One of our engineers wanted to get ISAKMP debug output from a router immediately after a reboot, but found he could not log in quickly enough after the reload to turn the debugs on by hand. He found a way to have the debugs running without needing to log in to the router and enter the debug commands manually.
On IOS releases which support the "do" command it is possible to put "do debug ..." lines into a text copy of the configuration file and then TFTP that file to startup-config. When the router reboots, the debugs start as the startup configuration is parsed. It worked well for him in terms of getting debug output when he wanted it. Two caveats: debug output can be heavy on a router that is still bringing up its interfaces, so send it to the logging buffer rather than the console; and remove the "do debug" lines afterwards (saving the running configuration over startup-config once the box is up does this, because "do" commands are executed rather than stored) so that the debugs do not arm themselves on every later reload.
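As an added example (not the engineer's own file), here is the shape of a startup-config that arms the debug at boot, with the EXEC commands used to load it and later disarm it in the comments. The hostname, TFTP server address and file name are assumptions.

```cisco
! router1-debug.cfg  (constructed example; names and addresses are assumptions)
!
! Load it into NVRAM and reload (typed at the EXEC prompt):
!   router1# copy tftp://192.0.2.10/router1-debug.cfg startup-config
!   router1# reload
! After the box is up, collect the output and disarm:
!   router1# show logging
!   router1# undebug all
!   router1# copy running-config startup-config   (the "do" lines are gone)
!
hostname router1
!
! Send debug output to the buffer, not the console. A burst of ISAKMP
! messages on the console during boot can make the router very slow to
! give a usable prompt; the buffer is read back later with "show logging".
logging buffered 65536 debugging
no logging console
!
! "do" runs an EXEC command from configuration mode. While IOS parses
! startup-config at boot it executes these lines, so the debug is active
! before anyone logs in. They are executed, not stored, so they do not
! appear in running-config afterwards.
do debug crypto isakmp
do debug crypto ipsec
!
! ... the rest of the saved configuration (crypto isakmp policy, crypto map,
! interfaces and so on) follows unchanged ...
!
end
```

The buffer size matters: at the "debugging" level a busy ISAKMP negotiation can push the first lines out of a small buffer before anyone reads them, so size it generously for the duration of the test.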
This release allows you to filter directly on SNMP OIDs, export IO graphs, and follow UDP streams. It also has improved Vista support. For more information, click the following link:
Release 4.5 of Nmap, an open source utility for network mapping and security auditing, is now available. Major new features since 4.00 include the Zenmap cross-platform GUI, 2nd generation OS detection, the Nmap Scripting Engine, a rewritten host discovery system, performance optimization, advanced traceroute functionality, TCP and IP options support, and nearly 1,500 new version detection signatures. For more information, click the following link:
We noticed that Priscilla Oppenheimer has written up an annotated Cisco LAN-to-LAN IPsec tunnel configuration document. If you would like to review this document, click the following link :
Folks may want to look at the configuration change tracking feature in IOS. Introduced in 12.3T, it records each configuration command that was entered, who entered it, and when it was entered, which gives you an audit trail of configuration changes rather than just the end result in running-config.
This link has information about this feature:
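As an added example (not from the original note), this is the configuration that turns the change logger on and the command that reads it back; the log size is an illustrative value:

```cisco
! Enable the 12.3T configuration change logger. "logging size" keeps the
! last 500 commands in memory; "hidekeys" masks passwords and keys in the
! log; "notify syslog" copies every entry to syslog as it happens, so the
! record survives on the collector even if the router is later reloaded
! or the in-memory log is cleared.
archive
 log config
  logging enable
  logging size 500
  hidekeys
  notify syslog
!
! Reading it back (EXEC):
!   router1# show archive log config all
! Each entry carries an index, the session number, the user and line it came
! from (for example admin@vty0) and the exact command that was entered, so a
! change can be tied to a person and a login rather than just to "somebody".
```

Send the syslog copy to a host the router administrators cannot edit; the whole point of the log is to be believed after the fact.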
Getting AAA enable authentication to work on ASAs
07/2007
One of our consultants suggests these steps, in the Cisco Secure ACS web interface, to get TACACS+ enable authentication to work on ASAs:
1. Click on "Interface Configuration"
2. Click on "TACACS+ (Cisco IOS)"
3. Click on the "Advanced TACACS+ Features" checkbox
4. Click on "Submit"
5. Click on "Group Setup"
6. Open group to be modified
7. In the "Enable Options" section click on the "Max Privilege for any AAA Client" radio button and choose "Level 15" in the drop down box
8. Click on "Submit + Restart"
9. Click on "User Setup"
10. Click on user id
11. In the "Advanced TACACS+ Settings" section choose the "Use Group Level Setting" radio button
12. In the "Advanced TACACS+ Settings", "TACACS+ Enable Password" subsection choose the "Use CiscoSecure PAP password" radio button
13. Click "Submit"
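The steps above are the ACS side. As an added example (not part of the consultant's note), here is the matching ASA side; the server address, interface name, shared key and user are assumptions:

```cisco
! Define the TACACS+ server group and a server in it.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.20
 key TacacsSharedSecret
!
! Authenticate SSH logins and the "enable" step against TACACS+, falling
! back to the LOCAL user database only when no server answers. Without the
! LOCAL fallback an ACS outage locks the operators out of their own firewall.
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
!
! Verify the server is reachable and accepts the account before relying on it:
!   ciscoasa# test aaa-server authentication TACACS host 192.0.2.20 username admin password Secr3tPass
```

With "Max Privilege for any AAA Client" set to level 15 and the enable password set to the CiscoSecure PAP password (steps 7 and 12 above), the user types the same password at the enable prompt that was used to log in, and lands at privilege 15.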
Have you noticed that there are multiple configuration options in Cisco IOS? Maybe one is appropriate for you:
router1#conf ?
confirm Confirm replacement of running-config with a new config file
memory Configure from NV memory
network Configure from a TFTP network host
overwrite-network Overwrite NV memory from TFTP network host
replace Replace the running-config with a new config file
terminal Configure from the terminal
router1#
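As an added example (not from the original note), this shows the option that matters most when you are pushing a change from a file: "copy tftp running-config" merges the file into the running configuration, so it can add lines but never removes anything, while "configure replace" makes the running configuration match the file exactly, adding and removing lines as needed, without a reload. File names and the confirm window are assumptions.

```cisco
! 1. Save a known-good configuration before a risky change.
router1# copy running-config flash:golden.cfg
!
! 2. ... make the change, e.g. an ACL edit over a VTY session ...
!
! 3. Roll back to the known-good file. "list" prints each command that is
!    applied; "time 120" reverts the replacement automatically unless it is
!    confirmed within 120 seconds, which protects you if the rollback itself
!    cuts off your management session.
router1# configure replace flash:golden.cfg list time 120
!
! 4. Still reachable? Make it permanent. (Otherwise the router reverts on its
!    own when the timer expires; "configure revert now" reverts immediately.)
router1# configure confirm
```

"confirm" and "replace" are the two entries in the help output above that make this workflow possible; "memory" and "network" are the old merge-style loads.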
The Windows Memory Diagnostic tests the Random Access Memory (RAM) on your computer for errors. The diagnostic includes a comprehensive set of memory tests. If you are experiencing problems while running Windows, you can use the diagnostic to determine whether the problems are caused by failing hardware, such as RAM or the memory system of your motherboard. Windows Memory Diagnostic is designed to be easy and fast. On most configurations, you can download the diagnostic, read the documentation, run the test and complete the first test pass in less than 30 minutes.
To run Windows Memory Diagnostic, you must reboot your computer with the disk or CD-ROM on which you installed Windows Memory Diagnostic in the drive. After the reboot, Windows Memory Diagnostic will load and its interface will appear. After loading, the first test pass will begin, using the default standard test suite, and continue until complete, unless Windows Memory Diagnostic is either paused or exited. Once the first test pass is complete, Windows Memory Diagnostic will begin a second test pass using the same settings as before. Windows Memory Diagnostic will continue to run test passes until you exit.
Don't Believe That WEP Is Securing Wireless
04/2007
WEP should not be considered a tool for securing wireless networks, as WEP key recovery has become very sophisticated: a group of German security researchers has shown the key can be recovered in about 3 seconds of computation once enough traffic has been captured.
WEP has been superseded by WPA and by WPA2 (IEEE 802.11i). Wi-Fi Protected Access (WPA) uses message exchanges like those in WEP, but for confidentiality uses either TKIP (a fresh key derived for every packet) or AES encryption. WPA also adds a message integrity check called Michael, with replay prevention, making it much harder to flip selected bits in a frame and learn the key from the result. WPA comes in industrial and home strengths. The former requires 802.1X with a RADIUS back end to authenticate each user individually. This is much stronger than the SOHO version, which uses a single Pre-Shared Key (WPA-PSK) shared by every client and is only as strong as the passphrase chosen.
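As an added example (not from the original note), here is how the two WPA2 strengths described above look on a Cisco Aironet access point running IOS. SSID names, the RADIUS server address and the keys are assumptions.

```cisco
! -- "Home" strength: WPA2 with a pre-shared key. Every client shares one
!    secret, so one lost laptop means a new key on every other client, and
!    the passphrase must be long and random, not a dictionary word.
dot11 ssid HOME-PSK
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 0 LongRandomPassphraseNotADictionaryWord
!
! -- "Industrial" strength: WPA2 with 802.1X/EAP against a RADIUS server.
!    Each user authenticates individually and receives its own pairwise key.
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.30 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 192.0.2.30 auth-port 1812 acct-port 1813 key RadiusSharedSecret
!
dot11 ssid CORP-8021X
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
!
! The radio offers AES-CCMP only: no WEP key, no TKIP. Bind the SSID that
! fits the site (HOME-PSK on a SOHO box, CORP-8021X where RADIUS exists).
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid CORP-8021X
```

The line to look for on an old configuration is "encryption mode wep" or an "encryption key" entry under the radio interface; either one means the network is still WEP whatever the SSID name suggests.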
Cisco has published several portable product sheets that summarize device performance, including router performance numbers (Mbps and pps), supervisor information, module compatibility, and a good deal more information. The reference link is below:
IEEE Standard Link Layer Discovery Protocol (LLDP)
12/2006
The IEEE 802.1AB Link Layer Discovery Protocol (LLDP) is an emerging standard which provides a solution for the configuration issues caused by expanding LANs. LLDP specifically defines a standard method for Ethernet network devices such as switches, routers and wireless LAN access points to advertise information about themselves to other nodes on the network and to store the information they discover. LLDP runs on all 802 media. The protocol runs over the data-link layer only, allowing two systems running different network layer protocols to learn about each other.
Cisco plans to support LLDP on both IP phones and LAN switches to provide multi-vendor interoperability. Because Cisco Discovery Protocol (CDP) is widely deployed and provides some additional capabilities, Cisco will continue to fully support CDP.
The VTP feature in certain versions of Cisco IOS software is vulnerable to a buffer overflow condition and potential execution of arbitrary code. If a VTP summary advertisement is received with a Type-Length-Value (TLV) containing a VLAN name greater than 100 characters, the receiving switch will reset with an Unassigned Exception error. The packets must be received on a trunk enabled port, with a matching domain name and a matching VTP domain password (if configured).
Note: If the VTP mode is "transparent", there is no exposure. More information is available here:
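As an added example (not from the advisory), this is the hardening that removes the exposure described above, built from the advisory's own conditions: the packet must arrive on a trunk-enabled port and match the domain name and password. Domain name, password and port range are assumptions.

```cisco
! 1. Transparent mode on every switch that does not need to learn VLANs from
!    VTP: advertisements are forwarded but not processed, so the oversized
!    VLAN-name TLV is never parsed. This is the "no exposure" case above.
vtp mode transparent
!
! 2. On switches that must stay server/client, make a forged advertisement
!    harder to get accepted: it is only processed if both domain name and
!    password match. (Mitigation only; it does not fix the overflow.)
vtp domain CORP
vtp password VtpSharedSecret
!
! 3. Host-facing ports must never become trunks. A VTP packet only counts if
!    it arrives on a trunk-enabled port, so pin these ports to access mode
!    and turn off DTP so a host cannot negotiate a trunk.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport nonegotiate
!
! Check the result:
!   switch# show vtp status
```

The advisory's conditions are cumulative, so step 3 alone protects a switch from its access ports; step 1 is what protects it from its trunks.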
Cisco Systems IOS contains a bug when parsing GRE packets with GRE source routing information. A specially crafted GRE packet can cause the router to reuse packet data from unrelated ring buffer memory. The resulting packet is reinjected into the routing queues. More information is available here:
Dell is replacing for free certain batteries sold with Dell Latitude™, Inspiron™, XPS™ and Dell Precision Mobile Workstation™ notebook computers due to an overheating/fire hazard. More information is available here:
Mozilla has released updates to its Firefox browser and Thunderbird e-mail client that fix a number of critical security flaws in the open-source products. The Firefox update, which was in the process of being automatically delivered to Firefox 1.5 users Friday, addresses 12 security flaws. The release also includes some fixes designed to make the browser more stable, Mozilla said on its Web site. For more information, click on:
This Routing Working Group document proposes that with the current implementations of BGP flap damping, the application of flap damping in ISP networks is NOT recommended. The recommendations given in ripe-229 and previous documents [2] are considered obsolete henceforth.
If flap damping is implemented, the ISP operating that network will cause side-effects to their customers and the Internet users of their customers' content and services as described in the previous sections. These side-effects would quite likely be worse than the impact caused by simply not running flap damping at all.
[..]
Upgrade Recommended for Cisco VPN Windows Client
(cisco-sa-20060524-vpnclient)
05/06
The Cisco VPN Client for Windows is affected by a local privilege escalation vulnerability that allows non-privileged users to gain administrative privileges.
A user needs to authenticate and start an interactive Windows session to be able to exploit this vulnerability.
Cisco has made free software available to address this vulnerability for affected customers.
A new version of Sendmail is available. Internet Security Systems said it has uncovered a flaw in a recent version of the Sendmail open source code used primarily in Unix-based and some Windows-based e-mail gateways. For more information, click on:
Free rack time available here; there do not appear to be catches. Good lab with a large range of routers and switches and a PIX. For more information, click on:
One of our engineers has been looking for a small, fast, cheap, and easy to use utility to graph interface utilization. He reports that he found a pretty good one in PRTG Traffic Grapher. It is free, has a small footprint (<10 MB), and has a customizable GUI. It can also "Classify Bandwidth Usage by IP, Protocol or Connection". For more information, click on:
Network General is offering a free one year license for Sniffer Portable Software (LAN only) for active CCIEs. This offer runs until April 30, 2006, so if you aren't a CCIE now, maybe this is a bit of an inducement! For more information, click on:
Cisco has implemented some interesting enhancements to control the login procedure. These enhancements include the ability to slow down the rate of login attempts, to stop accepting login requests (for a configured period of time) after a configurable number of failed attempts, and the ability to generate syslog messages for failed and/or successful logins:
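As an added example (not from the original note), here are the three enhancements together; the management subnet and the timer values are assumptions:

```cisco
! After 3 failed attempts within 60 seconds, refuse logins for 120 seconds
! ("quiet mode"). While quiet, only sources matching MGMT-HOSTS may still log
! in, so a password-guessing run cannot lock the operators out of the box.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
!
! Insert a 2-second delay between successive login attempts.
login delay 2
!
! Generate a syslog message for every failed and every successful login.
! A burst of failures from one source is the detection signal for guessing;
! a success from an unexpected source is the one worth paging someone for.
login on-failure log
login on-success log
!
! Inspect the state (EXEC):
!   router1# show login
!   router1# show login failures
```

Keep the access-class narrow: anything permitted there can still attempt logins during quiet mode, so it should be the management stations only, not a whole user network.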
Did You Know about the Cisco Power Calculator?
09/05
Did you know that there is a power calculator available to help you estimate what size power supply you will need for a specific configuration? The Power Calculator supports the following Cisco product series: Cisco Catalyst® 6500, Catalyst 4500, Catalyst 3750, and Catalyst 3560 series switches, and the Cisco 7600 Series Router. We have found it to correlate within a percent to the 'show power' results of actual devices.
Cisco Announces IOS Software Modularity for Catalyst 6500s
08/29/05
Cisco is announcing IOS Software Modularity for the Catalyst 6500s, which separates subsystems into individual processes and enhances the ability to provide process-level fault isolation. The Embedded Event Manager (EEM) included in IOS Software Modularity can use Tcl scripts to run EXEC commands, send SMTP mail, poll SNMP, run logic based on the reply, send SNMP traps, and so on. This enhancement is expected in the 12.2(18)SXF release.
A Useful Hidden Command - show ip eigrp timers
08/14/05
One of our engineers pointed out the "show ip eigrp timers" command. It is not documented, but it does provide some useful information (the per-interface hello timers and the peer hold timer that are about to expire):
router1#sh ip eigrp timer
IP-EIGRP timers for process 101
Hello Process
Expiration Type
| 0.420 (parent)
| 0.420 Hello (GigabitEthernet1/1)
| 3.828 Hello (POS2/0/0)
| 3.931 Hello (GigabitEthernet6/2)
Update Process
Expiration Type
| 12.944 (parent)
| 12.944 (parent)
| 12.944 Peer holding
SIA Process
Expiration Type
| 0.000 (parent)
router1#
Issues with Some Compact Flash Cards on Cisco Devices
06/24/05
A limited quantity of Cisco 1841, Cisco 2691, Cisco 2800, Cisco 3700 and Cisco 3800 series routers that recently shipped with a 64 Megabyte Compact Flash card, may fail under certain operational conditions. The failure of a Compact Flash card could result in an interruption of the host router's services.
Battery-Biz announced a voluntary recall of some of their high capacity laptop batteries. Consumers should stop using recalled products immediately unless otherwise instructed, because an internal short can cause the battery cells to overheat, posing a fire hazard to consumers.
Ever Had Problems Sniffing Packets from VLANs?
06/01/05
One of our engineers was having some trouble with his Dell D800 laptop passing VLAN tags to a Sniffer. As it turns out, the Windows XP Dell driver strips the 802.1Q VLAN tag before the frame reaches the capture software, and so do the Broadcom drivers. He read up on this, and believes it also affects the D600, which uses the same NIC. For sniffing VLAN packets now, he is using an inexpensive TrendNet dongle-free PCMCIA NIC that passes the tags along just fine.
Changes Made in Cisco Certifications Retake Policy
05/20/05
You now have to wait five calendar days before retaking a Cisco certification test. Also, folks needing to recertify the CCIE written have to wait six months after passing one exam to take the exact same exam again.
Vulnerabilities in Firewall Service Module
05/11/05
The Cisco Firewall Services Module (FWSM) is a high-speed, integrated firewall module for Catalyst 6500 series switches and Cisco 7600 series routers. A vulnerability exists in the Cisco Firewall Services Module when URL, FTP, or HTTPS filtering is enabled in which inbound TCP packets can bypass access-list entries intended to explicitly filter them.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
More information at this link:
Update to Windows XP Provides Support for WPA2
04/29/05
This update to Windows XP provides support for Wi-Fi Protected Access 2 (WPA2), which is the latest standards-based wireless security solution derived from the IEEE 802.11i standard. It also contains Wireless Provisioning Services (WPS) Information Element support, which enables improvements in wireless network discoverability.
More info here:
Based on some component upgrades and feature enhancements, there are free upgrades available on some of the oldest Sup720s. Review this field notice for more information:
Multiple SPAN Destination Ports on 6500 / 7600s
04/06/05
Depending on the software version you are running (IOS train 12.2(18)SXD or later), you can configure multiple SPAN destination ports on 6500s / 7600s using: