Quick ACL Entry Comparison Script

The ACL_compare function takes two lists of strings, compares the first to the second, and returns a list of the strings that are present in the first but not in the second.

The listconvert function reads a file into memory and converts it into a list of strings, which is handy when you pass filenames as arguments to the script.

Essentially it’s all just string comparison really.

#Simple Python script to print ACL entries absent from a new rulebase when compared with an existing rulebase

import sys

def ACL_compare(fwsm_ACL, asa_ACL):
    # Collect every entry of the first rulebase that has no exact match in the second
    comparison = []
    for line in fwsm_ACL:
        if line not in asa_ACL:
            comparison.append(line)
    return comparison

def listconvert(file):
    # Read a rulebase file into a list of entries, one per line, ignoring blank lines
    newlist = []
    with open(file) as f:
        for line in f:
            line = line.strip()
            if line:
                newlist.append(line)
    return newlist

def listprint(somelist):
    for line in somelist:
        print(line)

def main():
    if len(sys.argv) != 3:
        print("usage: ACL_compare.py fwsm_rulebase_file asa_rulebase_file")
        sys.exit(1)
    fwsm_ACL = listconvert(sys.argv[1])
    asa_ACL = listconvert(sys.argv[2])
    print("differing entries are")
    listprint(ACL_compare(fwsm_ACL, asa_ACL))

if __name__ == "__main__":
    main()
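As an added example (not the script above), the same comparison with the entries canonicalised first: the line numbers, hit counters and trailing ACE hash that a show access-list style listing carries are assumed decorations and are stripped, whitespace and case are ignored, and the diff is reported in both directions so a deny entry dropped during a migration shows up. The sample rulebases are constructed.

```python
import re

# Constructed sample rulebases. The "line N", "(hitcnt=N)" and trailing 0x... hash are
# assumed decorations that differ between two devices even when the rule is identical,
# so they must not count as a difference.
OLD_RULEBASE = [
    "access-list OUT line 1 extended permit tcp any host 10.1.1.1 eq www (hitcnt=12) 0x1a2b3c4d",
    "access-list OUT line 2 extended deny ip any any (hitcnt=3) 0xdeadbeef",
]
NEW_RULEBASE = [
    "access-list OUT extended permit tcp any  host 10.1.1.1 eq www",
    "access-list OUT extended permit tcp any host 10.1.1.2 eq ssh",
]


def normalize_ace(line):
    """Canonicalise one ACL entry so only the rule text takes part in the comparison."""
    line = re.sub(r"\s+\(hitcnt=\d+\)", "", line)        # drop hit counters
    line = re.sub(r"\s+0x[0-9a-fA-F]+\s*$", "", line)     # drop trailing ACE hash
    line = re.sub(r"\bline \d+\s+", "", line)             # drop "line N" position marker
    return re.sub(r"\s+", " ", line).strip().lower()      # collapse whitespace, ignore case


def compare_rulebases(old_lines, new_lines):
    """Return (missing, extra): rules in old but not new, and rules in new but not old."""
    old = [normalize_ace(ln) for ln in old_lines if ln.strip()]
    new = [normalize_ace(ln) for ln in new_lines if ln.strip()]
    old_set, new_set = set(old), set(new)
    # dict.fromkeys keeps first-seen order while removing duplicate entries
    missing = [ace for ace in dict.fromkeys(old) if ace not in new_set]
    extra = [ace for ace in dict.fromkeys(new) if ace not in old_set]
    return missing, extra


if __name__ == "__main__":
    missing, extra = compare_rulebases(OLD_RULEBASE, NEW_RULEBASE)
    print("entries in the old rulebase that the new one lacks:")
    for ace in missing:
        print("  -", ace)
    print("entries the new rulebase adds:")
    for ace in extra:
        print("  +", ace)
```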

VRF Race Condition

A while ago I observed an interesting problem due to a routing misconfiguration. An asymmetric route was introduced across two discrete switches/routing instances. The route was then imported in a separate location.

Quick and dirty network diagram

When I began troubleshooting I was under the impression that the importer preferred one route over another because of admin distance or some other metric, or perhaps it was some sort of BGP esoterica you’d only encounter if you were using VRFs and MP-BGP to learn routes. However, the truth was probably something more prosaic.

Both routes were static routes. This meant their learning mechanism across importers was the same. The reason the importer preferred one route over another was probably due to one entering the routing table before the other.

Android Bugs

I have a little Samsung Galaxy S2 which is a perfectly adequate phone. I use the Google Apps on it to keep some semblance of order in my life. However, I run into some occasional bugs which require a bit of work to solve. So I’m putting in the fixes here so they’re easily available.

1. Weather widget displays an incorrect location. Documentation date 03.11.2014
This is fixed by going to Settings->Application Manager and performing a forced stop on the TouchWiz Home application.

2. Lockscreen displaying an incorrect location. Documentation date 03.11.2014
First I thought this was related to the first problem. However, this can be fixed by going to Applications->Security and changing the location detection to refresh automatically. It looks like adding a new city in the weather widget updates the location in the lockscreen, but removing it doesn’t force an update to the lockscreen.

More bugs will be documented here as they’re found.

Fun With Optics

I recently had a deployment where we needed to connect Cisco 6500s to Juniper MX960s.

There was a lot of confusion surrounding what fibre and optic modules needed to be used, so I’m documenting the initial state and the successful state here.

Initially, the Junipers had the following model numbers used for the optics:

XFP-10G-LR (identified using a “show chassis hardware”)

The 6500s:


Interestingly, one of the links came up between the devices, while one did not. I tried swapping the cable (Single Mode) for Multimode for the non-working link, and that did not fix the issue. We then swapped the Cisco optic for an LR optic and used Single Mode fibre which did the trick.

Confusingly for someone from a Cisco background like me, the Juniper optic was labelled XFP-10G-L-OC192-SR1. I assumed the SR stood for short reach/range (it does) and tried to use Multimode fibre, as you would with Cisco SR optics. However, it turns out that the Juniper SR optic in this case used Single Mode fibre as its interface.

It is documented in this handy link here, which turned up with some Googling.

The confusion stems from the meaning of Short Reach differing between Cisco and Juniper. I need to figure out a simpler way to identify the type of fibre to be used. Perhaps using the core:cladding ratio is the best way? 9:125 micrometres seems to be what is used for SM fibre.

Quick’n’dirty Nslookup BASH Script

I’m always wondering if the addresses I’m assigning to interfaces aren’t already in DNS. So I came up with a little BASH script that takes a list of IP addresses and performs an nslookup on them to ensure they’re not in use already:

$nslookup < input-filename > output-filename

The addresses in the input file are carriage return delimited.

A better use for this would be to check if DNS entries already have an IP address assigned to them.
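An added example, not the author's BASH script, doing the same check in Python so the lookup logic can be exercised offline: each address is validated before it is resolved, a PTR answer marks it as already in use, and a hostname check covers the reverse case mentioned above. The resolver functions wrap the standard socket calls and can be swapped for a dictionary when testing; the sample input is constructed.

```python
import ipaddress
import socket

def reverse_lookup(addr):
    """PTR lookup: return the hostname for addr, or None when DNS holds no record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except socket.herror:  # "unknown host": no PTR, so the address is free as far as DNS knows
        return None

def forward_lookup(name):
    """A/AAAA lookup: return the address for name, or None when DNS holds no record."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_addresses(lines, resolver=reverse_lookup):
    """Map each candidate address (one per line) to 'in use: <name>', 'free' or 'invalid'."""
    results = {}
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            addr = str(ipaddress.ip_address(entry))   # rejects typos before they reach DNS
        except ValueError:
            results[entry] = "invalid"
            continue
        name = resolver(addr)
        results[addr] = "in use: %s" % name if name else "free"
    return results

def check_names(lines, resolver=forward_lookup):
    """Map each hostname to 'assigned: <address>' or 'unassigned' (the reverse case)."""
    results = {}
    for raw in lines:
        name = raw.strip()
        if name and not name.startswith("#"):
            addr = resolver(name)
            results[name] = "assigned: %s" % addr if addr else "unassigned"
    return results

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:   # one address per line, as in the input file above
        for addr, status in sorted(check_addresses(f).items()):
            print(addr, status)
```

A resolver error other than "no record" (for example an unreachable DNS server) is deliberately left to propagate, so a lookup failure is never mistaken for a free address.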

The 5 Year Plan

I was recently asked what my 5 year career plan was and whether I wanted to go down the architect route. It threw me a little bit because I’ve never really been a 5 year type person. I have real trouble seeing where I’ll be beyond a year to 18 months.

So, this is my attempt to try and put something together. It doesn’t hurt to have a plan right?

Ideally, you need a short, medium and long term plan. A couple of these could be tech related (e.g. get to CCIE), but the pace technology moves at means the longest term one (if it's longer than 3 years) could well have moved goalposts, or died out. So, without further ado, I give you the 3 – 6 – 12 – 24 – 36 plan, or the 3, 6, 1, 2, 3 plan. This is my way of putting down what I want to have achieved in the next 3-6 months, 1 year, 2 years and 3 years.

3-6 months: Get my CCNP Security finished with, and maybe another associate level non-Cisco vendor certification.

1 year: Complete my CCIE written and be on my way to lab revision.

2 years: Completed, or have attempted the CCIE lab once.

3 years: Who knows? CCDE? Become a technical leader? Or become professional level qualified with another vendor?

I don’t know how feasible these things are, but I’ll have a go.

Configuring SNMPv3 On NX-OS

We’re currently trying to allow a client to perform an operation using SNMP set commands on a Cisco NX-OS switch (namely a 5548).

It’s possible using SNMPv2c and community strings, but this does not generate a log message, making it completely unaccountable. SNMPv3 seems to have the answer. According to the documentation, it provides:

  • Integrity
  • Encryption
  • Authentication

I’ve tested using a set operation to change a MIB using the following command:

snmpset -v 3 -u test -l authpriv -a MD5 -A Testpass01 -x DES -X Testpass01 hostname system.sysLocation.0 s TESTLOCATION

This works fine.

However, the problem arises when trying to hand off the authentication of the SNMP operation to TACACS/RADIUS. My interpretation of the documentation suggests this is possible. My Cisco SE has not denied it either. However, I reckon some changes need to be made to the authentication server. According to what I've read:

You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Nexus 5000 Series switch using this format:

shell:roles="roleA roleB ..."

If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.

You can also specify your SNMPv3 authentication and privacy protocol attributes as follows:

shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128

The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 and DES are the default authentication protocols.

So, it looks like using an SNMPv3 set operation authenticated to TACACS/RADIUS will require additional specification of SNMPv3 authentication and privacy protocol parameters, and the corresponding role mapped to the user trying to perform the SNMPv3 operation.
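An added example (not from the page or from Cisco) that applies the rules quoted above to a cisco-av-pair value: it extracts the roles, auth and priv settings, fills in the documented defaults (network-operator, MD5, DES) when they are absent, rejects values outside the documented options, and flags the legacy defaults so a reviewer sees when a user record silently falls back to MD5/DES. The sample attribute strings are constructed.

```python
import re

DEFAULT_ROLE = "network-operator"   # role applied when shell:roles is absent
DEFAULT_AUTH = "MD5"                # SNMPv3 auth protocol applied when snmpv3:auth is absent
DEFAULT_PRIV = "DES"                # SNMPv3 priv protocol applied when priv is absent
VALID_AUTH = ("SHA", "MD5")
VALID_PRIV = ("AES-128", "DES")


def parse_cisco_av_pair(av_pair):
    """Return the roles and SNMPv3 protocols the switch would derive from one cisco-av-pair value."""
    roles = [DEFAULT_ROLE]
    m = re.search(r'shell:roles="([^"]*)"', av_pair)
    if m and m.group(1).split():                 # an empty roles list also falls back to the default
        roles = m.group(1).split()
    m = re.search(r"snmpv3:auth=(\S+)", av_pair)
    auth = m.group(1) if m else DEFAULT_AUTH
    m = re.search(r"\bpriv=(\S+)", av_pair)
    priv = m.group(1) if m else DEFAULT_PRIV
    if auth not in VALID_AUTH:
        raise ValueError("unsupported SNMPv3 auth protocol: %s" % auth)
    if priv not in VALID_PRIV:
        raise ValueError("unsupported SNMPv3 priv protocol: %s" % priv)
    return {"roles": roles, "auth": auth, "priv": priv}


def weak_settings(parsed):
    """List the effective protocol choices a reviewer should flag (the MD5/DES fallbacks)."""
    findings = []
    if parsed["auth"] == "MD5":
        findings.append("auth=MD5 (use SHA)")
    if parsed["priv"] == "DES":
        findings.append("priv=DES (use AES-128)")
    return findings


if __name__ == "__main__":
    # Constructed sample records: one fully specified, one relying on the defaults
    for record in ('shell:roles="network-admin" snmpv3:auth=SHA priv=AES-128',
                   'shell:roles="roleA roleB"'):
        parsed = parse_cisco_av_pair(record)
        print(record, "->", parsed, "flags:", weak_settings(parsed))
```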

OSPF Summary Routes and BGP

Recently I was in a situation where I needed to advertise some OSPF routes created using the area range command into BGP. When advertising routes into BGP there are a few considerations:

  • Does the routing table know the exact route you’re trying to advertise into BGP?
  • Is any route filtering being performed? Don’t forget to check at the source of the BGP route and the destination it’s being advertised to!
  • Is soft-reconfiguration supported on the software you’re running?
  • Will you need to do a “clear ip bgp neighbor”? Seems IOS 12.4 doesn’t require it but 12.2 does. I tested 12.4 on GNS3, and 12.2 on a live 6500.

Using the area range command will automatically generate an OSPF intra-area route to Null0 if the router the command is issued on is an ABR. This is visible here:

Switch#sh ip route 
Routing entry for
Known via "ospf 1", distance 110, metric 0, type intra area
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1

This route will not be created on a non-ABR router, so watch out if you're using single area OSPF. You'll need to create a static null route to the summary range you're trying to advertise on a non-ABR router.

Anyway, I was trying to clear up whether BGP would take an auto-generated null 0 route for a network advertisement. Seems it will!

Checksum Verification

Occasionally I have to install software that is no longer available for download via the official channels. This is because we have fairly strict standards on which IOS versions are stable and suitable for use, via a bug scrub process that Cisco is party to.

I could speak to our Cisco SE and ask for the image to be provided, but it’s simpler and quicker to find a similar piece of kit on the network and FTP/SCP the image across.

I did this today, and then realised that I couldn't rely on CCO to give me the MD5 sum for the image. A quick Google search tells me that I can perform a checksum on the switch using this command:

verify /md5 <file-location>:<file-name>

Location choices are:

bs: File to be verified
cns: File to be verified
flash: File to be verified
ftp: File to be verified
http: File to be verified
https: File to be verified
null: File to be verified
nvram: File to be verified
rcp: File to be verified
scp: File to be verified
system: File to be verified
tar: File to be verified
tftp: File to be verified
tmpsys: File to be verified
xmodem: File to be verified
ymodem: File to be verified

Example: verify /md5 flash:c3560e-ipbasek9-mz.122-53.SE2.bin

This yields a checksum which can be compared to the file copied across using the following command if you’re on a UNIX based system:

md5 <filename> | grep <expected-checksum>