Monday, September 30, 2013

Juniper SRX210 configuration for JNCIA-SP study

Since, out of the box, the SRX210 is, for all intents and purposes, a firewall, some adjustments have to be made to make it work for service provider study. Bear with me; I'm still in a bit over my head and clawing my way out.

This came from Jeremy Merideth's blog, which he doesn't appear to be maintaining any more, but there is great info in it, and thanks to him. How to get an SRX out of its default Juniper config:

http://runningsecure.blogspot.com/2011/06/screenos-background.html


SRX Default Config


For the purpose of this blog I will be configuring an SRX100.
Whether you are taking an SRX out of the box or entering the following commands, you will get the Juniper default configuration.

root@host# load factory-default
root@host# set system root-authentication plain-text-password
root@host# commit and-quit
root@host> request system reboot

Personally I prefer to work from a blank canvas, so the following commands remove all Juniper-applied config, add a few tweaks and give us a starting point to build up our configurations.

Remove the interface Ethernet Switching
root@host# delete interfaces fe-0/0/1 unit 0 family ethernet-switching
(Repeat for fe-0/0/1 through fe-0/0/7)
root@host# delete interfaces vlan unit 0 family inet address 192.168.1.1/24
root@host# delete interfaces vlan unit 0 family inet

Remove the fe-0/0/0.0 interface from Security Zone
root@host# delete security zones security-zone untrust interfaces fe-0/0/0.0

Remove the Zone Interfaces and Policies
root@host# delete security zones security-zone trust host-inbound-traffic
root@host# delete security zones security-zone trust interfaces vlan.0

Remove Default Policies
root@host# delete security policies from-zone trust to-zone untrust

Remove Default Web Management
root@host# delete system services web-management http interface vlan.0
root@host# delete system services web-management https interface vlan.0

Remove NAT rule
root@host# delete security nat source rule-set trust-to-untrust

Remove Screening on Untrust Zone
root@host# delete security zones security-zone untrust screen

Remove Existing Name Servers and add Google ones
root@host# delete system name-server 208.67.222.222
root@host# delete system name-server 208.67.220.220
root@host# set system name-server 8.8.8.8
root@host# set system name-server 8.8.4.4
root@host# delete system services dhcp

Remove Default Security Zones
root@host# delete security zones security-zone untrust
root@host# delete security zones security-zone trust

root# run show configuration | display set
set version 11.1R2.3
set system root-authentication encrypted-password "$1$sF9Tjm/m$zu6xvdjAUIqeeHSP69Vfm0"
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0
set interfaces fe-0/0/1 unit 0
set interfaces fe-0/0/2 unit 0
set interfaces fe-0/0/3 unit 0
set interfaces fe-0/0/4 unit 0
set interfaces fe-0/0/5 unit 0
set interfaces fe-0/0/6 unit 0
set interfaces fe-0/0/7 unit 0
set interfaces vlan unit 0
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
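One thing the display set output above makes plain: the "blank canvas" still has telnet, xnm-clear-text (the JUNOScript XML API over clear text) and HTTP/HTTPS web management turned on, and root is the only account. The commands below are an added example, not part of the original post or of Jeremy's blog, for closing those off before building anything on top. They assume you are on the console, that the user name admin is a name of your choosing (hypothetical), and that SSH is the only management service you want left:

```junos
root@host# delete system services telnet
root@host# delete system services xnm-clear-text
root@host# delete system services web-management
root@host# set system services ssh protocol-version v2
root@host# set system services ssh root-login deny
root@host# set system login user admin class super-user authentication plain-text-password
root@host# commit check
root@host# commit and-quit
root@host> show configuration system services | display set
```

The plain-text-password form prompts for the password twice and stores only the hash, so nothing cleartext lands in the config. Do this from the console: with both security zones gone, no revenue port will accept management traffic at all until you put it back into a zone that lists ssh under host-inbound-traffic system-services, and with root-login deny the admin account is the only way in over SSH once you do. The final show command is the check: it should list only the two ssh lines.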

And then, how to set it up to more closely emulate an MX-series service-provider router, from the Juniper Forums:


Cleaned up the rack some and added some cable management. The second ADVA (GE206V) is just waiting for some MM fiber jumpers to arrive (quite literally, possibly, on a slow boat from China).

Need to sell a couple more racks and I'll have enough to pull the trigger on a Juniper EX2200, to more fully simulate the types of circuits we'll be doing break/fix on.



Sunday, September 29, 2013

New tabs for CCNP, JUNOS, and MEF-CECP(Metro/Carrier Ethernet)

So I cleaned up the pages some, and going forward I will be tagging posts so they are easy to pull up by hitting the menu button at the top of the blog for whatever you want to look at.

Juniper Blog ?

With the new position I'm starting, I'm probably going to need to delve MUCH more into Junos, so I'm wondering whether I should just add a separate page to this blog (or find a more logical way to separate the posts within this one) or start a new one.

For that matter, I might want to start a separate Carrier Ethernet page or Blog.

I'll sit and think on it for a bit. I don't know that I'll have time to be posting to multiple separate blogs, especially when the racing blog starts up in earnest again next year with what will, hopefully, be a pretty interesting F-prepared BMW Z3 build from a stripped shell.

Dunno, I'll think about it while I'm setting up the Carrier Ethernet simulation network with the Junipers and ADVAs.



Friday, September 27, 2013

Well, I guess I'm an "Engineer" now...

My start date for my new position as "Engineer, Network Operation Center" is today.

Some companies might call us Tier 3. I'll be off the phones for the most part, unless it is an engineer-to-engineer conference requiring more advanced troubleshooting. Going on salary as well. Not sure how I feel about that; I'll have to see how they handle it.

Our commercial NOC is growing from 40+ analysts to upwards of 120, including the 12 engineers, of whom I am one.

It's been a great experience coming from climbing poles and outside plant to the logical side. I look forward to new and greater challenges.

Sunday, September 22, 2013

Home Network Baller Status ?

Is home network "baller" status achieved when your home router becomes a Juniper SRX210?
Sold the ADSL PIM out of it for $100, making it a net $285.00 purchase, which is a pretty good deal for one of the SRX210 high-memory versions.

Racks in, racks out. I was getting a bit worried, but it appears that a large percentage of people in the U.S. must be on the same payday weeks. Almost exactly two weeks from the last time I cleaned out my stock, I'm almost cleaned out again.

Sold 5 systems over the last few days. Configuring what I have left to be a pretty nice rack for the Labkeeper.net/Packetlife.net Beta.

Upgraded a few of the XM routers I have left to be able to run 12.4T, IPv6 and advanced security features like zone-based firewalls; 192/48 (DRAM/flash, in MB) is required.

A few 2651XM routers with old boot ROMs

Now with upgraded boot ROM allowing 256 MB of DRAM

Monday, September 16, 2013

Rack Cam back running

Rack cam as living proof that I am, in fact, still studying for my CCNP. Big changes coming at work, and I might actually need it now.

Working HSRP labs tonight. If you watch the switches, you might even see ports changing status...

But if you are watching my switches to see if they change status, you probably need some help...and not the lab rack kind.

;-)

Thursday, September 12, 2013

Carrier Ethernet rack coming along... Working on RADIUS authentication to become a part of Packetlife.net's LabKeeper.net beta testing.

Picked up my second ADVA to almost complete my Carrier Ethernet NID acquisitions. I'll probably try to pick up a Cisco ME3400 as well, but those end up costing nearly as much as the Junipers do.

I should be able to do some simulations and practice what we preach at work soon.

The one on top is an FSP 150CCf-825, with 4 x 10/100 copper access ports, 1 x gig copper access port, 1 x gig fiber access port, and two copper and two fiber network ports.

The one on the bottom is an FSP 150CC-GE206 and is all fiber, with six access and two network ports.

ADVAs are made in Germany, and the quality shows.

Working hard on CCNP switch study to hopefully test for SWITCH by the end of the month.

I'm working on getting at least one lab live on the labkeeper.net system that Packetlife.net author Jeremy Stretch has put together. It's an amazing bit of work he's done, and it should make getting racks out to people much easier. It might kill my business, but I was never really in this to make a killing, just to help pay for my own racks. Hopefully, soon, I'll be a busy network engineer and have no time for the business anyway.

Monday, September 9, 2013

CCNA rack try-b4-u-buy is available again... Donations would be wonderfulness!!!

As it says, the rack in the previous post is available to schedule for Try-b4-u-Buy.

See the Rack Schedule page, or the CCNA topology page, for the scheduling button. It's blocked out until mid-day tomorrow, as I have to make changes to the topology to fit the new rack config.

I'm probably going to limit this to one scheduling per day and see how it goes. If it gets out of hand, and it appears that someone is attempting to resell time, I'll discontinue it and/or only give access to people through eBay contact.

Sunday, September 8, 2013

Cable building day... and New racks for sale

I tend to dread these days.

I don't know if it's flashbacks to my BICSI commercial cabling days or if I'm just lazy, but I hate building cables.

With the selling of my semi-custom CCNA and CCNP racks, I have to build quite a few of them, especially when I use 2509/2511 RJ access servers.

They do end up pretty aesthetically pleasing though. I don't think anyone is selling racks this complete on eBay.

Sunday, September 1, 2013

PuTTY Manager + Avocent access server = heaven in studying...

Don't forget to configure keepalives or you'll lose your sessions every time the window times out. I'm trying every 15 seconds to see if there is any kind of issue.


Cable pinout for Terminal Servers, NM modules, etc.

I've been meaning to make this post for a while, and as I'm building rollover cables for the Avocent TS-3000, I thought it would be a good time to get most of the cable pinouts for custom cables into one place for myself and others.

If you are using other types of modules for CCNP and up, it's my estimation that you are probably spending too much $$$. I've been getting 56k modules nearly free, and WIC-T1s for as low as $3.50 apiece. In comparison, it's difficult to get a WIC-1T for less than $10.00, and then you have to spend another $10.00 for one cable. I can build much more easily managed cabling for T1 modules for around $0.25 per cable.

Here is Cisco's PDF:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.10/installation/guide/Pinouts.pdf

My nothing-fancy guide:

Terminal server rollover cable (standard rollover: pin n on one end lands on pin 9-n on the other; signal names are the Cisco RJ-45 console/async assignment, assumed on both ends):

near pin (signal)   far pin (signal)
1 (RTS)       -     8 (CTS)
2 (DTR)       -     7 (DSR)
3 (TxD)       -     6 (RxD)
4 (GND)       -     5 (GND)
5 (GND)       -     4 (GND)
6 (RxD)       -     3 (TxD)
7 (DSR)       -     2 (DTR)
8 (CTS)       -     1 (RTS)

T1 crossover cable for back-to-back connection:


Typical T1 configuration (on the serial interface of the T1 CSU/DSU WIC, one side):

 ip address 10.1.12.2 255.255.255.0
 no fair-queue
 no dce-terminal-timing-enable
 service-module t1 clock source internal
 service-module t1 timeslots 1-24

The other side is the same except for a different IP address, of course, and:

 service-module t1 clock source line

Once both sides are up, show service-module serial <slot/port> on each router should report no alarms and the clock source you configured (internal on one end, line on the other).

56k 4-wire crossover cable for back-to-back connection:

56k 4-wire back-to-back typical config:

Special considerations: one side must generate the clock (clock source internal) and the other must recover it from the line, and both must be set to network-type dds, since there is no carrier switch between them.

 ip address 192.168.1.1 255.255.255.0
 service-module 56k clock source internal
 service-module 56k network-type dds

other side:

 ip address 192.168.1.2 255.255.255.0
 service-module 56k clock source line
 service-module 56k network-type dds

Avocent Cyclades to ADVA RJ45-RJ45

This one took me longer to wrap my head around while learning more about digital signalling.

I had these to work with:

Cyclades RJ45 to DCE DB-25 pinouts

And the ADVA documentation for the RJ45 to DB-9 pinout.

Once I figured out that the Cyclades to DCE was more or less straight through, it made sense.

This resulted in the following, T568B colors on my Cyclades end to pins on the ADVA end:

1 wht/org - pin 8 (RTS - RTS)
2 org     - pin 3 (DTR - DTR)
3 wht/grn - pin 6 (TxD - TxD)
4 blu     - pin 4 (GND - GND)
5 wht/blu - pin 7 (CTS - CTS)
6 grn     - pin 5 (RxD - RxD)
7 wht/brn - pin 1 (DCD - DCD, not used)
8 brn     - pin 2 (DSR - DSR)

I'll add more as I use them.