Re: Smart Install

MATTHIAS SCHAERER · ‎10-04-2010

Hi,

has somebody found a way to disable the (time consuming) image download that takes place at the beginning of each switch replacement in Smart Install? As far as I see it even if the software version matches the version in the vstack config it is downloaded.

Any ideas are welcome.

regards

mat

dbetker-nait · ‎10-12-2010

Hey,

I've been recently testing out the Smart Install feature, and I too have noticed that even when a switch has the newest IOS, there is no version checking before it grabs the new IOS image archive.

I've looked around and I have been unable to find any options or settings to change to mitigate the unneccessary traffic and wasted time.

I'd be interested in seeing if there are any such options.

One other problem I have also noticed with connecting Non-Smart Install capable switches ( < 12.2(52)SE ) is that when it begins the autoinstall, option 150 (TFTP server) is overwritten with the director IP address and does not contain the IP which is defined by file-server in vstack dhcp-localpool. Now this is a problem when using a remote TFTP server as it errors out (TFTP timeout) by trying to retrieve a dummy file from the director IP three times then switching to a broadcast address which fails again if there isn't a TFTP server with the dummy file located on it. Even if there is a dummy file with 0 bytes, it retrieves it three times then continues onto obtaining the client_cfg.txt from the director IP via TFTP (inital config to allow director to telnet and issue the archive download-sw command). Is retrieving the dummy file even neccessary? Is there a way to disable it?

Wouter Prins · ‎10-18-2010

Good question, Derek. I dont like this smart install stuff at all.

I would like to turn off smart install as it opens a TCP port on each switch. Shown with 'show tcp brief all'.

--

050A7C6C *.4786 *.* LISTEN

--

I checked the documentation but am unable to find a way to turn this smart install/tcp port off. Might be me but it seems like you're not able to turn it off?

Anyone on the forum has an idea?

dbetker-nait · ‎10-18-2010

Smart Install seems to be a bigger hassle than it is to do it manually, depending on how your network is setup.

I've been looking into a way to stop it from using the tcp port 4786, however Cisco documentation seems to be sparse for the Smart Install feature. The only way I can see to block external access to port 4786 is using an acl to deny access, however denying everything would most likely break the Smart Install functionality. An allow on the director's IP with a deny all rule following it might work...

Wouter Prins · ‎10-18-2010

Hi Derek,

I understand you can ACL that smart install tcp port. But i prefer to disable the service. I'm glad you were not able to find any information about how to get rid of this nasty process.

Anyone else who knows how to disable this service/port without use of CPP or ACL's?

Xu Zhang · ‎06-04-2013

I know its too late to post the reply here, but since I had read this so why not to put the CISCO's recommendation here (link below). Other people may need it.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-smartinstall

--------------------------

Regards,

Zhang Xu

Wouter Prins · ‎06-05-2013

Thanks a lot 'no vstack' disables the tcp port..