configuration sanity check
Hi Nanogers, Any recommendation about a software which check the live config of cisco/juniper devices against some templates ? The goal is to have a template about different function device, like: - CORE device must have this bloc and this clock - PE device must have at least that and that - CPE must have this and that - Distrib switch block 1 and block2 - etc... And the software run once every day to check which device do not comply with those rules and generate an alert. Thank, - Marcel
Re: configuration sanity check
"marcel.durega...@yahoo.fr" writes: > Hi Nanogers, > > Any recommendation about a software which check the live config of > cisco/juniper devices against some templates ? > > The goal is to have a template about different function device, like: > - CORE device must have this bloc and this clock > - PE device must have at least that and that > - CPE must have this and that > - Distrib switch block 1 and block2 > - etc... > > And the software run once every day to check which device do not > comply with those rules and generate an alert. > > Thank, > - Marcel You can also catch and minimize mistakes in real-time by: 1) Implementing and enforcing a proper change control system 2) Implementing tools like Rancid, which are designed to scrape router configs and E-Mail changes in the format of a unified diff to everyone in your engineering team. 3) Make liberal use of tools like RtConfig so routine changes aren't a painful (read: manual) time-consuming process.
Re: configuration sanity check
Salut Marcel, On Oct 29, 2015, at 04:16, "marcel.durega...@yahoo.fr" wrote: > Any recommendation about a software which check the live config of > cisco/juniper devices against some templates ? > > The goal is to have a template about different function device, like: > - CORE device must have this bloc and this clock > - PE device must have at least that and that > - CPE must have this and that > - Distrib switch block 1 and block2 > - etc... Not precisely what you wanted but some pointers for doing it yourself: https://www.nanog.org/meetings/nanog26/presentations/stephen.pdf The example code was still on ftp.isc.org last time I checked. Joe Aue Te Ariki! He toki ki roto taku mahuna!
RE: configuration sanity check
I use a system called Device Expert that does exactly what you say below. I am not affiliated with them just a satisfied customer. https://www.manageengine.com/network-configuration-manager/ Steven Naslund Chicago IL -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of marcel.durega...@yahoo.fr Sent: Thursday, October 29, 2015 3:17 AM To: nanog Subject: configuration sanity check Hi Nanogers, Any recommendation about a software which check the live config of cisco/juniper devices against some templates ? The goal is to have a template about different function device, like: - CORE device must have this bloc and this clock - PE device must have at least that and that - CPE must have this and that - Distrib switch block 1 and block2 - etc... And the software run once every day to check which device do not comply with those rules and generate an alert. Thank, - Marcel
Re: configuration sanity check
On Thu, Oct 29, 2015 at 09:16:48AM +0100, marcel.durega...@yahoo.fr wrote: > Hi Nanogers, > > Any recommendation about a software which check the live config of > cisco/juniper devices against some templates ? > > The goal is to have a template about different function device, like: > - CORE device must have this bloc and this clock > - PE device must have at least that and that > - CPE must have this and that > - Distrib switch block 1 and block2 > - etc... > > And the software run once every day to check which device do not > comply with those rules and generate an alert. For Juniper at least, you can use "commit scripts" to enforce these rules in real time each time a configuration commit is performed--if the candidiate configuration change doesn't follow the rules, the commit fails (or the configuration can be changed automatically to do something). For example "all interfaces must have a description on them", or "changes to MSTI configuration are not allowed".
DDoS mitigation for ISPs
Hello, Is there any DDoS mitigation service provider that can scrub traffic for an ISP network? I have an ASN and BGP and my own netblocks, and I have a 1gbps pipe. I was thinking the scenario would be during attack, we could bring up a tunnel and run bgp over it and advertise some portion of our ip space thru it. I realise getting it setup while attack is taking place would be a little hard and that we likely could expect at least some down time. What we have seen so far has been reflection attacks (dns and ssdp) and we have been able to do rate limiting on these and other protocols to sane values. This has worked well, although the primary risk is once the traffic flow exceeds the link capacity such limiting won't have any net effect. But if we could farm this out during times of trouble to a mitigation services provider, they could advertise our block(s) and rate limit and scrub for us and send us the result, it would be a far better than what we have now (which is effectively nothing). I asked cloudflare this and they stated they are focused on web traffic. My upstream can't help me, doesn't support RTBH and won't install filters anyways unless it's impacting THEIR network. Just wondering if anyone has any other ideas (short of ditching my provider, which I also can't do due at this time due to lack of competitive choice). Mike-
Re: configuration sanity check
Either of these might come in handy.. https://www.nanog.org/meetings/abstract?id=2673 https://www.nanog.org/meetings/abstract?id=2678 > On Oct 29, 2015, at 4:16 AM, marcel.durega...@yahoo.fr wrote: > > Hi Nanogers, > > Any recommendation about a software which check the live config of > cisco/juniper devices against some templates ? > > The goal is to have a template about different function device, like: > - CORE device must have this bloc and this clock > - PE device must have at least that and that > - CPE must have this and that > - Distrib switch block 1 and block2 > - etc... > > And the software run once every day to check which device do not comply with > those rules and generate an alert. > > Thank, > - Marcel
Re: configuration sanity check
On 10/29/2015 09:16 AM, marcel.durega...@yahoo.fr wrote: Hi Nanogers, Any recommendation about a software which check the live config of cisco/juniper devices against some templates ? The goal is to have a template about different function device, like: - CORE device must have this bloc and this clock - PE device must have at least that and that - CPE must have this and that - Distrib switch block 1 and block2 - etc... And the software run once every day to check which device do not comply with those rules and generate an alert. Thank, - Marcel http://www.gelogic.net/cisco-template-manager/
Re: configuration sanity check
I've used ansible for this and generated config based on roles. It's a little weird to get started but allows modularization of config. You can then go so far as have the same "functions" for different platforms and software versions. To be clear, this was just for config generation, not verifying it was on the device or pushing it to the device. --chip On Thu, Oct 29, 2015 at 4:16 AM, marcel.durega...@yahoo.fr < marcel.durega...@yahoo.fr> wrote: > Hi Nanogers, > > Any recommendation about a software which check the live config of > cisco/juniper devices against some templates ? > > The goal is to have a template about different function device, like: > - CORE device must have this bloc and this clock > - PE device must have at least that and that > - CPE must have this and that > - Distrib switch block 1 and block2 > - etc... > > And the software run once every day to check which device do not comply > with those rules and generate an alert. > > Thank, > - Marcel > -- Just my $.02, your mileage may vary, batteries not included, etc
Re: configuration sanity check
On Oct 29, 2015, at 01:16, marcel.durega...@yahoo.fr wrote: > > Hi Nanogers, > > Any recommendation about a software which check the live config of > cisco/juniper devices against some templates ? > > The goal is to have a template about different function device, like: > - CORE device must have this bloc and this clock > - PE device must have at least that and that > - CPE must have this and that > - Distrib switch block 1 and block2 > - etc... > > And the software run once every day to check which device do not comply with > those rules and generate an alert. > > Thank, > - Marcel We implemented an in-house solution using Cisco Template Manager (http://www.gelogic.net/cisco-template-manager/). Its basically a bunch of bash/perl scripts doing regex matching against the saved configs from RANCID. Works fine for both Cisco and Juniper. It requires some hand tooling, but we have it doing exactly what you want (checking against different device function templates). Justin Seabrook-Rocha -- Xenith || xen...@xenith.org || http://xenith.org/ Jabber: xen...@xenith.org
Re: DDoS mitigation for ISPs
