Wednesday, December 21, 2011

Find Unique Interface Configs on Switches

Recently I needed to find all of the interfaces with non-standard configurations on a bunch of Catalyst 3750 switches. I wrote a simple Python script to automate the process. To run this, save it in a directory with all of the configurations you want to check. Then edit the name.startswith() section near the bottom to match the naming convention for your config files; in my case all of my configs start with "c3750". Then run the script from your CLI:

>python dup_conf.py

If you're on a Mac or Linux system, Python should be installed by default. On Windows, you'll need to install it or run Cygwin. Note that in the default version, the script ignores SVIs and Gigabit interfaces; uncomment the appropriate lines to include them.

The output looks like this:


in config file c3750-1A.txt

interfaces

interface FastEthernet1/0/35

configured like

switchport trunk encapsulation dot1q
switchport trunk native vlan 76
switchport mode trunk
switchport voice vlan 65
no logging event link-status
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust dscp
auto qos voip cisco-phone
no mdix auto
spanning-tree portfast

**************************************************
interfaces

interface FastEthernet1/0/11
interface FastEthernet1/0/12

configured like

switchport trunk encapsulation dot1q
switchport trunk native vlan 80
switchport mode trunk
switchport voice vlan 65
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust dscp
auto qos voip cisco-phone
no mdix auto
spanning-tree portfast

**************************************************
interfaces

interface FastEthernet1/0/1
interface FastEthernet1/0/2
interface FastEthernet1/0/3
interface FastEthernet1/0/4
interface FastEthernet1/0/5
interface FastEthernet1/0/6
interface FastEthernet1/0/7
interface FastEthernet1/0/8
interface FastEthernet1/0/9
interface FastEthernet1/0/10
interface FastEthernet1/0/13
interface FastEthernet1/0/14
interface FastEthernet1/0/15
interface FastEthernet1/0/16

configured like

switchport access vlan 64
switchport voice vlan 65
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust dscp
auto qos voip cisco-phone
no mdix auto
spanning-tree portfast

**************************************************


Thursday, November 10, 2011

Summarize Router Throughput in Packets/Second

Here's a quick one-liner to summarize the current packets-per-second throughput on an entire IOS router:

$ ssh 10.1.2.3 'sh int summ' | awk '/^*/{RXPPS+=$8;TXPPS+=$10} END {print "RXPPS=" RXPPS,"TXPPS=" TXPPS}'
jswan@10.1.2.3's password:
RXPPS=1613 TXPPS=1539

Friday, June 10, 2011

Zone Based Firewall Configuration Example

There aren’t a ton of examples available for IOS Zone-Based Firewall configurations, so I thought I’d put up one with which I’ve been working recently.

My test network looks like this:

R4 ------------------- R5 ----------------------- R6

R4 Loopback: 4.4.4.4
R4 to R5 link: 1.1.45.0/24
R5 Loopback: 5.5.5.5
R5 to R6 link: 1.1.56.0/24
R6 Loopback: 6.6.6.6


My goal is to express this policy:
  1. Hosts in group X on the OUTSIDE network can initiate sessions to hosts on the INSIDE network. Return traffic for those sessions should be statefully permitted. In the lab, group X is represented by R4's loopback address.
  2. Any host on the INSIDE network can initiate sessions to hosts in group X on the OUTSIDE network. Return traffic for those sessions should be statefully permitted. In the lab, the inside hosts are represented by R6's loopback address.
  3.  Permitted traffic should be logged. All other traffic should be dropped and logged.
The network on which the production version of this lab test will be deployed currently uses extended access-lists to implement the policy. Access-lists have the advantage of being familiar to anyone with a basic knowledge of IOS, but they have a lot of disadvantages:

  1. Hard to read and troubleshoot as they grow. 
  2. No stateful awareness. Trying to retrofit statefulness onto extended ACLs to allow return traffic requires ugly hacks with source port restrictions, filtering on ACK bits, etc. This path eventually leads to mind-numbing troubleshooting problems, and is less than optimal in its security. 
  3. Extended ACLs don’t have application-layer awareness.

There are several tools in IOS to facilitate stateful traffic inspection, but Zone-Based Firewalls are the newest and most flexible, so it made sense to use them.

Most of the examples I found via Google show the simple case of inside hosts having unfettered access to the outside, and outside hosts having no access to the inside--a classic stateful firewall design. My case is only slightly more complex, but it still took me a couple of tries to make it work.

First, I built access-lists defining the traffic to be allowed. I decided to use the relatively new IOS object-group support to make it easier to add and delete hosts on the respective networks:


object-group network OG_INSIDE_HOSTS
  host 6.6.6.6
object-group network OG_OUTSIDE_ALLOWED
  host 4.4.4.4
ip access-list extended INSIDE_TO_OUTSIDE
  permit ip object-group OG_INSIDE_HOSTS object-group OG_OUTSIDE_ALLOWED
ip access-list extended OUTSIDE_TO_INSIDE
  permit ip object-group OG_OUTSIDE_ALLOWED object-group OG_INSIDE_HOSTS


You might notice that there’s no “deny ip any any log” statement in these ACLs, which is strange given requirement #3 above. It turns out that when using ZBFW, you configure drop logging elsewhere; I’ll cover that below.

