
Sunday, May 24, 2015

Juniper, Zero Touch Provisioning, and Raspberry Pi

Recently, a client needed to replace about 500 switches at multiple remote sites. ZTP came to mind as a possible shortcut to getting this done with the least possible effort. After doing some reading about automation and Junos, I started playing around with Python, Jinja, and YAML. During this period, it turned out that a colleague of mine was going through the same exercise with one of his clients. Special thanks to Vince Loschiavo, who came up with a way to build device-specific configuration files while also leveraging ZTP. His Git repository can be found here; it goes over all the steps one must take to get things working. I would highly recommend reading through his and other documentation before moving forward, but in a nutshell, here's how ZTP works:
  1. By default, when a new Juniper switch's management interface is plugged in, it attempts to go through the ZTP process.
    1. It requests an IP address.
    2. It attempts to download and upgrade the Junos OS.
    3. It attempts to download and install a configuration.
This process can be manipulated to satisfy more complex requirements. Below is a brief overview:
  1. A user scans/enters the MAC address of each switch's management interface into a CSV file, along with other device-specific data (e.g. host name, IP addressing, VLANs).
  2. This CSV file is then placed on a server somewhere on the network where python, jinja2, apache2, the required Junos OS version, and a DHCP server are installed/loaded.
  3. Two jinja templates exist on this server that allow for the generation of device-specific configuration files:
    1. A configuration template that contains variables for all data that differs per device.
    2. A DHCP reservation template that contains variables for certain device-specific information (e.g. the MAC address of a switch's management interface).
  4. A single python script exists on this server which, when executed, parses the CSV file, generates the configuration files, and creates a DHCP reservation for each switch.
  5. Upon plugging each switch into the network, the ZTP process is triggered, and the switches are deployment-ready in minutes.
This is awesome! However, in my case the customer did not have a management network built, and time constraints would not allow it...

Discussing my constraints with Vince and other team members, we came to the conclusion that a small, portable mini-computer just might work for this type of scenario. Enter Raspberry Pi!

Together we were able to validate that a Raspberry Pi gets the job done. It is super cheap and can be powered via a USB port on a switch. Once everything is loaded and the python script is executed, it is very plug and play. The Raspberry Pi can then be shipped from site to site to perform OS upgrades and provision configuration data.

In an effort to make things a little simpler for network engineers who would like to try this out, I have taken a snapshot of my 8GB microSD with all the necessary applications installed and configured. It even has a sample CSV file and generated samples from the python script. If you would like a copy, just let me know. If you would like to build your own, here is what I installed:
  • Snappy Ubuntu Core - https://wiki.ubuntu.com/ARM/RaspberryPi
  • apache2 - used to transfer files via http
  • python - used to generate files
  • jinja2 - used to create templates
  • isc-dhcp-server - used to serve IP addresses
  • openssh-server - used to allow SSH access
Enjoy!
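As an added example (not from the post or from Vince's repository), here is the CSV-to-templates step from the overview above in stdlib Python. It validates every row before rendering, because each CSV field ends up verbatim in a switch configuration and in dhcpd.conf. The me0 management interface, the template contents and the sample inventory are assumptions, and string.Template stands in for jinja2.

```python
"""Added example, not from the post or from Vince Loschiavo's repository:
render per-device Junos configs and ISC DHCP host reservations from a CSV.
string.Template stands in for jinja2 so this runs on the stdlib alone; the
template syntax differs, the workflow is the one described in the post."""
import csv
import io
import ipaddress
import re
from string import Template

# Constructed sample inventory. The third record is deliberately bad: its
# hostname field carries a newline followed by a second Junos statement.
SAMPLE_CSV = '''hostname,mac,mgmt_ip,vlan_id,vlan_name
sw-site1-01,00:11:22:33:44:55,10.99.1.11,100,users
sw-site1-02,0011.2233.4456,10.99.1.12,100,users
"sw-bad
set system services telnet",00:11:22:33:44:57,10.99.1.13,100,users
'''

# Hostname-style label: no whitespace, quotes or newlines can get through.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}")

# Assumed (hypothetical) per-device template; me0 is the EX management port.
CONFIG_TEMPLATE = Template(
    "set system host-name $hostname\n"
    "set interfaces me0 unit 0 family inet address $mgmt_ip/24\n"
    "set vlans $vlan_name vlan-id $vlan_id\n"
)

# ISC dhcpd host reservation keyed on the management MAC address.
DHCP_TEMPLATE = Template(
    "host $hostname {\n"
    "    hardware ethernet $mac;\n"
    "    fixed-address $mgmt_ip;\n"
    "    option host-name \"$hostname\";\n"
    "}\n"
)


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff or bare hex and
    return the colon form dhcpd expects; raise ValueError otherwise."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_row(row):
    """Return a cleaned copy of one CSV record or raise ValueError.
    Every field lands verbatim in a config or dhcpd.conf line, so each one is
    checked strictly: a stray newline must not become an extra 'set' line."""
    hostname = row["hostname"].strip()
    vlan_name = row["vlan_name"].strip()
    for label in (hostname, vlan_name):
        if not HOSTNAME_RE.fullmatch(label):
            raise ValueError(f"bad hostname/label: {label!r}")
    vlan_id = int(row["vlan_id"])
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"bad vlan_id: {vlan_id}")
    return {
        "hostname": hostname,
        "mac": normalize_mac(row["mac"]),
        "mgmt_ip": str(ipaddress.IPv4Address(row["mgmt_ip"].strip())),
        "vlan_id": vlan_id,
        "vlan_name": vlan_name,
    }


def load_devices(csv_text):
    """Parse the inventory; return (valid_devices, error_messages)."""
    devices, errors = [], []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        try:
            devices.append(validate_row(row))
        except (ValueError, KeyError, AttributeError) as exc:
            errors.append(f"record {n}: {exc}")
    return devices, errors


def render(devices):
    """Return ({hostname: config_text}, dhcpd_reservations_text)."""
    configs = {d["hostname"]: CONFIG_TEMPLATE.substitute(d) for d in devices}
    dhcp = "".join(DHCP_TEMPLATE.substitute(d) for d in devices)
    return configs, dhcp


if __name__ == "__main__":
    devs, errs = load_devices(SAMPLE_CSV)
    cfgs, dhcpd = render(devs)
    for host, text in cfgs.items():
        print(f"--- {host}.conf ---\n{text}")
    print("--- dhcpd reservations ---\n" + dhcpd)
    print("rejected:", *errs, sep="\n  ")
```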

Monday, February 16, 2015

Juniper Lab Environment - Part V - OSPF NSSA and Totally NSSA

This post is a continuation of my last post, which covered multiple OSPF areas, specifically stub and totally stubby configuration. The fifth part in this series covers a topology of seven vSRXs in my lab network and a PA-200 that resides at the perimeter of my home network. The goal of this post is to explore the benefits of making area 56 an NSSA and then a totally NSSA area. We will then verify connectivity and reachability out to the internet from SRX6.
First, let's make area 56 an NSSA, which makes it behave almost like a stub area. The main difference is that an NSSA allows redistribution of external routes that originate within the area itself.

SRX6 Configuration:

set routing-options static route 10.66.0.0/24 discard
set routing-options static route 10.66.1.0/24 discard
set routing-options static route 10.66.2.0/24 discard
set routing-options static route 10.66.3.0/24 discard
set policy-options policy-statement static term 1 from protocol static
set policy-options policy-statement static term 1 then accept
set protocols ospf export static
set protocols ospf area 0.0.0.56 nssa
set protocols ospf area 0.0.0.56 interface ge-0/0/0.0
set protocols ospf area 0.0.0.56 interface ge-0/0/1.0

Note that above we add some static routes and export them from the routing table into OSPF, to simulate a router inside the area that needs to redistribute external routes, which is exactly the case an NSSA exists for.

SRX5 Configuration:

set protocols ospf area 0.0.0.56 nssa default-lsa default-metric 10
set protocols ospf area 0.0.0.56 interface ge-0/0/1.0

Here is how the database looks now:

root@6> show ospf database

    OSPF database, Area 0.0.0.56
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   5.5.5.5          5.5.5.5          0x80000004   694  0x20 0x64fe  36
Router  *6.6.6.6          6.6.6.6          0x80000004   688  0x20 0x3cd   84
Network *10.10.56.6       6.6.6.6          0x80000001   693  0x20 0x2f76  32
Summary  10.7.0.0         5.5.5.5          0x80000002   274  0x20 0x6aa9  28
Summary  10.7.1.0         5.5.5.5          0x80000002   136  0x20 0x5fb3  28
Summary  10.7.2.0         5.5.5.5          0x80000001  1165  0x20 0x56bc  28
Summary  10.7.3.0         5.5.5.5          0x80000001  1165  0x20 0x4bc6  28
Summary  10.10.23.0       5.5.5.5          0x80000001  1165  0x20 0x36c6  28
Summary  10.10.27.0       5.5.5.5          0x80000001  1165  0x20 0x14e3  28
Summary  10.10.34.0       5.5.5.5          0x80000001  1165  0x20 0xb240  28
Summary  10.10.45.0       5.5.5.5          0x80000001  1165  0x20 0x2fb9  28
NSSA     0.0.0.0          5.5.5.5          0x80000003   413  0x20 0x49c9  36
NSSA    *10.66.0.0        6.6.6.6          0x80000003   115  0x28 0x4aa7  36
NSSA    *10.66.1.0        6.6.6.6          0x80000002   882  0x28 0x41b0  36
NSSA    *10.66.2.0        6.6.6.6          0x80000002   882  0x28 0x36ba  36
NSSA    *10.66.3.0        6.6.6.6          0x80000002   882  0x28 0x2bc4  36

Now let's take it one step further and make area 56 a totally NSSA, which shrinks the database even more by blocking external routes from other areas as well as inter-area routes from other areas, leaving only the default route.

SRX5 Configuration:

set protocols ospf area 0.0.0.56 nssa no-summaries

Here is how the database looks now:

root@6> show ospf database

    OSPF database, Area 0.0.0.56
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   5.5.5.5          5.5.5.5          0x80000008     3  0x20 0x5c03  36
Router  *6.6.6.6          6.6.6.6          0x8000000a     3  0x20 0xb36e  84
Network *10.10.56.6       6.6.6.6          0x80000007     3  0x20 0x237c  32
Summary  0.0.0.0          5.5.5.5          0x80000001    17  0x20 0x75ab  28
NSSA    *10.66.0.0        6.6.6.6          0x80000005     3  0x28 0x46a9  36
NSSA    *10.66.1.0        6.6.6.6          0x80000004     3  0x28 0x3db2  36
NSSA    *10.66.2.0        6.6.6.6          0x80000004     3  0x28 0x32bc  36
NSSA    *10.66.3.0        6.6.6.6          0x80000004     3  0x28 0x27c6  36

root@6> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=50 time=26.088 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=15.279 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=10.849 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=50 time=10.458 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=50 time=13.091 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.458/15.153/26.088/5.734 ms

Saturday, February 14, 2015

Juniper Lab Environment - Part IV - OSPF Stub and Totally Stubby

This post is a continuation of my last post, which covered an OSPF virtual link configuration. The fourth part in this series covers a topology of six vSRXs in my lab network and a PA-200 that resides at the perimeter of my home network. The goal of this post is to explore the benefits of making area 27 a stub area, and then taking it a step further to make it a totally stubby area. We will then verify connectivity and reachability out to the internet from SRX7.
Based on the current configuration (see previous posts), we will see all LSA types:

root@7> show ospf database

    OSPF database, Area 0.0.0.27
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x80000005   220  0x22 0x8234  36
Router  *7.7.7.7          7.7.7.7          0x80000003  1742  0x22 0xc439  84
Network *10.10.27.7       7.7.7.7          0x80000001  1747  0x22 0xb40f  32
Summary  10.10.23.0       2.2.2.2          0x80000004  1257  0x22 0x58ad  28
Summary  10.10.34.0       2.2.2.2          0x80000002   813  0x22 0xec0f  28
Summary  10.10.45.0       2.2.2.2          0x80000003   368  0x22 0x7b73  28
ASBRSum  3.3.3.3          2.2.2.2          0x80000003   516  0x22 0xba6a  28
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern   0.0.0.0          3.3.3.3          0x80000001   497  0x22 0xa6ff  36

Now let's make area 27 a stub area, which will block all external routes from entering the area and also prevents local redistribution.

SRX7 Configuration:

set protocols ospf area 0.0.0.27 stub

SRX2 Configuration:

set protocols ospf area 0.0.0.27 stub default-metric 10

Here is how the database looks now:

root@7> show ospf database

    OSPF database, Area 0.0.0.27
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x80000006     9  0x20 0x9e19  36
Router  *7.7.7.7          7.7.7.7          0x80000005     8  0x20 0x6697  84
Network *10.10.27.7       7.7.7.7          0x80000003     8  0x20 0xcef4  32
Summary  0.0.0.0          2.2.2.2          0x80000001   181  0x20 0xcf5d  28
Summary  10.10.23.0       2.2.2.2          0x80000001   181  0x20 0x7c8e  28
Summary  10.10.34.0       2.2.2.2          0x80000001   181  0x20 0xdf1   28
Summary  10.10.45.0       2.2.2.2          0x80000001   181  0x20 0x9d55  28

Now let's take it one step further and make area 27 a totally stubby area, which will also block inter-area routes.

SRX2 Configuration:

set protocols ospf area 0.0.0.27 stub default-metric 10 no-summaries

Here is how the database looks now:

root@7> show ospf database

    OSPF database, Area 0.0.0.27
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x8000000a     4  0x20 0x961d  36
Router  *7.7.7.7          7.7.7.7          0x8000000a     3  0x20 0x5c9c  84
Network *10.10.27.7       7.7.7.7          0x80000007     3  0x20 0xc6f8  32
Summary  0.0.0.0          2.2.2.2          0x80000001    19  0x20 0xcf5d  28

root@7> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=51 time=21.304 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=11.713 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=10.351 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=10.280 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=51 time=12.657 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.280/13.261/21.304/4.118 ms
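Both OSPF posts above verify the area type by reading show ospf database by eye. As an added example (not from the posts), the script below parses that output, decodes the Opt byte (the change from 0x22 to 0x20 and 0x28 visible above is the E-bit being cleared and the P-bit being set) and checks the LSA set against the expected area type. The two embedded databases are the ones shown in Part IV and Part V.

```python
"""Added example, not from the posts: parse Junos 'show ospf database' output,
decode the Opt byte and check an area's LSA set against the stub / totally
stubby / NSSA / totally NSSA behaviour shown in the posts."""
import re

# OSPF Options bits (RFC 2328 A.2, RFC 3101). Clearing the E-bit is what turns
# 0x22 into 0x20 once an area is stub or NSSA; 0x28 is DC plus the P-bit.
OPTION_BITS = {0x02: "E", 0x04: "MC", 0x08: "N/P", 0x10: "L/EA", 0x20: "DC", 0x40: "O", 0x80: "DN"}
OPT_E, OPT_NP = 0x02, 0x08

# Two databases from the posts: area 27 before it became a stub area (Part IV)
# and area 56 as a totally NSSA (Part V).
AREA27_BEFORE = """\
    OSPF database, Area 0.0.0.27
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x80000005   220  0x22 0x8234  36
Router  *7.7.7.7          7.7.7.7          0x80000003  1742  0x22 0xc439  84
Network *10.10.27.7       7.7.7.7          0x80000001  1747  0x22 0xb40f  32
Summary  10.10.23.0       2.2.2.2          0x80000004  1257  0x22 0x58ad  28
Summary  10.10.34.0       2.2.2.2          0x80000002   813  0x22 0xec0f  28
Summary  10.10.45.0       2.2.2.2          0x80000003   368  0x22 0x7b73  28
ASBRSum  3.3.3.3          2.2.2.2          0x80000003   516  0x22 0xba6a  28
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern   0.0.0.0          3.3.3.3          0x80000001   497  0x22 0xa6ff  36
"""
TOTALLY_NSSA_56 = """\
    OSPF database, Area 0.0.0.56
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   5.5.5.5          5.5.5.5          0x80000008     3  0x20 0x5c03  36
Router  *6.6.6.6          6.6.6.6          0x8000000a     3  0x20 0xb36e  84
Network *10.10.56.6       6.6.6.6          0x80000007     3  0x20 0x237c  32
Summary  0.0.0.0          5.5.5.5          0x80000001    17  0x20 0x75ab  28
NSSA    *10.66.0.0        6.6.6.6          0x80000005     3  0x28 0x46a9  36
NSSA    *10.66.1.0        6.6.6.6          0x80000004     3  0x28 0x3db2  36
NSSA    *10.66.2.0        6.6.6.6          0x80000004     3  0x28 0x32bc  36
NSSA    *10.66.3.0        6.6.6.6          0x80000004     3  0x28 0x27c6  36
"""

LSA_RE = re.compile(
    r"^(?P<type>\w+)\s+(?P<self>\*?)(?P<id>[\d.]+)\s+(?P<adv>[\d.]+)\s+"
    r"(?P<seq>0x[0-9a-f]+)\s+(?P<age>\d+)\s+(?P<opt>0x[0-9a-f]+)\s+"
    r"(?P<cksum>0x[0-9a-f]+)\s+(?P<len>\d+)\s*$", re.I)


def decode_options(opt):
    """Names of the set Options bits, lowest first: 0x28 -> ['N/P', 'DC']."""
    return [name for bit, name in sorted(OPTION_BITS.items()) if opt & bit]


def parse_ospf_database(text):
    """Return {scope: [lsa, ...]}; scope is an area ID or 'AS'."""
    scopes, scope = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*OSPF database, Area (\S+)", line)
        if m or "AS SCOPE" in line:
            scope = m.group(1) if m else "AS"
            scopes.setdefault(scope, [])
            continue
        m = LSA_RE.match(line)
        if m and scope is not None:
            lsa = m.groupdict()
            lsa["self"] = bool(lsa["self"])  # '*' marks self-originated LSAs
            for k in ("seq", "opt", "cksum"):
                lsa[k] = int(lsa[k], 16)
            lsa["age"], lsa["len"] = int(lsa["age"]), int(lsa["len"])
            scopes[scope].append(lsa)
    return scopes


def check_area(lsas, mode):
    """Findings for an area expected to be 'stub', 'totally-stubby', 'nssa' or
    'totally-nssa'; an empty list means the database matches that type."""
    findings, types = [], {l["type"] for l in lsas}
    if "ASBRSum" in types:
        findings.append("type-4 ASBRSum present: still a normal area")
    if "NSSA" in types and mode in ("stub", "totally-stubby"):
        findings.append("type-7 NSSA LSAs present in a stub area")
    if "NSSA" not in types and mode in ("nssa", "totally-nssa"):
        findings.append("no type-7 LSAs: nothing is being redistributed")
    if mode.startswith("totally"):
        leaked = [l["id"] for l in lsas if l["type"] == "Summary" and l["id"] != "0.0.0.0"]
        if leaked:
            findings.append(f"inter-area routes leaked past no-summaries: {leaked}")
    if not any(l["id"] == "0.0.0.0" and l["type"] in ("Summary", "NSSA") for l in lsas):
        findings.append("no default route from the ABR (check default-metric)")
    for l in lsas:
        if l["opt"] & OPT_E:
            findings.append(f"{l['type']} {l['id']}: E-bit set, area is not stub/NSSA")
        if l["type"] == "NSSA" and l["id"] != "0.0.0.0" and not l["opt"] & OPT_NP:
            findings.append(f"type-7 {l['id']}: P-bit clear, never translated to type-5")
    return findings


if __name__ == "__main__":
    db = parse_ospf_database(TOTALLY_NSSA_56)
    print(check_area(db["0.0.0.56"], "totally-nssa") or "area 56 looks like a totally NSSA")
```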

Monday, March 31, 2014

Juniper BGP Over IPSec Multipoint

In my lab, I wanted to use a dynamic routing protocol for my hub-and-spoke VPN topology, and decided to try BGP. The requirements were to use only one tunnel interface on the hub device for all IPSec tunnels, and to deny all traffic between spoke sites. The configuration below is based on the topology shown below:
SRX 1 (Hub Device):

Interface configuration (note that the tunnel interface is configured as multipoint, which allows multiple IPSec tunnels to terminate on a single logical interface):
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "*** TRUST ***";
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "*** UNTRUST ***";
            family inet {
                address 172.16.1.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.1.1.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "*** VPN ***";
            multipoint;
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}

Default route configuration:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.1.2;
    }
    router-id 1.1.1.1;
    autonomous-system 65001;
}

BGP configuration:
protocols {
    bgp {
        group 1 {
            type external;
            neighbor 192.168.1.3 {
                hold-time 30;
                export 1;
                peer-as 65003;
                local-as 65001;
            }
            neighbor 192.168.1.4 {
                hold-time 30;
                export 1;
                peer-as 65004;
                local-as 65001;
            }
        }
    }
}

Routing policy configuration:
policy-options {
    policy-statement 1 {
        term 1 {
            from {
                route-filter 10.1.1.0/24 exact;
            }
            then accept;
        }
        term 2 {
            from {
                route-filter 192.168.1.0/24 exact;
            }
            then accept;
        }
        term 3 {
            then reject;
        }
    }
}

VPN configuration:
security {
    ike {
        policy 1-3 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$rV4KWXVwgUjq7-jqmfn6revW7-"; ## SECRET-DATA
        }
        policy 1-4 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$ZCDH.QF/0BEP5BEcyW8ZUjHP5"; ## SECRET-DATA
        }
        gateway 3 {
            ike-policy 1-3;
            address 172.16.3.1;
            external-interface ge-0/0/1.0;
        }
        gateway 4 {
            ike-policy 1-4;
            address 172.16.4.1;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        policy 1-3 {
            proposal-set standard;
        }
        policy 1-4 {
            proposal-set standard;
        }
        vpn 1-3 {
            bind-interface st0.0;
            ike {
                gateway 3;
                ipsec-policy 1-3;
            }
            establish-tunnels immediately;
        }
        vpn 1-4 {
            bind-interface st0.0;
            ike {
                gateway 4;
                ipsec-policy 1-4;
            }
            establish-tunnels immediately;
        }
    }
}

Security zone configuration (note that for my lab testing I am allowing almost everything; in a production environment you must enable the specific services and protocols each zone needs at the zone level, e.g. BGP and IKE, for things to function properly):
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

Security policy configuration (note the policy that denies traffic from spoke to spoke):
security {
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy deny-intra-spoke-traffic {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
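As an added example (not from the post), the following script parses a brace-format Junos security configuration and flags what the two notes above call out: zones whose host-inbound-traffic is all, and any/any/any policies, while confirming that the vpn-to-vpn policy denies spoke-to-spoke traffic. The sample configuration is abridged from the hub configuration above.

```python
"""Added example, not from the post: parse a Junos brace-format security
configuration and flag what the notes above call out (zones whose
host-inbound-traffic is 'all', any/any/any policies), and confirm that the
vpn -> vpn policy denies spoke-to-spoke traffic."""
import re

# Constructed sample, abridged from the hub (SRX 1) configuration above.
SAMPLE_CONFIG = """\
security {
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
    policies {
        from-zone vpn to-zone vpn {
            policy deny-intra-spoke-traffic {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
}
"""


def parse_junos(text):
    """Brace-format Junos config -> nested dicts; leaf statements map to None.
    '## SECRET-DATA' style annotations are dropped before parsing."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = re.sub(r"##.*", "", raw).strip()
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line.endswith(";"):
            node[line[:-1].strip()] = None
    return root


def audit_host_inbound(cfg):
    """Zones that accept every system service or protocol on their interfaces."""
    findings = []
    for zone_name, zone in cfg.get("security", {}).get("zones", {}).items():
        for kind, allowed in zone.get("host-inbound-traffic", {}).items():
            if "all" in allowed:
                findings.append(f"{zone_name}: host-inbound-traffic {kind} all")
    return findings


def policy_matrix(cfg):
    """{(from_zone, to_zone): (policy_name, action, is_any_any_any)}.
    Keeps the last policy per zone pair, which is enough for the one-policy
    pairs in the post; ordered multi-policy pairs would need a list."""
    matrix = {}
    for key, block in cfg.get("security", {}).get("policies", {}).items():
        m = re.fullmatch(r"from-zone (\S+) to-zone (\S+)", key)
        if not m:
            continue
        for pkey, pol in block.items():
            wide = {"source-address any", "destination-address any",
                    "application any"} <= set(pol.get("match", {}))
            action = next(iter(pol.get("then", {})), None)
            matrix[m.groups()] = (pkey.split(" ", 1)[1], action, wide)
    return matrix


def spoke_to_spoke_blocked(cfg):
    """True when the vpn -> vpn policy is an explicit deny (the hub's requirement)."""
    entry = policy_matrix(cfg).get(("vpn", "vpn"))
    return entry is not None and entry[1] == "deny"


if __name__ == "__main__":
    cfg = parse_junos(SAMPLE_CONFIG)
    print(*audit_host_inbound(cfg), sep="\n")
    print("spoke-to-spoke blocked:", spoke_to_spoke_blocked(cfg))
```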

SRX 3 (Spoke Device):

Interface configuration:
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "*** TRUST ***";
            family inet {
                address 10.3.3.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "*** UNTRUST ***";
            family inet {
                address 172.16.3.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 3.3.3.3/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "*** VPN ***";
            family inet {
                address 192.168.1.3/24;
            }
        }
    }
}

Default route configuration:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.3.2;
    }
    router-id 3.3.3.3;
    autonomous-system 65003;
}

BGP configuration:
protocols {
    bgp {
        group 1 {
            type external;
            neighbor 192.168.1.1 {
                hold-time 30;
                export 1;
                peer-as 65001;
                local-as 65003;
            }
        }
    }
}

Routing policy configuration:
policy-options {
    policy-statement 1 {
        term 1 {
            from {
                route-filter 10.3.3.0/24 exact;
            }
            then accept;
        }
        term 2 {
            from {
                route-filter 192.168.1.0/24 exact;
            }
            then accept;
        }
        term 3 {
            then reject;
        }
    }
}

VPN configuration:
security {
    ike {
        policy 3-1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA
        }
        gateway 3-1 {
            ike-policy 3-1;
            address 172.16.1.1;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        policy 3-1 {
            proposal-set standard;
        }
        vpn 3-1 {
            bind-interface st0.0;
            ike {
                gateway 3-1;
                ipsec-policy 3-1;
            }
            establish-tunnels immediately;
        }
    }
}

Security zone configuration:
security {
    zones {
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                ge-0/0/0.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

Security policy configuration:
security {
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

SRX 4 (Spoke Device):

Interface configuration:
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "*** TRUST ***";
            family inet {
                address 10.4.4.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description "*** UNTRUST ***";
            family inet {
                address 172.16.4.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 4.4.4.4/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "*** VPN ***";
            family inet {
                address 192.168.1.4/24;
            }
        }
    }
}

Default route configuration:
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.4.2;
    }
    router-id 4.4.4.4;
    autonomous-system 65004;
}

BGP configuration:
protocols {
    bgp {
        group 1 {
            type external;
            neighbor 192.168.1.1 {
                hold-time 30;
                export 1;
                peer-as 65001;
                local-as 65004;
            }
        }
    }
}

Routing policy configuration:
policy-options {
    policy-statement 1 {
        term 1 {
            from {
                route-filter 10.4.4.0/24 exact;
            }
            then accept;
        }
        term 2 {
            from {
                route-filter 192.168.1.0/24 exact;
            }
            then accept;
        }
        term 3 {
            then reject;
        }
    }
}

VPN configuration:
security {
    ike {
        policy 4-1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA
        }
        gateway 4-1 {
            ike-policy 4-1;
            address 172.16.1.1;
            external-interface ge-0/0/1.0;
        }
    }
    ipsec {
        policy 4-1 {
            proposal-set standard;
        }
        vpn 4-1 {
            bind-interface st0.0;
            ike {
                gateway 4-1;
                ipsec-policy 4-1;
            }
            establish-tunnels immediately;
        }
    }
}

Security zone configuration:
security {
    zones {
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                ge-0/0/0.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

Security policy configuration:
security {
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone vpn {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

Verification:

Here are some commands that can be run from operational mode for verification purposes:
show security ike security-associations
show security ipsec security-associations
show bgp neighbor
show bgp summary
show route

Thursday, February 14, 2013

Juniper Static Route Failover

In this scenario we are doing static routing, but we want fast failover in the event of an outage. We could use Bidirectional Forwarding Detection (BFD), but that requires it to be configured on both ends. Let's assume for this exercise that BFD is not an option on our neighbor routers.
As you can see (from left to right), we have one core Juniper router (10.0.0.1) and two next hops. Let's pretend that these next hops are both ISPs that we keep in place for business continuity in the event that one ISP experiences an outage.

Core Juniper Router Configuration:

Configure a static route:
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.2

Configure Real-time Performance Monitoring:
set services rpm probe ROUTE1 test ROUTE1 target address 10.0.0.2
set services rpm probe ROUTE1 test ROUTE1 probe-count 3
set services rpm probe ROUTE1 test ROUTE1 probe-interval 15
set services rpm probe ROUTE1 test ROUTE1 test-interval 10
set services rpm probe ROUTE1 test ROUTE1 thresholds successive-loss 3
set services rpm probe ROUTE1 test ROUTE1 thresholds total-loss 3
set services rpm probe ROUTE1 test ROUTE1 next-hop 10.0.0.2

Configure IP Monitoring:
set services ip-monitoring policy ROUTE1 match rpm-probe ROUTE1
set services ip-monitoring policy ROUTE1 then preferred-route route 0.0.0.0/0 next-hop 10.0.0.3

With the above configuration, we tell the router to monitor the connection to our next hop. Should the RPM probe exceed its loss thresholds, the policy defined under the services ip-monitoring hierarchy is applied, installing the preferred default route via the second next hop.

We can verify that RPM is running properly by issuing the following command from operational mode:
show services rpm history-results

Owner, Test                 Probe received                          Round trip time
ROUTE1, ROUTE1    Wed Feb  6 01:26:34 2013       1461 usec
ROUTE1, ROUTE1    Wed Feb  6 01:26:49 2013       1477 usec
ROUTE1, ROUTE1    Wed Feb  6 01:27:04 2013       7215 usec
ROUTE1, ROUTE1    Wed Feb  6 01:27:14 2013       1420 usec

We can verify whether or not our IP monitoring policy has been applied by issuing the following command from operational mode:
show services ip-monitoring status
Policy - ROUTE1
  RPM Probes:
    Probe name             Address          Status   
    ---------------------- ---------------- ---------
    ROUTE1                 10.0.0.2       PASS     
  Route-Action:
    route-instance    route             next-hop         State
    ----------------- ----------------- ---------------- ------------- 
    inet.0               0.0.0.0           10.0.0.3     NOT-APPLIED

Enjoy!

How to Verify TCP Traffic on EX Switches

On EX Series switches, you can configure firewall filters to monitor traffic between 2 devices. Let's pretend there are 2 devices (1 server and 1 PC) connected to our EX4200 switch, and we want to verify that traffic is passing from the PC to Server.

Configure a firewall filter for the server and apply it to the port that the server is plugged into:

set firewall family ethernet-switching filter F1 term T1 from source-address 1.1.1.1/32
set firewall family ethernet-switching filter F1 term T1 from destination-address 2.2.2.2/32
set firewall family ethernet-switching filter F1 term T1 from protocol tcp
set firewall family ethernet-switching filter F1 term T1 from tcp-flags "syn&ack"
set firewall family ethernet-switching filter F1 term T1 then count ack-count
set firewall family ethernet-switching filter F1 term T2 then accept
set interfaces ge-0/0/5 unit 0 family ethernet-switching filter input F1

Configure a firewall filter for the PC and apply it to the port that the PC is plugged into:

set firewall family ethernet-switching filter F2 term T1 from source-address 1.1.1.1/32
set firewall family ethernet-switching filter F2 term T1 from destination-address 2.2.2.2/32
set firewall family ethernet-switching filter F2 term T1 from protocol tcp
set firewall family ethernet-switching filter F2 term T1 from tcp-flags "syn&ack"
set firewall family ethernet-switching filter F2 term T1 then count ack-count
set firewall family ethernet-switching filter F2 term T2 then accept
set interfaces ge-0/0/22 unit 0 family ethernet-switching filter output F2

We can then run a ping from the PC to the server and verify whether or not traffic is traversing the ports we are monitoring.

show firewall:

Filter: F1                                                  
Counters:
Name                                                Bytes              Packets
ack-count                                            2310                   33

Filter: egress                                              
Counters:
Name                                                Bytes              Packets
ack-count                                            2310                   33
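The counters above only increment for packets that satisfy the term's tcp-flags expression. As an added example that is not part of the original post, here is a small Python evaluator for Junos tcp-flags expressions (flag names, `!`, `&`, `|` and parentheses) and a replay of filter F1 term T1 over constructed sample packets; the packets are made up for the example, not a capture.

```python
import re

# TCP flag names a Junos tcp-flags match accepts, with their bit values in the TCP header
# flags octet (RFC 793).
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urgent": 0x20}
_TOKENS = re.compile(r"\(|\)|&|\||!|[a-z]+|\S")  # the final \S catches anything illegal


def tcp_flags_match(expr: str, flags: int) -> bool:
    """Evaluate e.g. '(syn|fin)&!ack' against a TCP flags octet; '|' binds loosest, then '&', then '!'."""
    toks = _TOKENS.findall(expr.strip().strip('"').lower()) + [None]  # None marks the end
    pos = 0
    def take():
        nonlocal pos
        if toks[pos] is None:
            raise ValueError("incomplete tcp-flags expression")
        pos += 1
        return toks[pos - 1]
    def factor():
        tok = take()
        if tok == "!":
            return not factor()
        if tok == "(":
            value = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        if tok in FLAG_BITS:
            return bool(flags & FLAG_BITS[tok])
        raise ValueError(f"unexpected token {tok!r}")
    def and_expr():
        value = factor()
        while toks[pos] == "&":
            take()
            value = factor() and value  # evaluate the operand first, then combine
        return value
    def or_expr():
        value = and_expr()
        while toks[pos] == "|":
            take()
            value = and_expr() or value
        return value
    result = or_expr()
    if toks[pos] is not None:
        raise ValueError(f"trailing input {toks[pos]!r}")
    return result


# Constructed sample (not a capture): a handshake between the post's server (1.1.1.1) and
# PC (2.2.2.2), one data segment and an ICMP echo, as (src, dst, proto, tcp_flags) tuples.
SAMPLE_PACKETS = [("2.2.2.2", "1.1.1.1", "tcp", 0x02),   # SYN from PC
                  ("1.1.1.1", "2.2.2.2", "tcp", 0x12),   # SYN+ACK from server
                  ("1.1.1.1", "2.2.2.2", "tcp", 0x18),   # PSH+ACK data from server
                  ("2.2.2.2", "1.1.1.1", "icmp", 0x00)]  # ICMP echo: no TCP flags at all


def ack_count(packets) -> int:
    """Replay filter F1 term T1: count TCP packets from 1.1.1.1 to 2.2.2.2 with both SYN
    and ACK set; everything else falls through to term T2 and is accepted uncounted."""
    return sum(1 for src, dst, proto, fl in packets
               if src == "1.1.1.1" and dst == "2.2.2.2" and proto == "tcp"
               and tcp_flags_match("syn&ack", fl))
```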

Enjoy!

Sunday, May 20, 2012

Juniper Networks SRX Sample Configuration

Below is a sample remote site configuration of a Juniper SRX100 firewall along with explanations. I used this template configuration to deploy multiple firewalls in a multi-site, retail-type deployment. You will see 4 separate subnets/VLANs for voip, data, corporate wireless, and guest wireless. In this particular example, the VoIP deployment was ShoreTel, and the wireless technology used was that of Aruba Networks. You will also see a route-based VPN configuration bound to the untrust interface, allowing for communication between the HQ and remote site.

Note: You can view the configuration in the format below any time by issuing the command, "show | display set". I changed a bit of how it is displayed in order to better show what each line means.


To set the host name:
set system host-name

To set the root password:
set system root-authentication plain-text-password

To set the name server:
set system name-server

To set additional user names and passwords:
set system login user example uid 2000
set system login user example class super-user
set system login user example authentication plain-text-password 

To allow different global services:
set system services ftp
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.5 

(vlan.5 allows web management from that logical interface only. You will see below that vlan.5 is also known as the data vlan)

To set other system policies:
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

(The settings above are actually there by default, but can be changed as needed.)

To configure interfaces:
set interfaces fe-0/0/0 description "WAN"
set interfaces fe-0/0/0 unit 0 family inet dhcp

(In this example, I am using interface fe-0/0/0 as the WAN interface.)

set interfaces fe-0/0/1 description "VOIP/DATA"
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1 unit 0 family ethernet-switching native-vlan-id 5

(Interface fe-0/0/1 is a trunk port for both the VOIP and DATA VLANs.)

set interfaces fe-0/0/2 disable
set interfaces fe-0/0/3 disable
set interfaces fe-0/0/4 disable
set interfaces fe-0/0/5 disable
set interfaces fe-0/0/6 disable

(The interfaces above are disabled since they are not in use in this example.)

set interfaces fe-0/0/7 description "CORP WIRELESS/GUEST WIRELESS"
set interfaces fe-0/0/7 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/7 unit 0 family ethernet-switching native-vlan-id 6

(Interface fe-0/0/7 is a trunk port for both the CORP WIRELESS and GUEST WIRELESS VLANs.)

To configure an interface for route-based VPN:
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.254 ipsec-vpn routebasedvpn
set interfaces st0 unit 0 family inet address 10.10.10.5/24

(The 10.10.10.254 IP is the address of the HQ st0 interface. The 10.10.10.5 IP is the address of the local st0 interface.)

To configure a gateway/subnet for each VLAN:
set interfaces vlan unit 4 family inet address 192.168.4.1/24
set interfaces vlan unit 5 family inet address 192.168.5.1/24
set interfaces vlan unit 6 family inet address 192.168.6.1/24
set interfaces vlan unit 7 family inet address 192.168.7.1/24

To configure DHCP options:
set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp description "DHCP SERVER"
set forwarding-options helpers bootp server 10.10.100.10
set forwarding-options helpers bootp vpn
set forwarding-options helpers bootp interface vlan.4
set forwarding-options helpers bootp interface vlan.5
set forwarding-options helpers bootp interface vlan.6
set forwarding-options helpers bootp interface vlan.7

(In the example above, the SRX is doing a relay from a centralized DHCP server at HQ.)

To configure routing options:
set routing-options static route 192.168.4.0/24 next-hop st0.0

(In the example above, the subnet for the VoIP VLAN is being routed over the VPN tunnel interface.)

To set protocols:
set protocols igmp interface vlan.4
set protocols lldp interface all
set protocols lldp-med interface all

To configure IPSEC VPN:
set security ike proposal phase1-prop authentication-method pre-shared-keys
set security ike proposal phase1-prop dh-group group2
set security ike proposal phase1-prop authentication-algorithm sha1
set security ike proposal phase1-prop encryption-algorithm 3des-cbc
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposal-set standard
set security ike policy ike-policy1 pre-shared-key ascii-text test1234
set security ike gateway ike-gateway1 ike-policy ike-policy1
set security ike gateway ike-gateway1 address 1.1.1.1
set security ike gateway ike-gateway1 external-interface fe-0/0/0.0
set security ipsec proposal phase2-prop protocol esp
set security ipsec proposal phase2-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal phase2-prop encryption-algorithm 3des-cbc
set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy1 proposal-set standard
set security ipsec vpn routebasedvpn bind-interface st0.0
set security ipsec vpn routebasedvpn ike gateway ike-gateway1
set security ipsec vpn routebasedvpn ike ipsec-policy ipsec-policy1
set security ipsec vpn routebasedvpn establish-tunnels immediately

To configure NAT:
set security nat source rule-set voip-to-untrust from zone voip
set security nat source rule-set voip-to-untrust to zone untrust
set security nat source rule-set voip-to-untrust rule source-nat-rule1 match source-address 192.168.4.0/24
set security nat source rule-set voip-to-untrust rule source-nat-rule1 then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule2 match source-address 192.168.5.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule2 then source-nat interface
set security nat source rule-set corp_wireless-to-untrust from zone corp_wireless
set security nat source rule-set corp_wireless-to-untrust to zone untrust
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 match source-address 192.168.6.0/24
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 then source-nat interface
set security nat source rule-set guest_wireless-to-untrust from zone guest_wireless
set security nat source rule-set guest_wireless-to-untrust to zone untrust
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule4 match source-address 192.168.7.0/24
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule4 then source-nat interface

To configure screen options:
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

To configure zones:
set security zones security-zone voip host-inbound-traffic system-services all
set security zones security-zone voip host-inbound-traffic protocols all
set security zones security-zone voip interfaces vlan.4
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.5
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic protocols router-discovery
set security zones security-zone corp_wireless host-inbound-traffic system-services all
set security zones security-zone corp_wireless host-inbound-traffic protocols all
set security zones security-zone corp_wireless interfaces vlan.6
set security zones security-zone vpn address-book address hq_network 10.10.0.0/16
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols all
set security zones security-zone guest_wireless host-inbound-traffic system-services all
set security zones security-zone guest_wireless host-inbound-traffic protocols all
set security zones security-zone guest_wireless interfaces vlan.7

To configure policies from zone to zone:
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match source-address any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match destination-address any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match application any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust then permit
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match source-address any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match destination-address any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match application any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn then permit
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match source-address any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match destination-address any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match application any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless then permit
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match source-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match destination-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match application any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust then permit
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match source-address any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match destination-address any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match application any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless then permit
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match source-address any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match destination-address any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match application any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless then permit
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match source-address any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match destination-address any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match application any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless then permit
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match source-address any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match destination-address any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match application any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust then permit
set security flow tcp-mss ipsec-vpn mss 1350

To configure VLANs:
set vlans VOIP description "VOIP"
set vlans VOIP vlan-id 4
set vlans VOIP interface fe-0/0/1.0
set vlans VOIP l3-interface vlan.4
set vlans DATA description "DATA"
set vlans DATA vlan-id 5
set vlans DATA l3-interface vlan.5     
set vlans CORP_WIRELESS description "CORP_WIRELESS"
set vlans CORP_WIRELESS vlan-id 6
set vlans CORP_WIRELESS l3-interface vlan.6
set vlans GUEST_WIRELESS description "GUEST_WIRELESS"
set vlans GUEST_WIRELESS vlan-id 7
set vlans GUEST_WIRELESS interface fe-0/0/7.0
set vlans GUEST_WIRELESS l3-interface vlan.7


(You will notice that interface fe-0/0/1.0 is bound to the VOIP VLAN. However, if you look at the "set interfaces" section again, you will see that interface fe-0/0/1 has a native VLAN ID of 5. This means that both VLANs can exist on this interface, but by default devices will receive an IP in VLAN 5 unless otherwise specified. In this example, a custom DHCP option was created for the VoIP VLAN, assigning a VLAN ID of 4.)
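As an added example that is not part of the original post, here is a small Python check over configuration in the "show | display set" format used above: it cross-references each VLAN's l3-interface against the `interfaces vlan unit` addresses and the security zone assignments, and flags any zone-to-zone policy that permits any source, destination and application, the pattern used throughout this sample. The configuration excerpt embedded in it is constructed for the example, not the full post configuration.

```python
import re
from collections import defaultdict

# Patterns for the "show | display set" lines this check cares about.
L3_RE = re.compile(r"^set vlans \S+ l3-interface (vlan\.\d+)$")
ADDR_RE = re.compile(r"^set interfaces vlan unit (\d+) family inet address \S+$")
ZONE_RE = re.compile(r"^set security zones security-zone \S+ interfaces (vlan\.\d+)")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"(match \S+|then) (\S+)$")

def lint_srx_config(config: str) -> list:
    """Flag VLAN L3 interfaces with no address or zone, and any/any/any permit policies."""
    l3_ifls, addressed, zoned, policies = [], set(), set(), defaultdict(dict)
    for line in config.strip().splitlines():
        line = line.strip()
        if m := L3_RE.match(line):
            l3_ifls.append(m.group(1))
        elif m := ADDR_RE.match(line):
            addressed.add(f"vlan.{m.group(1)}")
        elif m := ZONE_RE.match(line):
            zoned.add(m.group(1))
        elif m := POLICY_RE.match(line):
            from_zone, to_zone, name, key, value = m.groups()
            policies[(from_zone, to_zone, name)][key] = value  # e.g. "match application" -> "any"
    findings = []
    for ifl in l3_ifls:
        if ifl not in addressed:
            findings.append(f"{ifl}: l3-interface has no family inet address")
        if ifl not in zoned:
            findings.append(f"{ifl}: l3-interface is not in any security zone")
    for (from_zone, to_zone, name), attrs in policies.items():
        wide_open = all(attrs.get(f"match {k}") == "any"
                        for k in ("source-address", "destination-address", "application"))
        if attrs.get("then") == "permit" and wide_open:
            findings.append(f"policy {name} ({from_zone} -> {to_zone}): "
                            "permits any source, destination and application")
    return findings

# Constructed excerpt in the post's format (not the post's full configuration): vlan.7 gets
# an L3 interface but no address and no zone, and the trust-to-untrust policy is wide open.
SAMPLE_CONFIG = """
set interfaces vlan unit 4 family inet address 192.168.4.1/24
set interfaces vlan unit 5 family inet address 192.168.5.1/24
set security zones security-zone voip interfaces vlan.4
set security zones security-zone trust interfaces vlan.5
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address hq_network
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set vlans VOIP l3-interface vlan.4
set vlans DATA l3-interface vlan.5
set vlans GUEST_WIRELESS l3-interface vlan.7
"""
```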