{
    "version": "https://jsonfeed.org/version/1",
    "title": "blog.msbnet.co.uk",
    "description": "",
    "home_page_url": "https://blog.msbnet.co.uk",
    "feed_url": "https://blog.msbnet.co.uk/feed.json",
    "user_comment": "",
    "author": {
        "name": "Michael Bowen"
    },
    "items": [
        {
            "id": "https://blog.msbnet.co.uk/cloudflare-adds-kompressor-to-its-engineering-toolset/",
            "url": "https://blog.msbnet.co.uk/cloudflare-adds-kompressor-to-its-engineering-toolset/",
            "title": "Cloudflare adds Kompressor to its engineering toolset...",
            "summary": "...I can dream :) Unfortunately, Cloudflare suffered an outage yesterday. Here's the blurb: Today a configuration error in our backbone network caused an outage for Internet properties and Cloudflare services that lasted 27 minutes. We saw traffic drop by about 50% across our network. Because&hellip;",
            "content_html": "<p>...I can dream :)</p>\n<figure class=\"size-full wp-image-470 aligncenter\"><a href=\"https://github.com/msbnetcouk/Kompressor\"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/10/img_5f1341cc595bd.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/10/responsive/img_5f1341cc595bd-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/10/responsive/img_5f1341cc595bd-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/10/responsive/img_5f1341cc595bd-md.png 768w ,https://blog.msbnet.co.uk/media/posts/10/responsive/img_5f1341cc595bd-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/10/responsive/img_5f1341cc595bd-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/10/responsive/img_5f1341cc595bd-2xl.png 1600w\"  alt=\"\"></a></figure>\n<p> </p>\n<p>Unfortunately, Cloudflare suffered an outage yesterday. Here's the blurb:</p>\n<blockquote>\n<p>Today a configuration error in our backbone network caused an outage for Internet properties and Cloudflare services that lasted 27 minutes. We saw traffic drop by about 50% across our network. Because of the architecture of our backbone this outage didn’t affect the entire Cloudflare network and was localized to certain geographies.</p>\n<p>https://blog.cloudflare.com/cloudflare-outage-on-july-17-2020/</p>\n</blockquote>\n<p> </p>\n<p>Cloudflare went into some depth to describe the problem, which was nice to see. The following snippet is from the router in question.</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">from {\n    prefix-list 6-SITE-LOCAL;\n}\nthen {\n    local-preference 200;\n    community add SITE-LOCAL-ROUTE;\n    community add ATL01;\n    community add NORTH-AMERICA;\n    accept;\n}</pre>\n<p> </p>\n<blockquote>\n<p>As there was backbone congestion in Atlanta, the team had decided to remove some of Atlanta’s backbone traffic. 
But instead of removing the Atlanta routes from the backbone, a one line change started leaking all BGP routes into the backbone. The correct change would have been to deactivate the <strong>term</strong> instead of the <strong>prefix-list</strong>.</p>\n</blockquote>\n<p> </p>\n<p>We've all been there, I'm sure!</p>\n<p>That moment you commit a BGP change and a sense of dread floods every part of your body as you realise you've just broken the internet. Sometimes, it's nice to have a way to check your work because even the most diligent engineers can make mistakes.</p>\n<p><a href=\"https://github.com/msbnetcouk/Kompressor\">Kompressor</a> is a project I've been working on that is designed to help busy network engineers, not replace them :)</p>\n<p><a href=\"https://github.com/msbnetcouk/Kompressor\">https://github.com/msbnetcouk/Kompressor</a></p>",
            "author": {
                "name": "Michael Bowen"
            },
            "tags": [
                   "Networks &amp; Security"
            ],
            "date_published": "2020-07-18T19:52:44+01:00",
            "date_modified": "2020-11-14T18:25:22+00:00"
        },
        {
            "id": "https://blog.msbnet.co.uk/kompressor/",
            "url": "https://blog.msbnet.co.uk/kompressor/",
            "title": "Kompressor",
            "summary": "Kompressor You're a project network engineer. You arrive at the office. The group calendar shows there are twenty services to migrate this week. You've never logged in to these firewalls before. You've never seen the services that need to be migrated before. Each firewall is&hellip;",
            "content_html": "<figure class=\"wp-image-432 aligncenter align-center\"><img loading=\"lazy\"  style=\"outline: 3px solid rgba(var(--primary-color-rgb), 0.55)  !important;\" src=\"https://blog.msbnet.co.uk/media/posts/8/img_5ebdc54d89f7b.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/8/responsive/img_5ebdc54d89f7b-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/8/responsive/img_5ebdc54d89f7b-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/8/responsive/img_5ebdc54d89f7b-md.png 768w ,https://blog.msbnet.co.uk/media/posts/8/responsive/img_5ebdc54d89f7b-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/8/responsive/img_5ebdc54d89f7b-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/8/responsive/img_5ebdc54d89f7b-2xl.png 1600w\"  alt=\"\" width=\"274\" height=\"185\"></figure>\n<p class=\"align-center\" style=\"text-align: center;\"><span style=\"font-size: 18pt; font-family: arial black, sans-serif;\">Kompressor</span></p>\n<p> </p>\n<p>You're a project network engineer.</p>\n<p>You arrive at the office. The group calendar shows there are twenty services to migrate this week.</p>\n<p>You've never logged in to these firewalls before.<br>You've never seen the services that need to be migrated before.<br>Each firewall is considered critical national infrastructure.<br>Lives could be at stake.</p>\n<p>There are at least two other engineers on your team. There is no work scheduling or queue. You've no idea who has started work on what.</p>\n<p>After thumbing through the 200-page LLD for the information you need, you log in to the first firewall.</p>\n<p>You issue the command <em>show system commit</em> to find at least two other people have committed changes to this box today. You can see at least half of the change is present in the config but due to the length and complexity, it's not immediately obvious, from the CLI, whether this change has been successful.</p>\n<p>You catch a glimpse of the time. 
It's lunchtime and you've achieved nothing.</p>\n<p> </p>\n<p>msbnet::<strong>Kompressor</strong> - <a href=\"https://github.com/msbnetcouk/Kompressor\">https://github.com/msbnetcouk/Kompressor</a></p>",
            "author": {
                "name": "Michael Bowen"
            },
            "tags": [
                   "Networks &amp; Security"
            ],
            "date_published": "2020-05-14T23:32:40+01:00",
            "date_modified": "2020-11-14T18:26:15+00:00"
        },
        {
            "id": "https://blog.msbnet.co.uk/the-best-tool-for-the-job/",
            "url": "https://blog.msbnet.co.uk/the-best-tool-for-the-job/",
            "title": "The best tool for the job?",
            "summary": "For SRE, any manual, structurally mandated operational task is abhorrent. As a contract network engineer, I tend to move around a bit. I get to work in lots of different places with lots of different people which is quite fun. Recently, I was asked to&hellip;",
            "content_html": "<blockquote>\n<p>For SRE, any manual, structurally mandated operational task is abhorrent.</p>\n</blockquote>\n<p> </p>\n<p>As a contract network engineer, I tend to move around a bit. I get to work in lots of different places with lots of different people which is quite fun. Recently, I was asked to configure a few boxes <em>(Juniper SRXs)</em> for a service that was being migrated. In some places, the work changes day by day but occasionally, you start to see the same jobs come around which opens up the inevitable question... <em>\"Is there a better way?\"</em></p>\n<p>What's my definition of better? Minimum effective dose, as Tim Ferriss says.</p>\n<p>Before heading straight to the Ansible <em>(or similar CoolTooling of the moment)</em> download page, it's worth remembering that I could be gone any day and some organisations take months <em>(I tried to get TCPping added to the toolset whitelist in one such place...)</em> to sign off new tooling. This is especially true in roles that demand Security Clearance. It's also worth remembering that junior engineers cut their teeth on jobs like this where visibility of the syntax is essential. 
To this end, the XML equivalent of the commit is not always desirable.</p>\n<p>A rough outline of the service configuration, in this particular instance, was as follows:</p>\n<p><strong># Set up the interface with the appropriate VLAN, IP address and subnet mask:</strong><br>set interfaces ge-0/0/4 vlan-tagging<br>set interfaces ge-0/0/4 unit 333 vlan-id 333<br>set interfaces ge-0/0/4 unit 333 family inet address 10.33.33.1/29</p>\n<p><strong># Add the interface to the relevant VRF:</strong><br>set routing-instances LOB interface ge-0/0/4.333</p>\n<p><strong># Add the interface and prefix to the address book within the relevant zone:</strong><br>set security zones security-zone SERVICE1 address-book address SERVICE1NET 10.33.33.0/29<br>set security zones security-zone SERVICE1 interfaces ge-0/0/4.333</p>\n<p><strong># Create the prefix list and the BGP community:</strong><br>set policy-options prefix-list SERVICE1NET 10.33.33.0/29<br>set policy-options community SERVICE1 members 65001:333</p>\n<p><strong># Create the export policy to tag the community:</strong><br>set policy-options policy-statement Export_to_LOB term SERVICE1 from prefix-list SERVICE1NET<br>set policy-options policy-statement Export_to_LOB term SERVICE1 then community add SERVICE1<br>set policy-options policy-statement Export_to_LOB term SERVICE1 then accept</p>\n<p><strong># Create the security policy:</strong><br>set security policies from-zone SERVICE1 to-zone LOB policy SERVICE1_Access match source-address SERVICE1NET<br>set security policies from-zone SERVICE1 to-zone LOB policy SERVICE1_Access match destination-address any<br>set security policies from-zone SERVICE1 to-zone LOB policy SERVICE1_Access match application any<br>set security policies from-zone SERVICE1 to-zone LOB policy SERVICE1_Access then permit<br>set security policies from-zone SERVICE1 to-zone LOB policy SERVICE1_Access then log session-init</p>\n<p>The same VLAN ID was used for this service at each site which means we 
have four variables we need to consider:</p>\n<p>1. The base interface <em>(ge-0/0/4)</em><br>2. The interface IP <em>(10.33.33.1/29)</em><br>3. The address-book entry <em>(10.33.33.0/29)</em><br>4. The prefix-list entry <em>(10.33.33.0/29)</em></p>\n<p>With the last two being identical, we'll only need to supply three arguments as the input to whichever script we create to generate a complete configuration to be pushed to the device. Part of me immediately wondered if I could just use the first two. It seemed possible the prefix-list entry might take 10.33.33.1/29 as input and automatically convert it to 10.33.33.0/29 for me:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">{primary:node0}[edit]\nroot@msbnet_node0# set policy-options prefix-list SERVICE1NET 10.33.33.1/29  \nerror: host portion is not zero (10.33.33.0/29): 10.33.33.1/29</pre>\n<p>Negative on that, Houston!</p>\n<p>Fine! What about the address-book entry, though?</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">{primary:node0}[edit]\nroot@msbnet_node0# set security zones security-zone SERVICE1 address-book address SERVICE1NET 10.33.33.1/29     \n\n{primary:node0}[edit]\nroot@msbnet_node0# commit check                                               \n[edit security zones security-zone SERVICE1 address-book]\n  'address SERVICE1NET'\n    Invalid address entry\nerror: configuration check-out failed</pre>\n<p>That's a negative, too, it seems!</p>\n<p>So I created a batch script which took those three essential arguments, swapped them into the variables in a template and then echoed the results to a file. That worked well enough for that day as I needed to get those services live ASAP but that night, I wondered how I might be able to get that down to just two arguments and have the script work out the network address itself. 
I had no idea how I was going to do this but I did have the vaguest recollection, from my CCNA days, bouncing around the back of my head...</p>\n<blockquote>\n<p>Computers deduce their network address by performing a logical AND on the binary equivalent of the IP address.</p>\n</blockquote>\n<p> </p>\n<p>So I started Googling 'logical AND' and then rummaging through StackOverflow and GitHub. Someone must have solved this problem before...?</p>\n<p>After several minutes of ingesting a dizzying array of complex-sounding terms, I decided to re-familiarise myself with the basics. From Wikipedia:</p>\n<blockquote>\n<p>Logical conjunction is often used for bitwise operations, where 0 corresponds to false and 1 to true:</p>\n<p>0 AND 0 = 0<br>0 AND 1 = 0<br>1 AND 0 = 0<br>1 AND 1 = 1</p>\n<p>The AND of a set of operands/inputs is true if and only if ALL of its operands are true.</p>\n</blockquote>\n<p> </p>\n<p>It was at this point I realised I'd been googling the wrong thing. It seemed what I was actually trying to achieve was a 'bitwise AND'. It is the bitwise AND which takes a normal number <em>(or tiny integer if you prefer)</em>, converts it to its binary form and <strong>then</strong> performs a logical AND on each pair of corresponding bits. This subtle difference cost me a good few hours!</p>\n<p>A quick example for our use case:</p>\n<p> </p>\n<p>An IP <em>(IPv4)</em> address is said to be a 32 bit address, written in 'dot decimal' notation. A better description might be that it's four lots of 8 bit addresses <em>(octets)</em> wedged together by a period/full stop: 10.33.33.1</p>\n<p>An 8 bit address simply means there are a maximum of 8 bits or place holders available to represent a number. 
Imagine a table, with 8 fields, that are labelled like this:</p>\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr>\n<td style=\"width: 12.5%; text-align: center;\"><strong>128</strong></td>\n<td style=\"width: 12.5%; text-align: center;\"><strong>64</strong></td>\n<td style=\"width: 12.5%; text-align: center;\"><strong>32</strong></td>\n<td style=\"width: 12.5%; text-align: center;\"><strong>16</strong></td>\n<td style=\"width: 12.5%; text-align: center;\"><strong>8</strong></td>\n<td style=\"width: 12.5%; text-align: center;\"><strong>4</strong></td>\n<td style=\"width: 12.5%; text-align: center;\"><strong>2</strong></td>\n<td style=\"width: 12.5%; text-align: center;\"><strong>1</strong></td>\n</tr>\n<tr>\n<td style=\"width: 12.5%;\"> </td>\n<td style=\"width: 12.5%;\"> </td>\n<td style=\"width: 12.5%;\"> </td>\n<td style=\"width: 12.5%;\"> </td>\n<td style=\"width: 12.5%;\"> </td>\n<td style=\"width: 12.5%;\"> </td>\n<td style=\"width: 12.5%;\"> </td>\n<td style=\"width: 12.5%;\"> </td>\n</tr>\n</tbody>\n</table>\n<p>You can place the digit <strong>one</strong> or <strong>zero</strong> in any field. The maximum value we can represent is 255. We would do this by placing the digit one in all eight columns. If we wanted to represent a number higher than 255, we'd need more bits. Going left, each additional field added would double the size of the one that preceded it.</p>\n<p>Back to 8 bits. Let's work out, for example, my age in binary. 
I'm 37.</p>\n<p>Starting from the <strong>leftmost bit</strong>, sometimes referred to as the <strong>most significant bit</strong>, navigate from left to right until you find a column where your age fits within either perfectly or with a remainder:</p>\n<p>128 = no<br>64 = no<br>32 = yes, remainder 5!</p>\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>128</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>64</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>32</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>16</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>8</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>4</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>2</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>1</strong></td>\n</tr>\n<tr>\n<td style=\"width: 12.5376%;\"> </td>\n<td style=\"width: 12.5376%;\"> </td>\n<td style=\"width: 12.5376%; text-align: center;\">1</td>\n<td style=\"width: 12.5376%;\"> </td>\n<td style=\"width: 12.5376%;\"> </td>\n<td style=\"width: 12.5376%;\"> </td>\n<td style=\"width: 12.5376%;\"> </td>\n<td style=\"width: 12.5376%;\"> </td>\n</tr>\n</tbody>\n</table>\n<p>We've now accounted for 32 out of the 37 total years. 
Where do we put the remaining 5?</p>\n<p>16 = no<br>8 = no<br>4 = yes, remainder 1!</p>\n<table style=\"border-collapse: collapse; width: 100%; height: 44px;\">\n<tbody>\n<tr style=\"height: 22px;\">\n<td style=\"width: 12.5376%; text-align: center; height: 22px;\"><strong>128</strong></td>\n<td style=\"width: 12.5376%; text-align: center; height: 22px;\"><strong>64</strong></td>\n<td style=\"width: 12.5376%; text-align: center; height: 22px;\"><strong>32</strong></td>\n<td style=\"width: 12.5376%; text-align: center; height: 22px;\"><strong>16</strong></td>\n<td style=\"width: 12.5376%; text-align: center; height: 22px;\"><strong>8</strong></td>\n<td style=\"width: 12.5376%; text-align: center; height: 22px;\"><strong>4</strong></td>\n<td style=\"width: 12.5376%; text-align: center; height: 22px;\"><strong>2</strong></td>\n<td style=\"width: 12.5376%; text-align: center; height: 22px;\"><strong>1</strong></td>\n</tr>\n<tr style=\"height: 22px;\">\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"> </td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"> </td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">1</td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"> </td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"> </td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">1</td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"> </td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"> </td>\n</tr>\n</tbody>\n</table>\n<p>2 = no<br>1 = yes, perfect fit!</p>\n<table style=\"border-collapse: collapse; width: 100%; height: 44px;\">\n<tbody>\n<tr style=\"height: 22px;\">\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"><strong>128</strong></td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"><strong>64</strong></td>\n<td style=\"width: 12.5376%; height: 22px; text-align: 
center;\"><strong>32</strong></td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"><strong>16</strong></td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"><strong>8</strong></td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"><strong>4</strong></td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"><strong>2</strong></td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"><strong>1</strong></td>\n</tr>\n<tr style=\"height: 22px;\">\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"> </td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"> </td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">1</td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"> </td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"> </td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">1</td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\"> </td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">1</td>\n</tr>\n</tbody>\n</table>\n<p>Put zeros in any remaining columns:</p>\n<table style=\"border-collapse: collapse; width: 100%; height: 47px;\">\n<tbody>\n<tr style=\"height: 25px;\">\n<td style=\"width: 12.5376%; height: 25px; text-align: center;\"><strong>128</strong></td>\n<td style=\"width: 12.5376%; height: 25px; text-align: center;\"><strong>64</strong></td>\n<td style=\"width: 12.5376%; height: 25px; text-align: center;\"><strong>32</strong></td>\n<td style=\"width: 12.5376%; height: 25px; text-align: center;\"><strong>16</strong></td>\n<td style=\"width: 12.5376%; height: 25px; text-align: center;\"><strong>8</strong></td>\n<td style=\"width: 12.5376%; height: 25px; text-align: center;\"><strong>4</strong></td>\n<td style=\"width: 12.5376%; height: 25px; text-align: center;\"><strong>2</strong></td>\n<td style=\"width: 12.5376%; height: 25px; text-align: 
center;\"><strong>1</strong></td>\n</tr>\n<tr style=\"height: 22px;\">\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">0</td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">0</td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">1</td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">0</td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">0</td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">1</td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">0</td>\n<td style=\"width: 12.5376%; height: 22px; text-align: center;\">1</td>\n</tr>\n</tbody>\n</table>\n<p>Now write out the set of zeros and ones and we have my age, in 8 bit binary: <strong>00100101</strong></p>\n<p>Armed with this information, let's attempt to, manually, perform a bitwise AND on the IP address we've specified earlier against the subnet mask we also specified; 10.33.33.1/29.</p>\n<p>Let's do the IP first. Take each octet in turn and convert it into the binary equivalent.</p>\n<p>00001010.00100001.00100001.00000001 = 10.33.33.1</p>\n<p>This leaves us with the subnet mask. Sometimes, the subnet mask will be written in the same format as the IP address - dot decimal - and sometimes it will be written in shorthand or 'CIDR' notation. /29 is an example of CIDR notation.</p>\n<p><strong>/29 simply means the first 29 bits of the subnet mask, from the most significant bit, are set to one.</strong> The remaining bits will be set to zero.</p>\n<p>For prefixes longer than 24 bits (<em>the overwhelming majority of all prefixes you're likely to configure on Customer Edge devices</em>), the first three octets will always be 'maxed out'. This means we can skip to the last octet just like we did before. 
Let's set the first five bits of the last octet to one and see what value that gives us:</p>\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>128</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>64</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>32</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>16</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>8</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>4</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>2</strong></td>\n<td style=\"width: 12.5376%; text-align: center;\"><strong>1</strong></td>\n</tr>\n<tr>\n<td style=\"width: 12.5376%; text-align: center;\">1</td>\n<td style=\"width: 12.5376%; text-align: center;\">1</td>\n<td style=\"width: 12.5376%; text-align: center;\">1</td>\n<td style=\"width: 12.5376%; text-align: center;\">1</td>\n<td style=\"width: 12.5376%; text-align: center;\">1</td>\n<td style=\"width: 12.5376%; text-align: center;\">0</td>\n<td style=\"width: 12.5376%; text-align: center;\">0</td>\n<td style=\"width: 12.5376%; text-align: center;\">0</td>\n</tr>\n</tbody>\n</table>\n<p>128 + 64 + 32 + 16 + 8 = <strong>248</strong></p>\n<figure class=\"wp-image-331 aligncenter\"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/6/img_5e485db32d8aa.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/6/responsive/img_5e485db32d8aa-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/6/responsive/img_5e485db32d8aa-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/6/responsive/img_5e485db32d8aa-md.png 768w ,https://blog.msbnet.co.uk/media/posts/6/responsive/img_5e485db32d8aa-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/6/responsive/img_5e485db32d8aa-xl.png 1360w 
,https://blog.msbnet.co.uk/media/posts/6/responsive/img_5e485db32d8aa-2xl.png 1600w\"  alt=\"\" width=\"313\" height=\"329\"></figure>\n<p>The calculator appears to agree!<br>To summarise:</p>\n<p>/29 = 8 bits.8 bits.8 bits.<strong>5 bits</strong><br>/29 = 11111111.11111111.11111111.<strong>11111000</strong><br>/29 = 255.255.255.<strong>248</strong></p>\n<p> </p>\n<p>Now that we have the binary representation of both, we can attempt the logical AND. We do this by comparing the most significant bit of <strong>A</strong> with the most significant bit of <strong>B</strong> with the <em>all or nothing</em> mindset that epitomises a logical AND.</p>\n<p>We'll put the result into <strong>C</strong>. If they're not both 1, the result is 0.</p>\n<p>Why are we doing this again? We hope the result of performing a logical AND on A <em>(IP address)</em> and B <em>(subnet mask)</em> will yield the network/base address in C which will save us from having to manually work it out and submit it as a script argument for the next 100 potential sites. 
We'll use the <strong>&amp;</strong> operator below to indicate we're performing a logical AND.</p>\n<p>A: <span style=\"color: #ff6600;\">00001010</span>.<span style=\"color: #808000;\">00100001</span>.<span style=\"color: #00ccff;\">00100001</span>.<span style=\"color: #cc99ff;\">00000001</span> <em>(10.33.33.1)</em><br>B: <span style=\"color: #ff6600;\">11111111</span>.<span style=\"color: #808000;\">11111111</span>.<span style=\"color: #00ccff;\">11111111</span>.<span style=\"color: #cc99ff;\">11111000</span> <em>(255.255.255.248)</em></p>\n<p><span style=\"color: #ff6600;\"><strong>First octet</strong><br>0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #ff6600;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #ff6600;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #ff6600;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #ff6600;\">1&amp;1</span>=<span style=\"color: #993366;\">1</span><br><span style=\"color: #ff6600;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #ff6600;\">1&amp;1</span>=<span style=\"color: #993366;\">1</span><br><span style=\"color: #ff6600;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span></p>\n<p><span style=\"color: #808000;\"><strong>Second octet</strong><br>0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #808000;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #808000;\">1&amp;1</span>=<span style=\"color: #993366;\">1</span><br><span style=\"color: #808000;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #808000;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #808000;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #808000;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span 
style=\"color: #808000;\">1&amp;1</span>=<span style=\"color: #993366;\">1</span></p>\n<p><span style=\"color: #00ccff;\"><strong>Third octet</strong><br>0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #00ccff;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #00ccff;\">1&amp;1</span>=<span style=\"color: #993366;\">1</span><br><span style=\"color: #00ccff;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #00ccff;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #00ccff;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #00ccff;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #00ccff;\">1&amp;1</span>=<span style=\"color: #993366;\">1</span></p>\n<p><span style=\"color: #cc99ff;\"><strong>Fourth octet</strong><br>0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #cc99ff;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #cc99ff;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #cc99ff;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #cc99ff;\">0&amp;1</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #cc99ff;\">0&amp;0</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #cc99ff;\">0&amp;0</span>=<span style=\"color: #993366;\">0</span><br><span style=\"color: #cc99ff;\">1&amp;0</span>=<span style=\"color: #993366;\">0</span></p>\n<p><strong>Result</strong><br>C: <span style=\"color: #993366;\">00001010</span>.<span style=\"color: #993366;\">00100001</span>.<span style=\"color: #993366;\">00100001</span>.<span style=\"color: #993366;\">00000000</span><em> (10.33.33.0) &lt;------ As expected, the network address is zero in this instance. The theory holds!<br></em></p>\n<p>Now, the actual work can begin. 
Let's remind ourselves of the desired outcome. I want to run a script and specify the absolute minimum number of arguments in order to generate the configuration for SERVICE1. Something like:</p>\n<p>script.bat &lt;ARG1&gt; &lt;ARG2&gt;<br>SERVICE1.bat ge-0/0/4 10.33.33.1/29</p>\n<p>The quickest way forward now would be to create a first draft of sorts that simply accepts a prefix as input and then echoes the subsequent network address back to us.</p>\n<p> </p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"msdos\">@echo off\nset ADDR=\"%1\"\nset C=255.255.255.\nfor /f \"tokens=4 delims=./\" %%a in (%ADDR%) do set OCTET4=%%a\nfor /f \"tokens=1,2,3 delims=.\" %%x in (%ADDR%) do set OCTET123=%%x.%%y.%%z.\nfor /f \"tokens=2 delims=/ \" %%m in (%ADDR%) do set SLASH=%%m\nset /a MASKOCTET4=\"255 - (255 &gt;&gt; (%SLASH%-24))\"\nset SUBNETMASK=%C%%MASKOCTET4%\nset /a SUBN=\"%OCTET4% &amp; %MASKOCTET4%\"\necho.\necho NETWORK ADDRESS: %OCTET123%%SUBN%/%SLASH%\necho SUBNET MASK: %SUBNETMASK%</pre>\n<p>Save this file with a .bat extension <em>(prefix.bat)</em> and then call it from a command prompt:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">C:\\Users\\Michael&gt;prefix 10.33.33.1/29\n\nNETWORK ADDRESS: 10.33.33.0/29\nSUBNET MASK:     255.255.255.248</pre>\n<p>Job done!</p>\n<p>So what exactly are we doing here? Essentially, we chop up the prefix into more usable chunks before re-assembling it and spitting it out at the end. We also perform a logical shift <em>(where, using the table above, we simply fast forward over the bits)</em> to calculate MASKOCTET4 using the CIDR notation from the prefix to calculate how many bits to shift right. 
Finally, we perform the bitwise AND on the fourth octet of the prefix vs the fourth octet of the calculated subnet mask.</p>\n<p>The easiest way to see what's going on is to echo the variables out as we're setting / calculating them:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"msdos\">@echo off\necho.\nset ADDR=\"%1\"\nset C=255.255.255.\nfor /f \"tokens=4 delims=./\" %%a in (%ADDR%) do set OCTET4=%%a\necho OCTET4:          %OCTET4%\nfor /f \"tokens=1,2,3 delims=.\" %%x in (%ADDR%) do set OCTET123=%%x.%%y.%%z.\necho OCTET123:        %OCTET123%\nfor /f \"tokens=2 delims=/ \" %%m in (%ADDR%) do set SLASH=%%m\necho SLASH:           %SLASH%\nset /a MASKOCTET4=\"255 - (255 &gt;&gt; (%SLASH%-24))\"\necho MASKOCTET4:      %MASKOCTET4%\nset SUBNETMASK=%C%%MASKOCTET4%\nset /a SUBN=\"%OCTET4% &amp; %MASKOCTET4%\"\necho SUBN:            %SUBN%\necho.\necho NETWORK ADDRESS: %OCTET123%%SUBN%/%SLASH%\necho SUBNET MASK:     %SUBNETMASK%</pre>\n<p>Save this file with a .bat extension <em>(prefix_debug.bat)</em> and then call it from a command prompt and try a few prefixes:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"msdos\">C:\\Users\\Michael&gt;prefix_debug 10.33.33.1/29\n\nOCTET4:          1\nOCTET123:        10.33.33.\nSLASH:           29\nMASKOCTET4:      248\nSUBN:            0\n\nNETWORK ADDRESS: 10.33.33.0/29\nSUBNET MASK:     255.255.255.248\n\nC:\\Users\\Michael&gt;prefix_debug 10.33.33.1/28\n\nOCTET4:          1\nOCTET123:        10.33.33.\nSLASH:           28\nMASKOCTET4:      240\nSUBN:            0\n\nNETWORK ADDRESS: 10.33.33.0/28\nSUBNET MASK:     255.255.255.240\n\nC:\\Users\\Michael&gt;prefix_debug 10.33.33.1/27\n\nOCTET4:          1\nOCTET123:        10.33.33.\nSLASH:           27\nMASKOCTET4:      224\nSUBN:            0\n\nNETWORK ADDRESS: 10.33.33.0/27\nSUBNET MASK:     255.255.255.224\n\nC:\\Users\\Michael&gt;prefix_debug 10.33.33.103/29\n\nOCTET4:          103\nOCTET123:        10.33.33.\nSLASH:           29\nMASKOCTET4:     
 248\nSUBN:            96\n\nNETWORK ADDRESS: 10.33.33.96/29\nSUBNET MASK:     255.255.255.248\n\nC:\\Users\\Michael&gt;prefix_debug 10.33.33.221/27\n\nOCTET4:          221\nOCTET123:        10.33.33.\nSLASH:           27\nMASKOCTET4:      224\nSUBN:            192\n\nNETWORK ADDRESS: 10.33.33.192/27\nSUBNET MASK:     255.255.255.224</pre>\n<p> </p>\n<p>A few minutes later, we have a script that takes just the two essential arguments and will run on any Windows box without installing any additional software. A far cry from full blown automation but infinitely more scalable than find and replace?</p>",
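The batch script above only covers /24 to /32: the `255 >> (SLASH-24)` step goes negative for anything shorter, and the first three octets are never masked at all. As an added example that is not part of the original post, here is the same calculation in POSIX shell for any prefix length from /0 to /32, with input validation so that bad octets, leading zeros and out-of-range prefix lengths are rejected rather than silently miscalculated. The function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: prefix -> network/mask for
# any /0-/32, using only POSIX sh arithmetic (no external tools).

# Turn a dotted quad into a 32-bit integer.  Anything that is not four
# decimal octets in 0-255 is rejected; leading zeros are refused so that
# "010" cannot be read as octal by the shell.
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case "$o" in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Turn a 32-bit integer back into a dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_network a.b.c.d/len -> prints "network/len mask"; returns 1 on bad input.
cidr_network() {
    case "$1" in
        */*) ;;
        *) echo "usage: cidr_network a.b.c.d/len" >&2; return 1 ;;
    esac
    addr=${1%/*}
    plen=${1#*/}
    case "$plen" in
        0|[1-9]|[1-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    ip=$(ip_to_int "$addr") || return 1
    # The mask is the top $plen bits set.  /0 is special-cased so that the
    # result does not depend on what a 32-bit shift does in the shell.
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    echo "$(int_to_ip $(( ip & mask )))/$plen $(int_to_ip "$mask")"
}

# Stand-alone use: ./prefix.sh 10.33.33.103/29 [more prefixes ...]
# With no arguments it runs the post's examples plus a /23 the batch version
# cannot handle.
if [ "$#" -eq 0 ]; then
    set -- 10.33.33.103/29 10.33.33.221/27 172.16.200.9/23
fi
for p in "$@"; do
    cidr_network "$p"
done
```

The validation is the part worth keeping even if you stay with the batch version: a prefix such as `10.33.33.1/23` makes the original script compute a negative shift and print a wrong mask without complaint, whereas here it is either computed correctly (`172.16.200.0/23 255.255.254.0`) or refused.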
            "author": {
                "name": "Michael Bowen"
            },
            "tags": [
                   "Networks &amp; Security"
            ],
            "date_published": "2020-02-16T16:24:43+00:00",
            "date_modified": "2020-11-14T18:26:37+00:00"
        },
        {
            "id": "https://blog.msbnet.co.uk/vsrx-your-personal-laptop-firewall/",
            "url": "https://blog.msbnet.co.uk/vsrx-your-personal-laptop-firewall/",
            "title": "vSRX - your personal laptop firewall!",
            "summary": "I love to lab. One of the problems of running anything in a 'lab' environment, however, is that it can be a bit too clinical. Traffic generation can become a chore. Earlier this week, I was using Vagrant to spin up some vSRX labs on&hellip;",
            "content_html": "<p>I love to lab.</p>\n<p>One of the problems of running anything in a 'lab' environment, however, is that it can be a bit too clinical. Traffic generation can become a chore. Earlier this week, I was using <a href=\"https://www.vagrantup.com/\">Vagrant</a> to spin up some vSRX labs on my laptop when it occurred to me that I could probably just gateway my native traffic through a VM.</p>\n<p>There's probably a few ways to achieve this but here are the steps I followed:</p>\n<p>1. sudo apt update<br>2. sudo apt install virtualbox<br>3. wget https://releases.hashicorp.com/vagrant/2.2.6/vagrant_2.2.6_x86_64.deb   <em>(earlier versions are plagued with bugs)</em><br>4. sudo dpkg -i vagrant_2.2.6_x86_64.deb<br>5. vagrant plugin install vagrant-host-shell<br>6. vagrant plugin install vagrant-junos<br>7. mkdir vsrx<br>8. cd vsrx<br>9. vagrant init juniper/ffp-12.1X47-D15.4<br>10. vagrant up</p>\n<p> </p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Michael@schumacher:/vsrx$ vagrant status\nCurrent machine states:\n\ndefault                   running (virtualbox)\n\nThe VM is running. To stop this VM, you can run `vagrant halt` to\nshut it down forcefully, or you can run `vagrant suspend` to simply\nsuspend the virtual machine. 
In either case, to restart it again,\nsimply run `vagrant up`.\n\nMichael@schumacher:/vsrx$ vagrant ssh default\n--- JUNOS 12.1X47-D15.4 built 2014-11-12 02:13:59 UTC\nroot@vsrx% cli\nroot@vsrx&gt; show interfaces terse \nInterface               Admin Link Proto    Local                 Remote\nge-0/0/0                up    up  \nge-0/0/0.0              up    up   inet     10.0.2.15/24    \ngr-0/0/0                up    up  \nip-0/0/0                up    up  \nlsq-0/0/0               up    up  \nlt-0/0/0                up    up  \nmt-0/0/0                up    up  \nsp-0/0/0                up    up  \nsp-0/0/0.0              up    up   inet    \n                                   inet6   \nsp-0/0/0.16383          up    up   inet     10.0.0.1            --&gt; 10.0.0.16\n                                            10.0.0.6            --&gt; 0/0\n                                            128.0.0.1           --&gt; 128.0.1.16\n                                            128.0.0.6           --&gt; 0/0\ndsc                     up    up  \ngre                     up    up  \nipip                    up    up  \nirb                     up    up  \nlo0                     up    up  \nlo0.16384               up    up   inet     127.0.0.1           --&gt; 0/0\nlo0.16385               up    up   inet     10.0.0.1            --&gt; 0/0\n                                            10.0.0.16           --&gt; 0/0\n                                            128.0.0.1           --&gt; 0/0\n                                            128.0.0.4           --&gt; 0/0\n                                            128.0.1.16          --&gt; 0/0\nlo0.32768               up    up  \nlsi                     up    up  \nmtun                    up    up  \npimd                    up    up  \npime                    up    up  \npp0                     up    up  \nppd0                    up    up  \nppe0                    up    up  \nst0                     up    up  \ntap                    
 up    up  \nvlan                    up    down\n\nroot@vsrx&gt; exit \n\nroot@vsrx% exit\nlogout\nConnection to 127.0.0.1 closed.\n\nMichael@schumacher:/vsrx$ vagrant destroy -f\n==&gt; default: Forcing shutdown of VM...\n==&gt; default: Destroying VM and associated drives...</pre>\n<p> </p>\n<p>So that gets us a basic vSRX up and running.</p>\n<p>Next, we'll need to define an inside (tap0) interface and an outside (wlan0) interface that we can bridge the VM to. Wireless access points tend to be picky about allowing foreign MACs through the front door so we'll allow the native adapter to authenticate to the AP but we'll remove the ability to initialise the IP stack, before gifting the native MAC to vSRX.</p>\n<p> </p>\n<p>First, let's check the MAC address on wlan0:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Michael@schumacher:/vsrx$ ifconfig wlan0 | grep ether\n        ether a1:b1:c1:d1:e1:f1  txqueuelen 1000  (Ethernet)</pre>\n<p> </p>\n<p>Next, let's replace the Vagrantfile. Don't forget to pop your MAC address in there:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Vagrant.configure(2) do |config|\n  config.vm.box = \"juniper/ffp-12.1X47-D15.4\"\n  config.vm.provider \"virtualbox\" do |vb|\n    vb.memory = 512\n    vb.cpus = 2\n    vb.gui = false\n  end\n\nconfig.vm.define \"vsrx\" do |vsrx|\n    vsrx.vm.host_name = \"vSRX\"\n    vsrx.vm.network \"public_network\", auto_config: false, bridge: \"wlan0\", :mac =&gt; \"a1b1c1d1e1f1\"\n    vsrx.vm.network \"public_network\", auto_config: false, bridge: \"tap0\"\n    vsrx.vm.provision \"file\", source: \"scripts/vsrx.sh\", destination: \"/tmp/vsrx.sh\"\n    vsrx.vm.provision :host_shell do |host_shell|\n      host_shell.inline = 'vagrant ssh vsrx -c \"/usr/sbin/cli -f /tmp/vsrx.sh\"'\n    end\n  end\nend</pre>\n<p> </p>\n<p>We'll also need to create a 'scripts' directory within the vsrx folder to hold the vsrx.sh file we've referenced above. 
Vagrant commandeers ge-0/0/0 for management, which leaves us with ge-0/0/1 for wlan0 and ge-0/0/2 for our virtual adapter, tap0:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">configure\n\nset system services web-management http interface ge-0/0/2.0\n\nset security zones security-zone untrust interfaces ge-0/0/1 host-inbound-traffic system-services dhcp \nset security zones security-zone untrust host-inbound-traffic system-services ping\n\nset security zones security-zone trust interfaces ge-0/0/2 host-inbound-traffic system-services protocols all\nset security zones security-zone trust host-inbound-traffic system-services all\n\nset routing-instances INTERNET instance-type virtual-router\nset routing-instances INTERNET interface ge-0/0/1.0\nset routing-instances INTERNET interface ge-0/0/2.0\n\nset security nat source rule-set TRUST-TO-UNTRUST from zone trust\nset security nat source rule-set TRUST-TO-UNTRUST to zone untrust\nset security nat source rule-set TRUST-TO-UNTRUST rule TRUST-TO-INTERNET match source-address 10.88.88.0/24\nset security nat source rule-set TRUST-TO-UNTRUST rule TRUST-TO-INTERNET match destination-address 0.0.0.0/0\nset security nat source rule-set TRUST-TO-UNTRUST rule TRUST-TO-INTERNET then source-nat interface\n\nset interfaces ge-0/0/1 description \"Bridged - wlan0\"\nset interfaces ge-0/0/1 unit 0 family inet dhcp\n\nset interfaces ge-0/0/2 description \"Bridged - tap0\"\nset interfaces ge-0/0/2 unit 0 family inet address 10.88.88.1/24\n\ncommit and-quit</pre>\n<p>The vsrx.sh is simply the config we will automatically push to the device every time it's instantiated.</p>\n<p> </p>\n<p>Next, let's bring up the virtual interface and fire some DNS into resolv.conf:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">ip tuntap add tap0 mode tap\nip addr add 10.88.88.111/24 dev tap0\nip link set dev tap0 up\nip route add default via 10.88.88.1\n\necho \"nameserver 8.8.8.8\" &gt;&gt; 
/etc/resolv.conf</pre>\n<p> </p>\n<p>Let's not forget to disable any IP allocation on the wireless interface. Do the same for IPv6, too. All traffic must go via vSRX:</p>\n<figure class=\"wp-image-266 aligncenter\"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/5/img_5e001a4b79d7f.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001a4b79d7f-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001a4b79d7f-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001a4b79d7f-md.png 768w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001a4b79d7f-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001a4b79d7f-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001a4b79d7f-2xl.png 1600w\"  alt=\"\" width=\"464\" height=\"316\"></figure>\n<p> </p>\n<p>Time to bring up the VM and test:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@vSRX&gt; ping routing-instance INTERNET 8.8.8.8 \nPING 8.8.8.8 (8.8.8.8): 56 data bytes\n64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=30.447 ms\n64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=14.362 ms\n64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=15.521 ms\n64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=14.575 ms\n64 bytes from 8.8.8.8: icmp_seq=4 ttl=57 time=15.369 ms\n64 bytes from 8.8.8.8: icmp_seq=5 ttl=57 time=17.851 ms\n^C\n--- 8.8.8.8 ping statistics ---\n6 packets transmitted, 6 packets received, 0% packet loss\nround-trip min/avg/max/stddev = 14.362/18.021/30.447/5.671 ms\n</pre>\n<p> </p>\n<p>Silky smooth but does the host, my laptop, actually have internet connectivity?</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">Michael@schumacher:/vsrx$ ping bbc.co.uk\nPING bbc.co.uk (151.101.128.81) 56(84) bytes of data.\n64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=1 ttl=59 time=14.7 ms\n64 bytes from 151.101.128.81 
(151.101.128.81): icmp_seq=2 ttl=59 time=18.3 ms\n64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=3 ttl=59 time=15.3 ms\n64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=4 ttl=59 time=15.2 ms\n64 bytes from 151.101.128.81 (151.101.128.81): icmp_seq=5 ttl=59 time=15.4 ms\n^C\n--- bbc.co.uk ping statistics ---\n5 packets transmitted, 5 received, 0% packet loss, time 4002ms\nrtt min/avg/max/mdev = 14.743/15.812/18.377/1.307 ms\n\nMichael@schumacher:/vsrx$ route\nKernel IP routing table\nDestination     Gateway         Genmask         Flags Metric Ref    Use Iface\ndefault         _gateway        0.0.0.0         UG    0      0        0 tap0\n10.88.88.0      0.0.0.0         255.255.255.0   U     0      0        0 tap0\nlink-local      0.0.0.0         255.255.0.0     U     1000   0        0 virbr0\n172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0\n192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0\n192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 green_net\n192.168.124.0   0.0.0.0         255.255.255.0   U     0      0        0 red_net\n\n\nroot@vSRX&gt; show security flow session | match icmp    \n  In: 10.88.88.111/2 --&gt; 151.101.128.81/13698;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84\n  Out: 151.101.128.81/13698 --&gt; 10.14.41.109/29492;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84\n  In: 10.88.88.111/3 --&gt; 151.101.128.81/13698;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 84\n  Out: 151.101.128.81/13698 --&gt; 10.14.41.109/22708;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84\n\n</pre>\n<p>Job done!</p>\n<p> </p>\n<p>If you prefer, you could manage the firewall from the web interface, jweb, too:</p>\n<figure class=\"wp-image-270 aligncenter\"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/5/img_5e001e006aaf0.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e006aaf0-xs.png 300w 
,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e006aaf0-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e006aaf0-md.png 768w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e006aaf0-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e006aaf0-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e006aaf0-2xl.png 1600w\"  alt=\"\" width=\"550\" height=\"440\"></figure>\n<p> </p>\n<p>Log in with root / Juniper, the box's default credentials. J-Web is only enabled on ge-0/0/2.0 (the tap0 side), so it is reachable from the laptop and not from the wireless network:</p>\n<figure class=\"alignnone size-full wp-image-272 \"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/5/img_5e001e7db59b8.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e7db59b8-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e7db59b8-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e7db59b8-md.png 768w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e7db59b8-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e7db59b8-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/5/responsive/img_5e001e7db59b8-2xl.png 1600w\"  alt=\"\"></figure>\n<p>Problems? Just 'vagrant destroy' and start again. Other things to consider? Do you really need to keep UFW running? :)</p>",
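The host-side steps above are typed by hand, and the two things that actually matter for the firewall to be worth anything (no address and no default route on wlan0, IPv6 included) are done through the desktop's network settings. As an added example that is not part of the original post, the following POSIX shell script wraps those steps and adds a leak check that parses `ip route` and `ip -o addr` output and fails if anything still bypasses tap0. It assumes Linux with iproute2 and sysctl, the tap0 / 10.88.88.1 addressing from the post, and that NetworkManager (or whatever manages wlan0) has already been told to leave the interface alone; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: host-side setup and a
# "leak check" for the tap0 -> vSRX arrangement.  The whole point of the
# setup is that every packet leaves the laptop through the VM; if the
# outside NIC keeps an address or a default route, traffic bypasses it.
# Assumptions (mine, not the post's): Linux with iproute2 and sysctl; the
# inside interface is tap0 and the firewall is 10.88.88.1 as in the post;
# the outside interface name is passed as an argument.

INSIDE=tap0
FW=10.88.88.1

# Bring up the tap and point the host at vSRX, then strip the outside NIC of
# addresses and stop it learning an IPv6 default route from router
# advertisements (the post's "do the same for IPv6, too").  Run as root.
host_setup() {
    outside=$1
    ip tuntap add "$INSIDE" mode tap
    ip addr add 10.88.88.111/24 dev "$INSIDE"
    ip link set dev "$INSIDE" up
    ip route replace default via "$FW" dev "$INSIDE"
    ip addr flush dev "$outside"
    sysctl -qw "net.ipv6.conf.$outside.accept_ra=0"
    sysctl -qw "net.ipv6.conf.$outside.disable_ipv6=1"
}

# Read "ip route" / "ip -6 route" output on stdin and print every default
# route that does not leave via $INSIDE.  Returns 1 if any were printed.
foreign_default_routes() {
    leaked=0
    while read -r line; do
        case "$line" in
            default*) ;;
            *) continue ;;
        esac
        dev=
        set -- $line
        while [ $# -gt 1 ]; do
            [ "$1" = dev ] && { dev=$2; break; }
            shift
        done
        if [ "$dev" != "$INSIDE" ]; then
            echo "$line"
            leaked=1
        fi
    done
    return "$leaked"
}

# Read "ip -o addr show dev <outside>" output on stdin and print any
# globally scoped address (a link-local fe80:: address is harmless and is
# ignored).  Returns 1 if any were printed.
global_addrs() {
    leaked=0
    while read -r line; do
        case "$line" in
            *" scope global"*)
                set -- $line
                echo "$3 $4"
                leaked=1 ;;
        esac
    done
    return "$leaked"
}

# Live check against the running system: non-zero exit if anything
# bypasses the firewall, with the offending route or address printed.
leak_check() {
    outside=$1
    ok=0
    { ip -4 route; ip -6 route; } | foreign_default_routes || ok=1
    ip -o addr show dev "$outside" | global_addrs || ok=1
    return "$ok"
}
```

Run `host_setup wlan0` as root after `vagrant up`, then `leak_check wlan0` whenever the wireless reconnects. The finding that the IPv4-only screenshot step does not cover is an IPv6 default route learned from a router advertisement on wlan0 (`default via fe80::... dev wlan0 proto ra`), which would carry every dual-stack connection around the vSRX unnoticed.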
            "author": {
                "name": "Michael Bowen"
            },
            "tags": [
                   "Networks &amp; Security"
            ],
            "date_published": "2019-12-23T02:21:45+00:00",
            "date_modified": "2020-11-14T18:27:20+00:00"
        },
        {
            "id": "https://blog.msbnet.co.uk/pseudowire-headend-termination-part2/",
            "url": "https://blog.msbnet.co.uk/pseudowire-headend-termination-part2/",
            "title": "Pseudowire Headend Termination - PART2",
            "summary": "As network engineers, I think it's fair to say we like to try and spend our time making a difference? Despite being considered the 'bread and butter' of the Service Provider world, provisioning and decommissioning are two areas that can still demand our attention. More&hellip;",
            "content_html": "<p>As network engineers, I think it's fair to say we like to try and spend our time making a difference?</p>\n<p>Despite being considered the 'bread and butter' of the Service Provider world, <strong>provisioning</strong> and <strong>decommissioning</strong> are two areas that can still demand our attention. More specifically:</p>\n<ol>\n<li>Connecting subscribers from remote POPs or external access providers.</li>\n<li>Applying the necessary limiters to sub-rate services.</li>\n<li>Upgrading or downgrading subscriber services.</li>\n<li>VLAN and/or IP allocation... spreadsheets!</li>\n</ol>\n<blockquote>\n<p>\"Isn't this what network engineers do, though, Michael?\"</p>\n</blockquote>\n<p> </p>\n<p>Is your home fitted with taps?</p>\n<p>Imagine, if, several times a day, you were asked to go and draw water from the well, as a matter of urgency. Dumbfounded, you would probably find yourself pointing at the sink whilst mouthing the words, \"Taps... but we have taps?\" Just me, perhaps.</p>\n<p>The lab has changed slightly from the previous article. We are now up to 5 vMX routers. 
The latest addition, LIx, based at the Llanelli site, is now the BNG:</p>\n<figure class=\"alignnone size-full wp-image-180 \"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/4/img_5daced12c5579.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/4/responsive/img_5daced12c5579-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5daced12c5579-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5daced12c5579-md.png 768w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5daced12c5579-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5daced12c5579-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5daced12c5579-2xl.png 1600w\"  alt=\"\"></figure>\n<p> </p>\n<p><strong>GOAL</strong>: Modify the network so as to allow our colleagues in the <em>Provisioning</em> or <em>Customer Service</em> departments to be able to help the customer directly. This allows us to focus on support exceptions, research or revenue generating opportunities.</p>\n<blockquote>\n<p>\"If a human operator needs to touch your system during normal operations, you have a bug.\"<br>Carla Geisser, Google SRE</p>\n</blockquote>\n<p> </p>\n<p>In this example, I've simulated attaching a BT GEA cablelink circuit (single tagged) to the network. These are used to connect <a href=\"https://www.btplc.com/SINet/sins/pdf/506v1p5.pdf\">GEA FTTC/FTTP subscribers via Openreach</a>'s access network. 
What's the minimum required effort to successfully provision and decommission any associated IPoE subscribers?</p>\n<p>The final two steps include RADIUS and a beefed-up dynamic profile on the BNG, LIx.</p>\n<p>The RADIUS config:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">set access radius-server 10.10.11.9 secret \"$9$YQ4JUqmT/CujHCuO1yrYgoJjH\"\nset access radius-server 10.10.11.9 timeout 6\nset access radius-server 10.10.11.9 retry 5\nset access radius-server 10.10.11.9 max-outstanding-requests 1000\n\nset access profile ACCESS1 authentication-order radius\nset access profile ACCESS1 radius authentication-server 10.10.11.9\nset access profile ACCESS1 radius accounting-server 10.10.11.9\nset access profile ACCESS1 radius options nas-identifier LIx\nset access profile ACCESS1 accounting order radius\nset access profile ACCESS1 accounting accounting-stop-on-failure\nset access profile ACCESS1 accounting accounting-stop-on-access-deny\nset access profile ACCESS1 accounting immediate-update\nset access profile ACCESS1 accounting coa-immediate-update\nset access profile ACCESS1 accounting address-change-immediate-update\nset access profile ACCESS1 accounting update-interval 60\nset access profile ACCESS1 accounting statistics volume-time\n\nset access-profile ACCESS1</pre>\n<p>One caveat before that config goes anywhere: the $9$ form Junos shows for the secret is obfuscation, not encryption, and it is trivially reversible, so anyone who can read the saved configuration can recover the RADIUS shared secret. Treat config backups with the same care as the secret itself.</p>\n<p>The dynamic 'client' profile to instantiate the logical interface:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">set dynamic-profiles VLAN-BASIC interfaces \"$junos-interface-ifd-name\" unit \"$junos-interface-unit\" no-traps\nset dynamic-profiles VLAN-BASIC interfaces \"$junos-interface-ifd-name\" unit \"$junos-interface-unit\" proxy-arp restricted\nset dynamic-profiles VLAN-BASIC interfaces \"$junos-interface-ifd-name\" unit \"$junos-interface-unit\" vlan-tags outer \"$junos-stacked-vlan-id\"\nset dynamic-profiles VLAN-BASIC interfaces \"$junos-interface-ifd-name\" unit \"$junos-interface-unit\" vlan-tags inner \"$junos-vlan-id\"\nset dynamic-profiles VLAN-BASIC interfaces \"$junos-interface-ifd-name\" unit \"$junos-interface-unit\" family inet unnumbered-address lo0.0\nset dynamic-profiles VLAN-BASIC interfaces \"$junos-interface-ifd-name\" unit \"$junos-interface-unit\" family inet unnumbered-address preferred-source-address 203.0.113.1\n</pre>\n<p> </p>\n<p>The dynamic 'service' profile for the goodies. This is where we'll <em>dynamically</em> shape the downstream, police the upstream and classify EF traffic from the subscriber. This could be targeted at gamers or VoIP users:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">set dynamic-profiles EAD-PROFILE variables DNSTREAM default-value 10m\nset dynamic-profiles EAD-PROFILE variables UPSTREAM default-value 2m\nset dynamic-profiles EAD-PROFILE variables UPSTREAM uid\nset dynamic-profiles EAD-PROFILE variables POLICER default-value policerv4\nset dynamic-profiles EAD-PROFILE variables POLICER uid\nset dynamic-profiles EAD-PROFILE variables IFILTER default-value ifilterv4\nset dynamic-profiles EAD-PROFILE variables IFILTER uid\nset dynamic-profiles EAD-PROFILE variables OFILTER default-value ofilterv4\nset dynamic-profiles EAD-PROFILE variables OFILTER uid\nset dynamic-profiles EAD-PROFILE interfaces \"$junos-interface-ifd-name\" unit \"$junos-underlying-interface-unit\" family inet filter input \"$IFILTER\"\nset dynamic-profiles EAD-PROFILE interfaces \"$junos-interface-ifd-name\" unit \"$junos-underlying-interface-unit\" family inet filter output \"$OFILTER\"\nset dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER scheduler-map SMAP_BE_EF\nset dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER shaping-rate \"$DNSTREAM\"\nset dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER overhead-accounting frame-mode\nset dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER overhead-accounting bytes -4\nset dynamic-profiles EAD-PROFILE class-of-service interfaces \"$junos-interface-ifd-name\" unit \"$junos-underlying-interface-unit\" output-traffic-control-profile SHAPER\nset dynamic-profiles EAD-PROFILE class-of-service interfaces \"$junos-interface-ifd-name\" unit \"$junos-underlying-interface-unit\" classifiers dscp EAD_CLASSIFIER\nset dynamic-profiles EAD-PROFILE class-of-service scheduler-maps SMAP_BE_EF forwarding-class BE scheduler BE_SCH\nset dynamic-profiles EAD-PROFILE class-of-service scheduler-maps SMAP_BE_EF forwarding-class EF scheduler EF_SCH\nset dynamic-profiles EAD-PROFILE class-of-service schedulers BE_SCH transmit-rate remainder\nset dynamic-profiles EAD-PROFILE class-of-service schedulers BE_SCH priority low\nset dynamic-profiles EAD-PROFILE class-of-service schedulers EF_SCH transmit-rate 128k\nset dynamic-profiles EAD-PROFILE class-of-service schedulers EF_SCH transmit-rate rate-limit\nset dynamic-profiles EAD-PROFILE class-of-service schedulers EF_SCH priority strict-high\nset dynamic-profiles EAD-PROFILE firewall family inet filter \"$IFILTER\" interface-specific\nset dynamic-profiles EAD-PROFILE firewall family inet filter \"$IFILTER\" term term1 then policer \"$POLICER\"\nset dynamic-profiles EAD-PROFILE firewall family inet filter \"$IFILTER\" term term1 then service-accounting\nset dynamic-profiles EAD-PROFILE firewall family inet filter \"$IFILTER\" term rest then accept\nset dynamic-profiles EAD-PROFILE firewall family inet filter \"$OFILTER\" interface-specific\nset dynamic-profiles EAD-PROFILE firewall family inet filter \"$OFILTER\" term term1 then service-accounting\nset dynamic-profiles EAD-PROFILE firewall family inet filter \"$OFILTER\" term rest then accept\nset dynamic-profiles EAD-PROFILE firewall policer \"$POLICER\" if-exceeding bandwidth-limit \"$UPSTREAM\"\nset dynamic-profiles EAD-PROFILE firewall policer \"$POLICER\" if-exceeding burst-size-limit 15k\nset dynamic-profiles EAD-PROFILE firewall policer \"$POLICER\" then discard\n</pre>\n<p> 
</p>\n<p>We'll also need a sprinkle of CoS:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">set class-of-service forwarding-classes class BE queue-num 0\nset class-of-service forwarding-classes class BE priority low\nset class-of-service forwarding-classes class AF queue-num 1\nset class-of-service forwarding-classes class AF priority low\nset class-of-service forwarding-classes class EF queue-num 2\nset class-of-service forwarding-classes class EF priority high\nset class-of-service forwarding-classes class NC queue-num 3\nset class-of-service forwarding-classes class NC priority high\n\nset class-of-service classifiers dscp EAD_CLASSIFIER forwarding-class BE loss-priority high code-points be\nset class-of-service classifiers dscp EAD_CLASSIFIER forwarding-class EF loss-priority low code-points ef\n</pre>\n<p> </p>\n<p>Some final tweaks to the DHCP server config. Here we include a pre-defined prefix for the username (the cablelink ID) as well as the interface name which allows us to build a unique, dynamic, username. The reauthenticate lease-renewal cvar is particularly useful for what comes next in our FreeRADIUS setup:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">set system services dhcp-local-server group ps0 authentication password Juniper1\nset system services dhcp-local-server group ps0 authentication username-include user-prefix OGHP12345678\nset system services dhcp-local-server group ps0 authentication username-include interface-name\nset system services dhcp-local-server group ps0 interface ps0.0\nset system services dhcp-local-server group ps0 reauthenticate lease-renewal\n</pre>\n<p> </p>\n<p>When we hope to empower our non-technical colleagues, it becomes necessary to disambiguate. Finding some sort of frontend to your RADIUS solution may be key. 
In this instance, I'm using FreeRADIUS on top of pfSense.</p>\n<p>This is the point where you can probably handover to another department to populate the usernames:</p>\n<figure class=\"alignnone size-full wp-image-202 \"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/4/img_5dad395a4bf28.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad395a4bf28-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad395a4bf28-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad395a4bf28-md.png 768w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad395a4bf28-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad395a4bf28-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad395a4bf28-2xl.png 1600w\"  alt=\"\"></figure>\n<p> </p>\n<p>If we double click on Elon's username we are presented with a myriad of options. Scroll all the way down and you'll see something like this:</p>\n<figure class=\"alignnone size-full wp-image-205 \"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/4/img_5dad3a89995d6.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3a89995d6-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3a89995d6-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3a89995d6-md.png 768w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3a89995d6-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3a89995d6-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3a89995d6-2xl.png 1600w\"  alt=\"\"></figure>\n<p> </p>\n<p>That final box is all we really need. It took some time to get the dynamic profile set up just so but from here, the customer 'service profile' can be configured by any of your non-technical colleagues. 
Initially, it might have been set to <strong>|ERX-Service-Activate:1 += \"EAD-PROFILE(40m, 10m)\" </strong>which simply denotes a 40Mb/s downstream speed and a 10Mb/s upstream speed. If the customer calls up wanting to be upgraded to an 80/20 service, a quick edit in that box <strong>|ERX-Service-Activate:1 += \"EAD-PROFILE(80m, 20m)\"</strong> will automatically see the customer's speed updated shortly after.</p>\n<p>No need to ask them to power cycle kit and risk them breaking something and causing more calls / truck rolls. When the DHCP lease expires, the dynamic profile will check back here for any updates. What's the lease expiry in our IPv4 exhausted world? Typically 1 - 4 hours but it can be whatever you want.</p>\n<p>Want to disconnect a user for non-payment? Simply change their RADIUS password:</p>\n<figure class=\"alignnone size-full wp-image-208 \"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/4/img_5dad3dc87777b.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3dc87777b-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3dc87777b-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3dc87777b-md.png 768w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3dc87777b-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3dc87777b-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3dc87777b-2xl.png 1600w\"  alt=\"\"></figure>\n<p>Want to issue a static IP? 
Just pop one in this box:</p>\n<figure class=\"alignnone size-full wp-image-210 \"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/4/img_5dad3e5ecac28.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3e5ecac28-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3e5ecac28-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3e5ecac28-md.png 768w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3e5ecac28-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3e5ecac28-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/4/responsive/img_5dad3e5ecac28-2xl.png 1600w\"  alt=\"\"></figure>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@LIx&gt; show subscribers                 \nInterface             IP Address/VLAN ID                      User Name                      LS:RI\nps0.3221225476         13                                                               default:default      \nps0.3221225476        203.0.113.111                           OGHP12345678.ps0:13       default:default</pre>\n<p> </p>\n<p>If, for some reason, you want to login to the router, there are a few commands you can issue to check all is well:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@LIx&gt; show subscribers extensive \nType: VLAN\nLogical System: default\nRouting Instance: default\nInterface: ps0.3221225476\nInterface type: Dynamic\nUnderlying Interface: ps0\nDynamic Profile Name: VLAN-BASIC\nDynamic Profile Version: 1\nState: Active\nSession ID: 7\nPFE Flow ID: 14\nVLAN Id: 13\nLogin Time: 2019-10-21 06:22:38 BST\n\nType: DHCP\nUser Name: OGHP12345678.ps0:13\nIP Address: 203.0.113.111\nIP Netmask: 255.255.255.0\nLogical System: default\nRouting Instance: default\nInterface: ps0.3221225476\nInterface type: Static\nUnderlying Interface: ps0.3221225476\nMAC Address: 20:cf:30:23:ca:a6\nState: 
Active\nRadius Accounting ID: 8\nSession ID: 8\nPFE Flow ID: 14\nVLAN Id: 13\nLogin Time: 2019-10-21 06:22:38 BST\nService Sessions: 1\nDHCP Options: len 42\n35 01 01 3d 07 01 20 cf 30 23 ca a6 0c 02 71 6c 3c 08 4d 53\n46 54 20 35 2e 30 37 0e 01 03 06 0f 1f 21 2b 2c 2e 2f 77 79\nf9 fc\nDHCP Header: len 44\n01 01 06 00 cc e4 5d 08 00 00 80 00 00 00 00 00 00 00 00 00\n00 00 00 00 00 00 00 00 20 cf 30 23 ca a6 00 00 00 00 00 00\n00 00 00 00\nIP Address Pool: TEST-NET-3\nAccounting interval: 3600\n\n   Service Session ID: 9                \n   Service Session Name: EAD-PROFILE\n   Service Session Version: 1\n   State: Active\n   Family: inet\n   IPv4 Input Filter Name: ifilterv4_UID1019-ps0.3221225476-in\n   IPv4 Output Filter Name: ofilterv4_UID1020-ps0.3221225476-out\n   Service Activation time: 2019-10-21 06:22:39 BST\n   Dynamic configuration: \n     DNSTREAM: 40m\n     IFILTER: ifilterv4_UID1019\n     OFILTER: ofilterv4_UID1020\n     POLICER: policerv4_UID1018\n     UPSTREAM: 10m\n</pre>\n<p> </p>\n<p>Check the dynamically created traffic control profile:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@LIx&gt; show class-of-service traffic-control-profile SHAPER_UID1017 \nTraffic control profile: SHAPER_UID1017, Index: 4294967363\n  Shaping rate: 40000000\n  Scheduler map: SMAP_BE_EF_UID1016\n  Overhead accounting mode: Frame Mode\n  Overhead bytes: -4</pre>\n<p> </p>\n<p>Check the dynamically created scheduler map:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@LIx&gt; show class-of-service scheduler-map SMAP_BE_EF_UID1016                   \nScheduler map: SMAP_BE_EF_UID1016, Index: 4294967357\n\n  Scheduler: BE_SCH_UID1014, Forwarding class: BE, Index: 4294967360\n    Transmit rate: remainder, Rate Limit: none, Buffer size: remainder, Buffer Limit: none, Priority: low\n    Excess Priority: unspecified\n    Drop profiles:\n      Loss priority   Protocol    Index    Name\n      Low             any             1   
 &lt;default-drop-profile&gt;      \n      Medium low      any             1    &lt;default-drop-profile&gt;      \n      Medium high     any             1    &lt;default-drop-profile&gt;      \n      High            any             1    &lt;default-drop-profile&gt;      \n\n  Scheduler: EF_SCH_UID1015, Forwarding class: EF, Index: 4294967361\n    Transmit rate: 128000 bps, Rate Limit: rate-limit, Buffer size: remainder, Buffer Limit: none, Priority: strict-high\n    Excess Priority: unspecified\n    Drop profiles:\n      Loss priority   Protocol    Index    Name\n      Low             any             1    &lt;default-drop-profile&gt;      \n      Medium low      any             1    &lt;default-drop-profile&gt;      \n      Medium high     any             1    &lt;default-drop-profile&gt;      \n      High            any             1    &lt;default-drop-profile&gt;</pre>\n<p> </p>\n<p>Check the policer and accounting stats:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@LIx&gt; show firewall \n\nFilter: __default_bpdu_filter__                                \n\nFilter: ifilterv4_UID1019-ps0.3221225476-in                    \nCounters:\nName                                                Bytes              Packets\n__junos-dyn-service-counter                      29317545               138097\nPolicers:\nName                                                Bytes              Packets\npolicerv4_UID1018-term1-ps0.3221225476-in              1506492                 1015\n\nFilter: ofilterv4_UID1020-ps0.3221225476-out                   \nCounters:\nName                                                Bytes              Packets\n__junos-dyn-service-counter                      80939623                99292\n\n</pre>\n<p> </p>\n<p>Check if the subscriber is making use of the QoS in the dynamic profile?</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@LIx&gt; show interfaces queue ge-0/0/0 | find EF    \nQueue: 2, Forwarding 
classes: EF\n  Queued:\n    Packets              :                212186                   135 pps\n    Bytes                :              17415738                 81920 bps\n  Transmitted:\n    Packets              :                212186                   135 pps\n    Bytes                :              17415738                 81920 bps\n    Tail-dropped packets :                     0                     0 pps\n    RL-dropped packets   :                     0                     0 pps\n    RL-dropped bytes     :                     0                     0 bps\n    RED-dropped packets  :                     0                     0 pps\n     Low                 :                     0                     0 pps\n     Medium-low          :                     0                     0 pps\n     Medium-high         :                     0                     0 pps\n     High                :                     0                     0 pps\n    RED-dropped bytes    :                     0                     0 bps\n     Low                 :                     0                     0 bps\n     Medium-low          :                     0                     0 bps\n     Medium-high         :                     0                     0 bps\n     High                :                     0                     0 bps\n</pre>\n<p>Yes!</p>\n<p>As always, there is so much more that can be done but hopefully I've provided the foundations from which you can try and seize more control of your working day whilst providing a high quality and consistent experience to your paying customers.</p>\n<p> </p>\n<p><strong>Configs</strong></p>\n<p><a href=\"http://www.msbnet.co.uk/wp-content/uploads/2019/10/3_LIx.txt\">3_LIx</a><br><a href=\"http://www.msbnet.co.uk/wp-content/uploads/2019/10/3_LI.txt\">3_LI</a><br><a href=\"http://www.msbnet.co.uk/wp-content/uploads/2019/10/3_SA.txt\">3_SA</a><br><a href=\"http://www.msbnet.co.uk/wp-content/uploads/2019/10/3_NT.txt\">3_NT</a><br><a 
href=\"http://www.msbnet.co.uk/wp-content/uploads/2019/10/3_CF.txt\">3_CF</a></p>",
            "author": {
                "name": "Michael Bowen"
            },
            "tags": [
                   "Networks &amp; Security"
            ],
            "date_published": "2019-10-21T06:22:20+01:00",
            "date_modified": "2020-11-14T18:27:29+00:00"
        },
        {
            "id": "https://blog.msbnet.co.uk/pseudowire-headend-termination-in-8-steps-part1/",
            "url": "https://blog.msbnet.co.uk/pseudowire-headend-termination-in-8-steps-part1/",
            "title": "Pseudowire Headend Termination - in 8 steps - PART1",
            "summary": "PROBLEM: Swansea, Newport and Cardiff subscribers have been, temporarily, terminated on vACX hardware at those sites. The vACX routers are typically used for mobile backhaul and generally don't have the 'grunt' to terminate subscribers. They don't support per-unit-scheduling, for example. We need to get them&hellip;",
            "content_html": "<p><strong>PROBLEM:</strong> Swansea, Newport and Cardiff subscribers have been, temporarily, terminated on vACX hardware at those sites. The vACX routers are typically used for mobile backhaul and generally don't have the 'grunt' to terminate subscribers. They don't support per-unit-scheduling, for example. We need to get them off these routers.</p>\n<p><strong>GOAL: </strong>Terminate all subscribers from the Access Provider at Cardiff, on to the new vMX960 at Llanelli.</p>\n<p>Juniper's <a href=\"https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce-141-example-seamless-mpls.html\"><em>Configuring the Broadband Edge as a Service Node Within Seamless MPLS Network Designs</em></a> article was the main inspiration for this post.</p>\n<figure class=\"alignnone size-full wp-image-115 \"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/2/img_5d86180f2f221.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/2/responsive/img_5d86180f2f221-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/2/responsive/img_5d86180f2f221-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/2/responsive/img_5d86180f2f221-md.png 768w ,https://blog.msbnet.co.uk/media/posts/2/responsive/img_5d86180f2f221-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/2/responsive/img_5d86180f2f221-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/2/responsive/img_5d86180f2f221-2xl.png 1600w\"  alt=\"\"></figure>\n<p> </p>\n<p> </p>\n<p>Let's log on to Llanelli and get cracking! 
Before we begin, let's check reachability to the loopbacks:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Llanelli&gt; ping 172.16.99.1 count 1    \nPING 172.16.99.1 (172.16.99.1): 56 data bytes\n64 bytes from 172.16.99.1: icmp_seq=0 ttl=64 time=0.066 ms\n\n--- 172.16.99.1 ping statistics ---\n1 packets transmitted, 1 packets received, 0% packet loss\nround-trip min/avg/max/stddev = 0.066/0.066/0.066/0.000 ms\n\nroot@Llanelli&gt; ping 172.16.99.2 count 1    \nPING 172.16.99.2 (172.16.99.2): 56 data bytes\n64 bytes from 172.16.99.2: icmp_seq=0 ttl=64 time=93.739 ms\n\n--- 172.16.99.2 ping statistics ---\n1 packets transmitted, 1 packets received, 0% packet loss\nround-trip min/avg/max/stddev = 93.739/93.739/93.739/0.000 ms\n\nroot@Llanelli&gt; ping 172.16.99.3 count 1    \nPING 172.16.99.3 (172.16.99.3): 56 data bytes\n64 bytes from 172.16.99.3: icmp_seq=0 ttl=64 time=21.710 ms\n\n--- 172.16.99.3 ping statistics ---\n1 packets transmitted, 1 packets received, 0% packet loss\nround-trip min/avg/max/stddev = 21.710/21.710/21.710/0.000 ms\n\nroot@Llanelli&gt; ping 172.16.99.4 count 1    \nPING 172.16.99.4 (172.16.99.4): 56 data bytes\n64 bytes from 172.16.99.4: icmp_seq=0 ttl=63 time=281.251 ms\n\n--- 172.16.99.4 ping statistics ---\n1 packets transmitted, 1 packets received, 0% packet loss\nround-trip min/avg/max/stddev = 281.251/281.251/281.251/0.000 ms\n</pre>\n<p> </p>\n<ol>\n<li><strong>Add secondary IP to lo0.0:</strong><br>set interfaces lo0 unit 0 family inet address 203.0.113.1/32</li>\n<li><strong>Configure the dynamic VLAN profile with versioning:</strong><br>set system dynamic-profile-options versioning<br>set dynamic-profiles DYNINTF-DHCP-INET interfaces \"$junos-interface-ifd-name\" unit \"$junos-interface-unit\" proxy-arp restricted<br>set dynamic-profiles DYNINTF-DHCP-INET interfaces \"$junos-interface-ifd-name\" unit \"$junos-interface-unit\" vlan-tags outer \"$junos-stacked-vlan-id\"<br>set dynamic-profiles DYNINTF-DHCP-INET 
interfaces \"$junos-interface-ifd-name\" unit \"$junos-interface-unit\" vlan-tags inner \"$junos-vlan-id\"<br>set dynamic-profiles DYNINTF-DHCP-INET interfaces \"$junos-interface-ifd-name\" unit \"$junos-interface-unit\" family inet unnumbered-address lo0.0<br>set dynamic-profiles DYNINTF-DHCP-INET interfaces \"$junos-interface-ifd-name\" unit \"$junos-interface-unit\" family inet unnumbered-address preferred-source-address 203.0.113.1</li>\n<li><strong>Enable tunnel-services on the PFE:</strong><br>set chassis fpc 0 pic 0 tunnel-services bandwidth 1g<br>set chassis fpc 0 pic 0 traffic-manager egress-shaping-overhead 0<br>set chassis network-services enhanced-ip<br>set chassis pseudowire-service device-count 4</li>\n<li><strong>Configure the pseudowire (ps0) interface for single and double tagged traffic:</strong><br>set interfaces ps0 anchor-point lt-0/0/10<br>set interfaces ps0 flexible-vlan-tagging<br>set interfaces ps0 auto-configure stacked-vlan-ranges dynamic-profile DYNINTF-DHCP-INET accept any<br>set interfaces ps0 auto-configure stacked-vlan-ranges dynamic-profile DYNINTF-DHCP-INET ranges any,any<br>set interfaces ps0 auto-configure vlan-ranges dynamic-profile DYNINTF-DHCP-INET accept any<br>set interfaces ps0 auto-configure vlan-ranges dynamic-profile DYNINTF-DHCP-INET ranges any<br>set interfaces ps0 auto-configure remove-when-no-subscribers<br>set interfaces ps0 no-gratuitous-arp-request<br>set interfaces ps0 unit 0 encapsulation ethernet-ccc</li>\n<li><strong>Configure DHCP and bind it to the transport logical (ps0.0) interface:</strong><br>set system services dhcp-local-server pool-match-order ip-address-first<br>set system services dhcp-local-server authentication username-include interface-name<br>set system services dhcp-local-server group local interface ps0.0</li>\n<li><strong>Enable subscriber management:</strong><br>set system services subscriber-management enable<br>set system configuration-database max-db-size 
104857600</li>\n<li><strong>Configure the access profile and DHCP scope. Apply the access-profile:</strong><br>set access profile local authentication-order none<br>set access address-assignment pool TEST-NET-3 family inet network 203.0.113.0/24<br>set access address-assignment pool TEST-NET-3 family inet range 1 low 203.0.113.2<br>set access address-assignment pool TEST-NET-3 family inet range 1 high 203.0.113.250<br>set access address-assignment pool TEST-NET-3 family inet dhcp-attributes maximum-lease-time 3600<br>set access address-assignment pool TEST-NET-3 family inet dhcp-attributes domain-name msbnet.co.uk<br>set access address-assignment pool TEST-NET-3 family inet dhcp-attributes router 203.0.113.1<br>set access-profile local</li>\n<li><strong>Configure the l2circuit at both sites:</strong><br># Llanelli<br>set protocols l2circuit neighbor 172.16.99.4 interface ps0.0 virtual-circuit-id 1<br>set protocols l2circuit neighbor 172.16.99.4 interface ps0.0 ignore-mtu-mismatch<br># Cardiff<br>set protocols l2circuit neighbor 172.16.99.1 interface ge-0/0/3.1 virtual-circuit-id 1<br>set protocols l2circuit neighbor 172.16.99.1 interface ge-0/0/3.1 encapsulation-type ethernet<br>set protocols l2circuit neighbor 172.16.99.1 interface ge-0/0/3.1 ignore-mtu-mismatch<br>set interfaces ge-0/0/3 unit 1 encapsulation vlan-ccc<br>set interfaces ge-0/0/3 unit 1 vlan-id-range 2-10</li>\n</ol>\n<p> </p>\n<p>Finally, commit the configuration at both sites. Llanelli displays the following message upon commit:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Llanelli# commit and-quit \n[edit system services subscriber-management]\n  'enable'\n    warning: Chassis configuration for subscriber-management has been changed. A system reboot is mandatory.  Please reboot the system NOW. 
Continuing without a reboot might result in unexpected system behavior.\n\nMessage from syslogd@Llanelli at Sep 20 17:18:05  ...\nLlanelli fpc0 CMLC: Going disconnected; Routing engine chassis socket closed abruptly \ncommit complete\nExiting configuration mode\n</pre>\n<p>If we take a sneaky peek at the PFE directly after the commit, we see the following:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Llanelli&gt; show chassis fpc \n                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)\nSlot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer\n  0  Offline         ---Restarted by cli command---\n  1  Empty           \n  2  Empty           \n  3  Empty           \n  4  Empty           \n  5  Empty           \n  6  Empty           \n  7  Empty           \n  8  Empty           \n  9  Empty           \n 10  Empty           \n 11  Empty           \n</pre>\n<p>Enabling tunnel services caused the PFE to restart. It is at this point that it gives birth to the logical tunnel interface, lt-0/0/10, amongst others. Periodically check the chassis to see if the PFE has come back up:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Llanelli&gt; show chassis fpc    \n                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)\nSlot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer\n  0  Online           Testing  20         0       30     33     32    2047        7          0\n  1  Empty           \n  2  Empty           \n  3  Empty           \n  4  Empty           \n  5  Empty           \n  6  Empty           \n  7  Empty           \n  8  Empty           \n  9  Empty           \n 10  Empty           \n 11  Empty           \n</pre>\n<p>Excellent! 
Now reboot the routing engine as indicated after the commit:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Llanelli&gt; request system reboot \nReboot the system ? [yes,no] (no) yes \n\n                                                                               \n*** FINAL System shutdown message from root@Llanelli ***                     \n\nSystem going down IMMEDIATELY                                                  \n\n                                                                               \nWaiting (max 60 seconds) for system process `vnlru' to stop... done\nWaiting (max 60 seconds) for system process `bufdaemon' to stop... done\nWaiting (max 60 seconds) for system process `syncer' to stop... \nSyncing disks, vnodes remaining... 0 0 0 done\nAll buffers synced.\nUptime: 1h4m47s\nKhelp module \"jsocket\" can't unload until its refcount drops from 4 to 0.\nRebooting...\ncpu_reset: Stopping other CPUs</pre>\n<p>Once the routing engine has come back up, it whistles to the packet forwarding engine to come hither. 
Once they're back in sync, we can proceed:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Llanelli&gt; show chassis fpc    \n                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)\nSlot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer\n  0  Online           Absent   0          0        0      0      0      0         0          0\n  1  Empty           \n  2  Empty           \n  3  Empty           \n  4  Empty           \n  5  Empty           \n  6  Empty           \n  7  Empty           \n  8  Empty           \n  9  Empty           \n 10  Empty           \n 11  Empty                \n</pre>\n<p>Not yet.</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Llanelli&gt; show chassis fpc    \n                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)\nSlot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer\n  0  Online           Testing  40         0       17      4      1    2047        7          0\n  1  Empty           \n  2  Empty           \n  3  Empty           \n  4  Empty           \n  5  Empty           \n  6  Empty           \n  7  Empty           \n  8  Empty           \n  9  Empty           \n 10  Empty           \n 11  Empty</pre>\n<p>Job done.</p>\n<p> </p>\n<p>Now let's check the pseudowire has come up:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Llanelli&gt; show l2circuit connections status    \nLayer-2 Circuit Connections:\n\nLegend for connection status (St)   \nEI -- encapsulation invalid      NP -- interface h/w not present   \nMM -- mtu mismatch               Dn -- down                       \nEM -- encapsulation mismatch     VC-Dn -- Virtual circuit Down    \nCM -- control-word mismatch      Up -- operational                \nVM -- vlan id mismatch           CF -- Call admission control failure\nOL -- no outgoing 
label          IB -- TDM incompatible bitrate \nNC -- intf encaps not CCC/TCC    TM -- TDM misconfiguration \nBK -- Backup Connection          ST -- Standby Connection\nCB -- rcvd cell-bundle size bad  SP -- Static Pseudowire\nLD -- local site signaled down   RS -- remote site standby\nRD -- remote site signaled down  HS -- Hot-standby Connection\nXX -- unknown\n\nLegend for interface status  \nUp -- operational            \nDn -- down                   \nNeighbor: 172.16.99.4 \n    Interface                 Type  St     Time last up          # Up trans\n    ps0.0(vc 1)               rmt   Up     Sep 20 17:29:48 2019           1\n      Remote PE: 172.16.99.4, Negotiated control-word: Yes (Null)\n      Incoming label: 16, Outgoing label: 299872\n      Negotiated PW status TLV: No\n      Local interface: ps0.0, Status: Up, Encapsulation: ETHERNET\n      Flow Label Transmit: No, Flow Label Receive: No\n</pre>\n<p>It has!</p>\n<p> </p>\n<p>Now, let's check that our Cardiff subscribers have found their way over to us:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Llanelli&gt; show subscribers \nTotal subscribers: 0, Active Subscribers: 0</pre>\n<p>Oh dear. What have I missed?</p>\n<p> </p>\n<p>A quick glance at Cardiff's access port highlights the error of my ways. I've enabled the CVLANs on the pseudowire instead of the SVLAN. 
Easily corrected:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Cardiff&gt; show configuration interfaces ge-0/0/3 | display set \nset interfaces ge-0/0/3 description \"Access Provider 1\"\nset interfaces ge-0/0/3 flexible-vlan-tagging\nset interfaces ge-0/0/3 encapsulation flexible-ethernet-services\nset interfaces ge-0/0/3 unit 1 encapsulation vlan-ccc\nset interfaces ge-0/0/3 unit 1 vlan-id-range 2-10\t&lt;--------- CVLANs\n\n\nroot@Cardiff&gt; edit \nEntering configuration mode\nroot@Cardiff# set interfaces ge-0/0/3 unit 1 vlan-id 101          \nroot@Cardiff# commit and-quit \ncommit complete\nExiting configuration mode</pre>\n<p> </p>\n<p>Let's check if that worked:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Llanelli&gt; show subscribers \nInterface             IP Address/VLAN ID                      User Name                      LS:RI\nps0.3221225472        0x8100.101 0x8100.2                                               default:default      \nps0.3221225473        0x8100.101 0x8100.3                                               default:default      \nps0.3221225474        0x8100.101 0x8100.4                                               default:default      \nps0.3221225475        0x8100.101 0x8100.5                                               default:default      \nps0.3221225476        0x8100.101 0x8100.6                                               default:default      \nps0.3221225477        0x8100.101 0x8100.7                                               default:default      \nps0.3221225478        0x8100.101 0x8100.8                                               default:default      \nps0.3221225479        0x8100.101 0x8100.9                                               default:default      \nps0.3221225480        0x8100.101 0x8100.10                                              default:default      \nps0.3221225472        203.0.113.2                             ps0:101-2                 
default:default      \nps0.3221225473        203.0.113.3                             ps0:101-3                 default:default      \nps0.3221225474        203.0.113.4                             ps0:101-4                 default:default      \nps0.3221225475        203.0.113.5                             ps0:101-5                 default:default      \nps0.3221225476        203.0.113.6                             ps0:101-6                 default:default      \nps0.3221225477        203.0.113.7                             ps0:101-7                 default:default      \nps0.3221225478        203.0.113.8                             ps0:101-8                 default:default      \nps0.3221225479        203.0.113.9                             ps0:101-9                 default:default      \nps0.3221225480        203.0.113.10                            ps0:101-10                default:default</pre>\n<p>Can we ping a subscriber?</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">root@Llanelli&gt; ping 203.0.113.2 count 3    \nPING 203.0.113.2 (203.0.113.2): 56 data bytes\n64 bytes from 203.0.113.2: icmp_seq=0 ttl=255 time=34.714 ms\n64 bytes from 203.0.113.2: icmp_seq=1 ttl=255 time=40.958 ms\n64 bytes from 203.0.113.2: icmp_seq=2 ttl=255 time=41.267 ms\n\n--- 203.0.113.2 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max/stddev = 34.714/38.980/41.267/3.019 ms\n</pre>\n<p>Job done!</p>\n<p>We've covered the basics of pseudowire headend termination.<br>In part 2, we'll look at RADIUS and CoS profiles, assuming I can coax vMX to comply :)</p>\n<p> </p>\n<p><strong>Versions<br></strong>vMX: 18.2R1.9<br>IOS: 15.2(4)M7</p>\n<p><strong>Configs</strong><br><a href=\"http://www.msbnet.co.uk/wp-content/uploads/2019/09/2_Llanelli.txt\">2_Llanelli</a><br><a href=\"http://www.msbnet.co.uk/wp-content/uploads/2019/09/2_Swansea.txt\">2_Swansea</a><br><a 
href=\"http://www.msbnet.co.uk/wp-content/uploads/2019/09/2_Newport.txt\">2_Newport</a><br><a href=\"http://www.msbnet.co.uk/wp-content/uploads/2019/09/2_Cardiff.txt\">2_Cardiff</a><br><a href=\"http://www.msbnet.co.uk/wp-content/uploads/2019/09/2_AccessProvider1.txt\">2_AccessProvider1</a></p>",
            "author": {
                "name": "Michael Bowen"
            },
            "tags": [
                   "Networks &amp; Security"
            ],
            "date_published": "2019-09-21T13:07:02+01:00",
            "date_modified": "2020-11-14T18:27:39+00:00"
        },
        {
            "id": "https://blog.msbnet.co.uk/vlan-based-layer-2-circuits-with-eompls-and-l2circuit/",
            "url": "https://blog.msbnet.co.uk/vlan-based-layer-2-circuits-with-eompls-and-l2circuit/",
            "title": "VLAN-Based Layer 2 Circuits with EoMPLS and l2circuit",
            "summary": "I was recently asked to set up a LAN extension for a customer. After a spot of research, I was very impressed by this particular method which I've illustrated below. Based on IETF RFC 4447 (Pseudowire Setup and Maintenance Using the Label Distribution Protocol). Layer&hellip;",
            "content_html": "<p>I was recently asked to set up a LAN extension for a customer. After a spot of research, I was very impressed by this particular method which I've illustrated below.</p>\n<p>Based on <a href=\"https://tools.ietf.org/html/rfc4447\">IETF RFC 4447</a> <em>(Pseudowire Setup and Maintenance Using the Label Distribution Protocol).</em></p>\n<p> </p>\n<blockquote>\n<p><em>Layer 2 services (such as Frame Relay, Asynchronous Transfer Mode, and Ethernet) can be \"emulated\" over an MPLS backbone by encapsulating the Layer 2 Protocol Data Units (PDU) and transmitting them over \"pseudowires\".</em></p>\n</blockquote>\n<p> </p>\n<p>The service provider network is coloured orange and represents four towns/cities.<br>The customer network is coloured green with one site in Llanelli and one in Cardiff.</p>\n<p><strong>Goal</strong><br>Extend the 10.77.11.0/24 network from Llanelli to Cardiff.</p>\n<p> </p>\n<figure class=\"size-full wp-image-51 aligncenter\"><img loading=\"lazy\"  src=\"https://blog.msbnet.co.uk/media/posts/1/img_5d448a31a20b8.png\" sizes=\"(max-width: 48em) 100vw, 768px\" srcset=\"https://blog.msbnet.co.uk/media/posts/1/responsive/img_5d448a31a20b8-xs.png 300w ,https://blog.msbnet.co.uk/media/posts/1/responsive/img_5d448a31a20b8-sm.png 480w ,https://blog.msbnet.co.uk/media/posts/1/responsive/img_5d448a31a20b8-md.png 768w ,https://blog.msbnet.co.uk/media/posts/1/responsive/img_5d448a31a20b8-lg.png 1024w ,https://blog.msbnet.co.uk/media/posts/1/responsive/img_5d448a31a20b8-xl.png 1360w ,https://blog.msbnet.co.uk/media/posts/1/responsive/img_5d448a31a20b8-2xl.png 1600w\"  alt=\"\"></figure>\n<p> </p>\n<p>The end result should look like this when pinging the Llanelli site from Cardiff:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">TurboKart-LLA#show ip int br\nInterface                  IP-Address      OK? 
Method Status                Protocol\nFastEthernet0/0            unassigned      YES NVRAM  administratively down down    \nGigabitEthernet1/0         unassigned      YES NVRAM  up                    up      \nGigabitEthernet1/0.11      10.77.11.1      YES NVRAM  up                    up      \nGigabitEthernet2/0         unassigned      YES NVRAM  administratively down down    \nGigabitEthernet3/0         unassigned      YES NVRAM  administratively down down    \nGigabitEthernet4/0         unassigned      YES NVRAM  administratively down down    \n\nTurboKart-LLA#ping 10.77.11.2\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 10.77.11.2, timeout is 2 seconds:\n!!!!!\nSuccess rate is 100 percent (5/5), round-trip min/avg/max = 48/594/1012 ms\n</pre>\n<p> </p>\n<p>I'm using vMX 18.2R1.9 for the service provider network. You can get a free trial from <a href=\"https://www.juniper.net/us/en/dm/free-vmx-trial/\">Juniper's website</a>.<br>The customer network employs version 15.2 of the trusty C7200-ADVENTERPRISEK9-M.</p>\n<p> </p>\n<p><strong>Configuring the service provider network<br></strong>vMX is a hungry beast, requiring 2GB of RAM for the virtual control plane and 4GB for the virtual forwarding plane so, first things first, we'll configure the FPC for lite-mode. This reduces the requirement to 1GB and 2GB, respectively:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">set chassis fpc 0 lite-mode</pre>\n<p> </p>\n<p>Next, pop an address on the loopback and then IP the core facing interfaces. Nothing fancy here. 
Enable the MPLS family on each interface, too:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">set interfaces lo0 unit 0 family inet address 172.16.99.1/32\nset interfaces lo0 unit 0 family mpls\n\nset interfaces ge-0/0/1 unit 0 family inet address 10.10.1.1/24\nset interfaces ge-0/0/1 unit 0 family mpls\n\nset interfaces ge-0/0/2 unit 0 family inet address 10.10.2.1/24\nset interfaces ge-0/0/2 unit 0 family mpls</pre>\n<p> </p>\n<p>Next, enable OSPF, LDP and MPLS under the protocols stanza:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">set protocols mpls interface lo0.0\nset protocols mpls interface ge-0/0/1.0\nset protocols mpls interface ge-0/0/2.0\n \nset protocols ospf area 0.0.0.0 interface lo0.0 passive\nset protocols ospf area 0.0.0.0 interface ge-0/0/1.0\nset protocols ospf area 0.0.0.0 interface ge-0/0/2.0\n\nset protocols ldp interface ge-0/0/1.0\nset protocols ldp interface ge-0/0/2.0\nset protocols ldp interface lo0.0</pre>\n<p> </p>\n<p>That's the core configuration wrapped up. Repeat for all four routers, tweaking the IPs.</p>\n<p> </p>\n<p><strong>Configuring the access ports<br></strong>For the customer-specific configuration, we'll need to configure an access port at each BT exchange (Llanelli and Cardiff) and a pseudowire (l2circuit) to transport the contents of that access port/VLAN to the other site. In this instance, we transport seven VLANs; 10 - 16. 
The following additional config is required:</p>\n<p> </p>\n<p><strong>Llanelli Exchange<br></strong></p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">set interfaces ge-0/0/3 description \"Access port\"\nset interfaces ge-0/0/3 flexible-vlan-tagging\nset interfaces ge-0/0/3 encapsulation flexible-ethernet-services\nset interfaces ge-0/0/3 unit 1000 description \"TurboKart - Llanelli\"\nset interfaces ge-0/0/3 unit 1000 encapsulation vlan-ccc\nset interfaces ge-0/0/3 unit 1000 vlan-id-range 10-16\n\nset protocols l2circuit neighbor 172.16.99.4 interface ge-0/0/3.1000 virtual-circuit-id 1000\nset protocols l2circuit neighbor 172.16.99.4 interface ge-0/0/3.1000 encapsulation-type ethernet\nset protocols l2circuit neighbor 172.16.99.4 interface ge-0/0/3.1000 ignore-mtu-mismatch</pre>\n<p> </p>\n<p><strong>Cardiff Exchange<br></strong></p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">set interfaces ge-0/0/3 description \"Access port\"\nset interfaces ge-0/0/3 flexible-vlan-tagging\nset interfaces ge-0/0/3 encapsulation flexible-ethernet-services\nset interfaces ge-0/0/3 unit 1000 description \"TurboKart - Cardiff\"\nset interfaces ge-0/0/3 unit 1000 encapsulation vlan-ccc\nset interfaces ge-0/0/3 unit 1000 vlan-id-range 10-16\n\nset protocols l2circuit neighbor 172.16.99.1 interface ge-0/0/3.1000 virtual-circuit-id 1000\nset protocols l2circuit neighbor 172.16.99.1 interface ge-0/0/3.1000 encapsulation-type ethernet\nset protocols l2circuit neighbor 172.16.99.1 interface ge-0/0/3.1000 ignore-mtu-mismatch</pre>\n<p> </p>\n<p>All done, time to test.<br>Let's ping our fictitious customer's Llanelli site from VLAN 11 at Cardiff:</p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">TurboKart-CAR#show ip int br    \nInterface                  IP-Address      OK? 
Method Status                Protocol\nFastEthernet0/0            unassigned      YES NVRAM  administratively down down    \nGigabitEthernet1/0         unassigned      YES NVRAM  up                    up      \nGigabitEthernet1/0.11      10.77.11.2      YES NVRAM  up                    up      \nGigabitEthernet2/0         unassigned      YES NVRAM  administratively down down    \nGigabitEthernet3/0         unassigned      YES NVRAM  administratively down down    \nGigabitEthernet4/0         unassigned      YES NVRAM  administratively down down    \n\nTurboKart-CAR#sh run int g1/0.11\nBuilding configuration...\n\nCurrent configuration : 100 bytes\n!\ninterface GigabitEthernet1/0.11\n encapsulation dot1Q 11\n ip address 10.77.11.2 255.255.255.0\nend\n\nTurboKart-CAR#ping 10.77.11.1\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 10.77.11.1, timeout is 2 seconds:\n!!!!!\nSuccess rate is 100 percent (5/5), round-trip min/avg/max = 544/816/1676 ms\n</pre>\n<p>Job done!</p>\n<p>There's lots more we could do here to complement this setup so stay tuned :)</p>",
            "author": {
                "name": "Michael Bowen"
            },
            "tags": [
                   "Networks &amp; Security"
            ],
            "date_published": "2019-08-03T16:26:10+01:00",
            "date_modified": "2020-11-14T18:27:46+00:00"
        }
    ]
}
