A simple way to clear the contents of ssh key file without deleting the file:
echo -n > /home/user/.ssh/known_hostsBasic VTP
VTP stands for VLAN Trunk Protocol. VTP is used to propagate VLAN cconfiguration. VTP advertisements are multicasted. They are sent every 5 minutes or whenever there is a change in VLAN configuration. VTP revision number is included in these advertisements. Whenever a client receives a VTP advertisement with a higher revision number, the client will update its vlan configuration with the vlan information being advertised.
There are 3 modes:
- Server
- Client
- Transparent
VLAN cannot be edited on a switch operating as a client.
VLAN can be edited on a switch operating as a server. This information is propagated to the switches operating as clients.
VLAN can be edited on a switch operating in transparent mode. However, these changes are not propagated. Switches operating in transparent mode do not update their configuration based on advertisements from the switch operating in server mode. All change are local for a switch operating in transparent mode.
Basic DHCP Configuration
This is a simple DHCP configuration on a Layer 3 Switch:
SW1(config)# ip dhcp excluded-address 10.10.10.1 SW1(config)# ip dhcp pool VLAN20POOL SW1(dhcp-config)# network 10.10.10.0 255.255.255.0 SW1(dhcp-config)# default-router 10.10.10.1 SW1(dhcp-config)# lease 2
Lease is in hours. Default-router IP indicates the default hop for the 10.10.10.0/24 network. The excluded-address will not be available to the DHCP client hosts.
DHCP negotiation utilizes the following DHCP messages:
DISCOVER – Broadcast – Client to Server
OFFER – Unicast – Server to Client
REQUEST – Broadcast – Client to Server
ACK – Unicast – Server to Client
F5 GTM – DNS Query Processing Order
When a DNS query arrives at a F5 GTM/DNS, this is the processing order for the DNS query.
1 – DNS Query is processed by the Listener.
2- If Recursion Desired (RD) flag is set in the incoming query and if the DNS Profile associated with the Listener has “Process Recursion Desired” enabled, the following is done:
a. DNS iRule
b. DNSSEC Key Processing
c. DNS Express
d. DNS Profiles
3 – If Recursion Desired (RD) flag is set in the incoming query and if the DNS Profile associated with the Listener has “Process Recursion Desired” disabled, the query is considered “Un-handled” and dispatched according to “Unhanded Query Action” set in DNS Profile.
4 – DNS Cache is used to handle any DNS query that doesn’t match Big-IP GTM/DNS or DNS Express Records.
Reference: K14510
Ansible Playbook Optimizing
$ cat ansible.cfg [defaults] hostfile = ./hosts host_key_checking = False timeout = 5 log_path = ./logfile.txt forks = 50 gathering = smart [ssh_connection] pipelining = True
The above file shows the content of ansible.cfg file. I have added the following to make my playbook run faster:
forks gathering pipelining
Forks indicate the number of parallel processes spawned to communicate with remote hosts. Default forks is 5 in Ansible.
Gathering indicates the default policy for fact gathering. When “gather_facts” is True within the playbook, facts are gathered for each host. The facts associated with each host will be discovered only once even when the host is referred in multiple plays when we use “smart” within the ansible.cfg file.
Pipelining enabled will reduce the number of SSH operations required to execute a module on a remote host.
Ansible & Python 3
While using Ansible 2.2 and Python 3.x, I ran into the following error:
ERROR! Unexpected Exception: No module named 'urlparse'
Workaround:
1. Downgrade Python to 2.x
2. If there is no root level permission, use virtual env:
virtualenv --python=python2.7
Terraform in Ubuntu
I have utilized the following steps to install terraform in Ubuntu 16.04
Download Terraform for Linux 64 bit version.
Save the downloaded version in a specific folder. (Example: /home/user/terra)
Within the folder where the downloaded version is saved, use “unzip” command:
unzip terraform
Set the path:
export PATH=$PATH:/home/user/terraform
iRule HTTP Referer
This is a simple iRule that performs redirects based on HTTP Referer:
when HTTP_REQUEST {if { ([HTTP::header exists "Referer"]) and ([URI::host [HTTP::header value Referer]] eq"special.com") } { HTTP::redirect https://www.site.com/special-client/ } else { HTTP::redirect https://www.site.com/generic-client } }
Ansible Components
What?
Ansible is a simple IT automation tool. Ansible exists as CLI & GUI. GUI is called the Ansible Tower and Ansible, Inc., which is owned by RedHat, officially supports this.
Controlling Nodes:
The Network infrastructure is managed from these Controlling Nodes. In an Enterprise environment, Controlling Nodes are typically Linux bastion servers.
