weblogs.com.pk

Recover BGP password (Juniper JUNOS)

# Get a root shell:

jahil@junos> start shell

% su - root

Password:

jahil@jahil%


# View /var/etc/keyadmin.conf. Each line holds one TCP MD5 (RFC 2385) authentication key, i.e. the BGP authentication-key configured for that peer, stored as a hex encoding of the plaintext key, not as a hash:

jahil@jahil% less /var/etc/keyadmin.conf


tcp 179 0.0.0.0 10.0.0.1 md5 instance default 0x6162636431323334

tcp 179 :: 2001:DB8:1::1 md5 instance default 0x313233717765727479


# Decode the hex string on any system with Perl. The 0x prefix and the trailing newline are stripped first; otherwise each of them decodes to a stray NUL byte:

jahil@jahil:~> perl -e 'print "Hex: "; $_ = <>; chomp; s/^0x//i; print "MD5: "; s/(\w\w)/$1:/g; for (split /:/) { printf "%s", chr(hex($_)) }; print "\n"'

Hex: 0x6162636431323334

MD5: abcd1234


jahil@jahil:~> perl -e 'print "Hex: "; $_ = <>; chomp; s/^0x//i; print "MD5: "; s/(\w\w)/$1:/g; for (split /:/) { printf "%s", chr(hex($_)) }; print "\n"'

Hex: 0x313233717765727479

MD5: 123qwerty
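The same decoding, together with a parser for the file layout shown above, as an added Python example that is not from the original post. It assumes keyadmin.conf lines carry exactly the fields seen in the two lines above (protocol, port, local address, peer address, auth type, the word instance, instance name, hex key); the sample input is constructed from those two lines. Keys are arbitrary bytes, so the decoder only renders them as text when they are printable ASCII and otherwise shows the hex again rather than mangling them.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of /var/etc/keyadmin.conf contents (the two lines from the post).
SAMPLE_KEYADMIN = """\
tcp 179 0.0.0.0 10.0.0.1 md5 instance default 0x6162636431323334
tcp 179 :: 2001:DB8:1::1 md5 instance default 0x313233717765727479
"""

# Assumed field layout: proto port local peer auth "instance" name 0x<hexkey>
LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<port>\d+)\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+"
    r"(?P<auth>\S+)\s+instance\s+(?P<instance>\S+)\s+0x(?P<hex>[0-9a-fA-F]+)\s*$"
)


@dataclass
class KeyEntry:
    proto: str
    port: int
    local: str
    peer: str
    auth: str
    instance: str
    key: bytes  # the raw authentication key, exactly as the router holds it

    def key_text(self) -> str:
        """Render the key as text only if every byte is printable ASCII."""
        if all(0x20 <= b < 0x7F for b in self.key):
            return self.key.decode("ascii")
        return "<non-printable: %s>" % self.key.hex()


def decode_hex_key(text: str) -> bytes:
    """Turn '0x6162...' (or '6162...') into the key bytes, like the Perl one-liner."""
    hexdigits = text[2:] if text.lower().startswith("0x") else text
    if len(hexdigits) % 2:
        raise ValueError("odd-length hex key: %r" % text)
    return bytes.fromhex(hexdigits)


def parse_keyadmin(conf: str) -> List[KeyEntry]:
    """Parse every non-empty, non-comment line; fail loudly on an unexpected layout."""
    entries = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("line %d: unrecognised format: %r" % (lineno, line))
        entries.append(KeyEntry(
            proto=m["proto"], port=int(m["port"]), local=m["local"], peer=m["peer"],
            auth=m["auth"], instance=m["instance"],
            key=decode_hex_key("0x" + m["hex"]),
        ))
    return entries


if __name__ == "__main__":
    for e in parse_keyadmin(SAMPLE_KEYADMIN):
        print(f"{e.proto}/{e.port} peer {e.peer} ({e.auth}, instance {e.instance}): {e.key_text()}")
```

Run it with a copy of the real file (python3 decode.py) after swapping SAMPLE_KEYADMIN for the file contents; the decoded value for each peer is what goes into `authentication-key` on the other side of the session.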


That's it! Note what this means in practice: the keys are stored reversibly, so anyone with a root shell on the Routing Engine can recover every TCP MD5 key on the box. Treat shell and root access accordingly, and if the file may have been exposed, rotate the keys on both peers.

Many thanks to the person who gave me this code and to the person who developed it :)

Posted by jahil | 0 Comments

The beauty of Juniper JUNOS

I'm actually a Cisco/Unix geek, but these days I'm working on some giant Juniper routers. The beauty of the Juniper router operating system (JUNOS) is that it is based on FreeBSD. Upgrading the operating system is one of my favourite things, because I love impressive new features, and I come from a Unix background where this sort of thing is easy. Here is how to write Junos install media onto a USB device.

On next-generation Routing Engines an upgrade from USB media is available; you need at least an RE-A-1000 or RE-A-2000 to upgrade from USB.

Below is the simple manual:

The device name is /dev/rda0 instead of /dev/rad3.
jahil@jahil> start shell

Change to the directory holding the install media file (e.g. /var/tmp/):
jahil@jahil% cd <directory>

Issue the following commands. In the shell a ';' separates commands, so any explanation must not be typed after it on the same line (the shell would try to run a command named "initialize"). Check the target device name twice, since of= overwrites it without asking, and verify the image checksum against the value Juniper publishes before writing it.
jahil@jahil% dd if=/dev/zero of=/dev/rda0 count=20
(zeroes the first 20 blocks of the media)
jahil@jahil% dd if=install-media-9.1R2.4-export of=/dev/rda0 bs=64k
(writes the image)

Finished
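The two dd steps with the checks I would want in front of them, as an added Python example that is not from the original post or from Juniper: it verifies the image against an expected SHA-256 before touching the target, refuses to write to anything that is not a block or character device unless told otherwise, streams the copy in 64 KiB blocks (the dd bs=64k above) and fsyncs before returning. The demo() function is a constructed stand-in that writes a fake image to a temp file playing the part of /dev/rda0, so it runs anywhere; the device name and checksum are assumptions you replace with the real ones.

```python
import hashlib
import os
import stat
import tempfile

CHUNK = 64 * 1024  # same block size as "bs=64k" in the dd command


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_install_media(image: str, device: str, expected_sha256: str,
                        allow_regular_file: bool = False) -> int:
    """Verify the image checksum, then copy it raw onto the device.

    Raises ValueError if the checksum does not match, or if the target is an
    ordinary file rather than a device node (unless allow_regular_file is set,
    which the demo uses to write to a temp file instead of a disk).
    Returns the number of bytes written.
    """
    actual = sha256_of(image)
    if actual.lower() != expected_sha256.lower():
        raise ValueError(f"checksum mismatch for {image}: got {actual}, expected {expected_sha256}")

    mode = os.stat(device).st_mode if os.path.exists(device) else 0
    is_device = stat.S_ISBLK(mode) or stat.S_ISCHR(mode)
    if not is_device and not allow_regular_file:
        raise ValueError(f"{device} is not a block or character device; refusing to overwrite it")

    written = 0
    with open(image, "rb") as src, open(device, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            written += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure everything reached the media before returning
    return written


def demo():
    """Constructed stand-in: a fake image and a temp file instead of /dev/rda0."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "install-media-9.1R2.4-export")
        fake_dev = os.path.join(d, "fake-rda0")
        payload = bytes(range(256)) * 1000  # 256,000 bytes of test data
        with open(image, "wb") as f:
            f.write(payload)
        good = hashlib.sha256(payload).hexdigest()

        n = write_install_media(image, fake_dev, good, allow_regular_file=True)
        copy_matches = sha256_of(fake_dev) == good

        try:  # a wrong published checksum must stop the write before it starts
            write_install_media(image, fake_dev, "00" * 32, allow_regular_file=True)
            bad_checksum_rejected = False
        except ValueError:
            bad_checksum_rejected = True

        try:  # without the override, a plain-file target is refused
            write_install_media(image, fake_dev, good)
            plain_file_rejected = False
        except ValueError:
            plain_file_rejected = True

        return n, copy_matches, bad_checksum_rejected, plain_file_rejected


if __name__ == "__main__":
    print(demo())
```

For the real thing call write_install_media("/var/tmp/install-media-9.1R2.4-export", "/dev/rda0", "<published sha256>") as root; the device check is there precisely so a typo in the device name fails instead of wiping a filesystem image.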

Posted by jahil | 0 Comments

Create a direct shortcut to Network Connections (Windows Vista)

The new Network and Sharing Center in Windows Vista is great for the average Windows user but can be a huge headache for advanced users. When I need to change my network settings I don't want to be forced through an interface designed for non-technical users; I want to go straight to the settings screen and make the change.

I am a big fan of the old Windows XP approach, where I could modify all of the network settings and connect to wireless networks from the Network Connections screen. In Windows Vista the Network Connections screen still exists, but you have to go through the Network and Sharing Center first. Using a handy Explorer trick I discovered while playing with "::" and Explorer class IDs, you can create a shortcut that takes you directly to the Network Connections screen.

  1. Right-click on the desktop and select New, then Shortcut.
  2. In the location box, paste explorer.exe ::{7007ACC7-3202-11D1-AAD2-00805FC1270E} and click Next.
  3. Type Network Connections (or whatever you like) as the name and click Finish.

 

Posted by jahil | 0 Comments

JNCIS-M Certification Cleared


 

So I finally cleared Juniper's JNCIS-M exam today. I hope to finish JNCIP-M within the next 3-4 weeks. Wish me luck :)

Posted by jahil | 2 Comments

Juniper Router On The Stick Configuration (JUNOS)

Router JAHIL is directly connected to a VLAN-capable switch and needs to be configured to talk to AHMIQ on one subnet and NAKAMA on another over the same Fast Ethernet port. The first step in configuring VLANs is to enable VLAN tagging on the physical interface, as shown below:

[edit interfaces fe-0/0/1]
lab@JAHIL# set vlan-tagging

[edit interfaces fe-0/0/1]
lab@JAHIL# show
vlan-tagging;
speed 100m;
link-mode full-duplex;

[edit interfaces fe-0/0/1]
lab@JAHIL#

The next steps are to create the units, assign the units to the appropriate VLAN, and then configure the IP addresses in the units. Since the scenario has VLANs 20 and 30, we can use those numbers for simplicity, but the unit number, as we have discussed, is up to the network administrator. It does make sense, however, to give the unit number some kind of significance for ease of use.

[edit interfaces fe-0/0/1]
lab@JAHIL# set unit 20 vlan-id 20

[edit interfaces fe-0/0/1]
lab@JAHIL# set unit 20 family inet address 1.1.1.1/24

[edit interfaces fe-0/0/1]
lab@JAHIL# set unit 30 vlan-id 30 family inet address 2.2.2.2/24

[edit interfaces fe-0/0/1]
lab@JAHIL# show
vlan-tagging;
speed 100m;
link-mode full-duplex;
unit 20 {
    vlan-id 20;
    family inet {
        address 1.1.1.1/24;
    }
}
unit 30 {
    vlan-id 30;
    family inet {
        address 2.2.2.2/24;
    }
}

[edit interfaces fe-0/0/1]
lab@JAHIL#

fe-0/0/1 now carries two logical units: unit 20 in VLAN 20 with 1.1.1.1/24 and unit 30 in VLAN 30 with 2.2.2.2/24. For this to work, the switch port facing JAHIL must be an 802.1Q trunk carrying VLANs 20 and 30, with AHMIQ in VLAN 20 and NAKAMA in VLAN 30 on that switch.

Posted by jahil | 0 Comments

How to recover the root password on Juniper routers

In the real world you always have a chance of losing a password. The root password can be recovered by booting the router into single-user mode from the console. This needs console (and therefore physical) access and a reboot of the Routing Engine, which is also why console ports, and the racks holding them, have to be physically secured.

• From the console, interrupt the boot routine:

        Hit [Enter] to boot immediately, or any other key for command prompt.
        Booting [kernel] in 9 seconds...
        < Press the space bar at this point >

• Enter single-user mode:

        Type '?' for a list of commands, 'help' for more detailed help.
        ok boot -s

• Enter the shell:

• Mount the virtual file systems (for JUNOS 5.4 and above it is not necessary to mount the jbase package, but the other packages still need to be mounted):

        NOTE: to go to multi-user operation, exit the single-user shell (with ^D)

        # cd /packages
        # ./mount.jbase
        Mounted jbase package on /dev/vn1...
        # ./mount.jkernel
        Mounted jkernel package on /dev/vn2...
        # ./mount.jroute
        Mounted jroute package on /dev/vn3...

• Enter recovery mode:

        # /usr/libexec/ui/recovery-mode

• Enter configuration mode and either delete or change the root authentication password. Current Junos releases refuse to commit a configuration that has no root-authentication statement at all, so setting a new password ("set system root-authentication plain-text-password") is the safer choice; the example below shows the delete:

        root> configure
        Entering configuration mode
        [edit]
        root# delete system root-authentication

• Commit the changes and exit configuration mode:

        [edit]
        root# commit
        commit complete
        [edit]
        root@router# exit
        Exiting configuration mode
        root@router> exit

• Exit recovery mode and enter "y" when prompted to reboot the system:

        Reboot the system? [y/n] y
        Terminated

The system now reboots and the change to root authentication takes effect.

Retrieved from "http://juniper.cluepon.net/index.php/Password_recovery"

 

Posted by jahil | 1 Comments

Goosh.org Unix-like Shell For Google

goosh.org is the unofficial Google shell. This Google interface behaves like a Unix shell:
you type commands and the results are shown on the page.

=> http://goosh.org

Posted by jahil | 0 Comments

Cisco && Magic Question Mark (?)

In Cisco IOS every mode (user mode, privileged mode, the configuration modes and so on) has a built-in help system. The magic question mark (?) works in user mode as well as in the sub-configuration modes.

But what if you want a literal question mark (?) in an interface description or an AS-path regular expression? :)

To write a question mark in IOS you must first enter the escape sequence CTRL-V or ESC-Q; otherwise the IOS parser interprets the question mark as a request for context-sensitive help.

JAHIL#conf t     
Enter configuration commands, one per line.  End with CNTL/Z.
JAHIL(config)#int
JAHIL(config)#interface gi3/0/0
JAHIL(config-if)#des
JAHIL(config-if)#description ?
  LINE  Up to 240 characters describing this interface

JAHIL(config-if)#description

You see, typing ? brings up the help menu. If you really want a ? in the description, press CTRL-V or ESC-Q before it:

JAHIL#conf t     
Enter configuration commands, one per line.  End with CNTL/Z.
JAHIL(config)#int
JAHIL(config)#interface gi3/0/0
JAHIL(config-if)#des
JAHIL(config-if)#description (now press CTRL-V or ESC-Q)
JAHIL(config-if)#description ?IGotIt (oh it worked)

You can use CTRL-V or ESC-Q whenever or wherever it's needed :)

Posted by jahil | 1 Comments

Cisco URL Blocking/Filtering

NBAR can be used to apply application-based filters, such as blocking youtube.com traffic. To accomplish this we classify traffic by the HTTP hostname, create a policy-map that matches the YOUTUBE class and drops the traffic, and finally apply the policy outbound towards the Internet. Syntax-wise this reads:

JAHIL-Router#
class-map match-all YOUTUBE
 match protocol http host "*youtube.com*"
!
policy-map DROP_YOUTUBE
 class YOUTUBE
   drop
!
interface FastEthernet0/0
 description TO INTERNET
 service-policy output DROP_YOUTUBE

Two caveats: the host match inspects the Host header of cleartext HTTP only, so it does nothing for HTTPS, where the hostname is carried in the TLS handshake (SNI) and not in an HTTP header this match looks at; and NBAR classification is done in software, so keep an eye on CPU load on a busy Internet edge.

Posted by jahil | 0 Comments

How to NetFlow with Cisco 6500

This post was written to answer a question asked by Mr Drew.

The NetFlow table on the route processor (RP) captures statistics for flows routed in software and the NetFlow table on the PFC (and on each DFC) captures statistics for flows routed in hardware. In PFC3A mode, NetFlow collects statistics only for routed traffic. With other PFCs, you can configure NetFlow to collect statistics for both routed and bridged traffic.

mls netflow

(Enables NetFlow on the PFC for packets forwarded in hardware.)

mls flow ip interface-full

(interface-full is the most specific flow mask. The PFC creates and maintains a separate table entry for each IP flow on an interface. An interface-full entry includes the source IP address, destination IP address, protocol, and protocol ports.)

interface Vlan5
 description Jahil-Flow-Test

ip route-cache flow

(Enables NetFlow for the specified interface. NetFlow will collect statistics only for packets forwarded in software on the RP.)

ip flow ingress

(Enables NetFlow for the specified interface. NetFlow will collect statistics for packets forwarded in hardware (PFC) or in software (RP).)

no mls flow ipv6

(You can leave IPv6 NetFlow disabled for a couple of years :)

If you want to enable NetFlow for ingress-bridged IP traffic in VLAN 5:

6500# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
6500(config)# ip flow ingress layer2-switched vlan 5

Note:

  • mls netflow captures all traffic that is hardware switched; to make sure you also catch anything that is CPU routed, turn on "ip route-cache flow" on every interface on which flows may arrive inbound.
  • The flow mask determines the granularity of the statistics gathered, which controls the size of the NetFlow table. Less-specific flow masks result in fewer entries in the NetFlow table and the most-specific flow masks result in the most NetFlow entries.
Posted by jahil | 0 Comments

How To Change Windows (Default Gateway/Route)

 

If you are using Windows (2000, XP or Vista) and want to change the default gateway (default route), you can use the command below, where x.x.x.x is the new gateway. Run it from an administrator prompt. Note that route change only modifies a route that already exists; if there is no default route yet, use route add with the same arguments instead.

 c:\> route change 0.0.0.0 mask 0.0.0.0 x.x.x.x -p

(-p makes the route persistent across reboots of the system.)

Posted by jahil | 3 Comments

:) (CCIE) :(


I just finished the Vol 1 Bridging and Switching labs... again. I'm redoing all of the Vol 1 labs, and repeating once more the ones I wasn't able to do without consulting the Doc CD or the lab solutions. My idea is to have absolute mastery of all the technologies covered by Vol 1's labs before moving on to Vol 2.

Volume 1 labs are great for "solidifying" my knowledge of a given technology. Vol 2 labs will surely continue to do this, but I'm hoping that Vol 2's labs will help me understand exactly what I have to configure for a given requirement (specified in plain text).

From what I've read on Groupstudy's CCIE lab list, Cisco has the habit of formulating requirements with subtle indications of what is really intended. So it's not sufficient to master the technology; you also need to understand EXACTLY what Cisco wants you to do on the lab exam.

I've also started to use the Doc CD (actually I'm using the online Doc CD). Since this is going to be the only reference I'll have during the actual lab, I want to know it inside out. From what I've read so far, this is a great resource. My knowledge of those little details that may matter someday has been increasing a lot.
Posted by jahil | 1 Comments

How to identify and reset stuck sessions on Cisco routers

By default a Cisco IOS router has five vty lines, so at most five concurrent remote sessions. Sooner or later you hit a situation where all of them are in use or stuck and you cannot log in. The following may help.

This snmpwalk on a Unix host dumps all TCP connection control blocks (the tcpConnTable from RFC 1213) of the remote router; a read-only community is enough for this step:

jahil$ snmpwalk -v 2c -c your_readwrite_community router 1.3.6.1.2.1.6.13.1.1

 

The output will look somewhat like this:

RFC1213-MIB::tcpConnState.172.16.27.11.23.172.16.27.1.1855 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.16.216.146.11018.172.16.216.145.179 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.16.216.154.20081.172.16.216.153.179 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.16.216.185.646.172.16.216.186.11028 = INTEGER: established(5)

 

Each line of output has the local IP address, then the local TCP port, then the remote IP address and the remote TCP port. You are interested in local ports 22 (SSH) and 23 (Telnet); resetting BGP sessions (port 179) will not get you back into the router. So in this example the first line is the interesting one. In a real case there may be several pages of output to scan. Note that only the part to the left of the '=' matters.

 

Once you have identified the interesting line(s), issue the following command:

jahil$ snmpset -v 2c -c your_readwrite_community router the_abovementioned_line i 12

So in this particular case, the command would be:

jahil$ snmpset -v 2c -c your_readwrite_community router RFC1213-MIB::tcpConnState.172.16.27.11.23.172.16.27.1.1855 i 12

 

The 'i 12' at the end of the line, the deleteTCB(12) state, is what tells the router to tear the session down. The router replies with:

RFC1213-MIB::tcpConnState.172.16.27.11.23.172.16.27.1.1855 = INTEGER: deleteTCB(12)

You should now be able to log into the router. If not, you cleared the wrong session and need to repeat the procedure.

Keep in mind what this relies on: with SNMPv2c the read-write community travels in cleartext, and anyone who captures or guesses it can reset any TCP session on the router (and change a great deal more). Restrict it to management hosts with an access list (snmp-server community <string> RW <acl>) or use SNMPv3 with authentication and privacy. If you have console access, "clear line vty <n>" does the same job without SNMP.
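The identify-and-build step above, as an added Python example that is not part of the original post: it reads snmpwalk output of the kind shown (the constructed sample below is the four lines quoted in the post), splits the tcpConnState index into local/remote address and port, keeps only established sessions on the SSH/Telnet ports, and builds the net-snmp snmpset argument vector with the numeric OID so nothing depends on MIB files being installed. It only prepares the command; sending it, with a community restricted as discussed above, is left to the operator. The host and community names are placeholders.

```python
import re
from typing import List, NamedTuple

# tcpConnState from RFC 1213 (tcpConnTable). Writing deleteTCB(12) to an entry
# tells the agent to abort that connection.
TCP_CONN_STATE_OID = "1.3.6.1.2.1.6.13.1.1"
DELETE_TCB = 12
VTY_PORTS = {22, 23}  # SSH and Telnet: the local ports behind vty sessions

# Constructed sample: the snmpwalk output lines quoted in the post.
SAMPLE_WALK = """\
RFC1213-MIB::tcpConnState.172.16.27.11.23.172.16.27.1.1855 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.16.216.146.11018.172.16.216.145.179 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.16.216.154.20081.172.16.216.153.179 = INTEGER: established(5)
RFC1213-MIB::tcpConnState.172.16.216.185.646.172.16.216.186.11028 = INTEGER: established(5)
"""

# Index layout: local address (4 octets) . local port . remote address (4 octets) . remote port
LINE_RE = re.compile(
    r"tcpConnState\.(\d+\.\d+\.\d+\.\d+)\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\.(\d+)"
    r"\s*=\s*INTEGER:\s*([A-Za-z]+)\((\d+)\)"
)


class TcpConn(NamedTuple):
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str

    def index(self) -> str:
        """The OID index suffix exactly as it appears in the walk."""
        return f"{self.local_addr}.{self.local_port}.{self.remote_addr}.{self.remote_port}"


def parse_walk(text: str) -> List[TcpConn]:
    """Parse snmpwalk output lines; lines that do not look like tcpConnState entries are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            conns.append(TcpConn(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return conns


def stuck_vty_sessions(conns: List[TcpConn]) -> List[TcpConn]:
    """Established sessions terminating on the router's SSH/Telnet ports.

    BGP (179), LDP (646) and other control-plane sessions are deliberately left alone:
    clearing those would cause an outage and still not get you a login."""
    return [c for c in conns if c.local_port in VTY_PORTS and c.state == "established"]


def snmpset_args(conn: TcpConn, host: str, community: str) -> List[str]:
    """Argument vector for net-snmp's snmpset that clears one session.

    The numeric OID is used so the command works without RFC1213-MIB installed."""
    return ["snmpset", "-v", "2c", "-c", community, host,
            f"{TCP_CONN_STATE_OID}.{conn.index()}", "i", str(DELETE_TCB)]


if __name__ == "__main__":
    for conn in stuck_vty_sessions(parse_walk(SAMPLE_WALK)):
        print(f"{conn.remote_addr}:{conn.remote_port} -> vty port {conn.local_port}")
        print(" ".join(snmpset_args(conn, "router", "your_readwrite_community")))
```

Feed it the real walk (python3 stuck.py < walk.txt after replacing SAMPLE_WALK with sys.stdin.read()) and it prints one snmpset per candidate session, so you can see which remote host you are about to disconnect before running anything.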

Posted by jahil | 0 Comments

ARP entries are periodically refreshed if you use CEF switching

Generally there are no adverse side effects from enabling CEF. The main one to watch out for is that certain debugging will not work for packets that are fast switched. I have spent many unhappy hours struggling unsuccessfully to get the information that I wanted before I realized what the problem was.

As it turns out, the router will automatically refresh all ARP entries (and CEF adjacencies) as they expire from the ARP cache. This might become a problem on high-end devices with a lot of directly connected hosts if you set the arp timeout to a low value.
Here is a sample debugging printout verifying this behavior:


 Jun 16 11:34:49: IP ARP: sent req src 192.168.0.1 0016.c7fe.f150,dst 192.168.0.2 000c.293a.b455 FastEthernet0/0/0
 Jun 16 11:34:49: IP ARP: rcvd rep src 192.168.0.2 000c.293a.b455, dst 192.168.0.1 FastEthernet0/0/0
 Jun 16 11:34:49: IP ARP: creating entry for IP address: 192.168.0.2, hw: 000c.293a.b455

Here is some text from the web:

When a router receives a packet on a routed interface, it first removes the Layer 2 (L2) frame information. It then stores the Layer 3 (L3) packet in input/output (I/O) memory. What happens next depends on the switching path that the packet follows. Cisco Express Forwarding (CEF) is an advanced Layer 3 switching technology inside a router. It is the fastest method by which a Cisco router forwards packets from ingress to egress interfaces. Process switching is the lowest common denominator of the switching paths; it is available in every version of IOS, on every platform. I believe this is the default method used.

Process switching uses the CPU for every packet; CEF only needs the CPU for the first packet of each session.

Note: when you configure the device in certain ways, fast switching can be automatically disabled for some packets. For example, policy routing or fancy queuing may disable fast switching for the relevant traffic.

Posted by jahil | 0 Comments

ADSL Line Attenuation

This is an email I wrote to one of our valued customers; some of you may find it useful :)

The client has high PSTN line uplink attenuation, above 63 dB. The subscriber location may exceed the loop distance. Obviously, the longer the line, the greater the effect of the above characteristics and the greater the loss. This causes signal loss through diminishing signal energy, or signal power.

This is why we can't get a higher data rate, although the following tweaks may help, if they have not already been tried:

1. If a splitter/filter is being used, try the connection without splitters.
2. Make sure the pins of the cable sockets you plug into are clean.

The distances from the exchange (MDF to CPE) are based on average signal loss versus line length, and we may find that even if we are within the distance we still have too much loss for the chosen service. Conversely, we may also find that even outside the distance we still get the speed. So just do your best :)

Posted by jahil | 0 Comments