
Default Config on Cisco devices

Unanswered Question
Jun 15th, 2012

Hello Everyone,


We have a lab setup in which the devices are authenticated using Cisco ACS.


We will shortly start giving out these devices to users for testing different scenarios. During their testing, users might do a "write erase" which will also wipe out the aaa config from the devices.


Does anyone know of a way to always load a particular configuration (say aaa config) when a device is reloaded after issuing a "wr erase" command?


Thanks.

Marvin Rhoads Fri, 06/15/2012 - 18:58

Why do the users need unrestricted level 15 enable access? Even if they need enable for some things, why not set up an intermediate privilege level user with only the privileged commands they need allowed? See this guide for more details.


If a user can "write erase" then the on-device configuration is gone. External intervention of some type is necessary. A backup copy of the desired configuration can be stored offline and one can "copy tftp (or other method - ftp, scp etc.) run" to restore it. You could store a known good config on the device's flash and copy it to running-config as well (but a level 15 user could delete that as well).

Imran Moulvi Fri, 06/15/2012 - 19:07

Hi Marvin,


A part of their testing may involve wiping the config. So we need to give them the access.

The tricky part is how do we add the aaa config back to the devices once they have been wiped clean.

Marvin Rhoads Fri, 06/15/2012 - 21:55

As I mentioned in paragraph 2 of my original reply - I'm pretty sure external intervention would be required to pull a baseline configuration onto the device with your aaa (and any other critical bits).


I would argue that if the users must have enough privilege to "write erase" then they need to accept the responsibility of doing a restore.


If that's unfeasible, you could have your machines set up for autoinstall from a local tftp server. See this link for details on how that works.
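Whichever restore path is chosen (copy from TFTP, autoinstall, or a manual paste), the lab still needs to notice that a box has been wiped and to know exactly which aaa lines are gone. The following drift check is an added example, not code from this thread or from Cisco: it assumes the running-config is fetched out of band (console server, SNMP, whatever the lab already has) and handed in as text, and the baseline, device names and address are constructed.

```python
# Baseline drift check for the "write erase wipes aaa" problem discussed above.
# Added example; the BASELINE and WIPED configs are constructed samples.

# Constructed baseline: the aaa stanza every lab device must carry.
BASELINE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs server LAB-ACS
 address ipv4 192.0.2.10
line vty 0 4
 login authentication default
"""

def parse_ios(text):
    """Return {top-level command: set(of indented sub-commands)}.
    IOS groups sub-commands under their parent with a one-space indent,
    and '!' lines are comments/separators."""
    stanzas, parent = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if parent is not None:
                stanzas[parent].add(raw.strip())
        else:
            parent = raw.rstrip()
            stanzas.setdefault(parent, set())
    return stanzas

def missing_from_baseline(running_cfg, baseline=BASELINE):
    """List baseline commands absent from running_cfg as 'parent' or
    'parent / child' strings. An empty list means the device is compliant."""
    want, have = parse_ios(baseline), parse_ios(running_cfg)
    gaps = []
    for parent, children in want.items():
        if parent not in have:
            gaps.append(parent)
            gaps.extend(f"{parent} / {c}" for c in sorted(children))
            continue
        gaps.extend(f"{parent} / {c}" for c in sorted(children - have[parent]))
    return gaps

# Constructed: what a device looks like after "write erase" and reload,
# with only a hostname and a bare vty line left.
WIPED = "hostname Router\n!\nline vty 0 4\n login\n"

if __name__ == "__main__":
    for gap in missing_from_baseline(WIPED):
        print("MISSING:", gap)
```

The output lists each missing aaa line by its parent stanza, which doubles as the checklist for whatever restore method is used.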

Michel Hegeraat Sun, 06/17/2012 - 23:29

It may not be accessible via the network but I think it will do a bootp that can be used to restore a 'default' config, or even a config per device.


I don't recall the details, but if you sniff the traffic the router does after a write erase and reload, the thing will become clear.


You may also consider using a terminal server to provide console access.


Cheers,


Michel
