Category Archives: Juniper

Connecting to another node in a Juniper HA Cluster

When your logged in to one node of  Juniper cluster which has multiple nodes since its a HA Cluster. Below prompt show shell connection to node0.
To move to the another node let say node0 to node1, you just need this command below.

— JUNOS 11.4R10.3 built 2013-11-15 06:56:20 UTC
{primary:node0}
root@FIREWALL-PRI-SRX240> 

root@FIREWALL-PRI-SRX240> request routing-engine login node 1

— JUNOS 11.4R10.3 built 2013-11-15 06:56:20 UTC
{secondary:node1}
root@FIREWALL-PRI-SRX240>

As you can see, the shell now indicates that the prompt is now om node1 (which is the secondary).

Juniper SRX – Minimal Downtime Upgrade of an HA Cluste

Please note that this describes the process to upgrade an HA pair at JunOS code pre-11. Newer versions of the JunOS code allow for upgrading without corrupting the policy of the peer devices.

!! Note: interface names are the physical and not logical names
!! The following assumes node0 is master and node1 is backup
01.) download package to /var/tmp on both devices
02.) Disable node1\'s interfaces by running the following on node0. Commit will replicate to node1
  set interfaces ge-8/0/0 disable        [-- Should be node1's interfaces, NOT node0's
  set interfaces ge-8/0/1 disable
  set interfaces ge-8/0/2 disable
  set interfaces ge-8/0/3 disable
  set interfaces ge-8/0/4 disable
  set interfaces ge-8/0/5 disable
  set interfaces ge-8/0/6 disable
  set interfaces ge-8/0/7 disable
  set interfaces ge-8/0/8 disable
03.) Disable requiring three way handshake for session on node 0 (primary)
  set security flow tcp-session no-syn-check
  set security flow tcp-session no-sequence-check
04.) Save on node 0 (primary)
  commit
05.) Disconnect the fiber link (fab# interfaces) and the control interface cables
06.) Commit on both devices
07.) Upgrade node 1 (Backup)
  request system software add /var/tmp/junos-srx1k3k-10.4R3.4-domestic.tgz no-validate no-copy
  request system reboot
08.) Perform the following on node 1 (currently backup and now newly upgraded) to verify
  show version
  show chassis cluster status
  show chassis fpc pic-status
09.) After running "show chassis fpc pic-status," wait for the slots to come online, not Present before going to step 10
10.) Node 0 then Node 1, perform ALL the following commands
  delete interfaces ge-8/0/0 disable
  delete interfaces ge-8/0/1 disable
  delete interfaces ge-8/0/2 disable
  delete interfaces ge-8/0/3 disable
  delete interfaces ge-8/0/4 disable
  delete interfaces ge-8/0/5 disable
  delete interfaces ge-8/0/6 disable
  delete interfaces ge-8/0/7 disable
  delete interfaces ge-8/0/8 disable
  set interfaces ge-0/0/0 disable
  set interfaces ge-0/0/1 disable
  set interfaces ge-0/0/2 disable
  set interfaces ge-0/0/3 disable
  set interfaces ge-0/0/4 disable
  set interfaces ge-0/0/5 disable
  set interfaces ge-0/0/6 disable
  set interfaces ge-0/0/7 disable
  set interfaces ge-0/0/8 disable
11.) Save on both devices at same time  !! IMPORTANT TO BE DONE AT THE SAME TIME !!
  commit
12.) Verify that node1 has correctly taken over as master (if input increasing on monitor command, it has taken over)
  show security flow session summary
  run monitor interface traffic
13.) On node 0:
  request system software add /var/tmp/junos-srx1k3k-10.4R3.4-domestic.tgz no-validate no-copy
  request system reboot
14.) On node 0, after upgrade:
  show version
  show chassis cluster status
  show chassis fpc pic-status
15.) Wait for all interfaces to come "online" after "show chassis fpc pic-status" command
16.) Node 1 then Node 0 (this will failover so node0 is now master again)
  delete interfaces ge-0/0/0 disable
  delete interfaces ge-0/0/1 disable
  delete interfaces ge-0/0/2 disable
  delete interfaces ge-0/0/3 disable
  delete interfaces ge-0/0/4 disable
  delete interfaces ge-0/0/5 disable
  delete interfaces ge-0/0/6 disable
  delete interfaces ge-0/0/7 disable
  delete interfaces ge-0/0/8 disable
  set interfaces ge-8/0/0 disable
  set interfaces ge-8/0/1 disable
  set interfaces ge-8/0/2 disable
  set interfaces ge-8/0/3 disable
  set interfaces ge-8/0/4 disable
  set interfaces ge-8/0/5 disable
  set interfaces ge-8/0/6 disable
  set interfaces ge-8/0/7 disable
  set interfaces ge-8/0/8 disable
17.) Save on both devices at same time
  committ
18.) Reconnect control plane cable
19.) Veryify node0 is primary
  run show chassis cluster status
20.) Reboot Node1 and connect fab# interface cables between nodes while device is rebooting
21.) Verify node0 is still passing traffic
  run monitor interface traffic
22.) Wait for all interfaces to come "online"
  show chassis fpc pic-status
23.) Verify group 2 failover shows priority
24.) Re-enable interfaces on node1 and check for proper tcp sequence checks (run on node0, commit will replicate to node1)
  delete interfaces ge-8/0/0 disable
  delete interfaces ge-8/0/1 disable
  delete interfaces ge-8/0/2 disable
  delete interfaces ge-8/0/3 disable
  delete interfaces ge-8/0/4 disable
  delete interfaces ge-8/0/5 disable
  delete interfaces ge-8/0/6 disable
  delete interfaces ge-8/0/7 disable
  delete interfaces ge-8/0/8 disable

  delete security flow tcp-session no-syn-check
  delete security flow tcp-session no-sequence-check
25.) commit
26.) Verify failover group (group 0 and 1 should show primary or secondary and priorities)
  run show chassis cluster status
    26.a) If group 2 is not showing with priorities and status on node1 is "disabled", another reboot may be necessary. This is related to the fab# interfaces
    26.b) When node1 comes back online, verify fab interfaces are showing up and give a minute or 2 for "show chassis cluster status" to show priorities and status
    26.c) May take time due to sessions being synchronized
27.) Run on node0 to download and install IDP updates if needed. Status is for verifying progress of download or install
  run request security idp security-package download full-update
  run request security idp security-package download status

  run request security idp security-package install
  run request security idp security-package install status
28.) Verify versions match on both nodes and verify they are up to date
  run show security idp security-package-versionrun show
  run request security idp security-package download check-server
    28.a) Failover may be required to download IDP if no internet access on node0 (Per Juniper) or versions do not match

Transparent Proxy Redirection with JunOS

Transparent Proxy Redirection with JunOS

I have to say, I love proxy servers. Transparent proxy is my preference. Of all the Proxy servers in the world, the best in my opinion is Blue Coat’s ProxySG appliance. With the Blue Coat ProxySG as your proxy in transparent mode, this allows us to inspect content, without the need for user input, and to direct the traffic to a proxy so you get all the benefits of Web Pulse, Web Filter, ProxyAV, Wan Optimisation and Flash Caching. Plus the use of CPL (Content Policy Language) to decide whether users should be allowed access to a site or not. With transparent proxy that responsibility is dealt with by the network, and quite right too. There are some applications which don’t, however, respond well to transparent proxy, especially those which don’t understand authentication (are you reading this Google, Apple and Adobe!!!) so they have to be handled on the ProxySG with some custom CPL, however these little issues shouldn’t’ stop you considering transparent proxy as an option if you are planning a Blue Coat deployment or any other proxy which supports transparent redirect.

