Hot Downloads

×

Notice

The forum is in read only mode.
Welcome, Guest
Username: Password: Remember me

TOPIC: how to start cisco lab

Re: how to start cisco lab 9 years 4 months ago #34241

  • Nevins
  • Nevins's Avatar
  • Offline
  • Expert Member
  • Expert Member
  • Posts: 438
  • Karma: 4
  • Thank you received: 9
jmalacko as far as the IOS's go there are some within cisco's sites that they do not charge for if you create an account.


www.cisco.com/en/US/products/sw/iosswrel...e_category_home.html


I'm honestly not sure what access level you need for it because I use the packet tracer software and actual hardware for the most part which both come with flashes but let me clear up the fact that I wasn't suggesting that the "free" method was to steal the software. I was simply stating that "The only thing with GNS3 is that it does not come with free flashes so you have to find those your self. " and that may be your "cost".

I understand what you mean however there is a cost "metric" if you will in any action weather that be time, effort, money, freedom or some other tangible or intangible asset. I'm just saying that usually when someone refers to something as free they don't include time, effort, freedom(licensing) they generally mean it won't cost you a dime. It's true that you'll run into many situations where the term free is tagged along with "with purchase of" but to be honest thats just crappy marketing.


I appreciate the gesture of good will but personally I have a lab already at my disposal and don't really need such a robust system for my studies at the moment. However I did notice that your schedule lab.ghoudakis.com/schedule/roschedule.php is relatively blank at the moment and I would like to help you out by offering a suggestion: Aside from monthly subscriptions for router access sell hourly time blocks and also create labs for users to work with. You may find that it gets used a bit more.

One thing you may want to look into is writing a reset macro as it seems clear to me that your worried about people messing with configurations:

You agree that you will not allow anyone to damage lab equipment, delete necessary boot images or configuration from flash, or generally anything that would be considered harmful.
You agree that if you are unable to use your reserved time that you will delete your reservation.
You agree that all administrative logins will use "cisco" for a username and/or "cisco" for a password. This way if you don't reset some of your configuration the next user doesn't need to do a password recovery.
You agree that if you change the configuration register you will set it back to 0x2102 before your session ends.
You agree to not change the Frame Relay (FR) configuration unless specifically authorized to do so.
You agree to remove your configuration from both the startup-config and the running-config prior to your session ending.
Routers and Switches - issuing a "configure replace [flash:|disk0:|slot0:]_DO_NOT_DELETE_baseconfig" followed by a "copy running-config startup-config" then reload.
ASA Firewalls - issuing a "copy [flash:|disk0:|slot0:]_DO_NOT_DELETE_bry-defaultonfig startup-config" and then reload.
PIX Firewall - issuing a "configure terminal", "configure factory-default", "write memory", and then reload.

Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html

Re: how to start cisco lab 9 years 4 months ago #34247

Nevins I think you and I are on the same page and I appreciate your feedback and complement (the robust system remark). Thank you. As far as I know when you download IOS images from Cisco using any registered account you agree that you are a licensed user. Do you know of a way to get in contract form that Cisco will grant you the right to use their software without financial compensation. If you do I am eager to learn more. Please don't read any sarcasm as I am quite sincere in understanding how to have an agreement with Cisco that I (or anyone else) may use their software for "free".


The reset macro is a good idea that you suggest but more difficult to implement than you may think. For instance if someone sets an enable password to something that no one else knows then the only way to recover (that I know of) on fixed configuration Catalyst switches for instance is to reboot it while holding down a particular button which is not easily done over the Internet or by a macro that doesn't know the password that a lab user set so it can't elevate its privileges to reset. Maybe you or someone else here has some ideas there. I'm looking at this:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_password_recovery09186a0080094184.shtml


Thanks!

Re: how to start cisco lab 9 years 4 months ago #34251

  • Nevins
  • Nevins's Avatar
  • Offline
  • Expert Member
  • Expert Member
  • Posts: 438
  • Karma: 4
  • Thank you received: 9
Okay so here is the main thing you can't use a reload/reboot if you can't get into enable so your going to need something that can toggle on and off a power switch. I'm not sure what you already have for that aspect but let me know and we can work from there.

I have no problem helping you out with the code it will pretty much look like this using autohotkey(assuming you chose to use that).

[code:1]
Winactivate x //where x is the system that automates remote power shutdown
//Insert code used to power on and off the device here *will differ based on what device software you have*
Winactivate RouterX //where X is the device your working with note that your actually activating a hyperterminal window
Sleep x // where x is the amount of time before you send interrupt to enter rommon
Send {CtrlBreak} //Interrupt sequence (if using usb converters see below)
Sleep x // Where x is the amount of time it takes to go into recovery mode
SEND {raw} O/R 0x2142 //Code to skip password requirement
Send {enter} //return for that code
Winactivate x //where x is the system that automates remote power shutdown
//Insert code used to power on and off the device here *will differ based on what device software you have*
Sleep x // Where x is the amount of time it takes to get to user mode
Send {raw} Enable //Command for privileged mode
Send {enter} //Return
Send {raw} Config t //Command for configuration terminal mode
Send {enter} //Return
//Sequence for removing passwords
Send {raw} no enable secret
Send {enter}
Send {raw} no enable Pasword
Send {enter}
Send {raw} enable password cisco
Send {enter}
Send {raw} Exit
Send {enter}

//Sequence for saving changes and reverting register
Send {raw} Config t //Command for configuration terminal mode
Send {enter} //Return
Send {raw} Config-reg 0x2102
Send {enter}
Send {raw} Exit
Send {enter}
Send {raw} copy run start
Send {enter}
Send {raw} disable
send {enter}



// if using usb/serial converter you may be required to use something other than ctrl+break
//http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a0080174a34.shtml#topic2
[/code:1]


Additional configuration would be required clearly but as you can see by looking at the code it's not rocket science to make these macros.
Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html

Re: how to start cisco lab 9 years 4 months ago #34260

Nevins that's a good start. My point is that someone could be malicious or ignorant and render the system inoperable so I think its reasonable to ask people to take care. There are lots of corner cases. Some examples. You're sample macro isn't doing any type of checking of terminal settings. If the serial port was set to something other than say 9600 baud your macro simply wouldn't work. Another case - someone could delete all the boot images and set the system to stop in rommon which would make your sample macro unable to complete. So if no one did anything malicious and followed some reasonable guidelines resetting the configuration is a one line command "configure replace ..." hardly seems worth automating to me.

I don't want to sound unappreciative of the ideas - I'm just trying to point out that if someone is making Cisco devices available to the public over the internet there lots of things to consider.

My approach to this is to first determine all the possibilities and then develop the software. Pressing a button remotely over the internet for password recovery of a Catalyst switch is certainly doable but at what cost?

I suspect the reason the free public lab is off line here may have something to do with the fact that its becoming too much of a burden to reset the thing and the new improved setup will greatly improve upon that area as well as others.

Again thanks for the feedback.

Re: how to start cisco lab 9 years 4 months ago #34265

  • Nevins
  • Nevins's Avatar
  • Offline
  • Expert Member
  • Expert Member
  • Posts: 438
  • Karma: 4
  • Thank you received: 9
To be completely honest figuring out the code to work around these issues isn't that hard. The hard part is figuring out the types of damages that can be done.


I'm not going to break into the long code right now I'm just going to go into some simple logic modules but clearly define a structure for figuring this sort of issue out.



In the main status module the first thing you want to figure out is what mode you are in. Once you have figured that out you can use that information to get to the mode you want to be in. Your always going to one way or another end up in rommon mode because that is the most basic control center. I suggest instead of waisting time trying to figure out the damage thats been done every time you simply clean slate it each time and rebuild.


So lets have it what are the types of damages that can be done to a router with logical access but no physical access?

Starting a list:

Change Configuration (basic damage fixable with configure replace)
Delete Images
Change Configuration Register Restart in different mode


To be honest I don't know of 1000 things they can do to actually cause damage to a router and would be curious to see the list because I can't imagine it being that long.
Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html

Re: how to start cisco lab 9 years 4 months ago #34271

Another case would be modifying the ROMMON boot image. I know that sounds strange as doesn't ROM mean Read Only Memory? In this case apparently not.

Take a look at http://www.cisco.com/en/US/customer/ts/fn/620/fn62573.html as an example. The ROMMON issue is not isolated to just some particular CFs. You need a certain ROMMON version to support USB drives on a 2800 router for instance.

So I'd add to the list:
Change ROMMON boot to impair booting process


From what I've read the forum founder Chris was saying people were putting more effort into breaking things than learning with respect to the free lab.

I've never really investigated this but its clearly possible to upgrade the ROMMON and there are two banks of memory for this. I'd bet someone could figure out how to erase both banks so the system simply wouldn't boot and that the only way of recovery would be moving that memory module to another device and copying it unto it and moving it back. I don't even know if this particular module is easily moved as it may may soldered on directly to the PCB.

Also the Cisco Catalyst physical button press to recover is non-trivial issue to solve from a software coding perspective as it requires some hardware development.


So from my perspective I'm happy to help people out but I don't want to expose myself to the risk of burning up huge amounts of time. My philosophy is make it inexpensive and that will likely eliminate the malicious users. Obviously the definition of inexpensive is relative. From where I sit the size of lab we're talking about is most useful to a professional who is likely making > US$60,000 (I understand there are exceptions). A catalyst 1900 in my mind is frankly worthless (technologically not financially), as you already pointed out pick one up off of eBay for US$5. So asking someone to pay $1/hr for a lab that includes some luxury items like a network impairment generator is not asking much (in my mind). I bet many people in these forums spend more than that on coffee every day.

I appreciate Nevis well thought out approach to this. So how do we deal with the physical switch issue for a password reset?
Time to create page: 0.117 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup