Automation of switch configuration

Configuring access switches in an enterprise may involve deploying a bunch of identical settings to a load of devices, this kind of work is time consuming and not to say BORING AS HELL!
In case you are working with Cisco or Juniper as the vendor of the devices there is a way of deploying the configuration automatically by using a DHCP+TFTP server.
The process is very simple, at their default configuration a switch will try to receive an IP via DHCP at this moment we can use DHCP in order to point it to the tftp server with a predefined configuration file, after getting this file the device will load it automatically

I'll start with Cisco being the simplest, in case you have a Cisco router and a Cisco switch you can use the router as both the DHCP and the TFTP server, to do so:

P2P interface facing the switch, all we need here is an IP
Interface GigabitEthernet x/y
Ip address x.x.x.1
DCHP scope
ip dhcp pool <SCOPE NAME>
   network x.x.x.0
   bootfile network-confg
   option 150 ip x.x.x.1 
Enable TFTP server function of the router (don’t forget to put the file in the local flash of the Router)
tftp-server flash: network-confg
In case there is no Router, the Router doesn't support the TFTP-Server function or you just have a dedicated servers you want to use
All you need is to use all you need is to is to configure the pool with option 150 pointing to the TFTP server and put a config file on the TFTP root folder.
Note that Cisco will first load a file with one of the following names:  network-confg\  router-confg\ ciscortr.cfg \ cisconet.cfg
I suggest including "no service config" in the base configuration file, otherwise as the configuration is loaded the device will try to load a new file with its' new host-name every time it renews the DHCP lease.

 Now let's move to another vendor – Juniper, in this case it's a bit more complicated as we need a couple more DHCP options.
In Juniper's case the process is very similar, with the difference that the switch includes a software upgrade as part of the process so we need more free space on the tftp server, for this example I used Red Hat Linux for both the DHCP and the TFTP, here is the configuration the DHCP side, first of all DHCPD has to be ISC 4 and above.

Edit /etc/dhcp/dhcpd.conf

Under "# Define Custom Options"

Configure new option group, in my case named Juniper
option space JUNIPER; #option;
configure all the suboptions to be "text" type
option JUNIPER.config-file-name code 1 = text; 
option JUNIPER.image-file-type code 2 = text; 
option JUNIPER.transfer-mode code 3 = text; 
option JUNIPER.image-file-name code 00= text; 
option JUNIPER.alt-image-file-name code 4= text;
add options 43 and 150 to the group
option JUNIPER -encapsulation code 43 = encapsulate JUNIPER; 
option option-150 code 150 = ip-address;
*Note the type of option 150 is IP.

After we configured the group we can use it in the scope itself, in the same file add the scope configuration 
subnet x.x.x.0 netmask  
option routers                  <Default Gateway IP>; 
option host-name                "default";
host-name option will change the hostname of the switch, note that the switch will only load the configuration file with the name of its hostname.
option subnet-mask    ;
option domain-search    "";
option domain-name-servers      <DNS SERVER IP>; 
option ntp-servers              <NTP SERVER IP>; 
option option-150               <TFTP SERVER IP>; 
option tftp-server-name         "<TFTP SERVER IP/HOSTNAME>";
option JUNIPER.config-file-name "/<CONFIG FILE, MUST BE HOST-NAME.config>";
Image type is the Vendor requirement.
option JUNIPER.image-file-type "symlink";
The transfer more can be http/ftp/tftp/sftp but must be defined.
option JUNIPER.transfer-mode "tftp"; 
Define the range of IP's for the DHCP server.
range x.x.x.100  x.x.x.150; 

In FTP transfer mode request will be made via anonymous user.

Big thanks to Omer Shtivi for the resources and help with implementation.

Hope this post was helpful, If it was please consider a donation
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N

"Recovering" F5 from Appliance mode

When a device is activated with license that include App Mode the root user and all access to the BASH is being blocked.

In case the activation of the app mode was not wanted we need to install a different license without this feature and modify the DB to disable this mode, to do so just run the following command after installing the new key : 
(tmos)# modify /sys db systemauth.disablerootlogin value false
in case a key is yet to be changed you'll get an error :
01070356:3: Root Account feature not licensed.
To better secure the device it is recomended to keep it in this mode.
Enable this mode by running:
(tmos)# modify /sys db systemauth.disablerootlogin value true
Hope this post was helpful, If it was please consider a donation
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

Cisco Line Menu

Hi all,

Here is a nice feature you can use on a Cisco device to make the usage easier in case of a console server or just for limiting access for an experienced user - We can create a menu with pre-configured commands \ actions.

