Category: Network

Juniper EX switches configuration examples

General commands

show mac-address table

show ethernet-switching table brief

show switches that directly conected

show lldp neighbors

config vlan

set vlans  Floor_Users vlan-id 90
set vlans Floor_Users l3-interface vlan.90
set interfaces vlan unit 90 family inet address 10.10.10.254/24

assign vlan to port

set interfaces  unit 0 family ethernet-switching vlan members

upgrade (mybe needed – set system services ftp, when upgrading 8200 need to upgrage both Route Engines)

request system software add ftp://a:123456@10.10.10.81/jinstall-ex-3200-9.6R1.13-domestic-signed.tgz

enable SSH

set system services ssh

show ip addresses

show interfaces terse

show all ports info

show interfaces extensive

load factory-default

load factory-default

show rollback 10

file show /var/db/config/juniper.conf.10.gz

show int statistics at real time

run monitor interface ge-0/0/0

like tcpdump

run monitor traffic interface ge-0/0/0

to add config from notepad

load update terminal

static route

 set routing-options static route 192.168.16/24 next-hop 1.1.1.1

start terminal monitor

monitor start /var/log/messages

stop terminal monitor

monitor stop

check what is going to be commited

show | compare

time

show system uptime

show modules / hardware

show chassis hardware

Show ospf interfaces

show ospf interface

ospf – redis static

set protocols ospf export redistribute-into-OSPF
set policy-options policy-statement redistribute-into-OSPF term static from protocol static
set policy-options policy-statement redistribute-into-OSPF term static then accept?

LACP -switches

set chassis aggregated-devices ethernet device-count 5
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 10.10.0.254/24

LACP – J routers

set chassis aggregated-devices ethernet device-count 5
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ge-0/0/0 gigether-options 802.3ad ae0
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 10.10.0.254/24

password recovery

* reload the switch
* stop the boot by presing the "space bar"
* choose 'recovery'
boot -s

NTP

set system ntp server 1.1.1.1
exit
set date ntp

create rescue config

request system configuration rescue save

set managment ip at stack

set interfaces vme unit 0 family inet address 10.10.10.235/24

connect to a specific switch from a stack

request session member

install image from USB

1. Put the new code(desired version of JUNOS) on a USB which is formatted under FAT32 and insert on the back of the switch where you can find the USB slot.
2. Reboot the device and when it says loading press spacebar to take us to loader prompt (loader>).
3. Type the following command to reinstall junos from this prompt
    loader>install --format file:///filename.tgz
    * where filename is like eg: jinstall-ex-9.2R1.5-domestic-signed.tgz

copy log files from specific unit

request session member 5
start shell user root
! -Password-
tar -zcvf varlog-mem5.tar.gz /var/log/
mv varlog-mem5.tar.gz /var/tmp/
exit
file copy fpc5:/var/tmp/varlog-mem5.tar.gz fpc0:/var/tmp 
! Then open with web - Maintain --> Files --> temp

show alarms

(use to check why the alarm led is red)-

show system alarms

vrrp

set interfaces vlan unit   family inet address x.x.x.x /24 vrrp-group  virtual-address x.x.x.x  priority < priority>

vrrp – backup master (Specify that the backup router can process packets with an IP destination address of the virtual address)

ip vrrp 22 accept-data

ECMP

(equal cost multi path)

set policy-options policy-statement load-balancing-policy then load-balance per-packet
set routing-options forwarding-table export load-balancing-policy

allow NSM to connect to the switch

set system services netconf ssh

dhcp snooping

set ethernet-switching-options secure-access-port vlan all examine-dhcp

bpdu guard

set protocols rstp bpdu-block-on-edge  
set protocols rstp interface all edge

port mirroring

set ethernet-switching analyzer analyzer1 input ingress interface ge-0/0/0
set ethernet-switching analyzer analyzer1 input egress interface ge-0/0/0
set ethernet-switching analyzer analyzer1  output interface ge-0/0/2

LLDP – MED

(the switch tells the ip phone what is the voice vlan)

set vlans  description voice-vlan
set vlans  interface ge-0/0/2.0
set interfaces  unit 0 family ethernet-switching vlan members 
set interfaces   unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface  .0 vlan 
set ethernet-switching-options voip interface  .0 forwarding-class assured-forwarding
set protocols lldp-med interface

tacacs

(use “load merge terminal” to load this format of config)

system {
    time-zone Asia/Jerusalem;
    authentication-order tacplus;
    root-authentication{
        encrypted-password "$1$gzwtefgipDYmub7XcCTEU4/"; ## SECRET-DATA
    }
    tacplus-server {
          secret "$9$y45645XxjqfT9CRhSyMX-dsYgJ"; 
         secret "$9$vD4574745dV.5Fnu0ylKvxdsYoaZj"; 
    }

