Thursday, December 18, 2014

Connection to an SSH device with Python and paramiko


Previously, I was using 'pexpect' to connect to a router or a switch and gather information from it.
However, I often ran into several issues (timeouts, SSH key management...).

That is why I now use 'paramiko' (a Python SSH library).
You will find below an example of how paramiko is used.
This script connects to a switch and returns its version.
Don't hesitate to share examples.

import paramiko
import time

username = 'user'
pwd = 'password'
cmd = 'show version \n'
ip_switch = '10.10.20.17'

remote_conn_pre = paramiko.SSHClient()
# AutoAddPolicy accepts any unknown host key without checking it; with a populated
# known_hosts file, load_system_host_keys() and RejectPolicy() give a real check.
remote_conn_pre.set_missing_host_key_policy(paramiko.AutoAddPolicy())
remote_conn_pre.connect(ip_switch, username=username, password=pwd)
remote_conn = remote_conn_pre.invoke_shell()
time.sleep(1)
trash = remote_conn.recv(5000)          # discard the banner and the first prompt
remote_conn.send(cmd)
time.sleep(2)
# recv() returns bytes; decode before splitting into tokens
output = remote_conn.recv(5000).decode('utf-8', errors='replace')
chain = output.split()
# with the echoed 'show version' command, token 9 holds the version on this platform;
# the index depends on the banner layout of the device
print(chain[9])
remote_conn_pre.close()
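The script above relies on fixed sleeps and on the version string always being the tenth token. As an added example (my own code, not the author's script and not part of paramiko), the helpers below read the channel until the CLI prompt appears, extract the version with a regular expression, and connect with host-key verification (`load_system_host_keys()` plus `RejectPolicy()`) instead of `AutoAddPolicy()`. The `FakeChannel` class and `SAMPLE_CHUNKS` are constructed stand-ins so the reading and parsing logic can be exercised without a switch; `get_switch_version()` is the only function that needs paramiko and a real device, and its prompt, IP and credentials are assumptions.

```python
import re
import time

# Matches "Version 12.2(55)SE5" in Cisco IOS 'show version' output.
VERSION_RE = re.compile(r"Version\s+([0-9][\w.()]*)")


def parse_ios_version(show_version_output):
    """Pull the version string out of 'show version' instead of trusting a fixed token index."""
    match = VERSION_RE.search(show_version_output)
    return match.group(1) if match else None


def read_until_prompt(channel, prompt, timeout=10.0):
    """Read from an interactive channel until the CLI prompt is seen (or the timeout expires).

    Works with any object exposing recv_ready() and recv(), e.g. a paramiko Channel.
    """
    deadline = time.monotonic() + timeout
    chunks = []
    while time.monotonic() < deadline:
        if channel.recv_ready():
            chunks.append(channel.recv(65535))
            if b"".join(chunks).rstrip().endswith(prompt.encode()):
                break
        else:
            time.sleep(0.05)
    return b"".join(chunks).decode("utf-8", errors="replace")


def get_switch_version(ip, username, password, prompt="#"):
    """Connect with host-key verification and return the IOS version string (needs paramiko)."""
    import paramiko  # imported here so the parsing helpers above work without it

    client = paramiko.SSHClient()
    client.load_system_host_keys()                                # ~/.ssh/known_hosts
    client.set_missing_host_key_policy(paramiko.RejectPolicy())   # refuse unknown host keys
    client.connect(ip, username=username, password=password, timeout=10,
                   allow_agent=False, look_for_keys=False)
    try:
        shell = client.invoke_shell()
        read_until_prompt(shell, prompt)      # swallow the banner and the first prompt
        shell.send("terminal length 0\n")     # no '--More--' paging in the output
        read_until_prompt(shell, prompt)
        shell.send("show version\n")
        output = read_until_prompt(shell, prompt)
    finally:
        client.close()
    return parse_ios_version(output)


class FakeChannel:
    """Constructed stand-in for a paramiko channel so read_until_prompt can run offline."""

    def __init__(self, chunks):
        self._chunks = list(chunks)

    def recv_ready(self):
        return bool(self._chunks)

    def recv(self, nbytes):
        return self._chunks.pop(0)


# Constructed sample output (not captured from a real device): the command echo,
# the version banner split across two reads, and the prompt at the end.
SAMPLE_CHUNKS = [
    b"show version\r\nCisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), ",
    b"Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)\r\n...\r\nSW1#",
]


def demo_offline():
    """Run the read/parse path against the constructed channel; returns '12.2(55)SE5'."""
    text = read_until_prompt(FakeChannel(SAMPLE_CHUNKS), "SW1#")
    return parse_ios_version(text)


if __name__ == "__main__":
    print(demo_offline())
    # print(get_switch_version("10.10.20.17", "user", "password"))  # against a real switch
```

Reading until the prompt rather than sleeping two seconds makes the script independent of how fast the switch answers, and rejecting unknown host keys turns a silent man-in-the-middle into a connection error you will notice.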







Wednesday, November 19, 2014

Windows Automatic Metric for IP routes

I was wondering why my traffic was sometimes going out of the wireless interface and sometimes out of the copper interface.
This behaviour is due to the Automatic Metric feature of Windows.
As you can see in the table below, if I am connected at 100Mb, my metric on the copper interface is 20.


On our site, we have 802.11a/g and 802.11a/g/n access points.

  • When I'm on an a/g antenna (max 54Mbps) with a 100Mb copper interface, I have the following routing table:

C:\Users\ABCD>netstat -rn

IPv4 Route Table
========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.1.1.254      10.1.1.32     20
          0.0.0.0          0.0.0.0       10.1.2.254      10.1.2.68     25

  • When I'm on an a/g/n antenna (where my bandwidth is more than 200Mb) with a 100Mb copper interface, I have the following routing table:

C:\Users\ABCD>netstat -rn
IPv4 Route Table
========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.1.2.254      10.1.2.68     10
          0.0.0.0          0.0.0.0       10.1.1.254      10.1.1.32     20
As you can see, the wireless interface is now preferred with a metric of 10. I have chosen to set the metric on the network interfaces myself (copper 1 and wireless 20).

Start > Control Panel > Network and Sharing Center > Change adapter settings
Right-click on the copper card > Properties > Internet Protocol Version 4 > Properties > Advanced
Uncheck 'Automatic metric' and set the metric

In my case, I only set the interface metric. But the metric shown by the command 'netstat -rn' is the sum of two values (Gateway Metric + InterfaceMetric).
To find the gateway metric, use the command 'netsh int ip show config':
C:\Users\ABCD>netsh int ip show config

Configuration for interface "Local Area Connection"
    DHCP enabled:                         Yes
    IP Address:                           10.1.1.32
    Subnet Prefix:                        10.1.1.0/24 (mask 255.255.255.0)
    Default Gateway:                      10.1.1.254
    Gateway Metric:                       0
    InterfaceMetric:                      20
    DNS servers configured through DHCP:  10.1.2.5
    Register with which suffix:           Primary only
    WINS servers configured through DHCP: None

Configuration for interface "Wireless Network Connection"
    DHCP enabled:                         Yes
    IP Address:                           10.1.2.68
    Subnet Prefix:                        10.1.2.0/25 (mask 255.255.255.0)
    Default Gateway:                      10.1.2.254
    Gateway Metric:                       0
    InterfaceMetric:                      25
    DNS servers configured through DHCP:  10.1.2.5
    Register with which suffix:           Primary only
    WINS servers configured through DHCP: None
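To check the addition (Gateway Metric + InterfaceMetric) against what netstat shows, here is an added Python example (my own code, not part of the post) that parses 'netsh int ip show config' output, computes the effective metric of every default route and orders them the way the routing table would. `NETSH_SAMPLE` is constructed from the two interface blocks above, and `apply_interface_metrics()` replays the manual override described in the post (copper 1, wireless 20) to show the order flipping.

```python
import re

# Constructed sample, modelled on the 'netsh int ip show config' output above
# (only the fields the parser uses are kept).
NETSH_SAMPLE = """
Configuration for interface "Local Area Connection"
    DHCP enabled:                         Yes
    IP Address:                           10.1.1.32
    Subnet Prefix:                        10.1.1.0/24 (mask 255.255.255.0)
    Default Gateway:                      10.1.1.254
    Gateway Metric:                       0
    InterfaceMetric:                      20

Configuration for interface "Wireless Network Connection"
    DHCP enabled:                         Yes
    IP Address:                           10.1.2.68
    Subnet Prefix:                        10.1.2.0/25 (mask 255.255.255.0)
    Default Gateway:                      10.1.2.254
    Gateway Metric:                       0
    InterfaceMetric:                      25
"""

INTERFACE_HEADER = re.compile(r'Configuration for interface "(.+)"')


def parse_netsh_config(text):
    """Return {interface name: {field: value}} from 'netsh int ip show config' output."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        header = INTERFACE_HEADER.match(line.strip())
        if header:
            current = header.group(1)
            interfaces[current] = {}
            continue
        if current and ":" in line:
            key, _, value = line.partition(":")   # split on the first colon only
            interfaces[current][key.strip()] = value.strip()
    return interfaces


def default_routes(interfaces):
    """Effective metric of each default route, i.e. what 'netstat -rn' displays, best first."""
    routes = []
    for name, cfg in interfaces.items():
        if "Default Gateway" not in cfg:
            continue          # interface without a default gateway: no 0.0.0.0 route
        metric = int(cfg["Gateway Metric"]) + int(cfg["InterfaceMetric"])
        routes.append({"interface": name, "gateway": cfg["Default Gateway"],
                       "source": cfg["IP Address"], "metric": metric})
    return sorted(routes, key=lambda r: r["metric"])


def apply_interface_metrics(interfaces, overrides):
    """Simulate unchecking 'Automatic metric' and fixing InterfaceMetric on some interfaces."""
    updated = {name: dict(cfg) for name, cfg in interfaces.items()}
    for name, metric in overrides.items():
        updated[name]["InterfaceMetric"] = str(metric)
    return updated


def preferred_default_route(text, overrides=None):
    """Interface that carries the default route, optionally after manual metric overrides."""
    interfaces = parse_netsh_config(text)
    if overrides:
        interfaces = apply_interface_metrics(interfaces, overrides)
    return default_routes(interfaces)[0]


if __name__ == "__main__":
    for route in default_routes(parse_netsh_config(NETSH_SAMPLE)):
        print(route)
    print(preferred_default_route(NETSH_SAMPLE, {"Local Area Connection": 1,
                                                 "Wireless Network Connection": 20}))
```

With the sample as captured, the copper route wins at 20 against 25; after the manual override it wins at 1 against 20, regardless of what the automatic metric would have assigned to a faster wireless link.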

Unable to connect to an 802.11n Wi-Fi network if WMM is disabled

If WMM (Wireless Multimedia Extensions) is disabled on a WLAN, devices are not able to connect using 802.11n.

On Cisco wireless equipment, WMM has to be enabled per SSID:
WLANs > Choose WLAN > QoS > WMM >
Choose 'Allowed'

Friday, October 24, 2014

Configure Network Equipment to use RADIUS for authentication

Following my recent article 'How to install and configure FreeRADIUS', you will find below several examples of how to configure network equipment to use RADIUS for authentication.

Cisco Catalyst

aaa new-model
ip radius source-interface vlan XXX
radius-server host <IP_address_radius_server> auth-port <port-number> acct-port <port-number>
radius-server key SharedKey
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated => directly upgrade privilege to 'enable'
!
line vty 0 15
 login authentication default


Switch HP ProCurve

radius-server host <IP_address_radius_server> key "SharedKey" acct-port <port-number> auth-port <port-number>
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication login privilege-mode

Switch Nexus

ip radius source-interface mgmt 0
radius-server host <IP_address_radius_server> auth-port <port-number> acct-port <port-number>
radius-server key SharedKey
!
aaa group server radius FREE-RADIUS
 server <IP_address_radius_server>
 use-vrf management
 source-interface mgmt 0
!
aaa authentication login default group FREE-RADIUS

Thursday, October 23, 2014

Generate log messages when a MAC address appears on an interface

Today, I was facing an issue on a client network. After some troubleshooting, I suspected that a MAC address was duplicated on the network and appeared randomly on a physical interface.
As I did not want to spend my day checking the MAC address table of the switch for this specific interface, I decided to use an EEM script. This EEM script detects a new entry in the MAC address table for the specific interface and generates a log message with the 'alerts' priority level. Messages at this level are forwarded by the syslog server to my mailbox! Once I have received the message, I can check manually on the switch which MAC appeared on the interface. Below is the script used to troubleshoot this issue:

event manager applet MAC-ADD
 event mat interface GigabitEthernet0/24 type add
 action 1.0 syslog priority alerts msg "NEW MAC on ADD Gi0/24"
!
event manager applet MAC-DEL
 event mat interface GigabitEthernet0/24 type delete
 action 1.0 syslog priority alerts msg "MAC DELETED on Gi0/24"

Cisco and FreeRADIUS configuration

    Installation description

    In our case, FreeRADIUS is used to authenticate remote access to network equipment. I decided to use an existing user database (Active Directory).

    FreeRADIUS package installation:
    apt-get install freeradius
    apt-get install freeradius-utils
    apt-get install freeradius-ldap


    Configure the radiusd.conf file

    Modify the file radiusd.conf (/etc/freeradius/radiusd.conf) to specify the listen ports:
    -          Authentication (2050)
    -          Accounting (2051)

    listen {
            type = auth
            ipaddr = *
            port = 2050
    }
    listen {
            type = acct
            ipaddr = *
            port = 2051
    }

    In the log { } section of the same file, enable authentication logging and uncomment the two message lines to have more details in the log messages:
            auth = yes
            msg_goodpass = "Host %n"
            msg_badpass = "Host %n"

    Configure the users file

    Modify the file users (/etc/freeradius/users).

    This file lists the users who are authorized to take control of a 'client' (network equipment in our case).
    - We can use a local database:
    Username Cleartext-Password := "Password"
           Service-Type = NAS-Prompt-User,
           Cisco-AVPair = "shell:priv-lvl=15"

    - Or an external database. In this example, only members of the group 'Group_Network_Admin' (Active Directory) are authorized to access the equipment:
    DEFAULT         LDAP-Group == "Group_Network_Admin"
                    Service-Type = Administrative-User,
                    Cisco-AVPair = "shell:priv-lvl=15"
    DEFAULT         LDAP-Group != "Group_Network_Admin", Auth-Type := Reject


    Enable authentication via LDAP:

    Modify the default site file (/etc/freeradius/sites-enabled/default) by uncommenting the following lines: 'ldap' in the authorize { } section, and the Auth-Type block in the authenticate { } section:
    ldap
            Auth-Type LDAP {
                    ldap
            }

    Create clients of the RADIUS server

    Modify the file clients.conf (/etc/freeradius/clients.conf). Clients are the hosts that forward authentication requests to the RADIUS server (e.g. a Cisco switch).
    In the example below, I have added a complete subnet: all hosts in this subnet are authorized to send requests.
    The shared key is also defined in this file:

    client 10.110.22.0/24 {
            secret          = SharedKey
            nastype         = cisco
            shortname       = SWITCH-Branch-London
    }
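The same shared key appears as 'radius-server key SharedKey' on the Cisco side and as 'secret = SharedKey' in clients.conf above. To show what that key actually protects, here is an added Python example (my own code, not part of the post and not FreeRADIUS code) that builds an Access-Request by hand: the User-Password attribute is hidden by XORing it with an MD5 keystream derived from the secret and the Request Authenticator (RFC 2865), and the server's reply carries a Response Authenticator, an MD5 over the reply and the secret, which lets the client reject replies from a host that does not know the key. The secret, username, password and NAS address are constructed sample values, and `SAMPLE_AUTHENTICATOR` is fixed only so the results are reproducible.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed sample values (the secret matches the 'secret = SharedKey' line above).
SAMPLE_SECRET = b"SharedKey"
SAMPLE_AUTHENTICATOR = bytes(range(16))   # a real client uses os.urandom(16)


def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16                 # an empty password is still one block
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                          # chaining: next block keyed on the ciphertext
    return out


def reveal_password(hidden, secret, authenticator):
    """What the server does with the attribute before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; the length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as in RFC 2865."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """The reply a server knowing the secret would send (used here to construct a sample)."""
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Client-side check that the reply was produced with the same shared secret."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(packet[4:20], expected)


def demo():
    """Build a request for the sample NAS and check a genuine and a forged Access-Accept."""
    request = build_access_request(7, SAMPLE_SECRET, "admin", "Password", "10.110.22.5",
                                   SAMPLE_AUTHENTICATOR)
    genuine = build_response(ACCESS_ACCEPT, 7, SAMPLE_AUTHENTICATOR, SAMPLE_SECRET)
    forged = build_response(ACCESS_ACCEPT, 7, SAMPLE_AUTHENTICATOR, b"WrongKey")
    return {"request_length": len(request),
            "genuine_ok": verify_response(genuine, SAMPLE_AUTHENTICATOR, SAMPLE_SECRET),
            "forged_ok": verify_response(forged, SAMPLE_AUTHENTICATOR, SAMPLE_SECRET)}


if __name__ == "__main__":
    print(demo())
```

The password hiding is an MD5 keystream, not encryption with a modern cipher, so the shared secret and a management network that keeps RADIUS traffic away from untrusted hosts both matter; radtest, from the freeradius-utils package installed above, sends exactly this kind of request and is the quickest way to check the server before touching the switches.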


    Configure requests to Active Directory

    Modify the ldap module file (/etc/freeradius/modules/ldap). You will find below an example of configuration (chase_referrals and rebind are commented out by default and must be uncommented):
    ldap {
            server = 'ldap://mydomain.com'
            identity = "Username@mydomain.com"
            password = "Password"
            basedn = "DC=mydomain,DC=com"
            filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

            groupname_attribute = cn
            groupmembership_attribute = "memberOf"

            chase_referrals = yes
            rebind = yes
    }

    Monday, October 13, 2014

    Command Line Tricks for HP ProCurve Switches

    Below are some helpful commands.

    • Display logs or debug output on the current session:
      • terminal monitor (Cisco)
      • debug destination session (HP ProCurve)
    • By default, HP ProCurve switches don't display packet drops per queue. You can enable the monitoring on only one interface with the command below:
      • qos watch-queue xx out (where xx is the interface you want to monitor)
    • Obtain a 'show tech':
      • copy command-output "show tech all" sftp user ftpuser 10.10.10.10 show-tech.txt
    • Filter a 'show running' command:
      • Like Cisco, it's possible to use '|' after 'show running':

    Switch# show running-config | include router
    ip router-id 1.1.1.1
    router ospf
    router vrrp

    Switch# show running-config | begin router
    ip router-id 1.1.3.1


    Wednesday, September 3, 2014

    Playing with MACsec on copper interfaces with the 3750X

    The Cisco documentation is not clear on the feasibility of switch-to-switch MACsec over copper.
    So I decided to test it between two 3750X switches:

    • 3750X-24TS (without service module)
    • 3750X-48TS (without service module)


    I applied the following configuration on each switch:


    I plugged the cable between these two switches and checked that SAP 'succeeded':

    The interface is up and the configuration looks fine. But I preferred to check by myself that the traffic is really encrypted. The best way to do this is to use a hub. But this equipment has disappeared from IT departments and is very rare!! So we designed our own RJ45 TAP :).

    I used this magic TAP and Wireshark to sniff the traffic between our two switches.
    Below, you can see the result for a packet encrypted by MACsec (802.1AE). We can see the EtherType (88e5) used by this protocol.

    To sum up, MACsec is available on Cisco switches (switch-to-switch) on copper interfaces without a service module. This configuration is not available on the 3560X. I guess the service module is mandatory for it.


    Monday, July 21, 2014

    TCN received from StackPort1 on a 3750

    I was troubleshooting a network issue and, while doing so, ran the following command on a 3750 stack:

    show spanning-tree vlan 200 detail
    Bridge Identifier has priority 20480, sysid 200, address a8b1.d36f.c670
      Configured hello time 2, max age 20, forward delay 15
      Current root has priority 8392, address 0021.e809.0670
      Root port is 568 (Port-channel11), cost of root path is 3
      Topology change flag not set, detected flag not set
      Number of topology changes 27 last change occurred 1w2d ago
              from StackPort1


    As you can see, the source of the TCN is the StackPort1 of the switch!!!
    But what does this StackPort1 mean, and how do we determine the real source of the topology change?

    In fact, as my SSH session is open on the master and the TCN comes from another switch of the stack, the source seen from my session is the stack port of the master switch. To determine which interface is really the source, I have to open a session on each member switch and look for the TCN source there.

    For example, I opened a session on the 2nd switch of the stack:
    C3750#session 2

    C3750-2# show spanning-tree detail | i from|exec|occur
     VLAN0001 is executing the ieee compatible Spanning Tree protocol
      Number of topology changes 26 last change occurred 1w2d ago
              from GigabitEthernet2/0/52
     VLAN0040 is executing the ieee compatible Spanning Tree protocol
      Number of topology changes 26 last change occurred 1w2d ago
              from GigabitEthernet2/0/52

    As you can see above, we have found the real source of the TCN: GigabitEthernet2/0/52 on the second member of the stack.

    Wednesday, July 16, 2014

    Install a NetFlow collector on Cacti

    This tutorial explains how to install the flowview plugin on Cacti. I worked with Cacti 0.8.8b installed on an Ubuntu server.

    Install and configure flow-capture


    To capture NetFlow traffic, I used flow-capture. To install it on Ubuntu, you can use apt:
    apt-get install flow-capture

    Once flow-capture is installed, you can configure the flow-capture.conf file:
    vim /etc/flow-tools/flow-capture.conf

    # Example 1:
    # Capture flows from router at 10.1.1.10, listening at port 3000.
    # Store flows in /var/netflow/flows/myrouter.
    -w /var/netflow/flows/myrouter 0/10.1.1.10/3000

    Create the dedicated folder for the flow files:
    mkdir -p /var/netflow/flows/myrouter

    Configure a router to export NetFlow

    This configuration differs from one vendor to another. As an example, I configured a NetFlow export on a Cisco 4500:

    flow record R1
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     collect counter bytes
    !
    flow exporter CACTI
     destination 10.10.10.10
     export-protocol netflow-v5 => flow-capture is only v5 capable
    !
    flow monitor M1
     exporter CACTI
     cache entries 1000
     record R1
    !
    interface Port-channel1
     ip flow monitor M1 input
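Since flow-capture only understands NetFlow v5 (hence 'export-protocol netflow-v5' above), it helps to know what those datagrams look like on the wire. The following is an added Python example (my own code, not part of the post, flow-tools or Cacti) that decodes a v5 export datagram: the 24-byte header and the 48-byte records, whose fields (source/destination address, ports, protocol, byte counter) are exactly what the 'flow record R1' above tells the 4500 to match and collect. `SAMPLE_DATAGRAM` is constructed with the block's own encoder so the parser runs offline; `receive()` binds UDP port 3000 as in the flow-capture.conf example and is only meant to be run against a real exporter.

```python
import socket
import struct
from collections import namedtuple

# NetFlow v5 layout: fixed header followed by `count` fixed-size records.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes

Header = namedtuple("Header", "version count sys_uptime unix_secs unix_nsecs "
                              "flow_sequence engine_type engine_id sampling")
Flow = namedtuple("Flow", "src dst nexthop input output packets octets "
                          "first last sport dport tcp_flags proto tos")


def parse_v5(datagram):
    """Decode one v5 export datagram into (Header, [Flow]); raises ValueError on bad input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = Header(*V5_HEADER.unpack_from(datagram, 0))
    if hdr.version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {hdr.version})")
    if len(datagram) < V5_HEADER.size + hdr.count * V5_RECORD.size:
        raise ValueError(f"header announces {hdr.count} records but datagram is truncated")
    flows = []
    for i in range(hdr.count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, nexthop, inp, out, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, tos, *_as_and_masks) = fields
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), socket.inet_ntoa(nexthop),
                          inp, out, pkts, octets, first, last, sport, dport, flags, proto, tos))
    return hdr, flows


def build_v5(flows, sequence=0):
    """Encode a v5 datagram; used here only to construct sample input for the parser."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                       1, 2, pkts, octets, 0, 0, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
        for (src, dst, sport, dport, proto, flags, pkts, octets) in flows)
    return header + body


# Constructed sample flows (not captured from a real router): a DNS query and an SSH session.
SAMPLE_FLOWS = [("10.1.1.32", "10.1.2.5", 51000, 53, 17, 0x00, 2, 180),
                ("10.1.1.32", "10.10.20.17", 51234, 22, 6, 0x18, 40, 5120)]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS, sequence=1)


def is_rejected(datagram):
    """True when the parser refuses the datagram (wrong version, truncated, too short)."""
    try:
        parse_v5(datagram)
        return False
    except ValueError:
        return True


def receive(port=3000):
    """Listen like flow-capture does and print decoded flows; drops malformed datagrams."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (exporter, _) = sock.recvfrom(65535)
        try:
            hdr, flows = parse_v5(data)
        except ValueError as err:
            print(f"dropped datagram from {exporter}: {err}")
            continue
        for flow in flows:
            print(exporter, hdr.flow_sequence, flow)


if __name__ == "__main__":
    for flow in parse_v5(SAMPLE_DATAGRAM)[1]:
        print(flow)
```

Checking the announced record count against the datagram length before unpacking matters for a collector: NetFlow is plain UDP, so anything on the network can send a datagram claiming more records than it carries, and the parser has to treat that as input to drop rather than as something to trust.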

    Install and configure flowview on Cacti

    Download the flowview plugin (http://docs.cacti.net/plugin:flowview) and untar it in:
    /usr/share/cacti/site/plugins

    Go to the Cacti console:
    Configuration > Plugin Management
    and enable Flowview.

    Configure the path so that the plugin can read the NetFlow files created by flow-capture:
    Go to the Cacti console:
    Configuration > Settings > Misc
    Under 'Flows directory', specify your folder (for example /var/netflow/flows/).









    Tuesday, July 15, 2014

    Not able to execute the 'copy running-config startup-config' command

    Today, I encountered the following problem:

    MY-SWITCH#copy running-config startup-config
    startup-config file open failed (Device or resource busy)

    At first, I thought the nvram: was corrupted because I could not see any files in the NVRAM (dir nvram:). In fact, two users were connected to the switch.


    MY-SWITCH#show users
        Line       User       Host(s)              Idle       Location
    *  1 vty 0     admin      idle                 00:00:00 10.10.10.10 => My session
       2 vty 1     admin      idle                 00:07:09 10.10.20.10

    So I simply disconnected my colleague's session with the following command:

    MY-SWITCH#clear line 2

    After that, I was able to save my configuration.

    Friday, March 21, 2014

    Troubleshoot OSPF neighbors (Hello checks)

    In order to become neighbors, routers perform several checks on the Hellos they receive. If one of these checks fails, we have to troubleshoot and find the cause of the issue. You will find below several examples of neighbor failures. I have added log messages and debug messages to make the cause easy to find.

    • Area mismatch:


    • Authentication key mismatch:



    • Duplicate Router-id:



    • Subnet/mask Mismatch:





    • Area Type Mismatch:
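The five failure cases listed above are all decisions a router takes when it receives a Hello. As an added example (my own code, not part of the post and not a packet parser), the following Python models the Hello fields involved and returns every reason the local router would refuse to form an adjacency. It goes slightly beyond the list above by also comparing the hello and dead intervals, which OSPF checks in the same way, and it applies the subnet/mask check only on broadcast and NBMA networks, where OSPF performs it (point-to-point links skip it). The `Hello` values used in `demo()` are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Hello:
    """Fields of an OSPF Hello (plus the interface it arrived on) that decide adjacency."""
    router_id: str
    area_id: str
    network: str          # interface subnet, e.g. "10.0.12.0/24" (address + mask)
    hello_interval: int
    dead_interval: int
    auth_type: int        # 0 = null, 1 = simple password, 2 = MD5
    auth_key: str
    e_bit: bool           # E-bit set = normal (external-capable) area; clear = stub/NSSA
    network_type: str = "broadcast"   # "broadcast", "nbma" or "point-to-point"


def hello_mismatches(local: Hello, received: Hello):
    """Return the reasons the local router rejects the received Hello (empty list = OK)."""
    reasons = []
    if local.area_id != received.area_id:
        reasons.append("area mismatch")
    if local.auth_type != received.auth_type or local.auth_key != received.auth_key:
        reasons.append("authentication mismatch")
    if local.router_id == received.router_id:
        reasons.append("duplicate router-id")
    if local.network_type in ("broadcast", "nbma") and local.network != received.network:
        reasons.append("subnet/mask mismatch")
    if local.e_bit != received.e_bit:
        reasons.append("area type mismatch (stub vs normal)")
    if (local.hello_interval != received.hello_interval
            or local.dead_interval != received.dead_interval):
        reasons.append("hello/dead interval mismatch")
    return reasons


def demo():
    """Constructed pair of routers: a working case, then each failure from the list above."""
    r1 = Hello("1.1.1.1", "0.0.0.0", "10.0.12.0/24", 10, 40, 2, "ospfkey", True)
    r2 = replace(r1, router_id="2.2.2.2")
    return {
        "ok": hello_mismatches(r1, r2),
        "area": hello_mismatches(r1, replace(r2, area_id="0.0.0.1")),
        "auth": hello_mismatches(r1, replace(r2, auth_key="wrongkey")),
        "dup_rid": hello_mismatches(r1, replace(r2, router_id="1.1.1.1")),
        "mask": hello_mismatches(r1, replace(r2, network="10.0.12.0/25")),
        "mask_p2p": hello_mismatches(replace(r1, network_type="point-to-point"),
                                     replace(r2, network="10.0.12.0/25")),
        "stub": hello_mismatches(r1, replace(r2, e_bit=False)),
    }


if __name__ == "__main__":
    for case, reasons in demo().items():
        print(f"{case}: {reasons or 'adjacency possible'}")
```

When a neighbor is stuck or missing, comparing these fields on both sides (show ip ospf interface on each router, plus the debug output shown in the figures) narrows the problem to one of these reasons before any configuration is touched.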



    Friday, February 28, 2014