Posts about Uncategorized

Very basic MPLS Tutorial

October 2nd, 2014

I made this video a while ago and some people on YouTube seem to like it, so here is my very basic MPLS tutorial. Towards the end of the video there’s a live demonstration showing the concepts with Wireshark

Compliance with Cisco IOS Devices & Bulk Changes

July 18th, 2014

One of the biggest problems in the environment I work in is that almost all of the deployment of our 300+ devices is that everything has been hand crafted.  Usually this isn’t such a big problem, but add that with a design decision to route right to the access layer of our campus network with a multi-VRF network and you can start to see how mistakes, or changes in design along the deployment has meant inconsistencies.  Not only that, but when it comes time to go and change something, that means going through and altering near 300 devices, a massive pain that is hard to scale.

Usually this problem is solved with network management solutions.  We have Cisco NCM that’s used for this task, but I have to admit, it’s horrible and hard to do anything other than the basics (not to mention end-of-life’d, probably for good reason).

Now that I’ve got Rancid backing up my configs to git, I decided to write a (very simple) compliance manager myself that will allow us to build compliance checks in standard python.  This works by using my IOSDevice wrapper to load up the configuration files, then dynamically loading a list of classes that subclass the compliance check, and start loading them up to perform the check.

By over-riding specific methods (like checkRequired), you’re able to determine if the check is required on that device, then give a status of if it’s failed or not.  There’s methods for generating fix config (that will later be able to be executed on the end device) then the ability to run commands to check if it’s succeeded.

The reason I decided to write this is because we’re soon going to be ripping out and merging VRF’s and making our routing a lot simpler in the campus network (inter-vrf gateway, etc) and there is no way I’m going to be doing this by hand on each device.

If you’re a python head, check it out!

 

(env)scotto@netbox:/data/network/scripts/ioscompliance$ python complaince.py
Switchport Mode Access ........(211/301)
  * b123-ba-asw-01
  * b17-mr-wlc-01
  * sbs-18a-asw-01
  * beg-340-asw-01
...

Logging NAT Translations on the Cisco ASA

May 8th, 2014

It’s often handy when dealing with infringement notices and the like to have NAT translations logged.  Sure a better way would be to record netflow from these devices (and include the translations) but for a quick syslog solution, you can always:

logging enable
logging list ToSyslog level critical
logging list ToSyslog message 305011

See http://www.cisco.com/c/en/us/td/docs/security/pix/pix63/system/message/63syslog/pixemsgs.html#wp1054604

Messages will look something like:

May 08 13:01:20 freewifi-asa.net.uow.edu.au %ASA-6-305011: Built dynamic TCP translation from inside:10.64.37.96/53008 to outside:192.131.251.2/49520

 

Automating VLAN changes for ESXi Switchports in Cisco IOS.

January 29th, 2014

6500

At the organisation I’m currently working for, we recently experienced what appears to be a common issue, VLAN’s trunked down to ESXi nodes were inconsistent.

In our DC, we’re still running the old school Cisco Catalyst switches.  If we were running a fabric, or Nexus switches we could put port profiles to action or if we lucky enough to have some equipment running Junos <3 we could be using apply-groups for this.

Being stuck with 6500′s in the DC as our L2 platform (and a VSS for the L3 MPLS PE) this is a quick little hack job to automate configuration changes across switchports in Cisco IOS based on dynamically finding ports that are matching an interface description.

In our DC, we have a bunch of switches (defined at the top of this script) and all our switchports that go to ESXi switchports that should have this template applied are matched on the interface description containing ‘ESXHOST’

This relies on the python EXScript module

Download my script here Read more »

throttling guest internet on Apple Airport Extreme

December 18th, 2013

I’ve been happily running my Apple Airport Extreme as m home router for the past few years (since my debian router died, and I’ve been too lazy to replace it).  One of the cool features was the ability to create a guest network (SSID) to access the internet without being able to access your trusted network.  One feature I wanted was the ability to throttle the speed guests can access the internet at.  While I couldn’t do this with the Airport Extreme alone, Add a Juniper SRX100 into the mix that the awesome Cooper Lees gave me into the mix and problem solved.

apple-airport-extreme-base-station_1

Read more »