Posts on Problem of Network

Getting the Goodix HTK32 Fingerprint Reader Working on Omarchy

Sun, 03 May 2026 00:00:00 +0000

TL;DR

Dell XPS 9370 with the Goodix HTK32 (USB 27c6:5385) on Omarchy:

sudo pacman -S glib2-devel
yay -S libfprint-goodix53x5
# Answer 'y' to remove the stock libfprint when prompted.
# If yay was wrapped with --noconfirm and bailed, install the cached build directly:
sudo pacman -U ~/.cache/yay/libfprint-goodix53x5/libfprint-goodix53x5-*.pkg.tar.zst

sudo systemctl restart fprintd
fprintd-enroll   # retry once if you hit a GTLS error on the first run
fprintd-verify

The package ships a udev rule that unbinds cdc_acm from the sensor on boot, so the fix survives reboots. If the sensor was previously paired with Windows Hello, expect more pain — see Stage 4.

Vault Transit Encryption

Sat, 18 Jan 2025 15:57:32 +0100

This post has a weird genesis. If I think back to the first time I heard of Transit Encryption I originally thought it was something else, and when I finally understood what the docs were telling me, I thought it was the dumbest idea ever.

Turns out I was way wrong. Over the next half an hour I hope to explain why.

The point of transit encryption is to provide a mechanism for requesting vault encrypt some content for you as a service, so that you can send that encrypted blob over untrustworthy, or observable channels. The recipient can then go back to vault, and request that content be decrypted for use.

Vault Audit Logging

Sun, 12 Jan 2025 23:07:17 +0100

I thought i was done with this series, but there are a few loose ends that I think we can clear up pretty quickly. The most important of which is Audit Logging, because what is the point of a secure secrets tool if you don’t track who does what (or most importantly, fails to do what) with it. Lets jump in!

Enabling audit logs

Enabling audit logging requires you to tell the vault server that it should use one of the audit “device types” that it offers with the required parameters. The system will then send audit events to all defined devices, and will consider the audit entry a success when at least one confirms the write.

Vault TLS With Network Appliances

Sun, 29 Dec 2024 17:25:58 -0500

Abstract

Now that we have a Vault, with a TLS Issuing CA, and some idea of how to get certs out of it, lets look at how we can use this in a “real” world scenario to put a valid TLS profile onto a Network Appliance (fancy word for a switch I guess).

Why did I say appliance, and not Router or Switch? Weeeeeell, think about it. You manage a lot of network stuff over HTTPS protocols these days, even when its not actually a web interface you are using to do it. We can also manage load balancers, Wireless Controllers, NAS devices etc etc etc. Lets not get bogged down in terminology and accept that network kit comes in all shapes and sizes these days. Trusted TLS is the goal here.

Using Vault PKI to Secure Devices

Sat, 14 Dec 2024 08:50:37 +0100

abstract

Following on from the Hashicorp Vault “how-to” series. Lets dial things up a notch, and setup a PKI in vault that can issue “real” certificates for your devices.

This has a couple of real tangible benefits.

No more verify=false and/or urllib hacks to connect to TLS secured endpoints
No need to fight openssl to wrangle self signed (or for the really brave, a manual CA)
Full automation support to enable estate wide renewal in minutes, not half a lifetime.

Much of this content was abstracted from the Original Hashi docs, which are brilliant, and can be found here.

Making Use of Vault: Ansible

Tue, 19 Nov 2024 18:00:00 +0100

As we come towards the end of this mini series, we talked about how to bootstrap a hashicorp vault for non-prod use, what primitives vault uses for secrets management, and how to talk to vault from python.

Here we will dig into how you can access vault content within an Ansible workflow, ensuring you never more have the pain of managing secrets with ansible-vault, or worse, storing them plain text in a repo somewhere.

Making Use of Vault: Python

Tue, 19 Nov 2024 09:00:00 +0100

It’s remarkably easy to get sucked into hardcoding things that probably should live outside your code.

It is clear to many of us that storing secrets anywhere that isn’t vault (or something like it), is a terrible practice. It is also true that the best laid plans of mice and men aft gan aglais.

