Cisco IPS – Inline VLAN Pair mode

  1. Set up Cisco IPS on EVE

    I failed to set up Cisco IPS on EVE (ver 2.0.3-53).

    What I did: downloaded the Cisco IPS ova file via: http://certcollection.org/forum/topic/270568-ips-4240-ver-7-unholy-darkness/page__hl__%20cisco%20%20ips (https://mega.nz/#!W99UnTIa!-3k6bQwiD_DhNCDFfL6TWlU69KoRwIYeaJE9JlDOASY)

    Did everything listed in the following instructions for IPS interfaces: http://certcollection.org/forum/topic/266792-emulating-ips-on-unl/ http://www.cznetlab.cz/index.php?cat=cciesec&subcat=unlips

    My problem is:

    Cisco IPS failed to ping anything outside of it. I ran a traffic capture on the IPS’s interface; no packet went out when I executed the ping command.

    Question on the EVE official forum: http://www.unetlab.com/forum/viewtopic.php?f=5&t=55&sid=25184c5b3a889925218c20bffb2f180f

    The official answer is: This image is corrupted and works on neither UNL nor EVE

    So, I deployed it on VMware vSphere instead.

    Set up the VM networks on vSphere (screenshot)

    Set up the IPS’s networks (screenshot)

    Set up EVE’s networks (screenshot)

    Set up the EVE lab (screenshot)

  2. Initialize Cisco IPS

    I initialized the device from the Cisco IPS console interface (screenshot).

    The default username/password is: cisco/ciscoips123

    Then enter the command ‘setup‘ to initialize the device.

    The most important thing is to disable HTTPS. Cisco IPS enables HTTPS by default, but its HTTPS is no longer accepted by most current browsers (Chrome/Firefox/IE). Execute the following commands:

    service web-server
    enable-tls false
    port 80
    exit

    Then access the device over HTTP; it will prompt you to launch IDSM (Java required).

  3. Interface Pairs

    Before the Cisco IPS interface pair (screenshot)

    Add the interface pair (screenshot)

    After the Cisco IPS interface pair (screenshot)

  4. Bind vs

    (screenshot)

  5. Lab1 - Recognize ICMP as Attack

    (screenshots)

  6. Verify

    Execute the ping command on R1 (screenshot)

    Cisco IPS event (screenshots)


Running NX-OSv 9000 on eve (UNL)

Refer to how to add NX-OSv 9000 to GNS3

  1. Download necessary components
    • The NX-OSv9k image file from Cisco (nxosv-final.7.0.3.I5.1.qcow2). Please note that you must have a service contract with Cisco in order to download it. No, I can’t provide the image for you.
  2. Copy the image to eve
    • change the file name to ‘hda.qcow2’
    • copy the source file to ‘/opt/unetlab/addons/qemu/nxosv9k-7.0.3.I5.1’
    • run ‘/opt/unetlab/wrappers/unl_wrapper -a fixpermissions’
  3. Add a new node of Cisco NX-OSv 9k
    • Console: ‘telnet’
  4. Start the node
    • This step needs your patience, because the terminal shows a blank screen for a while (about 15 – 20 seconds). The boot process takes minutes.
    • It prompts you: Abort Auto Provisioning and continue with normal setup ?(yes/no)[n]: y
  5. Done (screenshot)

The advantage of eve is that it has already improved Qemu with UEFI support for the Cisco Nexus9Kv.

More info:

Try ansible on Windows

Background:

Here is the environment for NetBrain performance testing:

1 Windows server for the License/Workspace server

5 Windows servers for Network Servers

5 Windows servers for Automation Servers

It really took us a lot of time to deploy our product and collect logs on these servers.

My colleague wrote a client-server application and tried to do these things automatically with it. The application indeed works for log collection, but not for product deployment: because the server end runs as a service, it fails to launch the InstallShield wizard, so it doesn’t support the product installation.

At the same time, I read an article comparing the deployment management tools Puppet, Chef and Ansible, so I decided to try Ansible.

Note:

Ray Zhao shared with me his experience of how he used Puppet in an OpenStack lab.

Brian Jin told me LinkedIn is using Ansible.

Deploy Ansible

Ansible’s documentation is very easy to read and understand.

1 Install Ansible on Ubuntu

$ sudo apt-get install software-properties-common
$ sudo apt-add-repository ppa:ansible/ansible
$ sudo apt-get update
$ sudo apt-get install ansible

For Windows management, pywinrm is required. The official instruction is:

pip install "pywinrm>=0.1.1"

Pay attention to the pywinrm version, because I hit this issue: https://github.com/ansible/ansible/issues/15973  Error Accessing Windows Machine: “ssl: ‘Session’ object has no attribute ‘merge_environment_settings’”

I installed pywinrm with the command:

pip install pywinrm==0.1.1

Note: Currently, Ansible doesn’t support Python 3.

 

Windows System Prep

I chose Windows Server 2012 R2 to keep the Windows environment preparation simple. I just ran Ansible’s PowerShell script for WinRM setup and made sure port 5986 is open (screenshot).

Note:

For the PowerShell security issue:

File ConfigureRemotingForAnsible.ps1 cannot be loaded because running scripts is disabled on this system. For more
information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
 + CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecord
 Exception
 + FullyQualifiedErrorId : UnauthorizedAccess

Start Windows PowerShell with the “Run as Administrator” option. Only members of the Administrators group on the computer can change the execution policy.

Enable running unsigned scripts by entering:

set-executionpolicy remotesigned

This will allow running unsigned scripts that you write on your local computer and signed scripts from the Internet.

 

Ansible Inventory

Create my hosts file with the command:

vi /etc/ansible/hosts

Following the samples, add one server for testing:

[windows]
10.10.6.12 ansible_user="user_name" ansible_password="password" ansible_port="5986" ansible_connection="winrm"

Note: I also tried configuring the username/password via group vars with the command:

vi /etc/ansible/group_vars/windows.yml
# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml

ansible_user: user_name
ansible_password: password
ansible_port: 5986
ansible_connection: winrm
# The following is necessary for Python 2.7.9+ (or any older Python that has backported SSLContext, eg, Python 2.7.5 on RHEL7) when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore
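As an added example (not from this post and not part of Ansible), here is a small Python linter for the inventory and group_vars files shown above. It flags a plaintext ansible_password (the group_vars comment above already suggests ansible-vault for these), ansible_winrm_server_cert_validation: ignore, and a WinRM connection that is not on port 5986 (the HTTPS listener that ConfigureRemotingForAnsible sets up). The INI and flat-YAML parsing is minimal and written here for the example; the sample file contents are constructed.

```python
"""Lint an Ansible inventory and group_vars for risky Windows/WinRM settings.

Added example for this post; not part of Ansible. Sample data is constructed
inline (same shape as the files in the post) so the script runs offline.
"""
import re

# Constructed sample inventory and group_vars (values are made up).
SAMPLE_INVENTORY = """\
[windows]
10.10.6.12 ansible_user="user_name" ansible_password="password" ansible_port="5986" ansible_connection="winrm"
10.10.6.13 ansible_user="user_name" ansible_port="5985" ansible_connection="winrm"
"""

SAMPLE_GROUP_VARS = """\
ansible_user: user_name
ansible_password: password
ansible_port: 5986
ansible_connection: winrm
# self-signed WinRM certificate in the lab
ansible_winrm_server_cert_validation: ignore
"""

# key=value pairs on an inventory host line; values may be "quoted", 'quoted' or bare
KV_RE = re.compile(r'''(\w+)=("([^"]*)"|'([^']*)'|(\S+))''')


def parse_inventory(text):
    """Return {host: {var: value}} for a minimal INI inventory (group headers ignored)."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        parts = line.split(None, 1)
        host, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        host_vars = {}
        for m in KV_RE.finditer(rest):
            host_vars[m.group(1)] = m.group(3) or m.group(4) or m.group(5) or ""
        hosts[host] = host_vars
    return hosts


def parse_simple_yaml(text):
    """Parse flat 'key: value' YAML, which is all a group_vars file like the one above needs."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip().strip("'\"")
    return out


def is_vaulted(value):
    """True if the value is an inline ansible-vault blob rather than plaintext."""
    return value.startswith("$ANSIBLE_VAULT;")


def lint_vars(scope, var_set):
    """Return (scope, finding) tuples for one host's or group's variables."""
    findings = []
    password = var_set.get("ansible_password")
    if password is not None and not is_vaulted(password):
        findings.append((scope, "plaintext ansible_password (use ansible-vault)"))
    if var_set.get("ansible_winrm_server_cert_validation", "").lower() == "ignore":
        findings.append((scope, "WinRM server certificate validation disabled"))
    if var_set.get("ansible_connection") == "winrm" and var_set.get("ansible_port", "5986") != "5986":
        findings.append((scope, "WinRM on port %s (5986 is the HTTPS listener)" % var_set["ansible_port"]))
    return findings


def lint(inventory_text, group_vars_text):
    """Lint every host in the inventory plus the windows group_vars file."""
    findings = []
    for host, host_vars in parse_inventory(inventory_text).items():
        findings.extend(lint_vars(host, host_vars))
    findings.extend(lint_vars("group_vars/windows.yml", parse_simple_yaml(group_vars_text)))
    return findings


if __name__ == "__main__":
    for scope, message in lint(SAMPLE_INVENTORY, SAMPLE_GROUP_VARS):
        print("%s: %s" % (scope, message))
```

Run against real files by reading them into `lint()` instead of the constructed samples; a vaulted password (a value starting with `$ANSIBLE_VAULT;`) is accepted without a finding.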

Test

ansible windows -m win_ping 

Playbook

Create a playbook with the command:

vi /etc/ansible/playbook.yml

Enter the content:

- name: test raw module
  hosts: windows
  tasks:
    - name: run ipconfig
      # query session for RDP session
      raw: CMD /C "PSExec.exe \\127.0.0.1 -u user_name -p password -d -i 1 c:\Automation\Install\InstallLatestBuildWith1WS_AllInOneClick.bat"
      register: ipconfig
    - debug: var=ipconfig

 

Ansible has the same behavior as my colleague’s application: the InstallShield wizard window does not pop up when I call it via ‘raw: CMD /C’, even though it created a new process to run the command.

Refer to the articles:

PowerShell – Using psexec to automate UI tasks on remote machines

PsExec2.11 // details about PsExec parameters

Query Session // command to figure out the ID of the Remote Desktop session referenced by the PsExec parameter -i

I updated the raw command and it works.

Conclusion

PsExec should be the solution for both Ansible and my colleague’s application, which execute a command from a background service to call a GUI application.

 

Add Comment #1:

I found that there is an option “Local System account -> Allow service to interact with desktop” in the service properties (screenshot).

It failed to launch the Windows RM service with this option enabled (screenshot).

 

Adding Realtek 8139 Driver to ESXi 6

Note: This is not an official guide. Back up your data before you apply the driver.

My PC has two NICs:

  1. Intel I217-LM
  2. Realtek RTL-8139

and #2, the Realtek 8139, is not supported by VMware.

There are some guides about customizing the ESXi installation ISO to support the NIC; I’m trying to find a way to apply the driver without reinstalling ESXi.

Here is a page: https://vibsdepot.v-front.de/wiki/index.php/List_of_currently_available_ESXi_packages which contains many NIC drivers. I downloaded the offline bundle driver for the Realtek 8139.

Follow the instructions: http://www.vladan.fr/patch-esxi-5-5-to-esxi-6-0/ to upload the offline bundle to the ESXi host and put the ESXi host into maintenance mode.

SSH to ESXi and apply the driver with the command:

esxcli software vib install -d "/vmfs/volumes/storage name/net-r8139too-0.9.28-1-offline_bundle.zip" --no-sig-check

It prompted me:

VIB Realtek_bootbank_net-r8139too_0.9.28-1’s acceptance level is community, which is not compliant with the ImageProfile acceptance level partner
To change the host acceptance level, use the ‘esxcli software acceptance set’ command.

 

Change the Host Acceptance Level

Follow the instructions to update the host acceptance level: https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.install.doc%2FGUID-6A3AD878-5DE9-4C38-AC86-78CAEED0F710.html (the CommunitySupported level admits VIBs that are not signed by VMware or a partner, which is why the bundle was rejected at the partner level)

Command:

esxcli software acceptance set --level=CommunitySupported

Apply the driver again:

esxcli software vib install -d "/vmfs/volumes/storage name/net-r8139too-0.9.28-1-offline_bundle.zip" --no-sig-check
Installation Result
Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
Reboot Required: true
VIBs Installed: Realtek_bootbank_net-r8139too_0.9.28-1
VIBs Removed:
VIBs Skipped:

 

 

Reboot the ESXi host and exit maintenance mode.

The NIC is recognized by VMware now (screenshot).

New To Oracle DB

Oracle Database XE 11.2 on Windows 2008 64 bit

  1. Run the imp or impdp command in the Windows command line, not in the SQL command line.

  2. It failed to import the dmp file with the imp command; impdp works.

  • Issue: ORA-01918: user does not exist

Create the user manually following the instructions.

  • ORA-00959: tablespace does not exist

Create the tablespace following the instructions.

Be careful about ORA-12953: The request exceeds the maximum allowed database size of 11 GB

  • ORA-01950: no privileges on tablespace

Grant the permission following the instructions.

Note: Assign the privilege to the database owner.

Difference of SNMP get route entry[forward-MIB] between Cisco and Juniper

On Cisco devices, the routing table is retrieved by SNMP walking the 1.3.6.1.2.1.4.21 (route table) node.

On Juniper devices, routes are retrieved by SNMP walking the 1.3.6.1.2.1.4.24 (IP-FORWARD-MIB) node.
Later I encountered a Cisco 7609 (IOS 12.0) and a 3560 running Cisco IOS 15.2 where retrieving routes via 1.3.6.1.2.1.4.21 failed while an SNMP walk of 1.3.6.1.2.1.4.24 succeeded; however, the Juniper-style single-entry SNMP Get using 1.3.6.1.2.1.4.24.1 + network address (as index) failed. After repeated attempts I found that for a Cisco SNMP Get of a route entry, the device only returns a value when 1.3.6.1.2.1.4.24.1 + network address + netmask is used.
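As an added example (not from this post, and not vendor or pysnmp code), the following Python models the two index layouts described above: a route entry addressed by destination only (the Juniper-style GET) and by destination plus netmask (the layout that answered on the Cisco boxes). It builds the instance OID for either style, decodes OIDs returned by a walk back into (destination, mask), and shows the collector fallback of trying the destination-only index first and then destination + mask. The base OIDs are the ones named in the post; the SNMP agent is simulated with a dict so the script runs offline, and the next-hop values are constructed.

```python
"""Route-entry OID handling for the two index layouts described in the post.

Added example; not vendor code. The agent is a dict standing in for SNMP GET,
and all route values below are constructed, not captured from a device.
"""
IP_ROUTE_TABLE = "1.3.6.1.2.1.4.21"        # walked on Cisco in the post
IP_FORWARD_MIB = "1.3.6.1.2.1.4.24"        # walked on Juniper in the post
ROUTE_ENTRY_BASE = IP_FORWARD_MIB + ".1"   # prefix used in the post's single-entry GETs


def _ipv4_subids(addr):
    """Validate a dotted IPv4 string and return it normalised (each octet 0-255)."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("not a dotted IPv4 address: %r" % addr)
    return ".".join(str(int(p)) for p in parts)


def route_get_oid(network, netmask=None, base=ROUTE_ENTRY_BASE):
    """Instance OID for one route: base + destination, plus the mask if given."""
    oid = base + "." + _ipv4_subids(network)
    if netmask is not None:
        oid += "." + _ipv4_subids(netmask)
    return oid


def decode_route_index(oid, base=ROUTE_ENTRY_BASE):
    """Split a walked OID into (destination, netmask-or-None).

    Four sub-identifiers after the base is a destination-only index, eight is
    destination + mask; any other length is rejected rather than guessed, so a
    collector notices an index layout it was not written for.
    """
    prefix = base + "."
    if not oid.startswith(prefix):
        raise ValueError("%s is not under %s" % (oid, base))
    subids = oid[len(prefix):].split(".")
    if len(subids) == 4:
        return ".".join(subids), None
    if len(subids) == 8:
        return ".".join(subids[:4]), ".".join(subids[4:])
    raise ValueError("unexpected index length %d in %s" % (len(subids), oid))


def snmp_get(agent, oid):
    """Stand-in for an SNMP GET against a simulated agent ({oid: value}).
    A missing instance returns None, like noSuchInstance from a real agent."""
    return agent.get(oid)


def get_route_entry(agent, network, netmask, base=ROUTE_ENTRY_BASE):
    """Fetch one route, trying the destination-only index first and falling
    back to destination + mask. Returns (value, index_style) or (None, None)."""
    attempts = (("dest", route_get_oid(network, None, base)),
                ("dest+mask", route_get_oid(network, netmask, base)))
    for style, oid in attempts:
        value = snmp_get(agent, oid)
        if value is not None:
            return value, style
    return None, None


# Constructed simulated agents: the same route under the two index layouts.
JUNIPER_LIKE_AGENT = {route_get_oid("10.0.0.0"): "192.168.1.1"}
CISCO_LIKE_AGENT = {route_get_oid("10.0.0.0", "255.0.0.0"): "192.168.1.1"}

if __name__ == "__main__":
    for name, agent in (("juniper-like", JUNIPER_LIKE_AGENT), ("cisco-like", CISCO_LIKE_AGENT)):
        print(name, get_route_entry(agent, "10.0.0.0", "255.0.0.0"))
```

Against a real device, `snmp_get` would be replaced by the collector's SNMP GET; the fallback order keeps the cheaper destination-only query first and only appends the mask when the agent reports no such instance.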