Configuring a new Cisco switch via a Neighbor Switch
Cisco admins, here's an awesome trick. If you're not installing Cisco switches, you can stop reading here. Otherwise, it may be of interest. If a new switch is connected to the network and you need to configure it, but don't have a console connection... read on.
When you plug a new Cisco switch into the network, it will acquire an IP address via DHCP, by default. From there, this command list should allow you to access it without a console connection. Log in to one of the other Catalyst switches already running on the network.
cluster run - this command enables clustering.
show cdp neighbors (Optional) – If CDP is running (you could turn it on temporarily) and you’ve chosen to start from a switch that is connected to the new switch, you should see a neighbor named “Switch”. This isn’t really a necessary step, but it’s useful to know things are working.
cluster enable WORD – The cluster commands require you to be in configuration mode. You must give the cluster a name.
show cluster candidates – Get out of configuration mode (or prefix this command with do) and check whether the new switch appears as a cluster member candidate. Remember it should be called “Switch”.
cluster member mac-address H.H.H – Back in configuration mode, this will add the new switch as a member of this cluster. The mac-address should be part of the information shown in the previous step.
show cluster members (Optional) – Exit out of configuration mode. This command should list the command switch (the one you are on), and a member switch. The member switch is the device you are planning to configure and should be designated as member 1.
rcommand 1 – This will log you into the new switch. You shouldn’t need a password. Configure the new switch.
no cluster member 1 – Log off the new (and now configured) switch and remove it from the cluster. This step may not be strictly necessary, but better safe than sorry. It will remove the new switch from the temporary cluster.
no cluster enable – This will remove the cluster and end the process.
At this point, you should be able to SSH or telnet into the new switch. The mistake I’ve made most often at this point is forgetting to set an enable password. Without both login (whether telnet or AAA) and enable passwords, the switch won’t let you in.
If an enable password has already been set, you’ll have to add “password the_enable_password” to the command “cluster member mac-address H.H.H”. And if you're nervous about how easy it is to configure a neighbor switch from, say, a compromised or rogue switch, consider "no cluster run" in all of your switch configurations.
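As an added example (not from the original post), here is a small audit that checks saved running-configs for the things this post warns about: clustering still enabled (no "no cluster run"), a temporary cluster that was never torn down, and a missing enable password. The sample configs and the hostnames in them are constructed; the patterns assume standard IOS running-config syntax.

```python
"""Audit Catalyst running-configs for the clustering exposure described above.

Added example, not from the original post. The sample configs below are
constructed; the patterns assume standard IOS running-config syntax.
"""
import re


def audit_cluster_exposure(running_config: str) -> list[str]:
    """Return a list of findings for one switch's running-config text."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    findings = []

    # Clustering is on unless the config explicitly disables it, so the
    # hardening the post recommends shows up as a literal "no cluster run".
    if "no cluster run" not in lines:
        findings.append("clustering not disabled: add 'no cluster run'")

    # Leftover command-switch or member definitions mean the temporary
    # cluster was never removed with "no cluster member" / "no cluster enable".
    for ln in lines:
        if re.match(r"^cluster enable \S+", ln):
            findings.append(f"stale cluster definition: '{ln}'")
        elif re.match(r"^cluster member\b", ln):
            findings.append(f"stale cluster member: '{ln}'")

    # The post's most common slip: no enable password/secret configured.
    if not any(re.match(r"^enable (secret|password)\b", ln) for ln in lines):
        findings.append("no enable secret/password set")

    return findings


# Constructed sample configs (placeholder hash, placeholder MAC address).
HARDENED_CONFIG = """\
hostname access-sw-01
no cluster run
enable secret 5 $1$placeholder
line vty 0 4
 login local
 transport input ssh
"""

EXPOSED_CONFIG = """\
hostname access-sw-02
cluster enable TEMPCLUSTER
cluster member 1 mac-address 0011.2233.4455
line vty 0 4
 login
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("exposed", EXPOSED_CONFIG)):
        print(name, audit_cluster_exposure(cfg) or ["no findings"])
```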