Solved: Re: Cannot disable vstack on switch

CartoGraph · ‎02-07-2018

Hello everybody,

I'm trying to disable at all vstack on a C3560 and the command "no vstack" doesn't work.

Does anybody know how to disable it? and close the port 4786?

PORT     STATE SERVICE
4786/tcp open  unknown

Switch(config)#no vstack
% Incomplete command.


Switch(config)#no vstack ?
  basic             Enable vstack director
  config            Configure default configuration file
  dhcp-localserver  Configure vstack dhcp parameters
  director          Configure director's IP address
  group             Configure a group for vstack
  hostname-prefix   Specify hostname prefix for Client
  image             Configure default image file
  join-window       Configure time interval to enable director
  vlan              Configure vstack management vlan

Thank you!!!

Leo Laohoo · ‎02-07-2018

@CartoGraph wrote:

SW version: 12.2(53)SE2

VStack is supported from 12.2(55)SE.

View solution in original post

patoberli · ‎02-07-2018

Which IOS is running on this device?
Normally the command 'no vstack' should be enough, at least on the 2960-... series.
I'm curious, can you enter the following command and paste the output here:
show run all | inc vstack

CartoGraph · ‎02-07-2018

Hello,

SW version: 12.2(53)SE2

I have no output, but even so... I would like to know if there is a way to close the TCP port.

Switch#show running-config all | i vstack
Switch#

Thank You!

patoberli · ‎02-07-2018

Hmm I guess you have to upgrade first:
https://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/commands.html#34399
Otherwise you could set an ACL as outlined here:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
Anyway, my recommendation is to upgrade the software to > 12.2(58)SE if the switch is under a contract.

Leo Laohoo · ‎02-07-2018

@CartoGraph wrote:

SW version: 12.2(53)SE2

VStack is supported from 12.2(55)SE.

heath762 · ‎04-10-2018

I have the same problem with this model - WS-C3560CG-8PC-S - running version 122-55.EX2.

Leo Laohoo · ‎04-10-2018

Post the complete output to the command "sh vstack conf".

Zitro68 · ‎04-12-2018

Here's a document I wrote for the other engineers on my team.

Note: addresses whether or not you have an OLDER or NEWER IOS/IOSXE.

To disable VSTACK, in config mode:

no vstack

-or-

no vstack config

! NOTE: This second variation was required on an older 2801. “no vstack” by itself responded with “incomplete command”.

Read a BLOG when this first came out and it said that unless the director had been set up, the 4786 port should not be open.

You determine that by entering the following command:

sh vstack config

If a newer IOS/IOSXE, it should show feature is “disabled”, and you're done. Otherwise, it won’t and will show you the configuration of vstack with the Director IP.

If the DIRECTOR SHOWS:

DIRECTOR = 0.0.0.0 Never configured

...TCP/4786 should NOT be open. You confirm if the port is open or not by entering the following command:

show tcp brief all | i 4786

If not in the list of active ports, no need for ACL’s either. STOP HERE

OTHERWISE: If ACL is needed, on every interface that is UP and assigned an IP (includes VLAN SVI’s), you would:

ip access-list extended no-vstack

deny tcp any any eq 4786

permit ip any any

exit

THEN, on EACH interface with an IP (including SVI's)

ip access-group no-vstack in

Hope this helps.

ranjit123 · ‎04-18-2018

Hello,

I have done

no vstack config

but still when i issue the below command i can still see the port is in listening state

SWITCH#show tcp brief all | i 4786
04AEABCC *.4786 *.* LISTEN <---------------*****

its a 3560 switch with 122-55.SE1 IOS..

any pointers?

Zitro68 · ‎04-18-2018

Yes, at the bottom of the instructions, there is an ACL that must be created, then applied to each interface assigned an IP address.

The only final option to close off the hole.

This is also documented in Cisco’s guide.

Don’t forget, all interfaces, including VLAN SVI’s.

ranjit123 · ‎04-18-2018

Hello,

I have done

no vstack config

but still when i issue the below command i can still see the port is in listening state

SWITCH#show tcp brief all | i 4786
04AEABCC *.4786 *.* LISTEN

its a 3560 switch with 122-55.SE1 IOS..

any pointers?

Leo Laohoo · ‎04-18-2018

Can you post the complete output to the command "sh vstack config"?

heath762 · ‎04-18-2018

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-smi
The no vstack global configuration command to disable the Smart Install client feature was introduced with the fix for Cisco bug CSCtj75729<> (Ability to shut Smart Install default service on TCP port 4786). If a Cisco IOS or IOS XE Software release supports the Smart Install client feature but the no vstack command does not exist, the release does not contain the fix for Cisco bug CSCtj75729<>.

ranjit123 · ‎04-18-2018

Hello,

Below are the details

switch#show vstack config
Role: Client
Vstack Director IP address: 0.0.0.0

*** Following configurations will be effective only on director ***
Vstack default management vlan: 1
Vstack management Vlans: none
Join Window Details:
Window: Open (default)
Operation Mode: auto (default)
Vstack Backup Details:
Mode: On (default)
Repository:

switch#show tcp brief all | i 4786

04AEABCC *.4786 *.* LISTEN

Leo Laohoo · ‎04-19-2018

What IOS version is this? It looks like 12.2(55)SE1.
My recommendation is to upgrade to a higher version, say 12.2(55)SE11, and only then will the command "no vstack" be available.