EVE-NG Professional – First Preview

This morning something exciting happened: thanks to Alain, the head developer of EVE, I got my hands on a "Trial License" of EVE-NG PRO, which will come out very, very soon. This post will review some features and my lab tests. Stay tuned and watch eve-ng.net for news about the release date; if EVE PRO is out, you will see it there.

As you can see, EVE PRO starts with version 2.0.4-4, and you are greeted with 3 modes:
+ Native
+ HTML5
+ HTML5 Desktop

Native and HTML5 are well known from the Community Edition. HTML5 Desktop is based on Docker and is, in my opinion, the world's greatest way to lab. This will change everything…

After logging in to HTML5 Desktop you are presented with the "full-blown" desktop of your labbing dreams. It has Wireshark over RDP, so you don't need to install Wireshark on your PC, which is G R E A T if you want to lab at work, where you are usually not allowed to install software, access SSH, or run any "CLI-opening" commands. Isn't this just awesome? Now EVE brings the term "labbing everywhere" to a whole new level. Regardless of where you are, even at the hotel bar where you only have web browser access, you can log in to your lab and do whatever you want.

I was amazed at how smoothly this actually works: Docker runs really nicely on Ubuntu 16.04 LTS, which EVE is based on. It comes with Firefox and Chromium installed, but Firefox is preferred and used by default. So from HTML5 Desktop you are able to do a few things:

+ run EVE in Firefox in Native or HTML5 mode and work on it as usual
+ SSH into your EVE host and access its CLI (for upgrading, downloading new software, etc.)

I started my JNCIE-SEC lab and tested capturing on ge-0/0/1. It worked like a charm: I could see all packets as they would flow in real life, and all this from my work PC, which is very strict. No problems at all.

My lab runs as smoothly as always, and now there is a shiny new "Docker" node running 😉

Also new is the NAT network: you can now add a NAT network to your topology. It runs a DHCP server so your nodes can fetch an address and access the Internet through the EVE host's IP, which is great if you want your virtual appliances to fetch the latest updates.

Another nice feature is the possibility to close a running lab and go to a second lab. I often had the problem that, due to the extremely long boot time of my full-blown lab, I wouldn't close it to test some other things real quick. No more do I have to worry about this: running labs can be accessed again at any time and are placed under the "running" folder.

What I also like is the new "hot add" link feature: you can now finally delete and add links while the devices are running. I tested this 6 times; 5 times from Juniper to Juniper it worked very nicely, and one time I had to disable the interface at the CLI and enable it again. But since I also shut every interface that I don't use in real life, this is not a problem; after enabling the interface everything works fine. Another sweet feature, which mainly helps my "laziness" stay lazy, and for quick testing this feature is really handy: add a node, enable some interfaces, hot-add a link, test, and after the test simply destroy it. You can pop up parts of the lab now in no time.

I was honored to get the chance to test EVE PRO, and of course I will be one of the first to buy EVE PRO as soon as it gets out, to support the amazing devs of this, in my opinion, "masterpiece of lab technology". Stay tuned: in the coming days I will test EVE-NG PRO "bare" vs. ESX 6.5 for labbing and do some "pressure tests" on PRO.

My first J-Coin from "overseas"

Every time I drive home, I talk to my wife over the phone (yes, EVERY time). This evening she told me that mail from Juniper had arrived, and I was extremely curious what it could be. And I must say that I wasn't disappointed 😀

Now I have 2 J-Coins, one from the EMEA Summit 2017 and one from the Circle. Can't wait to get them all; I already purchased a book for all the coins 🙂

It’s PoC-Time again

Hi all,

lately I've been a little "quiet", mainly because of my new job, which is super awesome by the way. Today we prepped a lab containing 12 QFX5100/EX4600, and boy do they make noise when they boot up 😀

My new goal for the JNCIE-SEC is now May 2018, so stay tuned; I will post some labs shortly.

An era has ended and another era starts: taking my Juniper career to the next level

Maybe some of you already heard it: beginning tomorrow (1st of February 2018) I will no longer be working for Dimension Data.
In recent years the Juniper projects were getting few, so I decided to take my career to the next level by moving to Telonic.
I'm very excited to get the opportunity to work at a "Juniper-focused" company and to work even closer with Juniper and Juniper-focused colleagues. The first big step to achieve this is to finally get the JNCIE-SEC, which, due to lost time, I couldn't complete while working at DiData. Thank you DiData for all the good years and "see you soon"; the IT world is a small village 🙂

Disable IPv6 Router-Advertisements on Windows Server 2012 / 2016

Lately I did a huge number of IPv6 setups and noticed something in vCenter: all the boxes with static IPs still had 2 IPv6 addresses (one static and one from the router advertisement feature).

Since I didn't want them to use the address they got from the RA, and disabling RAs on the router was not an option, I googled a bit and found this:

netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled
netsh interface ipv6 set teredo disabled
netsh interface ipv6 isatap set state disabled
netsh interface ipv6 6to4 set state disabled

Run these from an elevated prompt and replace "Local Area Connection" with the adapter name shown by netsh interface ipv6 show interfaces (on 2012/2016 the default name is usually "Ethernet"). Only the first line stops the host from accepting router advertisements; the other three turn off the Teredo, ISATAP and 6to4 transition tunnels so that no further auto-generated addresses appear.

Tadaa, only my static IP is left 😉
Maybe this does not impact anything, but it still feels wrong to me that a static IPv6 host gains a second address from the same subnet…

Maybe this will help you on your way to IPv6; if so, please leave a comment.

On Linux (RHEL/CentOS) you would simply put this into /etc/sysconfig/network (as the global default) or into the interface's ifcfg file under /etc/sysconfig/network-scripts/:

IPV6_AUTOCONF=no

NAT64 with vSRX 15.1X49-D120

Yesterday, as part of my JNCIE-SEC training, I reviewed NAT64 with the following topology:

I pinged from Win to Winserver with traffic going over Gemini (vSRX 15.1X49-D120), Pisces (vMX 17.3R1-S1.6), Pyxis (vMX 17.3R1-S1.6) and Virgo (vSRX 15.1X49-D120).

So far everything seems to run fine; sometimes a single ping gets dropped, but 1% loss is okay for me:

For me D120 runs stable and so far I did not experience any problems.
Below I pasted the configs in case anyone wants to recreate this lab:

Gemini:

set version 17.3R1-S1.6
set system host-name Gemini
set system root-authentication encrypted-password "$6$JlBYr7De$HiDZ2uPKQrJ3D0Lh87Zna/5QekoDwa3SqYT8CWLWfzhYN4yqjvK3HwqUHRcm7Tm1oJYWiUpnbf9/x7mieYAnN/"
set security forwarding-options family inet6 mode flow-based
set security nat source rule-set V64-src from zone CLIENTS
set security nat source rule-set V64-src to zone WAN
set security nat source rule-set V64-src rule 01 match source-address 2001:d88::/64
set security nat source rule-set V64-src rule 01 match destination-address 172.16.7.100/32
set security nat source rule-set V64-src rule 01 then source-nat interface
set security nat static rule-set V64 from zone CLIENTS
set security nat static rule-set V64 rule 01 match destination-address 2001:d88::253/128
set security nat static rule-set V64 rule 01 then static-nat prefix 172.16.7.100/32
set security nat proxy-ndp interface ge-0/0/1.0 address 2001:d88::253/128
set security policies from-zone CLIENTS to-zone WAN policy P64 match source-address any
set security policies from-zone CLIENTS to-zone WAN policy P64 match destination-address any
set security policies from-zone CLIENTS to-zone WAN policy P64 match application any
set security policies from-zone CLIENTS to-zone WAN policy P64 then permit
set security zones security-zone WAN interfaces ge-0/0/4.0 host-inbound-traffic system-services ping
set security zones security-zone CLIENTS interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:d88::1/64
set interfaces ge-0/0/4 unit 0 family inet address 172.16.2.2/24
set routing-options static route 0.0.0.0/0 next-hop 172.16.2.1
set routing-options static route 0.0.0.0/0 preference 255

Pisces:

set version 17.3R1-S1.6
set system host-name Pisces
set system time-zone Europe/Berlin
set system management-instance
set system root-authentication encrypted-password "$6$6s/YdPmc$90tCKZVCyj46dNrOPlj1wlQU.ieTTJtuELT2sUNC8dOF8GtyKxmwPwbhG9ZXFiM.KCN.eHkY4hBJpuUdM6BCk/"
set interfaces ge-0/0/0 unit 0 family inet address 10.10.0.2/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.0.133/24
set interfaces ge-0/0/3 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/4 unit 0 family inet address 172.16.2.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.254
set routing-options static route 0.0.0.0/0 preference 255
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/3.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/4.0 passive

Pyxis:

set version 17.3R1-S1.6
set system host-name Pyxis
set system root-authentication encrypted-password "$6$v9SuA11k$QrLyhORoCn6JZlQ5zb9SeZ.e30ePX8AumXv2xbQZNs12JOvmoM9dbBa7TJOijtdDz2QiThnTRxETqpaoD.oz//"
set interfaces ge-0/0/0 unit 0 family inet address 10.10.0.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.0.143/24
set interfaces ge-0/0/5 unit 0 family inet address 172.16.3.1/24
set interfaces ge-0/0/6 unit 0 family inet address 172.16.4.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.254
set routing-options static route 0.0.0.0/0 preference 255
set routing-options static route 172.16.7.0/24 next-hop 172.16.3.2
set protocols ospf export OSPF_ext
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/5.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/6.0 passive
set policy-options policy-statement OSPF_ext from protocol static
set policy-options policy-statement OSPF_ext then accept

Virgo:

set version 17.3R1-S1.6
set system host-name Virgo
set system root-authentication encrypted-password "$6$JlBYr7De$HiDZ2uPKQrJ3D0Lh87Zna/5QekoDwa3SqYT8CWLWfzhYN4yqjvK3HwqUHRcm7Tm1oJYWiUpnbf9/x7mieYAnN/"
set security policies from-zone WAN to-zone DMZ policy P64 match source-address any
set security policies from-zone WAN to-zone DMZ policy P64 match destination-address any
set security policies from-zone WAN to-zone DMZ policy P64 match application any
set security policies from-zone WAN to-zone DMZ policy P64 then permit
set security zones security-zone WAN interfaces ge-0/0/5.0 host-inbound-traffic system-services ping
set security zones security-zone DMZ interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set interfaces ge-0/0/1 unit 0 family inet address 172.16.7.1/24
set interfaces ge-0/0/5 unit 0 family inet address 172.16.3.2/24
set routing-options static route 0.0.0.0/0 next-hop 172.16.3.1
set routing-options static route 0.0.0.0/0 preference 255

vSRX D120 is out – and runs fine on EVE

The new vSRX 15.1X49-D120 is out and of course I already spun it up in EVE 😉

What should I say? It runs just fine, just like D100 and D110.
D120 brings 2 new features:

+ Support for applying IEEE802.1 rewrite rules to inner and outer VLAN tags [QoS]

+ Packet size configuration for IPsec datapath verification [VPN]

Many people asked me if it is ok to run vSRX on EVE on VirtualBox on Linux on bare metal.
I personally think this is a bad idea, because every layer you add will impact your performance significantly.
I recommend EVE Bare (EVE on bare metal) if you really want to run big labs.
But be careful: some servers (like the HP ones) need special treatment regarding the network interfaces.
You can find more info in the EVE forums.

NAT64 – Practical Example

On my way to the JNCIE, NAT64 is also a topic. Below you will find a working example of how I achieved this; comments are welcome 🙂

Site 1 (running 15.1 code)

root@vSRX-15.1X49-D100> show configuration | display set | no-more 
set version 15.1X49-D100.6
set system host-name vSRX-15.1X49-D100
set system root-authentication encrypted-password "$5$oAlcMo29$MTj5S03CKi45fpyJ9qtT26dCwD48K9l1Cc3muAOzF11"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security log mode stream
set security log report
set security nat source pool src-pool-120 address 172.16.120.0/24
set security nat source pool src-pool-120v6 address 2001:db8:120::/64
set security nat source rule-set rs-v4-out from zone DMZv4
set security nat source rule-set rs-v4-out to zone trust
set security nat source rule-set rs-v4-out rule r1 match source-address 172.16.100.0/24
set security nat source rule-set rs-v4-out rule r1 match destination-address 172.16.110.0/24
set security nat source rule-set rs-v4-out rule r1 then source-nat pool src-pool-120
set security nat source rule-set rs-v6-out from zone DMZv6
set security nat source rule-set rs-v6-out to zone trust
set security nat source rule-set rs-v6-out rule r1v6 match source-address 2001:db8::/64
set security nat source rule-set rs-v6-out rule r1v6 match destination-address 2001:db8:110::/64
set security nat source rule-set rs-v6-out rule r1v6 then source-nat pool src-pool-120v6
set security nat source rule-set V64-src from zone DMZv6
set security nat source rule-set V64-src to zone DMZv4
set security nat source rule-set V64-src rule 1 match source-address 2001:db8::/64
set security nat source rule-set V64-src rule 1 match destination-address 172.16.100.1/32
set security nat source rule-set V64-src rule 1 then source-nat interface
set security nat destination pool dst-v4-pool address 172.16.100.1/32
set security nat destination pool dst-v6-pool address 2001:db8::1/128
set security nat destination rule-set dst-v4-in from zone trust
set security nat destination rule-set dst-v4-in rule r1 match destination-address 172.16.120.1/32
set security nat destination rule-set dst-v4-in rule r1 then destination-nat pool dst-v4-pool
set security nat destination rule-set dst-v4-in rule r1v6 match destination-address 2001:db8:120::1/128
set security nat destination rule-set dst-v4-in rule r1v6 then destination-nat pool dst-v6-pool
set security nat static rule-set V64 from zone DMZv6
set security nat static rule-set V64 rule 1 match destination-address 2001:db8::8888/128
set security nat static rule-set V64 rule 1 then static-nat prefix 172.16.100.1/32
set security nat static rule-set v46 from zone DMZv4
set security nat static rule-set v46 rule 2 match source-address 172.16.100.1/32
set security nat static rule-set v46 rule 2 match destination-address 88.88.88.88/32
set security nat static rule-set v46 rule 2 then static-nat prefix 2001:db8::1/128
set security nat proxy-arp interface ge-0/0/0.100 address 172.16.120.1/32
set security nat proxy-arp interface ge-0/0/2.0 address 88.88.88.88/32
set security nat proxy-ndp interface ge-0/0/0.200 address 2001:db8:120::1/128
set security nat proxy-ndp interface ge-0/0/1.0 address 2001:db8::8888/128
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone DMZv4 policy Policy01 match source-address any
set security policies from-zone trust to-zone DMZv4 policy Policy01 match destination-address any
set security policies from-zone trust to-zone DMZv4 policy Policy01 match application any
set security policies from-zone trust to-zone DMZv4 policy Policy01 then permit
set security policies from-zone DMZv4 to-zone trust policy Policy01 match source-address any
set security policies from-zone DMZv4 to-zone trust policy Policy01 match destination-address any
set security policies from-zone DMZv4 to-zone trust policy Policy01 match application any
set security policies from-zone DMZv4 to-zone trust policy Policy01 then permit
set security policies from-zone trust to-zone DMZv6 policy Policy01 match source-address any
set security policies from-zone trust to-zone DMZv6 policy Policy01 match destination-address any
set security policies from-zone trust to-zone DMZv6 policy Policy01 match application any
set security policies from-zone trust to-zone DMZv6 policy Policy01 then permit
set security policies from-zone DMZv6 to-zone trust policy Policy01 match source-address any
set security policies from-zone DMZv6 to-zone trust policy Policy01 match destination-address any
set security policies from-zone DMZv6 to-zone trust policy Policy01 match application any
set security policies from-zone DMZv6 to-zone trust policy Policy01 then permit
set security policies from-zone DMZv4 to-zone DMZv6 policy Policy01 match source-address any
set security policies from-zone DMZv4 to-zone DMZv6 policy Policy01 match destination-address any
set security policies from-zone DMZv4 to-zone DMZv6 policy Policy01 match application any
set security policies from-zone DMZv4 to-zone DMZv6 policy Policy01 then permit
set security policies from-zone DMZv6 to-zone DMZv4 policy Policy01 match source-address any
set security policies from-zone DMZv6 to-zone DMZv4 policy Policy01 match destination-address any
set security policies from-zone DMZv6 to-zone DMZv4 policy Policy01 match application any
set security policies from-zone DMZv6 to-zone DMZv4 policy Policy01 then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/0.100 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.100 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/0.200 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.200 host-inbound-traffic system-services ssh
set security zones security-zone DMZv4 interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone DMZv6 interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 100 vlan-id 100
set interfaces ge-0/0/0 unit 100 family inet address 10.10.100.2/24
set interfaces ge-0/0/0 unit 200 vlan-id 200
set interfaces ge-0/0/0 unit 200 family inet6 address 2001:999::2/64
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8::ffff/64
set interfaces ge-0/0/2 unit 0 family inet address 172.16.100.254/24
set interfaces fxp0 unit 0
set routing-options rib inet6.0 static route 2001:db8:110::/64 next-hop 2001:999::1
set routing-options static route 172.16.110.0/24 next-hop 10.10.100.1

Site 2 (running 17.3 code)

root@vSRX-17.3R1> show configuration | display set | no-more 
set version 17.3R1.10
set system host-name vSRX-17.3R1
set system root-authentication encrypted-password "$6$6FZUak4n$6INXuka82AT9lXhhvNmBPd8KQa0gokqcOwV1.MFqsrwqNY0DInH2EggK8vQUDXJHJpX.CDZ466cGLP.NB/Bf81"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security nat source pool src-pool-110 address 172.16.110.0/24
set security nat source pool src-pool-110v6 address 2001:db8:110::/64
set security nat source rule-set rs-v4-out from zone DMZv4
set security nat source rule-set rs-v4-out to zone trust
set security nat source rule-set rs-v4-out rule r1 match source-address 172.16.100.0/24
set security nat source rule-set rs-v4-out rule r1 match destination-address 172.16.120.0/24
set security nat source rule-set rs-v4-out rule r1 then source-nat pool src-pool-110
set security nat source rule-set rs-v6-out from zone DMZv6
set security nat source rule-set rs-v6-out to zone trust
set security nat source rule-set rs-v6-out rule r1v6 match source-address 2001:db8::/64
set security nat source rule-set rs-v6-out rule r1v6 match destination-address 2001:db8:120::/64
set security nat source rule-set rs-v6-out rule r1v6 then source-nat pool src-pool-110v6
set security nat source rule-set V64-src from zone DMZv6
set security nat source rule-set V64-src to zone DMZv4
set security nat source rule-set V64-src rule 1 match source-address 2001:db8::/64
set security nat source rule-set V64-src rule 1 match destination-address 172.16.100.1/32
set security nat source rule-set V64-src rule 1 then source-nat interface
set security nat destination pool dst-v4-pool address 172.16.100.1/32
set security nat destination pool dst-v6-pool address 2001:db8::1/128
set security nat destination rule-set dst-v4-in from zone trust
set security nat destination rule-set dst-v4-in rule r1 match destination-address 172.16.110.1/32
set security nat destination rule-set dst-v4-in rule r1 then destination-nat pool dst-v4-pool
set security nat destination rule-set dst-v4-in rule r1v6 match destination-address 2001:db8:110::1/128
set security nat destination rule-set dst-v4-in rule r1v6 then destination-nat pool dst-v6-pool
set security nat static rule-set V64 from zone DMZv6
set security nat static rule-set V64 rule 1 match destination-address 2001:db8::9999/128
set security nat static rule-set V64 rule 1 then static-nat prefix 172.16.100.1/32
set security nat static rule-set v46 from zone DMZv4
set security nat static rule-set v46 rule 2 match source-address 172.16.100.1/32
set security nat static rule-set v46 rule 2 match destination-address 99.99.99.99/32
set security nat static rule-set v46 rule 2 then static-nat prefix 2001:db8::1/128
set security nat proxy-arp interface ge-0/0/0.100 address 172.16.110.1/32
set security nat proxy-arp interface ge-0/0/2.0 address 99.99.99.99/32
set security nat proxy-ndp interface ge-0/0/0.200 address 2001:db8:110::1/128
set security nat proxy-ndp interface ge-0/0/1.0 address 2001:db8::9999/128
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone DMZv4 policy Policy01 match source-address any
set security policies from-zone trust to-zone DMZv4 policy Policy01 match destination-address any
set security policies from-zone trust to-zone DMZv4 policy Policy01 match application any
set security policies from-zone trust to-zone DMZv4 policy Policy01 then permit
set security policies from-zone DMZv4 to-zone trust policy Policy01 match source-address any
set security policies from-zone DMZv4 to-zone trust policy Policy01 match destination-address any
set security policies from-zone DMZv4 to-zone trust policy Policy01 match application any
set security policies from-zone DMZv4 to-zone trust policy Policy01 then permit
set security policies from-zone trust to-zone DMZv6 policy Policy01 match source-address any
set security policies from-zone trust to-zone DMZv6 policy Policy01 match destination-address any
set security policies from-zone trust to-zone DMZv6 policy Policy01 match application any
set security policies from-zone trust to-zone DMZv6 policy Policy01 then permit
set security policies from-zone DMZv6 to-zone trust policy Policy01 match source-address any
set security policies from-zone DMZv6 to-zone trust policy Policy01 match destination-address any
set security policies from-zone DMZv6 to-zone trust policy Policy01 match application any
set security policies from-zone DMZv6 to-zone trust policy Policy01 then permit
set security policies from-zone DMZv4 to-zone DMZv6 policy Policy01 match source-address any
set security policies from-zone DMZv4 to-zone DMZv6 policy Policy01 match destination-address any
set security policies from-zone DMZv4 to-zone DMZv6 policy Policy01 match application any
set security policies from-zone DMZv4 to-zone DMZv6 policy Policy01 then permit
set security policies from-zone DMZv6 to-zone DMZv4 policy Policy01 match source-address any
set security policies from-zone DMZv6 to-zone DMZv4 policy Policy01 match destination-address any
set security policies from-zone DMZv6 to-zone DMZv4 policy Policy01 match application any
set security policies from-zone DMZv6 to-zone DMZv4 policy Policy01 then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/0.100 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.100 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/0.200 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.200 host-inbound-traffic system-services ssh
set security zones security-zone DMZv4 interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone DMZv6 interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 100 vlan-id 100
set interfaces ge-0/0/0 unit 100 family inet address 10.10.100.1/24
set interfaces ge-0/0/0 unit 200 vlan-id 200
set interfaces ge-0/0/0 unit 200 family inet6 address 2001:999::1/64
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8::ffff/64
set interfaces ge-0/0/2 unit 0 family inet address 172.16.100.254/24
set interfaces fxp0 unit 0
set routing-options rib inet6.0 static route 2001:db8:120::/64 next-hop 2001:999::2
set routing-options static route 172.16.120.0/24 next-hop 10.10.100.2
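
The same address handling as the SRX performs it, modelled in Python. This is an added example, not code from this page or from Juniper: it reproduces what the Gemini rules in the first NAT64 post and the V64/V64-src rules of Site 1 and Site 2 above do to a session's addresses and ports (static NAT before route lookup, source-nat interface after policy lookup, and reverse translation of the reply through the session table). The port picked for interface PAT and the session key are assumptions (the real box chooses its own ports); ICMPv6/ICMPv4 header translation, DNS64 and policy evaluation are left out.

```python
"""
Address-level model of the NAT64 rules on Gemini (first post) and Site 1 / Site 2
(second post). Added example, not Junos code: it shows the effect of static NAT,
'source-nat interface' and session-based reverse translation on addresses/ports.
"""
from dataclasses import dataclass
from ipaddress import (IPv4Address, IPv4Network, IPv6Address, IPv6Network,
                       ip_address, ip_network)
from typing import Dict, Optional, Tuple, Union

Addr = Union[IPv4Address, IPv6Address]
Net = Union[IPv4Network, IPv6Network]

# Values taken from the Gemini configuration on this page.
GEMINI_CLIENTS = ip_network("2001:d88::/64")           # V64-src 'match source-address'
GEMINI_STATIC_MATCH = ip_network("2001:d88::253/128")  # V64 'match destination-address'
GEMINI_STATIC_PREFIX = ip_network("172.16.7.100/32")   # V64 'then static-nat prefix'
GEMINI_EGRESS_V4 = ip_address("172.16.2.2")            # ge-0/0/4.0, 'source-nat interface'
PAT_FIRST_PORT = 1024  # assumption: the SRX allocates its own ports, any free one works


@dataclass(frozen=True)
class Flow:
    src: Addr
    dst: Addr
    sport: int
    dport: int


def static_nat(addr: Addr, match: Net, prefix: Net) -> Optional[Addr]:
    """1:1 prefix mapping as done by 'static-nat prefix': the host part of addr
    (its offset inside 'match') is kept and placed inside 'prefix'. For a
    /128 -> /32 rule the offset is always 0; a /120 -> /24 rule maps a whole
    block the same way. Both prefixes must leave the same number of host bits."""
    if addr not in match:          # version mismatch also yields False here
        return None
    if (match.max_prefixlen - match.prefixlen) != (prefix.max_prefixlen - prefix.prefixlen):
        raise ValueError("static-nat: match and prefix must have the same number of host bits")
    return prefix.network_address + (int(addr) - int(match.network_address))


class Nat64:
    """Stateful NAT64 for one client prefix, one static mapping, one egress interface."""

    def __init__(self, clients: Net = GEMINI_CLIENTS, match: Net = GEMINI_STATIC_MATCH,
                 prefix: Net = GEMINI_STATIC_PREFIX, egress: Addr = GEMINI_EGRESS_V4) -> None:
        self.clients, self.match, self.prefix, self.egress = clients, match, prefix, egress
        self._next_port = PAT_FIRST_PORT
        # (IPv4 server, PAT port on the egress interface) -> original IPv6 flow (assumed key)
        self._sessions: Dict[Tuple[Addr, int], Flow] = {}

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """First packet of a CLIENTS -> WAN session. Returns the packet as it leaves
        the egress interface, or None when no rule matches (the SRX would then
        route it as plain IPv6, which is what happens for every other destination)."""
        if flow.src not in self.clients:
            return None
        dst4 = static_nat(flow.dst, self.match, self.prefix)   # static NAT runs first
        if dst4 is None:
            return None
        port = self._next_port          # 'source-nat interface' is PAT: new source port
        self._next_port += 1
        out = Flow(src=self.egress, dst=dst4, sport=port, dport=flow.dport)
        self._sessions[(dst4, port)] = flow
        return out

    def reply(self, flow: Flow) -> Optional[Flow]:
        """WAN -> CLIENTS packet. No NAT rule is consulted: the session created by
        outbound() is looked up via (server address, PAT port) and reversed.
        Anything without a session (an unsolicited packet to the egress address)
        is dropped, so the IPv4 side cannot initiate towards the clients."""
        orig = self._sessions.get((flow.src, flow.dport))
        if orig is None or flow.dst != self.egress:
            return None
        return Flow(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


if __name__ == "__main__":
    nat = Nat64()
    first = Flow(ip_address("2001:d88::10"), ip_address("2001:d88::253"), 40000, 80)
    wire = nat.outbound(first)
    print("CLIENTS->WAN:", first, "->", wire)
    answer = Flow(wire.dst, wire.src, wire.dport, wire.sport)
    print("WAN->CLIENTS:", answer, "->", nat.reply(answer))
```

Two things the model cannot show but which decide whether the lab works: the proxy-ndp line is what makes the SRX answer neighbor solicitations for 2001:d88::253 (or 2001:db8::8888 / 2001:db8::9999), an address that is not configured on any of its interfaces; without it the client never resolves the target and the static rule is never hit. And the NAT46 targets 88.88.88.88 and 99.99.99.99 in the second post are public addresses that belong to someone else; that is harmless in an isolated lab, but use RFC 1918 or RFC 5737 space anywhere the box can reach the Internet.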

Hope this helps you all.

Junos service restart via cron job

Some days ago we had trouble on one of our QFXes where the jdhcpd daemon would consume 100% CPU and "crash", resulting in users not getting IPs anymore.
While TAC is still investigating, I made a quick workaround for this: the DHCP Sheriff 😉

#!/bin/sh
# DHCP Sheriff: restart jdhcpd when its CPU share is above a threshold.
# Runs from root's crontab on the QFX (see the steps below). The log lands in
# /var/log so it can be read from the CLI with "show log dhcp-sheriff.log".

LOG=/var/log/dhcp-sheriff.log
desired="1.00"   # threshold in percent, adjust to taste

# On this box the WCPU value of jdhcpd (e.g. "12.34%") is column 10 of the
# top output; check with "top -b -d 1 | head" and adjust $10 if your column
# layout differs. Only the first jdhcpd line is used and the "%" is stripped.
current=$(top -b -d 1 | awk '/jdhcpd/ { sub(/%/, "", $10); print $10; exit }')

date >> "$LOG"

if [ -z "$current" ]; then
    echo "jdhcpd not found in top output - nothing to compare" >> "$LOG"
# Compare as numbers via awk; the earlier string comparison only worked for
# two-digit fractions. awk exits 0 (true) when current > desired.
elif awk -v c="$current" -v d="$desired" 'BEGIN { exit !(c > d) }'; then
    echo "The current load of dhcp-service (${current}%) is above ${desired}% - restarting the service" >> "$LOG"
    cli -c "restart dhcp-service" >> "$LOG" 2>&1
else
    echo "The current load of dhcp-service (${current}%) is at or below ${desired}% - no action needed" >> "$LOG"
fi
echo "" >> "$LOG"

This script restarts the service if the load of the service is above 1% (adjustable); it can easily be adapted to other services and thresholds.

1.) Log in as root and in the shell type: vi /var/tmp/dhcp-sheriff.sh

2.) Press "i" and paste the above lines, followed by [Esc]. Save and quit with :wq

3.)
chmod +x /var/tmp/dhcp-sheriff.sh

4.)
crontab -e
0 */8 * * * sh /var/tmp/dhcp-sheriff.sh
(runs it every 8 hours)

5.) Verify the entry:
crontab -l
0 */8 * * * sh /var/tmp/dhcp-sheriff.sh

6.) In the CLI, after the job has run, check the result via show log dhcp-sheriff.log

Feel free to use this to your advantage; hopefully this will be a workaround for you in urgent times until a fix is released.
This is only a workaround: do not use it in production for a long time, and use it at your own risk.