On Thu, Oct 29, 2015 at 08:42:31AM -0700, Mike wrote: > Is there any DDoS mitigation service provider that can scrub traffic > for an ISP network? Yeah, plenty. A non-exhaustive list: Prolexic, Incapsula, Staminus or Nexusguard. There is no lack of choice. > I have an ASN and BGP and my own netblocks, and I have a 1gbps pipe. I > was thinking the scenario would be during attack, we could bring up a > tunnel and run bgp over it and advertise some portion of our ip space > thru it. I realise getting it setup while attack is taking place would > be a little hard and that we likely could expect at least some down > time. It is more common to set up the GRE tunnel before hand, and just send out the BGP announcement of the /24 when an IP within that /24 is under attack. Kind regards, Job
Re: DDoS mitigation for ISPs
On Thu 2015-Oct-29 08:42:31 -0700, Mike wrote: Hello, Is there any DDoS mitigation service provider that can scrub traffic for an ISP network? I have an ASN and BGP and my own netblocks, and I have a 1gbps pipe. I was thinking the scenario would be during attack, we could bring up a tunnel and run bgp over it and advertise some portion of our ip space thru it. I realise getting it setup while attack is taking place would be a little hard and that we likely could expect at least some down time. What we have seen so far has been reflection attacks (dns and ssdp) and we have been able to do rate limiting on these and other protocols to sane values. This has worked well, although the primary risk is once the traffic flow exceeds the link capacity such limiting won't have any net effect. But if we could farm this out during times of trouble to a mitigation services provider, they could advertise our block(s) and rate limit and scrub for us and send us the result, it would be a far better than what we have now (which is effectively nothing). I asked cloudflare this and they stated they are focused on web traffic. My upstream can't help me, doesn't support RTBH and won't install filters anyways unless it's impacting THEIR network. Just wondering if anyone has any other ideas (short of ditching my provider, which I also can't do due at this time due to lack of competitive choice). Mike- In no particular order: - Prolexic (Akamai) - Arbor Networks - Staminus - Black Lotus - Incapsula - Radware This is not an endorsement for any of the above. Alternatively: http://lmgtfy.com/?q=ddos+protection -- Hugo h...@slabnet.com: email, xmpp/jabber PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E (also on textsecure & redphone) signature.asc Description: Digital signature
Re: DDoS mitigation for ISPs
On 10/29/2015 08:54 AM, Hugo Slabbert wrote: On Thu 2015-Oct-29 08:42:31 -0700, Mike wrote: Hello, Is there any DDoS mitigation service provider that can scrub traffic for an ISP network? I have an ASN and BGP and my own netblocks, and I have a 1gbps pipe. I was thinking the scenario would be during attack, we could bring up a tunnel and run bgp over it and advertise some portion of our ip space thru it. I realise getting it setup while attack is taking place would be a little hard and that we likely could expect at least some down time. What we have seen so far has been reflection attacks (dns and ssdp) and we have been able to do rate limiting on these and other protocols to sane values. This has worked well, although the primary risk is once the traffic flow exceeds the link capacity such limiting won't have any net effect. But if we could farm this out during times of trouble to a mitigation services provider, they could advertise our block(s) and rate limit and scrub for us and send us the result, it would be a far better than what we have now (which is effectively nothing). I asked cloudflare this and they stated they are focused on web traffic. My upstream can't help me, doesn't support RTBH and won't install filters anyways unless it's impacting THEIR network. Just wondering if anyone has any other ideas (short of ditching my provider, which I also can't do due at this time due to lack of competitive choice). Mike- In no particular order: - Prolexic (Akamai) - Arbor Networks - Staminus - Black Lotus - Incapsula - Radware This is not an endorsement for any of the above. Alternatively: http://lmgtfy.com/?q=ddos+protection Actually I did the google thing first and followed up with several of the top results, and not once did I see anyone offering a bgp tunnel + scrub which is why I asked. I did get some good off list responses however, thanks all. Mike-
Re: configuration sanity check
Historically there was RAT (Router Audit Tool). You'll have to do some googling to see where it's hosted now and whether or not it's still being developed as I haven't looked at it in years. On 10/29/2015 04:16 AM, marcel.durega...@yahoo.fr wrote: Hi Nanogers, Any recommendation about a software which check the live config of cisco/juniper devices against some templates ? The goal is to have a template about different function device, like: - CORE device must have this bloc and this clock - PE device must have at least that and that - CPE must have this and that - Distrib switch block 1 and block2 - etc... And the software run once every day to check which device do not comply with those rules and generate an alert. Thank, - Marcel
Re: configuration sanity check
