Packetswitch Archives - Page 2 of 6

Setting up Proxmox Backup Server

If you follow my blog, you may know that I recently migrated to Proxmox as my hypervisor, and I absolutely love it. My Proxmox server runs on a custom-built PC with an i9-10900K, 128GB RAM, and 3 x 1TB SSDs. I’m not using anything fancy, just a good number of VMs spread across two of the SSDs.

In this post, we’ll go through the process of setting up Proxmox Backup Server and backing up all the VMs from my Proxmox server to this backup server.

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

Why Proxmox Backup Server?

I’ve been running Proxmox for a few months without any backups. I did create some snapshots inside Proxmox in case I messed up a VM, so I could roll back if needed. Continue reading

Running Unifi Network Application in Docker

As of January 2024, the linuxserver/unifi-controller Docker image has been deprecated and is no longer receiving updates. This means it may no longer be secure or compatible with newer versions of UniFi devices. Users are now advised to switch to the linuxserver/unifi-network-application image, which is actively maintained and provides the latest version of the UniFi Network Application.

In this blog post, we will cover how to run the new image in Docker and how to migrate from the old image to the new one without losing your existing configuration.

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

Overview

In my homelab, I have a USW Lite 8 PoE, U6-Pro, and U6 Mesh. I had been running the older linuxserver/unifi-controller Docker image since I first set them up. My controller was on version 8.0.34, if I remember correctly.

Recently, I moved to a new host, so I decided it was the right time to migrate to the new linuxserver/unifi-network-application image. While checking their GitHub page, I found this note.

You Continue reading

Using the Continue VSCode Extension and Local LLMs for Improved Coding

Welcome back to another post on local LLMs. In this post, we’ll look at setting up a fully local coding assistant inside VSCode using the Continue extension and Ollama. Let’s get started.

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

Overview

We’ve covered Ollama and Local LLMs in previous blog posts (linked below), but here’s a quick summary.

Ollama is a tool that lets you run large language models (LLMs) directly on your local machine. Local LLMs are language models that run on your computer instead of relying on cloud-based services like ChatGPT. This means you can use them without sending your data to external servers, which is great for privacy. They also work offline, so you’re not dependent on an Internet connection.

That said, it’s important to note that local models, especially on smaller setups, won’t match the speed or performance of cloud-based models like ChatGPT. These cloud models are powered by massive infrastructure, so they’re faster and often more accurate. However, the trade-off is privacy and offline access, which local LLMs provide.

In Continue reading

Using Ollama with a Web-Based GUI

When I first started using local LLMs with Ollama, I quickly realised it relies on a command-line interface to interact with the models. It also comes with an API, but let’s be honest, most of us, myself included, prefer a GUI, much like the one ChatGPT provides. There are plenty of options available, but I decided to try Open Web GUI. In this blog post, we’ll explore what Open-WebGUI is and how simple it is to set up a web-based interface for your local LLMs.

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

Overview

Ollama is a tool for running local LLMs, offering privacy and control over your data. Out of the box, it lets you interact with models via the terminal or through its API. Installing Ollama is straightforward, and if you’d like a detailed guide, check out my other blog post which is linked below.

This blog post assumes you already have Ollama set up and running. For reference, I’m running this on my MacBook (M3 Pro with 18GB of RAM).

open-webui

Open Continue reading

Running Large Language Models (LLM) on Your Own Machine Using Ollama

I’m going to start by saying I’m totally new to LLMs and running them locally, so I’m not going to pretend like I know what I am doing. I’ve been learning about Ollama for some time now and thought I would share it with my readers as always. This is such an interesting topic and I’m ready to go into the rabbit hole.

As always, if you find the content useful, don’t forget to press the ‘clap’ button to your left. This is one way for me to know that you like this type of content, which means a lot to me. So, let's get started.

Large Language Models (LLMs)

LLMs, or Large Language Models, are a type of artificial intelligence designed to process and generate natural language. They are trained on vast amounts of text data, enabling them to understand context, identify patterns, and produce human-like responses. These models can perform various tasks such as answering questions, translating languages, summarising text, generating creative content, and assisting with coding. LLMs have gained significant attention in recent years due to their impressive performance and versatility.