As both EX and SRX use JunOS, the implementation on each is exactly the same and this is one of the great reasons to love JunOS. In order to do WCCP-like transparent redirect on EX switches or SRX firewalls, there are several configuration items to consider:

  • The Filter Based Forwarding entry
  • A Virtual Routing Instance
  • A RIB group entry to combine the routing-instances
  • Some failover monitoring in-case the proxy fails such as an RPM probe with Event Monitoring

In the PoC lab, the following subnets/VLANs were used:

  • VLAN1 – 10.11.20.0/24 – Egress route subnet (an SRX firewall is connected and the EX switch has a default route to it)
  • VLAN2 – 10.11.30.0/24 – Proxy subnet used for the routing-instance configuration. PROXYSG ip is 10.11.30.2. PROXYSG2 ip is 10.11.30.3
  • VLAN3 – 10.11.40.0/24 – Client subnet

 

 

First off, we setup a firewall filter to assign to an interface. The interface can be either family inet interface, or a virtual (VLAN) interface. This filter redirects anything from source subnet 10.11.40.0/24 (the client subnet) destined for anywhere on port 80, 443 or 21 to the proxy on routing-instance ‘PROXYSG’.

family inet {
filter proxysg-fbf {
term t1 {
from {
source-address {
10.11.40.0/24;
}
destination-address {
0.0.0.0/0;
}
destination-port [ http ftp https ];
}
then {
count redirected;
routing-instance PROXYSG;
}
}

In display set form, that looks like;

set firewall family inet filter proxysg-fbf term t1 from source-address 10.11.40.0/24
set firewall family inet filter proxysg-fbf term t1 from destination-address 0.0.0.0/0
set firewall family inet filter proxysg-fbf term t1 from destination-port http
set firewall family inet filter proxysg-fbf term t1 from destination-port ftp
set firewall family inet filter proxysg-fbf term t1 from destination-port https
set firewall family inet filter proxysg-fbf term t1 then count redirected
set firewall family inet filter proxysg-fbf term t1 then routing-instance PROXYSG
set firewall family inet filter proxysg-fbf term default then accept

Next, we need to have some way of redirecting the traffic ‘off-path’ to the proxy server. This is handled by a routing-instance, in this case to proxy server 10.11.30.2.

PROXYSG {
instance-type virtual-router;
routing-options {
static {
route 0.0.0.0/0 {
qualified-next-hop 10.11.30.2 {
metric 5;
}
}
}
}
}
set routing-instances PROXYSG instance-type virtual-router
set routing-instances PROXYSG routing-options static route 0.0.0.0/0 qualified-next-hop 10.11.30.2 metric 5
set routing-instances PROXYSG routing-options static route 0.0.0.0/0 qualified-next-hop 10.11.20.2 metric 20

Next, in order to combine the two routing-instances, we create a rib-group entry.

interface-routes {
rib-group inet PROXYSG;
}
static {
route 0.0.0.0/0 next-hop 10.11.20.2;
}
rib-groups {
PROXYSG {
import-rib [ inet.0 PROXYSG.inet.0 ];
}
}
set routing-options interface-routes rib-group inet PROXYSG
set routing-options static route 0.0.0.0/0 next-hop 10.11.20.2
set routing-options rib-groups PROXYSG import-rib inet.0
set routing-options rib-groups PROXYSG import-rib PROXYSG.inet.0

Finally, the filter we created earlier is assigned to an interface, in this case, the ingress interface which client traffic appears from.

vlan {
unit 3 {
family inet {
filter {
input proxysg-fbf;
}
address 10.11.40.1/24;
}
}
}

In order to have some failover capabilities, were the proxy to fail, we can use event monitoring probes on the EX switch to force a configuration change on the forwarding filter in the event the proxy fails. This is done using a custom monitoring script which was originally designed for use with Juniper WXC appliances.

The WXC-Healthcheck.slax file can be downloaded from here

The script should be uploaded to the EX switch using FTP or SCP and placed into /config/db/scripts/event/ (or whichever is relevant to the JunOS version you are running – tested on 11.4R2.14). Once loaded, you can create the RPM probe and event policy actions.

The event probe is setup as follows under the ‘services’ stanza within the configuration.

rpm {
probe proxysg {
test proxy-ping {
probe-type icmp-ping;
target address 10.11.30.2;
probe-count 3;
probe-interval 1;
test-interval 10;
thresholds {
total-loss 1;
}
}
}
set services rpm probe proxysg test proxy-ping probe-type icmp-ping
set services rpm probe proxysg test proxy-ping target address 10.11.30.2
set services rpm probe proxysg test proxy-ping probe-count 3
set services rpm probe proxysg test proxy-ping probe-interval 1
set services rpm probe proxysg test proxy-ping test-interval 10
set services rpm probe proxysg test proxy-ping thresholds total-loss 1

This will log either ‘PING_TEST_COMPLETED’ or ‘PING_TEST_FAILED’ in the ‘messages’ log on the switch.

Next, we create the event-options section to tell the switch what to do in the event of it seeing the ‘PING_TEST_COMPLETED’ or ‘PING_TEST_FAILED’ in the messages system log. The following two configuration options show what the EX switch will do in the event of each.

* In the event of a failure, disable the firewall filter.

policy rpm_down {
events PING_TEST_FAILED;
within 10 {
trigger on 1;
}
attributes-match {
PING_TEST_FAILED.test-owner matches "^proxysg$";
PING_TEST_FAILED.test-name matches "^proxy-ping$";
}
then {
event-script WXC-Healthcheck.slax {
arguments {
filter proxysg-fbf;
term t1;
action inactive;
}
}
}
}

* When the failure is fixed, re-enable the filter.

policy rpm_up {
events PING_TEST_COMPLETED;
within 20 {
trigger on 1;
}
attributes-match {
PING_TEST_COMPLETED.test-owner matches "^proxysg$";
PING_TEST_COMPLETED.test-name matches "^proxy-ping$";
}
then {
event-script WXC-Healthcheck.slax {
arguments {
filter proxysg-fbf;
term t1;
action active;
}
}
}
}
event-script {
file WXC-Healthcheck.slax;
}
traceoptions {
file wxc.out;
}

