Re: configuration sanity check

2015-10-29 Thread Chuck Anderson
On Thu, Oct 29, 2015 at 09:16:48AM +0100, marcel.durega...@yahoo.fr wrote:
> Hi Nanogers,
> 
> Any recommendation for software which checks the live config of
> cisco/juniper devices against some templates?
> 
> The goal is to have a template for each device function, like:
> - CORE device must have this block and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block 2
> - etc...
> 
> And the software runs once every day to check which devices do not
> comply with those rules and generates an alert.

For Juniper at least, you can use "commit scripts" to enforce these
rules in real time each time a configuration commit is performed--if
the candidate configuration change doesn't follow the rules, the
commit fails (or the configuration can be changed automatically to do
something).  For example "all interfaces must have a description on
them", or "changes to MSTI configuration are not allowed".


RE: configuration sanity check

2015-10-29 Thread Naslund, Steve
I use a system called Device Expert that does exactly what you say below.  I am 
not affiliated with them, just a satisfied customer.

https://www.manageengine.com/network-configuration-manager/

Steven Naslund
Chicago IL

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of 
marcel.durega...@yahoo.fr
Sent: Thursday, October 29, 2015 3:17 AM
To: nanog
Subject: configuration sanity check

Hi Nanogers,

Any recommendation for software which checks the live config of 
cisco/juniper devices against some templates?

The goal is to have a template for each device function, like:
- CORE device must have this block and this clock
- PE device must have at least that and that
- CPE must have this and that
- Distrib switch block 1 and block 2
- etc...

And the software runs once every day to check which devices do not comply with 
those rules and generates an alert.

Thanks,
- Marcel


Re: configuration sanity check

2015-10-29 Thread chip
I've used ansible for this and generated config based on roles.  It's a
little weird to get started but allows modularization of config.  You can
then go so far as to have the same "functions" for different platforms and
software versions.  To be clear, this was just for config generation, not
verifying it was on the device or pushing it to the device.

--chip

On Thu, Oct 29, 2015 at 4:16 AM, marcel.durega...@yahoo.fr <
marcel.durega...@yahoo.fr> wrote:

> Hi Nanogers,
>
> Any recommendation for software which checks the live config of
> cisco/juniper devices against some templates?
>
> The goal is to have a template for each device function, like:
> - CORE device must have this block and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block 2
> - etc...
>
> And the software runs once every day to check which devices do not comply
> with those rules and generates an alert.
>
> Thanks,
> - Marcel
>



-- 
Just my $.02, your mileage may vary,  batteries not included, etc


Re: configuration sanity check

2015-10-29 Thread Justin Seabrook-Rocha
On Oct 29, 2015, at 01:16, marcel.durega...@yahoo.fr wrote:
> 
> Hi Nanogers,
> 
> Any recommendation for software which checks the live config of 
> cisco/juniper devices against some templates?
> 
> The goal is to have a template for each device function, like:
> - CORE device must have this block and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block 2
> - etc...
> 
> And the software runs once every day to check which devices do not comply with 
> those rules and generates an alert.
> 
> Thanks,
> - Marcel

We implemented an in-house solution using Cisco Template Manager 
(http://www.gelogic.net/cisco-template-manager/). It's basically a bunch of 
bash/perl scripts doing regex matching against the saved configs from RANCID. 
Works fine for both Cisco and Juniper.

It requires some hand tooling, but we have it doing exactly what you want 
(checking against different device function templates).

Justin Seabrook-Rocha
-- 
Xenith || xen...@xenith.org || http://xenith.org/
Jabber: xen...@xenith.org
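Chuck's rule ("all interfaces must have a description") and Justin's approach (regex matching over saved RANCID configs against per-role templates) fit together in one small checker. The Python below is an added example, not code from the thread or from Cisco Template Manager; the sample config, the role names and the rule regexes are constructed for illustration.

```python
import re
# Constructed sample: a saved IOS-style config (as RANCID would store it)
# for a device that is supposed to be in the PE role.
SAMPLE_CONFIG = """\
ntp server 192.0.2.10
!
interface GigabitEthernet0/0
 description uplink to core1
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
router bgp 64500
 neighbor 192.0.2.2 remote-as 64500
!
line vty 0 4
 transport input telnet ssh
!
"""

# Role templates, constructed for illustration. Rule kinds:
#   require_block: some top-level line must match the header regex
#   require_child: every block matching the header must contain the child
#   forbid_child:  no block matching the header may contain the child
COMMON_RULES = [
    ("require_block", r"^ntp server ", None),
    ("require_child", r"^interface ", r"^description "),
    ("forbid_child", r"^line vty", r"^transport input .*\btelnet\b"),
]
ROLE_RULES = {
    "PE": COMMON_RULES + [("require_block", r"^router bgp \d+$", None)],
    "CORE": COMMON_RULES + [("require_block", r"^router isis", None),
                            ("require_block", r"^mpls ldp", None)],
}

def parse_blocks(config_text):
    """Split an IOS-style config into (header, [child lines]) pairs;
    blank lines and '!' separators are dropped."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:      # indented = child of last block
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def check_config(config_text, role):
    """Return human-readable violations of the role's template (empty = compliant)."""
    blocks = parse_blocks(config_text)
    violations = []
    for kind, hdr, child in ROLE_RULES[role]:
        matching = [(h, c) for h, c in blocks if re.search(hdr, h)]
        if kind == "require_block" and not matching:
            violations.append(f"{role}: missing required block /{hdr}/")
        elif kind == "require_child":
            for h, children in matching:
                if not any(re.search(child, line) for line in children):
                    violations.append(f"{h}: missing /{child}/")
        elif kind == "forbid_child":
            for h, children in matching:
                violations += [f"{h}: forbidden '{l}'" for l in children
                               if re.search(child, l)]
    return violations
```

Run `check_config()` over each file in the RANCID config directory from a daily cron job; a non-empty return value is the alert.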


Re: DDoS mitigation for ISPs

2015-10-29 Thread Hugo Slabbert


On Thu 2015-Oct-29 08:42:31 -0700, Mike wrote:

> Hello,
>
> Is there any DDoS mitigation service provider that can scrub 
> traffic for an ISP network? I have an ASN and BGP and my own 
> netblocks, and I have a 1gbps pipe. I was thinking the scenario would 
> be, during an attack, we could bring up a tunnel and run BGP over it and 
> advertise some portion of our IP space through it. I realise getting it 
> set up while an attack is taking place would be a little hard and that we 
> likely could expect at least some down time. What we have seen so far 
> has been reflection attacks (DNS and SSDP) and we have been able to 
> do rate limiting on these and other protocols to sane values. This 
> has worked well, although the primary risk is that once the traffic flow 
> exceeds the link capacity such limiting won't have any net effect. 
> But if we could farm this out during times of trouble to a mitigation 
> services provider, they could advertise our block(s) and rate limit 
> and scrub for us and send us the result; it would be far better 
> than what we have now (which is effectively nothing). I asked 
> Cloudflare this and they stated they are focused on web traffic. My 
> upstream can't help me, doesn't support RTBH and won't install 
> filters anyway unless it's impacting THEIR network. Just wondering 
> if anyone has any other ideas (short of ditching my provider, which I 
> also can't do at this time due to lack of competitive choice).
>
> Mike-



In no particular order:

- Prolexic (Akamai)
- Arbor Networks
- Staminus
- Black Lotus
- Incapsula
- Radware

This is not an endorsement for any of the above. 


Alternatively: http://lmgtfy.com/?q=ddos+protection

--
Hugo

h...@slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E

(also on textsecure & redphone)





Re: configuration sanity check

2015-10-29 Thread Jason Lixfeld
Either of these might come in handy..

https://www.nanog.org/meetings/abstract?id=2673
https://www.nanog.org/meetings/abstract?id=2678

> On Oct 29, 2015, at 4:16 AM, marcel.durega...@yahoo.fr wrote:
> 
> Hi Nanogers,
> 
> Any recommendation for software which checks the live config of 
> cisco/juniper devices against some templates?
> 
> The goal is to have a template for each device function, like:
> - CORE device must have this block and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block 2
> - etc...
> 
> And the software runs once every day to check which devices do not comply with 
> those rules and generates an alert.
> 
> Thanks,
> - Marcel



Re: DDoS mitigation for ISPs

2015-10-29 Thread Job Snijders
On Thu, Oct 29, 2015 at 08:42:31AM -0700, Mike wrote:
>  Is there any DDoS mitigation service provider that can scrub traffic
>  for an ISP network?

Yeah, plenty. A non-exhaustive list: Prolexic, Incapsula, Staminus or
Nexusguard. There is no lack of choice.

> I have an ASN and BGP and my own netblocks, and I have a 1gbps pipe. I
> was thinking the scenario would be during attack, we could bring up a
> tunnel and run bgp over it and advertise some portion of our ip space
> thru it. I realise getting it setup while attack is taking place would
> be a little hard and that we likely could expect at least some down
> time.

It is more common to set up the GRE tunnel beforehand, and just send
out the BGP announcement of the /24 when an IP within that /24 is under
attack.

Kind regards,

Job


Re: configuration sanity check

2015-10-29 Thread Michal Loncek

On 10/29/2015 09:16 AM, marcel.durega...@yahoo.fr wrote:

> Hi Nanogers,
>
> Any recommendation for software which checks the live config of 
> cisco/juniper devices against some templates?
>
> The goal is to have a template for each device function, like:
> - CORE device must have this block and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block 2
> - etc...
>
> And the software runs once every day to check which devices do not comply with 
> those rules and generates an alert.
>
> Thanks,
> - Marcel




http://www.gelogic.net/cisco-template-manager/




DDoS mitigation for ISPs

2015-10-29 Thread Mike

Hello,

Is there any DDoS mitigation service provider that can scrub 
traffic for an ISP network? I have an ASN and BGP and my own netblocks, 
and I have a 1gbps pipe. I was thinking the scenario would be, during an 
attack, we could bring up a tunnel and run BGP over it and advertise 
some portion of our IP space through it. I realise getting it set up while 
an attack is taking place would be a little hard and that we likely could 
expect at least some down time. What we have seen so far has been 
reflection attacks (DNS and SSDP) and we have been able to do rate 
limiting on these and other protocols to sane values. This has worked 
well, although the primary risk is that once the traffic flow exceeds the 
link capacity such limiting won't have any net effect. But if we could 
farm this out during times of trouble to a mitigation services provider, 
they could advertise our block(s) and rate limit and scrub for us and 
send us the result; it would be far better than what we have now 
(which is effectively nothing). I asked Cloudflare this and they stated 
they are focused on web traffic. My upstream can't help me, doesn't 
support RTBH and won't install filters anyway unless it's impacting 
THEIR network. Just wondering if anyone has any other ideas (short of 
ditching my provider, which I also can't do at this time due to lack 
of competitive choice).


Mike-



Re: DDoS mitigation for ISPs

2015-10-29 Thread Mike

On 10/29/2015 08:54 AM, Hugo Slabbert wrote:

> On Thu 2015-Oct-29 08:42:31 -0700, Mike wrote:
>
>> Hello,
>>
>> Is there any DDoS mitigation service provider that can scrub 
>> traffic for an ISP network? I have an ASN and BGP and my own 
>> netblocks, and I have a 1gbps pipe. I was thinking the scenario would 
>> be, during an attack, we could bring up a tunnel and run BGP over it and 
>> advertise some portion of our IP space through it. I realise getting it 
>> set up while an attack is taking place would be a little hard and that we 
>> likely could expect at least some down time. What we have seen so far 
>> has been reflection attacks (DNS and SSDP) and we have been able to 
>> do rate limiting on these and other protocols to sane values. This 
>> has worked well, although the primary risk is that once the traffic flow 
>> exceeds the link capacity such limiting won't have any net effect. 
>> But if we could farm this out during times of trouble to a mitigation 
>> services provider, they could advertise our block(s) and rate limit 
>> and scrub for us and send us the result; it would be far better 
>> than what we have now (which is effectively nothing). I asked 
>> Cloudflare this and they stated they are focused on web traffic. My 
>> upstream can't help me, doesn't support RTBH and won't install 
>> filters anyway unless it's impacting THEIR network. Just wondering 
>> if anyone has any other ideas (short of ditching my provider, which I 
>> also can't do at this time due to lack of competitive choice).
>>
>> Mike-
>
> In no particular order:
>
> - Prolexic (Akamai)
> - Arbor Networks
> - Staminus
> - Black Lotus
> - Incapsula
> - Radware
>
> This is not an endorsement for any of the above.
> Alternatively: http://lmgtfy.com/?q=ddos+protection

Actually I did the google thing first and followed up with several of 
the top results, and not once did I see anyone offering a bgp tunnel + 
scrub which is why I asked. I did get some good off list responses 
however, thanks all.



Mike-


Re: configuration sanity check

2015-10-29 Thread Paul Ferguson
Be careful in your search for RATs -- in the security world it also stands for 
Remote Access Trojan. :-)

- ferg 


On October 29, 2015 3:06:23 PM EDT, Jesse McGraw  wrote:
>Historically there was RAT (Router Audit Tool).  You'll have to do some
>googling to see where it's hosted now and whether or not it's still 
>being developed as I haven't looked at it in years.
>
>
>On 10/29/2015 04:16 AM, marcel.durega...@yahoo.fr wrote:
>> Hi Nanogers,
>>
>> Any recommendation for software which checks the live config of 
>> cisco/juniper devices against some templates?
>>
>> The goal is to have a template for each device function, like:
>> - CORE device must have this block and this clock
>> - PE device must have at least that and that
>> - CPE must have this and that
>> - Distrib switch block 1 and block 2
>> - etc...
>>
>> And the software runs once every day to check which devices do not 
>> comply with those rules and generates an alert.
>>
>> Thanks,
>> - Marcel
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: DDoS mitigation for ISPs

2015-10-29 Thread Hugo Slabbert

>> Alternatively: http://lmgtfy.com/?q=ddos+protection
>
> Actually I did the google thing first and followed up with several of 
> the top results, and not once did I see anyone offering a bgp tunnel 
> + scrub which is why I asked. I did get some good off list responses 
> however, thanks all.
>
> Mike-


Apologies for the snarky link.  A Google search on my end turned up several 
of the solutions I listed manually and which definitely do GRE + BGP.  
Apparently my past searches on the subject have coloured my current results 
more than I expected...


--
Hugo

h...@slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E

(also on textsecure & redphone)





Re: configuration sanity check

2015-10-29 Thread Jesse McGraw
Historically there was RAT (Router Audit Tool).  You'll have to do some 
googling to see where it's hosted now and whether or not it's still 
being developed as I haven't looked at it in years.



On 10/29/2015 04:16 AM, marcel.durega...@yahoo.fr wrote:

> Hi Nanogers,
>
> Any recommendation for software which checks the live config of 
> cisco/juniper devices against some templates?
>
> The goal is to have a template for each device function, like:
> - CORE device must have this block and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block 2
> - etc...
>
> And the software runs once every day to check which devices do not 
> comply with those rules and generates an alert.
>
> Thanks,
> - Marcel





Re: DDoS mitigation for ISPs

2015-10-29 Thread Pavel Odintsov
Hello!

I can recommend folks from the EU - http://qrator.net/en/ - two years
without any issues. Perfect SSL and HTTP filtration.

On Thu, Oct 29, 2015 at 10:53 PM, Hugo Slabbert  wrote:
>>> Alternatively: http://lmgtfy.com/?q=ddos+protection
>>>
>> Actually I did the google thing first and followed up with several of the
>> top results, and not once did I see anyone offering a bgp tunnel + scrub
>> which is why I asked. I did get some good off list responses however, thanks
>> all.
>>
>>
>> Mike-
>
>
> Apologies for the snarky link.  A Google search on my end turned up several
> of the solutions I listed manually and which definitely do GRE + BGP.
> Apparently my past searches on the subject have coloured my current results
> more than I expected...
>
>
> --
> Hugo
>
> h...@slabnet.com: email, xmpp/jabber
> PGP fingerprint (B178313E):
> CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
>
> (also on textsecure & redphone)
>



-- 
Sincerely yours, Pavel Odintsov


[CenturyLink][Proto UDP] Blockage of UDP Outbound from Source Port 53

2015-10-29 Thread Jason Hellenthal
Could a CenturyLink network admin/engineer contact me off list.

We have multiple locations receiving DNS queries over UDP where we see the 
connections making it into our server and back out to our CenturyLink edge routers 
but never completing back to the connecting client at multiple locations.

Connections Failing From Digital Ocean NY, Time Warner WI, Rackspace DFW TX
(Hartford CT)# dig +short +novc @208.46.135.X domain.com A
(Cleveland OH)# dig +short +novc @65.112.236.X domain.com A


Connections from Chicago Rackspace to the above locations work as expected.

CenturyLink Orlando FL to Hartford CT or Cleveland OH, CenturyLink circuits 
work as expected.


Contact off list for domain and ip information used above.


Thanks

-- 
 Jason Hellenthal
 JJH48-ARIN






RE: configuration sanity check

2015-10-29 Thread Andrew Bosch
What is the opinion about CatTools?


> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
> marcel.durega...@yahoo.fr
> Sent: Thursday, October 29, 2015 3:17 AM
> To: nanog
> Subject: configuration sanity check
> 
> Hi Nanogers,
> 
> Any recommendation for software which checks the live config of
> cisco/juniper devices against some templates?
> 
> The goal is to have a template for each device function, like:
> - CORE device must have this block and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block 2
> - etc...
> 
> And the software runs once every day to check which devices do not comply with
> those rules and generates an alert.
> 
> Thanks,
> - Marcel


Re: NANOG list attack

2015-10-29 Thread Lamar Owen

On 10/26/2015 03:17 PM, Larry Blunk wrote:

> As Job Snijders (a fellow Communications Committee member) noted
> in an earlier post, we will be implementing some additional protection
> mechanisms to prevent this style of incident from happening again. We
> will be more aggressively moderating posts from addresses who have
> not posted recently, in addition to other filtering mechanisms.

For what it's worth, while I did see all of these that made it through 
the list itself, the larger portion that I saw did not come through the 
list but were sent directly to me, and the Received header trail shows 
that those did not come through the nanog mailman.  So I applaud what 
you do with the list itself, but it wouldn't have made (and won't make, 
in the future) much difference, since e-mails were sent out bypassing 
the list server.


And thanks for this note.



configuration sanity check

2015-10-29 Thread marcel.durega...@yahoo.fr

Hi Nanogers,

Any recommendation for software which checks the live config of 
cisco/juniper devices against some templates?


The goal is to have a template for each device function, like:
- CORE device must have this block and this clock
- PE device must have at least that and that
- CPE must have this and that
- Distrib switch block 1 and block 2
- etc...

And the software runs once every day to check which devices do not comply 
with those rules and generates an alert.


Thanks,
- Marcel


Re: configuration sanity check

2015-10-29 Thread Daniel Corbe
"marcel.durega...@yahoo.fr"  writes:

> Hi Nanogers,
>
> Any recommendation for software which checks the live config of
> cisco/juniper devices against some templates?
>
> The goal is to have a template for each device function, like:
> - CORE device must have this block and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block 2
> - etc...
>
> And the software runs once every day to check which devices do not
> comply with those rules and generates an alert.
>
> Thanks,
> - Marcel

You can also catch and minimize mistakes in real time by:

1) Implementing and enforcing a proper change control system.

2) Implementing tools like Rancid, which are designed to scrape router
configs and e-mail changes, in the format of a unified diff, to everyone
on your engineering team.

3) Making liberal use of tools like RtConfig so routine changes aren't a
painful (read: manual) time-consuming process.


Re: configuration sanity check

2015-10-29 Thread Joe Abley
Salut Marcel,

On Oct 29, 2015, at 04:16, "marcel.durega...@yahoo.fr"
 wrote:

> Any recommendation for software which checks the live config of 
> cisco/juniper devices against some templates?
>
> The goal is to have a template for each device function, like:
> - CORE device must have this block and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block 2
> - etc...

Not precisely what you wanted but some pointers for doing it yourself:

https://www.nanog.org/meetings/nanog26/presentations/stephen.pdf

The example code was still on ftp.isc.org last time I checked.


Joe

Aue Te Ariki! He toki ki roto taku mahuna!