Monday, December 19, 2011

Port security on a trunk port

interface FastEthernet0/1
 switchport trunk native vlan 20
 switchport mode trunk
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security maximum 1 vlan 20,30

VRF-Lite guest VLAN for Wireless

ip vrf GUEST_WIFI
 description Guest vlan
interface Vlan66
 description Guest WiFi
 ip vrf forwarding GUEST_WIFI
 ip address 10.10.10.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly
ip access-list extended nonat0_GUEST_WIFI
 deny   ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list nonat0_GUEST_WIFI interface FastEthernet1 vrf GUEST_WIFI overload
ip route vrf GUEST_WIFI 0.0.0.0 0.0.0.0 FastEthernet1 192.168.0.1 global
ip dhcp pool GUEST_WIFI
   vrf GUEST_WIFI
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.250 
   dns-server 8.8.8.8  
   domain-name guest
   lease 2

OSPF redistribute static routes

access-list 10 permit 10.10.10.10
access-list 10 permit 10.10.20.0 0.0.0.255
route-map STATIC-OSPF permit 10
 match ip address 10
router ospf 100
 redistribute static metric 100 subnets route-map STATIC-OSPF

Monday, December 5, 2011

Delay for wireless clients to deploy GPO MSI software

Add this key to delay boot by 60 seconds on wireless clients so that GPO can deploy and install MSI software.
Usually 60 seconds is enough, but you can increase it if needed. I use a GPO to set this key.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:0000003c

Monday, November 21, 2011

Cisco IOS archive

Cisco IOS has a simple method for backing up the config:

mkdir flash:/archive

conf t
archive
 log config
  logging enable
  hidekeys
 path flash:archive/config
 write-memory

You can use other options for the path, like tftp, scp, etc.

Also add "notify syslog contenttype plaintext" under "log config" if you want config changes written to the syslog.

To check the archive:

show archive log config all
show archive config differences flash:archive/config-1 system:running-config

Friday, October 21, 2011

Software upgrade Cisco Wireless LAN Controller

1. Check your controller software version:
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 6.0.199.4
2. Check the release notes for the new software version and check the upgrade path table.
3. Download the new image from the Cisco site and copy it to the TFTP server.
4. Log in to the controller:
(Cisco Controller) >transfer download mode tftp
(Cisco Controller) >transfer download serverip 172.16.15.70
(Cisco Controller) >transfer download path .
(Cisco Controller) >transfer download filename AIR-WLC2100-K9-7-0-116-0.aes
(Cisco Controller) >transfer download start
Mode............................................. TFTP
Data Type........................................ Code
TFTP Server IP................................... 172.22.22.10
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... AIR-WLC2100-K9-7-0-116-0.aes
This may take some time.
Are you sure you want to start? (y/N) y
TFTP Code transfer starting.
TFTP receive complete... extracting components.
/mnt/application
Writing new RTOS to flash disk.
Writing new Code to flash disk.
Executing install_code script.
Writing new APIB to flash disk.
Executing install_apib script.
TFTP File transfer is successful.
  Reboot the controller for update to complete.
  Optionally, pre-download the image to APs before rebooting to reduce network downtime.
(Cisco Controller) >reset system
The system has unsaved changes.
Would you like to save them now? (y/N) y
Configuration Saved!
System will now restart!

Monday, October 10, 2011

Enable ASDM for Cisco ASA

ciscoasa# conf t
ciscoasa(config)#asdm image disk0:/asdm-645-106.bin
ciscoasa(config)#http server enable
ciscoasa(config)#http 172.16.1.0 255.255.255.0 inside

Tuesday, September 20, 2011

upgrade ROM and IOS for cisco 4900 switches

For the ROM upgrade:

1. Download the latest ROM from the Cisco site.
2. Copy the ROM file to the switch bootflash:
3. Turn on the switch and press Control-C to go to rommon.
4. Enter: rommon 1 >boot bootflash:cat4500-ios-promupgrade-122_31r_SGA7 (or your ROM file)
5. The switch will restart after the upgrade.
6. Run show version | i ROM

For the IOS upgrade:

1. Download the latest IOS.
2. Copy the IOS to the switch bootflash:
3. Enter show running-config | i boot system
4. Go to config mode.
5. Enter no boot system flash bootflash:cat4500-entservicesk9-mz.122-13.SG1.bin (your current IOS)
6. Enter boot system flash bootflash:cat4500-entservicesk9-mz.122-54.SG.bin
7. Save the config and reboot the switch.
8. Check the IOS version after the reboot: show version | i bootflash

Wednesday, August 24, 2011

MS Outlook autocomplete cache file

Path for the file:
Windows XP
C:\Documents and Settings\username\Application Data\Microsoft\Outlook\outlook.NK2
Windows 7
C:\Users\username\AppData\Roaming\Microsoft\Outlook\outlook.NK2
Maximum entries key:
HKEY_CURRENT_USER\Software\microsoft\Office\10.0\outlook\
DWORD MaxNicknames, default is 1000

Wednesday, August 17, 2011

Cisco switch port security

Example:
int Fa0/1
 switchport mode access
 !- maximum MAC addresses on the port
 switchport port-security maximum 2
 switchport port-security
 !- restrict and log violating MACs, but don't shut down the port
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 !- allowed MAC addresses
 switchport port-security mac-address sticky 702a.0371.96a6
 switchport port-security mac-address sticky 78d6.f355.eb4d
Show port security settings:
show port-security int Fa0/1

Thursday, August 11, 2011

Cisco DHCP Snooping

Just the config, it's pretty easy:
!enable DHCP snooping for vlan 1
ip dhcp snooping
ip dhcp snooping vlan 1
!enable DHCP option 82
ip dhcp snooping information option
!set the trust port for the DHCP server
int Gi0/2
 ip dhcp snooping trust
!set the limit per second on the access ports
int range Fa0/1 - 24
 ip dhcp snooping limit rate 20
!set trust on the trunk port (enter the trunk interface first, otherwise it applies to the access ports above)
int <your-trunk-port>
 ip dhcp snooping trust

Show settings:
show ip dhcp snooping
show ip dhcp snooping binding


Friday, August 5, 2011

Remote change power settings

You can use this if you need to change the power settings of a remote computer.

Get info about the remote PC's power settings:

PsExec.exe \\rcomputer powercfg -query

Disable the sleep timeout:

PsExec.exe \\rcomputer powercfg -change -standby-timeout-ac 0

Other interesting options:

powercfg -change -monitor-timeout-ac 0
powercfg -change -monitor-timeout-dc 0
powercfg -change -disk-timeout-ac 0
powercfg -change -disk-timeout-dc 0
powercfg -change -standby-timeout-ac 0
powercfg -change -standby-timeout-dc 0
powercfg -change -hibernate-timeout-ac 0
powercfg -change -hibernate-timeout-dc 0

Remote enable Remote Desktop

This example shows how you can use PsExec to enable Remote Desktop remotely.

Enable RDP:

PsExec.exe \\remotepc reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

Enable RDP through the firewall:

PsExec.exe \\remotepc netsh firewall set service remoteadmin enable
PsExec.exe \\remotepc netsh firewall set service remotedesktop enable

Tuesday, July 12, 2011

Cisco IOS clock settings

Set the correct time zone:

clock timezone PCTime -8

Set summer time on old IOS:

clock summer-time PCTime date Mar 13 2011 2:00 Nov 6 2011 2:00

Newer IOS has a nicer setting that only needs to be configured once:

clock summer-time CDT recurring

Set the NTP server:

ntp server XXX.XXX.XXX.XXX

Set the clock:

clock set 10:30:00 Jul 12 2011

Show the clock:

show clock

Monday, July 11, 2011

VPN syslog error

If the VPN is up but you have these errors in the log:

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

to fix it, add this on the router:

crypto ipsec security-association replay window-size 1024
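Why enlarging the window helps, as an added example (this is not from the original post and not IOS code): IPsec ESP keeps a sliding window of recently accepted sequence numbers, and a packet older than the window, or one already accepted, fails the replay check. On a tunnel where QoS queueing or multiple paths reorder packets, a 64-packet window rejects legitimate late packets and the router logs the error above; a 1024-packet window lets them through and still rejects true duplicates. The Python model below builds such a window in the style of RFC 4303 and runs a constructed, reordered stream of sequence numbers through both sizes.

```python
# Added example: ESP-style anti-replay sliding window (teaching model, not IOS code).

class AntiReplayWindow:
    """Sliding-window replay check in the style of RFC 4303 (ESP).
    `size` is the window width in packets (64 is a common default; the post sets 1024)."""

    def __init__(self, size: int):
        if size < 1:
            raise ValueError("window size must be >= 1")
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  <=>  sequence number (top - i) was already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True if `seq` is accepted, False if the replay check fails."""
        if seq <= 0:
            return False                      # ESP never sends sequence number 0
        if seq > self.top:
            # Newer than anything seen so far: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything previously seen fell out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        age = self.top - seq
        if age >= self.size:
            return False                      # too old: arrived later than the window allows
        if (self.bitmap >> age) & 1:
            return False                      # genuine duplicate: already accepted once
        self.bitmap |= 1 << age               # late but still inside the window: accept it
        return True


def reorder_stream(n: int, every: int, delay: int) -> list:
    """Constructed traffic: sequence numbers 1..n in order, except that every `every`-th
    packet is held back and delivered `delay` positions later, as QoS queueing or
    multiple paths can do to a tunnel. Synthetic input for the demonstration only."""
    order = list(range(1, n + 1))
    for i in range(every - 1, n - delay, every):
        pkt = order.pop(i)
        order.insert(i + delay, pkt)
    return order


def count_replay_failures(order: list, window_size: int) -> int:
    """Run a delivery order through a window of the given size; count rejected packets."""
    win = AntiReplayWindow(window_size)
    return sum(1 for seq in order if not win.check_and_update(seq))


if __name__ == "__main__":
    stream = reorder_stream(n=1000, every=250, delay=100)
    for size in (64, 1024):
        print(f"window {size:>4}: {count_replay_failures(stream, size)} packets rejected as replays")
    # A true replay is still caught regardless of window size:
    win = AntiReplayWindow(1024)
    win.check_and_update(7)
    print("duplicate of seq 7 accepted?", win.check_and_update(7))
```

With the constructed stream (three packets each delivered 100 positions late) the 64-packet window rejects all three while the 1024-packet window rejects none; the duplicate is rejected by both. The trade-off is that a wider window gives a replayed packet a longer interval in which it could be accepted, so pick the smallest size that stops the false positives.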

Friday, July 8, 2011

Change your Windows MTU

Example of how to find your correct MTU:

1. Find your Windows MTU:
netsh interface ipv4 show subinterfaces

2. Find your ISP MTU:
ping yourISPgatewayIP -f -l 1400
Increase the size until you get:
Packet needs to be fragmented but DF set.
The last successful ping size + 28 is your correct MTU.

3. To set the MTU:
netsh interface ipv4 set subinterface "Local Area Connection" mtu=1472 store=persistent
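Automating the procedure above, as an added example (not from the original post): a binary search over the ICMP payload size instead of increasing it by hand, using the same +28 rule (20-byte IPv4 header plus 8-byte ICMP header). `find_path_mtu` takes any probe function; `simulated_probe` is a constructed stand-in for the ISP link so the example runs offline, and `ping_probe` wraps the real OS ping (Windows `-f -l`, Linux `-M do -s`) under the assumption that a zero exit status means the echo reply came back.

```python
# Added example: path-MTU discovery by binary search over "don't fragment" probes.
import platform
import subprocess

IPV4_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header: the "+28" in the note


def find_path_mtu(probe, lo: int = 500, hi: int = 1472):
    """Binary-search the largest ICMP payload for which probe(payload) succeeds and
    return it plus 28, i.e. the path MTU. `probe` is any callable taking a payload
    size and returning True when a DF-marked packet of that size gets through.
    Returns None if even the smallest size fails. `hi` defaults to 1472, the largest
    payload that fits a standard 1500-byte Ethernet MTU; raise it for jumbo links."""
    if not probe(lo):
        return None
    # Invariant: probe(lo) is True, so `lo` always holds a size known to work.
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + IPV4_ICMP_OVERHEAD


def simulated_probe(path_mtu: int):
    """Offline stand-in for the ISP link (constructed for this demonstration): behaves
    like 'ping -f' through a path whose narrowest hop has the given MTU."""
    def probe(payload: int) -> bool:
        return payload + IPV4_ICMP_OVERHEAD <= path_mtu
    return probe


def ping_probe(host: str):
    """Real probe built on the OS ping tool: Windows 'ping -f -l', Linux 'ping -M do -s'.
    Assumption: exit status 0 means the echo reply came back; on Windows inspect the
    output text if you need to be strict about 'Packet needs to be fragmented'."""
    def probe(payload: int) -> bool:
        if platform.system() == "Windows":
            cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
        else:
            cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
        res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return res.returncode == 0
    return probe


if __name__ == "__main__":
    # Offline demonstration: a PPPoE-style link with a 1492-byte MTU.
    print("simulated path MTU:", find_path_mtu(simulated_probe(1492)))   # 1492
    # Against your real gateway (replace the placeholder address):
    # print("measured path MTU:", find_path_mtu(ping_probe("<your ISP gateway IP>")))
```

The value `find_path_mtu` returns is the interface MTU to configure; the payload size that last succeeded is 28 bytes smaller, so keep the two apart when you type the netsh command.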

Flexible NetFlow for IOS

If you use VPN links, standard NetFlow doesn't work on them. You need to use Flexible NetFlow.
It works well with VPN links. Update your IOS if your router doesn't support it.

Example:

flow exporter NETFLOW1-EXPORTER
 description NetFlow Analyzer
 destination 172.16.0.1
 source Loopback0
 output-features
 transport udp 9996
 export-protocol netflow-v9
!
flow exporter NETFLOW2-EXPORTER
 description Scrutinizer
 destination 172.16.0.2
 source Loopback0
 output-features
 transport udp 9996
 export-protocol netflow-v9
!
flow monitor NETFLOW1
 record netflow-original
 exporter NETFLOW2-EXPORTER
 exporter NETFLOW1-EXPORTER
 cache timeout active 1
!
interface Tunnel12
 ip flow monitor NETFLOW1 input
 ip flow monitor NETFLOW1 output
!
interface FastEthernet1
 ip flow monitor NETFLOW1 input
 ip flow monitor NETFLOW1 output

link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/prod_white_paper0900aecd804be1cc.html

Sunday, June 19, 2011

ssh and MyEnTunnel

I use PuTTY to configure my routers and sometimes for SSH tunnels to access my home network.

However, PuTTY needs to reconnect every time. MyEnTunnel can reconnect automatically and makes your life easier. You can set up a lot of ports.

For example, for 3 RDP sessions to the home network:
3310:192.168.1.10:3389
3311:192.168.1.11:3389
3312:192.168.1.12:3389

MyEnTunnel is free and you can download it from http://nemesis2.qx.net/pages/MyEnTunnel

Wednesday, March 30, 2011

Cisco router as dhcp client

Sometimes the ISP provides only a DHCP address for branch offices. When you use a firewall (I hope you do), you need a rule in your firewall to allow DHCP traffic.

interface FastEthernet0/0
 ip address dhcp
 ip access-group ISP in

ip access-list extended ISP
 permit udp any eq bootps any eq bootpc

Sunday, March 13, 2011

Bat file for reboot PC remotely

Sometimes you need to reboot PCs at night. This will help.

@echo off
rem list the computer names (RDN) from the workstations OU
dsquery computer ou=workstations,dc=contoso,dc=com -o rdn > pc_workstations.txt
for /F "tokens=*" %%i in (pc_workstations.txt) do call :Reboot %%i
goto Ready

:Reboot
rem %~1 strips the surrounding quotes from the dsquery output
set "remotepc=%~1"
shutdown /f /r /c "Reboot by administrator" /m \\%remotepc%
goto :EOF

:Ready

Thursday, March 10, 2011

Connect Cisco IP Phone 7960 to Asterisk

The previous post was about upgrading the Cisco IP phone to SIP firmware.

Now a short post on how to set up Asterisk.

Example sip.conf:

[550]
host=dynamic
context=office-all
type=friend
username=550
secret=secret550
callerid=cisco550 <550>

[551]
host=dynamic
context=office-all
type=friend
username=551
secret=secret551
callerid=cisco551 <551>

To reload the config, open the Asterisk console and run the command:

unknown*CLI> config reload /etc/asterisk/sip.conf

Cisco 7960 upgrade to SIP firmware

I bought a Cisco 7960 IP phone on eBay; it came with SCCP firmware. I use Asterisk, so I needed to upgrade the firmware.

Step by step.

1. Download and set up SolarWinds TFTP Server. It is free and works well.

2. You need the SIP firmware from the Cisco site. I downloaded the latest version, P0S3-08-8-00.zip. Unzip it to the TFTP directory.

3. We need 5 additional files. I used Notepad to create them.

3.1 SIP<MAC address>.cnf

Example for two lines:

line1_name : 550
line1_authname : 550 ;user name registered in your Asterisk PBX
line1_password : secret550 ;password registered in your Asterisk PBX
line2_name : 551
line2_authname : 551
line2_password : secret551

3.2 SIPDefault.cnf

Example:

#Image Version
image_version:P0S3-08-8-00 ;
#Proxy server address
proxy1_address: 192.168.10.1 ;
proxy_register: 1;

3.3 xmlDefault.CNF.XML

Example:

<loadInformation7 model="IP Phone 7960">P0S3-08-8-00</loadInformation7>

3.4 RINGLIST.DAT

Example:

Piano 1  Piano1.raw
Piano 2 Piano2.raw
Pop Pop.raw
Pulse Pulse1.raw
Old Style ringer1.pcm
Synth Low ringer2.pcm

3.5 dialplan.xml

Example:

<DIALTEMPLATE>
<TEMPLATE MATCH="*" Timeout="5"/> <!-- Anything else -->
</DIALTEMPLATE>

4. Copy all files to the TFTP directory. As a result we get 10 files.
5. Run the TFTP server.
6. Erase the old config on the Cisco IP phone:
6.1 Disconnect the network cable, power on the phone.
6.2 Unlock the configuration, go to Settings - Network Configuration - Erase Configuration - Yes.
6.3 Save/Cancel - Exit.
7. Unlock the configuration, go to Settings - Network Configuration - TFTP Server. Enter the new TFTP server, Save - Exit.

8. Power off, connect the network cable, power on the phone.

As a result you will see the TFTP server logs and your IP phone will get the SIP firmware.

Wednesday, February 9, 2011

change VM disk size

Sometimes you need to increase the size of a VM disk. It's easy:

vmware-vdiskmanager -x 20GB MV_disk.vmdk

You also need to use Partition Magic or Acronis software to resize the Windows partition.

Friday, January 14, 2011

Cisco port security

SW1# conf t
SW1(config)# interface fastethernet0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security maximum 2
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxa
SW1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxb
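An added audit script (not from these posts, and not a Cisco tool) that reads a running-config and checks the settings the three port-security posts (trunk port, access port with sticky MACs, and this one) and the DHCP snooping post configure: port-security present on access ports, an explicit violation mode (the default is shutdown, which err-disables the port), a DHCP snooping rate limit on untrusted access ports, and trust on trunk ports when snooping is on. The sample config is constructed here and the finding codes are names chosen for this example.

```python
# Added example: audit port-security and DHCP-snooping settings in an IOS running-config.
import sys
from typing import Dict, List, Tuple

# Constructed sample running-config (not from any real switch). It mixes a hardened
# access port, a bare access port, a half-configured one, an untrusted trunk and a trusted uplink.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 1
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/2
 switchport mode access
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
!
interface FastEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 20
!
interface GigabitEthernet0/2
 description uplink towards the DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [its indented lines]}.
    A '!' or any unindented global command ends the current stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def audit_edge_ports(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs. The checks mirror the posts' own choices:
    port-security on access ports, an explicit violation mode (default shutdown
    err-disables the port), a DHCP snooping rate limit on untrusted access ports,
    and 'ip dhcp snooping trust' on trunks so DHCP offers crossing them are not dropped."""
    snooping_on = any(line.strip() == "ip dhcp snooping" for line in config.splitlines())
    findings: List[Tuple[str, str]] = []
    for name, lines in parse_interfaces(config).items():
        access = "switchport mode access" in lines
        trunk = "switchport mode trunk" in lines
        has_psec = "switchport port-security" in lines
        trusted = "ip dhcp snooping trust" in lines
        rate_limited = any(l.startswith("ip dhcp snooping limit rate") for l in lines)
        violation_set = any(l.startswith("switchport port-security violation") for l in lines)

        if access and not has_psec:
            findings.append((name, "NO_PORT_SECURITY"))
        if has_psec and not violation_set:
            findings.append((name, "VIOLATION_DEFAULTS_TO_SHUTDOWN"))
        if snooping_on and access and not trusted and not rate_limited:
            findings.append((name, "NO_DHCP_SNOOPING_RATE_LIMIT"))
        if snooping_on and trunk and not trusted:
            findings.append((name, "TRUNK_NOT_DHCP_TRUSTED"))
    return findings


if __name__ == "__main__":
    # Pass a saved 'show running-config' as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for iface, finding in audit_edge_ports(text):
        print(f"{iface:<22} {finding}")
```

On the sample, FastEthernet0/1 and GigabitEthernet0/2 are clean, FastEthernet0/2 lacks port-security, FastEthernet0/3 has port-security with the default shutdown violation mode and no rate limit, and FastEthernet0/4 is a trunk without DHCP trust. The parser only recognises the exact command forms used in the posts, so adapt the string checks if your switch abbreviates or reorders them.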

Wednesday, January 12, 2011

Cisco port mirroring

conf t
monitor session 1 source interface fa1/0/1
monitor session 1 destination interface fa1/0/15


If your switch doesn't support the monitor session syntax, you will need
to do the following:
interface FastEthernet0/x
 port monitor FastEthernet0/a
 port monitor FastEthernet0/b

fa0/x is the port your sniffer is plugged into; 0/a and 0/b are the
ports you want to sniff.

Saturday, January 1, 2011

Setup Vyatta dnsmasq

vyatta@vyatta:~$ configure
vyatta@vyatta# set service dns forwarding listen-on eth1
vyatta@vyatta# set service dns forwarding name-server 192.168.1.1
vyatta@vyatta# commit
vyatta@vyatta# save

Setup Vyatta NAT

vyatta@vyatta:~$ configure
vyatta@vyatta# set service nat rule 1 source address 10.10.10.1/24
vyatta@vyatta# set service nat rule 1 outbound-interface eth0
vyatta@vyatta# set service nat rule 1 type masquerade
vyatta@vyatta# commit
vyatta@vyatta# save

Setup Vyatta interfaces, SSH and HTTPS access

configure
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 address 192.168.1.1/24
set service ssh
set service https
commit
exit

Install Vyatta on hdd

Download VC6.1 - Virtualization.iso from http://www.vyatta.org/downloads

Create a VM with 256MB memory and a 1GB HDD.

1. boot livecd (default login: vyatta/vyatta)
2. install-system
3. remove CD and reboot
4. "show version" to verify boot via disk
5. configure
6. save
7. reboot