Monday, March 31, 2014
How to list numbers next to ACL rules on Cisco
sh access-list outside-acl | e \ \
access-list 101; 86 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip object-group WHITELIST-IPS any 0xc4d2a54e
access-list 101 line 2 extended permit icmp any any object-group ICMP-ALLOWED (hitcnt=576916) 0x994c9516
access-list 101 line 3 extended deny ip any host 192.168.199.254 (hitcnt=31708) 0x8e8cc2a6
access-list 101 line 5 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 6 remark RULES CONTROLLED BY AUTOMATION
access-list 101 line 7 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 8 extended permit ip host 1.1.1.1 host 10.179.72.125 (hitcnt=0) 0xa9809ff7
access-list 101 line 9 extended permit ip any host 10.179.72.125 (hitcnt=0) 0xa9809ff7
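The output above is easy to read by eye, but on an ACL with hundreds of lines you usually want the line numbers, actions and hit counters as data you can sort and filter. The parser below is an added example, not code from the post; it takes the ASA output shown above as its sample input and relies only on the fields visible there (line number, remark or action, optional hitcnt, rule hash). The zero-hit listing is the check I would run first when auditing such a list.

```python
"""Parse `show access-list` output into numbered rules (added example, not the post's code).

The sample is the ASA output from the post. Lines that are not access-list
entries (the header with the element count, the command itself) are skipped,
and remark lines are kept as comments so the numbering stays complete.
"""
import re

SHOW_ACCESS_LIST = """\
access-list 101; 86 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip object-group WHITELIST-IPS any 0xc4d2a54e
access-list 101 line 2 extended permit icmp any any object-group ICMP-ALLOWED (hitcnt=576916) 0x994c9516
access-list 101 line 3 extended deny ip any host 192.168.199.254 (hitcnt=31708) 0x8e8cc2a6
access-list 101 line 5 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 6 remark RULES CONTROLLED BY AUTOMATION
access-list 101 line 7 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 8 extended permit ip host 1.1.1.1 host 10.179.72.125 (hitcnt=0) 0xa9809ff7
access-list 101 line 9 extended permit ip any host 10.179.72.125 (hitcnt=0) 0xa9809ff7
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?:remark (?P<remark>.*)"
    r"|extended (?P<action>permit|deny) (?P<match>.+?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))? (?P<hash>0x[0-9a-f]+))$"
)


def parse_show_access_list(text):
    """Return one dict per ACL line, in the order the ASA printed them."""
    rules = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        hits = m.group("hits")
        rules.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "remark": m.group("remark"),      # None for a real ACE
            "action": m.group("action"),      # None for a remark line
            "match": m.group("match"),
            # None when the ASA printed no hitcnt for the line (as for line 1 above)
            "hits": int(hits) if hits is not None else None,
            "hash": m.group("hash"),
        })
    return rules


def unused_rules(rules):
    """Line numbers of ACEs with a zero hit count: the first thing to review in an ACL audit."""
    return [r["line"] for r in rules if r["remark"] is None and r["hits"] == 0]


def numbered_listing(rules):
    """Compact 'line number -> rule' view, which is what the post is after."""
    out = []
    for r in rules:
        if r["remark"] is not None:
            out.append(f'{r["line"]:>3}  remark  {r["remark"]}')
        else:
            hits = "n/a" if r["hits"] is None else str(r["hits"])
            out.append(f'{r["line"]:>3}  {r["action"]:<6}  {r["match"]}  hits={hits}')
    return out


if __name__ == "__main__":
    parsed = parse_show_access_list(SHOW_ACCESS_LIST)
    print("\n".join(numbered_listing(parsed)))
    print("zero-hit lines:", unused_rules(parsed))
```

Feed it `show access-list <name>` output captured from your own box; only the hitcnt is optional in the regex, everything else in the line layout is fixed on the ASA.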
Sunday, March 30, 2014
How to automatically prefill command on the Linux bash
Linux Bash is one of the most famous Linux shells. It offers a great number of features, for example spawning and controlling processes, redirecting streams, supporting scripts and a flexible way to control your editing line.
Problem
How to automatically pre-populate a command on the shell after prompt.
Solution description
The shell has three default streams: stdout, stdin and stderr. By manipulating the stdin of the process we can simulate typing a command.
Reference implementation
The original script can be found here: https://github.com/rtomaszewski/experiments/blob/master/type-command.c
Demonstration
- Compile the program first
gcc -o type-command type-command.c
- Run it for the first time
# ./type-command
type-command: the variable TYPE_CMD_ENABLED is not set, set it to 'no' to surpress this message; set the TYPE_CMD_TYPE for the command to type
Example: export TYPE_CMD_ENABLED=yes; export TYPE_CMD_TYPE=date
- Export the variable that controls whether the program should try to type a command or not
# export TYPE_CMD_ENABLED=yes
# ./type-command
#
- Specify the command that you wish to be typed
# export TYPE_CMD_ENABLED=yes; export TYPE_CMD_TYPE=date
# ./type-command
# date
Sun Mar 30 19:27:55 UTC 2014
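The mechanism behind "manipulating the stdin" deserves to be spelled out, because it is not a write to the shell's stdin pipe: the shell's input is the terminal, and the only way to make the terminal deliver bytes is to push them into its input queue. The program below is an added example written for this post, not the type-command.c from the repository above; it re-implements the idea in Python with the TIOCSTI ioctl, the same call the referenced writevt.c uses, and reuses the post's two environment variables. The check on the terminal is where the interesting part is: the kernel only allows TIOCSTI on the caller's own controlling terminal unless the process has CAP_SYS_ADMIN, and kernels from 6.2 on can switch it off altogether (sysctl dev.tty.legacy_tiocsti=0), precisely because a process holding any tty descriptor could otherwise feed keystrokes to whatever reads that terminal.

```python
"""Pre-type a command on the current shell prompt (added example, not the post's type-command.c).

Each byte of the command is inserted into the terminal's input queue with the
TIOCSTI ioctl, so the shell receives it exactly as if it had been typed. The
environment variables TYPE_CMD_ENABLED and TYPE_CMD_TYPE follow the post.
"""
import fcntl
import os
import sys
import termios

# Linux value of TIOCSTI; termios exposes it on Linux builds, the literal is the fallback.
TIOCSTI = getattr(termios, "TIOCSTI", 0x5412)


def resolve_command(env):
    """Decide what to type from `env` (a mapping like os.environ).

    Returns (status, command):
      ("help", None)      TYPE_CMD_ENABLED is not set: caller prints the usage hint
      ("disabled", None)  TYPE_CMD_ENABLED is set but not 'yes' (for example 'no')
      ("nothing", None)   enabled, but TYPE_CMD_TYPE is unset or empty
      ("type", cmd)       enabled and there is a command to place on the prompt
    """
    enabled = env.get("TYPE_CMD_ENABLED")
    if enabled is None:
        return "help", None
    if enabled != "yes":
        return "disabled", None
    cmd = env.get("TYPE_CMD_TYPE", "")
    if not cmd:
        return "nothing", None
    # Only one line is ever placed on the prompt: an embedded newline would make the
    # shell execute the first part immediately, so line breaks are folded into spaces.
    return "type", " ".join(cmd.splitlines())


def type_into_tty(fd, command, press_enter=False):
    """Insert `command` into the input queue of the terminal behind `fd`.

    Returns the number of bytes injected, or -1 when `fd` is not a terminal or
    the kernel refuses the ioctl (no controlling-tty relationship and no
    CAP_SYS_ADMIN, or TIOCSTI disabled via dev.tty.legacy_tiocsti=0).
    """
    if not os.isatty(fd):
        return -1
    data = command.encode() + (b"\n" if press_enter else b"")
    try:
        for byte in data:
            fcntl.ioctl(fd, TIOCSTI, bytes([byte]))  # TIOCSTI takes one byte per call
    except OSError:
        return -1
    return len(data)


if __name__ == "__main__":
    status, cmd = resolve_command(os.environ)
    if status == "help":
        print("type-command: TYPE_CMD_ENABLED is not set; export TYPE_CMD_ENABLED=yes and "
              "TYPE_CMD_TYPE=<command>, or TYPE_CMD_ENABLED=no to silence this", file=sys.stderr)
    elif status == "type":
        tty_fd = os.open("/dev/tty", os.O_RDWR)  # this process's controlling terminal
        try:
            injected = type_into_tty(tty_fd, cmd)
        finally:
            os.close(tty_fd)
        if injected < 0:
            sys.exit("type-command: could not inject into the terminal")
```

Run it from an interactive shell with the same exports as in the steps above; with press_enter left at False the command only appears on the prompt and waits for you, which is the "prefill" behaviour of the title.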
References
http://stackoverflow.com/questions/10866005/bash-how-to-prefill-command-line-input
http://stackoverflow.com/questions/11198603/inject-keystroke-to-different-process-using-bash
http://unix.stackexchange.com/questions/48103/construct-a-command-by-putting-a-string-into-a-tty
http://fossies.org/linux/misc/old/console-tools-0.3.3.tar.gz%3at/console-tools-0.3.3/vttools/writevt.c
http://man7.org/linux/man-pages/man4/tty_ioctl.4.html
http://man7.org/linux/man-pages/man3/tcflush.3.html
http://www.tldp.org/LDP/lpg/node143.html
Labels: automation, bash, cli, linux
Saturday, March 29, 2014
How to create a sequence of replace commands to change your file
Use existing plugin: RegReplace
We could write a custom plugin using the Sublime API or try to use a plugin that promises to offer this functionality already: https://github.com/facelessuser/RegReplace
Demonstration
We have the following data, structured but not consistently formatted, that we would like to adjust so it is easier to read and work with.
To reformat the text we can use the above plugin and define a series of regexes that match and modify the text.
- Install the RegReplace plugin.
- Create a reg_replace.sublime-settings file in your Sublime2\Data\Packages\User\ directory and define the regex commands we want to use.
{
    "replacements": {
        // add the .<digit> when it is missing
        "ig_order_add_dot_digit": {
            "find": "([0-9][0-9]) at",
            "replace": "\\1.0 at"
            // "greedy": true,
            // "case": false
        },
        "ig_order_add_dot_digit2": {
            "find": "([0-9][0-9]) *- ",
            "replace": "\\1.0 - ",
            "greedy": true
        },
        "ig_order_fix_spaces": {
            "find": "/(201[0-9]) *",
            "replace": "/\\1 "
        },
        "ig_order_fix_spaces2": {
            "find": "- - - ",
            "replace": "- - - "
        },
        "ig_order_change_android_str": {
            "find": "AndroidApp",
            "replace": "AndrAp"
        },
        "ig_order_remove_str": {
            "find": "/s ",
            "replace": " ",
            "greedy": true
        },
        "ig_order_fix_header": {
            "find": "(Date) *(Time) *(Activity) *(Market) *(Period) *(Channel) *(Currency) *(Size) *(Level) *(Stop) *(Type) *(Limit) *(Result)",
            "replace": "Date Time Activity Market Period Channel Cur Size Level Stop Type Limit Result",
            "greedy": true
        },
        "ig_transactions_fix_header": {
            "find": "(Type) *(Date) *(Ref) *(Market) *(Period) *(Opening) *(Ccy) *(Size) *(Closing) *(P/L)",
            "replace": "Type Date Ref Market Period Opening Ccy Size Closing P/L",
            "greedy": true
        },
        "ig_transactions_add_dot_digit": {
            "find": "([0-9][0-9]) +£",
            "replace": "\\1.0 £"
        },
        "ig_transactions_add_dot_digit2": {
            "find": "(£ +.*\\..* +)([0-9]+) +",
            "replace": "\\1\\2.0 "
        },
        "ig_transactions_fix_plus_minus_sign": {
            "find": "([0-9]+\\.[0-9]+ +[0-9]+\\.[0-9]+ +)([0-9]+\\.[0-9]+)",
            "replace": "\\1 \\2"
        }
    }
}
- Define the final regex chain command to run and associate a keyboard shortcut with it in the Default (Windows).sublime-keymap file
[
    {
        "keys": ["alt+ctrl+t"],
        "command": "reg_replace",
        "args": {
            "replacements": [
                // orders
                "ig_order_add_dot_digit",
                "ig_order_add_dot_digit2",
                "ig_order_fix_spaces",
                "ig_order_fix_spaces2",
                "ig_order_change_android_str",
                "ig_order_remove_str",
                "ig_order_fix_header",
                // transactions
                "ig_transactions_fix_header",
                "ig_transactions_add_dot_digit",
                "ig_transactions_add_dot_digit2",
                "ig_transactions_fix_plus_minus_sign"
            ],
            "find_only": true
        }
    }
]
- When you activate the regex chain command it will first show which parts of the file are going to be changed
- Accept the "yes" option at the bottom to reformat the file
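Chained regexes are order-sensitive (the second rule sees the output of the first), so before wiring a chain to a keyboard shortcut it helps to run it on a small sample outside the editor. The snippet below is an added example and not RegReplace's code; it reproduces what the chain does with the first five rules from the settings above, on a constructed two-line sample. How the plugin treats an unset "greedy" is not stated in the post, so here an unset flag means "replace the first match only", which is an assumption.

```python
"""An ordered chain of regex replacements with a find-only preview (added example).

Not RegReplace's code. The five rules come from the reg_replace.sublime-settings
above; the sample text is constructed to resemble the export the post reformats.
"""
import re

# name -> (find, replace, greedy). Back-references use \1 as in the settings file.
RULES = {
    "ig_order_add_dot_digit":      (r"([0-9][0-9]) at",  r"\1.0 at", False),
    "ig_order_add_dot_digit2":     (r"([0-9][0-9]) *- ", r"\1.0 - ", True),
    "ig_order_fix_spaces":         (r"/(201[0-9]) *",    r"/\1 ",    False),
    "ig_order_change_android_str": (r"AndroidApp",       r"AndrAp",  False),
    "ig_order_remove_str":         (r"/s ",              r" ",       True),
}

# Constructed sample: uneven spacing after the date, whole numbers without ".0",
# a stray "/s" token and the long "AndroidApp" channel name.
SAMPLE = (
    "01/03/2014   10:15 Order AndroidApp 55 at 1.2 /s \n"
    "02/03/2014 11:20 Order Web 60 - 61 - 62 - 1.3\n"
)


def apply_chain(text, names, rules=RULES):
    """Run the named rules in order; returns (new_text, [(rule, replacements_made), ...])."""
    report = []
    for name in names:
        find, repl, greedy = rules[name]
        # count=0 replaces every match, count=1 only the first (the assumed non-greedy behaviour)
        text, n = re.subn(find, repl, text, count=0 if greedy else 1)
        report.append((name, n))
    return text, report


def preview(text, names, rules=RULES):
    """The find_only step: (rule, offset, matched text) for each hit, text left untouched.

    Every rule is previewed against the original text, so a rule that only
    matches the output of an earlier rule will not appear in the preview.
    """
    hits = []
    for name in names:
        find, _, greedy = rules[name]
        for i, m in enumerate(re.finditer(find, text)):
            if not greedy and i > 0:
                break
            hits.append((name, m.start(), m.group(0)))
    return hits


def reformat_sample():
    """Apply the whole chain to SAMPLE in settings order."""
    return apply_chain(SAMPLE, list(RULES))


if __name__ == "__main__":
    for hit in preview(SAMPLE, list(RULES)):
        print("would change:", hit)
    new_text, report = reformat_sample()
    print(new_text)
    print(report)
```

The report tells you how many replacements each rule made, which is the quickest way to spot a rule that silently matched nothing because an earlier rule had already rewritten its input.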
Labels: plugin, programming, regex, sublime
How to write a plugin for Sublime editor
Below is a list of links to the Sublime API and Sublime commands documentation, useful if you want to write a custom plugin.
Sublime API
https://www.sublimetext.com/docs/api-reference
https://www.sublimetext.com/docs/2/api_reference.html
Commands
http://sublimetext.info/docs/en/core/commands.html
http://www.sublimetext.com/docs/commands
Debug best practices
Once you follow the steps below everything you do in the editor will be logged on the console.
- Open the Sublime console: Ctrl+~
- Enable verbose and debug logging within the editor
sublime.log_commands(True)
sublime.log_input(True)
- Example commands to try on the console
view.run_command("goto_line", {"line": 7})
view.window().run_command("show_minimap", {"key": True})
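The console commands above use names like goto_line; Sublime derives those from the plugin class name (GotoLineCommand becomes goto_line), which is also the name you will see in the console once sublime.log_commands(True) is on. The plugin below is an added example and not from the post or the linked documentation: a TextCommand whose actual text transformation lives in a plain function, so the logic can be exercised outside the editor. The import fallback exists only so the module loads without Sublime; inside the editor, drop the file into Packages/User/ and run it with view.run_command("trim_trailing_whitespace").

```python
"""A minimal Sublime Text plugin with its logic kept testable (added example).

Not from the post or its linked docs. The command class only glues the view to
trim_trailing(); command_name() shows the naming rule Sublime applies to plugin
classes, which is how "goto_line" in the console maps to a GotoLineCommand class.
"""
import re

try:
    import sublime
    import sublime_plugin
    _TextCommand = sublime_plugin.TextCommand
except ImportError:  # not running inside Sublime (for example in a unit test)
    sublime = None
    _TextCommand = object


def command_name(class_name):
    """Sublime's rule: drop the 'Command' suffix and turn CamelCase into snake_case."""
    if class_name.endswith("Command"):
        class_name = class_name[: -len("Command")]
    return re.sub(r"(?<!^)(?=[A-Z])", "_", class_name).lower()


def trim_trailing(text):
    """Remove spaces and tabs before each line end; returns (new_text, lines_changed).

    The lookahead accepts both \\n and \\r\\n endings and the end of the buffer,
    so a file with Windows line endings is handled without converting it.
    """
    return re.subn(r"[ \t]+(?=\r?\n|\Z)", "", text)


class TrimTrailingWhitespaceCommand(_TextCommand):
    """Invoked as view.run_command("trim_trailing_whitespace") or from a keymap."""

    def run(self, edit):
        whole = sublime.Region(0, self.view.size())
        new_text, changed = trim_trailing(self.view.substr(whole))
        if changed:
            self.view.replace(edit, whole, new_text)
        # Shows up on the console right next to the log_commands() output.
        print("trim_trailing_whitespace: %d line(s) changed" % changed)
```

Keeping the editing logic in a function the editor never sees is the debugging habit that pays off most: the console is fine for watching commands fire, but a pure function can be run against awkward input (mixed line endings, an empty buffer) without restarting the editor.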
Labels: api, programming, sublime
Friday, March 14, 2014
Interface redundancy on the host with TCP Multipath
The TCP and UDP protocols are used to exchange data between hosts. They have been in use for a decade or longer and how they work is very well documented.
Everyone knows the problem: when the active link on a server is lost, all of its TCP sessions die with it. Say the server has two active interfaces. By default there is no way to move or migrate a TCP session onto the other active interface, so the second link cannot be used automatically as a fallback mechanism.
There are a couple of reasons why this does not work; the simplest is that the other link uses a different IP address. Even if the Linux kernel started using the new interface and sending IP/TCP packets sourced from the new address, those packets would not be recognized on the remote side, which expects TCP segments from one and only one source IP.
Problem
How to provide link level redundancy on the server so that a TCP session stays alive even if one interface experiences an error.
Analysis and solution Demonstration
The problem can be seen as a more generic issue: how to implement multihoming or link redundancy. There are a couple of working solutions out there. The simplest example:
- Link bonding (link aggregation) on the server; requires support and proper configuration on both the switch and the server
References
http://multipath-tcp.org/
Decoupled from IP, TCP is at last able to support multihomed hosts
https://devcentral.f5.com/articles/multipath-tcp-mptcp
https://devcentral.f5.com/articles/the-evolution-of-tcp
Labels: high availability, kernel, linux, network, redundancy, tcp
Saturday, March 8, 2014
How to build a high performance network appliance like routers using commodity hardware and off the shelf components
You can assemble a server from off-the-shelf components that is able to send and receive traffic at multi-Gigabit speed. Here is an example of a 10Gps network card from Intel.
But can we turn this server into a high performance network appliance? Do we still need dedicated hardware such as ASICs, FPGAs, low latency RAM and TCAM in network devices so they can switch and forward packets efficiently at full wire speed?
Router hardware design plan
Looking at this presentation from 2012, https://ripe64.ripe.net/presentations/18-ripe-64-router-architecture-challenges.pdf, you would think the answer is yes. These would be the obvious reasons (screenshots taken from the presentation):
Network processing unit (NPU) and new hardware design
The key points listed above still hold. But the next generation of network appliances will rather be built around a generic multicore NPU, using the power of parallel processing, than around expensive, purpose-designed ASICs. With the right software (OS, often Linux; drivers; firmware; SDK and API libraries) you will be able to turn a conventional x86 server with a modern PCIe data bus into a high performance, low latency, high speed network appliance.
Netronome Network Cards Accelerate SDN and NFV Designs
100Gps FlowNIC-6xxx network card
Hardware reference designs for FlowProcessor NPU chips
Labels: architecture, cpu, hardware, network os, npu
Sunday, March 2, 2014
How to do URL based load balancing on F5
There are many load balancers out there. Some of them offer great flexibility in controlling traffic by allowing the user to upload a custom script that implements the load balancing algorithm for a particular problem.
Problem
How to do HTTP URL based load balancing on F5.
Solution and demonstration
This is an iRule script that inspects the URL of the HTTP GET request to decide where to load balance it: https://github.com/rtomaszewski/f5/blob/master/lb-based-on-url.tcl.
Create default pool
Create VIP
Create custom pools
Testing
To verify that our iRule is working properly we can enable debugging by changing the iRule variable DEBUG to 1.
Next we can simulate traffic:
curl -v http://vip/
curl -v http://vip/url1
curl -v http://vip/url2
curl -v http://vip/url3
And watch the logs on the load balancer:
tail -f /var/log/ltm
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80
Mar 2 15:49:37 local/tmm info tmm[5231]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url1
Mar 2 15:49:37 local/tmm info tmm[5231]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url1
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url2
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url2
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url3
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url3
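Reading the log by eye works for four requests; for a real test run you want the decisions pulled out of /var/log/ltm and compared against what the rule is supposed to do. The code below is an added example, not the iRule itself (that is the Tcl file linked above): it models the same decision in Python and parses the log lines from the Testing step, which are reused here as sample input. The iRule's matching condition is not shown in the post, so exact matching on the path is an assumption taken from the "HTTP::uri eq /url1" lines. One detail worth noticing in the log is that the /url1 request was handled by tmm[5231] while the others went through tmm1[5232]; on a multi-core box those processes interleave their lines, so the pairing below is done per process rather than by "previous line".

```python
"""URI-based pool selection plus a check of the LTM log (added example, not the post's iRule).

Pool names and the log format come from the post. select_pool() models the
routing decision; parse_ltm_log() recovers the decisions the load balancer
actually logged; check_log() lists every disagreement between the two.
"""
import re
from urllib.parse import urlsplit

DEFAULT_POOL = "pool-vip-80"
URL_POOLS = {
    "/url1": "pool-vip-80-url1",
    "/url2": "pool-vip-80-url2",
    "/url3": "pool-vip-80-url3",
}

# The eight lines from the post's `tail -f /var/log/ltm`, reused as sample input.
LTM_LOG = """\
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80
Mar 2 15:49:37 local/tmm info tmm[5231]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url1
Mar 2 15:49:37 local/tmm info tmm[5231]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url1
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url2
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url2
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': HTTP::uri eq /url3
Mar 2 15:49:37 local/tmm1 info tmm1[5232]: Rule rule-url-lb-vip-80 <HTTP_REQUEST>: '11.22.33.44': sent traffic to pool pool-vip-80-url3
"""


def select_pool(uri, table=URL_POOLS, default=DEFAULT_POOL):
    """Pick the pool for a request URI; anything not in the table goes to the default pool.

    Only the path component is compared, so "/url1?x=1" lands in the /url1 pool
    and a query string cannot steer a request into a different pool.
    """
    path = urlsplit(uri).path or "/"
    return table.get(path, default)


LOG_RE = re.compile(
    r"(?P<proc>tmm\d*\[\d+\]): Rule (?P<rule>\S+) <HTTP_REQUEST>: '(?P<client>[^']+)': "
    r"(?:HTTP::uri eq (?P<uri>\S+)|sent traffic to pool (?P<pool>\S+))"
)


def parse_ltm_log(lines):
    """Pair each 'HTTP::uri eq' line with the 'sent traffic to pool' line from the same TMM process."""
    pending = {}      # proc -> URI whose pool decision has not been logged yet
    decisions = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        proc = m.group("proc")
        if m.group("uri") is not None:
            pending[proc] = m.group("uri")
        elif proc in pending:
            decisions.append((pending.pop(proc), m.group("pool")))
    return decisions


def check_log(lines):
    """(uri, logged_pool, expected_pool) for every logged decision that disagrees with select_pool()."""
    return [(u, p, select_pool(u)) for u, p in parse_ltm_log(lines) if p != select_pool(u)]


if __name__ == "__main__":
    for uri, pool in parse_ltm_log(LTM_LOG.splitlines()):
        print(f"{uri:<8} -> {pool}")
    print("mismatches:", check_log(LTM_LOG.splitlines()))
```

Pipe a longer `tail` capture into parse_ltm_log() after the DEBUG variable has been set to 1 and an empty mismatch list is your regression test for the rule.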
Reference
https://devcentral.f5.com/wiki/iRules.HomePage.ashx
Labels: adc, development, f5, irules, network, programming