Wednesday 25 October 2017

Allow ssh access on cisco ASA

Make sure the IP domain name is set
Generate your RSA key pair (crypto key generate)
Make sure you allow the public IP you are coming from
Make sure you have a username set up
aaa authentication ssh console LOCAL
Always test before leaving site
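The checklist above, written out as a minimal ASA configuration. This is an added example, not config from the original post; the hostname, domain name, username, management addresses and interface names are placeholders to replace with your own values.

```cisco
! Added example (not from the original post). Hostname, domain, addresses,
! username and interface names are placeholders.
hostname asa-edge
domain-name example.net
!
! RSA key pair for the SSH server (hostname and domain-name must be set first)
crypto key generate rsa modulus 2048
!
! Local management account (privilege 15 = full access)
username netadmin password <choose-a-strong-password> privilege 15
!
! Authenticate SSH sessions against the local user database
aaa authentication ssh console LOCAL
!
! Only the public IP you administer from may reach SSH on the outside interface
ssh 203.0.113.10 255.255.255.255 outside
! Inside management subnet
ssh 10.0.0.0 255.255.255.0 inside
!
! SSHv2 only, idle timeout in minutes
ssh version 2
ssh timeout 10
!
! Verify before leaving site: allowed hosts, version, and the key pair
show ssh
show crypto key mypubkey rsa
```

Keep the `ssh` source entries as tight as possible; every address/mask pair listed there can reach the management plane of the firewall, so a wide mask on the outside interface exposes the login prompt to the internet.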

Monday 23 October 2017

packet capture on cisco router/switch

*** Setup ACL
ip access-list extended CAP_ACL
permit ip host x host y

*** Setup buffer
monitor capture buffer CAP_BUFF circular

*** Filter the buffer with the ACL
monitor capture buffer CAP_BUFF filter access-list CAP_ACL

*** Setup the cap point and on what interface
monitor capture point ip cef CAP_POINT fa0/0 both

*** Assign the buffer to point
monitor capture point associate CAP_POINT CAP_BUFF

*** Show the setup
show monitor capture buffer CAP_BUFF

*** Start the cap
monitor capture point start CAP_POINT

*** Send the test traffic
Send the test traffic (for example a ping, or a telnet to the port of interest)

*** Stop the cap
monitor capture point stop CAP_POINT

*** show brief
show monitor capture buffer CAP_BUFF brief

*** export the capture to tftp server
monitor capture buffer CAP_BUFF export tftp://10.50.50.22/mycap.pcap

*** Open the pcap in wireshark


For 3850 - but it didn't work for me
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/configuration/xe-16/epc-xe-16-book/nm-packet-capture-xe.html#GUID-DCB20ADF-1F8E-434B-AE97-54802879F34F

Thursday 12 October 2017

list of DHCP options and other voice bits

list of DHCP options
https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml

Common options
option 3 = router
option 6 = DNS servers
option 15 = domain name
option 150 = TFTP server
option 128 = PXE - undefined (vendor specific)

Vendor options
Some phone systems use their own options; for example,
Nortel uses 128 and 191.

How to set options
You can set them on the domain controller under DHCP -> Scope -> scope options
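The same options set on a Cisco IOS router acting as the DHCP server for the voice VLAN, as an added example (not from the original post). It maps the common options listed above to pool commands; the subnet, server addresses and domain name are placeholders.

```cisco
! Added example (not from the original post). Addresses and names are placeholders.
! Keep the gateway and static server addresses out of the lease range
ip dhcp excluded-address 10.10.102.1 10.10.102.20
!
ip dhcp pool VOICE
 network 10.10.102.0 255.255.255.0
 ! option 3 = router
 default-router 10.10.102.1
 ! option 6 = DNS servers
 dns-server 10.10.1.10 10.10.1.11
 ! option 15 = domain name
 domain-name example.net
 ! option 150 = TFTP server the Cisco phones pull their config from
 option 150 ip 10.10.1.50
 ! option 128 = vendor specific; the value format depends on the phone system
 option 128 ip 10.10.1.60
!
! Verify the pool and which phones have picked up leases
show ip dhcp pool VOICE
show ip dhcp binding
```

Only hand out option 150 / vendor options on the voice scope; phones trust whatever TFTP server DHCP names, so the scope that serves them should live on the voice VLAN behind the trunk settings shown below.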

Cisco phone registration process
Step 1: Phone Loads Software (Image) and Starts the Configuration Process
Step 2a: Phone Sends DHCP Request
Step 2b: DHCP Server Sends DHCP Response
Step 3a: Phone Sends TFTP Request for a Configuration File
Step 3b: TFTP Server Sends the Default Configuration File
Step 4a: TFTP Server Sends the Specific Configuration File of the Phone
Step 4b: Phone Registration Finishes

Check the voice VLAN is allowed and the native VLAN matches
Cisco
switchport mode trunk
switchport trunk allowed vlan 102
switchport trunk native vlan 102

3Com on other side
port trunk permit vlan 102  (allowed vlan)
port trunk pvid vlan 102    (native vlan)

Wednesday 4 October 2017

Upgrading the firepower

Old method was sensor first then FMC.
New method is FMC, deploy, sensor, deploy.

Step 1
Update your VDB and geolocation to the latest.
Run a backup and download it.
It's a good idea to take screenshots of ACL and other policy rules just in case.

Since 6.2 you need to upgrade FMC first, then sensor.

To upgrade from the web GUI, the FMC .sh upgrade file can be downloaded here:
Downloads Home > Products > Security > Firewalls > Firewall Management > Firepower Management Center > Virtual Appliance > FireSIGHT System Software-6.2.0


Network sensor .sh files are available here:
Downloads Home > Products > Security > Firewalls > Next-Generation Firewalls (NGFW) > ASA 5500-X with FirePOWER Services > ASA 5525-X with FirePOWER Services > FirePOWER Services Software for ASA-6.2.0



In later versions you can run a readiness check first. Most logs are found in /var/log/sf.

From version 6.3.0 you can upgrade directly to major versions.
Let's say we are on 6.2.1 and want to go to 6.4.0.2:
we can upgrade directly to 6.4.0 and then up to 6.4.0.2.
Remember you need to deploy after each install.