Scott O'Brien

Ramblings and resources of my online life

Very basic MPLS Tutorial

2014-10-02 06:34:14 +0000

I made this video a while ago and some people on YouTube seem to like it, so here is my very basic MPLS tutorial. Towards the end of the video there’s a live demonstration showing the concepts with Wireshark.

Compliance with Cisco IOS Devices & Bulk Changes

2014-07-19 00:11:38 +0000

One of the biggest problems in the environment I work in is that almost all of our 300+ devices have been deployed by hand. Usually this isn’t such a big problem, but combine that with a design decision to route right to the access layer of our campus network with a multi-VRF network and you can start to see how mistakes, or design changes made part-way through the deployment, have produced inconsistencies. Not only that, but when it comes time to change something, it means going through and altering nearly 300 devices, a massive pain that is hard to scale.

Usually this problem is solved with network management solutions.  We have Cisco NCM that’s used for this task, but I have to admit, it’s horrible and hard to do anything other than the basics (not to mention end-of-life’d, probably for good reason).

Now that I’ve got Rancid backing up my configs to git, I decided to write a (very simple) compliance manager myself that will allow us to build compliance checks in standard python. It works by using my IOSDevice wrapper to load up the configuration files, then dynamically loading every class that subclasses the compliance check base class and running each one to perform its check.

By overriding specific methods (like checkRequired), you decide whether the check applies to a given device, then report whether it passed or failed. There are methods for generating fix config (which will later be executable on the end device) and for running commands to verify that the fix succeeded.

The reason I decided to write this is that we’re soon going to be ripping out and merging VRFs and making our routing a lot simpler in the campus network (inter-VRF gateway, etc), and there is no way I’m going to be doing this by hand on each device.

If you’re a python head, check it out!

Switchport Mode Access ........(211/301)
  * b123-ba-asw-01
  * b17-mr-wlc-01
  * sbs-18a-asw-01
  * beg-340-asw-01
...
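To make the structure concrete, here is an added, stand-alone sketch of that pattern (my own example code, not the author’s compliance manager or IOSDevice wrapper): a tiny interface-block parser stands in for IOSDevice, a base class exposes the check-required / failures / fix-config hooks, subclasses are discovered with `__subclasses__()`, and `run_checks` returns `{name: (passed, required, failed_hosts)}` so the summary can be printed in the same shape as the output above. The device names and configs are constructed.

```python
# Constructed IOS-style configs for three hypothetical devices (not the author's real configs).
CONFIGS = {
    "asw-01": "interface Gi1/0/1\n switchport mode access\n switchport access vlan 10\n"
              "interface Gi1/0/2\n switchport access vlan 10\n",  # Gi1/0/2 lacks "mode access"
    "asw-02": "interface Gi1/0/1\n switchport mode access\n switchport access vlan 20\n",
    "rtr-01": "interface Gi0/0\n ip address 10.0.0.1 255.255.255.0\n",
}

def parse_interfaces(config):
    """Return {interface: [its indented config lines]} from an IOS running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            interfaces[(current := line.split(None, 1)[1])] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the interface block
    return interfaces

class ComplianceCheck:  # base class; subclasses are discovered via __subclasses__()
    def __init__(self, hostname, config):
        self.hostname, self.interfaces = hostname, parse_interfaces(config)
    def check_required(self): return True  # does this check apply to this device at all?
    def failures(self): return []          # offending interfaces; empty list = device passes
    def fix_config(self): return []        # config lines that would remediate the failures

class SwitchportModeAccess(ComplianceCheck):
    name = "Switchport Mode Access"
    def _access_ports(self):
        return {i: l for i, l in self.interfaces.items()
                if any(x.startswith("switchport access vlan") for x in l)}
    def check_required(self):
        return bool(self._access_ports())  # routers with no access ports are skipped
    def failures(self):
        return [i for i, l in self._access_ports().items() if "switchport mode access" not in l]
    def fix_config(self):
        return [f"interface {i}\n switchport mode access" for i in self.failures()]

def run_checks(configs):
    results = {}  # {check name: (passed, required, [hosts that failed])}
    for cls in ComplianceCheck.__subclasses__():
        required = [c for c in (cls(h, cfg) for h, cfg in configs.items()) if c.check_required()]
        failed = [c.hostname for c in required if c.failures()]
        results[cls.name] = (len(required) - len(failed), len(required), failed)
    return results

if __name__ == "__main__":  # prints a summary in the same shape as the post's output
    for name, (passed, required, failed) in run_checks(CONFIGS).items():
        print("\n".join([f"{name} ........({passed}/{required})"] + [f"  * {h}" for h in failed]))
```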

User Accounting with Netflow

2014-07-08 05:54:52 +0000

At UOW we had a challenge.  We wanted to allow proxy-free internet, but wanted to keep an eye on how much data was being consumed by what sort of users.  For this we built Project Herbert http://uowits.github.io/herbert-gui/docs.html.

It uses NetFlow from inside our network and some syslog monitoring scripts to match our private RFC1918 address space to the users holding those addresses at the time, and processes the flows in near real time so we can adjust throttling and firewall policy reactively as the environment changes.

The idea was to build this as a distributed system and allow it to scale out to deal with more load.

Project Herbert

Logging NAT Translations on the Cisco ASA

2014-05-08 06:14:09 +0000

It’s often handy when dealing with infringement notices and the like to have NAT translations logged. Sure, a better way would be to record NetFlow from these devices (and include the translations), but for a quick syslog solution you can always:

logging enable
logging list ToSyslog level critical
logging list ToSyslog message 305011

See http://www.cisco.com/c/en/us/td/docs/security/pix/pix63/system/message/63syslog/pixemsgs.html#wp1054604

Messages will look something like:

May 08 13:01:20 freewifi-asa.net.uow.edu.au %ASA-6-305011: Built dynamic TCP translation from inside:10.64.37.96/53008 to outside:192.131.251.2/49520