Docker image – Python for network engineers

Lately I’m looking more and more into Python, with respect to automation implementations useful for network engineers. In the learning process I’ve used different materials, like the excellent video training Python Programming for Network Engineers from David Bombal, which is available for free on YouTube.

This training in particular relies on an Ubuntu Docker image to support learning Python through interaction with Cisco devices in GNS3. Everything is great, except that the image doesn’t contain all the necessary tools (like Paramiko, Netmiko, Ansible…). As you can guess, whenever you close / open the project in GNS3, all the packages you installed in the Ubuntu Docker container are gone.

Since we’re talking automation, I got bored of installing the necessary tools every time I wanted to start a new project or had to close GNS3 for some reason. I’ve tried to find a Docker image that suits my needs, but I couldn’t (please point me to one if you know of it).

So, I’ve built a Docker image, based on Ubuntu 16.04, which contains the necessary tools to start learning Python programming oriented towards network engineers:

  • Openssl
  • Net-tools (ifconfig..)
  • IPutils (ping, arping, traceroute…)
  • IProute
  • IPerf
  • TCPDump
  • NMAP
  • Python 2
  • Python 3
  • Paramiko (python ssh support)
  • Netmiko (python ssh support)
  • Ansible (automation)
  • Pyntc
  • NAPALM

The above list can be extended, but I would like to keep it to the minimum necessary (I want to keep the image size at a decent level).
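As an added illustration (this is not the author’s Dockerfile, which the post does not reproduce), the following Dockerfile builds a comparable image from Ubuntu 16.04 with the tools listed above baked in, so they survive closing and reopening the GNS3 project. The apt and pip package names are assumed to be the standard Ubuntu 16.04 and PyPI names; Ansible is installed under Python 2 only, and no versions are pinned.

```dockerfile
# Illustrative Dockerfile (not the author's): Ubuntu 16.04 base with the tools listed above.
FROM ubuntu:16.04

# System tools: OpenSSL, net-tools (ifconfig), iputils (ping, arping), traceroute,
# iproute2, iperf, tcpdump, nmap, plus Python 2 and 3 with pip.
# The *-dev / build-essential packages are only needed so that pip can compile
# paramiko's cryptography dependency where no binary wheel is available.
RUN apt-get update && apt-get install -y --no-install-recommends \
        openssl net-tools iputils-ping iputils-arping traceroute iproute2 \
        iperf tcpdump nmap \
        python python-pip python3 python3-pip \
        build-essential python-dev python3-dev libffi-dev libssl-dev \
    && rm -rf /var/lib/apt/lists/*

# Python automation libraries for both interpreters; "python -m pip" is used
# instead of the "pip" script, which breaks on Ubuntu 16.04 after pip upgrades itself.
# Ansible under Python 2 only (assumption: Python 3 support was not yet mature here).
RUN python -m pip install --upgrade pip \
    && python -m pip install paramiko netmiko ansible pyntc napalm \
    && python3 -m pip install --upgrade pip \
    && python3 -m pip install paramiko netmiko pyntc napalm

CMD ["/bin/bash"]
```

Build it with docker build -t ubuntu1604-pfne . and start a container with docker run -it --rm ubuntu1604-pfne. Removing build-essential and the *-dev packages in the same RUN layer after the pip installs finish is the usual way to pull the image size back down.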

If you’re interested, please find the image at: https://hub.docker.com/r/yotis/ubuntu1604-pfne/, or you can download it:

$ docker pull yotis/ubuntu1604-pfne

I’ve tested the image for a couple of days and it works fine. However, if something doesn’t work as expected, please let me know and I’ll try to fix it.

For those using GNS3, it is possible to import the image above directly into GNS3 using the PFNE Appliance.

F5 BIG-IP Plugin with Firefox 52 workaround

It’s not news anymore that Mozilla is stopping support for NPAPI (Netscape Plugin API). With the release of Firefox 52, I believe that only the Flash plugin is enabled by default.

I’ll skip the discussion about NPAPI plugins and Mozilla’s decision to stop the support; however, the reality is that for me it has a strong impact in certain areas. One of these areas is the F5 BIG-IP, specifically APM and the possibility to launch an application (like RDP) from the Webtop interface.

I’m relying heavily on an F5 BIG-IP VE machine to connect to my home lab when I’m remote. The Webtop functionality gives me the possibility to use only a browser to connect to my applications at home, keeping me away from any F5 client installation on the machine that I use. Usually this machine is my MacBook or PC, and the F5 client installation should not be a big thing; however, I like the clientless option.

The F5 Webtop functionality is possible thanks to an NPAPI plugin called “F5 Network Host Plugin”, which usually installs in the browser when you access the F5 APM. So yes, you still need to install something, but this browser plugin is easy to install / remove compared with an F5 client.

One morning I woke up to find out that my Firefox browser had been silently upgraded in the background and, instead of being able to launch an application from the F5 Webtop interface, I saw this:

Needless to say, the plugin was already installed and everything seemed to be fine. Googling around I could find a lot of information about why it is not working, but no workaround, until I read this article on the F5 DevCentral page.
F5 is aware of the problem and they are working on a solution, but so far everything points to using the F5 client.

Until Firefox 51 everything was still fine, but with the release of Firefox 52 you will get the error shown above. Long story short, for now there is a workaround which is supposed to work fine on Firefox 52 and the upcoming version 53.

You need to create in Firefox 52 a configuration parameter called “plugin.load_flash_only” and set its value to “False”. Remember that this parameter is not there by default, so don’t just search for it…create it.

  1. Head to the Firefox URL bar and type about:config.
  2. Accept the responsibility that you’ll not destroy your Firefox installation.
  3. Right click.
  4. Choose New > Boolean from the menu.
  5. In the newly opened window type: plugin.load_flash_only
  6. Set the value to: False

In the end you’ll see something like this:

Remember that I said at the beginning that only the Flash plugin is still enabled by default? This setting reverses that behaviour, by saying that not only the Flash plugin should be loaded.

Not sure what I’ll do in the future. Not upgrading Firefox 52 (and possibly 53) to the next release is not a long-term option, and from a security perspective it is a disaster. Keeping a parallel installation of Firefox just to reach my trusted URL…doable, but still a bit of a hassle. I hope F5 will come up with a solution.

Draw network diagrams online [2016 Edition]

In this post from 2011 I explained that my preferred online tool to draw network diagrams is LucidChart.com. Since then LucidChart.com has developed really well and constantly added new features. Unfortunately, along with the great new additions, some not-so-nice restrictions appeared for the free account.
Those restrictions (like 5 active documents) really make it difficult for me to work with this tool, as I got used to a different style.

I’m not a cheap guy! If I used this tool professionally there would be no problem buying a subscription package, but at work Visio is sacred (unfortunately) and the rest of the time, especially when I’m on my Mac, I just need a fast tool to draw brief network diagrams, like for my blog or a quick explanation to somebody online.

LucidChart.com is my recommendation if you rely on an online tool to work with Visio documents. Last time I checked, their Visio import tool was doing a great job.

Back to this story: I was looking online for another tool when I came across Draw.io.

Draw.io doesn’t need an account; it just gives you direct access to the tool.
Since you don’t have an account you cannot save your work in the application, but it does offer you the option to save to Dropbox, Google Drive or OneDrive online, or directly on your machine.
Later you can open your document from any of these locations.

In terms of shapes the tool is pretty generous, and the Cisco ones, really important for me, are there:

[Screenshot: draw.io]

The tool is very easy to use, it gives you a Visio feeling (if you’re used to this Microsoft software) and works pretty fast for me.

I tried to open a Visio document from my machine…it did not work that well:

[Screenshot: draw.io-visio-open]

Importing the same document did not work any better:

[Screenshot: draw.io-import-visio]

It seems that in both cases the Riverbed Steelhead shapes loaded fine, but not the Cisco ones.

Well, I would like to see this working, but in the end there is nothing to complain about. I explained already that I don’t need the online tool to work with Visio. It’s nice if it can, but not mandatory for me. I’ll try some more tests with different Visio files; who knows, maybe there is something wrong with my test file.

One feature I would like to see is the ability to add your own shapes. Who knows, maybe in the future.

If you know a better alternative to LucidChart.com that has a free option and you consider it better than Draw.io, please let me know.

Cisco ASA packet capture showing bidirectional traffic flow

Recently I had to troubleshoot some communication issues via a Cisco ASA device, and the built-in packet capture comes in handy for this task.

When you have a lot of traffic over the ASA and you’re interested in a particular IP address, the basic packet capture lesson says that you should configure an access-list to limit the captured packets to the interesting traffic only.

Let’s assume that I have a particular interest in the traffic to and from the IP address 10.0.0.10.

I created a standard ACL to match only the traffic related to 10.0.0.10:

access-list TS standard permit host 10.0.0.10

Afterwards I attached the created ACL to a packet capture on a particular interface (let’s call it “lan”).

capture TSHOOT access-list TS interface lan

You can find the above lines in almost any how-to regarding packet capture on Cisco ASA.

Checking the capture I noticed that traffic is captured in one direction only; only the echo requests towards 10.0.0.10 appear, not the replies:

FW# show capture TSHOOT

4 packets captured

   1: 20:15:32.757010       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   2: 20:15:33.759283       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   3: 20:15:34.761374       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   4: 20:15:35.823748       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request

This is not enough to troubleshoot complex communication scenarios.

OK, maybe the standard ACL is not enough, so I tried to use an extended one where 10.0.0.10 is the source on one line and the destination on another:

access-list TS extended permit ip host 10.0.0.10 any
access-list TS extended permit ip any host 10.0.0.10

This should do it…except that it doesn’t.

capture TSHOOT access-list TS interface lan

ERROR: Capture doesn't support access-list  containing mixed policies

Hmm, maybe it does not work with two lines in the ACL. I removed one; same error.

I was looking around to find a way to do it, but I couldn’t. This is why I wrote this article. Maybe my googling skills are not so good, as I’m sure there has to be an example somewhere out there.

However, here is how I did it.

I gave up using the ACL. No, I was not going to capture the entire traffic :) Instead, I used an inline match restriction for the IP address that I’m interested in, which matches packets with that host as either source or destination:

capture TSHOOT interface lan match ip host 10.0.0.10 any

The result looks good now:

FW# show capture TSHOOT

8 packets captured

   1: 20:19:07.222553       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   2: 20:19:07.223392       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
   3: 20:19:08.229953       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   4: 20:19:08.230670       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
   5: 20:19:09.229327       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   6: 20:19:09.230121       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
   7: 20:19:10.252321       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   8: 20:19:10.253130       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply

The packet capture now shows a bidirectional traffic flow.
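To check a capture like the ones above for bidirectional flow without eyeballing it, here is an added Python example (not from the original post) that parses show capture lines in the layout shown above and counts packets per direction for the host of interest. The two sample captures are constructed from the outputs above; the optional .port suffix after an address, used for TCP/UDP lines, is an assumption, since the page only shows ICMP.

```python
import re
from collections import Counter

# One packet line of Cisco ASA "show capture" output, in the layout seen above:
#    2: 20:19:07.223392       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
# The optional ".port" suffix after an address is an assumption for TCP/UDP lines;
# the ICMP lines on the page carry no port. The 802.1Q tag is optional too.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<time>\S+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?"
    r"\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s*"
    r"(?P<info>.*)$"
)

# Constructed samples, copied from the two outputs above: the capture filtered by
# the standard ACL, and the capture filtered by the inline "match" keyword.
UNIDIRECTIONAL_CAPTURE = """\
FW# show capture TSHOOT

4 packets captured

   1: 20:15:32.757010       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   2: 20:15:33.759283       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   3: 20:15:34.761374       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   4: 20:15:35.823748       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
"""

BIDIRECTIONAL_CAPTURE = """\
FW# show capture TSHOOT

8 packets captured

   1: 20:19:07.222553       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   2: 20:19:07.223392       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
   3: 20:19:08.229953       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   4: 20:19:08.230670       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
   5: 20:19:09.229327       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   6: 20:19:09.230121       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
   7: 20:19:10.252321       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   8: 20:19:10.253130       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
"""


def parse_capture(text):
    """Return one dict per packet line; the header and count lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def direction_counts(packets, host):
    """Count packets leaving `host`, arriving at `host`, and touching neither."""
    counts = Counter(from_host=0, to_host=0, unrelated=0)
    for p in packets:
        if p["src"] == host:
            counts["from_host"] += 1
        elif p["dst"] == host:
            counts["to_host"] += 1
        else:
            counts["unrelated"] += 1
    return counts


def is_bidirectional(packets, host):
    """True only if the capture holds packets in both directions for `host`."""
    c = direction_counts(packets, host)
    return c["from_host"] > 0 and c["to_host"] > 0


def report(text, host):
    """One-line verdict for a capture, the kind of check worth running before
    drawing conclusions about a 'missing' reply."""
    packets = parse_capture(text)
    c = direction_counts(packets, host)
    verdict = "bidirectional" if is_bidirectional(packets, host) else "ONE DIRECTION ONLY"
    return (f"{len(packets)} packets: {c['from_host']} from {host}, "
            f"{c['to_host']} to {host} -> {verdict}")


if __name__ == "__main__":
    print(report(UNIDIRECTIONAL_CAPTURE, "10.0.0.10"))
    print(report(BIDIRECTIONAL_CAPTURE, "10.0.0.10"))
```

Paste the output of show capture into a file and feed it to report() with the host you filtered on; a "ONE DIRECTION ONLY" verdict means the capture filter, not the network, is the first thing to fix.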

I hope you’ll find this useful during troubleshooting.

Remote desktop, GNS3 crashes when drag and drop topology objects

A couple of days ago I reinstalled the machine that I use as a GNS3 server. It was about time, as things had started to become a bit unstable after so many patches and updates to bring it up from Ubuntu 8.04.

I picked Xubuntu 14.04 LTS as my distro because I like XFCE, and with the new GNS3 installed directly from the PPA following https://www.gns3.com/support/docs/linux-installation the entire story seemed to be a piece of cake.

Unfortunately the reality was different. The above machine is sitting in my lab and most of the time I just use remote desktop on it via X2Go or XRDP. The issue that I encountered was that GNS3 was starting fine and everything looked to be working correctly, but when I tried to drag and drop an object (like a router or switch) onto the topology, GNS3 would crash and the logs would show a nice segmentation fault.

I spent a lot of hours reading about it, and it seems I’m not the only one who had this strange behaviour. However, nobody could actually point out a real solution to this problem.

One workaround that I found to be working is to use ThinLinc, a remote desktop server provided by Cendio. The free version supports up to 10 concurrent users, and in my case this limitation should not pose a problem. One disadvantage is that it’s not open source and you also need to install the client software. Again, not a big deal, at least for my scope.

If you arrived at my post looking for a solution, the above workaround can be one and it’s working fine.

However, the engineer in me was not satisfied as to why the solution would not work using just the packages included in Ubuntu 14.04 LTS.

Digging more, I found that the problem is not actually related to GNS3, but rather to the Qt version that comes with Ubuntu 14.04. It also seems that not only GNS3 is affected by this issue, which appears to be a Qt bug, but also other software used via a remote X11 connection – https://bugreports.qt.io/browse/QTBUG-38109

Now if you check the GNS3 Linux manual installation page, you’ll see that python3-pyqt5 must be installed. When you install from the PPA, the same python3-pyqt5 is installed, just that maybe you’ll miss it among the other packages that are added automatically.

Checking the Ubuntu 14.04 packages at http://packages.ubuntu.com/trusty/python/ (search for python3-pyqt5 to avoid going through all packages) I noticed that the default version is 5.2.1. I’ve checked for particular bugs in this version that could be related to my problem; unfortunately my search brought no conclusive result, so I had to assume that this version has a problem. I’m not a developer, so this task was even harder for me.

I went to check the next Ubuntu release. 15.04 has been end-of-life since January 2016 and the only alternative was 15.10. I’m not very keen on trying non-LTS versions, but desperate times require desperate measures. Searching for the same python3-pyqt5 (http://packages.ubuntu.com/wily/python/) I saw that this version is 5.4.2.

Next I tried to find a way to install the 5.4.2 version of python3-pyqt5 on Ubuntu 14.04. No success here; I ran into more problems than solutions. If you have a solution to get these two versions working together, please let me know.

Having nothing to lose I downloaded Xubuntu 15.10, installed it and…everything is working like a charm so far. I can open GNS3 and drag and drop successfully via a remote connection (XRDP or X2Go).

As you can see I have no solution to the actual problem, but at least I can suggest 2-3 workarounds that may get you out of the woods. For me an article like this would have been very helpful while doing my research, but there was none out there, besides different community posts usually without any answer. This is the reason I wanted to share this story with you.

If you have this issue and found another solution, please let me know, as I would like to use the 14.04 LTS version of Ubuntu; otherwise I need to wait for the release of 16.04 LTS scheduled for this year.