Here is an example for I used for a terminal access server
  • Configure aliases for the host which we'll connect to 
ip host <Device-Name> <Connection-Port> <Device-IP>
ip host R2 23
ip host R3 23
  • Create a banner for the menu 
menu Menu-1 title ^
    You have reached NetworkLabs-R1
Please use the menu bellow
  • And now we create the menu 
menu Menu-1 prompt ^C Your selection : ^C
menu Menu-1 text 1 Connect to R2 - 23
menu Menu-1 text s show active sessions
menu Menu-1 text e exit the menu
menu Menu-1 text q close the connection
menu Menu-1 command 1 resume R2 /connect telnet R2
menu Menu-1 command s show sessions
menu Menu-1 command e menu-exit
menu Menu-1 command q exit
First we configured the prompt for the command selection, then the text for "1,s,e,q' then the commands that will be issued according to the selection.
  • Suggest to add the following for the menu to clear the screen and allow only and loop back to the prompt after each selection
menu Menu-1 clear-screen
menu Menu-1 line-mode
At this point the menu can be activated by running "menu Menu-1" from the command line.
you may want to add the menu to be activated automatically on VTY login by adding 
line vty 0 4
 autocommand  menu Menu-1
Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

F5 BigIP Cluster

Here is a sort of "Best practices guide" for a Cluster configuration on F5's Big-IP devices, I will refer to the configuration of two devices but same applyed to a larger cluster.

First of all we need to make sure

  • Our license is valid
GUI - System ›› License
CLI - show /sys license 
  • Date and time are synced 
GUI - System ›› Configuration ›› Device ›› NTP
CLI - tmsh list /sys ntp servers or ntpq -npdate or date -s "Day Month Year HH:mm:ss"
  • both devices have a VLAN for the sync, hopefully it's a point to point link connected between both devices

Layer 2 - Network ›› VLAN ›› Create

CLI > tmsh create net vlan Sync interfaces add { 1.1 }
Layer 3 - Netwok ›› Self IPs ›› Create

CLI > tmsh create net self Sync vlan Sync allow-service default address
An important note here is the "Port Lockdown" - make not to use "allow none" as it will not allow sync traffic between the devices. other than that - only the IP\Subnet configuration.

Append the P2P to the cluster mechanism - Device Management ›› Devices ››<DEVICE_NAME> ››Device Connectivity 
ConfigSyn (The interface will be used for synchronizing the configuration between the devices) 

**It is highly recommended to use a "real" network Vlan for the failover interface this way a problem with the Vlan which is actually used for traffic will cause a faileover.

Mirroring ( the interface used to synchronize connection tables between the devices ) :

CLI > tmsh modify cm device <Device_Name> configsync-ip mirror-ip unicast-address { { effective-ip effective-port cap ip } }

I like to resetting the device trust prior configuring the cluster so that any leftovers of privious config will be cleared and the local certificate will be regenerated.
To do so - Device Management ›› Device Trust  ›› Reset Device Trust

At this point we are done with the preparations.

From one of the devices go to -  Device Management ›› Device Trust : Peer List ›› Create
I Like using the P2P IP's but it's an identifier only so Management IP are good as well.

After clicking "Retrieve Device Information" we should get the 2nd device's certificate, IP  and couple more details. 
To make sure connectivity is correct, go to Device Management ›› Devices 
In case of a problem one of the devices will be red ( disconnected )  in which case check steps above the steps above

Next group the devices - Device Management ›› Device Groups
    CLI - tmsh create cm device-group sync-fail devices add { <Device_Names> } network-failover enabled
    The Type should be Sync-Failover and both devices are selected.

    Now one of the devices will become standby ( If not - check steps above)

    Now all we have to do is initiate a sync between the devices - Device Management ›› Overview  ›› Sync
    CLI - run cm config-sync to-group sync-fail
    Select the device containing the newest configuration, select "Sync Device to Group" and click "Sync"

    I like to create a more proactive configuration by adding a pool which consists of a couple of servers as the representation of the LAN and the ISP \ FW as the representation of the WAN, so as long as this pool is active we have both LAN and WAN connectivity from the device and if the pool fails F5 lost WAN\LAN access so we need to failover.
    Then add the pool as a trigger for a failover - System ›› High Availability 
    CLI - create sys ha-group HA active-bonus 0 enabled pools add { <Pool_Name> { weight 80 } }
    *The highest Weight will become active

    Hope this post was helpful, If it was please consider a donation:
    BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
    LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

    F5 - SSL offloading and intermediate Certificates

    The concept of the ssl offloading is very simple, we perform the encryption before reaching the end server,
    in other words let's say we have a Data Center with 50 Web servers, we want to make the data more secure by implementing SSL encryption on our HTTP data, at this point we can configure each server to work with https OR we can add a device that adds the SSL on an outgoing packet and removes it from the once coming back, that way our traffic is secured and we save on server resources.

    before getting to the configuration part i want to spend a moment on the CA-Bundle or also known as intermediate Certificates .. There are some CA's out there that in order to use them we have to append an Intermediate certificate to the  Certificate we have, the intermediate is sort of a reference of our CA pointing it to the root that will verify it, in other words it's the certificate of the CA that authorized our certificate.
    for example some browsers will not have the root of Go-daddy even though they're CA is well known and authorized so in case a website using one of there certificates (but no intermediate is installed)  will be accessed by and old browser it will show the certificate is not verified and we'll have an error message accessing.

