Juniper TechFest2021 (virtual)

This year, the TechFest from Juniper Networks is taking place online (hopefully for the last time because I REALLY miss live Events). There are SO many Courses to explore, and overall the content is excellent. Regardless if you want to polish your EVPN-skills, learn about SRv6 or spend time exploring the countless MIST Sessions – there’s a lot to discover this year, and it’s very interactive πŸ™‚ Make sure to check out the content. In a couple of days, I will also release some Blog-Articles about MIST and why I think it’s awesome πŸ˜‰

I’m having a great time online πŸ˜‰ πŸ˜€

Next EVE-NG talk

      3 Comments on Next EVE-NG talk

Join me on my next talk about EVE-NG and Juniper (October 19, 9:00 AM CET).

This time I will talk about the Installation of EVE-NG, why you want bare over virtual, where to get the needed images from Juniper (vSRX, vQFX, vMX), and how to start building a lab.

It’s free:

You can also bring your questions because at the end there will be a Q&A Section for exactly that – I want to help you getting your Lab to the next level or starting with a small lab – the possibilities are endless.

Looking forward to a great event πŸ™‚ Sign up today and reserve your seat as there will be no recording πŸ™‚

EVE-NG 4.0.1-56 is out

      No Comments on EVE-NG 4.0.1-56 is out

Folks – EVE-NG 4.0.1-56 is out.
This release brings a ton of improvements (the Team did an outstanding job again) and also introduces 2 new Juniper Templates: 128T and Apstra AOS πŸ™‚ You can now play with Junipers SD-WAN Solution (128T) or Deploy your very own EVPN-VXLAN Fabric in EVE (Apstra AOS). Make sure to update your Servers asap πŸ™‚

Another day – another “Certification”

I just got my newest “Certification” – and nope – it’s indeed a non-Juniper one πŸ˜€

Berechtigung nach Β§ 21 Absatz 5 Satz 1
Krankenhausstrukturfonds-Verordnung (KHSFV)

That one is needed if you want to work with the hospitality and medical sector when working with funds that can be accessed to help digitalize the hospitals / medical systems.

Much needed here in Germany as most of the systems are still, let’s say, “stoneage” or software-islands without any interoperability or defined standards – Germany is a bit slower when it comes to digitalization (after all, the Internet is new to us – germans get this joke).

The test validates your understanding of all parts of the funding and also basically verifies that you know, what you are doing from accessing funds, it-security, how the systems and parts need to be interoperable, and so on πŸ˜‰

EVE-NG 4.0.1-15-Cluster released – All the Lab Graphs in the world

ICYMI – EVE-NG just released the latest version of the EVE-Cluster (4.0.1-15). This version brings some more nice gadgets to play with: Traffic-Graphs πŸ™‚

4.0.1-15 brings graphs to your Lab environment

This is a convenient and interesting feature when dealing with all kinds of generated Traffic in and out of your Lab, between nodes, or between “helper-nodes” and your Lab. If you don’t want to fire up Wireshark to see if Traffic is really flowing, you can now easily use the graphs. This is currently a “Pro-Only” feature and another good reason to switch to EVE-NG Pro πŸ™‚ As you can see, the Team is constantly evolving the software more and more – and every time you think that this is the perfect release – the Team surprises us again πŸ™‚ As always – great Job / Tippin my Fedora πŸ˜‰

EVE-NG Pro 4.0: Brace yourselves – CLUSTER is coming…

Did it really happen? Hell yeah – it finally happened πŸ™‚
One of the most requested features of all time is coming to life – and boy is it fun πŸ™‚

I had the honor of trying it a few days before the release, and I’m impressed with how good it works considering this is an FRS – which makes it even more amazing. With the Cluster update, new possibilities arise. You can now scale your Labs even more, and the best part is: you don’t even need to worry about images on the satellites. But wait – what’s a satellite? Let me show you.

EVE-NG is (considering it’s a Standalone-Server) a “master” Server. This means that you login to this server and use it to manage your Topology. If you want to add more Resources (additional Servers), they are considered “satellites” – they provide the needed horsepower for your master to run additional nodes. In most systems, you need to do the “imaging” yourself – meaning that for every node that you want to start, the image needs to be present on the satellite (since it obviously needs the harddisk file). With EVE this is different – you simply select the satellite that your node should run on, and EVE takes care of the image distribution – how awesome is that???

What about updates, you ask? Well – the EVE team has got you covered πŸ˜‰ You just update your master, and the master will push the agent update to your satellite and update it – while you sip a coffee or do other tasks. While the GNS3 folks update all the servers, you can enjoy time with the family πŸ˜›

NoHate I’m sure the GNS folks will forgive me for this πŸ˜‰

And do you know the best part? You don’t need to pay for a Cluster-License. That’s right – all the sweet awesomeness of EVE-Clustering at the cost of the Pro-Edition. When I heard about this, I was EXTREMELY grateful – now your only limit is your budget for new Servers, but since that is infinite, you can scale your labs to new heights πŸ™‚

What? You want to know how the communication between the master and the satellite works? Alright:

EVE communicates over vxlan between the satellites and the master. And if this wasn’t cool enough for you: What if I told you that EVE uses wireguard (yes, you read correctly) to secure the connections. Every console session, every ssh-connection, every network you create between the master and the sat – no one will be able to sniff the good stuff you have created. Awesome, right? I have never seen anything like this before – most Vendors give a shit about security and the EVE-Team just showed us all how it’s done!

Congrats to the Team for this really awesome release!

