Syed Jahanzaib Personal Blog to Share Knowledge !

December 16, 2019

TACACS+ Cisco centralized authentication server

Filed under: Cisco Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 3:29 PM

tacacs plus server.png

Disclaimer:

My humble request, Kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. When you are enslaved by private job & working as one man army, you have to perform many task in which you are not formally trained for. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others


TACACS+

Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe) refers to a authentication / authorization related services for cisco switches/routers/firewalls access control through a centralized server. With the help of Tacacs+ you can set up a much more granular level access for the users, groups, subnets or device type etc. Example which user can issue which commands on switches etc.

 

central auth server.jpeg

 

Hardware Software Components used in this guide:

In this post I have used

  • Ubuntu 18 server edition for TACACS+ deployment / IP: 101.11.11.254
  • Cisco WS-C3850-24T switch / IOS Version 16.3.9 [Denali]

Quick Notes:

TACACS Server installation

apt-get -y install tacacs+

Once the installation is done , we will modify or add the tacacs+ server default config file to to suite our needs. On default installation, the configuration file is found here /etc/tacacs+/tac_plus.conf

nano /etc/tacacs+/tac_plus.conf

Remove existing configuration, and use below sample config, make sure to change the KEY, id pass as required

# Key is like password or shared secret, make sure to make it strong

key = testing123
accounting file = /var/log/tacplus.log
#default authentication = file /etc/passwd
group = admins {
default service = permit
service = exec {
priv-lvl = 15
}
}

# For support group, we are allowing only specific sets of CMD only
group = support {
default service = deny
service = shell {
priv-lvl = 15
}
cmd = show {
permit version.*
permit clock.*
permit interface.*
permit running-config.*
permit logging.*
}
cmd = configure {
permit .*
}
cmd = interface {
permit .*
}
cmd = vlan {
permit .*
}
cmd = switchport {
permit .*
}
cmd = write {
permit .*
}
}

#Create local user here
user = admin {
login = cleartext admin123
name = "Admin Group"
member = admins
}
user = support {
login = cleartext support123
name = "Network Support"
member = support
}<span style="color:var(--color-text);">


 

& if all configuration is OK , you should get something like below …

 * Checking TACACS+ authentication daemon configuration files successful tacacs+

Restart tacacs+ service

/etc/init.d/tacacs_plus restart

Next up we will make changes to the Cisco switch ,
in this example am using a Cisco switch WS-C3850-24T and the one working configuration look like this:

Note: This is just basic example. It may be not well tuned insecure too but for test it will work fine.


Switch configuration

enable
conf t

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization commands 1 support group tacacs+ local
aaa authorization commands 15 admins group tacacs+ local
aaa accounting commands 1 support-act1 start-stop group tacacs+
aaa accounting commands 15 admins-act15 start-stop group tacacs+
login on-success log

# change tacacs IP address / KEY as per your local network
tacacs-server host 101.11.11.254
tacacs-server key 0 testing123

!
line con 0
exec-timeout 35791 0
privilege level 15
stopbits 1
line aux 0
no exec
stopbits 1
line vty 0 3
privilege level 15
authorization commands 1 support
authorization commands 15 admins
accounting commands 1 support-act1
accounting commands 15 admins-act15
length 0
transport input ssh
line vty 4
exec-timeout 35791 0
privilege level 15
authorization commands 1 support
authorization commands 15 admins
length 0
transport input ssh
line vty 5 15
length 0
!

do wr

Done.

Now try to login to switch with support account & execute try to permitted / non-permitted commands.

