I have integrated an ArubaOS-CX OVA running on GNS3 with Simulated Comware (Simware) devices running on VirtualBox, and these are the footprints.
ONE
From a beginner's perspective
Friday, April 02, 2021
Monday, August 04, 2014
HP Comware does not have system-view password on Console port (con0)
This is a journal on finding a way to set a password on HP Comware for getting from User View into System View through the Console port.
Started with:
google: hp comware command reference
found: http://www.cisco.leu.lt/wp-content/uploads/2011/06/HP_CLI_Ref_Guide_2010.pdf
In this document, on page-29, there is no Comware CLI equivalent of the IOS CLI 'enable secret' or 'enable password' command.
Checked the Console port default behavior with Simware5:
******************************************************************************
* Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
User interface con0 is available.
Please press ENTER.
#Aug 4 13:23:53:098 2014 H3C SHELL/4/LOGIN:
Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console
%Aug 4 13:23:53:114 2014 H3C SHELL/5/SHELL_LOGIN: Console logged in from con0.
<Switch>
<Switch>super
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<Switch>
<Switch>display users
The user application information of the user interface(s):
Idx UI Delay Type Userlevel
+ 0 CON 0 00:00:00 3
+ : Current operation user.
F : Current operation user work in async mode.
<Switch>
Tested by forcing the console session to user privilege level 0:
#
user-interface con 0
authentication-mode password
user privilege level 0
set authentication password simple d0nttell
#
Result: failed. Once logged in, the user was immediately at level 3, even though 'user privilege level 0' was configured on con 0.
User interface con0 is available.
Please press ENTER.
Login authentication
Password:
<Switch>
#Aug 4 13:30:16:268 2014 H3C SHELL/4/LOGIN:
Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console
%Aug 4 13:30:16:284 2014 H3C SHELL/5/SHELL_LOGIN: Console logged in from con0.
<Switch>
<Switch>super
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<Switch>
<Switch>system-view
System View: return to User View with Ctrl+Z.
[Switch]
Further testing using local (scheme) authentication with a level 0 user:
#
user-interface con 0
authentication-mode scheme
user privilege level 0
#
local-user user_a
password simple pl5tell
service-type terminal
#
# authorization-attribute level 0 was entered, but it is not shown in display current-configuration
#
Result: failed. Once logged in on the console session, 'user_a' had system-view access directly.
User interface con0 is available.
Please press ENTER.
Login authentication
Username:user_a
Password:
<Switch>
#Aug 4 13:38:34:941 2014 H3C SHELL/4/LOGIN:
Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1:user_a login from Console
%Aug 4 13:38:34:956 2014 H3C SHELL/5/SHELL_LOGIN: user_a logged in from con0.
<Switch>
<Switch>super
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<Switch>
<Switch>system-view
System View: return to User View with Ctrl+Z.
[Switch]
Google: comware con 0 user privilege level
Found: http://www.h3c.com/portal/Technical_Support___Documents/Technical_Documents/Switches/H3C_S5120_Series_Switches/Command/Command/H3C_S5120-SI_CR-Release_1101-6W105/201108/723527_1285_0.htm#_Toc300908380
In this document, page 1-25 (PDF page-26), it says "..By default, the commands of level 3 are available to the users logging into the AUX user interface. The
commands of level 0 are available to the users logging into VTY user interfaces. .."
Conclusion: for Comware, there is no way to place a password between User View and System View for access through the Console port (user-interface con0), because user-interface con0 is set to level 3 by default.
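Since every console login ends up at level 3, the practical control left to a defender is to notice those logins. The transcripts above contain the SHELL/5/SHELL_LOGIN messages the device prints for each one, both the password-only form ("Console logged in from con0") and the scheme form ("user_a logged in from con0"). The following Python is an added example, not code from the original post or from H3C/HPE: it parses those messages into structured events and picks out the ones on console/AUX lines. The message layout is taken from the lines quoted above; the sample log, including the vty0 entry, is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout taken from the SHELL_LOGIN lines quoted in the transcripts, e.g.
# %Aug 4 13:38:34:956 2014 H3C SHELL/5/SHELL_LOGIN: user_a logged in from con0.
MSG_RE = re.compile(
    r"^%(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<year>\d{4})\s+(?P<host>\S+)\s+(?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+):\s*(?P<text>.*)$"
)
# "<user> logged in from <line>." For a password-mode console login the
# user field is the literal word Console, so no username is recorded.
LOGIN_RE = re.compile(r"^(?P<user>\S+) logged in from (?P<line>[^\s.]+)\.?$")
# Console and AUX user interfaces are the ones that land at level 3 by default.
CONSOLE_LINE_RE = re.compile(r"^(?:con|aux)\d+$", re.IGNORECASE)


@dataclass
class ShellLogin:
    timestamp: str       # "Aug 4 13:38:34:956 2014", as printed by the device
    host: str            # sysname, "H3C" in the transcripts
    severity: int        # 5 for SHELL_LOGIN
    user: Optional[str]  # None for a password-only console login
    line: str            # user interface, e.g. con0 or vty0


def parse_shell_logins(lines: List[str]) -> List[ShellLogin]:
    """Return one ShellLogin per SHELL_LOGIN message; every other line is skipped."""
    events = []
    for raw in lines:
        m = MSG_RE.match(raw.strip())
        if not m or m["module"] != "SHELL" or m["mnemonic"] != "SHELL_LOGIN":
            continue  # trap lines (#...), banners and prompts do not match
        lm = LOGIN_RE.match(m["text"])
        if not lm:
            continue
        user = None if lm["user"] == "Console" else lm["user"]
        events.append(ShellLogin(
            timestamp=f"{m['mon']} {m['day']} {m['time']} {m['year']}",
            host=m["host"],
            severity=int(m["sev"]),
            user=user,
            line=lm["line"],
        ))
    return events


def is_console_line(line: str) -> bool:
    return CONSOLE_LINE_RE.match(line) is not None


def console_logins(events: List[ShellLogin]) -> List[ShellLogin]:
    """Logins on con/aux lines: full level-3 sessions, per the finding above."""
    return [e for e in events if is_console_line(e.line)]


def anonymous_console_logins(events: List[ShellLogin]) -> List[ShellLogin]:
    """Console logins that carry no username, so the session cannot be attributed."""
    return [e for e in console_logins(events) if e.user is None]


# Constructed sample: the SHELL_LOGIN lines from the transcripts, one of the
# trap lines that precedes them, and a made-up VTY login for contrast.
SAMPLE_LOG = [
    "#Aug 4 13:23:53:098 2014 H3C SHELL/4/LOGIN:",
    "Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console",
    "%Aug 4 13:23:53:114 2014 H3C SHELL/5/SHELL_LOGIN: Console logged in from con0.",
    "%Aug 4 13:30:16:284 2014 H3C SHELL/5/SHELL_LOGIN: Console logged in from con0.",
    "%Aug 4 13:38:34:956 2014 H3C SHELL/5/SHELL_LOGIN: user_a logged in from con0.",
    "%Aug 4 14:02:11:001 2014 H3C SHELL/5/SHELL_LOGIN: user_b logged in from vty0.",
]

if __name__ == "__main__":
    for e in console_logins(parse_shell_logins(SAMPLE_LOG)):
        who = e.user or "<no username>"
        print(f"{e.timestamp} {e.host}: console login on {e.line} by {who}")
```

With password-mode console authentication the device cannot say who logged in, which is why the example separates the unattributed console logins; scheme authentication with local users at least puts a username in the message, even though the session is still level 3.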
Thursday, July 31, 2014
Tuesday, September 17, 2013
A Perl script to collect information from Cisco IOS routers/switches
This is a journal about creating a Perl script that establishes an SSH session to Cisco IOS routers/switches and collects a list of information.
I started with:
google: perl script to ssh to cisco router
found: http://forums.freebsd.org/showthread.php?t=31396 posted by 'Business_Woman'.
As per the post, she needed advice on entering privileged EXEC mode after a successful SSH login.
I checked my perl setup:
Platform: Windows 7
Perl: ActivePerl by ActiveState
Version: v5.10.1 (command: perl -v)
My Perl did not have 'Net::SSH2' available. Then:
google: Net::SSH2 for windows
found: http://www.perlmonks.org/?node_id=949926
I chose to try the 1st option (cpan install), and as my network is behind a proxy:
google: perl cpan set http_proxy
found: http://abhijit.name/setting_cpan_for_proxy.html
Followed the instructions, but got:
error: LWP failed with code[301] message[Moved Permanently]
Warning: no success downloading 'C:\Perl\cpan\sources\authors\01mailrc.txt.gz.tmp7232'. Giving up on it. at C:\Perl\lib/CPAN/Index.pm line 225
Next, I tried the 2nd option, which was using Strawberry Perl. I downloaded and installed Strawberry Perl, which is now v5.18.1 (http://strawberryperl.com/). Now that I have the Net::SSH2 library in my Perl, I prepared my script based on the 'Business_Woman' post and saved it as cisco.pl as follows:
use Net::SSH2;
use warnings;
use strict;
my $host     = "10.10.1.1"; ### 10.10.1.1 is my target device
my $user     = "admin";     ### my ssh login is admin/cisco
my $password = "cisco";
my $ssh = Net::SSH2->new();
if (!$ssh->connect($host)) {
    print("Connection Failed\n");
    exit(1);
}
if (!$ssh->auth_password($user, $password)) {
    print("Authentication Failed\n");
    exit(1);
}
my $channel = $ssh->channel();
$channel->exec("sh ver") or die "exec failed: " . join(' ', $ssh->error); ### one command per exec channel
my $output;
my $len = $channel->read($output, 2048); ### read up to 2048 bytes of the command output
print $output;                           ### show what the device returned
Running it by the command: perl cisco.pl
Bingo! At this point, I was in the same situation as 'Business_Woman'. The next step is to find a way to enter privileged EXEC mode:
google: perl script show running-config cisco ==>results: not on target
google: perl script cisco privilege mode ==>results: not on target
google: net::SSH2 documentation ==>results: not on target
google: perl net::ssh2 examples
found: http://www.perlmonks.org/?node_id=569657
On this URL, I came to the part '#to run multiple commands use a shell', and then I modified my script as follows:
use Net::SSH2;
use warnings;
use strict;
my $host     = "10.10.1.1"; ### 10.10.1.1 is my target device
my $user     = "admin";     ### my ssh login is admin/cisco
my $password = "cisco";
my $ssh = Net::SSH2->new();
if (!$ssh->connect($host)) {
    print("Connection Failed\n");
    exit(1);
}
if (!$ssh->auth_password($user, $password)) {
    print("Authentication Failed\n");
    exit(1);
}
my $channel = $ssh->channel();
$channel->blocking(0);
$channel->shell();           ### interactive shell instead of one exec per command
print $channel "enable\n";
print $channel "cisco\n";    ### enable password is cisco
print $channel "term len 0\n";
print "LINE : $_" while <$channel>;
print $channel "show clock\n";
print "LINE : $_" while <$channel>;
print $channel "dir\n";
print "LINE : $_" while <$channel>;
After some trial and error, the last 9 lines of my script became:
my $channel = $ssh->channel();
$channel->blocking(0);
$channel->shell();
print $channel "enable\n";
print $channel "cisco\n";      ### enable password is cisco
print $channel "term len 0\n"; ### no --More-- paging
print $channel "show clock\n";
print $channel "dir\n";
print "$_" while <$channel>;   ### send everything first, then read all the output in one go
At this point, it had achieved my target. To further shape the script:
1) remove the passwords from the scripts
2) write the output to a file instead of screen
google: perl input argument
found: http://stackoverflow.com/questions/361752/how-can-i-pass-command-line-arguments-to-a-perl-program
google: perl write to file
found: http://perl.about.com/od/perltutorials/a/readwritefiles_2.htm
From the found URLs, I made the target host an input argument, as well as the SSH password and enable secret. With that, the script can be used for any device with any password (nothing hardcoded in the script). Secondly, I wrote the show output to a file and kept it as a log file. My script became:
use Net::SSH2;
use warnings;
use strict;
my $host     = $ARGV[0]; ### target host as input string1
my $user     = "admin";
my $password = $ARGV[1]; ### ssh password as input string2
my $secret   = $ARGV[2]; ### enable password as input string3
my $ssh = Net::SSH2->new();
if (!$ssh->connect($host)) {
    print("Connection Failed\n");
    exit(1);
}
if (!$ssh->auth_password($user, $password)) {
    print("Authentication Failed\n");
    exit(1);
}
my $channel = $ssh->channel();
$channel->blocking(0);
$channel->shell();
print $channel "enable\n";
print $channel "$secret\n"; ### enable password from input string3
print $channel "term len 0\n";
print $channel "show clock\n";
print $channel "dir\n";
open(my $OUTPUTFILE, '>', "$host.log") or die "Can't open $host.log: $!"; ### target host as filename
print $OUTPUTFILE "$_" while <$channel>;
close $OUTPUTFILE or die "Can't close $host.log: $!";
Running it by the command: perl cisco.pl 10.10.1.1 cisco cisco
(My target host is '10.10.1.1', ssh password is 'cisco', enable password is 'cisco'; generated output filename is '10.10.1.1.log')
At this point, the result written to the file contained many newlines between the messages, so:
google: perl trim empty lines ==>results: not on target
google: perl remove newline from $_ ==>results: not on target
google: perl $_ condition
found: http://perlmaven.com/the-default-variable-of-perl
This URL shows the elegant way of using $_ (Perl's default variable), and its example shows the usage of 'chomp' too. I modified my script (last 6 lines) as follows:
open(my $OUTPUTFILE, '>', "$host.log") or die "Can't open $host.log: $!"; ### target host as filename
while (<$channel>) {
    chomp; s/\r$//;                       ### drop the "\n" and the "\r" that IOS sends before it
    print $OUTPUTFILE "$_\n" if $_ ne ''; ### keep non-empty lines only
}
close $OUTPUTFILE or die "Can't close $host.log: $!";
This is the end of the journal; my script now looks like the following:
#
# usage: perl cisco.pl (target_host) (ssh_password) (enable_password)
#
use Net::SSH2;
use warnings;
use strict;
die "usage: perl cisco.pl (target_host) (ssh_password) (enable_password)\n" unless @ARGV == 3;
my $host     = $ARGV[0]; ### target host as input string1
my $user     = "admin";
my $password = $ARGV[1]; ### ssh password as input string2
my $secret   = $ARGV[2]; ### enable password as input string3
my $ssh = Net::SSH2->new();
if (!$ssh->connect($host)) {
    print("Connection Failed\n");
    exit(1);
}
if (!$ssh->auth_password($user, $password)) {
    print("Authentication Failed\n");
    exit(1);
}
my $channel = $ssh->channel();
$channel->blocking(0); ### non-blocking: reads return once the queued output is drained
$channel->shell();
print $channel "enable\n";
print $channel "$secret\n";    ### enable password from input string3
print $channel "term len 0\n"; ### no --More-- paging
print $channel "show clock\n";
print $channel "dir\n";
open(my $OUTPUTFILE, '>', "$host.log") or die "Can't open $host.log: $!"; ### target host as filename
while (<$channel>) {
    chomp;            ### drop the trailing "\n"
    s/\r$//;          ### IOS sends "\r\n"; drop the "\r" as well
    next if $_ eq ''; ### skip the blank lines that padded the log
    print $OUTPUTFILE "$_\n";
}
close $OUTPUTFILE or die "Can't close $host.log: $!";
Thursday, August 27, 2009
High CPU on a Catalyst switch running IOS | Jeff Greene
When searching for High CPU caused by PIM Process, found the above URL explaining the steps of troubleshooting High CPU due to multicast configuration.
Monday, August 10, 2009
Sys-reset Script:: Network Stuff
When trying to reset the F5 Big-IP LTM to its factory default settings, I found the solution at the above URL.
Note: when using the "sys-reset" command, I encountered an "unrecoverable error" in a few attempts, hence I used "sys-reset -u" instead.
NIL - Designing Fast Converging BGP Networks
Found this URL when handling queries about a network convergence issue involving the BGP protocol.
Monday, August 03, 2009
An Illustrated Guide to IPsec
When looking for IPsec information found this very useful and easy-to-understand paper.
System Test Architecture Reference Manual for IP Telephony
When looking for a Cisco IP Telephony UAT template, found the above URL.
Cisco Unity Integration with Multiple Clusters of Cisco Unified Communications Manager (All Versions of Cisco Unity) [Cisco Unity] - Cisco Systems
When looking for the maximum number of CallManager clusters supported by Cisco Unity, found the above URL.
QoS for the Cisco 6500 (Revisited)
Useful information about QoS implementation on Catalyst 6500 series.