IOS Featureset change whithin a 3750 stack
Im currently working my way around the 3750 stack implementation, even though this technology has been around for years, I just got my hands on it a week ago. After reading the Cisco configuration guide about Managing Switch Stacks I’ve finished with still some questions left. One of these was about the whole IOS management of the stack.
It is written in the guide, that the Switch Stack itself will automatically do IOS up- or downgrades itself (auto-upgrade) as long as the switch in question is at least partial compatible to the stack and the IOS feature set on the Stack and the new switch are the same. But what to do with new stack members that do have a different IOS feature set? In my example an IP Services and an Advanced IP Services feature set and I want to have the Advanced with crypto set on both switches. Since Im too lazy to take out the new switch of the stack I thought there has to be an option to do that over console access and well here we go.
Lock-and-Key Security
Lock-and-Key Security or also known as dynamic Access Lists is a feature which allows dynamic IP traffic which will normally be blocked. Lock-and-Key is configured over a dynamic extended ACL. Lock-and-Key security allows users to open dynamic openings into existing ACLs to get temporary access to a resource which they normally wont have access to. Lock-and-Key reconfigures the ACL if it gets triggered over a successful telnet login onto the blocking router to allow the user to access those resources.
When should we use Lock-and-Key?
The following list describes two possible scenarios where Lock-and-Key could be used:
- If a specified remote user (or a group of users) needs access to a host or subnet which is normally not reachable.
- If a/some hosts on a local network need access to resources in a remote network, which is blocked via firewall.
About
Im a network engineer working for an international medical company based in Basel, Switzerland. I began my professional life in 2000 after 4 years of an IT apprenticeship. I started as the Network Management System responsible with quite a lot other of other tasks inside the Cisco networking field. In 2005 I changed to my current employer where I changed my field of knowledge from part NMS part Networking to full time Networking. I also started to educate myself deeper into networking. After passing the CCNA and CCNP exams I wanted to go further with my education and took the CCIE R&S track instead of doing a school with lots of stuff Im not interested in 
I started the CCIE journey in August 2007 with the first of 5 workshops at the Cisco Network Academy in Rapperswil and passed the CCIE in Brussels at 07th of May 2008.
During that time I wrote a lot of documents to keep the stuff I learned and I thought it might be an idea to make it public so it might help other people on their path through the Cisco Certifications. I hope this site gets useful not only for CCIE candidates but also for other networking professionals on their search for knowledge.
If you have any questions or want to contact me, please drop me a line to pashtuk at gmail.com
