New Member

Avoid deleting files from flash (Switch 2960) No support EEM !!!

Hello,

I am looking for ways to prevent files from being deleted from the flash on a 2960 switch. I found some TCL/EEM scripts, but this switch does not support EEM (IOS c2960-lanbasek9-mz.122-58.SE2.bin).

Does someone have an idea how to do this?

Thank you very much.

13 REPLIES
Cisco Employee


You could use AAA command authorization with a TACACS+ server to deny access to the "delete" command except for those users privileged enough to do this.

New Member


It is the only possible solution; you cannot do anything without relying on the server.

Cisco Employee


I suppose you could also assign all unauthorized users a privilege less than 15 where the delete command is not allowed.  However, this would be more of an administrative burden.
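As an added illustration (not from this thread or from Cisco documentation) of the privilege-level approach and of the burden it brings: a local-only configuration that gives students a level 5 account and lowers only the commands they need, while delete, erase, format and write erase keep their default level 15. The level number, account names and the list of lowered commands are assumptions; every further command a lab exercise needs has to be lowered one by one.

```ios
! Students log in straight into privilege level 5; level 15 keeps the admin enable secret
enable secret LAB-ADMIN-ENABLE
username student privilege 5 secret LAB-STUDENT-SECRET
!
! Lower only what the lab needs to level 5. Anything not listed keeps its default
! level, so delete, erase, format, squeeze and write erase remain level-15 only.
privilege exec level 5 configure terminal
privilege exec level 5 copy running-config startup-config
privilege configure level 5 interface
privilege configure level 5 vlan
privilege configure level 5 hostname
privilege interface level 5 switchport
privilege interface level 5 shutdown
privilege interface level 5 description
!
! Console and vty sessions authenticate against the local user database
line con 0
 login local
line vty 0 15
 login local
```

Because all of this lives in startup-config, it only holds as long as nobody with level 15 wipes that file, which is the gap the rest of the thread addresses.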

New Member


Right,

The switch is in a laboratory used for CCNA and CCNP practice, and there are times when some "malicious" students erase the switch IOS and reset the machines.

On 3560 switches I manage to revert this by using EEM, but for the 2960 there is nothing similar.

The AAA idea is good, but it would require a configuration previously loaded on the switch, and if the student clears the startup-config and restarts the machine, the configuration that validates against AAA is lost.

Cisco Employee


Ah.  Well, if you're giving full enable access, then even EEM could be circumvented (unless you block the ability to remove the EEM policy).  If you go with AAA, you can specify that the device's config file is loaded from a remote server all the time (e.g., tftp).  In this manner, one could never properly erase the startup config.

New Member


Correct.

When using EEM I have an applet that prevents viewing or deleting anything related to EEM:

event manager applet no-NO
  ! "sync no skip yes": the matching command is discarded without being run
  event cli pattern "no event manager" sync no skip yes
  action 1.0 syslog msg "Not Allowed"
  exit

event manager applet no-show
  ! Any "show event ..." is silently dropped, so the applets cannot be inspected
  event cli pattern "show event" sync no skip yes
  exit

And to prevent erasing the flash:

event manager applet not-delete-flash
  ! Drop and log any "delete flash:C3560..." (the IOS image file)
  event cli pattern "delete flash:C3560.*" sync no skip yes
  action 1.0 syslog msg "This action is not allowed"
  exit

When the startup config is reset or erased:

event manager applet restore1
  ! "sync yes": the applet runs before the intercepted command completes.
  ! It performs the erase itself, restores the saved lab configuration from
  ! flash:default2.txt, removes vlan.dat and reloads the switch.
  event cli pattern "erase startup-config" sync yes
  action 1.0 syslog msg "OK"
  action 2.0 syslog msg "VLANS DROP"
  action 3.0 cli command "enable"
  action 4.0 cli command "erase startup-config" pattern "confirm"
  action 5.0 cli command "y"
  action 6.0 cli command "configure replace flash:default2.txt force"
  action 7.0 cli command "wr"
  action 8.0 cli command "delete /force flash:vlan.dat"
  action 9.0 cli command "reload" pattern "confirm"
  action 9.1 cli command "y"
  exit

For 2960:

"If you go with AAA, you can specify that the device's config file is loaded from a remote server all the time (e.g., tftp)."

How can I do this? Do you have any tutorial or link that can help me?

Thanks


Cisco Employee


I should also add that if they do a write erase, then "service config" should pick up and the TFTP download should still work.  See:

http://www.cisco.com/en/US/docs/ios/12_2/configfun/command/reference/frf007.html#wp1017913

New Member


OK, but on the condition that if they do an erase startup-config on the 2960 switch, it goes to find the default configuration file on TFTP.

I can have the switch validate against AAA with a user without access to the delete command, but what will happen when a student does an erase startup-config and restarts the switch (as I told you, it should go find the default config)?

Thanks.

Cisco Employee


In the case of a write erase (which you could also block with AAA), the switch should boot with "service config" enabled.  That will cause the switch to look for its config from TFTP.  So even in that case, you should be covered.

New Member


OK,

Therefore the switch should have:

service config

boot network tftp://1.1.1.1/config-default

The config-default file would have all the settings for the switch to always make users validate against AAA and not authorize the write erase and delete commands.

By not authorizing the delete command, they cannot clear vlan.dat (which should indeed be erased).
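As an added example (not from this thread or from any Cisco document), this is what the config-default file pulled over TFTP could contain, putting together the pieces discussed above: service config, the boot network pointer, and TACACS+ command authorization that denies delete, erase, format and write erase. The TACACS+ server address 1.1.1.2, the shared key and the hostname are assumptions, and the deny rules themselves live on the TACACS+ server, sketched here in tac_plus style inside comments.

```ios
! config-default: the file the switch pulls over TFTP at every boot
! ("boot network") and whenever startup-config is missing ("service config").
! Assumed addresses: TFTP server 1.1.1.1, TACACS+ server 1.1.1.2.
hostname LAB-2960
service config
boot network tftp://1.1.1.1/config-default
!
! All logins and every exec and config-mode command are authorized by TACACS+.
! No fallback method is listed on purpose: if the server is unreachable the
! commands are denied rather than silently allowed (fail closed), so the switch
! depends entirely on the server, as noted earlier in the thread.
aaa new-model
tacacs-server host 1.1.1.2 key LAB-SHARED-KEY
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+
!
! Console sessions (what students use in the lab) go through the same lists
line con 0
 login authentication default
line vty 0 15
 login authentication default
!
! Server side, to be configured on the TACACS+ server (tac_plus-style sketch):
! students get priv-lvl 15 but these command patterns are denied. "format"
! is included because it wipes the whole flash, not just one file.
!   cmd = delete { deny .* }
!   cmd = erase  { deny .* }
!   cmd = format { deny .* }
!   cmd = write {
!       deny erase
!       permit .*
!   }
```

The TFTP and TACACS+ servers now become the assets to protect: a writable config-default file controls every lab switch, and an unreachable server leaves the switch with no usable configuration. This also only governs IOS itself; the boot loader reachable from the Mode button is outside AAA, and "no service password-recovery" is the setting that restricts it.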

Cisco Employee


Look at the boot host commands for DHCP from the 2960 guide.  That will make sure the switch always boots from the latest config.  If anything goes wrong and the switch defaults, "service config" will make the switch request a config from the network.

New Member


Hi.

Maybe if Gonzalez has an access server (router with console cables) this is possible to achieve with AAA authorization for reverse telnet connections?

I was successful only at AAA authentication, but not authorization and accounting for reverse telnet connections.

I was trying to do this with all the TACACS+ servers that I could find on Windows OS.

The problem was that there was no documentation about reverse telnet configuration (how to configure a TACACS server for reverse telnet authorization and accounting).