In display set for, that looks like;

set event-options policy rpm_down events PING_TEST_FAILED
set event-options policy rpm_down within 10 trigger on
set event-options policy rpm_down within 10 trigger 1
set event-options policy rpm_down attributes-match PING_TEST_FAILED.test-owner matches "^proxysg$"
set event-options policy rpm_down attributes-match PING_TEST_FAILED.test-name matches "^proxy-ping$"
set event-options policy rpm_down then event-script WXC-Healthcheck.slax arguments filter proxysg-fbf
set event-options policy rpm_down then event-script WXC-Healthcheck.slax arguments term t1
set event-options policy rpm_down then event-script WXC-Healthcheck.slax arguments action inactive
set event-options policy rpm_up events PING_TEST_COMPLETED
set event-options policy rpm_up within 20 trigger on
set event-options policy rpm_up within 20 trigger 1
set event-options policy rpm_up attributes-match PING_TEST_COMPLETED.test-owner matches "^proxysg$"
set event-options policy rpm_up attributes-match PING_TEST_COMPLETED.test-name matches "^proxy-ping$"
set event-options policy rpm_up then event-script WXC-Healthcheck.slax arguments filter proxysg-fbf
set event-options policy rpm_up then event-script WXC-Healthcheck.slax arguments term t1
set event-options policy rpm_up then event-script WXC-Healthcheck.slax arguments action active
set event-options event-script file WXC-Healthcheck.slax
set event-options traceoptions file wxc.out

If the proxy fails, the EX switch ‘event-options’ setting will see and act upon the following message log entry;

Apr 16 08:14:06 rmopd[992]: PING_TEST_FAILED: pingCtlOwnerIndex = proxysg, pingCtlTestName = proxy-ping

Every 20 seconds, it will re-check the message log, looking for the fail or success. If it sees a PING_TEST_COMPLETED, it will re-enable the filter.

Apr 16 08:21:13 rmopd[992]: PING_TEST_COMPLETED: pingCtlOwnerIndex = proxysg, pingCtlTestName = proxy-ping

You can view the filter counters to see traffic being redirected as we added a counter to the firewall filter term.

root> show firewall filter proxysg-fbf
Filter: proxysg-fbf
Counters:
Name Bytes Packets
redirected 68424 479

FAILOVER TO A SECOND PROXY
You can add failover to a second proxy by adding a second routing-instance and firewall filter term quite easily in order to ensure that traffic is always proxied (thus, your corporate AUP is always enforced).

For example, here term t2 is added after term t1 on the forwarding filter –

filter proxysg-fbf {
term t1 {
from {
source-address {
10.11.40.0/24;
}
destination-address {
0.0.0.0/0;
}
destination-port [ http ftp https ];
}
then {
count redirected;
routing-instance PROXYSG;
}
}
term t2 {
from {
source-address {
10.11.40.0/24;
}
destination-address {
0.0.0.0/0;
}
destination-port [ http ftp https ];
}
then {
count redirected2;
routing-instance PROXYSG2;
}
}
term default {
then accept;
}
}

The new routing instance looks like the following –

PROXYSG2 {
instance-type virtual-router;
routing-options {
static {
route 0.0.0.0/0 {
qualified-next-hop 10.11.30.3 {
metric 5;
}
qualified-next-hop 10.11.20.2 {
metric 20;
}
}
}
}
}

The RIB group is amended to add the second PROXYSG2 routing-instance.

rib-groups {
PROXYSG {
import-rib [ inet.0 PROXYSG.inet.0 PROXYSG2.inet.0 ];
}
}

Once this is done, the EX switch will continue to monitor the PROXYSG ip (10.11.30.2) and set it as inactive should it fail. If it does, the second term of the firewall filter (term t2) will become active.

family inet {
filter proxysg-fbf {
inactive: term t1 { <<<<<<<<<<<<<<<<<<<<<<<<<<<
from {
source-address {
10.11.40.0/24;
}
destination-address {
0.0.0.0/0;
}
destination-port [ http ftp https ];
}
then {
count redirected;
routing-instance PROXYSG;
}
}
term t2 {
from {
source-address {
10.11.40.0/24;
}
destination-address {
0.0.0.0/0;
}
destination-port [ http ftp https ];
}
then {
count redirected2;
routing-instance PROXYSG2;
}
}
term default {
then accept;
}
}
}

You can, of course, setup a second event-option monitor to monitor the second PROXYSG2 proxy (10.11.30.3) so that it also is set as inactive were the proxy to fail.

Conclusion
So there it is, transparent redirect in a WCCP-like manner using JunOS. The implementation above has worked on both a test EX switch and an SRX. I’m still working on whether we can emulate the load-balancing functions available from WCCP, via JunOS but for now the above configuration would certainly give you failover if you were to have two proxies.

