Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

Best Practices


Assign next VLAN number via Outbound API

So, this is fairly basic, and there's definitely more that could be done here (ie, search for next "available", as opposed to simply increment to the "next" number), but it's a start, so I thought I'd post it out for the community to expand on as desired.


As this uses the Outbound API, an Ecosystem license is required.


The script is used to automate the assignment of the next VLAN number for a given site to an IPv4 network, either upon creation, or modification, if the "site" and "Assign_VLAN" EA's exist on said network, "Assign_VLAN" is set to "TRUE", and there is a matching IPv6 network matching "site", with "VLAN_Number" (as a starting point) defined to reference for information.


The script utilizes IPv6 networks in 2001:db8::/32 (see RFC 3849) with "site" and "VLAN_Number" EA's to track the last VLAN number assigned for any given site EA.  When a flagged IPv4 network is saved (via setting "Assign_VLAN" to "TRUE"), the script finds the IPv6 reference network with the same "site" EA, then references it's "VLAN_Number" EA, increments it, and saves that to the IPv4 network (and back to the IPv6 reference network), also removing the "Assign_VLAN" EA.  This allows the VLAN number to be incremented per site, as opposed to globally, as VLAN numbers are specific to a partiular switching infrastructure, and not globally "routed".


So, to "prep" this, you need to create an IPv6 network container for 2001:db8::/32, then create networks underneath, one for each "site".  On said networks, add the "site" EA with the value to match for the IPv4 networks discussed above, and the "VLAN_Number" EA with a starting value, either the highest currently assigned, or one less than the next you want assigned, as this value will be incremented when used.  You can use any netmask smaller than /32 for the networks, but be sure to have enough "room" to have one network for each "site" you need to define.  For my testing, I used /96 networks, but as long as they are under the network container, the script doesn't care. 


Script attached, and usage / explanation of the needed EA's below.


Contributions most definitely welcome!




EA’s needed:
Site (some site identifier)
Assign_VLAN (list, “TRUE” needs to be there.)
VLAN_Number (integer, bounded 1-4096)
IPv6 network container:
2001:db8::/32  (This is the RFC “documentation prefix” (RFC 3849), so it’s safe to use.)
IPv6 network:
something under there, I’m using /96’s, ie, 2001:db8:1::/96.
On the IPv6 network, add VLAN_Number with a starting value (eg, highest currently assigned), and a Site EA with some string.
Create (or edit) an IPv4 network, add the same Site EA (which is the tie to the v6 net for tracking) and set Assign_VLAN to TRUE.
On save, Assign_VLAN will be removed, VLAN_Number will be added as the value on the v4 network +1, and the value on the v6 network will be incremented as well.

Showing results for 
Search instead for 
Did you mean: 

Businesses are investing heavily into securing company resources from cyber-attacks form cybercrimin