Sabotage Networks
Yet another networking blog
Author: Matt Bennett (http://www.blogger.com/profile/17975039074220496861)
Feed last updated: 2024-03-19

Linux Shortcuts and Auto Updating AppImages (published 2023-10-22)

A minor annoyance with software deployed as AppImages that auto update is that each update breaks any shortcuts you've created.
The trick is not to create the shortcut directly to the file, e.g.

    /home/me/software/myappname-v32831.38474-linux-x86_64.AppImage

Instead, create the shortcut to run the "find" command so it locates any file in that folder starting with the same text and

3rd Party Firewalls in Azure (published 2022-01-22)

You can use 3rd party firewalls in Azure but there are some differences in how High Availability works.
Standard firewall H/A works via lower level network communication to move IP addresses between devices (e.g. gratuitous ARP), but the underlying network in Azure/AWS/etc won't support that approach. There are APIs to inform Azure that an IP address has moved to a different device, but at time

GDPR and Appropriate Security Controls (published 2021-05-20)

GDPR article 32 requires "appropriate" controls to protect personal data, but what exactly is appropriate? The ICO has published various cases that can be used to gauge their expectations.
Having a risk assessment helps to qualify the approach and show due diligence, but it's a subjective process so results will vary, and if the ICO disagree with the outcome then the financial penalties can be
Location: Wilmslow SK9, UK

Powershell for AD Querying (published 2019-11-25)

Powershell commands for mucking about with AD:

Basic info on the user:
    Get-ADUser username

List all groups a user is in:
    Get-ADPrincipalGroupMembership username | select name

List all users in a group:
    Get-ADGroupMember "Groupname" | select name

List all groups in the AD:
    Get-ADGroup -searchbase "OU=GROUPS_OU,DC=domain,DC=com" -Property member -Filter * | select-object name, @{n='count';e={$_.

Automated Install for OpenStack Kilo on Ubuntu Server (published 2016-05-12)

I've been messing around with OpenStack lately. There is the excellent Devstack system for building test deployments, but I wanted something to survive a reboot, which meant needing a full OpenStack. There are some great docs on OpenStack's website for installing Kilo on Ubuntu 14.04.
To automate things I've scripted the process above with a few tweaks, available on github:
https://github.com/

Vagrant Lab for HAProxy (published 2016-01-02)

This article is about setting up a lab using Vagrant to play with the HAProxy load balancer.
If you want the TLDR version where you just copy/paste a few lines and the lab gets created, then this will do the job; it's explained in more detail below. It's great with tools like Virtualbox and Vagrant that such a lab can be set up so easily; this would have taken days to build prior to

Cisco IOS TCL - Reset Interface if DHCP Fails (published 2015-02-10)

I've got some devices where DHCP doesn't always work properly for a number of reasons; running shut/no shut on the Cisco router seems to fix it. To automate that I've knocked up a TCL script.
The script itself:

    # script to check if an interface has an IP address and reset it if not.
    # copy to flash via TFTP or write it using the technique described here:
    # http://

Applying Cisco's New Licenses Without Network Servers (published 2013-02-17)

Cisco have a new licensing method that involves installing an XML license on the end device. The license you buy is a code, but rather than just entering that onto the device you have to go to Cisco.com and associate the code with a device using part and serial number. Then they generate an XML license file which you are supposed to download and install on the device.
The ways they support doing

Bluecoat Terminal Length (published 2012-10-31)

The Bluecoat SGOS equivalent of term len 0 is line-vty in config mode:

    Bluecoat#(config) line-vty
    Bluecoat#(config line-vty) length ?
    (0 for no pausing)
    Bluecoat#(config line-vty) length 0

Handy for grabbing the text config.

EIGRP RTP Unicast Fallback (published 2012-06-27)

Having just started studying for ROUTE to refresh a variety of Cisco exams, I had a look at EIGRP and got far too involved in RTP. Probably all you need to know for the ROUTE exam is that it's the Reliable Transport Protocol in the context of EIGRP and that it's used to ensure reliable delivery of updates. But to dig a little deeper....
RTP (not the same as real-time-protocol) can use both unicast

WCCP Redirect ACLs and Masks (published 2012-05-02)

This article is about WCCP redirect ACLs, masks and how they relate to TCAM usage on Cisco switches. It's quite important to understand if doing WCCP, as you want to ensure forwarding is done in hardware, which runs at wire speed, and not in software, which will cause considerable CPU usage and potentially performance issues.
This is quite a difficult subject to explain and I'm not entirely sure I've

Network Notes - IBM PowerHA / HACMP (published 2012-01-17)

Some info on the networking features of HACMP (High Availability Cluster Multiprocessing). This is now called PowerHA SystemMirror for AIX. It allows up to 16 nodes in a cluster. As of v7.1 the cluster can use multicast to communicate; previous versions used UDP broadcasts. The cluster heartbeats are sent both via LAN and SAN for redundancy.
Terminology:
Boot IP: The address bound to the physical

Cisco ASA 8.4 - Global Access Lists (published 2011-08-17)

