
Saturday, January 7, 2017

Cisco 1841 IOS(Firmware) upgrade c1841-adventerprisek9-mz.123-14.T3.bin(support SSH v2)

######################################################
Before this procedure, the FTP username and password need to be set up
######################################################

# Delete the old IOS images and other unneeded files from flash
del /force /recursive flash:c1841-ipbase-mz.124-1c.bin
del /force /recursive flash:c1841-adventerprisek9-mz.123-14.T3.bin
del /force /recursive flash:securedesktop-ios-3.1.1.27-k9.pkg
del /force /recursive flash:sdm.tar

# Del origin IOS c2800nm-ipbase-mz.124-24.T6.bin
del /force /recursive flash:c2800nm-ipbase-mz.124-24.T6.bin

# Use ftp service transfer IOS to flash
copy ftp://172.17.200.2/CiscoIOS/c1841-entservicesk9-mz.124-19a.bin flash:

# Verify IOS file
verify /md5 flash:/c1841-entservicesk9-mz.124-19a.bin aefd7bef96f681fddf5bd1019252425b

# Setup Boot from IOS c1841-entservicesk9-mz.124-19a.bin
config term
# Delete old boot config
no boot system flash c1841-adventerprisek9-mz.123-14.T3.bin

# Add New boot config
boot system flash c1841-entservicesk9-mz.124-19a.bin
exit
write

Tuesday, January 3, 2017

Cisco Archive (Scheduled Config Backup)


config term

archive
 log config
  hidekeys
 path ftp://172.17.200.2/CiscoArchive/$h-config_
 write-memory
 time-period 10080

======================================================================
The next backup will be performed in one week exactly (time in minutes), but what if we would like to configure this periodicity with an explicit date time? Unfortunately with the current Archive features, it is not possible. In that case we could combine the Archive feature with Kron Schedule.

Kron is a command scheduler used to automate tasks in the Cisco IOS Software. With Kron, we can set policies and use them once or with a certain periodicity. For this we configure a Kron Policy List and then apply an occurrence to the global Kron policy. Note that Kron does not work with interactive commands, meaning commands that have some type of dialog for validation. An example would be "copy running-config startup-config". In this case, a dialog would appear in order to validate the execution of the sentence. Since we have this "limitation" with that sentence, we could use the "write memory" command which does not need any validation and use it in the Kron Policy.

R1(config)#kron policy-list CONFIGURATION_BACKUP
R1(config-kron-policy)#cli write memory
R1(config)#kron occurrence BACKUP_OCCURRENCE at 9:00 25 recurring
R1(config-kron-occurrence)#policy-list CONFIGURATION_BACKUP


=============================================================================

Thank you for the response; you can see our configs below.

!
kron occurrence backup-config at 10:09 Wed recurring system-startup
policy-list backup-config
!
kron policy-list backup-config
cli show config | redirect tftp://10.1.1.200/tftp/iznsw25.conf
!

Thursday, July 21, 2016

MTU problems you may run into when using a GRE tunnel

From: http://teenyscrew.blogspot.tw/2014/06/gre-tunnel-mtu.html

Generally, the Ethernet MTU (the frame's payload, excluding the header) is 1500 bytes, and the header + trailer is 14 bytes.

These 1500 bytes contain:

  1. IP-layer header (fixed 20 bytes)
  2. TCP/UDP-layer header (fixed 20 bytes)
  3. TCP/UDP-layer payload (variable)

For TCP, during the three-way handshake both sides negotiate the size of item 3; the agreed value is the MSS.

Because the Ethernet MTU is normally 1500 bytes, subtracting the fixed-size IP header and TCP header leaves 1460 bytes, which is the maximum MSS achievable under normal conditions.

So during the three-way handshake, TCP normally assumes its own MSS is 1460 bytes.



OK, that covers the MTU concepts; now on to GRE tunnels.

A GRE tunnel leaves the packet unchanged and prepends a GRE header, which totals 24 bytes*.

So when a TCP/IP packet (MSS = 1460) reaches the GRE tunnel router and the GRE header is added, it becomes

1460 + 20 + 20 + 24 = 1524 bytes

And here is the problem: even a GRE tunnel packet must ultimately leave through a physical port, and the Ethernet MTU is 1500 bytes, so the packet must be fragmented to be sent; if the packet has DF set, transmission fails.

One way to avoid fragmentation is to reduce the MSS so that the packet, even with the GRE header added, stays at or below 1500 bytes.

So this MSS should be less than or equal to

1500 - 24 - 20 - 20 = 1436

This is also why the default GRE tunnel MTU is 1436 + 20 + 20 = 1476 bytes.


There are several ways to change the MSS:

  1. Change it on the host. Inconvenient; not recommended.
  2. Have the router intercept the TCP connection and rewrite the MSS value: ip tcp adjust-mss 1436 (configured under int tunnel) (see note)

When testing with the ping command on Windows, note that the size given with -l only covers the ICMP data field; it does not include the ICMP header**, let alone the IP header. So on Ethernet with MTU = 1500 bytes, once the ICMP payload exceeds 1500 - 20 - 8 = 1472 the packet can no longer be sent (provided the DF bit is set during the test), e.g.
 ping 168.95.1.1 -l 1472 -f
When doing a ping test on a Cisco device, however, the specified packet size includes ip header + icmp header + icmp data, so the packet size can be set to at most 1500. Above that value, with df-bit also set, the packet cannot be sent***.

Finally, note that the IPv6 header size is 40 bytes, so normally the MSS should be 1500 (MTU) - 40 (IPv6 header) - 20 (TCP header) = 1440 bytes. Through a GRE tunnel, the MSS is 1500 - 24 - 40 - 20 = 1416 bytes (20 bytes less than IPv4).

 * Strictly speaking, the 24 bytes come from GRE's 4 bytes plus the new 20-byte IP header, because new IP packet = new ip header + gre header + original ip packet. By the way, the GRE header used by Dynamic Multipoint VPN (DMVPN) is 26 bytes.

** The complete format of an ICMP packet is: ethernet header + ip header + icmp header. So ICMP belongs to neither layer 2 nor layer 3, yet it needs IP to carry it.

*** Quoting a CCIE engineer's answer on the Cisco forum:

In IOS, when you specify the size, that is the overall packet length.  So if you specify size 250, the packet will be 250 bytes.  In windows, ping -l specifies the ICMP data.  So -l 250 produces a 278 byte IP packet.  This is calculated as 250 bytes of data + 8 bytes of ICMP header + 20 bytes of IP header.  I just wanted to make the distinction as to what size meant in IOS as opposed to Windows.

Note: one article says the IPv6 command only exists in IOS versions 15.2(4)M and later, but my test showed it does not work; perhaps it is license-related?


2014-07-07 update
A more experienced person online pointed out that the ipv6 tcp adjust-mss command mentioned in that article only appears on the ASR, so I could have tried it on an ISR forever with no luck. However, the existing ip tcp adjust-mss command already meets my needs, because it modifies both the IPv6 and IPv4 TCP MSS. I ran an experiment this morning and confirmed it: looking at the three-way handshake packets in Wireshark, the MSS was indeed changed to my configured 1220 bytes. (Test value, derived from the minimum MTU of 1280 bytes.)

References
http://networklessons.com/ip-routing/pppoe-mtu-troubleshooting-cisco-ios/
http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/13725-56.pdf
http://itchenyi.blog.51cto.com/4745638/1137143
http://blog.thousandeyes.com/troubleshooting-path-mtu-tcp-mss-problems/
http://switchpacket.blogspot.tw/2014/07/understanding-difference-between-mtu.html
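Added example, not from the original post: the post's MTU/MSS arithmetic as a small Python module, generalised to IPv4 and IPv6, plain GRE and the 26-byte DMVPN header, plus the Windows ping -l vs IOS ping size distinction. The constants are the header sizes the post uses; the function names are mine.

```python
# Added example (not from the original post): the MTU/MSS arithmetic the post
# walks through, generalised to IPv4/IPv6, plain GRE (24 bytes) and DMVPN GRE
# (26 bytes), plus the Windows "ping -l" vs IOS "ping size" distinction.
# Header sizes are the ones the post uses; function names are my own.

ETHERNET_MTU = 1500   # usable Ethernet payload assumed throughout the post
TCP_HEADER = 20
IPV4_HEADER = 20
IPV6_HEADER = 40
ICMP_HEADER = 8
# GRE overhead: 4-byte GRE header + 20-byte new outer IPv4 header = 24; DMVPN uses 26.
TUNNEL_OVERHEAD = {"none": 0, "gre": 24, "dmvpn": 26}


def ip_header_len(version):
    """Fixed IP header length for the inner packet's IP version."""
    if version == 4:
        return IPV4_HEADER
    if version == 6:
        return IPV6_HEADER
    raise ValueError("IP version must be 4 or 6")


def max_mss(version=4, tunnel="none", mtu=ETHERNET_MTU):
    """Largest TCP MSS whose segment still fits in `mtu` after encapsulation."""
    return mtu - TUNNEL_OVERHEAD[tunnel] - ip_header_len(version) - TCP_HEADER


def tunnel_mtu(version=4, tunnel="gre", mtu=ETHERNET_MTU):
    """Largest inner IP packet (MSS + TCP + IP header) that fits: 1476 for IPv4/GRE."""
    return max_mss(version, tunnel, mtu) + TCP_HEADER + ip_header_len(version)


def encapsulated_size(mss, version=4, tunnel="gre"):
    """On-the-wire IP length of a full-MSS segment once the tunnel header is added."""
    return mss + TCP_HEADER + ip_header_len(version) + TUNNEL_OVERHEAD[tunnel]


def needs_fragmentation(mss, version=4, tunnel="gre", mtu=ETHERNET_MTU):
    """True when the encapsulated packet exceeds the physical MTU (with DF set it is dropped)."""
    return encapsulated_size(mss, version, tunnel) > mtu


def windows_ping_max_l(mtu=ETHERNET_MTU):
    """Largest `ping -l` value that passes with -f (DF): -l counts ICMP data only."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def windows_ping_ip_len(l_value):
    """Total IP packet length that `ping -l <l_value>` produces on Windows."""
    return l_value + ICMP_HEADER + IPV4_HEADER


def ios_ping_max_size(mtu=ETHERNET_MTU):
    """IOS `ping ... size N` counts the whole IP packet, so the DF-safe limit is the MTU."""
    return mtu


if __name__ == "__main__":
    for version in (4, 6):
        for tunnel in ("none", "gre", "dmvpn"):
            print(f"IPv{version} {tunnel:5}: max MSS {max_mss(version, tunnel)}")
    print("GRE tunnel MTU (IPv4):", tunnel_mtu())
    print("MSS 1460 through GRE:", encapsulated_size(1460), "bytes,",
          "fragmentation needed" if needs_fragmentation(1460) else "fits")
    print("Windows ping -l limit:", windows_ping_max_l(),
          "| IOS ping size limit:", ios_ping_max_size())
```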

Friday, March 25, 2016

Cron Example

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

3 0 * * * root /raid/log/dailytar.sh >> /raid/data/log/dailytar.log 2>&1
33 0 * * * root /raid/log/synclog.sh >> /raid/syslog/TPBak/rsync.log 2>&1
*/3 1-23 * * * root /raid/log/checklog.sh
50 23 * * * root /raid/data/module/rSyslog/system/etc/rc.d/rsyslog-server restart > /dev/null

Saturday, March 19, 2016

Splunk: import Cisco ASA5550 firewall logs and keep only events with a specific string, to avoid exceeding the license quota


1. Splunk monitors the D:\Firewall-Log-Splunk\filter-tpe-asa5550* files
2. Use TRANSFORMS-set in props.conf
3. Define transforms.conf so that only events containing the string "0x" are kept
4. After configuring, the Splunk service needs to be restarted

C:\Program Files\Splunk\etc\apps\search\local
inputs.conf
===================================================================
[monitor://J:\Firewall-Log-Check]
disabled = false
index = firewall-log-check
whitelist =

[monitor://D:\Firewall-Log-Splunk]
disabled = false
index = tpe-asa5550
whitelist = filter-tpe-asa5550*

[monitor://D:\014-FirewallLog-Splunk]
disabled = false
index = 014-firewalllog-splunk
whitelist = tpe-014pix*


C:\Program Files\Splunk\etc\apps\learned\local
props.conf (relates to [Data inputs] -> [Files & directories] -> [Source type])
=================================================================
[filter-tpe-asa]
TRANSFORMS-set = setnull, setparsing
MAX_TIMESTAMP_LOOKAHEAD = 36
is_valid = True


C:\Program Files\Splunk\etc\system\local
transforms.conf (relates to [Fields] -> [Field transformations])
=================================================================
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = 0x
DEST_KEY = queue
FORMAT = indexQueue
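Added example, not from the original post: a Python simulation of how Splunk applies `TRANSFORMS-set = setnull, setparsing` from the props.conf above, showing why the stanza order matters. The sample ASA log lines are constructed for the demo; Splunk itself is not involved.

```python
import re

# Added example (not from the original post): simulates how Splunk applies the
# props.conf line `TRANSFORMS-set = setnull, setparsing`. Transforms run in the
# listed order and the last one that writes DEST_KEY=queue wins, so setnull
# (REGEX=.) first routes every event to nullQueue and setparsing (REGEX=0x)
# then pulls the events containing "0x" back to indexQueue.

# The two stanzas from transforms.conf, as Python data.
TRANSFORMS = [
    {"name": "setnull", "regex": re.compile(r"."), "dest_key": "queue", "format": "nullQueue"},
    {"name": "setparsing", "regex": re.compile(r"0x"), "dest_key": "queue", "format": "indexQueue"},
]

SAMPLE_LINES = [  # constructed for this demo, not from a real firewall
    "%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51234 "
    "(203.0.113.5/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.0.5/445 "
    'by access-group "OUTSIDE_IN" [0x8ed66b60, 0x0]',
    "%ASA-6-302014: Teardown TCP connection 1001 duration 0:00:01 bytes 512",
]


def route_event(raw, transforms=TRANSFORMS):
    """Return the queue an event lands in after the transforms run in order."""
    queue = "indexQueue"  # default when no transform rewrites the queue key
    for t in transforms:
        if t["dest_key"] == "queue" and t["regex"].search(raw):
            queue = t["format"]  # a later match overrides an earlier one
    return queue


def filter_events(lines, transforms=TRANSFORMS):
    """Split lines into (indexed, dropped) the way the indexing pipeline would."""
    indexed, dropped = [], []
    for line in lines:
        if route_event(line, transforms) == "indexQueue":
            indexed.append(line)
        else:
            dropped.append(line)
    return indexed, dropped


def index_ratio(lines, transforms=TRANSFORMS):
    """Fraction of input volume (by bytes) that would count against the licence."""
    indexed, _ = filter_events(lines, transforms)
    total = sum(len(l) for l in lines)
    return sum(len(l) for l in indexed) / total if total else 0.0


if __name__ == "__main__":
    kept, dropped = filter_events(SAMPLE_LINES)
    print(f"indexed {len(kept)} of {len(SAMPLE_LINES)} events "
          f"({index_ratio(SAMPLE_LINES):.0%} of bytes)")
    # Listing the stanzas in the opposite order drops everything: setnull's
    # REGEX=. would then be the last match for every event.
    print("reversed order keeps:", len(filter_events(SAMPLE_LINES, TRANSFORMS[::-1])[0]))
```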

Wednesday, March 9, 2016

Cisco Router/Switch Enable SSH



Follow the next steps to enable SSH:
• Configure the hostname command.
• Configure the DNS domain.
• Generate RSA key to be used.
• Enable SSH transport support for the virtual type terminal (vty)

Example SSH version 2 configuration:

hostname ssh-router
aaa new-model
username cisco password cisco
ip domain-name routers.local

! Specifies which RSA keypair to use for SSH usage.
! This command cannot be entered on the Cisco 4506 and 4507
ip ssh rsa keypair-name sshkeys

! Enables the SSH server for local and remote authentication on the router.
! For SSH Version 2, the modulus size must be at least 768 bits.
crypto key generate rsa usage-keys label sshkeys modulus 1024


! Configures SSH control variables on your router.
ip ssh timeout 120

! configure SSH version 2 (will disable SSH version 1)
ip ssh version 2


!--- disable Telnet and enable SSH
line vty 0 4
transport input SSH


Commands to verify SSH configuration:
• show ssh
• show ip ssh
• debug ip ssh



###Remove RSA key
(config)#crypto key zeroize rsa 
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: no

=====================================================================
ip domain-name pro.tcbank.cop

crypto key generate rsa usage-keys label sshkeys modulus 1024

ip ssh time-out 120

ip ssh version 2


line vty 0 4
no access-class VTY_ACL in

exit

no ip access-list extended VTY_ACL

ip access-list extended VTY_ACL
 permit tcp host 192.168.91.44 any eq telnet
 permit tcp host 192.168.1.45 any eq telnet
 permit tcp host 172.17.1.18 any eq telnet
 permit tcp host 172.16.11.21 any eq 22
 permit tcp host 172.16.11.196 any eq 22
 permit tcp host 172.17.1.27 any eq 22
 permit tcp host 172.17.1.33 any eq 22
 permit tcp host 172.17.1.56 any eq 22
 permit tcp host 192.168.1.25 any eq 22
 permit tcp host 192.168.1.25 any eq telnet
 permit tcp host 192.168.1.28 any eq 22
 permit tcp host 192.168.90.27 any eq 22
 permit tcp host 192.168.90.27 any eq telnet
 permit tcp host 192.168.90.7 any eq 22
 permit tcp 10.91.0.0 0.0.255.255 any eq 22
 permit tcp 10.90.0.0 0.0.255.255 any eq 22

line vty 0 4
access-class VTY_ACL in
transport input ssh telnet


xShell shows [WARNING! The remote SSH server rejection agent-forwarding request.] when connecting over SSH


When using xShell to SSH into a Cisco switch, after entering the username/password the following appears:
[WARNING! The remote SSH server rejection agent-forwarding request.]
Simply configuring the SSH Tunneling Forwarding Port setting resolves this problem.


reference url: https://www.netsarang.com/tutorial/xshell/1018/Using_X11_forwarding



Thursday, March 3, 2016

Cisco 4507R+E Upgrade IOS-xe Firmware


Model: Cisco 4507R+E
OS: IOS-XE / 03.04.00.SG
Supervisor: WS-C4507R+E 7 / WS-X45-SUP7L-E

# Define ftp server username & password
config term
ip ftp username tcbnetadmin
ip ftp password 7 01070506035D535D701C1950
exit

# Use ftp service transfer IOS to flash
copy ftp://172.17.200.1/CiscoIOS/cat4500e-universalk9.SPA.03.06.03.E.152-2.E3.bin bootflash:

# Verify IOS file
verify /md5 flash:/cat4500e-universalk9.SPA.03.06.03.E.152-2.E3.bin

# Setup Boot from IOS cat4500e-universalk9.SPA.03.06.03.E.152-2.E3.bin
config term
boot system flash bootflash:cat4500e-universalk9.SPA.03.06.03.E.152-2.E3.bin
exit

write



Thursday, October 1, 2015

Cisco ASA Firewall Allowing SSH Access


config term

### Step 1: Generate an RSA key pair, which is required for SSH ###
crypto key generate rsa modulus 1024

### Step 3: Identify the IP addresses from which the ASA accepts SSH connections ###
### ssh source_IP_address mask source_interface ###
ssh 192.168.1.25 255.255.255.255 INT
ssh 192.168.90.27 255.255.255.255 INT

### Authenticate SSH logins against the LDAP server group, falling back to the LOCAL database ###
aaa authentication ssh console LDAP_SRV_GRP LOCAL

Tuesday, September 15, 2015

Cisco password Type 7 encryption is insecure; switch to Type 5 (MD5 hash) instead


Per PwC's recommendation, Cisco password encryption type 7 is an insecure method
(Type 7 applies OR or XOR directly to the password and is very easy to crack);
Type 5 (MD5 hash) is recommended instead.

### 1. Log in with an AAA account ###

config term

### 2. Remove local user account tcbnetadmin (Type 7) ###
no username tcbnetadmin

### 3. Add local user account tcbnetadmin (secret, Type 5) ###
username tcbnetadmin privilege 15 secret 5 $1$q7on$cHPb9N257ld8lmU0R4Npd.

### 4. Remove the enable password (Type 7) ###
no enable password

### 5. Add the enable secret password (Type 5) ###
enable secret 5 $1$xCj8$5oqZn6GKMlTn4lOhOAVio.

Monday, August 31, 2015

Cisco: use secret 5 (MD5) encrypted passwords


config term

no enable password

enable secret 5 $1$wF.a$fqKnnKbCWmevxYzmtpnLu1

### Delete the Cisco type 7 encrypted password ###
no username tcbnetadmin privilege 15 password

### Add Cisco type 5 MD5 encryption password ###
username tcbnetadmin privilege 15 secret 5 $1$WGXm$iQYYb7vxgUt2.hYqDLm7q.


### Encrypt passwords ###
service password-encryption
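Added example, not from the original posts: a small audit script that scans an IOS running-config for the credential forms the two posts above replace (plaintext `password` and reversible `password 7`) and confirms that `secret 5` forms are present. The config text, hash strings and function names are constructed for this demo.

```python
import re

# Added example (not from the original posts): audit an IOS running-config for
# plaintext (type 0) and reversible (type 7) credentials, and confirm that the
# salted-MD5 "secret 5" forms the posts migrate to are present. The config and
# hash strings below are constructed; nothing here comes from a real device.

# Credential lines that should be migrated: type 0 (plaintext) or type 7 (reversible).
WEAK_PATTERNS = [
    ("enable password (type 0/7)", re.compile(r"^enable password(?: [07])? \S+")),
    ("username password (type 0/7)", re.compile(r"^username \S+ .*\bpassword(?: [07])? \S+")),
    ("line password (type 0/7)", re.compile(r"^ +password(?: [07])? \S+")),
    ("ip ftp password (type 0/7)", re.compile(r"^ip ftp password(?: [07])? \S+")),
]
# The forms both posts migrate to.
SECRET_PATTERNS = [
    ("enable secret 5", re.compile(r"^enable secret 5 \$1\$")),
    ("username secret 5", re.compile(r"^username \S+ .*\bsecret 5 \$1\$")),
]

SAMPLE_CONFIG = """\
hostname demo-rtr
service password-encryption
enable password 7 0123456789ABCDEF0123
username netadmin privilege 15 password 7 0123456789ABCDEF0123
username auditor privilege 15 secret 5 $1$demo$ExampleHashValueNotReal.
ip ftp password ftp-demo-pass
line vty 0 4
 password vty-demo-pass
 transport input ssh
"""


def redact(line):
    """Replace the trailing secret/hash token so audit output never echoes credentials."""
    parts = line.rstrip().split(" ")
    parts[-1] = "<redacted>"
    return " ".join(parts)


def audit_config(config_text):
    """Return weak credential lines, secret-5 lines, and whether
    `service password-encryption` is set (it only turns type 0 into type 7)."""
    findings = {"weak": [], "secret5": [], "service_password_encryption": False}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.strip() == "service password-encryption":
            findings["service_password_encryption"] = True
            continue
        for label, rx in WEAK_PATTERNS:
            if rx.match(line):
                findings["weak"].append((lineno, label, redact(line)))
        for label, rx in SECRET_PATTERNS:
            if rx.match(line):
                findings["secret5"].append((lineno, label))
    return findings


def is_compliant(findings):
    """Compliant when no type 0/7 credentials remain and at least one secret 5 exists."""
    return not findings["weak"] and bool(findings["secret5"])


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for lineno, label, shown in result["weak"]:
        print(f"line {lineno}: {label}: {shown}")
    print("secret 5 entries:", len(result["secret5"]), "| compliant:", is_compliant(result))
```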




Thursday, July 30, 2015

Cisco 2811 IOS upgrade from ipbase-mz.124-24.T6.bin to advsecurityk9-mz.151-4.M10.bin (supports IP SLA)



# Define ftp server username & password

config term
ip ftp username anonymous
ip ftp password tcbank
exit

# Del origin IOS c2800nm-ipbase-mz.124-15.T9.bin
del /force /recursive flash:c2800nm-ipbase-mz.124-15.T9.bin

# Del origin IOS c2800nm-ipbase-mz.124-24.T6.bin
del /force /recursive flash:c2800nm-ipbase-mz.124-24.T6.bin
# Use ftp service transfer IOS to flash
copy ftp://172.17.200.1/CiscoIOS/c2800nm-advsecurityk9-mz.151-4.M10.bin flash:

# Verify IOS file
verify /md5 flash:/c2800nm-advsecurityk9-mz.151-4.M10.bin 5f49dcc31ad30fb41b1deb4977cd34f0

# Setup Boot from IOS c2800nm-advsecurityk9-mz.151-4.M10.bin
config term
# Delete old boot config
no boot system flash c2800nm-ipbase-mz.124-24.T6.bin
# Add New boot config
boot system flash c2800nm-advsecurityk9-mz.151-4.M10.bin
exit
write


# After a successful reboot

# Verify IOS file MD5
c2800nm-advsecurityk9-mz.151-4.M10.bin ==> 5f49dcc31ad30fb41b1deb4977cd34f0

Tuesday, April 14, 2015

Branch Cisco Router Policy-Based Routing(PBR)

Cisco Router 2811



config term

### Add access lists OA-Out-PBR and acl-RouteToDomain ###
ip access-list extended OA-Out-PBR
 permit ip 172.16.0.0 0.0.255.255 any
 permit ip 172.17.0.0 0.0.255.255 any

ip access-list extended acl-RouteToDomain
 permit ip any host 192.168.1.23
 permit ip any host 192.168.1.24
 permit ip any host 192.168.90.23
 permit ip any host 192.168.90.24

### Add IP SLA monitor FTTB-Lease ###
no track 1

no ip sla 10

ip sla 10
 icmp-echo 10.100.xxx.1 source-interface FastEthernet0/0
 frequency 5

ip sla schedule 10 life forever start-time now

track 1 ip sla 10 reachability

exit

exit

### Add route-map FC ###
route-map FC permit 9
 match ip address acl-RouteToDomain
 set ip next-hop verify-availability 10.100.xxx.1 1 track 1
 set ip next-hop 10.70.xxx.2
!
route-map FC permit 10
 match ip address OA-Out-PBR
 set ip next-hop 10.200.xxx.1
!

interface bvi1
 ip policy route-map FC

Thursday, February 5, 2015

Cisco 1841 Router Stock Qos


1.
ip access-list extended acl_BranchQos
 10 permit ip host 192.168.1.50 any
 11 permit ip host 192.168.1.52 any
 12 permit ip host 192.168.91.50 any
 20 permit ip host 192.168.1.166 any
 21 permit ip host 192.168.91.166 any
 22 permit ip host 172.16.127.166 any
 remark "(10-Antivirus),(20-FileServer)"

2.
class-map match-all classmap_BranchQos
 match access-group name acl_BranchQos

3.
policy-map policymap_BranchQos
 class classmap_BranchQos
   police cir 256000
     conform-action transmit
     exceed-action drop
     violate-action drop

4.
interface serial0/1/0
 service-policy input policymap_BranchQos

Thursday, November 13, 2014

2014-11-13 CSS11506 certificate replacement


### Suspend services ###
config term

service backend-server 171
suspend
service backend-server 172
suspend
service backend-server 175
suspend

service backend-server 176
suspend

service SSL_Front_1
suspend
service SSL_Front_2
suspend

exit

### Suspend ssl-proxy-list ###
config term

ssl-proxy-list TCBank_PDC_Branch_ssl-accel
suspend

exit

### Use FTP to upload cert_fcrbrn_2014.cer and cert_fcrbrn_2014.pem ###
### Check for, or create, the ftp-record leslie-ftp ###
ftp-record leslie-ftp 172.17.1.27 anonymous des-password tcbank

copy ssl ftp leslie-ftp import cert_fcrbrn_2014.cer PEM "password"
copy ssl ftp leslie-ftp import cert_fcrbrn_2014.pem PEM "password"
See the section below on how cert.cer and cert.pem are produced.


### The following rsakey and rsacert removal must be done first ###
### config term
###
### ssl-proxy-list TCBank_PDC_Branch_ssl-accel

no ssl-server 21 rsakey cert_fcrbrn_withrsa
no ssl-server 21 rsacert cert_fcrbrn_cert

CSS11506(config)# no ssl associate cert cert_fcrbrn_cert
CSS11506(config)# no ssl associate rsakey cert_fcrbrn_withrsa


### Then import the RSA certificate and key pair ###
ssl associate cert cert_fcrbrn_cert cert_fcrbrn_2011.cer
ssl associate rsakey cert_fcrbrn_withrsa cert_fcrbrn_2011.pem

### Then configure the following under ssl-proxy-list TCBank_PDC_Branch_ssl-accel ###
ssl-server 21 rsakey cert_fcrbrn_withrsa
ssl-server 21 rsacert cert_fcrbrn_cert

### Activate ssl-proxy-list ###
config term
ssl-proxy-list TCBank_PDC_Branch_ssl-accel
active
exit

### Activate services and SSL_Front_1 & 2 ###
service backend-server 171
active
service backend-server 172
active
service backend-server 175
active

service backend-server 176
active

service SSL_Front_1
active
service SSL_Front_2
active

Certificate conversion to .pem & .cer files

Converting a certificate .pfx file to .pem & .cer files

1.        Download the OpenSSL software

2.        Install the OpenSSL software
Win64OpenSSL-1_0_1j.exe

3.        Run the commands
Generate PEM and CER keys from a pfx key:
openssl pkcs12 -in Brn.pfx -nodes -out server.pem
openssl rsa -in server.pem -out server.key
openssl x509 -in server.pem -out server.cer


======================================================

PEM Format
It is the most common format that Certificate Authorities issue certificates in. It contains the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.
Several PEM certificates and even the private key can be included in one file, one below the other. But most platforms (e.g. Apache) expect the certificates and private key to be in separate files.
> They are Base64 encoded ASCII files
> They have extensions such as .pem, .crt, .cer, .key
> Apache and similar servers use PEM format certificates

DER Format
It is a binary form of the ASCII PEM format certificate. All types of certificates and private keys can be encoded in DER format.
> They are binary format files
> They have extensions .cer & .der
> DER is typically used on the Java platform

P7B/PKCS#7
They contain "-----BEGIN PKCS7-----" & "-----END PKCS7-----" statements. It can contain only certificates and chain certificates, but not the private key.
> They are Base64 encoded ASCII files
> They have extensions .p7b, .p7c
> Several platforms support it, e.g. Windows OS, Java Tomcat

PFX/PKCS#12
They are used for storing the server certificate, any intermediate certificates and the private key in one encryptable file.
> They are binary format files
> They have extensions .pfx, .p12
> Typically used on Windows OS to import and export certificates and private keys

Converting Certificates between different Formats

PEM
Convert PEM to DER
$ openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B
$ openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CAcert.cer
Convert PEM to PFX
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt

DER
Convert DER to PEM
$ openssl x509 -inform der -in certificate.cer -out certificate.pem

P7B
Convert P7B to PEM
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
$ openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CAcert.cer

PFX
Convert PFX to PEM
$ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
NOTE: While converting PFX to PEM format, openssl will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and the private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CAcert.cer and privateKey.key respectively.

Extracting the Private Key from PEM
Method 1 -- use openssl
$ openssl x509 -in server.pem -out server.cer

Method 2 --
      2.1 Install the .pfx file
      2.2 Open Certificate -> Details -> Copy to File



Friday, October 3, 2014

Cisco 2811 Router Branch Qos


1.
ip access-list extended acl_BranchQos
 10 permit ip host 192.168.1.50 any
 11 permit ip host 192.168.1.52 any
 12 permit ip host 192.168.91.50 any
 13 permit ip host 192.168.1.60 any
 20 permit ip host 192.168.1.166 any
 21 permit ip host 192.168.91.166 any
 22 permit ip host 172.16.127.166 any
 remark "(10-Antivirus),(20-FileServer)"

2.
class-map match-all classmap_BranchQos
 match access-group name acl_BranchQos

3.
policy-map policymap_BranchQos
 class classmap_BranchQos
   police cir 1000000
     conform-action transmit
     exceed-action drop
     violate-action drop

4.
interface FastEthernet0/0
 service-policy input policymap_BranchQos

Wednesday, August 13, 2014

【Cisco EEM】Shutdown ISDN at Daily 18:00

Use a Cisco EEM applet to shut down ISDN interface BRI0/0/0 automatically, Monday through Friday.

=====================Cisco Router 1841 Configure=====================
event manager applet ShutdownISDN
 event timer cron name MonFri cron-entry "0 18 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "config term"
 action 3 cli command "interface bri0/0/0"
 action 4 cli command "shutdown"
 action 5 cli command "end"
 action 6 syslog msg "Shutdown BRI0/0/0 at 18:00"
!

=====================Show EEM policy registered=====================
TCB2NCCC#show event manager policy registered

No.  Class   Type    Event Type          Trap  Time Registered           Name
1    applet  system  timer cron          Off   Wed Aug 13 15:28:41 2014  ShutdownISDN
 name {MonFri} cron entry {0 18 * * 1-5}
 action 1 cli command "enable"
 action 2 cli command "config term"
 action 3 cli command "interface bri0/0/0"
 action 4 cli command "shutdown"
 action 5 cli command "end"
 action 6 syslog msg "Shutdown BRI0/0/0 at 18:00"


Monday, May 12, 2014

【QoS】Bandwidth QoS For 7613/7609/2811

For OPC example
=======================================================
! Enable the QoS feature in global configuration mode
mls qos

! Define the OPC traffic
ip access-list extended OPC_ACL
   permit ip host 10.91.1.185 host 10.90.90.185
   permit ip host 10.91.1.186 host 10.90.90.186

class-map match-all OPC
   match access-group name OPC_ACL

policy-map QOS-OPC
   class OPC
   police 25000000 conform-action transmit

! Interface towards the 4506
interface Gi11/11
   service-policy output QOS-OPC