Friday, August 23, 2013

Cisco BGP - Prevent Transit AS

By default BGP will advertise all prefixes to EBGP (External BGP) neighbors. This means that if you are multi-homed (connected to two or more ISPs) you might become a transit AS. Let me show you an example:

[R1-two-ISPs-3-loopback]

R1 is connected to ISP1 and ISP2 and each router is in a different AS (Autonomous System). Since R1 is multi-homed, it's possible that the ISPs will use R1 to reach each other. That is a route leak: traffic between the two ISPs gets pulled through your links, which can saturate them and blackhole that traffic. In order to prevent this we'll have to ensure that R1 only advertises prefixes from its own autonomous system to its EBGP neighbors.

As far as I know there are four methods to prevent becoming a transit AS:
- Filter-list with AS-path access-list
- No-export community
- Prefix-list filtering
- Distribute-list filtering

Prefix-lists or distribute-lists will work, but they are not very scalable if you have thousands of prefixes in your BGP table, because the allow-list has to be edited every time a prefix is added. The filter-list and the no-export community work very well since you only have to configure them once; it will not matter if new prefixes show up. First we'll configure BGP on each router:

R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 remote-as 2
R1(config-router)#neighbor 192.168.13.3 remote-as 3

ISP1(config)#router bgp 2
ISP1(config-router)#neighbor 192.168.12.1 remote-as 1

ISP2(config)#router bgp 3
ISP2(config-router)#neighbor 192.168.13.1 remote-as 1

The commands above will configure EBGP (External BGP) between R1 – ISP1 and R1 – ISP2. To make sure we have something to look at, I’ll advertise the loopback interfaces in BGP on each router:

R1(config)#router bgp 1
R1(config-router)#network 1.1.1.0 mask 255.255.255.0

ISP1(config)#router bgp 2
ISP1(config-router)#network 2.2.2.0 mask 255.255.255.0

ISP2(config)#router bgp 3
ISP2(config-router)#network 3.3.3.0 mask 255.255.255.0

With the networks advertised, let’s take a look at the BGP table of ISP1 and ISP2 to see what they have learned:

ISP1#show ip bgp
BGP table version is 4, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.12.1             0             0 1 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*> 3.3.3.0/24       192.168.12.1                           0 1 3 i

ISP2#show ip bgp
BGP table version is 4, local router ID is 33.33.33.33
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.13.1             0             0 1 i
*> 2.2.2.0/24       192.168.13.1                           0 1 2 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

The ISP routers have learned about each other's networks and they will use R1 as the next hop: at this point AS 1 is a transit AS for traffic between AS 2 and AS 3. We now have everything in place to play with the different filtering techniques.

 

Filter-list with AS PATH access-list

Using a filter-list with an AS-path access-list is probably the most convenient solution. It will ensure that you only ever advertise prefixes from your own autonomous system.

Here’s how to do it:
R1(config)#ip as-path access-list 1 permit ^$
R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 filter-list 1 out
R1(config-router)#neighbor 192.168.13.3 filter-list 1 out

The ^$ regular expression matches an empty AS path, which is exactly what locally originated prefixes have when the outbound filter is evaluated (the router prepends its own AS only after the filter has been applied). Prefixes learned from other routers in AS 1 via IBGP also carry an empty AS path, so they are still advertised, while anything learned from an EBGP neighbor has at least one AS in its path and is dropped by the implicit deny at the end of the access-list. We'll have to apply this filter to both ISPs.

Keep in mind that BGP is slow…if you are doing labs, it’s best to speed things up with clear ip bgp *. On a production router that hard reset tears down every session; use clear ip bgp * soft out to push a new outbound policy without resetting the neighbors.

Let’s verify our configuration:

R1#show ip bgp
BGP table version is 4, local router ID is 22.22.22.22
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       0.0.0.0                  0         32768 i
*> 2.2.2.0/24       192.168.12.2             0             0 2 i
*> 3.3.3.0/24       192.168.13.3             0             0 3 i

R1 still knows about the prefixes from the ISP routers. What about ISP1 and ISP2?

ISP1#show ip bgp
BGP table version is 7, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.12.1             0             0 1 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i

ISP2#show ip bgp
BGP table version is 7, local router ID is 33.33.33.33
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.13.1             0             0 1 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

ISP1 and ISP2 only know about the 1.1.1.0 /24 network. Excellent, we are no longer a transit AS! On to the next method…

 

No-Export Community

Using the no-export community will also work pretty well. We will configure R1 so that prefixes received from the ISP routers are tagged with the no-export community on the way in. No-export is a well-known community that tells a BGP speaker to keep the prefix inside its own AS (or confederation): the prefixes are still known and usable within AS 1, but they won’t be advertised to any EBGP neighbor.

R1(config)#route-map NO-EXPORT
R1(config-route-map)#set community no-export

R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 route-map NO-EXPORT in
R1(config-router)#neighbor 192.168.13.3 route-map NO-EXPORT in

I’m only using one router in AS 1, if you have other routers and are running IBGP (Internal BGP) then don’t forget to send communities to those routers with the neighbor <ip> send-community command.

Let’s see what ISP1 and ISP2 think about our configuration:

ISP1#show ip bgp
BGP table version is 11, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.12.1             0             0 1 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i

ISP2#show ip bgp
BGP table version is 11, local router ID is 33.33.33.33
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.13.1             0             0 1 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

They only know about network 1.1.1.0 /24. Onto the next method!

 

Prefix-List Filtering

Using a prefix-list we can determine what prefixes are advertised to our BGP neighbors. This works fine but it’s not a good solution to prevent becoming a transit AS. Each time you add new prefixes you’ll have to reconfigure the prefix-list. Anyway let me show you how it works:

R1(config)#ip prefix-list NO-TRANSIT permit 1.1.1.0/24
R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 prefix-list NO-TRANSIT out
R1(config-router)#neighbor 192.168.13.3 prefix-list NO-TRANSIT out

The prefix-list above will only advertise 1.1.1.0 /24 to the ISP routers. Let’s verify the configuration:

ISP1#show ip bgp
BGP table version is 17, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.12.1             0             0 1 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i

ISP2#show ip bgp
BGP table version is 17, local router ID is 33.33.33.33
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.13.1             0             0 1 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

The prefix-list is working as it should, onto the last exercise!
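To make the mechanics of the three policies shown so far concrete, here is a small Python model of R1's outbound behaviour. It is an added example written for this page, not code from the original post or from IOS. The route 1.1.2.0/24 learned via IBGP from another AS 1 router is an assumption, added to show why ^$ and no-export keep working when your own AS grows while a static prefix-list allow-list silently falls behind. The `_` translation mirrors how IOS treats that character in AS-path regexes (a boundary: start, end, or the space between two AS numbers).

```python
import re
from dataclasses import dataclass

# Well-known community NO_EXPORT (0xFFFFFF01): keep the route inside the AS,
# never send it to an eBGP neighbor.
NO_EXPORT = 0xFFFFFF01


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple                      # AS_PATH as stored in the BGP table
    from_ebgp: bool = False             # learned from an eBGP neighbor?
    communities: frozenset = frozenset()


# R1's table from the lab above, plus a hypothetical 1.1.2.0/24 learned via
# iBGP from another AS 1 router (constructed to show the scaling difference).
R1_TABLE = [
    Route("1.1.1.0/24", ()),                          # network 1.1.1.0 mask 255.255.255.0
    Route("1.1.2.0/24", ()),                          # iBGP, same AS: empty AS_PATH too
    Route("2.2.2.0/24", (2,), from_ebgp=True),        # from ISP1
    Route("3.3.3.0/24", (3,), from_ebgp=True),        # from ISP2
]


def cisco_as_path_regex(expr):
    """Translate an IOS AS-path regex into a Python regex over the
    space-separated AS_PATH. In IOS, '_' matches a boundary: start of the
    path, end of the path, or the space between two AS numbers."""
    return re.compile(expr.replace("_", r"(?:^|\s|$)"))


def filter_list_out(table, permit_expr):
    """neighbor X filter-list N out, with 'ip as-path access-list N permit <expr>'.
    Evaluated before the local AS is prepended, so routes originated in our
    own AS have an empty path. Unmatched routes hit the implicit deny."""
    pat = cisco_as_path_regex(permit_expr)
    return {r.prefix for r in table if pat.search(" ".join(map(str, r.as_path)))}


def tag_no_export_in(table):
    """neighbor <ISP> route-map NO-EXPORT in: every eBGP-learned route gets NO_EXPORT."""
    return [
        Route(r.prefix, r.as_path, r.from_ebgp, r.communities | {NO_EXPORT})
        if r.from_ebgp else r
        for r in table
    ]


def ebgp_update_out(table):
    """Routes an eBGP UPDATE may carry: NO_EXPORT suppresses the advertisement."""
    return {r.prefix for r in table if NO_EXPORT not in r.communities}


def prefix_list_out(table, permitted):
    """neighbor X prefix-list NO-TRANSIT out: a static allow-list of prefixes."""
    return {r.prefix for r in table if r.prefix in permitted}


def advertised_with_filter_list(table=R1_TABLE):
    return sorted(filter_list_out(table, "^$"))


def advertised_with_no_export(table=R1_TABLE):
    return sorted(ebgp_update_out(tag_no_export_in(table)))


def advertised_with_prefix_list(table=R1_TABLE, permitted=("1.1.1.0/24",)):
    return sorted(prefix_list_out(table, set(permitted)))


if __name__ == "__main__":
    for name, fn in [("filter-list ^$", advertised_with_filter_list),
                     ("no-export", advertised_with_no_export),
                     ("prefix-list", advertised_with_prefix_list)]:
        print(f"{name:16} -> {fn()}")
```

The filter-list and no-export runs both hand the ISPs 1.1.1.0/24 and 1.1.2.0/24 and nothing learned from AS 2 or AS 3; the prefix-list run only hands them 1.1.1.0/24 until someone remembers to edit NO-TRANSIT.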

 

Distribute-list Filtering

This method is similar to using the prefix-list but this time we’ll use an access-list.

R1(config)#ip access-list standard NO-TRANSIT
R1(config-std-nacl)#permit 1.1.1.0 0.0.0.255
R1(config-std-nacl)#exit
R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 distribute-list NO-TRANSIT out
R1(config-router)#neighbor 192.168.13.3 distribute-list NO-TRANSIT out

Time to check the ISPs:

ISP1#show ip bgp
BGP table version is 23, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.12.1             0             0 1 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i

ISP2#show ip bgp
BGP table version is 23, local router ID is 33.33.33.33
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       192.168.13.1             0             0 1 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

That’s all there is to it. I hope this has been helpful for you, if you know of any other methods to prevent becoming a BGP transit AS please leave a comment!
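The failure mode in practice is not picking the wrong method but forgetting to apply one to a new EBGP session. Here is an added audit script (written for this page, not from the original post) that reads an IOS running-config and flags EBGP neighbors that have no outbound policy while another EBGP neighbor's routes are not contained by an inbound no-export route-map. The sample configuration is constructed for the example: two ISP sessions as in the lab, one IBGP session, and only the ISP1 session carrying a filter-list. The check is deliberately shallow about what it accepts as a policy: any filter-list, prefix-list, distribute-list or route-map in the out direction counts, and the contents of that policy are not inspected; peer-groups and session templates are not handled.

```python
import re

# Constructed IOS config for the audit (not from the original post): R1 has two
# eBGP sessions but only the ISP1 session carries an outbound AS-path filter,
# plus one iBGP session that is not a transit boundary.
SAMPLE_CONFIG = """\
hostname R1
!
router bgp 1
 network 1.1.1.0 mask 255.255.255.0
 neighbor 192.168.12.2 remote-as 2
 neighbor 192.168.12.2 filter-list 1 out
 neighbor 192.168.13.3 remote-as 3
 neighbor 10.0.0.2 remote-as 1
!
ip as-path access-list 1 permit ^$
!
route-map NO-EXPORT permit 10
 set community no-export
!
"""

# Constructed variant using the no-export method on both ISP sessions.
SAMPLE_CONFIG_NO_EXPORT = """\
router bgp 1
 neighbor 192.168.12.2 remote-as 2
 neighbor 192.168.12.2 route-map NO-EXPORT in
 neighbor 192.168.13.3 remote-as 3
 neighbor 192.168.13.3 route-map NO-EXPORT in
!
route-map NO-EXPORT permit 10
 set community no-export
!
"""

NEIGHBOR_RE = re.compile(
    r"^\s*neighbor\s+(?P<peer>\S+)\s+"
    r"(?P<kw>remote-as|filter-list|prefix-list|distribute-list|route-map)\s+"
    r"(?P<arg>\S+)(?:\s+(?P<dir>in|out))?\s*$",
    re.MULTILINE,
)


def bgp_section(config):
    """Return (local_as, body) of the first 'router bgp' block; the body is
    the indented text (address-family sub-modes included) up to the next
    unindented line."""
    m = re.search(r"^router bgp (\d+)\n(.*?)(?=^\S|\Z)", config, re.M | re.S)
    if not m:
        raise ValueError("no router bgp section")
    return int(m.group(1)), m.group(2)


def route_maps_setting_no_export(config):
    """Names of route-maps that contain a 'set community ... no-export' line."""
    names, current = set(), None
    for line in config.splitlines():
        if line.startswith("route-map "):
            current = line.split()[1]
        elif current and line.startswith(" set community") and "no-export" in line:
            names.add(current)
        elif not line.startswith(" "):
            current = None
    return names


def audit_transit(config):
    """Return findings for eBGP peers that could receive routes learned from
    another eBGP peer, i.e. sessions on which this router would be transit."""
    local_as, body = bgp_section(config)
    peers = {}
    for m in NEIGHBOR_RE.finditer(body):
        p = peers.setdefault(m["peer"], {"remote_as": None, "out": [], "in_maps": []})
        if m["kw"] == "remote-as":
            p["remote_as"] = int(m["arg"])
        elif m["dir"] == "out":
            p["out"].append(f"{m['kw']} {m['arg']}")
        elif m["kw"] == "route-map" and m["dir"] == "in":
            p["in_maps"].append(m["arg"])

    no_export_maps = route_maps_setting_no_export(config)
    ebgp = {n: p for n, p in peers.items()
            if p["remote_as"] is not None and p["remote_as"] != local_as}
    # A peer's routes are contained if they are tagged no-export on the way in.
    contained = {n for n, p in ebgp.items()
                 if any(rm in no_export_maps for rm in p["in_maps"])}
    findings = []
    for name, p in sorted(ebgp.items()):
        if p["out"]:
            continue  # some outbound policy exists; its correctness is not checked here
        leak_sources = sorted(set(ebgp) - contained - {name})
        if leak_sources:
            findings.append(f"{name} (AS {p['remote_as']}): no outbound filter; "
                            f"would re-advertise routes from {', '.join(leak_sources)}")
    return findings


if __name__ == "__main__":
    for f in audit_transit(SAMPLE_CONFIG) or ["no transit exposure found"]:
        print(f)
```

Run it against the output of show running-config; a clean result for both sample configs is an empty list, and the first sample reports the ISP2 session because ISP1's routes are neither filtered on the way out to ISP2 nor tagged no-export on the way in.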

Taken From: http://networklessons.com/bgp/bgp-prevent-transit-as/

Thursday, August 22, 2013

Cisco IOS Resilient Image and Configuration

Last week, we looked at Recovering a Router with the Password Recovery Service Disabled. Today we're going to examine a related Cisco IOS security feature, dubbed resilient configuration. This feature enables critical router files, namely the IOS image and configuration, to persist despite destructive events such as deletion of the startup configuration or a format of the Flash filesystem. The feature does not require any external services; all persistent files are stored locally on the router.

Enabling Resilient Configuration

First, a quick review of how Cisco ISR (x800 series) routers work. The binary IOS image used to boot the router is stored on the Flash filesystem, which is a type of memory very similar to that found inside a USB thumbdrive. The startup configuration file is stored on a separate filesystem, NVRAM. The contents of both filesystems can be viewed with the dir command.

Router# dir flash:
Directory of flash:/

    1  -rw-    23587052   Jan 9 2010 17:16:58 +00:00  c181x-advipservicesk9-mz.124-24.T.bin
    2  -rw-         600  Sep 26 2010 07:28:12 +00:00  vlan.dat

128237568 bytes total (104644608 bytes free)
Router# dir nvram:
Directory of nvram:/

  189  -rw-        1396                      startup-config
  190  ----          24                      private-config
  191  -rw-        1396                      underlying-config
    1  -rw-           0                      ifIndex-table
    2  -rw-         593                      IOS-Self-Sig#3401.cer
    3  ----          32                      persistent-data
    4  -rw-        2945                      cwmp_inventory
   21  -rw-         581                      IOS-Self-Sig#1.cer

196600 bytes total (130616 bytes free)

The resilient image and configuration features are enabled with one command each.

Router(config)# secure boot-image
Router(config)#
%IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image


Router(config)# secure boot-config
Router(config)#
%IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20101017-020040.ar]

The combination of the secured IOS image and configuration file is referred to as the bootset. We can verify the secure configuration with the command show secure bootset.

Router# show secure bootset
IOS resilience router id FHK110913UQ

IOS image resilience version 12.4 activated at 02:00:30 UTC Sun Oct 17 2010
Secure archive flash:c181x-advipservicesk9-mz.124-24.T.bin type is image (elf) []
  file size is 23587052 bytes, run size is 23752654 bytes
  Runnable image, entry point 0x80012000, run from ram

IOS configuration resilience version 12.4 activated at 02:00:41 UTC Sun Oct 17 2010
Secure archive flash:.runcfg-20101017-020040.ar type is config
configuration archive size 1544 bytes

At this point, we notice that our IOS image file on Flash is now hidden.

Router# dir flash:
Directory of flash:/

2  -rw-         600  Sep 26 2010 07:28:12 +00:00  vlan.dat

128237568 bytes total (104636416 bytes free)

Restoring an Archived Configuration

Now suppose that the router's startup configuration file is erased (accidentally or otherwise) and the router is reloaded. Naturally, it boots with a default configuration. The resilient configuration feature will even appear to be disabled.

Router# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete

Router# show startup-config
startup-config is not present
Router# reload

System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]
...
Router> enable
Router# show secure bootset
%IOS image and configuration resilience is not active

To restore our original configuration, we simply have to extract it from the secure archive and save it to Flash. Next, we can replace the current running configuration with the archived config using the configure replace command.

Router(config)# secure boot-config restore flash:archived-config
ios resilience:configuration successfully restored as flash:archived-config
Router(config)# ^C

Router# configure replace flash:archived-config
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y
Total number of passes: 1
Rollback Done

Router#

Don't forget to save the running configuration once the restoration is complete (copy run start).

Be aware that the resilient configuration file is not automatically updated along with the startup configuration. To update it, you must first delete the existing resilient configuration and issue the secure boot-config command again.

Router(config)# no secure boot-config
%IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed
flash:.runcfg-20101017-020040.ar]

Router(config)# secure boot-config
%IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive
[flash:.runcfg-20101017-024745.ar]
Finally, note that the secure bootset features can only be disabled from the console line. That is the security boundary of the feature: it protects the image and configuration against someone who has gained remote privileged access (a stolen vty login, a compromised management host), not against someone standing at the console or holding the hardware.

Router(config)# no secure boot-config
%You must be logged on the console to apply this command

In fact, attempting to disable either part of the secure bootset generates a handy syslog message to alert administrators:

%IOS_RESILIENCE-5-NON_CONSOLE_ACCESS: Non console configuration request denied for command "no secure boot-config "
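Those syslog messages are only useful if something is watching for them. Below is an added detection example (written for this page, not part of the original post) that parses syslog lines, raises the resilience messages by severity, and reports bootset components that were switched off and never re-armed, which is exactly the window the re-archiving procedure above opens. The log sample is constructed: the message bodies are the ones quoted in this post, while the timestamps, hostname and sequence numbers are made up, and the collector prefix format is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed syslog sample (not captured from a real device). The message
# bodies are the ones quoted in this post; timestamps, hostname and sequence
# numbers are made up for the example.
SAMPLE_LOGS = """\
Oct 17 02:00:30 rtr1 145: *Oct 17 02:00:30.111: %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image
Oct 17 02:00:41 rtr1 146: *Oct 17 02:00:41.220: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20101017-020040.ar]
Oct 17 03:12:09 rtr1 201: *Oct 17 03:12:09.005: %IOS_RESILIENCE-5-NON_CONSOLE_ACCESS: Non console configuration request denied for command "no secure boot-config "
Oct 17 03:15:44 rtr1 207: *Oct 17 03:15:44.390: %IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed flash:.runcfg-20101017-020040.ar]
Oct 17 03:16:02 rtr1 208: *Oct 17 03:16:02.001: %SYS-5-CONFIG_I: Configured from console by admin on console
"""

# "<Mon> <day> <hh:mm:ss> <host> ..." prefix as written by a typical syslog
# collector (assumed format), followed somewhere on the line by the IOS
# "%FACILITY-SEVERITY-MNEMONIC: text" body.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+).*?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


@dataclass
class Alert:
    severity: str      # "high", "medium" or "info"
    host: str
    mnemonic: str
    text: str


def classify(mnemonic):
    """Severity for an IOS_RESILIENCE mnemonic, or None if not interesting."""
    if mnemonic.endswith("_INACTIVE"):
        return "high"        # part of the bootset was switched off
    if mnemonic == "NON_CONSOLE_ACCESS":
        return "medium"      # denied attempt to disable it from a non-console session
    if mnemonic.endswith("_ACTIVE"):
        return "info"        # protection (re)enabled
    return None


def detect(log_text):
    """Turn raw syslog text into Alerts for the resilience-related messages."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["facility"] != "IOS_RESILIENCE":
            continue
        sev = classify(m["mnemonic"])
        if sev:
            alerts.append(Alert(sev, m["host"], m["mnemonic"], m["text"]))
    return alerts


def left_disabled(alerts):
    """Bootset components reported ..._INACTIVE with no later ..._ACTIVE for
    the same component, i.e. protection that was removed and not re-armed."""
    pending = {}
    for a in alerts:
        component, _, state = a.mnemonic.rpartition("_")
        if state == "INACTIVE":
            pending[component] = a
        elif state == "ACTIVE":
            pending.pop(component, None)
    return sorted(pending)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"[{a.severity:6}] {a.host} {a.mnemonic}: {a.text}")
    print("still disabled:", left_disabled(found))
```

On the sample, the denied non-console attempt surfaces as a medium alert a few minutes before the configuration archive is actually disabled from the console, and left_disabled() reports CONFIG_RESIL because no CONFIG_RESIL_ACTIVE follows it; in a real deployment that second signal is the one to page on, since a planned re-archive produces the INACTIVE/ACTIVE pair within seconds.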

What About the IOS Image?

It turns out that the secure boot image feature works pretty well too. Here we can see that it persists even when the Flash filesystem appears to have been formatted.

Router# format flash:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "flash:".  Continue? [confirm]
Writing Monlib sectors...
Monlib write complete

Format: All system sectors written. OK...

Format: Total sectors in formatted partition: 250848
Format: Total bytes in formatted partition: 128434176
Format: Operation completed successfully.

Format of flash: complete
Router# dir
Directory of flash:/

No files in directory

128237568 bytes total (104640512 bytes free)
Router# reload
Proceed with reload? [confirm]

*Oct 17 02:37:37.127: %SYS-5-RELOAD: Reload requested  by console. Reload Reason
: Reload Command.
System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support:
http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 131072 Kbytes of main memory with parity disabled

Upgrade ROMMON initialized
program load complete, entry point: 0x80012000, size: 0xc0c0

Initializing ATA monitor library.......
program load complete, entry point: 0x80012000, size: 0xc0c0

Initializing ATA monitor library.......

program load complete, entry point: 0x80012000, size: 0x167e724
Self decompressing the image : #################################################
################################################################################
################################################################ [OK]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T,
RELEASE SOFTWARE (fc1)
Technical Support:
http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 26-Feb-09 03:22 by prod_rel_team
...
Router> enable
Password:
Router# dir
Directory of flash:/

No files in directory

128237568 bytes total (104640512 bytes free)
Router# show version
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T,
RELEASE SOFTWARE (fc1)
Technical Support:
http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 26-Feb-09 03:22 by prod_rel_team
...

Taken From: http://packetlife.net/blog/2010/oct/18/ios-resilient-configuration/

 

Saturday, August 17, 2013

Cisco VLC Multicast Streaming Demo – PIM Sparse Mode

Topology

[Multicast-realdemo.jpg]

Howto

Configurations

This is the how to for this lab: here
R1
!
ip multicast-routing
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip pim sparse-mode
!
interface FastEthernet1/0
description wan
ip address 10.0.12.1 255.255.255.0
ip pim sparse-mode
duplex auto
speed auto
!
interface FastEthernet2/0
description lan
ip address 192.168.1.1 255.255.255.0
ip pim sparse-mode
duplex auto
speed auto
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 1
network 10.0.12.0 0.0.0.255 area 0
network 10.0.13.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 1
!
! Define this router as an RP candidate
ip pim rp-candidate Loopback0
!


R2

ip multicast-routing
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip pim sparse-mode
!
!
interface FastEthernet1/0
description wan
ip address 10.0.12.2 255.255.255.0
ip pim sparse-mode
duplex auto
speed auto
!
interface FastEthernet1/1
description lan
ip address 192.168.2.2 255.255.255.0
ip pim sparse-mode
duplex auto
speed auto
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 2
network 10.0.12.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 2
!
! Define this router as a Bootstrap Router (BSR) candidate
ip pim bsr-candidate Loopback0 0

!

Note:
ip pim bsr-candidate and ip pim rp-candidate can both be added to the same router if you wish. So in this lab we could have defined both on R1 and left R2 with only ip pim sparse-mode on its interfaces.
Here are the batch files used in VLC:
StartMulticast.bat:

"C:\Program Files\VideoLAN\VLC\vlc.exe" -vvv test.m4v :sout=#transcode{vcodec=h264,vb=800,scale=1,acodec=mp4a,ab=128,channels=2,samplerate=44100}:std{access=udp,mux=ts,dst=239.0.0.1:1234} --ttl 12

StartVideo.bat

call "C:\Program Files\VideoLAN\VLC\vlc.exe" -vvv udp://@239.0.0.1:1234

Taken From: http://roggyblog.blogspot.pt/2009/10/multicast-lab-with-vlc-howto.html

For info on setting up VLC via the graphical interface check out this post: http://myhowtosandprojects.blogspot.pt/2013/08/vlc-multicast-streaming.html

Saturday, August 10, 2013

Cisco IOS on UNIX (IOU) - Installing and Running (Lite)

Cisco IOS on UNIX (IOU) is a fully working version of IOS that runs as a user-mode UNIX/Linux process. IOU is built as a native system image and runs just like any other program. IOU supports all platform-independent protocols and features.

In terms of functionality it is very similar to GNS3, but it needs far fewer resources than several virtual routers running under dynamips do.
IOU allows you to build out a network topology on a single PC without the need for physical routers. This is useful for validating network designs, proof-of-concept testing, and certification self-study.

Legal Warnings

If you are not an authorized Cisco employee (or trusted partner), usage of Cisco IOU is prohibited. From an old, internal-only Cisco web page:
Cisco IOS on Unix is a tool intended for internal use only. Distribution of IOU images to customers or external persons, or discussion of IOU with customers or external persons, is prohibited. Don’t do it or we’ll have to come and kill you.
Cisco IOU, just like IOS, is copyrighted software that belongs to cisco Systems, Inc. Distribution of copyrighted software is a federal crime in the United States. I cannot speak regarding the laws of other countries.
In addition, any requests for Cisco IOU images in the comments section of this blog will be deleted, regardless if distribution is legal in your country.
 
Installing and Running IOU

Checking the Distro
$ cat /etc/issue
Ubuntu 11.04 \n \l


Checking the CPU
$ uname -a
Linux ltsp180 2.6.38-13-generic #55-Ubuntu SMP Tue Jan 24
15:34:24 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux


Installing 32 bit Libs on a 64 bit Distro
$ sudo apt-get install ia32-libs

Installing BBE
$ sudo apt-get install bbe

OR

http://packages.ubuntu.com/
- Your distro | Editors | BBE

Download the file (bbe_0.2.2-1_i386.deb)
And install it manually

$ sudo dpkg -i bbe_0.2.2-1_i386.deb

Installing and Linking the "libcrypto" Library
The IOU images are linked against libcrypto.so.4, which is older than what any current distro ships, so either libssl is missing on your host or the installed version has a different soname and the loader cannot find the one IOU asks for.
First, ensure that libssl is installed. On Debian and Ubuntu:

$ sudo apt-get install libssl0.9.8
Next, you'll need to make a symbolic link named libcrypto.so.4, the file IOU is looking for, pointing at the installed library.

On 32-bit distros:
$ sudo ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.4

On 64-bit distros:
$ sudo ln -s /usr/lib32/libcrypto.so.0.9.8 /usr/lib32/libcrypto.so.4

NETMAP File
The network topology map, or NETMAP, file describes the topology of your virtual network. It is used for controlling the layout of the virtual cabling. If you have used dynagen, this is the equivalent of the .net file.

NETMAP
----------------

100:0/0 200:0/1

The above netmap file means that you are connecting port 0/0 of router 100, to port 0/1 of router 200:

[Router 100]--Ethernet 0/0------Ethernet 0/1--[Router 200]
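A NETMAP that is wrong in a subtle way (the same port wired into two segments, an instance id outside the range the image accepts) produces confusing behaviour at startup, so it is worth validating before launching anything. The following parser is an added example written for this page, not code from the original post or from Cisco; it handles the two-endpoint line shown above. Treating `#` as a comment marker, accepting an optional `@host` suffix on an endpoint and allowing more than two endpoints on one line (a shared segment) are assumptions about the format that go beyond what the post shows. The instance id range comes from the image's own usage text further down.

```python
import re
from collections import defaultdict

# Constructed NETMAP used as sample input. The first line is the one from the
# post; the remaining lines, the '#' comments, and the three-endpoint segment
# are assumptions added for the example.
SAMPLE_NETMAP = """\
# R100 e0/0 <-> R200 e0/1
100:0/0 200:0/1
100:0/1 300:0/0
# a shared segment: three routers on one broadcast domain
200:1/0 300:1/0 400:0/0
"""

# id:slot/port with an optional @host suffix for distributed setups (assumed).
ENDPOINT_RE = re.compile(r"^(?P<id>\d+):(?P<slot>\d+)/(?P<port>\d+)(?:@(?P<host>[\w.-]+))?$")


def parse_endpoint(token):
    """Return (id, slot, port, host) for one 'id:slot/port[@host]' token."""
    m = ENDPOINT_RE.match(token)
    if not m:
        raise ValueError(f"bad endpoint {token!r}")
    rid = int(m["id"])
    if not 0 < rid <= 1024:            # application id range from the image's usage text
        raise ValueError(f"instance id out of range: {rid}")
    return rid, int(m["slot"]), int(m["port"]), m["host"]


def parse_netmap(text):
    """Return a list of segments, each a list of (id, slot, port, host) tuples.
    Rejects a router port that is wired into more than one segment."""
    segments, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        endpoints = [parse_endpoint(tok) for tok in line.split()]
        if len(endpoints) < 2:
            raise ValueError(f"line {lineno}: a segment needs at least two endpoints")
        for ep in endpoints:
            key = ep[:3]
            if key in seen:
                raise ValueError(
                    f"line {lineno}: {key[0]}:{key[1]}/{key[2]} already used on line {seen[key]}")
            seen[key] = lineno
        segments.append(endpoints)
    return segments


def neighbors(segments, router_id):
    """Map each (slot, port) of router_id to the remote endpoints it reaches."""
    out = defaultdict(list)
    for seg in segments:
        for ep in seg:
            if ep[0] == router_id:
                out[(ep[1], ep[2])].extend(o for o in seg if o[:3] != ep[:3])
    return dict(out)


if __name__ == "__main__":
    segs = parse_netmap(SAMPLE_NETMAP)
    for slotport, remote in sorted(neighbors(segs, 200).items()):
        print(f"router 200 port {slotport[0]}/{slotport[1]} ->",
              ", ".join(f"{r[0]}:{r[1]}/{r[2]}" for r in remote))
```

Run it over your NETMAP before starting the instances; a ValueError with the offending line number is far quicker to act on than an IOU instance that comes up with the wrong cabling.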

Checking the Hostname For the "iourc" File
$ hostname -s
chaos


The "iourc" File
iourc
-------------------------
[license]
chaos = 4C5556554353434F;


The iourc file is the configuration file Cisco IOU reads at startup to find the license key for this host.

Note: the patching method below assumes the license value is "4C5556554353434F" and that the only thing you change is the hostname on the left-hand side, so that it matches the output of hostname -s on your machine.

Giving Execution Permissions to the IOU Image
$ chmod +x i86*

Executing the IOU Image For Router 100 - Non Patched
$ ./i86bi_linux-adventerprisek9-ms.151-4.M 100
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers. To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************
IOU License Error: invalid license
License for key 7f030f required on host 'chaos'.
Obtain a license for this key and host from the following location:
http://wwwin-enged.cisco.com/ios/iou/license/index.html
Place in your iourc file as follows (see also the web page
for further details on iourc file format and location)
[license]
chaos = <16 char license>;
This attempt did not work because the IOU image has not been patched for your hostname.

Patching the IOU Image For Key "4C5556554353434F"

$ for F in i86bi_linux-*; do bbe -b "/\xfc\xff\x83\xc4\x0c\x85\xc0\x75\x14\x8b/:10" -e "r 7 \x90\x90" -o $F.x $F; mv $F.x $F; done; chmod +x ./i86bi_linux-*

What this does: bbe searches each image for the 10-byte sequence fc ff 83 c4 0c 85 c0 75 14 8b (which contains test eax,eax followed by jne +0x14) and replaces the two bytes at offset 7 of that block, the jne instruction 75 14, with two NOPs (90 90). The branch taken when the license does not validate is therefore never executed. The patched copy is written to $F.x and then moved over the original, so keep a backup of the unpatched image.

Note: This works for the following IOU images (it did not work for Layer 2 images):

  • i86bi_linux-adventerprisek9-ms
  • i86bi_linux-ipbase-ms
For the i86bi_linuxl2-upk9-ms image you need to use something like IOUGEN.

Executing the IOU Image For Router 100 - Patched IOU
$ ./i86bi_linux-adventerprisek9-ms 100
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers. To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************
Port 0 is not connected to anything
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M),
Version 15.1(4)M, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 25-Mar-11 16:44 by prod_rel_team
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Warning: the compile-time code checksum does not appear to be present.
Linux Unix (Intel-x86) processor with 140260K bytes of memory.
Processor board ID 2048042
8 Ethernet interfaces
8 Serial interfaces
64K bytes of NVRAM.

Executing the IOU Image For Router 200 - Patched IOU
$ ./i86bi_linux-adventerprisek9-ms 200
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers. To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************
Port 0 is not connected to anything
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M),
Version 15.1(4)M, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 25-Mar-11 16:44 by prod_rel_team
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Warning: the compile-time code checksum does not appear to be present.
Linux Unix (Intel-x86) processor with 140260K bytes of memory.
Processor board ID 2048042
8 Ethernet interfaces
8 Serial interfaces
64K bytes of NVRAM.
If you don't need network (telnet) access to the devices, this is enough: add a few more devices and connections to the NETMAP file and you are good to go.

IOU Image Options
./i86bi_linux-adventerprisek9-ms
Usage: <image> [options] <application id>
<image>: unix-js-m | unix-is-m | unix-i-m | ...
<application id>: instance identifier (0 < id <= 1024)
Options:
-e <n> Number of Ethernet interfaces (default 2)
-s <n> Number of Serial interfaces (default 2)
-n <n> Size of nvram in Kb (default 16KB)
-b <string> IOS debug string
-c <name> Configuration file name
-d Generate debug information
-t Netio message trace
-q Suppress informational messages
-h Display this help
-C Turn off use of host clock
-m <n> Megabytes of router memory (default 128MB)
-L Disable local console, use remote console
-u <n> UDP port base for distributed networks
-R Ignore options from the IOURC file
-U Disable unix: file system location
-W Disable watchdog timer
-N Ignore the NETMAP file

NVRAM Files
The IOU instances in the example above created the following files:
  • nvram_00100 --> Router 100
  • nvram_00200 --> Router 200

As you might recall, NVRAM is where the startup-config is stored, so these files are more or less the startup configs of routers 100 and 200.

If you type:
$ cat nvram_00100
????
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router100
!
boot-start-marker
boot-end-marker
<...>
you can see the startup-config, plus a bit of gibberish (the binary NVRAM header at the top).

TSHOOT - Cisco IOU Error Messages

  • What does ``UNIX ERR:tcgetattr:Invalid argument'' mean? I'm not sure, honestly, but it doesn't seem to hurt anything or cause any loss of functionality. It appears that it can be safely ignored.
  • i86bi_linux_adventerprisek9-ms: No such file or directory. You're probably running a 64-bit version of Linux. On Debian and Ubuntu, installing the ia32-libs package will fix this for you (for other distros, you're on your own):

$ sudo apt-get install ia32-libs

  • i86bi_linux_adventerprisek9-ms: error while loading shared libraries. You either do not have libssl installed or your version is much newer than what Cisco linked against when building the IOU images.
First, ensure that libssl is installed. On Debian and Ubuntu:
$ sudo apt-get install libssl0.9.8
Next, you'll need to make a symbolic link pointing to the libcrypto.so.4 file that IOU is looking for.

On 32-bit hosts:
$ sudo ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.4

On 64-bit hosts:
$ sudo ln -s /usr/lib32/libcrypto.so.0.9.8 /usr/lib32/libcrypto.so.4
  • I'm getting a "host not found in iourc file" error message. Use the correct hostname in your IOURC file. See above.
  • How can I add an NM-16ESW module? You can't.
  • Oh, come on! There must be some way to add ATM or NM-16ESW modules! Nope.
  • Wrapper-linux: No such file or directory error message. Provide the correct path to the IOU image as the -m option. If it is in the current directory, refer to it as ./i86bi_linux-adventerprisek9-ms, for example.
  • I've tried everything and I can't get it to work. What should I do? Use GNS3 instead.
  • Will you send me a copy? No. In addition, if you post any comments below asking for or offering IOU images, they will be deleted whenever I see them.

Wrapping the IOU Image Execution for Telnet Access

Wrapper - What it is And How It Works
When you start up an IOU router from the command line, it will stay in the foreground and you'll be connected to the console. This may not always be the desired behavior, especially if you wish to telnet to the console from another host on the network (similar to dynamips).
The wrapper program can be used to redirect a TCP port to the console of the router so that you can do exactly this.

How do I use the Wrapper
$ ./wrapper
Usage: ./wrapper [-v] -m<image name> -p<port number> -- [iou options] <router ID>
where <port number> is in the range <1024-65550>
all options after the '--' are passed to iou
[-v] Display version

For example, instead of just running ./imagename <application id>, you would use something like this:

$ ./wrapper -m ./imagename -p 2000 -- -e0 -s1 -m 64 100

This would instruct the wrapper to start up the IOU image named ./imagename and listen on TCP port 2000. Any options after the double hyphen (--) are passed on to the IOU image, so in this case our IOU instance would start up with zero Ethernet interfaces (-e0), one serial interface (-s1), which actually means four serial interfaces in newer images due to a feature called "Wide Port Adapters", and 64 MB of RAM (-m 64).

The “Application ID”, which we'll use to refer to this instance in the NETMAP file (see above), is 100.
The wrapper is most useful in a shell script to start up and background a number of IOU instances at once. For a complete example showing a NETMAP file and a corresponding shell script to startup all IOU instances, see my article iou2net.pl, an IOUlive replacement:

  • http://evilrouters.net/2011/09/22/iou2net-pl-ioulive-replacement-netmap-startup-script/

Stopping the IOU's When Using the Wrapper
If you are using the wrapper and have backgrounded the IOU instances, you'll need to find the process ID of the instance you want to stop and use the kill command.
To see all of your running IOU instances, use this command:
$ ps -ef | grep [w]rapper

Find the instance you want to stop and pass the corresponding process IDs to the kill command.
To stop all running IOU instances in one fell swoop, use the following:
$ ps -ef | grep [w]rapper | awk '{ print $2 }' | xargs kill

Executing the IOU Image For Router 100 - via Wrapper
$ ./wrapper-linux -m ./i86bi_linux-adventerprisek9-ms -p 2100 -- -e3 -s3 -m 128 -n 16 100 > /dev/null 2>&1 &

Command Dissected:
-m ./i86bi_linux-adventerprisek9-ms - Wrapped IOU image
-p 2100 - Wrapper's telnet port for remote access
-- - Everything after this is passed to the IOU image
-e3 - 3 Ethernet interfaces (in some IOU images that is 3x4)
-s3 - 3 Serial interfaces (in some IOU images that is 3x4)
-m 128 - Megabytes of router memory (default 128MB)
-n 16 - Size of nvram in Kb (default 16KB)
100 - IOU router ID in the NETMAP file
> /dev/null 2>&1 - Redirect STDOUT and STDERR to the null device (blackhole)
& - Run the wrapper in the background

$ telnet localhost 2100
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.

Executing the IOU Image For Router 200 - via Wrapper
$ ./wrapper-linux -m ./i86bi_linux-adventerprisek9-ms -p 2200 -- -e3 -s3 -m 128 -n 16 200 > /dev/null 2>&1 &

Command Dissected:
-m ./i86bi_linux-adventerprisek9-ms - Wrapped IOU image
-p 2200 - Wrapper's telnet port for remote access
-- - Everything after this is passed to the IOU image
-e3 - 3 Ethernet interfaces (in some IOU images that is 3x4)
-s3 - 3 Serial interfaces (in some IOU images that is 3x4)
-m 128 - Megabytes of router memory (default 128MB)
-n 16 - Size of nvram in Kb (default 16KB)
200 - IOU router ID in the NETMAP file
> /dev/null 2>&1 - Redirect STDOUT and STDERR to the null device (blackhole)
& - Run the wrapper in the background

$ telnet localhost 2200
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.

Note: This is the same example as the one above, but run through the wrapper and with some IOU options.
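The start-up script mentioned earlier (one wrapper invocation per router, each backgrounded on its own console port) and the ps/kill clean-up can be put together in a few lines. The script below is an added example and not the article's own iou2net.pl script; it assumes ./wrapper-linux and the image sit in the current directory, that router IDs match the NETMAP file, and that the console port is 2000 + router ID, which reproduces the 2100/2200 ports used above.

```shell
#!/bin/sh
# Added example, not the article's own script: start several IOU routers
# through the wrapper (one telnet console port each) and stop them again.
# Assumptions: ./wrapper-linux and the image below sit in the current
# directory, router IDs match the NETMAP file, and the console port is
# 2000 + router ID, so router 100 listens on 2100 and router 200 on 2200.
WRAPPER=./wrapper-linux
IMAGE=./i86bi_linux-adventerprisek9-ms
PORT_BASE=2000

# Console port for a router ID.
iou_port() {
    echo $((PORT_BASE + $1))
}

# Wrapper command line for one router; everything after '--' goes to IOU.
iou_cmd() {
    echo "$WRAPPER -m $IMAGE -p $(iou_port "$1") -- -e3 -s3 -m 128 -n 16 $1"
}

# Launch one router in the background. Output goes to iou_<id>.log rather
# than /dev/null so a crashing instance leaves a trace.
iou_start() {
    _id=$1
    if [ "$_id" -lt 1 ] || [ "$_id" -gt 1024 ]; then
        echo "router id $_id out of range 1-1024" >&2
        return 1
    fi
    # The console port is a plain telnet listener with no authentication of
    # its own: restrict who can reach it with the host firewall.
    $(iou_cmd "$_id") > "iou_$_id.log" 2>&1 &
    echo "router $_id started, pid $!, console port $(iou_port "$_id")"
}

# Stop every wrapper-launched instance (the article's ps | grep | awk | xargs).
iou_stop_all() {
    ps -ef | grep '[w]rapper' | awk '{ print $2 }' | xargs kill
}

# Usage: sh iou_lab.sh start 100 200   or   sh iou_lab.sh stop
case "$1" in
    start) shift; for id in "$@"; do iou_start "$id"; done ;;
    stop)  iou_stop_all ;;
esac
```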


Connecting IOU to the Real World

There are several options:

Graphical Interfaces

There are at least two that I know about:

Now IOU is supported on GNS3, check out how to set it up here:

Based On:

Customize Your Windows 8 Installation Disc

Customize Your Windows 8 Installation Disc and Slipstream Updates With WinReducer

windows-8-installation-disc

Windows installation disc-customizing tools are always useful. They allow you to add Windows updates to your installation media, streamline the installation process by filling in your product key and other information, and customize Windows’ default settings.

We previously covered RT Se7en Lite for Windows 7, and WinReducer works similarly for Windows 8. Both tools work similarly to the nLite tool for Windows XP — WinReducer is like an nLite for Windows 8.

Setup

First, download WinReducer 8. This software is technically in beta at the moment because of how new Windows 8 is, but it worked fine for us. That said, WinReducer includes a warning that it shouldn’t yet be used for production purposes. It’s okay to experiment with it on your own, but don’t use it to customize an entire organization’s mission-critical Windows 8 installer discs just yet.

Launch WinReducer after extracting it and you’ll immediately see an error message. The message tells you you’ll have to manually download certain tools that WinReducer requires — click OK to continue.

Click the Download links to visit each program’s website and download the appropriate software. Just download the software and install it as you normally would, then click each check box and point WinReducer at each installed program’s .exe file. ImageX and osdimg are both included in the same package, so you only really have to download four different tool packages. This is the most tedious part of the process — it’s smooth sailing after this.

You’ll next have to copy the contents of a Windows 8 installation disc to a folder on your computer and point WinReducer at that folder. You can also click the Extract an ISO box and point WinReducer at the ISO file — it will automatically extract the ISO file to a temporary folder.

After pointing WinReducer at the Windows 8 installation files, select the edition of Windows 8 you’ll be using and click the Mount button.

WinReducer will read the data from your Windows 8 installation files and then you can get started.

Minimizing Your Installation Media

As its name suggests, WinReducer is focused on reducing the size of your Windows 8 installation disc by removing components from it. This is possible — for example, you could remove the default Modern apps, language files you don’t use, and various other things. You should be extra careful if you start removing stuff — you could easily remove too much and cause problems with your resulting Windows system.

We don’t recommend removing things — sure, you could shrink your ISO image, but either way it would fit on a DVD. You could perhaps fit it on a smaller USB drive, if you’re lucky. The resulting Windows system may use less space when you install it, but the difference shouldn’t be significant.

Customization

The options on the Customization tab are more interesting. On the Appearance tab, you can set a custom background you’ll see during the installation process and also set a custom desktop wallpaper, lock-screen background, theme, and system properties logo that you’ll see on the installed system. Other tabs allow you to customize Internet Explorer 10, including setting a different home page and changing a variety of its settings.

Slipstreaming Updates

On the System tab, you’ll find options for integrating drivers and updates. This process of integrating updates is known as “slipstreaming.” It saves you time later by integrating Windows updates with the installation media, so you won’t have to install them after installing Windows. To start slipstreaming updates, click the Updates checkbox and choose a folder for your updates.

Click the Update Download Tool button and use the integrated tool to download the Windows 8 updates to your computer. They’ll be integrated into your Windows 8 installation media when you create the media.

Unattended Installation Options

WinReducer allows you to set up unattended Windows installation options. These allow your Windows installation media to automatically select various options. For example, you can have the Windows installation process automatically accept the EULA, select your preferred language, and enter your serial number — your serial key will be inserted directly into your Windows installation image.

If you opt to integrate your serial number, be sure you only use your Windows 8 installation media for a single computer or you’ll be violating the Windows license agreement. You’ll also run into issues activating Windows 8 if you use the same key on multiple systems.

Other tabs here allow you to set up your final Windows installation setup, including automatically creating user accounts and selecting passwords, enabling autologin, and selecting a computer name.

Creating Your Installation Media

Once you’re done configuring your Windows 8 installation media, click the button on the Apply tab to create your customized ISO file.

You can then burn the resulting ISO file to a disc or copy it to a USB drive the same way you’d create a Windows 8 USB drive from a standard Windows 8 ISO image. The resulting installation media will work just like standard Windows 8 installation media, but will be customized with all the options you chose.


Before installing your customized Windows installation disc onto a standard computer, you may want to test by installing it on a virtual machine created by VirtualBox or VMware Player. WinReducer is still in beta, so it’s a good idea to be careful and double-check everything worked properly.

Taken From: http://www.howtogeek.com/169522/customize-your-windows-8-installation-disc-and-slipstream-updates-with-winreducer/