A handy new feature in version 8.4 of the ASA software is the ability to do global access lists.
The Cisco ASA allows security levels to be applied to interfaces; traffic is automatically allowed from a high to low security level interface but not vice versa. It's probably designed for the fairly common use case of a perimeter device between a LAN and the internet. The internet link is set to

Evaluation Assurance Levels - EAL (published 2011-04-13)

EAL stands for evaluation assurance level and is a certificate of security for IT products measured against a set of common security criteria. The main source of information on EAL levels is the Common Criteria portal, where you can find details of approved products and information on the criteria used for the EAL certifications.
Who uses it? Your average network bod may not come across EAL very

Legacy FRTS & Subinterfaces (published 2011-02-14)

FRTS and subinterfaces. This page follows on from the previous article on legacy FRTS configuration here and shows the default behaviour of FRTS with subinterfaces.
The legacy frame-relay traffic shaping has to be enabled on a physical interface. Any subinterfaces will then inherit the configuration, which is 56kbps by default. The network is shown below:
In the example below FRTS is turned on but

Frame Relay Traffic Shaping - Legacy Configuration (published 2011-02-13)

This is a basic lab to play around with frame-relay traffic shaping, FRTS. It uses the legacy configuration method rather than MQC.
INE have a great article here describing the other options. This article assumes some knowledge of QoS terms such as CIR, Bc, Be and Tc.
The lab used looks like this:
I'll use the GNS3 built-in frame switch to make life easier; the config is below:
The basic router

Zone Based Firewall & Port Forwarding (published 2010-12-21)

This article covers setting up port forwarding with Cisco Zone Based Firewall (ZBF) on a typical home connection.
There are a couple of steps:
1 - Give your LAN host a static IP.
2 - Set up NAT to handle the port forwarding.
3 - Set up ZBF rules to allow the traffic.

1 - Static IP
You can either manually configure the client or use a DHCP reserved address. DHCP reservation is a royal pain on the Cisco 800

MST - Multiple Spanning Tree - Don't change the mappings! (published 2010-05-27)

MST allows you to create spanning-tree instances and map VLANs into them. Combined with VTP version 3, this means you can advertise the MST mappings automatically, as shown here.
MST has the concept of regions. Whether a switch is a member of a particular region depends on three things:
- The configured MST region name.
- The configured MST revision number.
- The VLAN to MSTI mappings.
The entire VLAN to MSTI

Bundling Frame Relay Links (published 2010-05-26)

Frame-relay study time! There are several ways to bundle links together in frame-relay:
- Frame-relay Multilink - FRF.16
- PPP Multilink
FRF.16 requires configuration all along the path, so the service provider must support it. PPP multilink can be used on any frame-relay links and doesn't require anything from the SP.

Frame-relay Multilink - FRF.16
I'll be using the incredibly complicated topology shown

SNMP Trap on VSS Failover (published 2010-05-24)

One of the big things that Cisco VSS is missing is the ability to clearly see when it's failed over.
You set up your spanking new 6500 with 10Gig supervisors, plug it into your network management, lose one of the boxes and get a few traps about routing problems. What you really want is a big in-your-face message saying "HELP ME THE VSS JUST FAILED OVER OH MY GOD THE SKY IS FALLING!!11!one" and

Basic PPPoE Lab (published 2010-03-22)

Configurations below for a PPPoE lab, directly connecting two routers.
This uses the new broadband access (bba) command instead of the old VPDN ones.

Client:
    interface Dialer1
     ip address 192.168.0.10 255.255.255.0
     encapsulation ppp
     dialer pool 1
    interface FastEthernet0/0
     pppoe-client dial-pool-number 1

Server:
    interface Virtual-Template1
     ip address 192.168.0.1 255.255.255.0
    bba-group pppoe global

Generate Strong Passwords from a Unix Box (published 2010-03-18)

Works from any form of unix that has a /dev/urandom and has uuencode installed.

    head -n 2 /dev/urandom | uuencode -m -

IBM Blade Centers - CIGESM Configuration (published 2010-02-20)

There are lots of docs from IBM explaining the blade center architecture, but it's a lot of information to filter through if you're only interested in the network side.
The blade center in this example holds 14 blades, which are best thought of as individual physical servers. It can use the Cisco switching module called a Cisco Systems Intelligent Gigabit Ethernet Switch Module, or CIGESM. They do

Creating a CRL for an OSX keychain CA (published 2010-02-17)

OSX has a handy keychain utility that can be used to create a CA, among other things.
I needed a CRL generated for my keychain-created CA in order to use certificate-based VPNs on a Netscreen box.
There are probably 101 ways of doing this; mine is:
- Make a CA structure as per /opt/local/etc/openssl/openssl.cnf (or alternatively you could provide the suitable CLI options to openssl each time)

ToS DSCP Mappings (published 2010-02-12)

Reference table of ToS to DSCP mappings below.

    PHB    ToS byte value   ToS string   DSCP value
    CS0    0                Routine      0
    CS1    32               PRIORITY     8
    AF11   40                            10
    AF12   48                            12
    AF13   56                            14
    CS2    64               IMMEDIATE    16
    AF21   72                            18
    AF22   80                            20
    AF23   88                            22
    CS3    96               FLASH        24
    AF31   104                           26