FULL SWITCH CONFIG

set version 11.4R2.14
set system root-authentication encrypted-password "REMOVED"
set system name-server 208.67.222.222
set system scripts op traceoptions file wxc.out
set system scripts op file WXC-Healthcheck.slax
set system services ssh protocol-version v2
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system ntp server 194.164.127.6
set interfaces ge-0/0/0 description EXTERNAL_INTERFACE
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VLAN1
set interfaces ge-0/0/1 description INTERNAL_PROXY_INTERFACE
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN2
set interfaces ge-0/0/2 description INTERNAL_CLIENT_INTERFACE
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members VLAN3
set interfaces ge-0/0/3 description INTERNAL_PROXY2_INTERFACE
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members VLAN2
set interfaces ge-0/0/4 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching
set interfaces ge-0/0/7 unit 0 family ethernet-switching
set interfaces ge-0/0/8 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set interfaces ge-0/0/11 unit 0 family ethernet-switching
set interfaces ge-0/0/12 unit 0 family ethernet-switching
set interfaces ge-0/0/13 unit 0 family ethernet-switching
set interfaces ge-0/0/14 unit 0 family ethernet-switching
set interfaces ge-0/0/15 unit 0 family ethernet-switching
set interfaces ge-0/0/16 unit 0 family ethernet-switching
set interfaces ge-0/0/17 unit 0 family ethernet-switching
set interfaces ge-0/0/18 unit 0 family ethernet-switching
set interfaces ge-0/0/19 unit 0 family ethernet-switching
set interfaces ge-0/0/20 unit 0 family ethernet-switching
set interfaces ge-0/0/21 unit 0 family ethernet-switching
set interfaces ge-0/0/22 unit 0 family ethernet-switching
set interfaces ge-0/0/23 unit 0 family ethernet-switching
set interfaces ge-0/1/0 unit 0 family ethernet-switching
set interfaces xe-0/1/0 unit 0 family ethernet-switching
set interfaces ge-0/1/1 unit 0 family ethernet-switching
set interfaces xe-0/1/1 unit 0 family ethernet-switching
set interfaces ge-0/1/2 unit 0 family ethernet-switching
set interfaces ge-0/1/3 unit 0 family ethernet-switching
set interfaces me0 unit 0 family inet
set interfaces vlan unit 0 family inet
set interfaces vlan unit 1 family inet address 10.11.20.1/24
set interfaces vlan unit 2 family inet address 10.11.30.1/24
set interfaces vlan unit 3 family inet filter input proxysg-fbf
set interfaces vlan unit 3 family inet address 10.11.40.1/24
set event-options policy rpm_down events PING_TEST_FAILED
set event-options policy rpm_down within 10 trigger on
set event-options policy rpm_down within 10 trigger 1
set event-options policy rpm_down attributes-match PING_TEST_FAILED.test-owner matches "^proxysg$"
set event-options policy rpm_down attributes-match PING_TEST_FAILED.test-name matches "^proxy-ping$"
set event-options policy rpm_down then event-script WXC-Healthcheck.slax arguments filter proxysg-fbf
set event-options policy rpm_down then event-script WXC-Healthcheck.slax arguments term t1
set event-options policy rpm_down then event-script WXC-Healthcheck.slax arguments action inactive
set event-options policy rpm_up events PING_TEST_COMPLETED
set event-options policy rpm_up within 20 trigger on
set event-options policy rpm_up within 20 trigger 1
set event-options policy rpm_up attributes-match PING_TEST_COMPLETED.test-owner matches "^proxysg$"
set event-options policy rpm_up attributes-match PING_TEST_COMPLETED.test-name matches "^proxy-ping$"
set event-options policy rpm_up then event-script WXC-Healthcheck.slax arguments filter proxysg-fbf
set event-options policy rpm_up then event-script WXC-Healthcheck.slax arguments term t1
set event-options policy rpm_up then event-script WXC-Healthcheck.slax arguments action active
set event-options policy rpm1_down events PING_TEST_FAILED
set event-options policy rpm1_down within 20 trigger on
set event-options policy rpm1_down within 20 trigger 1
set event-options policy rpm1_down attributes-match PING_TEST_FAILED.test-owner matches "^proxysg1$"
set event-options policy rpm1_down attributes-match PING_TEST_FAILED.test-name matches "^proxy1-ping$"
set event-options policy rpm1_down then event-script WXC-Healthcheck.slax arguments filter proxysg-fbf
set event-options policy rpm1_down then event-script WXC-Healthcheck.slax arguments term t2
set event-options policy rpm1_down then event-script WXC-Healthcheck.slax arguments action inactive
set event-options policy rpm1_up events PING_TEST_COMPLETED
set event-options policy rpm1_up within 20 trigger on
set event-options policy rpm1_up within 20 trigger 1
set event-options policy rpm1_up attributes-match PING_TEST_COMPLETED.test-owner matches "^proxysg1$"
set event-options policy rpm1_up attributes-match PING_TEST_COMPLETED.test-name matches "^proxy1-ping$"
set event-options policy rpm1_up then event-script WXC-Healthcheck.slax arguments filter proxysg-fbf
set event-options policy rpm1_up then event-script WXC-Healthcheck.slax arguments term t2
set event-options policy rpm1_up then event-script WXC-Healthcheck.slax arguments action active
set event-options event-script file WXC-Healthcheck.slax
set event-options traceoptions file wxc.out
set routing-options interface-routes rib-group inet PROXYSG
set routing-options static route 0.0.0.0/0 next-hop 10.11.20.2
set routing-options rib-groups PROXYSG import-rib inet.0
set routing-options rib-groups PROXYSG import-rib PROXYSG.inet.0
set routing-options rib-groups PROXYSG import-rib PROXYSG2.inet.0
set protocols igmp-snooping vlan all
set protocols rstp
set protocols lldp interface all
set protocols lldp-med interface all
set firewall family inet filter proxysg-fbf term t1 from source-address 10.11.40.0/24
set firewall family inet filter proxysg-fbf term t1 from destination-address 0.0.0.0/0
set firewall family inet filter proxysg-fbf term t1 from destination-port http
set firewall family inet filter proxysg-fbf term t1 from destination-port ftp
set firewall family inet filter proxysg-fbf term t1 from destination-port https
set firewall family inet filter proxysg-fbf term t1 then count redirected
set firewall family inet filter proxysg-fbf term t1 then routing-instance PROXYSG
set firewall family inet filter proxysg-fbf term t2 from source-address 10.11.40.0/24
set firewall family inet filter proxysg-fbf term t2 from destination-address 0.0.0.0/0
set firewall family inet filter proxysg-fbf term t2 from destination-port http
set firewall family inet filter proxysg-fbf term t2 from destination-port ftp
set firewall family inet filter proxysg-fbf term t2 from destination-port https
set firewall family inet filter proxysg-fbf term t2 then count redirected2
set firewall family inet filter proxysg-fbf term t2 then routing-instance PROXYSG2
set firewall family inet filter proxysg-fbf term default then accept
set routing-instances PROXYSG instance-type virtual-router
set routing-instances PROXYSG routing-options static route 0.0.0.0/0 qualified-next-hop 10.11.30.2 metric 5
set routing-instances PROXYSG routing-options static route 0.0.0.0/0 qualified-next-hop 10.11.20.2 metric 20
set routing-instances PROXYSG2 instance-type virtual-router
set routing-instances PROXYSG2 routing-options static route 0.0.0.0/0 qualified-next-hop 10.11.30.3 metric 5
set routing-instances PROXYSG2 routing-options static route 0.0.0.0/0 qualified-next-hop 10.11.20.2 metric 20
set services rpm probe proxysg test proxy-ping probe-type icmp-ping
set services rpm probe proxysg test proxy-ping target address 10.11.30.2
set services rpm probe proxysg test proxy-ping probe-count 3
set services rpm probe proxysg test proxy-ping probe-interval 1
set services rpm probe proxysg test proxy-ping test-interval 10
set services rpm probe proxysg test proxy-ping thresholds total-loss 1
set services rpm probe proxysg1 test proxy1-ping probe-type icmp-ping
set services rpm probe proxysg1 test proxy1-ping target address 10.11.30.3
set services rpm probe proxysg1 test proxy1-ping probe-count 3
set services rpm probe proxysg1 test proxy1-ping probe-interval 1
set services rpm probe proxysg1 test proxy1-ping test-interval 10
set services rpm probe proxysg1 test proxy1-ping thresholds total-loss 1
set ethernet-switching-options storm-control interface all
set vlans VLAN1 vlan-id 1
set vlans VLAN1 l3-interface vlan.1
set vlans VLAN2 vlan-id 2
set vlans VLAN2 l3-interface vlan.2
set vlans VLAN3 vlan-id 3
set vlans VLAN3 interface ge-0/0/2.0
set vlans VLAN3 l3-interface vlan.3
set vlans default l3-interface vlan.0
set poe interface all

SSL VPN configuration on SRX running 15.1X49-D80.4 or higher

Starting with version 15.1X49-D80.4 the Juniper SRX supports dialup vpn over a connection to port 443 with the NCP client. It needs some specific configuration to get that working and we found out the hard  way. So, we have decided to share it here.  Thank you Valentijn and Jasper for helping me.

The situation we want to achieve is this one:

To prepare for configuring a demo setup you need two things: A gateway running a Junos version that supports this feature and a NCP client. You should know how to get and install the SRX software, you can get the client here: https://www.ncp-e.com/en/resources/download-vpn-client/

The configuration we’re about to make gives us a dialup vpn where the client tries to connect to with standard IPsec. If that fails it will try to move the connection to SSL, which in many networks is allowed to travel freely…

Two profiles are configured to authenticate the user:
1)             lpdap-users: to authenticate against the AD control on 172.27.72.10, domain wsa.local

2)             local-users: In which two local users are defined.

Both profiles hand out IP addresses and DNS servers from the address assignment pool dyn-vpn-address-pool.
Please note we use rather weak proposals, just for testing purposes, in real life adjust them to your (companies) policy!

