Thursday, November 3, 2011

Cisco MDS 9124 Password Recovery

Terminal software: SecureCRT 5.5


Reboot the switch and watch the console:

>> MDS-Bootloader-01.00.17 (May 28 2009 - 23:13:36), Build: 01.00.17

PowerPC
  CPU:    8541, Version: 1.1, (SVR:0x807a0011)
  Core:   E500, Version: 2.0, (PVR:0x80200020)
  Clocks: CPU: 999 MHz, CCB: 333 MHz,
          DDR: 166 MHz, LBC:  41 MHz
  L1:     D-cache 32 kB enabled
          I-cache 32 kB enabled
INFO: Booting off primary flash.
I2C:   ready
DRAM: Total SDRAM memory is 512 MB
20000000
INFO: SDRAM tests PASSED.
DRAM: ECC initialization in progress...Done.
done.
INFO: Board rev = 6 type = 4 index 9032
L2 cache 256KB: enabled
IDE:   Bus 0: OK
  Device 0: Model: SILICONSYSTEMS INC 256MB Firm: 841-023 Ser#: CB0531XX55920DXX
            Type: Hard Disk
            Capacity: 248.5 MB = 0.2 GB (508928 x 512)

Booting bootflash:/m9100-s2ek9-kickstart-mz.4.1.3a.bin ...
.................  (at this point send the break sequence: Ctrl + ])
Automatic boot of image at addr 0x00000000 ...
Starting kernel...
 Entered kgdb_console_init:1960
INIT: version 2.85 booting
Checking all filesystems..^]... done.
/etc/rc.d/rcS.d/S30procps: line 34: log_action_begin_msg: command not found
/etc/rc.d/rcS.d/S30procps: line 36: log_action_end_msg: command not found
Setting the System Clock using the Hardware Clock as reference...System Clock s1
Loading systemStopping NFS servers: mountd nfsd.
.
INIT: Sending processes the KILL signal
Cisco Nexus Operating System (NX-OS) Software
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch(boot)#

switch(boot)# conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
switch(boot)(config)# admin-password new_password
switch(boot)(config)# exit

switch(boot)# load bootflash:m9100-s2ek9-mz.4.1.3a.bin
Uncompressing system image: bootflash:/m9100-s2ek9-mz.4.1.3a.bin
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

CCCCCCCCCCCCCCCCCCCCCCCCCCCCC
INIT: Switching to runlevel: 3
INIT: Sending processes the TERM signal
INItch(boot)#
Starting NFS servers: nfsd mountd.

2011 Nov  2 19:05:38 MDS9124-2 %KERN-2-SYSTEM_MSG: Starting kernel... - kernel
2011 Nov  2 19:05:38 MDS9124-2 %KERN-1-SYSTEM_MSG:  Entered kgdb_console_init:1960 - kernel


User Access Verification
MDS9124-2 login:
2011 Nov  2 19:06:03 MDS9124-2 %PLATFORM-2-PS_OK: Power supply 2 ok (Serial number PAC122531XX)
2011 Nov  2 19:06:03 MDS9124-2 %PLATFORM-2-PS_FANOK: Fan in Power supply 2 ok
2011 Nov  2 19:06:03 MDS9124-2 %PLATFORM-2-FAN_OK: Fan module ok

User Access Verification
MDS9124-2 login: admin
Password:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
MDS9124-2#

Monday, October 31, 2011

ASA: routing traffic in and out of the same interface (intra-interface)


Default: Intra-Interface Communications is disabled, so traffic that enters and leaves the same interface is not routed.

Command to enable Intra-Interface Communications:
same-security-traffic permit intra-interface

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Add the following two lines so that packets routed back to the inside interface are not translated (NAT exemption):

1. ACL
access-list route-inside extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

2. NAT 0 (NAT exemption)
nat (inside) 0 access-list route-inside

Wednesday, October 26, 2011

Wednesday, September 21, 2011

Cisco ACS RADIUS proxy setup


Requirement:

A client authenticates to ACS1 as account@lab.com (an account that does not exist on ACS1); ACS1 proxies the authentication to ACS2, and a "RADIUS Accounting" record is kept on both ACS1 and ACS2.


Configuration:

ACS1 (add ACS server "ACS2")

ACS2 (add AAA client "ACS1") (add user account "jacky2")

On ACS1, configure the Proxy Distribution Table:

    Character String: @lab.com  (string appended to the account, i.e. Suffix)
    AAA Servers: select both servers
    Accounting: Local/Remote

Result:

When jacky2@lab.com authenticates successfully:

Report "Passed Authentications" => "jacky2" appears only on ACS2 (without the domain)


Report "RADIUS Accounting" => "jacky2" appears on ACS2 (without the domain)

At the same time:

Report "RADIUS Accounting" => "jacky2@lab.com" appears on ACS1


RadiusTest tool:


Download the utility by clicking: RadiusTest.zip



Friday, July 22, 2011

CactiEZ automated upgrade to 0.8.7g

1. Create a shell script with the following contents and run it

# update cactiez
# back up both databases first; step 4 restores them if the upgrade fails
mysqldump -l --add-drop-table cacti > /tmp/mysql.cacti
mysqldump -l --add-drop-table syslog > /tmp/mysql.syslog

mv /var/www/html /var/www/html.old

cd /tmp
wget http://www.cacti.net/downloads/cacti-0.8.7g.tar.gz
tar zxvf cacti-0.8.7g.tar.gz
mv cacti-0.8.7g /var/www/html

# carry the RRD files, logs, scripts and resource templates over from the old tree
yes|cp -r /var/www/html.old/rra /var/www/html/

yes|cp /var/www/html.old/log/* /var/www/html/log

cp /var/www/html.old/scripts/* /var/www/html/scripts --reply=no
cp -R /var/www/html.old/resource/* /var/www/html/resource/ --reply=no

# restore the CactiEZ database password and session name in the new config.php
sed -i 's/$database_password = "cactiuser";/$database_password = "CactiMadeEZ";/g' /var/www/html/include/config.php
sed -i 's/#$cacti_session_name = "Cacti";/$cacti_session_name = "CactiEZ";/g' /var/www/html/include/config.php

rm -f /tmp/cacti-0.8.7g.tar.gz

# plugins update (Plugin Architecture v2.8)
cd /tmp
wget http://mirror.cactiusers.org/downloads/plugins/cacti-plugin-0.8.7g-PA-v2.8.zip
unzip cacti-plugin-0.8.7g-PA-v2.8.zip
cd cacti-plugin-arch
yes | cp cacti-plugin-0.8.7g-PA-v2.8.diff LICENSE pa.sql README /var/www/html

# copy the contents of files-0.8.7g, not the directory itself
yes| cp -r files-0.8.7g/* /var/www/html

cd /var/www/html
patch -p1 -N < cacti-plugin-0.8.7g-PA-v2.8.diff

sed -i 's/"Cacti";/"CactiMadeEZ";/g' /var/www/html/include/global.php

cp -r /var/www/html.old/plugins/* /var/www/html/plugins/ --reply=no

# save each archive under the file name the tar/unzip step below expects
cd /tmp
wget -O /tmp/boost-2.4.tar.gz http://cactiusers.org/downloads/boost.tar.gz
cd /var/www/html/plugins/
tar zxvf /tmp/boost-2.4.tar.gz

cd /tmp
wget -O /tmp/thold-0.4.3.tar.gz http://cactiusers.org/downloads/thold.tar.gz
cd /var/www/html/plugins/
tar zxvf /tmp/thold-0.4.3.tar.gz

cd /tmp
wget http://www.network-weathermap.com/files/php-weathermap-0.96a.zip
cd /var/www/html/plugins/
unzip -o /tmp/php-weathermap-0.96a.zip

cd /tmp
wget -O /tmp/reportit_0.7.1.tar.gz http://sourceforge.net/projects/cacti-reportit/files/cacti-reportit/reportit_v071/reportit_0.7.1.tar.gz/download
cd /var/www/html/plugins/
tar zxvf /tmp/reportit_0.7.1.tar.gz
rm -rf reportit
mv 0.7.1 reportit

2. Edit /var/www/html/include/global.php

Find $config = array(); and add the following below it:

$plugins = array();
$plugins[] = 'settings';
$plugins[] = 'boost';
$plugins[] = 'monitor';
$plugins[] = 'discovery';
$plugins[] = 'tools';
$plugins[] = 'syslog';
$plugins[] = 'mactrack';
$plugins[] = 'loginmod';
$plugins[] = 'update';
$plugins[] = 'flowview';
$plugins[] = 'hostinfo';
$plugins[] = 'errorimage';
$plugins[] = 'weathermap';
$plugins[] = 'docs';
$plugins[] = 'reportit';
//$plugins[] = 'ntop';
//$plugins[] = 'ssl';
$plugins[] = 'routerconfigs';
$plugins[] = 'wmi';
$plugins[] = 'realtime';

3. Restart the service


service httpd restart

4. Recovery if the upgrade fails


cd /
rm -rf /var/www/html
mv /var/www/html.old /var/www/html

mysql cacti < /tmp/mysql.cacti
mysql syslog < /tmp/mysql.syslog
service httpd restart

5. weathermap error message


Notice: Undefined index: action in /var/www/html/plugins/weathermap/setup.php on line 146



Change line 146 to the following:


if(isset( $_REQUEST["action"] ) && $_REQUEST["action"] == 'viewmapcycle')

Saturday, July 16, 2011

ACS 4.2 upgrade and patch

CiscoSecure ACS (before upgrade): Release 4.2(0) Build 124

Upgrade order:

1. ACS-4.2.1.15-BIN-K9.zip  (Release 4.2(1) Build 15)
   (must be upgraded from 4.2.0; it cannot be installed directly)
   (process: keep the existing settings, remove the old version, install the new version)

2. Acs-4.2.1.15.4-SW.zip (Release 4.2(1) Build 15 Patch 4)
   (answer y in the cmd window)

Saturday, June 4, 2011

Acentlink Auto Routing

Define internal subnets that exit over different WAN links, with failover backup

(PBR : Policy Based Routing) + Fail-Over backup

Algorithm : Fixed (designated link)

Destination : "WAN" (Internet any)



Monday, May 30, 2011

Fat AP WPA-PSK TKIP Config

Model Number : Cisco AIR-AP1042N-T-K9
IOS version : c1140-k9w7-mx.124-25d.JA


Related configuration

dot11 ssid jacky
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 12293134250AJACKY252A2D302112121405140E445D
   information-element ssidl advertisement

interface Dot11Radio0
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid jacky



Wireless AP MAC packet filter

1. Define the ACL

access-list 700 permit 000c.f11c.c611   0000.0000.0000
access-list 700 permit 0040.96a5.aa22   0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff

2. Apply the ACL

interface Dot11Radio0
bridge-group 1 input-address-list 700
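The following Python example is added here and is not part of the original post or any Cisco code. It shows how an IOS MAC access-list such as list 700 above is evaluated: entries are checked in order, a wildcard bit of 1 means "don't care", and anything unmatched falls through to the implicit deny. It also adds a constructed list 701 with a partial wildcard to show OUI-style matching. A MAC list only decides which stations the radio accepts; it does not authenticate them, so it is a filter to pair with WPA, not a substitute for it. The function names are assumptions.

```python
MAC_BITS = 0xFFFF_FFFF_FFFF

# Constructed sample: the two entries from the post plus a second list (701,
# an assumption) whose wildcard permits every station whose MAC starts 000c.f11c.
SAMPLE_ACL = """\
access-list 700 permit 000c.f11c.c611   0000.0000.0000
access-list 700 permit 0040.96a5.aa22   0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
access-list 701 permit 000c.f11c.0000   0000.0000.ffff
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
"""


def mac_to_int(mac):
    """'000c.f11c.c611' -> 0x000cf11cc611 (also accepts 00:0c:f1:1c:c6:11 and dashes)."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def parse_mac_acl(text):
    """Return [(list_number, action, address, wildcard)] in configuration order."""
    entries = []
    for line in text.splitlines():
        words = line.split()
        if len(words) != 5 or words[0] != "access-list":
            continue
        _, number, action, address, wildcard = words
        entries.append((number, action, mac_to_int(address), mac_to_int(wildcard)))
    return entries


def mac_acl_action(entries, number, mac):
    """First-match evaluation of MAC access-list <number> for station <mac>.

    Wildcard bits set to 1 are 'don't care'; bits set to 0 must match exactly,
    so 0000.0000.0000 means an exact match and ffff.ffff.ffff matches any MAC.
    A station that matches no entry hits the implicit deny at the end.
    """
    station = mac_to_int(mac)
    for list_number, action, address, wildcard in entries:
        if list_number != number:
            continue
        care = ~wildcard & MAC_BITS          # bits the entry actually compares
        if station & care == address & care:
            return action
    return "deny"


if __name__ == "__main__":
    acl = parse_mac_acl(SAMPLE_ACL)
    for station in ("000c.f11c.c611", "0040.96a5.aa22", "0011.2233.4455", "000c.f11c.abcd"):
        print(f"{station}: list 700 -> {mac_acl_action(acl, '700', station)},"
              f" list 701 -> {mac_acl_action(acl, '701', station)}")
```

The `bridge-group 1 input-address-list 700` line applies the list to frames received on the radio, so a station that evaluates to `deny` here never gets past the AP.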


Saturday, May 21, 2011

Cisco ASA failover HA config


Description: with Cisco ASA failover, the active and standby units keep fixed IPs.

   Example: ip address 172.16.1.253 255.255.255.0 standby 172.16.1.252

   Whichever physical unit is currently active or standby,
   the active unit always uses 172.16.1.253 and the standby unit always uses 172.16.1.252.


1. failover configuration

failover configuration: primary

failover
failover lan unit primary
failover lan interface failover Management0/0
failover replication http
failover link failover Management0/0
failover interface ip failover 1.1.1.1 255.255.255.0 standby 1.1.1.2


failover configuration: secondary

failover
failover lan unit secondary
failover lan interface failover Management0/0
failover replication http
failover link failover Management0/0
failover interface ip failover 1.1.1.1 255.255.255.0 standby 1.1.1.2

2. Cabling

All ASA interfaces, including the failover interface, connect to one switch (separate VLANs).


3. View the failover state

ASA5520# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Standby Ready  None
Other host -   Secondary
               Active                None
====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set

ASA5520# failover ?

  active          Make this system to be the active unit of the failover pair
  exec            Execute command on the designated unit
  reload-standby  Force standby unit to reboot
  reset           Force an unit or failover group to an unfailed state

4. Switch Active / Standby

ASA5520# failover active  (run on the standby unit; it becomes active)


5. NAT-T

Symptom: the IPsec VPN client connects to the internal network but cannot reach any device. This is a NAT-T problem;

      enter the following command on the Cisco ASA:

      crypto isakmp nat-traversal



Wednesday, May 18, 2011

JavaScript: open a new window with the address bar hidden

Open the Hinet page

---------
<p><a href="javascript://" onClick="window.open('http://www.hinet.net','','menubar=no,status=no,scrollbars=yes,top=20,left=50,toolbar=no,width=800,height=600')">Open the Hinet page</a></DIV></FORM>
<p align="center">&nbsp;</p>
----------

Saturday, May 14, 2011

HSRP Config

RA#
interface Ethernet0
ip address 171.16.6.5 255.255.255.0
standby 1 ip 171.16.6.100
standby 1 priority 105  (higher priority becomes Active)
standby 1 preempt (when the interface comes back up, take Active back)
standby 1 track Serial0  (Serial0 down => priority -10 => becomes Standby)

RB#
interface Ethernet0
ip address 171.16.6.6 255.255.255.0
standby 1 ip 171.16.6.100 (optional; learned automatically from the group)
standby 1 preempt
standby 1 track Serial1
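To make the annotations above concrete, here is an added Python example (mine, not part of the original post or of IOS) that parses the two router configurations and replays the HSRP election. It assumes both routers are up and in group 1, uses the IOS defaults of priority 100 and a track decrement of 10, and the `parse_hsrp` and `elect_active` names are assumptions.

```python
import ipaddress

HSRP_DEFAULT_PRIORITY = 100   # IOS default when "standby N priority" is absent
TRACK_DECREMENT = 10          # IOS default decrement for "standby N track"

# Constructed from the RA/RB configurations in the post (assumption: both
# routers are up and both belong to HSRP group 1 on Ethernet0).
SAMPLE_CONFIG = """\
RA#
interface Ethernet0
ip address 171.16.6.5 255.255.255.0
standby 1 ip 171.16.6.100
standby 1 priority 105
standby 1 preempt
standby 1 track Serial0

RB#
interface Ethernet0
ip address 171.16.6.6 255.255.255.0
standby 1 ip 171.16.6.100
standby 1 preempt
standby 1 track Serial1
"""


def parse_hsrp(config):
    """Return {router_name: {ip, priority, preempt, track}} for group 1."""
    routers = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith("#"):                  # a "RA#" prompt introduces a router
            current = line[:-1]
            routers[current] = {"ip": None, "priority": HSRP_DEFAULT_PRIORITY,
                                "preempt": False, "track": []}
            continue
        if current is None or not line:
            continue
        words = line.split()
        if words[:2] == ["ip", "address"]:
            routers[current]["ip"] = ipaddress.IPv4Address(words[2])
        elif words[:3] == ["standby", "1", "priority"]:
            routers[current]["priority"] = int(words[3])
        elif words[:3] == ["standby", "1", "preempt"]:
            routers[current]["preempt"] = True
        elif words[:3] == ["standby", "1", "track"]:
            routers[current]["track"].append(words[3])
    return routers


def effective_priority(name, router, down_interfaces):
    """Configured priority minus the decrement for every tracked interface that is down."""
    penalty = sum(TRACK_DECREMENT for intf in router["track"]
                  if (name, intf) in down_interfaces)
    return router["priority"] - penalty


def elect_active(routers, down_interfaces=frozenset(), current_active=None):
    """Name of the router that holds Active after the event.

    Highest effective priority wins, ties broken by the highest interface IP.
    A router that already holds Active keeps it unless the better candidate
    has 'preempt' configured; on the very first election there is no holder.
    """
    def key(name):
        r = routers[name]
        return (effective_priority(name, r, down_interfaces), int(r["ip"]))

    best = max(routers, key=key)
    if current_active is None or best == current_active:
        return best
    return best if routers[best]["preempt"] else current_active


if __name__ == "__main__":
    r = parse_hsrp(SAMPLE_CONFIG)
    print("initial election:", elect_active(r))
    print("RA Serial0 down:", elect_active(r, {("RA", "Serial0")}, current_active="RA"))
    print("RA Serial0 back up:", elect_active(r, set(), current_active="RB"))
```

Running it shows RA active at the start (105 beats the default 100), RB taking over when RA's Serial0 goes down (RA drops to 95 and RB has preempt), and RA reclaiming the group when the interface recovers because RA also has preempt; without preempt on RA, RB would keep the role.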

Tuesday, April 12, 2011

Restrict an ACS group's accounts to authenticate only against a specific AAA client.

Example: only allow login to the SSLVPN device:

1. Configuration



2. Result (attempting to log in to any other device fails authentication)
        Reason: User Access Filtered.

Thursday, March 31, 2011

Linux Fedora CentOS Ubuntu TCP/IP Config

export LANG=C sets the English locale.

The "setup" command can configure the network card interactively.



Editing the NIC configuration from the command line

1. Fedora 13

vi /etc/sysconfig/networking/devices/ifcfg-eth0

# Intel Corporation 82557/8/9/0/1 Ethernet Pro 100
DEVICE=eth0
IPADDR=172.16.0.204
NETMASK=255.255.255.0
GATEWAY=172.16.0.254
DNS1=168.95.1.1
NAME="System eth0"


2. CentOS 5.4

vi /etc/sysconfig/network-scripts/ifcfg-eth0

# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
BROADCAST=172.16.1.255
IPADDR=172.16.1.101
NETMASK=255.255.255.0
NETWORK=172.16.1.0
GATEWAY=172.16.1.254

3. Restart the network service

service network restart

[root@lab-linux ~]# service network restart
Shutting down interface eth0:  [  OK  ]
Shutting down loopback interface:  [  OK  ]
Bringing up loopback interface:  [  OK  ]
Bringing up interface eth0:  [  OK  ]

4. Verify the routing table

netstat -nr

[root@lab-linux ~]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         172.16.1.254    0.0.0.0         UG        0 0          0 eth0

5. Ubuntu 11

vi /etc/network/interfaces


iface eth0 inet static
        address 172.16.1.211
        netmask 255.255.255.0
        network 172.16.1.0
        broadcast 172.16.1.255
        gateway 172.16.1.254

sudo /etc/init.d/networking restart
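As an added example (mine, not part of the original post), the Python script below reads either a Red Hat style ifcfg file or a Debian /etc/network/interfaces stanza into one dictionary and checks that IPADDR, NETMASK, GATEWAY, NETWORK and BROADCAST agree with each other. That catches the usual typo of a gateway outside the subnet before `service network restart` silently leaves the box without a default route. The sample inputs are constructed from the fragments above plus one deliberately wrong variant; the function names are assumptions.

```python
import ipaddress

# Constructed samples (assumption): the CentOS ifcfg-eth0 and the Ubuntu
# interfaces stanza from the post, plus a broken variant with a bad gateway.
CENTOS_IFCFG = """\
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
BROADCAST=172.16.1.255
IPADDR=172.16.1.101
NETMASK=255.255.255.0
NETWORK=172.16.1.0
GATEWAY=172.16.1.254
"""

UBUNTU_INTERFACES = """\
auto eth0
iface eth0 inet static
        address 172.16.1.211
        netmask 255.255.255.0
        network 172.16.1.0
        broadcast 172.16.1.255
        gateway 172.16.1.254
"""

BAD_IFCFG = """\
DEVICE=eth0
IPADDR=172.16.1.101
NETMASK=255.255.255.0
GATEWAY=172.16.2.254
"""

# Debian keyword -> Red Hat variable name, so both formats share one checker
DEBIAN_KEYS = {"address": "IPADDR", "netmask": "NETMASK", "gateway": "GATEWAY",
               "network": "NETWORK", "broadcast": "BROADCAST"}


def parse_ifcfg(text):
    """Red Hat style KEY=VALUE file -> dict (comments and quotes stripped)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def parse_interfaces(text, iface_name="eth0"):
    """Debian /etc/network/interfaces -> the same dict layout as parse_ifcfg()."""
    cfg = {}
    in_stanza = False
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "iface":                      # a new stanza starts
            in_stanza = words[1] == iface_name and words[2:4] == ["inet", "static"]
            continue
        if in_stanza and words[0] in DEBIAN_KEYS and len(words) == 2:
            cfg[DEBIAN_KEYS[words[0]]] = words[1]
    return cfg


def check_interface(cfg):
    """Return a list of problems; an empty list means the addressing is consistent."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
    except (KeyError, ValueError) as exc:
        return [f"IPADDR/NETMASK unusable: {exc}"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"IPADDR {iface.ip} is the network or broadcast address")
    if "GATEWAY" in cfg:
        gw = ipaddress.IPv4Address(cfg["GATEWAY"])
        if gw not in net:
            problems.append(f"GATEWAY {gw} is outside {net}")
        elif gw == iface.ip:
            problems.append("GATEWAY equals IPADDR")
    if "NETWORK" in cfg and ipaddress.IPv4Address(cfg["NETWORK"]) != net.network_address:
        problems.append(f"NETWORK should be {net.network_address}")
    if "BROADCAST" in cfg and ipaddress.IPv4Address(cfg["BROADCAST"]) != net.broadcast_address:
        problems.append(f"BROADCAST should be {net.broadcast_address}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("centos", parse_ifcfg(CENTOS_IFCFG)),
                       ("ubuntu", parse_interfaces(UBUNTU_INTERFACES)),
                       ("bad", parse_ifcfg(BAD_IFCFG))):
        print(label, check_interface(cfg) or "OK")
```

Point it at the real file with `check_interface(parse_ifcfg(open("/etc/sysconfig/network-scripts/ifcfg-eth0").read()))` before restarting the service; the Fedora 13 file above follows the same KEY=VALUE layout.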



Sunday, March 27, 2011

Cisco VPN: Apple and Android support

Apple Devices Supported

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/release/notes/rn-ac2.4-apl4.2.html

Device                                 Apple iOS Release Required
iPad                                   4.2.1 or later
iPhone 3G                              4.1 or later
iPhone 3GS                             4.1 or later
iPhone 4                               4.1 or later
iPod Touch (2nd Generation or later)   4.1 or later

Download: iPhone Configuration Utility (IPCU) 3.3

Download iTunes 10

On Windows:
a. Connect the iPad/iPhone
b. Install iPhone Configuration Utility
c. Create a new profile and configure the certificate and AnyConnect
d. "Install" it to the iPad (pushes the profile to the device)

On the iPad:
a. When the config profile arrives, tap "Install" (it contains the certificate)
b. Connect with AnyConnect

Reference documents

Android Devices Supported

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html

We now support VPN connections between Android mobile devices and ASA 5500 series devices, when using the L2TP/IPsec protocol and the native Android VPN client.

Requirements:
• Mobile devices must be using the Android 2.1, or later, operating system.
• The ASA must be running the ASA Release 8.4(1) or later.

Saturday, March 26, 2011

Miscellaneous notes

* Free MP3 music downloads
   BearShare
   YouTube Song Downloader

* Free online music streaming
  鯊客
  亦歌

* A free "PC time machine" that makes system snapshots and restores easy
   COMODO Time Machine

* 25 GB of free online storage
  SkyDrive

* Uniform Invoice winning numbers list
  Ministry of Finance tax portal (財政部稅務入口網)

* 2007 Office system Compatibility Pack
   FileFormatConverters.exe

* PowerPoint Viewer (backward compatible with Microsoft PowerPoint 2010)
   PowerPointViewer.exe

* Virtual CloneDrive, free virtual optical drive software
  Virtual CloneDrive


Wednesday, March 23, 2011

PoE 802.3at / 802.3af standards and AP1131AG / AP1142N power requirements

802.3at (PoE+) (up to 30W per port)

802.3af (up to 15.4W per port)

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/product_data_sheet0900aecd80322c0c.html

=============
WS-C2960-24PC-L

AP1131#sh power inline f0/1
Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Fa0/1     auto   on         12.2    AIR-LAP1131AG-T-K9  3     15.4

Interface  AdminPowerMax   AdminConsumption
           (Watts)         (Watts)
---------- --------------- ----------------
Fa0/1      15.4            15.4

=============
WS-C3560G-24PS-S

AP1142N#sh power inline g0/1
Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Gi0/1     auto   on         15.4    AIR-LAP1142N-T-K9   3     15.4

Interface  AdminPowerMax   AdminConsumption
           (Watts)         (Watts)
---------- --------------- ----------------
Gi0/1      15.4            15.4

=============

Sunday, March 20, 2011

Saturday, March 19, 2011

VMware Workstation convert to ESXi

Tools : VMware vCenter Converter Standalone Client

Source : VMware Workstation (6.5)
Destination : VMware Infrastructure virtual machine (4.1)

After conversion the VM occupies the full provisioned disk size on the datastore (e.g. 3 GB -> 8 GB).

Tuesday, March 15, 2011

Exchange 2003 installation

OS : Win2003 AD Server

1. Add/Remove Windows Components, install:
a. IIS
b. ASP.NET
c. NNTP Service
d. SMTP Service

2. Start the Exchange 2003 installation
D:\SETUP\I386\SETUP.EXE

3. Add an AD user (creates the Exchange mailbox)

4. Access OWA
http://server_ip/exchange/

Monday, March 14, 2011

ASA 8.3 SSLVPN / IPSEC VPN Config

1. VPN client access to the inside network without NAT (NAT exemption, formerly nat 0)

object-group network NETWORK_OBJ_10.1.10.0_26  (vpnclient_net)
 network-object 10.1.10.0 255.255.255.0

object-group network DM_INLINE_NETWORK    (inside_net)
 network-object 192.168.0.0 255.255.0.0
 network-object 10.0.0.0 255.0.0.0

nat (inside,outside) source static DM_INLINE_NETWORK DM_INLINE_NETWORK destination static NETWORK_OBJ_10.1.10.0_26 NETWORK_OBJ_10.1.10.0_26

VPN-SSL# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static DM_INLINE_NETWORK DM_INLINE_NETWORK destination static NETWORK_OBJ_10.1.10.0_26 NETWORK_OBJ_10.1.10.0_26
    translate_hits = 3, untranslate_hits = 15

VPN-SSL# sh xl
1 in use, 155 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:192.168.0.0/16, 10.0.0.0/8 to outside:192.168.0.0/16,
    10.0.0.0/8
    flags sI idle 0:00:08 timeout 0:00:00



2. Split tunnel

With split tunneling, the client can still reach the Internet after the IPsec VPN is established.

Create the ACL:
access-list lab_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list lab_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0

Apply it to the group-policy:

group-policy lab attributes
 dns-server value 10.1.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value lab_splitTunnelAcl
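The Python example below is added here and is not the ASA's own logic or code from the post. It evaluates the two kinds of ASA access-list used in these notes: the standard split-tunnel list just above (only permitted destinations enter the tunnel under `tunnelspecified`), and the extended `route-inside` list from the intra-interface post that feeds `nat (inside) 0 access-list route-inside` (matching flows bypass translation; the 8.3 `nat (inside,outside) source static ... destination static ...` form above expresses the same exemption with object groups). It shows that ASA entries use real subnet masks rather than IOS wildcard masks and are matched first-hit in order, and it goes slightly beyond the page by also accepting the `any` and `host` keywords. The class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample (assumption): the split-tunnel ACL from this post and the
# NAT-exemption ACL from the intra-interface post, exactly as written there.
SAMPLE_ACLS = """\
access-list lab_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list lab_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list route-inside extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
"""


@dataclass
class Ace:
    name: str
    action: str
    src: Optional[ipaddress.IPv4Network]   # None for a standard ACL entry
    dst: ipaddress.IPv4Network


def asa_network(words, i):
    """Consume an ASA address spec at words[i]: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.

    ASA ACLs take a real subnet mask (255.0.0.0), not an IOS wildcard (0.255.255.255).
    Returns the network and the index of the next unread word.
    """
    if words[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if words[i] == "host":
        return ipaddress.IPv4Network(f"{words[i + 1]}/32"), i + 2
    return ipaddress.IPv4Network(f"{words[i]}/{words[i + 1]}", strict=False), i + 2


def parse_asa_acls(text):
    """Return the ACEs of every access-list in the text, in configuration order."""
    aces = []
    for line in text.splitlines():
        w = line.split()
        if len(w) < 5 or w[0] != "access-list":
            continue
        name, kind, action = w[1], w[2], w[3]
        if kind == "standard":                      # access-list NAME standard permit NET MASK
            dst, _ = asa_network(w, 4)
            aces.append(Ace(name, action, None, dst))
        elif kind == "extended" and w[4] == "ip":   # access-list NAME extended permit ip SRC DST
            src, i = asa_network(w, 5)
            dst, _ = asa_network(w, i)
            aces.append(Ace(name, action, src, dst))
    return aces


def first_match(aces, name, dst, src=None):
    """'permit'/'deny' of the first entry of ACL <name> that matches, or None if nothing does."""
    d = ipaddress.IPv4Address(dst)
    s = ipaddress.IPv4Address(src) if src else None
    for ace in aces:
        if ace.name != name or d not in ace.dst:
            continue
        if ace.src is not None and (s is None or s not in ace.src):
            continue
        return ace.action
    return None


def is_tunneled(aces, dst):
    """split-tunnel-policy tunnelspecified: only destinations the list permits use the tunnel."""
    return first_match(aces, "lab_splitTunnelAcl", dst) == "permit"


def is_nat_exempt(aces, src, dst):
    """nat (inside) 0 access-list route-inside: flows the list permits bypass translation."""
    return first_match(aces, "route-inside", dst, src) == "permit"


if __name__ == "__main__":
    acl = parse_asa_acls(SAMPLE_ACLS)
    for dst in ("10.1.1.1", "192.168.10.5", "203.0.113.5"):
        print(f"{dst}: {'tunnel' if is_tunneled(acl, dst) else 'direct to Internet'}")
    print("192.168.1.10 -> 192.168.2.20 NAT exempt:", is_nat_exempt(acl, "192.168.1.10", "192.168.2.20"))
```

A destination that evaluates to `direct to Internet` here leaves the client's physical interface untouched, which is exactly the behaviour the split-tunnel section relies on; a destination inside 10.0.0.0/8 or 192.168.0.0/16 goes through the tunnel and then, on the ASA, through the identity NAT rule shown in section 1.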