Redirecting incoming traffic using advanced filters

Sometimes you need to send traffic over an alternative path before committing to it, for example to test and monitor a specific application. In VOSS this can be done with an ACL that matches on source and destination and redirects the traffic to a next-hop, overriding the routes in the GRT.

Below is an example filter, which I tested on a VSP VM in GNS3, that redirects traffic from source IP 10.10.10.10 to destination IP 30.30.30.30 via a next-hop of 20.20.20.20. I verified that it works using the statistics on the ACL and Wireshark on the outbound link in the topology.

filter acl 1 type inVlan
filter acl vlan 1 10
filter acl ace 1 100
filter acl ace action 1 100 permit redirect-next-hop 20.20.20.20
filter acl ace action 1 100 permit count
filter acl ace ethernet 1 100 ether-type eq ip
filter acl ace ip 1 100 src-ip eq 10.10.10.10
filter acl ace ip 1 100 dst-ip eq 30.30.30.30
filter acl ace 1 100 enable

Changing SNMP strings in VOSS

VSP:1>enable
VSP:1#config t
Enter configuration commands, one per line. End with CNTL/Z.
VSP:1(config)#no snmp-server community public
VSP:1(config)#no snmp-server community private
VSP:1(config)#snmp-server community ExtremeRead group readgrp index first secname readview
VSP:1(config)#snmp-server community ExtremeWrite group v1v2grp index second secname initialview

Netmiko Running-Config

from netmiko import ConnectHandler

# Connection details for the lab VSP (Netmiko device_type 'extreme_vsp')
voss1 = {'device_type': 'extreme_vsp', 'host': '192.168.1.11', 'username': 'rwa', 'password': 'rwa'}
net_connect = ConnectHandler(**voss1)
net_connect.find_prompt()
net_connect.enable()
# Disable paging so the whole running-config comes back in one response
net_connect.send_command('terminal more disable')
output = net_connect.send_command('show run')
print(output)
net_connect.send_command('terminal more enable')
net_connect.disconnect()
# Save the running-config to a file named after the host, e.g. switch192.168.1.11
with open('switch' + voss1['host'], 'w') as savedoutput:
    savedoutput.write(output)

Parsing Running Configs

https://pypi.org/project/ciscoconfparse/

Example 1:
from ciscoconfparse import CiscoConfParse
parse = CiscoConfParse('voss1run.log', syntax='ios')
# Print every interface GigabitEthernet stanza found in the saved running-config
for intf_obj in parse.find_objects(r'^interface GigabitEthernet'):
    print("Interfaces: " + intf_obj.text)
# Output:
# Interfaces: interface GigabitEthernet 1/1
# Interfaces: interface GigabitEthernet 1/8
Example 2:
from ciscoconfparse import CiscoConfParse
parse = CiscoConfParse('exampleswitch.conf', syntax='ios')
# The VOSS hostname is set with "prompt <name>", so take the first prompt line
global_obj = parse.find_objects(r'^prompt')[0]
hostname = global_obj.re_match_typed(r'^prompt\s+(\S+)', default='')
print(hostname)
# Output (the quotes are part of the configured prompt):
# "VOSS1"
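As an added example (not from the original post, and not ciscoconfparse's own code), here is a stdlib-only audit of a VOSS running-config that ties the parsing section to the two earlier ones: it extracts the prompt, flags SNMP community strings still at the defaults that the SNMP section removes, and lists any ACL ACEs that redirect traffic to a next-hop like the filter at the top of the page. The sample config, the helper names and the set of default community strings are my own constructions.

```python
import re

# Constructed sample running-config (not captured from a real switch); it
# reuses the prompt, SNMP and ACL commands shown elsewhere on this page.
SAMPLE_CONFIG = """\
prompt "VOSS1"
snmp-server community public group readgrp index first secname readview
snmp-server community ExtremeWrite group v1v2grp index second secname initialview
filter acl 1 type inVlan
filter acl vlan 1 10
filter acl ace 1 100
filter acl ace action 1 100 permit redirect-next-hop 20.20.20.20
filter acl ace action 1 100 permit count
filter acl ace ethernet 1 100 ether-type eq ip
filter acl ace ip 1 100 src-ip eq 10.10.10.10
filter acl ace ip 1 100 dst-ip eq 30.30.30.30
filter acl ace 1 100 enable
"""

# Well-known default community strings that the SNMP section removes.
DEFAULT_COMMUNITIES = {"public", "private"}


def get_prompt(config):
    """Return the configured prompt (hostname) without surrounding quotes, or None."""
    m = re.search(r'^prompt\s+"?([^"\s]+)"?', config, re.MULTILINE)
    return m.group(1) if m else None


def find_default_communities(config):
    """Return SNMP community strings in the config that are still the defaults."""
    names = re.findall(r"^snmp-server community (\S+)", config, re.MULTILINE)
    return sorted(n for n in names if n.lower() in DEFAULT_COMMUNITIES)


def find_redirect_aces(config):
    """Map (acl, ace) -> details for every ACE that redirects traffic to a next-hop."""
    aces = {}
    # 1. the action lines tell us which ACEs redirect and where
    for acl, ace, nh in re.findall(
        r"^filter acl ace action (\d+) (\d+) permit redirect-next-hop (\S+)", config, re.M
    ):
        aces[(int(acl), int(ace))] = {"next_hop": nh, "src": None, "dst": None, "enabled": False}
    # 2. attach the matched source / destination addresses
    for acl, ace, field, value in re.findall(
        r"^filter acl ace ip (\d+) (\d+) (src-ip|dst-ip) eq (\S+)", config, re.M
    ):
        key = (int(acl), int(ace))
        if key in aces:
            aces[key]["src" if field == "src-ip" else "dst"] = value
    # 3. an ACE only takes effect once it is enabled
    for acl, ace in re.findall(r"^filter acl ace (\d+) (\d+) enable$", config, re.M):
        key = (int(acl), int(ace))
        if key in aces:
            aces[key]["enabled"] = True
    return aces


if __name__ == "__main__":
    print("prompt:", get_prompt(SAMPLE_CONFIG))
    print("default SNMP communities still present:", find_default_communities(SAMPLE_CONFIG))
    for (acl, ace), info in find_redirect_aces(SAMPLE_CONFIG).items():
        state = "enabled" if info["enabled"] else "disabled"
        print(f"acl {acl} ace {ace}: {info['src']} -> {info['dst']} via {info['next_hop']} ({state})")
```

Point it at the file written by the Netmiko script above to run the same checks against a real capture.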

Ansible and Templates

Building configuration files from a template…

VOSS.J2

prompt {{ item.value.hostname }}
boot config flags tftpd
{% if item.value.sflow_enable %}
sflow agent-ip 192.168.211.10
sflow enable
{% endif %}
###
Playbook…

- name: Template Looping
  hosts: localhost
  vars:
    voss_devices: {
      "vsp1": {
        "hostname": "vsp1",
        "sflow_enable": True
      },
      "vsp2": {
        "hostname": "vsp2",
        "sflow_enable": False
      }
    }
  tasks:
    - name: create switch config file
      template:
        src: /cygdrive/c/cygwin64/bin/voss.j2
        dest: /cygdrive/c/cygwin64/bin/{{ item.key }}.config
      with_dict: "{{ voss_devices }}"

-bash-4.4$ cat vsp1.config
prompt vsp1
boot config flags tftpd
sflow agent-ip 192.168.211.10
sflow enable
-bash-4.4$ cat vsp2.config
prompt vsp2
boot config flags tftpd
-bash-4.4$

Ansible and VOSS

This took me some time to get to work using Windows / Cygwin and my GNS3 VOSS simulated switch.

I struggled with getting Ansible + SSH to work from within Cygwin using key based authentication. But I wanted to test Ansible and Ansible-Playbook against VOSS so I persevered with simple user and password authentication which I got to work using a combination of files (ansible.cfg, inventory file = hosts and a test.yml file to run a single show command and display the output).

Hosts file

-bash-4.4$ cat ./inventory/hosts
[voss]
192.168.211.10
[voss:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
ansible_network_os=voss
ansible_connection=network_cli
ansible_ssh_pass=rwa

Ansible.cfg

-bash-4.4$ cat ansible.cfg
[defaults]
inventory = inventory
host_key_checking = False
[ssh_connection]
ansible_connection=network_cli
ssh_args = -o ControlMaster=no

Both host_key_checking = False and the StrictHostKeyChecking=no SSH option switch off SSH host key verification, which is what lets the lab connect without a pre-populated known_hosts file; outside the lab, keep both at their defaults and add the switches' host keys to known_hosts instead.

The first stage was to get a 'Pong' response to my 'Ping':

-bash-4.4$ ansible -i ./inventory/hosts voss -u rwa -m ping -c network_cli -e ansible_network_os=voss

192.168.211.10 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

Next, I wanted to run Ansible which would login to the switch and run a simple command:

-bash-4.4$ ansible -i ./inventory/hosts voss -u rwa -m voss_command -a "commands='show clock'"

192.168.211.10 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "stdout": [
        "Sat Jun 13 13:02:15 2020 UTC"
    ],
    "stdout_lines": [
        [
            "Sat Jun 13 13:02:15 2020 UTC"
        ]
    ]
}

Now that Ansible could log in and carry out a task, I moved the task into a playbook:

-bash-4.4$ cat test.yml

- hosts: voss
  tasks:
    - name: run show clock on remote devices
      voss_command:
        commands: show clock
      register: output
    - name: show output
      debug:
        var: output
-bash-4.4$ ansible-playbook test.yml
PLAY [voss] *********************************************************************
TASK [Gathering Facts] **********************************************************
ok: [192.168.211.10]
TASK [run show clock on remote devices] *****************************************
ok: [192.168.211.10]
TASK [show output] **************************************************************
ok: [192.168.211.10] => {
    "output": {
        "changed": false,
        "failed": false,
        "stdout": [
            "Sat Jun 13 15:00:37 2020 UTC"
        ],
        "stdout_lines": [
            [
                "Sat Jun 13 15:00:37 2020 UTC"
            ]
        ]
    }
}
PLAY RECAP **********************************************************************
192.168.211.10             : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
Checking stdout for a string…

- hosts: voss
  gather_facts: false
  tasks:
    - name: show run pipe prompt
      voss_command:
        commands:
          - enable
          - show run | i prompt
      register: output
    - name: show output
      when: output.stdout is search('VOSS1')
      debug:
        msg: '{{ output.stdout.1 }}'
###
Output snippet includes…
TASK [show output] *************************************************************
ok: [192.168.211.10] => {
    "msg": "prompt \"VOSS1\""
}
###
Add VLANs…

- hosts: voss
  gather_facts: false
  vars:
    vlan_numbers: [100, 200]
  tasks:
    - name: add vlans
      voss_config:
        commands:
          - vlan create {{ item }} type port-mstprstp 0
      with_items: "{{ vlan_numbers }}"
      become: yes
      register: output
###
-bash-4.4$ ansible-playbook test3.yml
PLAY [voss] ********************************************************************
TASK [add vlans] ***************************************************************
changed: [192.168.211.10] => (item=100)
changed: [192.168.211.10] => (item=200)
PLAY RECAP *********************************************************************
192.168.211.10             : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
###
VOSS1:1#show vlan basic | i '100'
100   VLAN-100         byPort       0       none         N/A             N/A             0
VOSS1:1#show vlan basic | i '200'
200   VLAN-200         byPort       0       none         N/A             N/A             0
###
Looping over a dictionary…

- hosts: voss
  gather_facts: false
  vars:
    vlans: {
      "100": {"description": "floor1", "ip": "1.1.1.1"},
      "200": {"description": "floor2", "ip": "1.1.2.1"}
    }
  tasks:
    - name: add vlans
      voss_config:
        commands:
          - vlan create {{ item.key }} type port-mstprstp 0
      with_dict: "{{ vlans }}"
      become: yes
    - name: configure vlans
      voss_config:
        commands:
          - ip address {{ item.value.ip }}/24
        parents: interface vlan {{ item.key }}
      with_dict: "{{ vlans }}"
      become: yes
    - name: name vlans
      voss_config:
        commands:
          - vlan name {{ item.key }} {{ item.value.description }}
      with_dict: "{{ vlans }}"
      become: yes

###
Create a results folder and write results to a file using each host in the filename.

$ cat playbook1.yml

- name: "Play 1: Capture sys-info"
  hosts: routers
  connection: network_cli
  tasks:
    - name: "Task 1: Show sys-info"
      voss_command:
        commands: show sys-info
      register: result
    - name: "Task 2: Print output"
      debug:
        msg: "{{ result }}"
    - name: "Task 3: Create files folder"
      file:
        path: "outputs"
        state: directory
      run_once: true
    - name: "Task 4: Write stdout to file"
      copy:
        content: "{{ result.stdout[0] }}\n"
        dest: "outputs/{{ inventory_hostname }}.txt"

###
Auditing VSP and ERS switches (show commands)

VOSS (VSP)

The following CLI commands were used to gather information from the VOSS switches in the network:

terminal more disable

# CONFIGURATION, SERVERS, LICENSE and TECH

show running-config

show boot config flags

show ntp

show ntp server

show ntp statistics

show license

show web-server

show sys setting

show tech

# SNMP

show snmplog

show snmp-server

show snmp-server community

show snmp-server host

# RADIUS

show radius

show radius snmp

show radius reachability

show radius-server

show radius-server statistics

# KHI

show khi performance cpu

show khi performance memory

show khi performance buffer-pool

# QOS and RESOURCES

show filter acl statistics

show filter acl statistics all

show sys mgid-usage

show sys stats ipmc-threshold-exceeded-cnt

show qos cosq-stats cpu-port

show qos cosq-stats interface

show qos 802.1p-override

show qos egressmap

show qos ingressmap

show qos queue-profile

show qos rate-limiting interface gigabitEthernet

show qos shaper interface gigabitEthernet

# HARDWARE and SOFTWARE

show software

show software detail

show sys-info card

show sys-info temperature

show sys-info fan

show sys-info power

show sys-info uboot

show sys software

show sys power

show sys power power-supply

show alarm database

show alarm statistics

# TOPOLOGY

show autotopology nmm-table

# LLDP

show lldp

show lldp local-sys-data

show lldp port

show lldp neighbor

show lldp stats

# IPv4 ARP and ROUTE

show ip interface vrfids 0-512

show ip arp vrfids 0-512

show ip vrf

show ip vrf max-routes

show ip route count-summary vrfids 0-512

show ip route vrfids 0-512

show ip route alternative vrfids 0-512

show interfaces gigabitethernet vrfs

show interfaces vlan vrfs

# IPv6 INFO

show ipv6 address interface

# VRRP

show ip vrrp vrfids 0-512

show ip vrrp interface vrfids 0-512

show ip vrrp address vrfids 0-512

# RSMLT

show ip rsmlt vrfids 0-512

show ip rsmlt edge-support

# MSTP

show spanning-tree mstp config

show spanning-tree mstp status

show spanning-tree mstp msti config

show spanning-tree mstp statistics

# SLPP

show slpp

show slpp interface gigabitEthernet

# INTERFACES

show interfaces gigabitEthernet channelize

show interfaces gigabitEthernet private-vlan

show interfaces gigabitEthernet rate-limit

show interfaces gigabitEthernet shape

show interfaces gigabitEthernet high-secure

show interfaces gigabitEthernet statistics

show interfaces gigabitEthernet statistics dhcp-relay

show interfaces gigabitEthernet statistics lacp

show interfaces gigabitEthernet statistics rate-limiting

show interfaces gigabitEthernet statistics rmon

show interfaces gigabitEthernet statistics verbose

show interfaces gigabitEthernet error

show interfaces gigabitEthernet error verbose

show interfaces gigabitEthernet error collision

# VLAN

show vlan name

show port vlans

# MLT, SMLT and IST

show mlt

show mlt error main

show mlt stats

show smlt mlt

show virtual-ist

show virtual-ist stat

# LACP

show lacp

show lacp interface

# VLACP

show vlacp

show vlacp interface gigabitethernet

# RIP

show ip rip vrfids 0-512

# OSPF

show ip ospf vrfids 0-512

show ip ospf area vrfids 0-512

show ip ospf authentication interface vlan

show ip ospf ifstats vrfids 0-512

show ip ospf interface vrfids 0-512

show ip ospf neighbor vrfids 0-512

show ip ospf stats vrfids 0-512

# BGP

show ip bgp aggregates vrfids 0-512

show ip bgp conf vrfids 0-512

show ip bgp neighbors vrfids 0-512

show ip bgp networks vrfids 0-512

show ip bgp peer-group vrfids 0-512

show ip bgp redistributed-routes vrfids 0-512

show ip bgp route vrfids 0-512

show ip bgp stats vrfids 0-512

show ip bgp summary vrfids 0-512

# MROUTE

show ip mroute hw-resource-usage vrfids 0-512

show ip mroute interface vrfids 0-512

show ip mroute route vrfids 0-512

show ip mroute next-hop vrfids 0-512

show ip mroute static-source-group

# IGMP

show ip igmp interface vrfids 0-512

show ip igmp group vrfids 0-512

show ip igmp cache vrfids 0-512

show ip igmp sender vrfids 0-512

show ip igmp snooping vrfids 0-512

show ip igmp snoop-trace vrfids 0-512

show ip igmp static vrfids 0-512

show ip igmp stream-limit interface vrfids 0-512

show ip igmp sys vrfids 0-512

# SPBM

show spbm

show isis

show isis area

show isis manual-area

show isis system-id

show isis net

show isis interface

show isis adjacencies

show isis statistics

show isis spb-mcast-summary

show isis logical-interface

show isis int-l1-cntl-pkts

# SPBm

show isis spbm

show isis spbm nick-name

show isis spbm unicast-tree 4051

show isis spbm unicast-tree 4052

show isis spbm ip-unicast-fib

show isis spbm i-sid all

show isis spbm unicast-fib

show isis spbm unicast-fib summary

show isis spbm multicast-fib summary

show isis spbm ip-multicast-route

show isis spbm ip-multicast-route group 239.255.255.250

show cfm maintenance-endpoint

show vlan i-sid

show ip ipvpn vrfids 1-512

# FA

show fa

show fa interface

# PLUGGABLE

show pluggable-optical-modules basic

show pluggable-optical-modules detail

# DIRECTORY

dir /intflash -l -r

#END

terminal more enable

###############################################################

BOSS (ERS)

The following CLI commands were used to gather information from the BOSS stacks:

terminal length 0

terminal width 132

# CONFIGURATION, SERVERS, LICENSE and TECH

show cpu-utilization

show running-config

show sntp

show logging config

show autosave

show stack health

show stack forced-mode

show ssh global

show license all

show tech

# SNMP

show snmp-server

show snmp-server host

# RADIUS

show radius reachability

show radius use-management-ip

show radius-server

# KHI

show cpu-utilization

show environmental

# QOS and RESOURCES

show qos acl-assign

show qos diag

show qos queue-set

show qos queue-set-assignment

show qos queue-statistics

show qos queue-statistics non-zero

show qos egressmap

show qos ingressmap

show qos classifier

show qos classifier-block

show qos action all

show qos agent

show qos if-group

show qos if-assign

show qos traffic-profile

show qos traffic-profile interface

show qos capability shaper

show qos if-queue-shaper

show qos if-shaper

show qos capability meter

show qos policy

show qos port ALL

show rate-limit

# HARDWARE and SOFTWARE

show memory-utilization

show nvram block

show port-mirroring

show boot image

show interfaces gbic-info

show flash history

show flash history unit 2

show flash history unit 3

show flash history unit 4

show flash history unit 5

show flash history unit 6

show flash history unit 7

show flash history unit 8

# STACKING INFO

show stack-info

show stack-info uptime

show stack-monitor

show stack auto-unit-replacement-image

show stack port-statistics

show stack port-statistics unit 2

show stack port-statistics unit 3

show stack port-statistics unit 4

show stack port-statistics unit 5

show stack port-statistics unit 6

show stack port-statistics unit 7

show stack port-statistics unit 8

# TOPOLOGY

show autotopology nmm-table

# LLDP

show lldp

show lldp local-sys-data

show lldp mgmt-sys-data

show lldp neighbor

show lldp stats

# IP

show ip

show ip routing

show route-map

show ipmgr

show arp

show arp-table

show ip ipfix

show brouter

show ip directed-broadcast

show ip mgmt route

show ip arp-proxy interface

show ip arp-inspection

# MLT, SMLT, SLT and IST

show mlt

# DHCP

show ip dhcp-relay fwd-path

show ip dhcp-relay counters

show vlan dhcp-relay

show ip dhcp client lease

# IGMP

show ip igmp interface

show ip igmp group

show ip igmp snooping

# RIP

show ip rip

# OSPF

show ip ospf

# LACP

show lacp system

show lacp stats

show lacp port

# VLACP

show vlacp

show vlacp interface

# VLAN

show vlan ip

show auto-pvid

show vlan configcontrol

show vlan summary

show vlan interface vids

show vlan interface info

show mac-address-table

# INTERFACES

show port-statistics

# STP

show spanning-tree mode

show spanning-tree config

show spanning-tree port-mode

show spanning-tree port

show spanning-tree vlans

# MSTP

show spanning-tree mstp config

show spanning-tree mstp status

show spanning-tree mstp statistics

show spanning-tree mstp port role

# BPDU

show spanning-tree bpdu-filtering

# SLPP

show slpp-guard

# POE

show poe-main-status

show poe-main-status unit 1

show poe-main-status unit 2

show poe-main-status unit 3

show poe-main-status unit 4

show poe-main-status unit 5

show poe-main-status unit 6

show poe-main-status unit 7

show poe-main-status unit 8

# END

terminal length 20

Static OSPF Redistribute

Snippet from R1 acting as ASBR with static route towards external router showing the redistribution of the external route into OSPF.

R1

ip route 3.3.3.3 255.255.255.255 10.10.10.2 weight 1
ip route 3.3.3.3 255.255.255.255 10.10.10.2 enable

ip prefix-list StaticOSPFRedistribute 3.3.3.3/32 ge 32 le 32

route-map "OSPFStatic" 1
enable
match network "StaticOSPFRedistribute"
exit

router ospf
as-boundary-router enable

redistribute static route-map "OSPFStatic"
redistribute static metric 10
redistribute static metric-type type1
redistribute static enable
exit

#WARNING: Routes will not be injected until apply command is issued after enable command

ip ospf apply redistribute static

show ip route
show ip ospf redistribute
show ip prefix-list
show route-map
show route-map detail

VSP transceivers and autonegotiation

Autonegotiation

Use Autonegotiation to allow the device to automatically negotiate the best common data rate and duplex mode to use between two Autonegotiation-capable Ethernet devices.

When you use a 1 Gigabit SFP transceiver on a 10 Gigabit SFP+ port, you must enable autonegotiate if it is not enabled already. However, if you use 1 Gigabit SFP transceivers on a VSP 4000 switch that is connected to third party switches at the remote end, you must have autonegotiate enabled at all times; this applies to SFP transceivers installed in a 1 Gigabit SFP port or a 10 Gigabit SFP+ port.

For VSP 7254XSQ, auto-negotiation is always disabled for 1 Gigabit Ethernet transceivers. If using a 1000BASE-T SFP, the remote 1000BASE-T interface must have auto-negotiation enabled. If not, the link will not be established. Also note that because the SFP+ ports on the VSP 7254XSQ only support 1 and 10 Gbps speeds, the AA1419043-E6 1000BASE-T SFP will only operate at 1G speeds.

If you use 1 Gbps fiber SFP transceivers, auto-negotiation is always disabled so the remote end must also have auto-negotiation disabled. Otherwise this is not a supported configuration with VSP 7254XSQ.

Connecting a VSP 7254XSQ with a 1 Gbps fiber SFP to an EXOS switch therefore requires autonegotiation to be disabled on the EXOS switch:

configure port <port#> auto off speed <speed> duplex <half | full>

VSP Flight-recorder

voss01:1#flight-recorder ?
Perform actions on flight-recorder data
all       Create flight-recorder snapshot, trace, and archive
archive   Create tarball of flight-recorder files, log file, config file, etc.
snapshot  Take snapshot of flight-recorder PMEM data
trace     Take snapshot of always-on-trace data
voss01:1#flight-recorder all ?
{slot[-slot][,…]}  Slot – Valid slot is 1

Example…

flight-recorder all 1

Processing Flight-recorder snapshot for 1 ….

Flight-recorder snapshot for slot 1 complete, filename is /intflash/PMEM/1/pmem.20190311115209.1.tar.gz.

Processing Flight-recorder trace for 1 ….

Flight Recorder trace taken for namServer on slot 1. File: /intflash/flrec/1/trace.20190311115210.namServer-1.txt
Flight Recorder trace taken for cbcp-main.x on slot 1. File: /intflash/flrec/1/trace.20190311115210.cbcp-main.x-1.txt
Flight Recorder trace taken for ssio on slot 1. File: /intflash/flrec/1/trace.20190311115211.ssio-1.txt
Flight Recorder trace taken for logServer on slot 1. File: /intflash/flrec/1/trace.20190311115211.logServer-1.txt
Processing Flight-recorder archive for slot 1 ….

NOTE: Deleting Flight-recorder trace files (if any) from /intflash/flrec/1/ and adding them to the archive
NOTE: Deleting Flight-recorder snapshot files (if any) from /intflash/PMEM/1/ and adding them to the archive

Flight-recorder archive for slot 1 complete, filename is /intflash/archive/1/archive.20190311115212.1.tar