Wednesday, May 25, 2016

ACLs by Country

 on  with 1 comment 
In , ,  
Have you ever wanted to create an ACL by country?  There's a number of different ways you can go about it.  Certain models of firewalls have this functionality built in.  IOS based routers and ASA firewalls have no such capability, so we'll have to do this a bit more manually.  I'll present two methods.

The first method is detailed here.  In this post, wget goes out to the Internet and grabs the necessary data from the applicable RIR.  Some custom Perl code pulls out the subnets associated with that country and then builds the ACL.  This one is probably not for the faint of heart nor someone not very fluent in Unix command lines.

A simpler way is through a website called Country IP Blocks.  Navigate to The Create Country ACL page on their site and you can select one or more countries to build an ACL for.  Then pick which format you want the results in.  Cisco ACL is just one of 12 options here, and then click "Create ACL" and you're done.  Other sites such as and provide similar functionality.

These lists get pretty long. Want one that that will permit or deny United States based addresses?  That'll be 55,348 lines.  Want to create an ACL that will block Russia and China?  That's 27,386 lines.  Hope your router is maxed out on RAM.

Wednesday, May 18, 2016

TCL Scripting

 on  with 2 comments 
In , ,  
According to it's man page, "tclsh is a shell-like application that reads TCL commands from its standard input or from a file and evaluates them. If invoked with no arguments then it runs interactively, reading TCL commands from standard input and printing command results and error messages to standard output. It runs until the exit command is invoked or until it reaches end-of-file on its standard input."  The TCL Developer Xchange describes the TCL language as  "a very powerful but easy to learn dynamic programming language, suitable for a very wide range of uses, including web and desktop applications, networking, administration, testing and many more. Open source and business-friendly, TCL is a mature yet evolving language that is truly cross platform, easily deployed and highly extensible. "

The language was created John Ousterhout at the University of California, Berkley.  It's either installed by default or available through the package repositories in nearly every Linux distribution and flavor of BSD.  ActiveState maintains an edition called ActiveTcl.  The community edition has precompiled binaries for Windows, Mac and Linux.  The Enterprise Edition adds binaries for HP-UX, Solaris and AIX.  ActiveState also the home of ActivePerl and ActivePython, which are solid editions of Perl and Python for the same platforms.

Tclsh was added to Cisco IOS in version 12.3(2)T and 12.2(25)S, and to Cisco NX-OS in Release 5.1(1) to provide scripting capability.  With it, you are able to run TCL commands directly from the Cisco IOS prompt, or to create and execute scripts written in the TCL language.  Just about anything you can do in tclsh on a Linux or BSD system can be done in tclsh on a Cisco router.  This of course assumes you're using straight TCL and not any add-on packages.

To use tclsh, simply type the command tclsh at the exec prompt.  To exit tclsh, type tclquit.  While within tclsh you can create scripts with the proc command, by typing proc script_name {, and then ending your script with a closing }.  A great example of the power of this scripting environment can be found in this post at INE, where Brian McGahan, along with an assist from reader Jason Cook, demonstrates a TCL script to generate a number of random IP addresses and subnet masks tied to Loopback interfaces.  I've used this script several times in the lab to quickly add routes into a routing protocol.  If you're feeling really adventurous, you can even get your router to Tweet.  And that's the beauty of scripting, you are able to quickly and easily automate the mundane tasks that aren't what you are working on and interested in, but still need accomplished.

And though it is not suggested, you can change your login shell on a Linux, BSD or Unix system to tclsh and do your day to day work in it as a means of learning the language and environment.  However, as noted, its not suggested as it's not really suited as being used a login script wasn't in the design goals.  See this article for more details.

I'll be getting more into TCL on IOS in the near future.

Some Good References to Get Started:

The official reference from Cisco:
Cisco IOS Scripting with TCL Command

The Cisco book:
Tcl Scripting for Cisco IOS

Some books that come recommended by the TCL Developer Exchange:

Practical Programming in Tcl and Tk, 4th ed.
Tcl/Tk, Second Edition: A Developer's Guide
Tcl and the Tk Toolkit, 2nd ed.
Tcl/Tk 8.5 Programming Cookbook

Saturday, May 14, 2016

Hard Code DNS Servers with PowerShell

 on  with No comments 
In , ,  
The following is a PowerShell script to quickly hard code DNS servers for every network interface present on a computer. It will overwrite the existing DNS servers configured on that machines interfaces.  In this example, we'll be using the IP addresses for OpenDNS servers.

# The servers that we want to use
$newDNSServers = "",""

# Get all network adapters that already have DNS servers set
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.DNSServerSearchOrder -ne $null}

# Set the DNS server search order for all of the previously-found adapters
$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}

Thursday, May 12, 2016

Do the Google

 on  with 1 comment 
In , , ,  

It still surprises me that in 2016, there are still people out there who cannot, or will not, use Google to find the answer to their question.  I'm the admin of a large group on Facebook that exists primarily for people pursuing the CCNA certification, though most technical discussion that stays on the right side of the law is permitted.  Since we get at least one question a day that involves something that could be solved in 10 seconds with Google such as "what is the CCNA?" or "what is Spanning Tree?" I've decided to put together a page explaining how to use Google to find what you're looking for.  And for the Microsoft slappies out there, you are more than welcome to try that other "search engine" as long as you're enjoying it's crap results.  I for one very rarely got good results when I tried it a couple times in the past.

In case you were wondering, the title of this post, "Do the Google" came from a poster on Reddit by the name of /u/sajaschi, in the Tales from Tech Support sub-reddit, that he heard from a family member who's computer he supported.   I liked the term and immediately told him that I'm stealing it. The thread is here for completeness.