Tuesday, July 26, 2011

Router Security - Password Recovery for Cisco FWSM

We first reset the FWSM from the supervisor (the Router# prompt below) so that it boots its maintenance partition, cf:1:

Router#hw-module module 7 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning: Device list is not verified.
Proceed with reload of module?[confirm]
% reset issued for module 7
Router#
*Jul  7 08:41:06.103: SP: The PC in slot 7 is shutting down. Please wait ...
*Jul  7 08:41:06.191: SP: PC shutdown completed for module 7
*Jul  7 08:41:06.199: %C6KPWR-SP-4-DISABLED: power to module in slot 7 set off (Reset)
*Jul  7 08:43:09.539: SP: OS_BOOT_STATUS(7) MP OS Boot Status: finished booting
*Jul  7 08:43:36.623: %DIAG-SP-6-RUN_MINIMUM: Module 7: Running Minimal Diagnostics...
*Jul  7 08:43:43.687: %DIAG-SP-6-DIAG_OK: Module 7: Passed Online Diagnostics
*Jul  7 08:43:59.667: %OIR-SP-6-INSCARD: Card inserted in slot 7, interfaces are now online

Then we session into the module and log in to the maintenance image with its default credentials, username root and password cisco:


Router#session slot 7 processor 1  
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.71 ... Open
Cisco Maintenance image
login: root
Password:
Maintenance image version: 2.1(2)

Then we clear the passwords stored in the application partition cf:4, which holds the system configuration, with clear passwd cf:4. This removes only the password lines (and, as the final message shows, any aaa commands); the rest of the configuration is kept.

root@localhost.localdomain#clear passwd cf:4
Do you wish to erase the passwords? [yn] y
The following lines will be removed from the configuration:
        enable password jDUXMyqeIzxQIVgK encrypted
        passwd jDUXMyqeIzxQIVgK encrypted
Do you want to remove the commands listed above from the configuration? [yn] y
Passwords and aaa commands have been erased.
root@localhost.localdomain#exit
logout
[Connection to 127.0.0.71 closed by foreign host]

Then we reset the FWSM again, this time without naming a boot partition, so that it comes back up on the application partition (note the empty boot variable):

Router#hw-module module 7 reset
Device BOOT variable for reset = <empty>
Warning: Device list is not verified.
Proceed with reload of module?[confirm]
% reset issued for module 7
Router#
*Jul  7 08:46:58.783: SP: PC shutdown completed for module 7
*Jul  7 08:46:58.799: %C6KPWR-SP-4-DISABLED: power to module in slot 7 set off (Reset)
*Jul  7 08:49:14.540: %DIAG-SP-6-RUN_MINIMUM: Module 7: Running Minimal Diagnostics...
*Jul  7 08:49:17.424: %DIAG-SP-6-DIAG_OK: Module 7: Passed Online Diagnostics
*Jul  7 08:49:29.535: %OIR-SP-6-INSCARD: Card inserted in slot 7, interfaces are now online

Then we log in with the default passwords. Since the whole procedure needs nothing more than privileged access to the supervisor, treat enable and console access to the chassis as equivalent to administrative access to the firewall, and reinstate the enable password, the login password and any aaa configuration immediately after recovery:

Router#session slot 7 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.71 ... Open

User Access Verification
Password:

TEST-FWSM> en
Password:
TEST-FWSM#
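From the defender's side, the recovery above leaves a distinctive trace in the supervisor log: the same slot is powered off with "(Reset)", comes back online, and is reset again a few minutes later. The following script is an added example, not part of the original post: it pairs each reset with the next "Card inserted" message for that slot and flags a second reset that follows within a configurable gap. The sample log lines are constructed in the shape of the messages shown above, the year (absent from the log) is assumed to be 2011, and the 15-minute threshold is an arbitrary starting point to tune.

```python
import re
from datetime import datetime

# Constructed sample input, shaped like the supervisor messages in the session
# above: two resets of slot 7 a few minutes apart (the year is not logged).
SAMPLE_LOG = """\
*Jul  7 08:41:06.199: %C6KPWR-SP-4-DISABLED: power to module in slot 7 set off (Reset)
*Jul  7 08:43:09.539: SP: OS_BOOT_STATUS(7) MP OS Boot Status: finished booting
*Jul  7 08:43:43.687: %DIAG-SP-6-DIAG_OK: Module 7: Passed Online Diagnostics
*Jul  7 08:43:59.667: %OIR-SP-6-INSCARD: Card inserted in slot 7, interfaces are now online
*Jul  7 08:46:58.799: %C6KPWR-SP-4-DISABLED: power to module in slot 7 set off (Reset)
*Jul  7 08:49:17.424: %DIAG-SP-6-DIAG_OK: Module 7: Passed Online Diagnostics
*Jul  7 08:49:29.535: %OIR-SP-6-INSCARD: Card inserted in slot 7, interfaces are now online
"""

# "*Jul  7 08:41:06.199: <message>"  (leading '*' marks an unsynchronised clock)
LINE_RE = re.compile(r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
                     r"(?P<time>\d\d:\d\d:\d\d\.\d+):\s+(?P<msg>.*)$")
RESET_RE = re.compile(r"%C6KPWR-SP-4-DISABLED: power to module in slot (?P<slot>\d+) set off \(Reset\)")
ONLINE_RE = re.compile(r"%OIR-SP-6-INSCARD: Card inserted in slot (?P<slot>\d+),")


def parse_line(line, year):
    """Return (timestamp, message) or None for lines that are not syslog records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S.%f")
    return ts, m["msg"]


def find_reset_windows(log_text, year=2011):
    """Pair every 'set off (Reset)' with the next 'Card inserted' for the same slot."""
    open_resets = {}           # slot -> time the module was powered off
    windows = []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, msg = parsed
        r = RESET_RE.search(msg)
        if r:
            open_resets[int(r["slot"])] = ts
            continue
        o = ONLINE_RE.search(msg)
        if o:
            slot = int(o["slot"])
            start = open_resets.pop(slot, None)
            if start is not None:
                windows.append({"slot": slot, "reset_at": start, "online_at": ts})
    return windows


def flag_double_resets(windows, max_gap_seconds=900):
    """Flag a slot that is reset again within max_gap_seconds of coming back
    online: the shape of the two-reset recovery (into cf:1, then back)."""
    by_slot = {}
    for w in windows:
        by_slot.setdefault(w["slot"], []).append(w)
    hits = []
    for slot, ws in by_slot.items():
        ws.sort(key=lambda w: w["reset_at"])
        for first, second in zip(ws, ws[1:]):
            gap = (second["reset_at"] - first["online_at"]).total_seconds()
            if 0 <= gap <= max_gap_seconds:
                hits.append({"slot": slot, "first_online_at": first["online_at"],
                             "second_reset_at": second["reset_at"], "gap_seconds": gap})
    return hits


if __name__ == "__main__":
    for hit in flag_double_resets(find_reset_windows(SAMPLE_LOG)):
        print(f"slot {hit['slot']}: reset again {hit['gap_seconds']:.1f}s after "
              f"coming online at {hit['first_online_at']:%H:%M:%S} -> verify change record")
```

A hit is only a prompt to check the change record; a legitimate upgrade produces the same pattern, which is why the threshold and the list of slots that host firewall modules should be tuned per site.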

Friday, July 22, 2011

QOS - Policing Example on Cisco IOS XR

In this example, MPLS-labeled traffic is policed on a Cisco IOS XR router according to the EXP bits of its topmost label:

Packets whose topmost label carries EXP 5 are policed to 100 Mbps.

Packets whose topmost label carries EXP 2 are policed to 10 Mbps.

Packets whose topmost label carries EXP 1 are policed to 1 Mbps.

Everything else falls into class-default and is not policed. No exceed-action is configured, so traffic above the configured rate is dropped, which is the IOS XR default; the policy is attached in the output direction of the TenGigE interface.

class-map match-any experimental-1
 match mpls experimental topmost 1
 end-class-map
!
class-map match-any experimental-2
 match mpls experimental topmost 2
 end-class-map
!
class-map match-any experimental-5
 match mpls experimental topmost 5
 end-class-map
!
policy-map qos
 class experimental-5
  police rate 100000000 bps
  !
 !
 class experimental-2
  police rate 10000000 bps
  !
 !
 class experimental-1
  police rate 1000000 bps
  !
 !
 class class-default
 !
 end-policy-map
!
interface tenGigE 0/0/0/1
 service-policy output qos
!
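To make the effect of the policy-map concrete, here is an added example (a constructed model, not IOS XR code) of a single-rate, two-colour token-bucket policer with one bucket per EXP class, using the three rates above and leaving class-default unpoliced. The burst depth (100 ms of the class rate), the packet size and the evenly spaced packet streams are assumptions made for the simulation; time is kept in integer microseconds so the arithmetic is exact.

```python
# Single-rate, two-colour token-bucket policer per MPLS EXP class.
# Rates come from policy-map "qos" above; the burst depth (100 ms of the
# class rate) and the traffic streams are constructed for this example.
# Exceeding packets are dropped, which is the IOS XR default exceed-action.

RATE_BPS = {5: 100_000_000, 2: 10_000_000, 1: 1_000_000}
US_PER_S = 1_000_000


class TokenBucket:
    """Tokens are bytes; time is integer microseconds so refills are exact."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = burst_bytes          # bucket starts full
        self.last_us = 0

    def offer(self, now_us: int, size_bytes: int) -> bool:
        refill = (now_us - self.last_us) * self.rate_bps // (8 * US_PER_S)
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_us = now_us
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True                    # conform -> transmit
        return False                       # exceed  -> drop


class ExpPolicer:
    """One bucket per EXP value in RATE_BPS; any other EXP is class-default,
    which the policy-map leaves unpoliced."""

    def __init__(self, rates=RATE_BPS, burst_ms: int = 100):
        self.buckets = {exp: TokenBucket(r, r // 8 * burst_ms // 1000)
                        for exp, r in rates.items()}

    def offer(self, now_us: int, exp: int, size_bytes: int) -> str:
        bucket = self.buckets.get(exp)
        if bucket is None:
            return "transmit"
        return "transmit" if bucket.offer(now_us, size_bytes) else "drop"


def constant_rate_stream(exp, offered_bps, size_bytes, duration_s):
    """Evenly spaced packets of one EXP value at the offered rate (constructed traffic)."""
    n = offered_bps * duration_s // (size_bytes * 8)
    interval_us = duration_s * US_PER_S // n
    return [(k * interval_us, exp, size_bytes) for k in range(n)]


def police_stream(exp, offered_bps, size_bytes=1000, duration_s=1, burst_ms=100):
    """Run one stream through the policer and report what got through."""
    policer = ExpPolicer(burst_ms=burst_ms)
    counts = {"transmit": 0, "drop": 0}
    for now_us, pkt_exp, size in constant_rate_stream(exp, offered_bps, size_bytes, duration_s):
        counts[policer.offer(now_us, pkt_exp, size)] += 1
    counts["delivered_bps"] = counts["transmit"] * size_bytes * 8 // duration_s
    return counts


if __name__ == "__main__":
    for exp, offered in ((5, 50_000_000), (2, 10_000_000), (1, 2_000_000), (0, 500_000_000)):
        print(f"EXP {exp} offered {offered:>11,} bps ->", police_stream(exp, offered))
```

Offering 2 Mbps of EXP 1 traffic shows the two phases of a policer: the full bucket lets the first packets through at line rate, then the stream settles into conform/drop alternation so that slightly more than the 1 Mbps contract is delivered over the first second, the excess being exactly the burst. EXP 0 is not matched by any class and is passed untouched, which is worth remembering when the marking policies feeding this interface are changed.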

QOS - Marking Example 2 on Cisco IOS XR

These configurations classify incoming IP packets by DSCP value. The packets are labeled with MPLS as they pass through this router, and the EXP bits of the imposed label are set according to the DSCP class. Because the packets are still unlabeled IP when the input policy runs, the EXP value is set with imposition (written into the label this router pushes); topmost would rewrite the EXP of an existing top label on an already labeled packet.

class-map match-any dscp-0
 match dscp 0
 end-class-map
!
class-map match-any dscp-ef
 match dscp ef
 end-class-map
!
class-map match-any dscp-af11
 match dscp af11
 end-class-map
!
policy-map Qos-marking
 class dscp-ef
  set mpls experimental imposition 5
 !
 class dscp-af11
  set mpls experimental imposition 1
 !
 class dscp-0
  set mpls experimental imposition 2
 !
 class class-default
 !
 end-policy-map
!
interface gigabitEthernet 0/1/0/20.1
 service-policy input Qos-marking
!

QOS - Marking Example on Cisco IOS XR

In this example customer traffic is marked on a Service Provider Router:


If the customer subscribes to the VoIP/Gold/Premium service, all traffic arriving from the attachment circuit is marked with MPLS EXP 5 in the labels imposed by this router (the EXP bits, not the label value itself):

policy-map marking-exp-5
 class class-default
  set mpls experimental imposition 5
 !
 end-policy-map
!

If the customer subscribes to any other service, all traffic arriving from the attachment circuit is marked with MPLS EXP 0:

policy-map marking-exp-0
 class class-default
  set mpls experimental imposition 0
 !
 end-policy-map
!

These policy-maps are then attached to the related attachment-circuit interfaces in the input direction, with one of:

service-policy input marking-exp-5

or

service-policy input marking-exp-0