Port security on a trunk port

interface FastEthernet0/1

 switchport trunk native vlan 20

 switchport mode trunk

 switchport port-security maximum 2

 switchport port-security

 switchport port-security violation restrict

 switchport port-security mac-address sticky

 switchport port-security maximum 1 vlan 20,30

VRF-Lite guest VLAN for Wireless

ip vrf GUEST_WIFI

 description Guest vlan

interface Vlan66

 description Guest WiFi

 ip vrf forwarding GUEST_WIFI

 ip address 10.10.10.250 255.255.255.0

 ip nat inside

 ip virtual-reassembly

ip access-list extended nonat0_GUEST_WIFI

 deny   ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255

 permit ip 10.10.10.0 0.0.0.255 any

ip nat inside source list nonat0_GUEST_WIFI interface FastEthernet1 vrf GUEST_WIFI overload

ip route vrf GUEST_WIFI 0.0.0.0 0.0.0.0 FastEthernet1 192.168.0.1 global

ip dhcp pool GUEST_WIFI

   vrf GUEST_WIFI

   network 10.10.10.0 255.255.255.0

   default-router 10.10.10.250 

   dns-server 8.8.8.8  

   domain-name guest

   lease 2

OSPF redistribute static routers

access-list 10 permit 10.10.10.10

access-list 10 permit 10.10.20.0 0.0.0.255

route-map STATIC-OSPF permit 10

 match ip address 10

router ospf 100

 redistribute static metric 100 subnets route-map STATIC-OSPF

delay for wireless client for deploy GPO MSI software

Add this key for boot delay 60 sec for wireless client for deploy GPO and install MSI software.

Usualy 60 sec is enough but you can increase it if need. I use GPO for set this key. 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"GpNetworkStartTimeoutPolicyValue"=dword:0000003c

Cisco IOS archive

Cisco has simple method for backup config

mkdir flash:/archive

 

conf t

archive

 log config

  logging enable

  hidekeys

 path flash:archive/config

 write-memory

 

 

you can use other options like path tftp,scp... etc

also notify syslog contenttype plaintext if you want write to log

for check archive:

 

 

show archive log config all

show archive config differences flash:archive/config-1 system:running-config

 

Software upgrade Cisco Wireless LAN Controller

1. check your controller software version.

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 6.0.199.4

2. check  release notes for new software version and check upgrade patch table. 

3. download new image from cisco site and copy it to tftp server.

4. login to controller

(Cisco Controller) >transfer download mode tftp

(Cisco Controller) >transfer download serverip 172.16.15.70

(Cisco Controller) >transfer download path .

(Cisco Controller) >transfer download filename AIR-WLC2100-K9-7-0-116-0.aes

(Cisco Controller) >transfer download start

Mode............................................. TFTP

Data Type........................................ Code

TFTP Server IP................................... 172.22.22.10

TFTP Packet Timeout.............................. 6

TFTP Max Retries................................. 10

TFTP Path........................................ ./

TFTP Filename.................................... AIR-WLC2100-K9-7-0-116-0.aes

This may take some time.

Are you sure you want to start? (y/N) y

TFTP Code transfer starting.

TFTP receive complete... extracting components.

/mnt/application

Writing new RTOS to flash disk.

Writing new Code to flash disk.

Executing install_code script.

Writing new APIB to flash disk.

Executing install_apib script.

TFTP File transfer is successful.

  Reboot the controller for update to complete.

  Optionally, pre-download the image to APs before rebooting to reduce network downtime.

(Cisco Controller) >reset system

The system has unsaved changes.

Would you like to save them now? (y/N) y

Configuration Saved!

System will now restart!

Enable ASDM for Cisco ASA

ciscoasa# conf t

ciscoasa(config)#asdm image disk0:/asdm-645-106.bin

ciscoasa(config)#http server enable

ciscoasa(config)#http 172.16.1.0 255.255.255.0 inside

upgrade ROM and IOS for cisco 4900 switches

for ROM upgrade:

1. download last rom from cisco site.

2. copy rom file to switch bootflash:

3. turn on switch and enter control-C to go to rommon

4. enter rommon 1 >boot bootflash:cat4500-ios-promupgrade-122_31r_SGA7(or your rom)

5. switch will restarted after upgraide

6. run show version  | i ROM

 

 

for IOS upgrade:

1. download last ios

2. copy ios to switch bootflash:

3. enter show running-config | i boot system

4. go to config mode 

5. enter no boot system flash bootflash:cat4500-entservicesk9-mz.122-13.SG1.bin(your ios)

6. enter boot system flash bootflash:cat4500-entservicesk9-mz.122-54.SG.bin

7. save config and reboot switch

8. check ios version after reboot show version | i bootflash 

MS Outlook autocomplete cache file

MS Outlook autocomplete cache file 

path for file:

Windows XP

C:\Documents and Settings\username\Application Data\Microsoft\Outlook\outlook.NK2

