Monday, March 31, 2014

How to list numbers next to ACL rules on Cisco

sh  access-list outside-acl | e \ \
access-list 101; 86 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip object-group WHITELIST-IPS any 0xc4d2a54e
access-list 101 line 2 extended permit icmp any any object-group ICMP-ALLOWED (hitcnt=576916) 0x994c9516
access-list 101 line 3 extended deny ip any host 192.168.199.254 (hitcnt=31708) 0x8e8cc2a6
access-list 101 line 5 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 6 remark RULES CONTROLLED BY AUTOMATION
access-list 101 line 7 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 8 extended permit ip host 1.1.1.1 host 10.179.72.125 (hitcnt=0) 0xa9809ff7
access-list 101 line 9 extended permit ip any host 10.179.72.125 (hitcnt=0) 0xa9809ff7

Sunday, March 30, 2014

How to automatically prefill command on the Linux bash

Bash is one of the best-known Linux shells. It offers a great number of features, for example spawning and controlling processes, redirecting streams, supporting scripts, and a flexible way to control your editing line.

Problem

How to automatically pre-populate a command on the shell after the prompt.

Solution description

The shell has three default streams: stdout, stdin and stderr. By manipulating the stdin of the process we can simulate typing a command.

Reference implementation

The original script can be found here: https://github.com/rtomaszewski/experiments/blob/master/type-command.c

Demonstration
  • First compile the program
gcc -o type-command type-command.c
  • Run it for the first time
# ./type-command
type-command: the variable TYPE_CMD_ENABLED is not set, set it to 'no' to surpress this message; set the TYPE_CMD_TYPE for the command to type

Example: export TYPE_CMD_ENABLED=yes; export TYPE_CMD_TYPE=date
  • Export the variable that controls whether the program should try to type a command or not
# export TYPE_CMD_ENABLED=yes
# ./type-command
#
  • Specify the command that you wish to be typed
# export TYPE_CMD_ENABLED=yes; export TYPE_CMD_TYPE=date
# ./type-command
# date
Sun Mar 30 19:27:55 UTC 2014
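
An added sketch, not the author's type-command.c, of one way to get this behaviour on Linux. It assumes the TIOCSTI ioctl described in the tty_ioctl man page listed in the references, mirrors the TYPE_CMD_ENABLED / TYPE_CMD_TYPE handling shown above, and uses hypothetical function names (decide, type_into_tty).

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

enum action { ACT_HINT, ACT_SILENT, ACT_TYPE };

/* Decide what to do from the two environment values (NULL = unset). */
enum action decide(const char *enabled, const char *cmd)
{
    if (enabled == NULL)
        return ACT_HINT;        /* variable not set: print the usage hint */
    if (strcmp(enabled, "yes") != 0 || cmd == NULL || *cmd == '\0')
        return ACT_SILENT;      /* 'no' (assumed: any non-'yes'), or nothing to type */
    return ACT_TYPE;
}

/* Queue cmd on the terminal's input one byte at a time, without a newline,
 * so the shell shows it at the prompt and the user still has to press Enter.
 * Returns the number of bytes queued, or -1 if fd is not a terminal or the
 * kernel refuses TIOCSTI (Linux 6.2+ with dev.tty.legacy_tiocsti=0). */
int type_into_tty(int fd, const char *cmd)
{
    int n = 0;
    for (const char *p = cmd; *p != '\0'; p++, n++) {
        if (ioctl(fd, TIOCSTI, p) == -1)
            return -1;
    }
    return n;
}

int main(void)
{
    const char *cmd = getenv("TYPE_CMD_TYPE");
    switch (decide(getenv("TYPE_CMD_ENABLED"), cmd)) {
    case ACT_HINT:
        fprintf(stderr, "TYPE_CMD_ENABLED is not set\n");
        return 1;
    case ACT_TYPE:
        if (type_into_tty(STDIN_FILENO, cmd) == -1) {
            perror("TIOCSTI");  /* not a tty, or TIOCSTI disabled */
            return 1;
        }
        return 0;
    case ACT_SILENT:
        break;
    }
    return 0;
}
```

Because the same ioctl lets any process holding the terminal's file descriptor queue input for the shell, hardened systems often disable it; the error path above is what a prefill helper sees in that case.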

References

http://stackoverflow.com/questions/10866005/bash-how-to-prefill-command-line-input
http://stackoverflow.com/questions/11198603/inject-keystroke-to-different-process-using-bash
http://unix.stackexchange.com/questions/48103/construct-a-command-by-putting-a-string-into-a-tty

http://fossies.org/linux/misc/old/console-tools-0.3.3.tar.gz%3at/console-tools-0.3.3/vttools/writevt.c

http://man7.org/linux/man-pages/man4/tty_ioctl.4.html
http://man7.org/linux/man-pages/man3/tcflush.3.html
http://www.tldp.org/LDP/lpg/node143.html

Saturday, March 29, 2014

How to create a sequence of replace commands to change your file

Use existing plugin: RegReplace

We could write a custom plugin using the Sublime API or try to use a plugin that promises to offer this functionality already: https://github.com/facelessuser/RegReplace

Demonstration

We have the following structured but inconsistently formatted data that we would like to adjust so it is easier to read and work with.



To reformat the text we can use the above plugin and define a series of regexes that match and modify text.
  • Install the RegReplace plugin.
  • Create a reg_replace.sublime-settings file in your Sublime2\Data\Packages\User\ directory and define the regex commands we want to use.
{
    "replacements": {
        // add the .<digit> when it is missing
        "ig_order_add_dot_digit": {
            "find": "([0-9][0-9]) at",
            "replace": "\\1.0 at"
//            "greedy": true,
//            "case": false
        },
        "ig_order_add_dot_digit2": {
            "find": "([0-9][0-9]) *- ",
            "replace": "\\1.0 - ",
            "greedy": true
        },
        "ig_order_fix_spaces": {
            "find": "/(201[0-9]) *",
            "replace": "/\\1 "
        },
        "ig_order_fix_spaces2": {
            "find": "-   -    -  ",
            "replace": "-    -    -     "
        },
        "ig_order_change_android_str": {
            "find": "AndroidApp",
            "replace": "AndrAp"
        },
        "ig_order_remove_str": {
            "find": "/s ",
            "replace": " ",
            "greedy": true
        },
        "ig_order_fix_header": {
            "find": "(Date) *(Time) *(Activity) *(Market) *(Period) *(Channel) *(Currency) *(Size) *(Level) *(Stop) *(Type) *(Limit) *(Result)",
            "replace": "Date        Time    Activity Market                                               Period              Channel Cur Size Level  Stop Type Limit Result",
            "greedy": true
        },



        "ig_transactions_fix_header": {
            "find": "(Type) *(Date) *(Ref) *(Market) *(Period) *(Opening) *(Ccy) *(Size) *(Closing) *(P/L)",
            "replace": "Type    Date        Ref         Market                                                  Period            Opening Ccy Size    Closing P/L",
            "greedy": true
        },
       "ig_transactions_add_dot_digit": {
            "find": "([0-9][0-9]) +£",
            "replace": "\\1.0 £"
        },
        "ig_transactions_add_dot_digit2": {
            "find": "(£ +.*\\..* +)([0-9]+) +",
            "replace": "\\1\\2.0 "
        },
        "ig_transactions_fix_plus_minus_sign": {
            "find": "([0-9]+\\.[0-9]+ +[0-9]+\\.[0-9]+ +)([0-9]+\\.[0-9]+)",
            "replace": "\\1 \\2"
        }

    }
}
  • Define the final regex command to run and associate a keyboard shortcut with it in the Default (Windows).sublime-keymap file
[
    {
        "keys": ["alt+ctrl+t"],
        "command": "reg_replace",
        "args": {"replacements": [
                                    // orders
                                    "ig_order_add_dot_digit",
                                    "ig_order_add_dot_digit2",
                                    "ig_order_fix_spaces",
                                    "ig_order_fix_spaces2",
                                    "ig_order_change_android_str",
                                    "ig_order_remove_str",
                                    "ig_order_fix_header",

                                    // transactions
                                    "ig_transactions_fix_header",
                                    "ig_transactions_add_dot_digit",
                                    "ig_transactions_add_dot_digit2",
                                    "ig_transactions_fix_plus_minus_sign"


                                ],  "find_only": true}
    }
]
  • When you activate the regex chain command it will first show which parts of the file are going to be changed
  • Accept the "yes" option at the bottom and reformat the file

How to write a plugin for Sublime editor

Below is a list of links to the Sublime API and Sublime commands in case you want to write a custom plugin.

Sublime API

https://www.sublimetext.com/docs/api-reference
https://www.sublimetext.com/docs/2/api_reference.html

Commands

http://sublimetext.info/docs/en/core/commands.html
http://www.sublimetext.com/docs/commands

Debug best practices

Once you follow the steps below, everything you do in the editor will be logged on the console.
  • Open the Sublime console: Ctrl+~
  • Enable verbose and debug logging within the editor
sublime.log_commands(True)
sublime.log_input(True)
  • Example commands to try on the console
view.run_command("goto_line", {"line": 7})
view.window().run_command("show_minimap", {"key": True})



Friday, March 14, 2014

Interface redundancy on the host with TCP Multipath

The TCP and UDP protocols are used to exchange data between hosts. They have been in use for a decade or longer, and how they work is very well documented.

Everyone knows the problem: when you lose the active link on a server, all your TCP sessions die as well. Let's say your server has 2 active interfaces. By default there is no way to move or migrate a TCP session to another active interface, so the other link can't be used automatically as a fallback mechanism.

There are a couple of reasons why this doesn't work; the simplest one is that the new link uses a different IP address. Even if the Linux kernel started using the new interface and sending IP/TCP packets sourced from the new IP address, these packets wouldn't be recognized on the remote side. The remote side expects TCP segments from one and only one source IP.

Problem

How to provide link-level redundancy on the server to keep a TCP session alive even if one interface experiences an error.

Analysis and solution Demonstration

The problem can be seen as a more generic issue: how to implement multihoming or link redundancy. There are a couple of working solutions out there. The simplest example:
  • Link bonding (link aggregation) on the server; requires support and proper configuration on both the switch and the server

We will look at another one: TCP Multipath. What is cool about it is that it is transparent to your application. It virtualizes a session and provides a single TCP session to the application, which benefits from built-in multipath redundancy at the kernel level.


References

http://multipath-tcp.org/
Decoupled from IP, TCP is at last able to support multihomed hosts
https://devcentral.f5.com/articles/multipath-tcp-mptcp
https://devcentral.f5.com/articles/the-evolution-of-tcp


Saturday, March 8, 2014

How to build a high performance network appliance like routers using commodity hardware and off the shelf components

You can assemble a server from off-the-shelf components that will be able to send and receive traffic at multi-Gigabit speed. Here is an example of a 10Gps net card from Intel.

But can we turn this server into a high-performance network appliance? Or do we still need dedicated hardware, for example ASICs, FPGAs, low-latency RAM and TCAM RAM, in network devices so they can efficiently switch and forward packets at maximum wire speed?

Router hardware design plan

Looking at this presentation from 2012, https://ripe64.ripe.net/presentations/18-ripe-64-router-architecture-challenges.pdf, you would think that yes, we do. These would be the obvious reasons (screenshots taken from the presentation):

Network processing unit (NPU) and new hardware design

The key points listed above still hold. But next-generation network appliances will more likely be built around a multicore generic NPU that uses the power of parallel processing than around expensive, purpose-designed ASICs. With the right software (OS - often Linux, drivers, firmware, SDK, and API libraries) you will be able to turn a conventional x86 server with a modern PCIe data bus into a high-performance, low-latency and high-speed network appliance.

Netronome Network Cards Accelerate SDN and NFV Designs
100Gps FlowNIC-6xxx network card
Hardware reference designs for FlowProcessor NPU chips



Sunday, March 2, 2014

How to do URL based load balancing on F5

There are many load balancers out there. Some of them offer great flexibility in controlling traffic by allowing a user to upload a custom script that implements the load balancing algorithm to solve a particular problem.

Problem

How to do HTTP URL based load balancing on F5.

Solution and demonstration

This is an iRule script that inspects the HTTP GET URL string to decide where to load balance the request: https://github.com/rtomaszewski/f5/blob/master/lb-based-on-url.tcl.

Create default pool

Create VIP

Create custom pools

Testing

To verify that our iRule is working properly we can enable debugging by changing the iRule variable DEBUG to 1.

Next we can simulate traffic:

curl -v http://vip/
curl -v http://vip/url1
curl -v http://vip/url2
curl -v http://vip/url3

And watch the logs on the load balancer.

tail -f /var/log/ltm

Mar  2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /
Mar  2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80
Mar  2 15:49:37 local/tmm info tmm[5231]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url1
Mar  2 15:49:37 local/tmm info tmm[5231]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url1
Mar  2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url2
Mar  2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url2
Mar  2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url3
Mar  2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url3



Reference

https://devcentral.f5.com/wiki/iRules.HomePage.ashx