Friday, December 9, 2016

Cisco Catalyst L2/L3 Switch password recovery

  1. Attach a terminal or PC with terminal emulation (for example, HyperTerminal) to the console port of the switch.
    Use the following terminal settings:
    • Bits per second (baud): 9600
    • Data bits: 8
    • Parity: None
    • Stop bits: 1
    • Flow Control: Xon/Xoff

  2. Unplug the power cable.
  3. Power the switch and bring it to the switch: prompt:
    For 2900XL, 3500XL, 2940, 2950, 2960, 2970, 3550, 3560, and 3750 series switches, do this:
    Hold down the mode button located on the left side of the front panel, while you reconnect the power cable to the switch.
  4. The example below uses HyperTerminal to break into switch: mode on a 2955.
    C2955 Boot Loader (C2955-HBOOT-M) Version 12.1(0.0.514), CISCO DEVELOPMENT TEST
    VERSION
    Compiled Fri 13-Dec-02 17:38 by madison
    WS-C2955T-12 starting...
    Base ethernet MAC Address: 00:0b:be:b6:ee:00
    Xmodem file system is available.
    Initializing Flash...
    flashfs[0]: 19 files, 2 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 7741440
    flashfs[0]: Bytes used: 4510720
    flashfs[0]: Bytes available: 3230720
    flashfs[0]: flashfs fsck took 7 seconds.
    ...done initializing flash.
    Boot Sector Filesystem (bs:) installed, fsid: 3
    Parameter Block Filesystem (pb:) installed, fsid: 4
    
    *** The system will autoboot in 15 seconds ***
    Send break character to prevent autobooting.
    
    
    !--- Wait until you see this message before
    !--- you issue the break sequence.
    !--- Ctrl+Break is entered using HyperTerminal.
    
    
    The system has been interrupted prior to initializing the flash file system to finish 
    loading the operating system software:
    
    flash_init
    load_helper
    boot
    switch:
  5. Issue the flash_init command.
    switch: flash_init
    Initializing Flash...
    flashfs[0]: 143 files, 4 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 3612672
    flashfs[0]: Bytes used: 2729472
    flashfs[0]: Bytes available: 883200
    flashfs[0]: flashfs fsck took 86 seconds
    ....done Initializing Flash.
    Boot Sector Filesystem (bs:) installed, fsid: 3
    Parameter Block Filesystem (pb:) installed, fsid: 4
    switch:
    
    !--- This output is from a 2900XL switch. Output from
    !--- other switches will vary slightly.
    
    
  6. Issue the load_helper command.
    switch: load_helper
    switch:
  7. Issue the dir flash: command.
    Note: Make sure to type a colon ":" after the dir flash.
    The switch file system is displayed:
    switch: dir flash:
    Directory of flash:/
    2    -rwx  1803357   <date>               c3500xl-c3h2s-mz.120-5.WC7.bin
    
    !--- This is the current version of software.
    
    4    -rwx  1131      <date>               config.text
    
    !--- This is the configuration file.
    
    5    -rwx  109       <date>               info
    6    -rwx  389       <date>               env_vars
    7    drwx  640       <date>               html
    18   -rwx  109       <date>               info.ver
    403968 bytes available (3208704 bytes used)
    switch:
    
    !--- This output is from a 3500XL switch. Output from
    !--- other switches will vary slightly.
    
    
  8. Type rename flash:config.text flash:config.old to rename the configuration file.
    switch: rename flash:config.text flash:config.old
    switch:
    
    !--- The config.text file contains the password !--- definition.
    
    
  9. Issue the boot command to boot the system.
    switch: boot
    Loading "flash:c3500xl-c3h2s-mz.120-5.WC7.bin"...###############################
    ################################################################################
    ######################################################################
    File "flash:c3500xl-c3h2s-mz.120-5.WC7.bin" uncompressed and installed, entry po
    int: 0x3000
    executing...
    
    !--- Output suppressed.
    !--- This output is from a 3500XL switch. Output from other switches
    !--- will vary slightly.
    
    
  10. Enter "n" at the prompt to abort the initial configuration dialog.
    --- System Configuration Dialog ---
    At any point you may enter a question mark '?' for help.
    Use ctrl-c to abort configuration dialog at any prompt.
    Default settings are in square brackets '[]'.
    Continue with configuration dialog? [yes/no]: n 
    
    !--- Type "n" for no.
    
    Press RETURN to get started.
    
    !--- Press Return or Enter.
    
    Switch>
    
    !--- The Switch> prompt is displayed.
    
    
  11. At the switch prompt, type en to enter enable mode.
    Switch>en
    Switch#
  12. Type rename flash:config.old flash:config.text to rename the configuration file with its original name.
    Switch#rename flash:config.old flash:config.text
    Destination filename [config.text] 
    
    !--- Press Return or Enter.
    
    Switch#
  13. Copy the configuration file into memory.
    Switch#copy flash:config.text system:running-config
    Destination filename [running-config]? 
    
    !--- Press Return or Enter.
    
    1131 bytes copied in 0.760 secs
    Sw1#
    The configuration file is now reloaded.
  14. Overwrite the current passwords that you do not know. Choose a strong password with at least one capital letter, one number, and one special character.
    Note: Overwrite only the passwords you need to; you do not have to change all of the passwords shown below.
    Sw1# conf t
    
    !--- To overwrite the existing secret password
    Sw1(config)#enable secret <new_secret_password>
    
    !--- To overwrite the existing enable password
    !--- (stored reversibly, type 7 at best; when both are set, enable secret takes precedence)
    Sw1(config)#enable password <new_enable_password>
    
    !--- To overwrite the existing vty password
    Sw1(config)#line vty 0 15
    Sw1(config-line)#password <new_vty_password>
    Sw1(config-line)#login
    
    !--- To overwrite the existing console password
    Sw1(config-line)#line con 0
    Sw1(config-line)#password <new_console_password>
    
    !--- Return to privileged EXEC mode before saving
    Sw1(config-line)#end
    Sw1#
  15. Write the running configuration to the configuration file with the write memory command.
    Sw1#write memory
    Building configuration...
    [OK]
    Sw1#

Monday, June 22, 2015

Configure Cisco VTY local accounts and Enable passwords

  1. From the privileged EXEC (or "enable") prompt, enter configuration mode and enter username/password combinations, one for each user for whom you want to allow access to the router:
    router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)#username user1 privilege 5 secret california
    router(config)#username user2 privilege 10 secret texas
    router(config)#username user3 privilege 15 secret arizona
    router(config)#service password-encryption
    Note: "service password-encryption" obscures the passwords that would otherwise appear in plaintext in the configuration. They are stored as type 7, which is a reversible encoding rather than strong encryption; passwords configured with "secret" are already stored as salted hashes and are not affected.
  2. Switch to line configuration mode, using the following commands. Notice that the prompt changes to reflect the current mode.
    router(config)#line vty 0 4
    router(config-line)#logging synchronous
    router(config-line)#exec-timeout 60 0 
  3. Configure password checking at login for vty line.
    router(config-line)#login local
    
  4. Exit configuration mode.
    router(config-line)#end
    router#
    %SYS-5-CONFIG_I: Configured from console by console

Verify the Configuration

Examine the configuration of the router to verify that the commands have been properly entered:
  • show running-config - displays the current configuration of the router.
    router#show running-config
    Building configuration...
    !
    !--- Lines omitted for brevity
    !
    username user1 privilege 15 secret 5 $1$giXN$BA4qQ61PMFH0pckB1VvNp/
    username user2 ...............etc
    username user3 ...............etc
    !
    !--- Lines omitted for brevity
    !
    line con 0
    line 1 8
    line aux 0
    line vty 0 4
     password 7 13151601181B382F
     login local
    !
    end
    
    To test this configuration, a Telnet connection must be made to the router. This can be done by connecting from a different host on the network, but you can also test from the router itself by telnetting to the IP address of any interface on the router that is in an up/up state as seen in the output of the show interfaces command.
    Here is a sample output if the address of interface ethernet 0 were 10.10.10.1:
    router#telnet 10.10.10.1
    Trying 10.10.10.1 ... Open
    
    
    User Access Verification
    
    
    Username: user2
    Password:
    
    !--- Password entered here is not displayed by the router
    
    

Configure Cisco Local User-Specific Passwords

  1. From the privileged EXEC (or "enable") prompt, enter configuration mode and enter username/password combinations, one for each user for whom you want to allow access to the router:
    router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)#username user1 password california
    router(config)#username user2 password texas
    router(config)#username user3 password arizona
    
  2. Switch to line configuration mode, using the following commands. Notice that the prompt changes to reflect the current mode.
    router(config)#line vty 0 4
    router(config-line)#logging synchronous
    router(config-line)#exec-timeout 60 0 
  3. Configure password checking at login.
    router(config-line)#login local
    
  4. Exit configuration mode.
    router(config-line)#end
    router#
    %SYS-5-CONFIG_I: Configured from console by console

Verify the Configuration

Examine the configuration of the router to verify that the commands have been properly entered:
  • show running-config - displays the current configuration of the router.
    router#show running-config
    Building configuration...
    !
    !--- Lines omitted for brevity
    !
    username user1 password 0 california
    username user2 password 0 texas
    username user3 password 0 arizona
    !
    !--- Lines omitted for brevity
    !
    line con 0
    line 1 8
    line aux 0
    line vty 0 4
     login local
    !
    end
    
    To test this configuration, a Telnet connection must be made to the router. This can be done by connecting from a different host on the network, but you can also test from the router itself by telnetting to the IP address of any interface on the router that is in an up/up state as seen in the output of the show interfaces command.
    Here is a sample output if the address of interface ethernet 0 were 10.10.10.1:
    router#telnet 10.10.10.1
    Trying 10.10.10.1 ... Open
    
    
    User Access Verification
    
    
    Username: user2
    Password:
    
    !--- Password entered here is not displayed by the router
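    The two verification outputs above differ in how the credentials are stored (secret 5 hashes, password 0 plaintext, and a type 7 line password). As an added example, not part of the original post, here is a small Python audit that reads a running-config in that format and flags each storage type plus any vty block that does not use login local; the sample config is constructed from the excerpts above.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the two 'show running-config' excerpts above.
SAMPLE_CONFIG = """\
service password-encryption
username user1 privilege 15 secret 5 $1$giXN$BA4qQ61PMFH0pckB1VvNp/
username user2 password 0 texas
username user3 password 7 13151601181B382F
line con 0
line vty 0 4
 password 7 13151601181B382F
 login local
line vty 5 15
 login
 exec-timeout 60 0
"""

# The digit after 'password'/'secret' tells how IOS stored the credential.
TYPE_RISK = {
    "0": "HIGH: plaintext",
    "7": "MEDIUM: type 7 is reversible obfuscation, not encryption",
    "5": "LOW: salted MD5 secret (prefer type 8/9 on images that support them)",
}
USER_RE = re.compile(r"^username (\S+) .*?\b(password|secret) (\d) \S+")

def audit_config(text: str) -> List[Tuple[str, str]]:
    """Return (location, finding) pairs; a location is 'username X' or a 'line ...' block."""
    findings: List[Tuple[str, str]] = []
    blocks: Dict[str, Set[str]] = {}       # 'line vty 0 4' -> its sub-commands
    current = None
    for raw in text.splitlines():
        if not raw.startswith(" "):        # top-level command
            current = raw if raw.startswith("line ") else None
            if current:
                blocks[current] = set()
            m = USER_RE.match(raw)
            if m:
                user, kw, ptype = m.group(1, 2, 3)
                risk = TYPE_RISK.get(ptype, f"INFO: type {ptype}")
                findings.append((f"username {user}", f"{kw} type {ptype} -> {risk}"))
        elif current:                      # sub-command of the current line block
            cmd = raw.strip()
            blocks[current].add(cmd)
            parts = cmd.split()
            if parts[:1] == ["password"] and len(parts) > 2 and parts[1] in TYPE_RISK:
                findings.append((current, f"line password type {parts[1]} -> {TYPE_RISK[parts[1]]}"))
    for blk, cmds in blocks.items():       # vty access should use the local user database
        if blk.startswith("line vty") and "login local" not in cmds:
            findings.append((blk, "MEDIUM: no 'login local'; remote logins do not use per-user accounts"))
    return findings
```

    Feed it the output of show running-config; each finding names the username or line block so the fix can be applied exactly where the weak entry lives.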
    
    

Wednesday, March 25, 2015

Cisco Nexus 5548 SFP Validation Failed

During a recent Nexus deployment I came across a very small problem which was very easily solved.

When doing a sh int brief on the Nexus 5548 I saw the following:
Eth1/17       1      eth  access down    SFP validation failed       10G(D) —
Eth1/18       1      eth  access down    SFP validation failed       10G(D) —

The SFPs in these slots were DS-SFP-FC8G-SW.

The reason is that the ports on a Nexus 5548 can run as either Ethernet or Fibre Channel, and the default is Ethernet. On the 5548UP the FC ports must form a contiguous block at the high end of the slot (hence 25-32 below), and the change only takes effect after a reload. To change the mode of the ports:

NX5548-SW1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NX5548-SW1(config)# slot 1
NX5548-SW1(config-slot)# port 25-32 type fc
NX5548-SW1(config-slot)# end
NX5548-SW1# copy run start
[########################################] 100%
NX5548-SW1# reload

The Cisco doc is here
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/release/notes/Rel_5_0_3_N1_1/Nexus5000_Release_Notes_5_0_3_N1_1c.html#wp341614

Once the switch has reloaded the ports now show as FC and up!
fc1/31     1      auto   on      up               swl    F       8    —
fc1/32     1      auto   on      up               swl    F       8    —

Thursday, February 14, 2013

Cisco Router password recovery

The recovery process is simple and hardly takes five minutes, though the time depends on how fast your router boots.


  1. Connect to the console port, start a terminal application, and power on the router. When the boot process begins, send the Break sequence (usually Ctrl+Break, though it can differ depending on the terminal program). This interrupts the boot process and drops the router into ROMMON.
  2. At the ROMMON prompt, set the configuration register to 0x2142 with confreg 0x2142.
  3. Restart the router by power cycling it or by issuing the reset command.
  4. When the router reloads, the configuration register setting of 0x2142 instructs it to ignore the startup-config file in NVRAM. You will be asked whether you want to go through Setup mode because the router thinks it has no startup configuration. Exit from Setup mode.
  5. Press Return and enter the enable command to go into privileged EXEC mode. No password is required because the startup config was not loaded.
  6. Load the configuration manually with copy startup-config running-config.
  7. Enter global configuration mode with configure terminal and change the password with enable password <password> or enable secret <password>.
  8. Save the new password with copy running-config startup-config.
  9. At the global config prompt, change the configuration register back to the default with config-register 0x2102, then exit back to the privileged EXEC prompt.
  10. Reboot the router using the reload command. You will be asked to save your changes; do so if you have made additional configuration changes.
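Steps 2 and 9 hinge on the 0x0040 bit of the configuration register, which tells the router to skip the startup-config in NVRAM. The following Python, an added example and not part of the original post, decodes that register and checks the "Configuration register is ..." line printed at the end of show version, so a router left in 0x2142 after a recovery can be spotted; the sample output line is constructed.

```python
import re
from typing import Dict, List, Tuple

# Register bits used by the procedure above (0x2142 during recovery, 0x2102 normally).
BOOT_FIELD_MASK = 0x000F   # bits 0-3: what to boot
IGNORE_NVRAM = 0x0040      # bit 6: boot without loading startup-config (the recovery setting)
BREAK_DISABLED = 0x0100    # bit 8: console Break is ignored once the system is up
ROM_IF_NETBOOT_FAILS = 0x2000  # bit 13: fall back to the ROM image if a network boot fails

def decode_confreg(value: int) -> Dict[str, object]:
    """Return the register fields a post-recovery review cares about."""
    boot = value & BOOT_FIELD_MASK
    if boot == 0x0:
        boot_desc = "stay in ROMMON"
    elif boot == 0x1:
        boot_desc = "boot the first image in flash"
    else:
        boot_desc = "boot per 'boot system' commands (first flash image if none)"
    return {
        "boot_field": boot,
        "boot": boot_desc,
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_IF_NETBOOT_FAILS),
    }

# show version ends with e.g. "Configuration register is 0x2142 (will be 0x2102 at next reload)".
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def parse_show_version(output: str) -> Tuple[int, int]:
    """Return (current, effective_at_next_reload) register values from show version output."""
    m = CONFREG_RE.search(output)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending

def recovery_cleanup_issues(output: str) -> List[str]:
    """Flag a router that will still skip NVRAM (step 9 forgotten) or stop in ROMMON at next reload."""
    _, pending = parse_show_version(output)
    decoded = decode_confreg(pending)
    issues: List[str] = []
    if decoded["ignores_startup_config"]:
        issues.append(f"register 0x{pending:04x} still ignores NVRAM at next reload; "
                      "set config-register 0x2102 and save")
    if decoded["boot_field"] == 0:
        issues.append("boot field 0x0: the router will stop in ROMMON at next reload")
    return issues

# Constructed sample: recovery finished and the register set back, but the router not yet reloaded.
SAMPLE_SHOW_VERSION = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
```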

Cisco ASA 55xx Firewall : Basic Configuration

Cisco ASA 5510 security appliance is the second model in the ASA series (ASA 5505, 5510, 5520 etc) and is fairly popular since it is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options: the Base license and the Security Plus license. The second one (Security Plus) provides some performance and hardware enhancements over the Base license, such as 130,000 maximum firewall connections (instead of 50,000), 100 maximum VLANs (instead of 50), failover redundancy, etc. Also, the Security Plus license enables two of the five firewall network ports to work as 10/100/1000 instead of only 10/100.


Next we will see a simple Internet Access scenario which will help us understand the basic steps needed to setup an ASA 5510. Assume we assign a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected on the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch.

The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface (Step 4).

Required configuration steps for this basic scenario:

Step 1: Configure a privileged level password (enable password)
By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:

ASA5510(config)# enable password mysecretpassword


Step 2: Configure the public outside interface
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut


Step 3: Configure the trusted internal interface
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut

Step 4: Configure PAT on the outside interface
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Note that this is the pre-8.3 NAT syntax. On ASA software 8.3 and later the global/nat pair is replaced by object-based NAT (for example an object network for 192.168.10.0/24 with nat (inside,outside) dynamic interface).

Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP
ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside

This is a basic configuration in order to make the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as Static and Dynamic NAT, Access Control Lists to control traffic flow, DMZ zones, VPN etc.
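As an added example (not part of the original post's configuration), here is a Python checker that parses the interface, route and dhcpd commands from Steps 2 to 6 and verifies they are mutually consistent: inside has a higher security-level than outside, the default-route next hop lies on the outside subnet, and the DHCP pool sits within the inside subnet without covering the interface address. The config text is constructed from the steps above with the prompts stripped.

```python
import ipaddress
from typing import Dict, List

# Constructed from Steps 2-6 above with the 'ASA5510(config)#' prompts stripped.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
dhcpd address 192.168.10.10-192.168.10.200 inside
"""

def parse_asa(text: str) -> Dict[str, dict]:
    """Group interface, route and dhcpd settings by nameif (only the commands used above)."""
    ifaces: Dict[str, dict] = {}
    cur = None
    for raw in text.splitlines():
        parts = raw.split()
        if raw.startswith("interface "):
            cur = {"routes": [], "dhcp": None}
        elif raw.startswith(" ") and cur is not None and parts:
            if parts[0] == "nameif":
                ifaces[parts[1]] = cur
            elif parts[0] == "security-level":
                cur["level"] = int(parts[1])
            elif parts[:2] == ["ip", "address"]:
                cur["addr"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        elif parts[:1] == ["route"]:              # route <nameif> <net> <mask> <next hop> [metric]
            ifaces[parts[1]]["routes"].append(ipaddress.IPv4Address(parts[4]))
        elif parts[:2] == ["dhcpd", "address"]:   # dhcpd address <lo>-<hi> <nameif>
            lo, hi = parts[2].split("-")
            ifaces[parts[3]]["dhcp"] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
    return ifaces

def check_asa(text: str) -> List[str]:
    """Return a list of problems; an empty list means the basic settings are consistent."""
    ifs = parse_asa(text)
    problems: List[str] = []
    if ifs["inside"]["level"] <= ifs["outside"]["level"]:
        problems.append("inside security-level must be higher than outside")
    for name, i in ifs.items():
        net = i["addr"].network
        for nh in i["routes"]:                    # a next hop must be on-link for that interface
            if nh not in net:
                problems.append(f"route via {name}: next hop {nh} not in {net}")
        if i["dhcp"]:
            lo, hi = i["dhcp"]
            if lo > hi or lo not in net or hi not in net:
                problems.append(f"dhcpd pool on {name} is not within {net}")
            elif lo <= i["addr"].ip <= hi:
                problems.append(f"dhcpd pool on {name} overlaps the interface address {i['addr'].ip}")
    return problems
```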

Wednesday, February 13, 2013

Using Cisco alias exec commands

  1. Building a common alias list always helps when using multiple commands for studying. This is especially helpful with common show commands that can wear on your hands ... and your time limit. Here is an alias list. The cool thing about aliases is that you can use them in configuration mode (prefixed with do), and you can also append to the base commands.

    For example:

    R1(config)#do sir 192.168.0.0
    R1(config)#do srs router eigrp
     
    alias exec srb show run | begin
    alias exec sri show run | include
    alias exec srs show run | section
     
    alias exec sir show ip route
    alias exec siib show ip interface brief
    alias exec sis show interfaces status
     
    alias exec sib show ip bgp
    alias exec sibs show ip bgp summary
    alias exec sibn show ip bgp neighbor
     
    alias exec sio show ip ospf
    alias exec sion show ip ospf neighbor
    alias exec sioi show ip ospf interface
    alias exec siod show ip ospf database
     
    alias exec siet show ip eigrp topology
    alias exec siei show ip eigrp interface
    alias exec sien show ip eigrp neighbor
     
    alias exec sird show ip rip database