23 points · 17 days ago

It's ok, best practice is still to use plywood and a cabinet/shelf if you can.


The CVD says to use plywood.

A cabbie along with a lass

Must now go and save the earth's ass

With 'Great Evil' it's dire

Ruby Rhod, make some fire

yes she knows it is a multipass!

Yeah, Cisco 2960s can create port-channels using ports from different switches in the same stack. The quantity of port-channels may be limited though.

You said that the links are on different switches in a stack. You should be able to port-channel them if the switches are in the same stack

I work for a (Cisco focused) VAR so I install different firewall products regularly. My two cents:

  • #1: Palo Alto has (by far) the best customer satisfaction. I have never seen a customer be unhappy with their Palo Alto. Easy to use, intuitive to configure, easy scripting and API usage. The only real downside is the price.

  • #2: Cisco Firepower is a dumpster fire. Horrible stability (full of critical bugs in every release), no local configuration ability on the appliance (all configuration must come from the controller when a central controller is used), no text-based configuration export, no scripting abilities, the list goes on. If you can’t afford Palo Alto, make sure to steer clear of Firepower.

Check out the newer ASAs with FTD (or Firepower Appliances) and the Firepower Management Center. They're a lot more comparable to the PA setup compared to the old and garbage ASDM.


Firepower takes garbage to a whole new level. Steer clear.


“Excuse me. Can you take a selfie of me?”

If you are just looking for a small amount of bandwidth, then DM me. We have a Datacenter at One Wilshire in LA you can peer with for cheap and a new DC coming online in Denver if you want to multihome.

How much data do you plan to push through the tunnel?

Adding to the route lookup question:

Routers will recurse their routing table until a directly connected next hop IP is found. For example:

Router receives a packet destined for 10.0.0.1. It looks up the route for 10.0.0.0/8. The next hop is 192.168.1.1.

It then does a route table lookup for 192.168.1.1. 192.168.1.0/24 is directly connected on eth0. Then it will ARP for 192.168.1.1 on eth0.

If the original 192.168.1.1 is not directly connected, then it will continue to recurse until it finds a directly connected next hop IP for the route of the last next hop IP.

Sorry if I made that confusing to read.
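The recursive lookup described in the comment above, as an added example that is not part of the original post: longest-prefix match, then repeated lookups on the next hop until a directly connected interface is found. The routing table, the depth limit and the loop guard are constructed assumptions for illustration; the second and sixth routes show a two-level recursion and a self-referencing next hop that can never resolve.

```python
import ipaddress

# Constructed routing table: (prefix, next_hop, interface).
# A route with an interface and no next hop is directly connected.
ROUTES = [
    ("10.0.0.0/8", "192.168.1.1", None),
    ("172.16.0.0/12", "10.1.2.3", None),        # next hop lives inside 10.0.0.0/8
    ("192.168.1.0/24", None, "eth0"),
    ("0.0.0.0/0", "203.0.113.1", None),
    ("203.0.113.0/24", None, "eth1"),
    ("198.51.100.0/24", "198.51.100.1", None),  # next hop covered only by itself: unresolvable
]


def longest_match(dest, routes):
    """Return the most specific (network, next_hop, interface) covering dest, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best


def resolve(dest, routes, max_depth=8):
    """Recurse through next hops until a directly connected interface is found.

    Returns (interface, address_to_arp_for, [intermediate next hops]) or None
    when no route exists, the chain loops, or max_depth (an assumed bound) is hit.
    """
    hops = []
    target = dest
    for _ in range(max_depth):
        match = longest_match(target, routes)
        if match is None:
            return None                      # no route at all for this hop
        _net, nh, iface = match
        if iface is not None:
            return iface, target, hops       # connected: ARP for target on iface
        if nh in hops:
            return None                      # next hop refers back to itself: loop
        hops.append(nh)
        target = nh                          # recurse on the next hop address
    return None


if __name__ == "__main__":
    for d in ("10.0.0.1", "172.16.5.5", "192.168.1.50", "8.8.8.8", "198.51.100.7"):
        print(d, "->", resolve(d, ROUTES))
```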


Started this service a few months ago. Hopefully it helps some people out. Works with TELNET, SSH, and HTTP (curl or wget).

Usage:

telnet telnetmyip.com

ssh telnetmyip.com

curl telnetmyip.com

wget -qO- telnetmyip.com

It always returns a JSON formatted response that is easy to read but can be picked up with a JSON library if you want to use it programmatically.

The service works for IPv4 and IPv6 so it is up to your client to decide if it likes the A or AAAA DNS record returned. If you want to test a specific stack, then you can use ipv4.telnetmyip.com or ipv6.telnetmyip.com.

sshmyip.com also contains all the same DNS records so you can use that if it is easier to remember.

Code can be found at the GitHub Page

296
99 comments

Not heard of STUN?

This seems like reinventing a wheel that is already on version 4.

Not really helpful for routers as your internal routers shouldn't have internet access, especially on ports 22 or 23. For a router at the internet edge we already have this:

sh ip int brief

Original Poster · 1 point · 3 months ago

I haven’t heard of STUN. What is it?

Disagree on internet access for internal routers. Blocking outbound ports and access is an old security model that no longer has relevance. Almost all machines need internet access in the future for updates, call home, etc

Am I the only one around here who uses ifconfig.me for the same thing?

Original Poster · 1 point · 3 months ago

With telnet and ssh?



Wrote a tool a while back to help find unused configuration items in an ASA config. It can find unused items in the config as well as find unused ACEs in each ACL.

Compiled binaries available for Windows and Mac.

Available on its GitHub page

73
19 comments

Looks interesting - I'll have to try this out during my next lab session.

Original Poster · 2 points · 3 months ago

Keep in mind it makes no changes. It will generate commands to help you do the cleanup, but cannot make changes itself.

2 points · 3 months ago

I thought ASDM did this built in?

Original Poster · 1 point · 3 months ago

Yeah, I don’t know of it. The new Palo Alto software has something for ACLs, but that’s it.


I finally got around to publishing this project I have been working on for a while.

It is an open-source zero-touch provisioning system for Cisco IOS which allows you to create unique configs for your switches by serial number. The GitHub page has all the info as well as a link to the install demo video.

Check out the GitHub Page

275
55 comments

So, the templating etc is all neat but this sort of "packaging" is the stuff that makes sysadmins cry and take away admin rights from network engineers. Some feedback from someone who straddles both worlds follows...

I'd heartily recommend re-evaluating how you interact with your DHCP server and how you configure/install. You could look at Kea as a DHCP server - it has an API you can interact with directly if you really need to configure it, but I'd really recommend using a static config for your DHCP server with anything dynamic delegated to your Python service. This will let you actually deploy this in most networks and won't make initial setup that hard.

Python 2 isn't going to be supported in major new operating systems much longer - next RH release will officially remove it, for instance. 2to3 will help get your code in order.

You should also consider using pylint/autopep8 which will highlight areas where you're diverging from the Python style guide. 2700 LOC in a single file is unmaintainable - split that file up into a set of files and follow pep8's guidance ( https://www.python.org/dev/peps/pep-0008/ )

There's a potential security issue in that you appear to be listening globally for commands on port 10000 with no authentication - this is really not good practice. Using the Python socket library in non-network-specific code (ie, code where you're not trying to do clever things with packets/datagrams) is usually a sign you're doing something wrong - stick to higher level abstractions. If you need an RPC implementation, don't try and invent one from scratch, pick something off the shelf like http://spyne.io/ or RPyC https://rpyc.readthedocs.io/en/latest/

You also appear to have invented a new database from scratch in here, so stop that and again, use an existing tool. There are numerous SQLite libraries for Python.

Likewise logging - there is a standard module library for logging which supports doing everything you've written from scratch.

Either package this as a native Python library, or if you really need a running service, consider the various packaging tools that will help you build RPMs, DEBs, and more - CMake/CPack works great. "Just run this 'install' command as root!" is something no sane sysadmin will countenance.

Original Poster · 2 points · 3 months ago · edited 3 months ago

I'd heartily recommend re-evaluating how you interact with your DHCP server

  • I'll check out Kea. I looked a bit for a DHCP server when I decided to build that functionality into FreeZTP, but couldn't find a library that did what I need. It seems like they all need to be run as root since they need raw sockets. Thanks for the suggestion. I will check it out.

Python 2 isn't going to be supported in major new operating systems

  • The TFTP library I am using had some issues with Py3. I believe everything else is (or is very close to) Py3 compatible. It is definitely on the road map.

You should also consider using pylint/autopep8

  • Yes, the style and size are something worth mentioning. Style is no biggie. I can work on getting that to the pep8 standard pretty quick. Splitting to multiple files is going to suck. I get the purpose but I just hate having a bunch of files to manage. I'll mull that one over a bit.

listening globally for commands on port 10000

  • Good catch here. I meant to bind that socket to localhost so it is only accessible from the OS. I will fix that immediately. The IPC functionality here is so simple that IDK if it is worth trying to use a formal RPC lib. I'll have to look into that.

new database from scratch in here

  • The database here is stupid simple. I will look at SQLite but I'd really rather not have a database service running in the background. Do you have a suggestion for anything that can run purely in the main Python process?

standard module library for logging

  • I played with that logging module a bit and hated it. I may revisit eventually, but not a high priority.

Either package this as a native Python library

  • I really like the idea of making an RPM instead of the current install process. I am going to see if I can move it over to that model for v2.0.

I really appreciate all of the feedback. I can tell you actually took the time to look at the code and evaluate it. I'm relatively new to Python and programming in general and don't have an environment where I can easily get any kind of code review, so again, I really appreciate your suggestions here.

Does this support configuring switch stack members (like 3850s)? That config isn’t stored in the running config.

I want to connect all the switches in a stack up and have them pull down their configs automatically. The issue is that I can’t find a way to do this without first logging in and setting the switch number and priority manually on each switch or they get assigned the wrong values (depending on the order they boot). If there was a way to do this with ZTP, that would be awesome and would save me so much time!!

Original Poster · 1 point · 4 months ago

It isn't really possible to do this with AutoInstall (as far as I know). AutoInstall downloads the config from the TFTP server and I don't believe you can manipulate the switch number from there.


TBH this design seems overly complex for a small network. The design principle I always follow is As Simple as Possible, and as Complex as Necessary.

Start off by building the simplest possible design to meet the absolute requirements. Then add design features only when you can justify them against the cost of the added complexity. Remember that complexity in a network carries a very high cost. Much more than it seems up front.

Design elements you can probably remove:

  • EIGRP - Use one routing protocol everywhere and make sure it is an open standard (OSPF or BGP most likely).

  • ISR Routers - What is the purpose of having those routers? Just to queue packets for your QOS policy you might one day need? You can run a routing protocol on a switch.

  • Port-Security - This feature always carries problems and complaints with it and doesn't really solve for any modern security vulnerabilities.

  • Dist/Access - For a 60 user office, a switch stack with 2-3 switches will likely be plenty. Anything more than that will be wasted hardware.

With all of this in mind, if this is an assignment for a Cisco Networking Academy class or something similar, then your original design is probably right on the money. Those professors love to see you implement all the little features that Cisco has created over the years. But never implement something like this in the real world.

I agree with you. Complexity is cool, but as you said, expensive.

I would maybe still keep Port-Security, as I think it is easy to implement, and provides you some protection against some basic layer 2/3 attacks.


Port-Security protects you against MAC flooding. I don't believe I have ever seen a MAC flooding attack happen in real life.


AWS Route53 is an excellent registrar and DNS service. Then just use Lambda to build a Dynamic DNS service to update your Route53 records.

https://aws.amazon.com/blogs/startups/building-a-serverless-dynamic-dns-system-with-aws/

I'd go 48 port. Less complexity and less cost.

Your minecraft server might be using Universal Plug-n-Play to open the port on the router.

https://en.wikipedia.org/wiki/Universal_Plug_and_Play