Managed Nodes:
Managed Nodes are the Network Devices that is being managed by the Controlling Nodes. Managed Nodes are typically of Cisco, Juniper, and Arista make and can be classified as Switches, Routers, Firewalls and Load Balancers based on their function from a Network Engineer’s perspective.
Why?
There are many automation tools like Chef, Puppet, and CFEngine but in my opinion, Ansible is suited for Network Automation for the following reasons:
- Ansible does not require an agent to be installed in the Managed Node (Network Device).
- Ansible requires Python on the Managed Node and most Network Devices support Python.
- Ansible relies on YAML as the descriptive language and Jinja2 for templates.
Among the points mentioned above, most Network Vendors do not support the installation of agents and even if they did support the installation, it would be tough to get the relevant permissions within an organization to install the agents in an Enterprise environment that has different Network Teams managing different aspects of the infrastructure.
Fortunately, most network vendors provide native support for Python and Ansible rely on this to execute automation tasks on the “Managed Nodes”.
As a Network Engineer working in an environment with significant scale (1,000s of Network Devices across multiple datacenters), Ansible has been quite useful in obtaining data and deploying configuration. Ansible seems to have widespread support among the Network Engineers seeking automation to manage at scale and there are resources online that can be leveraged to implement Network Automation Solutions.
Ansible Components
Ansible requires the following components in order to automate Network Infrastructure:
- Controlling Nodes
- Managed Nodes
- Ansible Playbook
As noted earlier, Controlling Nodes are usually Linux Bastion Servers that are used to access the switches/routers and other Network Devices. These Network Devices are referred to as the Managed Nodes. Managed Nodes are stored in the hosts file for Ansible automation.
Ansible Playbook:
Ansible Playbooks are expressed in YAML format and serve as the repository for the various tasks that will be executed on the Managed Nodes (hosts). Playbooks are a collection of tasks that will be run on one or more hosts.
Setting up Ansible:
After installing Ansible, I recommend creating a separate directory from which Ansible is executed. For this process, let’s create a directory named “AnsiblePlay”. Within the “AnsiblePlay” directory, I will have the following files:
- ansible.cfg
- hosts
and the following directories ./AnsiblePlay/
- templates
- hosts_var
Ansible Configuration File:
An Ansible Playbook utilizes the Ansible Configuration File in order to access resources required for the Ansible Playbook. For example, the configuration file stores location information for the hosts file that contains the Managed Nodes (hosts) on which the playbook is executed.
Ansible Configuration File can exist in the following locations and is utilized by the Ansible playbook in the following order.
* ANSIBLE_CONFIG (an environment variable) * ansible.cfg (in the current directory) * .ansible.cfg (in the home directory) * /etc/ansible/ansible.cfg
I would recommend creating your own Ansible configuration file in the Ansible directory. I use the following:
$ cat ansible.cfg
[defaults] hostfile = ./hosts host_key_checking=False timeout = 5
Inventory File or Hosts File:
Inventory File or Hosts File is a text file that contains the Managed Nodes (Hosts) that will be subjected to automation tasks defined in the playbook.
Inventory File can be static or dynamic. For now, the examples use static inventory files.
This is an inventory/host file example:
$ cat hosts [ios] Switch-1 Switch-2 Switch-3 Switch-4 [distro] Distro1 Distro2 [aggr] Aggr1 Aggr2
Lists: [ ]
Dictionaries: { }. Dictionary has “Key: Value” pair.
YAML – Anything is a string. Quoting strings is optional most of the times.
FACTS:
FACTS are data about the Managed Nodes. Example: Code Version running on Managed Node.
TASK:
Ansible playbook contains one or more tasks. A task makes sure that the hosts exist in a specific state. When there are multiple tasks and if any task fails, subsequent tasks will not be executed.
Idempotent:
Running a task once or multiple times is the same in terms of the final output. For example, a task that involves creating a user in the Managed Node will create the user only once no matter how many times the task is executed.
F5 Logs
F5 logs are available under /var/log/ directory.
If you are looking for LTM traffic related logs, look under /var/log/ltm
If you are looking for GTM traffic related logs, look under /var/log/gtm
GTM has been renamed as DNS from 12.x code version.
The logs are rotated every 24 hours. There will be one ltm file that contains the latest logs and multiple ltm.gz files like: ltm.1.gz, ltm.2.gz etc. The ltm.1.gz files can be opened by using the following command: zcat ltm.1.gz
(tmos)# run util bash ~# cd /var/log ~# cat ltm
Other such logs are outlined in this article – K16197