Cisco 3850 Repurposing multiples

jlkleins6
Level 1

Hi folks,

Some questions on the subject that my searches haven't found an answer to yet. I have 3 Cisco 3850 WS-C3850G-48P-E switches I bought used to upgrade our church network. I do commercial network-based AV as my day job, so am familiar with Cisco Catalysts enough for standard stuff. However, a lot has changed command-wise with the latest v16.x.x 3850 firmware, so it's been a challenge at times (I'm more familiar with the 3750 family).

I also learned the hard way that CNA is no longer really supported for 3850s with the latest firmware, as a lot of my initial setup that I'd done in CNA did not appear in the command line. Ex: I set one switch up for 1/2 VLAN 10 and 1/2 VLAN 700 in CNA, but when I applied and saved everything I checked the CLI via "sh vlan" and while it did have the two new VLANs, all ports were still assigned to VLAN1. When I logged back into CNA, it showed the interface VLAN assignments 1/2 and 1/2 as I'd done. I was hoping to use the web interface after initial setup as that has gotten good reviews, but have had issues accessing it. I did notice that only one of the switches prompted to set up an HTTP account, while the other 2 didn't, which would explain why only that one switch would access the web interface.

Anyway, after I did a factory reset, upgraded to Gibraltar fw on all 3 switches, and got the initial boot setup done, I set up a couple of VLANs on the main office switch and configured two copper ports as uplink ports with "switchport mode trunk". I'll have one of these as uplink for each of the other two switches in other areas of the building until my 10G fiber comes in, after which I'll switch to the 10G fiber uplinks on the NM-2-10G modules each has.

Once I got the office switch configured, I saved off its running-config to a USB drive and then loaded that onto the other two switches so all I had to do was change the hostname, IP and interface VLAN assignments and descriptions. Problem is, they didn't all act the same afterward. All should have the same setup, but only one could be accessed via CNA and the onboard Web Interface. Some accepted SSH connections, some did not (using Putty).

The only thing I could think of was that:
1) Factory reset does not reset everything...if true, what DOESN'T it reset that I missed?
2) I noticed that in the USB copy options list (copy usbflash0:backupconfig ?), the startup and running config options said "startup-config" and "running-config (merge with)". I had specified "running-config", so it sounds like it didn't overwrite everything after all, which would explain the differing operations. So should I have done "startup-config" instead?

I cut and pasted two of the configs from Putty to a spreadsheet and compared info and found some oddities:
Only the first switch had this entry:

crypto pki trustpoint TP-self-signed-1235470343
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1235470343
 revocation-check none
 rsakeypair TP-self-signed-1235470343

Both had this entry:

crypto pki certificate chain SLA-TrustPoint
 certificate ca 01

But only the first one had this one:

crypto pki certificate chain TP-self-signed-1235470343
 certificate self-signed 01

Both had most of this entry; the second switch was missing the "shutdown" entry. I know I had chosen yes or no on configuring port 0/0 (no IP on either), but had recopied the config files, so this may have not been overwritten after all?

interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 shutdown
 negotiation auto


I want to retry this again, which isn't hard since it's a simple setup to start, so what did I do wrong? Based on some reading, would this be the best route to start from scratch on all 3 switches?

  • Do factory reset ALL on each switch (didn't do "all" before).
  • Erase config.txt and vlan.dat file in flash on all switches.
  • Reboot and do initial setup again on all switches.
  • Once first switch is set up to start, backup config to USB.
  • On each of the other two switches, copy USB backup config to STARTING-config rather than Running-Config.
  • Reboot and customize hostname, IP, and interface settings for each switch
  • (Anything I miss?)

Lastly, one thing I did try to regain web interface and CNA access was:

  • aaa new-model
  • aaa authentication login default local
  • aaa authorization exec default local
  • aaa authorization network default local
  • username XXXX privilege 15 password 0 YYYY (where XXXX is username and YYYY is pw)

While it seemed to work, it altered my initial setup passwords. Which password do those commands reset? Enable, Enable Secret, Virtual Terminal or HTTP Server Access? I thought it would be the latter, but it seemed it changed Enable Secret as well.

Appreciate any insights

Thanks,
Jeff

2 Replies

balaji.bandi
Hall of Fame

Here are my views.

What version of IOS code is running on these devices?

1. Stay away from CNA for configuring the 3850; they don't work as expected together.

2. It's a simple configuration at startup. It's not hard to cut and paste from the command line (do not copy the entire configuration) once you have a template ready (in Notepad).

Only copy the relevant configuration (copying certs is not going to help you).

3. You can set up the GUI if you like, but make sure you enable HTTP and add a username and password to access the GUI (avoid HTTP and use HTTPS).

Check express setup:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/hardware/quick/guide/cat3850_gsg.html

You can do a factory reset:

factory-reset {all | config | boot-vars}  - Do not use "all"; this will remove everything, including IOS.

BB


Hi BB,

What version of IOS code is running on these devices?
A: Gibraltar, 16.12.10a

1. Stay away from CNA for configuring the 3850; they don't work as expected together.
A: Indeed, lesson learned

2. It's a simple configuration at startup. It's not hard to cut and paste from the command line (do not copy the entire configuration) once you have a template ready (in Notepad).
A: It sounds like just doing an initial setup on all of them might be the easiest, after deleting the config.text and vlan.dat files, correct?

Only copy the relevant configuration (copying certs is not going to help you).
A: So, does it not do any good copying one switch's "basic" config to another using a backed-up config then? I didn't copy and paste text (didn't know that method was an option); I backed up the config file from the switch to a USB drive in the switch's USB slot with "Copy startup-config usbflash0:backupconfig". Then I moved the USB drive to the next switch and loaded it with "copy usbflash0:backupconfig running-config" (then copy to starting config to save). I would assume that I'd have the same problem with the certs copying with that method as well?

3. You can set up the GUI if you like, but make sure you enable HTTP and add a username and password to access the GUI (avoid HTTP and use HTTPS).
A: Is that the "aaa" commands that I mentioned in my initial email?

Check express setup:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/hardware/quick/guide/cat3850_gsg.html
A: Unfortunately that link says, "Express Setup is not supported on Cisco IOS XE Denali 16.1.1 and later releases", so it wouldn't work on Gibraltar/16.12.10a.

You can do a factory reset:
factory-reset {all | config | boot-vars}  - Do not use "all"; this will remove everything, including IOS.

A: I ended up just doing a "write erase", deleting the "vlan.dat" file, reloading and rerunning setup.
I did get 2 errors afterward:
1) Apparently there's a bug in the current FW, where the configuration register isn't set correctly and gives the error:
%Error opening tftp://255.255.255.255/router-confg (Timed out).
Resolved by the command "config-register 0x2102".
2) The second error received was "Startup-config is ignored. So, HTTP Secure server configuration not done", which causes the startup-config to not be loaded upon reboot. THAT was way annoying.
Resolved by the following:
Enter boot loader mode
SWITCH_IGNORE_STARTUP_CFG=0
BOOT
Thanks,
Jeff
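Added example, not from the thread or from Cisco: a small Python helper that does what BB's advice ("only copy the relevant configuration, copying certs won't help") and Jeff's spreadsheet comparison amount to. It splits a saved running-config into top-level sections, strips the per-switch sections (self-signed trustpoint, certificate chains, hostname) to produce a paste-able template, and reports which sections differ between two switches. The section prefixes in DEVICE_SPECIFIC and the sample configs are constructed assumptions modelled on the fragments quoted above.

```python
import re

# Sections unique to each switch that must not be carried to the next one
# (the self-signed trustpoint/cert names are per-device, as the thread shows).
DEVICE_SPECIFIC = (re.compile(r"^crypto pki trustpoint "),
                   re.compile(r"^crypto pki certificate chain "),
                   re.compile(r"^hostname "))

def split_sections(config: str) -> list[list[str]]:
    """Group lines into top-level sections: a line at column 0 starts a
    section, indented lines belong to it (show running-config layout)."""
    sections: list[list[str]] = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # skip blanks and '!' separators
        if line[0] != " ":
            sections.append([line])
        elif sections:
            sections[-1].append(line)
    return sections

def make_template(config: str) -> str:
    """Drop device-specific sections so the rest can be pasted elsewhere."""
    kept = [s for s in split_sections(config)
            if not any(p.match(s[0]) for p in DEVICE_SPECIFIC)]
    return "\n".join(line for s in kept for line in s)

def diff_sections(a: str, b: str) -> tuple[list[str], list[str]]:
    """Sections present only in a, and only in b (whole-section compare)."""
    sa = {"\n".join(s) for s in split_sections(a)}
    sb = {"\n".join(s) for s in split_sections(b)}
    return sorted(sa - sb), sorted(sb - sa)

# Constructed sample modelled on the fragments quoted in the thread.
SWITCH1 = """hostname office-sw
!
crypto pki trustpoint TP-self-signed-1235470343
 enrollment selfsigned
 rsakeypair TP-self-signed-1235470343
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 shutdown
 negotiation auto
"""
# Second switch: different hostname and the 'shutdown' line missing.
SWITCH2 = SWITCH1.replace("office-sw", "hall-sw").replace(" shutdown\n", "")
```

Run `diff_sections(SWITCH1, SWITCH2)` to see the hostname and the Gi0/0 section reported as differing, and `make_template(SWITCH1)` to get only the interface section back.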