    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus;
        }
    }
}

Voip QOS marking

class-of-service{
	classifiers {
	    dscp juniper_dscp_classifier {
	        import default;
	        forwarding-class voice {
	            loss-priority low code-points 101110;
	        }
	    }
	    ieee-802.1 juniper_ieee_classifier {
	        import default;
	        forwarding-class voice {
	            loss-priority low code-points 011;
	        }
	    }
	}
	forwarding-classes {
	    class voice queue-num 7;
	    class expedited-forwarding queue-num 5;
	    class assured-forwarding queue-num 1;
	    class best-effort queue-num 0;
	}
	interfaces {
	    vlan {
	        unit 12 {
	            classifiers {
	                dscp juniper_dscp_classifier;
	            }
	        }
	    }
	}
}

access-lists of ip addresses that allowd to access the switch (use “load merge terminal” to load that format of config)

interfaces{
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input Telnet-access-filter;
	}
           }
        }
    }
}
firewall {
  family inet {
    filter Telnet-access-filter {
        term team_X {
            from {
                source-address {
                    x.x.x.x/32;
                    x.x.x.x/32;
                  }
                protocol tcp;
            }
            then accept;
        }
        term team_Y {
            from {
                source-address {
                    y.y.y.y/32;
                    y.y.y.y/32;
                }
                protocol tcp;
            }
            then accept;
        }
        term Access_from_forbidden_addresses {
            from {
                source-address {
                    127.0.0.0/8;
                }
                protocol tcp;
            }
            then discard;
        }
        term OSPF {
            from {
                protocol ospf;
            }
            then accept;
        }
        term icmp {
            from {
                protocol icmp;
            }
            then accept;
        }
        term accept_DHCP {
            from {
                protocol udp;
            }
            then accept;
        }
    }
  }
}

4200 EX Switches

set that if disconnecting cascade cables from stack of 2 switches that the switches will not became layer 2

set virtual-chassis no-split-detection

show units at stack

show virtual-chassis                                   
0 (FPC 0)  Prsnt    BQ0209341890 ex4200-48p      128  Master*    1  vcp-0      
1 (FPC 1)  Prsnt    BN0209364440 ex4200-24p      128  Linecard   3  vcp-0      
2 (FPC 2)  Prsnt    BQ0209341900 ex4200-48p      128  Backup     0  vcp-0      
3 (FPC 3)  Prsnt    BQ0209341917 ex4200-48p      128  Linecard   2  vcp-0      

Member ID for next new member: 4 (FPC 4)

change units number

(the serial is also at the back of the switch, no restart needed, the new master became master after few minutes)

set virtual-chassis preprovisioned
set virtual-chassis member 0 serial-number BN0209364440 role routing-engine
set virtual-chassis member 1 serial-number BQ0209341917 role routing-engine
set virtual-chassis member 2 serial-number BQ0209341900
set virtual-chassis member 3 serial-number BQ0209341890

8200 EX Switches

set managment ip when having 2 routing engines

delete int me0
edit groups 
set re0 system host-name Name1 
set re0 interfaces me0 unit 0 family inet address 10.10.10.12/24 
set re1 system host-name Name2
set re1 interfaces me0 unit 0 family inet address 10.10.10.22/24 
top 
set apply-groups [re0 re1]

turn off a module

(disable)

set chassis fpc  power off

set the switchover without only 10 packet loss

set chassis redundancy graceful-switchover

connect to backup routing engine

request routing-engine login backup

show modules

show chassis hardware

change active CPU

request chassis routing-engine master switch

cancel switchover at fuiler/reload command

deactivate chassis redundancy graceful-switchover

Auto save config aldo to backup

(“commit” saves only to the present Routing Engine)

commit synchronize

Run commands at a linecard

root@st-grande06-scb0:RE:0% lcdd 2 chassism
chassism#show mac ge-2/0/1 
chassism#show phy ge-2/0/1