In other words, the problem is rarely that we don’t want to do secure coding, its that we lack the time, talent, or awareness to do this right. Don’t dwell on that too much either - its just how the world works.

Hashi Vault Primitives

Mon, 18 Nov 2024 20:00:00 +0100

Some Vault Primitives

Pretty much everywhere you go in vault you will find you need a few building blocks to make anything work.

Env Vars

Regardless of how you choose to talk to vault (CLI/WebAPI/SDK), you will find that the most common way to “encode” the vault settings is in an Environment variable. This is a nod towards its “cloud native” upbringing, where config files are the devil or something.

Bootstrapping Hashi Vault

Mon, 18 Nov 2024 18:00:00 +0100

Recently I have spent a reasonable amount of time in Hashicorp vault. As part of a mini series on how to make better use of it in Network Automation, I started writing this as a “intro” to a post on the subject.

As per usual with me, it ended up being so long that it had to be its own post. So. Here you are.

Some of you might have opinions about Hashicorp and their licence changes. I do not (either professionally nor personally), compete with Hashicorp, and so it is my understanding I can use their products in an opensource sense. If you feel differently, feel free to use openbao.

My Updated Fiber7-X VyOS 1.5 Config

Wed, 12 Jun 2024 13:00:00 +0200

A while ago I wrote about my VyOS config for Init7’s Fiber7-X product. Since then there has been a number of breaking changes, and a few additions that I would like to cover.

I will copy/paste a lot of the narrative from that post, and avoid a bit of the abstract conversation that went with it, so that this stands on its own.

If you have questions or comments, hit me up.

Untangling My Brain From Autocon1

Thu, 06 Jun 2024 09:13:06 +0200

Last week I had some fun in Amsterdam, and at no point was there any debauchery.

For those who are unaware, Autocon is a conference put together by the Network Automation Forum. Autocon1 was the second event ever, and the first in Europe. They ran autocon0 in Denver in the Autumn of 2023.

TL:DR - if you are in the network automation space, you have to try and get yourself there. It’s a very valuable event.

Using VPP as a MACSEC Replacement

Fri, 25 Aug 2023 13:26:03 +0200

As part of my VPP Adventures series, we have talked about what VPP is, why its interesting, and how we can prove it works. Today we spend a bit of time on what we can actually do with it.

Who actually uses MACSEC these days?

My first interest for a real world test of VPP was straight BGP routing for DFZ connected services. Kinda obvious no? For long and complicated reasons, it actually wasn’t (more specifically it couldn’t - we use IS-IS as part of our edge routing environment and VPP has issues there). Blocked on that, we found ourselves looking at something more esoteric.

VPP Adventures Part 3 - The Testbed

Thu, 24 Aug 2023 13:20:25 +0200

So far we have covered what VPP is, and why its interesting to us.

Part of the story with any new service/implementation always centres around testing. How do you prove, definitively, that something does what it says on the tin. RFC2544 outlines a series of testing strategies and for the purpose of this work we try to keep it simple.

I have deployed a TRex traffic generator on Debian 11 (OFED 5.7-1 doesn’t build on deb12) with Mellanox 2x100G ConnectX5 CDAT cards with Trex v3.04. There are really nice instructions here for that. Happily ignore the CentOS7 religious texts - Debian is fine. Death to DeadRat.

VPP Adventures Part 2 - but why?

Wed, 23 Aug 2023 13:15:32 +0200

In the previous post we were talking about what VPP was. Here we explore a little why it matters.

What’s the point anyways?

It’s a fair question. Surely its not logical to invest so much time and effort into something that has been described numerous times as “janky”. One of my engineers even now says, “I understand why you want to do it, but I don’t agree that this is the right solution”. She’s right too btw.

VPP Adventures Part 1 - uwotm8?

Tue, 22 Aug 2023 22:29:17 +0200

Linux Routing is becoming a thing with me. I cant decide if the motivation is the extreme cost of dedicated hardware, or the knowledge that with a little effort you can make a free/cheap thing into a giant killer. David and Goliath is a fun story I guess.

