Showing posts from 2011

Subnet Master Demo for Android

I thought I would challenge myself to write a mobile app. I personally have an iPhone, but didn't want to invest in a Mac to develop an application and then have it rejected by Apple. So I opted for an Android-based app. I had a look around at the subnet calculator market and thought I could do a better job. So here is my effort:

https://market.android.com/details?id=net.networkingguru.SubnetMaster



All the coding was done over a few weekends. There is still a lot of refining required, but I feel it is ready for a beta release.



From IOS to Junos – JNCIA Result - PASS

I did the exam, and I am pleased to say I passed. So the lab-ing and the two PDFs

JNCIA-Junos_SG_part_1_09-16-2010.pdf
JNCIA-Junos_SG_part_2_09-16-2010.pdf

And a bit of surfing the web were enough. That is not to say everything in the exam was familiar, I did have to think seriously about some questions which puzzled me.
So the next step will be to go for specialist, but because of workload, it's going to take a little longer than 15 days.

From IOS to Junos – Final Day – Part 5 (Services)

It's a Wrap
This is the last in this series. It has been hard work fitting in the time (very late evenings), and frustrating trying to dump my notes into WordPress. I need to do more reading before the end of the week as I have booked the JNCIA-Junos exam. The start of the journey has been interesting, and I hope to reach my first milestone, JNCIA-Junos; then I will decide if I can go much further with the resource I have at my disposal.


Services and Users Part

NTP
I had some issues getting NTP synced on the last video, I eventually worked it out so here is the final installment.




Final word
That's me finished with this series. I hope people find it useful; I know I have found it of great value, albeit a tiring one.

From IOS to Junos – Final Day – Part 4 (BGP)

This series shows clearly how tiredness causes simple mistakes :)










Some Troubleshooting



From IOS to Junos - Final Day - Part 3 (OSPF)

and we continue



From IOS to Junos - Final Day - Part 2 (RIP)

This is me trying to get RIP working from memory, remember I only began to work on JUNOS one week ago, so it is painful in places

RIP Part 1



RIP Part 2



From IOS to Junos - Final Day - Part 1

In this final day I have reset the Lab then proceeded to reconfigure all the devices and capture the process on video. You can watch all my mistakes and also see how I jump around to troubleshoot some basic routing issues between the redistribution between routing protocols.


Factory Reset

Basic Configuration

Interface Check

From IOS to Junos – Day 5

Notes from the day
*** BGP into OSPF

I forgot you need to export from a protocol into the next protocol.

root@Junos4# edit protocols ospf

[edit protocols ospf]
root@Junos4# delete import BGPtoOSPF

[edit protocols ospf]
root@Junos4# set export BGPtoOSPF

[edit protocols ospf]
root@Junos4# commit
commit complete

**** Before
root@Junos2> show route

inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.254.200.1/32    *[RIP/100] 00:25:02, metric 2, tag 0
                    > to 10.254.254.1 via em0.0
10.254.200.2/32    *[Direct/0] 00:25:24
                    > via lo0.10
10.254.200.3/32    *[OSPF/10] 00:23:59, metric 1
                    > to 172.31.1.3 via em1.0
10.254.200.4/32    *[OSPF/10] 00:23:59, metric 1
                    > to 172.31.1.4 via em1.0
10.254.200.6/32    *[OSPF/10] 00:23:59, metric 1
                    > to 172.31.1.5 via em1.0
10.254.200.7/32    *[OSPF/10] 00:23:59, metric 1
                    > to 172.31.1.2 via em1.0
10.254.254.0/30    *[Direct/0] 00:25:24
                    > via em0.0
10.254.254.2/32    *[Local/0] 00:25:24
                      Local via em0.0

17…

From IOS to Junos – Day 4

Not much done tonight, have been really busy.