Configuring Dynamic VLAN assignment on ProCurve switches

Introduction

The information contained in this post describes how to configure an HP ProCurve switch and Windows 2008 R2 NPS RADIUS server to authorise and assign users dynamically into specific VLANs.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configure VLANs

Create VLANs, define IP address and IP helper-address

VLAN 30

name “VLAN30”

ip address 192.168.30.1 255.255.255.0

ip helper-address 192.168.20.20

VLAN 40

name “VLAN40”

ip address 192.168.40.1 255.255.255.0

ip helper-address 192.168.20.20

Configure RADIUS/802.1x

Define RADIUS server IP address and shared secret

radius-server host 192.168.20.20 key secret12

Configure 802.1x authentication type

aaa authentication port-access eap-radius

Configure ethernet ports 1-2 as authenticator ports

aaa port-access authenticator 1-2

Activates 802.1x port-access authentication on ports

aaa port-access authenticator active

Create Active Directory Groups

Authentication to the individual VLANs will be by Active Directory group membership for user or computer, therefore we need to create the appropriate the groups for use later in the NPS radius server policy.

Add a user to each of the groups

070512_1543_configuring1

Windows 20008 R2 NPS (RADIUS) Configuration

Create an appropriately named NPS Policy to authorise users for each VLAN

070512_1543_configuring2

Configure a “Condition” of Windows Group value of DOMAINNAME\GroupName

070512_1543_configuring3

Configure the “Authentication Methods” as “Microsoft: Protected EAP (PEAP)”

070512_1543_configuring4

Configure “RADIUS Attributes”

Tunnel-Medium-Type = 802

Tunnel-Pvt-Group-ID = VLAN Name or VLAN ID e.g “VLAN30” or “30”

Tunnel-Type = Virtual LANs (VLAN)

070512_1543_configuring5

Configure Windows 7 computer to authenticate

Open Windows services and change the startup type of the service “Wired AutoConfig” to Automatic. Click Start service

Open “Network and Sharing Center”. Click “Change adapter settings”

Click “Local Area Connection” > “Properties” > “Authentication”

Ensure “Enable IEEE 802.1x authentication” is ticked

Ensure “Microsoft: Protected EAP (PEAP)” is selected from the dropdown box. Click Settings

If the client computers do not have a trusted root certificate un-check the tick box “Validate server certificate”. If you do have an internal CA and all client computers have the root CA in the computer certificate store leave checked.

If the client computer is not joined to the domain and you wish to prompt for authentication, select “Configure” and un-check “Automatic use my Windows logon….”

The steps above can also be configured via Group Policy

Testing

Connect a computer to a port configured for authentication

If using a non-domain joined computer and you have previously un-checked the tick box “Automatic use my Windows logon….” a balloon will appear “Additional information is needed to connect to this network”. Click the balloon and enter your domain credentials.

070512_1543_configuring6

If you are on a domain joined computer, the authentication will be transparent to the user (you will not see the prompt for authentication as above).

From the switch, the command “Show port-access authenticator” will display useful troubleshooting information

When a user account is a member of “VLAN30” windows group, they will be authorised on the RADIUS server and the port will be dynamically assigned to VLAN 30.

070512_1543_configuring7

If the user is successfully authenticated and is a member of “VLAN40” group the port would be dynamically assigned to VLAN 40.

070512_1543_configuring8

 

Junos Basics – Aggregated Ethernet Interfaces (LACP)

In my previous Junos Basics post I covered configuring an 802.1Q Trunk between a Juniper EX2200C and a Cisco 2960S. This post will expand upon the previous one by bundling two interfaces together on each switch to form an aggregated link for the trunk.

There are a few proprietary standards for aggregating ethernet links, but Juniper uses the IEEE 802.3ad standard and Cisco can also be configured to use this. The 802.3ad standard is known as Link Aggregation Control Protocol (LACP). LACP can be configured in either Active or Passive mode – in Active mode a switch will always try and form an LACP link with the other side, and in Passive mode a switch will form an LACP link if the other side is in Active mode.

microbfd-sessions

On the Cisco side, the config steps are very simple:

  • specify the interfaces to be aggregated
  • set the protocol to LACP
  • create a Channel Group and specify the LACP mode
  • set the Port Channel interface as a trunk
  • specify which VLAN’s are allowed over the trunk
Cisco2960S(config)#int range gi1/0/47-48
Cisco2960S(config-if-range)#channel-protocol lacp
Cisco2960S(config-if-range)#channel-group 1 mode passive
Cisco2960S(config)#interface po1
Cisco2960S(config-if)#switchport mode trunk
Cisco2960S(config-if)#switchport trunk allowed vlan 100,200

