Wednesday, 8 August 2018

Arista FHRP: VRRP

VRRP

  • Advantages of using VRRP:
  • If one router goes down, we don’t need to manually reconfigure the many devices downstream, because those devices use the virtual IP as their gateway.

  • Process:
  • We give an ID to the routers which we want to be part of VRRP. If the routers share the same ID, they both create a virtual MAC (the SRC MAC of the VRRP packets is this new MAC and the DST MAC is a well-known MAC; the destination IP is the well-known multicast IP 224.0.0.18).
  • Then, depending on the priority (with the physical IP of the routers as the tie-breaker), the Master and Backup routers are determined. The router with the higher priority wins the election (in Arista EOS, the default priority is 100).

  • Note:
  • Routers are expensive.
  • Also, a complete router going down is less likely than a link going down.
  • So, to use resources effectively, make a different router the Master for different VLANs.
  • Also, VRRP is interface specific.

  • Re-election Process:
  • Once the election is complete, if the Master router goes down, the Backup becomes the new Master.
  • Now, if the old Master comes back up again, will re-election happen?

  • Other than the VRRP control packets, any data packet forwarded to an outside network is rewritten by the current Master router using that router’s physical MAC address.
  • http://www.programering.com/a/MDM2IzNwATc.html 
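As an added example, not part of the notes above, this Python parses a VRRPv2 advertisement (the fields the notes describe: VRID, priority and the advertised virtual IP, sent to 224.0.0.18) and applies the election rule, higher priority wins and the higher physical IP breaks a tie. The sample advertisements are constructed inside the script and the function names are mine; checking the checksum before trusting a capture is the point a defender wants.

```python
import struct
from ipaddress import IPv4Address

VRRP_MCAST_GROUP = "224.0.0.18"   # well-known destination IP of advertisements
DEFAULT_PRIORITY = 100            # Arista EOS default from the notes above


def virtual_mac(vrid: int) -> str:
    """The shared virtual MAC is 00:00:5e:00:01:<VRID> (RFC 3768)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum used by VRRP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_vrrp_v2(payload: bytes) -> dict:
    """Parse a VRRPv2 advertisement (the bytes that follow the IP header)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, priority, count, auth_type, adver_int, _ = struct.unpack(
        "!BBBBBBH", payload[:8])
    version, msg_type = ver_type >> 4, ver_type & 0x0F
    if version != 2 or msg_type != 1:
        raise ValueError(f"unsupported VRRP version/type {version}/{msg_type}")
    length = 8 + 4 * count + 8          # header + IPv4 addresses + auth data
    if len(payload) < length:
        raise ValueError("truncated VRRP advertisement")
    if inet_checksum(payload[:length]) != 0:   # checksum over the whole message must fold to 0
        raise ValueError("bad VRRP checksum")
    addrs = [str(IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int,
            "auth_type": auth_type, "addresses": addrs}


def build_vrrp_v2(vrid: int, priority: int, vips, adver_int: int = 1) -> bytes:
    """Build a well-formed advertisement; used here only to construct sample input."""
    body = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, adver_int, 0)
    body += b"".join(IPv4Address(v).packed for v in vips) + bytes(8)
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def elect_master(advertisements) -> str:
    """advertisements: [(sender_physical_ip, parsed_adv), ...].
    Highest priority wins; equal priorities are broken by the higher physical IP."""
    return max(advertisements,
               key=lambda a: (a[1]["priority"], int(IPv4Address(a[0]))))[0]


if __name__ == "__main__":
    # Constructed sample: two routers in VRID 10 advertising the same virtual IP.
    seen = [("10.1.1.2", parse_vrrp_v2(build_vrrp_v2(10, DEFAULT_PRIORITY, ["10.1.1.1"]))),
            ("10.1.1.3", parse_vrrp_v2(build_vrrp_v2(10, 150, ["10.1.1.1"])))]
    print("virtual MAC:", virtual_mac(10), "master:", elect_master(seen))
```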

Wednesday, 1 August 2018

Linux Networking Utilities for Arista EOS- Part 2

Linux Networking Utilities for Arista EOS 

LINUX NETWORKING UTILITIES:


ip netns: (Linux Namespaces or VRF)

  • A network namespace is logically another copy of the network stack, with its own routes, firewall rules, and network devices.
  • By default a process inherits its network namespace from its parent. Initially all the processes share the same default network namespace from the init process.
  • NOTE: If a VRF was created in EOS, then, in order to access it via Linux, prepend ‘ns-’ to the VRF name.
  • NOTE: If a namespace was created in Linux, then it won’t show up in EOS.
  • So, always create a VRF in EOS and use it in Linux by prepending ‘ns-’ to the VRF name.
  • 1. ip netns list - show all of the named network namespaces
  • This command displays all of the network namespaces in /var/run/netns
  • Note that the VRF named ‘tmod’ when viewed in Linux has the name ‘ns-tmod’

[admin@ck338 ~]$ ip netns list
ns-newvrf
ns-tmod
ns-trident
ns-arad
default

  • 2. ip netns add NAME - create a new named network namespace
  • If NAME is available in /var/run/netns/ this command creates a new network namespace and assigns NAME.

[admin@ck338 ~]$ sudo ip netns add testvrf
[admin@ck338 ~]$ ip netns list
testvrf
ns-newvrf
ns-tmod
ns-trident
ns-arad
default

  • 3. ip [-all] netns delete [ NAME ] - delete the name of a network namespace(s)
  • If NAME is present in /var/run/netns it is unmounted and the mount point is removed.
  • If the -all option was specified then all the network namespace names will be removed.

[admin@ck338 ~]$ sudo ip netns delete testvrf

  • 4. Assigning Interfaces to network namespace (VRF)
  • Bring up the loopback interface in the vpn network namespace.
  • [IMP] 5. Accessing interface in another VRF or namespace via Linux:
  • ip [-all] netns exec [ NAME ] [cmd]
  • If we want to run a command in another VRF, use this command; for example, to run tcpdump via Linux on an interface in another VRF.
  • If the -all option was specified then cmd will be executed synchronously on each named network namespace, even if cmd fails on some of them.
  • ‘ip netns exec ns-tmod ip addr list’ will show only the related interfaces and addresses, and will not show any interfaces or addresses from the global namespace.

[admin@ck338 ~]$ sudo ip netns exec ns-tmod ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default
    link/ipip 0.0.0.0 brd 0.0.0.0
[admin@ck338 ~]$

  • Another useful way to use this is with tcpdump, piping the capture to Wireshark:
  • The command below captures packets on interface Vlan10 (which is in VRF dhcpvrf) only on ports 67 and 68 (since DHCP control messages use these ports):
  • ip netns exec ns-dhcpvrf tcpdump -i vlan10 port 67 or port 68
  • Now, in order to view the tcpdump output in Wireshark:

ssh root@mc327 "ip netns exec ns-dhcpvrf tcpdump -i vlan10 port 67 or port 68 " | wireshark -k -i -

Tcpdump:

The various flags that can be used with tcpdump are:

  • -i <interface>
  • # tcpdump -i eth0
  • -i any
  • Listen on all interfaces just to see if you’re seeing any traffic.
  • # tcpdump -i any
  • -c <count> -i <interface>
  • Used to capture a specified number of packets
  • # tcpdump -c 5 -i eth0
  • -D
  • Used to display all available interfaces for tcpdump
  • # tcpdump -D
  • -e [useful]
  • To get ethernet header as well
  • Should be used if filtering packets based on L2 headers or for L2-only packets
  • -w [useful]
  • Used to capture and save packets in a pcap file
  • # tcpdump -w 0001.pcap -i eth0
  • -r
  • Used to read captured packets file
  • # tcpdump -r 0001.pcap
  • -n
  • Usually when we do tcpdump, the IP address is replaced with the resolved DNS hostname
  • In order to get the IP address, use the -n flag. It skips the hostname lookup and prints the IP address itself
  • # tcpdump -n -i eth0
  • [useful] To filter packets based on type of packet:
  • To capture packets based on TCP port, run the following command with option tcp.
  • # tcpdump -i eth0 tcp
  • Similarly, replace tcp with icmp to check for ping packets only
  • Similarly, replace it with ether to check only L2 frames such as LLDP or LACP packets. You can filter further by adding a destination address so that only LLDP or LACP packets destined to this device show up:
  • tcpdump -nevvvi et1 ether dst host 01:80:c2:00:00:0e
  • The -n -e -vvv -i flags are used above to get the most detail
  • dst host is used to filter based on the destination MAC address
  • Other types that can be used are: fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp
  • [useful] To capture based on port, src ip, dst ip:
  • Similarly, for packets on particular port: # tcpdump -i eth0 port 22
  • Similarly, for packets from particular source IP: # tcpdump -i eth0 src 192.168.0.2
  • Similarly, for packets to a particular destination IP: # tcpdump -i eth0 dst 50.116.66.139
  • [useful] -v, -vv, -vvv:
  • To select amount of packet information in verbose mode

resolv.conf:

  • resolv.conf is the name of a computer file used in various operating systems to configure the system's Domain Name System (DNS) resolver.
  • The file is a plain-text file usually created by the network administrator or by applications that manage the configuration tasks of the system.
  • The file resolv.conf typically contains directives that specify the default search domains, used for completing a given query name to a fully qualified domain name when no domain suffix is supplied. It also contains a list of IP addresses of nameservers available for resolution. An example file is:

search example.com local.lan
nameserver 127.0.0.1
nameserver 172.16.1.254
nameserver 172.16.2.254
nameserver 192.168.137.2

  • resolv.conf is usually located in the /etc directory of the file system.
  • The file is either maintained manually, or when DHCP is used, it is usually updated with the utility resolvconf.

Monday, 30 July 2018

Linux Networking Utilities for Arista EOS- Part 1

Linux Networking Utilities for Arista EOS 

LINUX NETWORKING UTILITIES:


Ifconfig:

  • ifconfig, short for “interface configuration”, is a utility for system/network administration in Unix/Linux operating systems to configure, manage and query network interface parameters via the command line or in system configuration scripts.
  • The “ifconfig” command is used for displaying current network configuration information, setting up an IP address, netmask or broadcast address on a network interface, creating an alias for a network interface, setting the hardware address, and enabling or disabling network interfaces.
  • 1. View All Network Settings
  • The “ifconfig” command with no arguments displays the details of all active interfaces. The ifconfig command is also used to check the IP address assigned to a server.

[root@tecmint ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0B:CD:1C:18:5A
inet addr:172.16.25.126  Bcast:172.16.25.63  Mask:255.255.255.224
inet6 addr: fe80::20b:cdff:fe1c:185a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:2341604 errors:0 dropped:0 overruns:0 frame:0
TX packets:2217673 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:293460932 (279.8 MiB)  TX bytes:1042006549 (993.7 MiB)
Interrupt:185 Memory:f7fe0000-f7ff0000
lo        Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING  MTU:16436  Metric:1
RX packets:5019066 errors:0 dropped:0 overruns:0 frame:0
TX packets:5019066 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2174522634 (2.0 GiB)  TX bytes:2174522634 (2.0 GiB)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

  • 2. Display Information of All Network Interfaces
  • The following ifconfig command with the -a argument displays information about all network interfaces on the server, active or inactive. It displays the results for eth0, lo, sit0 and tun0.

[root@tecmint ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0B:CD:1C:18:5A
inet addr:172.16.25.126  Bcast:172.16.25.63  Mask:255.255.255.224
inet6 addr: fe80::20b:cdff:fe1c:185a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:2344927 errors:0 dropped:0 overruns:0 frame:0
TX packets:2220777 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:293839516 (280.2 MiB)  TX bytes:1043722206 (995.3 MiB)
Interrupt:185 Memory:f7fe0000-f7ff0000
lo        Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING  MTU:16436  Metric:1
RX packets:5022927 errors:0 dropped:0 overruns:0 frame:0
TX packets:5022927 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2175739488 (2.0 GiB)  TX bytes:2175739488 (2.0 GiB)
sit0      Link encap:IPv6-in-IPv4
NOARP  MTU:1480  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

  • 3. View Network Settings of Specific Interface
  • Using an interface name (eth0) as an argument to the “ifconfig” command displays the details of that specific network interface.

[root@tecmint ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0B:CD:1C:18:5A
inet addr:172.16.25.126  Bcast:172.16.25.63  Mask:255.255.255.224
inet6 addr: fe80::20b:cdff:fe1c:185a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:2345583 errors:0 dropped:0 overruns:0 frame:0
TX packets:2221421 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:293912265 (280.2 MiB)  TX bytes:1044100408 (995.7 MiB)
Interrupt:185 Memory:f7fe0000-f7ff0000

  • 4. How to Enable a Network Interface
  • The “up” or “ifup” flag with an interface name (eth0) activates the network interface if it is not already active, allowing it to send and receive traffic. For example, “ifconfig eth0 up” or “ifup eth0” will activate the eth0 interface.

[root@tecmint ~]# ifconfig eth0 up
OR
[root@tecmint ~]# ifup eth0

  • 5. How to Disable a Network Interface
  • The “down” or “ifdown” flag with an interface name (eth0) deactivates the specified network interface. For example, “ifconfig eth0 down” or “ifdown eth0” deactivates the eth0 interface if it is active.

[root@tecmint ~]# ifconfig eth0 down
OR
[root@tecmint ~]# ifdown eth0

  • 6. How to Assign an IP Address to a Network Interface
  • To assign an IP address to a specific interface, use the following command with the interface name (eth0) and the IP address you want to set. For example, “ifconfig eth0 172.16.25.125” sets the IP address of interface eth0.

[root@tecmint ~]# ifconfig eth0 172.16.25.125

  • 7. How to Assign a Netmask to a Network Interface
  • Using the “ifconfig” command with the “netmask” argument and an interface name (eth0) lets you define a netmask for the given interface. For example, “ifconfig eth0 netmask 255.255.255.224” sets the network mask of interface eth0.

[root@tecmint ~]# ifconfig eth0 netmask 255.255.255.224

  • 8. How to Assign a Broadcast Address to a Network Interface
  • Using the “broadcast” argument with an interface name sets the broadcast address for that interface. For example, “ifconfig eth0 broadcast 172.16.25.63” sets the broadcast address of interface eth0.

[root@tecmint ~]# ifconfig eth0 broadcast 172.16.25.63

  • 9. How to Assign an IP, Netmask and Broadcast to a Network Interface
  • To assign the IP address, netmask and broadcast address all at once, use the “ifconfig” command with all three arguments as given below.

[root@tecmint ~]# ifconfig eth0 172.16.25.125 netmask 255.255.255.224 broadcast 172.16.25.63

  • 10. How to Change the MTU of a Network Interface
  • The “mtu” argument sets the maximum transmission unit of an interface, i.e. the maximum number of octets the interface transmits in a single frame. For example, “ifconfig eth0 mtu 1000” sets the MTU to 1000. Not all network interfaces support MTU settings.

[root@tecmint ~]# ifconfig eth0 mtu 1000

  • 11. How to Enable Promiscuous Mode
  • In normal mode, when a network card receives a packet it verifies that the packet is addressed to itself and drops it otherwise. In promiscuous mode the card accepts all packets that flow through it.
  • Most of today’s network tools use promiscuous mode to capture and analyze the packets that flow through the network interface. To set promiscuous mode, use the following command.

[root@tecmint ~]# ifconfig eth0 promisc

  • 12. How to Disable Promiscuous Mode
  • To disable promiscuous mode, use the “-promisc” switch, which drops the network interface back to normal mode.

[root@tecmint ~]# ifconfig eth0 -promisc

  • 13. How to Add a New Alias to a Network Interface
  • The ifconfig utility allows you to configure additional network interfaces using the alias feature. To add an alias network interface for eth0, use the following command. Please note that the alias address must be in the same subnet. For example, if your eth0 IP address is 172.16.25.125, then the alias IP address must be in that subnet, e.g. 172.16.25.127.

[root@tecmint ~]# ifconfig eth0:0 172.16.25.127

  • Next, verify the newly created alias network interface address, by using “ifconfig eth0:0” command.

[root@tecmint ~]# ifconfig eth0:0
eth0:0    Link encap:Ethernet  HWaddr 00:01:6C:99:14:68
inet addr:172.16.25.123  Bcast:172.16.25.63  Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
Interrupt:17

  • 14. How to Remove an Alias from a Network Interface
  • If you no longer require an alias network interface, or you configured it incorrectly, you can remove it with the following command.

[root@tecmint ~]# ifconfig eth0:0 down

  • 15. How to Change the MAC Address of a Network Interface
  • To change the MAC (Media Access Control) address of the eth0 network interface, use the following command with the argument “hw ether”. For example, see below.

[root@tecmint ~]# ifconfig eth0 hw ether AA:BB:CC:DD:EE:FF

Thursday, 26 July 2018

Advanced Event Management on Arista EOS

Advanced Event Management

  • Proactive tools include the Event Manager and the Scheduler, which focus on automation. Both tools enable scripted actions to take place in response to a pre-defined trigger.
  • When leveraged alongside SYSDB and the wealth of Linux tools that can be run on the EOS platform, the user is offered the capability to trigger actions on virtually any aspect of system state, all without the requirement for real-time user input.

Event Manager:

  • Event Manager provides a platform to enable automation of actions in response to pre-defined event triggers.  
  • It allows the creation of an event, the definition of under which circumstances the event should trigger and what action should occur in such a situation.
  • See the below link for complete details and configuration guide: https://eos.arista.com/introduction-to-managing-eos-devices-automation-and-extensibility/
  • Once an event has been triggered the configured action will be executed. The action is initiated natively from the Linux bash shell, which means it is not limited by the EOS CLI syntax but can be any function or action achievable natively in bash. Typical examples of actions would be to call a file, call a script, execute a native bash command or even EOS CLI commands.
  • Call a bash script – action bash /mnt/flash/EmailOnLinkDown
  • Call a python script to run as a daemon – action bash daemonize /mnt/flash/IntfMonitor
  • Execute a single CLI command, which sends an IM to all network admins – action bash FastCli -p15 -c 'xmpp send NetworkAdmins command Interface Ethernet1 is down'
  • Execute a series of CLI commands, which bring down a particular interface – action bash FastCli -p15 -c $'conf\n interface ethernet2\n shut'

Email Client Configuration in EOS:

Scheduler:

  • While the Advanced Event Manager enables actions based on complex triggers, the Scheduler provides similar functionality for repetitive time-based triggers.
  • The major addition in the Scheduler is that it captures the standard output of an action to a gzipped file in flash, and lets the user configure how many of these files to keep at any one time.
  • To create a scheduled job, a user simply defines how often a task should run, how many log files it should store, and what the job should be.
  • Unlike Event Manager, this command is executed natively in EOS; however, by prepending the 'bash' argument we can execute bash commands and call scripts, for example 'command bash /mnt/flash/ConfigBackup'.
  • By default EOS has a scheduled task configured to collect a show tech every 60 minutes and store up to 100 instances of the show tech, ensuring that following an issue we have both the pre and post issue data that we need to assist with analysis.

switch#show run all | grep schedule
schedule tech-support interval 60 max-log-files 100 command show tech-support


Sunday, 15 July 2018

ACL / Access Control Lists

  • To see existing IP access lists: #show ip access-list
  • To create new ACL:
  • #ip access-list <name> //creates extended ACL
  • #ip access-list standard <name> //creates standard ACL

  • Standard ACL:
  • Here, we cannot specify the destination IP address
  • We can specify only the source IP address
  • #ip access-list standard test1
  • (test1)#permit 10.10.10.10 0.0.0.0  //ip and wildcard
  • (test1)#deny any any
  • //The sequence matters. If we had used deny first, then the deny rule itself matches, so it won’t go to the permit. Note: deny is an implicit rule, so there is no need to configure it on any ACL

  • To apply the ACL, we attach it to a specific interface
  • If we don’t even want the packet to enter the switch, use the ingress interface. This is recommended as we prefer to filter near the source
  • If we have another path via the switch and want the packet to take that, then apply this ACL on the interface that should not be used
  • #int et 2/1
  • #ip access-group test in //ACL is configured for the packet and doesn’t allow the IP address ‘in’
  • We can see it in the counters of ACL using #show ip access-list test2

  • Extended ACL:
  • #ip access-list test2
  • (test2)#permit ? //we can even specify higher layer protocols like TCP, UDP, OSPF, IP, ICMP, etc.
  • (test2)#permit tcp 10.10.10.3/32 host 10.10.10.4 eq ssh
  • //Source IP for which the TCP ACL is being configured
  • //host tells us that the ACL is for a single destination host
  • //Next we give the destination IP
  • //eq specifies the port number. We can either use the port number itself or the name of the protocol, e.g. ssh
  • Note: deny is an implicit rule. So, no need to configure that on any ACL
  • The above entry matches when the protocol is TCP, the source and destination IPs match and the destination port is ssh; ssh is permitted and the implicit deny blocks everything else
  • Now, try to ssh from the 1st switch to the 3rd switch
  • We applied the ACL on the 2nd switch’s egress port using:

#int et 14/1

#ip access-group test2 out

  • We can see that only ssh will work, ping and all won’t work.
  • We can see it in the counters of ACL using #show ip access-list test2

  • Resequence: We can go into an ACL and use resequence command to resequence the ACL options
  • We should optimize ACLs as TCAMs are expensive
  • For example, Requirements: All VLANs should be able to communicate with each other but not to gateway.
  • If we have 4 VLANs, then, if we give 4 ACLs; then, it is not optimal
  • 10.10.0.X                 //vlan 10 IP
  • 10.10.10.X                 //vlan 20 IP
  • 10.10.20.X                 //vlan 30 IP
  • 10.10.30.X                 //vlan 40 IP
  • So, we can use IP address and wildcard masks carefully.
  • #deny 10.10.10.254 10.10.(00011110)b.0 → #deny ip any 10.10.10.254 10.10.30.0
  • Also, we have implicit deny, so we need to give #permit ip any any
  • Thus, ACL summarization is important
  • Now, to deny all odd IP address only:
  • #deny <ip address> 10.10.10.0 0.0.0.254  //this wildcard applies only to all odd IP addresses
  • Now to match only 4,8,16,32,64,128 IP address:
  • Wildcard is X.X.X.(1111 1100)b
  • See this:
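As an added example (not from the notes above), this Python models the Standard ACL and Resequence points together: first-match evaluation with the implicit deny, and the wildcard summarization for the four VLANs, plus a helper that lists exactly which addresses a base/wildcard pair matches so the 0.0.30.0, 0.0.0.254 and (11111100)b examples can be checked. Function names are mine; the addresses are the ones used in the notes.

```python
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care; bit 0 = must equal the base address's bit."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & MASK32) == (b & ~w & MASK32)


def acl_lookup(entries, addr: str) -> str:
    """First-match evaluation over (action, base, wildcard) entries; implicit deny at the end."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def summarize(networks) -> tuple:
    """Single base/wildcard pair covering every given network: bits that differ become 1."""
    ints = [int(IPv4Address(n)) for n in networks]
    varying = 0
    for x in ints:
        varying |= ints[0] ^ x
    base = ints[0] & ~varying & MASK32
    return str(IPv4Address(base)), str(IPv4Address(varying))


def matching_values(base: str, wildcard: str, template: str) -> list:
    """All 0..255 values of the template's {} octet that the entry matches (over-match check)."""
    return [i for i in range(256) if wildcard_match(template.format(i), base, wildcard)]


if __name__ == "__main__":
    # Standard ACL from the notes: permit one host, then the (implicit) deny.
    test1 = [("permit", "10.10.10.10", "0.0.0.0")]
    print(acl_lookup(test1, "10.10.10.10"), acl_lookup(test1, "10.10.10.11"))
    # Same entries with a deny-any placed first: sequence matters, the permit is never reached.
    deny_first = [("deny", "0.0.0.0", "255.255.255.255")] + test1
    print(acl_lookup(deny_first, "10.10.10.10"))
    # The four VLAN subnets summarize to 10.10.0.0 with wildcard 0.0.30.0 ...
    base, wc = summarize(["10.10.0.0", "10.10.10.0", "10.10.20.0", "10.10.30.0"])
    print(base, wc)
    # ... but that wildcard also admits third octets that are not VLAN subnets.
    print(matching_values(base, wc, "10.10.{}.0"))
    # Last-octet wildcards: which hosts do 0.0.0.254 and 0.0.0.252 really select?
    print(matching_values("10.10.10.0", "0.0.0.254", "10.10.10.{}")[:8])
    print(matching_values("10.10.10.1", "0.0.0.254", "10.10.10.{}")[:8])
    print(matching_values("10.10.10.4", "0.0.0.252", "10.10.10.{}")[:8])
```

The base address decides which residue the wildcard selects: with 0.0.0.254 a base ending in .0 matches the even hosts and a base ending in .1 the odd ones, and 0.0.0.252 matches every multiple of 4, not only the powers of two.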