BGP today :)

Notes from the day
Tried to access Junos4 10.254.200.4 but ssh failed.
Because of rushing yesterday I have not enabled ssh

configure
set system services ssh
commit

Entering configuration mode
Users currently editing the configuration:
root terminal v0 (pid 1364) on since 2011-10-05 19:18:27 UTC, idle 00:00:54
[edit]

[edit]
root@Junos4# set interfaces em1 unit 0 family i
^
'i' is ambiguous.
Possible completions:
> inet IPv4 parameters
> inet6 IPv6 protocol parameters
> iso OSI ISO protocol parameters
[edit]
root@Junos4# set interfaces em1 unit 0 family inet address 10.254.253.1/30

[edit]
root@Junos4# commit
commit complete

[edit]
root@Junos4#

root@Junos4# set routing-options autonomous-system 9999

[edit]
root@Junos4# edit protocols bgp

[edit protocols bgp]
[edit protocols bgp]
root@Junos4# set group 4to5 peer-as 9998
[edit protocols b…

From IOS to Junos - Day 3

Once I have configured everything I am going to wipe the lab and start again, seeing if I can clean up some of the mess, but I won't post line by line here, I will just post the final configs.
Notes from the day

OSPF Today.

set host name and domain name to all ospf routers
set system host-name
set system root-authentication plain-text-password

apply interface configuration to all ospf routers

now do ospf???

I haven't looked at a book yet so doing this by feel
Junos2
configure protocols
set ospf area 0 interface em1

Junos3
edit protocol interface em0

Junos 3 immediately formed a neighbor with Junos 2

do the same for 4,6 and 7

ok a quick peek at a book and it looks like I can just add the interfaces into the area

edit protocols
set ospf area 0 interface lo0.10 passive

can see all loopback at junos 3

*** redist into rip
root@Junos2>
http://forums.juniper.net/t5/Routing/redistribute-RIP-routes-to-OSPF/td-p/22294

root@Junos2> configure
Entering configuration mode

[edit]
root@Junos2# edit policy-options

[edit…

Windows 2008 RADIUS for CISCO Device Authentication

Network Device Authentication
(I wrote this ages ago but thought I would transfer it to my blog site)

It is not uncommon to discover infrastructures with authentication policies in place for Windows Admin Access using Active Directory accounts, only to find the network devices are being accessed using a common user name and password. It would be ideal if the Active Directory accounts that are used to administer the Windows environment could be used to administer the network devices too. (This article is specific to Cisco Network Devices)



One solution is to purchase a Cisco Secure Access Control Server, which can use accounts in the Active Directory. The product is quite extensive and has many more features than just logon authentication.

Device administration: Authenticates administrators, authorizes commands, and provides an audit trail
Remote Access: Works with VPN and other remote network access devices to enforce access policies
Wireless: Authenticates and authorizes wireless users and hos…

From IOS to Junos – Day 2

Notes from the day
I am just going to dump my text notes for the day, you have no idea how long it would take to format this stuff, and hell I do it to share, not to make profit.


** when I had shutdown after the previous days works,
I had a thought that the loopback 0 (only loopback adaptor in Junos)
would probably be done using unit numbers, as soon as I woke up and checked my
twitter I had a tweet from @networkjanitor
"In regards to Junos Loopbacks you can have multiple unit interfaces
and they can go diff vrfs"

so first task today is remove existing loopback 0 unit 0 address
and create new loopback 0 unit 10 address.

root@Junos1# edit interfaces lo0

[edit interfaces lo0]

root@Junos1# edit unit 0

[edit interfaces lo0 unit 0]

root@Junos1# show
family inet {
address 10.254.200.1/32;
}

[edit interfaces lo0 unit 0]
root@Junos1# delete family inet address 10.254.200.1/32

[edit interfaces lo0 unit 0]
root@Junos1# commit
commit complete

[edit interfaces lo0]
root@Junos1# edit unit 10

[edit interfa…

Dell Latitude D830 SSD Upgrade

Slow Laptop Syndrome
I have a LATITUDE D830 : INTEL CORE 2 DUO T7500 4GB Ram from 2008, I did get a fairly high specification at the time, so it has always had pretty decent performance. However I haven't been using it for a while and when I did it seemed slow compared to my Core 5i desktop computer. (I use Windows 7 ultimate with the latest updates)

Laptop for Work
Now I might be doing a fair bit of travelling to customer sites in the near future and the last thing I want is a poorly performing laptop, so I decided to ditch all the crap I had on it like iTunes, movies, miscellaneous software and cut back to a basic "work" PC. After all I do have iPhone, iPad and new Kindle (soon) for all my multimedia needs.

