Just need to unload one SRX at a decent profit, and pick up a second EX switch with the proceeds. Might spring for a 3200 or 4200 if one comes along cheap enough.
Showing posts with label JUNOS. Show all posts
Thursday, January 9, 2014
Monday, January 6, 2014
CCP aka Cisco Configuration Professional
I've had a real dearth of posts lately, due to both inherent craziness at work, and a couple other projects that I'm working on.
The HomeLab business was dry for a few months, then picked up with a vengeance right at Christmas. I sold 7 configured Labs over a two week period, ending the very last day of the year. Now that everything is shipped, I can get back to the projects I've been working on.
One of the projects will be... sometimes I forget the title of the Blog, "CCNP or Bust". It probably seems to the outsider, that it's more Bust than CCNP, but because of the limited use of Cisco gear at my day/night job, having the CCNP is less of a driving force. Becoming a well rounded network engineer, is more of a concern with the MEF-CECP a much more desired certification where I work.
That said, I'll be back focusing on the CCNP between February and the end of March, with a desired completion date of March 27th. There is a good reason for this, so the posts will probably be coming in a flurry between the beginning of February and that date.
I likely will be trying to take Switch around the end of Feb. So as the kids say... "It's on like Donkey Kong"
I have a few toys coming as well. I have a Dell Precision workstation, a T3600, identical to the workstations we have at work arriving today. Only thing it's missing are the dual W7000 Video cards that they (for whatever reason) Spec'ed our systems with. It's a bit of an example of what it's like to work at a company in which most of the people, apparently, even our IT department, don't really have a good grasp on what we do. $1300 for dual 4GB video cards, but only 4Gb of system ram. One can only chuckle. I picked up the entire workstation, with 8GB of system ram, for likely, less than my company paid for ONE of the video cards in my workstation at work. I estimate we probably overspent around $30,000 on our workstations.
I picked this up to run ESXi vm's for various reasons, including the evaluation version of Cisco Unified Connection manager, eventually.
I also have two more Juniper SRX210's on the way to facilitate a focus on the JNCIA-ENT after the CCNP is finished. At some point, I'd like to get out of NOC work, and into a 9-5, Monday through Friday position. I don't mind dealing with the occasional emergency network situation, but after nearly 8 years of constant Fiber cut/Network outage management, it's beginning to wear on me.
That all said I do have a subject here, and it aligns with one of my other projects, to be named later...
Cisco Configuration Pro. Something one will have to have some experience with for some of the new CCNA tests, and likely the CCNP when a likely revamp of those comes.
I've set it up seriously for the first time. I have an 1841 discovered and now a 3560.
There are a few simple configurations you will need to get a node discovered.
- interface configured on the network you have your PC running CCP on.
- username, privilege, and secret password for the device.
- VTY configured with privilege, local login, and transport inputs set
and that's pretty much it
Sunday, October 20, 2013
Need another SRX
Looks like the EX2200's don't have the layer 3 capabilities I'd need to have it be set up with provider bridging functions. I wasn't sure, but now know.
So... I'll be needing to pick up another SRX sooner than later, as the SRX does.
Need to be able to run this configuration to emulate the MX commands:
user@beb1> show configuration
routing-instances {
    pbn-1-for-eline {
        instance-type virtual-switch;
        interface ge-2/0/0.1;
        interface pip0.0;
        bridge-domains {
            bd1 {
                vlan-id 10;
            }
            eline-svlans {
                vlan-id-list [ 2100 ];
            }
        }
        pbb-options {
            peer-instance pbbn-1;
        }
        service-groups {
            eline1 {
                service-type eline;
                pbb-service-options {
                    isid 10100 interface ge-2/0/0.1;
                }
            }
        }
    }
}
Sunday, October 13, 2013
EX2200 password recovery
Enter configuration mode in the CLI:
user@switch> cli
Set the root password. For example:,
user@switch# set system root-authentication plain-text-password
whoops...Anyway, it's here: and you may need to have a (free) Juniper account set up to get to it. I have a J-TAC account due to work.
http://kb.juniper.net/InfoCenter/index?page=content&id=KB14102&actp=RSS&smlogin=true
Gist of it is, you power the device on, hit the spacebar when you get this prompt:
Hit [Enter] to boot immediately, or space bar for command prompt.
Then, once it gets to this prompt: loader>, you type boot -s, which starts it in single user mode
Then, you will get this prompt:
Enter full path name of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
Then, in my case, it went to a normal, non-configure prompt, where I moved to configure mode, and then set a new system, plain text password:
user@switch# set system root-authentication plain-text-password
Then, obviously, commit and reboot.
Saturday, October 12, 2013
EX2200 in the rack...
came last night, but had to get caught up in my Python class. Still need to password restore it.
Pics or it didn't happen...
Tuesday, October 8, 2013
Juniper EX2200 on the way
Barring any of the occasional EBay/Paypal issues, I should have an EX2200 added to the Carrier Ethernet rack within the week possibly. Surely by next week.
I have the devices partially set up now, and am working on an E-line configuration through the SRX210 from the ADVA 825.
Once the EX2200 comes in it will be run (Rack Server)HOST A -(1gig copper)- ADVA825 -(1gig copper)- SRX210 (1gig copper)- EX2200 -(1 gig MM fiber)- ADVA 206v -(1gig fiber)- HOST B(Cisco 3560)
Monday, September 30, 2013
Juniper SRX210 configuration for JNCIA-SP study
Since, out of the box, the SRX210 is for all intents and purposes, a firewall, some adjustments have to be made to make it work for Service provider study. Bear with me, I'm in a bit over my head still and clawing my way out.
This came from Jeremy Merideth's blog, which it doesn't appear that he is currently maintaining, but great info in here and a thanks to him. How to get an SRX out of default Juniper config:
http://runningsecure.blogspot.com/2011/06/screenos-background.html
For the purpose of this blog I will be configuring an SRX100.
When either taking an SRX out of the box or entering the following commands, you will get the Juniper default configuration.
root@host# load factory-default
root@host# set system root-authentication plain-text-password
root@host# commit and-quit
root@host> request system reboot
Personally I prefer to work from a blank canvas, so the following commands remove all Juniper applied config, add a few tweaks and give us a starting point to build up our configurations.
Remove the interface Ethernet Switching
root@host# delete interfaces fe-0/0/1 unit 0 family ethernet-switching
"Repeat for interfaces range 1-7"
root@host# delete interfaces vlan unit 0 family inet address 192.168.1.1/24
root@host# delete interfaces vlan unit 0 family inet
Remove the fe0/0/0.0 interface from Security Zone
root@host# delete security zones security-zone untrust interfaces fe-0/0/0.0
Remove the Zone Interfaces and Policies
root@host# delete security zones security-zone trust host-inbound-traffic
root@host# delete security zones security-zone trust interfaces vlan.0
Remove Default Policies
root@host# delete security policies from-zone trust to-zone untrust
Remove Default Web Management
root@host# delete system services web-management http interface vlan.0
root@host# delete system services web-management https interface vlan.0
Remove NAT rule
root@host# delete security nat source rule-set trust-to-untrust
Remove Screening on Untrust Zone
root@host# delete security zones security-zone untrust screen
Remove Existing Name Servers and add Google ones
root@host# delete system name-server 208.67.222.222
root@host# delete system name-server 208.67.220.220
root@host# set system name-server 8.8.8.8
root@host# set system name-server 8.8.4.4
root@host# delete system services dhcp
Remove Default Security Zones
root@host# delete security zones security-zone untrust
root@host# delete security zones security-zone trust
root# run show configuration | display set
set version 11.1R2.3
set system root-authentication encrypted-password "$1$sF9Tjm/m$zu6xvdjAUIqeeHSP69Vfm0"
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0
set interfaces fe-0/0/1 unit 0
set interfaces fe-0/0/2 unit 0
set interfaces fe-0/0/3 unit 0
set interfaces fe-0/0/4 unit 0
set interfaces fe-0/0/5 unit 0
set interfaces fe-0/0/6 unit 0
set interfaces fe-0/0/7 unit 0
set interfaces vlan unit 0
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
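An added example (not from this post or the quoted blog): a small Python audit that reads `show configuration | display set` output like the dump above and flags what the stripped-down config still exposes on the management plane, plus whether the console root password recovery from the EX2200 post is still open. Rule names, severities and both sample configs are constructed for illustration, and the hashes are placeholders.

```python
"""Audit Junos 'display set' output for leftover management-plane exposure."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    severity: str
    detail: str


# One-line rules: (rule id, severity, pattern, why it matters).
LINE_RULES = [
    ("telnet-enabled", "high",
     re.compile(r"^set system services telnet\b"),
     "telnet sends logins in cleartext"),
    ("xnm-clear-text", "high",
     re.compile(r"^set system services xnm-clear-text\b"),
     "Junos XML management without encryption"),
    ("jweb-http", "high",
     re.compile(r"^set system services web-management http(?:\s|$)"),
     "J-Web reachable over plain HTTP"),
    ("md5-crypt-hash", "medium",
     re.compile(r'encrypted-password "\$1\$'),
     "$1$ marks an MD5-crypt hash, weak by current standards"),
]

WEB_MGMT = re.compile(r"^set system services web-management\b")
WEB_IFACE = re.compile(r"^set system services web-management https? interface \S+")
SCREEN_DEF = re.compile(r"^set security screen ids-option (\S+)")
SCREEN_USE = re.compile(r"^set security zones security-zone \S+ screen (\S+)")
CONSOLE_INSECURE = re.compile(r"^set system ports console insecure\b")


def audit(config_text):
    """Return Finding tuples for a 'show configuration | display set' dump."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln.startswith("set ")]
    findings = []

    for rule, severity, pattern, why in LINE_RULES:
        for ln in lines:
            if pattern.search(ln):
                findings.append(Finding(rule, severity, f"{why}: {ln}"))

    # J-Web enabled but never pinned to an interface.
    web = [ln for ln in lines if WEB_MGMT.match(ln)]
    if web and not any(WEB_IFACE.match(ln) for ln in web):
        findings.append(Finding("jweb-unrestricted", "medium",
                                "web-management has no interface restriction"))

    # Screen profiles that exist but are applied to no security zone.
    defined = {m.group(1) for ln in lines if (m := SCREEN_DEF.match(ln))}
    attached = {m.group(1) for ln in lines if (m := SCREEN_USE.match(ln))}
    for name in sorted(defined - attached):
        findings.append(Finding("screen-unattached", "low",
                                f"screen '{name}' is not applied to any zone"))

    # With 'console insecure' set, Junos asks for the root password before
    # single-user mode, which closes the console password-recovery path.
    if not any(CONSOLE_INSECURE.match(ln) for ln in lines):
        findings.append(Finding("console-recovery-open", "low",
                                "'system ports console insecure' is not set"))
    return findings


# Constructed sample shaped like the dump above; the hash is a placeholder.
SAMPLE_CONFIG = """\
set version 11.1R2.3
set system root-authentication encrypted-password "$1$EXAMPLE0$PlaceholderHashNotARealOne"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http
set system services web-management https system-generated-certificate
set interfaces fe-0/0/0 unit 0
set security screen ids-option untrust-screen tcp land
set security policies
"""

# Constructed hardened counterpart (ssh and https only, console locked).
HARDENED_CONFIG = """\
set system root-authentication encrypted-password "$6$EXAMPLE0$PlaceholderHashNotARealOne"
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface fe-0/0/0.0
set system ports console insecure
set security zones security-zone untrust screen untrust-screen
set security screen ids-option untrust-screen tcp land
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```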
And then how to set it up to more closely emulate an MX series SP switch from the Juniper Forums:
Cleaned up the rack some, and added some cable management. The second ADVA (GE206V) is just waiting for some MM fiber jumpers to arrive. (quite literally, possibly, on a slow boat from china)
Need to sell a couple more racks and I'll have enough to pull the trigger on a Juniper EX2200 to more fully simulate the types of circuits we'll be performing break/fix on.
Sunday, September 29, 2013
Juniper Blog ?
With the new position I'm starting, I'm probably going to need to delve MUCH more into JUNoS, so I'm wondering if I should just add a separate page to this blog, (or find a more logical way to separate the posts within this one) or start a new one.
For that matter, I might want to start a separate Carrier Ethernet page or Blog.
I'll sit and think on it for a bit. I don't know that I'll have time to be posting to multiple separate blogs, especially when the racing blog starts up in earnest next year again with what will, hopefully, be a pretty interesting F-prepared BMW Z-3 build from a stripped shell.
Dunno, I'll think about it while I'm setting up the Carrier Ethernet simulation network with the Junipers and ADVA's.
Monday, August 26, 2013
Junipers Router JWEB
Since I posted the Cisco GUI for the 3560, I thought, since the J2300 came in today, that I'd post a pic of the Jweb interface page on the juniper. This is old as the hills, as this thing came with Junos 7.3, circa 2004.
It's pretty similar. One wonders why we don't use these more.
The rack is definitely looking more interesting, if not more useful.
The Cyclades Term server and the Adva Carrier ethernet switch came in today as well. I haven't begun to sort out the Cyclades yet, which is linux based, and the Adva came with a DC power supply, so I'll have to wait for the AC P/S I ordered today to come, assuming it was the right one. There's not a lot of info on the ADVA site, and my login credentials to the Adva customer portal are at work.
I can already tell that the Adva SFP's are not going to be the killer, but it's going to be the Juniper SFP's on whatever EX switch I end up getting that is going to break the bank.
I'll say one thing, physically, everything about a Juniper or an Adva device appears to be of higher quality than on any Cisco device I've had. The Adva, made in Germany, is on a much higher plane of quality than the other two. Probably comparing apples and oranges, but just an observation. I've now worked with Cisco, Juniper, Alcatel, Marconi, Nortel, and Adva routing and switching gear, and the Adva stuff seems to be more like Nortel used to be, if anything, over-engineered.
The rack with its new additions.
I spent about an hour configuring the wrong T1 interface in the Juniper, thinking I had missed some crucial option in the T1-options, not realizing that T1-0/0/0 is actually T1-0/0/2, after the FE0/0/0, and FE0/0/1. Anyway, I'm pinging J2300 to 1841 on T1 interfaces for the first time.
To contrast the config differences:
J2300
t1-0/0/2 {
    mtu 1504;
    clocking internal;
    encapsulation ppp;
    t1-options {
        timeslots 1-24;
        buildout 0-132;
        line-encoding b8zs;
        framing esf;
    }
    unit 0 {
        family inet {
            address 10.0.0.3/24;
        }
    }
}
1841
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.0
 encapsulation ppp
 no fair-queue
 service-module t1 cablelength short 110ft
 service-module t1 timeslots 1-24
Sunday, August 25, 2013
New equipment trickling in... and another Juniper acquisition
After selling 5 systems over about a week and a half, my entire CCNA rack was bare, and ALL of my access servers went to good Cisco studying homes, I had to reload.
So I now have here, or on the way:
Cisco:
10 x 2960-TTL
2 x 2610xm 128/32
3 x 2611xm
3 x 2610 64/32
1 x 2620
1 x 2509rj access server
Term Servers:
2 x Avocent Cyclades TS-3000
Juniper:
J2300 Router
SRX 210b Service Access switch (a 3:30am ebay auction win for $200 !)
ADVA:
FSP-150CC - GE206V Carrier Ethernet Access switch
So my own study rack will be getting much more interesting and fiber based, in line with some coming changes at work in which my job will be becoming much more Juniper (and Cisco) based again soon.
I'm replacing the rental racks access servers with the Avocent Cyclades TS-3000
These support SSH, GUI based management, and by-port authentication, which will result in a more seamless studying experience, allowing use of more effective tabbed terminal emulation which the menu-based setup I had didn't really accomplish well. The fact that I picked up two of them for half the price of a single cisco 2511 didn't hurt either. Hopefully they will work.
The start of the Juniper lab is exciting as well. I'll have to integrate it into the CCNP lab for now, with another SRX 210, and a couple EX2200 or 3200's still needed to build the stand-alone lab.
Tuesday, August 20, 2013
Changing direction a little bit
I still have one CCNA rack, and the CCNP R&S rack built, but I've started to make a few purchases to diversify training.
I picked up a Juniper 2300 rtr today, NIB for $100. Not even sure if that was a good deal or not. It appears to be.

Also picked up an ADVA FSP150CCF-GE206V , CARRIER ETHERNET ACCESS switch.

The ADVA may only interest those that I work with in Carrier transport. I'm going to build a carrier access network with mixed Juniper and Adva to enhance my ethernet skills, hopefully the SFP purchases won't break the bank.
I'll have a bid out shortly for a couple Juniper EX3200's as well. The SRX210's will probably have to wait a bit.
Wednesday, February 22, 2012
Wednesday, February 15, 2012
Next JUNOS walkthroughs
Next JUNOS walkthrough will be OSPF configuration, then BGP, and then likely Firewall Filters.
I'll likely get something up tonight.
Tuesday, January 24, 2012
Basic Junos interface configuration
Thought I'd just throw these in here. Pretty self explanatory. I show the options available for each step of the command.
You can go directly to setting the interface IP without going into edit interface level by typing the whole command.
set interfaces em0 unit 0 family inet address 0.0.0.0/24
Obviously the ability to enter the subnet mask in CIDR is different, and pretty handy.
Friday, January 20, 2012
Junos router initial login and configuration
Ok, I've built a small mixed Cisco/Juniper Network for OSPF studying and here is some of what I've learned as I go.
To start with, after dragging your Junos device(assuming you have your QEMU junos instance, or however you are getting to Junos up in GNS3), you will open console and get this, or something similar:
It's important to note that this boot process on your machine may take quite awhile. I don't know if it is processor or ram limited, but on my fairly robust Core i5 box with 16 gb ram, it takes 5 minutes or so. Some people on the GNS3 forums were making the assumption that they weren't getting in, I think, simply because they didn't wait long enough.
Note: when getting out of Junos windows, you have to ctrl+Alt.
Eventually you will get a login prompt.
(you won't see the password request on first access)
At the login prompt, you will want to enter ROOT access, so amazingly, you type "ROOT" Which will get you to the root access. Then to get to CLI from there, if a password has not been set, you once again, surprisingly, type "CLI" ;-)
And then you are here...
Now, to enter config level, you can type configure, or Edit.
From here, for example, you can configure the host-name etc.
FYI, if you want to run show commands from configure level, like using "do" in IOS, you need to type "run"
I'll run a show interface for the ethernet 0 interface. Note: The interface is named "em0"
To save any changes in the Junos, you will have to set the Root-Authentication. This allows multiple options but for training sake, I'm using a Plain-Text-password.
Once this is set, you can use the "commit" command to save the configuration.
That's all for now. I'll add a configuring an interface post later tonight.
***edit***
Yeah, obviously haven't gotten to this yet. Probably tonight.
Thursday, January 12, 2012
More IOS/Junos OSPF
For those wanting to begin training in Junos and have Junos on Olive here is the Juniper learning portal link to Junos as a Second Language. You'll have to register to gain access.
https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=3310
Added another Junos Router and am working with Stubs and NSSA's
Tuesday, January 10, 2012
cisco - Juniper ospf configuration
It's coming along... Slowly
One of the things I've found is that in the Graphical representation, on the Junos routers, GNS3 doesn't apparently always label the ports correctly. em0/e0 isn't always on the correct side as it is represented in Dynamips.
But we have neighborship.
R2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1         128   FULL/BDR        00:00:39    192.168.6.1     Ethernet1/0
cisco:
R2(config)#do sh run | b int
interface Serial0/0
 ip address 192.168.1.2 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial0/1
 ip address 192.168.3.2 255.255.255.0
 serial restart-delay 0
!
interface Serial0/2
 ip address 192.168.2.2 255.255.255.0
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Ethernet1/0
 ip address 192.168.6.2 255.255.255.0
 ip flow ingress
 ip flow egress
 ip ospf network broadcast
 full-duplex
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
router eigrp 100
 network 192.168.1.0
 network 192.168.2.0
 auto-summary
!
router ospf 1
 router-id 6.6.6.6
 log-adjacency-changes
 network 192.168.6.0 0.0.0.255 area 0
Juniper config
Wednesday, October 19, 2011
JunOS on GNS3
Ok. Apparently, I was making the whole junos on GNS3 out to be a lot more difficult than it is now, it seems, at least for me. The version of OLIVE I sourced already had all the modifications to QEMU, and FreeBSD made, so I didn't have to do anything but set the path to the instance of OLIVE.
Anyway, if you can source a usable version of Olive (the one I found already had QEMU patched for UDP out of the box), and are running at least GNS3 V7.4 on a Vista machine as I am, I can verify it works out of the box, and the setup is similar to QEMU hosts.
After years of simply monitoring Juniper interfaces, now I am configuring them...