Saturday, January 7, 2017

Cisco 1841 IOS(Firmware) upgrade c1841-adventerprisek9-mz.123-14.T3.bin(support SSH v2)

######################################################
Before starting, configure the FTP username and password on the router
(config: ip ftp username <user> / ip ftp password <password>)
######################################################

# Delete the old IOS images and unused packages to free flash space.
# Keep the image that is currently running until the new one has been verified and booted;
# if flash cannot hold both, check "dir flash:" first so you are not left in ROMMON after a reload.
del /force /recursive flash:c1841-ipbase-mz.124-1c.bin

del /force /recursive flash:c1841-adventerprisek9-mz.123-14.T3.bin

del /force /recursive flash:securedesktop-ios-3.1.1.27-k9.pkg

del /force /recursive flash:sdm.tar

# Delete the old IOS image c2800nm-ipbase-mz.124-24.T6.bin (if present)
del /force /recursive flash:c2800nm-ipbase-mz.124-24.T6.bin

# Copy the new IOS image to flash over FTP (uses the ip ftp username/password configured earlier;
# note that FTP sends those credentials in the clear, so keep the transfer on the management network)
copy ftp://172.17.200.2/CiscoIOS/c1841-entservicesk9-mz.124-19a.bin flash:

# Verify the copy against the MD5 published on Cisco's download page for this image.
# The output must say "Verified"; if IOS reports a mismatch, do not touch the boot statement.
verify /md5 flash:/c1841-entservicesk9-mz.124-19a.bin aefd7bef96f681fddf5bd1019252425b

# Boot from the new image c1841-entservicesk9-mz.124-19a.bin
config term
# Remove the old boot statement
no boot system flash c1841-adventerprisek9-mz.123-14.T3.bin

# Add the new boot statement
boot system flash c1841-entservicesk9-mz.124-19a.bin
exit
write

# Check the boot statement before reloading; the new image is only used after a reload
show run | include boot system
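As an added example (not part of the original post), the same integrity check done on the FTP server before the image is copied to the router. The digest algorithm is inferred from the length of the published value so either an MD5 or a SHA-512 from Cisco's download page can be pasted in unchanged, the file is hashed in chunks, the comparison is constant-time, and the matching "verify /md5" line for the router is produced. The file name and digest values in the demo at the bottom are constructed.

```python
"""Check an IOS image against the vendor-published digest before copying it to flash.
Added example for this post; the sample data at the bottom is constructed."""
import hashlib
import hmac
import os
import tempfile

# Cisco publishes MD5 for older images and SHA-512 for newer ones; pick the algorithm
# from the length of the digest string so either can be pasted in unchanged.
ALGORITHM_BY_HEX_LENGTH = {32: "md5", 64: "sha256", 128: "sha512"}


def _algorithm_for(expected_digest):
    try:
        return ALGORITHM_BY_HEX_LENGTH[len(expected_digest)]
    except KeyError:
        raise ValueError("unrecognised digest length %d" % len(expected_digest))


def digest_stream(stream, algorithm, chunk_size=1 << 20):
    """Hash a binary stream chunk by chunk (images are tens of MB; don't slurp them)."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_bytes(data, expected_digest):
    """Return (ok, algorithm, actual_digest) for in-memory data."""
    expected = expected_digest.strip().lower()
    algorithm = _algorithm_for(expected)
    actual = hashlib.new(algorithm, data).hexdigest()
    # constant-time compare: not critical for a checksum, but a cheap habit to keep
    return hmac.compare_digest(actual, expected), algorithm, actual


def verify_image(path, expected_digest):
    """Return (ok, algorithm, actual_digest) for a file on disk."""
    expected = expected_digest.strip().lower()
    algorithm = _algorithm_for(expected)
    with open(path, "rb") as fh:
        actual = digest_stream(fh, algorithm)
    return hmac.compare_digest(actual, expected), algorithm, actual


def ios_verify_command(filesystem, filename, expected_md5):
    """The 'verify /md5' line to run on the router once the copy has landed in flash,
    so the transfer itself is checked too (verify /md5 is what 12.4 IOS offers)."""
    return "verify /md5 %s:/%s %s" % (filesystem, filename, expected_md5.strip().lower())


if __name__ == "__main__":
    # Constructed stand-in for an image: 3 bytes whose MD5 is well known.
    tmpdir = tempfile.mkdtemp()
    image = os.path.join(tmpdir, "c1841-entservicesk9-mz.124-19a.bin")
    with open(image, "wb") as fh:
        fh.write(b"abc")
    ok, alg, actual = verify_image(image, "900150983cd24fb0d6963f7d28e17f72")
    print("%s %s %s" % ("OK" if ok else "MISMATCH", alg, actual))
    if ok:
        print(ios_verify_command("flash", os.path.basename(image),
                                 "900150983cd24fb0d6963f7d28e17f72"))
```

Run it against the real image with the digest copied from the download page; only copy the file to the router when it reports OK, then run the printed verify line on the router so a corrupted FTP transfer is caught as well.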

Tuesday, January 3, 2017

Cisco Archive (scheduled configuration backup)

config term

archive
 log config
  hidekeys
 path ftp://172.17.200.2/CiscoArchive/$h-config_
 write-memory
 time-period 10080

What each line does: "log config" keeps a log of configuration commands as they are entered, and "hidekeys" suppresses passwords and keys in that log; "path" is where the backups are written, with $h expanded to the hostname ($t would add a timestamp) and a sequence number appended; "write-memory" takes a backup every time the configuration is saved; "time-period 10080" also takes one every 10080 minutes, i.e. weekly.

Two caveats. "hidekeys" only affects the change log: the archived configuration files still contain every "password 7" and key line from the running config, so the FTP server holding them needs the same protection as the router itself. And FTP sends the login and the file in the clear, so keep it on a management network (the archive path can also point at scp: or local flash:).

======================================================================
With time-period 10080 the next backup runs exactly one week after the previous one (the period is given in minutes). What if we want backups at an explicit time of day or date? The Archive feature alone cannot do that, but it can be combined with Kron: because write-memory is set above, any scheduled "write memory" also triggers an archive upload at that moment.

Kron is the command scheduler built into Cisco IOS. A Kron policy list holds the commands to run, and a Kron occurrence says when to run it, once or on a recurring basis. Kron cannot run interactive commands, i.e. commands that prompt for confirmation, such as "copy running-config startup-config", which asks for the destination filename. "write memory" does the same job without prompting, so that is what goes in the policy.

R1(config)#kron policy-list CONFIGURATION_BACKUP
R1(config-kron-policy)#cli write memory
R1(config-kron-policy)#exit
R1(config)#kron occurrence BACKUP_OCCURRENCE at 9:00 25 recurring
R1(config-kron-occurrence)#policy-list CONFIGURATION_BACKUP

This runs the backup at 09:00 on the 25th of every month; use a day name (for example "at 9:00 Mon") for a weekly schedule. Kron depends on the router clock being right, so configure NTP first.


=============================================================================

Thank you for the response; you can see the configs we use below.

!
kron occurrence backup-config at 10:09 Wed recurring system-startup
policy-list backup-config
!
kron policy-list backup-config
cli show config | redirect tftp://10.1.1.200/tftp/iznsw25.conf
!

Thursday, July 21, 2016

MTU problems you may run into with GRE tunnels

From:http://teenyscrew.blogspot.tw/2014/06/gre-tunnel-mtu.html

In general the Ethernet MTU (the frame payload, excluding the header) is 1500 bytes; the Ethernet header is 14 bytes and the FCS trailer 4 bytes.

Those 1500 bytes contain:

  1. the IP header (20 bytes without options)
  2. the TCP header (20 bytes without options; a UDP header is 8 bytes)
  3. the TCP / UDP payload (variable)
For TCP, each side announces in the three-way handshake how large item 3 may be; that value is the MSS.

Because the Ethernet MTU is normally 1500 bytes, subtracting the fixed IP header and TCP header

leaves 1460 bytes, which is the largest MSS achievable under normal conditions.


So in the three-way handshake TCP normally assumes its MSS is 1460 bytes.



That covers MTU; now for GRE tunnels.


A GRE tunnel takes the original packet unchanged and prepends an outer IP header plus a GRE header, 24 bytes in total*.


So a TCP/IP packet with MSS=1460, once it reaches the GRE tunnel router and is encapsulated, becomes

1460 + 20 + 20 + 24 = 1524 bytes
And there is the problem: even a GRE tunnel packet has to leave through a physical port,

and the Ethernet MTU is 1500 bytes, so the packet must be fragmented to be sent at all. If it carries the DF bit it cannot be fragmented and is dropped instead; the router returns an ICMP "fragmentation needed" message, and when that message is filtered somewhere along the path the connection simply hangs.


One way to avoid the fragmentation is to reduce the MSS so that the packet still stays within 1500 bytes after the GRE header is added.


The MSS must therefore be less than or equal to

1500 - 24 - 20 - 20 = 1436
This is also why the default MTU of a GRE tunnel interface is 1436 + 20 + 20 = 1476 bytes.


There are several ways to change the MSS:

  1. On the hosts themselves. Inconvenient; not recommended.
  2. Have the router rewrite the MSS value as it forwards the TCP handshake: ip tcp adjust-mss 1436 (configured on the tunnel interface; see the note below)
When testing with ping on Windows, note that the size given with -l is only the ICMP data field: it does not include the ICMP header**, let alone the IP header. So on Ethernet with MTU = 1500 bytes, an ICMP packet whose data exceeds 1500 - 20 - 8 = 1472 bytes can no longer be sent (assuming DF is set for the test), e.g.
 ping 168.95.1.1 -l 1472 -f
On a Cisco device, however, the packet size given to ping includes the IP header + ICMP header + ICMP data, so the largest size that still gets through is 1500. Above that, with df-bit set, the packet cannot be sent***.

Finally, note that the IPv6 header is 40 bytes, so under normal conditions the MSS should be 1500 (MTU) - 40 (IPv6 header) - 20 (TCP header) = 1440 bytes, and across a GRE tunnel MSS = 1500 - 24 - 40 - 20 = 1416 bytes (20 bytes less than IPv4).
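Added example, not from the original post or the blog it quotes: a Python model of what "ip tcp adjust-mss" does on the router. It builds a constructed IPv4 TCP SYN advertising MSS 1460, clamps the option down to the tunnel value and recomputes the TCP checksum, and leaves SYNs that already advertise a smaller MSS untouched (non-SYN segments carry no MSS option and are passed through). tunnel_mss carries the arithmetic above for IPv4, IPv6 and the 1280-byte minimum MTU case. Addresses and ports are made up.

```python
"""Model of `ip tcp adjust-mss`: clamp the MSS option of TCP SYNs so the segment still
fits the link MTU after GRE adds its 24 bytes. Added example; the SYN is constructed."""
import struct

GRE_OVERHEAD = 24            # 20-byte outer IPv4 header + 4-byte GRE header (no key/seq/checksum)
IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20


def tunnel_mss(link_mtu=1500, ipv6=False, overhead=GRE_OVERHEAD):
    """Largest MSS whose segment, plus inner IP/TCP headers and tunnel overhead, fits link_mtu."""
    return link_mtu - overhead - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR


def tunnel_mtu(link_mtu=1500, overhead=GRE_OVERHEAD):
    """Interface MTU of the tunnel: what the inner packet may be at most."""
    return link_mtu - overhead


def _checksum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _tcp_checksum(src, dst, tcp):
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))   # IPv4 pseudo-header, proto 6 = TCP
    return _checksum(pseudo + bytes(tcp))


def build_syn(src, dst, sport, dport, mss):
    """Constructed IPv4/TCP SYN carrying an MSS option (sample input, not a real capture)."""
    opts = struct.pack("!BBH", 2, 4, mss)                          # kind 2 = MSS, length 4
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                                ((20 + len(opts)) // 4) << 4, 0x02, 65535, 0, 0) + opts)
    struct.pack_into("!H", tcp, 16, _tcp_checksum(src, dst, tcp))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,  # DF set
                               64, 6, 0, src, dst))
    struct.pack_into("!H", ip, 10, _checksum(bytes(ip)))
    return bytes(ip + tcp)


def _mss_option_offset(pkt):
    """Return (offset of the MSS value, tcp_start); offset is None if there is no MSS option."""
    tcp_start = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or not pkt[tcp_start + 13] & 0x02:          # not TCP, or not a SYN
        return None, tcp_start
    i, end = tcp_start + 20, tcp_start + (pkt[tcp_start + 12] >> 4) * 4
    while i < end:
        kind = pkt[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        length = pkt[i + 1]
        if length < 2:                      # malformed option: stop rather than loop
            break
        if kind == 2 and length == 4:       # MSS
            return i + 2, tcp_start
        i += length
    return None, tcp_start


def read_mss(pkt):
    off, _ = _mss_option_offset(pkt)
    return None if off is None else struct.unpack_from("!H", pkt, off)[0]


def clamp_mss(pkt, max_mss):
    """Rewrite the SYN's MSS option down to max_mss when it is larger and fix the TCP checksum.
    Returns (packet, original_mss); the packet is returned unchanged when nothing needs clamping."""
    off, tcp_start = _mss_option_offset(pkt)
    if off is None:
        return pkt, None
    original = struct.unpack_from("!H", pkt, off)[0]
    if original <= max_mss:
        return pkt, original
    buf = bytearray(pkt)
    struct.pack_into("!H", buf, off, max_mss)
    tcp = buf[tcp_start:]
    tcp[16:18] = b"\x00\x00"
    struct.pack_into("!H", tcp, 16, _tcp_checksum(bytes(buf[12:16]), bytes(buf[16:20]), tcp))
    buf[tcp_start:] = tcp
    return bytes(buf), original


def tcp_checksum_ok(pkt):
    tcp_start = (pkt[0] & 0x0F) * 4
    return _tcp_checksum(pkt[12:16], pkt[16:20], pkt[tcp_start:]) == 0


if __name__ == "__main__":
    syn = build_syn(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 40000, 443, 1460)
    clamped, original = clamp_mss(syn, tunnel_mss())
    print("MSS %d -> %d, checksum ok: %s" % (original, read_mss(clamped), tcp_checksum_ok(clamped)))
```

The router only rewrites SYNs, so the clamp takes effect per connection and both directions are covered when the command sits on the tunnel interface (the SYN and the SYN/ACK both traverse it).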

 * More precisely, the 24 bytes are the 4-byte GRE header plus the new 20-byte outer IP header, since new IP packet = new IP header + GRE header + original IP packet. By the way, the GRE header used by Dynamic Multipoint VPN (DMVPN) is 26 bytes.

** A complete ICMP packet is ethernet header + IP header + ICMP header (+ data). ICMP is not a transport protocol; it is carried inside IP and relies on IP for delivery.

*** Quoting a CCIE's answer on the Cisco forum:

In IOS, when you specify the size, that is the overall packet length.  So if you specify size 250, the packet will be 250 bytes.  In windows, ping -l specifies the ICMP data.  So -l 250 produces a 278 byte IP packet.  This is calculated as 250 bytes of data + 8 bytes of ICMP header + 20 bytes of IP header.  I just wanted to make the distinction as to what size meant in IOS as opposed to Windows.
Note: one article says the IPv6 form of the command only exists from IOS 15.2(4)M on, but in my tests it did not work; perhaps it depends on the license?


Update 2014-07-07
A reader pointed out that the ipv6 tcp adjust-mss command mentioned in that article only exists on the ASR, so trying it on an ISR would never work. The plain ip tcp adjust-mss command already meets my needs, because it rewrites the TCP MSS for both IPv4 and IPv6. I confirmed this in an experiment this morning: watching the three-way handshake in Wireshark, the MSS was indeed changed to the 1220 bytes I configured (a test value, derived from the IPv6 minimum MTU of 1280 bytes).

References
http://networklessons.com/ip-routing/pppoe-mtu-troubleshooting-cisco-ios/
http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/13725-56.pdf
http://itchenyi.blog.51cto.com/4745638/1137143
http://blog.thousandeyes.com/troubleshooting-path-mtu-tcp-mss-problems/
http://switchpacket.blogspot.tw/2014/07/understanding-difference-between-mtu.html

Friday, March 25, 2016

Cron Example

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

# These jobs run as root, so the scripts, their directories and the log files they append to
# must be writable only by root; a world-writable script here is a privilege escalation.
3 0 * * * root /raid/log/dailytar.sh >> /raid/data/log/dailytar.log 2>&1
33 0 * * * root /raid/log/synclog.sh >> /raid/syslog/TPBak/rsync.log 2>&1
*/3 1-23 * * * root /raid/log/checklog.sh
50 23 * * * root /raid/data/module/rSyslog/system/etc/rc.d/rsyslog-server restart > /dev/null
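Added example (not part of the original post): a small Python parser for the five time fields above, so an entry like "*/3 1-23 * * *" can be checked against a given minute and its next firing time computed. It handles the two cron quirks that catch people: day-of-week 7 means Sunday just like 0, and when both day-of-month and day-of-week are restricted the entry fires when either one matches. The crontab line in the demo is the one from the list above.

```python
"""Parse cron's five time fields and test entries against a given minute.
Added example, not part of the original post."""
import datetime as dt

MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
DAYS = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}
# (low, high, name table) for minute, hour, day-of-month, month, day-of-week
FIELDS = [(0, 59, {}), (0, 23, {}), (1, 31, {}), (1, 12, MONTHS), (0, 7, DAYS)]


def _value(token, names):
    token = token.lower()
    return names[token] if token in names else int(token)


def expand_field(field, lo, hi, names):
    """'*/3' -> {0,3,6,...}, '1-23' -> {1..23}, 'mon,fri' -> {1,5}. Day-of-week 7 folds to 0."""
    values = set()
    for part in field.split(","):
        step = 1
        stepped = "/" in part
        if stepped:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _value(a, names), _value(b, names)
        else:
            start = _value(part, names)
            end = hi if stepped else start          # 'N/step' means N..hi every step
        if not lo <= start <= end <= hi or step < 1:
            raise ValueError("bad cron field %r" % field)
        values.update(range(start, end + 1, step))
    if hi == 7 and 7 in values:                    # day-of-week: 7 is Sunday, same as 0
        values.discard(7)
        values.add(0)
    return values


def parse_spec(spec):
    """Return (list of 5 value sets, dom_is_star, dow_is_star) for a 'm h dom mon dow' spec."""
    fields = spec.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields, got %r" % spec)
    sets = [expand_field(f, lo, hi, names) for f, (lo, hi, names) in zip(fields, FIELDS)]
    return sets, fields[2].startswith("*"), fields[4].startswith("*")


def _as_datetime(when):
    return dt.datetime.fromisoformat(when) if isinstance(when, str) else when


def cron_matches(spec, when):
    """True if the entry fires at the given minute (datetime or 'YYYY-MM-DD HH:MM' string)."""
    (minute, hour, dom, month, dow), dom_star, dow_star = parse_spec(spec)
    t = _as_datetime(when)
    cron_dow = (t.weekday() + 1) % 7               # datetime: Monday=0; cron: Sunday=0
    # Vixie cron rule: if either day field is '*', both must match; otherwise either may.
    if dom_star or dow_star:
        day_ok = t.day in dom and cron_dow in dow
    else:
        day_ok = t.day in dom or cron_dow in dow
    return t.minute in minute and t.hour in hour and t.month in month and day_ok


def next_run(spec, after, limit_days=366):
    """First minute strictly after 'after' at which the entry fires (None if none within limit)."""
    t = _as_datetime(after).replace(second=0, microsecond=0) + dt.timedelta(minutes=1)
    for _ in range(limit_days * 24 * 60):
        if cron_matches(spec, t):
            return t
        t += dt.timedelta(minutes=1)
    return None


def parse_crontab_line(line):
    """Split a system-crontab line (/etc/crontab format) into (spec, user, command)."""
    parts = line.split(None, 6)
    if len(parts) < 7:
        raise ValueError("not a system crontab entry: %r" % line)
    return " ".join(parts[:5]), parts[5], parts[6]


if __name__ == "__main__":
    entry = "*/3 1-23 * * * root /raid/log/checklog.sh"
    spec, user, cmd = parse_crontab_line(entry)
    print(spec, "->", next_run(spec, "2016-03-25 00:59"), "as", user, ":", cmd)
```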

Saturday, March 19, 2016

Splunk: index Cisco ASA5550 firewall logs, but only events containing a chosen string, to stay under the license quota


1. Splunk monitors the files D:\Firewall-Log-Splunk\filter-tpe-asa5550*
2. props.conf applies a TRANSFORMS-set to that sourcetype
3. transforms.conf first routes every event to the nullQueue, then routes events containing the string "0x" back to the indexQueue (order matters: the last matching transform wins)
4. Restart the Splunk service after changing the configuration

C:\Program Files\Splunk\etc\apps\search\local
inputs.conf
===================================================================
[monitor://J:\Firewall-Log-Check]
disabled = false
index = firewall-log-check
whitelist =

[monitor://D:\Firewall-Log-Splunk]
disabled = false
index = tpe-asa5550
whitelist = filter-tpe-asa5550*

[monitor://D:\014-FirewallLog-Splunk]
disabled = false
index = 014-firewalllog-splunk
whitelist = tpe-014pix*


C:\Program Files\Splunk\etc\apps\learned\local
props.conf (corresponds to [Data inputs] -> [Files & directories] -> [Source type]; the stanza name must be the sourcetype assigned to the monitored files)
=================================================================
[filter-tpe-asa]
TRANSFORMS-set = setnull, setparsing
MAX_TIMESTAMP_LOOKAHEAD = 36
is_valid = True


C:\Program Files\Splunk\etc\system\local
transforms.conf (corresponds to [Fields] -> [Field transformations])
=================================================================
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = 0x
DEST_KEY = queue
FORMAT = indexQueue

The order in TRANSFORMS-set is what makes this work: setnull matches every event and sends it to the nullQueue, then setparsing runs and, for events containing "0x", overrides the queue back to indexQueue. Listed the other way round, everything would be discarded. "0x" is matched anywhere in the event, so make the pattern as specific as the messages you actually need (for ASA deny messages the trailing "[0x..., 0x...]" access-list hash is one possible anchor). Events sent to the nullQueue are gone for good, not merely unindexed; if the full log must be kept for investigations, keep the raw files on the D: drive as well.
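Added example (not part of the original post): a Python simulation of the queue routing that the two stanzas above perform at index time, run over a handful of constructed ASA-style log lines. It shows that the last matching transform decides the queue, what swapping the two stanzas would do, how a stricter pattern anchored on the ACL hash behaves, and how much of the raw volume never reaches the license meter. The log lines are made up in the shape of real ASA messages.

```python
"""Simulate Splunk's index-time queue routing for the two transforms on this page.
Added example, not part of the original post; the ASA log lines are constructed."""
import re

# The transforms.conf stanzas above, in the order props.conf lists them in TRANSFORMS-set.
TRANSFORMS = [
    ("setnull",    r".",  "nullQueue"),    # matches every event: discard by default
    ("setparsing", r"0x", "indexQueue"),   # evaluated later, so it wins for events containing "0x"
]

# Same idea with a stricter pattern: only the ACL-hash suffix that ASA deny messages carry.
TRANSFORMS_ANCHORED = [
    ("setnull",    r".", "nullQueue"),
    ("setparsing", r"\[0x[0-9a-f]+, 0x[0-9a-f]+\]$", "indexQueue"),
]

# Constructed sample events in the shape of ASA syslog messages (not a real capture).
SAMPLE_ASA_LOG = [
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51000 "
    "(203.0.113.5/51000) to inside:10.0.0.7/443 (10.0.0.7/443)",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.0.7/22 '
    'by access-group "outside_in" [0x8ed66b60, 0x0]',
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/51000 "
    "to inside:10.0.0.7/443 duration 0:00:12 bytes 4096 TCP FINs",
    "%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.9(4444) -> "
    "inside/10.0.0.7(22) hit-cnt 1 first hit [0xd2c6f3e6, 0x0]",
    "%ASA-5-111008: User 'admin' executed the 'show running-config' command.",
]


def route_event(event, transforms=TRANSFORMS):
    """Queue the event ends up in. Splunk evaluates the transforms in order and the last
    one whose REGEX matches sets DEST_KEY=queue; with no match at all the event is indexed."""
    queue = "indexQueue"
    for _name, regex, dest in transforms:
        if re.search(regex, event):
            queue = dest
    return queue


def split_events(events, transforms=TRANSFORMS):
    """Partition events into (indexed, dropped) the way the indexer would."""
    indexed, dropped = [], []
    for event in events:
        (indexed if route_event(event, transforms) == "indexQueue" else dropped).append(event)
    return indexed, dropped


def licence_saving(events, transforms=TRANSFORMS):
    """Fraction of raw bytes that never reach the index (the license meter counts indexed bytes)."""
    total = sum(len(e.encode()) for e in events)
    kept = sum(len(e.encode()) for e in split_events(events, transforms)[0])
    return 1 - kept / total if total else 0.0


if __name__ == "__main__":
    kept, dropped = split_events(SAMPLE_ASA_LOG)
    print("indexed %d, dropped %d, licence saving %.0f%%"
          % (len(kept), len(dropped), 100 * licence_saving(SAMPLE_ASA_LOG)))
    # Pitfall: with the stanzas swapped, setnull runs last and wins for everything.
    print(route_event(SAMPLE_ASA_LOG[1], list(reversed(TRANSFORMS))))
```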

Wednesday, March 9, 2016

Cisco Router/Switch Enable SSH



Follow the next steps to enable SSH:
• Configure the hostname command.
• Configure the DNS domain.
• Generate RSA key to be used.
• Enable SSH transport support for the virtual type terminal (vty)

Example SSH version 2 configuration:

hostname ssh-router
aaa new-model
! "password" stores the credential in the clear (or as reversible type 7); prefer
! "username <name> secret <password>", and replace cisco/cisco with a real credential.
username cisco password cisco
ip domain-name routers.local

! Specifies which RSA keypair to use for SSH usage.
! (This command is not accepted on the Cisco 4506/4507.)
ip ssh rsa keypair-name sshkeys

! Generates the RSA key pair; the SSH server is enabled once the keys exist.
! For SSH Version 2 the modulus must be at least 768 bits; use 2048 or more where the
! platform allows it, as 1024-bit RSA is below current recommendations.
crypto key generate rsa usage-keys label sshkeys modulus 1024


! SSH control variables: negotiation timeout in seconds
ip ssh time-out 120

! Configure SSH version 2 only (disables SSH version 1)
ip ssh version 2


!--- disable Telnet and enable SSH
!--- check "show line" and apply this to every vty line the platform has, not only 0-4
line vty 0 4
transport input ssh


Commands to verify SSH configuration:
• show ssh
• show ip ssh
• debug ip ssh



###Remove RSA key
(config)#crypto key zeroize rsa 
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: no

=====================================================================
ip domain-name pro.tcbank.cop

crypto key generate rsa usage-keys label sshkeys modulus 1024

ip ssh time-out 120

ip ssh version 2


! Detach the ACL from the vty lines before deleting and re-entering it; while the list is
! missing or half-built the lines are not protected as intended
line vty 0 4
no access-class VTY_ACL in

exit

no ip access-list extended VTY_ACL

! Management hosts allowed to reach the vty lines (eq telnet = port 23, eq 22 = SSH);
! everything else hits the implicit deny at the end
ip access-list extended VTY_ACL
 permit tcp host 192.168.91.44 any eq telnet
 permit tcp host 192.168.1.45 any eq telnet
 permit tcp host 172.17.1.18 any eq telnet
 permit tcp host 172.16.11.21 any eq 22
 permit tcp host 172.16.11.196 any eq 22
 permit tcp host 172.17.1.27 any eq 22
 permit tcp host 172.17.1.33 any eq 22
 permit tcp host 172.17.1.56 any eq 22
 permit tcp host 192.168.1.25 any eq 22
 permit tcp host 192.168.1.25 any eq telnet
 permit tcp host 192.168.1.28 any eq 22
 permit tcp host 192.168.90.27 any eq 22
 permit tcp host 192.168.90.27 any eq telnet
 permit tcp host 192.168.90.7 any eq 22
 permit tcp 10.91.0.0 0.0.255.255 any eq 22
 permit tcp 10.90.0.0 0.0.255.255 any eq 22

line vty 0 4
access-class VTY_ACL in
transport input ssh telnet
! Telnet stays enabled here for the listed hosts and sends the login in the clear;
! "transport input ssh" is the intended end state once those hosts have an SSH client.
! Apply the access-class to any further vty lines the platform has (e.g. line vty 5 15),
! otherwise they accept connections from anywhere.


Xshell shows "WARNING! The remote SSH server rejected agent-forwarding request." when connecting over SSH


When connecting to a Cisco switch over SSH with Xshell, after entering the username/password you may see
"WARNING! The remote SSH server rejected agent-forwarding request."
It is only a warning: the IOS SSH server does not support agent forwarding, so it declines the request the client sends by default. Adjusting the session's SSH Tunneling / Forwarding settings (turn forwarding off) makes it go away.




reference url: https://www.netsarang.com/tutorial/xshell/1018/Using_X11_forwarding



Thursday, March 3, 2016

Cisco 4507R+E Upgrade IOS-XE Firmware


Model: Cisco 4507R+E (chassis WS-C4507R+E, 7 slots)
OS: IOS-XE 03.04.00.SG
Supervisor: WS-X45-SUP7L-E

# Define the FTP server username & password
config term
ip ftp username tcbnetadmin
ip ftp password 7 01070506035D535D701C1950
exit
# The "7" marks Cisco's reversible type 7 obfuscation, not encryption: anyone who reads this
# line, or an archived copy of the config, can recover the FTP password. Do not paste type 7
# strings into notes, and prefer copy scp:// over FTP so the login is not sent in the clear.

# Use ftp service transfer IOS to flash
copy ftp://172.17.200.1/CiscoIOS/cat4500e-universalk9.SPA.03.06.03.E.152-2.E3.bin bootflash:

# Verify IOS file. Without the expected digest, "verify /md5" only prints the computed MD5;
# compare it with the value on Cisco's download page, or append that value to the command so
# IOS does the comparison and reports "Verified". (The file was copied to bootflash: above.)
verify /md5 bootflash:/cat4500e-universalk9.SPA.03.06.03.E.152-2.E3.bin

# Boot from the new image cat4500e-universalk9.SPA.03.06.03.E.152-2.E3.bin
config term
boot system flash bootflash:cat4500e-universalk9.SPA.03.06.03.E.152-2.E3.bin
exit

write
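Added example, not part of the original posts: a Python audit for saved IOS configurations that covers the points raised in this post and in the "Cisco Router/Switch Enable SSH"  and "Cisco Archive" posts above. It decodes type 7 strings (the "ip ftp password 7 ..." line here, and whatever the archived config files carry) to show they are reversible, flags "username ... password" entries that are not one-way hashed, reports vty lines that have no access-class or still accept telnet, and notes when "ip ssh version 2" is missing. The type 7 key is the long-public one; the decoded test vector is the textbook value "cisco". SAMPLE_CONFIG is constructed in the shape of the configs on this page, not a real device's.

```python
"""Audit a saved IOS configuration for the weak spots discussed on this page.
Added example, not part of the original post; SAMPLE_CONFIG is constructed."""
import re

# XOR key behind Cisco "type 7" password obfuscation; it has been public for decades.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded):
    """Recover the plaintext behind 'password 7 <hex>': two-digit seed, then one hex pair per byte."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def type7_encode(plain, seed=9):
    """Inverse of type7_decode (IOS picks a seed between 0 and 15 at random)."""
    data = plain.encode("latin-1")
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return "%02d%s" % (seed, out.hex().upper())


def _line_blocks(lines, prefix):
    """Yield (header, [body lines]) for 'line vty ...' sections; the body is the indented lines."""
    i = 0
    while i < len(lines):
        if lines[i].startswith(prefix):
            header, body, i = lines[i].rstrip(), [], i + 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1


def audit_config(text):
    """Return [(code, detail)] findings. Codes: TYPE7_REVERSIBLE, CLEARTEXT_PASSWORD,
    SSH_V1_ALLOWED, VTY_NO_ACCESS_CLASS, TELNET_ENABLED."""
    findings = []
    lines = text.splitlines()
    for raw in lines:
        s = raw.strip()
        m = re.search(r"\bpassword 7 ((?:[0-9A-Fa-f]{2}){2,})$", s)
        if m:
            findings.append(("TYPE7_REVERSIBLE", "%s -> %r" % (s, type7_decode(m.group(1)))))
        elif re.match(r"username \S+ password (0 )?\S+$", s):
            findings.append(("CLEARTEXT_PASSWORD", s))   # 'secret' would store a one-way hash
    if "ip ssh version 2" not in (l.strip() for l in lines):
        findings.append(("SSH_V1_ALLOWED", "ip ssh version 2 is not set"))
    for header, body in _line_blocks(lines, "line vty"):
        if not any(b.startswith("access-class ") and b.endswith(" in") for b in body):
            findings.append(("VTY_NO_ACCESS_CLASS", header))
        for b in body:
            if b.startswith("transport input") and ("telnet" in b or b.endswith(" all")):
                findings.append(("TELNET_ENABLED", "%s: %s" % (header, b)))
    return findings


# Constructed sample in the shape of the configs on this page (not a real device).
SAMPLE_CONFIG = """\
hostname ssh-router
aaa new-model
username cisco password cisco
username ops secret 5 $1$abcd$constructedhashvalue
ip domain-name routers.local
ip ftp username netadmin
ip ftp password 7 094F471A1A0A
ip ssh time-out 120
ip ssh version 2
ip access-list extended VTY_ACL
 permit tcp 10.90.0.0 0.0.255.255 any eq 22
line vty 0 4
 access-class VTY_ACL in
 transport input ssh telnet
line vty 5 15
 transport input ssh
"""


if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_CONFIG):
        print("%-20s %s" % (code, detail))
```

Point it at the files the Archive post uploads to the FTP server and it doubles as a check that those backups are not sitting somewhere readable by everyone, since every finding it prints came straight out of the backup.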