[c-nsp] cisco-nsp Digest, Vol 131, Issue 17

Josh jastrckl at gmail.com
Tue Oct 8 11:44:30 EDT 2013


In reply to Saku Ytti, I know of at least one tacacs implementation that
allows for restricting configuration of members of a port channel.

https://rubyforge.org/projects/tacacs-plus/

-J


On Tue, Oct 8, 2013 at 6:59 AM, <cisco-nsp-request at puck.nether.net> wrote:

> Send cisco-nsp mailing list submissions to
>         cisco-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
>         cisco-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
>         cisco-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
>
>
> Today's Topics:
>
>    1. Re: "reload" command doesn't check command line parameters
>       (Octavio Alvarez)
>    2. Re: "reload" command doesn't check command line parameters
>       (Pete Lumbis)
>    3. freezing ASR1002 when generating RSA keys (Darius Seroka)
>    4. IP SLA FTP doesn't finish the download? (Luis Miguel Cruz Miranda)
>    5. Re: "reload" command doesn't check command line parameters
>       (Octavio Alvarez)
>    6. Re: "reload" command doesn't check command line parameters
>       (Sander Steffann)
>    7. Re: "reload" command doesn't check command line parameters
>       (Saku Ytti)
>    8. Re: "reload" command doesn't check command line parameters
>       (Saku Ytti)
>    9. Re: "reload" command doesn't check command line parameters
>       (Sigurbjörn Birkir Lárusson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 07 Oct 2013 08:46:43 -0700
> From: Octavio Alvarez <alvarezp at alvarezp.ods.org>
> To: Pete Lumbis <alumbis at gmail.com>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] "reload" command doesn't check command line
>         parameters
> Message-ID: <5252D763.5090207 at alvarezp.ods.org>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 10/07/2013 05:30 AM, Pete Lumbis wrote:
> > If we fix the behavior what does the fix look like? Do we not allow any
> > reason that starts with "i"(in) "c" (cancel) or "a"(at)? But then what if
> > you want a reload reason of "reload installing new software"? Should this
> > be blocked?
>
> Create "reload reason blahblah" and deprecate "reload blahblah". Issue a
> warning each time "reload blahblah" happens.
>
> Also have different confirmation messages. "Reload in 10" could have
> "Proceed with reload in 10?" while the other could be "Proceed with
> immediate reload?"
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 7 Oct 2013 15:05:16 -0400
> From: Pete Lumbis <alumbis at gmail.com>
> To: Octavio Alvarez <alvarezp at alvarezp.ods.org>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] "reload" command doesn't check command line
>         parameters
> Message-ID:
>         <CAB0xJrMFS7=
> TQKAHw6nT5HLP1ws0Uqnz-h5H41ja9613xstuZQ at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> The two outputs do have different warnings:
>
> reload reason:
> ===========================
> Router#reload
> Proceed with reload? [confirm]
> ===========================
>
> ===========================
> Router#reload in 5
> Reload scheduled in 5 minutes by console
> Reload reason: Reload Command
> Proceed with reload? [confirm]
> ===========================
>
>
>
> On Mon, Oct 7, 2013 at 11:46 AM, Octavio Alvarez
> <alvarezp at alvarezp.ods.org>wrote:
>
> > On 10/07/2013 05:30 AM, Pete Lumbis wrote:
> > > If we fix the behavior what does the fix look like? Do we not allow any
> > > reason that starts with "i"(in) "c" (cancel) or "a"(at)? But then what
> if
> > > you want a reload reason of "reload installing new software"? Should
> this
> > > be blocked?
> >
> > Create "reload reason blahblah" and deprecate "reload blahblah". Issue a
> > warning each time "reload blahblah" happens.
> >
> > Also have different confirmation messages. "Reload in 10" could have
> > "Proceed with reload in 10?" while the other could be "Proceed with
> > immediate reload?"
> >
> >
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 8 Oct 2013 09:43:49 +0200
> From: Darius Seroka <dariusjs at gmail.com>
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] freezing ASR1002 when generating RSA keys
> Message-ID:
>         <CAJeUwaabmTs=
> 3ZFWAiZdCQeENCNoFC8PP5koFD0yKQkcgwr-xA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
> Has anyone experienced an issue where generating keys on an ASR1002 just
> freezes the box? I am configuring it through the console port. The software
> is the 15.1(3) xe-rommon stuff. Does Cisco do anything weird with their
> images like Junos does, where ssh is available only on the domestic images?
> I've generated these keys a lot in the past but have not seen this
> yet; usually it's instantaneous. I have tried three times now, with each time
> needing a power cycle to get life into the box again. There's nothing in the
> logs to indicate what could be going wrong.
>
>
> asr1002-r01(config)#crypto key generate rsa general-keys modulus 2048
> The name for the keys will be: asr1002-r01
>
> % The key modulus size is 2048 bits
> % Generating 2048 bit RSA keys, keys will be non-exportable...Oct  8
> 09:14:18 ts01 event_notify: EVT[4]:Session terminated. Command issued by
> user: ?. Terminated user: root.
> Connection to ts1 closed.
>
> --
> Regards,
> Darius
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 08 Oct 2013 09:51:39 +0200
> From: Luis Miguel Cruz Miranda <luismcm at imasd.net>
> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: [c-nsp] IP SLA FTP doesn't finish the download?
> Message-ID: <5253B98B.8050202 at imasd.net>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Ok,
>
> The situation is this...
> Router 3825 running 12.4(24)T5 advipsrv., with several VRFs.
> Each vrf is connected to a different modem, configured in a different
> service.
>
> The router has configured several IP SLAs... icmp, http, and of course
> ftp.
> All those probes are being monitored over SNMP to obtain performance
> metrics.
>
> The issue is related to the IP SLA FTP...
> For an unknown reason it is mostly failing; in the output of "ip sla
> stats 50", the line "Number of failures" is not 0.
>
> Well, that said, it could be an end-to-end issue... I discarded that:
> there is no packet loss between the remote router and the ftp server.
>
> The weird thing is...
> I am downloading a 5MB.zip file which is exactly...
> -rwxrwxrwx 1 aaaa aaaa 5242880 Apr 14  2011 5MB.zip
>
> The log of the FTP server (pure-ftpd) is showing...
>
>  cat /var/log/syslog | grep bytes
> Oct  7 16:19:48 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/possiblesources.pcap downloaded  (1705710 bytes, 105.25KB/sec)
> Oct  7 16:25:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 97.14KB/sec)
> Oct  7 16:35:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 97.24KB/sec)
> Oct  7 16:45:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2490368 bytes, 96.52KB/sec)
> Oct  7 16:55:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 97.52KB/sec)
> Oct  7 17:05:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 98.08KB/sec)
> Oct  7 17:15:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2490368 bytes, 96.54KB/sec)
> Oct  7 17:25:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 98.38KB/sec)
> Oct  7 17:35:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 96.98KB/sec)
> Oct  7 17:45:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2490368 bytes, 96.48KB/sec)
> Oct  7 17:55:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2359296 bytes, 86.69KB/sec)
> Oct  7 18:05:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2490368 bytes, 96.06KB/sec)
> Oct  7 18:15:23 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 99.28KB/sec)
> Oct  7 18:25:23 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 96.46KB/sec)
> Oct  7 18:35:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 97.27KB/sec)
> Oct  7 18:45:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2490368 bytes, 95.46KB/sec)
> Oct  7 18:55:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 97.22KB/sec)
> Oct  7 19:05:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2490368 bytes, 94.53KB/sec)
> Oct  7 19:15:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2490368 bytes, 96.48KB/sec)
> Oct  7 19:25:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2490368 bytes, 93.80KB/sec)
> Oct  7 19:35:23 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 97.53KB/sec)
> Oct  7 19:45:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2490368 bytes, 96.46KB/sec)
> Oct  7 19:55:22 DEV012002 pure-ftpd: (aaaa at 172.30.96.162) [NOTICE]
> //home/aaaa/5MB.zip downloaded  (2621440 bytes, 98.43KB/sec)
>
> The router never downloads the complete file.
> Furthermore, the sniffer capture shows multiple RST, then FP, more RST,
> in that order, from router to the ftp.
>
> Other info is...
> Timeout for SLA operation is big enough to download the file, that was
> checked manually.
> FTP passive is always used, and it is working fine too, checked manually
> too.
>
> any idea?
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 08 Oct 2013 00:53:50 -0700
> From: Octavio Alvarez <alvarezp at alvarezp.ods.org>
> To: Pete Lumbis <alumbis at gmail.com>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] "reload" command doesn't check command line
>         parameters
> Message-ID: <5253BA0E.5040506 at alvarezp.ods.org>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Wait a minute... My router supports "reload reason" already and rejects
> "reload int 10".
>
> Check later IOS versions.
>
> On 10/07/2013 12:05 PM, Pete Lumbis wrote:
> > The two outputs do have different warnings:
> >
> > reload reason:
> > ===========================
> > Router#reload
> > Proceed with reload? [confirm]
> > ===========================
> >
> > ===========================
> > Router#reload in 5
> > Reload scheduled in 5 minutes by console
> > Reload reason: Reload Command
> > Proceed with reload? [confirm]
> > ===========================
> >
> >
> >
> > On Mon, Oct 7, 2013 at 11:46 AM, Octavio Alvarez
> > <alvarezp at alvarezp.ods.org <mailto:alvarezp at alvarezp.ods.org>> wrote:
> >
> >     On 10/07/2013 05:30 AM, Pete Lumbis wrote:
> >     > If we fix the behavior what does the fix look like? Do we not
> >     allow any
> >     > reason that starts with "i"(in) "c" (cancel) or "a"(at)? But then
> >     what if
> >     > you want a reload reason of "reload installing new software"?
> >     Should this
> >     > be blocked?
> >
> >     Create "reload reason blahblah" and deprecate "reload blahblah".
> Issue a
> >     warning each time "reload blahblah" happens.
> >
> >     Also have different confirmation messages. "Reload in 10" could have
> >     "Proceed with reload in 10?" while the other could be "Proceed with
> >     immediate reload?"
> >
> >
>
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 8 Oct 2013 10:57:02 +0200
> From: Sander Steffann <sander at steffann.nl>
> To: Pete Lumbis <alumbis at gmail.com>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] "reload" command doesn't check command line
>         parameters
> Message-ID: <1A328ECC-3C7E-4E41-AAB9-7DAAA7A13300 at steffann.nl>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > The two outputs do have different warnings:
> >
> > reload reason:
> > ===========================
> > Router#reload
> > Proceed with reload? [confirm]
> > ===========================
>
> If this warning would be changed to:
> ===========================
> Router#reload int 5
> Proceed with IMMEDIATE reload? [confirm]
> ===========================
>
> Then it would be much clearer.
>
> Cheers,
> Sander
>
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 8 Oct 2013 13:55:26 +0300
> From: Saku Ytti <saku at ytti.fi>
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] "reload" command doesn't check command line
>         parameters
> Message-ID: <20131008105526.GA25562 at pob.ytti.fi>
> Content-Type: text/plain; charset=us-ascii
>
> On (2013-10-08 10:57 +0200), Sander Steffann wrote:
>
> > > The two outputs do have different warnings:
> > >
> > > reload reason:
> > > ===========================
> > > Router#reload
> > > Proceed with reload? [confirm]
> > > ===========================
> >
> > If this warning would be changed to:
> > ===========================
> > Router#reload int 5
> > Proceed with IMMEDIATE reload? [confirm]
> > ===========================
> >
> > Then it would be much clearer.
>
> Implication here is, you made a typo in the original command and you are
> aware of it. I guess if you are aware of the typo, you didn't make it.
> If you are not aware of the typo you made, you'll just punch the 'y' from
> muscle memory without looking at the display.
>
> I don't think it would actually help. What does help is taking humans out
> of the equation as much as possible. Break the network less often but more
> thoroughly through automation.
>
> --
>   ++ytti
>
>
> ------------------------------
>
> Message: 8
> Date: Tue, 8 Oct 2013 14:51:29 +0300
> From: Saku Ytti <saku at ytti.fi>
> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] "reload" command doesn't check command line
>         parameters
> Message-ID: <20131008115129.GA611 at pob.ytti.fi>
> Content-Type: text/plain; charset=iso-8859-1
>
> On (2013-10-08 11:22 +0000), Sigurbjörn Birkir Lárusson wrote:
>
> > I think the best solution here is tacacs+ with command authorization
> where
> > reload in X is allowed, but all other forms are not, forcing you to
>
> Fully agreed.
>
> > This is also highly preferable for many other things (switchport trunk
> > allowed vlan X instead of switchport trunk allowed vlan add X springs to
> > mind)
>
> Couldn't agree more. As well as 'no router isis' etc. :)
>
>
> Maybe worth putting up somewhere BCP TACACS deny for dangerous commands.
> Sadly
> I think it's not possible in TACACS to deny configuring member ports of
> port-channels.
>
> --
>   ++ytti
>
>
> ------------------------------
>
> Message: 9
> Date: Tue, 8 Oct 2013 11:22:40 +0000
> From: Sigurbjörn Birkir Lárusson <sigurbjornl at vodafone.is>
> To: Saku Ytti <saku at ytti.fi>, "cisco-nsp at puck.nether.net"
>         <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] "reload" command doesn't check command line
>         parameters
> Message-ID:
>         <80122D01C22CF34F8F7FF852589E9F9466E920B3 at EXCH1003.ITNET.IS>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I think the best solution here is tacacs+ with command authorization where
> reload in X is allowed, but all other forms are not, forcing you to
> authenticate as a higher privilege user to be able to do that, that way
> tacacs+ will simply prevent you from making a mistake.
>
> This is also highly preferable for many other things (switchport trunk
> allowed vlan X instead of switchport trunk allowed vlan add X springs to
> mind)
>
> Kind regards,
> Sibbi
>
> On 8.10.2013 10:55, "Saku Ytti" <saku at ytti.fi> wrote:
>
> >On (2013-10-08 10:57 +0200), Sander Steffann wrote:
> >
> >> > The two outputs do have different warnings:
> >> >
> >> > reload reason:
> >> > ===========================
> >> > Router#reload
> >> > Proceed with reload? [confirm]
> >> > ===========================
> >>
> >> If this warning would be changed to:
> >> ===========================
> >> Router#reload int 5
> >> Proceed with IMMEDIATE reload? [confirm]
> >> ===========================
> >>
> >> Then it would be much clearer.
> >
> >Implication here is, you made a typo in the original command and you are
> >aware of it. I guess if you are aware of the typo, you didn't make it.
> >If you are not aware of the typo you made, you'll just punch the 'y' from
> >muscle memory without looking at the display.
> >
> >I don't think it would actually help. What does help is taking humans out
> >of the equation as much as possible. Break the network less often but more
> >thoroughly through automation.
> >
> >--
> >  ++ytti
> >_______________________________________________
> >cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
>
> ------------------------------
>
> End of cisco-nsp Digest, Vol 131, Issue 17
> ******************************************
>

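The TACACS+ command-authorization approach that Sibbi, Saku and Josh discuss in the thread above, as an added illustration that is not code from the thread or from the tacacs-plus project: a small Python authorizer that evaluates a permit/deny rule list per command (first match wins, unmatched commands denied, in the style of tac_plus command-argument matching) and, to show what closing the port-channel gap would take, tracks interface configuration mode against a constructed list of bundle members. The policy, the member inventory and the sample session are all constructed for this example, and interface names are assumed to arrive fully expanded.

```python
import re
from typing import List, Set, Tuple

# One rule: (command keyword, regex matched against the rest of the line,
# decision). Rules are evaluated top to bottom, first match wins, and any
# command with no matching rule is denied. The policy is constructed for this
# example after the thread's suggestions: only "reload in X" is permitted,
# "switchport trunk allowed vlan X" (which replaces the list) is denied while
# the "add" form is permitted, and "no router ..." is denied.
Rule = Tuple[str, str, str]

POLICY: List[Rule] = [
    ("reload",      r"^in \d+$",                          "permit"),  # "reload in 10"
    ("reload",      r".*",                                 "deny"),    # "reload", "reload at", "reload int 10"
    ("switchport",  r"^trunk allowed vlan add [\d,\-]+$",  "permit"),  # adds to the list
    ("switchport",  r"^trunk allowed vlan [\d,\-]+$",      "deny"),    # replaces the list
    ("switchport",  r".*",                                 "permit"),
    ("no",          r"^router\b",                          "deny"),    # "no router isis" etc.
    ("no",          r"^shutdown$",                         "permit"),
    ("interface",   r".+",                                 "permit"),
    ("shutdown",    r"^$",                                 "permit"),
    ("description", r".*",                                 "permit"),
    ("show",        r".*",                                 "permit"),
    ("exit",        r"^$",                                 "permit"),
    ("end",         r"^$",                                 "permit"),
]

# Constructed inventory of interfaces that are members of a port-channel.
# A server that only sees each command line cannot know this by itself; it has
# to be supplied from outside and kept in step with the running configuration.
PORT_CHANNEL_MEMBERS: Set[str] = {"GigabitEthernet0/1", "GigabitEthernet0/2"}


class CommandAuthorizer:
    """Per-session authorizer: rule matching plus tracking of the interface
    currently being configured, so that changes on a known bundle member can
    be refused."""

    def __init__(self, policy: List[Rule] = POLICY,
                 members: Set[str] = PORT_CHANNEL_MEMBERS) -> None:
        self.policy = [(kw, re.compile(pat), dec) for kw, pat, dec in policy]
        self.members = members
        self.current_interface = None  # set while in "interface" configuration mode

    def authorize(self, line: str) -> str:
        words = line.split()
        if not words:
            return "deny"
        cmd, args = words[0], " ".join(words[1:])
        if cmd == "interface":
            self.current_interface = args  # assumes a fully expanded interface name
        elif cmd in ("exit", "end"):
            self.current_interface = None
        elif self.current_interface in self.members:
            return "deny"  # any change on a bundle member is refused
        for keyword, pattern, decision in self.policy:
            if keyword == cmd and pattern.match(args):
                return decision
        return "deny"


def authorize_session(lines: List[str]) -> List[Tuple[str, str]]:
    """Run a command sequence through one authorizer; returns (line, decision) pairs."""
    auth = CommandAuthorizer()
    return [(line, auth.authorize(line)) for line in lines]


# Constructed sample session mixing the cases raised in the thread.
SAMPLE_SESSION = [
    "reload in 10",
    "reload int 10",
    "switchport trunk allowed vlan add 200",
    "switchport trunk allowed vlan 200",
    "no router isis",
    "interface GigabitEthernet0/1",   # a bundle member in the constructed inventory
    "shutdown",
    "exit",
    "interface GigabitEthernet0/5",   # not a member
    "shutdown",
]

if __name__ == "__main__":
    for line, decision in authorize_session(SAMPLE_SESSION):
        print(f"{decision:6}  {line}")
```

The first five decisions need nothing but the command line, which is what a TACACS+ server normally gets. The port-channel case is different: refusing `shutdown` on GigabitEthernet0/1 depends on the `interface` context remembered from the previous command and on an inventory the server has to obtain elsewhere, which is the limitation Saku describes and what an implementation such as the one Josh points to would have to manage.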

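For the IP SLA FTP question in the digest above, a first check is whether the server ever logs a complete transfer and how far each failed one got. As an added example, not part of Luis's post, the following Python parses pure-ftpd NOTICE lines, compares the byte count of each download with the known size of 5MB.zip (5242880 bytes, from the ls -l line in the post) and reports the incomplete ones together with the largest block size that divides all the truncated counts. The sample lines are constructed from the ones quoted in the thread, re-joined onto single lines with the `user@host` field restored; the final line, a complete transfer, is added for contrast and does not appear in the post.

```python
import re
from functools import reduce
from math import gcd
from typing import Dict, List

# Known file sizes, taken from the "ls -l" line in the post.
EXPECTED_SIZE: Dict[str, int] = {"5MB.zip": 5242880}

# Constructed sample: pure-ftpd lines quoted in the thread, re-joined on single
# lines with user@host restored. The last line (a complete 5242880-byte
# transfer) is added here for contrast and is not in the post.
SAMPLE_LOG = """\
Oct  7 16:19:48 DEV012002 pure-ftpd: (aaaa@172.30.96.162) [NOTICE] //home/aaaa/possiblesources.pcap downloaded  (1705710 bytes, 105.25KB/sec)
Oct  7 16:25:22 DEV012002 pure-ftpd: (aaaa@172.30.96.162) [NOTICE] //home/aaaa/5MB.zip downloaded  (2621440 bytes, 97.14KB/sec)
Oct  7 16:45:22 DEV012002 pure-ftpd: (aaaa@172.30.96.162) [NOTICE] //home/aaaa/5MB.zip downloaded  (2490368 bytes, 96.52KB/sec)
Oct  7 17:55:22 DEV012002 pure-ftpd: (aaaa@172.30.96.162) [NOTICE] //home/aaaa/5MB.zip downloaded  (2359296 bytes, 86.69KB/sec)
Oct  7 20:05:22 DEV012002 pure-ftpd: (aaaa@172.30.96.162) [NOTICE] //home/aaaa/5MB.zip downloaded  (5242880 bytes, 97.00KB/sec)
"""

# Matches the pure-ftpd "downloaded" NOTICE; accepts "user@host" as well as the
# "user at host" form that list archives substitute for the @ sign.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@\s]+)(?:@| at )(?P<host>[^)]+)\) \[NOTICE\] "
    r"(?P<path>\S+) downloaded\s+\((?P<bytes>\d+) bytes, (?P<rate>[\d.]+)KB/sec\)$"
)


def parse_transfers(text: str) -> List[Dict]:
    """Return one record per download NOTICE line; lines that do not match are skipped."""
    transfers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        transfers.append({
            "time": m["ts"], "user": m["user"], "host": m["host"],
            "path": m["path"], "bytes": int(m["bytes"]), "kbps": float(m["rate"]),
        })
    return transfers


def find_incomplete(transfers: List[Dict],
                    expected: Dict[str, int] = EXPECTED_SIZE) -> List[Dict]:
    """Transfers of a known file whose byte count is below the file's size."""
    incomplete = []
    for t in transfers:
        name = t["path"].rsplit("/", 1)[-1]
        size = expected.get(name)
        if size is not None and t["bytes"] < size:
            incomplete.append({**t, "expected": size,
                               "fraction": round(t["bytes"] / size, 3)})
    return incomplete


def common_block_size(transfers: List[Dict]) -> int:
    """Largest byte count that divides every transfer size (0 if there are none)."""
    return reduce(gcd, (t["bytes"] for t in transfers), 0)


if __name__ == "__main__":
    transfers = parse_transfers(SAMPLE_LOG)
    incomplete = find_incomplete(transfers)
    print(f"{len(transfers)} transfers parsed, {len(incomplete)} incomplete")
    for t in incomplete:
        print(f"{t['time']}  {t['path']}  {t['bytes']}/{t['expected']} bytes "
              f"({t['fraction']:.1%})")
    print(f"common block size of truncated transfers: {common_block_size(incomplete)} bytes")
```

On the counts in the post the common divisor comes out to 131072 bytes (128 KiB): every truncated transfer stops on a 128 KiB boundary, between 45 % and 50 % of the file. That is an observation about the logged counts rather than a diagnosis, but it is the kind of detail worth lining up against the probe's timeout setting and the RST/FIN sequence seen in the capture, since the post already rules out loss on the path.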