Concurrency Vs Parallelism

While trying to understand the difference between concurrency and parallelism, I came across this 30-minute talk by Rob Pike that clearly explains the differences.

My previous crude understanding of it was like this:

Usain Bolt’s personal best times for 400m and 100m are 45.28s and 9.58s respectively.

If we had one Usain Bolt running 400m at his personal best, we could cover 400m in 45.28s.

If we had four Usain Bolt clones running 4*100m relay style, i.e., the first 100m covered by Usain Bolt-1, the next 100m by Usain Bolt-2 and so on, it would take 4*9.58s = 38.32s to cover 400m. We save 6.96s (45.28-38.32): concurrency!

If we had four Usain Bolt clones each running 100m, but this time simultaneously instead of in the usual relay fashion, we should be able to cover 400m in 9.58s. We save 35.7s (45.28-9.58): parallelism!

iRule – Redirects

# Different redirects

########################
# 302 Redirects
########################
# HTTP::redirect sends a 302 with the given Location
when HTTP_REQUEST {
    HTTP::redirect https://www.domain.com/
}

########################
# 301 Redirects
########################
# HTTP::respond takes the status code first, then header name/value pairs
when HTTP_REQUEST {
    HTTP::respond 301 Location https://www.domain.com/
}

############################
# IF-Conditional Redirect
############################
# Matching a condition
when HTTP_REQUEST {
    if { [HTTP::host] eq "domain.com" } {
        HTTP::respond 301 Location https://www.domain.com/
    }
}

# NOT matching a condition
when HTTP_REQUEST {
    if { not ([HTTP::host] eq "domain.com") } {
        HTTP::respond 301 Location https://www.domain.com/
    }
}

# Multiple conditions (note: [HTTP::uri] includes any query string, so
# "/login?x=1" does not satisfy eq "/login"; compare [HTTP::path] if that matters)
when HTTP_REQUEST {
    if { ([HTTP::host] eq "domain.com") and ([HTTP::uri] eq "/login") } {
        HTTP::respond 301 Location https://www.domain.com/login/
    }
}

# if & elseif
when CLIENT_ACCEPTED {
    set default_pool [LB::server pool]
}
when HTTP_REQUEST {
    if { [HTTP::host] eq "domain1.com" } {
        HTTP::respond 301 Location https://www.domain1.com/login/
    } elseif { [HTTP::host] eq "domain2.com" } {
        HTTP::respond 301 Location https://www.domain2.com/login/
    } else {
        pool $default_pool
    }
}

##################################
# Switch-Conditional Redirect
##################################

# Check multiple unique domains (switch on the Host header, not on the path)
when CLIENT_ACCEPTED {
    set default_pool [LB::server pool]
}
when HTTP_REQUEST {
    switch -glob [HTTP::host] {
        "domain1.com" {
            HTTP::respond 301 Location https://www.domain1.com/
        }
        "domain2.com" {
            HTTP::respond 301 Location https://www.domain2.com/
        }
        default {
            pool $default_pool
        }
    }
}

# Redirect several domains to the same URL ("-" falls through to the next body)
when CLIENT_ACCEPTED {
    set default_pool [LB::server pool]
}
when HTTP_REQUEST {
    switch -glob [HTTP::host] {
        "domain1.com" -
        "domain2.com" {
            HTTP::respond 301 Location https://www.domain.com/
        }
        default {
            pool $default_pool
        }
    }
}

############################
# Data Group
############################

# String data group: the key is a URI prefix, the value is the target domain
class CLASS_HSF {
    {
        "/str1" { "domain1.com" }
        "/str2" { "domain2.com" }
    }
}

when CLIENT_ACCEPTED {
    set DEFAULT [LB::server pool]
}

when HTTP_REQUEST {
    # normalise case once so the comparisons below are case-insensitive
    set HOST [string tolower [HTTP::host]]
    set URI [string tolower [HTTP::uri]]

    if { $HOST equals "www.domainhs.com" } {
        HTTP::respond 301 Location "http://www.domain.com[HTTP::uri]"
    } elseif { [class match $URI starts_with CLASS_HSF] } {
        # same operator as the test above, so the looked-up value is the one that matched
        set DOMAIN [class match -value $URI starts_with CLASS_HSF]
        HTTP::respond 301 Location "http://$DOMAIN"
    } else {
        pool $DEFAULT
    }
}

Reference: Github Link

F5 iRule – URI, Path & Query

F5 iRules have the following three commands, which can be a bit confusing. This is a short post to remember the differences between them.

[HTTP::uri] – everything from the “/” after the domain name to the end.

[HTTP::path] – everything from the “/” after the domain name up to the character before the “?”.

[HTTP::query] – everything after the “?”.

[HTTP::host] – the domain name (the value of the Host header).

In short:
[HTTP::uri] == [HTTP::path] + "?" + [HTTP::query]

When the request carries no query string, [HTTP::query] is empty and [HTTP::uri] is identical to [HTTP::path].

Example:
http://www.example.com/main/index.jsp?user=test&login=check

 [HTTP::uri]   - URI:   /main/index.jsp?user=test&login=check
 [HTTP::path]  - PATH:  /main/index.jsp
 [HTTP::query] - Query: user=test&login=check
 [HTTP::host]  - Host:  www.example.com
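The conditional redirects in the iRule section compare [HTTP::uri] against a fixed string, so a request for /login?next=/home does not satisfy eq "/login", whereas [HTTP::path] would. The shell functions below are an added example, not code from the original post: they mirror the four commands on a plain URL string (the function names and sample URLs are my own) and show that difference.

```shell
# Added example (POSIX sh), not from the original post. Mirrors the iRule
# commands on a plain URL string. IPv6 literal hosts are not handled.
#   url_host  -> [HTTP::host]  host name, lowercased like "string tolower [HTTP::host]"
#   url_uri   -> [HTTP::uri]   everything from the first "/" after the host to the end
#   url_path  -> [HTTP::path]  the uri up to, not including, the first "?"
#   url_query -> [HTTP::query] everything after the first "?" (empty when absent)

url_host() {
    rest=${1#*://}                       # drop the scheme
    printf '%s\n' "${rest%%[/?]*}" | tr 'A-Z' 'a-z'
}

url_uri() {
    rest=${1#*://}
    host=${rest%%[/?]*}                  # host ends at the first "/" or "?"
    uri=${rest#"$host"}                  # leaves "/path?query", "?query" or ""
    case $uri in
        "")  uri=/ ;;                    # bare host: the request line carries "/"
        \?*) uri=/$uri ;;                # query with no path: "/?query"
    esac
    printf '%s\n' "$uri"
}

url_path() {
    uri=$(url_uri "$1")
    printf '%s\n' "${uri%%\?*}"          # cut at the FIRST "?", a "?" inside the query stays there
}

url_query() {
    uri=$(url_uri "$1")
    case $uri in
        *\?*) printf '%s\n' "${uri#*\?}" ;;
        *)    printf '\n' ;;
    esac
}

# Would { [HTTP::uri] eq "/login" } and { [HTTP::path] eq "/login" } fire for this URL?
matches_login() {
    uri_hit=0; path_hit=0
    [ "$(url_uri "$1")" = "/login" ] && uri_hit=1
    [ "$(url_path "$1")" = "/login" ] && path_hit=1
    printf 'uri=%s path=%s\n' "$uri_hit" "$path_hit"
}

# Constructed sample URLs (not from the original post)
matches_login 'http://www.example.com/login'             # uri=1 path=1
matches_login 'http://www.example.com/login?next=/home'  # uri=0 path=1
```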

Cisco FirePower 9300

The Cisco FP9300 is a chassis-based, enterprise-grade firewall that provides high availability, scalability and throughput of 100+ Gbps, depending on the hardware configuration.

A FP9300 chassis can have the following hardware components:

  • Chassis
  • Supervisor Module (SUP, Max 1 per chassis)
  • Security Module (SM, Max 3 per chassis)
  • Network Module (NM, Max 2 per chassis)

(Figure: FP9300 chassis)

A Supervisor Module has the following ports:

  • RJ45 port
  • 1G management port
  • 8*10G built-in ports

Network Modules (NM) can have the following port configuration:

  • 4*40G
  • 8*10G
  • 2*100G

(Figure: Supervisor and Network Modules, FP9300)

Supervisor Module:

The SUP attaches the Security Modules to the network.

(Figure: Supervisor Module hardware diagram, FP9300)

Security Module:

Security Modules (SM) come in two main flavours:

  1. SM-36: 2 CPUs, each with 36 cores, for a total of 72 cores; 80 Gbps
  2. SM-24: 2 CPUs, each with 24 cores, for a total of 48 cores; 60 Gbps

Each SM ships with dual 800GB SSDs in RAID-1 by default, and has a built-in Smart NIC and crypto accelerator.

(Figure: Security Module hardware diagram, FP9300)

Software:

The Supervisor Module runs the FXOS software. An FXOS agent runs on each Security Module so that the Supervisor can monitor and manage the SM.

(Figure: FP9300 software architecture)

Reference:

BRKSEC-3010 – Firepower 9300 Deep Dive (2016 Berlin)

Speaker: Andrew Ossipov – Principal Engineer, Cisco

Cisco ASA – SNMP OID List

# show snmp-server oidlist

-----------------------------------------
[0]    1.3.6.1.2.1.1.1.    sysDescr
[1]    1.3.6.1.2.1.1.2.    sysObjectID
[2]    1.3.6.1.2.1.1.3.    sysUpTime
[3]    1.3.6.1.2.1.1.4.    sysContact
[4]    1.3.6.1.2.1.1.5.    sysName
[5]    1.3.6.1.2.1.1.6.    sysLocation
[6]    1.3.6.1.2.1.1.7.    sysServices
[7]    1.3.6.1.2.1.1.8.    sysORLastChange

<Output Removed>

The hidden command above prints the list of OIDs supported by the Cisco ASA.

F5 v11.x Device Trust Group

A week ago, I was upgrading an HA F5 pair from 11.5.1 to 11.5.3 and noticed a default “device_trust_group” in sync-only mode in the GUI. I did not create it; it just showed up, and there wasn’t a way to delete it. Apparently it has always existed in the background but was only exposed in the GUI in later 11.x versions. Based on my experience, it wasn’t exposed in the GUI in 11.5.1 but was exposed in the GUI from 11.5.6.

(Figure: device_trust_group as shown in the GUI)

Reference: DevCentral

F5 Pool & Nodes

A Node is an IP address. Example: 10.10.10.10

A Pool Member is an IP Address + Port. Example: 10.10.10.10:8080

A Pool is a collection of Pool Members.

If you manage an enterprise-grade F5 infrastructure, there may come a time when you have to replace one IP address with another, or replace several IP addresses, on a single F5 or across multiple F5 devices.

This is a quick one-liner that will help you to identify all the pools that contain an IP address:

tmsh -q list ltm pool one-line | grep -E "($node_hostname|$node_ip)" | awk '{ print $3 }'

The above command should be run from “bash”, after setting node_hostname and node_ip (or substituting literal values) to the node name and address you are looking for.

Accessing F5’s bash:

root@LB1(/S1-green-P:Active)(tmos)# run util bash

[root@LB1:/S1-green-P:Active] ~ #

NOTE: “list ltm pool one-line” is available in 11.x code and not in 10.x code. The command lists each pool on a single line.

An Example:

[root@LB1:/S1-green-P:Active] ~ # tmsh -q list ltm pool one-line | grep -E '10.10.10.19' | awk '{ print $3 }'
POOL_ta_lt_http_private
POOL_ta_lt_private
POOL_ta_lt_public
POOL_ta_lt-maintainance
POOL_ta_lt-private
POOL_ta_lt-public

Reference: Devcentral – Pool

What if you want the pool member alongside the pool?

tmsh -q list ltm pool one-line | grep -E "$check:[0-9]+" | while read -r line; do myipport=$(echo "$line" | grep -oE "$check:[0-9]+"); echo "$line" | awk '{printf "%s ",$3}'; echo "$myipport "; done

In the above line, replace “$check” with the IP Address that you are checking.

[root@LB1:/S1-green-P:Active] ~ # tmsh -q list ltm pool one-line | egrep -E "10.10.10.19:[0-9]+"  | while read line; do myipport=$(echo $line | egrep -oE "10.10.10.19:[0-9]+"); echo $line | awk '{printf "%s ",$3}'; echo "$myipport "; done

POOL_ta_lt_http_private 10.10.10.19:10542 
POOL_ta_lt_public 10.10.10.19:10253 
POOL_ta_lt_maintainance 10.10.10.19:10251 
POOL_ta_lt_private 10.10.10.19:10092 
POOL_ta_lt_public 10.10.10.19:10093
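Both one-liners above hand the address to grep as a regular expression, where an unescaped dot matches any character, so 10.10.10.19 also matches a member such as 110.10.10.19:80. The script below is an added example, not from the original post: it reads the same one-line pool listing on standard input (the SAMPLE lines are constructed, not taken from a real device) and compares each member's address as an exact string instead of a pattern.

```shell
# Added example (POSIX sh), not from the original post: list the pools that
# contain a node, from "tmsh -q list ltm pool one-line" output read on stdin.
# Each member is compared as an exact string, not as a regex, so 10.10.10.19
# never matches 110.10.10.19. IPv4 members only.

# Print "POOL MEMBER" for every member of every pool that uses address $1.
pools_for_ip() {
    ip=$1
    while IFS= read -r line; do
        pool=$(printf '%s\n' "$line" | awk '{ print $3 }')      # "ltm pool <name> { ... }"
        # every ip:port token on the line, also when written as /Partition/ip:port
        for member in $(printf '%s\n' "$line" | grep -oE '[0-9]+(\.[0-9]+){3}:[0-9]+'); do
            if [ "${member%:*}" = "$ip" ]; then
                printf '%s %s\n' "$pool" "$member"
            fi
        done
    done
}

# Just the pool names, one per line, as the first one-liner produces.
pool_names_for_ip() {
    pools_for_ip "$1" | awk '{ print $1 }' | sort -u
}

# Constructed sample listing (not from a real device); the second pool holds
# 110.10.10.19, which the unescaped-dot regex in the one-liners would also match.
SAMPLE='ltm pool POOL_ta_lt_http_private { members { 10.10.10.19:10542 { address 10.10.10.19 } 10.10.10.20:10542 { address 10.10.10.20 } } monitor http }
ltm pool POOL_ta_lt_public { members { 110.10.10.19:10253 { address 110.10.10.19 } } monitor http }
ltm pool POOL_ta_lt_private { members { 10.10.10.19:10092 { address 10.10.10.19 } 10.10.10.19:10093 { address 10.10.10.19 } } monitor tcp }'

printf '%s\n' "$SAMPLE" | pools_for_ip 10.10.10.19
```

On a real device, replace the SAMPLE pipe with "tmsh -q list ltm pool one-line | pools_for_ip 10.10.10.19" from bash.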

F5 CLI Display Length

While running CLI commands on the F5, you may run into display-length issues:

(tmos.ltm)# show pool members | grep "10.10.10.10:"
Display all 158 items? (y/n) y

If you are running a script on the F5 to collect data, the "Display all xxx items? (y/n)" prompt can be a problem. We can alter the display threshold with the following command:

(/Common)(tmos)# modify cli preference pager disabled display-threshold ?

Specifies the maximum number of objects that tmsh will display without requiring a user response to the question, "Display all <number> items? (y/n)". You can specify from 0 (zero) through 4,294,967,265 objects. 0 (zero) specifies that tmsh will display any number of objects without the warning.

(/Common)(tmos)#  modify cli preference pager disabled display-threshold 0