
December 2020

15955 views | 0 helpful | 12 replies
iosvip_163_com
Beginner

Versions before 12.2(52) do not support disabling the Smart Install service

Versions before 12.2(52) do not support disabling the Smart Install service. Is there some other command? Brothers and sisters, please help. Or is there another solution, other than upgrading the software version? Thanks!
1 accepted solution

Accepted solution
Rockyw
Advisor

iosvip@163.com posted on 2018-7-4 10:50
Many thanks, Rocky, senior member.

If the problem is solved, please mark my reply as the best answer. Thanks!


12 replies
Rockyw
Advisor

Software releases earlier than IOS 12.2(52)SE are not affected by the Smart Install security vulnerability, so there is no such command.
iosvip_163_com
Beginner

Last edited by iosvip@163.com on 2018-6-27 08:59
Rocky posted on 2018-6-26 23:02
Software releases earlier than IOS 12.2(52)SE are not affected by the Smart Install security vulnerability, so there is no such command.

The current release, IOS 12.2(52)SE, itself listens on TCP port 4786, and show vstack also shows the device's information as a client, but there is no command to disable the service. Is there another solution? thx.
xxx-C3560-24TS#show ver
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Sep-09 08:13 by sasyamal
Image text-base: 0x01000000, data-base: 0x02E00000
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(50r)SE, RELEASE SOFTWARE (fc1)
dqg-C3560-24TS uptime is 1 day, 22 hours, 58 minutes
System returned to ROM by power-on
System image file is "flash:c3560-ipservicesk9-mz.122-52.SE.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco WS-C3560V2-24TS (PowerPC405) processor (revision F0) with 131072K bytes of memory.
Processor board ID FDO1439X286
Last reset from power-on
2 Virtual Ethernet interfaces
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : B4:14:89:10:D7:00
Motherboard assembly number : 73-11765-08
Power supply part number : 341-0328-02
Motherboard serial number : FDO143911KV
Power supply serial number : DCA1428M4JV
Model revision number : F0
Motherboard revision number : A0
Model number : WS-C3560V2-24TS-S
System serial number : FDO1439xxx6
Top Assembly Part Number : 800-31050-04
Top Assembly Revision Number : A0
Version ID : V04
CLEI Code Number : COMP900ARA
Hardware Board Revision Number : 0x03
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C3560V2-24TS 12.2(52)SE C3560-IPSERVICESK9-M
Configuration register is 0xF
xx-C3560-24TS#show vs conf
Role: Client
Vstack Director IP address: 0.0.0.0
*** Following configurations will be effective only on director ***
Vstack default management vlan: 1
Vstack management Vlans: none
xx-C3560-24TS#conf t
Enter configuration commands, one per line. End with CNTL/Z.
xx-C3560-24TS(config)#no vs
xx-C3560-24TS(config)#no vstack
% Incomplete command.
xxg-C3560-24TS(config)#no vstack config
xxg-C3560-24TS(config)#end
xxg-C3560-24TS#show tcp br all
TCB Local Address Foreign Address (state)
04F65F88 10.x.128.14.22 10.x.33.91.14176 ESTAB
04F37D28 *.4786 *.* LISTEN
Mansur
Engager

iosvip@163.com posted on 2018-6-27 00:43
The current release, IOS 12.2(52)SE, itself listens on TCP port 4786, and show vstack also shows the device's information as a client, but there is no ...

You can filter it with an ACL.
Rockyw
Advisor

Last edited by Rocky on 2018-7-2 23:19
iosvip@163.com posted on 2018-6-27 00:43
The current release, IOS 12.2(52)SE, itself listens on TCP port 4786, and show vstack also shows the device's information as a client, but there is no ...

Have you used the detection scripts available online to check whether your device actually has this problem? Your show vstack config output only shows Role: Client, without Oper Mode: Enabled.
To determine whether a device is configured with the Smart Install client feature enabled, use the show vstack config privileged EXEC command on the Smart Install client. An output of Role: Client and Oper Mode: Enabled or Role: Client (SmartInstall enabled) from the show vstack config command confirms that the feature is enabled on the device.


wuleihen
Advocate

I dealt with a vstack issue before. Some older IOS versions do not support disabling the Smart Install feature, yet show displays it as enabled, as I recall, and the TCP port is listening. The only option is to filter it out with an ACL. At the time, though, my customer said the devices running the old IOS would be retired in a few days, so I did not do anything with those devices.
iosvip_163_com
Beginner

wuleihen posted on 2018-7-3 09:28
I dealt with a vstack issue before. Some older IOS versions do not support disabling the Smart Install feature, yet show displays it as enabled, as I recall, ...

Many thanks! :)
iosvip_163_com
Beginner

Rocky posted on 2018-7-2 23:15
Have you used the detection scripts available online to check whether your device actually has this problem? Your show vstack config output only shows Role: Client ...

Cisco's online version-check data has been unavailable for the past couple of days.
iosvip_163_com
Beginner

iosvip@163.com posted on 2018-7-3 17:40
Cisco's online version-check data has been unavailable for the past couple of days.

c3560-ipservicesk9-mz.122-52.SE.bin
Is there a newer release that fixes the vulnerability for the version above? Cisco's online version-check database has been having problems for the past couple of days. Thanks.
iosvip_163_com
Beginner

Rocky posted on 2018-7-2 23:15
Have you used the detection scripts available online to check whether your device actually has this problem? Your show vstack config output only shows Role: Client ...

c3560-ipservicesk9-mz.122-52.SE.bin
Is there a newer release that fixes the vulnerability for the version above? Cisco's online version-check database has been having problems for the past couple of days. Thanks.
Rockyw
Advisor

iosvip@163.com posted on 2018-7-3 21:09
c3560-ipservicesk9-mz.122-52.SE.bin
Is there a newer release that fixes the vulnerability for the version above? Cisco's online version-check database has been ...

Smart Install Configuration Guide
https://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html
It has a detailed description, including the ACL method a fellow member mentioned earlier.
In the releases that do not support the vstack command (Cisco IOS Release 12.2(55)SE02 and prior releases), apply an access control list (ACL) on client switches to block the traffic on TCP port 4786.
The following example shows an interface ACL with the Smart Install director IP address as 10.10.10.1 and the Smart Install client IP address as 10.10.10.200:
ip access-list extended SMI_HARDENING_LIST
permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
deny tcp any any eq 4786
permit ip any any
This ACL must be deployed on all IP interfaces on all clients. It can also be pushed via the director when switches are first deployed.
To further restrict access to all the clients within the infrastructure, administrators can use the following security best practices on other devices in the network:
· Infrastructure access control lists (iACLs)
· VLAN access control lists (VACLs)
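As an added example (not code from the thread, from Cisco, or from the configuration guide), the following Python script ties together the two checks discussed in this thread and the mitigation quoted above: it applies Rocky's quoted rule for reading "show vstack config" (Role: Client plus Oper Mode: Enabled, or Role: Client (SmartInstall enabled)), looks for a TCP 4786 listener in "show tcp brief all" as the original poster did, and, when either finding is present, renders the SMI_HARDENING_LIST ACL from the guide and binds it inbound on each IP interface. The sample command outputs are constructed, modelled on the ones pasted earlier; the interface names and the director-less variant of the ACL (no permit line when no director is in use, as with the 0.0.0.0 director seen above) are assumptions that go beyond the guide's example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

SMART_INSTALL_PORT = 4786

# Constructed sample outputs, modelled on the ones pasted in the thread (not captured from a device).
SAMPLE_VSTACK_CLIENT_ONLY = """\
Role: Client
Vstack Director IP address: 0.0.0.0
*** Following configurations will be effective only on director ***
Vstack default management vlan: 1
Vstack management Vlans: none
"""

SAMPLE_VSTACK_OPER_ENABLED = """\
Role: Client
Oper Mode: Enabled
Vstack Director IP address: 10.10.10.1
"""

SAMPLE_VSTACK_ROLE_ENABLED = """\
Role: Client (SmartInstall enabled)
Vstack Director IP address: 10.10.10.1
"""

SAMPLE_TCP_BRIEF_ALL = """\
TCB       Local Address           Foreign Address        (state)
04F65F88  10.0.128.14.22          10.0.33.91.14176       ESTAB
04F37D28  *.4786                  *.*                    LISTEN
"""


def smart_install_enabled(vstack_config: str) -> bool:
    """The rule quoted in the thread: enabled when 'Role: Client' appears together with
    'Oper Mode: Enabled', or when the role line reads 'Role: Client (SmartInstall enabled)'."""
    role = re.search(r"^Role:\s*(.+?)\s*$", vstack_config, re.MULTILINE)
    if role is None:
        return False
    role_text = role.group(1)
    if "SmartInstall enabled" in role_text:
        return True
    oper = re.search(r"^Oper Mode:\s*(\S+)", vstack_config, re.MULTILINE)
    return role_text.startswith("Client") and oper is not None and oper.group(1).lower() == "enabled"


def tcp_listen_ports(tcp_brief: str) -> Set[int]:
    """Collect local ports in LISTEN state from 'show tcp brief all'.
    IOS prints the local socket as <address>.<port>, e.g. '*.4786' or '10.0.128.14.22'."""
    ports: Set[int] = set()
    for line in tcp_brief.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[-1] == "LISTEN":
            try:
                ports.add(int(fields[1].rsplit(".", 1)[1]))
            except (IndexError, ValueError):
                continue  # header or malformed line
    return ports


@dataclass
class Assessment:
    feature_enabled: bool  # vstack output reports the client feature as enabled
    port_listening: bool   # TCP 4786 is in LISTEN state

    @property
    def needs_acl(self) -> bool:
        # The thread's situation: the feature is not reported as enabled, yet 4786 is
        # listening on a release with no 'no vstack'. Either finding warrants the ACL.
        return self.feature_enabled or self.port_listening


def assess(vstack_config: str, tcp_brief: str) -> Assessment:
    return Assessment(
        feature_enabled=smart_install_enabled(vstack_config),
        port_listening=SMART_INSTALL_PORT in tcp_listen_ports(tcp_brief),
    )


def hardening_acl(director_ip: Optional[str], client_ip: str,
                  name: str = "SMI_HARDENING_LIST") -> List[str]:
    """Render the interface ACL from the configuration guide. Assumed extension: with
    director_ip None (no director, as with the 0.0.0.0 seen in the thread) the permit
    line is omitted, so port 4786 is blocked from every source."""
    lines = [f"ip access-list extended {name}"]
    if director_ip is not None:
        lines.append(f" permit tcp host {director_ip} host {client_ip} eq {SMART_INSTALL_PORT}")
    lines.append(f" deny tcp any any eq {SMART_INSTALL_PORT}")
    lines.append(" permit ip any any")
    return lines


def interface_bindings(interfaces: List[str], name: str = "SMI_HARDENING_LIST") -> List[str]:
    """Bind the ACL inbound on every listed IP interface, as the guide requires
    ('deployed on all IP interfaces on all clients'). Interface names are assumed."""
    lines: List[str] = []
    for intf in interfaces:
        lines += [f"interface {intf}", f" ip access-group {name} in"]
    return lines


if __name__ == "__main__":
    result = assess(SAMPLE_VSTACK_CLIENT_ONLY, SAMPLE_TCP_BRIEF_ALL)
    print(result)
    if result.needs_acl:
        print("\n".join(hardening_acl(None, "10.0.128.14")))
        print("\n".join(interface_bindings(["Vlan1"])))
```

Run against the constructed client-only vstack output and the listener table, the assessment comes back with the feature not reported as enabled but port 4786 listening, which is exactly the case the original poster hit, and the script emits the deny-only ACL and its binding. Feed it real "show vstack config" and "show tcp brief all" captures (one device at a time) to decide which switches still need the ACL while an upgrade is pending.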
iosvip_163_com
Beginner

Rocky posted on 2018-7-3 23:18
Smart Install Configuration Guide
https://www.cisco.com/c/en/us/td/docs/switches/lan/smart_instal ...

Many thanks, Rocky, senior member. (handshake)