Tuesday, July 31, 2018

Python 1. Lambda, list and dictionary comprehensions.

Lambda 

Lambda is a small anonymous function which can accept any number of arguments but can only have one expression:

>>> g = lambda a,b,c :  a**b - c # literally this means lambda accepts a, b and c variables, and returns "a**b-c"
>>> g
<function <lambda> at 0x7fe8640b5410>
>>> g(1,2,3) # 1**2 - 3 = 1 - 3 = -2
-2
>>>

List comprehension

>>> squares = [n**2 for n in range(10)] 
>>> squares
[0, 1, 4, 9, 16, 25, 36, 49, 64, 81]
>>> squares = [ # more readable form of list comprehensions
... n**2 # like SQL SELECT
... for n in range(10) # like SQL FROM
... ]
>>> squares
[0, 1, 4, 9, 16, 25, 36, 49, 64, 81]
>>> squares = [
... n**2 # SELECT
... for n in range(10) # FROM
... if n%2 == 0 # WHERE
... ]
>>> squares
[0, 4, 16, 36, 64]
>>> type(squares)
<type 'list'>
>>> letters = [letter for idx,letter in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ")] # idx is not used here, list("ABC...") would give the same result
>>> letters
['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z']
>>> 

Dictionary comprehension

>>> test_dict = {index+1 : letter for index, letter in enumerate(letters)}
>>> test_dict
{1: 'A', 2: 'B', 3: 'C', 4: 'D', 5: 'E', 6: 'F', 7: 'G', 8: 'H', 9: 'I', 10: 'J', 11: 'K', 12: 'L', 13: 'M', 14: 'N', 15: 'O', 16: 'P', 17: 'Q', 18: 'R', 19: 'S', 20: 'T', 21: 'U', 22: 'V', 23: 'W', 24: 'X', 25: 'Y', 26: 'Z'}
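
The three constructs above applied to a task closer to daily work, as an added example that is not part of the original post: picking failed SSH logins out of auth.log-style lines with a filtered list comprehension, counting attempts per source address with a dictionary comprehension, and using a lambda as the sort key. The log lines are constructed in the format of /var/log/auth.log, not real data, and the threshold of two attempts is an arbitrary choice.

```python
import re

# Constructed sample in the format of /var/log/auth.log (not a real capture).
AUTH_LOG = """\
Jul 31 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 31 10:00:03 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jul 31 10:00:05 bastion sshd[2107]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Jul 31 10:00:09 bastion sshd[2110]: Failed password for root from 203.0.113.9 port 33012 ssh2
Jul 31 10:00:12 bastion sshd[2113]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jul 31 10:00:15 bastion cron[2120]: pam_unix(cron:session): session opened for user root
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def failed_logins(log_text):
    """List of (user, source_ip) tuples, one per failed login line."""
    return [
        m.groups()                                                        # SELECT user, ip
        for m in (FAILED.search(line) for line in log_text.splitlines())  # FROM every line
        if m                                                              # WHERE it is a failed login
    ]


def attempts_per_source(log_text):
    """Dictionary comprehension: source_ip -> number of failed attempts."""
    pairs = failed_logins(log_text)
    # Readable but O(n^2); for large logs collections.Counter is the idiomatic tool.
    return {ip: sum(1 for _, src in pairs if src == ip) for _, ip in pairs}


def noisiest_sources(log_text, threshold=2):
    """Sources with at least `threshold` failures, busiest first, then by address.

    The lambda is the sort key: negative count so larger counts come first.
    """
    counts = attempts_per_source(log_text)
    return sorted(
        ((ip, n) for ip, n in counts.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for ip, n in noisiest_sources(AUTH_LOG):
        print("%s: %d failed logins" % (ip, n))
```

The comprehension in failed_logins keeps the SELECT / FROM / WHERE shape shown above: the inner generator runs the regex once per line, and the `if m` clause drops lines that did not match, so no line is scanned twice.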
>>> 

Friday, July 20, 2018

Linux 1. Using Linux screen utility.

Screen is a utility that lets you run several terminal sessions inside a single terminal window or SSH connection; a session keeps running (detached) when the connection drops, and you can reattach to it later.

To install screen:
yum install screen -y

Using screen

  1. Opening new screen session: 
    1. Create a screen session with the default name (it will be named <pid>.<tty>.<host>):
      1. screen
    2. Create a screen session with a custom name (<pid>.<custom-name>), e.g. wget-download, so that sessions can be told apart by name:
      1. screen -S wget-download
  2. To view all screen options:
    1. hit and release Ctrl+A and then hit ?
  3. To detach (disconnect) from current screen (you'll see "[detached from ..]" message):
    1. hit and release Ctrl+A and then hit d
  4. To list all sessions (the number left of the "." is the screen id; (Detached) means nobody is connected, (Attached) means somebody is currently in that session):
    1. screen -ls
  5. To reattach (reconnect) to the needed screen:
    1. By id:
      1. screen -r 12215
    2. By custom-name:
      1. screen -r wget-download
    3. Connect to already attached screen:
      1. screen -d -r 12215
  6. To lock current screen (password of the local user will be needed):
    1. hit and release Ctrl+A and then hit x
  7. To work with several windows inside one screen session (what the post calls nested screens are windows of the same session; the screen id stays the same, and the window list shows them as 0 bash, 1 bash etc.):
    1. To create a new window:
      1. being inside screen hit and release Ctrl+A and then hit c
    2. To switch between windows:
      1. being inside screen hit and release Ctrl+A and then hit n (next window) or p (previous window)
    3. To list all windows of the session:
      1. being inside screen hit and release Ctrl+A and then hit " (double quote - Shift+single quote)
  8. To "kill" a screen session:
    1. to terminate the current session type exit in each of its windows (the session ends when its last window closes)
    2. to terminate any (e.g. detached) session cleanly by its id or name:
      1. screen -S 12215 -X quit
      2. screen -S wget-download -X quit
    3. to terminate a session by its id from outside screen (the screen id is the system PID of the SCREEN process):
      1. kill pid

Tuesday, July 3, 2018

ASA 1. Active/Standby Failover.

1. Small FAQ

ASA Services Module is not considered in this blog post.
Failover can be Active/Active or Active/Standby. Active/Active failover must be set up in multiple-context mode (failover groups are assigned per security context) and does not support VPN failover. Active/Standby failover supports VPN failover, but all traffic goes through the ASA in the active role only (load balancing is not supported). The primary and secondary units never change their type (primary or secondary); only their state/role changes (e.g. the secondary unit can be in the active role after the primary unit fails).
Each unit dedicates one physical port to the failover control link. This post connects the two ports back-to-back; a dedicated switch or VLAN also works, but the link must never be shared with data traffic. The failover control link is used for:
  1. initial failover peer discovery and negotiation
  2. replication of the configuration from active to the standby peer
  3. unit health monitoring
Both Active/Active and Active/Standby failover can be configured in a stateless manner (no connection state is tracked, so existing connections are dropped on switchover) or a stateful manner (connection state is replicated, so established connections survive a switchover). By default failover is stateless. To support stateful failover a state link must be set up, either on its own interface or sharing the failover control link.
The active unit accepts configuration changes and replicates the same commands to the standby unit; no configuration changes should be performed on the standby unit. With stateful failover the active ASA builds, monitors and tears down all connections, and the following information is also tracked and synchronized:
  1. stateful table for UDP and TCP connections
  2. ARP table and MAC mapping table
  3. routing table
  4. certain application inspection data
  5. most VPN data structures (only some clientless VPN information remains stateless)
With Active/Standby failover, an automatic switchover occurs when the active unit becomes less operational than the standby unit, i.e. when at least one of the following happens:

  1. one of the monitored interfaces fails
  2. an interface expansion card fails
  3. an IPS, CSC or CX application module fails

Hello (health) messages are exchanged every second by default (the unit poll interval). If the failover control link itself fails, the units can no longer monitor each other and failover is effectively disabled until the link is restored. By default a switchover occurs when at least one monitored interface on the active unit (or within an active failover group) fails; this threshold is set with the failover interface-policy command.

Failover provides very effective first-hop redundancy: the MAC and IP address pair on each data interface moves between the failover peers according to which unit is active at any given time. Because all physical interface connections and their configurations are identical between the members of a failover pair, a switchover is transparent to adjacent network devices and endpoints (the new active unit announces the moved addresses with gratuitous ARP). When you enable failover, the IP address configured on each data interface becomes the active address and the standby address is used by the standby unit. When the active unit fails, the standby peer assumes ownership of the active addresses upon taking over the active role and picks up transit traffic processing.

Active/Standby failover does not preempt: a secondary unit that became active remains active even after the primary unit becomes healthy again. The primary unit takes the active role back only if the secondary unit fails or the switchover is done manually (failover active on the primary).

All configuration changes must be made on the active unit, whether that is the primary or the secondary.

2. Preparation

  1. When pairing two devices for failover, the following must be identical:
    1. exact model number
    2. number and type of physical interfaces (including any expansion modules)
    3. cabling: each data interface must be connected to the same Layer 2 segment on both units, otherwise interface health monitoring reports false failures
    4. all hardware or software modules
    5. amount of RAM and system flash
    6. software image during normal operation (different images are supported only during an upgrade)
    7. prior to ASA 8.3(1), the licensed features
    8. Cisco ASA 5505, ASA 5510 and ASA 5512-X appliances must have the Security Plus license installed
    9. the state of the Encryption-3DES-AES license must match, i.e. it must be either disabled or enabled on both failover peers
  2. Choose a role for each ASA: one will be primary and the other secondary (e.g. old ASA - primary / new ASA - secondary).
  3. Dedicate one physical interface (the same, i.e. Gi0/3 on both) on each unit for the failover control link and connect them back-to-back without an intermediate switch.  
  4. If you plan to use stateful failover - dedicate another physical interface to be used as stateful link
  5. Choose IP addresses for the primary and secondary units, used failover subnet cannot overlap with any data interfaces (one subnet per failover control and failover state links)
  6. Choose security key to encrypt failover traffic

3. Setup

3.1 Setup with separate physical interface for Failover Link and State Link

Start the failover configuration on the primary unit (plan a maintenance window: the data interfaces go down while the unit transitions to the active state, which takes roughly one minute):
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
failover lan unit primary 
failover lan interface FailoverControl GigabitEthernet0/2 
failover link FailoverState GigabitEthernet0/3 
failover interface ip FailoverControl 172.20.0.1 255.255.255.0 standby 172.20.0.2
failover interface ip FailoverState 172.20.1.1 255.255.255.0 standby 172.20.1.2 
failover ipsec pre-shared-key *****
failover 
     No Active mate detected
show failover | grep host
     This host: Primary - Active
     Other host: Secondary - Not Detected

Then configure failover on the secondary (standby) unit; the failover interface addresses must match the ones entered on the primary. The failover replication http line is optional: it adds HTTP connections to the replicated state, which stateful failover skips by default:
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary 
failover lan interface FailoverControl GigabitEthernet0/2 
failover replication http 
failover link FailoverState GigabitEthernet0/3 
failover interface ip FailoverControl 172.20.0.1 255.255.255.0 standby 172.20.0.2 
failover interface ip FailoverState 172.20.1.1 255.255.255.0 standby 172.20.1.2 
failover ipsec pre-shared-key *****
failover 
     Detected an Active mate
     Beginning configuration replication from mate. 
     End configuration replication from mate.
show failover | grep host
     This host: Secondary - Standby Ready
     Other host: Primary - Active

Without a failover key or the IPsec option below, everything that crosses the failover and state links is sent in clear text, including the replicated configuration with its passwords and VPN pre-shared keys; this is why the links must be dedicated and physically protected. The failover key command enables shared-key encryption of failover traffic: use either a string of 1 to 63 letters, digits and punctuation characters or a hexadecimal value of up to 32 digits. Use this option only on Cisco ASA Software earlier than 9.1(2) or when deploying stateless failover.
An IPsec site-to-site tunnel is the stronger way to protect the failover link, so use it on Cisco ASA Software 9.1(2) and later. The failover ipsec pre-shared-key command enables this method of failover encryption; stateful failover must be deployed to use it. The tunnel is not counted against the unit's maximum supported VPN tunnel count.

3.2 Setup with 1 redundant interface for both Failover Link and State Link

If you want to use a redundant interface (two physical members, one failover link carrying both control and state traffic):
On primary unit:
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
interface Redundant 1
  member-interface GigabitEthernet 0/2
  INFO: security-level and IP address are cleared on GigabitEthernet0/2
  member-interface GigabitEthernet 0/3
  INFO: security-level and IP address are cleared on GigabitEthernet0/3
failover lan unit primary 
failover lan interface FailoverLink Redundant1
INFO: Non-failover interface config is cleared on Redundant1 and its sub-interfaces
failover interface ip FailoverLink 172.20.0.1 255.255.255.0 standby 172.20.0.2
failover link FailoverLink
failover ipsec pre-shared-key *****
failover 
     No Active mate detected
show failover | grep host
     This host: Primary - Active
     Other host: Secondary - Not Detected

Then configure failover on standby unit:
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
interface Redundant 1
  member-interface GigabitEthernet 0/2
  INFO: security-level and IP address are cleared on GigabitEthernet0/2
  member-interface GigabitEthernet 0/3
  INFO: security-level and IP address are cleared on GigabitEthernet0/3
failover lan unit secondary 
failover lan interface FailoverLink Redundant1
INFO: Non-failover interface config is cleared on Redundant1 and its sub-interfaces
failover interface ip FailoverLink 172.20.0.1 255.255.255.0 standby 172.20.0.2
failover link FailoverLink
failover ipsec pre-shared-key *****
failover 
     Detected an Active mate
     Beginning configuration replication from mate.
     End configuration replication from mate.
show failover | grep host
     This host: Secondary - Standby Ready
     Other host: Primary - Active

3.3 Disabling failover monitoring for interface

You may have an interface that cannot be replicated (e.g. a fibre link coming directly from an ISP that terminates on one unit only). Such an interface has to be unplugged from the failed ASA and plugged into the currently active one, and until then it must not count as a failure. To exclude an interface from failover monitoring:
asa (config)# no monitor interface interface_name_here
By default monitoring is enabled for physical interfaces and disabled for subinterfaces. You can check the current state with: sh run all | grep monitor-interface

If the interface can be replicated (e.g. Gi0/0), configure its standby address on the primary unit (the standby unit uses this address while it is standby):
# conf t
# int gi0/0
# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
To check:
find name of the gi0/0:
sh nameif | grep G.*0/0
GigabitEthernet0/0       inside                   100
Check this name in failover:
sh failover | grep inside
  Interface inside (192.168.0.1): Normal (Monitored)
  Interface inside (192.168.0.2): Normal (Monitored)

You can also use the standby IP address to reach the unit that is currently in the standby state (e.g. for SSH or ASDM), since the active address always follows the active unit.

4. Test and operate

Use the show failover command to monitor the operational state of the failover.
You can use show failover history command to investigate failover events.

Use failover exec mate command_to_execute_remotely to run a command on the peer unit (e.g.: failover exec mate show version | grep Serial). Do not execute configuration commands on the standby unit.

Use write standby - to restore standby unit proper state after accidentally performing configuration on a standby unit, this command replaces all configuration with the copy of the configuration from the active unit.

Use the failover active command on the standby unit to transit unit to the active state.
Use the no failover active command on the currently active unit  to transit unit to the standby state.
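
Because the pair stays up when the standby silently fails, operators usually poll show failover and alert on anything other than Active / Standby Ready. Here is a small checker for that, as an added example that is not part of the original post and not a Cisco tool: it parses the text of show failover and returns the reasons the pair is not fully redundant (unit state, monitored interface status, failover and state link status, software mismatch). The show failover text below is constructed in the format of ASA 9.x output, not a capture from a real device; the interface names, addresses and version strings are assumptions.

```python
import re

# Constructed sample in the format of ASA 9.x `show failover` (not a real capture).
HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: FailoverControl GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
Version: Ours 9.8(2), Mate 9.8(2)
Last Failover at: 10:12:03 UTC Jul 3 2018
        This host: Primary - Active
                Active time: 86400 (sec)
                  Interface inside (192.168.0.1): Normal (Monitored)
                  Interface outside (203.0.113.1): Normal (Monitored)
                  Interface management (10.0.0.1): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.0.2): Normal (Monitored)
                  Interface outside (203.0.113.2): Normal (Monitored)
                  Interface management (10.0.0.2): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : FailoverState GigabitEthernet0/3 (up)
"""

# The same pair after the secondary lost its outside link and was upgraded ahead of the primary.
DEGRADED = (HEALTHY
            .replace("Other host: Secondary - Standby Ready", "Other host: Secondary - Failed")
            .replace("Interface outside (203.0.113.2): Normal (Monitored)",
                     "Interface outside (203.0.113.2): Failed (Waiting)")
            .replace("Mate 9.8(2)", "Mate 9.8(4)"))

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
# Interface lines: "<name> (<ip>): <status> (Monitored|Waiting|Not-Monitored)"
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s+(.+?)\s+\(([\w-]+)\)\s*$")
VERSION_RE = re.compile(r"Version: Ours (\S+), Mate (\S+)")
# Failover control link line and the state link line under the stateful statistics.
LINK_RE = re.compile(r"^(?:Failover LAN Interface|\s*Link)\s*:\s+(\S+) (\S+) \((\w+)\)")

GOOD_STATES = {"Active", "Standby Ready"}


def parse_show_failover(text):
    """Structured view of `show failover`: on/off, per-host state and interfaces, versions, links."""
    result = {"on": text.lstrip().startswith("Failover On"), "hosts": {}, "versions": None, "links": {}}
    current = None  # which host block ("This" or "Other") the interface lines belong to
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            name, ip, status, qualifier = m.groups()
            result["hosts"][current]["interfaces"][name] = (ip, status, qualifier)
            continue
        m = VERSION_RE.search(line)
        if m:
            result["versions"] = m.groups()
            continue
        m = LINK_RE.match(line)
        if m:
            result["links"][m.group(1)] = m.group(3)  # e.g. {"FailoverControl": "up"}
    return result


def failover_findings(text):
    """Reasons the pair is not fully redundant; an empty list means healthy."""
    info = parse_show_failover(text)
    findings = []
    if not info["on"]:
        findings.append("failover is off")
    for link, state in sorted(info["links"].items()):
        if state != "up":
            findings.append("failover link %s is %s" % (link, state))
    hosts = info["hosts"]
    if set(hosts) != {"This", "Other"}:
        findings.append("expected both a This host and an Other host entry")
    for which, host in sorted(hosts.items()):
        if host["state"] not in GOOD_STATES:
            findings.append("%s host (%s) is %s" % (which, host["unit"], host["state"]))
        for name, (ip, status, qualifier) in sorted(host["interfaces"].items()):
            if qualifier == "Not-Monitored":
                continue  # excluded with `no monitor-interface`, not a failure
            # "Normal (Waiting)" is transient after a change; anything else is a real problem.
            if status != "Normal" or qualifier != "Monitored":
                findings.append("%s host interface %s (%s): %s (%s)" % (which, name, ip, status, qualifier))
    if info["versions"] and info["versions"][0] != info["versions"][1]:
        findings.append("software mismatch: ours %s, mate %s" % info["versions"])
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print("%s: %s" % (label, failover_findings(sample) or "OK"))
```

Feed it the output of show failover collected from the active unit; when it returns anything at all the pair has no redundancy left, so treat that as the alert condition rather than waiting for a switchover to fail.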