Archive

Category Archives for "Dan’s Network"

PTT – Push To Talk

When was the last time you were looking for the unmute button in Webex and it took you more than two seconds to find it?

When was the last time you thought you were on mute but actually everyone could hear you snore?

I spend a lot of time in conference calls. This mute thing happens to me a lot.

PTT stands for Push To Talk, like on walkie-talkies. The computer mic would normally be muted, and as long as I press the PTT button, the mic is unmuted.

I couldn't find any such off-the-shelf device, so I decided to create one on my own.

To do so I had to integrate a few components. Here is the flow of things:

When I press a button on my special device, it will send the key combination of "PrintScreen+F11". Then a special program called AutoHotKey will intercept that key combination and execute an application I wrote that controls the computer mic.

The PTT button


I am using an Arduino-like microcontroller called Teensy LC. I value my time and my money, and there is nothing better than the Teensy line of microcontrollers, which are very powerful, Arduino Continue reading

dt_aclcheck – Find a match in extended access list.

Some ACLs are short, some ACLs are really long!
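Here is what such a check does under the hood, as an added example in Python (not the dt_aclcheck tool itself, whose source the post does not show): it parses extended ACL lines the way IOS prints them, including sequence numbers, wildcard masks, host/any and the eq/range/gt/lt port forms, and returns the first entry that matches a flow, which is the entry IOS would apply. The sample ACL and the flows are constructed. Running this over a long production list is the quick way to spot a shadowed entry or an over-broad permit before the change window.

```python
"""Find the first matching entry in a Cisco IOS extended ACL for a given flow."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names IOS prints instead of numbers; a partial list (assumption about what
# your ACLs contain), extend as needed
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "pop3": 110, "ntp": 123, "snmp": 161, "bgp": 179, "https": 443}
PORT_KEYWORDS = ("eq", "range", "gt", "lt")
Range = Tuple[int, int]


@dataclass
class Ace:
    seq: Optional[int]
    action: str                 # "permit" | "deny"
    proto: str                  # "ip" matches every protocol, otherwise exact match
    src: Range                  # (address, wildcard) as 32-bit ints
    sport: Optional[Range]      # inclusive port range, None = any port
    dst: Range
    dport: Optional[Range]
    text: str                   # the original line, for reporting


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tok: List[str], i: int) -> Tuple[Range, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _ports(tok: List[str], i: int) -> Tuple[Optional[Range], int]:
    """Parse an optional 'eq N' | 'range A B' | 'gt N' | 'lt N' starting at tok[i]."""
    if i >= len(tok) or tok[i] not in PORT_KEYWORDS:
        return None, i
    if tok[i] == "eq":
        p = _port(tok[i + 1])
        return (p, p), i + 2
    if tok[i] == "range":
        return (_port(tok[i + 1]), _port(tok[i + 2])), i + 3
    if tok[i] == "gt":
        return (_port(tok[i + 1]) + 1, 65535), i + 2
    return (0, _port(tok[i + 1]) - 1), i + 2                 # lt


def parse_acl(text: str) -> List[Ace]:
    """Parse running-config / 'show ip access-lists' style lines. The
    'ip access-list extended NAME' header and remarks are skipped."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        seq = None
        if tok and tok[0].isdigit():
            seq, tok = int(tok[0]), tok[1:]
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 2)
        sport, i = _ports(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _ports(tok, i)          # trailing 'log', 'established' etc. are ignored
        aces.append(Ace(seq, tok[0], tok[1], src, sport, dst, dport, line.strip()))
    return aces


def _addr_match(spec: Range, addr: int) -> bool:
    net, wild = spec                       # a set wildcard bit means "don't care"
    return ((addr ^ net) & (~wild & 0xFFFFFFFF)) == 0


def _port_match(spec: Optional[Range], port: Optional[int]) -> bool:
    if spec is None:
        return True
    return port is not None and spec[0] <= port <= spec[1]


def find_match(aces: List[Ace], proto: str, src: str, dst: str,
               sport: Optional[int] = None, dport: Optional[int] = None) -> Optional[Ace]:
    """First-match semantics, exactly as IOS walks the list; None means implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (_addr_match(ace.src, s) and _addr_match(ace.dst, d)):
            continue
        if not (_port_match(ace.sport, sport) and _port_match(ace.dport, dport)):
            continue
        return ace
    return None


# Constructed sample ACL (not from the post). Entry 10 sits before the subnet-wide
# deny in entry 20, so the order decides what happens to host 10.1.1.5.
SAMPLE_ACL = """
ip access-list extended EDGE-IN
 10 permit tcp host 10.1.1.5 any eq ssh
 20 deny tcp 10.1.1.0 0.0.0.255 any eq 22
 30 permit udp any host 10.2.2.53 eq domain
 40 permit tcp any 10.2.2.0 0.0.0.255 range 8080 8090
 50 permit icmp any any
 60 deny ip any any log
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for flow in [("tcp", "10.1.1.5", "192.0.2.9", 40000, 22),
                 ("tcp", "10.1.1.7", "192.0.2.9", 40000, 22),
                 ("tcp", "198.51.100.4", "10.2.2.10", 40000, 8091)]:
        hit = find_match(acl, *flow)
        print(flow, "->", hit.text if hit else "implicit deny")
```

Feed it the output of `show ip access-lists NAME` and the 5-tuple from the packet you are chasing; the returned entry's sequence number is the one whose counter should move.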



Embedded packet capture and interface ACLs and Zone Based Firewall

Cisco IOS Embedded Packet Capture is a great tool for troubleshooting. It is very similar to the ASA capture command.

It could be better, as it does not parse packets as well as tcpdump does, but it is way better than nothing.

However, I couldn't figure out the order of operations with regard to ACLs and ZBF.

So I labbed it up, with IOU 15.4, and here are the results:

  • For an incoming ACL, packets are captured before the ACL is evaluated.
  • For an incoming ZBF policy, packets are captured before the policy is checked.

So it looks like the embedded packet capture is placed in the right place, right before the incoming ACL/ZBF check. However, more testing needs to be done: NAT, outgoing ACL/ZBF, IPS drops, encryption, sanity checks.
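Here is the check behind those two bullets, written out as an added example that is not a configuration from the original post. It applies a small inbound ACL and an inbound capture to the same interface, sends one packet the ACL denies, and then confirms that the packet is in the capture buffer while the ACL's deny counter incremented, which is what places the capture point ahead of the ACL. Interface and ACL names are assumptions; the capture commands are the IOS 15.2(4)M+/15.4 syntax of the post's lab, mixing configuration and exec mode, with ! marking comments.

```text
! Assumed names: Gi0/0 is the inbound interface, INBOUND the ACL applied to it
ip access-list extended INBOUND
 deny   tcp any any eq 23 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group INBOUND in
!
! Capture in the inbound direction on the same interface, kept small so the
! buffer is easy to read (exec mode from here on)
monitor capture CAP interface GigabitEthernet0/0 in
monitor capture CAP match ipv4 any any
monitor capture CAP buffer size 10
monitor capture CAP limit packets 100
monitor capture CAP start
!
! ... from a test host, send one telnet SYN (tcp/23) through Gi0/0 ...
!
monitor capture CAP stop
! The SYN is listed here even though the ACL dropped it ...
show monitor capture CAP buffer brief
! ... and the deny entry's match counter has gone up by one
show access-lists INBOUND
! Export if the brief view is not enough; open the file in Wireshark/tcpdump
monitor capture CAP export flash:cap.pcap
```

Repeat the same pair of checks with the ACL moved to the outbound direction, or with the packet hitting a ZBF drop, to cover the cases listed above as untested.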

I wish Cisco would have published an official and full "order of operation". Here is the best I have found so far.

FYI....

FirePower management interface

While installing Cisco FirePOWER on 5545-X, I was following the "Install and Configure a FirePOWER Services Module on an ASA Platform" guide.

One of the steps was to configure an IP address on the FirePOWER management interface. However, nowhere in the document was it mentioned how that interface would connect to the outside world.

So I tried to google it, and it looks like no one was asking that question: how would an internal module connect to the outside world? Not a single blog post about it. It just worked for everyone, no questions asked!

After digging around I found this document: "Cisco ASA FirePOWER Module Quick Start Guide"

And there I have found my answers:
  1. For the 5585-X, FirePOWER is installed in a dedicated slot with its own mgmt0 interface.
  2. For the 5545-X, the FirePOWER module (SFR) uses the 5545-X's Management0/0 interface, which means that we cannot use that interface for ASA management and it must be dedicated to FirePOWER!
  3. For the rest, it will use the "inside" interface.

I would have expected a command to allow me to set up a bridge between the SFR management interface and some ifname on the ASA. But no, it is hard wired! Why?

Alteon AppShape++ persistency and multiple scripts per service

Lab goal

Create new VIP on 10.136.6.17.

Using an AppShape++ script to choose the preconfigured group/pool "10".

Once the loadbalancer chooses a server, all subsequent requests from the client's source IP should go to the same server. This is called persistence or stickiness.

Setup


The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Notice the group and hosts are preconfigured:

/c/slb/real 1
ena
ipver v4
rip 10.136.85.1
/c/slb/real 2
ena
ipver v4
rip 10.136.85.2
/c/slb/real 3
ena
ipver v4
rip 10.136.85.3
/c/slb/group 10
ipver v4
add 1
add 2
add 3

 

Alteon configuration

First the AppShape++ script:

 1  /cfg/slb/appshape/script take_10/en/import
 2
 3
 4  attach group 10
 5
 6  when HTTP_REQUEST {
 7  group select 10
 8  }
 9
10  -----END

Line 1 - This allows you to just copy and paste the whole text into Alteon's CLI. It defines the script if it does not exist yet, enables it, and imports it.
Line 7 - Selects Continue reading

ACS 5.X REST API

For a typical network engineer, reading Cisco's REST API documentation looks really simple. All you need to do is issue the following CLI command:
acs config-web-interface rest enable.
But now what? Where are the examples? That's easy: all you need to do is download the example code directly from the ACS administration UI. But that code is in Java, and several pages long for each example.
So let me do you a favor and show you how to extract a list of all ACS users without even writing a single line of code:
wget -O user-list.xml --auth-no-challenge --http-user=acs_admin_user --http-password=admin_pass --no-check-certificate https://acs.ip.address.x/Rest/Identity/User 
Few things to notice:
  • It's a one-line UNIX command. A Windows version can be found here.
  • The output is an XML file called user-list.xml.
  • --no-check-certificate is needed because ACS has its own self-generated SSL certificate, and wget will fail to validate that certificate. This can be changed, but how many are actually using anything else? If you would rather keep verification on, export the ACS certificate and pass it with --ca-certificate=acs.pem instead.
  • --auth-no-challenge is used because ACS expects preemptive authentication, i.e. the credentials are sent with the first request rather than after a 401 challenge.
Enjoy!
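The same call in Python, as an added example that is not from the original post. It keeps the two things the wget flags take care of, preemptive Basic auth and the self-signed certificate, but pins the connection to an exported copy of the ACS certificate instead of switching verification off. The host name, the credentials, the certificate file and the layout of the XML sample are assumptions; check the element names against a real response before relying on the parser.

```python
"""List ACS 5.x users over the REST API with preemptive Basic auth and a pinned cert."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import List


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header up front (what wget's --auth-no-challenge does)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def _local(tag: str) -> str:
    """Strip an XML namespace ({uri}name -> name) so the parser does not depend on the one ACS uses."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_bytes: bytes) -> List[str]:
    """Return the <name> of every <user> element, at any depth, ignoring namespaces."""
    # authenticated server response; for untrusted XML use defusedxml instead of ElementTree
    root = ET.fromstring(xml_bytes)
    names = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        for child in el:
            if _local(child.tag) == "name" and child.text:
                names.append(child.text.strip())
    return names


def fetch_users(base_url: str, user: str, password: str, cafile: str) -> List[str]:
    """GET /Rest/Identity/User, trusting only the certificate in `cafile`."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain must end at the exported ACS cert
    ctx.check_hostname = False                         # self-signed CN rarely matches; the cert itself is still pinned
    req = urllib.request.Request(
        base_url.rstrip("/") + "/Rest/Identity/User",
        headers={"Authorization": basic_auth_header(user, password),
                 "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_users(resp.read())


# Constructed sample response (an assumption about the layout, not captured from a real ACS)
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<ns2:users xmlns:ns2="urn:example:acs-identity">
  <user><id>1</id><name>alice</name><enabled>true</enabled></user>
  <user><id>2</id><name>bob</name><enabled>false</enabled></user>
</ns2:users>"""

if __name__ == "__main__":
    print(parse_users(SAMPLE_XML))
    # Live call, assuming the ACS certificate was exported first with something like:
    #   openssl s_client -connect acs.example.net:443 </dev/null | openssl x509 > acs.pem
    # print(fetch_users("https://acs.example.net", "acs_admin_user", "admin_pass", "acs.pem"))
```

For the wget one-liner the equivalents are --ca-certificate=acs.pem in place of --no-check-certificate, and --ask-password in place of --http-password, which otherwise leaves the admin password in the shell history and the process list.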

CCIE Lab or dual CCIE written preferred

I got this sent from a friend of mine who is looking for a job. The job description asked for "CCIE Lab or dual CCIE written".

I wonder who wrote this stuff?

CCIE written is easy. It is not a certification exam.

The exam is not intended to mean anything other than a ticket to the lab, or a way to recertify an existing CCIE certification, so Cisco is not putting too much effort into it. For example there are no simulations; everything is multiple-choice, so it is easy to eliminate absurd answers.

Most if not all CCIE candidates, who are already CCNPs, are surprised how easy it is. Many are fooled to believe that the lab is anywhere close to being at the same level of difficulty and depth.

If I were a CCNP, I would prefer to take the CCIE written to recertify over the CCNP exams.

If I were hiring, I would prefer a dual CCNP over a dual CCIE written any time. In fact, I would prefer a humble CCNP to someone who passed the written and brags about it.

VIRL – A slow greatness

I had a migration project from 6500 to ASRs. I have decided to check out VIRL.

My migration setup requires 14 routers and a test server. Reading the system requirements for such a setup made me decide not to install it on my laptop.

I went ahead and installed it on a not so small ESX server: A new UCS machine (24 cores, 380G memory, running 4 VMs, including VIRL), ESX 5.1.

I have allocated VIRL 4vCPU, 16GB memory.

The installation was not that short, but not that hard either. After the installation was over, I installed VM Maestro and started building my lab. Working with VM Maestro, which is VIRL's GUI, was really easy. The only annoying thing was my inability to set the interface numbers for the connections between routers.

Here is what my final setup looks like:


The setup is running 12 vIOS, 2 CSR1K, and one Ubuntu server, from which I ran my automated tests.

I pressed "Start simulation" and that is when the trouble started. It took about 40 minutes for all the routers to load. Then the CLI felt like 2400 baud. It was crawling!

Notice that each time you start Continue reading

Docker for network engineers. Part 1 – What is Docker?

Forget OpenStack, forget VMWare, Docker is the new kid on the block.

TL;DR

Docker and Linux containers pack many more instances onto each physical server than VMs do, which increases the network load per physical server, and developers use them to run more instances than ever before.

Also, there is no vSwitch (that is the most important piece of information).

What is Docker?


Docker is an ecosystem built on top of Linux containers. To tell the tale, we need to start with hypervisors.

Hypervisors



The "regular" virtualization is a hardware virtualization. That means that a hypervisor such as ESX, or even your laptop running vmware/vbox, emulates several virtualized physical servers running side by side on a single physical machine.

Notice that each virtual machine is running its own OS. That is wasteful, especially because it is very rare to find two applications running inside a single server, so for each application we run an OS too.

The plus side is that you can run any mix of OSes side by side on the same physical server. You can run Windows, Linux, Solaris, IOSv, ASAv, CSR1000v, vMX, Alteon VA, F5, Vyatta, etc. concurrently on one physical server.


Linux Continue reading

Alteon’s REST API

AlteonOS has a rich REST API for monitoring, operation, and configuration.

REST can be called from a variety of programming languages, or even just using wget. However, since this blog was already using TCL for AppShape++ scripting, we may as well keep using TCL for REST too. However, RESTing with TCL is a bit of a pain in the ..., so this time I'll use Python instead.

Almost forgot to explain what REST is. It's a way to make remote procedure calls over HTTP. Example calls:
  1. Read interface counters
  2. Update a real's weight
  3. Bring down a real inside a group
I strongly recommend using a browser plugin for testing out REST calls. I use HttpRequest for Firefox.

Here are two screenshots. The first is how I get the current status of real 1, and the second is how I disable real 1.



     

     

Lab goal

Using the base setup, create a Python script to toggle the status of real 1: from enabled to disabled and from disabled to enabled.

Setup

The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can Continue reading

GNS3 – ASAv and XRv and IOU and XEv

I am able to run ASAv and XRv and IOU and XEv on my laptop, forming OSPF neighbor relationships between them.

I then pinged each loopback from the ASA and also pinged each loopback from IOU. This test shows:
• One-way broadcast and one-way unicast are working - ARP
• Unicast is working - ICMP
• Multicast is working - OSPF

All thanks to GNS3 v1.1. Isn't it great?

Here is the topology:


And here are some show commands from the ASA:


GNS3 integration with VirtualBox is very useful. Whatever you can run inside VirtualBox, you can connect to each other with endless possibilities.

My system76 laptop is running Ubuntu 14.04, 16GB, i7 and SSDs.

I was using the following resources:

• gns3-gui
• gns3-server
• iouyap
• dynamips (this is needed even if not using dynamips for IOS)
• vboxwrapper
• vpcs (optional, but very handy to test connectivity)
  1. VirtualBox integration with GNS3 won't work without the VirtualBox SDK: http://forum.gns3.net/topic6145.html
  2. Set permissions for dynamips and iouyap, so they can open raw sockets and tap interfaces without running as root (note that cap_dac_override additionally lets dynamips bypass file permission checks, so grant it only to a binary you trust; getcap shows what was actually set):
    cd /usr/local/bin
    sudo setcap cap_dac_override,cap_net_admin,cap_net_raw+eip dynamips
    sudo setcap cap_net_raw,cap_net_admin+eip iouyap
  3. CSR1K install: http://herdingpackets.net/2014/02/06/using-the-cisco-csr1000v-in-gns3-with-virtualbox/
  4. XRv install: http://www.noshutdown.ma/ios-xrv-step-step-install-gns3-integration/
    Notice the NIC type. It should be MT server.
    Notice Continue reading

Alteon – each server is different

Lab goal

Create VIP 10.136.6.16 with the following servers/reals:
• "r8080" - 10.136.85.1 port 8080
• "r8081" - 10.136.85.2 port 8081
• "r8082" - 10.136.85.3 port 8082
The group name should be "gMulti".

Setup


The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Alteon configuration

First let's add the reals.


 1  /c/slb/real r8080
 2  ena
 3  ipver v4
 4  rip 10.136.85.1
 5  addport 8080
 6  /c/slb/real r8081
 7  ena
 8  ipver v4
 9  rip 10.136.85.2
10  addport 8081
11  /c/slb/real r8082
12  ena
13  ipver v4
14  rip 10.136.85.3
15  addport 8082
16  /c/slb/group gMulti
17  ipver v4
18  add r8080
19  add r8081
20  add r8082
21  /c/slb/virt 6_16
22  ena
23  ipver v4
24  vip 10.136.6.16
25  /c/slb/virt 6_16/service 80 http
26  group gMulti
27  rport 0

• Lines 1-15: Configure the real servers. Notice the addport command, which sets the port used by each server.
• Lines 16-20: Create a new group and add the previously defined servers.
• Lines Continue reading

Alteon SSL key import woes

I was trying to import a new certificate with an SSL key, but without success.

But as usual, before trying that on production, I tried it on my lab setup. It went without any problems.

But when trying with the production Alteon, running the same 29.5.1 version, I got this message:

> -----END RSA PRIVATE KEY-----
Enter key passphrase:
Error: The private key is not a valid RSA key

Error: Failed to extract key XXXXX


After trying it several times, comparing some random strings inside the key, I noticed a lag when I pasted the key into the production Alteon. The reason for the lag was SecureCRT, which was configured to insert delays between keys. This feature is extremely useful when pasting large text into NX-OS.


My lab setup uses the default Line Send delay of 5ms and Character send delay of 0ms.

So I tried to use the lab SecureCRT delay setup on my production Alteon, and to my surprise it worked!

So to sum up: when pasting to Alteon 29.5.1, you had better use the default SecureCRT delay settings.

One more thing, and this will save you precious time digging through the command reference:

"key" and "srvrcert" names must be identical

GNS3 1.1


I was never a big fan of GUI tools, so I used dynagen and dynamips for my network designs. But since 15.2 was the last version released for the 7200, dynamips is no longer useful (especially for IKEv2 and OSPFv3 stuff).

I was hoping that Cisco would release VIRL, and they have promised to do so for the past year and a half, but it looks like it will never come. Shelling out $10K for CML (the paid version of VIRL) is a bit too much for most of us. But there is a good alternative:

Not long ago GNS3 version 1.0 was released, and soon after version 1.1 was released too. After a long time of being a backer of their funding campaign, I decided to try GNS3 with IOU.

After installing GNS3 on both Linux and Windows (VMware required), I found that GNS3 is really easy to use, and that IOU is AMAZING. IOU is sooooo fast, and everything just works(tm). I wish I had it years ago!

Goodbye dynamips and dynagen, and thank you so much.

Hello IOU and GNS3. I know it will be the start of a wonderful friendship :)


IPv6 to IPv4 basic setup

Lab goal

Configure Alteon to serve IPv6 clients. The servers should use IPv4.

The IPv6 VIP should be fc00:85::10.



Setup


The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Below is the IPv4 real servers configuration which we will use as a base config.


/c/slb/real 1
ena
ipver v4
rip 10.136.85.1
/c/slb/real 2
ena
ipver v4
rip 10.136.85.2
/c/slb/real 3
ena
ipver v4
rip 10.136.85.3
/c/slb/group 10
ipver v4
add 1
add 2
add 3

Alteon configuration

All we need to do is create a new virt/VIP and assign it an IPv6 address.


/c/slb/virt v6_85_10
ena
ipver v6
vip fc00:85:0:0:0:0:0:10
/c/slb/virt v6_85_10/service 80 http
group 10
rport 80
dbind forceproxy
/c/slb/virt v6_85_10/service 80 http/pip
mode address
addr v4 10.136.85.200 255.255.255.255 persist disable

Notice that we need the pip, which is the Proxy IP, a.k.a. SNAT. Since we are translating from IPv6 to IPv4, we need Alteon to act as a proxy, and for that it needs an IPv4 address to communicate with the real servers.

Test


Summary

That was really simple, wasn't it? Just change the virt/VIP to IPv6 and we have an IPv6 to IPv4 gateway.

Change HTTP reply content with AppShape++

Lab goal

When a client asks for beta/a2.html, return "Hello" instead.

Use VIP 10.136.85.14

Setup


The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Notice the group and hosts are preconfigured:

/c/slb/real 1
ena
ipver v4
rip 10.136.85.1
/c/slb/real 2
ena
ipver v4
rip 10.136.85.2
/c/slb/real 3
ena
ipver v4
rip 10.136.85.3
/c/slb/group 10
ipver v4
add 1
add 2
add 3

Alteon configuration

First, let's configure the VIP/virt.

Remember routing! The return traffic needs to go through the Alteon, otherwise TCP will break. So we also need to configure a Proxy IP/SNAT so that return traffic goes back through the Alteon.


/c/slb/virt 85_14
ena
vip 10.136.85.14
/c/slb/virt 85_14/service 80 http
group 10
/c/slb/virt 85_14/service 80 http/pip
mode address
addr v4 10.136.85.200

Next we need to write the AppShape++ script:

Continue reading

Using AppShape++ to change a request’s URL

Lab goal

• When a client asks for /cgi-bin/*, change that to /alpha/a1.html and serve it from SRV1
• Fix the 404 page not found.

Use VIP 10.136.6.13.

Setup


The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Notice the group and hosts are preconfigured:

/c/slb/real 1
ena
ipver v4
rip 10.136.85.1
/c/slb/real 2
ena
ipver v4
rip 10.136.85.2
/c/slb/real 3
ena
ipver v4
rip 10.136.85.3
/c/slb/group 10
ipver v4
add 1
add 2
add 3

Alteon configuration

Let's first create the VIP/virt and test it out.


/c/slb/virt 6_13
ena
vip 10.136.6.13
/c/slb/virt 6_13/service 80 http
group 10

To fix the 404 at the bottom of the webpage, we need to change the request URL from /not_here to /here.html.

So let's write the AppShape++ script:

attach group  Continue reading

HTTP to HTTPs redirect with a twist

Lab goal

Create a new VIP/virt - 10.136.85.13.

The main page should use HTTP but all the other elements should use SSL.


Setup




The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Alteon configuration

We will reuse group 10, which includes all web servers.

So all that is left is to create a VIP/virt with HTTP and HTTPS services:

 1  /c/slb/virt 86_13
 2  ena
 3  ipver v4
 4  vip 10.136.85.13
 5  /c/slb/virt 86_13/service 80 http
 6  group 10
 7  rport 80
 8  /c/slb/virt 86_13/service 80 http/pip
 9  mode address
10  addr v4 10.136.85.200
11  /c/slb/virt 86_13/service 443 https
12  group 10
13  rport 443
14  /c/slb/virt 86_13/service 443 https/pip
15  mode address
16  addr v4 10.136.85.200

Lines 8-10 - Source NAT. Without it, traffic from the server would go directly to the client without first passing through the Alteon.

Now for the AppShape++ script:


when HTTP_REQUEST {
# extract the fields from the HTTP headers
set url [ Continue reading

Alteon AppShape++ Redirects

Lab goals

In the lab we will practice:

• Redirection - r.dans-net.com should be redirected to 3.dans-net.com
• Decision by URL matching:
• If URL length is 1 or 2, not including the leading "/", then redirect to 3.dans-net.com
• If URL is "/images/number.jpg" or "/icons/number.jpg" then select SRV1
• URL begins with "/alpha" or with "/beta" then select SRV2
• URL contains "cgi-bin" or "gamma" then select SRV3
Both r.dans-net.com and 3.dans-net.com should resolve to 10.136.6.11.

Setup


The loadbalancer is Radware's Alteon VA version 29.5.1.0

Here is the /etc/hosts or c:\windows\system32\drivers\etc\hosts resolver snippet:


10.136.6.11     3.dans-net.com
10.136.6.11     r.dans-net.com

Alteon configuration

First let's create 3 groups, one for each SRV:



/c/slb/group g1
ipver v4
add 1
/c/slb/group g2
ipver v4
add 2
/c/slb/group g3
ipver v4
add 3

Next, let's create the VIP/virt:


/c/slb/ Continue reading

Select group/pool by query URI

Lab goal

When a request looks like this: http://a3.dans-net.com/group=GROUPNAME then the group/pool will be selected by the following name:

group_GROUPNAME

For example, for http://10.136.5.10/group=g1 the selected group will be group_g1

The following groups should be defined:
• g1 - SRV1
• g2 - SRV2
• g3 - SRV3

The VIP should be 10.136.5.10

Setup


The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Alteon configuration

First, let's configure the groups.

/c/slb/group g1
        add 1
/c/slb/group g2
        add 2
/c/slb/group g3
        add 3

Next let's write the script.


attach group g1
attach group g2
attach group g3

when HTTP_REQUEST {
set group_exists [regexp -nocase {group=(g[0-9]+)(&.*)*$} [HTTP::query] a group_name]
if {$group_exists == 1} {
group select $group_name
Continue reading
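Both this lab and the Redirects lab above hand a client-controlled value (the Host header, the path, the ?group= parameter) to the load balancer's decision logic, which is exactly where a practitioner wants the validation spelled out. Here is the decision logic of both labs together in Python, as an added example that is not the original AppShape++ code: it goes beyond the two scripts by normalising the Host header, redirecting short paths to the site root so a request already on 3.dans-net.com cannot loop, and checking the group a client names against the set of groups actually attached, so the regexp is not the only thing standing between a crafted query string and an unintended pool. The attached group names, the redirect target, and the reading of "number.jpg" as a numeric file name are assumptions.

```python
"""Routing decisions for the Redirects and query-URI labs, with the client-supplied
parts (Host header, path, query string) validated before they pick a backend."""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

Decision = Tuple[str, Optional[str]]           # ("redirect", url) or ("group", name | None)

# Assumptions: the groups attached to the script, the canonical host and the redirect map
ATTACHED_GROUPS = frozenset({"g1", "g2", "g3"})
CANONICAL_HOST = "3.dans-net.com"
HOST_REDIRECTS = {"r.dans-net.com": CANONICAL_HOST}

# Same pattern the AppShape++ script uses; case-insensitive because the script says -nocase
GROUP_RE = re.compile(r"group=(g[0-9]+)(&.*)*$", re.IGNORECASE)
# "/images/number.jpg" read as "a numeric file name under images/ or icons/" (assumption)
NUMBER_JPG_RE = re.compile(r"^/(images|icons)/[0-9]+\.jpg$")


def group_from_query(query: str) -> Optional[str]:
    """Pick a group from ?group=gN, but only if that group is actually attached.

    The regexp already limits the name to g<digits>; the allowlist is the second line
    of defence, so a client can never steer traffic to a pool the script did not mean.
    """
    m = GROUP_RE.search(query)
    if not m:
        return None
    name = m.group(1).lower()
    return name if name in ATTACHED_GROUPS else None


def decide(host: str, request_uri: str) -> Decision:
    """Apply the redirect and URL-matching rules of the Redirects lab, then the
    query-URI selection, and fall back to the service's default group."""
    host = host.lower().split(":", 1)[0]          # normalise 'Host: R.Dans-Net.com:80'
    if host in HOST_REDIRECTS:
        return ("redirect", f"http://{HOST_REDIRECTS[host]}{request_uri}")

    parts = urlsplit(request_uri)
    path = parts.path or "/"

    # 1 or 2 characters after the leading '/' -> redirect to the root of the canonical
    # host. The root rather than the same path is an assumption (the lab only names the
    # host); it keeps a request that is already on 3.dans-net.com from looping.
    if 1 <= len(path.lstrip("/")) <= 2:
        return ("redirect", f"http://{CANONICAL_HOST}/")

    selected = group_from_query(parts.query)     # explicit, validated ?group= wins
    if selected:
        return ("group", selected)

    if NUMBER_JPG_RE.match(path):
        return ("group", "g1")                    # SRV1
    if path.startswith("/alpha") or path.startswith("/beta"):
        return ("group", "g2")                    # SRV2
    if "cgi-bin" in path or "gamma" in path:
        return ("group", "g3")                    # SRV3
    return ("group", None)                        # let the service's configured group handle it


if __name__ == "__main__":
    for h, u in [("r.dans-net.com", "/index.html"), ("3.dans-net.com", "/ab"),
                 ("3.dans-net.com", "/images/42.jpg"), ("3.dans-net.com", "/alpha/a1.html"),
                 ("a3.dans-net.com", "/?group=G2"), ("a3.dans-net.com", "/?group=g9"),
                 ("a3.dans-net.com", "/?group=../etc")]:
        print(h, u, "->", decide(h, u))
```

The two cases to keep in a test set are the ones a client can choose: a group name that matches the regexp but is not attached (g9 above) and a Host header in mixed case with a port, since an AppShape++ script that compares hosts with a plain string equality will miss the redirect for the latter.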