Python Script Pulling AWS IP Prefixes – Part 3
The two previous posts described what the script does and modules used as well as how the script leverages YAML.
This time, we will go through the function that generates the access-list name. The code for this is below:
def generate_acl_name(interface_name: str) -> str:
"""Generate unique ACL name to avoid conflicts with any existing ACLs
by appending a random number to the outside interface name"""
# Create a random number between 1 and 999
random_number = random.randint(1, 999)
acl_name = f"{interface_name}_{random_number}"
return acl_name
The goal with this code is to generate a new access-list with a unique name. Note that the script doesn’t do any check if this access-list already exists which is something I will look into in an improved version of the script. I wanted to first start with something that works and take you through the process together with myself as I learn and improve on the existing code.
The function takes an interface_name which is a string. This is provided by the YAML data that we stored in the yaml_dict earlier. The function is then called like this:
acl_name = generate_acl_name(yaml_dict["outside_interface"])
The name is stored in the yaml_dict under the outside_interface mapping:
In [6]: yaml_dict Continue reading
Building a Separate Infrastructure for Guest Access
One of my readers sent me an age-old question:
I have my current guest network built on top of my production network. The separation between guest- and corporate network is done using a VLAN – once you connect to the wireless guest network, you’re in guest VLAN that forwards your packets to a guest router and off toward the Internet.
Our security team claims that this design is not secure enough. They claim a user would be able to attach somehow to the switch and jump between VLANs, suggesting that it would be better to run guest access over a separate physical network.
Decades ago, VLAN implementations were buggy, and it was possible (using a carefully crafted stack of VLAN tags) to insert packets from one VLAN to another (see also: VLAN hopping).
Building a Separate Infrastructure for Guest Access
One of my readers sent me an age-old question:
I have my current guest network built on top of my production network. The separation between guest- and corporate network is done using a VLAN – once you connect to the wireless guest network, you’re in guest VLAN that forwards your packets to a guest router and off toward the Internet.
Our security team claims that this design is not secure enough. They claim a user would be able to attach somehow to the switch and jump between VLANs, suggesting that it would be better to run guest access over a separate physical network.
Decades ago, VLAN implementations were buggy, and it was possible (using a carefully crafted stack of VLAN tags) to insert packets from one VLAN to another (see also: VLAN hopping).
RSA vs ECDSA in DNSSEC
Is it time to jump over from RSA to ECDSA in DNSSEC?Rockport’s Switchless Networking – Don’t Call It A SmartNIC
Rockport Networks has announced a switchless data center networking product that targets high-performance compute clusters running latency-sensitive workloads. Instead of switches in a leaf-spine or Clos fabric design, Rockport builds a multi-path mesh using network cards installed in the PCIe slots of servers and storage systems.
The post Rockport’s Switchless Networking – Don’t Call It A SmartNIC appeared first on Packet Pushers.
Bringing Security up to the Speed of the Cloud
There is no reason for security to lag behind and stick to old models when there are the capabilities and infrastructure to enable cloud-first network security.The 400G Era
As an industry leader in data-driven networking, Arista’s introduction of 400G platforms in 2019 intersected the emerging needs of hyper-scale cloud and HPC customers to dramatically increase bandwidth for specific ultra-high performance applications.
A Brief History of the Meris Botnet
Meris first got our attention due to an exceptionally large 17.2 million requests per second (rps) DDoS attack that it launched against one of our customers. This attack, along with subsequent attacks originated by the Meris botnet, was automatically detected and mitigated by our DDoS protection systems. Cloudflare customers, even ones on the free plan, are protected against Meris attacks.
Over the past months, we’ve been tracking and analyzing the activity of the Meris botnet. Some main highlights include:
- Meris targets approximately 50 different websites every single day with a daily average of 104 unique DDoS attacks.
- More than 33% of all Meris DDoS attack traffic targeted China-based websites.
- More than 12% of all websites that were attacked by Meris are operated by US-based companies.
View more Meris attack insights and trends in the interactive Radar dashboard.
So what is Meris?
Meris (Latvian for plague) is the name of an active botnet behind a series of recent DDoS attacks that have targeted thousands of websites around the world. It was originally detected in late June 2021 by QRator in joint research they conducted with Yandex. Their initial research identified 30,000 to 56,000 bots, but they estimated that the numbers Continue reading
Anycast in Segment Routing
MPLS or Anycast Routing – for a long time, you had to choose one. Segment Routing allows you to have both.
Introduction
It’s hard to overstate how important anycast routing is. DNS root servers and CDN rely on it to …
Creating BGP Multipath Lab with netsim-tools
I was editing the BGP Multipathing video in the Advanced Routing Protocols section of How Networks Really Work webinar, got to the diagram I used to explain the intricacies of IBGP multipathing and said to myself “that should be easy (and fun) to set up with netsim-tools”.
Fifteen minutes later1 I had the lab up and running and could verify that BGP works exactly the way I explained it in the webinar (at least on Cisco IOS).
Creating BGP Multipath Lab with netlab
I was editing the BGP Multipathing video in the Advanced Routing Protocols section of How Networks Really Work webinar, got to the diagram I used to explain the intricacies of IBGP multipathing and said to myself “that should be easy (and fun) to set up with netlab”.
Fifteen minutes later1 I had the lab up and running and could verify that BGP works exactly the way I explained it in the webinar.
Satyen Desai: Why I joined Cloudflare and why I am helping Cloudflare grow in Southeast Asia and Korea
I am excited to announce that I have joined Cloudflare as the Head of Southeast Asia and Korea (SEAK) region to help build a better Internet and to expand Cloudflare’s growing customer, partner and local teams across all the countries in SEAK. Cloudflare is at an emergence phase in this region, with immense growth potential, and this is just the beginning. Cloudflare has had a lot of success globally and our charter is to build on that success and momentum to grow our presence locally to address the demands in Singapore, Malaysia, Thailand, Indonesia, Philippines, Indochina and Korea. Customer engagements in each of the countries in SEAK presents a unique, rich and fulfilling engagement each with their own intricacies.
A little about me
I was born in India (Surat, Gujarat), and at the age of four our family moved to Bahrain where we lived for eight years. We then moved to New Zealand, which is where I completed my senior years of high school and also my Bachelor’s Degree in Information Engineering at Massey University. After graduation, we moved to Melbourne, Australia which is our family home and where my career started.
I love meeting and working with diverse and Continue reading
Utilizing BGP Communities for traffic steering – part 1: Firewalls
Overview:
I typically spend more time in the enterprise data center than most of our team members and this comes with its own unique set of problems. One discussion that seems to never fail to come up is “where do I put the Firewalls (FWs)?”. That is typically followed by I have a disaster recovery or backup site with FWs there as well. This inevitably leads to a state management problem. Let’s look at how we can utilize BGP to address this problem:
- what is a BGP standard community
- BGP best path selection process
- how to utilize them to steer traffic
This is something most service providers deal with on a daily basis but can be new to an enterprise.
BGP Standard communities
A BGP community is a route attribute that, essentially provides extra information for someone to take action or glean information from the route such as where it came from (location, type, organizational role).
By definition, a community is a 32 bit number that can be included with a route and when utilizing the new community format is displayed as (0-65535):(0-65535). It is recommend to utilize the new community format versus the old community format which is Continue reading