Onto the Juniper side, the first step is to specify the number of aggregated links on the switch:

rich@EX2200C# set chassis aggregated-devices ethernet device-count 1

Next, we have to remove the logical unit configuration from the interfaces that are to be bundled, as logical units are not allowed on aggregated links:

delete interfaces ge-0/1/1 unit 0
delete interfaces ge-0/1/0 unit 0

Next, set the interfaces to use LACP (802.3ad) and to be members of a logical aggregated ethernet port (ports begin with ae):

set interfaces ge-0/1/0 ether-options 802.3ad ae0
set interfaces ge-0/1/1 ether-options 802.3ad ae0

Then we need to set the LACP mode for our new aggregated interface. We’ll make the Juniper side Active, so that it initiates the transmissison of LACP packets:

set interfaces ae0 aggregated-ether-options lacp active

Finally, we need to set the aggregated link to be a trunk, and tell it which VLAN’s to trunk:

set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [SALES IT]

To verify our config, we’ll start on the Cisco side and check the Etherchannel summary:

Cisco2960S#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------------------------
1      Po1(SU)         LACP      Gi1/0/47(P) Gi1/0/48(P)

Then we can confirm the trunk config:

Cisco2960S#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         100,200

Port        Vlans allowed and active in management domain
Po1         100,200

Port        Vlans in spanning tree forwarding state and not pruned
Po1         100,200

And on the Juniper side:

rich@EX2200C> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow   Passive
      ge-0/1/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/1     Partner    No    No   Yes  Yes  Yes   Yes     Slow   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/1/0                  Current   Slow periodic Collecting distributing
      ge-0/1/1                  Current   Slow periodic Collecting distributing

From the above output we can see that our individual interfaces are both Active, with the partner end Passive. For a detailed explanation of the output see this article from Juniper, but suffice to say the Mux State of Collecting and Distributing means the LACP protocol is working correctly.

We can also confirm the trunk is up and trunking for VLAN’s 100 and 200:

rich@EX2200C> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging  Blocking
ae0.0        up     IT                  200   tagged   unblocked
                    SALES               100   tagged   unblocked

I hope this has been a useful explanation.  In my next Junos Basics post I’ll cover first hop redundancy using VRRP.

Những việc cần làm để thiết kế hệ thống hạ tầng thông tin

Đã từng một thời, với những “thắc mắc biết hỏi cùng ai” về thiết kế mạng:

* Hệ thống mạng trên thực tế đang hoạt động được thiết kế như thế nào ?

* Mô hình mạng cần phải thiết kế ra sao cho từng đối tượng khách hàng (SMB, Enterprise, Banking, …) ?

* Phải chọn thiết bị mạng (Switch, Router, Firewall, …) tối ưu nhất trong từng thiết kế ?

* Ứng dụng những kiến thức đã học trong viêc thiết kế một hệ thống mạng trong thực tế như thế nào ?

Tại thời điểm đó, cũng có chút kiến thức học được, tuy nhiên việc áp dụng các kiến thức đã học áp dụng vào thực tế chỉ là con số 0 tròn trĩnh, hay nói cách khác, đó là một cảm giác “có võ công nhưng khi gặp cao thủ để tỉ thí thì không biết dùng như thế nào”, một cảm giác … thực sự rất khó chịu… đó là:

– Học về HSRP/VRRP/GLBP, hiểu rõ các giao thức này hoạt động ra sao, hiểu rõ phải cấu hình thế nào, hiểu rõ phải troubleshoot ra sao nếu có sự cố,… nhưng lại không biết phải dùng ở đâu trong mô hình mạng.

– Học về Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), PVST+, Rapid-PVST, MST: hiểu rõ làm sau để cấu hình Root Bridge, Root Port, Load Sharing với STP, sự khác biệt giữa STP, RSTP, PVST+, Rapid-PVST, MST, ưu và nhược điểm của từng loại. Nhưng… lại không hiểu phải dùng như thế nào trong thực tế…

– Học về thiết kế mạng mô hình 3 lớp: Core/Distribution/Access… hiểu rõ vai trò của từng lớp, nhưng lại không thể design nổi hệ thống mạng cho 1 doanh nghiệp vừa và nhỏ (SMB), hay thậm chí ngay cả khái niệm SMB, ENT, … cũng còn rất mơ mơ hồ hồ.