Windows 7

C:\Users\username\AppData\Roaming\Microsoft\Outlook\outlook.NK2

Maximim emails key

H_KEY_CURRENT_USER\Software\microsoft\Office\10.0\outlook\

DWORD MaxNicknames default it is 1000

Cisco switch port security

 Example:

int Fa0/1 

switchport mode access

!- maximum MAC address on port

 switchport port-security maximum 2

 switchport port-security

!- restrict MAC, logging  but don't shutdown port

 switchport port-security violation restrict

 switchport port-security mac-address sticky

 !- allowed MAC addresses

 switchport port-security mac-address sticky 702a.0371.96a6

 switchport port-security mac-address sticky 78d6.f355.eb4d

Show port security settings:

show port-security int Fa 0/1

Cisco DHCP Snooping

just config, it's pretty easy

!enable DHCP snooping for vlan 1

ip dhcp snooping

ip dhcp snooping vlan 1

!enable DHCP option 82

ip dhcp snooping information option

!set trust port for DHCP server

int Gi0/2

ip dhcp snooping trust

!set limit per second

int range Fa0/1 - 24

ip dhcp snooping limit rate 20

!set trust trunk port:

ip dhcp snooping trust

show settings:

show ip dhcp snooping

show ip dhcp snooping binding

Remote change power settings

you can use it if need change power settings for remote computer

get info about remote power pc settings:

PsExec.exe \\rcomputer  powercfg -query

 

disable sleep timeout:

PsExec.exe \\rcomputer  powercfg -change -standby-timeout-ac 0

 

other interesting options:

 

powercfg -change -monitor-timeout-ac 0

powercfg -change -monitor-timeout-dc 0

powercfg -change -disk-timeout-ac 0

powercfg -change -disk-timeout-dc 0

powercfg -change -standby-timeout-ac 0

powercfg -change -standby-timeout-dc 0

powercfg -change -hibernate-timeout-ac 0

powercfg -change -hibernate-timeout-dc 0

 

Remote enable Remote Desktop

This example show how you can use PsExec for enable Remote Desktop remotely

Enable RDP:

PsExec.exe \\remotepc  reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

 

Enable RDP through firewall:

PsExec.exe \\remotepc netsh firewall set service remoteadmin enable

PsExec.exe \\remotepc netsh firewall set service remotedesktop enable

Cisco IOS clock settings

set correct time zone:

clock timezone PCTime -8

 

set summer time old ios:

clock summer-time PCTime date Mar 13 2011 2:00 Nov 6 2011 2:00

 

New IOS have other nice settings, it's need setup just one time:

clock summer-time CDT recurring

 

set ntp server:

ntp server XXX.XXX.XXX.XXX

 

set clock:

clock set 10:30:00 Jul 12 2011

 

show clock:

show clock

VPN syslog error

If vpn is up but you have errors log

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

 

for fix it add to router

crypto ipsec security-association replay window-size 1024

Change your Windows MTU

Example how to find your correct MTU

 

1. Find your Windows MTU:

netsh interface ipv4 show subinterfaces 

 

2. Find your ISP MTU:

ping yourISPgatewayIP -f -l 1400

incrice size until you get:

Packet needs to be fragmented but DF set.

Last sucsess ping size+28 is you correct MTU

 

3. For set MTU:

netsh interface ipv4 set subinterface "Local Area Connection" mtu=1472 store=persistent

 

 

 

  

Flexible NetFlow for IOS

 

If you use vpn links standart netflow don't work with vpn links. You need use flexible netflow.

It works well with vpn links. Update your IOS if your router don't support it.   

 

Example:

 

flow exporter NETFLOW1-EXPORTER

 

 description NetFlow Analyzer

 destination 172.16.0.1

 source Loopback0

 output-features

 transport udp 9996

 export-protocol netflow-v9

!

!

flow exporter NETFLOW2-EXPORTER

 description Scrutinizer

 destination 172.16.0.2

 source Loopback0

 output-features

 transport udp 9996

 export-protocol netflow-v9

!

!

flow monitor NETFLOW1

 record netflow-original

 exporter NETFLOW2-EXPORTER

 exporter NETFLOW1-EXPORTER

 cache timeout active 1

!

!

interface Tunnel12

 ip flow monitor NETFLOW1 input

 ip flow monitor NETFLOW1 output

!

!

interface FastEthernet1

 ip flow monitor NETFLOW1 input

 ip flow monitor NETFLOW1 output

 

 

link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/ps6965/prod_white_paper0900aecd804be1cc.html

 

ssh and MyEnTunnel

I use putty for configure my routers and some time for ssh tunnels for access to home network.

However putty need reconnect every time. MyEnTunnel can reconnect automatically and make your life easy. You can setup a lot of ports. 

For example for 3 RD for home network:

3310:192.168.1.10:3389

3311:192.168.1.11:3389

3312:192.168.1.12:3389

MyEnTunnel is free and you can download it from http://nemesis2.qx.net/pages/MyEnTunnel

Cisco router as dhcp client

Sometimes ISP provide only dhcp ip for branch offices.  When you use firewall, I hope you use it , you need use rule for open dhcp traffic  in your firewall.

interface FastEthernet0/0 ip address dhcp ip access-group ISP in ip access-list extended ISP permit udp any eq bootps any eq bootpc

Bat file for reboot PC remotely

Sometimes you need reboot pc at night. It help you.

