Re: A perl script to convert Cisco IOS/Nexus/ASA configurations to HTML for easier comprehension

2016-10-06 Thread Hank Nussbacher
On 07/10/2016 00:33, Lee wrote:
> dunno about creating web pages, but
> https://www.nanog.org/meetings/abstract?id=785
> has a section on showing filters that are defined but not referenced &
> referenced but not defined

In IOS-XR it is one command "sho rpl unused ?"
RP/0/RSP0/CPU0:petach-tikva-gp#show rpl unused ?
  as-path-set       Display as-path-set objects
  community-set     Display community-set objects
  extcommunity-set  Display extended community objects
  prefix-set        Display prefix-set objects
  rd-set            Display rd-set objects
  route-policy      Display route-policy objects
  tag-set           Display tag-set objects

RP/0/RSP0/CPU0:petach-tikva-gp#show rpl unused prefix
Fri Oct  7 08:24:53.237 IDT

ACTIVE -- Referenced by at least one policy which is attached
INACTIVE -- Only referenced by policies which are not attached
UNUSED -- Not attached (directly or indirectly) and not referenced

-Hank
>
> Regards,
> Lee
>



EDNS compliance and BIND 9.11.0

2016-10-06 Thread Mark Andrews

BIND 9.11.0 was released this week.

BIND 9.11.0 and BIND 9.10.4 implement EDNS COOKIES.  They are on
by default in BIND 9.11.0 and BIND 9.10.4 Windows. For the non
Windows builds of BIND 9.10.4 they need to be enabled at configure
time.

If your nameservers are not EDNS compliant, especially for unknown
EDNS options, you could be seeing issues ranging from additional
traffic and slow DNS lookups to full blown lookup failures.  If you
haven't fixed your servers already you need to fix them now.

You can test your servers at https://ednscomp.isc.org/ednscomp/
to see if they are EDNS compliant.

You can see EDNS compliance trends and list of failing servers
at https://ednscomp.isc.org.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:  +61 2 9871 4742  INTERNET: ma...@isc.org
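The unknown-option case Mark singles out is the one that trips the most servers, and it is easy to probe by hand. The block below is an added example, written for this page and not ISC's ednscomp code: it builds a plain A query with an OPT record carrying one option code the server cannot know (65001, from the local/experimental range, is this example's choice), parses whatever comes back, and lists the ways the reply falls short of RFC 6891 (FORMERR, OPT record dropped, the unknown option echoed back, or a non-zero EDNS version). The three replies it checks itself against are constructed in `make_response` so the check runs offline; `probe_server` sends the same probe to a live resolver or authoritative server over UDP. ednscomp runs several further tests (EDNS versions, flag bits and so on) that are not reproduced here.

```python
import socket
import struct

# Option code used as the "unknown" option. Codes 65001-65534 are reserved for
# local/experimental use (RFC 6891), so a compliant server has no handler for
# it and must simply ignore it. The exact code is this example's choice.
UNKNOWN_OPTION_CODE = 65001
OPT_TYPE = 41


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_probe(qname, txid=0x1234, udp_size=4096):
    """A-record query for qname with an OPT RR carrying one unknown option."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    option = struct.pack("!HH", UNKNOWN_OPTION_CODE, 4) + b"\xde\xad\xbe\xef"
    # OPT RR: empty name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(option)) + option
    return header + question + opt_rr


def skip_name(buf, off):
    """Advance past a (possibly compressed) wire-format name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_response(buf):
    """Pull out the transaction ID, RCODE and (if present) the OPT record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # QTYPE + QCLASS
    opt = None
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == OPT_TYPE:
            codes, p = [], 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                codes.append(code)
                p += 4 + olen
            opt = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF, "options": codes}
    return {"id": txid, "rcode": flags & 0x000F, "opt": opt}


def assess(query, response):
    """Return the EDNS compliance problems seen in response (empty list means compliant)."""
    problems = []
    r = parse_response(response)
    if r["id"] != struct.unpack("!H", query[:2])[0]:
        problems.append("transaction ID mismatch")
    if r["rcode"] == 1:
        problems.append("FORMERR on a query carrying an unknown EDNS option")
    elif r["rcode"] not in (0, 3):  # NOERROR and NXDOMAIN are both acceptable here
        problems.append("unexpected RCODE %d" % r["rcode"])
    if r["opt"] is None:
        problems.append("no OPT record in response (EDNS dropped)")
    else:
        if r["opt"]["version"] != 0:
            problems.append("EDNS version %d in response" % r["opt"]["version"])
        if UNKNOWN_OPTION_CODE in r["opt"]["options"]:
            problems.append("unknown option echoed back instead of ignored")
    return problems


def make_response(query, rcode, include_opt, echo_unknown):
    """Constructed server reply for offline testing; not captured traffic."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    answer = b""
    if rcode == 0:  # A 192.0.2.1, owner name via compression pointer to the question
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    extra = b""
    if include_opt:
        opts = struct.pack("!HH", UNKNOWN_OPTION_CODE, 0) if echo_unknown else b""
        extra = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(opts)) + opts
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if answer else 0, 0, 1 if extra else 0)
    return header + question + answer + extra


def probe_server(server, qname="example.com.", timeout=3.0):
    """Send the probe to a live server over UDP and assess the reply (needs network access)."""
    query = build_edns_probe(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return ["no response (server or a middlebox may drop queries with unknown options)"]
    return assess(query, reply)
```

A timeout is itself a finding: a firewall or load balancer that silently drops any query with an OPT record it does not like produces exactly the retries and slow lookups described above, and only shows up if you count the silence rather than just parsing replies.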


Re: A perl script to convert Cisco IOS/Nexus/ASA configurations to HTML for easier comprehension

2016-10-06 Thread Larry Sheldon

On 10/6/2016 15:26, Jesse McGraw wrote:

(This is me scratching an itch of my own and hoping that sharing it
might be useful to others on this list.  Apologies if it isn't)

  When I'm trying to comprehend a new or complicated Cisco router,
switch or firewall configuration an old pet-peeve of mine is how
needlessly difficult it is to follow deeply nested logic in route-maps,
ACLs, QoS policy-maps etc etc


A dim, weak voice from the past.  Has advantages of the plan proposed here.


To make this a bit simpler I’ve been working on a perl script to convert
these text-based configuration files into HTML with links between the
different elements (e.g. To an access-list from the interface where it’s
applied, from policy-maps to class-maps etc), hopefully making it easier
to to follow the chain of logic via clicking links and using the forward
and back buttons in your browser to go back and forth between command
and referenced list.


We used to (using an HB lead in a draftsman's lead holder and a stack of 
Forms SN 457* (Blank Spread Sheet, 11 x 17)) sort all of the requests, 
demands and other requirements into logical packages.


Then, using the blank back side of the spread sheet, we drew "flow 
diagrams" depicting how we would code the requirements.  If a section got 
a little complicated and tedious, we'd put a symbol on the diagram, a 
title that made sense and a page number.


On a new sheet, we wrote that title and that page number and drew the 
flow diagram for that messy bit of business.


Then we would "desk check" the flow diagrams and in the process, note on 
the requirements sheet(s) the diagram number (and entry point if there 
was more than one) where the requirement was satisfied.


Then we would start with a new sheet working from the flow diagrams, 
write the code for the machine (noting on the flow diagram the page and 
line number in the code where the operation on the flow diagram occurred).


There are several advantages to this approach--hard to leave important 
stuff out, hard to include code that is never exercised, hard to make 
changes to the code because you don't know how to make HTML depict it 
correctly.


No need to lecture me on the folly of the old ways--it is why I got 
fired for being too old.


--
"Everybody is a genius.  But if you judge a fish by
its ability to climb a tree, it will live its whole
life believing that it is stupid."

--Albert Einstein

From Larry's Cox account.


Re: A perl script to convert Cisco IOS/Nexus/ASA configurations to HTML for easier comprehension

2016-10-06 Thread Mike Hale
Neat!

On Thu, Oct 6, 2016 at 1:26 PM, Jesse McGraw  wrote:
> Nanog,
>
> (This is me scratching an itch of my own and hoping that sharing it
> might be useful to others on this list.  Apologies if it isn't)
>
>   When I'm trying to comprehend a new or complicated Cisco router, switch or
> firewall configuration an old pet-peeve of mine is how needlessly difficult
> it is to follow deeply nested logic in route-maps, ACLs, QoS policy-maps etc
> etc
>
> To make this a bit simpler I’ve been working on a perl script to convert
> these text-based configuration files into HTML with links between the
> different elements (e.g. To an access-list from the interface where it’s
> applied, from policy-maps to class-maps etc), hopefully making it easier to
> to follow the chain of logic via clicking links and using the forward and
> back buttons in your browser to go back and forth between command and
> referenced list.
>
>
> I've put the script itself up here:
> https://github.com/jlmcgraw/network_configuration_navigator
>
> See here for output examples:
> https://github.com/jlmcgraw/network_configuration_navigator/blob/master/examples/html_test_case_1.cfg.html
> http://htmlpreview.github.com/?https://github.com/jlmcgraw/network_configuration_navigator/blob/master/examples/html_test_case_1.cfg.html
>
> Here's a quick web demo on Heroku:
> https://hidden-waters-8218.herokuapp.com/
> (This is just a simple web front-end to the script.  I'm not a web-savvy
> guy so I'm sure it's poorly coded and terribly insecure.
> Please don't upload anything sensitive to this, it's just for testing!)
>
> I know there is a lot of stuff that could be done better so let me know if
> you think of anything new or notice something I’ve done wrong.
>
> One unexpected thing that has come out of this script is the ability to
> catch items that are defined but never actually used, whether it's due to a
> fat-finger or just being leftover cruft. This has proven very valuable in
> catching mistakes that are otherwise hard to spot.  Unfortunately the script
> can't currently catch the inverse (things that are called but never defined)
> due to the way the regexes are constructed
>
> Surely this has all been done before but I couldn't find anything in a few
> brief moments of searching so here we are.
>
> -Jesse
>
>
>
> Notes:
> See the box on the right for a key and links to jump to the first line
> of the various types of sections or unused items
>
> There are some command-line options for reformatting (make some numbers
> that are hard to read into more human-readable ones, add colors to
> permits/denies, scrub sensitive info etc, remove some redundancy).  Try and
> see what you like.
>
> If you run it against multiple configuration files at once it will also
> attempt to link between them when applicable (e.g. BGP neighbors, route next
> hops, interfaces on the same subnet etc).  I regularly use it on a ~900
> configuration files set with no problems
>
> Developed under Ubuntu Linux, somewhat tested on Windows but not at all
> on OS
>
> Based on configs that I work with so it doesn't cover all possible
> commands.  Send patches!



-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


Re: A perl script to convert Cisco IOS/Nexus/ASA configurations to HTML for easier comprehension

2016-10-06 Thread Lee
On 10/6/16, Jesse McGraw  wrote:
> Nanog,
>
>  (This is me scratching an itch of my own and hoping that sharing it
> might be useful to others on this list.  Apologies if it isn't)
>
>When I'm trying to comprehend a new or complicated Cisco router,
> switch or firewall configuration an old pet-peeve of mine is how
> needlessly difficult it is to follow deeply nested logic in route-maps,
> ACLs, QoS policy-maps etc etc
>
> To make this a bit simpler I’ve been working on a perl script to convert
> these text-based configuration files into HTML with links between the
> different elements (e.g. To an access-list from the interface where it’s
> applied, from policy-maps to class-maps etc), hopefully making it easier
> to to follow the chain of logic via clicking links and using the forward
> and back buttons in your browser to go back and forth between command
> and referenced list.
>
>
> I've put the script itself up here:
> https://github.com/jlmcgraw/network_configuration_navigator
>
> See here for output examples:
> https://github.com/jlmcgraw/network_configuration_navigator/blob/master/examples/html_test_case_1.cfg.html
> http://htmlpreview.github.com/?https://github.com/jlmcgraw/network_configuration_navigator/blob/master/examples/html_test_case_1.cfg.html
>
> Here's a quick web demo on Heroku:
> https://hidden-waters-8218.herokuapp.com/
>  (This is just a simple web front-end to the script.  I'm not a
> web-savvy guy so I'm sure it's poorly coded and terribly insecure.
>  Please don't upload anything sensitive to this, it's just for
> testing!)
>
> I know there is a lot of stuff that could be done better so let me know
> if you think of anything new or notice something I’ve done wrong.
>
> One unexpected thing that has come out of this script is the ability to
> catch items that are defined but never actually used, whether it's due
> to a fat-finger or just being leftover cruft. This has proven very
> valuable in catching mistakes that are otherwise hard to spot.
> Unfortunately the script can't currently catch the inverse (things that
> are called but never defined) due to the way the regexes are constructed
>
> Surely this has all been done before but I couldn't find anything in a
> few brief moments of searching so here we are.

dunno about creating web pages, but
https://www.nanog.org/meetings/abstract?id=785
has a section on showing filters that are defined but not referenced &
referenced but not defined

Regards,
Lee


A perl script to convert Cisco IOS/Nexus/ASA configurations to HTML for easier comprehension

2016-10-06 Thread Jesse McGraw

Nanog,

(This is me scratching an itch of my own and hoping that sharing it 
might be useful to others on this list.  Apologies if it isn't)


  When I'm trying to comprehend a new or complicated Cisco router, 
switch or firewall configuration an old pet-peeve of mine is how 
needlessly difficult it is to follow deeply nested logic in route-maps, 
ACLs, QoS policy-maps etc etc


To make this a bit simpler I’ve been working on a perl script to convert 
these text-based configuration files into HTML with links between the 
different elements (e.g. To an access-list from the interface where it’s 
applied, from policy-maps to class-maps etc), hopefully making it easier 
to to follow the chain of logic via clicking links and using the forward 
and back buttons in your browser to go back and forth between command 
and referenced list.



I've put the script itself up here:

https://github.com/jlmcgraw/network_configuration_navigator

See here for output examples:

https://github.com/jlmcgraw/network_configuration_navigator/blob/master/examples/html_test_case_1.cfg.html
http://htmlpreview.github.com/?https://github.com/jlmcgraw/network_configuration_navigator/blob/master/examples/html_test_case_1.cfg.html

Here's a quick web demo on Heroku:

https://hidden-waters-8218.herokuapp.com/
(This is just a simple web front-end to the script.  I'm not a 
web-savvy guy so I'm sure it's poorly coded and terribly insecure.

Please don't upload anything sensitive to this, it's just for testing!)

I know there is a lot of stuff that could be done better so let me know 
if you think of anything new or notice something I’ve done wrong.


One unexpected thing that has come out of this script is the ability to 
catch items that are defined but never actually used, whether it's due 
to a fat-finger or just being leftover cruft. This has proven very 
valuable in catching mistakes that are otherwise hard to spot.  
Unfortunately the script can't currently catch the inverse (things that 
are called but never defined) due to the way the regexes are constructed


Surely this has all been done before but I couldn't find anything in a 
few brief moments of searching so here we are.


-Jesse



Notes:
See the box on the right for a key and links to jump to the first 
line of the various types of sections or unused items


There are some command-line options for reformatting (make some 
numbers that are hard to read into more human-readable ones, add colors 
to permits/denies, scrub sensitive info etc, remove some redundancy).  
Try and see what you like.


If you run it against multiple configuration files at once it will 
also attempt to link between them when applicable (e.g. BGP neighbors, 
route next hops, interfaces on the same subnet etc).  I regularly use it 
on a ~900 configuration files set with no problems


Developed under Ubuntu Linux, somewhat tested on Windows but not at 
all on OS


Based on configs that I work with so it doesn't cover all possible 
commands.  Send patches!
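Jesse's "defined but never used" check, and the inverse that his regexes cannot yet do (the "referenced but not defined" case Lee's NANOG pointer and Hank's `show rpl unused` cover on other platforms), both come down to one pass that collects definitions and references per object type and diffs the two sets. The block below is an added example written for this page, not code from the network_configuration_navigator repository: the definition and reference patterns are a small IOS-style subset chosen for illustration, and the configuration it runs on is constructed, with one stale ACL, one route-map a BGP neighbor names that is never defined, and a typo'd class name inside a policy-map.

```python
import re
import sys
from collections import defaultdict

# Constructed IOS-style configuration for this example (not from the list
# post or the network_configuration_navigator repository). It deliberately
# contains one ACL that is defined but never applied, one route-map that a
# BGP neighbor references but that is never defined, and a class name inside
# a policy-map that is a typo of a real class-map.
SAMPLE_CONFIG = """\
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny ip any any log
ip access-list extended OLD-GUEST-IN
 permit ip any any
class-map match-all VOICE
 match dscp ef
policy-map WAN-OUT
 class VOICE
  priority percent 20
 class VOCIE
  bandwidth percent 5
 class class-default
  fair-queue
ip prefix-list CUST-PFX seq 5 permit 192.0.2.0/24
route-map CUSTOMER-IN permit 10
 match ip address prefix-list CUST-PFX
interface GigabitEthernet0/0
 ip access-group MGMT-IN in
 service-policy output WAN-OUT
router bgp 64496
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 route-map CUSTOMER-IN in
 neighbor 198.51.100.1 route-map CUSTOMER-OUT out
"""

# Where each kind of object is defined: (kind, regex with the name in group 1).
# Top-level commands start in column 0, so these are anchored without indent.
DEFINITIONS = [
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)")),
    ("acl", re.compile(r"^access-list (\d+) ")),
    ("class-map", re.compile(r"^class-map (?:match-(?:all|any) )?(\S+)")),
    ("policy-map", re.compile(r"^policy-map (\S+)")),
    ("route-map", re.compile(r"^route-map (\S+)")),
    ("prefix-list", re.compile(r"^ip prefix-list (\S+)")),
]

# Where each kind of object may be referenced; these are all indented sub-commands.
REFERENCES = [
    ("acl", re.compile(r"^\s+ip access-group (\S+)")),
    ("acl", re.compile(r"^\s+match ip address (?!prefix-list)(\S+)")),
    ("prefix-list", re.compile(r"^\s+match ip address prefix-list (\S+)")),
    ("prefix-list", re.compile(r"^\s+neighbor \S+ prefix-list (\S+)")),
    ("class-map", re.compile(r"^\s+class (?!class-default)(\S+)")),
    ("policy-map", re.compile(r"^\s+service-policy (?:input|output) (\S+)")),
    ("route-map", re.compile(r"^\s+neighbor \S+ route-map (\S+)")),
    ("route-map", re.compile(r"^\s+redistribute \S+ route-map (\S+)")),
]


def cross_reference(config):
    """Return (unused, undefined): dicts of kind -> sorted names, empty kinds omitted."""
    defined, referenced = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        for kind, rx in DEFINITIONS:
            m = rx.match(line)
            if m:
                defined[kind].add(m.group(1))
        for kind, rx in REFERENCES:
            m = rx.match(line)
            if m:
                referenced[kind].add(m.group(1))
    kinds = set(defined) | set(referenced)
    unused = {k: sorted(defined[k] - referenced[k]) for k in kinds if defined[k] - referenced[k]}
    undefined = {k: sorted(referenced[k] - defined[k]) for k in kinds if referenced[k] - defined[k]}
    return unused, undefined


def report(config):
    unused, undefined = cross_reference(config)
    lines = []
    for kind, names in sorted(unused.items()):
        lines.append("defined but never referenced: %s %s" % (kind, ", ".join(names)))
    for kind, names in sorted(undefined.items()):
        lines.append("referenced but never defined: %s %s" % (kind, ", ".join(names)))
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("\n".join(report(text)) or "no dangling references found")
```

Treat the "unused" list as a review queue rather than a delete list: an object the patterns do not know how to see (an ACL named under `snmp-server community`, `ip nat`, a VTY `access-class`, an object-group) will be reported as unused even though removing it changes behaviour. The "undefined" list is the more dangerous one operationally, since on IOS a missing ACL or route-map usually fails open (everything permitted) rather than closed.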


Re: AS47860 - 93.175.240.0/20 - Wiskey Tango Foxtrot

2016-10-06 Thread Ronald F. Guilmette

In message <20161006163137.uvcnzodrve6to...@cisco.com>, 
Joseph Karpenko  wrote:

>> 
>> P.S.  This crap appears to be be brought to us courtesy of AS29632,
>> NetAssist, LLC:
>> 
>> http://new.netassist.ua/
>> 
>
>assuming accuracy of records, etc...  ;-)

Right.  And that doesn't seem to be RIPE's strong suit.

>or courtesy of both AS43659 (who was peering with and announcing the prefix 
>to>)
>and AS29632 (who was then accepting and announcing to its upstreams)?  seems to
>be an interesting relationship between the two (2) of them; along with an even
>more interesting relationship/affiliation between AS43659 and AS57166 - and the
>upstream for both the ASNs is/was AS29632 (NetAssist LLC).  ;-)

Well, yes.  I tried to untangle the relationships here just by looking at
bgp.he.net, but as I looked at all of the relevant pages, nothing seemed
to be adding up, or even remaining consistent among all of the info that
bgp.he.net was showing me.  So I just shrugged, gave up, and reported the
few facts that I felt sure about here.

Specifically, bgp.he.net is reporting the name associated with AS47860 as
"Albino, LLC", but personally, I have no idea where they are getting that
name from.  (And it sure doesn't look like a European style of company
name... rather more American, I think.)

Then I looked at the bgp.he.net connectivity graph for AS47860:

http://bgp.he.net/AS47860#_graph4

This suggests that AS47860 is connected to the Internet only via AS43659,
D2 International Investment Ukraine Ltd.  (That AS, it seems, is currently
announcing -zero- routes of its own, which seems, well, odd.)

The connectivity graph for AS43659 is here:

http://bgp.he.net/AS43659#_graph4

This seems to indicate that AS43659 is only connected to the Internet via
AS29632 and that AS29632 is itself -only- connected to the Internet via
AS6939.  But then when I looked at the connectivity graph for AS29632
it actually appears to have -five- different IPv4 peers:

   http://bgp.he.net/AS29632#_graph4

But then I looked at the actual -list- of IPv4 peers of AS29632 and I see
it has 121 of them!

 http://bgp.he.net/AS29632#_peers

So, anyway, bottom line, there are clearly things about how bgp.he.net draws
connectivity graphs that I don't actually understand.

That's OK.  I don't need to understand any of that in order to understand
that AS47860 is a bogus unregistered AS which is, and which has been,
apparently, for some long time, announcing a route (93.175.240.0/20) to
unregistered RIPE IPv4 space.

Sadly, announcing bogons is not uncommon, so I wouldn't even have mentioned
this if it hadn't been for the fact that historical passive DNS data indicate
quite clearly that at least one snowshoe spammer was using that IPv4 space at
about this time last year.


Regards,
rfg
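The "bogus unregistered AS announcing unregistered space" judgement above can be made without bgp.he.net's graphs by checking an announcement's prefix and origin AS against the delegated-extended statistics files the RIRs publish daily (one line per block or ASN, `registry|cc|type|start|value|date|status|opaque-id`). The block below is an added example written for this page, not anything from the thread: it parses that format into integer ranges (IPv4 entries are start+count and are not always CIDR-aligned), then reports any announcement whose prefix or origin is not in `allocated` or `assigned` status, or not covered at all. The sample records are constructed for the example and say nothing about the real registration status of any ASN or prefix; the real files are what you would feed `load_delegated`.

```python
import ipaddress

# Constructed sample in the RIR delegated-extended stats format. Every line is
# made up for this example and carries no information about the real status
# of any ASN or prefix mentioned in the thread. The version header and the
# summary lines are included to show that the parser skips them.
SAMPLE_DELEGATED = """\
2|ripencc|20161006|5|19830705|20161005|+0100
ripencc|*|ipv4|*|2|summary
ripencc|*|asn|*|3|summary
ripencc|NL|ipv4|93.175.0.0|32768|20100105|allocated|a1b2
ripencc|ZZ|ipv4|93.175.240.0|4096|20100105|reserved|
ripencc|UA|asn|29632|1|20030801|assigned|c3d4
ripencc|UA|asn|43659|1|20070910|assigned|e5f6
ripencc|ZZ|asn|47860|1|20081215|reserved|
"""

# Statuses that mean "someone is entitled to announce this".
REGISTERED = {"allocated", "assigned"}


def load_delegated(text):
    """Parse delegated(-extended) lines into (registry, type, lo, hi, status) integer ranges.

    Only ipv4 and asn records are kept; ipv6 is out of scope for this example.
    """
    records = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[2] not in ("ipv4", "asn"):
            continue  # version header, summary lines, ipv6, blank lines
        registry, _cc, rtype, start, value, _date, status = fields[:7]
        lo = int(ipaddress.IPv4Address(start)) if rtype == "ipv4" else int(start)
        records.append((registry, rtype, lo, lo + int(value) - 1, status))
    return records


def lookup(records, rtype, lo, hi):
    """Registry and status of the record that fully contains [lo, hi], else None."""
    for registry, t, rlo, rhi, status in records:
        if t == rtype and rlo <= lo and hi <= rhi:
            return registry, status
    return None


def classify_announcement(records, prefix, origin_asn):
    """List the reasons an announcement looks like a bogon (empty list means it checks out)."""
    net = ipaddress.ip_network(prefix, strict=False)
    findings = []
    pfx = lookup(records, "ipv4", int(net.network_address), int(net.broadcast_address))
    if pfx is None:
        findings.append("%s not covered by any delegated record" % prefix)
    elif pfx[1] not in REGISTERED:
        findings.append("%s has status '%s' at %s" % (prefix, pfx[1], pfx[0]))
    asn = lookup(records, "asn", origin_asn, origin_asn)
    if asn is None:
        findings.append("AS%d not covered by any delegated record" % origin_asn)
    elif asn[1] not in REGISTERED:
        findings.append("AS%d has status '%s' at %s" % (origin_asn, asn[1], asn[0]))
    return findings


if __name__ == "__main__":
    recs = load_delegated(SAMPLE_DELEGATED)
    for prefix, asn in [("93.175.240.0/20", 47860), ("93.175.0.0/18", 29632)]:
        findings = classify_announcement(recs, prefix, asn)
        print(prefix, "AS%d" % asn, "->", "; ".join(findings) or "registered prefix and origin")
```

A prefix that is registered but announced by an ASN other than the one its holder authorised is a different problem (a hijack rather than a bogon) and needs the ROA or IRR route object for the prefix, not the delegated stats; this check only answers the narrower question of whether anyone is entitled to the resources at all.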


Re: AS47860 - 93.175.240.0/20 - Wiskey Tango Foxtrot

2016-10-06 Thread Martin List-Petersen

On 06/10/16 00:55, Ronald F. Guilmette wrote:

Anyway, it's rather annoying to me personally... and I hope I'm not the
only one who feels that way... to know that this has gone mostly unnoticed
for so long, that nobody within the RIPE region has ever bothered to -do-
anything about it, and that the AS and the bogus route are still being
announced, even as we speak.


I had a look in my feeds, then a few global BGP LG's and well, it's not 
in the BGP table.


In reality, it's the upstream, that feeds it in, that really needs to be 
penalised.


Kind regards,
Martin List-Petersen
--
Airwire Ltd. - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968
Registered Office: Moy, Kinvara, Co. Galway, 091-865 968 - Registered in 
Ireland No. 508961