
Since Cisco, in their newer firmwares, disabled access to the web interface before a password is set on the switch, I need an alternative way of configuring switches remotely.

I read up on the Cisco Smart Install process: http://www.cisco.com/en/US/docs/switches/lan/smart_install/release_12.2_55_se/configuration/guide/tasks.html

The only problem is it requires a 35xx switch as a director; most of my networks have only 2960s, so I won't be able to do that all the time. I do, however, always have a Linux box onsite that I could use as DHCP and TFTP server.

Is it possible to give a fresh new switch a config served from DHCP and TFTP?

If I, for example, configure my DHCP with the file-server attribute and point it at my TFTP server,

and put a client_cfg.txt file on the TFTP server with a basic config giving it a login password.

Or is there a simpler way to do this? (No console access is out of the question.)

EDIT: To elaborate, we have sites with 50-100 switches in separate locations; we cannot use console servers, guys with laptops running around for us, etc. I'm starting to think my only option is upgrading the MDF switch to a 3560 on all new sites (we do not have access to routers, unfortunately).

petrus
Alex R

4 Answers


I still say console access; who says you need to be there physically? You can use a console server, which will allow you to access and control serial consoles at a remote location.

For instance:


http://www.opengear.com/product-acm5000.html

Shane Madden
  • I'm guessing that the problem at the heart of the question is really "I left the site before configuring these switches and now I can't get back there. How can I get access to them remotely?" If the OP could install hardware this is likely a possibility. I bet he can't, though. – Evan Anderson Jan 12 '12 at 02:26
  • we have 50-100 switches at some sites; this is out of the question. Again, I can't do console. And this is before we get to site, to save time when onsite from running around to 50 locations hooking up console cables. I appreciate the reply, but please answer my question as is; otherwise please don't :) – Alex R Jan 12 '12 at 08:18

So I have found a way to do this that should work for almost all Cisco 2950/2960, 35xx, etc. models and firmwares.

You will need a box with a DHCP and TFTP server.

The Cisco switch that needs to pull the config obviously needs to be able to contact the DHCP server, so vlan1 is probably where you want to be sure DHCP is handed out.

I am not going to go into detail on the DHCP and TFTP configurations, just let you know what you need to be aware of.

For my CentOS 6 distribution I needed to set the dhcpd options filename and next-server.

next-server specifies the address of the TFTP server.

filename specifies the configuration file, on the TFTP server, that you want the Cisco device to download.

If there is no filename specified, or if that file is not available, the switch will start asking for default configs; these will be different per switch/AP/router. One of the files it asks for, e.g., is cisconet.cfg. If it cannot get data at the TFTP address specified it will also try 255.255.255.255, so it will ask on broadcast for a TFTP server as well.

The files it requests can be seen if you have console access to the device.

Here is the raw output after bootup on a Cisco 2960 switch where the filename specified is not available on the TFTP server, so the switch starts asking for other files:

*Mar  1 00:02:18.621: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  1 00:02:28.679: AUTOINSTALL: Vlan1 is assigned 10.10.100.13
*Mar  1 00:02:38.687: AUTOINSTALL: Obtain siaddr 10.10.100.1 (as config server)
*Mar  1 00:02:38.687: AUTOINSTALL: Obtain default router (opt 3) 10.10.100.1
%Error opening tftp://10.10.100.1/client_cfg.txt (Timed out)
%Error opening tftp://10.10.100.1/client_cfg.txt (Timed out)
%Error opening tftp://10.10.100.1/client_cfg.txt (Timed out)
%Error opening tftp://255.255.255.255/client_cfg.txt (Timed out)
%Error opening tftp://255.255.255.255/client_cfg.txt (Timed out)
%Error opening tftp://255.255.255.255/client_cfg.txt (Timed out)
%Error opening tftp://10.10.100.1/network-confg (Timed out)
%Error opening tftp://10.10.100.1/cisconet.cfg (Timed out)
%Error opening tftp://10.10.100.1/router-confg (Timed out)
%Error opening tftp://10.10.100.1/ciscortr.cfg (Timed out)
%Error opening tftp://10.10.100.1/network-confg (Timed out)
%Error opening tftp://10.10.100.1/cisconet.cfg (Timed out)
%Error opening tftp://10.10.100.1/router-confg (Timed out)
%Error opening tftp://10.10.100.1/ciscortr.cfg (Timed out)
%Error opening tftp://10.10.100.1/network-confg (Timed out)
%Error opening tftp://10.10.100.1/cisconet.cfg (Timed out)
%Error opening tftp://10.10.100.1/router-confg (Timed out)
%Error opening tftp://10.10.100.1/ciscortr.cfg (Timed out)
%Error opening tftp://255.255.255.255/network-confg (Timed out)
%Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)
%Error opening tftp://255.255.255.255/router-confg (Timed out)
%Error opening tftp://255.255.255.255/ciscortr.cfg (Timed out)
%Error opening tftp://255.255.255.255/network-confg (Timed out)
%Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)

Here is the output from a switch that receives the file correctly from TFTP:

*Mar  1 00:01:33.289: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  1 00:01:43.674: AUTOINSTALL: Vlan1 is assigned 10.10.100.13
*Mar  1 00:01:53.674: AUTOINSTALL: Obtain siaddr 10.10.100.1 (as config server)
*Mar  1 00:01:53.674: AUTOINSTALL: Obtain default router (opt 3) 10.10.100.1
Loading client_cfg.txt from 10.10.100.1 (via Vlan1): !
[OK - 121 bytes]

*Mar  1 00:03:51.928: %SYS-5-CONFIG_I: Configured from tftp://10.10.100.1/client_cfg.txt by console

My configuration file is simple at the moment; it basically allows telnet/www access with username/password cisco:

enable password cisco
!
username cisco secret 0 cisco
!
line vty 0 4
password cisco
!
end
!

I could type copy running-config startup-config before the end.

But if you just want this to run in running-config every time the switch starts, you're good to go.

If someone wanted, they could do a telnet "directorip" on a 3560 switch and check out what the director is replying. I'm sure it's easy from there to actually create custom configs based on the serial number of the switch.

The TFTP and DHCP could be set up on a 2960 switch as well if you wanted to; there are guides for this on the interwebs.

Alex R
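As an added example (not part of the answer above, and not Cisco tooling), the following Python script summarises the kind of console output quoted in the answer: which address and config server (siaddr) the switch obtained, every TFTP fetch that failed, and whether a config was finally applied. The sample logs are constructed, abridged from the two boot outputs above. The check that matters operationally is the one the answer describes in passing: once the DHCP-supplied filename is missing, the switch walks through default filenames and then asks on 255.255.255.255, at which point any host on the VLAN that answers TFTP becomes the config source. The function names and the finding texts are this example's own.

```python
import re

# Constructed sample: abridged from the failed-boot console output quoted above.
FAILED_BOOT_LOG = """\
*Mar  1 00:02:18.621: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  1 00:02:28.679: AUTOINSTALL: Vlan1 is assigned 10.10.100.13
*Mar  1 00:02:38.687: AUTOINSTALL: Obtain siaddr 10.10.100.1 (as config server)
*Mar  1 00:02:38.687: AUTOINSTALL: Obtain default router (opt 3) 10.10.100.1
%Error opening tftp://10.10.100.1/client_cfg.txt (Timed out)
%Error opening tftp://255.255.255.255/client_cfg.txt (Timed out)
%Error opening tftp://10.10.100.1/network-confg (Timed out)
%Error opening tftp://10.10.100.1/cisconet.cfg (Timed out)
%Error opening tftp://255.255.255.255/network-confg (Timed out)
%Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)
"""

# Constructed sample: abridged from the successful-boot console output quoted above.
OK_BOOT_LOG = """\
*Mar  1 00:01:33.289: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  1 00:01:43.674: AUTOINSTALL: Vlan1 is assigned 10.10.100.13
*Mar  1 00:01:53.674: AUTOINSTALL: Obtain siaddr 10.10.100.1 (as config server)
*Mar  1 00:01:53.674: AUTOINSTALL: Obtain default router (opt 3) 10.10.100.1
Loading client_cfg.txt from 10.10.100.1 (via Vlan1): !
[OK - 121 bytes]
*Mar  1 00:03:51.928: %SYS-5-CONFIG_I: Configured from tftp://10.10.100.1/client_cfg.txt by console
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ASSIGNED = re.compile(r"AUTOINSTALL: (\S+) is assigned " + IPV4)
SIADDR = re.compile(r"AUTOINSTALL: Obtain siaddr " + IPV4)
TFTP_ERROR = re.compile(r"%Error opening tftp://([^/\s]+)/(\S+) \(([^)]+)\)")
CONFIGURED = re.compile(r"%SYS-5-CONFIG_I: Configured from tftp://([^/\s]+)/(\S+) by")

BROADCAST = "255.255.255.255"
# Default names AutoInstall falls back to, as seen in the quoted output.
DEFAULT_NAMES = {"network-confg", "cisconet.cfg", "router-confg", "ciscortr.cfg"}


def parse_autoinstall(log):
    """Summarise one AutoInstall boot from captured console output."""
    summary = {
        "interface": None,
        "address": None,
        "config_server": None,  # siaddr, i.e. dhcpd's next-server
        "attempts": [],         # (server, filename, reason) per failed fetch
        "loaded": None,         # (server, filename) once a config is applied
    }
    for line in log.splitlines():
        m = ASSIGNED.search(line)
        if m:
            summary["interface"], summary["address"] = m.group(1), m.group(2)
            continue
        m = SIADDR.search(line)
        if m:
            summary["config_server"] = m.group(1)
            continue
        m = TFTP_ERROR.search(line)
        if m:
            summary["attempts"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = CONFIGURED.search(line)
        if m:
            summary["loaded"] = (m.group(1), m.group(2))
    return summary


def findings(summary):
    """Turn a summary into the notes an operator would act on."""
    notes = []
    servers = {server for server, _, _ in summary["attempts"]}
    if BROADCAST in servers:
        notes.append("broadcast TFTP fallback: any host on the VLAN answering "
                     "TFTP could have supplied the config")
    if any(name in DEFAULT_NAMES for _, name, _ in summary["attempts"]):
        notes.append("default filenames requested: the dhcpd filename option "
                     "was missing or the file is absent on the TFTP server")
    if summary["loaded"] is None:
        notes.append("no configuration was applied")
    else:
        server, name = summary["loaded"]
        if summary["config_server"] and server != summary["config_server"]:
            notes.append("config %s came from %s, not from the DHCP-announced "
                         "server %s" % (name, server, summary["config_server"]))
        else:
            notes.append("config %s applied from expected server %s" % (name, server))
    return notes


if __name__ == "__main__":
    for label, log in (("failed boot", FAILED_BOOT_LOG), ("ok boot", OK_BOOT_LOG)):
        print(label)
        for note in findings(parse_autoinstall(log)):
            print("  -", note)
```

The parser only keys on the message formats visible in the quoted output; feed it the raw console capture (or a syslog export of it) and extend the regexes if your platform prints different AUTOINSTALL lines.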

Unfortunately I don't have any 3560 or 3750 around to test, but if you have only one, you could try to reverse-engineer the Smart Install process by capturing the data between the director and the client switch.

After analyzing the different DHCP options handed out to the client, it should be easy to set up your Linux servers with the necessary DHCP and TFTP configurations.

Your servers will then be used as the Smart Install director.

Following this blog post, it should be easy to set up a lab, and then reproduce the expected behavior.

But if you have a Cisco router on site that could be used as Smart Install director, it may be easier to use it than the servers.

petrus
  • might be my only option to wireshark the director traffic and reproduce it – Alex R Jan 14 '12 at 10:44
  • @Axlrod: If you do not have a 3560 available, use Jeremy Stretch's http://packetlife.net/lab/, port mirroring on a 3650 and packet capture on a router (from debug or EPC). It may not be possible to export files from flash, but the debug with an associated ios2pcap script should allow you to export the capture to Wireshark. – petrus Jan 14 '12 at 15:37
  • we have a 3570 at the office; will do nicely. – Alex R Jan 14 '12 at 23:34
  • @Axlrod: great then. let me know how the process goes. – petrus Jan 15 '12 at 13:57
  • @Axlrod: on a second thought, documenting the process (both for reverse engineering and resulting dhcp config) might be valuable to others. Feel free to come back to edit your question with your results or a blog post. – petrus Jan 15 '12 at 16:08
  • I might not have time to do this for the next 2 weeks, but I will be trying this when I have a time slot. – Alex R Jan 17 '12 at 14:15
  • @Axlrod: great :) – petrus Jan 17 '12 at 14:43

http://www.cisco.com/c/en/us/td/docs/ios/fundamentals/configuration/guide/15_1s/cf_15_1s_book/cf_autoinstall.html

Using AutoInstall to Remotely Configure Cisco Networking Devices

denise
    Welcome to Server Fault! Whilst this may theoretically answer the question, please [provide context around links](http://serverfault.com/help/how-to-answer) so others will have some idea what it is and why it’s there. If possible summarise or quote the most relevant part of an important link, in case the target site is unreachable or goes permanently offline. – HBruijn Oct 12 '15 at 19:10