EVE-NG and the vQFX


Just wanted to give you a short update regarding my attempt to run the vQFX on the latest eve-ng.

Here is how I managed to run it:

1.) Connect to your eve-ng server via ssh and create 2 folders according to the eve-ng naming scheme (important, or your vQFX will not be recognized!)

mkdir /opt/unetlab/addons/qemu/vqfxre-15d1X53
mkdir /opt/unetlab/addons/qemu/vqfxpfe-20160609-2

2.) Copy your vmdk images to the eve-ng server via scp or sftp (I used /tmp as the directory)

3.) Convert your hard disks:

/opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 vqfx10k-pfe-20160609-2.vmdk /opt/unetlab/addons/qemu/vqfxpfe-20160609-2/hda.qcow2
/opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 vqfx10k-re-15.1X53-D60.vmdk /opt/unetlab/addons/qemu/vqfxre-15d1X53/hda.qcow2

4.) Run the script to fix your file permissions:

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

5.) Go to your eve-ng web interface and create 2 nodes inside your lab.
Leave settings like CPU and RAM at the default.

6.) Enjoy your vQFX 10k on eve-ng 🙂

SRX ssh brute-force countermeasures

It’s always a good idea to secure and harden your SRX, especially if it is reachable from the Internet.
Today I labbed a bit to see if this filter actually works.


For this lab we set up the “system login retry-options”:

set system login retry-options tries-before-disconnect 5
set system login retry-options backoff-threshold 3
set system login retry-options backoff-factor 10
set system login retry-options lockout-period 4

Now to the options we have:

tries-before-disconnect: Sets the maximum number of times the user is allowed to enter a password to attempt to log in to the device through SSH or Telnet. When the user reaches the maximum number of failed login attempts, the user is locked out of the device.

backoff-threshold: Sets the threshold for the number of failed login attempts on the device before the user experiences a delay when attempting to reenter a password.

backoff-factor: Sets the length of delay in seconds after each failed login attempt. When a user incorrectly logs in to the device, the user must wait the configured amount of time before attempting to log in to the device again.

lockout-period: Sets the amount of time in minutes before the user can attempt to log in to the device after being locked out due to the number of failed login attempts specified in the tries-before-disconnect statement.

You can read the full explanations here:
https://www.juniper.net/documentation/en_US/junos/topics/example/system-retry-options-configuring.html
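To see what these four values actually buy you, here is an added model (my example, not code from the post or from Juniper) that works out the delays and lockout for the configuration above; the way the delay grows after the threshold is an assumption taken from the Juniper docs rather than from this page:

```python
"""Model of the 'system login retry-options' values from the lab above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RetryOptions:
    tries_before_disconnect: int = 5   # failed attempts before the session is dropped
    backoff_threshold: int = 3         # failures before a delay is imposed
    backoff_factor: int = 10           # seconds of delay added per further failure
    lockout_period: int = 4            # minutes locked out after the disconnect


def delay_after_failure(n: int, opts: RetryOptions) -> int:
    """Seconds the client waits after its n-th failed attempt (1-based).

    Assumption (modelled on the Juniper documentation, not stated on this
    page): no delay before the threshold is reached, then the delay grows
    by backoff_factor with each further failure.
    """
    if n < opts.backoff_threshold:
        return 0
    return opts.backoff_factor * (n - opts.backoff_threshold + 1)


def session_cost(failures: int, opts: RetryOptions = RetryOptions()) -> dict:
    """Time one SSH session burns on `failures` wrong passwords, and whether
    it ends in a disconnect plus lockout."""
    attempts = min(failures, opts.tries_before_disconnect)
    wait = sum(delay_after_failure(n, opts) for n in range(1, attempts + 1))
    disconnected = failures >= opts.tries_before_disconnect
    return {
        "attempts_allowed": attempts,
        "delay_seconds": wait,
        "disconnected": disconnected,
        "lockout_seconds": opts.lockout_period * 60 if disconnected else 0,
    }


def guesses_per_hour(opts: RetryOptions = RetryOptions()) -> float:
    """Upper bound on password guesses per hour for one client that uses up
    every session and waits out every lockout (inf if nothing slows it)."""
    cost = session_cost(opts.tries_before_disconnect, opts)
    cycle = cost["delay_seconds"] + cost["lockout_seconds"]
    if cycle == 0:
        return float("inf")
    return opts.tries_before_disconnect * 3600 / cycle
```

With the lab values a single client gets at most 60 guesses per hour, which is what makes the syslog file below readable instead of a flood.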



After that, to make it easier to see, we create a syslog file for just the failed ssh attempts:

set system syslog file ssh-logs any any
set system syslog file ssh-logs match SSHD_LOGIN_FAILED
set system syslog file ssh-logs archive size 1m
set system syslog file ssh-logs archive files 10
set system syslog file ssh-logs structured-data

What this does is basically tell your SRX to log all failed ssh attempts to a file called ssh-logs.

This way, your SRX is ready to take on almost every script-kiddie brute-force attack and logs every failed attempt.
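Since the file is written in structured-data format, it is easy to summarise. Here is an added parser (my example, not from the post) that pulls the username and source address out of SSHD_LOGIN_FAILED lines and counts failures per source; the sample lines are constructed, and the hostname, enterprise-id suffix and addresses in them are placeholders:

```python
"""Summarise SSHD_LOGIN_FAILED events from the structured-data 'ssh-logs' file."""
import re
from collections import defaultdict

# Junos structured-data line: <pri>1 timestamp host process pid TAG [junos@... k="v" ...] text
LINE_RE = re.compile(
    r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) sshd \S+ (?P<event>\S+) '
    r'\[junos@[\d.]+(?P<attrs>(?: [\w-]+="[^"]*")*)\]'
)
ATTR_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Constructed sample lines (hostname, enterprise-id suffix and addresses are placeholders).
SAMPLE_LOG = """\
<38>1 2017-02-10T11:22:33.100Z srx-lab sshd 5812 SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="root" source-address="203.0.113.7"] Login failed for user 'root' from host '203.0.113.7'
<38>1 2017-02-10T11:22:45.200Z srx-lab sshd 5812 SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="admin" source-address="203.0.113.7"] Login failed for user 'admin' from host '203.0.113.7'
<38>1 2017-02-10T11:23:02.300Z srx-lab sshd 5812 SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="admin" source-address="203.0.113.7"] Login failed for user 'admin' from host '203.0.113.7'
<38>1 2017-02-10T11:30:00.000Z srx-lab sshd 5901 SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="chs" source-address="198.51.100.22"] Login failed for user 'chs' from host '198.51.100.22'
this line is not structured-data and must be ignored
"""


def parse_failed_logins(text: str) -> list:
    """One dict per SSHD_LOGIN_FAILED line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") != "SSHD_LOGIN_FAILED":
            continue
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        events.append({"ts": m.group("ts"), "host": m.group("host"), **attrs})
    return events


def failures_by_source(events: list) -> dict:
    """Per source address: number of failures and the usernames tried."""
    out = defaultdict(lambda: {"count": 0, "users": set()})
    for e in events:
        src = e.get("source-address", "?")
        out[src]["count"] += 1
        out[src]["users"].add(e.get("username", "?"))
    return dict(out)


def sources_over_threshold(events: list, limit: int = 3) -> list:
    """Source addresses with at least `limit` failures, sorted."""
    stats = failures_by_source(events)
    return sorted(src for src, s in stats.items() if s["count"] >= limit)
```

Feed it the contents of /var/log/ssh-logs (e.g. via `file show`) and the sources that keep hammering the box stand out immediately.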

Be sure to check the file from time to time – and remember: change your passwords from time to time and use at least 64 letters and numbers, hash signs, virgin blood and so on –> you get the idea, right? 😉


vSRX on Hyper-V – I still prefer VMware…

Yesterday, with the release of the new vSRX (15.1X49-D80), I thought “why not give Hyper-V a try?”.
I spun up a Windows Server 2012 R2, installed Hyper-V and deployed the new vSRX.
In fact I was surprised – everything (including cluster mode) seems to run decently – of course I know that this vSRX has only limited functionality under Hyper-V and can’t scale up very well.
However, it was nice to see that the vSRX now runs on VMware, KVM and Hyper-V – what else do you want? 😉

The interface mapping can be found here:
Interface Mapping for vSRX in Hyper-V


More RAM for the Lab


What’s better than RAM? Correct – more RAM 😉

My DL360G7 now has a whopping 120GB RAM just for labbing 😛


With this I can lab everything at home and don’t have to rely on non-redundant cloud services like AWS (yes – I had to mention it).
I can see myself in 30 years:

JunOS ZTP with Windows DHCP Server (SLAX-Method)

Recently I have been working on some SLAX scripting for a customer project.
I am really starting to like SLAX, since it can gather a lot of your switch’s data on the device itself.

I am writing a quick how-to for using SLAX to automate your ZTP with the Windows DHCP server.
Most customers use a Linux DHCP server, since you can specify options and “configs” for every IP / device.
With the SLAX method you no longer need to configure your DHCP server once a new device comes up – you just have to provide the config and that’s it – highly dynamic, highly hardened, highly customizable – stay tuned for more info.

Whoa – the J-Net Forum

Yesterday at 1AM I had the shock of my life – my account on J-Net (forums.juniper.net) stopped working.
I was welcomed with the message “Please pick a Username” – when I picked my username (CHS-929) the system told me “already taken”.
It seems that, according to this forum post (http://forums.juniper.net/t5/Community-Feedback-and-Direction/Why-i-m-cannot-login-using-my-old-username/td-p/304260), everyone had the problem – I guess the system somehow had a problem with the mapping from the Juniper account to the forum account in single sign-on – Cisco? Was that you? 😛 😉

What a relief – I thought I got hacked… Anyway – I will change my password just to make sure 😉


EX3300 Q-in-Q implementation

Today one of my customers asked me to implement Q-in-Q on 2 EX3300 switches.
Since more and more people asked me on the forum how I did that, I decided to turn this into an article.
Most of the J-Docs only mention parts of this config – so here you have a fully working Q-in-Q config for non-ELS.
If you are interested, I can share Q-in-Q for ELS as well.

The setup is as follows:
2 EX3300 (Q-in-Q switches)
1 EX3300 (transfer switch)
1 EX3300 and 1 EX2200 (client switches)

Topology:

So first I configured Q-in-Q on both Q-in-Q switches (of course, if this is productive you need to install a license):

set system host-name EX3300-1
set chassis alarm management-ethernet link-down ignore
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vl-3001
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members all
set protocols lldp interface all
set ethernet-switching-options dot1q-tunneling ether-type 0x8100
set vlans vl-10 vlan-id 10
set vlans vl-11 vlan-id 11
set vlans vl-12 vlan-id 12
set vlans vl-20 vlan-id 20
set vlans vl-22 vlan-id 22
set vlans vl-3001 vlan-id 3001
set vlans vl-3001 dot1q-tunneling customer-vlans 10-12
set vlans vl-3001 dot1q-tunneling customer-vlans 20
set vlans vl-3001 dot1q-tunneling customer-vlans 22
set vlans vl-3001 dot1q-tunneling customer-vlans native

set system host-name EX3300-3
set chassis alarm management-ethernet link-down ignore
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vl-3001
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members all
set protocols lldp interface all
set ethernet-switching-options dot1q-tunneling ether-type 0x8100
set vlans vl-10 vlan-id 10
set vlans vl-11 vlan-id 11
set vlans vl-12 vlan-id 12
set vlans vl-20 vlan-id 20
set vlans vl-22 vlan-id 22
set vlans vl-3001 vlan-id 3001
set vlans vl-3001 dot1q-tunneling customer-vlans 10-12
set vlans vl-3001 dot1q-tunneling customer-vlans 20
set vlans vl-3001 dot1q-tunneling customer-vlans 22
set vlans vl-3001 dot1q-tunneling customer-vlans native

In the next step, I configured the transit switch. This switch does not need to be aware of any Q-in-Q or customer VLANs at all:

set system host-name EX3300-2
set chassis alarm management-ethernet link-down ignore
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members vl-3001
set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members vl-3001
set protocols lldp interface all
set vlans vl-3001 vlan-id 3001

After the setup was completed, I tested it by adding 2 switches as “client devices” pinging each other in VLAN 10:

set system host-name Client-01
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vl-10
set interfaces vlan unit 10 family inet address 10.10.10.1/24
set vlans vl-10 vlan-id 10
set vlans vl-10 l3-interface vlan.10

set system host-name Client-02
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vl-10
set interfaces vlan unit 10 family inet address 10.10.10.2/24
set vlans vl-10 vlan-id 10
set vlans vl-10 l3-interface vlan.10
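As an added illustration (my example, not part of the article’s configs or any Junos code), here is a small model of what the config above does to a customer frame: the access port in vl-3001 pushes an outer tag 3001 with ether-type 0x8100 in front of the customer’s own tag, so the transit switch only ever sees VLAN 3001, and the far Q-in-Q switch strips it again. The MACs and payload are constructed, and dropping frames whose C-VLAN is not in the customer-vlans list is my assumption.

```python
"""What the dot1q-tunneling config does to a frame (added model, not Junos code)."""
import struct
from typing import Optional

TPID = 0x8100                      # dot1q-tunneling ether-type 0x8100 (also used for the S-tag)
SVLAN = 3001                       # set vlans vl-3001 vlan-id 3001
CUSTOMER_VLANS = set(range(10, 13)) | {20, 22}   # customer-vlans 10-12, 20, 22


def parse_tags(frame: bytes) -> tuple:
    """([outer_vid, inner_vid, ...], ethertype after the last tag)."""
    vids, off = [], 12             # tags start right after dst+src MAC
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0]


def push_svlan(frame: bytes, native: bool = True) -> bytes:
    """Ingress on the access port in vl-3001: wrap the customer frame in S-tag
    3001 if its C-VLAN is tunnelled, or if it is untagged and 'customer-vlans
    native' is set; anything else is dropped (returns b"")."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] not in CUSTOMER_VLANS:
        return b""
    if not vids and not native:
        return b""
    stag = struct.pack("!HH", TPID, SVLAN)   # PCP=0, DEI=0, VID=3001
    return frame[:12] + stag + frame[12:]


def pop_svlan(frame: bytes) -> bytes:
    """Egress on the far Q-in-Q switch: strip the outer S-tag again."""
    vids, _ = parse_tags(frame)
    if not vids or vids[0] != SVLAN:
        return b""
    return frame[:12] + frame[16:]


def customer_frame(cvid: Optional[int], payload: bytes = b"ping") -> bytes:
    """Constructed frame from a client switch, C-tagged unless cvid is None."""
    macs = bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001")
    ctag = struct.pack("!HH", TPID, cvid) if cvid is not None else b""
    return macs + ctag + struct.pack("!H", 0x0800) + payload
```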

Hopefully this will help some of you in configuring Q-in-Q on EX3300 (non-ELS). If you have any questions or remarks, feel free to comment on this article. All switches I used were running JunOS 12.3R12.4.


UPDATE:
This article is now also officially listed in Juniper’s TechWiki (http://forums.juniper.net/t5/Switching/How-To-Configuring-Q-in-Q-Between-Two-EX3300-Devices/tac-p/304182#M32) 🙂