The Network Stack

October 10, 2017 0 Comments ansible, cisco

Note: There is a newer guide for VLAN provisioning with Ansible 2.5

Ansible is such a powerfull tool that it can be easy to get lost in all the possibilities. Running your "network infrastructure as code" with full configs auto-generated and checked into git is the dream, but we can start simple with automating time-consuming tasks. This post will focus on getting ansible up and running with a playbook to configure new vlans across your switches.

If

September 29, 2017 0 Comments cisco

This is my first post in a series I'm calling Cisco Config Basics. These posts will serve as a reference for anyone new to Cisco, or those of you just looking to compare your current configs. After the full config, I will explain each config item line-by-line.

In a campus network, the User Port has a lot riding on it - vlan config, security controls, DHCP protection, PoE settings...not to mention new IPv6 policy that is needed even if

September 19, 2017 0 Comments nfd16

Formal verification. Two words unfamiliar to me before Networking Field Day. To provide a brief summary, formal verification uses mathematical proofs to verify a system is working as designed – the same process used to create hacker-proof code. Veriflow has taken this method and applied it to networking to verify the intended design or operation of the network.

But what does this actually mean to us as network operators? Instead of monitoring isolated metrics like an interfaces’ utilization, we can monitor

August 30, 2017 0 Comments duo, mfa, ubuntu, active-directory

Duo has thorough documentation for adding MFA to your SSH sessions, but there are a couple additional steps needed to also integrate with Active Directory. This post will go through the installation for both Duo and Active Directory for Ubuntu 16.04. For other Linux distros, the Duo documentation linked above has you covered.

System components:

  • Ubuntu 16.04 server
  • Duo MFA account
  • Duo Unix package
  • Centify Express for Active Directory integration

Duo Installation:

Install OpenSSL development headers and libraries:

August 22, 2017 0 Comments

A couple years ago, Ivan Pepelnjak wrote an interesting blog showing how all you need are two top-of-rack switches. Iwan Rahabok followed up on the systems side, with the perspective that 1000 VM per rack is the new minimum.

Now in mid 2017, I'd like to show you how we can fit 2M network routes, 1PB of storage, and over 1000 VM's in a half rack. Don't worry, I included redundancy as well.

Disclaimer: My examples use specific vendor equipment

August 04, 2017 0 Comments powershell, active-directory, windows

Using this page to keep track of all the useful powershell "mini-scripts" I've used:

Copy users from one security group to another security group

Add-ADGroupMember -Identity destination-group-name -Members (Get-ADGroupMember -Identity source-group-name -Recursive)

Add enabled users from an OU to a security group

Get-ADUser -SearchBase 'OU=Your-OU,DC=corp,DC=company,DC=com' -Filter {Enabled -eq $true} | ForEach-Object {Add-ADGroupMember -Identity 'your-group-name' -Members $_ }

Add users from a CSV file to a security group (username column is called "name"

July 23, 2017 0 Comments ansible

For network automation, I believe the best tool out there right now is Ansible. Ansible is open-source, agentless, has a large community, and is easy to get started quickly. For the major networking vendors, there are already pre-built modules making it simple to interface with their equipment. This post will focus on getting Ansible up and running on a Ubuntu 16.04 server (in three steps), and following posts will show how to use Ansible to automate network configuration.

  1. Assuming

June 27, 2017 0 Comments palo alto networks

Palo Alto firewalls have a neat feature called "DBL" - Dynamic Block List. This feature allows the firewall to grab a list of ip addresses or domains from an http page. You have to format the web page cleanly (https://live.paloaltonetworks.com/t5/Learning-Articles/Working-with-External-Block-List-EBL-Formats-and-Limitations/ta-p/58795), but it allows you to update the web page dynamically, and the firewall will update it's policy accordingly.

For my use case, we had some new dynamic dev services being tested in

May 26, 2017 0 Comments adfs, duo, mfa

We wanted to implement MFA (multi-factor authentication) for our ADFS servers when authenticating to Office 365. If you just want basic “MFA for all users” then the AD FS GUI will allow you to select your MFA provider and enable. I needed a more granular policy:

Only enable MFA if the user is a member of a specific security group AND the user is coming from outside the corporate network AND it is a browser based authentication request

The third