Category: Networking

Cisco Periodic Reboot Using Perl

A request to reboot a Cisco ASA every week came in today. Under Cisco IOS there is kron, which would accommodate us here, however there appears to be no such thing under the ASA OS (is it still called FOS?). The next best thing is to run a Perl script which utilises the Net::SSH::Expect module to negotiate the SSH login.

As we are using an ASA without any kind of AAA usernames, the script also needs to elevate its privileges with en (enable) after logging in, which means handling the enable password prompt as well.

I’m on a FreeBSD server so I need to install the correct Perl module via the ports first:

# cd /usr/ports/net/p5-Net-SSH-Expect/
# make install

Now we can write and test the script:

#!/usr/bin/perl -w

use strict;
use Net::SSH::Expect;

my $host_ip        = "1.1.1.1";
my $login_name     = "xxxx";
my $login_password = "yyyy";
my $en_password    = "zzzz";

# Open the SSH session; raw_pty stops the pty from mangling the ASA output.
my $ssh = Net::SSH::Expect->new(
    host     => $host_ip,
    password => $login_password,
    user     => $login_name,
    raw_pty  => 1,
);

# A successful ASA login greets us with "Type help or '?' for a list ...".
my $login_output = $ssh->login();
if ($login_output !~ /Type help/) {
    die "Login has failed. Login output was $login_output";
}

# Elevate to privileged mode, then issue the reload without the confirmation prompt.
$ssh->send("en");
$ssh->waitfor('Password:', 1) or die "prompt 'Password:' not found after 1 second";
$ssh->send($en_password);
$ssh->exec("reload noconfirm");

Add the script to the crontab and we’re away!
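A hardened version of the same cron job, added here as an example rather than the post's own script: credentials come from a hypothetical root-only file (/usr/local/etc/asa-reload.conf, an assumed path) instead of the source, the enable prompt is verified before the reload is sent, and every failure exits non-zero so cron reports it. It uses only the Net::SSH::Expect calls the module documents (new, login, send, waitfor, close).

```perl
#!/usr/bin/perl -w
# Added example, not the original post's script: credentials come from a
# root-only file, the enable prompt is verified before reloading, and any
# failure exits non-zero so cron reports it instead of silently skipping.
use strict;
use Net::SSH::Expect;

# Assumed (hypothetical) credential file, one "key = value" per line with
# the keys host, user, password and enable.
my $cred_file = '/usr/local/etc/asa-reload.conf';

sub read_credentials {
    my ($path) = @_;
    my $mode = (stat $path)[2] or die "cannot stat $path: $!\n";
    # Refuse to run if anyone but the owner can read the secrets.
    die "$path must be mode 0600\n" if $mode & 0077;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my %c;
    while (<$fh>) {
        next if /^\s*(#|$)/;
        my ($k, $v) = /^\s*(\w+)\s*=\s*(.*?)\s*$/ or die "bad line $. in $path\n";
        $c{$k} = $v;
    }
    close $fh;
    defined $c{$_} or die "missing '$_' in $path\n" for qw(host user password enable);
    return \%c;
}

my $c   = read_credentials($cred_file);
my $ssh = Net::SSH::Expect->new(
    host     => $c->{host},
    user     => $c->{user},
    password => $c->{password},
    raw_pty  => 1,
    timeout  => 10,
);

my $banner = $ssh->login();
die "login failed, output was: $banner\n" if $banner !~ /Type help/;

$ssh->send('en');
$ssh->waitfor('Password:', 5) or die "no enable password prompt\n";
$ssh->send($c->{enable});
# Only a '#' prompt proves the enable password was accepted.
$ssh->waitfor('#\s*$', 5) or die "enable failed, still in user mode\n";
$ssh->send('reload noconfirm');
$ssh->close();
print scalar(localtime), ": reload issued to $c->{host}\n";
```

Because cron mails any non-empty output, the single success line doubles as a weekly audit trail of the reload.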

Transit Update! Out with Global Crossing and in with Hurricane Electric

As Global Crossing were purchased by Level3 some time ago, and Gconnect were using both Global Crossing and Level3 as two of our four transit providers, we decided to use Hurricane Electric as a new provider to replace Global Crossing. Hurricane Electric have been long-time IPv6 advocates and have a global peering network which is almost unmatched. We have connected from our Telecity Reynolds POP and so far the results have been excellent. This now restores our 4 independent 'Tier 1' transit provider policy, leaving our AS33941 object showing:

aut-num:        AS33941
as-name:        GCONNECT
org:            ORG-CTL6-RIPE
descr:          Challenger Technology Ltd
descr:          Gconnect Autonomous System
remarks:
remarks:        ------------------------------------------
remarks:        -- TRANSIT: Level 3 Communications --
remarks:        ------------------------------------------
remarks:
import:         from AS3356 accept ANY
export:         to AS3356 announce AS-GCONNECT
mp-import:      afi ipv6.unicast from AS3356 accept ANY
mp-export:      afi ipv6.unicast to AS3356 announce AS-GCONNECT
remarks:
remarks:        ------------------------------------------
remarks:        -- TRANSIT: Hurricane Electric --
remarks:        ------------------------------------------
import:         from AS6939 accept ANY
export:         to AS6939 announce AS-GCONNECT
mp-import:      afi ipv6.unicast from AS6939 accept ANY
mp-export:      afi ipv6.unicast to AS6939 announce AS-GCONNECT
remarks:
remarks:        ------------------------------------------
remarks:        -- TRANSIT: Cogent Communications --
remarks:        ------------------------------------------
import:         from AS174 accept ANY
export:         to AS174 announce AS-GCONNECT
mp-import:      afi ipv6.unicast from AS174 accept ANY
mp-export:      afi ipv6.unicast to AS174 announce AS-GCONNECT
remarks:
remarks:        ------------------------------------------
remarks:        -- TRANSIT: Tiscali International --
remarks:        ------------------------------------------
import:         from AS3257 accept ANY
export:         to AS3257 announce AS-GCONNECT
mp-import:      afi ipv6.unicast from AS3257 accept ANY
mp-export:      afi ipv6.unicast to AS3257 announce AS-GCONNECT

Managed Services Update


We're starting on our new marketing campaign this week and the subject matter is our 3 core managed service offerings: Cisco managed services, Citrix consultancy and Linux.

It's all go with website updates, new printed literature, and technical specs and PDF data sheets brought up to date. The products themselves are not something new for Gconnect, but it's nice to have it formalised. Our managed services utilise our many years of industry experience, ITIL-compliant support system, vendor accreditations and certified engineers to provide a reliable, polished experience. So if you need some help with managing those non-mainstream applications and operating systems, let us know!

Work Diary: VPN, VPN and more VPN

This last week has been a week of many VPNs. We started with encrypting our L2TPv3 VPN over a tunnel-based IPsec VPN between two Cisco IOS routers – now my preferred method of site-to-site VPN. The next configuration was a Cisco ASA to Cisco IOS router which, unfortunately, does not support the tunnel method, so a 'traditional' crypto-map style was needed on the router to match up with the ASA. Site-to-site VPNs are fairly straightforward, but we have had several requests this week for modifications and changes to Remote Access VPN setups.

The RA VPN can have a lot of configuration, including split tunnelling, split DNS, Active Directory authentication, and the list goes on, and on, and on. The requirements this week were for data hair-pinning and reaching other site-to-site destinations from a remote access user. At Gconnect we have traditionally deployed the Cisco IPsec VPN client, mainly due to licensing constraints, but recently have been using the SSL VPN, both client-less and with the AnyConnect client – but as one client found out this week, there is a significant RAM requirement for some of these features.

Gconnect can manage your Cisco IOS and security devices – for more information see here


Work Diary: Layer2 VPNs

We had an enquiry this week from somebody who had found us on the Cisco website (Thanks Cisco!) who needed a layer 2 VPN setting up. As the story unfolded, he wanted a layer 2 VPN to run over a couple of broadband lines. This type of VPN solves a lot of problems in certain situations; in his case, there are 2 devices which have only MAC addresses and need to communicate over Ethernet. Other uses include extending the company LAN back to remote sites or home offices, meaning the remote users can use telephone systems, DHCP servers and the like over the link. Normally we would have delivered it over our MPLS network, but as we are not the connectivity provider here we had to come up with a new solution. We used the open standard L2TPv3 (Layer 2 Tunneling Protocol v3), which supports layer 2 VPNs and pseudowires, and ended up with a fully configured lab setup deployed on 2 Cisco routers and 2 Gconnect broadband lines.

Gconnect Cisco Consultancy
L2TPv3 Layer 2 Tunneling Protocol v3
Cisco Cloud and Managed Services Partners


Work Diary: A bit of BGP (Border Gateway Protocol)

We manage a couple of BGP Autonomous Systems (AS) for a service provider client. Today we have been advertising some new prefixes out of 1 autonomous system, ensuring that we have multiple connections announcing the same ranges for resiliency and diversity. Gconnect, as Cisco Cloud and Managed Service Partners, can leverage our experience in managing large Cisco networks whilst maintaining controls, checks and balances. Although we use a formal change control process, stringent backups and configuration archiving, we are still agile enough to perform an update like this in a couple of hours, rather than days. You can find out more about how the internet is glued together with BGP (Border Gateway Protocol) here.

Gconnect Cisco Consultancy
Cisco Cloud and Managed Services Partners


Work Diary: Making sense of NFSen

We recently took on a new client who was hosting a SOAP server on the end of a 2 Mbps leased line. The line was being completely flat-lined and the service was all but unavailable. Unfortunately, the networking hardware on site was pretty 'basic', so it was not possible to see what the issues were. The client had decided that, as this service was mission critical, they would move the 2 servers into the cloud, and the extra bandwidth available would probably solve the issue. After the initial install and server setup, we were able to analyse the data going to and from the server using a NetFlow collector. This analysis identified the issue, and the customer was able to resolve it by speaking to the owner of the offending server. By using Cisco networking equipment and firewalls we are able to export NetFlow data to our collectors, which run on FreeBSD and NFSen, giving customers access to a wealth of data to help keep their businesses running at their best.

The NFSen Project at Sourceforge
The FreeBSD Project
Gconnect Hosting

Gconnect are “Cisco Powered”!

Gconnect have now achieved Cisco Cloud and Managed Services Express Partner with 'Cisco Powered' MPLS-VPN status. What does that mean? Well, Cisco sent down some auditors to check out our processes and procedures, along with our technical setup, to ensure we are operating in a manner that meets their standards. In order to start the process we also had to meet other prerequisites, such as certified engineers and a proven track record in delivering Cisco-based services. Gconnect are the smallest Cisco Cloud and Managed Services Express Partner in the UK, making us the ideal partner for companies wanting the assurance of a third-party audit and the responsiveness of a small, dynamic ISP.

Gconnect MPLS and connectivity products
‘Cisco-Powered’ Information
Cisco Cloud and  Managed Services Information


Gconnect attain Cisco ‘Select’ partnership status

Gconnect have attained the Cisco Small Business Specialisation, making us 'Select' partners. This means that we have proved to Cisco we have the skills and experience to service SMEs with products and services 'fit for and built for' their needs. The scope covers all aspects of Cisco's product portfolio, including:

  • Switching
  • Routing
  • Collaboration
  • Security
  • Wifi

Gconnect continue to work with Cisco on future projects and accreditations.

Postfix woes with IPv6

Since adding IPv6 capabilities to our spam scanning system, we have had a handful of issues with customers running Postfix mail servers. In some versions of Postfix, the software will try to look up quad-A (AAAA) records whether or not the mail server has IPv6 connectivity, and then attempt delivery to the IPv6 address it gets back. This error will be highlighted by messages like:

Network Is Unreachable

There are a couple of options, but the easiest is to force Postfix to run IPv4-only by editing /etc/postfix/main.cf and ensuring the line starting with inet_protocols is:

inet_protocols=ipv4

This will ensure the system only asks for IPv4 (A) records and should resolve the issue (reload Postfix after the change).