Hello Peter,

what a surprise How are you doing?

Thank you for your reply. Unfortunately, neither 2960 nor 3560 do not accept that command. Problem was switch wasn't satisfied with "null" word in boot config-file null:/config.text command. It said that "flash" is the only one correct.

It's not a such a big deal. Only thing I wanted to achieve was to make our lab less prone to students' config errors like misconfigured password and subsequent inability to log in....

Still, thank you for your help

Standa Zitta

Hello Standa,

I'm fine, thanks for asking How are you?

Hmmm, the IOS seems to be quite picky here. Well, well... Let's give it one more try. The boot config-file command in fact configures an environment variable called CONFIG_FILE. This variable can also be manipulated manually from the bootloader command line (the one you break into when doing password recovery). Perhaps the bootloader does not perform such a strong validity check on the name of the configuration file. Try breaking the IOS bootup process and in the bootloader, try entering the following command:

set CONFIG_FILE null:/config.text

We'll see if this helps...

Best regards,

Peter

Standa,

Please disregard my previous response. It will sadly not work, either. The trick is that while the bootloader will allow you to set the CONFIG_FILE variable using the null: filesystem, the IOS during boot will detect that the CONFIG_FILE does not contain a valid path and will unset it, reverting to the default. I don't like when software tries to outsmart its administrator

Anyway, it seems that I have found a totally simple yet working solution. Simply use the boot config-file to point the IOS to a nonexistent directory within the flash: filesystem. As the IOS is not going to create the directory itself, it will be unable to store (and thus read) any configuration unless you create that directory manually. So for example:

boot config-file flash:/nonexistent/config.text

After configuring this, any attempt to save the running-config to startup-config will fail:

Switch#show boot
BOOT path-list      : flash:/c2960-lanbasek9-mz.122-58.SE1/c2960-lanbasek9-mz.122-58.SE1.bin
Config file         : flash:/nonexistent/config.text
Private Config file : flash:/private-config.text
Enable Break        : no
Manual Boot         : no
HELPER path-list    :
Auto upgrade        : yes
Auto upgrade path   :
NVRAM/Config file
      buffer size:   65536
Timeout for Config
          Download:    0 seconds
Config Download
       via DHCP:       disabled (next boot: disabled)
Switch#write
Building configuration...
nv_done: unable to open "flash:/nonexistent/config.text.new"[OK]
Switch#

The protection will last as long as the "flash:/nonexistent" directory does not exist.

Try it out and let me know if it worked for you!

Best regards,

Peter

Peter, you are incredibly quick

I just rebooted the switch after saving the configuration and it's asking me if I want to terminate autoinstall - this is proof that everything works correctly. Many many thanks, you solved my "headache". Now, I am going to implement it happily on every switch in our lab.

One more time thanks and have a nice day

Standa Zitta

Hi Standa,

You are very much welcome! Once again, please note that the vlan.dat file will still be stored and processed. I do not currently know of any way of redirecting the vlan.dat to oblivion... Perhaps I can find out something about access rights to files...

Anyway, I'm glad it appears to have worked for you.

Best regards,

Peter

Hello again, Peter,

vlan.dat is not as critical for us as rest of config, students are often aware of deleting vlans before configuring, but if somebody forgots to clean config, consequences are often worse. Anyway, it's interesting topic to think about :-)

Have a nice rest of the day,

Standa

Hi Peter

I just used your input in our Networking Academy Lab, however, I hav run into an issue.
when using the write or copy run start command no config file is created in flash.

I can get around that by using copy run config.text that will save the running config in flash:

But I would like to make an alias so my students always use the same filename - makes it a lot easier to clean up.
However when I try to configure an alias "gem" it takes the command but creates no alias.
I probably do not understand the syntax correctly

Switch(config)# alias configure gem copy run config.text

I am slightly puzzled about your post. The original post and its very interesting suggestions (thank you @Peter Paluch ) was about how to make sure that the switch would not use the startup config in  its boot process. If you do not want the switch to use startup config then why does it matter whether students can save the config or not?

Hi Rhchard
The problem is we spend too much time on students who use "non standard" passwords and then leave the box locked in the middle of an exam. If they can save their startup-config they can reload and copy the config back and correct the password.
The next benefit is that if another student needs the box it is accessible eventhough it may not be reset.
Regards,

Orla