Re: Disabling Vstack - C3750 - 12.2(55)SE1

Sheikh Islam · ‎04-16-2018

Hello Everyone,

We have this C3750 switches on our network with IOS version - 12.2(55)SE1. To fix recent vulnerability with smart install ( https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-smartinstall ) we have been disabling vstack on all our switches as we dont use this feature. Vstack configuration are as follows -

#show vstack config
Role: Client
Vstack Director IP address: 0.0.0.0

*** Following configurations will be effective only on director ***
Vstack default management vlan: 1
Vstack management Vlans: none
Join Window Details:
Window: Open (default)
Operation Mode: auto (default)
Vstack Backup Details:
Mode: On (default)
Repository:

#show tcp brief all | include 4786
06170394 *.4786 *.* LISTEN

#sh run | i vstack
#

IOS -

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3750-48P 12.2(55)SE1 C3750-IPSERVICESK9-M

On these 3750s ' No Vstack ' command is unavailable. I have tried few of the followings but vstack was still enabled and port 4786 is still listening.

#conf t
Enter configuration commands, one per line. End with CNTL/Z.
(config)#no vstack ?
backup - Configuration backup feature
basic - Enable vstack director
config - Configure default configuration file
dhcp-localserver Configure vstack dhcp parameters
director - Configure director's IP address
group - Configure a group for vstack
hostname-prefix Specify hostname prefix for Client
image - Configure default image file
join-window Configure time interval to enable director
vlan - Configure vstack management vlan

Any ideas how we can disable vstack on these models please ?

Regards,

Sheikh

Seb Rupik · ‎04-16-2018

Hi there,

See the workaround:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtj75729

cheers,

Seb.

Sheikh Islam · ‎04-16-2018

Thanks Seb. ACL was my 2nd option. I thought someone may have had this same issue and had other ideas.

Leo Laohoo · ‎04-16-2018

~~What about "no vstack config"?~~

~~Smart Install was only introduced starting from 12.2(55)SE2 and later. I think with the current version Smart Install was still operating as a "bug".~~

~~My only recommendation is to upgrade the IOS. 12.2(55)SE1 is not really that stable.~~

WARNING: This recommedation (disable Smart Install by using the command "no vstack") is no longer valid. Read my updated response.

Sheikh Islam · ‎04-16-2018

Thanks Leo. IOS upgrade is always a good idea. I will check to see which version is that latest for this model.

Joseph W. Doherty · ‎04-16-2018

Last time I grabbed a 3750 12.2(55), believe latest was SE12, which is also likely to be the very last. (55) got real stable around SE7..9, but SE12 has a few more fixes, including a recent security bug fix.

Like Leo, I too would recommend upgrading from SE1.

Sheikh Islam · ‎04-16-2018

Thanks. Downloaded se12. For some reason the tftp transfer would drop after a minute of starting. TFTP server said peer dropped connection. On the switch it says - error retrieving file from tftp. Checked on other 3750 switches - same result. Tried this on a different model - no problem. Looks like I will have to do the transfer over a console cable.

Joseph W. Doherty · ‎04-16-2018

Can you try FTP or RCP?

Sheikh Islam · ‎04-20-2018

We dont have internal FTP.

There is now enough space in the flash to copy the files. However, the error msg I am getting is not relevant to to space requirement. hence the confusion. I could delete the existing IOS and try copying the new one but it fails then I end up having a production switch with no IOS on it.

I are to replace our switches later on this year with 3850Xs. But looks like I will have to replace these 3750s now to mitigate the recent vulnerability identified with smart install.

I might try removing the existing IOS and try copying the new IOS again when I have a downtime.

Please share if you have any more ideas.

Regards,

Sheikh

Seb Rupik · ‎04-20-2018

Hi there,

If you are patient, why don't your try a xmodem transfer. Make sure you set the console baud rate to something high:

!
line con 0
  speed 115200
!

cheers,

Seb.

Sheikh Islam · ‎04-20-2018

Hi Seb,

I could do that but i would have to delete the existing IOS to make space. Since this a production switch and if the transfer fails for any reason, that will be bad I guess. So, did not want to take that risk. Not yet at least. Lets see how soon I can get the downtime.

Cheers.

Joseph W. Doherty · ‎04-20-2018

That's not uncommon, the need to remove an existing IOS image, before loading a newer image (at least on earlier devices that often didn't have sufficient flash to contain more than one IOS image. (NB: some of the early 3750s also don't have enough flash to run a 15.x image.)

If you get "stuck" with a non-bootable 3750, as Seb mentions, you can then use XMODEM to load a new image.

Besides falling back to XMODEM, if you have any other host, that can support tftp, on a shared network that the 3750s is on, you can use it to deal with a botched load. (NB: don't forget other Cisco devices, including 3750s, can be tftp servers.)

Sometimes I've found "old" minimal IOS images will fit on flash with the newer image - useful, again, if a new IOS image fails for some reason.

BTW, I've very rarely had an issue loading an IOS image after erasing the existing image from flash. Of course, before reloading, insure your newly loaded image is a "good" copy (by doing a image verification check). (NB: I once had a new image reload fail because I didn't check.)

Lastly, I have encountered "sick" Cisco devices, those that wouldn't load using tftp. Often such was cured by reloading the device even with its existing IOS. (BTW, another time I had an issue, I had already erased the running IOS image THEN I discovered the system wouldn't load any IOS.)

Leo Laohoo · ‎04-20-2018

~~If no one is using Smart Install then running the command poses no risk to the network.~~

(Switch models as old as 2940/2950/2955, 3550 and EARLIER are not covered by this response. I am not yet sure how the new Catalyst 9K behaves.)

I got some good news and some bad news.

The GOOD news

The list of routers & switches that support Smart Install can be found HERE. What is missing in the list are the 3650/3850 and 4500/6500 Supervisor cards. This list is important.

IF you have appliances found in this list, this means the only way to disable Smart Install is to use the command "no vstack" or "no vstack config".

The BAD news (a really bad one)

If you have appliances (routers &/or Catalyst switches) not in this list, the ACL must be applied. Emphasis on the word "must".

Sheikh Islam · ‎04-27-2018

Thanks guys.

Before I plan replacement of these switches with new ones that we now have, ACL may be an option.

Looking at this - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtj75729

Control plane policing -

access-list 150 permit ip any any eq 4786

class-map match-all drop-smartinstall-class match access-group 150

policy-map control-plane-policy class drop-smartinstall-class drop

control-plane service-policy input control-plane-policy

Is this application to c3750 s ?

2nd option - Infrastructure Access Control Lists

access-list 150 deny ip any INFRASTRUCTURE_ADDRESSES WILDCARD eq 4786

access-list 150 permit ip any any

Then applying this ACL on all interfaces.

Has anyone applied this ? Any suggestions with this ACLs ?

Regards,

Sheikh