Be careful in your search for RATs -- in the security world it also stands for Remote Access Trojan. :-) - ferg On October 29, 2015 3:06:23 PM EDT, Jesse McGraw wrote: >Historically there was RAT (Router Audit Tool). You'll have to do some > >googling to see where it's hosted now and whether or not it's still >being developed as I haven't looked at it in years. > > >On 10/29/2015 04:16 AM, marcel.durega...@yahoo.fr wrote: >> Hi Nanogers, >> >> Any recommendation about a software which check the live config of >> cisco/juniper devices against some templates ? >> >> The goal is to have a template about different function device, like: >> - CORE device must have this bloc and this clock >> - PE device must have at least that and that >> - CPE must have this and that >> - Distrib switch block 1 and block2 >> - etc... >> >> And the software run once every day to check which device do not >> comply with those rules and generate an alert. >> >> Thank, >> - Marcel >> -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: DDoS mitigation for ISPs
Alternatively: http://lmgtfy.com/?q=ddos+protection Actually I did the google thing first and followed up with several of the top results, and not once did I see anyone offering a bgp tunnel + scrub which is why I asked. I did get some good off list responses however, thanks all. Mike- Apologies for the snarky link. A Google search on my end turned up several of the solutions I listed manually and which definitely do GRE + BGP. Apparently my past searches on the subject have coloured my current results more than I expected... -- Hugo h...@slabnet.com: email, xmpp/jabber PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E (also on textsecure & redphone) signature.asc Description: Digital signature
Re: DDoS mitigation for ISPs
Hello! Could recommend folks from EU - http://qrator.net/en/ Two years without any issues. Perfect SSL and http filtration. On Thu, Oct 29, 2015 at 10:53 PM, Hugo Slabbert wrote: >>> Alternatively: http://lmgtfy.com/?q=ddos+protection >>> >> Actually I did the google thing first and followed up with several of the >> top results, and not once did I see anyone offering a bgp tunnel + scrub >> which is why I asked. I did get some good off list responses however, thanks >> all. >> >> >> Mike- > > > Apologies for the snarky link. A Google search on my end turned up several > of the solutions I listed manually and which definitely do GRE + BGP. > Apparently my past searches on the subject have coloured my current results > more than I expected... > > > -- > Hugo > > h...@slabnet.com: email, xmpp/jabber > PGP fingerprint (B178313E): > CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E > > (also on textsecure & redphone) > -- Sincerely yours, Pavel Odintsov
[CenturyLink][Proto UDP] Blockage of UDP Outbound from Source Port 53
Could a CenturyLink network admin/engineer contact me off list. We have multiple locations receiving DNS queries over UDP where we see the connections making into our server and back out to our CenturyLink edge routers but never completes back to the connecting client at multiple locations. Connections Failing From Digital Ocean NY, Time Warner WI, Rackspace DFW TX (Hartford CT)# dig +short +novc @208.46.135.X domain.com A (Cleveland OH)# dig +short +novc @65.112.236.X domain.com A Connections from Chicago Rackspace to the above locations work as expected. CenturyLink Orlando FL to Hartford CT or Cleveland OH, CenturyLink circuits work as expected. Contact off list for domain and ip information used above. Thanks -- Jason Hellenthal JJH48-ARIN
RE: configuration sanity check
What is the opinion about CatTools? > -Original Message- > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of > marcel.durega...@yahoo.fr > Sent: Thursday, October 29, 2015 3:17 AM > To: nanog > Subject: configuration sanity check > > Hi Nanogers, > > Any recommendation about a software which check the live config of > cisco/juniper devices against some templates ? > > The goal is to have a template about different function device, like: > - CORE device must have this bloc and this clock > - PE device must have at least that and that > - CPE must have this and that > - Distrib switch block 1 and block2 > - etc... > > And the software run once every day to check which device do not comply with > those rules and generate an alert. > > Thank, > - Marcel
Re: NANOG list attack
On 10/26/2015 03:17 PM, Larry Blunk wrote: As Job Snijders (a fellow Communications Committee member) noted in an earlier post, we will be implementing some additional protection mechanisms to prevent this style of incident from happening again. We will be more aggressively moderating posts from addresses who have not posted recently, in addition to other filtering mechanisms. For what it's worth, while I did see all of these that made it through the list itself, the larger portion that I saw did not come through the list but were sent directly to me, and the Received header trail shows that those did not come through the nanog mailman. So I applaud what you do with the list itself, but it wouldn't have made (and won't make, in the future) much difference, since e-mails were sent out bypassing the list server. And thanks for this note.
