cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3311
Views
0
Helpful
13
Replies
cgonzalez
Beginner

Avoid deleting files from flash (Switch 2960) No support EEM !!!

Hello,

I am looking for ways to avoid deleting files from the flash in a Switch 2960, I found some scripts TCL / EEM but this switch does not support EEM (IOS c2960-lanbasek9-mz.122-58.SE2.bin).

someone has an idea how to do this?.

thank you very much

13 REPLIES 13
Joe Clarke
Hall of Fame Cisco Employee

You could use AAA command authorization with a TACACS+ server to deny access to the "delete" command except for those users privileged enough to do this.

It is the only solution possible, you can not do anything without relying on the server.

Joe Clarke
Hall of Fame Cisco Employee

I suppose you could also assign all unauthorized users a privilege less than 15 where the delete command is not allowed.  However, this would be more of an administrative burden.

right,

The Switch is a laboratory where the practice of CCNA and CCNP, and there are times that some students "malicious" erase the IOS switch and reset the machines.

In 3560 switches achieve reverse by using EEM but for 2960 there is nothing similar.

Idea AAA is good, but would require a previous configuration loaded on the Switch, and if the student clears the startup-config and restart the machine and lost the configuration to verify the AAA.

Joe Clarke
Hall of Fame Cisco Employee

Ah.  Well, if you're giving full enable access, then even EEM could be circumvented (unless you block the ability to remove the EEM policy).  If you go with AAA, you can specify that the device's config file is loaded from a remote server all the time (e.g., tftp).  In this manner, one could never properly erase the startup config.

correct

when using EEM I have applet that prevents view or delete anything related to EEM:

event manager applet-event no-NO

  event cli pattern "no event manager" sync no skip yes

  action 1.0 syslog msg "Not Allowed"

  exit

event manager applet-event no-show

  event cli pattern "show event" sync no skip yes

  exit

and not to erase the flash:

event manager applet not-delete-flash

  event cli pattern "delete flash: C3560. *" sync no skip yes

  action 1.0 syslog msg "This action is not allowed"

  exit

when reset or erase the startup config:

event manager applet restore1

  event cli pattern "erase startup-config" sync yes

  action 1.0 syslog msg "OK"

  action 2.0 syslog msg "VLANS DROP"

  action 3.0 cli command "enable"

  action 4.0 cli command "erase startup-config" pattern "confirm"

  action 5.0 cli command "y"

  action 6.0 cli command "configure replace flash: default2.txt force"

  action 7.0 cli command "wr"

  action 8.0 cli command "delete / force flash: vlan.dat"

  action 9.0 cli command "reload" pattern "confirm"

  action 9.1 cli command "y"

  exit

For 2960:

"If you go with AAA, you can Specify That the device's config file is loaded from a remote server all the time (eg, tftp)."

How I can do this?, You have any tutorial or link that can help me.

Thanks

Joe Clarke
Hall of Fame Cisco Employee
Joe Clarke
Hall of Fame Cisco Employee

I should also add that if they write erase, then "service config" should pick up and the TFTP download should still work.  See

http://www.cisco.com/en/US/docs/ios/12_2/configfun/command/reference/frf007.html#wp1017913 .

OK, but as to the condition that if they do an erase startup-config on the switch 2960, go to find the TFTP configuration file default.

I can have the Switch validated in AAA with a user without access to the delete command, but that will occur when a student makes an erase startup-config and restart sw (as I told you to go find the default config).

thanks.

Joe Clarke
Hall of Fame Cisco Employee

In the case of a write erase (which you could also block with AAA), the switch should boot with "service config" enabled.  That will cause the switch to look for its config from TFTP.  So even in that case, you should be covered.

ok,

Therefore the switch should be to:

service config

boot network tftp ://1.1.1.1/config-default

config-default  file would have all the settings for the Switch to always tell users to validate the AAA and not authorize the write erase command and delete.

by no authorizing the delete command, may not clear the vlan.dat (which if it should be erased).

Joe Clarke
Hall of Fame Cisco Employee

Look at the boot host commands for DHCP from the 2960 guide.  That will make sure the switch always boots from the latest config.  If anything goes wrong and the switch defaults "service config" will make the switch request a config from the network.

Hi.

Maybe  if Gonzalez has an access server (router withconsole cables) this is  possible to achieve with AAA authorization for reverse telnet  connections?

I was successful only at AAA authentication , but not authorization and accounting for reverse telnet connections.

I was trying to do this with all the TACACS+ servers that I could find on Windows OS .

The  problem was that there was no documentation about reverse telnet  configuration (How to configure TACACS server for reverse telnet  authorization and accounting)