EXOS Editor

On the CLI, use the edit command to view or change a policy or script file. For example, edit script newvlan.xsf and put a single line in it that creates a VLAN (create vlan yellow). Running run script newvlan.xsf then executes that line and creates the VLAN.

Press Ctrl & D, then type ":" to get the editor command prompt: :q! quits without saving and :wq! saves the modified file.

It is also possible to save the running configuration as a script so it can be replayed later, possibly with a small alteration, using save configuration as-script config.xsf (and view the result with the edit command). A script saved this way contains everything in the running configuration, including account and SNMP community settings, so protect it as carefully as the configuration itself.

Use show configuration to view the running configuration. Adding the difference parameter and the names of two configuration files compares them, and the detail option shows the factory defaults alongside the new configuration.

Copy all text from XMC device terminal

XMC can connect directly to a device using the stored CLI Credentials, but the web terminal is awkward when you want to select text from it. The following is a way to select all the text from the top to the bottom of the screen.

Open a terminal to a switch and capture the show running config output. Doing this manually means scrolling down the screen, which is a real pain.

Instead, click the mouse at the top of the text, press Ctrl + Shift and select a few lines. While still holding Ctrl + Shift, use the scroll bar to go right to the bottom, click at the bottom of the screen and then press "c". The text is now in the clipboard and can be pasted elsewhere.

Adding new username to XMC

Check the existing usernames on the Linux server before and after:

awk -F: '{print $1}' /etc/passwd

Add a new username:

useradd -m <newadmin>

passwd <newadmin>

Enter the password twice.

useradd -m creates a full local account with a home directory and the distribution's default login shell, so this user can also log in to the server itself; apply the same password strength and review expectations you would for any other server account.

Add the same username in XMC under Administration > Users and associate it with the NetSight Administration group.

Log out of XMC and test logging in with the new username.

https://extremeportal.force.com/ExtrArticleDetail?an=000077421&q=netsight%20user

ECIQ Configuration Failed

Reasons for configuration download failures vary. Hover over the error message and it will show the reason for the failure.

When completing device templates, make sure the syntax and text are permitted by the target operating system.

For example, EXOS restricts the characters allowed in sysLocation, so if the SNMP Location field in the template contains illegal characters the download will fail.

The string was tested on the CLI to confirm which characters are valid. In the case below the apostrophe is not a valid character:

* EXOS-VM.12 # configure snmp syslocation "myhouse's"
ERROR : Invalid characters are used in sysLocation.
Allowed characters: A-Z, a-z, 0-9, +-@_.,:;()/[]
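
As an added example (not from this page, ECIQ or Extreme), here is a small POSIX shell pre-flight check that can be run over a template value before it is pushed, built from the allowed-character list in the error above. The only assumption is that list exactly as printed: it contains no space, so a value such as "my house" is rejected by this check as well; confirm that against your own EXOS release before relying on it for values containing spaces.

```shell
#!/bin/sh
# Pre-flight check for an SNMP sysLocation value destined for an EXOS device
# template. Added example; the allowed set is copied from the CLI error
# message above: A-Z a-z 0-9 + - @ _ . , : ; ( ) / [ ]
# The set as printed contains no space, so "my house" is rejected here too;
# verify that on your EXOS release (assumption, not confirmed by the page).

# tr(1) set of allowed characters: ']' is literal outside a [:class:],
# '[' is literal unless it opens [:class:] or [=e=], and a trailing '-' is literal.
SYSLOCATION_ALLOWED=']A-Za-z0-9+@_.,:;()/[-'

# Print every character of $1 that EXOS would reject, in order of appearance
# (empty output means the string is clean).
bad_syslocation_chars() {
    printf '%s' "$1" | tr -d "$SYSLOCATION_ALLOWED"
}

# Return 0 when $1 is non-empty and consists only of allowed characters.
# The byte count is used rather than testing the substitution result directly
# so that an embedded newline (which $(...) would strip) still counts as rejected.
valid_syslocation() {
    [ -n "$1" ] || return 1
    [ "$(bad_syslocation_chars "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Check a value and name the offending characters, which the ECIQ hover text does not.
check_syslocation() {
    if valid_syslocation "$1"; then
        printf 'OK: %s\n' "$1"
    else
        printf 'REJECT: "%s" contains disallowed character(s): %s\n' "$1" "$(bad_syslocation_chars "$1")"
        return 1
    fi
}

# Constructed sample values for stand-alone use.
check_syslocation 'DC1/Row2/Rack-3[U12]'
check_syslocation "myhouse's" || true
```

Run the check over every free-text SNMP field in a template (sysLocation here; sysContact and sysName have their own rules on EXOS, so confirm those separately) before the template is applied to a batch of devices.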

EXOS Link-Local IP

Link-Local addressing (subnet 169.254.x.x) allows a host to automatically and predictably derive a non-routable IP address for IP communication over an Ethernet link.

By configuring the Ethernet management port "just out of the box" with such an address, a user can connect a laptop directly to the management Ethernet port. If the laptop is not configured with a fixed IP address, it tries to get an address from a DHCP server; if it cannot, it assigns itself a Link-Local address, putting the switch and the laptop on the same subnet. The laptop can then use Telnet or a web browser to reach the switch, removing the need for a serial cable.

The address format is chosen to make it simple to work out the switch's IP address: the lower 2 bytes of the MAC address become the last two numbers of the Link-Local IPv4 address.

• MAC address: 00:04:96:97:E9:EE
• Link-Local IP address: 169.254.233.238 or 0xa9fee9ee

Web browsers accept a hexadecimal value as an IPv4 address (Microsoft IE displays the URL in dotted notation as 169.254.233.238).

The web URL is http://0xa9fee9ee or just 0xa9fee9ee. The user documentation directs the customer to type 0xa9fe followed by the last two number/letter groups of the MAC address printed on the switch label, so no hexadecimal translation is required.

With this information you can connect a laptop Ethernet port directly to the switch using the temporary Link-Local address and perform the initial configuration over web or Telnet without a serial cable. Remember that anyone who can plug into the management port can do the same, so set the admin password and move to SSH (enable ssh2, disable telnet) as part of that first session.
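
The derivation above, as an added POSIX shell example (not Extreme's code or documentation): it applies the formula given in the text (169.254 plus the low 2 bytes of the MAC) and prints both the dotted address and the 0xa9fe... form that can be typed straight into a browser. The separator handling (colon, dash or dotted MAC notation) is my addition; the page only shows the colon form.

```shell
#!/bin/sh
# Work out the out-of-the-box Link-Local address of an EXOS switch from the MAC
# on its label. Added example, not Extreme's code: it applies the formula given
# above (169.254 + low 2 bytes of the MAC) and prints both the dotted form and
# the 0xa9fe... hex form that can be typed straight into a browser.

# Print "dotted hex" for a MAC given as 00:04:96:97:E9:EE, 00-04-96-97-e9-ee
# or 0004.9697.e9ee. Returns 1 for anything that is not 12 hex digits.
mac_to_linklocal() {
    # Strip separators and upper-case; what is left must be exactly 12 hex digits.
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'abcdef' 'ABCDEF')
    case "$hex" in
        ????????????) ;;                                     # exactly 12 characters
        *) printf 'invalid MAC: %s\n' "$1" >&2; return 1 ;;
    esac
    case "$hex" in
        *[!0-9A-F]*) printf 'invalid MAC: %s\n' "$1" >&2; return 1 ;;
    esac
    lo=$(printf '%s' "$hex" | cut -c9-12)      # bytes 5 and 6 of the MAC, as on the label
    b5=$(printf '%s' "$lo" | cut -c1-2)
    b6=$(printf '%s' "$lo" | cut -c3-4)
    # Dotted form needs decimal octets; the browser form is just 0xa9fe + the two label groups.
    printf '169.254.%d.%d 0xa9fe%s\n' "$((0x$b5))" "$((0x$b6))" "$(printf '%s' "$lo" | tr 'ABCDEF' 'abcdef')"
}

# The URL to type into the browser, as the documentation note above describes.
linklocal_url() {
    out=$(mac_to_linklocal "$1") || return 1
    printf 'http://%s\n' "${out#* }"
}

# Constructed sample: the MAC used in the text above.
mac_to_linklocal 00:04:96:97:E9:EE
linklocal_url 00:04:96:97:E9:EE
```

Because the address is derived purely from the MAC, anyone who can read the label (or sniff the MAC on the management segment) knows the address; that is convenient for first-time setup and exactly why the temporary address should only be relied on until a real management address and credentials are configured.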

Ansible Tags

Placing tags on tasks inside a playbook allows you to run only selected tasks from it.

Tip: The same tag can be reused on more than one task. The example below uses a different tag on each task so they can be run separately.

$ cat hello.yml
- name: Tags
  hosts: localhost
  tasks:
    - name: Debug Module Message One
      debug:
        msg:
          - "Welcome One!"
      tags: one

    - name: Debug Module Message Two
      debug:
        msg:
          - "Welcome Two!"
      tags: two

Run only the task tagged two:

$ ansible-playbook hello.yml --tags two

PLAY [Tags] *****

TASK [Gathering Facts] *****
ok: [localhost]

TASK [Debug Module Message Two] *****
ok: [localhost] => {
    "msg": [
        "Welcome Two!"
    ]
}

PLAY RECAP *****
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Note that Gathering Facts still ran even though no tag selected it: the implicit fact-gathering task is tagged always, so it is only left out with gather_facts: false on the play or --skip-tags always on the command line.

Remove and Reinstall Cygwin

Maybe the time has come to remove Cygwin to free up space or to start over. Cygwin does not ship an uninstaller, but removal can be done manually. Run the commands from the parent directory of the installation (normally C:\), because they refer to the cygwin64 folder by relative name:

  1. Open a command prompt with administrator privileges
  2. Type takeown /r /d y /f cygwin64
  3. Type icacls cygwin64 /t /grant everyone:f
  4. Type rmdir /s /q cygwin64
  5. In Regedit, delete HKEY_CURRENT_USER\Software\Cygwin
  6. In Regedit, delete HKEY_LOCAL_MACHINE\SOFTWARE\Cygwin
  7. Delete the shortcut on the desktop
  8. Restart

Steps 2 and 3 take ownership of, and grant Everyone full control over, the whole tree purely so that step 4 can delete it; never run them against a directory you intend to keep.

Download the latest setup-x86_64 and run it. Do not install everything! Start by installing only 'gcc-core', 'make', 'openssl', 'openssh', 'vim' and 'python3.8'. Also include 'python3.8-crypto', which will save you a lot of pain when adding packages with pip3 that depend on the cryptography package. It is easy to go down a rat hole when a dependency fails, and it is disheartening when a lot of red messages appear on screen. There are times you need to use the Cygwin setup program, rather than pip, to install specific packages.

Open a Cygwin terminal and type python; this should start a Python 3.8 shell.

Cygwin Virtualenv

Over time the number of installed Python packages becomes too high to understand their dependencies on each other. I tried to add a package and changed my environment in a way that lost the list of previously installed packages. Rather than go into detail, all I can say is that it was a lesson learnt.

Because fixing such an issue is sometimes difficult and time consuming, I wanted a virtual environment in Cygwin so I could develop new applications without impacting my normal day-to-day setup.

Here are the steps I used to create a virtual environment in Cygwin:

  1. Check which pip matches the Python version you use (pip3 --version shows the interpreter it belongs to).
  2. pip3 install virtualenv
  3. mkdir PythonApp
  4. cd PythonApp
  5. virtualenv PythonAppVenv
  6. Check that the new environment folder PythonAppVenv was created inside the PythonApp folder
  7. Activate the virtual environment with source PythonAppVenv/bin/activate
  8. (PythonAppVenv) should appear at the left of the prompt
  9. Check that the package list differs from the normal one with pip3 list
  10. Install a new package; it is added only to the virtual environment
  11. Check the PythonAppVenv/lib/python3.8/site-packages folder or type pip3 list
  12. Once you are finished, deactivate the virtual environment with the command deactivate

Filter ACL on VOSS

The following GNS3 simulation was used to validate a security ACL on VOSS. The goal is to allow only a range of, or specific, IPs to communicate with a specific remote IP, and to deny the other IPs in the same VLAN subnet from communicating with any IP inside or outside the VLAN.

# Filter Configuration

filter acl 101 type inVlan name "In vlan 101"
filter acl set 101 default-action deny
filter acl vlan 101 101

filter acl ace 101 1 name "arp req"
filter acl ace action 101 1 permit count
filter acl ace ethernet 101 1 ether-type eq arp
filter acl ace arp 101 1 operation eq arprequest
filter acl ace 101 1 enable

filter acl ace 101 2 name "arp resp"
filter acl ace action 101 2 permit count
filter acl ace ethernet 101 2 ether-type eq arp
filter acl ace arp 101 2 operation eq arpresponse
filter acl ace 101 2 enable

filter acl ace 101 3 name "192.168.101.10 to 192.168.101.20"
filter acl ace action 101 3 permit count
filter acl ace ethernet 101 3 ether-type eq ip
filter acl ace ip 101 3 src-ip eq 192.168.101.10
filter acl ace ip 101 3 dst-ip eq 192.168.101.20
filter acl ace 101 3 enable

filter acl ace 101 4 name "192.168.101.20 to 192.168.101.10"
filter acl ace action 101 4 permit count
filter acl ace ethernet 101 4 ether-type eq ip
filter acl ace ip 101 4 src-ip eq 192.168.101.20
filter acl ace ip 101 4 dst-ip eq 192.168.101.10
filter acl ace 101 4 enable

filter acl ace 101 5 name "Dst IP 10.10.10.1"
filter acl ace action 101 5 permit count
filter acl ace ethernet 101 5 ether-type eq ip
filter acl ace ip 101 5 dst-ip eq 10.10.10.1
filter acl ace 101 5 enable

filter acl ace 101 6 name "VLAN 190 Subnet"
filter acl ace action 101 6 deny count
filter acl ace ethernet 101 6 ether-type eq ip
filter acl ace ip 101 6 src-ip mask 192.168.101.0 24
filter acl ace 101 6 enable

How the ACEs combine: ACEs 1 and 2 permit ARP requests and replies, without which the permitted hosts could not resolve each other or the gateway MAC at all. ACEs 3 and 4 permit the 192.168.101.10 / 192.168.101.20 pair in both directions. ACE 5 matches on destination only, so every host in the VLAN, not just the two above, can reach 10.10.10.1; add a src-ip match to it if only specific hosts should. ACE 6 explicitly denies, and counts, any other IP traffic sourced from 192.168.101.0/24, and default-action deny catches whatever remains. The count keyword on each action is what makes the test results below measurable, since every ACE hit is counted.

[Figure: GNS3 Lab Setup for Filter Test]

[Table: Test Criteria / Outcome (not reproduced)]

Creating a VRF in VOSS

Assume you want to segment part of your network into its own isolated piece by using a VRF. How would you do this with VOSS?

ip vrf itstaff vrfid 1
vlan create 999 name "ITStaff" type port-mstprstp 0
vlan members add 999 1/8
interface vlan 999
  vrf itstaff
  ip address 192.168.99.2 255.255.255.0
exit

The VRF is assigned to the interface before the IP address is added. VRF "itstaff" now contains VLAN 999 (named "ITStaff"), the only VLAN created in the VRF so far, and the VRF has its own routing table separate from the GRT:

VSP-1100:1(config)#show ip route vrf itstaff
************************************************************************************
Command Execution Time: Fri Apr 09 09:46:41 2021 UTC
************************************************************************************
=====================================================================================================
                                      IP Route - VRF itstaff
=====================================================================================================
                                                    NH                INTER
     DST            MASK           NEXT          VRF/ISID   COST   FACE    PROT   AGE   TYPE   PRF
-----------------------------------------------------------------------------------------------------
192.168.99.0   255.255.255.0   192.168.99.2       -         1      999     LOC    0     DB     0

1 out of 1 Total Num of Route Entries, 1 Total Num of Dest Networks displayed.
-----------------------------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route,
U=Unresolved Route, N=Not in HW, F=Replaced by FTN, V=IPVPN Route, S=SPBM Route
PROTOCOL Legend:
v=Inter-VRF route redistributed
VSP-1100:1(config)#

Note: To test connectivity from the CLI with ping or traceroute, remember to specify the VRF on the command line (for example ping 192.168.99.1 vrf itstaff); otherwise the command uses the GRT and the result will not be what you expect.