Dr Ahriakin's Singalong JNCIE-Sec Blog

Comments

  • Ahriakin (Member, Posts: 1,799)
    Playing with logical systems at the moment, just some of the simpler side with completely separate instances (i.e. no logical tunneling between). It's interesting seeing the differences with Juniper's approach vs. Cisco's multi-context. I think the ASA does the multi-tenant approach (i.e. the contexts are intended for different administrative domains) better, whereas the SRX is more tightly integrated. Yes, you can do multi-tenant, but the separation is not quite as extreme. That in itself can be helpful too, though, as you have more l-sys interaction options; it just depends on the context (pun intended). Next I want to play around with logical-tunnels and see what I can do with FBF etc. to really get some finer control over traffic flow and running different services per l-sys...maybe get around that IDP and NAT64 bug - NAT64 between l-sys over an LT and run IDP on the last leg as just v4? Have to see if that works...lots of options :)
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Ahriakin (Member, Posts: 1,799)
    Native IPv4, IPv6 and NAT64 across 2 logical systems with some filter based forwarding thrown in for good luck....that was fun :)

    The syntax for using IPv6 inside a routing-instance is a little odd in that it's recursive. What I mean is that you have to reference your IPv6 table as a RIB just as you do in the common routing-options, but you need to statically reference the instance name from within itself (it won't auto-complete either; this was from hit-and-miss troubleshooting).

    The example below illustrates this, where we're going to use FBF to apply a different default route for separately defined/filtered traffic. The new forwarding instance of "Redirect-Table-1" needs to reference rib "Redirect-Table-1.inet6.0".
    [edit routing-instances]
    Redirect-Table-1 {
        instance-type forwarding;
        routing-options {
            rib Redirect-Table-1.inet6.0 {
                static {
                    route 0::0/0 next-hop aaaa:bbbb:cccc:dddd::2;
                }
            }
        }
    }
    
    
    
    
    Here's the rest of the relevant config if you're interested.
    
    [edit routing-options]
    interface-routes {
        rib-group {
            inet6 IPv6-RIB;
        }
    }
    #
    #
    rib inet6.0 {
        static {
            route 0::0/0 next-hop aaaa:bbbb:cccc:dddd::1;
        }
    }
    #
    #
    rib-groups {
        IPv6-RIB {
            import-rib [ inet6.0 Redirect-Table-1.inet6.0 ];
        }
    }
    
    
    [edit firewall filter]
    family inet6 {
        filter Lab-Ingress-IPv6 {
            term Bypass-Redirect {
                from {
                    destination-prefix-list {
                        Bypass-List-IPv6;
                    }
                }
                then accept;
            }
            term Redirect-Web {
                from {
                    prefix-list {
                        Lab-Hosts;
                    }
                    destination-port [ 80 3128 ];
                }
                then {
                    count Redirect-Web;
                    routing-instance Redirect-Table-1;
                }
            }
            term Permit-ANY-ANY {
                then accept;
            }
        }
    }
    
  • Ahriakin (Member, Posts: 1,799)
    The going has been slow (I think the lack of entries here kinda makes that obvious :) ). I did get playing around with some deeper NAT configs again; the most interesting one lately was using port-overload-factor for source NAT. It's a feature that was introduced in 11.2, I believe, that uses a full source+dst mapping for NAT instead of simply source, so provided the connection conditions are right you can increase the connections per IP in the pool up to 32x. There is a limitation in that only 16 addresses per chassis can use the feature, but I'm guessing that will increase with code revisions as it smacks of software table size limitations.


    Example setting the overload to 16x (~1mil PAT xlates)
    [edit security nat]
    source {
        pool Public-Pool-1 {
            routing-instance {
                transit-traffic;
            }
            address {
                192.0.2.0/32;
            }
            port port-overloading-factor 16;
        }
    }
    
    
  • Ahriakin (Member, Posts: 1,799)
    Another simple command I'm learning to love: "help apropos xxxx". Can't remember the syntax or even the base stanza for a certain function, but you know part of the keyword? Then pop it in. It is context sensitive, so it will search from whatever stanza you are in down; remember to head back to TOP if you are truly lost.
    Today I was trying to remember where to configure security policy drop options based on whether they reference the NAT or native IP of the end host. Since you write a policy to a host with a destination NAT using the native IP, even though traffic will/should be using the NAT address as the destination IP, the SRX will by default also allow traffic matching the native address; you have to explicitly tell it not to if that is not desirable (which in most cases it is not).

    [edit security policies from-zone UNTRUST to-zone TRUST policy Permit-ANY-WebServers]
    me@labsrx# help apropos translated
    #
    #
    set then permit destination-address drop-translated
    Drop the policy if NAT translated
    set then permit destination-address drop-untranslated
    Drop the policy if NAT untranslated


    Neat :)
  • Ahriakin (Member, Posts: 1,799)
    I booked my first iNetZero lab session for this Sunday. Their 12am CET slot works out perfectly for me; being 7 hours ahead, that means a 5pm CST start (the day previous). I had received 2 vouchers with the workbook, and reservation was painless and quick. I'll let you know how the actual experience was next week.
    Study-wise I'm working primarily on the O'Reilly JunOS Security book again this week, about a quarter of the way through on what will be my 3rd read in a year. I did get sidetracked with 'show snmp mib walk' though; really cool for production when you're trying to optimize your NMS views, and I found at least one important KPI that doesn't seem to have a standard show command: viewing connections per second. Here's an example using a HA cluster:

    > show snmp mib walk jnxJsNodeSessionCreationPerSecond

    jnxJsNodeSessionCreationPerSecond.0 = xxxxx
    jnxJsNodeSessionCreationPerSecond.1 = 0
  • zoidberg (Member, Posts: 365)
    You can try this command for monitoring cps - show security monitoring performance

    This is a high-end SRX; not sure how this compares on a branch SRX. It breaks it down per SPC, but if you look at the CP, it should give you the total for the SRX. Sorry, I'm too lazy to fire up some test traffic right now to give this display some numbers :) I'm not sure when this command made it into Junos; 10.4 maybe? 11.1? Not sure.
    {secondary:node0}
    user@node> show security monitoring performance session node 0 fpc 7 pic 0 
    node0:
    --------------------------------------------------------------------------
    fpc  7  pic  0
    Last 60 seconds:
     0:       2   1:       2   2:       2   3:       2   4:       2   5:       2
     6:       2   7:       2   8:       2   9:       2  10:       2  11:       2
    12:       2  13:       2  14:       2  15:       2  16:       2  17:       2
    18:       2  19:       2  20:       2  21:       2  22:       2  23:       2
    24:       2  25:       2  26:       2  27:       2  28:       2  29:       2
    30:       2  31:       2  32:       2  33:       2  34:       2  35:       2
    36:       2  37:       2  38:       2  39:       2  40:       2  41:       2
    42:       2  43:       2  44:       2  45:       2  46:       2  47:       2
    48:       2  49:       2  50:       2  51:       2  52:       2  53:       2
    54:       2  55:       2  56:       2  57:       2  58:       2  59:       2
    
    {secondary:node0}
    user@node>
    
  • Ahriakin (Member, Posts: 1,799)
    Cool, thanks. I use 'show security monitor performance spu' a lot just never thought to go digging along that syntax line for what I'd consider a session stat (it should really be under something like 'show security flow cp-session summary' imho).

    Anyway spent the night recabling my lab, imaged the SRXs to 11.1 (had a few variants of 11.4 on there, best to make it the official build at this stage) wiped off the existing configs and set them up from scratch again, it doesn't hurt to go back and do the basics. Played around with services like NTP, peering with public servers, then peering between the SRXs etc.
  • Ahriakin (Member, Posts: 1,799)
    I checked out that command (show security monitoring performance session); it looks like it's total sessions per SPU though, not the actual rate. Methinks it's time for a feature request to our SE.


    From a 5800, CP active on Node0. The CP shows 0; the first flow SPU shows the current total for its part of the pie.
    show security monitoring performance session node 0 fpc 0 pic 0
    node0:
    --------------------------------------------------------------------------
    fpc  0  pic  0
    Last 60 seconds:
     0:       0   1:       0   2:       0   3:       0   4:       0   5:       0
     6:       0   7:       0   8:       0   9:       0  10:       0  11:       0
    12:       0  13:       0  14:       0  15:       0  16:       0  17:       0
    18:       0  19:       0  20:       0  21:       0  22:       0  23:       0
    24:       0  25:       0  26:       0  27:       0  28:       0  29:       0
    30:       0  31:       0  32:       0  33:       0  34:       0  35:       0
    36:       0  37:       0  38:       0  39:       0  40:       0  41:       0
    42:       0  43:       0  44:       0  45:       0  46:       0  47:       0
    48:       0  49:       0  50:       0  51:       0  52:       0  53:       0
    54:       0  55:       0  56:       0  57:       0  58:       0  59:       0
    
    
    show security monitoring performance session node 0 fpc 0 pic 1
    node0:
    --------------------------------------------------------------------------
    fpc  0  pic  1
    Last 60 seconds:
     0:  143790   1:  144818   2:  143713   3:  144565   4:  143469   5:  144361
     6:  143310   7:  144517   8:  143483   9:  144609  10:  143549  11:  144485
    12:  143404  13:  144406  14:  143352  15:  144404  16:  143394  17:  144360
    18:  143326  19:  144374  20:  143303  21:  144370  22:  143342  23:  144422
    24:  143402  25:  144470  26:  143385  27:  144489  28:  143449  29:  144631
    30:  143591  31:  144824  32:  143708  33:  144669  34:  143544  35:  144817
    36:  143725  37:  144752  38:  143575  39:  144602  40:  143493  41:  144579
    42:  143459  43:  144484  44:  143458  45:  144405  46:  143345  47:  144450
    48:  143444  49:  144404  50:  143383  51:  144292  52:  143275  53:  144195
    54:  143165  55:  144197  56:  143208  57:  144116  58:  143044  59:  144049
    
    
    show snmp mib walk jnxJsNodeSessionCreationPerSecond
    jnxJsNodeSessionCreationPerSecond.0 = 12466
    jnxJsNodeSessionCreationPerSecond.1 = 0
    
    
  • Ahriakin (Member, Posts: 1,799)
    Well I just took the plunge, booked my Lab for 03/19/2013 in Sunnyvale. Better get off my ass and moving faster.
  • Aldur (Member, Posts: 1,460)
    Just remember, if you fail the first task you fail the exam. ;) Just kiddin, good luck :D
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • Ahriakin (Member, Posts: 1,799)
    Ah. Just finished up that first Inetzero lab session. Man, it's been a LONG time since I crammed like that...well, kinda crammed, I did take some reading breaks since this is early days, but it was a good CLI workout. Things did not start well in that the workbook had the expected links to initial configs, which contain a readme.txt explaining that they no longer keep the configs there and to email support...who are on Central European Time (I'm CST, 7 hours behind). So there I am at 5 mins to Sunday midnight their time and not a hope in hell of getting a response. TBH it's as much my fault since I should have checked the download earlier. Anyway, since the initial steps are for the most part not topology-reliant (setting up mgmt, users, system services etc.) I went ahead with what I could. Verification of the later tasks like clustering would have to just go by config checks since I had no working L2/L3 network to go with, but it was still valuable. Like I said, I took it slow; this run through the workbook is meant to highlight my weaknesses and I'm allowing plenty of time for side-reading as I go (like going through the HA chapter in the O'Reilly security book from scratch, or trying to hunt down detailed information on NTP authentication options (which aren't rocket science but the docs are pretty bad for it)). I got through 3 out of the 8 chapters (chapter 9 is a full lab; each preceding chapter is a functionally related set of tasks). So that covered Management/Permissions/Services, Chassis Clustering and Security policies. It started pretty easily but definitely got pretty involved by the policies section. There were some good little gotchas and thought-provoking sub-tasks, so it definitely kept me on my toes. Overall I think the workbook is pretty good; while I can't be definitive without having sat the real thing, it's comparable in quality to the CCIE workbooks from IPexpert and INE I've used previously. So plus one InetZero, their workbook may be the only game in town right now but it's also a good one.
    Rack control itself was pretty straightforward. Start off with Web-Auth for the session and then telnet to the Console and Out-Of-Band mgmt IPs. Responsiveness was great and I had no disconnections. I created an mRemote folder set for all connections and I'll post them up here if InetZero have no objections, I'll check with them tomorrow. Might save someone else some time.

    InetZero responded and apologised about the config gaffe and have reset my voucher (so a refund in essence). CCIE rack rental had a lot of similar issues so I'm not pissed; I still got some work done regardless and will book some more sessions for next weekend.

    Overall I think it was a good session. Bloody exhausted though.
  • zoidberg (Member, Posts: 365)
    Aldur wrote: »
    Just remember, if you fail the first task you fail the exam. ;) Just kiddin, good luck :D

    Way to help boost the confidence Mr Aldur :P

    One thing to keep in mind when you do go for the lab: read the scenarios very carefully. Perhaps they fixed up some of the wording now, but some very talented engineers I know went completely the wrong way with some of their configurations because they misunderstood what was being asked, and it cost them the exam. They would have had no trouble correctly configuring the scenario, if only they realized what was being asked. When in doubt, ask questions of the proctor and he may help clarify the task or nudge you along the correct path.

    I'm sure that's not new advice, just a friendly reminder. Looks like you've done lab exams before, so at least some of those first time nervous jitters should be gone :)
  • Aldur (Member, Posts: 1,460)
    Definitely a good reminder to always check with the proctor when in doubt about a task. I remember checking quite often to clarify things. The exam seemed pretty well written when I took it recently, much better than when I took the exam when it was in the alpha stages, so you shouldn't have too many problems in that regard.
  • Ahriakin (Member, Posts: 1,799)
    Aye, I remember it well from the Cisco side; one thing I definitely learned between the first and 2nd attempts was the devil was in the details.

    Have a case of the Flu at the moment so no techy work. I will book another lab session for this weekend though. Maybe 2, March is not that far away...

    The connections-per-second thing above: it turns out you can get it from the CLI, pretty close to what Zoidberg had suggested, just a slightly different syntax. It lists it after each SPU, but it is the global chassis CPS value restated each time and not cumulative (I matched it against the SNMP value and expected rates for this unit).
    > show security monitoring fpc 0 node 0
    
    node0:
    --------------------------------------------------------------------------
    FPC 0
      PIC 0
        CPU utilization      :    x %
        Memory utilization   :   xx %
        Current flow session :    0
        Max flow session     :    0
        Current CP session   : xxxxxxxx
        Max CP session       : 12000000
    Session Creation Per Second (for last 96 seconds on average): 11219
      PIC 1
        CPU utilization      :   yy %
        Memory utilization   :   yy %
        Current flow session : yyyyyyy
        Max flow session     : 1048576
        Current CP session   :    0
        Max CP session       :    0
    Session Creation Per Second (for last 96 seconds on average): 11219
    
    
    
    > show snmp mib walk jnxJsNodeSessionCreationPerSecond
    jnxJsNodeSessionCreationPerSecond.0 = 11714
    jnxJsNodeSessionCreationPerSecond.1 = 0
    
    
    
  • zoidberg (Member, Posts: 365)
    I knew it was in there somewhere. Just hard to remember which without firing up some traffic ;)

    Do you have just the 1 SPC? It has been a long time since I looked at that command, but I thought the values differed per SPU. I thought it worked that looking at the stats for the CP shows the number of new sessions created globally, as the CP knows all. Then each flow SPU will report the number of new sessions being created on them. In the case of a single SPC, where you have one SPU as CP and one SPU as flow, the number on the CP and the flow SPU would look the same. If you had another SPU, the cps reported per SPC should be roughly the CP cps / 3 flow SPU.
  • zoidberg (Member, Posts: 365)
    Alright. Time to stop being a slacker and fire up my test boxes to make sure I remember what I am talking about :)
  • zoidberg (Member, Posts: 365)
    Ok. Here are my quick and dirty results.


    So this one seems to show the current number of sessions per SPU, not a cps. Though, you could do the math to measure that value between the time intervals.
    > show security monitoring performance session node 0 fpc 3 pic 1    
    node0:
    --------------------------------------------------------------------------
    fpc  3  pic  1
    Last 60 seconds:
     0:  414719   1:  415095   2:  412903   3:  413290   4:  411118   5:  411459
     6:  409203   7:  409499   8:  407340   9:  407568  10:  405340  11:  405414
    12:  403188  13:  403362  14:  401148  15:  401238  16:  399024  17:  399001
    

    And the same command on the CP gave me nothing.
    > show security monitoring performance session node 0 fpc 3 pic 0    
    node0:
    --------------------------------------------------------------------------
    fpc  3  pic  0
    Last 60 seconds:
     0:       0   1:       0   2:       0   3:       0   4:       0   5:       0
     6:       0   7:       0   8:       0   9:       0  10:       0  11:       0
    12:       0  13:       0  14:       0  15:       0  16:       0  17:       0
    


    Not sure what this is telling me.
    > show security monitoring performance spu node 0 fpc 3 pic 0    
    node0:
    --------------------------------------------------------------------------
    fpc  3  pic  0
    Last 60 seconds:
     0:   5   1:   8   2:   6   3:   9   4:   6   5:   6
     6:   6   7:   9   8:   6   9:   9  10:   6  11:   9
    12:   6  13:   9  14:   6  15:   9  16:   6  17:   9
    
    > show security monitoring performance spu node 0 fpc 3 pic 1        
    node0:
    --------------------------------------------------------------------------
    fpc  3  pic  1
    Last 60 seconds:
     0:   0   1:   0   2:   0   3:   2   4:   0   5:   3
     6:   2   7:   4   8:   3   9:   3  10:   3  11:   4
    

    And this one gave me nothing. Great. Love it when features disappear in new code :S
    > show security monitoring fpc 3 node 0 | match Second 
    Total Session Creation Per Second (for last 96 seconds on average):    0
    IPv4  Session Creation Per Second (for last 96 seconds on average):    0
    IPv6  Session Creation Per Second (for last 96 seconds on average):    0
    Total Session Creation Per Second (for last 96 seconds on average):    0
    IPv4  Session Creation Per Second (for last 96 seconds on average):    0
    IPv6  Session Creation Per Second (for last 96 seconds on average):    0 
    

    And snmp seemed closest. It was higher than the cps being sent from my test box, but I'm assuming this is including session close rate as well. Or, it may be an average value over 30, 60, 90 seconds.
    > show snmp mib walk jnxJsNodeSessionCreationPerSecond    
    jnxJsNodeSessionCreationPerSecond.0 = 0
    jnxJsNodeSessionCreationPerSecond.1 = 47650
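    Pulling the two sources discussed above together, as an added example that is not from any of the posters in this thread: a small Python script that parses the 'show security monitoring performance session' sample block and the jnxJsNodeSessionCreationPerSecond walk. The numbers embedded in it are copied from the output pasted just above; the helper names are my own. It shows why a second-over-second delta of the per-SPU session count is a net change (creations minus expirations) rather than the creation rate, and it uses the non-zero SNMP counter to tell which cluster node is actually carrying the flows.

```python
"""Derive session statistics from SRX CLI and SNMP text.

Added example for this thread, not code from any poster. Parses the
'show security monitoring performance session' per-second block and the
'show snmp mib walk jnxJsNodeSessionCreationPerSecond' output.
"""
import re
from typing import Dict, List, Optional

# Constructed samples: the shape follows the outputs pasted in this thread,
# and the numbers are copied from zoidberg's post for illustration.
PERF_SESSION_SAMPLE = """\
node0:
--------------------------------------------------------------------------
fpc  3  pic  1
Last 60 seconds:
 0:  414719   1:  415095   2:  412903   3:  413290   4:  411118   5:  411459
 6:  409203   7:  409499   8:  407340   9:  407568  10:  405340  11:  405414
"""

SNMP_WALK_SAMPLE = """\
jnxJsNodeSessionCreationPerSecond.0 = 0
jnxJsNodeSessionCreationPerSecond.1 = 47650
"""

_SPU_HDR = re.compile(r"^fpc\s+(\d+)\s+pic\s+(\d+)", re.M)
_SAMPLE = re.compile(r"(\d+):\s+(\d+)")
_SNMP = re.compile(r"jnxJsNodeSessionCreationPerSecond\.(\d+)\s*=\s*(\d+)")


def parse_performance_session(text: str) -> Dict[str, object]:
    """Parse one 'show security monitoring performance session' block.

    Returns the fpc/pic the block belongs to and the per-second session
    count samples in the order the CLI printed them.
    """
    hdr = _SPU_HDR.search(text)
    if hdr is None:
        raise ValueError("no 'fpc N pic M' header found")
    # Only the lines after 'Last 60 seconds:' carry 'index: count' pairs.
    _, _, body = text.partition("Last 60 seconds:")
    samples = [int(count) for _idx, count in _SAMPLE.findall(body)]
    return {"fpc": int(hdr.group(1)), "pic": int(hdr.group(2)), "samples": samples}


def net_session_deltas(samples: List[int]) -> List[int]:
    """Second-over-second change in the session count.

    This is creations minus expirations for that SPU, so it is NOT the
    creation rate: a box under steady load shows deltas near zero.
    """
    return [later - earlier for earlier, later in zip(samples, samples[1:])]


def parse_snmp_cps(text: str) -> Dict[int, int]:
    """Map cluster node index -> jnxJsNodeSessionCreationPerSecond value."""
    return {int(node): int(val) for node, val in _SNMP.findall(text)}


def active_node_from_cps(cps: Dict[int, int]) -> Optional[int]:
    """Guess which node owns the flow traffic: the one reporting a non-zero rate.

    Heuristic taken from the thread (the backup node reports 0). Returns None
    when every node reports 0, i.e. an idle box or the wrong node queried.
    """
    busy = [node for node, rate in cps.items() if rate > 0]
    return max(busy, key=lambda n: cps[n]) if busy else None


def estimate_close_rate(creation_per_sec: int, net_delta: int) -> int:
    """Sessions closed per second = sessions created - net change.

    Both inputs must cover the same scope and second: the SNMP value is
    chassis-wide, so sum the per-SPU deltas across every flow SPU first.
    """
    return creation_per_sec - net_delta


if __name__ == "__main__":
    spu = parse_performance_session(PERF_SESSION_SAMPLE)
    print(f"fpc {spu['fpc']} pic {spu['pic']} net deltas: {net_session_deltas(spu['samples'])}")
    cps = parse_snmp_cps(SNMP_WALK_SAMPLE)
    print(f"creation/s per node: {cps}; active node: {active_node_from_cps(cps)}")
```

    Run it directly to print the per-second deltas. To turn those into a close rate you first need the sum across every flow SPU for the same second as the SNMP sample, because the OID is chassis-wide while the performance session block is per SPU.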
    
  • Ahriakin (Member, Posts: 1,799)
    I tested it on a 5800 with 7 SPCs, all 13 flow SPUs show the same values (allowing for minor traffic variance between commands) that match to the SNMP side. So yup it is definitely at least trying to show the global CPS value under each SPU. This was on 11.4R6.5.

    I think your show commands above were giving zeroes as from the SNMP output it looks like Node1 was active on that cluster.
  • zoidberg (Member, Posts: 365)
    Looking at it now, node1 is active for rg1. I was pretty sure I was on node0 for rg0 and rg1 when I played with this yesterday. Oh well. Need more sleep and more caffeine I guess :)
  • Ahriakin (Member, Posts: 1,799)
    I've done that a few times on maintenance windows, log in bleary eyed, then have a second or 2 of panic thinking there's an outage...then blink and check the other node...oh...:)
  • zoidberg (Member, Posts: 365)
    Ya, one of those weeks. I was too distracted and annoyed that my op scripts got wiped off my box that I neglected to do a simple show chassis cluster status, so I assumed my lab was the way I left it. Always a mistake, too many people know the password haha.

    I get that panic from my customer now and then. They log into node1, do a show security flow session, and discover that all the sessions show 0 bytes sent and received, and then they freak out. Need to point out that those are the node0 backup sessions, and even though you're logged into node1, that command **** all sessions starting with node0, unless you tell it otherwise.

    7 SPCs? Very nice. Always cool to bump into other people with loaded 5800s... it's way more fun than Aldur and his rack of 210s ;) Hehe

    Do you do dual-control links? I haven't played with those on the 5800s yet, only on my 3600s. Though I may have enough lab gear now where I can get away with borrowing some REs for some play time. Just curious how well that works on the 5800s and if you've run into any interesting challenges with it.
  • Ahriakin (Member, Posts: 1,799)
    And getting ready to bump some to 9 SPCs (damn I wish I could do a Spinal-Tap '11' but then there'd be none of those pesky IOC things in there). Moooaaarrr Powarrrr !!!!!!!
    I haven't played with dual links; since it's not going into split-brain unless the fabric link fails also, that'd be planning for triple failure (I like direct runs so there's no common point of failure for either link except the cables themselves).
  • Aldur (Member, Posts: 1,460)
    zoidberg wrote: »
    7 SPCs? Very nice. Always cool to bump into other people with loaded 5800s... it's way more fun than Aldur and his rack of 210s ;) Hehe

    Awww, now you've gone done and hurt my feelings. And by the way it's a rack of 100s, sheesh :p

    But seriously now, I am kind of jealous, we typically use the branch stuff in Ed services so I don't get to play with the big bad boxes.
  • zoidberg (Member, Posts: 365)
    Ahriakin wrote: »
    Moooaaarrr Powarrrr !!!!!!!

    Oh ya, there is much more power coming soon ;) I wish I could brag about my lab and really make Aldur feel like he's missing out (hehe), but I'm not certain what is and isn't public yet...
  • zoidberg (Member, Posts: 365)
    Ahriakin wrote: »
    I haven't played with dual links, since it's not going into split-brain unless the fabric-link fails also that'd be planning for triple failure ( I like direct runs so there's no common point of failure for either link except the cables themselves).

    Ditto. That's why I haven't played with them on the 5800s.

    I've had challenges with the 3600 CRMs and dual-ctl-links, but there's a firmware update available that seems to be taking care of those headaches.
  • Ahriakin (Member, Posts: 1,799)
    Indeed, I have the new performance matrix and just put in for a quote for some of those nice new toys :) . Our network changes at an insane rate and we're always bugging our SE for the next big thing so we went through your 2013 roadmap end of last year..can't wait to get my hands on some.
  • zoidberg (Member, Posts: 365)
    they're shiny ... and heavy! haha. it's pretty impressive what they can do. looking forward to the network upgrades this year. :)
  • Ahriakin (Member, Posts: 1,799)
    Today was a mixed bag. I decided to focus on a set scenario rather than individual areas. The goal, OSPF peering internally between 1 standalone SRX and a cluster, that segment using a std. RETH on the cluster. The opposite side using standalone interfaces peering with 2 different routers via BGP to simulate multiple discrete WAN links. Then to try and use pre-empt, filtering and IP-monitoring to have the RETH follow the active BGP path from the standalones. I got as far as the base topology and peering but then realised I couldn't do IP-Monitoring on my small branch boxes in 11.1, so upgraded to 11.4 again before calling it quits for the day...I figured since I'd gone that far I should see it through even if it meant blurring software revision boundaries.

    I think if I set RG1 to pre-empt (RETH side) for Node0, BGP to favour the peer on that chassis as well, then set IP-Monitoring to check Peer-A's WAN link address, it should kinda work. Like I said, I'm trying to avoid Z-path forwarding if possible and have stateful redundancy 'follow the route'.

    Anyway, good practice as I haven't worked with dynamic routing or IP-Monitoring on these before; hell, I was straining to try and remember how to set it up on the Cisco routers I was using as BGP peers.
  • Ahriakin (Member, Posts: 1,799)
    Busy busy day....tired tired Ahriakin. Methinks I overdid it a bit. I spent the afternoon working on the scenario above, focusing more on the routing side as it turns out, since my Cisco and Juniper route-fu is weak, but I got multiple OSPF and BGP instances with filtering working across it correctly. I didn't get the IP-Monitoring side working yet, but had to stop right as I got to it since I had the next InetZero lab session to do. Soo, a bite of food and on to the lab workbook.
    Today was UTM, my weakest area by far and one I was dreading since I never use it and skimmed through just enough to pass it on the JNCIS-Sec. It was actually a really good session. The lab itself was clear and well written and pretty challenging, with the end tasks having you revisit some of the earlier policies as you added more features and the like. Again terminal access was flawless, no crashes or loss of console connectivity that can happen with different rack vendors. I had a quick read of the O'Reilly security book chapter on it beforehand and then dove in. This is definitely an area where the actual configuration is MUCH easier than the texts make it seem. Yes, there are a ton of options, but as long as you don't get overzealous in your stanza navigation it's very intuitive. Jumping section by section and then simply using 'set ?' can get you through a lot...but slowly....that's the key when deciding to spend more time on something or not; I know I could take a good stab at this in the lab but it would take me much longer than I could afford relying on working it out as I go. So even though it now worries me much less I will definitely be revisiting this one again soon.

    Sooo, 3 hours left on my session but I'm calling it a day. I need to remind the missus who the strange man sitting in here is.
  • Ahriakin (Member, Posts: 1,799)
    Actually it looks like my little scenario would be better off using Conditional Route Advertisement; came across that one today in the 11.4 Security Configuration Guide, and that's what I shall be playing with tonight. Basically you use the inside Reth active status (well, really which node the next-hop is active on) as a conditional parameter that is then applied into your route export policy. So with 2 standalone WAN links you set the redistribution policy for Wan1 to match your list only if those routes are active on Node0, block it otherwise, reverse for Wan2...at least that's what I think it's meant to do, have to play around with it to be sure :). It's designed to avoid Z-path forwarding, which is exactly what I want.