Posts about networking

User Accounting with Netflow

July 8th, 2014

At UOW we had a challenge.  We wanted to allow proxy-free internet, but wanted to keep an eye on how much data was being consumed by what sort of users.  For this we built Project Herbert http://uowits.github.io/herbert-gui/docs.html.

It uses netflow from inside our network and some syslog monitoring scripts to match up our private RFC1918 address space to the users who have it at that time, process the flows in near-realtime so we can adjust throttling and firewall policy to be reactive with the environment.

The idea was to build this as a distributed system and allow it to scale-out to deal with more load

Project Herbert

Finding overlaps in address space

February 24th, 2014

We have an interesting problem at my workplace, we have an MPLS VPN design for separation of security zones (e.g., staff from students.) and we don’t have MPLS support on our edge. With a L3 to the edge design though this means that while every edge switch has its own address space (per VRF), it also has a /30 uplink (once again, per VRF) back to the PE device.

While this (rightly or wrongly decided) slightly more complicated design in itself isn’t a problem, I’ve been working on programatically putting all of this data into an IPAM (IP Address Management) solution. Doing this from the devices themselves (as apposed to a spreadsheet where it was previously kept) has provided the best way moving forward, so good in fact, that my IPAM started throwing exceptions when duplicate IP addresses and overlapping spaces were attempted to be added in the system.

The following Python script uses my Cisco IOS python library to be able to identify IP address overlaps from a bunch of my saved device configs.

It works by the following:

  1. Adds all L3 interfaces addresses and secondary addresses to a list
  2. Sorts list such that larger subnets are at the front, smaller (/32′s and the such) are at the back of the list.
  3. Walks through each subnet, if the network addresses is not in the routing table, add it in, if it is, add it to a list of colliding subnets.
  4. With the list of colliding subnets (subnets that have been multiply defined, or are of overlapping size):
    1. If they are /30′s and there are only two places of definition, skip
    2. if the subnet values are not equal OR an address appears twice in the subnet.  Print it out as a colliding address (space)

You can find the script as a ghist here (note:  This assumes the devices have been picked and loaded as a Picked list of IOSDevice’s)

What is Anycast?

April 9th, 2013

I’ve never found a really simple video on what exactly Anycast is with a basic examples when exploring the concepts.  I decided to lab it up and figured this might help some of you starting out with the concepts.  Any comments feel free to let me know!

Config Attached for IOS lab HERE.

My experiences of managing a Cisco switch with Puppet

December 8th, 2012

One recent pet gripe of mine has been having to add a new VLAN into our datacenter for our vSphere platform.  Not that I trust my DCs switches with puppet just yet, this is a proof of concept post about how we could be using puppet to centrally manage this configuration and push it out across our DC.

Read more »