Palo Alto URL Filtering and SSL Decryption

Without SSL decryption, the Palo Alto firewall Continue reading

Running Containerlab in macOS (Cisco IOL/cEOS)

Let me start by saying that I usually run Containerlab on a dedicated Ubuntu 22.04 VM, which sits on top of Proxmox. All my labs run on this setup. However, I recently wanted to try running Containerlab directly on my MacBook (M3 Pro with 18GB of RAM) for a few reasons. For example, I might need to run labs while I’m away, work offline, or use a MacBook at work where I can’t access my home network. So, I decided to test whether I could run Cisco IOL and Arista EOS on macOS. The answer is yes, and here’s how you can do it.

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

If you’re new to Containerlab and trying to understand what it is, I highly recommend checking out my introductory post, which is linked below. It covers the basics and will help you get started.

Containerlab - Creating Network Labs Can’t be Any Easier

What if I tell you that all you need is just a YAML file with just a bunch Continue reading

Palo Alto How to Configure SSL Decryption?

Most websites we access today use HTTPS, and to fully leverage a Next-Generation Firewall (NGFW) like Palo Alto, inspecting encrypted HTTPS sessions is crucial. Configuring SSL decryption isn't just a set-it-and-forget-it task. It requires careful consideration and ongoing improvements. In this blog post, we'll explore how to configure SSL decryption in Palo Alto firewalls and highlight some pitfalls to be aware of. So, let's get to it.

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

SSL Decryption Considerations

As I mentioned earlier, configuring SSL decryption isn’t as simple as flipping a switch. Decryption allows your firewall to inspect the contents of encrypted sessions. Normally, HTTPS traffic is encrypted from your browser to the server, ensuring the sessions are private. However, with SSL decryption, the firewall acts as a man-in-the-middle, inspecting the traffic in plain text. It’s crucial Continue reading

Running EVE-NG in Proxmox

If you follow my blogs, you might know that I recently switched to Proxmox from VMware Workstation Pro for my home lab. I’ve already migrated most of my VMs, including Cisco CML, to Proxmox, and the last piece left was EVE-NG. In this blog post, we’ll go through the steps to install EVE-NG in Proxmox. Let’s get started!

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

Overview

EVE-NG doesn’t have official documentation for Proxmox, but it works perfectly fine, and I haven’t faced any issues so far. For this example, I’m using

Proxmox version 8.3.0
EVE-NG Community Edition 6.2.0

Most of the VM’s settings can be left at their default values, but there are a couple of changes I had to make. Before diving in, let's have a quick look at Nested Virtualization.

Nested Virtualization

Nested virtualization allows you to run virtual machines Continue reading

InfraHub Schema Library

In my previous InfraHub introductory post, we covered installation and the basics of InfraHub. In this second post, let’s explore the ‘Schema Library’ provided by OpsMill, the team behind InfraHub. As mentioned in the previous post, InfraHub doesn’t include any user-defined schemas out of the box, so we need to create our own. However, the Schema Library repository offers a collection of schemas that we can easily import into InfraHub. In this post, we’ll take a closer look at the Schema Library and how to use it.

If you are new to Infrahub and want to learn the basics of what it is and how to install it, feel free to check out my introductory post below.

Recap on Schema

The way I think about schema is that it is a blueprint that defines the structure of your data. It specifies the nodes (like devices and interfaces), their attributes, and the relationships between them. This allows you to customize how you Continue reading

Palo Alto URL Filtering and SSL Decryption

In my previous blog posts (linked below), we looked at how to allow or block specific websites using URL filtering. In this post, we'll look into how to use URL filtering with SSL decryption for more granular control.

Why Do We Need SSL Decryption?

Previously, we saw how to block sites like facebook.com or cnn.com, or allow specific websites blocked by a URL Filtering profile. However, these methods fall short when more granular access is required. Most website traffic today is encrypted with HTTPS, meaning the firewall cannot inspect what's happening within those sessions.

Without SSL decryption, the Palo Alto firewall (or any NGFW) relies on the SNI or CN of the certificate Continue reading

Palo Alto How to Block Specific URLs?

When working with Next-Generation Firewalls (NGFWs), you may come across situations where you need to block specific websites. In this blog post, we'll explore how to block specific sites using a Palo Alto firewall. There are two ways to achieve this, and we'll cover both options.

A Quick Recap on URL Filtering

Depending on your security requirements, you might block entire categories such as gambling, terrorism, or proxy sites. However, there are times when you only need to block specific sites rather than an entire category.

In this blog post, we'll use cnn.com and samsung.com as examples (no hard feelings toward them, these were just the first sites that came to mind, haha 🙂).

