Re: protect lab from "cop run start" [7:84166] posted 02/12/2004
- Subject: Re: protect lab from "cop run start" [7:84166]
- From: "JNCIP#0136" <none@xxxxxxxxxx>
- Date: Thu, 12 Feb 2004 18:34:58 GMT
What harm is done when "cop run start" is executed? Let me guess - You need
to "write erase", reload the box(es) and answer some trivial questions while
logged in via console on each of the boxes... This can be automated to a
First, create an initial config for each router - after doing once "wr
erase", reloading and answering trivial stuff , assign initial parameters
like hostname, create aliases - I recommend one something like "alias exec
f2s copy flash:saved.conf start" (not important, this alias creation can be
skipped) - etc, etc. and do "wr mem".
Second, assign an IP address to the interface of Your choice and tftp the
start config to the server. This will be Your initial config for this
Third, repeat the procedure for every router.
Fourth, copy back the saved initial config to the router's flash (You may
need to do 0x2101+extra reload for 2500 series). Flash normally has some
free space - only ~1Kbyte is needed to keep the saved config.
Fifth, if You are using terminal server and Your termial emulator has
scripting capability, record the script that logs into every router via
console, executes "copy fash:saved.conf start" (or alias command f2s) and
shedules reload in 2-3 minutes. Otherwise You may need to come up to every
router, connect console and run the script.
Sixth, make sure Your students do not erase files from flash - 2500 series
flash is Read Only in normal operation mode, others may be Read Write (like
""Priscilla Oppenheimer"" wrote in message
> Hello colleagues,
> I would be eternally grateful for any suggestions regarding the following
> problem and my proposed solution.
> In our college lab we don't teach our students the "copy running-config
> startup-config" command. (We aren't teaching them to be real network
> They are mostly programmer types.) We do let them do lots of
> just not save their work. But some of them arrive at college having taken
> Cisco Networking Academy. They learned lots of commands.
> What would be the easiest way to not allow them to enter "copy
> running-config startup-config"?
> I'm thinking of implementing username and privilege levels. I don't want
> use a server-based solution because they could easily mess up the
> internetwork so that the routers can't get to a server.
> But what if I added a new username, password, and privilege level at say
> Then I will move a bunch of commands that we do allow them to do to that
> level, but make sure to keep "copy running-config startup-config" at
> privilege level 15 with a protected password that the students don't know.
> It would go something like this:
> username student privilege 14 password student
> username 98oiu90 privilege 15 password 9078kwo
> privilege exec level 14 show
> privilege exec level 14 telnet
> privilege exec level 14 config
> It would be quite a bit of configuration up front, but just a one-time
> Will this work? Are there easier ways to accomplish the goal?
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> FAQ, list archives, and subscription info:
Message Posted at:
**Please support GroupStudy by purchasing from the GroupStudy Store:
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html