Default Config on Cisco devices

Imran Moulvi
Cisco Employee

Hello Everyone,

We have a lab setup in which the devices are authenticated using Cisco ACS.

We will shortly start giving out these devices to users for testing different scenarios. During their testing, users might do a "write erase" which will also wipe out the aaa config from the devices.

Does anyone know of a way to always load a particular configuration(say aaa config) when a device is reloaded after issuing a "wr erase" command.

Thanks.

5 Replies

Marvin Rhoads
Hall of Fame

Why do the users need unrestricted level 15 enable access? Even if they need enable for some things, why not set up an intermediate privilege-level user with only the privileged commands they need allowed? See this guide for more details.

If a user can "write erase" then the on-device configuration is gone. External intervention of some type is necessary. A backup copy of the desired configuration can be stored offline and one can "copy tftp (or other method - ftp, scp etc.) run" to restore it. You could store a known good config on the device's flash and copy it to running-config as well (but a level 15 user could delete that as well).

Hi Marvin,

A part of their testing may involve wiping the config. So we need to give them the access.

The tricky part is how do we add the aaa config back to the devices once they have been wiped clean.

As I mentioned in paragraph 2 of my original reply, I'm pretty sure external intervention would be required to pull a baseline configuration onto the device with your aaa (and any other critical bits).

I would argue that if the users must have enough privilege to "write erase" then they need to accept the responsibility of doing a restore.

If that's unfeasible, you could have your machines set up for autoinstall from a local tftp server. See this link for details on how that works.
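The following is an added example, not code from this thread or from Cisco, that ties together the two restore paths Marvin describes: it checks a saved `show running-config` dump for the aaa baseline and emits only the missing lines as a file suitable for `copy tftp: running-config` (which merges into the running config rather than replacing it), and it generates the `network-confg` / `<hostname>-confg` pair that IOS AutoInstall fetches over TFTP. The addresses, TACACS+ key, hostnames and the legacy `tacacs-server` syntax are constructed assumptions; the sample running-config is constructed to look like a box after `write erase` and reload.

```python
"""Baseline-drift check and AutoInstall file generator for an IOS lab.

Added example, not from the thread or from Cisco. Everything below
(addresses, key, hostnames, legacy tacacs-server syntax) is assumed.
"""
from __future__ import annotations

# Constructed baseline: the lines that must survive a "write erase".
BASELINE_AAA = [
    "aaa new-model",
    "aaa authentication login default group tacacs+ local",
    "aaa authorization exec default group tacacs+ local",
    "aaa accounting exec default start-stop group tacacs+",
    "tacacs-server host 192.0.2.10",
    "tacacs-server key LAB-TACACS-KEY",
    "username rescue privilege 15 secret RescueOnlyPassw0rd",
]

# Constructed "show running-config" after write erase + reload: the aaa
# section is gone and the factory default "no aaa new-model" is back.
WIPED_RUNNING_CONFIG = """\
!
version 15.2
service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
no aaa new-model
!
interface GigabitEthernet0/0
 no ip address
 shutdown
!
line con 0
line vty 0 4
 login
!
end
"""


def top_level_lines(config_text: str) -> list[str]:
    """Non-indented, non-comment lines of an IOS config, whitespace-normalised."""
    out = []
    for raw in config_text.splitlines():
        if not raw or raw.startswith((" ", "!")):
            continue  # sub-mode lines and '!' separators are ignored
        out.append(" ".join(raw.split()))
    return out


def missing_baseline(config_text: str, baseline=BASELINE_AAA) -> list[str]:
    """Baseline lines absent from config_text, in baseline order."""
    present = set(top_level_lines(config_text))
    return [line for line in baseline if line not in present]


def restore_commands(config_text: str, baseline=BASELINE_AAA) -> list[str]:
    """Commands that re-apply the missing part of the baseline.

    Intended for 'copy tftp: running-config', which MERGES into the
    running config, so only what is missing is emitted. 'aaa new-model'
    is forced first: the other aaa lines are rejected until it is set.
    """
    missing = missing_baseline(config_text, baseline)
    if not missing:
        return []
    if "aaa new-model" in missing:
        missing.remove("aaa new-model")
        missing.insert(0, "aaa new-model")
    return missing + ["end"]


def autoinstall_files(devices: dict[str, str], baseline=BASELINE_AAA) -> dict[str, str]:
    """TFTP files for IOS AutoInstall.

    'network-confg' maps the DHCP-assigned address to a hostname with
    'ip host' entries; the device then fetches '<hostname>-confg', which
    carries the baseline. devices is {hostname: ip_address} (assumed).
    """
    files = {
        "network-confg": "\n".join(
            f"ip host {name} {addr}" for name, addr in devices.items()
        ) + "\n"
    }
    for name in devices:
        body = [f"hostname {name}"] + list(baseline) + ["end"]
        files[f"{name}-confg"] = "\n".join(body) + "\n"
    return files


if __name__ == "__main__":
    print("Missing from wiped box:")
    for line in missing_baseline(WIPED_RUNNING_CONFIG):
        print("  " + line)
    print("\nMerge file for copy tftp: running-config:")
    print("\n".join(restore_commands(WIPED_RUNNING_CONFIG)))
    print("\nAutoInstall files:")
    for fname, content in autoinstall_files({"lab-sw1": "192.0.2.21"}).items():
        print(f"--- {fname} ---\n{content}")
```

Two caveats a practitioner would want. First, `copy tftp: running-config` only adds and overwrites lines; it never removes anything, so if the baseline ever drops a line, use `configure replace` with a full config instead. Second, TFTP has no authentication and the `-confg` file carries the TACACS+ key and the rescue password in clear, so the TFTP server must only be reachable from the lab segment, and the AutoInstall route is convenience rather than enforcement: a level-15 user can still change the DHCP source or skip the download, which is exactly Marvin's point about privilege.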

After a write erase, a switch will not be accessible from the network. You will be able to configure it from the serial console port or, as described before, via DHCP/TFTP or DHCP/SNMP.

-- Yaron.

It may not be accessible via the network, but I think it will do a bootp that can be used to restore a 'default' config, or even a config per device.

I don't recall the details, but if you sniff the traffic the router does after a write erase and reload, the thing will become clear.

You may also consider using a terminal server to provide console access.

Cheers,

Michel