– Và rất nhiều những điều tương tự …

Đã từng tự hỏi, là do đâu có phải là:

– Thiếu kiến thức về sản phẩm: Vâng, tuy rằng tôi đã được trang bị 1 hệ thống kiến thức nền tảng tuy nhiên lại không biết hoặc chưa hiểu được:

– Khái niệm Modular Switch (Catalyst 6500, Catalyst 4500, Nexus 7000, …): thế nào là linecard, là supervisor, là fans tray, là power supply, vv..

– Một Switch thế nào được gọi là “mạnh”, cùng các khái niệm để định nghĩa độ “mạnh” này của 1 thiết bị

Ví dụ: trên dòng Switch 3750-X: 160 Gbps switching fabric, 101.2 mpps forwarding rate, 10GbE uplinks, …

– Khái niệm về VSS trên dòng Switch 6500, Stack-Wise trên dòng Switch 3750 series, Flex-Stack trên dòng Switch 2960S (lưu ý, đây là những tính năng cực kỳ quan trọng trong thiết kế hệ thống mạng với nhiều đặc điểm nổi trội mà sẽ được đề cập chi tiết trong các bài viết sau).

– Các tính năng (feature) hỗ trợ trên từng dòng thiết bị là khác nhau do được thiết kế với những mục đích khác nhau, như: Switch 2960 series chỉ hỗ trợ các tính năng Layer 3 ở mức rất hạn chế so với Switch 3750/4500/6500 series do 2960 được thiết cho lớp Access …

– Đặc trưng của từng đối tượng khách hàng, ví dụ: khi thiết kế hệ thống mạng cho khách hàng là SMB thì sẽ rất khác với khách hàng Enterprise,…

– Chưa có kinh nghiệm thực tế… -> vậy phải làm sao để có ?? Học từ ai ?? Học ở đâu ??

Và tôi đã trải qua 1 đoạn thời gian mò mẫm, như bước đi trong 1 đường hầm tối tăm như thế, và cho đến bây giờ, tôi vẫn đang đi trong đường hầm, có khác chăng đó là đường hầm với một “tia sáng le lói” dẫn đường

Hiểu rõ những khó khăn đã từng trải qua cùng với mong muốn được chia sẽ, trao đổi và học hỏi nhằm làm giàu thêm về kỹ năng thiết kế mạng.

Xin phép được bắt đầu chuỗi bài viết chuyên đề “Thiết kế mạng, từ lý thuyết đến thực tiễn”.

JunOS: Copy & Paste configuration directly on terminal.

The command load replace terminal can be used to copy a configuration from a text file to a Juniper device.

After executing this command the router will start accepting configuration data via the paste option.

To exit this mode use the CTRL-D or ^D, this will exit from the terminal mode and return back to device prompt.

Example Follows:

root@gw-srx-01# load replace terminal   
[Type ^D at a new line to end input]
interfaces {
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    input INPUT_RETH0.0_Filter;
                }
                address 10.0.0.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
}
^D
load complete
 
[edit]
root@gw-srx-01# commit

VLAN Difference between Juniper and Cisco Switches

A VLAN (Virtual Local Area Network) is a logical LAN segment which have unique broadcast domain. Basically, VLAN divides one physical switch to multiple logical switch. You can configure hundreds of VLANs in one EX series switch. No matter if its EX4200, EX3200 or EX2200. Today I will show you VLAN difference between Juniper and Cisco switches.

VLAN Difference between Juniper and Cisco Switches

There are two port modes in Juniper switch i.e. access mode or trunk mode. The interface in access mode connects to a network device, such as laptop or an IP phone. The interface in trunk mode connects to other switches in the network. There are many differences between Juniper and Cisco switches.