I purchased a "Corsair 120GB Force 3 SSD 2.5" SATA-III 6Gb/s Read = 550MB/s, Write = 510MB/s" from ebuyer.com. Now I am guessing that it is SATA-II rather than SATA-III on the system board, but the price difference between SATA-II and SATA-III was nothing …

From IOS to Junos - Day 1

Notes from the day
I am just going to dump my text notes for the day, you have no idea how long it would take to format this stuff, and hell I do it to share, not to make profit.
cli
configure system
set root-authentication plain-text-password

set host-name Junos1
set domain-name jlab.com

commit

====== Let's get IP connectivity up and running

top
edit interfaces

set em0 unit 0 family inet address 192.168.1.70/24
**note unit 0 is logical and not physical but a bit like cisco default physical interface
makes more sense in Junos

commit
***exit into operational mode >
ping 192.168.1.11 ---- working yippee

SSH and Telnet access
just check that I cannot telnet or ssh to routers

configure services

**should be in configure system

**tried configure system but could not jump to there, had to go to top then

configure system

set services telnet
set services ssh

**LOL - was trying to connect and still got "connection refused" have forgot to commit

commit

**Got connected with SSH - used root
**The server has disc…

From IOS to Junos Series - Foreword

IOS to JUNOS challenge
I have set myself a small challenge of obtaining JNCIA-Junos in the next few weeks. To assist in achieving this, and to supplement the study material on the Juniper web site, I have set myself up a small lab environment using VMware ESXi 5.0 Hypervisor and Juniper Olive (JUNOS 10.1). I got great help from http://routerjockey.com/2009/10/03/running-junos-under-vmware/

I currently have the following at my disposal from the Juniper web site:

JNCIA-Junos_SG_part_1_09-16-2010.pdf
JNCIA-Junos_SG_part_2_09-16-2010.pdf

I also bought two kindle books

JUNOS Enterprise Routing [Kindle Edition] By: Doug Marschke, Harry Reynolds
JUNOS Enterprise Switching [Kindle Edition] By: Doug Marschke, Harry Reynolds

The exam blue print can be found here http://www.juniper.net/us/en/training/certification/resources_jnciajunos.html

I hope to tick these off as I work through my lab. I have quickly written the following objectives for myself, which I will expand as I progress on my journey.

Host Name
Managemen…

Working on a Live Power Outlet - Would you ?

Health and Safety at Work
So your better half has decided that they want the sockets in the Lounge changed from Plastic to Chrome Plated. What do you do ? Put on your rubber boots and gloves and start to work being really careful not to touch an exposed wire! or do you switch the circuit off then perform the upgrade ensuring everything is correct. I know my preferred method!
Danger is my middle name
Now in networking terms being a Cisco CCIE I often have to put on my rubber boots and gloves because working on any configuration on a Cisco IOS Router (except new ASR9K) that is effectively what you are doing. One wrong command and you are gonna get a shock!
Need to read more
I never really gave this much consideration, I just accepted it as the way it is. Now I see this as complacency on my part. Anyway my competency was challenged when I started to read into Juniper JUNOS. (Don't worry if anyone saw Juniper on my computer screen at work, I just flipped over to YouTube).
Cisco please …

Cisco IOU and VMware vSwitch

I have been looking around the interweb seeing Cisco IOU kicking around, and I began to wonder how you could integrate this into an environment where you can build a lab with connections to external devices, e.g. firewalls, ACS server, other vendor routers etc. Particularly, how would I build a test environment, assuming that I could legitimately use IOU? Anyway, after looking at the article http://inetpro.org/wiki/Connect_IOU_with_real_networks_or_dynamips I could see how this could be done with a physical machine, but how would this relate to an IOU machine in ESX VMware? I would have multiple NICs tied to different VLANs, then use IOU2Net to connect interfaces in IOU to these different networks; easy!!!