I couldn’t find a way to express protocol inspection policy and IPv4 address policy in the same class-map, so I had to use a hierarchical configuration. To express the protocol inspection policy, I built a class-map to define the layer 4 protocols that will be inspected by the firewall:


class-map type inspect match-any CM_INSPECTED_PROTOCOLS
  match protocol icmp
  match protocol tcp
  match protocol udp


This class-map does simple generic TCP/UDP/ICMP inspection, but it could easily be extended or rewritten to use much more complex inspection rules.

Next, I built class-maps for each direction that match the appropriate ACL and the inspection policy configured above:


class-map type inspect match-all CM_OUTSIDE_INSIDE
  match access-group name OUTSIDE_TO_INSIDE
  match class-map CM_INSPECTED_PROTOCOLS
class-map type inspect match-all CM_INSIDE_OUTSIDE
  match access-group name INSIDE_TO_OUTSIDE
  match class-map CM_INSPECTED_PROTOCOLS


To meet the packet permit-log requirement, we need a “parameter-map” that will be applied in the policy-map that references the previous class-maps:


parameter-map type inspect PARAM_AUDIT_LOG
  audit-trail on


Next, the class-maps and parameter-map are referenced in a pair of policy-maps:


policy-map type inspect PM_ZBFW_OUTSIDE_INSIDE
  class type inspect CM_OUTSIDE_INSIDE
    inspect PARAM_AUDIT_LOG
  class class-default
    drop log
policy-map type inspect PM_ZBFW_INSIDE_OUTSIDE
  class type inspect CM_INSIDE_OUTSIDE
    inspect PARAM_AUDIT_LOG
  class class-default
    drop log


Note the “drop log” statement in the final section. Similar to the implicit deny rule in ACLs, ZBFW policies include a class-default with a drop statement. If you want packet drops to be logged, however, you need to explicitly add the “log” parameter to the drop command.

At this point, the policies are configured. Now they need to be linked to interfaces and traffic direction. This is where the “zones” come in:


zone security INSIDE
  description to R6
zone security OUTSIDE
  description to R4
interface FastEthernet0/0
  zone-member security OUTSIDE
interface FastEthernet0/1
  zone-member security INSIDE


Finally, I created zone pairs that associate zones, traffic direction, and traffic policy:


zone-pair security ZP_OUTSIDE_INSIDE source OUTSIDE destination INSIDE
  service-policy type inspect PM_ZBFW_OUTSIDE_INSIDE
zone-pair security ZP_INSIDE_OUTSIDE source INSIDE destination OUTSIDE
  service-policy type inspect PM_ZBFW_INSIDE_OUTSIDE


At this point, the zone-based firewall should be working and ready to test. Based on the policy defined above, traffic from R4’s loopback address should be able to reach R6’s loopback address, but traffic from other interfaces on R4 should be dropped:


R4#ping 6.6.6.6 source 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#
R4#ping 6.6.6.6 source 1.1.45.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 1.1.45.4
.....
Success rate is 0 percent (0/5)


So far, this looks good. The log on R5 should verify the results above:


*Jun 10 14:29:02.604: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(ZP_OUTSIDE_INSIDE:CM_OUTSIDE_INSIDE):Start icmp session: initiator (4.4.4.4:0) -- responder (6.6.6.6:0)
*Jun 10 14:29:13.100: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(ZP_OUTSIDE_INSIDE:CM_OUTSIDE_INSIDE):Stop icmp session: in
itiator (4.4.4.4:8) sent 360 bytes -- responder (6.6.6.6:0) sent 360 bytes

*Jun 10 14:29:16.420: %FW-6-DROP_PKT: Dropping icmp session 1.1.45.4:0 6.6.6.6:0 on zone-pair ZP_OUTSIDE_INSIDE class class-default due to  DROP action found in policy-map with ip ident 0
*Jun 10 14:29:19.812: %FW-6-LOG_SUMMARY: 2 packets were dropped from 1.1.45.4:8 => 6.6.6.6:0 (target:class)-(ZP_OUTSIDE_INSIDE:class-default)


The first two lines show the permitted session; the second pair of lines show the dropped session. I haven’t had the chance yet to examine log entries for traffic types other than TCP/UDP/ICMP, but at first glance it looks like the log entries are formatted in a way that’s friendly to machine parsing.

My next step should probably be to get the Cisco Press eBook on ZBFW by the formidable Ivan Pepelnjak, which I’m a little embarassed about not having read.

Sunday, May 22, 2011

Links of Interest

I decided to start a periodic link post, mainly to keep track of tech stuff I might want to reference again later.

HTTP Load Testing

Website Security for Webmasters

Reading List on Bayesian Methods

JavaScript PC Emulator < Run VMs in your browser?! We live in the future!

