I recently had the need to find all of the interfaces on one of my VSX clusters which aren't used, so I can delete them and reclaim some networks and VLANs. I banged together this little script to get that information for me.
If there are VSs, it goes through them one by one. In each VS (or in the default routing table if there are no VSs), it then goes through the interfaces one by one, finds each one's IP address, skips the interface if it doesn't have one, or does a ping/ARP sweep of the network if it does.
The Linux network kernel has an infuriating limitation—there's no way to actually delete an ARP entry short of disabling ARP on the whole interface. The scan works by trying to resolve a bunch of IPs via ARP and checking if they respond. This can fill up the ARP cache if you go too quickly, which can prevent new real entries from being added. To work around this, I have to sleep for five minutes between interface scans. This lets the garbage collector catch up with all the junk entries I add, but it makes the scan very slow.
If Check Point eventually moves to a real OS, the 'sleep 300s' can be removed, and the 'if [ $(arp -n $scanAddress ...' test inside the 'for scanAddress' loop in scanNetwork can be given an 'else' branch that runs 'arp -d $scanAddress' to immediately purge incomplete entries.
It outputs one line per interface. The line will either be in the form "eth0 has no IP address. Skipping.", or in the form "29 items in eth0 10.20.30.40/24". If it's on VSX, the line will include the VSID.
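A condensed shell version of the sweep described above, added here as an illustration; it is not the author's scanInts.sh. It assumes /24 networks, net-tools 'arp -n' output and a single routing table (no per-VS loop); scanNetwork and scanAddress follow the post, while hosts_in_24, arp_resolved, scanInts and the constructed SAMPLE_ARP are my own names.

```shell
# Added example, not the author's scanInts.sh: /24 networks, net-tools
# `arp -n` output, and a single routing table (no per-VS loop) are assumed.
# Constructed sample of `arp -n` output, used by the offline checks below.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
10.20.30.1               ether   00:11:22:33:44:55   C                     eth0
10.20.30.7                       (incomplete)                              eth0'
# Turn "10.20.30.40/24" into the 254 host addresses of that network.
hosts_in_24() {
    local net="${1%/*}" i=1
    net="${net%.*}"                          # drop prefix length, then last octet
    while [ "$i" -le 254 ]; do
        printf '%s.%d\n' "$net" "$i"
        i=$((i + 1))
    done
}

# Succeed if the given `arp -n` text holds a complete (resolved) entry for the
# address; "(incomplete)" rows are the junk entries the post warns about.
arp_resolved() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 == ip && $0 !~ /incomplete/ { found = 1 } END { exit !found }'
}

# Probe every host on the interface's network and count those that answered.
scanNetwork() {    # args: interface, address in CIDR form
    local iface="$1" cidr="$2" scanAddress count=0
    for scanAddress in $(hosts_in_24 "$cidr"); do
        ping -c 1 -W 1 -I "$iface" "$scanAddress" >/dev/null 2>&1
        if arp_resolved "$(arp -n -i "$iface")" "$scanAddress"; then
            count=$((count + 1))
        fi    # an else branch running `arp -d "$scanAddress"` would purge the junk on a kernel that honours it
    done
    printf '%d items in %s %s\n' "$count" "$iface" "$cidr"
}

# One interface at a time; the five-minute pause lets the neighbour table's
# garbage collector drain the incomplete entries before the next sweep.
scanInts() {
    local iface cidr
    for iface in $(ip -o link show | awk -F': ' '{print $2}'); do
        iface="${iface%%@*}"                 # "eth0.10@eth0" -> "eth0.10"
        cidr=$(ip -o -4 addr show dev "$iface" | awk '{print $4}' | head -n 1)
        if [ -z "$cidr" ]; then
            echo "$iface has no IP address. Skipping."
            continue
        fi
        scanNetwork "$iface" "$cidr"
        sleep 300
    done
}
```

Run it as 'nohup sh -c ". ./scan.sh; scanInts" &' (assumed file name) to get the same per-interface lines the post describes; the counting relies on the probed hosts answering ARP, so a host that drops ICMP but answers ARP is still counted.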
The recommended way to run it is like this:
nohup ./scanInts.sh &
That will write the output to nohup.out in the current directory, or ~/nohup.out if the user can't create files in the current directory.
I have tested this on VSX R67 and on an R77.30 system. It hasn't caused any observed issues on any of my systems. Still, be careful if you use it. It could definitely still overflow the ARP cache.
It will require minor modification to work on 3.10 kernel systems, as they use network namespaces rather than VRFs. The test for whether it's VSX or not would have to be something like 'if [ $(ip netns list | wc -l) -gt 1 ]', and the VSID would be 'cat /proc/self/nsid' rather than 'cat /proc/self/vrf'.