Tuesday, June 30, 2015

Cisco - NAT Overload on the Loopback (exit with different Public IP)

Loopback interfaces are very useful for troubleshooting: they let you run tests without relying on physical interfaces that may or may not be up. You can even administratively shut down a physical interface, configure its IP addresses on a loopback, and run your tests (like announcing a network via a dynamic routing protocol).

You can take loopback interfaces one step further and make them part of the solution, avoiding an extra router. This is possible because traffic goes in and out of the loopback as if it were entering and exiting another router.

In this example I will show you how to do NAT Overload to an IP different from the one on the WAN interface, which means you will exit to the Internet with a different Public IP from the one on the WAN interface. This is useful, for example, when you want your guest Wi-Fi users to exit to the Internet with a Public IP that is different from the one the employees use.

Without NAT Overload on the Loopback (NAT Outside) you would have to implement a scenario like this:

[Figure: NO_NAT_LOOPBACK]

where you need an extra router (R0) to do the NAT Overload to the Public IP (100.0.0.1). Besides the additional router, you spend four Public IPs on the interconnection between R0 and R1.

With NAT Overload on the Loopback interface you only need a scenario like this:

[Figure: NAT_LOOPBACK_PLUS]

Below I will show you how to accomplish this in two ways:

  • PBR with Set Next Hop – You also spend four Public IPs, like in the scenario with a real router
  • PBR with Set Interface – You only spend one Public IP (the 100.0.0.1)

We use PBR to force the traffic we want to NAT with a different Public IP through the Loopback Interface so that it gets NATed. You could point the default route to the Loopback Interface, but then the returning traffic would not be sent out through the WAN Interface (Fa0/1 on R1); it would be sent to the Loopback again.

 

NAT Overload on the Loopback - PBR with Set Next Hop 

In this scenario we have a /30 Public IP on the Loopback, which implies the following network:

  • One IP for the network – 100.0.0.0
  • One IP for R1 Loopback Interface (NAT Target) – 100.0.0.1
  • One IP for the Next Hop (which does not exist) – 100.0.0.2
  • One IP for Broadcast – 100.0.0.3

At first glance the IP for the Next Hop (100.0.0.2) looks quite useless, but the PBR route map uses it even though it does not exist: it forces the traffic out through the Loopback (100.0.0.1), because the Loopback is directly connected to the network (100.0.0.0/30) of the next hop set in the PBR route map.

## PC1 ###########################
hostname PC1

interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.0.254

 
## ISP ###########################
hostname ISP

interface FastEthernet0/1
ip address 200.0.0.2 255.255.255.252
no shutdown
 
ip route 0.0.0.0 0.0.0.0 200.0.0.1

 
## R1 ############################
interface loopback 111
ip address 100.0.0.1 255.255.255.252
ip nat outside
no shutdown
 
interface FastEthernet 0/0
description *** LAN ***
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip policy route-map Nat-Loopback
no shutdown

interface FastEthernet 0/1
description *** WAN ***
ip address 200.0.0.1 255.255.255.252
ip nat outside
no shutdown

access-list 102 remark *** Traffic for NAT Overload on The Loopback ***
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
 
ip nat inside source list 102 interface loopback 111 overload
ip route 0.0.0.0 0.0.0.0 200.0.0.2
 
route-map Nat-Loopback permit 10
match ip address 102
 set ip next-hop 100.0.0.2

 
## TEST ##########################
ISP# debug ip icmp
ISP# terminal monitor


PC1#ping 200.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/160/220 ms
PC1#


ISP#
*Mar  1 00:28:33.051: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.255: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.387: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.551: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.671: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1

 

 

NAT Overload on the Loopback - PBR with Set Interface

In this scenario we have a /32 Public IP on the Loopback, which implies the following network:

  • One IP for R1 Loopback Interface (NAT Target) – 100.0.0.1

This achieves the same result using only one IP, saving the other three for other uses.

 

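The changes from the previous scenario (PBR with Set Next Hop), shown in red in the original post, are the /32 mask on the loopback and the set interface clause in the route map.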

## PC1 ###########################
hostname PC1

interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.0.254

 
## ISP ###########################
hostname ISP

interface FastEthernet0/1
ip address 200.0.0.2 255.255.255.252
no shutdown
 
ip route 0.0.0.0 0.0.0.0 200.0.0.1

 
## R1 ############################

interface loopback 111
ip address 100.0.0.1 255.255.255.255
ip nat outside
no shutdown
 
interface FastEthernet 0/0
description *** LAN ***
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip policy route-map Nat-Loopback
no shutdown

interface FastEthernet 0/1
description *** WAN ***
ip address 200.0.0.1 255.255.255.252
ip nat outside
no shutdown

access-list 102 remark *** Traffic for NAT Overload on The Loopback ***
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
 
ip nat inside source list 102 interface loopback 111 overload
ip route 0.0.0.0 0.0.0.0 200.0.0.2
 
route-map Nat-Loopback permit 10
match ip address 102
set interface loopback 111
%Warning:Use P2P interface for routemap set interface clause

 
## TEST ##########################
ISP# debug ip icmp
ISP# terminal monitor


PC1#ping 200.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/160/220 ms
PC1#


ISP#
*Mar  1 00:28:33.051: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.255: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.387: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.551: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.671: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
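
The check done by eye in both TEST sections can be scripted. The following is an added example, not part of the original post: it parses `debug ip icmp` output from the ISP router and classifies where each echo reply is sent. The `BROKEN_DEBUG` lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# The five "debug ip icmp" lines the ISP router printed in the tests above.
PAGE_DEBUG = """\
*Mar  1 00:28:33.051: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.255: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.387: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.551: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
*Mar  1 00:28:33.671: ICMP: echo reply sent, src 200.0.0.2, dst 100.0.0.1
"""

# Constructed lines (not from the post): one reply addressed to R1's WAN IP
# and one addressed to an untranslated inside host.
BROKEN_DEBUG = """\
*Mar  1 00:30:01.100: ICMP: echo reply sent, src 200.0.0.2, dst 200.0.0.1
*Mar  1 00:30:01.300: ICMP: echo reply sent, src 200.0.0.2, dst 10.0.0.1
"""

REPLY_RE = re.compile(r"ICMP: echo reply sent, src ([\d.]+), dst ([\d.]+)")


def classify_replies(debug_text, nat_ip="100.0.0.1", wan_ip="200.0.0.1",
                     inside_net="10.0.0.0/24"):
    """Count ISP echo replies by the kind of address they are sent back to."""
    nat = ipaddress.ip_address(nat_ip)
    wan = ipaddress.ip_address(wan_ip)
    inside = ipaddress.ip_network(inside_net)
    counts = Counter()
    for line in debug_text.splitlines():
        match = REPLY_RE.search(line)
        if not match:
            continue  # not an echo-reply debug line
        dst = ipaddress.ip_address(match.group(2))
        if dst == nat:
            counts["loopback_nat"] += 1    # expected: source was the Loopback IP
        elif dst == wan:
            counts["wan_ip"] += 1          # translated, but to the WAN address
        elif dst in inside:
            counts["untranslated"] += 1    # inside address seen by the ISP
        else:
            counts["other"] += 1
    return counts


def nat_policy_ok(counts):
    """True only if every observed reply went to the Loopback NAT address."""
    unexpected = counts["wan_ip"] + counts["untranslated"] + counts["other"]
    return counts["loopback_nat"] > 0 and unexpected == 0


if __name__ == "__main__":
    for name, text in (("page", PAGE_DEBUG), ("broken", BROKEN_DEBUG)):
        result = classify_replies(text)
        print(name, dict(result), "OK" if nat_policy_ok(result) else "FAIL")
```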

Saturday, June 6, 2015

Huawei - Switch: Basic QinQ Tunnel (aka 802.1Q Tunneling)

How to Configure Basic QinQ?

Posted on December 8, 2014

 

Networking Requirements

As shown in the below figure, there are two enterprises on the network, Enterprise 1 and Enterprise 2. Enterprise 1 has two office locations, and Enterprise 2 has 2 office locations. The office locations of the two enterprises access SwitchA and SwitchB of the ISP network. A non-Huawei device with the TPID value 0x9100 exists on the public network.

The requirements are as follows:

  • Enterprise 1 and Enterprise 2 plan their VLANs independently.
  • Traffic of the two branches is transparently transmitted on the public network. Users using the same services in the two branches are allowed to communicate and users using different services are isolated.

You can configure QinQ to meet the preceding requirements. VLAN 100 provided by the public network can be used to implement communication of Enterprise 1 in the two branches and VLAN 200 is used for Enterprise 2. You can set the TPID value in the outer VLAN on the interface that connects the non-Huawei device to implement communication between devices.

Note: This example applies to Huawei switches above the Quidway S2700 that run an EI version.

 

Configuring basic QinQ


 

Configuration Roadmap

The configuration roadmap is as follows:

  • Configure VLAN 100 and VLAN 200 on both SwitchA and SwitchB. Set the link type of the interface to QinQ and add the interfaces to VLAN. In this way, different outer VLAN tags are added to different services.
  • Add interfaces connecting to the public network on SwitchA and SwitchB to VLAN 100 and VLAN 200 to permit packets from these VLANs to pass through.
  • Set the TPID values in the outer VLAN tag on interfaces connecting to the public network on SwitchA and SwitchB to implement communication between the device and devices from other vendors.

Procedure

 

Create VLANs.

# Create VLAN 100 and VLAN 200 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200

# Create VLAN 100 and VLAN 200 on SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 200

 

Set the link type of the interface to QinQ.

# Configure GE0/0/1 and GE0/0/2 of SwitchA as QinQ interfaces. Set the VLAN of GE0/0/1 to VLAN 100 and the VLAN of GE0/0/2 to VLAN 200. The configuration of SwitchB is similar to the configuration of SwitchA, and the configuration details are not mentioned here.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type dot1q-tunnel
[SwitchA-GigabitEthernet0/0/1] port default vlan 100
[SwitchA-GigabitEthernet0/0/1] quit

[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type dot1q-tunnel
[SwitchA-GigabitEthernet0/0/2] port default vlan 200
[SwitchA-GigabitEthernet0/0/2] quit

Configure the interface connecting to the public network on the switch.

# Add GE0/0/3 of SwitchA to VLAN 100 and VLAN 200. The configuration of SwitchB is similar to the configuration of SwitchA, and the configuration details are not mentioned here.
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/3] quit

Configure the TPID value for an outer VLAN tag

# Set the TPID value of an outer VLAN tag to 0x9100 on SwitchA.
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] qinq protocol 9100

# Set the TPID value of an outer VLAN tag to 0x9100 on SwitchB.
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] qinq protocol 9100

Verify the configuration.

In Enterprise 1, ping a PC of a VLAN in a branch from a PC of the same VLAN in another branch. If the two PCs can ping each other, internal users of Enterprise 1 can communicate.

In Enterprise 2, ping a PC of a VLAN in a branch from a PC of the same VLAN in another branch. If the two PCs can ping each other, internal users of Enterprise 2 can communicate.

Ping a PC in a VLAN of Enterprise 2 in a branch from a PC in the same VLAN of Enterprise 1 in either branch. If the two PCs cannot ping each other, users in Enterprise 1 and Enterprise 2 are isolated.
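
To see what the procedure above does to a frame, the following added example (not from the original article) builds the double-tagged frames that leave GE0/0/3 and parses them back. The customer VLAN ID 10, the MAC addresses and the payload are assumptions constructed for the illustration; the outer VLANs 100/200 and TPID 0x9100 come from the configuration.

```python
import struct

TPID_CTAG = 0x8100    # standard 802.1Q TPID carried by the customer (inner) tag
TPID_OUTER = 0x9100   # outer TPID selected by "qinq protocol 9100"


def vlan_tag(tpid, vid, pcp=0):
    """4-byte tag: 16-bit TPID, then 3-bit priority, 1-bit DEI, 12-bit VLAN ID."""
    return struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))


def customer_frame(c_vid, payload=b"constructed-payload"):
    """Constructed single-tagged frame as sent by an enterprise switch."""
    dst = bytes.fromhex("020000000002")   # locally administered sample MACs
    src = bytes.fromhex("020000000001")
    ethertype = struct.pack("!H", 0x0800)
    return dst + src + vlan_tag(TPID_CTAG, c_vid) + ethertype + payload


def push_outer_tag(frame, s_vid, tpid=TPID_OUTER):
    """Tunnel-port ingress: insert the outer tag after the MACs, keep the inner tag."""
    return frame[:12] + vlan_tag(tpid, s_vid) + frame[12:]


def pop_outer_tag(frame):
    """Tunnel-port egress: strip the outer tag, restoring the customer frame."""
    return frame[:12] + frame[16:]


def parse_tags(frame, outer_tpid=TPID_OUTER):
    """Return [(tpid, vid), ...]; the first tag must carry outer_tpid."""
    tags, offset, expected = [], 12, outer_tpid
    while offset + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != expected:
            break                      # EtherType reached, or unknown outer TPID
        tags.append((tpid, tci & 0x0FFF))
        offset, expected = offset + 4, TPID_CTAG
    return tags


def trunk_view():
    """Both enterprises reuse customer VLAN 10 (assumed); show them on GE0/0/3."""
    e1 = push_outer_tag(customer_frame(10), 100)   # GE0/0/1, port default vlan 100
    e2 = push_outer_tag(customer_frame(10), 200)   # GE0/0/2, port default vlan 200
    return parse_tags(e1), parse_tags(e2)


if __name__ == "__main__":
    ent1, ent2 = trunk_view()
    print("Enterprise 1 on trunk:", [(hex(t), v) for t, v in ent1])
    print("Enterprise 2 on trunk:", [(hex(t), v) for t, v in ent2])
    frame = push_outer_tag(customer_frame(10), 100)
    # A peer that expects 0x8100 as the outer TPID does not see any VLAN tag.
    print("Parsed with outer TPID 0x8100:", parse_tags(frame, outer_tpid=TPID_CTAG))
```

The identical inner VLAN stays separated by the outer tag (100 versus 200), and a peer whose outer TPID does not match 0x9100 fails to recognise the tag at all, which is why the TPID is set on GE0/0/3 of both switches.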

 

Configuration Files

# Configuration file of SwitchA
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet0/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface GigabitEthernet0/0/3
qinq protocol 9100
port link-type trunk
port trunk allow-pass vlan 100 200
#
return


#Configuration file of SwitchB
sysname SwitchB
#
vlan batch 100 200
#
interface GigabitEthernet0/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface GigabitEthernet0/0/3
qinq protocol 9100
port link-type trunk
port trunk allow-pass vlan 100 200
#
return

For more information about technical support, you can consult our engineer, Bill; his e-mail address is below:

bill@huanetwork.com

Taken From: http://www.huanetwork.com/blog/how-to-configure-basic-qinq/

Huawei - Router: Traffic Shaping

How to Configure Traffic Shaping for Huawei AR Routers?

Applicability

This example applies to all versions and Huawei AR routers.

 

Networking Requirements

As shown in the below figure, the LAN of an enterprise connects to Eth2/0/0 of RouterA through Switch. RouterA connects to the WAN through GE3/0/0. The voice, video, and data services are deployed on the LAN.

Packets of different services are identified by 802.1p priorities on the LAN. RouterA sends service packets to queues based on 802.1p priorities. When packets reach the WAN through GE3/0/0, jitter may occur. To prevent jitter and ensure bandwidth for services, perform the following configuration:

  • Set the CIR on each interface to 8000 kbit/s.
  • Set the CIR for voice service packets to 256 kbit/s and the CBS to 6400 bytes.
  • Set the CIR for video service packets to 4000 kbit/s and the CBS to 100000 bytes.
  • Set the CIR for data service packets to 2000 kbit/s and the CBS to 50000 bytes.



Traffic shaping networking diagram

Procedure

Configure RouterA.

sysname RouterA
#
vlan batch 10

# Create a queue profile qp1.
qos queue-profile qp1

# Set the CIR for queue 2 to 2000 kbit/s and the CBS to 50000 bytes.                
queue 2 gts cir 2000 cbs 50000

# Set the CIR for queue 5 to 4000 kbit/s and the CBS to 100000 bytes.
queue 5 gts cir 4000 cbs 100000

# Set the CIR for queue 6 to 256 kbit/s and the CBS to 6400 bytes.
queue 6 gts cir 256 cbs 6400

# Set the scheduling mode for queues 0 to 5 to weighted fair
# queuing (WFQ), and set the scheduling mode for queue 6 and
# queue 7 to priority queuing (PQ).

schedule wfq 0 to 5 pq 6 to 7
  


interface Vlanif10
ip address 192.168.1.1 255.255.255.0


interface Ethernet2/0/0
# Set the link type of the interface to trunk.
port link-type trunk
 
# Add the trunk interface to VLAN 10.
port trunk allow-pass vlan 10
 
# Trust 802.1p priorities of packets on the interface.
trust 8021p


interface GigabitEthernet3/0/0
ip address 192.168.4.1 255.255.255.0 

# Apply the queue profile qp1 to the interface.
qos queue-profile qp1 

# Set CIR for the interface to 8000 kbit/s and the CBS to 200000 bytes.
qos gts cir 8000 cbs 200000  

Verify the configuration

Run the display qos queue statistics interface gigabitethernet 3/0/0 command on RouterA to check packet statistics in queues on GE3/0/0. You can see that the output rate of each queue is within the configured limit. When a queue is full, excess packets are discarded.

 

Configuration Notes

Configure the interface of the switch connected to RouterA as a trunk interface and add the interface to service VLANs.

Configure RouterB to ensure that it can communicate with RouterA.

The traffic shaping CIR value configured on an interface must be larger than or equal to the sum of CIR values of all queues on the interface. Otherwise, packets in high-priority queues may fail to be scheduled.
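
The rule above can be checked mechanically before a configuration is applied. The following added example (not from the original article) parses the queue profile and interface shaping lines of RouterA, sums the queue CIRs and compares them with the interface CIR; the function names and the `#`-separated layout of the sample are assumptions, the values are the ones configured above.

```python
import re

# RouterA's shaping-related lines from the procedure above, laid out with "#"
# separators as in a saved configuration file.
ROUTER_A = """\
qos queue-profile qp1
 queue 2 gts cir 2000 cbs 50000
 queue 5 gts cir 4000 cbs 100000
 queue 6 gts cir 256 cbs 6400
 schedule wfq 0 to 5 pq 6 to 7
#
interface GigabitEthernet3/0/0
 ip address 192.168.4.1 255.255.255.0
 qos queue-profile qp1
 qos gts cir 8000 cbs 200000
#
"""


def parse(config):
    """Return (profiles, interfaces) extracted from the configuration text."""
    profiles, interfaces, ctx = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            ctx = None                      # "#" closes the current section
            continue
        if m := re.fullmatch(r"interface (\S+)", line):
            ctx = ("interface", m.group(1))
            interfaces[m.group(1)] = {"profile": None, "gts": None}
        elif m := re.fullmatch(r"qos queue-profile (\S+)", line):
            if ctx and ctx[0] == "interface":
                interfaces[ctx[1]]["profile"] = m.group(1)   # profile applied
            else:
                ctx = ("profile", m.group(1))                # profile defined
                profiles.setdefault(m.group(1), {})
        elif (m := re.fullmatch(r"queue (\d+) gts cir (\d+) cbs (\d+)", line)) \
                and ctx and ctx[0] == "profile":
            profiles[ctx[1]][int(m.group(1))] = (int(m.group(2)), int(m.group(3)))
        elif (m := re.fullmatch(r"qos gts cir (\d+) cbs (\d+)", line)) \
                and ctx and ctx[0] == "interface":
            interfaces[ctx[1]]["gts"] = (int(m.group(1)), int(m.group(2)))
    return profiles, interfaces


def audit(config):
    """Compare each shaped interface's CIR with the sum of its queue CIRs."""
    profiles, interfaces = parse(config)
    findings = []
    for name, intf in interfaces.items():
        if not intf["profile"] or not intf["gts"]:
            continue                        # interface has no queue shaping
        queues = profiles.get(intf["profile"], {})
        total = sum(cir for cir, _ in queues.values())
        findings.append({"interface": name, "interface_cir": intf["gts"][0],
                         "queue_cir_sum": total, "ok": intf["gts"][0] >= total})
    return findings


def burst_ms(cir_kbps, cbs_bytes):
    """How long a full committed burst lasts at the CIR (1 kbit/s = 1000 bit/s)."""
    return cbs_bytes * 8 / cir_kbps


if __name__ == "__main__":
    print(audit(ROUTER_A))
    # Constructed misconfiguration: interface CIR lowered below the queue sum.
    print(audit(ROUTER_A.replace("qos gts cir 8000", "qos gts cir 6000")))
    print(burst_ms(256, 6400), "ms of burst for the voice queue")
```

With the values from this example the queues sum to 6256 kbit/s against an interface CIR of 8000 kbit/s, and every CBS corresponds to 200 ms of traffic at its CIR.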


Taken From: http://www.huanetwork.com/blog/how-to-configure-traffic-shaping-for-huawei-ar-routers/

Huawei - Switch: Voice Vlan and LLDP Config

How to Configure LLDP on Huawei Switch to Provide VoIP Access?
Posted on December 16, 2014

Networking Requirements

Flows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require high quality of the VoIP service. Therefore, voice data flows must be transmitted with a high priority. If a voice device supports LLDP and has a high 802.1p priority (for example, 5), you can configure LLDP and Voice VLAN on the switch. Then the switch uses the LLDP protocol to deliver the Voice VLAN ID to the voice device and does not change the packet priority.

As shown in the below figure, after a Voice VLAN is configured on the Switch, the voice device learns the Voice VLAN ID using LLDP.

 

Configuring LLDP to provide VoIP access



Note: It can be applied to all Huawei Switches, like Huawei S2700, Huawei S3700 switches and Quidway S5700, etc.

 

Configuration Roadmap

The configuration roadmap is as follows:

  • Create VLANs.
  • Configure the link type and default VLAN of the interface connected to the IP phone.
  • Enable the Voice VLAN function on the interface.
  • Configure the interface to join the Voice VLAN in manual mode.
  • Set the working mode of the Voice VLAN.
  • Configure the interface to trust the 802.1p priority of packets.
  • Enable LLDP globally and on the interface.

 

Procedure

Configure VLANs and interface on the Switch.

# Create VLAN 2 and VLAN 6.
<HUAWEI> system-view
[HUAWEI] vlan batch 2 6

# Configure the link type and default VLAN of GigabitEthernet0/0/1.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port hybrid pvid vlan 6
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 6

Configure the Voice VLAN on the Switch.

# Enable the Voice VLAN on GigabitEthernet0/0/1.
[HUAWEI-GigabitEthernet0/0/1] voice-vlan 2 enable

# Configure the mode in which GigabitEthernet0/0/1 is added to the Voice VLAN.
[HUAWEI-GigabitEthernet0/0/1] voice-vlan mode manual
[HUAWEI-GigabitEthernet0/0/1] port hybrid tagged vlan 2

# Configure the working mode of the Voice VLAN.
[HUAWEI-GigabitEthernet0/0/1] undo voice-vlan security enable

#Configure the interface to trust the 802.1p priority of packets.
[HUAWEI-GigabitEthernet0/0/1] trust 8021p (inner)
[HUAWEI-GigabitEthernet0/0/1] quit

NOTE: The format of the trust 8021p (inner) command varies depending on the device model.

 

Enable LLDP

[HUAWEI] lldp enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] lldp enable
[HUAWEI-GigabitEthernet0/0/1] return

 

Verify the configuration.

Run the display voice-vlan 2 status command to check the Voice VLAN configuration, including the mode in which the interface is added to the Voice VLAN, working mode, and aging time of the Voice VLAN.

<HUAWEI> display voice-vlan 2 status
Voice VLAN Configurations:
---------------------------------------------------
Voice VLAN ID           : 2
Voice VLAN status       : Enable
Voice VLAN aging time   : -
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark  : 46
----------------------------------------------------------
Port Information:
-------------------------------------------------------------------------------
Port                     Add-Mode   Security-Mode  Legacy  PribyVLAN  Untag
-------------------------------------------------------------------------------
GigabitEthernet0/0/1     Manual     Normal         Disable Enable     Disable

Configuration File

#Configuration file of the Switch

vlan batch 2 6
#                                   
lldp enable                       
#                                 
interface GigabitEthernet0/0/1     
voice-vlan 2 enable               
port hybrid pvid vlan 6           
port hybrid tagged vlan 2
port hybrid untagged vlan 6
trust 8021p (inner)
#
return


Taken From: http://www.huanetwork.com/blog/how-to-configure-lldp-on-huawei-switch-to-provide-voip-access/

Huawei - Switch: Local Port Mirroring (aka SPAN)

How to Configure Local Port Mirroring?

As shown in Figure 1, HostA is connected to GigabitEthernet0/0/1 on SwitchA, and Server is directly connected to GigabitEthernet0/0/2 on SwitchA.

Users want to use the monitoring device (Server) to monitor packets sent from HostA.


Figure 1 Networking diagram of local port mirroring

Note: The example can be applied to Huawei switches (like Huawei S2700, Huawei S3700 switches and Quidway S5700, etc.)

 

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure GigabitEthernet0/0/2 on SwitchA as the local observing port so that Server can receive mirrored packets.
  2. Configure GigabitEthernet0/0/1 on SwitchA as the mirrored port to monitor packets passing through the mirrored port.

Procedure

  1. Configure an observing port.

# Configure GigabitEthernet0/0/2 on SwitchA as the local observing port.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] observe-port 1 interface gigabitethernet 0/0/2

  2. Configure a mirrored port.

# Configure GigabitEthernet0/0/1 on SwitchA as the mirrored port to monitor packets sent from HostA.

[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound
[SwitchA-GigabitEthernet0/0/1] return

  3. Verify the configurations.

# Check the observing port configuration.

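<SwitchA> display observe-port

----------------------------------------------------------------------
Index         : 1
Untag-packet  : No
Interface     : GigabitEthernet0/0/2
----------------------------------------------------------------------


# Check the mirrored port configuration.

<SwitchA> display port-mirroring
----------------------------------------------------------------------
Observe-port 1 : GigabitEthernet0/0/2
----------------------------------------------------------------------
Port-mirror:
----------------------------------------------------------------------
    Mirror-port              Direction Observe-port
----------------------------------------------------------------------
1   GigabitEthernet0/0/1     Inbound   Observe-port 1
----------------------------------------------------------------------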

 

Configuration File

# Configuration file of SwitchA

sysname SwitchA
#
observe-port 1 interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/1
port-mirroring to observe-port 1 inbound
#
return

For more information about technical support, you can consult our engineers; the e-mail address is below:

support@huanetwork.com

Taken From: http://www.huanetwork.com/blog/how-to-configure-local-port-mirroring/

Huawei - Router: Password Recovery - BootROM (aka ROMmon)

How do I Log into the Device Using BootROM If I Forget the Console Login Password?
The console interface on RouterA connects to the PC and the console login password is forgotten. It is required that BootROM (aka ROMmon) be used to log in to the device. This example applies to V200R003C00 and later versions, and all Huawei AR routers.

Figure 1 - Networking for login through BootROM when the console login password is forgotten

Log in to the router through the console port.

NOTE: When performing operations, ensure that users on the serial port are kept online.

Restart RouterA. Press Ctrl+B to enter the BootROM menu when the following information is displayed:

BIOS Creation Date : Nov 10 2011, 14:41:12                                   
DDR DRAM init : OK                                                           
Start Memory Test ? (‘t’ or ‘T’ is test):skip                                 
Copying Data : Done                                                           
Uncompressing : Done                                                           
USB2 Host Stack Initialized.                                                 
USB Hub Driver Initialized                                                   
USBD Wind River Systems, Inc. 562 Initialized                               
Octeon Host Controller Initialize……Done.                                 

Press Ctrl+B to break auto startup … 3   

After pressing Ctrl+B, you need to enter the password

  • Versions earlier than V200R005C00: huawei,
  • V200R005C00 and later versions: Admin@huawei

to enter the BootROM menu.

 

In general the default user and password are:

On new equipment or with an updated image, the password is “Password2”.


Select choice 7 to enter the Password Manager menu.

Main Menu 
1. Default Startup                                                         
2. Serial Menu                                                           
3. Network Menu                                                           
4. Startup Select                                                         
5. File Manager                                                           
6. Reboot                                                                 
7. Password Manager

Enter your choice(1-6):7

Select choice 2 to delete the console login password.

PassWord Menu                                                         
1. Modify the menu password                                               
2. Clear the console login password                                       
3. Return                                                                 
Enter your choice(0-1):2

Clear the console login password Succeed!

PassWord Menu                                                         
1. Modify the menu password                                               
2. Clear the console login password                                       
3. Return
           
Enter your choice(0-1):0

Select 1 and wait for a while. Then you can log in to the device.

Main Menu                                                             
1. Default Startup                                                         
2. Serial Menu                                                           
3. Network Menu                                                           
4. Startup Select                                                         
5. File Manager                                                           
6. Reboot                                                                 
7. Password Manager

Enter your choice(1-6):1



Taken From: http://www.huanetwork.com/blog/how-do-i-log-into-the-device-using-bootrom-if-i-forget-the-console-login-password/