CNA questions

Oct 31st, 2007

I have a site administrator that was exploring his network using CNA yesterday. The network consists of a 3750 "core", a couple of 3550-12G distribution switches, and several access switch stacks. The access switch stacks are configured as switch clusters. He managed to do two things:

1) While connected to one of the access switch clusters, he managed to add all of the switches that were not configured as part of a cluster to that cluster. This included the 3750 stack and the distribution switches.

2) He managed to configure the switch from NVRAM. In other words, the saved config overwrote the running config.

Does anyone know how he could have done this? I rarely use CNA.

aborole (Cisco Employee) Wed, 10/31/2007 - 09:30

The question is not very clear.

What I know is that any change made from CNA exists only in the running config until the user explicitly does a save config from CNA, after which the running config is saved to the startup config.

Hope that helps.

jedavis Wed, 10/31/2007 - 10:31

Thanks, but that's not what happened. Specifically, in the saved config all of the 10/100 ports on this switch were in one VLAN, with the exception of one that is connected to a 2900XL switch and is configured as a trunk. In the running config there were 4 ports that had been placed into a different VLAN. Those four ports suddenly reverted back to the saved config. It is as if the switch reloaded, except that the uptime on the switch is 1 year 20 weeks +.

scootertgm Wed, 10/31/2007 - 14:27

I'm not familiar with CNA; however, if it will issue a copy start run, then you could have the saved config in place rather than the running config.

jedavis Wed, 10/31/2007 - 14:34

Yes, I am familiar with the CLI. I have been doing this long enough that I would do that with a "config mem" command. The question is, how do you do this from CNA?

Ok, let me shift the focus of this question. Without RADIUS or TACACS+, how can I restrict an admin to only be authorized to perform certain functions from within CNA? Specifically, I want to restrict them from doing anything but changing specific access port configurations, one port at a time. Can this be done?

aborole (Cisco Employee) Wed, 10/31/2007 - 14:39

In CNA, you cannot restrict features - if a user has the device passwords, all features supported in CNA can be used by that user.

jedavis Wed, 10/31/2007 - 17:56

Ok, thanks. I seem to remember that in earlier versions of CNA there was a "privilege level" option, and that I had tried to use it and found that it didn't work. I don't see that on the 5.2 that I have now, so maybe they gave up on fixing a deployed option that never worked.

Allow me to explain my position. I manage several LANs at a dozen or so sites from Texas to Connecticut. Initially the local site admins had full access to their local LANs. Due to, well, ignorance (it's not their job, it is mine) and SOX requirements, many of the local admins have had their access restricted to read only. However, they occasionally need to change the access VLAN on a particular switchport and I would like to grant them that ability, and that ability only. How do I do that? They are competent people; some are just more adventurous than others and manage to screw things up if given the opportunity. Most are more comfortable with a mouse than a keyboard. How do I accomplish this?

aborole (Cisco Employee) Wed, 10/31/2007 - 18:28

The Connect dialog of CNA still has the privilege level selection under Options.

CNA does not allow explicit configuration of what each privilege level will allow the user to do, and it also does not support partial configuration - by that I mean the user can use all CNA features and apply all configurations if the level 15 password is known, but any non-15 level is treated as read-only mode and no configurations are allowed at all.

jedavis Wed, 10/31/2007 - 18:56

Gotcha. Like I said, these are not incompetent people, and if I have to force them to the command line I can. It's been a long time since I looked at it but I know that I can define a custom privilege level with local authorization.

Thanks to all for your help.
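One way to implement the local-authorization approach mentioned above, as an added example that is not from any poster in this thread: an IOS custom privilege level (level 5 here, an arbitrary pick from 2-14) that lets a locally defined account change only the access VLAN of a port and save the result, with no RADIUS or TACACS+. The username and secret are placeholders.

```cisco
! Added example, not from the thread. "siteadmin" and the secret are placeholders.
!
! Local account that lands at privilege level 5 when it logs in via "login local"
username siteadmin privilege 5 secret CHANGE-ME-PLACEHOLDER
!
! Move just the commands the site admin needs down to level 5.
! IOS also grants the parent keywords ("switchport", "switchport access")
! at the same level automatically, so the full path is usable.
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 switchport access vlan
!
! Let them persist the change so the next "config mem" or reload does not undo it
privilege exec level 5 copy running-config startup-config
!
! Optional: "show running-config" at level 5 displays only commands at or below level 5
privilege exec level 5 show running-config
!
line vty 0 4
 login local
 transport input ssh
!
! What this does NOT do: privilege levels restrict commands, not targets.
! Once "interface" is at level 5 the admin can enter any interface, including
! the trunk to the 2900XL, so "switchport access vlan" on a trunk port is still
! possible; per-port restriction needs an external AAA server with command
! authorization, or a per-site account kept to the CLI and audited.
! "configure memory" and "copy startup-config running-config" stay at level 15
! because only "configure terminal" was lowered.
```

A level-5 session can then run `configure terminal`, `interface FastEthernet0/1`, `switchport access vlan 20`, `end` and `copy running-config startup-config`, while `configure memory`, VTP, VLAN database and cluster commands remain unavailable; note that CNA itself, per aborole's reply above, treats any non-15 login as read-only regardless of this configuration, so these admins would work from the CLI.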

jedavis Wed, 10/31/2007 - 19:02

Ok, wait. I missed the first sentence: "Connect dialog of CNA still has the privilege level selection under options". You are right, I completely missed the pull-down menu. Yet I seem to recall that using CNA I could never define a custom privilege level and allow a user to sign on with that privilege level. If CNA is an all-or-nothing game, why is that option even available?

aborole (Cisco Employee) Wed, 10/31/2007 - 19:07

Because there are customers who want a pure read-only mode of the GUI.

jedavis Wed, 10/31/2007 - 19:11

Read only = 0, all = 15. Why can I select 1 through 14?

jedavis Wed, 10/31/2007 - 19:16

Well thank you aborole, I appreciate the candor. I don't know either. However, since this seems to have been a feature of CNA since the beginning, I gotta believe there is a function. Anyone else?