PowerShell with Windows DHCP Quick Win

Keep calm and import module dhcpserver

Recently I needed to check the lease duration for about 25 DHCP scopes on a Windows Server 2012 machine. I’m not a PowerShell guru but I knew there must be an easier way than clicking myself to death. By the miracle of social networking, and thanks to the awesomely-smart Blake Krone, a single command worked for me:

PS C:\Users\swack> Get-DhcpServerv4Scope -ComputerName mydhcpserver-prd1

The output was a table with the following column headers:

  • ScopeId (basically the subnet)
  • SubnetMask
  • Name
  • State (Active or Inactive)
  • StartRange
  • EndRange
  • LeaseDuration (a TimeSpan, displayed as HH:MM:SS, or as D.HH:MM:SS where D is days once the lease is a day or longer)

In hindsight, I did a quick search for the command name and found a great post over at Windows OS Hub.

One of the other tricks I had to learn on my own was that the command wouldn’t work on my workstation nor on the DHCP server itself, but it did work on the domain controller. I think it may have to do with a missing PowerShell module (DHCPServer) but that also I couldn’t get to install, even with the commands I was finding through Google.
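As an added example (not part of the original post), here is a short script that turns the Get-DhcpServerv4Scope output into a pass/fail report against a lease-duration policy. The threshold values, scope names and server name are made up, and the sample objects are constructed to stand in for real cmdlet output so the function can be exercised without a DHCP server.

```powershell
# Added example, not code from the original post. Assumes the DhcpServer module
# is available (it ships with the RSAT DHCP Server Tools) and that the caller
# has read rights on the DHCP server when run against a live host.

function Get-LeaseDurationReport {
    # Flags scopes whose lease duration falls outside an acceptable window.
    # $Scope accepts Get-DhcpServerv4Scope objects (or anything shaped like them).
    # The 4-hour / 8-day window is an illustrative policy, not a recommendation.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Scope,
        [TimeSpan] $MinLease = [TimeSpan]::FromHours(4),
        [TimeSpan] $MaxLease = [TimeSpan]::FromDays(8)
    )
    process {
        # LeaseDuration is a System.TimeSpan; the console renders it as HH:MM:SS
        # or D.HH:MM:SS, so compare the object itself, not its string form.
        $lease  = [TimeSpan] $Scope.LeaseDuration
        $status = if ($Scope.State -ne 'Active') { 'Inactive' }
                  elseif ($lease -lt $MinLease)  { 'TooShort' }
                  elseif ($lease -gt $MaxLease)  { 'TooLong' }
                  else                           { 'OK' }

        [pscustomobject]@{
            ScopeId    = $Scope.ScopeId
            Name       = $Scope.Name
            State      = $Scope.State
            LeaseHours = [math]::Round($lease.TotalHours, 1)
            Status     = $status
        }
    }
}

# Constructed sample data standing in for Get-DhcpServerv4Scope output.
# '8.00:00:00' is the D.HH:MM:SS form (8 days); '08:00:00' is HH:MM:SS (8 hours).
$sampleScopes = @(
    [pscustomobject]@{ ScopeId = '10.1.10.0'; Name = 'Users-Floor1'; State = 'Active';   LeaseDuration = [TimeSpan]::Parse('8.00:00:00') }
    [pscustomobject]@{ ScopeId = '10.1.20.0'; Name = 'Guest-WiFi';   State = 'Active';   LeaseDuration = [TimeSpan]::Parse('00:30:00') }
    [pscustomobject]@{ ScopeId = '10.1.30.0'; Name = 'Printers';     State = 'Active';   LeaseDuration = [TimeSpan]::Parse('30.00:00:00') }
    [pscustomobject]@{ ScopeId = '10.1.40.0'; Name = 'Old-Lab';      State = 'Inactive'; LeaseDuration = [TimeSpan]::Parse('08:00:00') }
)

# Offline run: Users-Floor1 -> OK, Guest-WiFi -> TooShort, Printers -> TooLong, Old-Lab -> Inactive
$sampleScopes | Get-LeaseDurationReport | Format-Table -AutoSize

# Against a real server (hostname is a placeholder), showing only the scopes
# that need attention, longest leases first. Changes would go through
# Set-DhcpServerv4Scope -LeaseDuration; review the report before touching anything.
# Get-DhcpServerv4Scope -ComputerName mydhcpserver-prd1 |
#     Get-LeaseDurationReport |
#     Where-Object Status -ne 'OK' |
#     Sort-Object LeaseHours -Descending
```

The cmdlet only exists on hosts that have the DhcpServer module, which comes with the RSAT DHCP Server Tools (Install-WindowsFeature RSAT-DHCP on Windows Server, or the RSAT package on a workstation). Running Get-Module -ListAvailable DhcpServer on each machine tells you quickly which hosts can run the script and which cannot.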

I’d love to hear your experience with this command, or any cool scripts you’ve written or found in your travels. Drop me a note on Twitter (@swackhap) or add a comment below. Thanks!


Launching Into Devops/Netops With Python and Ansible


I’ve had the great fortune to take a Python and Ansible Programming for Network Engineers class from Kirk Byers (@kirkbyers) of PyNet over the last 9 weeks. I’m not a pro at either yet, but I see a future in my organization where we can take advantage of simple scripting, and perhaps more. An ideal case for our team would be to use Ansible to generate and push configurations based on templates to closet/IDF switches. This would save a lot of time and ensure all configs meet the given standard. The Ansible template can be crafted in such a way that we can audit existing switches and even push updates to them based on a template. 

We started off with the basics of the git version control system and Github, the online hub for many individuals’ and corporate repositories. These are essential to proper step-by-step code creation: write some code, test it, then commit the changes so we know we have something good to fall back on if the next change messes things up. We then went on to structured data formats such as JSON and YAML, which are common ways to represent things you want to send to (or get from) a router, switch, or flat configuration file. Since many of us network nerds use Cisco, we were introduced to the CiscoConfParse Python library as a way to translate a standard Cisco IOS configuration file into a structured data format. This makes it much easier to script operations against Cisco configurations.

Throughout the 9-week course, Kirk added on more and more useful libraries with great examples in the videos and assigned exercises as well as his Github repo. The repo (short for repository) has all his solutions to the exercises, but as with any learning experience you learn the most by writing your own code and only “cheating” (wink, wink) periodically. Some of these libraries along with example use cases included:

  • telnetlib (allows telnet connections to a target network device)
  • pysnmp (execute SNMP GET requests for monitoring)
  • snmp_helper (Kirk’s handy-dandy SNMP function that manipulates output from pysnmp to make it more usable)
  • time (used alongside SNMP polling to detect whether the config has changed since the last check)
  • getpass (interactive way to ask user to input password while masking it on the screen and assigning it to a variable in the code)

More to come in future posts. I definitely recommend signing up for this course if you’re a network engineer and want to get started with Python and Ansible.

Some Things I Didn’t Know About Aruba ClearPass

So I just finished attending my second year of Aruba’s Atmosphere (a.k.a. “Airheads”) conference, and this time around my learning focus was on ClearPass.  In case you didn’t know, ClearPass is basically a glorified RADIUS authentication server. But it can also do SO MUCH MORE.

I have experience with ClearPass handling TACACS+ authentications for all our Cisco gear, and we use it for downloadable ACLs for our ASA firewalls. It’s pretty much the bee’s knees. I even had the opportunity to share a couple of stories this week with Ten Talks, fashioned after Keith Parsons’ use of TTs at the annual Wireless LAN Professionals Conference (WLPC).

Thing #1 I didn’t know: There’s “hidden documentation” on the APIs built into the product. That’s right, you can go to https://clearpassIP/api-docs and see all sorts of lovely documentation on the APIs available in that particular version of ClearPass. They first started with APIs for Guest, the element of CP used to handle guest registration and one-time, time-limited access credentials and workflows. Apparently they’re also opening up APIs for the TIPS functionality of CP starting in April in v6.6. So basically anything you’d normally see or configure at https://ClearpassIP/tips will be available via a RESTful API. See below for some sample screenshots.

(Three screenshots of the ClearPass api-docs page, captured 2016-03-10.)

Thing #2 I didn’t know: There’s apparently a “graphite” graphing utility available at https://clearpassIP/graphite that allows you to see how much data is being transferred between members of a ClearPass cluster. There’s a reference to it in Danny Jump’s Tech Note on Clustering Design Guidelines. Unfortunately, when I tested it on my system I got “Error 403 Forbidden.”

Thing #3 I didn’t know: Default ClearPass settings are NOT the same as recommended ClearPass settings. The Clustering Design Guidelines document mentioned above has some recommendations that I need to review and see if we need to make changes in our environment.

Thing #4 I didn’t know: Every ClearPass Policy Manager (CPPM) that uses Active Directory (AD) or other LDAP authentication should be joined to the domain via a domain controller that is LOCAL TO THE CPPM. This might explain why I experience timeouts with TACACS+ authentication every morning—because it’s having to traverse the WAN to complete the AD auth.

Thing #5 I didn’t know: Airwave can be added as an “Endpoint Context Server” to ClearPass. This enables a link to “Open in Airwave” when viewing a particular authentication in Access Tracker (see below). Clicking the link will open Airwave and, if the device is currently connected to an Airwave-managed device, will show you health status, connection path, etc. Pretty cool stuff.

(Screenshot of the “Open in Airwave” link in Access Tracker, captured 2016-03-10.)

I took in a lot of info this week. Now I hope I can act on it back at the office before I start getting back into the grind!