04-04-2012 06:26 AM
Hello,
I am looking for ways to prevent files from being deleted from the flash of a 2960 switch. I found some TCL/EEM scripts, but this switch does not support EEM (IOS c2960-lanbasek9-mz.122-58.SE2.bin).
Does someone have an idea how to do this?
Thank you very much.
04-04-2012 06:54 AM
You could use AAA command authorization with a TACACS+ server to deny access to the "delete" command except for those users privileged enough to do this.
04-04-2012 09:39 AM
It is the only possible solution; you cannot do anything without relying on the server.
04-04-2012 09:42 AM
I suppose you could also assign all unauthorized users a privilege less than 15 where the delete command is not allowed. However, this would be more of an administrative burden.
04-04-2012 09:49 AM
Right,
The switch is in a laboratory where CCNA and CCNP are practised, and there are times when some "malicious" students erase the switch IOS and reset the machines.
On 3560 switches I manage to reverse this by using EEM, but for the 2960 there is nothing similar.
The AAA idea is good, but it would require a previous configuration loaded on the switch, and if the student clears the startup-config and restarts the machine, the configuration needed to validate against AAA is lost.
04-04-2012 10:04 AM
Ah. Well, if you're giving full enable access, then even EEM could be circumvented (unless you block the ability to remove the EEM policy). If you go with AAA, you can specify that the device's config file is loaded from a remote server all the time (e.g., tftp). In this manner, one could never properly erase the startup config.
04-04-2012 10:12 AM
Correct.
When using EEM I have an applet that prevents viewing or deleting anything related to EEM:
event manager applet no-NO
event cli pattern "no event manager" sync no skip yes
action 1.0 syslog msg "Not Allowed"
exit
event manager applet no-show
event cli pattern "show event" sync no skip yes
exit
and one so the flash is not erased:
event manager applet not-delete-flash
event cli pattern "delete flash:c3560.*" sync no skip yes
action 1.0 syslog msg "This action is not allowed"
exit
and when the startup config is reset or erased:
event manager applet restore1
event cli pattern "erase startup-config" sync yes
action 1.0 syslog msg "OK"
action 2.0 syslog msg "VLANS DROP"
action 3.0 cli command "enable"
action 4.0 cli command "erase startup-config" pattern "confirm"
action 5.0 cli command "y"
action 6.0 cli command "configure replace flash: default2.txt force"
action 7.0 cli command "wr"
action 8.0 cli command "delete /force flash:vlan.dat"
action 9.0 cli command "reload" pattern "confirm"
action 9.1 cli command "y"
exit
For the 2960:
"If you go with AAA, you can Specify That the device's config file is loaded from a remote server all the time (eg, tftp)."
How can I do this? Do you have any tutorial or link that can help me?
Thanks
04-04-2012 10:19 AM
04-04-2012 10:21 AM
I should also add that if they write erase, then "service config" should pick up and the TFTP download should still work. See
http://www.cisco.com/en/US/docs/ios/12_2/configfun/command/reference/frf007.html#wp1017913 .
04-04-2012 10:43 AM
OK, but on the condition that if they do an erase startup-config on the 2960 switch, it goes to find the default TFTP configuration file.
I can have the switch validated in AAA with a user without access to the delete command, but what will occur when a student does an erase startup-config and restarts the switch (as I told you, so that it goes to find the default config)?
Thanks.
04-04-2012 10:47 AM
In the case of a write erase (which you could also block with AAA), the switch should boot with "service config" enabled. That will cause the switch to look for its config from TFTP. So even in that case, you should be covered.
04-04-2012 10:56 AM
OK,
Therefore the switch should be set to:
service config
boot network tftp://1.1.1.1/config-default
The config-default file would have all the settings for the switch to always make users validate against AAA and to not authorize the write erase and delete commands.
By not authorizing the delete command, vlan.dat cannot be cleared (if it should be erased).
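As an added example (not configuration from the original thread), this is what the config-default file served from TFTP could contain to combine the two ideas discussed above: AAA command authorization against TACACS+ so students cannot run delete/erase, and "service config" plus "boot network" so a wiped startup-config is fetched again at boot. The TACACS+ server address 10.0.0.5, the shared secret and the local fallback account are placeholders; the 1.1.1.1 TFTP server and file name come from the thread, and the per-command deny list is configured on the TACACS+ server in that server's own syntax.

```cisco
! config-default, served from tftp://1.1.1.1/config-default (name from the thread)
!
! Fallback: if startup-config is erased, refetch this file from TFTP at boot
service config
boot network tftp://1.1.1.1/config-default
!
! AAA: logins and every privilege-15 command are checked by TACACS+
aaa new-model
! placeholder TACACS+ server and shared secret
tacacs-server host 10.0.0.5
tacacs-server key REPLACE_WITH_SHARED_SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
! Lab users sit on the console: without this line command authorization
! is NOT applied to the console port, only to vty sessions
aaa authorization console
!
! Local fallback account so the switch stays manageable if TACACS+ is down
username lab-admin privilege 15 secret REPLACE_WITH_PASSWORD
!
line con 0
 login authentication default
 authorization exec default
 authorization commands 15 default
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
!
! On the TACACS+ server (not in IOS): the student group permits the usual
! show/configure commands but denies the following command patterns, while
! the instructor group permits everything. Constructed illustration:
!   deny  delete .*
!   deny  erase .*
!   deny  write erase
!   deny  format .*
!   deny  reload
end
```

Because command authorization falls back to "local" when the TACACS+ server is unreachable, keep the TACACS+ server on the lab network and check "show aaa servers" on the switch before handing it to students.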
04-04-2012 11:01 AM
Look at the boot host commands for DHCP in the 2960 guide. That will make sure the switch always boots from the latest config. If anything goes wrong and the switch defaults, "service config" will make the switch request a config from the network.
04-06-2012 04:41 AM
Hi.
Maybe if Gonzalez has an access server (a router with console cables), this is possible to achieve with AAA authorization for reverse telnet connections?
I was successful only with AAA authentication, but not with authorization and accounting for reverse telnet connections.
I was trying to do this with all the TACACS+ servers that I could find for Windows OS.
The problem was that there was no documentation about reverse telnet configuration (how to configure a TACACS server for reverse telnet authorization and accounting).