    Using the intermediate in the F5 is very simple, all we need to do is import it to the device and append it in the client profile as "Chain Certificate"

    Importing the Certificate to the device:
    System > File Management > SSL Certificate List > Import

    We'll group the intermediate to the certificate and the key using a Profile
    Local Traffic > Profiles > SSL > Client

    Name the Profile mark Certificate, Key and Chain
    Certificate is the certificate we just loaded
    key is the private key associated to the certificate, in case we uploaded the certificate that includes the key (for example a 'p12') choose the certificate
    and the Chain is the intermediate certificate of our CA

    Now all we have to do is apply the Profile on the wanted traffic by adding it to the appropriate virtual server
    Local Traffic > Virtual Server

    Basic config, Name IP and port

    Just need to make sure we choose an HTTP profile and the SSL profile we have configured earlier.

    Don't forget to point the Virtual server to the pool you need,
    other than that we're all done.

    Hope this post was helpful, If it was please consider a donation:
    BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
    LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

    Cisco MacSec over Juniper\Cisco MPLS

    I would like to share a case I had involving MacSec over a layer 3 link.

    The equipment was: 2 Cisco Switches (3750X), Cisco 2821 Router, Juniper J4350 Router.

    Objective: establish MacSec between the Switches.

    First of all MacSec will not work on layer 3, to make it work we need to emulate layer 1 between the switches, I did this VIA MPLS (Ethernet over MPLS).

    OSPF configuration :
    Router-1 (Juniper)
    # Set interfaces ge-0/0/1 unit 0 family inet address
    # Set interfaces lo0 unit 0 family inet address
    # Set protocols ospf area interface ge-0/0/1
    # Set protocols ospf area interface lo0
    Router-2 (Cisco)
    interface FastEthernet0/0
      ip address
    interface Loopback1
      ip address
    router ospf 10
      network area 0
      network area 0
    At this point we should see the OSPF neighboring is up and the loopbacks are known to both routers

    MPLS configuration :

    # set interfaces ge-0/0/1 unit 0 family mpls
    # set interfaces ge-0/0/2 encapsulation ethernet-ccc;
    # set interfaces ge-0/0/2 unit 0 family ccc;
    # set protocols mpls interface all
    # set protocols ldp interface ge-0/0/1
    # set protocols ldp interface lo0
    # set protocols l2circuit neighbor interface ge-0/0/2.0 virtual-circuit-id 10
    mpls ldp router-id Loopback1 force
    interface FastEthernet0/0
      mpls ip
    interface FastEthernet0/1
      xconnect 10 encapsulation mpls
    Now we should see the MPLS is also up, both the LDP and the virtual circuit
    In case the VC is not up try to change the circuit number..

    Finally the MacSec itself..

    From Both Switches
    interface GigabitEthernet2/0/1
      switchport trunk encapsulation dot1q
      switchport mode trunk
        cts manual
             no propagate sgt
             sap pmk [MacSec Key] mode-list gcm-encrypt null no-encap
    Let's test..!
    Switch-1#show macsec summary
    Interface                Transmit SC              Receive SC
    GigabitEthernet2/0/1      1                              1

    For more info:
    Switch-2#show macsec interface gigabitEthernet 1/0/1
    MACsec is enabled
    Replay protect : enabled
    Replay window : 0
    Include SCI : yes
    Cipher : GCM-AES-128
    Confidentiality Offset : 0
    Max. Rx SA : 16
    Max. Tx SA : 16
    Validate Frames : strict
    PN threshold notification support : Yes
    Ciphers supported : GCM-AES-128
    Transmit Secure Channels
    SCI : 503DE58713810000
    Elapsed time : 03:58:49
    Current AN: 1 Previous AN: -
    SC Statistics
    Auth-only (0 / 0)
    Encrypt (30755 / 0)
    Receive Secure Channels
    SCI : C89C1D66EF010000
    Elapsed time : 03:58:49
    Current AN: 1 Previous AN: -
    SC Statistics
    Notvalid pkts 0 Invalid pkts 0
    Valid pkts 3044 Late pkts 0
    Uncheck pkts 0 Delay pkts 0
    Port Statistics
    Ingress untag pkts 0 Ingress notag pkts 1852
    Ingress badtag pkts 0 Ingress unknownSCI pkts 0
    Ingress noSCI pkts 0 Unused pkts 0
    Notusing pkts 0 Decrypt bytes 6953955
    Ingress miss pkts 1852

    Hope this post was helpful, If it was please consider a donation:
    BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
    LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

    Cisco Catalyst 3560 - IPv6

    A quick tip on IPv6 support in a Cisco 3560 Switch, unlike other devices (such as the 3750) the default configuration of the 3560 switch has all IPv6 functionality disabled, 
    In order to enable the IPv6 on this Catalyst all we need to do is apply the correct template on the device
    this can be achieved by running the following command from Global config mode
    sdm preferdual-ipv4-and-ipv6 {default |routing | vlan}
    After we apply the template the device needs to be rebooted, take into consideration the boot will  take about 8-10 minutes...

    to read more about this - Visit Cisco's article on the matter:

    Hope this post was helpful, If it was please consider a donation:
    BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
    LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR