My first J-Coin from “oversea”

Everytime I drive home, I talk to my Wife over the Phone (yes, EVERY time). This evening she told me, that Mail from Juniper arrived and I was extremely curious, what it could be. And I must say, that I wasn’t disappointed ๐Ÿ˜€

Now I have 2 J-Coins – one from EMEA Summit 2017 and one from the Circle – can’t wait to get tham all – I already purchased a Book for all the coins ๐Ÿ™‚

 

An era has ended and another era starts – taking my Juniper-Career to the next Level

Maybe some of you already heared it – Beginning tomorrow (1st of February 2018) I will no longer be working for Dimension Data.
In the recent years the Juniper-Projects were getting few and so I decided to take my career to the next level by moving to Telonic.
I’m very excited to get the opportunity to work at a “Juniper-Focused” Company and getting the Opportunity to work even closer with Juniper and Juniper-Focused colleagues. The first big step to achieve this is to finally get the JNCIE-SEC, which due to lost time I couldn’t complete when working at DiData. Thank you DiData for all the good years and “see you soon” – the IT-World is a small Village ๐Ÿ™‚

Disable IPv6 Router-Advertisements on Windows Server 2012 / 2016

Lately I did a huge amount of IPv6-Setups and I noticed something in the vCenter: All the Boxes with static IP’s still had 2 IPv6-Adresses (one static and one per RA-Feature).

Since I didn’t want them to use the address that they got from the RA and disabling RA at the Router was not an option I googled a bit and found this:

Tadaa – only my static IP is left ๐Ÿ˜‰
Maybe this does not impact anything – but still it feels wrong to me that a static IPv6 Host gains a second address from the same subnet…

Maybe this will help you on your way to IPv6 – if so please leave a comment

On Linux you would simply put this into your /etc/sysconfig/network (for RHEL/CentOS):

 

 

 

 

NAT64 with vSRX 15.1X49-D120

Yesterday, as part of my JNCIE-SEC Training, I reviewed NAT64 with the following Topology:

 

I pinged from Win to Winserver with Traffic going over Gemini(vSRX 15.1X49-D120), Pisces (vMX 17.3R1-S1.6), Pyxisย (vMX 17.3R1-S1.6) and Virgo (vSRX 15.1X49-D120).

So far everything seems to run fine – sometimes a single ping gets dropped but with 1% loss this is okay for me:

For me the D120 runs stable and so far I did not experience any problems.
Below I pasted the configs in case anyone wants to recreate this Lab:

 

Gemini:

 

Pisces:

 

Pyxis:

 

Virgo:

vSRX D120 is out – and runs fine on EVE

The new vSRX15.1X49-D120 is out and of course I already spinned it up with EVE ๐Ÿ˜‰

What should I say – it runs just fine – just like D100 and D110.
The D120 brings 2 new Features:

+ Support for applying IEEE802.1 rewrite rules to inner and outer VLAN tags [QoS]

+ Packet size configuration for IPsec datapath verification [VPN]

Many People asked me if it is ok to run vSRX on EVE on Virtualbox on Linux on Bare-Metal.
I personally think this is a bad idea, because every Layer you add, will impact your Performance significantly.
I recommend EVE-Bare (EVE on Bare-Metal) if you really want to run big Labs.
But be careful – some Servers (like the HP-Ones) need a special treatment regarding the network interfaces.
You can find more Infos in the EVE-Forums.

NAT64 – Practical Example

On my way to JNCIE, NAT64 is also a Topic – below you will find a working example of how I achieved this – comments are welcomed ๐Ÿ™‚

Site 1 (running 15.1 code)

 

Site 2 (running 17.3 code)

Hope this helps you all

JunOS Service restart via cronjob

Some days ago we had trouble on one of our QFXes where the jdhcpd deamon would consume 100% CPU and “crash” – resulting in users not getting IP’s anymore.
While TAC is still investigating, I made a quick Workaround for this – the DHCP-Sheriff ๐Ÿ˜‰

 

This Script restarts the Service if the load of the Service is above 1% (adjustable) – this can be easily adopted to other services and thresholds.

1.) Login as root and in shell type: vi /var/tmp/dhcp-sheriff.sh

2.) Press “i” and paste the above lines, followed by “[Esc-Button]”. Save and Quit with :wq

3.)
chmod +x /var/tmp/dhcp-sheriff.sh

4.)
crontab -e
0 */8 * * * sh /var/tmp/dhcp-sheriff.sh (executes it every 8h)

5.)

crontab -l
0 */8 * * * sh /var/tmp/dhcp-sheriff.sh

6.) in cli check after job has finished to run via show log dhcp-sheriff.log

 

Feel free to use this to your advantage – hopefully this will be a workaround for you in urgent-times until a fix is released.
This is only a workaround – do not use this in production for a long time / use at your own risk.

Firefly Perimeter – OSPF over GRE over IPsec

After attending the JNCIE-SEC bootcamp last week, I saw that one topic was barely mentioned: The way of running OSPF over GRE over IPsec. Since this setup is barely used (because of various reasons) I thought, that this is post-worthy – so here you have a working config (running on Fireflyย 12.1X47-D35.2

 

Topology:

Config for Firefly-A:

 

Config for Firefly-B:

Hope, that this helps you if you ever have to do this or need to learn this…
Remember – this is just a sample – please use stringer ciphers if possible ๐Ÿ˜‰

The JNCIE-Exam is getting closer and closer…