Phase 1 config
set security ike proposal my_ncp_proposals authentication-method pre-shared-keys

set security ike proposal my_ncp_proposals dh-group group2

set security ike proposal my_ncp_proposals authentication-algorithm md5

set security ike proposal my_ncp_proposals encryption-algorithm aes-128-cbc

set security ike proposal ncp-client authentication-method pre-shared-keys

set security ike proposal ncp-client dh-group group2

set security ike proposal ncp-client authentication-algorithm md5

set security ike proposal ncp-client encryption-algorithm aes-128-cbc

set security ike policy ike_ncp_client mode aggressive

set security ike policy ike_ncp_client proposals my_ncp_proposals

set security ike policy ike_ncp_client pre-shared-key ascii-text <key>

set security ike gateway ncp_test ike-policy ike_ncp_client

set security ike gateway ncp_test dynamic user-at-hostname “vpnuser@wsa.local”

set security ike gateway ncp_test dynamic ike-user-type shared-ike-id

set security ike gateway ncp_test external-interface ge-0/0/0.0

set security ike gateway ncp_test aaa access-profile ldap-users   *

set security ike gateway ncp_test version v1-only

set security ike gateway ncp_test tcp-encap-profile ssl-vpn

* You can change this to profile local-users to authenticate the users locally instead of against LDAP.

The last line of configuration tells the device to accept TCP encapsulated traffic according the mentionedprofile. Here is how to configure that profile:

set security tcp-encap profile ssl-vpn log

Since ike and tcp encapsulated traffic will arrive at the external interface, both should be accepted as host inbound traffic:

set security zones security-zone untrust host-inbound-traffic system-services ike

set security zones security-zone untrust host-inbound-traffic system-services tcp-encap

Because we want ssl vpn traffic on the interface no other listener should be enabled on the interface: make sure system service web-management https is not enabled on the external interface. Enabling it   on that interface would be a bad idea anyway.

Let’s take a look at the authentication profiles, starting with the ldap profile:

set access profile ldap-users authentication-order ldap

set access profile ldap-users authentication-order password

set access profile ldap-users domain-name-server 172.27.72.16

set access profile ldap-users domain-name-server 172.27.72.17

set access profile ldap-users client mtepper firewall-user password “$9$.PQ30ORSyK36pB1hKv4aJ”

set access profile ldap-users address-assignment pool dyn-vpn-address-pool

set access profile ldap-users ldap-options base-distinguished-name DC=wsa,DC=local

set access profile ldap-users ldap-options search search-filter sAMAccountName=

set access profile ldap-users ldap-options search admin-search distinguished-name CN=administrator,CN=Users,DC=wsa,DC=local

set access profile ldap-users ldap-options search admin-search password “$9$Cze7uIheK87NbM8ZUDjq.uOB1SreKM”

set access profile ldap-users ldap-server 172.27.72.10 port 389

set access profile ldap-users ldap-server 172.27.72.11 port 389

As you can see the administrator account is used here for a lookup. In real life you might want to create an account with just the necessary rights in the Active Direcory domain. Also note that you need to adjust the base-distinguished-name to your own domain.

For a simple test you could use a profile with local users like this:

set access profile local-users client jverdonk firewall-user password “$9$m5nCOBESlMz3EyeW-dZUjkmTQFn/Ap”

set access profile local-users client mtepper firewall-user password “$9$xXNNbYDjqf5FYgGiHmF3cyr”

set access profile local-users address-assignment pool dyn-vpn-address-pool

Both profiles use the same address pool for address assignment configuring this pool isn’t a hard task as well:

set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.3.0/24

set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 172.26.72.16/32

set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes secondary-dns 172.27.72.17/32

This makes the configuration complete for phase 1 and phase 1½ (meaning for Xauth, which asks for    authentication between phase 1 and phase 2). Time to look at phase 2 config then. According the documentation about SSL VPN we found a route based VPN with tunnel interface in point to point mode is needed to get things working. So, we configured this:

An interface in the security zone trust (best practice for production is creating a zone called VPN and use that to make clear what happing in your policies) and an intrazone security policy:

set interfaces st0 unit 0 family inet

set security zones security-zone trust interfaces st0.0

set security policies from-zone trust to-zone trust policy default-permit match source-address any

set security policies from-zone trust to-zone trust policy default-permit match destination-address any

set security policies from-zone trust to-zone trust policy default-permit match application any

set security policies from-zone trust to-zone trust policy default-permit then permit

 

Finally for the SRX we can configure the phase 2: (As in phase 1 in real use stronger proposols!)

set security ipsec proposal dialup-ncp protocol esp

set security ipsec proposal dialup-ncp authentication-algorithm hmac-md5-96

set security ipsec proposal dialup-ncp encryption-algorithm aes-128-cbc

set security ipsec proposal dialup-ncp lifetime-seconds 3600

set security ipsec policy ipsec_ncp perfect-forward-secrecy keys group2

set security ipsec policy ipsec_ncp proposals dialup-ncp

set security ipsec vpn Ipsec_ncp bind-interface st0.0

set security ipsec vpn Ipsec_ncp ike gateway ncp_test

set security ipsec vpn Ipsec_ncp ike ipsec-policy ipsec_ncp

set security ipsec vpn Ipsec_ncp traffic-selector test local-ip 0.0.0.0/0

set security ipsec vpn Ipsec_ncp traffic-selector test remote-ip 0.0.0.0/0

The gateway  is ready now, time to move to the client.

After installing the software, start it and go into the configuration of a profile. Configure things like shown here: any tab not shown is left default!

The relevant part of the config of the SRX should look like this:

security {
    ike {
        proposal my_ncp_proposals {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm aes-128-cbc;
        }
        proposal ncp-client {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm aes-128-cbc;
        }
        policy ike_ncp_client {
            mode aggressive;
            proposals my_ncp_proposals;
            pre-shared-key ascii-text "$9$MB7WdbUDk5T3P5M8"; ## SECRET-DATA
        }
        gateway ncp_test {
            ike-policy ike_ncp_client;
            dynamic {
                user-at-hostname "vpnuser@wsa.local";
                ike-user-type shared-ike-id;
            }
            external-interface ge-0/0/0.0;
            aaa {
                access-profile ldap-users;
            }
            version v1-only;
            tcp-encap-profile ssl-vpn;
        }
    }
    ipsec {
        proposal dialup-ncp {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec_ncp {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals dialup-ncp;
        }
        vpn Ipsec_ncp {
            bind-interface st0.0;
            ike {
                gateway ncp_test;
                ipsec-policy ipsec_ncp;
            }
            traffic-selector test {
                local-ip 0.0.0.0/0;
                remote-ip 0.0.0.0/0;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    tcp-encap {
        profile ssl-vpn {
            log;
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                    tcp-encap;
                }
            }
        }
        security-zone trust {
            interfaces {
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.2.3.4/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}

access {
    profile ldap-users {
        authentication-order [ ldap password ];
        domain-name-server {
            172.27.72.16;
            172.27.72.17;
        }
        client mtepper {
            firewall-user {
                password "$9$.PQ30ORSyK36pB1hKv4aJ"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
        ldap-options {
            base-distinguished-name DC=wsa,DC=local;
            search {
                search-filter sAMAccountName=;
                admin-search {
                    distinguished-name CN=administrator,CN=Users,DC=wsa,DC=local;
                    password "$9$Cze7uIheK87NbM8ZUDjq.uOB1SreKM"; ## SECRET-DATA
                }
            }
        }
        ldap-server {
            172.27.72.10 port 389;
            172.27.72.11 port 389;
        }
    }
    profile local-users {
        client jverdonk {
            firewall-user {
                password "$9$m5nCOBESlMz3EyeW-dZUjkmTQFn/Ap"; ## SECRET-DATA
            }
        }
        client mtepper {
            firewall-user {
                password "$9$xXNNbYDjqf5FYgGiHmF3cyr"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.3.0/24;
                xauth-attributes {
                    primary-dns 172.26.72.16/32;
                    secondary-dns 172.27.72.17/32;
                }
            }
        }
    }
}