So as I sit back and dream of what could be if Cisco would release a version that I could use in such a way, I realized a problem: "promiscuous mode". This is required for traffic to traverse from the real world back into the IOU instance; however if you add new NICs to a vSwitch in E…

Multicast Traffic Generator without a PC

I have suffered the pain of trying to troubleshoot multicast issues over the past few years (mainly across MPLS); however, initially I struggled to find a way of generating my own traffic independent of any application that was experiencing issues. Most of the time, being the network guy, I would not have access to run the application (sender) at one site and the client (receiver) at another site. I also would not be in the position to install my own sender + receiver devices on the network, so I was stuck with the tools available to me on the Cisco routers/switches at each end of the network.

Looking at http://www.cisco.com/en/US/tech/tk828/technologies_tech_note09186a0080093f21.shtml they assume that you are able to control the sender and receiver; they have not mentioned two of the most valuable tools, in my opinion, to begin troubleshooting multicast.

ping
ip igmp join-group

It does mention "show ip mroute count" and "show ip mroute" which are indeed valuable.

Maybe it …

Break the Network Emulators out of the Cloud

Cisco IOU and JunoSphere
Recently both Cisco and Juniper have announced the availability of online resources to provide hands-on training over the internet. They have built software emulators in the cloud that can be accessed remotely for a cost. These solutions are based purely around the certification programs and therefore are pretty rigid in the topologies that are provided, not to mention the recurring cost.

http://www.juniper.net/us/en/company/press-center/press-releases/2011/pr_2011_05_16-03_01.html
https://learningnetworkstore.cisco.com/market/prod/listSubCatLearnLab.se.work?TRGT=85&/nxt/rcrs/=2559
Rack Rentals
There are training providers such as Internetwork Expert (http://www.ine.com/) and IPexpert (http://www.ipexpert.com/) who provide rack rentals based on their training materials. These guys cannot possibly compete going forward. To keep these sustainable they will need to reduce the overhead of building physical racks, providing power and space for the racks. Using emula…

Weird CatOS to IOS Trunk Problem – Cannot Ping

I was setting this very basic configuration up the other evening and could not get basic L3 connectivity up and running.



I have an ASR 1002 on one side and a Catalyst 6509 running Hybrid CatOS and IOS. The configuration is basically to connect two devices for routing using 802.1q VLANs. Here are the configs, but I cannot ping between the devices.
ASR1002

interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/2.700
 encapsulation dot1Q 700
 ip address 172.24.253.17 255.255.255.252
 ip ospf network point-to-point

6509 – Switch

set vlan 700   3/3
clear trunk 3/3  1-699,701-1005,1025-4094
set trunk 3/3  on dot1q 700
set spantree portfast    3/3 enable trunk
end

6509 - MSFC

interface Vlan700
 ip address 172.24.253.18 255.255.255.252
 ip ospf network point-to-point
end


I could not see any issue, so to try and establish if it was some trunking issue, I removed the trunk and used the main interface on the ASR1000 and an access port to the VLAN on the 6509, and I could ping between th…

QoS:What happens at the Service Provider PE ?

A while back I wrote an article on DSCP QoS over MPLS, http://etherealmind.com/dscp-qos-over-mpls-thoughts/. Since that time I have been working on some service provider networks and thought this would be a good opportunity to expand on what happens at the PE with regards to DSCP to Experimental bit (Traffic Class) mapping.


CE to PE
I have put together a diagram to help illustrate how traffic from many different service provider customers is aggregated at the service provider's PE.