  1. In Cisco switches the default port mode is dynamic desirable auto but in Juniper switch the default port mode is access mode.
  2. In Cisco switches the default VLAN is untagged and is the native VLAN i.e. VLAN 1 but in Juniper there is no default native VLAN. You must configure it manually.
  3. In Cisco switches the trunk ports accept all VLANs in the range of 1 to 4095 by default but in Juniper, trunk ports do not support any VLANs. You have to make it support manually.
  4. In Juniper switches, VLAN named Default is present by default and all the interfaces are under this default VLAN.
  5. Unlike Cisco switches Juniper switches doesn’t support VTP (VLAN Trunking Protocol) or DTP (Dynamic Trunking Protocol). Juniper switches support GVRP (Generic Attribute Registration Protocol) though.
  6. Juniper switches has two port modes i.e. access and trunk mode. Cisco switches have five port modes i.e. dynamic auto, dynamic desirable, access, trunk and nonegotiate mode.
  7. Juniper switches support 802.1Q protocol for trunk ports. Cisco switches support both 802.1Q and ISL (Inter Switched Link) protocols.

How to measure bandwidth between two computers on the same network

In this article we will explain you how to measure bandwidth between two computers on the same network, by using Iperf software and related utilities. Iperf is a free software tool that can measure the bandwidth between two nodes in a computer network and the quality of a network link.

Idea is to run Iperf on both computers and measure bandwidth between them, where one computer is a client and the other is a server. Computer is assigned as a client (or server) within the application by using appropriate switches.

Iperf is a console application, which means you have to type commands in terminal (command prompt). If you find that annoying, try a graphical front-end for Iperf called Jperf – a graphical front-end written in Java, and it will be mentioned in the section regarding how to measure bandwidth between computer and Android smartphone (I performed a test and took screenshots in my home network).

Iperf:

OK, let’s get to work and perform a simple bandwidth test, and other features will be provided in examples and the further reading section.

How to measure bandwidth between two computers in network by using Iperf

You can see this concept on how to measure bandwidth between two computers on the same network in the chart below:

IPERFmeasureBandwidth

OK, you’ve downloaded Iperf (I downloaded v2) and copied it on computers that you want to measure bandwidth between them; open command prompt and run Iperf on the computer you want to be a server (there is no formal rule on which computer must have a server or client role. Any computer can be a client or a server), and type the command: iperf.exe -s

iperfserver

Use this tip to open the command prompt on specific path (where you have put Iperf): navigate to folder which contains your Iperf executable (iperf205, in my case), hold the Shift key and right mouse click on that folder; extended contextual menu will appear where you have to click on Open command window here option.

OpenCommandWindow

In my case, I used a computer with Windows 7 as a server and computer with Windows 8.1 as a client. On the diagram above, you can see that server is marked with “1”, because that’s always the first step – to define a server. Take a note of your server’s IP address (if you don’t know it), and the easiest way to achieve that, provided that you are already in command prompt, is by typing ipconfig command (IP address on the diagram is: 10.1.1.1).

When it comes to a client, take a look at the diagram – I marked it as “2”; open your command prompt on the client computer and type: iperf -c server_address

iperfclient

And that’s it, default settings are enough to show you the bandwidth between two computers in your network. Of course, you can add some extra switches to use this software according to your needs.

This method we used to measure bandwidth is through TCP tests; besides that, you can measure jitter (latency variation) or datagram loss with an UDP test.

I mentioned iperf v3, which is a rewrite of Iperf from scratch, with the goal of a smaller, simpler code base and a library version of the functionality that can be used in other programs. Iperf3 is not backwards compatible with iperf2.x. Opinions on which version is better are divided, so many users would still recommend you Iperf 2.0.x. (Iperf 3 is not as well respected).

Iperf usage examples:

  • iperf -s —> runs iperf in the server mode.
  • iperf -c 10.1.1.1 –>  runs iperf in the client mode, where the server’s IP address is 10.1.1.1 (by default, only the bandwidth from the client to the server is measured).
  • iperf -c 10.1.1.1 -r –> connects back to the client allowing the bi-directional bandwidth measurement.
  • iperf -c 10.1.1.1 -d –> implies simultaneous bi-directional bandwidth measurement. If you want to test the bandwidths sequentially, use the -r argument (see the previous example).
  • iperf -c 10.1.1.1 -w 4000 –> w switch defines TCP window size – amount of data that can be buffered during a connection without a validation from the receiver (it can be between 2 and 65,535 bytes).
  • server side: iperf -s -p 12000 and client side: iperf -c 10.1.1.1 -p 12000 –> p switch must be set on both sides and its value defines a communication port. By default, the Iperf client connects to the Iperf server on the TCP port 5001 and the bandwidth displayed by Iperf is the bandwidth from the client to the server.
  • iperf -c 10.1.1.1 -t 30 –> specifies the test duration time in seconds (default is 10 seconds).
  • iperf -c 10.1.1.1 -t 30 -i 3 –> i argument specifies the interval in seconds between periodic bandwidth reports.
  • iperf -h –> provides you with detailed help starting with command format: iperf [-s|-c host] [options], then explanation of the arguments/switches, etc.