Juniper EX switches configuration examples

General commands

show mac-address table

show ethernet-switching table brief

show switches that directly conected

show lldp neighbors

config vlan

set vlans  Floor_Users vlan-id 90
set vlans Floor_Users l3-interface vlan.90
set interfaces vlan unit 90 family inet address 10.10.10.254/24

assign vlan to port

set interfaces  unit 0 family ethernet-switching vlan members

upgrade (mybe needed – set system services ftp, when upgrading 8200 need to upgrage both Route Engines)

request system software add ftp://a:123456@10.10.10.81/jinstall-ex-3200-9.6R1.13-domestic-signed.tgz

enable SSH

set system services ssh

show ip addresses

show interfaces terse

show all ports info

show interfaces extensive

load factory-default

load factory-default

show rollback 10

file show /var/db/config/juniper.conf.10.gz

show int statistics at real time

run monitor interface ge-0/0/0

like tcpdump

run monitor traffic interface ge-0/0/0

to add config from notepad

load update terminal

static route

 set routing-options static route 192.168.16/24 next-hop 1.1.1.1

start terminal monitor

monitor start /var/log/messages

stop terminal monitor

monitor stop

check what is going to be commited

show | compare

time

show system uptime

show modules / hardware

show chassis hardware

Show ospf interfaces

show ospf interface

ospf – redis static

set protocols ospf export redistribute-into-OSPF
set policy-options policy-statement redistribute-into-OSPF term static from protocol static
set policy-options policy-statement redistribute-into-OSPF term static then accept?

LACP -switches

set chassis aggregated-devices ethernet device-count 5
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 10.10.0.254/24

LACP – J routers

set chassis aggregated-devices ethernet device-count 5
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ge-0/0/0 gigether-options 802.3ad ae0
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 10.10.0.254/24

password recovery

* reload the switch
* stop the boot by presing the "space bar"
* choose 'recovery'
boot -s

NTP

set system ntp server 1.1.1.1
exit
set date ntp

create rescue config

request system configuration rescue save

set managment ip at stack

set interfaces vme unit 0 family inet address 10.10.10.235/24

connect to a specific switch from a stack

request session member

install image from USB

1. Put the new code(desired version of JUNOS) on a USB which is formatted under FAT32 and insert on the back of the switch where you can find the USB slot.
2. Reboot the device and when it says loading press spacebar to take us to loader prompt (loader>).
3. Type the following command to reinstall junos from this prompt
    loader>install --format file:///filename.tgz
    * where filename is like eg: jinstall-ex-9.2R1.5-domestic-signed.tgz

copy log files from specific unit

request session member 5
start shell user root
! -Password-
tar -zcvf varlog-mem5.tar.gz /var/log/
mv varlog-mem5.tar.gz /var/tmp/
exit
file copy fpc5:/var/tmp/varlog-mem5.tar.gz fpc0:/var/tmp 
! Then open with web - Maintain --> Files --> temp

show alarms

(use to check why the alarm led is red)-

show system alarms

vrrp

set interfaces vlan unit   family inet address x.x.x.x /24 vrrp-group  virtual-address x.x.x.x  priority < priority>

vrrp – backup master (Specify that the backup router can process packets with an IP destination address of the virtual address)

ip vrrp 22 accept-data

ECMP

(equal cost multi path)

set policy-options policy-statement load-balancing-policy then load-balance per-packet
set routing-options forwarding-table export load-balancing-policy

allow NSM to connect to the switch

set system services netconf ssh

dhcp snooping

set ethernet-switching-options secure-access-port vlan all examine-dhcp

bpdu guard

set protocols rstp bpdu-block-on-edge  
set protocols rstp interface all edge

port mirroring

set ethernet-switching analyzer analyzer1 input ingress interface ge-0/0/0
set ethernet-switching analyzer analyzer1 input egress interface ge-0/0/0
set ethernet-switching analyzer analyzer1  output interface ge-0/0/2

LLDP – MED

(the switch tells the ip phone what is the voice vlan)

set vlans  description voice-vlan
set vlans  interface ge-0/0/2.0
set interfaces  unit 0 family ethernet-switching vlan members 
set interfaces   unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface  .0 vlan 
set ethernet-switching-options voip interface  .0 forwarding-class assured-forwarding
set protocols lldp-med interface 

tacacs

(use “load merge terminal” to load this format of config)

system {
    time-zone Asia/Jerusalem;
    authentication-order tacplus;
    root-authentication{
        encrypted-password "$1$gzwtefgipDYmub7XcCTEU4/"; ## SECRET-DATA
    }
    tacplus-server {
          secret "$9$y45645XxjqfT9CRhSyMX-dsYgJ"; 
         secret "$9$vD4574745dV.5Fnu0ylKvxdsYoaZj"; 
    }

    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus;
        }
    }
}

Voip QOS marking

class-of-service{
	classifiers {
	    dscp juniper_dscp_classifier {
	        import default;
	        forwarding-class voice {
	            loss-priority low code-points 101110;
	        }
	    }
	    ieee-802.1 juniper_ieee_classifier {
	        import default;
	        forwarding-class voice {
	            loss-priority low code-points 011;
	        }
	    }
	}
	forwarding-classes {
	    class voice queue-num 7;
	    class expedited-forwarding queue-num 5;
	    class assured-forwarding queue-num 1;
	    class best-effort queue-num 0;
	}
	interfaces {
	    vlan {
	        unit 12 {
	            classifiers {
	                dscp juniper_dscp_classifier;
	            }
	        }
	    }
	}
}

access-lists of ip addresses that allowd to access the switch (use “load merge terminal” to load that format of config)

interfaces{
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input Telnet-access-filter;
	}
           }
        }
    }
}
firewall {
  family inet {
    filter Telnet-access-filter {
        term team_X {
            from {
                source-address {
                    x.x.x.x/32;
                    x.x.x.x/32;
                  }
                protocol tcp;
            }
            then accept;
        }
        term team_Y {
            from {
                source-address {
                    y.y.y.y/32;
                    y.y.y.y/32;
                }
                protocol tcp;
            }
            then accept;
        }
        term Access_from_forbidden_addresses {
            from {
                source-address {
                    127.0.0.0/8;
                }
                protocol tcp;
            }
            then discard;
        }
        term OSPF {
            from {
                protocol ospf;
            }
            then accept;
        }
        term icmp {
            from {
                protocol icmp;
            }
            then accept;
        }
        term accept_DHCP {
            from {
                protocol udp;
            }
            then accept;
        }
    }
  }
}

