Whoa – the J-Net Forum

Yesterday at 1AM I had the shock of my life – my Account from J-Net (forums.juniper.net) stopped working.
I was welcomed with the Message “Please pick a Username” – when I picked my Username (CHS-929) the System told me “already taken”.
Seems that according to this Forums Post(http://forums.juniper.net/t5/Community-Feedback-and-Direction/Why-i-m-cannot-login-using-my-old-username/td-p/304260) everyone had the Problem – I guess the System somehow had a Problem with the assignment from the Juniper Account to the Forum Account in Single-Sign-On – Cisco? Was that you? 😛 😉

What a relief – I thought I got hacked… Anyways – I will change my Password just to make sure 😉

 

EX3300 Q-in-Q implementation

Today one of my Customers asked me to implement Q-in-Q on 2 EX3300-Switches.
Since more and more people asked me on the Forum how I did that, I decided to make this an Article.
Most of the J-Docs only mention parts of this config – so here you have a fully working Q-in-Q config for non-ELS.
If you are interested, I can share Q-in-Q also for ELS.

The Setup is as follows:
2 EX3300 (Q-in-Q Switches)
1 EX3300 (Transfer-Switch)
1 EX3300 and 1 EX2200 (Client-Switches)

Topology diagram (image not included in this text version).

So at first I configured Q-in-Q on the two Q-in-Q switches (of course, if this is productive you need to install a license):

set system host-name EX3300-1
set chassis alarm management-ethernet link-down ignore
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vl-3001
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members all
set protocols lldp interface all
set ethernet-switching-options dot1q-tunneling ether-type 0x8100
set vlans vl-10 vlan-id 10
set vlans vl-11 vlan-id 11
set vlans vl-12 vlan-id 12
set vlans vl-20 vlan-id 20
set vlans vl-22 vlan-id 22
set vlans vl-3001 vlan-id 3001
set vlans vl-3001 dot1q-tunneling customer-vlans 10-12
set vlans vl-3001 dot1q-tunneling customer-vlans 20
set vlans vl-3001 dot1q-tunneling customer-vlans 22
set vlans vl-3001 dot1q-tunneling customer-vlans native

set system host-name EX3300-3
set chassis alarm management-ethernet link-down ignore
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vl-3001
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members all
set protocols lldp interface all
set ethernet-switching-options dot1q-tunneling ether-type 0x8100
set vlans vl-10 vlan-id 10
set vlans vl-11 vlan-id 11
set vlans vl-12 vlan-id 12
set vlans vl-20 vlan-id 20
set vlans vl-22 vlan-id 22
set vlans vl-3001 vlan-id 3001
set vlans vl-3001 dot1q-tunneling customer-vlans 10-12
set vlans vl-3001 dot1q-tunneling customer-vlans 20
set vlans vl-3001 dot1q-tunneling customer-vlans 22
set vlans vl-3001 dot1q-tunneling customer-vlans native

In the next step I configured the Transit-Switch. This switch must not be aware of any Q-in-Q or customer VLANs at all:

set system host-name EX3300-2
set chassis alarm management-ethernet link-down ignore
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members vl-3001
set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/1/1 unit 0 family ethernet-switching vlan members vl-3001
set protocols lldp interface all
set vlans vl-3001 vlan-id 3001

After the setup was completed, I tested it by adding 2 switches as “Client-Devices” pinging each other in VLAN 10:

set system host-name Client-01
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vl-10
set interfaces vlan unit 10 family inet address 10.10.10.1/24
set vlans vl-10 vlan-id 10
set vlans vl-10 l3-interface vlan.10

set system host-name Client-02
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vl-10
set interfaces vlan unit 10 family inet address 10.10.10.2/24
set vlans vl-10 vlan-id 10
set vlans vl-10 l3-interface vlan.10

Hopefully this will help some of you in configuring Q-in-Q on EX3300 (non-ELS). If you have any questions or remarks, feel free to comment on this article. All switches I used were running JunOS 12.3R12.4.
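To make visible what the transit switch does and does not see, here is an added Python model (not part of the post, and not Junos code) of the Q-in-Q access port: it parses the customer-vlans statements above, pushes the outer tag with the configured ether-type 0x8100 onto a constructed customer frame, and peels the tag stack the way the transit switch would. The dropping of a customer VLAN that is not listed is an assumption of the model.

```python
import struct

# Constructed sample: the Q-in-Q statements from the EX3300-1 config in this post.
QINQ_CONFIG = """
set ethernet-switching-options dot1q-tunneling ether-type 0x8100
set vlans vl-3001 vlan-id 3001
set vlans vl-3001 dot1q-tunneling customer-vlans 10-12
set vlans vl-3001 dot1q-tunneling customer-vlans 20
set vlans vl-3001 dot1q-tunneling customer-vlans 22
set vlans vl-3001 dot1q-tunneling customer-vlans native
"""

def parse_qinq(config):
    """Return (outer TPID, {svlan_name: [svlan_id, allowed_cvlans, native_allowed]})."""
    tpid, svlans = 0x8100, {}
    for line in config.splitlines():
        p = line.split()
        if p[:4] == ["set", "ethernet-switching-options", "dot1q-tunneling", "ether-type"]:
            tpid = int(p[4], 16)
        elif p[:2] == ["set", "vlans"]:
            entry = svlans.setdefault(p[2], [None, set(), False])
            if p[3] == "vlan-id":
                entry[0] = int(p[4])
            elif p[3:5] == ["dot1q-tunneling", "customer-vlans"]:
                if p[5] == "native":
                    entry[2] = True
                elif "-" in p[5]:                       # a range such as 10-12
                    lo, hi = map(int, p[5].split("-"))
                    entry[1].update(range(lo, hi + 1))
                else:
                    entry[1].add(int(p[5]))
    return tpid, svlans

def tag_stack(frame):
    """List the 802.1Q tags of a frame, outermost first, as (tpid, vlan-id) tuples."""
    tags, off = [], 12                                  # tags start after dst/src MAC
    while struct.unpack("!H", frame[off:off + 2])[0] in (0x8100, 0x88A8):
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags

def make_frame(cvlan=None, payload=b"\x45" + b"\x00" * 19):
    """Constructed customer frame: dst/src MAC, optional C-tag, IPv4 ethertype, payload."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    ctag = struct.pack("!HH", 0x8100, cvlan) if cvlan is not None else b""
    return macs + ctag + struct.pack("!H", 0x0800) + payload

def tunnel_ingress(config, svlan_name, customer_frame):
    """Model the Q-in-Q access port (ge-0/0/0): push the S-tag for an allowed C-VLAN;
    a C-VLAN that is not listed is returned as None (modelled here as a drop)."""
    tpid, svlans = parse_qinq(config)
    svlan_id, allowed, native_ok = svlans[svlan_name]
    ctags = tag_stack(customer_frame)
    cvlan = ctags[0][1] if ctags else None              # None = untagged customer frame
    if cvlan is None and not native_ok:
        return None
    if cvlan is not None and cvlan not in allowed:
        return None
    return customer_frame[:12] + struct.pack("!HH", tpid, svlan_id) + customer_frame[12:]
```

The transit switch (EX3300-2) only ever inspects the outermost tag, which is why it needs nothing but VLAN 3001 on its trunks.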

 

UPDATE:
This article is now also officially listed in Juniper's TechWiki (http://forums.juniper.net/t5/Switching/How-To-Configuring-Q-in-Q-Between-Two-EX3300-Devices/tac-p/304182#M32) 🙂

JND-SEC


This week is about Designing Security Solutions the Juniper-Way: JND-SEC in Cologne.
So far the course is really “dry” and “theoretical” – I will post an Update of our Topologies as soon as we designed some so stay tuned 😉

EX2200-C Recommended JunOS (15.1R5) broken – Temperature-Sensor-Crisis…

Just updated 30 switches (EX2200-C) to the new recommended OS (15.1R5). Every switch – and I mean EVERY one – shows “broken” temperature sensors after the new version comes up.

christianscholz@OEK-EX2200C-01> show chassis environment  
Class Item                           Status     Measurement
Power FPC 0 Power Supply 0           OK        
Temp  FPC 0 GEPHY1                   Failed    
      FPC 0 GEPHY2                   Failed

A downgrade to 15.1R4 solved this – however what the f happened there?
Juniper moved the recommended release from the 12-tree to the 15-tree and hasn't noticed this bug so far…

Will investigate more into this.

 

EDIT 04.06.2017: Juniper released 15.1R6.7 for the EX2200-C – this somehow “fixed” the issue (it set my temperature sensor to 0 degrees, making my alarm go away).

vQFX 10k Testlab on ESX 6.0 / 6.5

Currently the vQFX is not officially supported on ESX at all, let alone on ESX 6.0 / 6.5.
My goal is always to have the latest versions in place – so all the tutorials for ESX 5.5 are of no use to me.

Here are the steps to make the vQFX run on ESX 6.0 / 6.5:

1.) Download the vmdk images from Juniper (RE + PFE)

2.) Upload both files into your datastore

3.) Convert the vmdk images:
vmkfstools -i vqfx10k-re-15.1X53-D60.vmdk vqfx10kRE.vmdk -d thin
vmkfstools -i vqfx10k-pfe-20160609-2.vmdk vqfx10kPFE.vmdk -d thin

4.) Create a new vSwitch for the inter-chassis communication between PFE and RE, with promiscuous mode enabled and an MTU of 9000 (jumbo frames)

5.) Create the necessary VMs:
vQFX-RE:
1 CPU – 2 Cores
5 GB RAM
OS: FreeBSD (64bit)
Adapter: BusLogic – ignore the “not recommended” Warning
Disk: vqfx10kRE.vmdk
Add at least 2 NICs:
1st NIC (E1000) – OOB-Management
2nd NIC (E1000) – inter-chassis-communication between PFE and RE
3rd to 10th NIC (E1000) – Data-Links

vQFX-PFE:
1 CPU – 1 Core
2 GB RAM
OS: FreeBSD (64bit)
Adapter: BusLogic – ignore the “not recommended” Warning
Disk: vqfx10kPFE.vmdk
1st NIC (E1000) – OOB-Management
2nd NIC (E1000) – inter-chassis-communication between PFE and RE

6.) Run both VMs

vQFX RE:
login : root
pwd : Juniper

Go to “cli” and configure em0 for OOB-Management.

 

7.) Enjoy – Repeat steps 1-5 for as many Switches as you want 🙂

 

Edit on 16.02.2017:

I want to thank Alexander Marhold for providing a script that sets the correct MAC addresses on the corresponding interfaces.
http://forums.juniper.net/t5/Ethernet-Switching/vQFX10k-15-1X53-D60-on-ESXi-Installation-and-Running-with-up-to/td-p/303493

I have written a procedure for the vMX and adapted it for the vQFX which does this automatically on each commit

 

The script sets the correct MAC address on any configured XE interface (taken from the corresponding em(+3) interface).

  • The MAC address is visible under "Current address" in show interfaces.
  • If there is already a MAC address set in the configuration, that one will be overwritten with the correct one.
  • If the interface belongs to an ae bundle, no MAC address is set, as the MAC address is set by the ae.
  • If the config contains an interface without a corresponding em interface, it signals an error on commit.
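The four rules above, re-implemented as an added Python model so they can be checked offline (this is not Alexander Marhold's SLAX script and does not run on the box). The em MAC addresses and the candidate configuration are constructed; on a real vQFX the MACs would come from "show interfaces".

```python
import re

# Constructed sample: MAC addresses of the vQFX em interfaces (as "show interfaces" would
# list them under "Current address") and a candidate configuration. Values are made up.
EM_MACS = {
    "em0": "02:05:86:71:a0:00", "em1": "02:05:86:71:a0:01", "em2": "02:05:86:71:a0:02",
    "em3": "02:05:86:71:a0:03", "em4": "02:05:86:71:a0:04", "em5": "02:05:86:71:a0:05",
}
CONFIG = """
set interfaces xe-0/0/0 unit 0 family ethernet-switching
set interfaces xe-0/0/1 mac 00:00:5e:00:53:01
set interfaces xe-0/0/1 unit 0 family ethernet-switching
set interfaces xe-0/0/2 ether-options 802.3ad ae0
set interfaces xe-0/0/7 unit 0 family ethernet-switching
set interfaces ae0 unit 0 family ethernet-switching
"""

def em_for_xe(ifname):
    """xe-0/0/N is backed by em(N+3): em0 is management, em1 the RE/PFE link."""
    m = re.fullmatch(r"xe-0/0/(\d+)", ifname)
    return f"em{int(m.group(1)) + 3}" if m else None

def plan_mac_statements(config, em_macs):
    """Return (set statements to apply, errors that should fail the commit)."""
    configured, in_ae = [], set()
    for line in config.splitlines():
        p = line.split()
        if p[:2] != ["set", "interfaces"] or not p[2].startswith("xe-"):
            continue
        if p[2] not in configured:
            configured.append(p[2])
        if p[3:5] == ["ether-options", "802.3ad"]:
            in_ae.add(p[2])                  # MAC comes from the ae bundle
    statements, errors = [], []
    for ifname in configured:
        if ifname in in_ae:
            continue
        em = em_for_xe(ifname)
        if em not in em_macs:
            errors.append(f"{ifname}: no corresponding {em} interface on this VM")
            continue
        # an existing 'mac' statement (xe-0/0/1 above) is simply replaced by the em address
        statements.append(f"set interfaces {ifname} mac {em_macs[em]}")
    return statements, errors
```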

 

Installation on RE

 

> file copy  <location>/set-em-mac-to-xe-ae-vQFX.slax /var/db/scripts/commit/

 

>edit

# set system scripts commit allow-transients

# set system scripts commit file set-em-mac-to-xe-ae-vQFX.slax

#  commit

 

Hope that helps to install vQFX10k on ESXi. I assume that the MAC setting is also needed on VMware Workstation, but I have not tested it.

 

Another hint: there are a bunch of et, xe… interfaces with DHCP in the factory-default startup config; clear them all before starting with your configuration.

And yes, independent of your ESXi physical interfaces, the interfaces are 10-Gig XE interfaces.

Download: set-em-mac-to-xe-ae-vQFX.zip

IPsec Site-to-Site Tunnel between SRX100 and PfSense (Policy-Based VPN)


Today (with the help of my friend and skillful netadmin Malte) we finally figured out how to bring up an IPsec Site-to-Site Policy-based VPN with multiple phase2-entries behind the PfSense and a single subnet behind the SRX100.

For this to work with a policy-based VPN (since PfSense can't do route-based VPN) you need to create a policy for each combination of the subnets, so that Junos can generate the correct proxy-IDs. If you miss one, you end up with an error like:

Last Tunnel Down Reason: More than two SA pairs

 

Here’s the config from the J-Point of view:

set security ike proposal ike-proposal-colocation authentication-method pre-shared-keys
set security ike proposal ike-proposal-colocation dh-group group2
set security ike proposal ike-proposal-colocation authentication-algorithm sha-256
set security ike proposal ike-proposal-colocation encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal-colocation lifetime-seconds 28800

set security ike policy ike-policy-colocation mode aggressive
set security ike policy ike-policy-colocation proposals ike-proposal-colocation
set security ike policy ike-policy-colocation pre-shared-key ascii-text <SECRET>

set security ike gateway ike-gate-colocation ike-policy ike-policy-colocation
set security ike gateway ike-gate-colocation dynamic hostname <HOSTNAME colocation>
set security ike gateway ike-gate-colocation local-identity hostname <LOCAL HOSTNAME>
set security ike gateway ike-gate-colocation external-interface fe-0/0/0

set security ipsec proposal ipsec-proposal-colocation protocol esp
set security ipsec proposal ipsec-proposal-colocation authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal-colocation encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-proposal-colocation lifetime-seconds 3600

set security ipsec policy ipsec-policy-colocation proposals ipsec-proposal-colocation

set security ipsec vpn ipsec-vpn-colocation ike gateway ike-gate-colocation
set security ipsec vpn ipsec-vpn-colocation ike ipsec-policy ipsec-policy-colocation
set security ipsec vpn ipsec-vpn-colocation establish-tunnels immediately

set security address-book global address NW_loc2_1-1-1 1.1.1.0/24
set security address-book global address NW_loc2_1-1-2 1.1.2.0/24
set security address-book global address NW_loc2_1-1-254 1.1.254.0/24
set security address-book global address NW_Local_LAN 2.2.2.0/24

set security policies from-zone external to-zone junos-host policy allow-icmp-any match source-address any
set security policies from-zone external to-zone junos-host policy allow-icmp-any match destination-address SRX-WAN
set security policies from-zone external to-zone junos-host policy allow-icmp-any match application junos-ping
set security policies from-zone external to-zone junos-host policy allow-icmp-any match application junos-ike
set security policies from-zone external to-zone junos-host policy allow-icmp-any match application custom-ipsec
set security policies from-zone external to-zone junos-host policy allow-icmp-any then permit

set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 match source-address NW_loc2_1-1-1
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 match destination-address NW_Local_LAN
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 match application any
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 then permit tunnel pair-policy vpnpolicy-internal-colocation-1
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 match source-address NW_loc2_1-1-2
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 match destination-address NW_Local_LAN
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 match application any
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 then permit tunnel pair-policy vpnpolicy-internal-colocation-2
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 match source-address NW_loc2_1-1-254
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 match destination-address NW_Local_LAN
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 match application any
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 then permit tunnel pair-policy vpnpolicy-internal-colocation-3

set security nat source rule-set internal-to-external from zone internal
set security nat source rule-set internal-to-external to zone external
set security nat source rule-set internal-to-external rule no-nat-internal match source-address 2.2.2.0/24
set security nat source rule-set internal-to-external rule no-nat-internal match destination-address 1.1.1.0/24
set security nat source rule-set internal-to-external rule no-nat-internal match destination-address 2.2.21.0/24
set security nat source rule-set internal-to-external rule no-nat-internal then source-nat off
set security nat source rule-set internal-to-external rule nat-internal match source-address 2.2.2.0/24
set security nat source rule-set internal-to-external rule nat-internal match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-external rule nat-internal then source-nat interface

set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 match source-address NW_Local_LAN
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 match destination-address NW_loc2_1-1-1
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 match application any
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 then permit tunnel pair-policy vpnpolicy-colocation-internal-1
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 match source-address NW_Local_LAN
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 match destination-address NW_loc2_1-1-2
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 match application any
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 then permit tunnel pair-policy vpnpolicy-colocation-internal-2
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 match source-address NW_Local_LAN
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 match destination-address NW_loc2_1-1-254
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 match application any
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 then permit tunnel pair-policy vpnpolicy-colocation-internal-3

set applications application custom-ipsec protocol udp
set applications application custom-ipsec destination-port 4500

set security zones security-zone external host-inbound-traffic system-services ike
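Since the whole trick is not missing a subnet combination, here is an added Python helper (not part of the post, and not Junos code) that generates the paired tunnel policies for every local/remote combination and, the other way round, reports which combinations an existing set-style config lacks. Address names and subnets mirror the post; the policy names vpn-out-N / vpn-in-N are the helper's own.

```python
import re

# Constructed inputs mirroring the post: one LAN behind the SRX, three subnets behind pfSense.
LOCAL = {"NW_Local_LAN": "2.2.2.0/24"}
REMOTE = {"NW_loc2_1-1-1": "1.1.1.0/24", "NW_loc2_1-1-2": "1.1.2.0/24",
          "NW_loc2_1-1-254": "1.1.254.0/24"}
VPN = "ipsec-vpn-colocation"

def tunnel_policies(local, remote, vpn, lzone="internal", rzone="external"):
    """Emit a paired tunnel policy for every (local, remote) subnet combination, so the SRX
    has one proxy-ID per combination."""
    lines, n = [], 0
    for lname in local:
        for rname in remote:
            n += 1
            out_p, in_p = f"vpn-out-{n}", f"vpn-in-{n}"
            for fz, tz, name, src, dst, pair in ((lzone, rzone, out_p, lname, rname, in_p),
                                                  (rzone, lzone, in_p, rname, lname, out_p)):
                base = f"set security policies from-zone {fz} to-zone {tz} policy {name}"
                lines += [f"{base} match source-address {src}",
                          f"{base} match destination-address {dst}",
                          f"{base} match application any",
                          f"{base} then permit tunnel ipsec-vpn {vpn}",
                          f"{base} then permit tunnel pair-policy {pair}"]
    return lines

POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")

def missing_tunnel_policies(config, local, remote, vpn):
    """Check an existing config: list the (direction, src, dst) combinations that have no
    tunnel policy for this VPN, i.e. combinations the SRX has no proxy-ID for."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        fz, tz, name, stmt = m.groups()
        p = policies.setdefault((fz, tz, name), {})
        s = stmt.split()
        if s[:2] == ["match", "source-address"]:
            p["src"] = s[2]
        elif s[:2] == ["match", "destination-address"]:
            p["dst"] = s[2]
        elif s[:4] == ["then", "permit", "tunnel", "ipsec-vpn"]:
            p["vpn"] = s[4]
    covered = {(p["src"], p["dst"]) for p in policies.values()
               if p.get("vpn") == vpn and "src" in p and "dst" in p}
    missing = []
    for l in local:
        for r in remote:
            if (l, r) not in covered:
                missing.append(("outbound", l, r))
            if (r, l) not in covered:
                missing.append(("inbound", r, l))
    return missing
```

Run missing_tunnel_policies over your own "show configuration | display set" output to find the combination behind a "More than two SA pairs" message before touching the peer.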

Took us some time to figure out why we still had some problems but in the end we found the culprit:

security ipsec policy ipsec-policy-colocation perfect-forward-secrecy keys group5

Seems to me, that PfSense and Juniper don’t play very nice when PFS is enabled.
After deleting the PFS-Group all 3 subnets went up and traffic was able to flow.

Hopefully this short article can save you some pain in the ass 😉

New Site – New Rules – New Cloud

As you may have noticed, this Website has just been migrated to Canada – wait – what????

I finally took the last Step to go “full Cloud” – so all my V-Servers are now Cloud based at OVH.

Therefore, this Site now is located in Canada – this might affect latency – however most of my followers will be happy, since they live in the US 😉

If you have any questions on how I managed to get all my 33 VMs into the cloud in one night without disruption, feel free to contact me.

 

In the next few Months my Posts will heavily increase, as my JNCIE-SEC Training has started – stay tuned 😉

SRX Security Policy at Group-Level – Careful what you wish for…

Just struggled with this one and thought that this might be helpful.

To log every denied packet on my SRX-100s (living room and home office) I use groups, so I don't accidentally forget to set “log session-init” at the bottom of each zone pair.
But today I wondered why traffic passing from Zone1 to Zone2 didn't show up in the logs – there was no configuration at all for these zones, and here's the tricky part, which you only find when searching the Juniper docs extremely carefully:

set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then log session-init
set apply-groups default-deny-group

This only works for zone pairs that already have at least one rule defined under the [security policies] hierarchy – where there is none, the group rule is not expanded for that pair, the built-in default deny applies silently, and the traffic never shows up in the logs.

If the above group is applied to the [security policies] hierarchy, it will not automatically populate the required policies; but will populate policies only for the zones that have security policies already configured. (http://kb.juniper.net/InfoCenter/index?page=content&id=KB25700&actp=search)

Today I’ve learned something new and this shows that you can never learn enough 😉
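To see the gotcha without a lab, here is an added Python model (not Junos, and not part of the post) of how a wildcard group is inherited into [security policies]: it only lands on zone pairs that already exist there, and the function silently_denied_pairs lists the pairs that end up with no logging policy at all. The three zones and the allow-web policy are constructed; the group lines are the ones from the post.

```python
import re

# Constructed sample: three zones, an explicit policy for one zone pair only, plus the
# wildcard group from the post applied on top.
CONFIG = """
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone guest interfaces ge-0/0/2.0
set security zones security-zone dmz interfaces ge-0/0/3.0
set security policies from-zone trust to-zone dmz policy allow-web match source-address any
set security policies from-zone trust to-zone dmz policy allow-web match destination-address any
set security policies from-zone trust to-zone dmz policy allow-web match application junos-http
set security policies from-zone trust to-zone dmz policy allow-web then permit
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then log session-init
set apply-groups default-deny-group
"""

POLICY_RE = re.compile(
    r"^set (?:groups (\S+) )?security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")

def parse(config):
    """Split the config into zones, group-defined policies, applied groups and explicit policies."""
    zones, groups, applied, policies = [], {}, [], {}
    for line in config.splitlines():
        p = line.split()
        if p[:4] == ["set", "security", "zones", "security-zone"]:
            if p[4] not in zones:
                zones.append(p[4])
        elif p[:2] == ["set", "apply-groups"]:
            applied.append(p[2])
        elif (m := POLICY_RE.match(line.strip())):
            grp, fz, tz, name, stmt = m.groups()
            target = groups.setdefault(grp, {}) if grp else policies
            target.setdefault((fz, tz), {}).setdefault(name, []).append(stmt)
    return zones, groups, applied, policies

def expand_groups(config):
    """Inherit wildcard group policies the way the KB describes: only into zone pairs that
    already exist under [security policies]; an explicit policy of the same name wins."""
    _, groups, applied, policies = parse(config)
    for grp in applied:
        for (gfz, gtz), gpols in groups.get(grp, {}).items():
            for (fz, tz), pols in policies.items():
                if gfz in ("<*>", fz) and gtz in ("<*>", tz):
                    for name, stmts in gpols.items():
                        pols.setdefault(name, list(stmts))
    return policies

def silently_denied_pairs(config):
    """Zone pairs between configured zones that end up with no policy at all: traffic there
    hits the built-in default deny and is never logged by the group policy."""
    zones = parse(config)[0]
    expanded = expand_groups(config)
    return [(a, b) for a in zones for b in zones if a != b and (a, b) not in expanded]
```

Any pair returned by silently_denied_pairs needs an explicit policy (even a plain deny) so that the group's logging rule actually gets created for it.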