How to break a traceroute on Cisco devices

Here is the thing: when you run a traceroute to an IP address, the device sends probes whether or not the address is reachable. On an unreachable or non-existent destination it keeps going until it hits the maximum of 30 hops (the default TTL limit), which is a long time to sit and watch.

In a normal command prompt you can stop this with CTRL+C or CTRL+Break.

On Cisco devices that does nothing; the only way to abort it is the IOS escape sequence, CTRL+SHIFT+6 (Ctrl+^), the same sequence that aborts a running ping.

Small things help when you are frustrated!

Ravindu Denawaka

Netscreen Firewall: Copy Config From One to Another

I am not a Juniper specialist, I am a Cisco freak! Too bad Juniper is taking a big sector of the IT industry, so I think you need to know both in the near future. I am replacing one of the internal Juniper Netscreen firewalls in my company. Here is the easiest and fastest solution that I came up with.

Log in to the current Netscreen WebUI.
Go to Configuration > Update > Config File.
Click Save Config File and save it to your desktop. This file is the complete configuration, including the admin accounts and any VPN keys, so keep it somewhere private and delete it once the second firewall is running.
Console into the second Netscreen, the one you need to copy the config to. In my case there was an existing config on the second Juniper, so I simply erased it.

Commands used:
#unset all
#reset

The firewall reboots; log in with the default Netscreen root credentials (netscreen/netscreen).

Now you need to make the WebUI reachable, because the device is back at factory defaults. The second command restricts management access to the 192.168.1.0/24 range; the mask has to be 255.255.255.0 so that your PC at 192.168.1.2 is allowed through (a host mask here locks you out of the box you just reset).
# set interface eth1 ip manageable
# set admin manager-ip 192.168.1.1 255.255.255.0

Plug your Ethernet cable into the eth1 port of the firewall and configure your PC's network settings as:
IP Address: 192.168.1.2
Default Gateway: 192.168.1.1
Network Mask: 255.255.255.0
By default eth1 on the Netscreen is configured with the IP address 192.168.1.1.

Open your browser and go to 192.168.1.1.
Log in as root again, username netscreen and password netscreen.
Go to the same section as in the image above (Configuration > Update > Config File).
Now you have the option to replace the current config (the second option).
Browse to the config file you saved before and click Apply/Upload.

That's it; it reboots by itself once the new config is uploaded. When it comes back, the restored config's own admin password and manager-ip settings are in effect, so log in with those and confirm that the default netscreen/netscreen credentials no longer work.

Hope this helps someone…

Ravindu Denawaka

Juniper Netscreen/ScreenOS Web User Interface in IE

With its default settings IE cannot talk to the Netscreen/ScreenOS WebUI over HTTPS. IE has TLS 1.0 enabled by default and the ScreenOS web server does not support it, so the handshake fails before the login page ever loads.

Solution:

Tools > Internet Options > Advanced > under "Security" > untick "Use TLS 1.0".

IE then falls back to SSL 3.0 for the connection, which is an obsolete protocol, so only make this change on the workstation you manage the firewall from and put the tick back once you are finished; otherwise every other HTTPS site you visit can be downgraded too.

Cisco PoE Switches: Switch Ports Can Be Power-Disabled

For some reason one of the PoE switches, a Cisco 3750, was not providing enough power to IP phones. When you plug in an IP phone it takes the power from another IP phone plugged into the same switch.

I had two options: either provide the IP phones power with an adapter, or shut down the power on a few other switch ports that don't use the power feature.

How to disable power on a switch port?

Step 1
configure terminal - Enter global configuration mode.

Step 2
interface interface-id - Enter interface configuration mode for the physical interface to be configured.
eg: interface fa 0/1

Step 3
power inline {auto | never} - Configure PoE on the interface. auto (the default) powers a detected device if the budget allows; never refuses power on that port whatever is plugged in, so only use it on ports that will never host a phone or access point.
eg: power inline never

Step 4
end - Return to privileged EXEC mode.

Step 5
show power inline [interface-id | module switch-number] - Display PoE status for a switch or switch stack, for the specified interface, or for a specified stack member. The summary gives available, used and remaining watts; in the per-port list, Oper "on" is a powered device, "off" means nothing powered is attached, and "power-deny" means a device was detected but refused power because the budget was exhausted, which is the symptom described above.

Step 6
write memory - Save your entries in the configuration file. Otherwise the changes are lost when the switch restarts.
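As an added example (not code from the original post), here is a Python script that parses a constructed "show power inline" dump in the Catalyst 3750 layout, reports the ports that were refused power (Oper power-deny), the static ports that reserve their maximum while nothing is attached, and the idle auto ports, and then renders the steps above as one config batch for the ports it is safe to disable. The interface names, wattages and device strings in the sample are made up, and the function names are chosen here.

```python
"""Audit a Catalyst 'show power inline' dump and emit the 'power inline never'
lines for ports that are safe to disable. Added example, not from the post."""
import re

# Constructed sample in the Catalyst 3750 'show power inline' layout. Interface
# names, wattages and device strings are made up; only six ports are listed.
SAMPLE_SHOW_POWER_INLINE = """\
Module   Available     Used     Remaining
          (Watts)     (Watts)    (Watts)
------   ---------   --------   ---------
1           370.0      369.6         0.4

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Fa1/0/1   auto   on         15.4    IP Phone 7960       n/a   15.4
Fa1/0/2   auto   on         15.4    IP Phone 7960       n/a   15.4
Fa1/0/3   static off        15.4    n/a                 n/a   15.4
Fa1/0/4   auto   off        0.0     n/a                 n/a   15.4
Fa1/0/5   never  off        0.0     n/a                 n/a   15.4
Fa1/0/6   auto   power-deny 0.0     Ieee PD             3     15.4
"""

MODULE_RE = re.compile(
    r"^(?P<module>\d+)\s+(?P<avail>[\d.]+)\s+(?P<used>[\d.]+)\s+(?P<rem>[\d.]+)\s*$")
# Device names contain spaces, so match them lazily up to the Class and Max columns.
PORT_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<admin>auto|static|never)\s+(?P<oper>\S+)\s+"
    r"(?P<power>[\d.]+)\s+(?P<device>.+?)\s+(?P<cls>\S+)\s+(?P<max>[\d.]+)\s*$")


def parse_power_inline(text):
    """Return (per-module budget rows, per-port rows) from the command output."""
    modules, ports = [], []
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            modules.append({"module": int(m["module"]), "avail": float(m["avail"]),
                            "used": float(m["used"]), "rem": float(m["rem"])})
            continue
        m = PORT_RE.match(line)
        if m:
            row = m.groupdict()
            row["power"], row["max"] = float(row["power"]), float(row["max"])
            ports.append(row)
    return modules, ports


def audit_power(text):
    """Classify ports against the PoE budget.

    denied:      Oper 'power-deny', a device was detected but refused power
    static_idle: Admin 'static' with nothing attached; static pre-allocates
                 the port's maximum, so these reserve watts for nobody
    auto_idle:   Admin 'auto' with nothing attached; they cost nothing today
                 but will take budget the moment a powered device appears
    """
    modules, ports = parse_power_inline(text)
    report = {
        "remaining_w": round(sum(m["rem"] for m in modules), 1),
        "denied": [p["intf"] for p in ports if p["oper"] == "power-deny"],
        "static_idle": [p["intf"] for p in ports
                        if p["admin"] == "static" and p["oper"] == "off"],
        "auto_idle": [p["intf"] for p in ports
                      if p["admin"] == "auto" and p["oper"] == "off"],
    }
    report["reclaimable_w"] = round(
        sum(p["power"] for p in ports if p["intf"] in report["static_idle"]), 1)
    return report


def render_config(report, disable_auto_idle=False):
    """Steps 1-4 and 6 from the post as one config batch: idle static ports are
    always disabled; idle auto ports only when the caller has decided those
    ports will never host a phone or access point."""
    targets = list(report["static_idle"])
    if disable_auto_idle:
        targets += report["auto_idle"]
    lines = ["configure terminal"]
    for intf in targets:
        lines += [f"interface {intf}", " power inline never"]
    return lines + ["end", "write memory"]


if __name__ == "__main__":
    rep = audit_power(SAMPLE_SHOW_POWER_INLINE)
    print(f"{rep['remaining_w']} W left; refused power: {rep['denied']}")
    print(f"idle static ports holding {rep['reclaimable_w']} W: {rep['static_idle']}")
    print("\n".join(render_config(rep, disable_auto_idle=True)))
```

Paste the real command output into the sample string and run it; the idle static ports are the quick win, because a static port holds its maximum even with nothing plugged in, whereas an idle auto port only matters once someone plugs a phone into it.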

How to reset your Cisco Switch Password

This document covers all the steps you need to recover or reset the password on a Cisco switch:

http://www-tss.cisco.com/eservice/compass/common/activities/password_cat_2950.htm

Awesome tutorial !

How to create a read only user in Cisco devices

Here is the thing: can you believe there is no straightforward way to configure a read-only user on Cisco devices? If you know of a way to do it, please correct me here.

Scenario: my manager asked me to create a read-only user on 90 networking devices (routers, switches, load balancers, firewalls) for a company in transition. We have two environments and they are configured differently. Again, for security reasons I cannot give more details.

Initial planning: the first thing that came to my mind was Kiwi CatTools and a batch update for all the devices. Before actually building the implementation I tried the commands on a DR switch. After spending a few hours on the commands I found there was no way to create a read-only user.

By default, there are three command levels on the router:

• privilege level 0 — includes the disable, enable, exit, help and logout commands.

• privilege level 1 — the normal level on Telnet; includes all user-level commands at the router> prompt.

• privilege level 15 — includes all enable-level commands at the router# prompt.

If I use privilege level 0 or 1 the user cannot run the show commands that matter here, such as show running-config or show config (both sit at level 15 by default), and if I use privilege level 15 it is a power user. So my research continued... The link below helped me a lot and saved my research time. The official CCNA Security book, page 123, AAA configuration, also helped me understand how these privilege levels and AAA work on Cisco devices.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

My solution: there are two ways to get around this problem. (Newer IOS releases also offer role-based CLI access, configured with parser view, which is the purpose-built way to define a read-only role; the two methods below work on releases without it.)

a) Create a new user with a custom privilege level and move each exec command this user may run down to that level [this is not really what I was looking for]. When the user does a show run, the output only shows the items/sections he can modify at his level.

username john privilege 9 password cisco
privilege exec level 8 configure terminal
privilege configure level 8 interface

configure terminal is an exec command, so it is moved with privilege exec; interface is a configure-mode command, hence privilege configure. Prefer username john privilege 9 secret ... over password: secret stores a hash, while password stores a reversible type 7 string that anyone who can read the config can decode.

Log in as the user you created, in my case john, and do a show run.

b) Create a new user with a custom privilege level and allow the show configuration command at that level. The user can then run show config, which is very similar to show running-config: it displays the startup configuration, i.e. what was last saved with write memory, so it matches the running configuration as long as the device has been saved.

username john privilege 9 password cisco
privilege exec level 7 show config

Log in as the user you created, in my case john, and do a show config.

For both methods you need to enable AAA on each device; aaa authorization exec default local is what makes the privilege level on the username take effect at login. If you don't understand the AAA model, please read about it in the Cisco knowledge base.

aaa new-model
aaa authentication login default local
aaa authorization exec default local

Note: you cannot get a full show running-config this way: at a privilege level below 15 its output is filtered to the commands that level is allowed to configure, which is exactly the behaviour method (a) relies on.

Note: if you have specified a privilege level on the vty lines, that level applies to everyone logging in on those lines and can override whatever you specified on the username, so check the lines before relying on the per-user level.

line vty 0 3
privilege level 15
login authentication Company-RLogin

Additional note: to be prompted for a username on all Cisco devices you have to ask for it on the lines, either with login local or with a named authentication list as in the example above.

line vty 0 3
login local
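Added example (not from the original post): a Python audit that checks a device's running-config for the pieces this recipe needs and for the vty pitfall in the note above, so it can be run over the saved configs of all 90 devices before anyone trusts the read-only login. The two config excerpts are constructed from the commands on this page; the hostnames and the password hash are made up, and the function names are chosen here.

```python
"""Audit running-configs for the read-only-user recipe above. Added example,
not from the post; functions and sample configs are constructed here."""
import re

# Constructed excerpts built from the commands on this page. Hostnames and the
# password hash are made up.
GOOD_CONFIG = """\
hostname DR-SW1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username john privilege 9 secret 5 $1$made$upHashForTheExample/
privilege exec level 7 show config
line vty 0 3
 transport input ssh
line vty 4 15
 transport input ssh
"""

BAD_CONFIG = """\
hostname PROD-SW7
username john privilege 9 password cisco
privilege exec level 7 show config
line vty 0 3
 privilege level 15
 login local
"""


def parse_sections(config):
    """Split an IOS config into (top-level command, [indented sub-commands])."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] in " \t" and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.rstrip(), []))
    return sections


def audit_readonly_user(config, user="john"):
    """Findings that stop 'user' from being a working read-only login.
    An empty list means the device matches method (b) above."""
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]
    findings = []
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing")
    if "aaa authorization exec default local" not in top:
        findings.append("aaa authorization exec default local missing: "
                        "the privilege on the username is not applied at login")
    user_cmd = next((c for c in top if c.startswith(f"username {user} ")), None)
    level = 1  # IOS default when no privilege keyword is given
    if user_cmd is None:
        findings.append(f"username {user} not defined")
    else:
        m = re.search(r"\bprivilege (\d+)\b", user_cmd)
        level = int(m.group(1)) if m else 1
        if level >= 15:
            findings.append(f"{user} is privilege {level}: that is full access")
        if re.search(r"\bpassword\b", user_cmd):
            findings.append(f"{user} uses 'password' (reversible type 7); use 'secret'")
    # 'show config' sits at level 15 unless moved down with 'privilege exec level'.
    moved = [int(m.group(1)) for c in top
             if (m := re.match(r"privilege exec level (\d+) show config$", c))]
    if not moved or min(moved) > level:
        findings.append(f"show config is not reachable from privilege {level}")
    # A privilege level set on the vty lines can override the one on the username.
    for cmd, subs in sections:
        if cmd.startswith("line vty"):
            for sub in subs:
                m = re.match(r"privilege level (\d+)$", sub)
                if m and int(m.group(1)) != level:
                    findings.append(f"'{cmd}' sets privilege level {m.group(1)}, "
                                    f"overriding privilege {level} on the username")
    return findings


def audit_fleet(configs, user="john"):
    """Run the audit over {hostname: running-config}; only failing hosts are returned."""
    return {host: f for host, cfg in configs.items() if (f := audit_readonly_user(cfg, user))}


if __name__ == "__main__":
    for host, findings in audit_fleet({"DR-SW1": GOOD_CONFIG, "PROD-SW7": BAD_CONFIG}).items():
        print(host)
        for f in findings:
            print("  -", f)
```

Feed it the configs that Kiwi CatTools (or any backup job) already collects and only the hosts with findings come back; the vty check is the one that catches a "read-only" user who actually lands at level 15.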

 

Ravindu Denawaka [Bachelor of Network Computing, CCNA, MCSE]

How to setup the ScriptManager for JQuery and MS Ajax Framework

Quick note of how to set up JS frameworks using ScriptManager server control.

Nmap Official Book is Out

Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (Paperback)

by Gordon Fyodor Lyon (Author)

The book we have all been waiting for. It seems to cover all the techniques for port scanning and enumeration. You can buy it on Amazon:


http://www.amazon.com/gp/offer-listing/0979958717/ref=dp_olp_new?ie=UTF8&condition=new

VLANs and Trunks (CCNA,CCNP)

What is a VLAN?

VLAN Diagram

What is a Native VLAN?

Native VLAN must be the same on both trunk ends?

What is a TRUNK?

What is DTP (Dynamic Trunking Protocol)?

Basic Configuration of a VLAN

Show commands associated

Switch Port Security

What is port security?

The port security feature remembers the Ethernet MAC address(es) seen on a switch port and allows only those addresses to send traffic on that port (by default a single address, learned dynamically). When a frame from any other MAC address arrives, the default violation mode, shutdown, puts the port into the err-disabled state; the other two modes, protect and restrict, drop the offending frames but leave the port up, and restrict additionally counts the violations and raises a trap. Most of the time network administrators configure the switch to send an SNMP trap to their monitoring system saying the port has been disabled for security reasons.

 

How to enable port security

A port has to be statically in access (or trunk) mode before port security is accepted; on a port left in the default dynamic (DTP) mode the command is rejected, so set switchport mode access first.

Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
Switch(config-if)# switchport port-security
Switch(config-if)# ^Z

You can also configure port security on a range of ports.

Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# ^Z

 

 

SNMP Trap?

TBA

Show port security status of switch ports

Switch# show port-security address

The output should look something like this:

Switch# show port-security address
          Secure Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address        Type               Ports
----    -----------        ----               -----
 116    0013.d333.9007     SecureSticky       Fa1/1
 116    001a.6b61.5274     SecureSticky       Fa1/2
 990    0000.0000.0001     SecureConfigured   Fa1/4
 116    0016.41ef.4b5b     SecureSticky       Fa1/5
 148    0000.74ad.e544     SecureSticky       Fa1/6
 136    0013.d333.9bef     SecureSticky       Fa1/7
 990    0000.0000.0002     SecureConfigured   Fa1/8
 116    0013.d333.955f     SecureSticky       Fa1/9
 990    0000.0000.0003     SecureConfigured   Fa1/10
 116    0016.1789.9d9f     SecureSticky       Fa1/12
 116    000d.60c1.f423     SecureSticky       Fa1/14
 116    0013.d333.ab4d     SecureSticky       Fa1/15

SecureSticky entries were learned from traffic and written into the running configuration by switchport port-security mac-address sticky, so they survive a reload once the config is saved; SecureConfigured entries were typed in by hand with switchport port-security mac-address <mac>.


Clear port security

There are a few ways to clear port security. On CatOS:

Console> (enable) clear port security 4/1 00-11-22-33-44-55
00-11-22-33-44-55 cleared from secure address list for port 4/1.

On IOS the command is run from privileged EXEC and takes the entry type, plus optionally a MAC address or an interface:

Switch# clear port-security sticky interface fa0/1
Switch# clear port-security {all | configured | dynamic | sticky} [address <mac> | interface <interface-id>]

Note: when a port is in the err-disabled state, in most cases you need to shut down the interface and bring it back up (shutdown, then no shutdown). If you would rather have the switch do that itself after a delay, errdisable recovery cause psecure-violation together with errdisable recovery interval <seconds> re-enables ports disabled by a port-security violation; the device that caused the violation will trip it again if it is still connected.

Note: if a MAC address is registered on a port and you still want to assign this MAC address to another port on the same switch: I got into so much trouble by doing this. In my experience you cannot allocate the same MAC address to two ports. You need to clear the port security, shut down one interface and assign the MAC address to the other port.
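Added example, not the post's own code: given the show port-security address table printed above (the sample string is that table as printed), the script below summarises the secure addresses by type and produces the IOS command sequence for moving a secure MAC to another port on the same switch in the order the note describes: release it from its current port first, bounce that port if it went err-disabled, then secure the address on the new port. The command syntax is Catalyst IOS; plan_move and the other names are chosen here.

```python
"""Plan a secure-MAC move between ports from 'show port-security address'.
Added example, not the post's code; function names are chosen here."""
import re
from collections import Counter

# Sample: the 'show port-security address' table printed above, as-is.
SAMPLE_TABLE = """\
          Secure Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address        Type               Ports
----    -----------        ----               -----
 116    0013.d333.9007     SecureSticky       Fa1/1
 116    001a.6b61.5274     SecureSticky       Fa1/2
 990    0000.0000.0001     SecureConfigured   Fa1/4
 116    0016.41ef.4b5b     SecureSticky       Fa1/5
 148    0000.74ad.e544     SecureSticky       Fa1/6
 136    0013.d333.9bef     SecureSticky       Fa1/7
 990    0000.0000.0002     SecureConfigured   Fa1/8
 116    0013.d333.955f     SecureSticky       Fa1/9
 990    0000.0000.0003     SecureConfigured   Fa1/10
 116    0016.1789.9d9f     SecureSticky       Fa1/12
 116    000d.60c1.f423     SecureSticky       Fa1/14
 116    0013.d333.ab4d     SecureSticky       Fa1/15
"""

ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>Secure\w+)\s+(?P<port>\S+)", re.IGNORECASE)


def parse_secure_table(text):
    """One dict per secure-address row; header and rule lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def summarize(entries):
    """Count secure addresses per type (sticky-learned vs statically configured)."""
    return dict(Counter(e["type"] for e in entries))


def plan_move(entries, mac, new_port, old_port_errdisabled=False, sticky=True):
    """IOS commands to move a secure MAC to another port on the same switch.

    The switch will not secure one MAC on two ports, so the address is released
    from its current port first: sticky entries are cleared from the address
    table in exec mode, configured entries are removed from the interface
    config. If the old port went err-disabled it is bounced, then the MAC is
    secured on the new port. Returns [] when the MAC is already on new_port.
    """
    mac = mac.lower()
    current = next((e for e in entries if e["mac"].lower() == mac), None)
    if current and current["port"].lower() == new_port.lower():
        return []
    exec_cmds, cfg = [], ["configure terminal"]
    if current:
        if current["type"].lower() == "securesticky":
            exec_cmds.append(f"clear port-security sticky address {mac}")
        else:
            cfg += [f"interface {current['port']}",
                    f" no switchport port-security mac-address {mac}"]
        if old_port_errdisabled:
            cfg += [f"interface {current['port']}", " shutdown", " no shutdown"]
    cfg += [f"interface {new_port}", " switchport port-security",
            f" switchport port-security mac-address {'sticky ' if sticky else ''}{mac}",
            "end", "write memory"]
    return exec_cmds + cfg


if __name__ == "__main__":
    table = parse_secure_table(SAMPLE_TABLE)
    print(summarize(table))
    print("\n".join(plan_move(table, "0013.d333.9007", "Fa1/3", old_port_errdisabled=True)))
```

One thing the plan cannot see from this table: a sticky entry that is cleared while the device is still plugged into the old port is simply learned again, so unplug the device or shut that port before running the commands.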

 

Cisco Reference: http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_port_security_on_Cisco_Catalyst_switches_running_CatOS