFTP is unauthenticated and unencrypted, and archived configurations contain credentials and topology. In production archive over SCP/SFTP, send syslog over TLS where the platform supports it, and restrict the management network so only the collector can reach the devices. A lab TFTP server is fine for this exercise.
Verify:
R1# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 4096 messages logged
Monitor logging: level informational, 0 messages logged
Buffer logging: level debugging, 4096 messages logged
Trap logging: level informational
Logging to 192.0.2.10 (udp), 0 messages queued
Step 2: Configure the IOS archive facility on R1 (baseline capture)
What we are doing: Configure the router to archive configurations to the management server at tftp://192.0.2.10/configs/R1 and enable config-change logging so that the router records what lines change. This creates a machine-readable baseline and change log the AI or operations team can inspect.
R1# configure terminal
R1(config)# archive
R1(config-archive)# path tftp://192.0.2.10/configs/R1
R1(config-archive)# write-memory
R1(config-archive)# time-period 1440
R1(config-archive)# log config
R1(config-archive-log-cfg)# logging enable
R1(config-archive-log-cfg)# logging size 200
R1(config-archive-log-cfg)# notify syslog
R1(config-archive-log-cfg)# hidekeys
R1(config-archive-log-cfg)# exit
R1(config-archive)# exit
R1(config)# end
R1# write memory
Building configuration...
[OK]
What just happened: The archive stanza sets a remote path where the router writes archived copies of the running configuration, named R1-1, R1-2 and so on. `write-memory` archives a copy every time the configuration is saved, and `time-period 1440` additionally archives one every 1440 minutes (24 hours) even if nothing was saved. `log config` with `logging enable` turns on the config logger, `logging size 200` keeps the last 200 commands locally, `notify syslog` sends each logged command to the syslog host, and `hidekeys` masks passwords and keys in those entries. The `write memory` at the end of this step wrote the first archive, R1-1, which is the baseline for the rest of the lesson.
Real-world note: In production prefer secure file copy (SCP/SFTP) rather than TFTP. The archive facility gives you change granularity — ideal for feeding diffs into an AI classifier.
Verify:
R1# show archive
The maximum archive configurations allowed is 10.
There are currently 1 archive configurations saved.
The next archive file will be named tftp://192.0.2.10/configs/R1-2
 Archive #  Name
   1        tftp://192.0.2.10/configs/R1-1 <- Most Recent
   2
   3
   ...
R1# show running-config | section archive
archive
 log config
  logging enable
  logging size 200
  notify syslog
  hidekeys
 path tftp://192.0.2.10/configs/R1
 write-memory
 time-period 1440
Also confirm on the management server that configs/R1-1 now exists. If `write memory` printed an error opening the TFTP path, no archive was written and the archive count above stays at 0.
Step 3: Make an intentional (approved) change and save; observe archive behavior
What we are doing: Apply a non-disruptive, intentional change (interface description) and save. This simulates a planned change so we can see how a meaningful-versus-intentional decision would be made.
R1# configure terminal
R1(config)# interface GigabitEthernet0/1
R1(config-if)# description Link to R2 - maintenance window 2026-04-02
R1(config-if)# exit
R1(config)# end
R1# write memory
Building configuration...
[OK]
What just happened: The config logger recorded the `interface GigabitEthernet0/1` and `description ...` commands as they were entered and forwarded each to syslog immediately. When `write memory` completed, startup-config was updated locally and, because `write-memory` is enabled under `archive`, the running configuration was copied to the TFTP server as R1-2. The new archive therefore already contains the description; the drift only shows when the running configuration (or R1-2) is compared with the R1-1 baseline.
Real-world note: Small operational changes (descriptions, NTP servers) are often benign. An AI classifier should treat these as low-risk, but still record author/timestamp context.
Verify:
R1# show archive
The maximum archive configurations allowed is 10.
There are currently 2 archive configurations saved.
The next archive file will be named tftp://192.0.2.10/configs/R1-3
 Archive #  Name
   1        tftp://192.0.2.10/configs/R1-1
   2        tftp://192.0.2.10/configs/R1-2 <- Most Recent
   ...
R1# show archive config differences tftp://192.0.2.10/configs/R1-1 system:running-config
Contextual Config Diffs:
interface GigabitEthernet0/1
 +description Link to R2 - maintenance window 2026-04-02
Comparing against R1-2 instead reports no differences: that archive was written by the same `write memory` and already contains the change. The baseline to diff against is always the archive taken before the change.
Step 4: Make an accidental (high-risk) change and show the diff for classification
What we are doing: Simulate an accidental disruptive change: administratively shutting the Gi0/1 interface. We'll save the change and produce the diff. This is the kind of change that should trigger an immediate alert.
R1# configure terminal
R1(config)# interface GigabitEthernet0/1
R1(config-if)# shutdown
R1(config-if)# end
R1# write memory
Building configuration...
[OK]
What just happened: The interface was administratively shut down; the config logger emitted the `interface GigabitEthernet0/1` and `shutdown` entries at once, and `write memory` archived the new configuration as R1-3. A diff between the previous archive and the running configuration highlights the single `+shutdown` line, which is high-risk because it removes the link to R2.
Real-world note: Interface shutdowns, BGP neighbor removal, or ACL deletions are high-severity changes; automated systems should raise incidents and, where policy allows, roll back with `configure replace tftp://192.0.2.10/configs/R1-2` (the archive taken before the accident), using the `list` keyword first to preview the commands the rollback will apply.
Verify:
R1# show archive config differences tftp://192.0.2.10/configs/R1-2 system:running-config
Contextual Config Diffs:
interface GigabitEthernet0/1
 +shutdown
R1# show archive config differences tftp://192.0.2.10/configs/R1-1 system:running-config
Contextual Config Diffs:
interface GigabitEthernet0/1
 +description Link to R2 - maintenance window 2026-04-02
 +shutdown
Against the archive taken after Step 3 (R1-2) only the shutdown appears; the description is present in both files and is not reported as removed. Against the original baseline (R1-1) both additions appear, which is what an accumulated-drift report looks like.
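The diff and the classification rule described under Key Concepts and applied in Steps 3 and 4 can be reproduced off-box, which is where an AI or SIEM pipeline would run them. The following Python is an added example written for this lesson, not IOS output or vendor code: it splits two IOS configuration snapshots into stanzas, produces a contextual diff in the spirit of `show archive config differences`, and scores each changed line with rule-based pre-filters. The snapshots (BASELINE standing in for the R1-1 archive, the later two derived from it) are constructed sample data, and the rule table is an assumed starting point that goes beyond the page's shutdown and description cases to include a removed BGP neighbor and a removed ACL entry.

```python
import re
from collections import OrderedDict

# Constructed sample snapshots (not real archives). BASELINE stands in for the
# R1-1 archive; the later snapshots are derived from it by editing single lines.
BASELINE = """\
hostname R1
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
!
router bgp 65001
 neighbor 10.0.0.2 remote-as 65002
!
ip access-list extended MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny ip any any
"""
IP_LINE = " ip address 10.0.0.1 255.255.255.252\n"
# Step 3: description added (intentional, low risk).
AFTER_STEP3 = BASELINE.replace(
    IP_LINE, " description Link to R2 - maintenance window 2026-04-02\n" + IP_LINE)
# Step 4: interface shut; a BGP neighbor and an ACL entry are also removed here
# to exercise more rules than the lesson's CLI steps do.
AFTER_STEP4 = (AFTER_STEP3.replace(IP_LINE, IP_LINE + " shutdown\n")
               .replace(" neighbor 10.0.0.2 remote-as 65002\n", "")
               .replace(" deny ip any any\n", ""))

# Rule-based pre-filter (assumed starting point): (context regex, accepted
# signs, line regex, severity, reason). First match wins. Line regex "^$"
# matches the marker row emitted when a whole stanza appears or disappears.
RULES = [
    (r"^interface ", "+", r"^shutdown$", "high", "interface administratively shut"),
    (r"^router ", "-", r"^neighbor ", "high", "routing neighbor removed"),
    (r"^router ", "-", r"^$", "high", "routing process removed"),
    (r"access-list", "-", r"^(permit|deny) ", "high", "ACL entry removed"),
    (r"access-list", "-", r"^$", "high", "ACL removed"),
    (r"^interface ", "+-", r"^description ", "low", "description changed"),
]
SEV_RANK = {"low": 0, "medium": 1, "high": 2}


def parse_stanzas(text):
    """Map each unindented line (stanza header or global one-liner) to the
    indented lines under it; '!' separators and blank lines are skipped."""
    stanzas, ctx = OrderedDict(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            ctx = raw.rstrip()
            stanzas.setdefault(ctx, [])
        elif ctx is not None:
            stanzas[ctx].append(raw.strip())
    return stanzas


def contextual_diff(baseline, current):
    """(context, sign, line) rows in the spirit of 'show archive config
    differences': '-' only in baseline, '+' only in current. A stanza present
    on one side only yields a marker row with line == '' plus its lines."""
    old, new = parse_stanzas(baseline), parse_stanzas(current)
    rows = []
    for ctx in list(old) + [c for c in new if c not in old]:
        o, n = old.get(ctx), new.get(ctx)
        if n is None:
            rows += [(ctx, "-", "")] + [(ctx, "-", ln) for ln in o]
        elif o is None:
            rows += [(ctx, "+", "")] + [(ctx, "+", ln) for ln in n]
        else:
            rows += [(ctx, "-", ln) for ln in o if ln not in n]
            rows += [(ctx, "+", ln) for ln in n if ln not in o]
    return rows


def classify(diff):
    """Score each row with the first matching rule. Rows no rule knows about
    are 'medium' so an unfamiliar change gets reviewed rather than ignored."""
    findings = []
    for ctx, sign, line in diff:
        sev, why = "medium", "unclassified change"
        for ctx_re, signs, line_re, rule_sev, reason in RULES:
            if re.search(ctx_re, ctx) and sign in signs and re.search(line_re, line):
                sev, why = rule_sev, reason
                break
        findings.append({"severity": sev, "reason": why, "context": ctx,
                         "change": sign + (line or ctx)})
    overall = max((f["severity"] for f in findings),
                  key=SEV_RANK.__getitem__, default="low")
    return overall, findings


def assess(baseline, current):
    """Overall verdict plus per-line findings: 'high' should open an incident,
    'low' should only be recorded against the change ticket."""
    return classify(contextual_diff(baseline, current))


if __name__ == "__main__":
    for label, snap in (("after Step 3", AFTER_STEP3), ("after Step 4", AFTER_STEP4)):
        overall, findings = assess(BASELINE, snap)
        print(f"{label}: {overall}")
        for f in findings:
            print(f"  [{f['severity']}] {f['context']}: {f['change']} ({f['reason']})")
```

The unmatched-row default is deliberately "medium" rather than "low": a pre-filter that only knows a handful of patterns must not silently wave through the changes it has never seen, so those go to a reviewer while the known-benign description change is merely logged.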
Step 5: Observe syslog notification (context for AI ingestion)
What we are doing: Show the syslog message generated by the archive notify syslog so an AI or SIEM can ingest a structured change summary including who changed the config and what lines changed.
R1# show logging | include CFGLOG
*Apr  2 12:05:01.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1
*Apr  2 12:05:02.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:shutdown
R1# show archive log config all
 idx   sess           user@line      Logged command
    1     1        admin@vty0      |  interface GigabitEthernet0/1
    2     1        admin@vty0      |   description Link to R2 - maintenance window 2026-04-02
    3     2        admin@vty0      |  interface GigabitEthernet0/1
    4     2        admin@vty0      |   shutdown
What just happened: The config logger emitted one syslog message per command, carrying the user (admin) and the command text. The line and source address of the session come from the %SYS-5-CONFIG_I message written when the session ended, and `show archive log config all` keeps the same history locally with user@line and a session number. Because `shutdown` is logged on its own line, a consumer must pair it with the preceding `interface GigabitEthernet0/1` entry to know what was shut; a classifier that keys on keywords (shutdown, no neighbor, no access-list) should reconstruct that context first.
Real-world note: Ensure syslog timestamps and a central collector are in place; correlating who changed what with ticket numbers helps the AI label intentional changes automatically.
Verify:
R1# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Trap logging: level informational, 12 message lines logged
        Logging to 192.0.2.10 (udp), 12 message lines logged
Log Buffer (4096 bytes):
*Apr  2 12:05:01.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1
*Apr  2 12:05:02.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:shutdown
*Apr  2 12:05:03.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
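The messages above arrive one per command, so a consumer has to rebuild the context (`shutdown` is harmless on an unused loopback and an outage on Gi0/1) and attach ownership before deciding whether the change was planned. The following Python is an added example for this lesson, not vendor code: it parses config-logger syslog lines, tracks the configuration sub-mode to give each command its context, and labels a command intentional when it falls inside an approved change window for that user, otherwise unapproved drift. The syslog lines are constructed to match the `%PARSER-5-CFGLOG_LOGGEDCMD` format, the approved-window list stands in for an export from a ticketing system (an assumed shape, not an IOS feature), and the year is supplied by the caller because default IOS timestamps omit it.

```python
import re
from datetime import datetime

# Constructed syslog lines (not captured from a device) in the format the IOS
# config logger uses with 'notify syslog': %PARSER-5-CFGLOG_LOGGEDCMD. The
# first group corresponds to Step 3, the last three lines to Step 4.
SYSLOG = """\
*Apr  2 12:00:10.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1
*Apr  2 12:00:11.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:description Link to R2 - maintenance window 2026-04-02
*Apr  2 12:00:12.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:end
*Apr  2 12:00:12.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
*Apr  2 12:05:01.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1
*Apr  2 12:05:02.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:shutdown
*Apr  2 12:05:03.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:end
"""

# Approved change windows as a ticketing system might export them (assumed
# shape, not an IOS feature): (ticket, user, start, end). The lone window is
# the maintenance window named in the Step 3 description.
WINDOWS = [
    ("CHG-1042", "admin", datetime(2026, 4, 2, 12, 0), datetime(2026, 4, 2, 12, 2)),
]

CFGLOG_RE = re.compile(
    r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)(?:\.\d+)?:"
    r"\s+%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
# Commands that enter a configuration sub-mode; until exit/end every logged
# command belongs to that context.
MODE_RE = re.compile(r"^(interface |router |ip access-list |line |vrf definition )")


def parse_events(text, year):
    """Yield (timestamp, user, context, command) for every logged command.
    Default IOS timestamps omit the year, so the caller supplies it."""
    stack = []  # current nesting of sub-modes, innermost last
    for raw in text.splitlines():
        m = CFGLOG_RE.match(raw)
        if not m:
            continue  # %SYS-5-CONFIG_I and other messages are not commands
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        cmd = m["cmd"].strip()
        if cmd == "end":
            stack.clear()
        elif cmd == "exit":
            if stack:
                stack.pop()
        elif MODE_RE.match(cmd):
            stack.append(cmd)
        else:
            yield ts, m["user"], (stack[-1] if stack else "global"), cmd


def label_events(events, windows):
    """Attach a ticket when the command falls inside an approved window for the
    same user; anything else is unapproved drift regardless of what it changed."""
    records = []
    for ts, user, ctx, cmd in events:
        ticket = next((t for t, u, start, end in windows
                       if u == user and start <= ts <= end), None)
        records.append({"time": ts.isoformat(), "user": user, "context": ctx,
                        "command": cmd, "ticket": ticket,
                        "status": "intentional" if ticket else "unapproved"})
    return records


def audit(text, windows, year=2026):
    return label_events(parse_events(text, year), windows)


if __name__ == "__main__":
    for r in audit(SYSLOG, WINDOWS):
        print(f"{r['time']} {r['user']:<6} {r['status']:<11} "
              f"{r['context']}: {r['command']} ticket={r['ticket']}")
```

In practice the window lookup would be fed from the change-management system and the records joined with the severity from the diff classifier, so that a high-severity change inside an approved window is recorded while the same change outside one opens an incident. Run the devices with `service timestamps log datetime msec year` in production so the collector does not have to infer the year.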
Verification Checklist
- Check 1: Archive is configured and visible on R1: `show archive` lists tftp://192.0.2.10/configs/R1-1 as the most recent archive, and `show running-config | section archive` shows the path, write-memory and log config settings.
- Check 2: After the intentional change, `show archive config differences tftp://192.0.2.10/configs/R1-1 system:running-config` shows only the description line, prefixed +, under interface GigabitEthernet0/1.
- Check 3: After the disruptive change, `show logging | include CFGLOG` shows the %PARSER-5-CFGLOG_LOGGEDCMD entries for interface GigabitEthernet0/1 and shutdown with the user, and the same entries arrive at 192.0.2.10.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| `show archive` shows the path but no archives saved | TFTP server unreachable, directory missing, or not writable | Verify reachability with `ping 192.0.2.10`, make sure the TFTP server is running and the configs/ directory exists and is writable, check firewall rules for UDP 69 |
| `show archive config differences` reports nothing after a change you know happened | The running config was compared with the archive written by the same `write memory`, which already contains the change | Compare against the previous archive number (the baseline), e.g. R1-1 rather than R1-2 |
| Diff shows many unrelated changes (noise) | Compared against a stale archive, or the whole configuration was replaced | Diff against the immediately preceding archive; review change procedures so wholesale replacements are the exception. Note that `hidekeys` masks secrets in the config log, not in diffs; archived files still contain them, one more reason to use SCP/SFTP |
| No %PARSER-5-CFGLOG_LOGGEDCMD messages are received on the server | `logging host` not configured, `logging trap` set below notifications, or `notify syslog` missing under `log config` | Configure `logging host 192.0.2.10` and `logging trap informational`, add `notify syslog`, and check UDP 514 connectivity |
| AI classifier flags minor changes as critical | Classifier not trained to distinguish semantics (e.g., description vs shutdown) | Include rule-based pre-filters: treat interface shutdowns, ACL deletions, BGP/OSPF neighbor changes as high-risk; treat descriptions as low-risk |
Key Takeaways
- The IOS `archive` facility plus `log config` provides structured, automatable configuration snapshots and a per-command change log suitable for feeding into an AI drift detector.
- Always pair archived diffs with context (who changed it, when, and ticket IDs): the classifier needs metadata to separate intentional changes from accidental drift.
- Diff against the archive taken before the change, not the one written by the save that followed it; otherwise the drift is invisible.
- Focus AI attention on high-risk change patterns (interface shutdowns, neighbor removal, ACL removals, route redistribution toggles). Low-risk changes (descriptions, banners) should not trigger incidents.
- In production prefer secure transports (SCP/SFTP and TLS syslog) and integrate archives + syslog into a central collector so your AI can ingest reliable, timestamped change events.
Tip: Think of configuration drift detection like source control for network devices. The archive is the commit, the config-logger syslog is the commit message, and `show archive config differences` is your git diff; an AI is the reviewer that classifies whether the diff is acceptable or needs a `configure replace` rollback.