Tutorials

Basic JUNOS Configuration

Jan 20th

Posted by Colby in Juniper

7 comments

Today we’ll go over a very basic JUNOS configuration, we will configure the hostname, user account, IP addresses and a default route. The purpose of this article is to provide a look and feel for JUNOS.

First let’s login and take care of the basics:

root> configure
[edit]
root# set system host-name Olive1
[edit]
root# set system login user colby class super-user authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit and-quit
commit complete
Exiting configuration mode

This is a simple config, we enter configuration mode, we set the hostname of the router then we configure a user named “colby” in the “super-user” class. “Super-user” is a pre-defined class in JUNOS, this class has full control of the router.

Anyone familiar with IOS can see that this is pretty different. The commands all start with “set” and they can be quite a bit longer. Let’s take a look at the hierarchical view of what we just did:

system {
    host-name Olive1;
    login {
        user colby {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$IKhmMCbo$XNAWMDS"; ## SECRET-DATA
            }
        }
    }
}

Definitely not what I’m used to, but not so bad. Now we’ll configure the same thing with multiple commands from the hierarchy:

Read more...

, , ,

Lock and Key ACLs

Jan 14th

Posted by Colby in Tutorials

7 comments

A coworker recently came to me for help with an issue. We have a server sitting behind a router at one of our remote sites. Certain people need RDP access to this server, but we do not want it open to the world, this seems like an ideal scenario for Lock and Key access lists. Lock and Key ACLs are a way to permit temporary access to a resource. Static ACLs either allow or deny, they can create temporary openings to suit a specific need. In our example it will be a telnet server behind a router. Here’s the topology:

Here we see a host on one side of R1 (Fa0/0) and a server on the other side (Fa1/0). In this example we want very limited access to Telnet on that server. Here’s our config:

interface FastEthernet0/0
 description To Host
 ip address 192.168.1.1 255.255.255.0
 ip access-group Telnet in
!
interface FastEthernet1/0
 description To Server
 ip address 192.168.2.1 255.255.255.0
!
ip access-list extended Telnet
 dynamic allow_telnet permit tcp any host 192.168.2.2 eq telnet
 deny   tcp any host 192.168.2.2 eq telnet
 permit ip any any
!
username allow password 0 allow
username allow autocommand access-enable host timeout 10
Read more...

, , , , ,

Private VLAN Tutorial

Jan 12th

Posted by Colby in Tutorials

5 comments

Today we’ll go over Private VLANs (PVLANs) in Cisco IOS. PVLANs segregate VLANs even further than normal, they are basically VLANs inside of VLANs. The ports share a subnet, but can be prevented from communicating. They use different port types:

Promiscuous ports – These will be the “open ports” of the PVLANs, they can communicate with all other ports.
Community ports – These ports can communicate with other community ports and promiscuous ports.
Isolated ports – These can ONLY communicate with promiscuous ports.

There are different uses for PVLANs. They are used by service providers to allow customer security while sharing a single subnet. Another use could be for DMZ hosts in an enterprise environment. If one host is compromised its ability to inflict damage to the other hosts will be severely limited. That’s the scenario we’ll be using today. This is our topology:

Read more...

, , , , ,

Playing With EEM

Jan 5th

Posted by Colby in Tutorials

2 comments

Yesterday someone asked me how to periodically save the running config using an EEM (Embedded Event Manager) applet. I’d never used EEM before (I’m terrified of code), but I decided to do some research to see how it could be done. It was surprisingly easy. Here’s what EEM is according to Cisco:

Embedded Event Manager (EEM) is a powerful and flexible subsystem in Cisco IOS that provides real-time network event detection and onboard automation. Using EEM, customers can adapt the behavior of their network devices to align with their business needs.

This applet was needed so the work done by his helpdesk team would be written to the config. They are given very limited access and are unable to execute the “wr” command. The first thing I gave him was this:

event manager applet WR_CONFIG
event syslog pattern ".*%SYS-5-CONFIG_I.*"
action 1.1 cli command "enable"
action 1.2 cli command "wr"
action 1.3 syslog msg "Config changed by user, new config has been written"
Read more...

, , , , ,

MPLS and BGP Lab Guide, Part 6

Dec 31st

Posted by Colby in Labs

3 comments

This is the sixth post in the series, the goal of the series is to provide a guide for the MPLS and BGP Lab I posted awhile back. The labs consists of MPLS VPNs and BGP along with some OSPF, NAT, IPSEC and GRE exposure. I will be posting the files needed for this lab at the bottom. Here’s the topology and the requirements:


(click image for fullsize)

Requirements:
Internet
* The two Internet routers should serve as transit ASes. No other routers should permit transit traffic.
* Internet sites (modeled by loopbacks) should be accessible by all lan IPs.

Read more...

, , , , , , , , ,

TCL Ping Script

Dec 29th

Posted by Colby in Tutorials

8 comments

TCL is a scripting language built into IOS (since 12.3(2)T according to Cisco.com), it can be very handy. I use this TCL script quite a bit, but it’s always few and far between, so I find myself Googling for it every time. I decided to post it here so I always know where to find it, heh. This TCL script it pretty basic, you just type it out in a text editor and past it in the console.

Here’s a simple example:

foreach address {
 192.168.10.1
 192.168.15.1
 192.168.25.1} { ping $address }

With that we get this:

EDGE#tclsh
EDGE(tcl)#foreach address {
+> 192.168.10.1
+> 192.168.15.1
+> 192.168.25.1} { ping $address }
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.15.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.25.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

We could get a bit more complex using some extended ping options, like this:

foreach address {
 192.168.10.1
 192.168.15.1
 192.168.25.1} { ping $address source lo254 repeat 3 }

In this one we are pinging with a source address of Loopback 254, and only sending 3 pings. It looks like this:

EDGE#tclsh
EDGE(tcl)#foreach address {
+> 192.168.10.1
+> 192.168.15.1
+> 192.168.25.1} { ping $address source lo254 repeat 3 }
 
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.254.254
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 1/3/4 ms
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 192.168.15.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.254.254
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 1/3/8 ms
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 192.168.25.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.254.254
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 1/3/4 ms

Short post, just something I needed a place for. Hope it’s useful to some readers.

, , , , ,
« First...«23456»...Last »