4200 EX Switches

set that if disconnecting cascade cables from stack of 2 switches that the switches will not became layer 2

set virtual-chassis no-split-detection

show units at stack

show virtual-chassis                                   
0 (FPC 0)  Prsnt    BQ0209341890 ex4200-48p      128  Master*    1  vcp-0      
1 (FPC 1)  Prsnt    BN0209364440 ex4200-24p      128  Linecard   3  vcp-0      
2 (FPC 2)  Prsnt    BQ0209341900 ex4200-48p      128  Backup     0  vcp-0      
3 (FPC 3)  Prsnt    BQ0209341917 ex4200-48p      128  Linecard   2  vcp-0      

Member ID for next new member: 4 (FPC 4)

change units number

(the serial is also at the back of the switch, no restart needed, the new master became master after few minutes)

set virtual-chassis preprovisioned
set virtual-chassis member 0 serial-number BN0209364440 role routing-engine
set virtual-chassis member 1 serial-number BQ0209341917 role routing-engine
set virtual-chassis member 2 serial-number BQ0209341900
set virtual-chassis member 3 serial-number BQ0209341890

8200 EX Switches

set managment ip when having 2 routing engines

delete int me0
edit groups 
set re0 system host-name Name1 
set re0 interfaces me0 unit 0 family inet address 10.10.10.12/24 
set re1 system host-name Name2
set re1 interfaces me0 unit 0 family inet address 10.10.10.22/24 
top 
set apply-groups [re0 re1]

turn off a module

(disable)

set chassis fpc  power off

set the switchover without only 10 packet loss

set chassis redundancy graceful-switchover

connect to backup routing engine

request routing-engine login backup

show modules

show chassis hardware

change active CPU

request chassis routing-engine master switch

cancel switchover at fuiler/reload command

deactivate chassis redundancy graceful-switchover

Auto save config aldo to backup

(“commit” saves only to the present Routing Engine)

commit synchronize

Run commands at a linecard

root@st-grande06-scb0:RE:0% lcdd 2 chassism
chassism#show mac ge-2/0/1 
chassism#show phy ge-2/0/1

Junos Basics – Aggregated Ethernet Interfaces (LACP)

In my previous Junos Basics post I covered configuring an 802.1Q Trunk between a Juniper EX2200C and a Cisco 2960S. This post will expand upon the previous one by bundling two interfaces together on each switch to form an aggregated link for the trunk.

There are a few proprietary standards for aggregating ethernet links, but Juniper uses the IEEE 802.3ad standard and Cisco can also be configured to use this. The 802.3ad standard is known as Link Aggregation Control Protocol (LACP). LACP can be configured in either Active or Passive mode – in Active mode a switch will always try and form an LACP link with the other side, and in Passive mode a switch will form an LACP link if the other side is in Active mode.

microbfd-sessions

On the Cisco side, the config steps are very simple:

  • specify the interfaces to be aggregated
  • set the protocol to LACP
  • create a Channel Group and specify the LACP mode
  • set the Port Channel interface as a trunk
  • specify which VLAN’s are allowed over the trunk
Cisco2960S(config)#int range gi1/0/47-48
Cisco2960S(config-if-range)#channel-protocol lacp
Cisco2960S(config-if-range)#channel-group 1 mode passive
Cisco2960S(config)#interface po1
Cisco2960S(config-if)#switchport mode trunk
Cisco2960S(config-if)#switchport trunk allowed vlan 100,200

Onto the Juniper side, the first step is to specify the number of aggregated links on the switch:

rich@EX2200C# set chassis aggregated-devices ethernet device-count 1

Next, we have to remove the logical unit configuration from the interfaces that are to be bundled, as logical units are not allowed on aggregated links:

delete interfaces ge-0/1/1 unit 0
delete interfaces ge-0/1/0 unit 0

Next, set the interfaces to use LACP (802.3ad) and to be members of a logical aggregated ethernet port (ports begin with ae):

set interfaces ge-0/1/0 ether-options 802.3ad ae0
set interfaces ge-0/1/1 ether-options 802.3ad ae0

Then we need to set the LACP mode for our new aggregated interface. We’ll make the Juniper side Active, so that it initiates the transmissison of LACP packets:

set interfaces ae0 aggregated-ether-options lacp active

Finally, we need to set the aggregated link to be a trunk, and tell it which VLAN’s to trunk:

set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [SALES IT]

To verify our config, we’ll start on the Cisco side and check the Etherchannel summary:

Cisco2960S#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------------------------
1      Po1(SU)         LACP      Gi1/0/47(P) Gi1/0/48(P)

Then we can confirm the trunk config:

Cisco2960S#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         100,200

Port        Vlans allowed and active in management domain
Po1         100,200

Port        Vlans in spanning tree forwarding state and not pruned
Po1         100,200

And on the Juniper side:

rich@EX2200C> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow   Passive
      ge-0/1/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/1     Partner    No    No   Yes  Yes  Yes   Yes     Slow   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/1/0                  Current   Slow periodic Collecting distributing
      ge-0/1/1                  Current   Slow periodic Collecting distributing

From the above output we can see that our individual interfaces are both Active, with the partner end Passive. For a detailed explanation of the output see this article from Juniper, but suffice to say the Mux State of Collecting and Distributing means the LACP protocol is working correctly.

We can also confirm the trunk is up and trunking for VLAN’s 100 and 200:

rich@EX2200C> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging  Blocking
ae0.0        up     IT                  200   tagged   unblocked
                    SALES               100   tagged   unblocked

I hope this has been a useful explanation.  In my next Junos Basics post I’ll cover first hop redundancy using VRRP.

JunOS: Copy & Paste configuration directly on terminal.

The command load replace terminal can be used to copy a configuration from a text file to a Juniper device.

After executing this command the router will start accepting configuration data via the paste option.

To exit this mode use the CTRL-D or ^D, this will exit from the terminal mode and return back to device prompt.

Example Follows:

root@gw-srx-01# load replace terminal   
[Type ^D at a new line to end input]
interfaces {
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    input INPUT_RETH0.0_Filter;
                }
                address 10.0.0.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
}
^D
load complete
 
[edit]
root@gw-srx-01# commit

VLAN Difference between Juniper and Cisco Switches

A VLAN (Virtual Local Area Network) is a logical LAN segment which have unique broadcast domain. Basically, VLAN divides one physical switch to multiple logical switch. You can configure hundreds of VLANs in one EX series switch. No matter if its EX4200, EX3200 or EX2200. Today I will show you VLAN difference between Juniper and Cisco switches.

VLAN Difference between Juniper and Cisco Switches

There are two port modes in Juniper switch i.e. access mode or trunk mode. The interface in access mode connects to a network device, such as laptop or an IP phone. The interface in trunk mode connects to other switches in the network. There are many differences between Juniper and Cisco switches.