VPP has been on my radar now for a few years. I have tried and failed a few times to get it into production typically on the internet edge of a datacentre in place of something expensive like a Cisco ASR or a Juniper MX.

10G Router7 Install

Fri, 02 Jun 2023 13:16:30 +0200

Last year I wrote extensively about my experience with deploying VyOS to support my new uber fast internet connection.

I learned a lot in the process, and for this past year it has mostly worked fine. I am one of those people that can’t leave things alone however, and I was always tinkering with the setup. The VyOS box itself was happily communicating at 10G, but I would find the internal LAN would get choked up a lot and rarely hit 1G even with extreme threading (say 50-60 conns). I got grumpy about this for no reason and started to tinker. TL:DR - This was a mistake…

Hugo Migration Done

Wed, 12 Apr 2023 01:02:35 +0200

Weird. In my first hugo post just two days ago I speculated it would take me weeks to get this content off blogger and into hugo.

It took me three evenings.

All the DNS has been switched and we are now fully on hugo with a gitops workflow, previews on a branch push and I was even able to retain the old URL paths as an alias, so anyone googling my stupid opinions can still read them on the new or the old path. Noice.

Starting Again

Sun, 09 Apr 2023 20:57:16 +0200

Over the past year or so I found myself returning to my own blog to remind myself how I did things in VyOS and how I configured this or that thing or whatever. Each time I sort of hated the fact the theme was crap. Blogger themes are so dated, they remind me a little of Geocities now. I know that dates me somewhat too, but anyways. They suck and brosing for something that isn’t terrible seems more and more futile.

node_exporter in VyOS 1.4

Mon, 04 Apr 2022 23:23:00 +0200

So it turns out that if you want metrics from VyOS, your two options are SNMP or Telegraf (towards InfluxDB).

SNMP is one of those things that has been around so long, you think its good, but really, its trash. Its a 1990s technology that is mostly singlethreaded and provides you very very fuzzy numbers. 5 min averages are not that useful in situations like today where clients plausibly have access to gigabit+ grades of connectivity. If you cant observe let alone react to a microburst, you’re pretty much blindfolded in a modern DC network setting.

My Fiber7-X VyOS Config

Tue, 30 Nov 2021 18:04:00 +0200

Updated Jun 2024: This Vyos 1.4 config is now broken if you use a recent vyos 1.5 rolling release. I made a new post here that mirrors this one, but with the correct syntax!

Updated Aug 2022: After moving house I have been able to split my install between the basement and the house, so I bought myself an Dell Optiplex 7050 to be the VyOS router (the OTO is in the house), and then run a 10G fibre to the basement for the rest of the stuff. I think I will leave the post as is because the VM method is more interesting, but I will add a block on that below.

10/25 Gbit Internet at Home - a very 21st Century Problem

Sun, 28 Nov 2021 22:24:00 +0200

When I first arrived in Switzerland in 2017, aside from the clean air, beautiful countryside, and the promise of a highly paid job with which to support my family, I was transfixed by something that seemed completely alien to me - Fibre to the Home. Yes, I am a nerd, and Yes somewhat parallel to a comfortable living space, and good local schools, I made sure each house viewing included a search for an OTO. No Fibre, no way.

The even-ended number problem in Go and Python

Tue, 20 Oct 2020 10:44:00 +0200

During the Go Essential Training course on LinkedIn, the instructor sets up a problem for you to solve. The solution is in the next slide of the course, and mine was ever so slightly different anyways, so I doubt that this needs to come with a spoiler alert, but anyways…

An even-ended number is one that starts and ends with the same digit. That is to say 1, 11, 121, and 10103921 are all even ended numbers as they all start and end with the same digit.

A Modern NetDevOps learning plan

Tue, 20 Oct 2020 10:19:00 +0200

Now that I have I have set up a sort of a learning plan to plug some gaps in my knowledge that I always wanted to plug, but didn’t have the time to do properly.

Mindful that I have an opportunity for learning without external influences on my time, but also that my Daughter only has Kindergarten until lunchtime every day, I really only get the morning before the family time kicks in.

End of an Era: The Solera Years

Mon, 19 Oct 2020 17:31:00 +0200

Two weeks ago I was made redundant. COVID and “shifting business priorities” meant a re-org of my department and for whatever reason, that is that. Over the last year or so I had assumed this day might come and the question I had internally was if I would jump or if I would be pushed. Since I was slap bang in the middle of a key project, I had assumed I might still have 9-12 months or so left to close that out. Turns out I was wrong. Thankfully my documentation is average enough for them to cope without me.

Doing YANG Wrong: Part 5 - Manufacturer/Model deviations

Thu, 02 Jul 2020 15:26:00 +0200

Part 5: Deviations

So we can talk to the device, and we can use candidate configs to stage and then apply configs in aggregate, but we still can’t make a CSR1000v take a simple openconfig IP address. At the beginning I deliberately called out I wanted to use generic models, and avoid the deviations. This is because the python model binding i then generate only works on that vendor’s box now. This isn’t terrible, but it’s not really what we want. Lets see if it works tho.

Doing YANG Wrong: Part 4 - Config stores

Wed, 01 Jul 2020 13:57:00 +0200

Part 4: Config stores

As we head down this rabbit hole, we start to get ever closer to something useful, but ever more deep into the weeds of NETCONF/YANG. For the uninitiated, config stores are a place where you can put config chunks either singularly, or in aggregate over a series of netconf pushes, to generate a new config that you will apply in one hit. In the SP world you might want to setup some interfaces, some BGP and then some overlay like an MPLS service. You may not want to do all this in one script since you might not need all of those things in one script. better to make a script per thing, and then call the ones your CMDB thinks it needs, place them all in a candidate config, validate that as a whole and then push that in one go. If anything fails, you can then throw it all away and not touch the operational running config. At this point juniper folks are shrugging their shoulders - this is very old hat to them, but for enterprise people, particularly the type who lived on the CLI for years, this is unimaginable.

Doing YANG Wrong: Part 3 - Using the python bindings

Sat, 27 Jun 2020 00:44:00 +0200

Part 3: Using the python bindings to push a config

Given we generated that python file locally in a machine, we assume here that you are still in that subdirectory.

The below code was stolen fully from the YANG Book. Much love and all credit to them for their work.

from interface_setup import openconfig_interfaces
from pyangbind.lib.serialise import pybindIETFXMLEncoder
from ncclient import manager

# device settings
username = 'yangconf'
password = 'my_good_password.'
device_ip = '192.168.70.21'

# config settings 
inside_interface = 'GigabitEthernet4'
inside_ip_addr = '109.109.109.2'
inside_ip_prefix = 24


def send_to_device(**kwargs):
    rpc_body = '<config>' + pybindIETFXMLEncoder.serialise(kwargs['py_obj']) + '</config>'
    with manager.connect_ssh(host-kwargs['dev'], port=830, username=kwargs['user'], password=kwargs['password'], hostkey_verify=False) as m:
        try:
            m.edit_config(target='running', config=rpc_body)
            print('Successfully configured IP on {}'.format(kwargs['dev']))
        except Exception as e:
            print('Failed to configure interface: {}'.format(e))


if __name__ == '__main__':
    # instanciate the openconfig model
    ocintmodel = openconfig_interfaces()

    # create an instance of the interfaces
    ocinterfaces = ocintmodel.interfaces

    # create a new interface instance in that parent object
    inside_if = ocinterfaces.interface.add(inside_interface)

    # even a routed interface required a subinterface, its just at index 0
    inside_if.subinterfaces.subinterface.add(0)

    # create an instance of that subinterface object to edit
    inside_sub_if = inside_if.subinterfaces.subinterface[0]

    # apply an IP to that object
    inside_sub_if.ipv4.addresses.address.add(inside_ip_addr)
    
    # read that ip object into an ip object
    ip = inside_sub_if.ipv4.addresses.address[inside_ip_addr]

    # set the IP and the subnet mask properly

    ip.config.ip = inside_ip_addr
    ip.config.prefix_length = inside_ip_prefix
    send_to_device(dev=device_ip, user=username, password=password, py_obj=ocinterfaces)

When I run this, it fails.