Result for SUPPORT ACCOUNT

login as: support
Using keyboard-interactive authentication.
Password:

spare-sw#ping 101.11.11.254
Command authorization failed.

spare-sw#show clock
*10:24:07.527 UTC Mon Dec 16 2019

spare-sw#sh inter
spare-sw#sh interfaces status

Port Name Status Vlan Duplex Speed Type
Gi1/0/1 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/2 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/3 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/4 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/5 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/6 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/7 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/8 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/9 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/10 notconnect 1 auto auto 10/100/1000BaseTX
Gi1/0/11 notconnect 1 auto auto 10/100/1000BaseTX

spare-sw#

 



Regard’s
Syed Jahanzaib

December 13, 2019

Mikrotik – Packet Chain Topology

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 9:36 AM

 


Firewall Mangle

Firewall mangle is used to mark IP packet. These marks are used by other router facilities like routing, firewall filter and bandwidth management to identified the packets. Moreover it also used to modify some fields in the IP header, like TOS (DSCP) and TTL fields. There are 5 default chain in firewall mangle.

INPUT

Packet that come into router will check with input chain. It is used to process packets entering the router. For example If we want to filter packet that telnet or ssh to router we need to use input chain in firewall filter.– Used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router addresses. Chain input is useful for limiting the configuration access to Mikrotik Router.
or
– The connection that occurs from local to router and ends in router
example: use of the internal proxy (internal proxy right in the router)

PREROUTING

Prerouting is looked at before the router makes a routing decision. It’s happen before input chain. The packet that forward passthrough the router will match prerouting first.Pre-routing means that the connection will enter the router (no matter from where / depends on the settings mangle in interface later) . this connection will be in the process inside the router, can the process of bending to the external proxy, can filtering port, can anything, anyway there is a process, prerouting it marks the connection before the process occurs.

FORWARD

After prerouting, packet that passthrough router will process by forward chain. Used to process packets passing through the router. Example we want to block users to open facebook. We will use firewall forward chain to do it.– Used to process data packets through routers, connections that occur from the public to local
or
– The connection that occurs from local to public
with the provision that there is no process inside the router, it means that the connection is direct and only passing in the router does not happen a process inside the router.

POSTROUTING

Postrouting is a connection that will exit the router after a process occurs inside the router. It’s happen after forward. Postrouting is looked at after the router makes a routing decision.

OUTPUT

OUTPUT is used to process packets that originated from the router. Normally we rarely use this chain. Example we ping from router to Internet that’s output traffic.

or to process data packets originating from the router and left through one of the interfaces, connections that occur from the router to the public. It is used to process packets that originated from the router

============================================================================

Firewall Filter

Most of the time we use it for filter traffic simply say to protect our network from unauthorized user or bad guy. There are three default chain in firewall filter. It’s input, output and forward.

 

Does it matter where you mark?

Yes, because sometimes you might overmark and sometimes you might undermark. Choose the right place for the right classification/marking

 

December 10, 2019

Short notes for UNBOUND Caching DNS Server under Ubuntu 18

Filed under: Linux Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 12:05 PM

unbound.PNG

Installation of UNBOUND dns server for local network is fairly simple but I encountered some hurdles setting it up with Ubuntu 18 therefore I took notes on how I resolved it in this post for reference purposes.

After fresh installation of Ubuntu 18, It’a a good idea to keep your system TIME with any NTP source.

apt-get -y install ntp ntpdate
# Change timezone as per your local
cp /usr/share/zoneinfo/Asia/Karachi /etc/localtime
sudo /etc/init.d/ntp restart

Install UNBOUND DNS Server

Step#1

apt-get install -y unbound

Step#2

#Additional notes for Ubuntu 18 version

The problem with Ubuntu 18.04 is the systemd-resolved service which is listening on port 53 and therefore conflicts with unbound service

Edit the file /etc/systemd/resolved.conf

nano /etc/systemd/resolved.conf 

& modify this

DNSStubListener=no

Now reboot

shutdown -r now

You can now confirm if 53 port is now free up

netstat -tulpn | grep :53

Step#3

Some housekeeping stuff

sudo service systemd-resolved stop
sudo rm -f /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo service systemd-resolved start

