Category: Work Diary

Cisco Periodic Reboot Using Perl

A request to reboot a Cisco ASA every week came in today. Under Cisco IOS there is kron (the command scheduler) which would accommodate us here, however there appears to be no such thing under the ASA OS (is it still called FOS?). The next best thing is to run a Perl script which uses the Net::SSH::Expect module to negotiate the SSH login.

As we are using an ASA without any kind of AAA usernames, the script also needs to raise its privileges with the en (enable) command and supply the enable password before it can issue the reload.

I’m on a FreeBSD server so I need to install the correct Perl module via the ports first:

# cd /usr/ports/net/p5-Net-SSH-Expect/
# make install

Now we can write and test the script:

#!/usr/bin/perl -w

use strict;
use Net::SSH::Expect;

# Device and credentials. These are stored in plain text, so the script
# should be readable only by the user whose crontab runs it (chmod 600).
my $host_ip        = "1.1.1.1";
my $login_name     = "xxxx";
my $login_password = "yyyy";
my $en_password    = "zzzz";

my $ssh = Net::SSH::Expect->new(
    host     => $host_ip,
    password => $login_password,
    user     => $login_name,
    raw_pty  => 1
);

# login() returns whatever the device printed; the ASA banner contains
# "Type help or '?' for a list of available commands."
my $login_output = $ssh->login();
if ($login_output !~ /Type help/) {
    die "Login has failed. Login output was $login_output";
}

# No AAA usernames, so raise privileges with the enable password.
$ssh->send("en");
$ssh->waitfor('Password:', 1) or die "prompt 'Password:' not found after 1 second";
$ssh->send($en_password);

# Reboot without the interactive confirmation prompt.
$ssh->exec("reload noconfirm");

Add the script to the crontab and we’re away!
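A hardened variant of the same script, added here as an example and not part of the original post: it moves the credentials out of the script into a root-owned, mode 0600 file (the path /usr/local/etc/asa-reload.conf and its key = value layout are assumptions), gives the prompts a longer timeout, and refuses to issue the reload unless the privileged "#" prompt was actually seen after en.

```perl
#!/usr/bin/perl -w
use strict;
use Net::SSH::Expect;

# Assumed credentials file, one "key = value" per line: host, user, password, enable.
my $cred_file = '/usr/local/etc/asa-reload.conf';

# Refuse to run unless the file is root-owned and mode 0600, then parse it.
sub load_credentials {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!";
    die "$path must be owned by root" if $st[4] != 0;
    my $mode = $st[2] & 07777;
    die sprintf("%s has mode %04o, expected 0600", $path, $mode) if $mode != 0600;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    my %cred;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;    # comments and blank lines
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "unparseable line in $path: $line";
        $cred{$k} = $v;
    }
    close $fh;
    for my $k (qw(host user password enable)) {
        die "$path is missing '$k'" unless defined $cred{$k} && length $cred{$k};
    }
    return \%cred;
}

my $c = load_credentials($cred_file);
my $ssh = Net::SSH::Expect->new(
    host     => $c->{host},
    user     => $c->{user},
    password => $c->{password},
    raw_pty  => 1,
    timeout  => 10,    # seconds to wait for output instead of the default 1
);

my $login_output = $ssh->login();
die "Login failed. Output was: $login_output" if $login_output !~ /Type help/;

$ssh->send('en');
$ssh->waitfor('Password:', 5) or die "no enable 'Password:' prompt within 5 seconds";
$ssh->send($c->{enable});
# Only reload once the privileged prompt (ending in '#') is seen; a wrong
# enable password leaves us at the '>' prompt and the script stops here.
$ssh->waitfor('#\s*$', 5, '-re') or die "enable failed: no privileged prompt seen";
$ssh->exec('reload noconfirm');
```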

Work Diary: VPN, VPN and more VPN

This last week has been a week of many VPNs. We started with encrypting our L2TPv3 VPN over a tunnel-based IPsec VPN between two Cisco IOS routers – now my preferred method of site-to-site VPN. The next configuration was a Cisco ASA to Cisco IOS router which, unfortunately, does not support the tunnel method, so a ‘traditional’ style was needed on the router to match up with the ASA. Site-to-site VPNs are fairly straightforward, but we have had several requests this week for modifications and changes to Remote Access VPN setups.

The RA VPN can have a lot of configuration, including split tunnelling, split DNS, Active Directory authentication, and the list goes on, and on, and on. The requirements this week were for data hair-pinning and reaching other site-to-site destinations from a remote access user. At Gconnect we have traditionally deployed the Cisco IPsec VPN client, mainly due to licensing constraints, but recently have been using the SSL VPN, both clientless and with the AnyConnect client – but as one client found out this week, there is a significant RAM requirement for some of these features.

Gconnect can manage your Cisco IOS and security devices – for more information see here


Work Diary: Layer2 VPNs

We had an enquiry this week from somebody who had found us on the Cisco website (Thanks Cisco!) who needed a layer 2 VPN setting up. As the story unfolded, he wanted a layer 2 VPN to run over a couple of broadband lines. This type of VPN solves a lot of problems in certain situations; in his case, there are 2 devices which have only MAC addresses and need to communicate over Ethernet. Other uses include extending the company LAN back to remote sites or home offices – meaning the remote users can use telephone systems, DHCP servers and the like over the link. Normally we would have delivered it over our MPLS network, but as we are not the connectivity provider here we had to come up with a new solution. We used the open standard L2TPv3 (Layer 2 Tunneling Protocol v3), which supports layer 2 VPNs and pseudowires, and ended up with a fully configured lab setup deployed on 2 Cisco routers and 2 Gconnect broadband lines.

Gconnect Cisco Consultancy
L2TPv3 Layer 2 Tunneling Protocol v3
Cisco Cloud and Managed Services Partners


Work Diary: A bit of BGP (Border Gateway Protocol)

We manage a couple of BGP Autonomous Systems (AS) for a service provider client. Today we have been advertising some new prefixes out of 1 autonomous system, ensuring that we have multiple connections announcing the same ranges for resiliency and diversity. Gconnect, as Cisco Cloud and Managed Service Partners, can leverage our experience in managing large Cisco networks whilst maintaining controls, checks and balances. Although we use a formal change control process, stringent backup and configuration archiving, we are still agile enough to perform an update like this in a couple of hours, rather than days. You can find out more about how the internet is glued together with BGP (Border Gateway Protocol) here.

Gconnect Cisco Consultancy
Cisco Cloud and Managed Services Partners


Work Diary: Making sense of NFSen

We recently took on a new client who was hosting a SOAP server on the end of a 2 Mbps leased line. The line was being completely flat-lined and the service was all but unavailable. Unfortunately, the networking hardware on site was pretty ‘basic’, so it was not possible to see what the issues were. The client had decided that as this service was mission critical they would move the 2 servers into the cloud, and then the extra bandwidth available would probably solve the issue. After the initial install and server setup, we were able to analyse the data going to and from the server using a NetFlow collector. This analysis identified the issue and the customer was able to resolve it by speaking to the owner of the offending server. By using Cisco networking equipment and firewalls we are able to export NetFlow data to our collectors, which run on FreeBSD and NFSen, giving customers access to a wealth of data to help keep their businesses running at their best.

The NFSen Project at Sourceforge
The FreeBSD Project
Gconnect Hosting

Work Diary: Redhat and CentOS

This week we’re working on a project for a customer to replace their very old, very poorly Linux Red Hat 4 server with a sparkling new server running the latest Red Hat 6. During the transition the customer has a temporary cloud backup solution for protecting critical data, as the tape drive has failed. We have built a new CentOS-based storage appliance on the customer site to keep 7 days’ worth of full backups using rsync over SSH, and will change the Cloud Backup solution over when the new server is commissioned. Another requirement is to provide a CIFS share for the Windows network using Samba – this is for the MS Exchange server to write backup jobs to. It’s an interesting project combining open source software, proprietary software and cloud technology, yet still keeping backup data where the customer can ‘see’ it.

Gconnect Cloud Backup products
Gconnect UNIX/Linux Consultancy
Linux Redhat
CentOS Linux