September 2009


Very useful when you need to know which services one IOS variant or another brings.

It lets you decode the names of releases before 12.3 (starting with that release, IOS images are split into 8 feature-set packages instead).

An image name has three dash-separated fields: the platform, the feature set, and where the image runs and how it is compressed. If, for example, we have a Cisco IOS c7200-ajs40-mz, the list below tells us that:

c7200: an IOS image for a Cisco 7200 router.

a: APPN (Advanced Peer-to-Peer Networking).

j: Enterprise.

s: PLUS pack (on the c7200: NAT, ISL, IBM, MMP, VPDN/L2F).

40: 40-bit encryption.

m: the software runs in RAM.

z: zip-compressed.
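As an added example (not code from the original post), here is a small Python parser that applies the naming scheme above to a full image filename: it splits the platform, feature-set and run-location fields, tokenizes the feature codes so that ajs40 becomes a, j, s, 40 rather than a, j, s4, 0, and classifies the cryptographic capability the name advertises, which is usually the first thing you want to know about an image found in a lab or on a file share. The code table is a subset of the list on this page; the meanings given for k8/k9 and for the f/r/l/x/w run-location and compression letters are assumptions taken from the later Cisco convention, not from this page, and are marked as such in the comments. The sample filenames are constructed.

```python
import re
from typing import Dict, List

# Feature-set codes, taken from the table on this page (subset). Unknown codes
# are reported as unknown rather than guessed.
FEATURE_CODES: Dict[str, str] = {
    "a": "APPN", "a2": "ATM", "b": "AppleTalk", "c": "Comm-server/RAS subset",
    "d": "Desktop subset", "g": "ISDN subset", "i": "IP subset",
    "j": "enterprise subset", "n": "IPX", "o": "Firewall", "o3": "Firewall with SSH",
    "p": "Service Provider", "q": "Async", "r": "IBM base option",
    "s": "PLUS pack (contents depend on platform)", "u": "IP with VLAN RIP",
    "v": "VIP and dual RSP (HSA) support", "y": "reduced IP", "z": "managed modems",
    "k1": "Baseline Privacy key encryption", "k3": "Triple DES",
    "k4": "56-bit SSH encryption", "k5": "168-bit SSH encryption",
    "40": "40-bit encryption", "56": "56-bit encryption",
    "56i": "56-bit encryption with IPsec",
    # Assumption beyond this page's table (which lists k6-k9 as reserved): later
    # 12.x images use k8 for DES-only and k9 for 3DES/AES crypto feature sets.
    "k8": "crypto feature set, DES only (assumed meaning)",
    "k9": "crypto feature set, 3DES/AES (assumed meaning)",
}

# Third field: where the image runs and how it is compressed. The page lists m
# and z; the other letters follow the same Cisco convention (assumption).
RUN_LOCATION = {"m": "runs in RAM", "f": "runs in flash", "r": "runs in ROM", "l": "relocatable"}
COMPRESSION = {"z": "zip", "x": "mzip", "w": "stac"}

NAME_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<fmt>[a-z]{1,2})"
    r"(?:\.(?P<version>.+?))?(?:\.bin)?$"
)
# A code is a letter optionally followed by ONE digit (k9, o3, y6), or a run of
# digits optionally followed by 'i' (40, 56, 56i). The lookahead keeps "s40"
# from being read as "s4" + "0".
TOKEN_RE = re.compile(r"[a-z](?:\d(?!\d))?|\d+i?")


def tokenize_features(field: str) -> List[str]:
    """Split the feature-set field into individual codes."""
    tokens = TOKEN_RE.findall(field)
    if "".join(tokens) != field:
        raise ValueError(f"cannot tokenize feature field {field!r}")
    return tokens


def crypto_level(tokens: List[str]) -> str:
    """Rough classification of the crypto the feature field advertises."""
    if "k9" in tokens:
        return "strong"
    if any(t in tokens for t in ("k8", "56i", "k5", "k3")):
        return "legacy"
    if any(t in tokens for t in ("40", "56", "k4", "k1")):
        return "weak"
    return "none"


def parse_ios_image_name(name: str) -> dict:
    """Decode a classic (pre-12.3 style) IOS image filename into its parts."""
    m = NAME_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"not a classic IOS image name: {name!r}")
    tokens = tokenize_features(m.group("features"))
    fmt = m.group("fmt")
    return {
        "platform": m.group("platform"),
        "features": [(t, FEATURE_CODES.get(t, "unknown code")) for t in tokens],
        "run_location": RUN_LOCATION.get(fmt[0], "unknown"),
        "compression": COMPRESSION.get(fmt[1], "none") if len(fmt) > 1 else "none",
        "version": m.group("version"),
        "crypto": crypto_level(tokens),
    }


if __name__ == "__main__":
    # Constructed sample names: the one from the text and a typical 12.4 crypto image.
    for sample in ("c7200-ajs40-mz", "c3640-ik9o3s-mz.124-25d.bin"):
        info = parse_ios_image_name(sample)
        print(sample)
        for code, meaning in info["features"]:
            print(f"  {code:>4}: {meaning}")
        print(f"  {info['run_location']}, {info['compression']} compressed, crypto: {info['crypto']}")
```

The parser deliberately refuses names it cannot fully tokenize instead of returning a partial decode; in an inventory script a half-read feature field is worse than an error. Post-12.3 names (ipbase, advsecurityk9 and so on) use words rather than letter codes and are outside what this page's table covers.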

A

a: APPN
a2: ATM
a3: APPN replacement

B

b: AppleTalk
boot: boot image

C

c: Comm-server/Remote Access Server (RAS) subset (SNMP, IP, Bridging, IPX, AppleTalk, DECnet, FR, HDLC, PPP, X.25, ARAP, tn3270, PT, XRemote, LAT) (non-CiscoPro)
c: CommServer lite (CiscoPro)
c2: Comm-server/Remote Access Server (RAS) subset (SNMP, IP, Bridging, IPX, AppleTalk, DECnet, FR, HDLC, PPP, X.25, ARAP, tn3270, PT, XRemote, LAT) (CiscoPro)
c3: clustering

D

d: Desktop subset (SNMP, IP, Bridging, WAN, Remote Node, Terminal Services, IPX, AppleTalk, ARAP) (11.2: DECnet)
d2: reduced Desktop subset (SNMP, IP, IPX, AppleTalk, ARAP)
diag: IOS-based diagnostic images

E

e: IPeXchange (no longer used in 11.3 and later); from 11.3T, StarPipes DB2 Access, which lets Cisco IOS act as a "gateway" to all IBM DB2 products for downstream clients/servers
eboot: Ethernet boot image for the mc3810 platform

F

f: FRAD subset (SNMP, FR, PPP, SDLLC, STUN)
f2: modified FRAD subset (EIGRP, PCbus, LAN Manager removed; OSPF added)

G

g: ISDN subset (SNMP, IP, Bridging, ISDN, PPP, IPX, AppleTalk)
g2: gatekeeper proxy, voice and video
g3: ISDN subset for c800 (IP, ISDN, FR)

H

h: for Malibu (2910): 802.1D, switch functions, IP host
hdiag: diagnostics image for Malibu (2910)

I (used in image names of platforms c2500 and larger)

i: IP subset (SNMP, IP, Bridging, WAN, Remote Node, Terminal Services)
i2: subset similar to the IP subset, for the system controller image (3600)
i3: reduced IP subset with BGP/MIB, EGP/MIB, NHRP, DIRRESP removed
i4: subset of IP (5200)
ipss7: IP subset with SS7 (2600)

J

j: enterprise subset (formerly bpx; includes protocol translation) (not used until 10.3)

K

k: kitchen sink (enterprise for high-end) (same as bx) (not used after 10.3)
k1: Baseline Privacy key encryption (11.3 and up)
k2: high-end enterprise with CIP2 microcode (not used after 10.3)
k3: Triple DES (11.3 and up)
k4: 56-bit SSH encryption
k5: 168-bit SSH encryption
k6: reserved for future encryption capabilities (11.3 and up)
k7: reserved for future encryption capabilities (11.3 and up)
k8: reserved for future encryption capabilities (11.3 and up)
k9: reserved for future encryption capabilities (11.3 and up)

L

l: IPeXchange IPX, static routing, gateway

M

m: RMON (11.1 only)
m: Catalyst 2820 kernel, parser, ATM signaling, LANE client, bridging

N

n: IPX

O

o: Firewall (formerly IPeXchange Net Management)
o2: Firewall (3xx0)
o3: Firewall with SSH (36x0, 26x0)

P

p: Service Provider (IP RIP/IGRP/EIGRP/OSPF/BGP, CLNS IS-IS/IGRP)
p2: Service Provider with CIP2 microcode
p3: AS5200 service provider
p4: 5800 (Nitro) service provider
p5: Service Provider (6400 NRP)
p7: Service Provider with PT/TARP (2600, 3640)

Q

q: Async
q2: IPeXchange Async

R

r: IBM base option (SRB, SDLLC, STUN, DLSw, QLLC); used with i, in, d
r2: IBM variant for 1600 images
r3: IBM variant for Ardent images (3810)
r4: reduced IBM subset with BSC/MIB, BSTUN/MIB, ASPP/MIB, RSRB/MIB removed

S

s: source-route switch (SNMP, IP, Bridging, SRB) (10.2 to 11.1)
s: PLUS pack; what it adds depends on the platform:
  c1000: OSPF, PIM, SMRP, NLSP, ATIP, ATAURP, FRSVC, RSVP, NAT
  c1005: X.25, full WAN, OSPF, PIM, NLSP, SMRP, ATIP, ATAURP, FRSVC, RSVP, NAT
  c1600: OSPF, IP multicast, NHRP, NTP, NAT, RSVP, Frame Relay SVC (AppleTalk "s" images also have SMRP, ATIP, AURP; IPX "s" images also have NLSP, NHRP)
  c2500: NAT, RMON, IBM, MMP, VPDN/L2F
  c2600: NAT, IBM, MMP, VPDN/L2F, VoIP and ATM
  c3620: NAT, IBM, MMP, VPDN/L2F (VoIP added in 11.3T)
  c3640: NAT, IBM, MMP, VPDN/L2F (VoIP added in 11.3T)
  c4000: NAT, IBM, MMP, VPDN/L2F
  c4500: NAT, ISL, LANE, IBM, MMP, VPDN/L2F
  c5200: PT, V.120, managed modems, RMON, MMP, VPDN/L2F
  c5300: MMP, VPDN, NAT, modem management, RMON, IBM
  c5rsm: NAT, LANE and VLANs
  c7000: ISL, LANE, IBM, MMP, VPDN/L2F
  c7200: NAT, ISL, IBM, MMP, VPDN/L2F
  rsp: NAT, ISL, LANE, IBM, MMP, VPDN/L2F

T

t: AIP with modified microcode to connect to Teralink 1000 Data (11.2)
t: Telco return (12.0)

U

u: IP with VLAN RIP (Network Layer 3 Switching Software: RSRB, SRT, SRB, SR/TLB)

V

v: VIP and dual RSP (HSA) support
v2: Voice V2D
v3: Voice Feature Card
v4: Voice (ubr920)

W

w: WBU feature sets (i: IISP; l: LANE and PVC; p: PNNI; v: PVC traffic shaping)
w2: Cisco Advantage ED train feature sets (a: IPX, static routing, gateway; b: Net Management; c: FR/X.25; y: Async)
w3: Distributed Director feature sets

X

x: X.25 in 11.1 and earlier releases, and on c800 in 12.0T
x: FR/X.25 in 11.2 (IPeXchange)
x: H.323 Gatekeeper/Proxy in 11.3 and later releases for 2500, 3620, 3640, mc3810

Y (used in image names of platforms smaller than c2500)

y: reduced IP (SNMP, IP RIP/IGRP/EIGRP, Bridging, ISDN, PPP) (C1003/4)
y: reduced IP (SNMP, IP RIP/IGRP/EIGRP, Bridging, WAN: X.25) (C1005) (11.2 includes X.25)
y: IP variant (no Kerberos, RADIUS, NTP, OSPF, PIM, SMRP, NHRP...) (c1600)
y2: IP variant (SNMP, IP RIP/IGRP/EIGRP, WAN: X.25, OSPF, PIM) (C1005)
y2: IP Plus variant (no Kerberos, RADIUS, NTP, ...) (c1600)
y3: IP/X.31
y4: reduced IP variant (Cable, MIBs, DHCP, EZHTTP)
y5: reduced IP variant (Cable, MIBs, DHCP, EZIP) Home Office
y6: reduced IP variant (c800)

Z

z: managed modems

0-9

40: 40-bit encryption
56: 56-bit encryption
56i: 56-bit encryption with IPsec

Obsolete

h: reduced desktop subset (SNMP, IP RIP/IGRP/EIGRP, Bridging, ISDN, PPP, IPX, AppleTalk) (1003/4)
h: reduced desktop subset (SNMP, IP RIP/IGRP/EIGRP, Bridging, WAN: X.25, IPX, AppleTalk) (1005)
Class A: prefix, subnets, hosts and network mask

The second column gives, for /8 and longer prefixes, how many subnets of that size fit in one class A network; for shorter prefixes, how many class A networks the supernet aggregates. The hosts column counts every address in the block, including the network and broadcast addresses.

CIDR  Class A networks  Hosts          Network mask
/32   16,777,216        1              255.255.255.255
/31   8,388,608         2              255.255.255.254
/30   4,194,304         4              255.255.255.252
/29   2,097,152         8              255.255.255.248
/28   1,048,576         16             255.255.255.240
/27   524,288           32             255.255.255.224
/26   262,144           64             255.255.255.192
/25   131,072           128            255.255.255.128
/24   65,536            256            255.255.255.0
/23   32,768            512            255.255.254.0
/22   16,384            1,024          255.255.252.0
/21   8,192             2,048          255.255.248.0
/20   4,096             4,096          255.255.240.0
/19   2,048             8,192          255.255.224.0
/18   1,024             16,384         255.255.192.0
/17   512               32,768         255.255.128.0
/16   256               65,536         255.255.0.0
/15   128               131,072        255.254.0.0
/14   64                262,144        255.252.0.0
/13   32                524,288        255.248.0.0
/12   16                1,048,576      255.240.0.0
/11   8                 2,097,152      255.224.0.0
/10   4                 4,194,304      255.192.0.0
/9    2                 8,388,608      255.128.0.0
/8    1                 16,777,216     255.0.0.0
/7    2                 33,554,432     254.0.0.0
/6    4                 67,108,864     252.0.0.0
/5    8                 134,217,728    248.0.0.0
/4    16                268,435,456    240.0.0.0
/3    32                536,870,912    224.0.0.0
/2    64                1,073,741,824  192.0.0.0
/1    128               2,147,483,648  128.0.0.0
/0    256               4,294,967,296  0.0.0.0

Class B: prefix, subnets, hosts and network mask

Same layout as above, relative to a class B (/16) network. The original table gave 13 for /12; the correct value is 16.

CIDR  Class B networks  Hosts          Network mask
/32   65,536            1              255.255.255.255
/31   32,768            2              255.255.255.254
/30   16,384            4              255.255.255.252
/29   8,192             8              255.255.255.248
/28   4,096             16             255.255.255.240
/27   2,048             32             255.255.255.224
/26   1,024             64             255.255.255.192
/25   512               128            255.255.255.128
/24   256               256            255.255.255.0
/23   128               512            255.255.254.0
/22   64                1,024          255.255.252.0
/21   32                2,048          255.255.248.0
/20   16                4,096          255.255.240.0
/19   8                 8,192          255.255.224.0
/18   4                 16,384         255.255.192.0
/17   2                 32,768         255.255.128.0
/16   1                 65,536         255.255.0.0
/15   2                 131,072        255.254.0.0
/14   4                 262,144        255.252.0.0
/13   8                 524,288        255.248.0.0
/12   16                1,048,576      255.240.0.0
/11   32                2,097,152      255.224.0.0
/10   64                4,194,304      255.192.0.0
/9    128               8,388,608      255.128.0.0
/8    256               16,777,216     255.0.0.0
/7    512               33,554,432     254.0.0.0
/6    1,024             67,108,864     252.0.0.0
/5    2,048             134,217,728    248.0.0.0
/4    4,096             268,435,456    240.0.0.0
/3    8,192             536,870,912    224.0.0.0
/2    16,384            1,073,741,824  192.0.0.0
/1    32,768            2,147,483,648  128.0.0.0
/0    65,536            4,294,967,296  0.0.0.0

Class C: prefix, subnets, hosts and network mask

Same layout as above, relative to a class C (/24) network. The original table gave 33.534.432 for /0; a /0 aggregates 2^24 = 16,777,216 class C networks.

CIDR  Class C networks  Hosts          Network mask
/32   256               1              255.255.255.255
/31   128               2              255.255.255.254
/30   64                4              255.255.255.252
/29   32                8              255.255.255.248
/28   16                16             255.255.255.240
/27   8                 32             255.255.255.224
/26   4                 64             255.255.255.192
/25   2                 128            255.255.255.128
/24   1                 256            255.255.255.0
/23   2                 512            255.255.254.0
/22   4                 1,024          255.255.252.0
/21   8                 2,048          255.255.248.0
/20   16                4,096          255.255.240.0
/19   32                8,192          255.255.224.0
/18   64                16,384         255.255.192.0
/17   128               32,768         255.255.128.0
/16   256               65,536         255.255.0.0
/15   512               131,072        255.254.0.0
/14   1,024             262,144        255.252.0.0
/13   2,048             524,288        255.248.0.0
/12   4,096             1,048,576      255.240.0.0
/11   8,192             2,097,152      255.224.0.0
/10   16,384            4,194,304      255.192.0.0
/9    32,768            8,388,608      255.128.0.0
/8    65,536            16,777,216     255.0.0.0
/7    131,072           33,554,432     254.0.0.0
/6    262,144           67,108,864     252.0.0.0
/5    524,288           134,217,728    248.0.0.0
/4    1,048,576         268,435,456    240.0.0.0
/3    2,097,152         536,870,912    224.0.0.0
/2    4,194,304         1,073,741,824  192.0.0.0
/1    8,388,608         2,147,483,648  128.0.0.0
/0    16,777,216        4,294,967,296  0.0.0.0
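The three tables are one formula applied per class, so they can be computed rather than typed, which is also how the wrong cells in the originals (class B /12 and class C /0) show up. The Python below is an added example, not part of the original page; it uses only the standard library and adds a usable_hosts helper because the tables count every address in a block, including network and broadcast, which is not what you can actually assign.

```python
import ipaddress
from typing import List, NamedTuple

# Prefix length of each classful network: a class A is a /8, B a /16, C a /24.
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}


class CidrRow(NamedTuple):
    prefix: int
    networks: int    # subnets of this size per classful network, or classful networks per supernet
    addresses: int   # every address in the block, as the tables above count them
    mask: str


def cidr_row(prefix: int, net_class: str) -> CidrRow:
    """One row of the class A/B/C tables above, computed from the prefix length."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    class_bits = CLASS_PREFIX[net_class.upper()]
    # Longer than the class boundary: 2^(prefix - class_bits) subnets per classful network.
    # Shorter: a supernet that aggregates 2^(class_bits - prefix) classful networks.
    networks = 2 ** abs(prefix - class_bits)
    addresses = 2 ** (32 - prefix)
    mask = str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)
    return CidrRow(prefix, networks, addresses, mask)


def usable_hosts(prefix: int) -> int:
    """Addresses you can assign to hosts (the tables include network and broadcast)."""
    if prefix >= 31:          # /31 point-to-point links (RFC 3021) and /32 host routes
        return 2 ** (32 - prefix)
    return 2 ** (32 - prefix) - 2


def cidr_table(net_class: str) -> List[CidrRow]:
    """All 33 rows, /32 down to /0, in the order the tables above use."""
    return [cidr_row(p, net_class) for p in range(32, -1, -1)]


def format_table(net_class: str) -> str:
    """Render a table in the same column order as the page."""
    lines = [f"CIDR  Networks (class {net_class.upper()})  Addresses       Mask"]
    for row in cidr_table(net_class):
        lines.append(f"/{row.prefix:<4} {row.networks:>18,} {row.addresses:>15,}  {row.mask}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table("B"))
```

When sizing a subnet for real hosts, use usable_hosts: a /30 carries 4 addresses but only 2 hosts, which is why /31 (RFC 3021) is preferred for point-to-point links on gear that supports it.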

…where a gentleman who spoke approximate Spanish explained to us… also approximately… how wonderful Windows 7 is. Since I had a terrible headache, I didn't bother to contradict him, especially as my experience with Windows 7 amounts to a few hours of poking around on a virtual machine and a few more on a netbook.

What I liked at SIMO:

1. The variety of companies presenting their products (software, hardware, logistics…)

2. Given the immensity of the place, everything was extremely well organized, so the chances of getting lost were minimal…

3. They had parking… so my little car sat nicely in the shade….

What I didn't like at SIMO:

1. The variety of companies presenting their products. There were so many that you forgot where you had started…

2. The immensity of the place… it was so big that you got tired walking. And the escalators didn't help… It was evening by the time you got where you needed to be.

3. They had parking… expensive as hell. My little car sat in the shade, but on my money! And not a little!

But it was interesting….

…because so far I have read a pile of tutorials which, for the IT novice, always end in frustration and a stick that won't boot.

The simple variant involves a single small program called WinToFlash, which you can download from here, and which works as follows:

Step 1: Mount the Windows image in a virtual drive or, as the case may be, put the CD in the drive.

Step 2: In WinToFlash, select the Windows disc and the USB stick.

Step 3: The famous "Next" command and done… drink your coffee in peace while the flash drive is formatted, made bootable and the Windows files are copied.

All that is left is to boot from the stick and install Windows wherever you want… By the way, it works with Vista and Windows 7 too…

Good luck!

P.S. By the way, if it crosses your mind to install Windows 7 on a netbook, you may be surprised to find that Microsoft's esteemed OS does not recognise your battery and you have to keep it plugged in nonstop. The solution: there isn't one… yet…

In this article I will compile a few tricks for securing a Cisco router.
First of all, everything that follows is obvious… or maybe not…

Using secure protocols

TELNET, HTTP, FTP, etc. connections can be intercepted and read because everything is sent in plain text. The alternatives are SSH, HTTPS, FTPS/SCP, etc.

Enabling SSH and SCP:

Not all IOS images support SSH, SCP or HTTPS: you need a crypto image (a k8/k9 code in the feature-set field of the image name). Generating the RSA key also requires that a hostname and a domain name be set first.

hostname <router-name>
ip domain-name yourdomain.net
!
crypto key generate rsa modulus 2048
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface Loopback0
ip scp server enable
!
line vty 0 4
 transport input ssh

Enabling HTTPS:

crypto key generate rsa modulus 2048
!
ip http secure-server

Using a centralized syslog

We can send the log messages to a log host with the following command:

logging host <ip-address>

Using hash-based passwords

The secret keyword is a good idea: enable secret stores a salted MD5 hash (type 5), whereas enable password stores the password in clear text, or in the trivially reversible type 7 encoding when service password-encryption is on. The same applies to local users: username <name> secret <password> rather than username <name> password <password>.

Disabling insecure or unused services

A few examples (several of these are already off by default on recent IOS releases and then do not appear in the running-config):

no ip http server
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no mop enabled
no ip domain-lookup
no service pad
no service config
no cdp run
no lldp run

Disabling TCL

If we have a recent IOS we also have the possibility of working with TCL scripts. If we don't know how to use them, disabling them is advisable:

no scripting tcl init
no scripting tcl encdir

These commands will not be visible in the running-config, but it's good not to forget about them.

Securing the terminal lines

Idle timeout

If we have an administration console open, it can be closed automatically after a period of inactivity (the default is 10 minutes; exec-timeout 0 0 disables the timeout entirely, so never use that on a production line):

line con 0
 exec-timeout <minutes> [seconds]
line vty 0 4
 exec-timeout <minutes> [seconds]

Disabling the AUX port

line aux 0
 transport input none
 transport output none
 no exec
 exec-timeout 0 1
 no password

Another option is to give it a password, just like the console port.

Disabling password recovery

Not a bad idea given that someone with console access could otherwise change the configuration register and gain access to NVRAM (the startup-config, with its passwords and keys).

But if you forget the password, you have a problem: getting back in then means resetting the router to factory defaults and losing the configuration:

no service password-recovery

Configuring the Nagle algorithm

It should be enabled on all routers for the efficiency of Telnet (and SSH) sessions; it coalesces small segments so the router has fewer packets to handle:

service nagle

Configuring keepalives for TCP services

These let the router detect and tear down dead Telnet/SSH sessions, so half-open connections don't keep the vty lines occupied:

service tcp-keepalives-in
service tcp-keepalives-out

Using loopbacks for management

Being virtual interfaces, they have the advantage of always being up, and management traffic is then sourced from one known address that can be permitted in filters:

interface Loopback0
 description Management loopback
 ip address 192.168.254.254 255.255.255.255
!
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
ip telnet source-interface Loopback0
ip ssh source-interface Loopback0
logging source-interface Loopback0
ntp source Loopback0

Memory thresholds

Available since IOS 12.3(4)T.

They let us take certain actions when the router does not have enough free memory. There are two mechanisms:

Memory threshold notification:

Generates a log message warning that free memory has dropped below the threshold set in the configuration:

memory free low-watermark processor <threshold-in-kB>
memory free low-watermark io <threshold-in-kB>

Reserving memory for critical processes:

memory reserve critical <kilobytes>

For the console:

Available since IOS 12.4(15)T.

memory reserve console <kilobytes>

Access lists

An idea of which access lists we should have configured on the router (an infrastructure ACL, applied inbound on the external interface; the deny line protects the infrastructure addresses themselves from anything not explicitly permitted above it):

ip access-list extended ACL-NAME-IN
 permit tcp host <bgp-peer> host <local-bgp-address> eq 179
 permit tcp host <bgp-peer> eq 179 host <local-bgp-address>
 permit tcp host <admin-pc> any eq 22
 permit udp host <monitoring-server> any eq 161
 permit icmp <trusted-network> <wildcard> any echo
!
 deny ip any <infrastructure-network> <wildcard>
!
 permit ip any any
!
interface <external-interface>
 ip access-group ACL-NAME-IN in

A few more unusual ideas

They are not widely known but can be of great help in certain cases. In others, though, they can cause problems.

Filtering fragments

In general, because non-initial fragments carry no layer-4 header, an ACL that matches on ports lets them through. Fragmentation is sometimes used in attempts to fool the IDS. The fragments keyword matches non-initial fragments only:

ip access-list extended ACL-OTHERNAME-IN
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 !
 permit ip any any

The final deny ip any any fragments entry already covers the three protocol-specific ones; keeping them gives separate hit counters per protocol. Be aware that legitimate fragmented traffic (large UDP datagrams, IPsec) is dropped too.

Filtering on TTL values

We can filter packets that claim to come from our own network, or from a nearby address, yet arrive with a very low TTL, which points to spoofing or to a source that is in fact far away:

ip access-list extended ACL-ANOTHERNAME-IN
 deny ip <my-network> <wildcard> any ttl lt 30
 !
 permit ip any any

Filtering on IP options

IP options are a real hazard because packets carrying them are treated as exceptions and therefore process-switched, which means more CPU load. The presence of an option in a packet can also mean an attempt to evade security controls or to alter the packet's path (source routing, for example):

ip access-list extended ACL-NAME-IN
 deny ip any any option any-options
 !
 permit ip any any

With IOS 12.3(4)T, 12.0(22)S, or 12.2(25)S and later we can use the command:

ip options drop

and all packets containing IP options are discarded (ip options ignore instead forwards them while ignoring the options).

Management Plane Protection

Available since IOS 12.4(6)T.

Lets an administrator restrict management traffic to a designated interface; management protocols arriving on any other interface are dropped (CEF must be enabled).

Example: allow HTTPS and SSH only on GigabitEthernet 0/1:

control-plane host
 management-interface GigabitEthernet 0/1 allow ssh https

Enabling DHCP snooping

On a switch we can filter DHCP server replies in the chosen VLAN and define on which port a DHCP server is allowed (snooping has to be enabled globally as well as per VLAN; every other port is untrusted):

ip dhcp snooping
ip dhcp snooping vlan 1
interface FastEthernet0/1
 description DHCP Server
 ip dhcp snooping trust

To be updated….
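As an added example that is not part of the original post, here is a Python checker that reads a running-config and reports which of the hardening items above it fails: required global commands, forbidden ones (small servers, finger, HTTP, enable password), vty lines not restricted to SSH, an AUX line still offering an exec, and disabled idle timeouts. The two configurations embedded in it are constructed for the example rather than taken from a real device (the enable secret hash is a placeholder), and the parser assumes the usual IOS layout in which section bodies are indented by one space.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configs (not from a real device). WEAK_CONFIG is a typical
# untouched state; HARDENED_CONFIG applies the commands from this post.
WEAK_CONFIG = """\
version 12.4
service tcp-small-servers
hostname edge1
enable password cisco123
ip http server
ip finger
line con 0
line aux 0
line vty 0 4
 password telnetpw
 login
 transport input telnet ssh
end
"""

HARDENED_CONFIG = """\
version 12.4
no service password-recovery
service tcp-keepalives-in
service tcp-keepalives-out
hostname edge1
enable secret 5 $1$salt$placeholderhash
username admin secret 5 $1$salt$placeholderhash
no ip http server
ip http secure-server
ip ssh authentication-retries 3
no cdp run
logging host 192.0.2.10
line con 0
 exec-timeout 5 0
line aux 0
 no exec
 transport input none
 transport output none
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
end
"""

# Global commands that must be present (prefix match) and why.
REQUIRED = [
    ("no ip http server", "plaintext HTTP management is on by default on many images"),
    ("no cdp run", "CDP advertises platform and IOS version to every neighbour"),
    ("no service password-recovery", "console access otherwise gives full NVRAM access"),
    ("service tcp-keepalives-in", "dead inbound sessions would otherwise hold vty lines"),
    ("service tcp-keepalives-out", "dead outbound sessions are never torn down"),
    ("logging host ", "no central syslog: the local buffer is lost on reload"),
    ("enable secret ", "privileged password must be stored as a hash"),
]
# Global commands that must not be present (regex on the whole line).
FORBIDDEN = [
    (r"^service (tcp|udp)-small-servers$", "echo/chargen/discard/daytime exposed"),
    (r"^ip finger$", "finger leaks logged-in users"),
    (r"^ip bootp server$", "BOOTP server is not needed on a router"),
    (r"^ip http server$", "HTTP management in clear text"),
    (r"^enable password ", "clear text or reversible type 7; use enable secret"),
    (r"^username \S+ password ", "user password stored reversibly; use username ... secret"),
]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level lines and the indented body of each section."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections


def audit_config(text: str) -> List[str]:
    """Return one finding per hardening item from this post that the config fails."""
    top, sections = parse_config(text)
    findings: List[str] = []
    for needed, why in REQUIRED:
        if not any(line.startswith(needed) for line in top):
            findings.append(f"missing '{needed.strip()}': {why}")
    for pattern, why in FORBIDDEN:
        for line in top:
            if re.match(pattern, line):
                findings.append(f"found '{line}': {why}")
    for header, body in sections.items():
        if header.startswith("line vty"):
            transport = [l for l in body if l.startswith("transport input")]
            if not transport or transport[-1] != "transport input ssh":
                findings.append(f"{header}: transport input is not restricted to ssh")
        if header.startswith("line aux") and "no exec" not in body:
            findings.append(f"{header}: aux port still offers an exec; add 'no exec' and 'transport input none'")
        if header.startswith("line") and "exec-timeout 0 0" in body:
            findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The checker tests for the presence of the "no ..." forms because that is what a hardened running-config actually shows; services that are off by default (the small servers, finger) never appear either way, so for them it tests for the positive command instead. Feed it the output of show running-config collected over SSH or from a backup and it becomes a cheap drift check across a fleet.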

I've received a few emails asking me for various IOS versions. As I wrote in those emails, I'll tell you too that IOS images are not free. They are proprietary systems and it is normal for them to cost money, depending on their features and implementations.

Still, if you want to learn something about Cisco, a simulator is not always enough. So you turn to physical routers or to emulators like GNS3. And for those you need IOS images.

I don't encourage piracy; I only offer a few suggestions, such as our friend Google, smart enough to find what you need…

For example, a general search for IOS could have the following syntax:

intitle:index.of ios parent directory bin

Of course you can also search for something more specific, such as a particular generation of IOS:

intitle:index.of c7200*.bin -site:cisco.com

or

intitle:index.of c3640*.bin -site:cisco.com

Let's not forget the firewall either:

intitle:index.of cisco pix*.bin -site:cisco.com

Whatever you pull from an open directory is untrusted code that will run with full control of the box: compare its MD5 with the hash Cisco publishes for that image, and check it again on the router with verify /md5 before booting from it, even in a lab.

I hope I've been of help! :)

the invitation to SIMO. I can't wait to see what's new…

On another note… the holidays are over! Bummer!

Coming soon… new articles!