Setting up a virtual lab topology with Juniper vSRX

Up until now, I've been doing most of my studies on real hardware. That was fine with Cisco gear, but Juniper hardware isn't as cheap on the second-hand market. On top of that, I always lose vast amounts of time reconfiguring appliances on the console, cabling them up, reconfiguring switch ports and installing physical or virtual test machines. I recently installed an ESXi whitebox with loads of RAM and compute power sitting idle, so why not start virtualizing my labs?

The Juniper vSRX Integrated Virtual Firewall, formerly known as Firefly Perimeter, is a virtual appliance that brings the SRX firewall feature set to your virtual layer. Even better, a full-featured trial version of the appliance can be used for 60 days. Perfect for lab purposes!

In this post, I will go through the steps of setting up the virtual appliance and giving it a basic configuration. Below is the topology I will be implementing and using for parts of my JNCIS-SEC studies. I haven't found an "official" installation guide from Juniper (although I haven't really looked either), but the scenario below works for me.


Useful Brocade FOS CLI Commands

Below is a list of useful Brocade Fabric OS (FOS) CLI commands that I keep at my desk for reference. They are divided into categories for Zoning, Show, Port, Time/Date, License, Banner, Password, SNMP, User Configuration, Firmware, and Miscellaneous.

Zoning Commands

alicreate "Name", "domain,port#" Creates an alias
alicreate "Name", "member1; member2" Creates an alias with several members (domain,port pairs or WWNs, separated by semicolons)
alidelete "Name" Deletes an alias
aliadd "Name", "domain,port#" Adds members to an existing alias
aliremove "Name", "domain,port#" Removes a member from an alias
alishow "AliName" Shows the alias definition on the switch
zonecreate "ZoneName", "alias1; alias2" Creates a zone from aliases
zonedelete "ZoneName" Deletes a zone
zoneadd "ZoneName", "alias name" Adds an alias to an existing zone
zoneremove "ZoneName", "alias name" Removes an alias from a zone
zoneshow "ZoneName" Shows the zone definition
cfgcreate "ConfigName", "Zone1; Zone2" Creates a configuration from zones
cfgdelete "ConfigName" Deletes a configuration
cfgadd "ConfigName", "Zone3" Adds zones to a configuration
cfgremove "ConfigName", "Zone3" Removes a zone from a configuration
cfgshow "ConfigName" Shows the details of a configuration (cfgshow without an argument shows the defined and the effective configuration)
cfgenable "ConfigName" Makes a configuration the effective (enforced) configuration on every switch in the fabric; it also saves the defined configuration
cfgsave Writes the defined configuration to flash memory so it survives a reboot
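The alias, zone and configuration commands above are always typed in the same order, and a typo in a zone member is only noticed once the fabric is already half changed. The following script is an added example (not from the original page and not Brocade code): it turns a declarative description into the alicreate / zonecreate / cfgcreate / cfgsave / cfgenable batch and validates every reference before a single command is emitted. The member and name formats are assumptions: a member is "domain,port" or a colon-separated 16-hex-digit WWN, and a name starts with a letter and contains only letters, digits and underscores.

```python
"""Build a Brocade FOS zoning change as an ordered batch of CLI commands.

Added example; it is not from the original page or from Brocade. The member and
name formats below are assumptions, not the authoritative FOS grammar.
"""
import re
from typing import Dict, List

WWN_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$")   # 10:00:00:90:fa:12:34:56
DOMAIN_PORT_RE = re.compile(r"^\d{1,3},\d{1,3}$")                # domain,port
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")                  # assumed naming rule


def _check_name(name: str) -> None:
    if not NAME_RE.match(name):
        raise ValueError(f"invalid zoning object name {name!r}")


def _check_member(member: str) -> None:
    if not (WWN_RE.match(member) or DOMAIN_PORT_RE.match(member)):
        raise ValueError(f"invalid alias member {member!r}: expected domain,port or WWN")


def build_zoning_batch(aliases: Dict[str, List[str]],
                       zones: Dict[str, List[str]],
                       cfg_name: str,
                       enable: bool = False) -> List[str]:
    """Return the FOS CLI lines in the order they must be typed.

    aliases:  alias name -> list of members (domain,port or WWN)
    zones:    zone name  -> list of alias names
    cfg_name: the configuration that groups all the zones
    enable:   also emit cfgenable, which makes the configuration effective
              fabric-wide; leave False to only define and save it.
    """
    commands: List[str] = []

    for alias, members in aliases.items():
        _check_name(alias)
        if not members:
            raise ValueError(f"alias {alias!r} has no members")
        for member in members:
            _check_member(member)
        commands.append(f'alicreate "{alias}", "{"; ".join(members)}"')

    for zone, zone_aliases in zones.items():
        _check_name(zone)
        unknown = [a for a in zone_aliases if a not in aliases]
        if unknown:
            raise ValueError(f"zone {zone!r} references undefined alias(es) {unknown}")
        if len(set(zone_aliases)) != len(zone_aliases):
            raise ValueError(f"zone {zone!r} lists an alias twice")
        commands.append(f'zonecreate "{zone}", "{"; ".join(zone_aliases)}"')

    _check_name(cfg_name)
    if not zones:
        raise ValueError("a configuration needs at least one zone")
    commands.append(f'cfgcreate "{cfg_name}", "{"; ".join(zones)}"')
    commands.append("cfgsave")                       # write the defined config to flash
    if enable:
        commands.append(f'cfgenable "{cfg_name}"')   # enforce it on every switch in the fabric
    return commands


if __name__ == "__main__":
    # Constructed sample: one host HBA zoned to one storage port (single-initiator zone).
    batch = build_zoning_batch(
        aliases={"host01_hba0": ["10:00:00:90:fa:12:34:56"],
                 "array_ctl0_p0": ["1,4"]},
        zones={"host01_array_z": ["host01_hba0", "array_ctl0_p0"]},
        cfg_name="PROD_CFG", enable=True)
    print("\n".join(batch))
```

Because validation happens before anything is emitted, a bad reference aborts the whole change instead of leaving aliases defined but no zone; paste the printed batch into the switch session, or keep enable=False and run cfgenable by hand after reviewing cfgshow.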

Show Commands

psshow Displays the status of the power supplies
fansshow Displays the status of the fans
tempshow Displays the temperature readings
sensorshow Displays the sensor readings
nsshow Displays the local name server entries (devices logged in to this switch)
nsshow -t Displays the name server entries together with the device type
nsshow -r Displays the name server entries together with the state change registration (SCR) details
nscamshow Displays detailed information on all devices connected to all switches in the fabric (remote name servers)
nsallshow Displays the 24-bit addresses (PIDs) of all devices in the fabric
licenseshow Displays all licenses installed on the switch
date Displays the current date set on the switch
bannershow Displays the banner shown when logging in via the CLI or Web Tools
httpcfgshow Displays the Java version the switch expects at the management console
switchname Displays the switch name
fabricshow Displays information on all switches in the fabric
userconfig --show -a Displays account information: role, description, password expiration date, locked status
switchstatusshow Displays the overall status of the switch
switchstatuspolicyshow Displays the policy that determines Marginal (yellow) or Down (red) status
portshow Shows the port status
portcfgshow Displays the speed set for all ports on all slots and other detailed port information
configshow fabric.ops Displays the fabric parameters of the switch. All switches in a fabric must have the same parameters in order to form a fabric
configshow fabric.ops.pidFormat Displays the PID format set on the switch: Core, Native or Extended Edge
switchuptime OR uptime Displays the switch uptime
firmwareshow Displays the firmware on the switch
version Displays the current firmware version on the switch
hashow Displays the status of the local and remote CPs: high availability, heartbeat and synchronization

Port Settings

portcfgshow Displays the port settings
portcfg rscnsupr [slot/]port --enable Suppresses the RSCN (registered state change notification) when a state change occurs on the port
portcfg rscnsupr [slot/]port --disable An RSCN is sent when a state change occurs on the port (default)
portname Assigns a name to a port
portdisable Disables a port or slot
portenable Enables a port or slot
portcfgpersistentdisable Disables a port persistently; the state survives a switch reboot
portcfgpersistentenable Enables a port persistently; the state survives a switch reboot
portshow Shows the port status
portcfgspeed [slot/]port speed Sets the speed of a port. Note: 0 = auto-negotiated 1/2/4 Gbit/s, 1 = 1 Gbit/s, 2 = 2 Gbit/s, 4 = 4 Gbit/s
switchcfgspeed Sets the speed for all ports on the switch. Note: 0 = auto-negotiated 1/2/4 Gbit/s, 1 = 1 Gbit/s, 2 = 2 Gbit/s, 4 = 4 Gbit/s
portcfgshow Displays the speed set for all ports on all slots and other detailed port information
portcfgdefault Resets the port settings to default
portcfglongdistance Sets the long-distance mode. Default is L0 (normal); by distance: LE <= 10 km, L0.5 <= 25 km, L1 <= 50 km, L2 <= 100 km, LD = auto, LS = static
portcfgeport Prevents a port from becoming an E_Port (ISL). Locking unused or edge-facing ports this way stops a rogue switch from joining and merging into the fabric

Time and Date Settings

date Displays the current date and time set on the switch
tsclockserver 10.10.1.1 Instructs the principal switch to synchronize time with the NTP server at the given IP address; the other switches in the fabric take their time from the principal
tsclockserver LOCL Stops NTP synchronization and uses the local clock of the switch
date mmddHHMMyy Sets the switch time manually when NTP synchronization is turned off
tstimezone -5 Sets the time zone (offset from GMT, here -5) on an individual switch

License Commands

licenseshow Displays all licenses installed on the switch
licenseadd Adds a new license key to the switch
licenseremove Removes a license from the switch
licenseidshow Displays the license ID, which is based on the switch WWN and is needed when requesting license keys

Banner Commands

bannershow Displays the banner shown when logging in via the CLI or Web Tools
bannerset Sets the banner shown when logging in via the CLI or Web Tools
bannerset "" Removes the banner (two empty quotes)

Password commands

passwd Changes the password of the current login (or of another account, e.g. passwd john, when run as admin)
passwdcfg --set -lowercase 3 -uppercase 1 -digits 2 -punctuation 2 -minlength 10 -history 3 Sets the password complexity rules: minimum number of lowercase, uppercase, digit and punctuation characters, minimum length, and the number of previous passwords that may not be reused
passwdcfg --set -minpasswordage 1 Sets the minimum password age in days
passwdcfg --set -maxpasswordage 30 Sets the maximum password age in days
passwdcfg --set -warning 23 Sets how many days before expiration a warning is shown
passwdcfg --set -lockoutthreshold 5 Sets the number of failed logins after which the account is locked out
passwdcfg --set -lockoutduration 30 Sets the account lockout duration in minutes
passwdcfg --setdefault Restores the factory password policy (minimum length 8, history 1, lockout duration 30)
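When passwords for switch accounts are generated or rotated from a provisioning script, it helps to apply the same rules the switch will enforce before the passwd call fails on the console. The checker below is an added example (not from the original page and not Fabric OS code): it encodes the policy that the passwdcfg --set line above configures, plus the factory default for comparison. Which characters count as punctuation is an assumption (Python's string.punctuation set).

```python
"""Pre-validate a password against a Fabric OS style passwdcfg policy.

Added example; not part of the original page or of Fabric OS. The punctuation
character set is an assumption (string.punctuation).
"""
import string
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class PasswordPolicy:
    lowercase: int = 0      # -lowercase: minimum lowercase letters
    uppercase: int = 0      # -uppercase: minimum uppercase letters
    digits: int = 0         # -digits: minimum digits
    punctuation: int = 0    # -punctuation: minimum punctuation characters
    minlength: int = 8      # -minlength
    history: int = 1        # -history: previous passwords that may not be reused


# The policy set by:
# passwdcfg --set -lowercase 3 -uppercase 1 -digits 2 -punctuation 2 -minlength 10 -history 3
PAGE_POLICY = PasswordPolicy(lowercase=3, uppercase=1, digits=2, punctuation=2,
                             minlength=10, history=3)
# passwdcfg --setdefault: minimum length 8, history 1
FACTORY_POLICY = PasswordPolicy()


def check_password(candidate: str, policy: PasswordPolicy,
                   previous: Sequence[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    previous: earlier passwords, oldest first; only the last policy.history are compared.
    """
    counts = {
        "lowercase": sum(c.islower() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "digits": sum(c.isdigit() for c in candidate),
        "punctuation": sum(c in string.punctuation for c in candidate),
    }
    violations: List[str] = []
    if len(candidate) < policy.minlength:
        violations.append(f"length {len(candidate)} < minlength {policy.minlength}")
    for cls, needed in (("lowercase", policy.lowercase), ("uppercase", policy.uppercase),
                        ("digits", policy.digits), ("punctuation", policy.punctuation)):
        if counts[cls] < needed:
            violations.append(f"{cls}: {counts[cls]} < required {needed}")
    # history N: the candidate must differ from the N most recent passwords
    recent = list(previous)[-policy.history:] if policy.history > 0 else []
    if candidate in recent:
        violations.append(f"reuses one of the last {policy.history} passwords")
    return violations


if __name__ == "__main__":
    for pw in ("password", "Sw1tch!Admin#2"):
        problems = check_password(pw, PAGE_POLICY, previous=["OldPass#01x", "OldPass#02x"])
        print(f"{pw!r}: {'ok' if not problems else '; '.join(problems)}")
```

Note that the history check is only as good as the list of previous passwords you keep; the switch keeps its own, so a password that passes here can still be refused if the script's record and the switch's record have drifted apart.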

SNMP Commands

snmpconfig Configures SNMP on FOS 5.0 and above; use it to replace the default community strings and to set up SNMPv3 users rather than leaving the v1/v2c defaults in place
agtcfgset Configures SNMP on FOS below 5.0
snmpmibcapset Selects which MIBs the SNMP agent exposes

User Configuration

userconfig --show -a / userconfig --show Displays all account information: role, description, password expiration date, locked status
userconfig --add john -r admin -d "John Doe" Adds a new account (-r = role, -d = description)
userconfig --show john Displays all the information for the account john
userconfig --change <name> -e no Disables an account, typically default accounts such as admin and user. Make sure another account with admin rights exists before disabling admin
userconfig --change <name> -e yes Enables an account

Firmware commands

configupload Saves the switch configuration as an ASCII text file to an FTP (or SCP) server
configdownload Restores a switch configuration from an ASCII text file. Note: the switch must be disabled (switchdisable) before downloading the configuration file
configure => cfgload attributes: [y] => Ensure secure config upload/download: [y] Fabric OS 4.4 and above can use Secure Copy (SCP) instead of FTP for configuration upload and download, so the configuration file (which includes account and SNMP settings) is not sent in clear text
firmwaredownload Downloads and installs the firmware on the switch
firmwareshow Run after installing the firmware to confirm the versions on the switch
version Displays the current firmware version on the switch
fastboot Reboot after installing the firmware, skipping POST (power-on self test)
reboot Reboot after installing the firmware, running POST

Miscellaneous commands

killtelnet Terminates a particular telnet session
configure Runs the switch configuration dialogue
quietmode 0 Turns quiet mode off (messages are shown on the console)
quietmode 1 Suppresses messages to the console
switchname Displays the switch name
switchname "EXAMPLE" Assigns a switch name
bannerset Sets the banner shown when logging in via the CLI or Web Tools
timeout Displays the idle timeout set for telnet sessions on the switch
timeout 10 Sets the idle timeout for telnet sessions (in minutes)
switchuptime or uptime Displays the switch uptime
switchcfgspeed Sets the speed for all ports on the switch. Note: 0 = auto-negotiated 1/2/4 Gbit/s, 1 = 1 Gbit/s, 2 = 2 Gbit/s, 4 = 4 Gbit/s
fastboot Reboots the switch without POST
reboot Reboots the switch with POST
switchstatusshow Displays the overall status of the switch
switchstatuspolicyshow Displays the policy that determines Marginal (yellow) or Down (red) status
switchstatuspolicyset Changes the policy that determines Marginal (yellow) or Down (red) status

 

Basic commands on Alcatel Omniswitch

Introduction

This page is based on the notes I took while managing Alcatel OmniSwitch 6600 and 6800 switches in 2007 and, later, the 6850. The full documentation can be found on the Alcatel-Lucent website.

Managing the configuration files

Alcatel OmniSwitches can operate in two modes: working and certified (show running-directory tells you which mode the switch is in). In working mode the configuration can be modified, while in certified mode it is not possible (well, actually, it is). On boot, if the working and certified configuration files differ, the switch boots in certified mode. The configuration files are stored in certified/boot.cfg and working/boot.cfg (they can be edited directly with vi).


Policy Based Routing on Cisco Catalyst 3750

I want to share how I configured basic Policy Based Routing (PBR) on a Cisco Catalyst 3750.

To give you an idea, here is a sample diagram of how the PBR works.

This is a network with two ISPs, for the case where you want different groups of users to go out through different ISPs. Two things to check on a 3750 before starting: PBR is only available once the switch runs the routing SDM template (sdm prefer routing, followed by a reload), and it is not included in every feature set, so check the release notes of your image.

Config on the Catalyst 3750

STEP 1. First set up your VLAN SVIs (Vlan3 is the 10.3.0.0/16 segment that access-list 20 matches below; it must not reuse the Vlan5 address)
!

interface Vlan2
ip address 10.2.0.1 255.255.0.0
!
interface Vlan4
ip address 10.4.0.1 255.255.0.0
!
interface Vlan3
ip address 10.3.0.1 255.255.0.0
!
interface Vlan5
ip address 10.5.0.1 255.255.0.0
!

STEP 2. Create Access-list, for filtering
access-list 10 permit 10.2.0.0 0.0.255.255
access-list 10 permit 10.4.0.0 0.0.255.255
access-list 20 permit 10.3.0.0 0.0.255.255
access-list 20 permit 10.5.0.0 0.0.255.255

STEP 3. Now create Route-map;

route-map routetoISP1 permit 10
match ip address 10
set ip next-hop 10.0.0.1
!
route-map routetoISP2 permit 20
match ip address 20
set ip next-hop 10.0.0.2
!

And now the magic: apply the route-maps to the SVIs. PBR acts on traffic entering the interface it is applied to, so each VLAN's users are steered by the route-map on their own SVI.

!
interface Vlan2
ip address 10.2.0.1 255.255.0.0
ip policy route-map routetoISP1
!
interface Vlan4
ip address 10.4.0.1 255.255.0.0
ip policy route-map routetoISP1
!
interface Vlan3
ip address 10.3.0.1 255.255.0.0
ip helper-address 10.0.0.4
ip policy route-map routetoISP2
!
interface Vlan5
ip address 10.5.0.1 255.255.0.0
ip policy route-map routetoISP2
!

Here is the final config.

!
interface Vlan2
ip address 10.2.0.1 255.255.0.0
ip policy route-map routetoISP1
!
interface Vlan4
ip address 10.4.0.1 255.255.0.0
ip policy route-map routetoISP1
!
interface Vlan3
ip address 10.3.0.1 255.255.0.0
ip helper-address 10.0.0.4
ip policy route-map routetoISP2
!
interface Vlan5
ip address 10.5.0.1 255.255.0.0
ip policy route-map routetoISP2
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
access-list 10 permit 10.2.0.0 0.0.255.255
access-list 10 permit 10.4.0.0 0.0.255.255
access-list 20 permit 10.3.0.0 0.0.255.255
access-list 20 permit 10.5.0.0 0.0.255.255
route-map routetoISP1 permit 10
match ip address 10
set ip next-hop 10.0.0.1
!
route-map routetoISP2 permit 20
match ip address 20
set ip next-hop 10.0.0.2
!

Two things worth keeping in mind with this config. The default route still points at ISP1, so any packet that does not match its SVI's route-map (for example a source address outside the VLAN's own subnet) falls back to ISP1 rather than being dropped. And the route-maps match only on the source address in the ACL, not on the ingress VLAN, so an ingress ACL on each SVI that permits only that VLAN's subnet is what stops a host from choosing its ISP by spoofing a source address.
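To see exactly what the final config does with a given packet, here is an added example (not part of the original post and not Cisco code) that models the standard ACLs with their wildcard masks, the route-maps, the SVI bindings and the default route as written above, and answers "where does a packet with this source address entering this SVI go?". Only the source-address match is modelled; interface state, the SDM template and next-hop reachability are ignored.

```python
"""Work out which next-hop the Catalyst 3750 PBR configuration above selects.

Added example; not part of the original post and not Cisco code. It models
the config as written: standard ACLs, route-maps, SVI policy bindings and
the default route.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# access-list <id> permit <network> <wildcard>, in the order they appear
ACLS: Dict[int, List[Tuple[str, str, str]]] = {
    10: [("permit", "10.2.0.0", "0.0.255.255"), ("permit", "10.4.0.0", "0.0.255.255")],
    20: [("permit", "10.3.0.0", "0.0.255.255"), ("permit", "10.5.0.0", "0.0.255.255")],
}

# route-map <name> <action> <seq> / match ip address <acl> / set ip next-hop <nh>
ROUTE_MAPS: Dict[str, List[Tuple[int, str, int, str]]] = {
    "routetoISP1": [(10, "permit", 10, "10.0.0.1")],
    "routetoISP2": [(20, "permit", 20, "10.0.0.2")],
}

# interface VlanN / ip policy route-map <name>
SVI_POLICY: Dict[str, str] = {
    "Vlan2": "routetoISP1", "Vlan4": "routetoISP1",
    "Vlan3": "routetoISP2", "Vlan5": "routetoISP2",
}

DEFAULT_NEXT_HOP = "10.0.0.1"   # ip route 0.0.0.0 0.0.0.0 10.0.0.1


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def acl_permits(acl_id: int, src: str) -> bool:
    """First matching entry wins; an unmatched address hits the implicit deny."""
    for action, network, wildcard in ACLS[acl_id]:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False


def policy_next_hop(ingress_svi: str, src: str) -> Optional[str]:
    """Next-hop chosen by the route-map bound to the SVI, or None if PBR does not apply."""
    route_map = SVI_POLICY.get(ingress_svi)
    if route_map is None:
        return None
    for _seq, action, acl_id, next_hop in ROUTE_MAPS[route_map]:
        if acl_permits(acl_id, src):
            # a matching permit clause sets the next-hop; a matching deny clause
            # (or no match at all) leaves the packet to the normal routing table
            return next_hop if action == "permit" else None
    return None


def next_hop(ingress_svi: str, src: str) -> str:
    """Where the packet is forwarded: the PBR result if any, otherwise the default route."""
    return policy_next_hop(ingress_svi, src) or DEFAULT_NEXT_HOP


if __name__ == "__main__":
    for svi, src in [("Vlan2", "10.2.1.5"), ("Vlan3", "10.3.7.7"),
                     ("Vlan5", "10.2.0.9"), ("Vlan3", "192.168.1.1")]:
        print(f"{svi:6} src {src:12} -> {next_hop(svi, src)}")
```

The third sample line is the interesting one: a host on Vlan5 sending with a forged 10.2.0.9 source does not match access-list 20, so the route-map does not apply and the packet follows the default route to ISP1. That is the behaviour the ingress ACL per SVI mentioned above is there to prevent.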

Configuring DHCP on Cisco

I: Configuring the DHCP server

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#service dhcp
Router1(config)#ip dhcp pool 192.168.6.128/25
Router1(dhcp-config)#network 192.168.6.128 255.255.255.128
Router1(dhcp-config)#default-router 192.168.6.200
Router1(dhcp-config)#dns-server 210.245.31.130
Router1(dhcp-config)#lease 2
Router1(dhcp-config)#exit
Router1(config)#ip dhcp excluded-address 192.168.6.129 192.168.6.140
Router1(config)#ip dhcp excluded-address 192.168.6.200 192.168.6.254
Router1(config)#end
Router1#
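The two excluded-address lines decide which addresses the pool can actually lease, and it is easy to get the default router or a statically addressed server back into the leasable range by mistyping a boundary. The script below is an added example, not from the original post: it parses the network, default-router and ip dhcp excluded-address lines from the session above (embedded here as a constructed sample, prompts included, the way a terminal capture looks) and reports the assignable range and whether the default router is still leasable. Like IOS, it assumes the network and broadcast addresses are never handed out.

```python
"""Compute what a Cisco IOS DHCP pool will actually hand out.

Added example; not from the original post and not Cisco code. Assumption: the
network and broadcast addresses are never assigned, as on IOS.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the configuration session from the post, prompts included.
SAMPLE_SESSION = """\
Router1(config)#ip dhcp pool 192.168.6.128/25
Router1(dhcp-config)#network 192.168.6.128 255.255.255.128
Router1(dhcp-config)#default-router 192.168.6.200
Router1(dhcp-config)#dns-server 210.245.31.130
Router1(dhcp-config)#lease 2
Router1(dhcp-config)#exit
Router1(config)#ip dhcp excluded-address 192.168.6.129 192.168.6.140
Router1(config)#ip dhcp excluded-address 192.168.6.200 192.168.6.254
"""

PROMPT_RE = re.compile(r"^[^#>]*[#>]")   # strips "Router1(dhcp-config)#" style prompts


def parse_session(text: str) -> Dict[str, object]:
    """Pull the pool network, default routers and excluded ranges out of the session."""
    network = None
    routers: List[str] = []
    excluded: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw).strip()
        if m := re.match(r"network (\S+) (\S+)$", line):
            network = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"default-router (.+)$", line):
            routers = m.group(1).split()
        elif m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line):
            # single-address form excludes just that address
            excluded.append((m.group(1), m.group(2) or m.group(1)))
    if network is None:
        raise ValueError("no 'network' statement found")
    return {"network": network, "routers": routers, "excluded": excluded}


def assignable_addresses(text: str) -> List[ipaddress.IPv4Address]:
    """All addresses the pool may lease: hosts of the network minus the excluded ranges."""
    pool = parse_session(text)
    network: ipaddress.IPv4Network = pool["network"]  # type: ignore[assignment]
    blocked = set()
    for lo, hi in pool["excluded"]:  # type: ignore[union-attr]
        lo_i, hi_i = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
        blocked.update(range(lo_i, hi_i + 1))
    return [h for h in network.hosts() if int(h) not in blocked]


def pool_report(text: str) -> Dict[str, object]:
    """Summary for sanity-checking a pool: size, bounds, and routers that could be leased out."""
    pool = parse_session(text)
    free = assignable_addresses(text)
    leasable_routers = [r for r in pool["routers"]  # type: ignore[union-attr]
                        if ipaddress.IPv4Address(r) in free]
    return {
        "count": len(free),
        "first": str(free[0]) if free else None,
        "last": str(free[-1]) if free else None,
        "routers_not_excluded": leasable_routers,   # should be empty
    }


if __name__ == "__main__":
    print(pool_report(SAMPLE_SESSION))
```

For the session above the leasable range is 192.168.6.141 to 192.168.6.199 (59 addresses) and the default router at .200 is correctly covered by the second exclusion; changing that exclusion to start at .201 is enough to make the report flag .200 as leasable.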


Upgrade Software Nortel ERS 8600

Here's a question that I've been asked over and over again.

How can I upgrade the software of a Nortel ERS 8600 Switch?

It's actually very easy and only takes a few minutes (plus a reboot). If you have dual CPUs (8690SF, 8691SF, 8692SF) you're going to need to upgrade both CPUs. If you're running an HA (High Availability) configuration you probably shouldn't be reading this. I'll assume that anyone with dual CPUs is running them in a standby configuration. I generally like to upgrade the standby CPU first and then the primary CPU; the switch will fail over to the standby CPU once the primary CPU starts to reboot.

You'll need a TFTP server to host the software files. I generally use the TFTP server that comes with Linux (CentOS); on Windows XP/2003 you can use TFTPD32 by Philippe Jounin: just drop the TFTPD32 files in the same directory as the Nortel ERS 8600 software release and run the executable. TFTP has no authentication, so run the server on the management network only for the duration of the upgrade and stop it afterwards.


AP Conversion using MODE Button

If you have already read one of my previous posts (Lightweight to Autonomous (and vice versa) Conversion...) you may know one way of doing this AP conversion.

In this post we will see how to do the same task using the Mode/Reset button of the access point. Number 1 in the diagram below shows the Reset button of the given AP.


Configuring a Virtual Chassis and Licenses on Juniper EX3300

I. Installing a license on a stand-alone EX3300 switch

  • Step 1: Log in to operational mode (CLI)
  • Step 2: Use one of the following two commands to install the license

user@host> request system license add filename | url
filename:
the name of a license file stored on the device
url: the location where the license file is stored

user@host> request system license add terminal
At the prompt, paste the license key.
If the license key is valid, no error message is shown; otherwise an error message is displayed.
Press Ctrl+D to leave license entry mode.

  • Example: install a license from FTP
    user@host> request system license add ftp://username:password@192.168.1.1/license.config
    (the credentials go in front of the host as user:password@host; a password typed on the command line ends up in the CLI history and logs, so outside a lab prefer copying the file to the switch first, or pasting the key with the terminal form)
  • Example: install a license from a file placed in the root directory / of the device
    user@host> request system license add /license.config

II. Installing a license on an EX3300 Virtual Chassis

On EX3300 switches the license can be installed on each device before the Virtual Chassis is formed, or after the Virtual Chassis is up.

1. Setting up the Virtual Chassis

1.1. Check the Junos version on both EX3300 switches

EX3300 switches that join a Virtual Chassis must run the same Junos version.

To check the Junos version, run the following command in operational mode:

user@host> show version

[image: VC_Juniper_3300]

1.2. Reset both EX3300 switches to the default configuration

Before configuring the EX3300 switches for the Virtual Chassis, reset them to the factory default configuration.

In configuration mode, run:

user@host# load factory-default

user@host# commit

Junos refuses the commit of a factory-default configuration until a root password is set, so add set system root-authentication plain-text-password before the commit.

1.3. Collect the serial numbers of the EX3300 switches

user@host> show chassis hardware

[image: VC_Juniper_3300_02]

1.4. Configure the Virtual Chassis on the switch that will become Master

[image: VC_Juniper_3300_03]

The configuration in that screenshot is not reproduced here. The serial numbers from step 1.3 are what a preprovisioned Virtual Chassis is built from: each member ID and role is bound to a serial number (set virtual-chassis preprovisioned, then set virtual-chassis member <id> role routing-engine serial-number <serial> for each switch), so a switch whose serial number is not listed cannot join the chassis.

1.5. Cable the Virtual Chassis

By default, ports 2 and 3 on any uplink module installed in an EX3300 operate as Virtual Chassis ports (VCPs).

[image: ex3300-virtual-chassis]

Connect port 2 and port 3 on the uplink modules of the two EX3300 switches to each other.

1.6. Boot the second switch and verify the Virtual Chassis

Check the Virtual Chassis status:

user@host> show virtual-chassis

[image: VC_Juniper_3300_04]

If the Virtual Chassis was formed successfully, the status of each member is "Prsnt". With only two EX3300 switches, one has the Role "Master" and the other "Backup". With more than two switches, all remaining members (other than "Master" and "Backup") have the Role "Line-card".

Check the status of the uplink (VCP) ports:

user@host> show virtual-chassis vc-port

[image: VC_Juniper_3300_05]