CCNP study books?

Ready for the CCNP Enterprise 350-401 certification? So there are three things. Three (3) things you need to pass the CCNP. Let me show them in pictures:

Ok, so the three (3) things are:

  1. IPv6 book by Microsoft: Understanding IPv6. Great book and essential for knowing IPv6. It has the theory and then shows actual packet captures. The packet captures are great for keeping the concepts straight. IPv6 ND packets can be confusing and hard to grasp. Few here in America use IPv6 on a daily basis, so you have to learn it somehow. Use a lab and this book. Yes, this is a Microsoft book. You know what, they have the best book on IPv6. Microsoft has been using IPv6 since before sliced bread. They know this stuff. Just buy it and read it.
  2. CCNP study guide by Cisco. Haven't read the whole thing yet, but this is one of the best single study books. It is on sale right now on Amazon.
  3. Create a lab. You will need several Cisco routers and Cisco switches. Cost should be under $1000.00 if you buy on a budget. I also use an older Cyclades IP serial AlterPath ACS 16 device to connect to the serial ports. You can get by with a USB to serial converter; you could even buy a few of them and keep them connected to the important parts of your lab. For Cisco switches, I have several 2960s, and I am also trying to get a newer switch. In the picture you might notice an old 2900 series XL. Someone gave it to me, don't laugh! For most things, I use newer equipment. I have to do some VTP labs myself and I am not sure all versions of VTP are covered on a 2960. I think they are if you have a Cisco account and can get new IOS code on them. I suggest a real lab, not virtual. For routers I am using Cisco 2911s. I also have a Cisco 4321 that I got for $50.00. ***** VIRTUAL LABS ARE LAME***** For me I need a real lab just so I get off the internet. Using a virtual lab on the internet may work for some. I like the actual equipment. Yes, it's loud. Yes, it uses a lot of power. But it truly is the best experience, I think. A stand-alone lab can be a godsend for those who have internet distraction disease (IDD). Most of us have a mild form of IDD and show some symptoms. The symptoms of IDD? Whenever you are on an internet-enabled computer, you need to check something on the internet that is not necessary. That is IDD. It's a big deal. Having a separate lab keeps you focused. You can write your notes on a non-internet-connected computer and save them to USB when you need to pull them to your other devices. Your large hardware store like Lowes has the steel racks shown in the picture; they run around $200.00. For me I like having a lot of space to put various things: my laptops, my books, cables, my lunch, my water, my backpack, and so on.

Copyright 2022, Rod Deluhery

wireless

Need a better signal? App not loading? Try forcing the wireless driver to use 5 GHz (instead of 2 GHz), or 2 GHz if you are on 5 GHz. Usually you can do that in the driver parameters/settings under the NIC.

This will show the channels and frequencies available:    C:\Users\rod_deluhery>netsh wlan show all

For example, I can see from my output that the wireless I use at home offers two (2) different channels:

SSID 2 : SpectrumSetup-F8
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 44:ad:b1:56:36:ff
         Signal             : 40%
         Radio type         : 802.11ac
         Channel            : 157
         Basic rates (Mbps) : 6 12 24
         Other rates (Mbps) : 9 18 36 48 54
    BSSID 2                 : 44:ad:b1:56:36:fe
         Signal             : 67%
         Radio type         : 802.11n
         Channel            : 1
         Basic rates (Mbps) : 1 2 5.5 11
         Other rates (Mbps) : 6 9 12 18 24 36 48 54
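Reading this by eye works for one access point, but the same output becomes tedious across many. As an added example (not part of the original post, and not a Microsoft tool), here is a small Python parser for the BSSID blocks of netsh wlan show all. It maps each channel number to its band (channels 1-14 are 2.4 GHz, 36 and up are 5 GHz; that mapping and the helper names are this example's own) and picks the strongest BSSID per band, which is what you want to know before forcing the driver onto one band. The sample text is the post's own output, copied above for reference.

```python
"""Parse BSSID blocks from `netsh wlan show all` output and report bands.

Added example, not the post's own code. The sample below is the output the
post shows; band_for_channel() uses standard 802.11 channel numbering.
"""
import re

# Sample input: the post's netsh output (constructed copy of the relevant lines).
SAMPLE_NETSH_OUTPUT = """\
SSID 2 : SpectrumSetup-F8
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 44:ad:b1:56:36:ff
         Signal             : 40%
         Radio type         : 802.11ac
         Channel            : 157
         Basic rates (Mbps) : 6 12 24
         Other rates (Mbps) : 9 18 36 48 54
    BSSID 2                 : 44:ad:b1:56:36:fe
         Signal             : 67%
         Radio type         : 802.11n
         Channel            : 1
         Basic rates (Mbps) : 1 2 5.5 11
         Other rates (Mbps) : 6 9 12 18 24 36 48 54
"""

# "key : value"; the key is matched lazily so values containing colons (MACs) survive.
_KV = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def band_for_channel(channel):
    """Map an 802.11 channel number to a band label.

    Note: 6 GHz (Wi-Fi 6E) reuses channel numbers 1-233, so this heuristic
    only distinguishes 2.4 GHz from 5 GHz, which is what the post is about.
    """
    if 1 <= channel <= 14:
        return "2.4 GHz"
    if 36 <= channel <= 177:
        return "5 GHz"
    return "unknown"


def parse_bssids(text):
    """Return one dict per BSSID block: ssid, bssid, signal (%), radio, channel, band."""
    ssid = None
    entries = []
    current = None
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key.startswith("SSID"):
            ssid = value
        elif key.startswith("BSSID"):
            current = {"ssid": ssid, "bssid": value}
            entries.append(current)
        elif current is None:
            continue  # fields before the first BSSID line belong to the SSID header
        elif key == "Signal":
            current["signal"] = int(value.rstrip("%"))
        elif key == "Radio type":
            current["radio"] = value
        elif key == "Channel":
            current["channel"] = int(value)
            current["band"] = band_for_channel(current["channel"])
    return entries


def strongest_per_band(entries):
    """For each band, the BSSID with the best reported signal."""
    best = {}
    for e in entries:
        band = e.get("band")
        if band is None or "signal" not in e:
            continue
        if band not in best or e["signal"] > best[band]["signal"]:
            best[band] = e
    return best


if __name__ == "__main__":
    for band, e in strongest_per_band(parse_bssids(SAMPLE_NETSH_OUTPUT)).items():
        print(f"{band}: {e['bssid']} channel {e['channel']} ({e['radio']}) signal {e['signal']}%")
```

On a real machine, pipe the command output in instead of the sample (for example netsh wlan show all > wlan.txt, then read that file). In the post's own data the parser reports the 2.4 GHz radio (channel 1) at 67% and the 5 GHz radio (channel 157) at 40%, so a stronger signal and a faster band are not the same thing here.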

Copyright 2021 Rod Deluhery

Cisco eem script

EEM details and how to do it on a switch or router. The best part? You can have the script send an email with the details, using:

R1(config-applet)#action 4.0 mail server "11.0.0.2" to "info@auda.com" from "eem@cisco.com" subject "kokowawa" body "current users $_cli_result"

Example one:

Let's create a manually triggered applet; once we run it, it will bring a router interface up and give it an IP address.

R1#config terminal

R1(config)#event manager applet set_ip

(this command creates an EEM applet named set_ip)

R1(config-applet)#event none sync yes

(event none means this EEM applet is triggered manually;

sync yes means run the commands synchronously, i.e. run each command and wait for it to finish before running the next one.)

Now we start typing our actions, which will look like this:

The number after action (1.0, or simply 1, 2, ... as below) is just the action's sequence label; it is better to leave gaps between the numbers so you can come back and add a missing action.

cli means we will use the CLI to type a command; this command will be typed on your behalf.

command "enable" is your command.

R1(config-applet)#action 1 cli command "enable"

R1(config-applet)#action 2 cli command "config t"

R1(config-applet)#action 3 cli command "interface fa0/0"

R1(config-applet)#action 4 cli command "ip add 10.1.1.1 255.255.255.0"

R1(config-applet)#action 5 cli command "no sh"

R1(config-applet)#action 6 cli command "end"

R1(config-applet)#exit

Finally, once you want to run this EEM applet, just type the following command:

R1#event manager run set_ip

You can run R1#show event manager policy available to see the EEM policies on your router.

Branch Code Paths with if/else

EEM variables can be used to control the execution flow of EEM scripts. Consider this EEM script:

event manager applet snmp_cpu authorization bypass
event timer watchdog time 60
action 0010 info type snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.3.1 get-type exact
action 0020 if $_info_snmp_value ge "50"
action 0030 syslog msg "This syslog message will be sent if CPU utilization is above 50%"
action 0040 elseif $_info_snmp_value ge "30"
action 0050 syslog msg "This syslog message will be sent if CPU utilization is above 30% and below 50%"
action 0060 else
action 0070 syslog msg "This syslog message will only be sent if CPU utilization is below 30%"
action 0080 end

This script will run every minute, examine the value of the SNMP OID for CPU utilization, and then enter one of three different execution paths based on the value of the OID. Similar statements can be used on any other legal EEM variable to build complex execution flows in EEM scripts.

Here is the summary of commands; this is for a simple script that enables an interface and adds an IP address. Automagic!

So to learn EEM, I suggest reading EEM by Examples. Link below. It shows some details on how to create the script. Two web pages. First is this one on the Learning Network:

https://learningnetwork.cisco.com/s/article/understanding-cisco-eem-by-examples-part-1

Then read this article for some more example scripts.

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-16/216091-best-practices-and-useful-scripts-for-ee.html

After that, do some labs on your equipment. And then you are a master of EEM.

Cisco security news

If you are a communications person, you should subscribe to SANS NewsBites. The news and the commentary are worth your time, trust me. Or have zero trust, your choice. Here is this week's NewsBites. Subscribe!! https://www.sans.org

Top of The News
NSO's Pegasus Spyware Found on iPhones of US State Department Employees
FBI Warning on Critical Infrastructure Ransomware Attacks
Microsoft Dismantles APT Group's Infrastructure

The Rest of the Week's News

Gen. Nakasone: US Military Has Taken Action Against Ransomware Actors
GAO: Government Must Take Steps to Protect Critical Infrastructure
HHS Launches Healthcare Sector Cybersecurity Website
Spar Supermarkets Hit with Cyberattack
Cyberattack Hits Colorado Utility
Cyberattack Hits Maryland Dept. of Health

IPS on your network, today?

Become the IPS expert for your network? It is not easy. None of the products on the market make IPS easy, and it really should not be easy. You have to know the protocols, know how the alerts work, and be able to tweak them.

Do you know Snort? Do you know that Talos / FMC rules are Snort rules, but there are also some differences in how Cisco applies them? One difference: "Connectivity default policy and disabled in the Connectivity over Security default policy. Talos sometimes uses a rule update to change the default action of one or more rules in a default policy." That means you can't just edit some of the Talos rules!

For Cisco Firepower IPS, I suggest this. You can always go "turbo security" or super security and move the Snort/Talos rules to high security. This is done by choosing the "Balanced Security and Connectivity" policy and changing it to "Security Over Connectivity". If you have an emergency malware outbreak and cannot figure out exactly what is causing it, then do something. Raise your security by flipping the switch. The picture below shows where to do it. Thank me next time.

Read more

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/asa-fp-services/asafps-local-mgmt-config-guide-v64/understanding_network_analysis_and_intrusion_policies.html

Copyright 2021 Rod Deluhery

Using radius?

You should check out Cisco ISE. It is RADIUS and many other things. Cisco ISE is not easy to learn and it's also not easy to try. I suggest a Cisco lab offering to learn the product.

Also check out Piotr Kaluzny's class on ISE over at ine.com (http://www.ine.com). Piotr's class is pretty good and he made me laugh at least once. It's not too deep and not too shallow. It covers most of the functions of ISE. Check out the INE.com t-shirts also.

Unfortunately for those learning ISE, there are no Learning Labs for ISE. Cisco, please fix this. It's not always easy to get VMware running ISE. People need a good way to learn it. The Cisco Learning Labs link is below. The CCNA labs are pretty good.

https://learningnetworkstore.cisco.com/cisco-learning-labs

Copyright 2021 Rod Deluhery

ssh hackers

SSH hacking. I am amazed at the number of SSH hackers. It's common to get people trying to hack your root account. The internet is an amazing thing, allowing us to learn a vast amount of information and content. It is also the biggest distraction ever made, with YouTube, chat rooms and general black holes. And the internet allows us to hack the hell out of each other. An internet-connected device will constantly get hacked, almost no matter what IP address you have!!

You will constantly see it in the logs. You see 'Failed password for root from 103.152.242.19 port 40834 ssh2' entries. This happens on every host. It happens on hosts that have little valuable information. I found this information on a person's cloud host they use to host a personal site... nothing of value at ALL, yet it gets hacked all the time.

What else?
The hackers use other names that are common in software found on systems, like admin, test, and other common names. And they do this
24 hours a day, every day of the week, never ending. You can block them with IP address blocking, IP geo-blocking, or simply by not letting anyone connect except valid users.
How? You can allow only certain IP addresses to connect to your host. Only allow the vendor or your own IP into the server. A great method.
How else? You can limit when people connect and WHO can connect, as well.
To prevent anyone on the internet from connecting, you can limit the times at which connections are allowed. This is similar to a 'time lock' on a bank safe.
A time lock prevents anyone from trying to get into the safe, except during business hours.
Same concept as a time lock: you can restrict when you allow connections to your machine at all.
Use a 'just in time' authentication method to allow your host to be connected to only when you need it.
On Microsoft Azure, look up 'just in time' authentication for this service.

Here is some data I found in the auth.log file. This file shows valid and invalid connection attempts. I sorted this file using several Unix commands, looking at the auth.log file. The command was as follows:

grep 'invalid user' auth.log.1 | awk '{print $13}' | sort -n -r | uniq -c > out19_cc.txt

Here is the attack data. In a little less than a week (six days), some statistics on this host:

20 seconds. The host was hacked about every 20 seconds.

25,375 connections. A total of 25,375 connection requests in this period.

2023 different and unique IP addresses tried to connect.

38 tries. Each IP address tried an average of 38 times to connect (usually using different passwords).

5014 different usernames. The system was given 5014 different, invalid usernames.

2663 usernames were used more than once.

738 usernames were used more than ten (10) times. The list of those usernames (not including ROOT) that tried to SSH to this machine is below:

Two columns. The first is the number of times that username was used; the second is the username attempted.

10 zb
10 yw
10 yo
10 wx
10 wc
10 wb
10 vg
10 vf
10 ue
10 ts3server
10 testftp
10 te
10 students
10 storm
10 service
10 sd
10 rw
10 ru
10 ro
10 rl
10 rj
10 qt
10 qr
10 qa
10 ov
10 nginx
10 ng
10 nf
10 nexus
10 na
10 mh
10 lm
10 le
10 kv
10 ku
10 kf
10 kevin
10 kafka
10 jz
10 jt
10 jk
10 jd
10 jboss
10 iq
10 ih
10 hp
10 hl
10 fn
10 ez
10 et
10 ek
10 ei
10 dw
10 da
10 cy
10 cr
10 cl
10 chris
10 cg
10 ce
10 br
10 aw
11 zu
11 zg
11 zc
11 ys
11 ye
11 yc
11 xx
11 xm
11 xi
11 xc
11 wpyan
11 wj
11 vt
11 vk
11 vh
11 tu
11 tc
11 sk
11 sf
11 rt
11 rq
11 qm
11 qi
11 qg
11 qd
11 px
11 pu
11 po
11 pl
11 pe
11 pb
11 ox
11 oq
11 on
11 ob
11 node
11 ly
11 lq
11 ll
11 kt
11 kh
11 jv
11 jg
11 ir
11 ia
11 hk
11 he
11 hd
11 gz
11 gmodserver
11 gk
11 gi
11 gd
11 fu
11 eu
11 er
11 ep
11 dy
11 df
11 deployer
11 cz
11 cx
11 cp
11 confluence
11 cj
11 au
11 asterisk
11 aq
11 ad
12 yy
12 yg
12 xz
12 xp
12 xh
12 xe
12 xbmc
12 xb
12 wv
12 wt
12 wd
12 vyatta
12 vy
12 vv
12 vmail
12 vm
12 vb
12 ut
12 ui
12 tz
12 tx
12 tk
12 td
12 sz
12 st
12 ss
12 sr
12 speech-dispatcher
12 rp
12 robert
12 qw
12 qv
12 qs
12 qo
12 qn
12 py
12 ps
12 ph
12 pf
12 pd
12 oj
12 oi
12 nh
12 nc
12 ls
12 lc
12 kp
12 kl
12 kj
12 ki
12 jo
12 jj
12 is
12 il
12 hv
12 hu
12 hj
12 gx
12 go
12 ey
12 ex
12 eq
12 ec2-user
12 ea
12 dx
12 dh
12 dg
12 ct
12 csgoserver
12 by
12 bn
12 aj
12 ah
12 adm
12 ab
13 zw
13 zr
13 yq
13 ym
13 xy
13 xo
13 xl
13 wr
13 ve
13 vd
13 ux
13 uv
13 tr
13 th
13 temp
13 sx
13 sv
13 sq
13 so
13 rs
13 qu
13 pz
13 pv
13 pt
13 pp
13 oo
13 og
13 oe
13 od
13 ny
13 nb
13 mv
13 mk
13 mb
13 m
13 lw
13 lu
13 kz
13 kr
13 kq
13 jx
13 jh
13 ja
13 im
13 ik
13 ie
13 hh
13 hb
13 fv
13 ft
13 fq
13 fd
13 fb
13 eb
13 dt
13 ds
13 dn
13 dl
13 dk
13 dj
13 de
13 dc
13 cpanelphpmyadmin
13 cc
13 bu
13 bo
13 bl
13 bg
13 al
13 ag
14 zy
14 zs
14 zl
14 zj
14 yh
14 xk
14 xd
14 wi
14 vi
14 uy
14 um
14 uj
14 uc
14 ty
14 tv
14 tt
14 toor
14 tn
14 stackato
14 sinusbot
14 si
14 sconsole
14 sb
14 sansforensics
14 sans
14 samurai
14 rh
14 ra
14 qj
14 qh
14 qe
14 qc
14 pyimagesearch
14 pq
14 pn
14 plexuser
14 pk
14 oy
14 ow
14 osboxes
14 osbash
14 openhabian
14 om
14 nv
14 nq
14 nexthink
14 netscreen
14 NetLinx
14 nao
14 myshake
14 my
14 mt
14 misp
14 maint
14 mailman
14 m202
14 lt
14 localadmin
14 lg
14 ld
14 la
14 kx
14 kw
14 ju
14 js
14 jr
14 if
14 id
14 hz
14 hy
14 hxeadm
14 hq
14 ho
14 hg
14 hduser
14 hacker
14 gu
14 gh
14 fw
14 fl
14 fe
14 daniel
14 cw
14 cu
14 cq
14 cirros
14 bi
14 bb
14 ax
14 as
15 zi
15 yl
15 xv
15 wy
15 wk
15 wf
15 vs
15 vo
15 ts3bot
15 sl
15 se
15 rz
15 redmine
15 ql
15 qk
15 pc
15 ou
15 of
15 oc
15 nt
15 mr
15 michael
15 mg
15 ma
15 lx
15 lb
15 ks
15 kc
15 ka
15 jw
15 iy
15 iw
15 informix
15 info
15 hunter
15 ht
15 hn
15 hf
15 gn
15 ethos
15 eh
15 ed
15 dz
15 dr
15 do
15 device
15 dd
15 david
15 cloudera
15 ch
15 bw
15 bs
15 bj
15 ay
15 ao
15 ac
15 aa
16 zp
16 ze
16 za
16 yt
16 yd
16 xa
16 ww
16 wg
16 vx
16 vq
16 vps
16 vl
16 va
16 uu
16 uploader
16 uk
16 uf
16 tm
16 tg
16 ta
16 sh
16 sg
16 s
16 ry
16 rk
16 rg
16 re
16 q
16 pm
16 or
16 nn
16 nj
16 ms
16 mo
16 mn
16 mm
16 kn
16 k
16 jf
16 hs
16 gm
16 fa
16 ec
16 docker
16 ci
16 bv
16 bf
16 be
16 ba
16 am
16 ai
17 zd
17 yx
17 yv
17 yf
17 xu
17 wl
17 wh
17 vr
17 uz
17 up
17 uh
17 ub
17 tl
17 system
17 sw
17 su
17 steam
17 solr
17 sc
17 rf
17 qx
17 ok
17 oh
17 no
17 nl
17 nk
17 mi
17 me
17 jb
17 j
17 gl
17 gb
17 el
17 ef
17 dp
17 cs
17 cm
17 cd
17 cb
17 ca
17 c
17 bt
17 bm
17 ak
18 zx
18 yj
18 wu
18 we
18 vw
18 vu
18 vc
18 v
18 uw
18 un
18 ti
18 tf
18 telecomadmin
18 rx
18 rv
18 qy
18 qf
18 qb
18 pa
18 oz
18 os
18 nx
18 nw
18 mx
18 mu
18 lo
18 lj
18 ko
18 km
18 ii
18 hr
18 gitlab-runner
18 fy
18 ftp
18 es
18 eo
18 contador
18 bd
19 zk
19 zf
19 yb
19 y
19 xf
19 ws
19 uq
19 to
19 teste
19 redhat
19 r
19 prueba
19 leo
19 jq
19 jm
19 ix
19 iv
19 ic
19 gw
19 fk
19 fh
19 ff
19 ew
20 zv
20 zq
20 xt
20 xg
20 wq
20 wp
20 us
20 ri
20 redis
20 profile1
20 pj
20 p
20 MikroTik
20 jp
20 jn
20 fr
20 fj
20 en
20 em
20 d
20 cisco
20 bx
21 ya
21 x
21 testing
21 qp
21 o
21 n
21 mp
21 minecraft
21 lk
21 li
21 kb
21 f
21 e
21 dq
21 developer
21 bq
21 bp
21 an
21 a
22 yn
22 yi
22 vnc
22 vn
22 vj
22 user3
22 stack
22 rd
22 rb
22 md
22 ip
22 gv
22 g
22 eg
22 bk
22 at
22 alex
23 yp
23 upload
23 ul
23 t
23 sm
23 rm
23 operator
23 oa
23 mw
23 mq
23 ml
23 iz
23 gq
23 gp
23 fc
23 ck
23 centos
23 bh
23 b
24 web1
24 wa
24 w
24 user01
24 tom
24 tech
24 rabbitmq
24 mc
24 h
24 ej
24 cv
24 ar
24 ap
24 admin1
25 z
25 uftp
25 tester
25 pr
25 john
26 user2
26 u
26 apache
27 svn
27 rr
27 public
27 ga
27 du
27 cssserver
28 user0
29 ts
29 teamspeak3
29 l
29 elastic
29 db2inst1
29 Administrator
30 xn
30 ftptest
31 webadmin
31 ftpadmin
31 elasticsearch
33 testuser
34 zabbix
34 vagrant
35 odoo
35 i
35 db
37 webmaster
39 dev
40 spark
41 weblogic
41 jira
44 web
48 tomcat
48 teamspeak
49 student
50 default
52 ts3
52 server
56 www
57 mysql
60 demo
67 jenkins
69 administrator
72 nagios
85 user1
85 support
85 debian
93 ubnt
100 pi
106 hadoop
110 guest
114 deploy
143 test2
144 for
156 usuario
164 git
172 test1
231 ftpuser
424 oracle
700 postgres
725 ubuntu
852 user
938 test
1276 admin
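The grep/awk pipeline above gives the per-username counts; the other statistics in the post (total attempts, unique source addresses, average tries per address) take a few more passes. As an added example (not the post's own script), here is a Python version that computes all of them in one pass over auth.log and also produces the deny list the post recommends (addresses that exceed a failure threshold, to be handed to your firewall or host allow/deny rules). The log lines below are constructed samples in the shape OpenSSH writes via syslog, using RFC 5737 documentation addresses; the function names and the thresholds are this example's own choices.

```python
"""Summarize SSH brute-force noise from auth.log and derive a deny list.

Added example, not the post's script. SAMPLE_AUTH_LOG is constructed; the
line shape matches what sshd logs through syslog on Debian/Ubuntu hosts.
"""
import re
from collections import Counter

# Constructed sample log: failed root guesses, invalid-user guesses, one valid login.
SAMPLE_AUTH_LOG = """\
Nov  3 10:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 40834 ssh2
Nov  3 10:00:21 host sshd[1002]: Invalid user admin from 192.0.2.10 port 40900
Nov  3 10:00:21 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 40900 ssh2
Nov  3 10:00:41 host sshd[1003]: Invalid user admin from 198.51.100.7 port 51000
Nov  3 10:00:41 host sshd[1003]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Nov  3 10:01:01 host sshd[1004]: Invalid user test from 198.51.100.7 port 51002
Nov  3 10:01:01 host sshd[1004]: Failed password for invalid user test from 198.51.100.7 port 51002 ssh2
Nov  3 10:01:21 host sshd[1005]: Failed password for root from 203.0.113.5 port 2222 ssh2
Nov  3 10:01:41 host sshd[1006]: Accepted publickey for deploy from 203.0.113.9 port 3333 ssh2
"""

# Only "Failed password" lines are counted, so the "Invalid user" precursor
# line sshd also writes does not double-count the same attempt.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_failed_logins(text):
    """Yield (user, ip, is_invalid_user) for every failed password attempt."""
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("invalid") is not None


def summarize(text):
    """Compute the counters the post reports: attempts, unique IPs, tries per IP, usernames."""
    per_ip = Counter()
    per_user = Counter()
    invalid_users = Counter()
    for user, ip, invalid in parse_failed_logins(text):
        per_ip[ip] += 1
        per_user[user] += 1
        if invalid:
            invalid_users[user] += 1  # usernames that do not exist on the host
    total = sum(per_ip.values())
    return {
        "attempts": total,
        "unique_ips": len(per_ip),
        "avg_per_ip": round(total / len(per_ip), 2) if per_ip else 0.0,
        "per_ip": per_ip,
        "per_user": per_user,
        "invalid_usernames": invalid_users,
    }


def usernames_at_least(per_user, n):
    """(count, username) pairs tried at least n times, excluding root, like the post's list."""
    return sorted((c, u) for u, c in per_user.items() if c >= n and u != "root")


def ips_to_block(per_ip, threshold):
    """Source addresses with at least `threshold` failures: candidates for a firewall deny list."""
    return sorted(ip for ip, c in per_ip.items() if c >= threshold)


if __name__ == "__main__":
    stats = summarize(SAMPLE_AUTH_LOG)
    print(f"{stats['attempts']} attempts from {stats['unique_ips']} IPs, "
          f"{stats['avg_per_ip']} per IP")
    for count, user in usernames_at_least(stats["per_user"], 2):
        print(count, user)
    print("block:", ips_to_block(stats["per_ip"], 2))
```

To run it on a real host, read /var/log/auth.log (or the rotated auth.log.1 the post used) into the text argument instead of the sample. The deny list is a starting point for the allow-listing the post describes, not a replacement for it: an attacker's address changes, so restricting who can connect in the first place remains the stronger control.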

cisco built in RFID

Using a Cisco 9300 switch? Keep track of them using the built-in RFID tag.

From the 9300 manual:

RFID Tag

The chassis has a built-in, passive RFID tag that uses UHF RFID technology and requires an RFID reader with compatible software. It provides auto-identification capabilities for asset management and tracking. The RFID tags are compatible with the Generation 2 GS1 EPC Global Standard and are ISO 18000-6C compliant. They operate in the 860- to 960-MHz UHF band. For more information, see Radio Frequency Identification (RFID) on Cisco Catalyst 9000 Family Switches White Paper.

It looked like TSL.com has pretty good software and readers you could use. It is unfortunate that most modern phones don't have reader capability, even though they have 800 MHz software-defined radios. I like this Bluetooth reader with an optical scanner.

https://www.tsl.com/products/1153-bluetooth-wearable-uhf-rfid-reader/

network cable – stretched antenna

A high-speed network cable is an antenna. To me, a network cable is in essence a waveguide, or antenna. The network cable provides a path from one network card to the other network card. These strands of wire don't just carry electrical signals; they allow radio waves to traverse, reflect, and be absorbed. Each wire pair needs to be considered as a waveguide and treated as such. Minor kinks or length changes cause serious signal degradation. These guys at Quabbin have a pretty good explanation. I will try to post some practical examples using damaged wire pairs, and graphs (from analyzers/cable testers).

https://www.quabbin.com/tech-briefs/what-return-loss-why-it-important