Archived entries for cisco

blocking certain MAC addresses from joining your Cisco AP

In the hope of finding the energy to revive this blog, a quick post.

If you need to block an abuser who keeps flooding your AP with connection attempts, resulting in multiple RADIUS connections and error messages, you can create a MAC ACL on the AP like this:

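! every IOS ACL ends with an implicit deny, so permit all other MAC addresses explicitly
# access-list 760 deny 0002.725f.93c3 0000.0000.0000
# access-list 760 permit 0000.0000.0000 ffff.ffff.ffff
# dot11 association mac-list 760

where 0002.725f.93c3 is the abuser's MAC address.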

Happy banning,
S.

automatic login to Cisco routers / firewalls

Since many of you are still connecting to your Cisco boxes with the plain ssh/telnet command (typing the password every time), and since Cisco boxes don’t have SSH public key authentication, the tool to use comes from the RANCID (Really Awesome New Cisco confIg Differ) package.

It’s called “clogin”, as in Cisco login script.

It requires all the credentials (protocol / password / enable) to be in the ~/.cloginrc file.

The syntax of the .cloginrc file can be found here.

Usage is simple, just clogin hostname

Besides logging in, it’s very useful for configuring multiple boxes. Let’s say you just need to write the configs of your 5 routers.

clogin -c "write;exit" router1 router2 router3 router4 router5

and Voila !

S.
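
A sample ~/.cloginrc for the clogin setup described above, as an added example that is not from the original post or the RANCID project: host names, user name and passwords are constructed placeholders, and the helper function names are hypothetical. Because the file holds device passwords in plain text, the script creates it with owner-only permissions and checks that it stays that way.

```shell
#!/bin/sh
# Added example: write a sample .cloginrc safely and audit its permissions.
# All hosts, users and passwords below are constructed placeholders.

# Write a sample .cloginrc to the path in $1; never group/world accessible.
write_cloginrc() {
    (
        umask 077    # the file is created as 0600 from the very first byte
        cat > "$1" <<'EOF'
# Entries are matched top to bottom and the first match wins,
# so specific hosts go before wildcards.
add method   router1  {ssh}
add user     router1  {netadmin}
add password router1  {EXAMPLE-vty-pass} {EXAMPLE-enable-pass}

add method   *        {ssh}
add user     *        {netadmin}
add password *        {EXAMPLE-default-pass} {EXAMPLE-default-enable}
EOF
    )
}

# Return 0 only if the file exists and grants nothing to group or others,
# 1 if it is too permissive, 2 if it is missing or cannot be inspected.
cloginrc_is_private() {
    [ -f "$1" ] || return 2
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 2
    case "$mode" in
        ?00) return 0 ;;   # e.g. 600 or 400
        *)   return 1 ;;   # any group/other bit set
    esac
}

# Demo in a scratch directory, so the real ~/.cloginrc is never touched.
demo=$(mktemp -d)
write_cloginrc "$demo/.cloginrc"
if cloginrc_is_private "$demo/.cloginrc"; then
    echo "sample .cloginrc is private"
fi
rm -rf "$demo"
```

Run cloginrc_is_private "$HOME/.cloginrc" from cron or a login script to catch a credentials file that has been copied or restored with looser permissions.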

Cisco ASA failover fails if IPv6 is enabled

I can’t believe it…

Failover on Cisco ASA silently stops working after you enable IPv6 configuration.

We’re used to stupid Cisco bugs, but this one wins it all!

S.

IPv6 over IPv4 tunnel with Mikrotik & Cisco router

The time when a native IPv6 network comes right to your home is still far away, so tunneling IPv6 over IPv4 to some IPv6-enabled site is the way to go.

Configuration is easier than expected and it worked right away. In my case a Cisco 7600 series router sits at the data center, where native IPv6 is established, and a Mikrotik RB450 (a choice for a home router, really powerful and really cheap) sits at home.

One /64 subnet is assigned to the point-to-point tunnel, and a /48 is then routed to it. Yes: in IPv6 a /64 subnet of 18446744073709551616 IPs is used for a point-to-point tunnel (2 IPs).

On the Cisco 7600, the interface (99.99.99.99 is the 7600's public IP and 22.22.22.22 is my home public IP):
interface Tunnel0
description --- test ipv6 in ipv4 tunnel ---
no ip address
ipv6 address 2AAA:BABA:101:1::1/64
tunnel source 99.99.99.99
tunnel destination 22.22.22.22
tunnel mode ipv6ip

and route:
ipv6 route 2AAA:BABA:BEEF::/48 2AAA:BABA:101:1::2

and on Mikrotik:
/interface 6to4 add disabled=no local-address=22.22.22.22 mtu=1280 name=ipv6tunnel remote-address=99.99.99.99
/ipv6 address add address=2AAA:BABA:101:1::2/64 interface=ipv6tunnel
/ipv6 route add disabled=no dst-address=::/0 gateway=ipv6tunnel

And that’s it. You can configure the local interface on the Mikrotik like this:
/ipv6 address add address=2AAA:BABA:BEEF:DEAD::1/64 advertise=yes interface=ether2

Local machines, if properly configured, should receive the advertised IPv6 prefix and configure themselves for IPv6.

That’s for now, more about IPv6 soon ! HaveAnice !!

S.

scripting help for configuring Cisco equipment

Unfortunately, older versions of Cisco's IOS do not know the “interface range” command, which lets you configure several ports at once, so you have to find another way.

Configuring each port by hand takes too long, especially if you have a switch with 48 ports.

You can help yourself with a one-liner (bash), such as this one:

i=1; while [ $i -lt 49 ]; do echo "int fast0/$i"; echo "span portfast"; echo "switchport mode access" ; echo "switchport access vlan 934" ; let i+=1; done;

The code above prints the configuration for each port; you can copy-paste the output into the Cisco switch and save yourself many a minute. Of course, adapt the code to the number of ports and the commands you need.

In any case, this is just a demonstration of a loop (counting) in the command shell, which you can put to good use for many things.

Monday is a day off! 😉



Copyright © 2004–2009. All rights reserved.