Step#4

Edit the existing UNBOUND configuration file for customization…

nano /etc/unbound/unbound.conf

Example of unbound.conf

# Unbound configuration file for Debian.
server:
# Use the root servers key for DNSSEC
#auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Enable logs
chroot: ""
#verbosity (log level from 0 to 4, 4 is debug)
#verbosity: 1
#logfile: /var/log/unbound/unbound.log
#log-queries: yes
#use-syslog: (do not write logs in syslog file in ubuntu /var/log/syslog -zaib)
use-syslog: no
#interface (interfaces on which Unbound will be launched and requests will be listened to)
# Respond to DNS requests on all interfaces
interface: 0.0.0.0
# DNS request port, IP and protocol
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes

# Authorized IPs to access the DNS Server / access-control (determines whose requests are allowed to be processed)
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/16 allow
access-control: 101.0.0.0/8 allow

# Root servers information (To download here: ftp://ftp.internic.net/domain/named.cache)
#root-hints: "/var/lib/unbound/root.hints"

# Hide DNS Server info
hide-identity: yes
hide-version: yes

# Improve the security of your DNS Server (Limit DNS Fraud and use DNSSEC)
harden-glue: yes
harden-dnssec-stripped: yes

# Rewrite URLs written in CAPS
use-caps-for-id: yes

# TTL Min (Seconds, I set it to 7 days)
cache-min-ttl: 604800
# TTL Max (Seconds, I set it to 14 days)
cache-max-ttl: 1209600
# Enable the prefetch
prefetch: yes

# Number of maximum threads CORES to use / zaib
num-threads: 4

### Tweaks and optimizations
# Number of slabs to use (Must be a multiple of num-threads value)
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# Cache and buffer size (in mb)
rrset-cache-size: 51m
msg-cache-size: 25m
so-rcvbuf: 1m

# Make sure your DNS Server treat your local network requests
#private-address: 101.0.0.0/8

# Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
unwanted-reply-threshold: 10000

# Authorize or not the localhost requests
do-not-query-localhost: no

# Use the root.key file for DNSSEC
#auto-trust-anchor-file: "/var/lib/unbound/root.key"
val-clean-additional: yes
include: "/etc/unbound/unbound.conf.d/*.conf"

Example of /etc/unbound/myrecords.conf

You can use this file to add your custom records as well.

Create new file at

nano /etc/unbound/myrecords.conf
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 127.0.0.1"
local-zone: "googlesyndication.com" redirect
local-data: "googlesyndication.com A 127.0.0.1"
local-zone: "googleadservices.com" redirect
local-data: "googleadservices.com A 127.0.0.1"
local-zone: "google-analytics.com" redirect
local-data: "google-analytics.com A 127.0.0.1"
local-zone: "ads.youtube.com" redirect
local-data: "ads.youtube.com A 127.0.0.1"
local-zone: "adserver.yahoo.com" redirect
local-data: "adserver.yahoo.com A 127.0.0.1"
local-zone: "1.com" redirect
local-data: "1.com A 0.0.0.0"
local-data: "zaib.com A 1.2.3.4"
local-data: "zaib2.com A 1.2.3.4"

Once all done, restart the unbound service by

service unbound restart
OR
service unbound reload

Test if UNBOUND service is started successfully.

service unbound status

Result:

â unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-12-10 12:28:59 PKT; 2s ago
Docs: man:unbound(8)
Process: 1588 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Process: 1576 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
Main PID: 1610 (unbound)
Tasks: 4 (limit: 2290)
CGroup: /system.slice/unbound.service
ââ1610 /usr/sbin/unbound -d

Dec 10 12:28:58 u18 systemd[1]: Starting Unbound DNS server...
Dec 10 12:28:59 u18 package-helper[1588]: /var/lib/unbound/root.key has content
Dec 10 12:28:59 u18 package-helper[1588]: success: the anchor is ok
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 0: subnet
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 1: validator
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 2: iterator
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] info: start of service (unbound 1.6.7).
Dec 10 12:28:59 u18 systemd[1]: Started Unbound DNS server.

