Showing posts with label cisco. Show all posts

Thursday, March 10, 2016

dt_aclcheck - Find a match in extended access list.

Some ACLs are short, some ACLs are really long!





Here is a question: would TCP traffic from any source to 8.7.109.176 on port 443 match any of the ACEs?

With dt_aclcheck.tcl, it is easy:

IOU1#tclsh unix:dt_aclcheck.tcl 100 tcp any 8.7.109.176 1234 443
01
    950 permit tcp any host 8.7.109.176 eq 443
    4040 permit tcp any any established



How about icmp?

IOU1#tclsh unix:dt_aclcheck.tcl 100 icmp any any
01
    4010 deny icmp any any echo
    4020 deny icmp any any traceroute log
    4030 permit icmp any any
    4160 deny ip any any


Here is the syntax for the command:

IOU1#tclsh unix:dt_aclcheck.tcl                
Usage - dt_aclMatch.tcl <acl_name> <protocol> <source IP> <destination IP> [source port] [destination port]


Grab the file HERE, and upload it to the router. Enjoy!

And let me know if you need any help with this.
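To show what a check like this has to do, here is an added example that is not the dt_aclcheck.tcl script from the post: an offline model of the same lookup in Python. It parses extended ACEs in "show ip access-lists" style and lists, in sequence order, every ACE a given flow could hit. The ACL below is constructed for the example, and the modelled syntax (permit/deny, ip/tcp/udp/icmp, any | host A | A WILDCARD, eq/neq/gt/lt/range, a trailing ICMP type keyword, log and established) is an assumption about the subset needed for the post's cases, not the full IOS grammar.

```python
"""Offline model of an IOS extended ACL lookup (added example, not dt_aclcheck.tcl)."""
import ipaddress
import re

# Constructed sample ACL, not the ACL from the post.
SAMPLE_ACL = """
Extended IP access list 100
    10 permit tcp 10.0.0.0 0.0.0.255 any eq 22 (12 matches)
    950 permit tcp any host 8.7.109.176 eq 443
    4010 deny icmp any any echo
    4020 deny icmp any any traceroute log
    4030 permit icmp any any
    4040 permit tcp any any established
    4160 deny ip any any
"""

PORT_NAMES = {"ssh": 22, "domain": 53, "www": 80, "https": 443}  # subset, assumption
QUALIFIERS = {"log", "log-input", "established"}
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.+?)\s*$")


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume one address spec: any | host A | A WILDCARD.
    Returns ((addr, wildcard), rest). A 1 bit in the wildcard means 'don't care',
    which also handles non-contiguous wildcards that a prefix length cannot."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip_int(tokens[1]), 0), tokens[2:]
    return (_ip_int(tokens[0]), _ip_int(tokens[1])), tokens[2:]


def _addr_match(spec, ip):
    addr, wild = spec
    return ((_ip_int(ip) ^ addr) & ~wild & 0xFFFFFFFF) == 0


def _parse_port(tokens):
    """Consume an optional port operator. Returns (predicate or None, rest)."""
    if not tokens or tokens[0] not in ("eq", "neq", "gt", "lt", "range"):
        return None, tokens
    op = tokens[0]
    num = lambda t: int(PORT_NAMES.get(t, t))
    if op == "range":
        lo, hi = num(tokens[1]), num(tokens[2])
        return (lambda p: lo <= p <= hi), tokens[3:]
    n = num(tokens[1])
    pred = {"eq": lambda p: p == n, "neq": lambda p: p != n,
            "gt": lambda p: p > n, "lt": lambda p: p < n}[op]
    return pred, tokens[2:]


def parse_acl(text):
    """Parse extended ACEs; header lines and '(N matches)' counters are ignored."""
    aces = []
    for line in text.splitlines():
        line = re.sub(r"\s*\(\d+ match(?:es)?\)\s*$", "", line)
        m = ACE_RE.match(line)
        if not m:
            continue
        seq, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _parse_addr(tokens)
        sport, tokens = _parse_port(tokens)
        dst, tokens = _parse_addr(tokens)
        dport, tokens = _parse_port(tokens)
        aces.append({
            "seq": int(seq), "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "icmp_types": set(tokens) - QUALIFIERS,  # e.g. {'echo'}
            "text": line.strip(),
        })
    return aces


def match_acl(aces, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """Return the ACEs, in sequence order, that the described flow could hit.
    Anything left unspecified (a port, the ICMP type, TCP flags) is treated as
    unknown, so an ACE that depends on it is still reported as a candidate;
    that is why 'permit tcp any any established' shows up for a plain TCP query."""
    hits = []
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        if ace["sport"] and sport is not None and not ace["sport"](sport):
            continue
        if ace["dport"] and dport is not None and not ace["dport"](dport):
            continue
        if ace["icmp_types"] and icmp_type is not None and icmp_type not in ace["icmp_types"]:
            continue
        hits.append(ace)
    return hits


def verdict(hits):
    """IOS stops at the first matching ACE; no match at all is the implicit deny."""
    if not hits:
        return "implicit deny"
    return f"{hits[0]['seq']} {hits[0]['action']}"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for h in match_acl(acl, "tcp", "192.0.2.10", "8.7.109.176", 1234, 443):
        print(h["text"])
    print(verdict(match_acl(acl, "icmp", "192.0.2.10", "8.7.109.176", icmp_type="echo")))
```

The list of candidates is what you want when reviewing a long ACL, but the verdict is what the router actually does: only the first hit counts, so an ACE that looks right further down may be shadowed by an earlier, broader one.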


Thursday, September 24, 2015

Embedded packet capture and interface ACLs and Zone Based Firewall

Cisco IOS Embedded Packet Capture is a great tool for troubleshooting, very similar to the ASA capture command.

It could be better, as it won't decode packets as well as tcpdump does, but it is way better than nothing.

However, I couldn't figure out the order of operations with regard to ACLs and ZBF.

So I labbed it up with IOU 15.4, and here are the results:

  • For an inbound ACL, packets are captured before the ACL is evaluated.
  • For an inbound ZBF policy, packets are captured before the policy is checked.

So it looks like the embedded packet capture is placed at the right spot, right before the inbound ACL/ZBF check. However, more testing needs to be done: NAT, outbound ACL/ZBF, IPS drops, encryption, sanity checks.

I wish Cisco had published an official and complete "order of operations". Here is the best I have found so far.

FYI....

Friday, July 31, 2015

FirePower management interface

While installing Cisco FirePOWER on 5545-X, I was following the "Install and Configure a FirePOWER Services Module on an ASA Platform" guide.

One of the steps was to configure an IP address on the FirePOWER management interface. However, nowhere in the document is it mentioned how that interface connects to the outside world.

So I tried to google it, and it looks like no one was asking that question: how does an internal module connect to the outside world? Not a single blog post about it. It just worked for everyone, no questions asked!

After digging around I found this document: "Cisco ASA FirePOWER Module Quick Start Guide"

And there I have found my answers:
  1. For 5585-X, FirePOWER is installed on a dedicated slot with its own mgmt0 interface.
  2. For 5545-X, the FirePOWER module (SFR) uses the 5545-X's Management0/0 interface. Which means that we cannot use that interface for management; it must be dedicated to FirePOWER!
  3. For the rest, it will use the "inside" interface.
I would have expected a command to allow me to set up a bridge between the SFR management interface and some ifname on the ASA. But no, it is hard wired! Why?

Monday, February 2, 2015

ACS 5.X REST API

For a typical network engineer, reading Cisco's REST API documentation looks really simple. All you need to do is issue the following CLI command:
acs config-web-interface rest enable
But now what? Where are the examples? That's easy: all you need to do is download example code directly from the ACS administration UI. But that code is in Java, and several pages long for each example.
So let me do you a favor and show you how to extract a list of all ACS users without even writing a single line of code:
wget -O user-list.xml --auth-no-challenge --http-user=acs_admin_user --http-password=admin_pass --no-check-certificate https://acs.ip.address.x/Rest/Identity/User
Few things to notice:
  • It's a one-line UNIX command. A Windows version can be found here.
  • The output is an XML file called user-list.xml.
  • --no-check-certificate is needed because ACS has its own self-signed SSL certificate, and wget will fail to validate it. This can be changed, but how many are actually using anything else?
  • --auth-no-challenge is used because ACS expects preemptive authentication: it will not send a 401 challenge first.
  • Putting the admin password in --http-password leaves it in your shell history and in ps output for anyone on the box; wget's --ask-password (or a .netrc entry) keeps it off the command line.
Enjoy!
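The same GET against /Rest/Identity/User, written as an added example with the Python standard library; it is not code from the post or from the Java samples ACS ships. It shows the two things the wget switches paper over: preemptive Basic auth (the Authorization header is sent without waiting for a 401) and trusting the ACS self-signed certificate explicitly instead of turning verification off. The ACS hostname and the CA file path are placeholders, and the XML layout in the constructed sample response is an assumption about the shape of the export, not ACS's actual schema; adjust the tag names in list_user_names() to what your user-list.xml shows.

```python
"""ACS 5.x REST user export without --no-check-certificate (added example)."""
import base64
import getpass
import ssl
import urllib.request
import xml.etree.ElementTree as ET

ACS_HOST = "acs.ip.address.x"        # placeholder, as in the post
ACS_CA_FILE = "acs-self-signed.pem"   # placeholder: the ACS cert, exported once from the admin UI


def basic_auth_header(user, password):
    """Preemptive Basic auth, the equivalent of wget --auth-no-challenge:
    the header goes on the first request instead of after a 401."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token


def tls_context(ca_file):
    """Trust only the ACS certificate we exported. Passing cafile here means the
    system CA store is not loaded, and hostname checking stays on, so the name
    in that certificate must match the host we connect to."""
    return ssl.create_default_context(cafile=ca_file)


def fetch_users(host, user, password, ca_file=ACS_CA_FILE):
    """GET /Rest/Identity/User and return the raw XML body."""
    req = urllib.request.Request(
        f"https://{host}/Rest/Identity/User",
        headers={"Authorization": basic_auth_header(user, password),
                 "Accept": "application/xml"})
    with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=30) as resp:
        return resp.read()


# Constructed sample response. Tag names and namespace are placeholders, not ACS's schema.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<users xmlns="urn:example:acs-placeholder">
  <user><id>10</id><name>alice</name><enabled>true</enabled></user>
  <user><id>11</id><name>bob</name><enabled>false</enabled></user>
</users>
"""


def list_user_names(xml_bytes):
    """Pull the user names out of the XML; '{*}' matches whatever namespace
    the real export uses, so only the local tag names need to be right."""
    root = ET.fromstring(xml_bytes)
    return [u.findtext("{*}name") for u in root.findall(".//{*}user")]


def save_xml(xml_bytes, path="user-list.xml"):
    with open(path, "wb") as fh:
        fh.write(xml_bytes)


if __name__ == "__main__":
    # getpass keeps the admin password out of the command line and shell history.
    data = fetch_users(ACS_HOST, "acs_admin_user", getpass.getpass("ACS password: "))
    save_xml(data)
    print(list_user_names(data))
```

Exporting the ACS certificate once and pointing cafile at it is a small step up from --no-check-certificate: you still accept a self-signed certificate, but only that one, so a box that answers on the ACS address with a different certificate gets refused instead of handed the admin password.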

Thursday, January 29, 2015

CCIE Lab or dual CCIE written preferred

I got this sent from a friend of mine who is looking for a job. The job description asked for "CCIE Lab or dual CCIE written".

I wonder who wrote this stuff?

CCIE written is easy. It is not a certification exam.

The exam is not intended to mean anything other than a ticket to the lab or a way to recert an existing CCIE certification, so Cisco is not putting too much effort into it. For example, there are no simulations; everything is multiple-choice, so it is easy to eliminate absurd answers.

Most if not all CCIE candidates, who are already CCNPs, are surprised how easy it is. Many are fooled to believe that the lab is anywhere close to being at the same level of difficulty and depth.

If I were a CCNP, I would have preferred to take the CCIE written to recert over the CCNP exams.

If I were hiring, I would prefer a dual CCNP over a dual CCIE written anytime. In fact, I would prefer a humble CCNP to someone who passed the written and brags about it.

Monday, January 26, 2015

VIRL - A slow greatness

I had a migration project from 6500 to ASRs, and I decided to check out VIRL.

My migration setup requires 14 routers and a test server. Reading the system requirements for such a setup made me decide not to install it on my laptop.

I went ahead and installed it on a not-so-small ESX server: a new UCS machine (24 cores, 380G memory, running 4 VMs including VIRL), ESX 5.1.

I have allocated VIRL 4vCPU, 16GB memory.

The installation was not that short, but not that hard either. After the installation was over, I installed VM Maestro and started building my lab. Working with VM Maestro, which is VIRL's GUI, was really easy. The only annoying thing was my inability to set the interface numbers for the connections between routers.

Here is what my final setup looks like:


The setup is running 12 vIOS, 2 CSR1K, and one Ubuntu server, from where I ran my automated tests.

I pressed "Start simulation", and that's when trouble started. It took about 40 minutes for all the routers to load. Then the CLI felt like 2400 baud. It was crawling!

Notice that each time you start the simulation, for example after adding or removing a link, all the routers are rebuilt from scratch. They are not just powered on. They are cloned from a template and go through a lengthy installation process, especially the ASRs, which take forever to install themselves.

So I tried to run just 4 routers. That was working well and everything was snappy.

Then I tried to upgrade the VM to 6 vCPUs. Now it took just 3 minutes to load all the routers. The CLI felt much better at 9600 baud.

Then I tried to upgrade the VM to 8 vCPUs. Now everything works almost as fast as GNS3 with IOU!

After setting up the lab foundation, it was time to actually start configuring the lab. I configured OSPF and BGP. Everything worked, but the response time was slower. Although the response time was slower, the lab was very usable.

To run the test, I am using some VRF magic and bash scripting on the Linux machine. I think it is worth a blog entry on its own. Then after 30 minutes of stepping away from the lab, I noticed that most OSPF and BGP sessions were lost. I had to press "enter" several times at each router's prompt to wake everything up:

Just after I woke the routers:

16:54:20 +++++-+---+-+---+--++++--++--+-+++++++++
16:54:33 +++++++++++++++++++++++--+++++++++++++++
16:54:36 +++++++++++++++++++++++--+++++++++++++++
16:54:40 ++++++++++++++++++++++++++++++++++++++++
16:54:42 ++++++++++++++++++++++++++++++++++++++++
16:54:43 ++++++++++++++++++++++++++++++++++++++++
16:54:45 ++++++++++++++++++++++++++++++++++++++++

After 30 minutes:
 
17:21:53 ++++++++++++++++++++++++++++++++++++++++
17:21:55 ++++++++++++++++++++++++++++++++++++++++
17:21:56 ++++++++++++++++++++++++++++++++++++++++
17:21:58 ++++++++++++++++++++++++++++++++++++++++
17:22:00 ++++++++++++++++++++++++++++++++++++++++
17:22:01 ++++++++++++++--+------++++--+--+-++++++
time     111112222222333333444445555666677788899B
%H:%M:%S 589BC34679BC4679BC679BC89BC79BC9BC9BCBCC
17:22:17 +++++-----+-----+------++++--+--+-++++++
17:22:40 +++++-----+-----+------++++--+--+-++++++
17:23:02 +++++-----+-----+------++++--+--+-++++++
17:23:24 +++++-----+-----+------++++--+--+-++++++


Tuesday, October 28, 2014

GNS3 1.1


I was never a big fan of GUI tools, so I used dynagen and dynamips for my network designs. But since 15.2 was the last version released for the 7200, dynamips is no longer useful (especially for IKEv2 and OSPFv3 stuff).

I was hoping that Cisco would release VIRL, and they promised to do so for the past year and a half, but it looks like it will never come. Shelling out 10K$ for CML (the paid version of VIRL) is a bit too much for most of us. But there is a good alternative:

Not long ago GNS3 version 1.0 was released, and soon after version 1.1 was released too. And after a long time of being a backer of their funding campaign, I decided to try GNS3 with IOU.

After installing GNS3 on both Linux and Windows (VMware required), I found that GNS3 is really easy to use, and that IOU is AMAZING. IOU is sooooo fast, and everything just works(tm). I wish I had it years ago!

Goodbye dynamips and dynagen, and thank you so much.

Hello IOU and GNS3. I know it will be a start of a wonderful friendship :)