Thursday, December 14, 2017

Show cisco 2950 switch info from rommon mode

This is how to show the MAC address and serial numbers while you are in rommon mode on a Cisco 2950 switch:

switch: flash_init

switch: more flash:env_vars

BOOT=flash:c2950-i6k2l2q4-mz.121-22.EA13.bin
MAC_ADDR=00:0B:FD:60:C0:40
MODEL_NUM=WS-C2950C-24
MODEL_REVISION_NUM=G0
MOTHERBOARD_ASSEMBLY_NUM=73-5710-11
MOTHERBOARD_REVISION_NUM=A0
MOTHERBOARD_SERIAL_NUM=FO1170307Z7
POWER_SUPPLY_PART_NUM=34-091165-01
POWER_SUPPLY_SERIAL_NUM=PHI0648051JE
SYSTEM_SERIAL_NUM=FOC07013AZ0N1

switch:

Thursday, November 30, 2017

SSH to Cisco WLC using Python (3.6) - simple example

from netmiko import ConnectHandler   # netmiko drives the SSH session (it uses paramiko underneath)

host = "IP address"       # management IP of the WLC
user = "admin"
pw = "xxxxxxx"
platform = "cisco_wlc"    # netmiko device_type for the AireOS WLC CLI

# open the SSH session; netmiko handles the WLC login prompts
device = ConnectHandler(device_type=platform, ip=host, username=user, password=pw)

# run one show command and print the text the controller returns
output = device.send_command('show wlan 1')
print(output)

device.disconnect()

Tuesday, October 31, 2017

Cisco AP power level 1 in UNII-1 and Level 4 in UNII-3

I was testing two Cisco 3602e access points. In the RF profile I had set both min and max power to 14 dBm, so I expected RRM to set the same power level on both APs.

But when I checked the two APs, one had power level 4 and the other had power level 1.

Then I checked the output of the command "show advanced 802.11a txpower". The output below explains why the two APs show two different power levels: one is using a UNII-1 channel and the other is using a UNII-3 channel.

Tuesday, October 24, 2017

Set time zone in Cisco ISE 2.3

Cisco ISE has a CLI interface very similar to Cisco IOS.

1) SSH into ISE

2) Show the available time zones

ise-1/admin# show timezones

Australia/NSW
Australia/North
Australia/Perth
Australia/Queensland
Australia/South
Australia/Sydney

3) Set the time zone

ise-1/admin(config)# clock timezone Australia/Sydney

% On ise distributed deployments, it is recommended all nodes be
% configured with the same time zone.
Continue with time zone change?  Y/N [N]: y
System timezone was modified. You must restart ISE for change to take effect.
Do you want to restart ISE now? (yes/no) no

ise-1/admin(config)#
ise-1/admin(config)# end
ise-1/admin#
ise-1/admin# show clock
Tue Oct 24 20:47:09 AEDT 2017

Monday, October 16, 2017

PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID - Cisco vWLC

I installed a fresh copy of Cisco vWLC version AIR_CTVM-K9_8_2_151_0. But my AP3502i refused to connect to this controller and returned the error "PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID" in the console output.

Then I checked the WLC self-signed certificate (SSC) and it is not valid yet !!!

I thought I could regenerate the certificate with the correct time but could not find any CLI command or GUI option to do that.

Then I thought, let's change the time so that the certificate will be valid.

After a few minutes that changed the AP's time as well and the AP connected to the controller !!!

Saturday, April 15, 2017

IPsec capture with decryption information

This is a capture I did from a StrongSwan net-to-net IPsec VPN I set up for testing.

Packet capture : pkt capture link

Phase 1 main mode - IKEv1

Initiator cookie : 751b83775c20d140
Encryption key : d38c64bef9facf441f8ad9080e2bb157



Phase 2 quick mode 

Src IP : 172.16.1.70
Dest IP : 172.16.1.71
SPI : 0xc04af751
Encryption : AES-CBC
Encryption key : 0x7c60aad1e87addb04ce8030de87c95aa
Authentication : HMAC-SHA-1
Authentication key : 0x7d46f88c672d660d7a36d5a1a756f4e10ba6c29d


Src IP : 172.16.1.71
Dest IP : 172.16.1.71
SPI : 0xce38569e
Encryption : AES-CBC
Encryption key : 0x9b6eeff11d56d9e7e658d9b09c78d19a
Authentication : HMAC-SHA-1
Authentication key : 0x8ff0d9ff940d81198d555e3574e51a6354f9d7f6





If you want to do this yourself, follow the steps below to capture the encryption keys from StrongSwan.

Edit /etc/sysctl.conf and uncomment "net.ipv4.ip_forward=1" to enable routing.

Enter the command "ipsec up net-net" to start the IPsec tunnel.

1) To get the two values needed to decrypt ISAKMP (IKE phase 1 and 2)

Initiator cookie : can be found in the first packet sent.

Encryption key : edit /etc/ipsec.conf and set the charon debug level to 4 for IKE (the config below uses "ike 4,enc 4", which makes charon log the keys)


# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="ike 4,enc 4"
        uniqueids=yes
        strictcrlpolicy=no

conn %default
        ikelifetime=60m
        keylife=8h
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn net-net
        left=172.16.1.70
        leftsubnet=10.1.0.0/24
        leftid=@moon.strongswan.org
        leftfirewall=yes
        right=172.16.1.71
        rightsubnet=10.2.0.0/24
        rightid=@sun.strongswan.org

        auto=add



Restart the IPsec session and check /var/log/syslog for the encryption key.

2) To get the key data needed to decrypt the ESP payload, enter the command "ip xfrm state". You need to enter the data for both security associations (one per direction).


root@ubuntu-1-ipsec:/home/ruwanindika# ip xfrm state
src 172.16.1.70 dst 172.16.1.71
proto esp spi 0xc39e664b reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x6cd0b2f0fa5a81642150b059b6333a3919426da7 96
enc cbc(aes) 0x392c130f3fc8b82c7552e12746cfcf36
anti-replay context: seq 0x0, oseq 0x1f8, bitmap 0x00000000

src 172.16.1.71 dst 172.16.1.70
proto esp spi 0xc2709853 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xf9f4ab8729ce3f844f5d59de64ba30b24a99ca92 96
enc cbc(aes) 0x63ce266892721d11301631c504d63979
anti-replay context: seq 0x1f8, oseq 0x0, bitmap 0xffffffff
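
As an added example (not part of the original post), here is a small Python script that parses the "ip xfrm state" output above into the two security associations and prints them in the line format used by Wireshark's ESP SA table, so you do not have to retype the keys by hand. The algorithm labels are assumed from Wireshark's esp_sa preference file, so check them against your own Wireshark version.

```python
import re
# "ip xfrm state" output copied from the post above (moon, 172.16.1.70), embedded so this runs offline.
SAMPLE = """\
src 172.16.1.70 dst 172.16.1.71
proto esp spi 0xc39e664b reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x6cd0b2f0fa5a81642150b059b6333a3919426da7 96
enc cbc(aes) 0x392c130f3fc8b82c7552e12746cfcf36
anti-replay context: seq 0x0, oseq 0x1f8, bitmap 0x00000000

src 172.16.1.71 dst 172.16.1.70
proto esp spi 0xc2709853 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xf9f4ab8729ce3f844f5d59de64ba30b24a99ca92 96
enc cbc(aes) 0x63ce266892721d11301631c504d63979

anti-replay context: seq 0x1f8, oseq 0x0, bitmap 0xffffffff
"""
# Kernel algorithm names -> labels in Wireshark's ESP SA table (assumed; check your Wireshark version).
ENC_NAMES = {"cbc(aes)": "AES-CBC [RFC3602]"}
AUTH_NAMES = {("hmac(sha1)", 96): "HMAC-SHA-1-96 [RFC2404]"}

def parse_xfrm_state(text):
    """Return one dict per ESP SA: src, dst, spi, enc/enc_key, auth/auth_key/trunc."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"src (\S+) dst (\S+)$", line):
            cur = {"src": m.group(1), "dst": m.group(2)}   # a new SA starts here
            sas.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"proto (\S+) spi (0x[0-9a-f]+)", line):
            cur["proto"], cur["spi"] = m.group(1), m.group(2)
        elif m := re.match(r"auth-trunc (\S+) (0x[0-9a-f]+) (\d+)", line):
            cur["auth"], cur["auth_key"], cur["trunc"] = m.group(1), m.group(2), int(m.group(3))
        elif m := re.match(r"enc (\S+) (0x[0-9a-f]+)", line):
            cur["enc"], cur["enc_key"] = m.group(1), m.group(2)
    return [s for s in sas if s.get("proto") == "esp"]

def to_wireshark_esp_sa(sas):
    # one line per SA; both directions are needed to decrypt the whole tunnel
    lines = []
    for s in sas:
        fields = ("IPv4", s["src"], s["dst"], s["spi"], ENC_NAMES[s["enc"]],
                  s["enc_key"], AUTH_NAMES[(s["auth"], s["trunc"])], s["auth_key"])
        lines.append(",".join('"%s"' % f for f in fields))
    return lines

print("\n".join(to_wireshark_esp_sa(parse_xfrm_state(SAMPLE))))
```

Replace SAMPLE with the output from your own host; the printed lines can be pasted into the esp_sa file or entered field by field in the ESP protocol preferences.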

Sunday, April 9, 2017

OSPF adjacency not forming ?

Router ID 3.3.3.3 (172.16.1.1) and router ID 4.4.4.4 (172.16.1.2) are not forming an adjacency. I was thinking about how to troubleshoot this.

Then I did a packet capture and saw that both routers are sending OSPF hello packets.

So why are they not forming an adjacency ??? Let's look into the hello packets to see whether there is any obvious difference between the hellos.

Then I corrected the configuration:

R4#show running-config | section ospf
router ospf 1
 router-id 4.4.4.4
 area 172 stub
 redistribute eigrp 1 subnets
 network 172.16.1.0 0.0.0.255 area 172
R4#

R4#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#
R4(config)#router  ospf 1 
R4(config-router)#no area 172 stub 
R4(config-router)# 
R4(config-router)#area 172 nssa 
R4(config-router)#
R4(config-router)#end
R4#
*Apr  9 11:42:17.315: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Apr  9 11:42:18.311: %SYS-5-CONFIG_I: Configured from console by console
R4# 
R4#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/BDR        00:00:38    172.16.1.1      FastEthernet0/0
R4#

Wednesday, April 5, 2017

Microwave oven interference

I visited this site because they were complaining about connectivity issues in a staff common area. I was sitting there looking at the spectrum analyser when someone came in and started the microwave oven. This is what I saw in the spectrum analyser.

Wednesday, March 29, 2017

Packet capture samples

Sometimes I want to quickly look at a sample packet capture of some protocol but it is not readily available on the internet to download. So I thought of making a list.

1) BGP packet capture - https://drive.google.com/open?id=0B3ctVg8ubiwUa0FBZm5OM3dndE0

2) RADIUS packet capture - https://drive.google.com/open?id=0B3ctVg8ubiwUQlA5R0tEQWtTdmc

3) IPsec - ISAKMP - ESP capture - https://drive.google.com/open?id=0B3ctVg8ubiwUYWxkWTNJMER2dEk

4) Wi-Fi 4-way handshake - https://drive.google.com/file/d/0B3ctVg8ubiwUMDYwWXJ2c2taMlE/view?usp=sharing

5) RSTP synchronization proposal and root election - https://drive.google.com/open?id=0B3ctVg8ubiwUMlQ4dHBPM1dGSEk

6) OSPF with LSA types 1, 3, 4 and 5 - https://drive.google.com/open?id=0B3ctVg8ubiwUVGNXeEQwNUdOd1k

7) Multiple spanning tree (MST) - https://drive.google.com/open?id=0B3ctVg8ubiwUeTVHLW0wQmZLeEU

8) RADIUS CoA, captured from Cisco ISE - https://drive.google.com/open?id=0B3ctVg8ubiwUYkE2ZEFVTGFBcTQ

9) EAP-FAST authentication RADIUS packet capture from Cisco ISE - https://drive.google.com/open?id=0B3ctVg8ubiwUX3A3dVJrdU55MXc

10) Wi-Fi CoA with RADIUS packets - https://drive.google.com/open?id=0B3ctVg8ubiwUWG1nWHBfRmVoTDQ

11) AWS Greengrass IoT MQTT - https://drive.google.com/open?id=1W8n23dJAxhcrgwnMbFAcEaO6cEQQL2Ga

Monday, January 30, 2017

Aerohive HMNG API "Refreshing a Token"

Based on: https://developer.aerohive.com


1)  Using endpoint https://cloud.aerohive.com/services/oauth2/token

POST : https://cloud.aerohive.com/services/oauth2/token?grant_type=refresh_token&refresh_token=VephPaRwBhTR60Zg14cCIbWsB7SCqPnV


Content-Type : application/x-www-form-urlencoded
Authorization : Basic OTU4NzY4NDE6ODY0OTM4MA4YTU3NzlkNzEwY2QwNDdjNmIxMTlkZTg=

2) [NOT recommended] Using endpoint : https://cloud.aerohive.com/services/acct/thirdparty/refreshtoken 

POST : https://cloud.aerohive.com/services/acct/thirdparty/refreshtoken?refreshToken=0-GI5UcUKqi9foTrE_-k6z6OMLDDnJtK

X-AH-API-CLIENT-ID : 9587841
X-AH-API-CLIENT-SECRET : 86493008a5779d710cd047c6b119de8
X-AH-API-CLIENT-REDIRECT-URI : https://apache.testneta.local