💡

Please Continue reading

Palo Alto Allow Access To Certain URLs Matching A Blocked URL Category

If you use URL filtering on your Palo Alto firewalls, you may come across situations where a specific URL category is set to block, but you need to allow certain sites. For example, you might block the 'social networking' category but still want to allow access to Facebook. Similarly, you may block 'newly registered domains,' but need immediate access to a site categorized as such. While you can request Palo Alto to re-categorize the site, sometimes you need a quicker solution.

In this blog post, we'll look at how to allow access to specific URLs that match a blocked URL category. There are two ways to achieve this, and I’ll cover both.

A Quick Recap on URL Filtering

This blog post assumes you have some familiarity with URL filtering. In a typical setup, you create a URL Filtering profile, configure the categories to allow or block, and attach this profile to your security policies. For instance, if you block the 'proxy-avoidance' category and try to access a site like expressvpn.com, the traffic will be blocked.

To demonstrate this, I'll set the 'proxy-avoidance' category to block. This means that if I try to access expressvpn.com, it will be blocked. Continue reading

XtendISE Key Features – Simplifying Cisco ISE Management

XtendISE is a user-friendly web application integrated with Cisco ISE and designed to simplify daily tasks and common challenges related to 802.1X without requiring extensive training on Cisco ISE. XtendISE helps manage MAC addresses, troubleshoot 802.1X authentication issues, and simplify the management of switch 802.1X configurations. It also validates configurations to ensure they are set up correctly and as intended.

We covered the basics of XtendISE in a previous article linked below. In this blog post, we will explore in detail three key features that XtendISE offers.

MAC address management
Enhanced Troubleshooting Capabilities
Configuration and Auditing of the network access devices

💡

Disclaimer - XtendISE sponsors my blog, and this is a sponsored post. However, I had the final say on the content and personally liked their product.

Mac Address Management

Typically, when a device doesn’t support 802.1X, we collect its MAC address and add it to a specific group in Continue reading

Running Cisco CML in Proxmox

For the past few years, I’ve been running all my virtual machines on VMware Workstation Pro, installed on Windows 11. While it worked well for the most part, there were a few recurring issues. Windows would occasionally reboot to install updates, and when it did, my VMs would go down with it. This dependency on Windows to keep my VMs running became frustrating. Recently, I switched to Proxmox, a type-1 hypervisor, and the difference has been night and day.

In this blog post, we'll go through how to install Cisco CML (specifically CML 2.8 Free Tier) on Proxmox. If you're looking to install Cisco CML on VMware Workstation, check out my other blog post linked below.

Download the Cisco CML Image

Head over to the Cisco download page and select CML (2.8 Free Tier). You need a Cisco account, which is easy to create. Once you create the account and log Continue reading

Getting Started with Infrahub

If you're in the Network Automation space or attended one of the last two Autocon events, you might have come across a new tool called 'Infrahub' from OpsMill. I've been keeping an eye on it and experimenting with the product for some time now. In this blog post, we'll cover how to install Infrahub, what it is, and walk through a simple example to get you started. Let's dive in.

Infrahub Installation

Installing Infrahub is straightforward if you're familiar with Docker and have it installed. For this example, I'm using an Ubuntu 22.04 server with Docker and Docker Compose already set up. Here's all I had to do.

Clone the Infrahub repository
Run a single docker command to bring up the services

suresh@infrahub:~$ git clone https://github.com/opsmill/infrahub.git
Cloning into 'infrahub'...
remote: Enumerating objects: 95389, done.
remote: Counting objects: 100% (5707/5707), done.
remote: Compressing objects: 100% (2801/2801), done.
remote: Total 95389 (delta 3698), reused 4482 (delta 2877), pack-reused 89682
Receiving objects: 100% (95389/95389), 136.18 MiB | 40.26 MiB/s, done.
Resolving deltas: 100% (69451/69451), done.

suresh@infrahub:~$ cd infrahub/
suresh@infrahub:~/infrahub$ docker-compose up -d

[+] Running 70/7
 ✔ message-queue 10 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿]      		0B/0B      Pulled
 ✔ task-manager 13 layers  Continue reading

Why You Should Change Palo Alto Master Key?

Palo Alto firewalls come with a default master key used to encrypt passwords, secrets, and certificates. If your firewall is compromised or someone gains unauthorized access, they can easily decrypt these secrets, posing a significant security risk. In this blog post, let's explore why you should change the master key, important considerations, and how to configure it. Let's get started.

Why Change the Master Key?