Great reference manual that describes how to use these switches (e.g. how to use -u switch to perform UDP test) can be found here: https://iperf.fr/ , and here: https://code.google.com/p/iperf/wiki/ManPage

How to measure bandwidth between computer and Android device on the same network

As I mentioned in the beginning (where I placed download links) there is a software Iperf for Android, that can turn your smartphone or tablet into a iperf server or client. My test environment is as follows:

  • Server: Samsung Galaxy S2 smartphone (GT-I9100), rooted and with Cyanogen Mod custom ROM,
  • Klijent: Fujitsu Amilo laptop, Windows 8.1, x64, where I tested both Iperf and Jperf.

Install Iperf for Android onto your Android device and run this application; type iperf -s or just -s in the text field and tap on off button (Aus, in my case, because my phone interface is in German). So you’ll get something similar to this (An is On):

Andriperf0

Note server’s IP address from the screenshot: 192.168.1.3

Run Iperf on the client computer and type the next command (make sure you use an IP from your server):

IperfForAndroid

Android application will show info when a client connects to it:

Show connected clients on Iperf for Android

Jperf can be associated with Iperf to provide a graphical frontend written in Java. So, if you’d like to try Jperf, you must have Java Runtime installed onto your operating system (I have Java JRE 8). Download Jperf from the download link I provided; extract the downloaded archive, find jperf.bat and run it:

JperfGraph-1024x576

In the screenshot above can be seen that I chose client mode, entered the IP address of my server (smartphone), and set test duration to 20 seconds (instead 10, which is default). Graph is provided to show you measured bandwidth between my computer and smartphone in my home network.

[ Further reading ]:

Wikipedia: http://en.wikipedia.org/wiki/Iperf
IPERF for Windows (native Windows port, not Cygwin), trial: http://www.iperfwindows.com/
Iperf3-Cygwin-GUI: http://sourceforge.net/projects/iperf3cygwingui/?source=recommended
Iperf2 vs Iperf3: https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/iperf-and-iperf3/
bwctl (ensures that just one test is executed in a moment): https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/bwctl/

 

Juniper SRX Simple Internet Gateway Setup Guide

This guide was written for someone that wants to configure a Juniper SRX firewall as a simple home or business Internet gateway. You will need some tech savvy since I have written the instructions for the CLI and not J-Web, by doing it this way I can keep the instructions short and to the point.

SRXEnviroment

General Configuration

Thse are things that we need to take care of before getting to far into things.
set system host-name Internet_Gateway
set system root-authentication plain-text-password

#I like to have domain name services so that I do name resolution although this is not really needed and can be omitted.

set system name-server 8.8.8.8

#Setup a user other than root for administration, this is a good practice since it is never good for root to login remotely.

set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication plain-text-password

#For accurate date and time in logs configure an NTP server, in my case I used a publicly available server.

 set system ntp server 192.95.20.208

Interface Configuration

#This is our internet facing link and it will pull IP configuration via DHCP from our provider.

 set interfaces ge-0/0/0 description Internet_Link
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server

#I would like interface fe-0/0/2 to 0/0/7 to be a member of vlan 100 and behave like a switch.

set interfaces interface-range interface-trust member fe-0/0/2
set interfaces interface-range interface-trust member fe-0/0/3
set interfaces interface-range interface-trust member fe-0/0/4
set interfaces interface-range interface-trust member fe-0/0/5
set interfaces interface-range interface-trust member fe-0/0/6
set interfaces interface-range interface-trust member fe-0/0/7

#Family ethernet-switching will allow the range of ports to behave like a switch while belonging to vlan-trust which is where they will find the gateway IP.

set interfaces interface-range interface-trust unit 0 family ethernet-switching vlan members vlan-trust

#This will be the gateway for the LAN devices on fe-0/0/2 to 0/0/7.

set interfaces vlan unit 100 family inet address 192.168.1.1/24

#Let’s create the vlan-trust and attache vlan.100 which was the L3 interface we created above.

set vlans vlan-trust vlan-id 100
set vlans vlan-trust l3-interface vlan.100

Test

To see if DHCP is working on ge-0/0/0 issue the following command, you should see IP information from you Internet Service Provider.
admin@Internet_Gateway show system services dhcp client