Machine Learning: A Love Story a talk by Hilary Mason

Friday, May 13, 2011

Reverse DNS Lookups with Python


Update 12/22/2014 -- Today I would recommend using the dnspython module instead of PyDNS.

I am neither a professional programmer nor a Python expert, but it's currently my language of choice for quick log parsing projects. I couldn't find an example of how to do reverse DNS queries from the PyDNS library, so I figured I'd post my solution here.

First, install the PyDNS library. Python has some native DNS stuff, but PyDNS just seems a lot nicer overall.

Here's my code to do a PTR query, looking up a IPv4 address to find the corresponding DNS name. This code implements a global dictionary of addresses that have been previously resolved, avoiding the need to query the server repeatedly for the same address. You could remove that part if you're feeding a set of unique addresses into the function.

import  DNS
SERVER = '8.8.8.8' # put your DNS server address here
global ptr_cache

ptr_cache = {}

def get_ptr(address):
    # check cache.    
    if ptr_cache.has_key(address):
         return ptr_cache[address]
   
    #reverse fields in IP address for use with in-addr.arpa query
    fields = address.split('.')
    fields.reverse()
    flippedaddr = '.'.join(fields)

    #query DNS
    d = DNS.DnsRequest(server=DNS_SERVER,timeout=1)
    try:
        r = d.req(flippedaddr+'.in-addr.arpa',qtype='PTR')
    except:
        return "DNS Error"
   
    name = r.answers[0]['data']
    if name:
        ptr_cache[address] = name
    return name

Friday, April 8, 2011

Converting text to number in Excel

It took me too long to figure out how to typecast a string to a number in Excel. Preserving it here for posterity; use the "=VALUE()" function.

Wednesday, January 12, 2011

Find Active Hostnames Per Network

Here's a quick trick I use to find the hostnames of all active IPv4 devices in a subnet:

$ ssh routerIP.test.local 'sh arp | i Vlan70' | awk '{print $2}' | xargs -i dig -x {} +short
Password:
foo-tstsrv-01.test.local.
foo-gissrv-01.test.local.
foo-appsrv-01.test.local.
foo-filsrv-03.test.local.
foo-filsrv-02.test.local.

Translated into English:
  1. ssh routerIP.test.local 'sh arp | i Vlan70' displays the ARP table for Vlan 70 on the router acting as the default gateway for that VLAN.
  2. awk '{print $2}' extracts the second field from the output, which is the IPv4 address for the ARP entry.
  3. xargs -i dig -x {} +short takes each one of those IPv4 addresses and queries DNS for the hostname associated with the IP address (that is, the PTR record), using the "dig -x" command, with the +short parameter to display only the hostname. The {} syntax is a part of the xargs command which causes the output from the previous command (that is, the awk command output which produces just an IPv4 address) to be inserted in the place of the {} characters.
To run this on Windows, you need to have both Cygwin and the dig command installed.

Tuesday, January 4, 2011

Troubleshoot Your Corporate-Speak

A friend of mine recently told me that I "have a hang-up about the meanings of words".

Guilty as charged. I just read yet another press release that uses the idiotic expression "best-of-breed"--I'm at the point where seeing that phrase makes me want to throw a rock at the monitor.

Here's a simple test for a CorporateSpeak buzzphrase: could you say the opposite, without sounding like a crazy person? If not, then your buzzphrase is meaningless. For example:

"Best-of-Breed Vendors Offer Tested and Validated Solutions for Multiple Cisco VXI Deployment Options"

Now, try the opposite:

"Mediocre Vendors With More Successful Competitors Offer Tested and Validated Solutions for Multiple Cisco VXI Deployment Options"

or

"Worst-of-Breed Vendors Offer Tested and Validated Solutions for Multiple Cisco VXI Deployment Options"

No sane person would write that. Thus, the result of the test is that the changed phrase, "best-of-breed", obscures rather than enhances meaning.

Another one I hear all the time is "IT should work to serve the needs of the business." This one doesn't have any suspicious buzzphrases in it, but it's still completely meaningless: can you imagine saying "IT should not work to serve the needs of the business"? Of course not; you'd sound insane. Compare that with a similar, but meaningful and concrete sentence: "IT should work to reduce costs by improving the performance of the accounting servers." With this sentence, IT is still "serving the needs of the business", but you could clearly state the opposite and still have meaning: one could certainly argue that IT's efforts are better spent in areas other than accounting without sounding crazy.

One final example from a friend at a software firm. He received this in email from a guy in sales:

"We need to write software that customers want to buy."

The utter poverty of meaning in that waste of bits is left as an exercise for the reader.

Now, I realize that these sorts of expressions have purposes other than enhancing meaning: they might serve to solicit agreement from the reader as a prelude to a more controversial assertion, or they might simply be not-so-subtle attempts at marketing tricking the reader into a positive first impression. I don't really accept those excuses, though: rational people seek to create meaning, not to obscure it. Get into the habit of troubleshooting your meaning. One way is to test the opposite.

Endnote:
I have no idea if this idea is original or not. It seems like a simple enough idea that I may have gotten it from someone else, but if so, I don't remember and can't attribute the source.