Express Setup is BAD; or, The Importance of Physical Security and Good Configuration

Cisco Catalyst switches include a feature called Express Setup which is designed to simplify the configuration process for users that don’t spend their lives at an IOS command prompt. A laudable goal, but the way the feature works brings with it some serious consequences.

If you read the appropriate section of the Getting Started Guide for any of several common models of Catalyst switch, you can see how the feature works. Basically, if your switch is not configured at all, you can hold down the Mode button on the front panel for 3 seconds, and that will launch a guided setup which asks you enough questions to help you get the switch reachable via IP. The guide warns:

If the LEDs above the Mode button begin to blink after you press the button, release it. Blinking LEDs mean that the switch has already been configured and cannot go into Express Setup mode.

OK, so it sounds like there is a safeguard there to prevent you from clobbering a working switch. Then, there is the ominous note:

For more information, see the “Resetting the Switch” section.

Uh oh. The “Resetting the Switch” portion of the document points out that holding the button for a total of 7 seconds (just 4 more seconds than the “good” result) will reset the switch. To wit, they remind you:

Caution! Resetting the switch deletes the configuration and reboots the switch.

This behavior is enabled by default. I happened to be staging a customer switch today and had a minute to exercise this feature, so here’s what it looks like:

First, you can see that we have a nice, normal, fairly complete config. I’ve snipped some out of it because it’s not relevant; just trust me that it’s a complete config:

test-02#show run br
Building configuration...

Current configuration : 6917 bytes
!
! Last configuration change at 22:27:01 EDT Tue Mar 29 2011
! NVRAM config last updated at 22:27:05 EDT Tue Mar 29 2011
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname test-02
!
boot-start-marker
boot-end-marker
!
!
logging buffered 524288
logging rate-limit 200 except warnings
logging console errors

.

.

.

!
line con 0
exec-timeout 15 0
authorization exec FromConfig
logging synchronous
login authentication FromConfig
transport preferred none
line vty 0 4
access-class ManagementAccess in
exec-timeout 15 0
authorization exec FromConfig
logging synchronous
login authentication FromConfig
transport preferred none
transport input ssh
transport output none
line vty 5 15
access-class ManagementAccess in
exec-timeout 15 0
authorization exec FromConfig
logging synchronous
login authentication FromConfig
transport preferred none
transport input ssh
transport output none
!
end

OK, so now, I hold the Mode button down for a 10-count. Lights blink, then blink differently (each platform does this a little differently, so no use mentioning the exact light sequence), then release and...


Using driver version 1 for media type 1
Base ethernet MAC Address: 08:cc:68:f0:7b:80
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...
mifs[2]: 10 files, 1 directories
mifs[2]: Total bytes : 1806336
mifs[2]: Bytes used : 612352
mifs[2]: Bytes available : 1193984
mifs[2]: mifs fsck took 1 seconds.
mifs[3]: 0 files, 1 directories
mifs[3]: Total bytes : 3870720
mifs[3]: Bytes used : 1024
mifs[3]: Bytes available : 3869696
mifs[3]: mifs fsck took 1 seconds.
mifs[4]: 5 files, 1 directories
mifs[4]: Total bytes : 258048
mifs[4]: Bytes used : 9216
mifs[4]: Bytes available : 248832
mifs[4]: mifs fsck took 0 seconds.
mifs[5]: 5 files, 1 directories
mifs[5]: Total bytes : 258048
mifs[5]: Bytes used : 9216
mifs[5]: Bytes available : 248832
mifs[5]: mifs fsck took 0 seconds.
mifs[6]: 568 files, 19 directories
mifs[6]: Total bytes : 57931776
mifs[6]: Bytes used : 30242304
mifs[6]: Bytes available : 27689472
mifs[6]: mifs fsck took 38 seconds.
...done Initializing Flash.
done.
Loading "flash:/c2960s-universalk9-mz.150-2.SE4.bin"...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
... !---- I trimmed out all the boring ASIC tests and copyright messages from this output
Press RETURN to get started!
*Mar 1 00:00:18.334: Read env variable - LICENSE_BOOT_LEVEL =
Mar 30 01:27:38.529: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c2960s_lanlite Next reboot level = lanlite and License = lanlite
Mar 30 01:28:00.282: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Mar 30 01:28:00.282: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
Mar 30 01:28:01.225: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
Mar 30 01:28:01.551: %DC-4-FILE_OPEN_WARNING: Not able to open flash:/dc_profile_dir/dc_default_profiles.txt
Mar 30 01:28:01.551: %DC-6-DEFAULT_INIT_INFO: Default Profiles DB not loaded.
Mar 30 01:28:28.661: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 26-Jun-13 02:59 by prod_rel_team
Mar 30 01:28:30.428: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
Mar 30 01:28:30.596: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to down
Mar 30 01:28:30.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
Mar 30 01:28:30.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/24, changed state to up
Mar 30 01:28:32.305: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to up
Mar 30 01:28:32.426: %LINK-3-UPDOWN: Interface GigabitEthernet0/24, changed state to up

--- System Configuration Dialog ---

Enable secret warning
----------------------------------
In order to access the device manager, an enable secret is required
If you enter the initial configuration dialog, you will be prompted for the enable secret
If you choose not to enter the intial configuration dialog, or if you exit setup without setting the enable secret,
please set an enable secret using the following CLI in configuration mode-
enable secret 0 <cleartext password>
----------------------------------
Would you like to enter the initial configuration dialog? [yes/no]: no
Switch>

Ouch. Now, really your config isn’t totally lost. It’s still on the flash, and the name has been changed so it wouldn’t be used as the start-up config. But having this happen would surely ruin your day even if it was relatively easy to recover from it by figuring out what happened, renaming the saved config, and rebooting again. Note that a log message is actually generated, but we didn’t see it on console when I held the button because my template config includes:

logging console errors

This command helps minimize the risk of log messages flooding the console by only sending log messages of severity “error” or greater to console, but it means that you don’t see most messages “spontaneously” on the console either.

Now while we all like to think that our equipment is in a secure place where no one could ever get their grubby hands on it unless they were under our watchful eye, this isn’t always the case. How about a colocation data center? Do you have any switches there? Is your cabinet actually caged off from the rest? If not, someone could pretty easily poke a long metal probe through the small vent holes in the cabinet door and poke the button. Surely we’d hope that such juvenile/malicious behavior would never happen in a colo, but do you want to take that chance?

Luckily, it’s easy to disable the Express Setup behavior:

no setup express

This prevents the Express Setup 3-second push as well as the reset behavior of the mode button. I’ve made this a default in my template configs for years. You might want to do the same.
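As an added defender-side check that is not part of the original post: a small Python audit that reads a saved `show running-config` dump and reports whether Express Setup is still enabled and whether the console logging cap would hide lower-severity messages with no other log destination to catch them. It assumes the IOS defaults noted in the comments (Express Setup on unless `no setup express` is present; console logging at `debugging` when no `logging console` line exists); the sample configs are constructed, modelled on the post's template.

```python
import re

# Severity keywords IOS accepts on "logging console <level>" (numeric 0-7 also allowed).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

def audit_config(show_run: str) -> dict:
    """Audit a 'show running-config' dump for the two settings the post discusses.

    express_setup_enabled: True unless 'no setup express' appears. The feature is on
        by default and defaults are not printed, so its absence means enabled (assumption).
    console_level: severity cap of 'logging console <level>'; 7 (debugging) is assumed
        when no line exists (IOS default), -1 when 'no logging console' is set.
    other_log_destination: True if a buffered log or syslog host is configured, so
        messages filtered off the console are still recorded somewhere.
    """
    lines = [ln.strip() for ln in show_run.splitlines()]
    express_enabled = "no setup express" not in lines
    level, other_dest = 7, False
    for ln in lines:
        if ln == "no logging console":
            level = -1
            continue
        m = re.fullmatch(r"logging console(?: (\S+))?", ln)
        if m:
            arg = m.group(1)
            level = 7 if arg is None else (int(arg) if arg.isdigit() else SEVERITY.get(arg, level))
        if re.match(r"logging (buffered|host|\d+\.\d+\.\d+\.\d+)\b", ln):
            other_dest = True
    findings = []
    if express_enabled:
        findings.append("Express Setup enabled: holding the Mode button resets the switch "
                        "to a blank config; add 'no setup express'.")
    if level < 7 and not other_dest:
        findings.append(f"Console shows only severity <= {level} and no buffered/syslog "
                        "destination exists, so lower-severity messages are lost.")
    return {"express_setup_enabled": express_enabled, "console_level": level,
            "other_log_destination": other_dest, "findings": findings}

# Constructed samples modelled on the post's template config (not the full dump).
SAMPLE_BEFORE = "hostname test-02\nlogging buffered 524288\nlogging console errors\nline con 0\n exec-timeout 15 0\n"
SAMPLE_AFTER = SAMPLE_BEFORE + "no setup express\n"

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_config(cfg)["findings"])
```

Run it against configs pulled by your existing backup tooling; a switch whose dump lacks `no setup express` is still one button-press away from a factory reset.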