Doing YANG Wrong: Part 2 - Python Bindings

Sat, 27 Jun 2020 00:28:00 +0200

Part 2: Python bindings for models

Having a model is one thing. Using it requires you to ingest that model somewhere, apply values to its elements (leaves) as necessary/appropriate and then submit that completed model to the appliance for application to the config.

I’m a python guy, you might like Go, or ruby or whatever. thats up to you, but I use python right now, which means I use pyangbind and pyang to create pythonic modules I can import into a script, and then interact with the model attributes like I would any other object in python. We can then push that out to a device from that script.

Doing YANG Wrong - Part 1: Getting started

Thu, 25 Jun 2020 15:28:00 +0200

This is more of a discovery post than anything particularly useful. It charts my adventure from a problem statement, through discovery of a solution, to a dead end. I post it here to help people see the logic I followed, and why, against all wisdom, it didn’t work.

Note that if you are familiar with YANG, I know why this is NOT the right way to do this, but I only know that having done this as shown here. Please don’t waste your time in the comments with nerdsplaining that to me. This is to show people a process and to help people who feel stupid when this stuff doesnt work, to see that they’re not alone. I learn by making mistakes.

Network Automation: from spreadsheets to YANG and everything between

Mon, 22 Jun 2020 17:52:00 +0200

Over the last few years I have spent a significant amount of time in YAML and Ansible. I’m not an expert by any means, but I can probably get anything I need done in maybe a few days worth of tinker time. I’m what you would call a fair weather scripter.

One thing I learned from building about 30,000 lines of YAML whilst orchestrating ACI, was that Ansible is a square peg, and everything networking is a round hole. Sometimes it fits, sometimes it doesn’t, but it is never perfect. Never.

Software Defined Waffle with a gitops topping

Mon, 22 Jun 2020 12:51:00 +0000

Over the last two years or so, I have been on adventure with Data Centre Infrastructure renewal. As past posts may allude to, ACI was a big part of what we did, but before anyone gets all dogmatic about it, know that we didn’t go “All in” with that one product, since I personally don’t subscribe to the “DC Fabrics cure all ills” mantra.

CLOS fabrics and the various approaches to overlays within them are great at providing stable platforms with predictable properties for speed, latency and scale. Unsurprisingly, they go on to do a great job in server farms that can make the best use of that flexibility. During recent conversations on DC refresh, our Arista friends have been extremely keen to try and get us to run our Internet BGP border on the fabric as well. The 7280SR2K can handle 2M routes in FIB they say, just lob stuff into a VRF, bit of policy and voila. Yeah.

ACI: Controller Upgrades with Python

Thu, 28 Jan 2016 01:42:00 +0000

So I bought my ACI bundles so long ago that they’re still running 1.0(3f). Right now mainline is 1.2(1k), so i’m a bit behind.

Using the official Cisco doc I did the first staged upgrade from 1.0 to 1.1 using the Web GUI. I wanted to see what happened in a visual sense.

Basically you setup a connection between the APIC and a host that has staged the firmware files, then you setup a policy defining what versions the fabric should be on, and when that should be made active. For me it was 1.1(4f) and now basically.

ACI: Initial Design Considerations

Mon, 18 Jan 2016 11:49:00 +0000

ACI brings with it many different constructs for operating networks, some of which have analogous equivalence with classical networking, some of which are literally bat-poop crazy.

As per usual, you can find lots of resources on how to structure ACI fabrics elsewhere, i’m not going to waste time on what you can do and focus on what I am going to do (roughly).

The below Image was unceremoniously stolen from Cisco themselves, in the critical read ACI Fundamentals

ACI: Mini Rant to INSBU

Fri, 15 Jan 2016 14:34:00 +0000

Before I get too wound up I should probably say that all of this was directed to my friends there first, and whilst I won’t say much about their thoughts, I don’t think this is particularly new to them, or out of place.

