Month: July 2023

SSH’ing to Older Cisco Access Points

Trying to ssh into our Cisco access points, we get an error saying “no matching key exchange method found. Their offer: diffie-hellman-group1-sha1” … to enable the older, deprecated algorithms for just these devices (rather than loosening every SSH connection), we added a cisco.conf to /etc/ssh/ssh_config.d (/etc/ssh/ssh_config includes /etc/ssh/ssh_config.d/*.conf)

Host <IP>
     # Legacy algorithms scoped to this one host only; the global defaults stay untouched
     Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
     # The keyword is KexAlgorithms ("KeyAlgorithms" is not a valid ssh_config option)
     KexAlgorithms diffie-hellman-group1-sha1

And restart sshd — voila*, you can SSH into the router / access point / etc.

* — you may get an invalid key length error. In this case, you need to regenerate the key on the Cisco device using a 2048-bit key:

config term
! discard the existing (too short) RSA key pair
crypto key zeroize rsa
! generate a replacement 2048-bit RSA key pair for SSH
crypto key generate rsa modulus 2048
end
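To keep the legacy algorithms scoped to a single device, the error message itself can be turned into the stanza. The script below is an added example, not from the original post: it parses OpenSSH's “no matching … found. Their offer: …” messages, emits a Host block using the `+` prefix (which appends to OpenSSH's defaults instead of replacing them), and flags which of the offered algorithms are ones modern OpenSSH disables by default. The host address, the sample error text and the legacy list are constructed for illustration.

```python
"""Build a host-scoped OpenSSH client stanza from a 'no matching ... found' error.

Added example, not part of the original post. The error text follows the shape
OpenSSH prints; the host address and offered algorithms are constructed.
"""
import re
from typing import Dict, List

# Matches e.g. "no matching key exchange method found. Their offer: diffie-hellman-group1-sha1"
_OFFER_RE = re.compile(
    r"no matching (?P<what>key exchange method|cipher|host key type|MAC) found\. "
    r"Their offer: (?P<offer>[\w@.,-]+)"
)

# Wording used in the error -> ssh_config keyword that controls that negotiation.
_KEYWORD = {
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "host key type": "HostKeyAlgorithms",
    "MAC": "MACs",
}

# Illustrative subset (assumption) of algorithms current OpenSSH disables by default.
LEGACY = {"diffie-hellman-group1-sha1", "3des-cbc", "blowfish-cbc",
          "aes128-cbc", "ssh-rsa", "ssh-dss"}

# Constructed client stderr, two failed negotiations against one device.
SAMPLE_ERRORS = (
    "Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. "
    "Their offer: diffie-hellman-group1-sha1\n"
    "Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. "
    "Their offer: 3des-cbc,aes128-cbc\n"
)


def parse_offers(stderr_text: str) -> Dict[str, List[str]]:
    """Return {ssh_config keyword: [algorithms the peer offered]}."""
    found: Dict[str, List[str]] = {}
    for m in _OFFER_RE.finditer(stderr_text):
        found[_KEYWORD[m.group("what")]] = m.group("offer").split(",")
    return found


def build_stanza(host: str, offers: Dict[str, List[str]]) -> str:
    """Render a Host block that re-enables only what this one peer needs.
    The '+' prefix appends to the defaults instead of replacing them."""
    lines = [f"Host {host}"]
    for keyword, algs in sorted(offers.items()):
        lines.append(f"    {keyword} +{','.join(algs)}")
    return "\n".join(lines) + "\n"


def legacy_algorithms(offers: Dict[str, List[str]]) -> List[str]:
    """Sorted list of offered algorithms that are on the legacy list."""
    return sorted(a for algs in offers.values() for a in algs if a in LEGACY)


if __name__ == "__main__":
    offers = parse_offers(SAMPLE_ERRORS)
    print(build_stanza("192.0.2.10", offers), end="")
    for alg in legacy_algorithms(offers):
        print(f"# note: {alg} is a deprecated algorithm, enabled for this host only")
```

Drop the printed stanza into /etc/ssh/ssh_config.d/<device>.conf; because the Host line restricts it to that address, every other connection keeps the stock algorithm set.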

Hazelnut Pollen

A few years after we planted our hazelnuts, I was eagerly awaiting the time when they would have pollen-y bits. Except I couldn’t find anything online about what I was looking for. We did, finally, see the developed bits over the winter … but, this year, I can actually see them starting to develop in late July.

Dragon Chow

I calculated the “best deal” on dragon chow berries per fake gold coin in Anya’s DragonMania Legends game — I always tell her to get Clan Blue Hazel because you don’t need to keep “re-planting” them every couple of minutes, but the spikey cherries that grow in 30 seconds are actually the best “deal”.


Type                 Berries        Coins   Hours      Berries       Coins   Berries per Coin
Spikey Cherry             65          195   0.008333         5          15   0.333333333
Purplemon                352        1,950   0.083333  27.0769231       150   0.180512821
Clan Blue Hazel        2,860       19,500   2              220       1,500   0.146666667
Blue Hazel             2,600       19,500   2              200       1,500   0.133333333
Clan Sour Cone         1,105        9,750   0.5             85         750   0.113333333
Sour Cone                975        9,750   0.5             75         750   0.1
Dragonscale            5,200       52,000   6              400       4,000   0.1
Dragonlandic Berry    19,500      195,000   12           1,500      15,000   0.1
Clan Star Fruit       71,500      780,000   24           5,500      60,000   0.091666667
Star Fruit            65,000      780,000   24           5,000      60,000   0.083333333
Sweetroot            650,000   10,400,000   48          50,000     800,000   0.0625
Candied Pear         390,000    7,500,000   42         130,000   2,500,000   0.052
Spring Cherry         97,500    2,600,000   1            7,500     200,000   0.0375
Clan Royal Fig       396,000   10,800,000   24         132,000   3,600,000   0.036666667
Royal Fig            360,000   10,800,000   24         120,000   3,600,000   0.033333333
Squarey Berry        120,000    4,800,000   6           40,000   1,600,000   0.025

Cisco Catalyst 2960-S: Capturing All Traffic Sent Through a Port

We had an issue where an IoT device was not able to establish the connection it wanted — it would report it couldn’t connect to the Internet. I knew it could connect to the Internet in general; but, without knowing what tiny part of the Internet it used to decide ‘connected’ or ‘not connected’, we were stuck. Except! We recently upgraded the switch in our house to a Cisco Catalyst 2960S — which allows me to do one of the cool things I’d seen the network guys at work do but had never been able to reproduce at home: using SPAN (Switched Port ANalyzer). When we’d encounter strange behavior with a network device where we couldn’t just install Wireshark and get a network capture, the network group would clone all of the traffic sent to the device’s port to another switch port where we could capture it. They would send me a capture file, and it was just like having a Wireshark capture.

You can set up SPAN from the command-line configuration, but I don’t have a username/password pair to log in over SSH (and that can only be set up from the command-line configuration). Before breaking out the Cisco console cable, I tried running Cisco Network Assistant (unfortunately, a discontinued product line). One of the options under “Configure” => “Switching” is SPAN:

Since there was no existing SPAN session, I had to select a session number.

Then find the two ports — in the Ingress/Egress/Destination column, set the port whose traffic you want to capture to Ingress (only incoming traffic), Egress (only outgoing traffic), or Both (all traffic). Set the port to which you want the traffic cloned to Destination, and set the destination encapsulation to Replicate. Click Apply.

In the example above, the laptop plugged into GE1/0/24 gets a copy of all the traffic traversing GE1/0/5 — running tshark -w /tmp/TheProblem.cap writes the packet capture to a file for later analysis. Caveat — the destination port is no longer “online”: it receives the mirrored traffic but isn’t sending or receiving its own traffic … so make sure you aren’t using remote access to control the capturing device!

To remove the SPAN session, change the Ingress/Egress/Destination values back to “none”, change the destination encapsulation back to “select one”, and apply.

Since the source port is connected to one of our wireless access points, the network capture encompasses all wireless traffic through that access point.

And we were easily able to identify that this particular device uses the rule “I can ping 8.8.8.8” to determine if it is connected to the Internet. We were able to identify a firewall rule that prevented ICMP replies; allowing this traffic immediately allowed the devices to connect as expected.
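The question the capture had to answer was “which probe is going unanswered?” Here is an added example, not from the original post, of doing that step offline: a minimal pcap reader that pairs ICMP echo requests with their replies and reports destinations whose pings never came back. The capture is constructed in memory (dummy MAC addresses, a made-up 10.0.0.50 client and a 192.0.2.1 peer that does answer); on a real file from tshark -w, call unanswered_pings(open(path, "rb").read()).

```python
"""Spot ICMP echo requests that never got a reply, from a pcap capture.

Added example, not part of the original post. The capture is built in memory
from constructed frames (made-up MAC and private IP addresses) so it runs
offline; on a real file use unanswered_pings(open(path, "rb").read()).
"""
import socket
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1
ECHO_REPLY, ECHO_REQUEST = 0, 8
PCAP_MAGIC = 0xA1B2C3D4


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used to build valid sample packets."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def make_echo(src: str, dst: str, icmp_type: int, ident: int, seq: int) -> bytes:
    """Build one Ethernet/IPv4/ICMP echo frame (constructed data; dummy MACs)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"ping"
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     PROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return b"\x02" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


def make_pcap(frames) -> bytes:
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_690_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap: bytes):
    """Yield the raw frames of a classic pcap in either byte order."""
    bo = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if bo is None:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(bo + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def unanswered_pings(pcap: bytes) -> dict:
    """Return {destination IP: number of echo requests with no matching reply}.
    A reply matches a request on (peer address, identifier, sequence number)."""
    pending = set()
    for frame in iter_frames(pcap):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != PROTO_ICMP or len(ip) < ihl + 8:
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
        if icmp_type == ECHO_REQUEST:
            pending.add((dst, ident, seq))
        elif icmp_type == ECHO_REPLY:
            pending.discard((src, ident, seq))
    return dict(Counter(dst for dst, _, _ in pending))


# Constructed capture: three unanswered pings to 8.8.8.8 (the check the device
# turned out to use) and one answered ping to a made-up peer.
SAMPLE_PCAP = make_pcap([
    make_echo("10.0.0.50", "8.8.8.8", ECHO_REQUEST, 7, 1),
    make_echo("10.0.0.50", "8.8.8.8", ECHO_REQUEST, 7, 2),
    make_echo("10.0.0.50", "8.8.8.8", ECHO_REQUEST, 7, 3),
    make_echo("10.0.0.50", "192.0.2.1", ECHO_REQUEST, 7, 1),
    make_echo("192.0.2.1", "10.0.0.50", ECHO_REPLY, 7, 1),
])

if __name__ == "__main__":
    for peer, count in unanswered_pings(SAMPLE_PCAP).items():
        print(f"{peer}: {count} echo request(s) without a reply")
```

A destination that shows up with every request unanswered, while other peers answer, points at a filter between the device and that address rather than at the device itself; that is exactly the pattern the firewall's ICMP rule produced here.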