04-10-2018 02:14 PM - edited 03-08-2019 02:36 PM
Hello, we are planning on going through our full inventory of Cisco routers and switches and disabling Cisco Smart Install due to the recently advised security vulnerability: 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2'
My question is, is there any risk running the command 'no vstack' that something will break?
We do not use Smart Install at all.
Thanks for any info.
04-10-2018 03:36 PM - edited 04-20-2018 07:04 PM
If no one is using Smart Install then running the command poses no risk to the network.
(Switch models as old as 2940/2950/2955, 3550 and EARLIER are not covered by this response. I am not yet sure how the new Catalyst 9K behaves.)
I got some good news and some bad news.
The GOOD news
The list of routers & switches that support Smart Install can be found HERE. What is missing in the list are the 3650/3850 and 4500/6500 Supervisor cards. This list is important.
IF you have appliances found in this list, this means the only way to disable Smart Install is to use the command "no vstack" or "no vstack config".
The BAD news (a really bad one)
If you have appliances (routers &/or Catalyst switches) not in this list, the ACL must be applied. Emphasis on the word "must".
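For an inventory-wide check like the one asked about, the sketch below classifies saved running-config text by which of the two mitigations in the reply above is present. It is an added example, not part of the original posts and not Cisco code. Assumptions: Smart Install listens on TCP 4786, a disabled device shows a literal `no vstack` line in its configuration, and the host names, ACL name and sample configs are constructed.

```python
import re

SMI_PORT = "4786"  # assumption: Smart Install TCP port, not stated in the thread
NO_VSTACK = re.compile(r"^no vstack\s*$", re.M)
ACL_START = re.compile(r"^ip access-list extended (\S+)\s*$")
DENY_SMI = re.compile(r"^\s+deny\s+tcp\s+any\s+any\s+eq\s+" + SMI_PORT + r"\s*$")
ACL_APPLIED = re.compile(r"^\s+ip access-group (\S+) in\s*$")

def audit_config(text):
    """Return 'disabled', 'acl-applied', 'acl-not-applied' or 'review'."""
    if NO_VSTACK.search(text):
        return "disabled"
    current, blocking, applied = None, set(), set()
    for line in text.splitlines():
        m = ACL_START.match(line)
        if m:
            current = m.group(1)       # entering a named extended ACL
            continue
        if not line.startswith(" "):
            current = None             # any top-level line ends the ACL block
        if current and DENY_SMI.match(line):
            blocking.add(current)      # this ACL denies the Smart Install port
        m = ACL_APPLIED.match(line)
        if m:
            applied.add(m.group(1))    # ACL bound inbound on some interface
    if blocking & applied:
        return "acl-applied"
    # 'review' is not proof of exposure: the platform may lack the feature.
    return "acl-not-applied" if blocking else "review"

def audit_inventory(configs):
    """Map each device name to its audit result."""
    return {name: audit_config(text) for name, text in configs.items()}

# Constructed sample configs (not taken from any real device).
ACL = "ip access-list extended SMI_BLOCK\n deny tcp any any eq 4786\n permit ip any any\n"
SAMPLES = {
    "sw-a": "hostname sw-a\nno vstack\n",
    "sw-b": "hostname sw-b\n" + ACL + "interface Vlan10\n ip access-group SMI_BLOCK in\n",
    "sw-c": "hostname sw-c\n" + ACL + "interface Vlan10\n ip address 10.0.0.1 255.255.255.0\n",
    "sw-d": "hostname sw-d\ninterface Vlan10\n ip address 10.0.0.2 255.255.255.0\n",
}

if __name__ == "__main__":
    for name, result in audit_inventory(SAMPLES).items():
        print(f"{name}: {result}")
```

A `review` or `acl-not-applied` result is a prompt to check the device itself, since the script only reads the saved text.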
11-29-2018 05:42 AM
Please note that according to this link, routers can only be directors:
The security advisory only affects clients, so routers should not have a problem with it:
"Only Smart Install client switches are affected by the vulnerability that is described in this advisory. Cisco devices that are configured as a Smart Install director are not affected by this vulnerability."
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
11-29-2018 11:35 PM