Techno, tech, and life

Category: Nerd stuff

Cisco IOS Tcl ios_config command

I was recently faced with the task that a lot of experienced network admins have to deal with — being able to execute multiple commands on a router/switch, but commands that may temporarily break connectivity to said device as each line is pasted.

In the past…

Traditionally, one would achieve this “device-side chained execution” by using TFTP, as the “script” is only executed once uploaded to the device.  Conceptually, this is the same as being able to chain multiple commands at a Unix shell prompt, delimiting them with a semicolon.

Why oh why, silly auto-negotiate?!?

My example of needing to do this lately was to remotely change an interface’s speed and duplex — commands that typically knock ones telnet/ssh out for a period of time, or completely.  They were both set to auto, but was ethernet on one side, and gigabit ethernet on the other… whicih is always a major fail in autonegotiation land.

Of course, the seasoned router guy, purely by habit, will schedule a “reload in” just in case, but in their rare wisdom, Cisco brought the wonderfully-underrated language Tcl to their codebase.

Well hello, Tcl!

I’ve got a long and wonderous history with Tcl, and it’s graphical partner, Tk.  I forgot Tcl was available on more recent IOSs.  After some googling, I found though that a lot of sites didn’t talk about using it for remote work, where you need the classic chaining of commands.

Enough jabbering on.  This is how I used it for the speed and duplex change:

router(tcl)#ios_config "interface gi0/1" "speed 100" "duplex full"

You may even want to combine that with a “reload in” 😉


Firewall Builder (fwbuilder) and fwbedit tricks

So I’m a huge fan of fwbuilder, having been a security guy for many years, and having been spoilt by Checkpoint’s SmartDashboard GUI (one of the few things they do well).

Up until recently, I’ve not really needed a GUI for firewall management as we did most firewalling via the CP boxes.  Now, with the advent of having to admin over 150 (and growing) Linux VMs, and the iptables instances therein, fwbuilder fits the bill perfectly.

Great design

One of the best things about fwbuilder is its use of XML for configuration files.  This means all sorts of useful fun can be had when bulk changes are needed.  Still, XML can be hard at the best of times, due to the multi-line structure of it — a topic for another day of hackery.

Bulk import/discovery

fwbuilder has a few options in this regard, and I ended up using SNMP, so that the interfaces themselves (and names) are also brought in.  The other option was a painful import of the iptables save/restore stuff, but that would have still meant manual, or automated hackery, to config interfaces.

The issue is that the imports are left pretty raw; you can’t choose a firewall type, which is the management interface, and so on.  fwbuilder is lacking in this area of bulk change — fwbedit gets you some of the way, but not all of the way.

Good ole sed

I’m a Unix guy; always have been, always will be.  One of my favourite things is regexps, and with that, sed.

Here’s what I used to at least bulk change platform and host_OS on the XML:

sed -ie '/platform="unknown" name="au-/s@platform="unknown"@platform="iptables"@; s@host_OS="unknown"@host_OS="linux24"@' yourconfig.fwb

It’s a little lazy, but does the job, using the unknown text as an anchor.  The part of the pattern matching for au- is just a common starting name for all of our firewalls.


The next issue was bulk-changing the management interface of all the 150+ firewalls.  fwbedit has this capability, but the documentation isn’t the best, hence this blog post.

This format seems to have worked for me:

fwbedit.exe modify -f yourconfig.fwb -o /User/Firewalls/somefirewall -a 0,,1

The syntax for doing modify’s is not all that clear.  The doco says:

modify -f file.fwb -o object -c comment [-a attrs]

Modifies object specified by its full path in the tree or object ID. Object can not be renamed using this operation.
-f file.fwb: data file
-o object: object to be deleted, full path or ID
-c txt:  specify comment for the new object
-a attribute1[,attribute2…]  :  specify attributes that
define parameters of the new object (see below)

A few things here — firstly, the comment argument appears entirely optional, but isn’t indicated thusly via the traditional use of square brackets around it.  Secondly, the attribute stuff is confusing:

-t Interface -a security level,address type (dynamic or unnumbered),management

It doesn’t show here what arguments are mandatory, their format (boolean, “true/false” etc).  After hunting the source, using integers is what seems to work.

Now, with that in mind, we loop over all management interfaces, and set them right:

fwbedit.exe list -f yourconfig.fwb -r -o /FWObjectDatabase/User/Firewalls | grep '.*au-.*/eth0$' | while read id; do fwbedit.exe modify -f yourconfig.fwb -o $id -a 0,,1; done

Here we’re just iterating over the firewalls we’re interested in to get their ID, and then modify accordingly.

I hope this helps someone 🙂

20 Years of Internet in Australia!

Yes yes, it has already been twenty years of net in Oz. Wow.

Tracking the Internet into the 21st Century with Vint Cerf

And while I’m on a YouTube posting spree, this too is a fascinating presentation by Vint. For those of you that weren’t on the net back in the 90s, it has some funny historical info too (bet you’ve never heard of, or used, an acoustic coupler — I have! :P)

Bush administration annexes internet

theregister reports that the US government has decidede to reneg on its promise to hand over DNS root name server control to countries… joy.

ASCII Star Wars!

This is gold! Requires telnet out access, so may not work from work.

Click here, or telnet to!

Mars, Spirit rover, and photos

There has been debate recently on Slashdot (and no doubt elsewhere) about the legitimacy of doctoring photos that come from NASA, specifically the Rover/Mars thing.

Just another reason to get rid of NetBSD…

After finally completing the task of cutting my network routing over to the DSL service fully, I am reminded yet again why I need to trash NetBSD and put something useful on my firewall.

Page 2 of 2

Powered by WordPress & Theme by Anders Norén