I have a fondness for ACI. I think its innovative, and once you break through the naming conventions and the terminology, it’s exactly what I think Enterprise should be doing in terms of Next Generation Networking. That said, INSBU are not helping themselves penetrate the market, and as such, are putting themselves at risk of falling behind to Openstack.

ACI: Rack & Stack

Fri, 15 Jan 2016 12:31:00 +0000

Plumbing ACI is something that YouTube has you covered on. I wont reinvent that wheel. For the initial standup, I am doing the bare minimum connectivity; each leaf has one 40G uplink to each spine, meaning, 80G of North/South Bandwidth. This will double up when we are preparing for Production service, matching my UCS/FI Bandwidth between each Chassis (4x10G links to each side of my 2208XPs). My 3 APICs are configured as follows:

ACI: The Setup

Tue, 12 Jan 2016 12:30:00 +0000

On Friday last week we rolled out our ACI solution into one of our DCs. The setup is simple, comprising of;

2x Nexus 9336pq "Baby" Spines
4x Nexus 9396px Leaf Switches
3x APIC Controllers
2x ASA 5585x Firewalls

The compute behind it is UCS based and we have F5 LTMs in the ADC role.

Over the weekend I provisioned it. That did not go well. Today I had to go back and revisit the cabling, and then the Fabric initial setup, and then redid the entire thing from scratch again. Oops.

The ACI Adventure Begins

Sat, 09 Jan 2016 18:21:00 +0000

Starting yesterday I began to deploy our Nexus 9000 ACI solution into our Datacentre. Scary yet fun times are ahead.

Over the course of the project I will do my best to chronicle anonymised info that talks about what we did and how we did it. Some of that may be of use to another ACI hopeful, whereas some will be pretty specific to my environment. One thing I won’t be doing is reinventing the blogging wheel, and I will chose to refer to others that helped me, rather than rehash the same subjects over and over again.

Why I Bought an Airconsole

Mon, 29 Jun 2015 14:56:00 +0000

Today I was reminded what a great git of Kit the really is. Its essentially a box that gives you Serial Access to a device via an RJ45 (Cisco pin-out) using WiFi, Bluetooth or wired, using a web GUI, or a bonkers driver setup on your machine.

For me, I use the AirConsole at work in a jack of all trades way.

I cable the Serial Dongle to the Router
I have a WiFi client profile configured that will auto join my (pervasively configured) corporate dirty network.
I have a WiFi AP setup in the AirConsole that securely presents a new network that I can join to access the Serial Port
I have NAT configured on the AP->Client WiFi so that I can still access the internet from that client Laptop
I have the Ethernet port configured to bridge with the AP interface, so I can get a wired device to connect to the Serial setup, and the internet.

So, most of the time what I find myself doing is plugging in the AirConsole, then going to a nearby desk and connecting to the AirConsole Web interface via HTTPS over the dedicated WiFi. I can then configure my box, and still access the internet.

Using CallManager APIs for fun and profit: Part 4 - Python End to End

Mon, 29 Jun 2015 00:41:00 +0000

So by now you can use SoapUI and Python to read info out, and can utilise SoapUI Test Cases to validate, and deliver changes to the CallManager system. Again, please do ensure you have reviewed parts 1-3 before entering into this post. Its entirely contextualised within the series.

Up until now what we have been doing is quite focused on a single object being added or sense checked. In this, the final post in this mini series we will be looking at an end to end python script that can be used to add a new end user to the system, with pre and post validation.

Cisco Live 2015

Thu, 11 Jun 2015 19:55:00 +0000

This week is a first for me. I’m at Cisco Live in San Diego. It’s been pretty awesome so far I have to say!

Full Disclosure, I was brought here by Cisco to talk to Analysts about ACI. However, I should also point out my only session was closed door feedback on why we chose the solution, and how its helped us to date. Since we are only at the early stages, it was a short conversation. I thank Cisco for their hospitality, and for allowing me to access Conference Level sessions that my explorer level pass would not normally allow.

