
CatOS syntax question


BigFinn

MIS
Aug 28, 2003
64
GB

Hello all,

I need to make some changes on our CatOS core switch and I'm getting a little bit of pucker factor: I'm an IOS guy, and the Core in our place is considered very risky and important and not to be messed with.

I need to though: our Ciscoworks server needs to be able to monitor the Core switch itself and other switches connected to the core on different interfaces.

The core can 'see' the other switches via CDP, but I need to get the Ciscoworks server to use this information as well.

I've written a little aide-memoire to myself on how to do the changes on the CatOS core, and I've pasted it in here.

Would any people with CatOS experience read through it and tell me if I'm risking anything dangerous, have left anything out or missed an important step? For example, will I be authenticated successfully against the local account database when I telnet in, or have I missed something?

Thanks for everyone's time.

BF


*******************************


CATOS SNMP settings, Enable password change and a local user account creation for telnet logins.

Overview

These changes are meant to bring the Core switches' login and SNMP credentials into line with the rest of the network plant. This will permit Ciscoworks/other LMS system to use one set of credentials to monitor the network.


Work through this list in order on both CATOS core switches when making changes.

Work in enable mode, * means a comment.



****************

START

****************


show snmp

*shows what's running and to where


set snmp enable

*turn it on - it already should be on

set snmp community read-only <snip>

set snmp community read-write <snip>

*set strings to what we use


set snmp trap enable

set snmp trap 192.168.X.Y <snip>

*set traps on and define a receiving station - in our case <snip>




show localusers

set localuser <snip> password <snip> privilege 15

*A local user will be needed to authenticate

set localuser authentication enable

*start using local auth, rather than the current Telnet password




set enablepass

-this will give you a prompt, type the PW in

<snip>

*this changes the enable PW


***********

END

***********



*Changes complete - Now test:

Before logging out of your telnet session, open a second one and telnet in using your new user account and credentials and the new enable PW. Does it all work?

If yes, save the running-config. If No, keep reading.




*******************

REVERSING OUT

*******************

If it all goes wrong,

do these:



set enablepass <snip>

*back to current default

set localuser authentication disable

*to permit telnet access back in

clear localuser <snip>

*delete the user you created earlier


*********

END

*********

 
You're fine. The equivalent IOS commands are

username xxx priv 15 secret yyyyyyy

logging trap debugging
logging host x.x.x.x
enable secret xxxxxxx

Crap...now I can't remember the actual snmp...but these won't screw anything up. CatOS is a bit easier and more straightforward, since there is really only one level rather than several with IOS.

Burt
 
Thanks Burt,

I'll move forward with that.

Kind Regards

BF
 
Hi, all worked ok.

The only surprise while making the changes was this:

set localuser <snip> password <snip> privilege 15

wouldn't work.


The syntax should be

set localuser user <snip> password <snip> privilege 0



Creating a user with priv 15 will put that user straight into Enable mode on login, which we didn't want. Also, I missed the word 'user' out of the command syntax initially.

Finally, the CatOS won't let you delete or change the last user if

set localuser authentication enable

is still on. You have to create an extra user, or

set localuser authentication disable

to adjust your main (only) user properties.

Makes sense, I guess.


Thanks for your peer review!

BF

 