I will cover the Clusterfeatures in my next talk at the Juniper Open-Learning Series
(Tuesday, March 2, 2021 7:00 AM PST):
Make sure to register your seat early πŸ™‚ There might even be a prize to win this time πŸ˜‰

EVE-NG Pro 3.0.1-17 update is out

The EVE-NG Team just released the latest Update for the Pro Edition.

  • New templates for Catalyst 8000, FreeNAS, Android, and many more
  • Template updates
  • Node icons library

The update also fixed a “security flaw” in guacamole, where the guacadmin password was still set to “guacadmin.” Apparently, not many users were aware of that, and some even put the EVE straight into the www instead of having a decent firewall between the EVE and the www.

Seriously, guys – it’s 2021 – this should not even be a concern.
Exposing a Solution to the www without changing every tiny setting and password is like crying out loud, “hack me fast plz” – this happens automated nowadays, by the way!

My advice is always to have a decent Firewall between you (somewhere in the www) and your Lab.
Use a VPN to connect to it, and you are safe!

And to all the Users out there calling it a “backdoor” or “hack of the century”:

I suggest you first learn what a backdoor is and then start flaming πŸ˜‰
May I recommend
If you are lazy, here’s a summary: Backdoor means bypassing normal authentication or encryption – this was never the case here. It was just a default user that allowed this – nothing fancy… This user’s password is “scrambled” now, so you don’t need to cry anymore…
Shoutouts to the copycats from pnetlab who tried so hard to throw some dirt πŸ˜‰

If you use IPv6 only (like me), make sure to change the ovfstartup script (opt/ovf/ after the update so that your Server is reachable via v6 again:

#Disable ipv6 on EVE Host
grep -q 'ipv6.*0' /opt/unetlab/html/includes/config.yml 2>/dev/null && sysctl -w net.ipv6.conf.all.disable_ipv6=1
grep -q 'ipv6 ' /opt/unetlab/html/includes/config.yml 2>/dev/null || sysctl -w net.ipv6.conf.all.disable_ipv6=1
<strong>grep -q 'ipv6.*1' /opt/unetlab/html/includes/config.yml 2>/dev/null && sysctl -w net.ipv6.conf.all.disable_ipv6=0</strong>

The last line is important – save the changes and reboot your server.
Your IPv6 should be reachable again πŸ™‚
That’s all I have for you today – stay safe, folks!

vQFX and vMX custom Icons for EVE-NG

Nothing beats a stunning Topology in EVE-NG so I attached you the images that I use for the vQFX and vMX RE. I’m still creating a nice PFE image and of course the vSRX image – that follows here later πŸ™‚


Juniper Open Learning: Using EVE-NG with Juniper Topologies – Slides

Since so many of you asked for it: Of course I can share the Slides πŸ™‚

Here you find the Slides from the Session held on 15.09.2020

Adding IPv6 to your PfSense OpenVPN to access IPv6 content in IPv4-only networks

Yesterday I played with the OpenVPN Settings in my PfSense at home and thought:
Will it be possible to enable IPv6 through my VPN so that I can access my IPv6 only Content even when I’m staying at my parents-in-law where I only have a crappy 1&1 IPv4 DSL?
Turns out: HELL YEAH πŸ˜€

This was way easier than I thought, but I thought I share it with you.
This article is based on the following assumptions:
– You already have your OpenVPN running over IPv4
– Your Server has connection over IPv4 and IPv6 (basically, you are dual-homed so that the Server can access the content and serve it to you)
– You have a free /64 Subnet for your clients to use that is routed towards your Server’s GW IP

Start by navigating to VPN –> OpenVPN. Next to the “Server,” hit the Edit button.
You should now see a similar screen to the one below:

You can leave the Protocol to IPv4 only. I want my Clients to have IPv6 Access everywhere. Enabling the Protocol for both IP-Families does not make sense to me. If I have v6 connectivity already, I can surf away – this only makes sense if you also want to connect via IPv6 in IPv6-only networks but still get your IPv6 Prefix due to ACLs and such.

If you scroll down, you see the IPv6-Tunnel-Network. Insert your /64 prefix in there. PfSense will take care of the Rest for you (DHCPv6, Gateway creation, and so on) so that your clients know how to reach the IPv6 World and get an IPv6 address from your subnet. I also ticked “force all Traffic through the tunnel.” If you don’t check this box, your Client will get an IPv6 Address assigned and will then try to talk IPv6 directly (which will fail in IPv4-only networks obviously) to the resources out there.

You want to make sure, that your Clients are able to resolve IPv6 FQDN’s so don’t forget to add at least one IPv6 Nameserver IP to your DNS Section of the Settings.

If you scroll down a little further, you will see the “Gateway creation” section. Initially, mine was set to IPv4 only – change this to “Both” so that PfSense automatically creates the Gateways for you. You can do that manually, but why make life harder than it needs to be? IPv6 is straightforward – and we should leave it this way πŸ™‚

Hit the “Safe” Button and that’s basically it.

At least I thought… πŸ˜‰

Remember: You just enabled IPv6 for your Tunnel, but your Client is still using the old config-file for IPv4 only!
So either go to the “Client Export” Section and download the new config file or add this to your current config:


I added it just below the IPv4 tun mode so my file begins with:

dev tun<br>tun-ipv6<br>...<br>...<br>...

That’s it. Connect to your Server again and BAM – IPv6 tunneled through IPv4 πŸ™‚
Hope this helps you to enjoy IPv6 everywhere!