Friday, May 31, 2013

Solarized, Uniform Color Scheme

I've switched my vim's color scheme from oceandeep to solarized. Oceandeep is an eye-friendly dark color scheme, great for people who prefer not to be distracted by highlighted text. However, it makes you feel a bit awkward when you launch vim from a console because it supports only gvim. I got hungry for "uniformity", and solarized came in.

Solarized - Precision colors for machines and people
http://ethanschoonover.com/solarized

Solarized is a color scheme maintained by Ethan Schoonover that provides uniformity to your environment; it supports not only editors (not limited to vim!) but also other development tools like terminal emulators and IDEs.

I've changed color schemes for vim and iTerm2, and they look coordinated. Awesome.

Sunday, May 19, 2013

How to upgrade IOS version/feature set on Cisco 3560

Assumption
1. The switch to be updated is in a factory default configuration.
2. IP address of the switch is 10.240.0.2/24.
3. IP address of the tftp/scp server is 10.240.0.3/24.
4. User name for scp server is switchadmin.
5. The feature set will be upgraded from ipbase to ipservice.
6. The switch will be updated to c3560-ipservicesk9-mz.122-55.SE7.bin.
7. The switch does not require a web console.

Procedure
1. Configure an ssh (scp) server or a tftp server

2. Assign an IP address to a switch
> en
#conf t
(config)#int vlan 1
(config-if)#ip add 10.240.0.2 255.255.255.0
(config-if)#no sh
(config-if)#^z

3. Check whether the device can hold both the current and the new IOS image in the flash.
3.1. Check the new image's size.
3.2. Check the free space on the flash.
#dir flash:

If the switch has enough space, go to step 5.

4. If the flash does not have sufficient free space, delete the current IOS image.
Delete the image file with "delete flash:/filename" or "delete /force /recursive flash:/dir_name".

5. Transfer the new image
! Assume the image is stored in the tftp root directory.
! The "copy " part can be omitted in some IOS versions.
! Don't use scp, since it takes more time than you would expect.
#copy tftp://10.240.0.3/c3560-ipservicesk9-mz.122-55.SE7.bin flash:

6. Verify the transferred image
! The verify command was introduced in 12.2(4)T and 12.0(22)S.
#verify /md5 flash:/c3560-ipservicesk9-mz.122-55.SE7.bin

7. Change boot image
#conf t

! Just specify the path to the boot image.
(config)#boot system flash:/c3560-ipservicesk9-mz.122-55.SE7.bin
(config)#^z

! Verify boot configuration
#sh boot

! Save changes
#wr me

8. Reboot the switch
#reload
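Steps 3, 4 and 6 above are the points where the upgrade can go wrong silently: an image that does not fit, or a corrupt image that the switch then tries to boot. The following script is an added example written for this post, not code from it or from Cisco: it parses "dir flash:" output in the 3560's format, decides whether the new image fits, picks which old .bin image(s) to delete if it does not, and computes the MD5 you can pass as the last argument of "verify /md5 flash:/<file> <hash>" so the switch does the comparison itself. The sample "dir flash:" listing, the old ipbase image name, the image sizes and the image bytes are all constructed; only the new image name comes from the procedure.

```python
import hashlib
import re

# Constructed sample of "dir flash:" output in the 3560's format (not captured from a
# real switch); the old ipbase image name and every size are assumptions.
SAMPLE_DIR_FLASH = """Directory of flash:/

    2  -rwx    10087936   Mar 1 1993 00:01:12 +00:00  c3560-ipbasek9-mz.122-55.SE7.bin
    3  -rwx        4312   Mar 1 1993 00:03:44 +00:00  config.text
    4  -rwx           5   Mar 1 1993 00:03:44 +00:00  private-config.text
    5  -rwx        1918   Mar 1 1993 00:03:45 +00:00  vlan.dat

27998208 bytes total (16900000 bytes free)
"""

NEW_IMAGE = "c3560-ipservicesk9-mz.122-55.SE7.bin"   # name from the procedure above
NEW_IMAGE_SIZE = 12500000                              # assumed size in bytes

# Stand-in for the image file; a real run would read it from the tftp root directory.
SAMPLE_IMAGE_BYTES = b"constructed placeholder, not an IOS image\n" * 1000

# "<index>  <perms>  <size>  <date time tz>  <name>"
FILE_RE = re.compile(r"^\s*\d+\s+\S+\s+(\d+)\s+.*\s(\S+)\s*$")
SUMMARY_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")


def parse_dir_flash(text):
    """Return ({name: size}, total_bytes, free_bytes) from 'dir flash:' output."""
    files, total, free = {}, None, None
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
            continue
        m = FILE_RE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
    if free is None:
        raise ValueError("no 'bytes total (... bytes free)' line in dir output")
    return files, total, free


def fits_in_flash(dir_output, image_size):
    """Step 3: can the new image sit beside the current one?"""
    _, _, free = parse_dir_flash(dir_output)
    return free >= image_size


def images_to_delete(dir_output, image_size):
    """Step 4: the largest old .bin image(s) whose removal makes the new one fit.
    Returns [] when nothing needs deleting."""
    files, _, free = parse_dir_flash(dir_output)
    if free >= image_size:
        return []
    chosen = []
    for name in sorted((n for n in files if n.endswith(".bin")),
                       key=files.__getitem__, reverse=True):
        chosen.append(name)
        free += files[name]
        if free >= image_size:
            return chosen
    raise RuntimeError("flash too small even with every .bin image removed")


def md5_for_verify(image_bytes):
    """Step 6: hash the image on the server side; the value goes on the end of
    'verify /md5 flash:/<file> <hash>' so the switch reports match or mismatch."""
    return hashlib.md5(image_bytes).hexdigest()


if __name__ == "__main__":
    if fits_in_flash(SAMPLE_DIR_FLASH, NEW_IMAGE_SIZE):
        print("step 3: enough free space, go to step 5")
    else:
        print("step 4: delete", images_to_delete(SAMPLE_DIR_FLASH, NEW_IMAGE_SIZE))
    print(f"step 6: verify /md5 flash:/{NEW_IMAGE} {md5_for_verify(SAMPLE_IMAGE_BYTES)}")
```

Run it against a pasted "dir flash:" listing and the real image file; comparing against the MD5 published by Cisco for the image (rather than only hashing the copy on the switch) is what makes the verify step meaningful.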

Note
1. If the boot loader needs an update, it is done automatically the first time the switch boots with the new image (and this causes a reboot).

2. An almost equivalent of steps 5 to 7 is
! Assume the image is stored on "flash:/c3560-ipserviceslmk9-tar.122-55.SE7.tar/c3560-ipservicesk9-mz.122-55.SE7.bin"
#archive download-sw /imageonly /leave-old-sw tftp://10.240.0.3/c3560-ipserviceslmk9-tar.122-55.SE7.tar
(If the switch shows a feature set incompatibility error, add the "/allow-feature-upgrade" option when upgrading/downgrading a feature set.)

Consideration
1. This method is faster than upgrading IOS with the archive command since unnecessary files are not transferred. (=> The tar archive contains files for the web console as well.)

2. Downloading an image is quite a high-load task. CPU usage went up to between 77% and 84% while transferring. It should be done in a maintenance window.

Reference:
Catalyst 3750 Software Upgrade in a Stack Configuration with Use of the Command-Line Interface
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00804799d7.shtml

Upgrading a Cisco 3750 IOS from a .bin image file
http://thias.marmotte.net/2008/11/upgrading-a-cisco-3750-ios-from-a-bin-image-file/

MD5 File Validation
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_md5_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Saturday, May 18, 2013

How to use UC-SGT on Mac OS X Mountain Lion 10.8.2 (15' rMBP 2012)

It's been ages since the serial port disappeared from laptop PCs. Nevertheless, network devices require a serial connection as an out-of-band connection. I grabbed a USB serial adapter UC-SGT, but my laptop (15' rMBP 2012, Mountain Lion) needed a trick to recognize it.
  1. Download the driver from Prolific's website
    http://prolificusa.com/pl-2303hx-drivers/
  2. Install the driver following the README
  3. Add an entry for UC-SGT to the driver
    cd /System/Library/Extensions/ProlificUsbSerial.kext/Contents
    sudo cp -p Info.plist Info.plist.ori
    sudo vim Info.plist

    * Insert the following entry before the entry for <key>067B_2303</key>
             <key>056E_5004</key>
             <dict>
                 <key>CFBundleIdentifier</key>
                 <string>com.prolific.driver.PL2303</string>
                 <key>IOClass</key>
                 <string>com_prolific_driver_PL2303</string>
                 <key>IOProviderClass</key>
                 <string>IOUSBInterface</string>
                 <key>bConfigurationValue</key>
                 <integer>1</integer>
                 <key>bInterfaceNumber</key>
                 <integer>0</integer>
                 <key>idProduct</key>
                 <integer>20484</integer>
                 <key>idVendor</key>
                 <integer>1390</integer>
             </dict>

  4. Rebuild kext cache
    sudo touch /System/Library/Extensions/
    sudo reboot
Caution: the kext cache needs to be rebuilt; otherwise, you have to issue "kextload /System/Library/Extensions/ProlificUsbSerial.kext" every time you boot the box.
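The entry in step 3 is a copy of the driver's existing 067B_2303 personality with the USB ids swapped: the key is the vendor and product id in hex (056E_5004), and the idVendor/idProduct values are the same numbers in decimal (0x056E = 1390, 0x5004 = 20484). The script below is an added example written for this post, not code from Prolific or from the original post: it generates such an entry from the ids and inserts it with plistlib instead of hand-editing the XML. The embedded Info.plist is a constructed, minimal stand-in that contains only the 067B_2303 personality with the keys shown above; the real file has many more keys, and the functions assume the driver's personality dict has that shape.

```python
import plistlib

# Constructed, minimal stand-in for ProlificUsbSerial.kext/Contents/Info.plist: only the
# 067B_2303 personality, with the same keys as the entry shown in step 3 (assumption; the
# real file carries many more keys). 0x067B = 1659, 0x2303 = 8963.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>IOKitPersonalities</key>
    <dict>
        <key>067B_2303</key>
        <dict>
            <key>CFBundleIdentifier</key>
            <string>com.prolific.driver.PL2303</string>
            <key>IOClass</key>
            <string>com_prolific_driver_PL2303</string>
            <key>IOProviderClass</key>
            <string>IOUSBInterface</string>
            <key>bConfigurationValue</key>
            <integer>1</integer>
            <key>bInterfaceNumber</key>
            <integer>0</integer>
            <key>idProduct</key>
            <integer>8963</integer>
            <key>idVendor</key>
            <integer>1659</integer>
        </dict>
    </dict>
</dict>
</plist>
"""


def personality_key(vid, pid):
    """Personality name from the USB ids, upper-case hex: 0x056E/0x5004 -> '056E_5004'."""
    return f"{vid:04X}_{pid:04X}"


def decode_key(key):
    """Inverse mapping: '056E_5004' -> (1390, 20484), the decimal values the plist stores."""
    vid, pid = key.split("_")
    return int(vid, 16), int(pid, 16)


def list_personalities(plist_bytes):
    """{key: (idVendor, idProduct)} for every personality in the plist."""
    d = plistlib.loads(plist_bytes)
    return {k: (v["idVendor"], v["idProduct"]) for k, v in d["IOKitPersonalities"].items()}


def add_personality(plist_bytes, vid, pid, template_key="067B_2303"):
    """Clone the template personality for another PL2303-based adapter with ids vid/pid.
    Returns new plist bytes; the input is returned unchanged if the key already exists."""
    d = plistlib.loads(plist_bytes)
    personalities = d["IOKitPersonalities"]
    key = personality_key(vid, pid)
    if key in personalities:
        return plist_bytes
    entry = dict(personalities[template_key])  # same class, provider and interface settings
    entry["idVendor"] = vid
    entry["idProduct"] = pid
    personalities[key] = entry
    return plistlib.dumps(d)


if __name__ == "__main__":
    # UC-SGT: vendor 0x056E, product 0x5004, exactly the entry the post adds by hand
    print(add_personality(SAMPLE_INFO_PLIST, 0x056E, 0x5004).decode())
```

On a real system you would still back up Info.plist first (as step 3 does), write the output back with sudo, and rebuild the kext cache as in step 4; any other PL2303-based adapter with a different vendor/product id can be added the same way.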

Note: TU-S9 from TRENDnet works with Prolific's driver without changing the plist.

Friday, May 17, 2013

How to transfer files from/to cisco devices

There are several options for transferring files to a Cisco device. Tftp is the traditional way. Scp is also supported by IOS from 12.3(2)T and 12.2(14)S (encryption needs to be supported by the feature set). If no in-band connection is available, xmodem becomes the option.

scp
Pro: Transferred files are encrypted
Con: Not supported by all platforms; an in-band connection is necessary

tftp
Pro: Supported by all platforms
Con: Files are transferred in plain text; the tftp protocol has no authentication; an in-band connection is necessary

xmodem
Pro: Supported by all platforms; no need for an in-band connection
Con: Slow transmission

Whenever transferring a startup configuration, consider using scp rather than tftp, since quite a few passwords sit in the config in plain text or in an obfuscated form. Type 7 encryption is just an obfuscation that is cracked within a second, and even type 5 hashes can be cracked with massive computing power since the salt is in the same file.
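Before a config leaves the box over tftp it is worth knowing what it carries. The script below is an added example written for this post (not part of the original, and not a Cisco tool): it scans a startup-config for clear-text passwords, type 7 strings, SNMP community strings and type 5 hashes, reports the line and the kind of secret without echoing the secret itself, and answers "scp or tftp" the way the paragraph above argues. The config excerpt is constructed; the type 7 values are made-up hex and the type 5 value is a placeholder, not a real hash.

```python
import re

# Constructed startup-config excerpt; every value is made up (the type 7 strings are
# arbitrary hex, the type 5 value is a placeholder, not a real hash).
SAMPLE_CONFIG = """\
!
version 12.2
service password-encryption
hostname lab-sw1
!
enable secret 5 $1$abcd$PLACEHOLDERNOTAREALHASH00
enable password 7 0A1B2C3D4E5F
!
username admin privilege 15 password 7 1F2E3D4C5B6A
username backup password 0 ChangeMe123
!
snmp-server community public RO
!
line vty 0 4
 password 7 6A5B4C3D2E1F
 login
!
"""

# (rule, pattern, why it matters when the file crosses the network unencrypted)
RULES = [
    ("plaintext", re.compile(r"\bpassword (?:0 )?(?![0-9] )\S+"),
     "clear-text password: readable by anyone who sees the transfer"),
    ("type7", re.compile(r"\b(?:password|key) 7 \S+"),
     "type 7 is reversible obfuscation, not encryption"),
    ("snmp-community", re.compile(r"^\s*snmp-server community \S+"),
     "SNMP community strings are stored in clear text"),
    ("type5", re.compile(r"\bsecret 5 \$1\$"),
     "salted MD5 hash: offline cracking is possible once the file leaks"),
]


def audit_config(text):
    """Return [(line_number, rule, why)] for every line carrying a secret.
    The secret itself is deliberately not included in the report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern, why in RULES:
            if pattern.search(line):
                findings.append((lineno, rule, why))
                break  # one finding per line, most serious rule first
    return findings


def transfer_advice(findings):
    """The rule of the paragraph above: anything plain, type 7 or type 5 in the
    file argues for scp; only a file with no secrets at all is fine over tftp."""
    return "scp" if findings else "tftp"


if __name__ == "__main__":
    found = audit_config(SAMPLE_CONFIG)
    for lineno, rule, why in found:
        print(f"line {lineno:3d}  {rule:15s}  {why}")
    print("transfer with:", transfer_advice(found))
```

Point it at a "show running-config" dump before choosing the transport; on a real config the plaintext and type7 lines are also the ones worth converting to "secret" (type 5) where IOS allows it, since service password-encryption only ever produces type 7.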


Reference:
Cisco IOS Configuration Fundamentals Command Reference
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_c1.html#wp1064741

Cisco Password Cracker (For type 5 encryption)
https://www.google.com/search?q=cisco+type+7+crack&ie=utf-8&oe=utf-8&aq=t

Decrypting Cisco type 5 password hashes
http://retrorabble.wordpress.com/2011/02/09/decrypting-cisco-type-5-password-hashes/

Thursday, May 16, 2013

How to enable native tftpd on Mac OS X Mountain Lion 10.8.2

I needed a tftp server to update IOS images for switches in my home lab. Mac OS X has its native tftp daemon and it will do for the purpose.

To launch tftpd,
$ sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist
# Default tftp root directory, in which data files are stored, is /private/tftpboot/

To check that tftp is up and running,
$ lsof -i:69

To stop tftpd,
$ sudo launchctl unload /System/Library/LaunchDaemons/tftp.plist
or reboot the system.

Note:
1. tftpd will not start the next time the system is booted. To make tftpd persistent, issue
$ sudo launchctl load -w /System/Library/LaunchDaemons/tftp.plist
1.1. The -w option erases the <key>Disabled</key> entry in tftp.plist and launches tftpd.
1.2. If you want to make tftpd persistent, think about the security concerns, since there is no authentication in the tftp protocol (i.e. at least add the -l option to tftp.plist for logging, and take care of permissions on files/directories).


To disable it,
$ sudo launchctl unload -w /System/Library/LaunchDaemons/tftp.plist

2. The -F option is needed since /System/Library/LaunchDaemons/tftp.plist has a <key>Disabled</key> entry.

3. The owner of /private/tftpboot/ is root and its permission is 755.
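Notes 1.2, 2 and 3 amount to three checks on the launchd job: is it Disabled (so -F or -w is needed), does tftpd log (-l), and is the tftp root writable by anyone other than root. The script below is an added example for this post, not Apple's code or the post's own: it inspects a tftp.plist with plistlib, inserts -l when missing, and checks a directory mode. The embedded plist is a constructed stand-in for /System/Library/LaunchDaemons/tftp.plist; the Disabled key and the -l flag come from the notes above, while the program path and the remaining arguments are assumptions.

```python
import plistlib
import stat

# Constructed stand-in for /System/Library/LaunchDaemons/tftp.plist. The Disabled key is
# as the notes above describe; the program path and other arguments are assumptions.
SAMPLE_TFTP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <true/>
    <key>Label</key>
    <string>com.apple.tftpd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/tftpd</string>
        <string>-i</string>
        <string>/private/tftpboot</string>
    </array>
</dict>
</plist>
"""


def audit_tftp_plist(plist_bytes):
    """The three things the notes care about: is the job Disabled (needs -F or -w),
    is -l logging on, and which directory tftpd serves."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments", [])
    return {
        "disabled": bool(d.get("Disabled", False)),
        "logging": "-l" in args,
        # the first absolute path after the program itself is taken as the tftp root
        "root": next((a for a in args[1:] if a.startswith("/")), None),
    }


def with_logging(plist_bytes):
    """Return plist bytes with -l inserted right after the program path (idempotent)."""
    d = plistlib.loads(plist_bytes)
    args = d["ProgramArguments"]
    if "-l" not in args:
        args.insert(1, "-l")
    return plistlib.dumps(d)


def tftp_root_mode_ok(mode):
    """Note 3: root-owned 755 is the baseline. Any group or other write bit would let
    a non-root user replace the images that switches later boot from."""
    return not mode & (stat.S_IWGRP | stat.S_IWOTH)


if __name__ == "__main__":
    import os
    print(audit_tftp_plist(SAMPLE_TFTP_PLIST))
    print(audit_tftp_plist(with_logging(SAMPLE_TFTP_PLIST)))
    # on a Mac with tftpd enabled this checks the real root; elsewhere it may not exist
    if os.path.isdir("/private/tftpboot"):
        print("tftp root ok:", tftp_root_mode_ok(os.stat("/private/tftpboot").st_mode))
```

To apply the logging change on a real system, write the bytes returned by with_logging back to the plist as root and reload the job with launchctl unload followed by load -w, as the notes above do.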

Reference:
man tftpd
man launchctl
man launchd.plist


Wednesday, May 15, 2013

How to enable sshd on Mac OS X Mountain Lion 10.8.2

It's an easy step with the GUI.

1. Go to System Preferences => Sharing => Remote Login
2. Turn on Remote Login
3. Check that sshd is running
$ sudo lsof -i:22

Note: The firewall on the system is automatically adjusted to pass an incoming ssh connection.

Tuesday, May 14, 2013

How to rebuild kext cache on Mountain Lion 10.8

A kext cache rebuild is just a two-step task.
  1. sudo touch /System/Library/Extensions/
  2. sudo reboot

It's NOT recommended to execute kextcache manually.
KEXTCACHE(8)              BSD System Manager's Manual             KEXTCACHE(8)
Caution: Incorrect use of kextcache can render a volume incapable of startup.  Installers and administrators should not use this program to
     update system kext caches.  Instead they should run touch(1) on the /System/Library/Extensions/ directory of the installation target volume
     after they have finished, which invalidates the existing caches and causes the system to update all necessary kext caches.