Test if DNS server is responding to DNS queries

dig @127.0.0.1 bbc.com

1st Result: [check the Query time]

;  DiG 9.11.3-1ubuntu1.11-Ubuntu  @127.0.0.1 bbc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16313
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.com. IN A

;; ANSWER SECTION:
bbc.com. 86400 IN A 151.101.192.81
bbc.com. 86400 IN A 151.101.128.81
bbc.com. 86400 IN A 151.101.0.81
bbc.com. 86400 IN A 151.101.64.81

;; Query time: 971 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 10 07:04:21 UTC 2019
;; MSG SIZE rcvd: 100

2nd Result: [check the Query time]

root@u18:/etc/unbound/unbound.conf.d# dig @127.0.0.1 bbc.com

;  DiG 9.11.3-1ubuntu1.11-Ubuntu  @127.0.0.1 bbc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14171
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.com. IN A

;; ANSWER SECTION:
bbc.com. 86398 IN A 151.101.192.81
bbc.com. 86398 IN A 151.101.128.81
bbc.com. 86398 IN A 151.101.0.81
bbc.com. 86398 IN A 151.101.64.81

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 10 07:04:23 UTC 2019
;; MSG SIZE rcvd: 100

See the difference between 1st & second response which shows that cache is working

 


Enabling LOG File [recommended for troubleshoot purposes only]

Create a Log file and assign rights to write logs:

mkdir /var/log/unbound
touch /var/log/unbound/unbound.log
chmod -R 777  /var/log/unbound/

Now enable it in the unbound config file. I have commented it in the configuration file.

An example of viewing logs:

sudo tail -f /var/log/unbound/unbound.log
sudo tail -f /var/log/syslog

UNBOUND.LOG

[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: response for bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: reply from  193.0.14.129#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:3] info: validate(nxdomain): sec_status_secure
[1575963664] unbound[1962:3] info: validation success bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: response for bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: reply from  199.7.83.42#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:3] info: validate(nxdomain): sec_status_secure
[1575963664] unbound[1962:3] info: validation success bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:1] info: 101.11.11.161 bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. DS IN
[1575963664] unbound[1962:1] info: NSEC3s for the referral proved no DS.
[1575963664] unbound[1962:1] info: Verified that unsigned response is INSECURE
[1575963672] unbound[1962:0] info: 101.11.11.161 bbc.com. AAAA IN

Example of cache export and import:

unbound-control dump_cache > backup
unbound-control load_cache < backup

#Clear one site from cache

unbound-control flush_zone google.com

# View cached DNS contents or count

unbound-control dump_cache
unbound-control dump_cache | wc -l

Regard’s
Syed Jahanzaib

December 5, 2019

Intervlan Routing with Mikrotik DHCP Option 121 & 249

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 12:18 PM

network.jpg

Disclaimer! This is important!

My humble request is that kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. When you are enslaved by private job & working as one man army, you have to perform many task in which you are not formally trained for. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others


This post is a sequel of Prevent Mikrotik from Chocking with Cisco Inter-Vlan Routing

If you are running mikrotik DHCP along with VLAN, & you want to get benefits of intervlan routing to avoid local traffic (same network but different subnets/vlans) hitting mikrotik by routing local resource requests through switch level directly. There are 2 options to sort this issue. Either provide the static routes for each vlan which becomes useless if you are using pppoe because as soon as client connected with pppoe, it will get preference over your existing default gateway thus all traffic even the local one will be passing via mikrotik resulting in excessive usage of mikrotik resources. This was discussed in details here.

Far better solution is to avoid providing any default routes to DHCP users but assign them CLASSLESS ROUTES for local resources via your DHCP options, either via Cisco or Mikrotik DHCP server. A classless route adds specified route in clients routing table

In this post we will discuss only about Mikrotik DHCP option 121/249.

  • 121 – Generally used for devices / Linux / Mikrotik etc. Option 121 is a RFC3442 *standard*.However, note that DHCP Option 121 is ignored by DHCP clients prior to Windows Vista. O
  • 249 – It is the pre-standard Microsoft implemented option for Classless Static Routes (CSRs). It was eventually standardized as option 121. I think 249 is for microsoft only.

Personnel Note: Don’t use both.  I think this causes routes to be ignored. If you need to support both older and newer OS, use the option 249.

