Every time a network engineer opens a TAC case or asks an AI assistant to help debug a routing issue, the same thing happens: the support engineer says "can you share your running-config?" And then you have a decision to make.

The problem is that show running-config on a Cisco IOS device doesn't just show you interfaces and routes. It shows you everything — the enable password, SNMP community strings, VPN pre-shared keys, RADIUS shared secrets, BGP neighbor passwords. All of it, in one paste.

Sharing that config unmodified is a credential leak waiting to happen.

What a Cisco IOS Config Actually Contains

A typical Cisco IOS running-config includes several categories of sensitive data that most people don't think twice about when copying:

Type-7 passwords are particularly dangerous because they use a reversible Cisco-specific encoding, not a real hash. Anyone with the encoded string and a decoder tool can recover the original password in seconds.

The AI assistant problem

When you paste a config into ChatGPT, Claude, or any AI chat, that text may be used for model improvement, visible to support staff reviewing conversations, or stored in the platform's history. A sanitized config gives you the same troubleshooting help without the exposure.

Before and After: What Sanitization Looks Like

Here's a snippet from a typical Cisco IOS config before and after passing through a config sanitizer:

Before — raw config

    username admin privilege 15 password 7 13061E010803557878
    !
    enable secret 5 $1$mERr$hx5rVt7rPNoS4
    !
    snmp-server community corp-mon-2026 RO
    snmp-server community corp-mon-2026 RW
    !
    crypto isakmp key Tunnel$ecret99 address 203.0.113.10
    !
    radius-server key RAD_shared_key_42

After — sanitized output

    username admin privilege 15 password 7 [PASSWORD_1]
    !
    enable secret 5 [SECRET_HASH_1]
    !
    snmp-server community [COMMUNITY_1] RO
    snmp-server community [COMMUNITY_1] RW
    !
    crypto isakmp key [VPNKEY_1] address 203.0.113.10
    !
    radius-server key [RADIUS_KEY_1]

Notice that [COMMUNITY_1] appears twice in the sanitized output — the same token for the same original value. That consistency is critical: a support engineer can see that both SNMP entries use the same community string without knowing what it is. The logical structure of the config is fully preserved.
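
The consistent-token behaviour described above, as an added example (not ScrubForge's code): a minimal sanitizer covering only the five line types in the snippet, plus a check that lists lines still needing manual review. The rule patterns, function names and the constructed sample (including the BGP lines) are assumptions for illustration.

```javascript
// Added example, not ScrubForge's code. RULES covers only the five line
// types in the snippet above; each regex is (prefix)(secret)(rest of line).
const RULES = [
  ["PASSWORD", /^(\s*username \S+ (?:privilege \d+ )?password (?:\d )?)(\S+)(.*)$/],
  ["SECRET_HASH", /^(\s*enable secret (?:\d )?)(\S+)(.*)$/],
  ["COMMUNITY", /^(\s*snmp-server community )(\S+)(.*)$/],
  ["VPNKEY", /^(\s*crypto isakmp key )(\S+)(.*)$/],
  ["RADIUS_KEY", /^(\s*radius-server key (?:\d )?)(\S+)(.*)$/],
];

function sanitize(config) {
  const tokens = new Map(); // "LABEL\0secret" -> "[LABEL_n]"
  const counters = {};      // next index per label
  const tokenFor = (label, secret) => {
    const key = label + "\0" + secret;
    if (!tokens.has(key)) {
      counters[label] = (counters[label] || 0) + 1;
      tokens.set(key, `[${label}_${counters[label]}]`);
    }
    return tokens.get(key); // same secret -> same token every time
  };
  return config.split(/\r?\n/).map((line) => {
    for (const [label, re] of RULES) {
      const m = re.exec(line);
      if (m) return m[1] + tokenFor(label, m[2]) + m[3];
    }
    return line; // no rule matched: line passes through unchanged
  }).join("\n");
}

// Lines that mention a secret-bearing keyword but carry no token: these are
// the ones to read by hand before the text leaves the machine.
function needsReview(sanitized) {
  return sanitized.split("\n").filter((l) =>
    /\b(password|secret|key|community)\b/i.test(l) && !/\[[A-Z_]+_\d+\]/.test(l));
}

// Constructed sample: the page's snippet plus a BGP neighbor password that
// RULES deliberately does not cover.
const SAMPLE = [
  "username admin privilege 15 password 7 13061E010803557878", "!",
  "enable secret 5 $1$mERr$hx5rVt7rPNoS4", "!",
  "snmp-server community corp-mon-2026 RO",
  "snmp-server community corp-mon-2026 RW", "!",
  "crypto isakmp key Tunnel$ecret99 address 203.0.113.10", "!",
  "radius-server key RAD_shared_key_42",
  "router bgp 65000", " neighbor 192.0.2.1 password BGPpass",
].join("\n");
```

Running `needsReview(sanitize(SAMPLE))` returns only the BGP neighbor line, which is the kind of uncovered pattern the manual review step exists to catch.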

How to Sanitize Your Cisco Config with ScrubForge

ScrubForge is a Chrome extension that processes configuration text locally in your browser. Nothing is uploaded. Here's the workflow:

  1. Install ScrubForge
     Add ScrubForge from the Chrome Web Store. Free, no account required. Pin the icon to your toolbar so it's one click away.
  2. Run show running-config
     Connect to your Cisco device via SSH or terminal. Run show running-config (or show run) and copy the full output.
  3. Open ScrubForge and paste
     Click the ScrubForge icon in your browser toolbar. Paste the config into the input area. ScrubForge processes the text immediately — no submit button, no server call.
  4. Review the sanitized output
     Scan through the output for any remaining sensitive values. ScrubForge targets known patterns — review the result before sharing, especially if your config uses custom secret formats.
  5. Copy and share
     Copy the sanitized text and paste it into your TAC ticket, vendor email, or AI assistant. The support engineer gets everything they need to help you. Your credentials stay on your machine.

Why Local Processing Matters

Most "sanitizer" tools you find online work by sending your text to a server, processing it there, and sending back the cleaned version. That's fine for stripping markdown — it's not fine for network configs with active credentials.

ScrubForge processes everything in your browser tab. The extension has no server component. The config text you paste into it doesn't travel anywhere. This matters especially for:

What to Do After Sanitizing

Sanitizing before you share is a good habit. But it's also worth building it into your team's standard operating procedure for any support engagement. A few things worth documenting in your runbook:

If you share configs with external vendors frequently, see also: How to sanitize network configs before sharing with AI assistants for a broader look at multi-vendor workflows including FortiGate and AWS.
