Wednesday, November 1, 2017

PTT - Push To Talk

When was the last time you were looking for the unmute button in Webex and it took you more than two seconds to find it?

When was the last time you thought you are on mute but actually everyone can hear you snore?

I spend a lot of time in conference calls. This mute thing happens to me a lot.

PTT stands for Push To Talk like we used in walkie-talkies. The computer mic would be normally muted and as long as I press the PTT button, it will unmute the mic.

I couldn't find any such off the shelf device, so I decided to create one on my own.

To do so I had to integrate few components. Here is the flow of things:

When I press a button on my special device, it will send the key combination of "PrintScreen+F11". Then a special program called AutoHotKey will intercept that key combination and execute an application I wrote that controls the computer mic.

The PTT button


I am using an Arduino like microcontroller called Teensy LC. I value my time and my money, and there is nothing better than the Teensy line of microcontrollers which are very powerful, Arduino IDE based, excellent support and superb software quality.

I decided to use two buttons, as sometimes I am the star of the meeting and I don't want to keep pressing the PTT button all the time. The "toggle button" will flip the default mic state.

I also added a LED to show red when unmuted and green when muted.


AutoHotKey

AutoHotKey is a program that can run macros when a key is pressed. I use it to capture the keyboard signals from the button device and run the MuteMe.exe program.

Here is the code:






MuteMe.exe


I don't know how to write a program to mute, but Computer Cabal knows, and I shamelessly used his code.

I had to do some modifications:
  1. I found no need to mute and unmute before actually muting or unmuting. each and every time I run the program. I think he/she had a specific problem with their setup. It works on my laptop without.
  2. I added a method to detect what the current mic status is.
  3. I change the main program to accept a parameter. If its "0" then mute, if it is "1" then unmute.
Here is the code


CoreAudioMicMute.cs:



WindowsMicMute.cs:
MuteMe.cs:

Thursday, March 10, 2016

dt_aclcheck - Find a match in extended access list.

Some ACLs are short, some ACLs are really long!





Here is a question, would any to 8.7.109.176 port 443 match any of the ACEs?

With dt_aclcheck.tcl, it is easy:

IOU1#tclsh unix:dt_aclcheck.tcl 100 tcp any 8.7.109.176 1234 443
01
    950 permit tcp any host 8.7.109.176 eq 443
    4040 permit tcp any any established



How about icmp?

IOU1#tclsh unix:dt_aclcheck.tcl 100 icmp any any
01
    4010 deny icmp any any echo
    4020 deny icmp any any traceroute log
    4030 permit icmp any any
    4160 deny ip any any


Here is the syntax for the command:

IOU1#tclsh unix:dt_aclcheck.tcl                
Usage - dt_aclMatch.tcl <acl_name> <protocol> <source IP> <destination IP> [source port] [destination port]


Grab the file HERE, and upload it to the router. Enjoy!

And let me know if you need any help with this.


Thursday, September 24, 2015

Embedded packet capture and interface ACLs and Zone Based Firewall

Cisco IOS Embedded packet capture is a great tool for trouble shooting. Very similar to the ASA capture command.

It could be better, as it won't parse the packets as good as tpcdump, but it is way better than nothing.

However I couldn't figure out what the order of operation, with regards to ACLs and ZBF.

So I labbed it up, with IOU 15.4, and here are the results:

  • For incoming ACL, packets are captured before ACL is evaluated
  • For incoming ZBF policy, packets are captured before the policy is checked.

So it looks like the embedded packet capture is placed at the right place, right before incoming ACL/ZBF check. However more testing needed to be done: NAT, outgoing ACL/ZBF, IPS drops,  encryption, sanity checks

I wish Cisco would have published an official and full "order of operation". Here is the best I have found so far.

FYI....

Friday, July 31, 2015

FirePower management interface

While installing Cisco FirePOWER on 5545-X, I was following the "Install and Configure a FirePOWER Services Module on an ASA Platform" guide.

One of the steps was to configure an IP address to the FirePower management interface. However, nowhere in the document it was mentioned how would that interface connect to the outside world.

So I tired to google it, and it looks like no one was asking that question: How would an internal module connect to the outside world? Not a single blog post about it. It just worked for everyone, no questions asked!

After digging around I found this document: "Cisco ASA FirePOWER Module Quick Start Guide"

And there I have found my answers:
  1. For 5585-X, FirePOWER is installed on a dedicated slot with its own mgmt0 interface.
  2. For 5545-X, FirePOWER module (SRF) is using the 5545-X's management0/0 interface. Which means that we can not use that interface for managment and it must be dedicated to FirePOWER!
  3. For the rest, it will use the "inside" interface.
 I would have expected a command to allow me to set up a bridge between the SRF management interface and some ifname on the ASA. But no, it is hard wired! Why?

Friday, February 20, 2015

Alteon AppShape++ persistency and multiple scripts per service

Lab goal

Create new VIP on 10.136.6.17.

