Discussing the IT landscape and impacts of the COVID-19 pandemic

You should check out the Twitter Handles of the Ambassadors soon.
I just had the greatest time discussing the impact on the IT landscape during the COVID-19 pandemic.

This Juniper Networks Ambassador Roundtable featured Michael Marcellin, CMO at Juniper, and from the Ambassadors Stefan Fouant, Chris Parker, Nick Ryce, Paul Clarke, Andrew Alston, Tom Dwyer and myself.
You will soon find it also on this blog 🙂

vSRX 3.0 Template for EVE-NG

Here you find the vSRX 3.0 custom template for your EVE-NG.

Add this file (named vsrx30.yml) to your /opt/unetlab/html/templates/intel/ folder:


# Copyright (c) 2016, Andrea Dainese
# Copyright (c) 2016, Alain Degreffe
# Copyright (c) 2017, Alain Degreffe
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice, this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of the UNetLab Ltd nor  the name of EVE-NG Ltd nor the
#       names of its contributors may be used to endorse or promote products
#       derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL  BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
---
type: qemu
name: vSRX3-0
cpulimit: 1
icon: JuniperSRX.png
cpu: 2
ram: 4096
eth_name:
- fxp0/mgmt
eth_format: ge-0/0/{0}
ethernet: 6
qemu_nic: virtio-net-pci
console: telnet
qemu_arch: x86_64
qemu_options: -machine type=pc-1.0,accel=kvm -cpu qemu64,+ssse3,+sse4.1,+sse4.2,+x2apic,+aes,pclmulqdq  -serial
  mon:stdio -nographic   -nodefconfig -nodefaults -rtc base=utc

Don’t forget to include it in your custom_templates file at /opt/unetlab/html/includes/custom_templates.yml:

custom_templates:
- name: JATP
  listname: 'Juniper JATP Appliance (SkyATP on Premise)'
- name: PACKETFENCE
  listname: 'PacketFence OpenSource NAC'
- name: CSRX
  listname: 'Juniper cSRX'
- name: vsrx30
  listname: 'Juniper vSRX3.0'
- name: jspacelogcollector
  listname: 'JunOS Space Log Collector'

Compared to the vSRX-NG Template, which took the vSRX 3.0 6-7min to fully boot, this “new” template (which is basically a Linux-based template) takes roughly 2-3min to fully boot with 19.4 and 20.1 😉

Enjoy your unleashed vSRX3.0 🙂
Feel free to ask questions / suggestions in the comments here 🙂

EVE-NG Update in IPv6 only environments

The newest eve-ng ( 2.0.6-42(+43+44)-PRO // 2.0.3-108-Community) introduces a lot of cool new features for making your daily work easier than ever, that I will cover in the next few days.

I had some issues while updating my eve-ng (because I run my eve-ng IPv6 only – and yes – v6 ONLY)

If you have v4 only or Dual-Stack, this “problem” is something, that you will not face.
All IPv6 only guys can keep on reading.

During the upgrade, the eve-ng-pro package (I’m sure community does the same) disabled IPv6 since having IPv6 enabled during the update process could break stuff – great for my eve-ng because this way my installation is safe, but bad for my connectivity because if you run IPv6 only like I do – you’ve guessed it – game over for remote access 😀

Here’s how I “rehabilitated” my eve-ng:
Luckily, I have ILO Access to my Server – else, due to COVID-19 and travel “restrictions” this would have been a whole other game…

I opened a Remote Console and logged into eve-ng after giving it some time for the update.
First was a reboot (you should always do this after upgrades).
When it was reachable again, I logged in and looked inside my Syslog file to see how ipv6 was disabled.
I found out that /opt/ovf/ovfstartup.sh disabled ipv6 completely (sysctl -w net.ipv6.conf.all.disable_ipv6=1).

Usually, the script reflects the settings in your /opt/unetlab/html/includes/config.yml (that you edit by setting stuff via web-interface). I’m sure, that this file was changed by the updater from:

#Disable ipv6 on EVE Host
grep -q 'ipv6.*0' /opt/unetlab/html/includes/config.yml 2>/dev/null && sysctl -w net.ipv6.conf.all.disable_ipv6=1
grep -q 'ipv6 ' /opt/unetlab/html/includes/config.yml 2>/dev/null || sysctl -w net.ipv6.conf.all.disable_ipv6=0

to the new “update settings”:

#Disable ipv6 on EVE Host
grep -q 'ipv6.*0' /opt/unetlab/html/includes/config.yml 2>/dev/null && sysctl -w net.ipv6.conf.all.disable_ipv6=1
grep -q 'ipv6 ' /opt/unetlab/html/includes/config.yml 2>/dev/null || sysctl -w net.ipv6.conf.all.disable_ipv6=1

so that regardless of your settings in the web-interface it would make sure, that ipv6 is disabled.

So far so good.

I changed the second line back (grep -q 'ipv6 ' /opt/unetlab/html/includes/config.yml 2>/dev/null || sysctl -w net.ipv6.conf.all.disable_ipv6=0) and rebooted my eve-ng – TADAA – pnet0 has its IPv6 address back 🙂
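
A pre-update check built on the two script variants shown above, as an added example (not part of the original post and not EVE-NG code). The function names are hypothetical, the sample addresses are constructed, and only the fallback line is inspected; config.yml itself is not evaluated.

```shell
#!/bin/sh
# Added example: flag the lockout described above before it happens.

# Print the value (0 or 1) that the "no ipv6 key in config.yml" fallback line
# of the startup script passes to disable_ipv6, or "unknown" if no such line.
ipv6_fallback_value() {
    val=$(sed -n "s/^[[:space:]]*grep -q 'ipv6 ' .*|| *sysctl -w net\.ipv6\.conf\.all\.disable_ipv6=\([01]\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-unknown}"
}

# Read `ip -o addr show dev pnet0` output on stdin; succeed only when the
# interface has a non-link-local inet6 address and no inet (IPv4) address.
v6_only() {
    awk '$3 == "inet" { v4 = 1 }
         $3 == "inet6" && $4 !~ /^fe80:/ { v6 = 1 }
         END { exit !(v6 && !v4) }'
}

# Address listing on stdin, script path as $1. Prints RISK when the host is
# IPv6-only and the script's fallback would switch IPv6 off, otherwise ok.
lockout_risk() {
    if v6_only && [ "$(ipv6_fallback_value "$1")" = "1" ]; then
        echo RISK
    else
        echo ok
    fi
}

# Constructed sample listing (documentation prefix 2001:db8::/32).
SAMPLE_ADDRS='2: pnet0    inet6 2001:db8::10/64 scope global \       valid_lft forever preferred_lft forever
2: pnet0    inet6 fe80::1234/64 scope link \       valid_lft forever preferred_lft forever'

# On a real host (path taken from the post above):
#   ip -o addr show dev pnet0 | lockout_risk /opt/ovf/ovfstartup.sh
```

Run it from the out-of-band console after an upgrade and before the reboot, so a RISK result can be fixed while you still have access.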

I also modified the script a bit because in IPv6 only networks it would always show you “no ip address on pnet0” on the console instead of your usual “login to http://…..” – after modifying it, it now also shows IPv6 on the console – but the next update will probably break that since I manually edited the file (you shouldn’t do that until you know EXACTLY what you are doing – I repeat – this is NO NO stuff 😛)

Here’s what I did:

Change:

IP="$(ifconfig ${INTERFACE} 2> /dev/null | grep 'inet addr' | cut -d: -f2 | cut -d' ' -f1 | grep -E "^[0-9]+.[0-9]+.[0-9]+.[0-9]+$")"

on interface pnet0 to this:

IP="$(ip -o -6 addr show pnet0 | sed -e 's/^.*inet6 \([^ ]\+\).*/\1/' | grep -v ^fe80)"

It still shows /64 behind the URL because I don’t really know how to use awk but hey – it’s a start 😉
The endgame would be to set the URL to https://[2001…..]/ since IPv6 needs braces [ ] in the URL – but that’s just cosmetic.
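
One way to reach that endgame, as an added example (not the author's code and not part of the EVE-NG script): an awk filter that drops the /64, skips link-local and tentative, deprecated or temporary addresses, and wraps an IPv6 address in brackets. It goes beyond the one-liner above by also handling an IPv4 address when one exists; the function name console_url and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `ip -o addr show dev pnet0` output (stdin) into a URL.
# $1 is the scheme (default https). Exit status 1 means no usable address.
console_url() {
    awk -v scheme="${1:-https}" '
        # First IPv4 address, prefix length removed.
        $3 == "inet" && v4 == "" { split($4, a, "/"); v4 = a[1] }
        # First usable IPv6 address: not link-local, not in a transient state.
        $3 == "inet6" && v6 == "" && $4 !~ /^fe80:/ &&
            $0 !~ / (tentative|deprecated|temporary)/ { split($4, a, "/"); v6 = a[1] }
        END {
            if (v4 != "")      printf "%s://%s/\n", scheme, v4
            else if (v6 != "") printf "%s://[%s]/\n", scheme, v6   # IPv6 literals need brackets
            else exit 1
        }'
}

# Constructed sample listing (documentation prefix 2001:db8::/32).
SAMPLE='2: pnet0    inet6 2001:db8::dead/64 scope global deprecated \       valid_lft forever preferred_lft 0sec
2: pnet0    inet6 2001:db8::10/64 scope global \       valid_lft forever preferred_lft forever
2: pnet0    inet6 fe80::1234/64 scope link \       valid_lft forever preferred_lft forever'

printf '%s\n' "$SAMPLE" | console_url    # https://[2001:db8::10]/
```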

In the next few days, I will try to upload more Articles and Videos but due to COVID-19, my workload has increased by roughly 900%… Stay Safe guys!

New Video Series is online

You asked for it – now it finally happened: My new Video Series covering EVE-NG with Juniper Gear is online – well at least it will be if youtube finally manages to “prepare” it… I will release the Videos on a weekly / bi-weekly basis (depending on other Projects) and I will cover all questions in the series. Feel free to subscribe, so that you never miss a Video again 🙂 I will also shout via Twitter once the Video is live.


Some of you might wonder what “Netchron” is. Netchron is a Company, that I founded back in 2010. I used it mainly for educational purposes and also for legal reasons. Now, Netchron launches again – this time bigger than ever 😉

Here’s the Link: https://www.youtube.com/watch?v=DYI5_XC1iHE&t=723s

5-Year Juniper Champion

Just realized, that I started to participate in the Champions-Program back in 2015 which makes this year already Special 🙂

Remember to check your status from time to time at https://jpartnertraining.juniper.net/ and refresh your knowledge there. I mainly use the J-Partner-Training to learn new Stuff and for the introduction of new License-Models and other Partner important Topics.

The second benefit is that as Champion you are entitled to Vouchers, that you can claim as a reward every year. On top of that, the Juniper folks also give you access to an O’Reilly Juniper Book (PDF-download) of your choice. I now have 5, because this is also recurring every year along with the Vouchers. This is a great opportunity for partners to certify the employees (at least 2 attempts per participating candidate if they are Ingenious Champions) if they cannot attend a Session where certification is free. Spread the word if you don’t know about this.

Also, your Company gets a nice Banner for the Website:

What are you waiting for? Get (or renew) your Champion Status now

My 2019 Journey and 2020 Goals

Time to reflect on the Year 2019 in Terms of Certification and see what 2020 hopefully brings 🙂

2019 was mostly a Re-Certify Year for me because I prepared for my 2 Expert Exams (JNCIE-DC and JNCIE-ENT) and also launched some amazing Projects regarding EVE-NG. I did both first attempts for the E-Exams in 2019 and I am certain, that I will be able to pass them in 2020.


In 2020 in terms of Certification, I will additionally look at LPIC and PaloAlto. Nothing else in 2020, because I was very active for the re-certify process so that I don’t have to re-certify much in 2020 – however 2021 will be hard so I might do some in late 2020, depending on the status then.

My TOP-3 non-certify hot-topics in 2020 are:
IPv6 (gaining even more knowledge)
Python (extremely needed in my opinion if you are a Network-Engineer)
Ansible (out of pure interest)

And as you might have heard, I will build my very own DataCenter in 2020 next to my House. I’m not talking about a room in my house – I’m talking about a separate building with everything a DC needs to have 🙂

What are your Goals for 2020?

EVE-NG in IPv6-only Environments

Shortly before the holidays, the EVE-Team made us all another huge Christmas Present. And I’m not talking about the 30% off for the PRO Edition which you totally should check out on www.eve-ng.net. I’m talking about the ability to run EVE-NG in IPv6-only Environments. YES – it happened 😀

The latest EVE-NG-Pro ( 2.0.6 – 31 ) already introduced the ability to run v6 on the MGMT-Interface of your EVE (manually, but now possible), however, the Pro-Licensing-Server was only reachable via IPv4.
That changed yesterday 🙂

You can now talk to the Lic-Server via IPv4 and IPv6, enabling your EVE-NG-Pro to always fetch a valid license regardless of your IP underlay. This enables a lot of folks the ability to run EVE-NG where only IPv6 is provided (Asia or Germany if you signed up with Unitymedia for example).

Here’s how I “tweaked” my EVE to run in v6-only (Hetzner Server, therefore the Default-Gateway of fe80::1):

# The primary network interface
iface eth0 inet manual
auto pnet0

iface pnet0 inet6 static
  # Main IPv6 Address of the Server
  address 2a01:xxxx:xxxx:xxxx::xxxx
  netmask 64
  gateway fe80::1
  dns-nameservers 2001:4860:4860::8844 2001:4860:4860::8888

As you can see this Server now runs on v6 only via pnet0 (eth0, WAN).
You can access the Web interface via v6, the Server itself can reach out to the License-Server and all Labs run as usual (internally you can of course still use v4).

In the next step, I will tweak the Server so that your internal v4-Addresses-only Hosts will be translated via NAT64 to reach the internet 🙂 That will be posted probably at the end of this week 🙂

I will not try NAT66, because I think that NAT66 is the most stupid Idea ever and breaks the concept of IPv6 in a fundamental way…

I will also try SLAAC with the EVE-NAT-Cloud – with v6 you have so many possibilities and will never run out of addresses again.

I’m a big supporter of IPv6 as you know and running EVE in v6 only is a huge Improvement. Some of you might think “meh – calm down – it’s only another IP Notation”. I can assure you, that it’s far more than that. And if you look at ALL Vendors out there, they all still have a huge way to go until we can live in an IPv6 only world and finally dump v4, NAT and all other evil stuff created out of Address shortage 😛

Happy Holidays

The Value of Specialization – Why the new CCNA is a disaster

The end of the year is near, and it’s time to reflect a bit about what happened in 2019 in terms of Certification in the Industry of Networking. And there was some shocking, almost ridiculous news this year. Some of you might have heard it – Cisco “Re-Designed” their Certification Track for the CCNA, which will become active in 2020, and they will also introduce a “Cisco Specialist” between the CCNA and CCNP. I wonder whom they try to copy with this “CCNS” 😉 However, they seem to have failed.

How you might ask? Let me explain this a bit. If you look at the new Certification Path it looks like this:

Noticed something? The CCNA and “CCNS” are spanned over ALL the 5 Topics. We live in a world where AI will sooner or later dominate the “Allround-IT-Guys,” and Cisco is trying actively to make new network engineers allrounders… When I heard the news, I was shocked that they seem to forget where they came from and why everyone pursued the CCNA Tracks – because the Tracks started at the very basic in every Topic.

Unfortunately, they seem to have forgotten the benefit of specialization. Specialization is essential and needed because that’s where the difference between “I know the basics” and “I KNOW the Basics in my field” will happen. Who needs an engineer that knows all topics “at the surface” up to the Specialist Level? This is what a good AI can do (and replace) today – I don’t need someone to tell me that OSPF is down, I don’t need someone to tell me that my phone is not working because a VLAN is missing somewhere… And most of all: I don’t care about collaboration if I work inside a SoC with no Telephony or WiFi at all – instead, I want to learn about the Security-specific Topics to build my Security career from the very beginning.

It makes the CCNA “worthless”, in my opinion, and that’s the main reason why I let my CCNA expire earlier this year – because it tells you NOTHING about my actual knowledge inside the area that I work in.

Network Engineers need to take a step back from “I know everything a bit” because allrounders are no longer demanded and needed because we have software for that. Even a monkey can operate such software – we need to make the shift towards “I’m a specialist in my area, and no one can fool me there.”

That’s what Juniper, for example, is aiming at with the introduction of the Career-Tracks at the Associate Level. They start basically where your Career starts without all the possible other areas and technologies. At Cisco, you now need to learn stuff that you will never have to deal with, and that does not give you any benefit at all to get your CCNP with a specialization active – Ridiculous if you ask me. I don’t know about you but my time is way too valuable to learn stuff that I will most likely never use – there are too many other interesting, specialized things to learn about to improve myself.

That’s why in 2020, the CCNA will most likely be “worthless” because putting 5 Tracks into one Exam just for the sake of reducing the exams is just not the right way, in my opinion. I’m curious about your opinion. Do you think that allrounders are better than specialized Staff? What’s your daily experience? Feel free to leave a comment because I’m very, very interested in that.