[Figure: CEtoPEQoS]





We can see in this example that each customer has different bandwidth requirements for voice and other traffic. We should also note that the PE is where we change from IP VRF domains to the MPLS domain of the Service Provider, once traffic is inside the MPLS we lose the ability to identify traffic on a per customer basis (in relation to QoS). When the traffic moves from the IP VRF domains t…

ASR1006 Dual Route Processors Password Recovery - Tip

I recently ran into an issue when trying to perform dual route processor password recovery on a Cisco ASR1006.
Problem
After breaking into rommon mode and using confreg to ignore the startup configuration, during the reset the ASR1006 loaded the startup configuration!!!!!!!!
Solution
So quick and simple, I pulled one of the RPs and performed password recovery running on a single RP. All went according to the Cisco documentation

http://www.cisco.com/en/US/docs/routers/asr1000/install/guide/routers/asr1_hwc.html#wp1045971



After the system running on a single RP was recovered and fully booted I waited for 5 minutes just to be sure; then I inserted the second RP and allowed everything to sync up.



All was well again :) phew



Note: The system was previously fully functioning with dual RPs; a configuration error was made during Tacacs+ configuration which resulted in lockout.


Summary
I hit an issue recovering an ASR with dual RPs, so rather than spending hours researching, I decided very quickly to go …

No Service Password Recovery - It is not the end of the world

Myth
Having a chat with some people and this came up in conversation, "no service password recovery", and people seemed to be taking it quite literally, e.g. if you forget your password the device is dead and needs to go back to Cisco. Not being a security guy I thought OK, but it was bothering me. So a quick lookup on Cisco: http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html
Fact
In fact, what this feature does is prevent you from getting access to the startup configuration; you can recover the device to FACTORY DEFAULT - the config has gone. Of course you will have a backup of the config, so it should be no big deal to switch this feature on every device, assuming the device supports it.



Take Note of the comments : "

Before deploying this feature, TEST the password recovery. Some platforms (based on ROMMON version) are EXTREMELY hard to recover.

http://blog.ioshints.info/2007/12/recovering-from-disabled-password.html

"

Thanks Ivan

Are you VRF aware?

Virtual Routing and Forwarding
VRFs (Virtual Routing and Forwarding instances) have been about for a long time in the world of service providers; we are now seeing VRF capabilities as part of the world outside service providers.

VRFs have their own routing instance in a router (own routing table) and the instance is generally assigned to an interface; the interface then only applies to that particular VRF. So for example you could have a Management VRF and this is connected to a separate management network.
Management Processes need to know
If you assign an interface in a VRF for management then the management processes:

TACACS
SNMP
SSH
TELNET
NTP
NETFLOW
etc.....

need to be "VRF aware", because typically they will be running against the Global (Default) routing table.
Examples
TACACS
aaa group server tacacs+ Management
server-private 10.100.100.1 timeout 15 key mysecretket
ip vrf forwarding Management-VRF
ip tacacs source-interface Loopback10
NETFLOW
flow exporter MYFLOW destinatio…

What is Carrier Ethernet

A New Ethernet ?
I was recently working with Cisco ASR9000s and when looking at the different line card options I came across the phrase "Carrier Ethernet", I didn't know if I had missed the mail shot telling me that the Ethernet Standard had changed.

From Cisco's ASR 9000 Series Ethernet Line Card data sheet "The Cisco ASR 9000 Series Line Cards together with the Cisco ASR 9000 Series platforms are designed to provide the fundamental infrastructure for scalable CarrierEthernet and IP/MPLS networks"

So what is CarrierEthernet? In its most simplistic form it is the ability to emulate Ethernet services across the WAN. It makes more sense if instead of reading CarrierEthernet you read Carrier Ethernet Services.





E-Line = Point to Point
E-LAN = Multipoint
E-Tree = Point to Multipoint

These topology definitions alone do not cover what Carrier Ethernet is; Carrier Ethernet includes standards and SLAs that are required in essence so you can compare offerings from different Ser…