Using an AppShape++ script to choose the preconfigured group/pool "10".

Once the laodbalancer chooses a server, all requests from the client's source IP should go to the same server. This is called persistence or stickiness.

Setup

I'll use my Loadbalancer Lab Setup.

The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Notice the group and hosts are preconfigured:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
/c/slb/real 1
        ena
        ipver v4
        rip 10.136.85.1
/c/slb/real 2
        ena
        ipver v4
        rip 10.136.85.2
/c/slb/real 3
        ena
        ipver v4
        rip 10.136.85.3
/c/slb/group 10
        ipver v4
        add 1
        add 2
        add 3

 

Alteon configuration

First the AppShape++ script:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
/cfg/slb/appshape/script take_10/en/import


attach group 10

when HTTP_REQUEST {
    group select 10
}

-----END

Line 1 - This allows to just copy paste the whole text to Alteon's CLI. It defines a script if its not exists, enable it and imports it.
Line 7 - Selects group 10.

Next, lets configure VIP/virt with its services:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
/c/slb/virt 6_17
       ena
       ipver v4
       vip 10.136.6.17
/c/slb/virt 6_17/service 80 http
       group 1
       rport 80
       pbind clientip norport
       dbind forceproxy
/c/slb/virt /service 80 http/appshape
       add 10 take_10

Line 8 - Add the stickiness/persistence part, based on the clients IP address.
Line 11- Add AppShape++ script.

 

Test


This didn't go well. We still see that all servers were used and not just one.

The reason for that is that once we select a group/pool using AppShape++, Alteon will ignore pbind settings.

 

Another try

AppShape++ has the following command : persist

This command can be used to create a persistence/stickiness .

One way we can use this command is by fixing our script. Another way would be to create another script and add it to the service. Using a separate script will allow us to reuse that script on more than on service / VIP.


1
2
3
4
5
6
7
/cfg/slb/appshape/script persist/en/import

when HTTP_REQUEST {
    persist source_addr 255.255.255.255
}

-----END

Line 4 - Create persistence/stickiness by using the source IP address with /32 mask.

Now lets add it to the service:

1
2
/c/slb/virt 6_17/service 80 http/appshape
       add 16 persist

Line 2 - We have added the new AppShape++ script to the service. We use priority 16  which means this will run after priority 10 which was take_10 script.

 

Another Test 

It works! SRV3 was selected for all HTTP requests.

We can also have a look at the persistance table:


1
2
3
4
5
>> LB1 - Persistency Information# /i/slb/persist/dump 

 Printing Data Table Entries for SP 1
key-10.136.3.1,vs:10.136.6.17,80,g:10,value-g:10 rs:3 80, age 178
Total number of session IDs: 1

Line 1 - Is the command to show all persistence object, in yellow.
Line 4 - Me in red, is using SRV3 in green, and the idle timeout is 178 seconds in blue.

 

Summary

So we learned that not everything we configure on the VIP/virl service applies when we use AppShape++.

We also learned how and why to use more than one script per service.

Enjoy...

Monday, February 2, 2015

ACS 5.X REST API

For a typical network engineer, reading Cisco's REST API documentation looks really simple. All you need to do is to issue the following CLI command
acs config-web-interface rest enable.
But now what? Where are the examples? Thats easy, all you need to do is to download example code directly from the ACS administration UI. But that code is in Java, and several pages long for each example.
So let me do you a favor and show you how to extract a list of all ACS users without even writing a single line of code:
wget -O user-list.xml --auth-no-challenge --http-user=acs_admin_user --http-password=admin_pass --no-check-certificate https://acs.ip.address.x/Rest/Identity/User 
Few things to notice:
  • Its a one line command UNIX command. A windows version can be found here.
  • The output is XML file called user-list.xml
  • --no-check-certificate is needed because ACS has its own self generated SSL certificate, and wget will fail to authenticate that certificate. This can be changed, but how many are actually using anything else?
  • --auth-no-challenge is used because ACS expects to use preemptive authentication.
Enjoy!

Thursday, January 29, 2015

CCIE Lab or dual CCIE written preferred

I got this sent from a friend of mine who is looking for a job. The job description asked for "CCIE Lab or dual CCIE written".

I wonder who wrote this stuff?

CCIE written is easy. It is not a certification exam.

The exam is not intendant to mean anything other than a ticket for the lab or to recert and existing CCIE certification, so Cisco is not putting too much effort into it. For example there are no simulations, everything is a multi-choice, so it is easy to eliminate absurd answers.

Most if not all CCIE candidates, who are already CCNPs, are surprised how easy it is. Many are fooled to believe that the lab is anywhere close to being at the same level of difficulty and depth.

If I was a CCNP, I would have preferred to take CCIE written to recert over the CCNP exams.

If I was hiring, I would prefer a dual CCNP over dual CCIE written anytime. In fact, I would prefer a humble CCNP than someone who passed the written and brags about it.