Palo Alto firewalls come with a default master key. Anyone with unauthorized access to the firewall can easily decrypt your secrets or export the configuration to another firewall to retrieve those secrets. For this reason, Palo Alto strongly recommends changing the master key as soon as possible.

Master Key Considerations

Configuring the master key isn’t something you can just set and forget; it requires careful consideration. Here are some important points to keep in mind.

The new master key must be exactly 16 characters long.
If your firewalls are in an HA pair, you need to disable 'Config Sync' before configuring the key, as the key does not sync across the pair. You must configure the exact same key on each firewall individually.
If the master key expires, the firewall or Panorama will Continue reading

Palo Alto Auto-Tagging to Automate Security Actions

Auto-tagging allows the firewall to tag a policy object when it receives a log that matches specific criteria, creating an IP-to-tag or user-to-tag mapping. For example, when the firewall generates a traffic or threat log, you can configure it to tag the source IP address or User associated with that log using a specific tag name. These tags can then be used to automatically populate policy objects like Dynamic User Groups or Dynamic Address Groups, which in turn can automate security actions within security policies.

For example, let's say I have a policy that denies traffic from the Internet to the firewall's public IP or subnet whenever someone attempts to access random ports. This policy blocks the traffic and generates a traffic log. Now, if someone tries to target our public IP on port 22 (SSH), we might want to add them to a blacklist, which is a Dynamic Address Group. We can then create another policy that references this Dynamic Address Group to block any further traffic from this IP address.

A Realistic Use Case

A realistic use case is when you want to block a source IP after multiple failed authentication attempts to GlobalProtect. Typically, you can use Continue reading

Cisco CML Free Tier (No Kidding)

I first came across this on LinkedIn that Cisco is introducing a free tier of their Cisco CML platform (starting from version 2.8). My initial reaction was, 'Cisco giving something away for free? That can't be true!' But it turns out, it is. I couldn't wait to try it. I believe it’s limited to five nodes, but I’ll take it.

I could never justify paying $199 per year when there are free alternatives available (EVE-NG, GNS3, Containerlab). If it were a one-time purchase, I might have gone for it, but $199 every year is just too much for me.

In this post, I'll cover how to get the free version and how to install it on VMware Workstation.

💡

Downloading the CML image requires a Cisco account, which you can create for free. Also, make sure to add your address to your profile, or you might not be able to download it.

Downloading the Image

Head over to the Cisco download page and select CML version 2.8 Free Tier. As I mentioned earlier, you need a Cisco account, which is easy to create. Depending on your installation method, you can choose either the bare-metal or OVA Continue reading

Introduction to Arista PyeAPI

The Python Client for eAPI (pyeapi) is a Python library that simplifies working with Arista eAPI, removing the need to deal with the specifics of its implementation. It's straightforward to configure and use. In this blog post, we'll look at how to install pyeapi and go through some examples.

If you're familiar with Arista's eAPI, you know that you can browse to the device's IP in a browser, run commands, and get the output directly. You can also achieve the same result using Python, but it typically requires understanding which libraries to use and how to construct the REST API requests.

However, pyeapi simplifies all of this. You don't need to worry about what's happening behind the scenes. Below is a screenshot of running show vlan command via the REST API, and in the following examples, we'll see how to get the same output using pyeapi.

PyeAPI Installation

To install pyeapi, you can use pip, which is the standard package manager for Python. It's a good practice to use a virtual environment (venv) to keep your dependencies isolated and avoid conflicts with other projects. First, create and activate a virtual environment. Once your virtual Continue reading

Juniper EX Switch Port Mirroring

In this blog post, we will look at how to set up port mirroring on Juniper EX switches. The goal is to mirror all the traffic coming in and going out of one switch port to another port. By doing this, we can connect a laptop to the mirrored port and capture all the traffic. This is particularly useful when you can't directly capture traffic from a device, such as a CCTV camera, TV, or other similar devices. Let's get started.

In this example, we have a database server connected to port ge-1/0/1, and we want to mirror all traffic going in and out of this port to port ge-1/0/4, where our laptop is connected. With this setup, we can use Wireshark on the laptop to capture the mirrored traffic.

configure
edit forwarding-options
edit analyzer my_capture

set input ingress interface ge-1/0/1
set input egress interface ge-1/0/1
set output interface ge-1/0/4

commit

The ingress and egress parts of the configuration refer to the traffic coming into the port (ingress) and leaving the port (egress). Ideally, we want to capture traffic in both directions, but you have the option to mirror traffic in only one direction if needed.

If you Continue reading

« Previous 1 2 3 4 … 6 Next »