Using CallManager APIs for fun and profit: Part 3 - Changes

Mon, 01 Jun 2015 10:41:00 +0000

In this the third part of my mini series on using the CUCM API, we start to get further into the Ju-Ju, and check web app changes via the API, before then going on to make a change via the API itself.

As before if you haven’t gone through the previous two posts then please, head back to the start and we will see you back here shortly.

Whats your motivation today?

There are two reasons why you might want to use an API in your day to day changes.

Using CallManager APIs for fun and profit: Part 2 - Python

Sun, 31 May 2015 18:33:00 +0000

In this part 2 of my API adventure, I will be looking at repeating what we did Part 1 via SoapUI, but this time in python using the suds library. If you haven’t read that yet, then really, please go back and do that. This will not be wildly useful otherwise.

Getting SOAP-y with Python suds

Yeah I went there…

So, we have a process that allows us to programatically look stuff up. Only its not very repeatable, and therefore not much use yet. With this post I will take you through the creation of a python script that mimics what we did previously - finding things, and showing them to you.

Ciscoconfparse Wetdream

Sat, 30 May 2015 03:07:00 +0000

Ick, I know.

Python has long been the language of choice for engineers looking to make their day go that little bit quicker or easier. With deepening skill levels, more and more complex repetitive tasks can be disected and segmented into functions and reuable code, such that a competent scripting engineer can go from blank page to automated process in a matter of hours in most cases. It is for this reason that I sit here to write this - an advocacy for ALL Cisco engineers to down tools and spend however long you need to get good at this.

Using CallManager APIs for fun and profit: Part 1 - SoapUI

Fri, 29 May 2015 16:13:00 +0000

This is one of those posts that I will constantly refer back to… ;)

In my day job it’s clear to me that we need to automate more and more of the dumb day to day stuff. One of those things is Leavers and Starters on our phone system.

We employ Cisco CallManager, much like the rest of the world, and if you have ever spent any time with it, you will know that its VASTLY over-complicated to manage. A single extension on someones’ desk requires (at least):

The SDN Conundrum

Fri, 22 May 2015 02:48:00 +0000

Oh how the world has changed since I started out in the wonderful trade.

We used to have VLANs and subnets; switches, routers and firewalls. People would moan things didn’t work and we did a traceroute to figure out why. We would bash out a fix, and if it broke, we would bash out another. It was the wild west, and that was fun. Cowboy hats were standard issue.

Then along came the bad guys, and with them, the policy doctors. Changes became more structured and requirements became more complex. Environments spiraled out into wider geographical areas and management became less about break fix and more about tightly structured architecture. The industry responded with protocols and toolchains, each with their own use case, and bit by bit, the sector split up into the key areas of WAN, DC and Campus.

IPv6 on Cisco ASA

Fri, 22 May 2015 00:25:00 +0000

This is the first in what will no doubt be a many part series on deploying IPv6. This is a problem I have had to overcome recently, and still to this day I battle with the implementation subtleties. If you find yourself in my shoes, I hope you find this helpful.

So, firstly, you need to consider your architecture. Mine, I am reliably told is totally wrong.

I use ASAs as routers in the campus. Why? Cos shut up - that’s why! I like to maintain user group segmentation, and I also like to maintain security policy quite tightly. Therefore I put all users in VLANs managed by 802.1x, and all those VLANs gateway on an ASA trunk subinterface. I then provide an appropriately sized routed L3 subnets from a site specific IPv4 /21 and have ACLs as access-groups. Voila - policy is maintained at the gateway border.

Back Once Again

Wed, 02 Oct 2013 00:13:00 +0000

…for the renegade master!

Blogging is once again on my radar. Why I will never know, but I guess I have missed having the outlet of shouting into the massive empty room that is the interwebs. Its cathartic.

I am actually sitting here quite happily nodding along to Fatboy Slim now. Those were the days.

So, you know what really grinds my gears (no, not Lindsay Lohan), not having enough compute. I spend my days right now buried in VMware vCloud Director, trying to Architect a very old square peg into the newest of round holes.