Cisco Catalyst switches include a feature called Express Setup which is designed to simplify the configuration process for users that don’t spend their lives at an IOS command prompt. A laudable goal, but the way the feature works brings with it some serious consequence.
If you read the appropriate section of the Getting Started Guide for any of several common models of Catalyst switch, you can see how the feature works. Basically, if your switch is not configured at all, you can hold down the mode button on the front panel for 3 seconds, and that will launch a guided setup which asks you enough questions to help you get the switch reachable via IP. The guide warns:
If the LEDs above the Mode button begin to blink after you press the button, release it. Blinking LEDs mean that the switch has already been configured and cannot go into Express Setup mode.
OK, so it sounds like there is a safeguard there to prevent you from clobbering a working switch. Then, there is the ominous note:
For more information, see the “Resetting the Switch” section.
Uh oh. The “Resetting the Switch” portion of the document points out that holding the button for a total of 7 seconds (just 4 more seconds than the “good” result) will reset the switch. To wit, they remind you:
Caution! Resetting the switch deletes the configuration and reboots the switch.
This behavior is enabled by default. I happened to be staging a customer switch today and had a minute to exercise this feature, so here’s what it looks like:
First, you can see that we have a nice, normal, fairly complete config. I’ve snipped some out of it because it’s not relevant; just trust me that it’s a complete config:
test-02#show run br Building configuration... Current configuration : 6917 bytes ! ! Last configuration change at 22:27:01 EDT Tue Mar 29 2011 ! NVRAM config last updated at 22:27:05 EDT Tue Mar 29 2011 ! version 15.0 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname test-02 ! boot-start-marker boot-end-marker ! ! logging buffered 524288 logging rate-limit 200 except warnings logging console errors . . . ! line con 0 exec-timeout 15 0 authorization exec FromConfig logging synchronous login authentication FromConfig transport preferred none line vty 0 4 access-class ManagementAccess in exec-timeout 15 0 authorization exec FromConfig logging synchronous login authentication FromConfig transport preferred none transport input ssh transport output none line vty 5 15 access-class ManagementAccess in exec-timeout 15 0 authorization exec FromConfig logging synchronous login authentication FromConfig transport preferred none transport input ssh transport output none ! end
OK, so now, I hold the Mode button down for a 10-count. Lights blink, then blink differently (each platform does this a little different, so no use mentioning the exact light sequence), then release and….
Using driver version 1 for media type 1 Base ethernet MAC Address: 08:cc:68:f0:7b:80 Xmodem file system is available. The password-recovery mechanism is enabled. Initializing Flash... mifs[2]: 10 files, 1 directories mifs[2]: Total bytes : 1806336 mifs[2]: Bytes used : 612352 mifs[2]: Bytes available : 1193984 mifs[2]: mifs fsck took 1 seconds. mifs[3]: 0 files, 1 directories mifs[3]: Total bytes : 3870720 mifs[3]: Bytes used : 1024 mifs[3]: Bytes available : 3869696 mifs[3]: mifs fsck took 1 seconds. mifs[4]: 5 files, 1 directories mifs[4]: Total bytes : 258048 mifs[4]: Bytes used : 9216 mifs[4]: Bytes available : 248832 mifs[4]: mifs fsck took 0 seconds. mifs[5]: 5 files, 1 directories mifs[5]: Total bytes : 258048 mifs[5]: Bytes used : 9216 mifs[5]: Bytes available : 248832 mifs[5]: mifs fsck took 0 seconds. mifs[6]: 568 files, 19 directories mifs[6]: Total bytes : 57931776 mifs[6]: Bytes used : 30242304 mifs[6]: Bytes available : 27689472 mifs[6]: mifs fsck took 38 seconds. ...done Initializing Flash. done. Loading "flash:/c2960s-universalk9-mz.150-2.SE4.bin"...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ... !---- I trimmed out all the boring ASIC tests and copyright messages from this output Press RETURN to get started! *Mar 1 00:00:18.334: Read env variable - LICENSE_BOOT_LEVEL = Mar 30 01:27:38.529: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c2960s_lanlite Next reboot level = lanlite and License = lanlite Mar 30 01:28:00.282: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down Mar 30 01:28:00.282: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down Mar 30 01:28:01.225: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan Mar 30 01:28:01.551: %DC-4-FILE_OPEN_WARNING: Not able to open flash:/dc_profile_dir/dc_default_profiles.txt Mar 30 01:28:01.551: %DC-6-DEFAULT_INIT_INFO: Default Profiles DB not loaded. Mar 30 01:28:28.661: %SYS-5-RESTART: System restarted -- Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2013 by Cisco Systems, Inc. Compiled Wed 26-Jun-13 02:59 by prod_rel_team Mar 30 01:28:30.428: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45. Mar 30 01:28:30.596: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to down Mar 30 01:28:30.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up Mar 30 01:28:30.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/24, changed state to up Mar 30 01:28:32.305: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to up Mar 30 01:28:32.426: %LINK-3-UPDOWN: Interface GigabitEthernet0/24, changed state to up --- System Configuration Dialog --- Enable secret warning ---------------------------------- In order to access the device manager, an enable secret is required If you enter the initial configuration dialog, you will be prompted for the enable secret If you choose not to enter the intial configuration dialog, or if you exit setup without setting the enable secret, please set an enable secret using the following CLI in configuration mode- enable secret 0 <cleartext password> ---------------------------------- Would you like to enter the initial configuration dialog? [yes/no]: no Switch>
Ouch. Now, really your config isn’t totally lost. It’s still on the flash, and the name has been changed so it wouldn’t be used as the start-up config. But having this happen would surely ruin your day even if it was relatively easy to recover from it by figuring out what happened, renaming the saved config, and rebooting again. Note that a log message is actually generated, but we didn’t see it on console when I held the button because my template config includes:
logging console errors
This command helps minimize the risk of log messages flooding the console by only sending log messages of severity “error” or greater to console, but it means that you don’t see most messages “spontaneously” on the console either.
Now while we all like to think that our equipment is in a secure place where no one could ever get their grubby hands on it unless they were under our watchful eye, this isn’t always the case. How about a colocation data center? Do you have any switches there? Is your cabinet actually caged off from the rest? If not, someone could pretty easily poke a long metal probe through the small vent holes in the cabinet door and poke the button. Surely we’d hope that such juvenile/malicious behavior would never happen in a colo, but do you want to take that chance?
Luckily, it’s easy to disable the Express Setup behavior:
no setup express
This prevents the Express Setup 3-second push as well as the reset behavior of the mode button. I’ve made this a default in my template configs for years. You might want to do the same.
Herding Packets 