Disable IPv6 Router-Advertisements on Windows Server 2012 / 2016

Lately I did a huge amount of IPv6-Setups and I noticed something in the vCenter: All the Boxes with static IP’s still had 2 IPv6-Adresses (one static and one per RA-Feature).

Since I didn’t want them to use the address that they got from the RA and disabling RA at the Router was not an option I googled a bit and found this:

Tadaa – only my static IP is left ๐Ÿ˜‰
Maybe this does not impact anything – but still it feels wrong to me that a static IPv6 Host gains a second address from the same subnet…

Maybe this will help you on your way to IPv6 – if so please leave a comment

On Linux you would simply put this into your /etc/sysconfig/network (for RHEL/CentOS):

 

 

 

 

NAT64 with vSRX 15.1X49-D120

Yesterday, as part of my JNCIE-SEC Training, I reviewed NAT64 with the following Topology:

 

I pinged from Win to Winserver with Traffic going over Gemini(vSRX 15.1X49-D120), Pisces (vMX 17.3R1-S1.6), Pyxisย (vMX 17.3R1-S1.6) and Virgo (vSRX 15.1X49-D120).

So far everything seems to run fine – sometimes a single ping gets dropped but with 1% loss this is okay for me:

For me the D120 runs stable and so far I did not experience any problems.
Below I pasted the configs in case anyone wants to recreate this Lab:

 

Gemini:

 

Pisces:

 

Pyxis:

 

Virgo:

vSRX D120 is out – and runs fine on EVE

The new vSRX15.1X49-D120 is out and of course I already spinned it up with EVE ๐Ÿ˜‰

What should I say – it runs just fine – just like D100 and D110.
The D120 brings 2 new Features:

+ Support for applying IEEE802.1 rewrite rules to inner and outer VLAN tags [QoS]

+ Packet size configuration for IPsec datapath verification [VPN]

Many People asked me if it is ok to run vSRX on EVE on Virtualbox on Linux on Bare-Metal.
I personally think this is a bad idea, because every Layer you add, will impact your Performance significantly.
I recommend EVE-Bare (EVE on Bare-Metal) if you really want to run big Labs.
But be careful – some Servers (like the HP-Ones) need a special treatment regarding the network interfaces.
You can find more Infos in the EVE-Forums.

NAT64 – Practical Example

On my way to JNCIE, NAT64 is also a Topic – below you will find a working example of how I achieved this – comments are welcomed ๐Ÿ™‚

Site 1 (running 15.1 code)

 

Site 2 (running 17.3 code)

Hope this helps you all

JunOS Service restart via cronjob

Some days ago we had trouble on one of our QFXes where the jdhcpd deamon would consume 100% CPU and “crash” – resulting in users not getting IP’s anymore.
While TAC is still investigating, I made a quick Workaround for this – the DHCP-Sheriff ๐Ÿ˜‰

 

This Script restarts the Service if the load of the Service is above 1% (adjustable) – this can be easily adopted to other services and thresholds.

1.) Login as root and in shell type: vi /var/tmp/dhcp-sheriff.sh

2.) Press “i” and paste the above lines, followed by “[Esc-Button]”. Save and Quit with :wq

3.)
chmod +x /var/tmp/dhcp-sheriff.sh

4.)
crontab -e
0 */8 * * * sh /var/tmp/dhcp-sheriff.sh (executes it every 8h)

5.)

crontab -l
0 */8 * * * sh /var/tmp/dhcp-sheriff.sh

6.) in cli check after job has finished to run via show log dhcp-sheriff.log

 

Feel free to use this to your advantage – hopefully this will be a workaround for you in urgent-times until a fix is released.
This is only a workaround – do not use this in production for a long time / use at your own risk.

Firefly Perimeter – OSPF over GRE over IPsec

After attending the JNCIE-SEC bootcamp last week, I saw that one topic was barely mentioned: The way of running OSPF over GRE over IPsec. Since this setup is barely used (because of various reasons) I thought, that this is post-worthy – so here you have a working config (running on Fireflyย 12.1X47-D35.2

 

Topology:

Config for Firefly-A:

 

Config for Firefly-B:

Hope, that this helps you if you ever have to do this or need to learn this…
Remember – this is just a sample – please use stringer ciphers if possible ๐Ÿ˜‰

The JNCIE-Exam is getting closer and closer…

NAT64/46

      No Comments on NAT64/46

Today I experimented with NAT64 / NAT46 a bit.
The Setup to test this is relatively easy:

I took 2 Windows-Servers (2008R2), one with only IPv4 and one with only IPv6.
The 2 SRX’es are dual-stack capable and have a transfer-subnet (IPv4) between them.

Test-Scenario: Serverv4 pings Serverv6’s “v4-Address”, which is actually a “Proxy-Address” on the SRX and gets the reply – without requiring the v6-Server to have an IPv4-Address. Reverse should be the same: The v6-Server pings a v6-Address but in the Background it is the v4-only Server that replies. This worked very nice and I hope to see more of that in the Future at the customers sites – and I bet I will since IPv6 gains more and more attraction here in Germany ๐Ÿ˜‰

How to get rid of Frame 0 and oinker on cli

Have you ever experienced the message

when labbing with your vSRX / vQFX / vMX or even with hardware?

 

Calm down – this is nothing to worry about.

 

With the following code your device will “silently drop” the messages for you:

Finally my CLI is calm again ๐Ÿ˜‰

Source:ย https://kb.juniper.net/InfoCenter/index?page=content&id=KB19723

SRX100 in DimensionData Style

As you all know, I work for DimensionData in Germany. As a matter of fact i really like to mention this wherever I go – it’s my personality to do so because I only work for COmpany’s that I’m “proud” of – else it wouldn’t make sense to work there right?

I recently thought of pimping my old SRX100B with the NeonGreen from DiData – and it turned out pretty damn well for my first time spraypainting ๐Ÿ™‚

 

What do you think?
My next Project will be a fire-red SRX240 I have inside my Lab ๐Ÿ˜‰