@echo off dsquery computer ou=workstations,dc=contoso,dc=com -o rdn > pc_workstations.txt for /F "tokens=*" %%i in (pc_workstations.txt) do call :reboot %%i% goto Ready :Reboot set remotepc=%1% set remotepc=%remotepc:~1,-1% shutdown /f /r /c "Reboot by administrator" /m \\%remotepc% goto :EOF :Ready

Connect Cisco IP Phone 7960 to Asterisk

Previous post was about upgrade cisco ip phone to SIP version firmware.

Now short post how to setup asterisk

Example sip.conf

[550] host=dynamic context = office-all type=friend username = 550 secret = secret550 callerid = cisco550 <550> [551] host=dynamic context = office-all type=friend username = 551 secret = secret551 callerid = cisco551 <551>

 

for reload config run asterisk console and run command

unknown*CLI> config reload /etc/asterisk/sip.conf

Cisco 7960 upgrade to SIP firmware

I bought one ip phone cisco 7960 on ebay it was with SCCP firmware. I use asterisk so need upgrade firmware.

Step by step.

1. Download and setup SolarWinds TFTP Server. It is free and works well.

2. Need SIP firmware from cisco site. I downloaded last version P0S3-08-8-00.zip . Unzip it to TFTP directory.

3. We need additional 5 files. I used notepad for it.

3.1 SIP<MAC adresse>.cnf

Example for two lines :

line1_name : 550 line1_authname : 550 ;user name registered in your Asterisk PBX line1_password : secret550 ;password registered in your Asterisk PBX line2_name : 551 line2_authname : 551 line2_password : secret551

3.2 SIPDefault.cnf

Example:

#Image Version image_version:P0S3-08-8-00 ; #Proxy server address proxy1_address: 192.168.10.1 ; proxy_register: 1;

3.3 xmlDefault.CNF.XML

Example:

<loadInformation7 model="IP Phone 7960">P0S3-08-8-00</loadInformation7>

3.4 RINGLIST.DAT

Example:

Piano 1 Piano1.raw Piano 2 Piano2.raw Pop Pop.raw Pulse Pulse1.raw Old Style ringer1.pcm Synth Low ringer2.pcm

3.5 dialplan.xml

Example:

<DIALTEMPLATE> <TEMPLATE MATCH="*" Timeout="5"/> <!-- Anything else --> </DIALTEMPLATE>

4. Copy all files to TFTP directory. As result we get 10 files.
5. Run TFTP server.
6. Erase cisco ip phone old config.

6.1 Disconnect network cable, power on phone.

6.2 Unlock configuration., go to settings-Network configuration-Erase configuration-yes

6.3 SaveCancel-Exit.

7. Unlock configuration., go to settings-Network configuration-TFTP server. Enter new TFTP server, Save-Exit.

8. Power off, connect network cable, power on phone.

As result you will see tftp server logs and your ip phone will get SIP firmware.

change VM disk size

Some times you need increase disk size for VM disk. It's easy.

vmware-vdiskmanager -x 20GB MV_disk.vmdk

also you need use Partition Magic or Acronis software to change windows drive size.

Cisco port security

SW1# conf t

SW1(config)# interface fastethernet0/1

SW1(config-if)# switchport mode access

SW1(config-if)# switchport port-security

SW1(config-if)# switchport port-security maximum 2

SW1(config-if)# switchport port-security violation restrict

SW1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxa

SW1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxb

Cisco port mirroring

conf t

monitor session 1 source interface fa1/0/1

monitor session 1 destination interface fa1/0/15

if your switch doesn't support the monitor session syntax, you will need

to do the following:

interface FastEthernet0/x

port monitor FastEthernet0/a

port monitor FastEthernet0/b

fa0/x is the port your sniffer is plugged into, 0/a and 0/b would be any

ports u want to sniff.

Setup Vyatta dnsmasq

vyatta@vyatta:~$ configure

vyatta@vyatta# set service dns forwarding listen-on eth1

vyatta@vyatta# set service dns forwarding name-server 192.168.1.1

vyatta@vyatta# commit

vyatta@vyatta# save

Setup Vyatta NAT

vyatta@vyatta:~$ configure

vyatta@vyatta# set service nat rule 1 source address 10.10.10.1/24

vyatta@vyatta# set service nat rule 1 outbound-interface eth0

vyatta@vyatta# set service nat rule 1 type masquerade

vyatta@vyatta# commit

vyatta@vyatta# save

setup Vyatta interfaces, ssh and https access

configure

set interfaces ethernet eth0 address dhcp

set interfaces ethernet eth1 address 192.168.1.1/24

set service ssh

set service https

commit

exit

Install Vyatta on hdd

Download VC6.1 - Virtualization.iso from http://www.vyatta.org/downloads

Create VM 256MB memory and 1Gb HDD

1. boot livecd (default login: vyatta/vyatta)
2. install-system
3. remove CD and reboot
4. "show version" to verify boot via disk
5. configure
6. save
7. reboot