Scenario:

We assume you have working DHCP for each vlan under Mikrotik.

  • Mikrotik interface VLAN-x IP : 192.168.100.1/24
  • Cisco switch Vlan-x IP : 192.168.100.2/24
  • Mikrotik DHCP assignment for VLAN-x: 192.168.100.10 – 192.168.100.255 [no dns, no gateway]
  • Local sharing servers: We have some sharing servers on different subnet on local switch port: 101.0.0.0/8

Now what we want is that our DHCP LAN client 192.168.100.0/24 can access 101.0.0.0/8 via switch intervlan routing directly [via switch vlan port 192.168.100.2]. To achieve this we will assign stateless routes using DHCP options.

Side Note: It strikes me that you have to use classful routes in the Classless Static Routes DHCP Option for older version of windows like XP/2000.


Step # 1

To transfer classless routes to the Mikrotik DHCP server, the option with code 121/249 is used First we need to convert IP to hexadecimal HEX code. If you are a beginner you can simply get the ready made code using this site.

https://ip-pro.eu/en/mikrotik_dhcp_option_121_generator

Enter the details as per your local network scheme

For single Subnet:

dhcp option hex code via web site.PNG

For multiple Subnet:

You can add ADD NEW ROW to add multiple subnet and gateways to get combined HEX value . Z

multiple subnet routes in single line.PNG

Or try

https://billing-beta.galaxy.net.pk/public/option121/


Step # 2

Now we got the HEX value & we can use it in mikrotik dhcp option 121-249 .

  • Goto IP / DHCP / OPTIONS / + Add new

dhcp options for 121-249.PNG

Note: Make two entries, one for 121 & second for 249. As shown above !

Step # 3

Now we will add the above option in OPTION SETS , we can include multiple options in the OPTION SETS window

  • Goto IP / DHCP / OPTION SETS / + Add new

dhcp options set 2.PNG

Step # 4

Now goto IP / DHCP / Double Click on required DHCP & under DHCP OPTION SETS, select the option set we created in Step # 4


Testing …

At client end, renew the IP and you will get all the routes you configured in above steps.

For single Subnet entry:

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
101.0.0.0 255.0.0.0 192.168.100.2 192.168.100.254 11 ***************
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.100.0 255.255.255.0 On-link 192.168.100.254 266
192.168.100.254 255.255.255.255 On-link 192.168.100.254 266
192.168.100.255 255.255.255.255 On-link 192.168.100.254 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.100.254 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.100.254 266
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

For Multiple Subnet entry:

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
10.0.0.0 255.0.0.0 192.168.100.1 192.168.100.254 11 ***************
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.10.0 255.255.255.0 192.168.100.1 192.168.100.254 11 ***************
192.168.100.0 255.255.255.0 On-link 192.168.100.254 266
192.168.100.254 255.255.255.255 On-link 192.168.100.254 266
192.168.100.255 255.255.255.255 On-link 192.168.100.254 266
221.132.112.8 255.255.255.255 192.168.100.1 192.168.100.254 11 ***************
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.100.254 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.100.254 266
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Regard’s
Syed Jahanzaib

December 3, 2019

Cisco Switch: Upgrading Firmwares & Recovering from Failed ones !

Filed under: Cisco Related — Tags: , , , , , , , , — Syed Jahanzaib / Pinochio~:) @ 9:56 AM

If it ain’t broke, don’t fix it ! So true 🙂 Z@ib


advise on upgrade of switch fw.PNG


Quick notes for myself: Disclaimer! This is important!

My humble request is that kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. When you are enslaved by private job & working as one man army, you have to perform many task in which you are not formally trained for. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others

Maybe this post will help some other novice like me

Regard’s
Syed Jahanzaib


WS-C3650-48PD

Fortunately this model have nice GUI which supports easy upgrade of firmwares , therefore I used it to upgrade to latest stable build Fuji-16.9.4

365048pdl fw upgrade.PNG


SG300-28PP/SG500-52PP

This model also have nice GUI which supports easy upgrade of firmwares , therefore I used it to upgrade to latest stable build

https://www.cisco.com/c/en/us/support/switches/sg500-52-52-port-gigabit-stackable-managed-switch/model.html#~tab-downloads

sg300-500.PNG


3750X-48T-S

.

