If you knock, I'll let you in. Marking UDP traffic as Established.
By Brandon James on 2021-04-29 Tags: Security, Linux, Networking, GoPro
Despite being a connectionless protocol, many firewalls are able to track the state of UDP communication. One such firewall is IPtables on Linux. Let's consider a simple IPtables input policy permitting related and established traffic, but dropping everything else.
No luck? sad! The Problem with TCP Checksums
By Brandon James on 2020-12-30 Tags: Route/Switch, Security
It's simple to craft packets with identical checksums. TCP datagrams with UTF-8 encoded payloads 'No muck? rad!' and 'No luck? sad!' have identical checksums if the rest of the packet is identical. Changing the 'm' in muck to an 'l' and the 'r' in rad to a 's' results in a binary 1 being flipped to 0 and vice versa. Since these binary digits lie in the same position in different 16-bit words, the changes cancel each other out, resulting in the same checksum.
By Brandon James on 2020-06-26 Tags: NTN
Unless it's your first time here, you've probably noticed NTN has a new look and feel. A few weeks ago I decided to take some of my lessons learned from NTNv1 and rewrite a large part of the backend and all of the front end. I had several reasons for wanting to do this. NTNv1 was built around NTN Tools and NTN Notes was added after NTN Tools was finished. This pivot resulted in a few design decisions that I wasn't really happy about and a cluttered UI.
Practical Automation - mod_acl
By Brandon James on 2019-12-31 Tags: Route/Switch, Automation, Programming
Managing access lists is one of the more painful parts of being a network engineer. Once you've finishing working out what should or should not be allowed, you write the ACL and then paste it into all your devices. The minute you finish, the requirements change or the business lets you know what you just broke. In the future, SGTs and SDN promise to fix this problem, but you might not be there yet. `mod_acl` is a simple and fast way to manage ACLs.
Bootstrap Router Hash Function
By Brandon James on 2019-12-06 Tags: Route/Switch, Programming
RFC 7761 describes a hash function used to load balance multicast groups between Rendezvous Point (RP) candidates when you are using Bootstrap Router (BSR). The hash function isn't straight forward and I was unable to find a resource that described it in detail. One feature of the hash function is an adjustable hash mask length. I think it's important to understand what the function does and how adjusting the mask impacts RP selection. I do my best to describe it here and provide some resources to help you select the best hash mask length for your environment.
By Brandon James on 2019-11-23 Tags: Unfiled
A month ago I decided to submit NTN to Cisco's IT Blog Awards in the Best Newcomer Category. To my surprise it got selected as a finalist. Since I don't have an about page, I wanted to briefly write about who I am, what NTN is and my plans for the future of NTN.
A Power User's Guide to the Linux CLI
By Brandon James on 2019-10-10 Tags: Cheatsheets, Linux
I am a huge fan of Linux. In the office most of my real work happens through a Red Hat jumpbox, this website is hosted on Ubuntu and I've been using Linux on my personal machines since 2010. At first, I was using Linux because I'm a nerd and that's what we do, but I continue to use it because it increase my productivity.
Practical Automation - Netwatch
By Brandon James on 2019-09-12 Tags: Automation, Programming
Small data gathering utilities are one of my favorite forms of automation. They provide immediate value and have no risk of failure. Netwatch runs a set of commands periodically against a group of network devices. It features concurrency, error handling and just the right amount of customization. Netwatch was inspired by a post on Reddit and the *nix utility watch.
Locator/ID Separation Protocol - LISP
By Brandon James on 2019-09-04 Tags: Route/Switch
The Locator/ID Separation Protocol or LISP was originally designed to decrease the size of routing tables on the Internet. As the protocol matured it made it's way into the enterprise though solutions like Cisco Software Defined Access. In this article I provide a summary of the problem LISP solves and how LISP functions. The purpose of this article isn't to cover the protocol in it's entirety, but to build an awareness of how the protocol works.
By Brandon James on 2019-08-01 Tags: Automation, Programming
Interacting with Network Devices can often be I/O limited. A function runs, waits for a response from the device, then another function runs so on and so forth. This is made worse by the fact that scripts are often run against multiple devices. After all the purpose of scripting is to speed up repetitive tasks.
By Brandon James on 2019-07-30 Tags: Wireless, Cheatsheets
The WLC CLI can be a little less than intuitive at times. I put together this quick reference with some of my most used WLC commands.
Bitwise Operations and Subnetting
By Brandon James on 2019-07-29 Tags: Route/Switch, Programming
Back in September of 2016 I wrote a subnet calculator in C and then blogged about it. This entry is based on that old blog post.
Don't use FHRPs without Authentication
By Brandon James on 2019-02-17 Tags: Route/Switch, Security
You are most likely running a first hop redundancy protocol somewhere in your network. If you aren't routing at the access layer and your running a traditional redundant core (ie you aren't using a switch virtualization platform such as Cisco's VSS), one of those places is probably your user facing SVIs. If you aren't using encrypted authentication on your FHRP, you're putting your enterprise at risk.
How I Automate - Script Configuration using YAML
By Brandon James on 2019-02-17 Tags: Automation
In the past when I was using TCL/Expect as my primary automation language, I would do most of my configuration within the script itself and then I'd just have the script grab a list of devices from a text document. Lately, I've been using YAML to provide both my list of devices and to configure various parameters within the script itself.
By Brandon James on 2017-01-26 Tags: Route/Switch
Lately we've been hitting bugs that cause switches (specifically Cisco 4500-E's) to lose their SSH keys after reboots or crashes. Due to this we've changed our standard operating procedure for reboots to include enabling telnet. This workaround is great during planned outages, but it doesn't really help in the case of unplanned outages. I knew that it was possible to make configuration changes via SNMP, so today when I replaced a lab router and forgot to generate SSH keys, I took advantage of the situation and generated the keys via SNMP.