  1. In Cisco switches the default port mode is dynamic desirable auto but in Juniper switch the default port mode is access mode.
  2. In Cisco switches the default VLAN is untagged and is the native VLAN i.e. VLAN 1 but in Juniper there is no default native VLAN. You must configure it manually.
  3. In Cisco switches the trunk ports accept all VLANs in the range of 1 to 4095 by default but in Juniper, trunk ports do not support any VLANs. You have to make it support manually.
  4. In Juniper switches, VLAN named Default is present by default and all the interfaces are under this default VLAN.
  5. Unlike Cisco switches Juniper switches doesn’t support VTP (VLAN Trunking Protocol) or DTP (Dynamic Trunking Protocol). Juniper switches support GVRP (Generic Attribute Registration Protocol) though.
  6. Juniper switches has two port modes i.e. access and trunk mode. Cisco switches have five port modes i.e. dynamic auto, dynamic desirable, access, trunk and nonegotiate mode.
  7. Juniper switches support 802.1Q protocol for trunk ports. Cisco switches support both 802.1Q and ISL (Inter Switched Link) protocols.

Juniper SRX Simple Internet Gateway Setup Guide

This guide was written for someone that wants to configure a Juniper SRX firewall as a simple home or business Internet gateway. You will need some tech savvy since I have written the instructions for the CLI and not J-Web, by doing it this way I can keep the instructions short and to the point.

SRXEnviroment

General Configuration

Thse are things that we need to take care of before getting to far into things.
set system host-name Internet_Gateway
set system root-authentication plain-text-password

#I like to have domain name services so that I do name resolution although this is not really needed and can be omitted.

set system name-server 8.8.8.8

#Setup a user other than root for administration, this is a good practice since it is never good for root to login remotely.

set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication plain-text-password

#For accurate date and time in logs configure an NTP server, in my case I used a publicly available server.

 set system ntp server 192.95.20.208 

Interface Configuration

#This is our internet facing link and it will pull IP configuration via DHCP from our provider.

 set interfaces ge-0/0/0 description Internet_Link
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server

#I would like interface fe-0/0/2 to 0/0/7 to be a member of vlan 100 and behave like a switch.

set interfaces interface-range interface-trust member fe-0/0/2
set interfaces interface-range interface-trust member fe-0/0/3
set interfaces interface-range interface-trust member fe-0/0/4
set interfaces interface-range interface-trust member fe-0/0/5
set interfaces interface-range interface-trust member fe-0/0/6
set interfaces interface-range interface-trust member fe-0/0/7

#Family ethernet-switching will allow the range of ports to behave like a switch while belonging to vlan-trust which is where they will find the gateway IP.

set interfaces interface-range interface-trust unit 0 family ethernet-switching vlan members vlan-trust

#This will be the gateway for the LAN devices on fe-0/0/2 to 0/0/7.

set interfaces vlan unit 100 family inet address 192.168.1.1/24

#Let’s create the vlan-trust and attache vlan.100 which was the L3 interface we created above.

set vlans vlan-trust vlan-id 100
set vlans vlan-trust l3-interface vlan.100

Test

To see if DHCP is working on ge-0/0/0 issue the following command, you should see IP information from you Internet Service Provider.
admin@Internet_Gateway show system services dhcp client

Logical Interface name         ge-0/0/0.0
Hardware address        80:71:1f:b4:07:c0
Client status           bound
Address obtained        10.5.5.5
Update server           enabled
Lease obtained at       2013-05-08 19:14:06 UTC
Lease expires at        2013-05-08 23:14:06 UTC

DHCP options:
Name: server-identifier, Value: 10.5.5.254
Code: 1, Type: ip-address, Value: 255.255.255.0
Name: router, Value: [ 10.5.5.1 ]
Name: domain-name, Value: corp.test.com
Name: name-server, Value: [ 10.5.5.253 ]

LAN DHCP

Since we just finished configuring the LAN we should setup DHCP which will provide local addresses to devices in vlan-trust.

set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.50
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1

#This statement propagate-settings will take configuration from the client DHCP on ge-0/0/0 if not otherwise specified, most importantly name-server which changes from ISP to ISP and is very important otherwise name resolutions on the LAN won’t work.

set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0

Test

Lets see if the PC(s) connected to ports fa-0/02 to 0/0/7 are getting DHCP leases.
admin@Internet_Gateway> show system services dhcp binding
IP address       Hardware address   Type     Lease expires at
192.168.1.50     32:aa:a7:5e:17:45  dynamic  2013-05-08 20:14:02 UTC

Security Zones

We are going configure a zone for the LAN (Trust) and for our Internet (Untrust)

set security zones security-zone untrust description "Internet Link - DHCP Configured"

#Note we are allowing DHCP since the Internet facing interface will be a client.

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

#Allow any service/protocol to the internal interface. (Should be safe in our case)

set security zones security-zone trust description "Local Area Network"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

#Attach vlan.100 to the trust zone.

set security zones security-zone trust interfaces vlan.100

Source NAT

Since 19.168.1.0/24 is private and won’t be routed on the Internet we will need to source NAT this internal subnet to our Internet facing egress interface.
set security nat source rule-set internal-to-internet description “NAT anything from trust zone to untrust (LAN to Internet)”

set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface

Policies

Allow anything from trust to untrust (LAN to Internet) Since there is an implicit deny by default traffic from trust to untrust will automatically be dropped and doesn’t need a policy.

set security policies from-zone trust to-zone untrust policy defaul-permit match source-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match destination-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match application any
set security policies from-zone trust to-zone untrust policy defaul-permit then permit

Management

This is a simple Internet gateway so lets enable SSH and HTTPS access from the inside LAN only.

set system services ssh protocol-version v2
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.100

Full Configuration

For those who would just like to copy and paste the entire configuration into the SRX.

set system host-name Serenity
set system root-authentication encrypted-password "$1$QgzUP4DH$dbmMYIKqw.I0b2KSIK1gB0"
set system name-server 8.8.8.8
set system login user lleroux uid 2000
set system login user lleroux class super-user
set system login user lleroux authentication encrypted-password "$1$FKKuZxhz$j0Yu8AYMW0x4JbH0CxkVZ1"
set system services ssh protocol-version v2
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.100
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.50
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0
set system ntp server 192.95.20.208
set interfaces interface-range interface-trust member fe-0/0/2
set interfaces interface-range interface-trust member fe-0/0/3
set interfaces interface-range interface-trust member fe-0/0/4
set interfaces interface-range interface-trust member fe-0/0/5
set interfaces interface-range interface-trust member fe-0/0/6
set interfaces interface-range interface-trust member fe-0/0/7
set interfaces interface-range interface-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 description Internet_Link
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server
set interfaces vlan unit 100 family inet address 192.168.1.1/24
set security nat source rule-set internal-to-internet description "NAT anything from trust zone to untrust (LAN to Internet)"
set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
set security policies from-zone trust to-zone untrust policy defaul-permit match source-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match destination-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match application any
set security policies from-zone trust to-zone untrust policy defaul-permit then permit
set security zones security-zone untrust description "Internet Link - DHCP Configured"
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust description "Local Area Network"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.100
set vlans vlan-trust vlan-id 100
set vlans vlan-trust l3-interface vlan.100

Virtual Chassis on EX2200 switches

The Juniper Virtual Chassis technology allows you to combine multiple physical switches into one logical switch stack, which reduces the management overhead of dealing with many switches. Because all members are acting as a single device, with a proprietary control protocol underneath, there is no need for Spanning Tree and its blocked links. It also has dual routing engine support, albeit with some feature limitations on the EX2200 platform.

Continue reading