WS-C3750E-24TD

OLD version:

WS-C3750E-24TD     12.2(40)SE

3750 fw old.PNG

Steps for Upgrade:

First setup new or use existing TFTP server, download the new firmware from

https://software.cisco.com/download/home/280831016/type/280805680/release/15.0.2-SE11?i=!pp

& copy the firmware file (.BIN format) in TFTP root folder. Now from switch console , copy the file from TFTp into switch FLASH

copy tftp: flash:

It will ask the tftp server IP, and source/destination file name, fill them up as per your local scenario

>Address or name of remote host? <IP_ADDRESS_OF_TFTP_SERVER>
>source filename? <IMAGE_NAME.bin>
>Destination filename? <IMAGE_NAME.bin>
conf t
boot system flash:<IMAGE_NAME.bin>
exit
wr
reload

after this switch will reboot , and new firmware will be overwritten.

New version:

Release 15.0.2-SE11 MD

3750 fw new.PNG

 


WS-C3850-24T

Notes:

With this model, I encountered few issues in upgrading 3850 switch.

  • Gibralter 16.12.1 ED : 3850 / Switch was doing reboot in loop with following error

Kernel panic – not syncing: VFS: Unable to mount root fs on unknown-block(1,0)

  • Fuji 16.9.4 MD : 3850 / Switch Port Orange Light issue

With this upgrade , switch booted but all ports lights runed to amber.

  • Denali 16.3.9 MD : 3850 / Well tested , worked OK

Therefore I reverted back to to Denali-16.3.9 which worked fine & stable.

Steps for Upgrade:

First setup new or use existing TFTP server, download the new firmware from

https://www.cisco.com/c/en/us/support/switches/catalyst-3850-24t-s-switch/model.html#~tab-downloads

>Address or name of remote host? <IP_ADDRESS_OF_TFTP_SERVER>
>source filename? <IMAGE_NAME.bin>
>Destination filename? <IMAGE_NAME.bin>
conf t
software install file flash:cat3k_caa-universalk9.16.03.09.SPA.bin new force verbose

after this switch will ask to reload , do so to apply changes

New version:

16.3.9

3850 new ver.PNG


Recovering from IOS FAILED upgrade on 3850 Switch

after the Gibralter firmware upgrade , 3850 switch wen into reboot loop.

Kernel panic – not syncing: VFS: Unable to mount root fs on unknown-block(1,0)

More infor on this issue mentioned here @ https://community.cisco.com/t5/switching/catalyst-c3850-gibraltar-16-12-1-ed/td-p/3907723

After entering recovery mode , I made the situation worsen by deleting some flash files. This is how I recovered from this situation.

from the switch Management port, connect a cable directly to your laptop/desktop & assign any private IP on the system like 192.168.99.1/24. Install any free TFTP server like SOLARWINDS TFTP Server. copy the stable firmware like DENALI 16.0.3.09 in the tftp root folder.

cat3k_caa-universalk9.16.03.09.SPA.bin

Now using any terminal tool like putty, connected to switch via CONSOLE port, press MODE button while booting & entered RECOVERY mode. & issued following CMD’s

  • flash_init
  • mgmt_init
  • set IP_ADDR 192.168.99.2/255.255.255.0
  • set default_router 192.168.99.1
  • emergency-install tftp://192.168.99.1/cat3k_caa-universalk9.16.03.09.SPA.bin

There was another easy method by connecting USB into usb port of switch, but since switch may not recognize most modern usb’s , therefore I had to take a long route of TFTP.

To read in more details , refere following post

http://blog.unolution.com/networking/how-to-recover-a-cisco-switch-3560x-3750x-from-boot-loader/


Regard’s
Syed Jahanzaib

 

%d bloggers like this: