[ Cisco ] NM-16A / NM-32A


The following Cisco documentation states that the NM-16A is not supported on the Cisco 2800 Series routers.

  1. https://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/7258-hw-async.html
  2. https://www.cisco.com/c/en/us/td/docs/ios/interface/configuration/guide/ir_nm16as.html

But chances are, you can. I have installed the NM-16A in my Cisco 2821 router, and it was recognized and configurable.

Cisco 2821 (revision 53.51) with 419840K/104448K bytes of memory.
Processor board ID FTXXXXXXXXX
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
16 terminal lines
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
250880K bytes of ATA CompactFlash (Read/Write)

Just remember: do not plug this module into the upper-right slot (marked "EVM only"); put it in the lower-left slot instead.

[ MacOS ] Uninstall Java


sudo rm -fr /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin
sudo rm -fr /Library/PreferencePanes/JavaControlPanel.prefPane
sudo rm -fr ~/Library/Application\ Support/Java

On OS X El Capitan, opening the AIP-SSC-5 management applet of an ASA 5505 fails with the following error.

Unsigned application requesting unrestricted access to system. The following resource is signed with a weak signature algorithm MD5withRSA and is treated as unsigned.

In that case, edit the following file:

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security

and comment out this line:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

Java will then accept JARs signed with MD5withRSA again. Be aware that this loosens JAR signature checking for every applet the plugin loads, not only the ASA one, and MD5 collisions are practical; revert the change when you are done, or remove only `MD5` from the list and keep MD2 and `RSA keySize < 1024` disabled.
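The narrower version of that change, as an added example that is not part of the original post: instead of commenting the whole property out, drop only the `MD5` constraint and keep the rest. The java.security text below is a constructed stand-in for the real file, the function names are this example's own, and it assumes the property sits on a single line (the stock file writes it that way; join any backslash continuations first).

```python
"""Relax jdk.jar.disabledAlgorithms by a single constraint instead of disabling it.

Added example, not code from the post. SAMPLE_JAVA_SECURITY is a constructed
excerpt; a real file is edited in place by relax_file() with a .orig backup."""
import re
import shutil
from pathlib import Path

PROPERTY = "jdk.jar.disabledAlgorithms"
_LINE = re.compile(rf"^{re.escape(PROPERTY)}\s*=\s*(.*)$", re.MULTILINE)

# Constructed stand-in for the relevant lines of java.security.
SAMPLE_JAVA_SECURITY = """\
# Algorithm restrictions for signed JAR files
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""


def parse_disabled(text: str) -> list[str]:
    """Constraints listed for PROPERTY; [] if the property is absent or commented."""
    m = _LINE.search(text)
    if not m:
        return []
    return [c.strip() for c in m.group(1).split(",") if c.strip()]


def relax(text: str, drop: frozenset[str] = frozenset({"MD5"})) -> str:
    """Rewrite PROPERTY keeping every constraint except those in `drop`.

    With the default, only MD5-digest signatures (MD5withRSA) become acceptable;
    MD2 and 'RSA keySize < 1024' stay disabled. If nothing is left, the property
    is commented out, which is what the post does for the whole line."""
    keep = [c for c in parse_disabled(text) if c not in drop]
    new_line = f"{PROPERTY}={', '.join(keep)}" if keep else f"#{PROPERTY}="
    # Only the jar property is touched; jdk.certpath.disabledAlgorithms is left alone.
    return _LINE.sub(lambda _m: new_line, text, count=1)


def relax_file(path: Path, drop: frozenset[str] = frozenset({"MD5"})) -> Path:
    """Back up `path` to `<path>.orig`, rewrite it in place, return the backup path."""
    backup = path.with_suffix(path.suffix + ".orig")
    shutil.copy2(path, backup)
    path.write_text(relax(path.read_text(), drop))
    return backup


if __name__ == "__main__":
    print(relax(SAMPLE_JAVA_SECURITY), end="")
```

Restore by copying the `.orig` file back once the ASA session is over; the plugin reads java.security at applet start, so no reboot is needed in either direction.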

For the following Cisco Wireless LAN Controller models:

  • 2500 DTLS License (Product_Id "AIR-CT2504-K9" )
  • 5500 DTLS License (Product_Id "AIR-CT5508-K9" )
  • 7500 DTLS License (Product_Id "AIR-CT7510-K9" )
  • WISM2 DTLS License (Product_Id "WS-SVC-WISM2-K9" )
  • VWLC DTLS License (Product_Id "WCVWLCDTLS")

You can obtain your DTLS license from this page.

[ Photography ] The new Audi A3


Photographed by: erebus
Processed by: Shen, Li Feng
Camera: Nikon D610 with Nikkor 105mm f/2.8 VR IF ED

Lately quite a few home users who have bought a Cisco AP have asked whether they can create more than one SSID. The reason is almost always the same: a guest-only SSID with a password different from the main one, so that the everyday password is not harvested by Wi-Fi password-sharing apps such as WiFi Master Key (WiFi 万能钥匙).

In a typical home topology this does not work, because Cisco ties one SSID to a single VLAN on a radio. In other words, on the 2.4 GHz radio (dot11radio0) you can configure one SSID belonging to vlan1, say Cisco1, and that is all.

As Cisco's documentation puts it:

SSIDs, VLANs, and encryption schemes are mapped together on a one-to-one-to-one basis; one SSID can be mapped to one VLAN, and one VLAN can be mapped to one encryption scheme. When using a global SSID configuration, you cannot configure one SSID with two different encryption schemes. For example, you cannot apply SSID north with TKIP on interface dot11 0 and also apply SSID north with WEP128 on interface dot11 1.

So if you have this kind of requirement, please don't come to me about it; there is nothing I can do. Hence this public notice. Thanks.

[ Cisco ] Reflexive ACL Example


(Diagram: CiscoDynamicACL.png)

R1 configuration:

interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip access-group external_acl in
 ip access-group internal_acl out
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
ip access-list extended external_acl
 evaluate web-only-reflect-acl
 evaluate icmp-only-reflect-acl
 deny ip any any
!
ip access-list extended internal_acl
 permit tcp any any eq www reflect web-only-reflect-acl timeout 300
 permit icmp any any reflect icmp-only-reflect-acl timeout 300
 deny ip any any

R2 configuration:

interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
ip http server
ip route 192.168.1.0 255.255.255.0 10.0.0.2

Linux configuration:

ifconfig eth0 inet 192.168.1.200 netmask 255.255.255.0
ip route add default via 192.168.1.1 dev eth0

Ping from Linux to R2:

root@box:/tmp# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: seq=0 ttl=254 time=13.111 ms
^C
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 13.111/13.111/13.111 ms
root@box:/tmp#

Ping from R2 to Linux (nothing has been reflected in this direction, so R1 drops the echo requests and answers with ICMP unreachables, the "U"):

R2#ping 192.168.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.200, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2#

R1's access-lists after the Linux ping to R2 (the 5 matches on the final deny are R2's five echo requests from the previous test):

R1#show access-list
Extended IP access list external_acl
    10 evaluate web-only-reflect-acl
    40 evaluate icmp-only-reflect-acl
    50 deny ip any any (5 matches)
Reflexive IP access list icmp-only-reflect-acl
     permit icmp host 10.0.0.1 host 192.168.1.200 (2 matches) (time left 265)
Extended IP access list internal_acl
    10 permit tcp any any eq www reflect web-only-reflect-acl
    20 permit icmp any any reflect icmp-only-reflect-acl (67 matches)
    30 deny ip any any
Reflexive IP access list web-only-reflect-acl

R1's access-lists after Linux has accessed R2's web server (the 401 is expected: `ip http server` requires a login, but the TCP session was completed, which is all the reflexive entry cares about):

root@box:/tmp# wget http://10.0.0.1
Connecting to 10.0.0.1 (10.0.0.1:80)
wget: server returned error: HTTP/1.1 401 Unauthorized
root@box:/tmp#

R1#show access-list
Extended IP access list external_acl
    10 evaluate web-only-reflect-acl
    40 evaluate icmp-only-reflect-acl
    50 deny ip any any (10 matches)
Reflexive IP access list icmp-only-reflect-acl
     permit icmp host 10.0.0.1 host 192.168.1.200 (2 matches) (time left 195)
Extended IP access list internal_acl
    10 permit tcp any any eq www reflect web-only-reflect-acl (7 matches)
    20 permit icmp any any reflect icmp-only-reflect-acl (67 matches)
    30 deny ip any any
Reflexive IP access list web-only-reflect-acl
     permit tcp host 10.0.0.1 eq www host 192.168.1.200 eq 55411 (11 matches) (time left 2)
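To make the state machine behind those `show access-list` outputs explicit, here is an added model of R1's two ACLs; it is illustration code, not anything from the post or from Cisco. It replays the three tests in the order the counters imply (R2's ping first, then the Linux ping, then the wget) using the page's addresses and the source port 55411 from the last entry, with simulated time. The timeout and the 5-second grace period after a TCP session closes follow Cisco's documented reflexive-ACL behaviour; the class and function names are this example's own. It also shows a caveat the output hints at: the reflected ICMP entry is host-to-host with no ICMP type, so while it lives, R2 can send unsolicited ICMP to the Linux host.

```python
"""Stateful model of R1's reflexive ACLs (added example, not the post's code).

Outbound packets matching a `permit ... reflect NAME` line create a mirrored
entry (addresses and ports swapped) in list NAME with a 300 s timeout; inbound
packets are accepted only if they match such an entry (the `evaluate` lines),
otherwise `deny ip any any` applies. A TCP entry is cut to 5 s once the session
closes (FIN from both sides or RST), hence "time left 2" in the post."""
from dataclasses import dataclass, field
from typing import Optional

TCP_CLOSE_GRACE = 5          # seconds a finished TCP entry survives (Cisco behaviour)


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    fin: bool = False
    rst: bool = False


@dataclass
class ReflexEntry:
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    expires: float
    fins_seen: int = 0

    def matches(self, p: Packet) -> bool:
        return (p.proto, p.src, p.dst, p.sport, p.dport) == (
            self.proto, self.src, self.dst, self.sport, self.dport)


@dataclass
class ReflexiveFilter:
    timeout: float = 300.0
    now: float = 0.0
    # reflect list -> (protocol, destination port) its outbound permit line allows
    outbound_rules: dict = field(default_factory=lambda: {
        "web-only-reflect-acl": ("tcp", 80),
        "icmp-only-reflect-acl": ("icmp", None),
    })
    tables: dict = field(default_factory=dict)

    def _purge(self) -> None:
        for name, entries in self.tables.items():
            self.tables[name] = [e for e in entries if e.expires > self.now]

    def _touch(self, e: ReflexEntry, p: Packet) -> None:
        e.expires = self.now + self.timeout
        if e.proto != "tcp":
            return
        if p.fin:
            e.fins_seen += 1
        if p.rst or e.fins_seen >= 2:        # session over: short grace period
            e.expires = min(e.expires, self.now + TCP_CLOSE_GRACE)

    def outbound(self, p: Packet) -> bool:
        """internal_acl: permit www/icmp and reflect; deny ip any any."""
        self._purge()
        for name, (proto, dport) in self.outbound_rules.items():
            if p.proto == proto and (dport is None or p.dport == dport):
                entries = self.tables.setdefault(name, [])
                mirrored = Packet(p.proto, p.dst, p.src, p.dport, p.sport)
                for e in entries:
                    if e.matches(mirrored):
                        self._touch(e, p)
                        return True
                entries.append(ReflexEntry(p.proto, p.dst, p.src, p.dport, p.sport,
                                           self.now + self.timeout))
                return True
        return False

    def inbound(self, p: Packet) -> bool:
        """external_acl: evaluate both reflect lists; deny ip any any."""
        self._purge()
        for entries in self.tables.values():
            for e in entries:
                if e.matches(p):
                    self._touch(e, p)
                    return True
        return False

    def time_left(self, name: str) -> list[float]:
        self._purge()
        return [e.expires - self.now for e in self.tables.get(name, [])]


def lab_scenario() -> dict:
    """Replay the post's tests; returns a verdict per step."""
    r1, linux, r2, v = ReflexiveFilter(), "192.168.1.200", "10.0.0.1", {}
    v["r2_ping_before"] = r1.inbound(Packet("icmp", r2, linux))      # the 5 denies
    v["linux_echo_out"] = r1.outbound(Packet("icmp", linux, r2))     # reflected
    v["r2_echo_reply_in"] = r1.inbound(Packet("icmp", r2, linux))    # reply allowed
    v["r2_ping_during"] = r1.inbound(Packet("icmp", r2, linux))      # caveat: also allowed
    v["syn_out"] = r1.outbound(Packet("tcp", linux, r2, 55411, 80))
    v["synack_in"] = r1.inbound(Packet("tcp", r2, linux, 80, 55411))
    v["r2_syn_in"] = r1.inbound(Packet("tcp", r2, linux, 40000, 80))  # still denied
    r1.outbound(Packet("tcp", linux, r2, 55411, 80, fin=True))
    r1.inbound(Packet("tcp", r2, linux, 80, 55411, fin=True))
    r1.now += 3
    v["web_time_left"] = r1.time_left("web-only-reflect-acl")        # [2.0]
    v["icmp_time_left"] = r1.time_left("icmp-only-reflect-acl")      # [297.0]
    r1.now += 3
    v["web_entries_after"] = len(r1.time_left("web-only-reflect-acl"))  # 0
    return v


if __name__ == "__main__":
    for step, verdict in lab_scenario().items():
        print(f"{step:>18}: {verdict}")
```

The `r2_ping_during` step is the point to take away: reflexive ACLs reflect addresses and ports, not ICMP types or TCP state, so for the lifetime of an entry the outside host can reach the inside host with anything that matches the mirrored 5-tuple. The 300 s idle timeout is therefore a security parameter, not only a convenience.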

[ Cisco ] Dynamic ACL Example


(Diagram: CiscoDynamicACL.png)

R1 Configuration:

username cisco privilege 15 secret 5 $1$hkHo$WNwPkxt5bvyzMK5yxEeTi0
!
redundancy
!
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 duplex auto
 speed auto
 media-type rj45
!
access-list 101 permit tcp any host 192.168.1.1 eq telnet
access-list 101 dynamic telnet timeout 15 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 autocommand access-enable host timeout 5
 transport input telnet
line vty 5 15
 login local
 autocommand access-enable host timeout 5
 transport input telnet
!
end

R2 Configuration:

interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
ip route 192.168.1.0 255.255.255.0 10.0.0.2
!

!

Linux Configuration:

# ifconfig eth0 inet 192.168.1.200 netmask 255.255.255.0
# ip route add default via 192.168.1.1 dev eth0

Verify:

1. Linux cannot ping 10.0.0.0/24 while the access-list is in place.

root@box:/# ping -c 1 -w 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
root@box:/#

2. Show access-list 101 on R1.

R1#show access-list 101
Extended IP access list 101
    10 permit tcp any host 192.168.1.1 eq telnet (48 matches)
    20 Dynamic telnet permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255

3. Linux initiates a telnet session to R1. The login succeeds and the connection is closed at once: the vty autocommand runs `access-enable host timeout 5` and exits, so no shell is ever presented. Note that telnet carries the credentials in cleartext; the same autocommand works on vty lines restricted to `transport input ssh`.

root@box:/# telnet 192.168.1.1
Entering character mode
Escape character is '^]'.

User Access Verification

Username: cisco
Password: Connection closed by foreign host
root@box:/#

4. Linux can now ping 10.0.0.0/24 through the temporary entry the dynamic access-list created. Because of the `host` keyword, the entry is limited to the authenticated source 192.168.1.200 rather than the whole 192.168.1.0/24; `access-enable ... timeout 5` gives it a 5-minute idle timeout, and `dynamic telnet timeout 15` caps its total lifetime at 15 minutes.

root@box:/# ping -c 1 -w 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: seq=0 ttl=254 time=9.179 ms
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 9.179/9.179/9.179 ms
root@box:/# ping -c 1 -w 1 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: seq=0 ttl=255 time=4.638 ms
--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.638/4.638/4.638 ms

5. Show access-list 101 on R1.

R1#show access-list 101
Extended IP access list 101
    10 permit tcp any host 192.168.1.1 eq telnet (71 matches)
    20 Dynamic telnet permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
       permit ip host 192.168.1.200 10.0.0.0 0.0.0.255 (2 matches) (time left 279)

[ Note ] The Ubuntu version used here is Ubuntu Linux Server 16.04 LTS.

First, you will need to install the wpasupplicant package.

apt install wpasupplicant

Then determine the Wi-Fi interface's name.

dmesg | grep wlan

In this case it is wls3.

[ 28.100572] iwl3945 0000:03:00.0 wls3: renamed from wlan0

Bring up the interface.

ip link set wls3 up

Scan for available BSSIDs / ESSIDs.

iw wls3 scan

Create the wpa_supplicant configuration file (SSID and PASSPHRASE are placeholders for your network name and WPA2 passphrase). wpa_passphrase writes the derived 256-bit PSK, but it also echoes the passphrase itself in a commented `#psk="..."` line; delete that line afterwards and make the file readable by root only, since the hex PSK alone is enough to join the network.

wpa_passphrase SSID PASSPHRASE > /etc/wpa_supplicant.conf

Connect to the Wi-Fi network. (`-D wext` is the legacy driver interface; on current kernels `-D nl80211` is preferred and wext is only a fallback.)

wpa_supplicant -B -D wext -i wls3 -c /etc/wpa_supplicant.conf

Obtain an address from the DHCP server.

dhclient wls3

Set the default route (dhclient normally installs one already; if you add it by hand, use your router's address and the interface name after `dev`, not a second `via`).

ip route add default via 192.168.0.1 dev wls3
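What `wpa_passphrase` actually puts in that file, as an added example that is not part of the original post: WPA/WPA2-Personal derives the PSK as PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes. The code below reproduces the derivation, renders the `network={}` block with and without the plaintext `#psk=` comment, and strips that comment from an existing file. The function names are this example's own; the expected PSK is the test vector published in IEEE 802.11i (passphrase "password", SSID "IEEE").

```python
"""Reproduce wpa_passphrase's PSK derivation and clean its output (added example).

PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, dkLen=32), per IEEE 802.11i.
wpa_passphrase also emits the plaintext passphrase as a '#psk="..."' comment;
strip_plaintext_psk() removes it so /etc/wpa_supplicant.conf only holds the
derived key (which must still be protected: it alone joins the network)."""
import hashlib
import re

_PLAINTEXT_PSK = re.compile(r'^\s*#psk=".*"\s*\n', re.MULTILINE)


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Return the 64-hex-character PSK that wpa_passphrase would print."""
    if not 8 <= len(passphrase) <= 63:       # the range the standard allows
        raise ValueError("WPA passphrase must be 8..63 characters")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return raw.hex()


def network_block(ssid: str, passphrase: str, keep_plaintext: bool = False) -> str:
    """Render a wpa_supplicant network block.

    keep_plaintext=True mimics wpa_passphrase exactly (including the comment
    that leaks the passphrase); the default leaves only the derived PSK."""
    lines = ["network={", f'\tssid="{ssid}"']
    if keep_plaintext:
        lines.append(f'\t#psk="{passphrase}"')
    lines += [f"\tpsk={wpa_psk(ssid, passphrase)}", "}"]
    return "\n".join(lines) + "\n"


def strip_plaintext_psk(conf_text: str) -> str:
    """Remove every '#psk="..."' comment line from wpa_supplicant.conf text."""
    return _PLAINTEXT_PSK.sub("", conf_text)


if __name__ == "__main__":
    # Constructed values, not a real network.
    print(network_block("IEEE", "password", keep_plaintext=True), end="")
    print("--- after strip_plaintext_psk ---")
    print(strip_plaintext_psk(network_block("IEEE", "password", keep_plaintext=True)), end="")
```

Run `strip_plaintext_psk` over the file `wpa_passphrase` produced, then `chmod 600` it: the remaining hex `psk=` line is equivalent to the passphrase for joining the network, but at least it is not reusable as the password the user probably typed elsewhere.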

While performing password recovery on a Brocade 5300:

sh-2.04# /sbin/passwdDefault
/sbin/passwdDefault: [: !=: unary operator expected

I don't know why so far. Marked as unresolved.

*** Update ***

After some trying, I found the solution here.

Since OSRootPartition was originally `OSRootPartition=hda1;hda2`, it has to be changed to `OSRootPartition=hda2;hda1`. Run /sbin/passwdDefault again, and it works.