Logical Interface name         ge-0/0/0.0
Hardware address        80:71:1f:b4:07:c0
Client status           bound
Address obtained        10.5.5.5
Update server           enabled
Lease obtained at       2013-05-08 19:14:06 UTC
Lease expires at        2013-05-08 23:14:06 UTC

DHCP options:
Name: server-identifier, Value: 10.5.5.254
Code: 1, Type: ip-address, Value: 255.255.255.0
Name: router, Value: [ 10.5.5.1 ]
Name: domain-name, Value: corp.test.com
Name: name-server, Value: [ 10.5.5.253 ]

LAN DHCP

Since we just finished configuring the LAN we should setup DHCP which will provide local addresses to devices in vlan-trust.

set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.50
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1

#This statement propagate-settings will take configuration from the client DHCP on ge-0/0/0 if not otherwise specified, most importantly name-server which changes from ISP to ISP and is very important otherwise name resolutions on the LAN won’t work.

set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0

Test

Lets see if the PC(s) connected to ports fa-0/02 to 0/0/7 are getting DHCP leases.
admin@Internet_Gateway> show system services dhcp binding
IP address       Hardware address   Type     Lease expires at
192.168.1.50     32:aa:a7:5e:17:45  dynamic  2013-05-08 20:14:02 UTC

Security Zones

We are going configure a zone for the LAN (Trust) and for our Internet (Untrust)

set security zones security-zone untrust description "Internet Link - DHCP Configured"

#Note we are allowing DHCP since the Internet facing interface will be a client.

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

#Allow any service/protocol to the internal interface. (Should be safe in our case)

set security zones security-zone trust description "Local Area Network"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

#Attach vlan.100 to the trust zone.

set security zones security-zone trust interfaces vlan.100

Source NAT

Since 19.168.1.0/24 is private and won’t be routed on the Internet we will need to source NAT this internal subnet to our Internet facing egress interface.
set security nat source rule-set internal-to-internet description “NAT anything from trust zone to untrust (LAN to Internet)”

set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface

Policies

Allow anything from trust to untrust (LAN to Internet) Since there is an implicit deny by default traffic from trust to untrust will automatically be dropped and doesn’t need a policy.

set security policies from-zone trust to-zone untrust policy defaul-permit match source-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match destination-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match application any
set security policies from-zone trust to-zone untrust policy defaul-permit then permit

Management

This is a simple Internet gateway so lets enable SSH and HTTPS access from the inside LAN only.

set system services ssh protocol-version v2
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.100

Full Configuration

For those who would just like to copy and paste the entire configuration into the SRX.

set system host-name Serenity
set system root-authentication encrypted-password "$1$QgzUP4DH$dbmMYIKqw.I0b2KSIK1gB0"
set system name-server 8.8.8.8
set system login user lleroux uid 2000
set system login user lleroux class super-user
set system login user lleroux authentication encrypted-password "$1$FKKuZxhz$j0Yu8AYMW0x4JbH0CxkVZ1"
set system services ssh protocol-version v2
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.100
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.50
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0
set system ntp server 192.95.20.208
set interfaces interface-range interface-trust member fe-0/0/2
set interfaces interface-range interface-trust member fe-0/0/3
set interfaces interface-range interface-trust member fe-0/0/4
set interfaces interface-range interface-trust member fe-0/0/5
set interfaces interface-range interface-trust member fe-0/0/6
set interfaces interface-range interface-trust member fe-0/0/7
set interfaces interface-range interface-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 description Internet_Link
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server
set interfaces vlan unit 100 family inet address 192.168.1.1/24
set security nat source rule-set internal-to-internet description "NAT anything from trust zone to untrust (LAN to Internet)"
set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
set security policies from-zone trust to-zone untrust policy defaul-permit match source-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match destination-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match application any
set security policies from-zone trust to-zone untrust policy defaul-permit then permit
set security zones security-zone untrust description "Internet Link - DHCP Configured"
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust description "Local Area Network"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.100
set vlans vlan-trust vlan-id 100
set vlans vlan-trust l3-interface vlan.100

Virtual Chassis on EX2200 switches

The Juniper Virtual Chassis technology allows you to combine multiple physical switches into one logical switch stack, which reduces the management overhead of dealing with many switches. Because all members are acting as a single device, with a proprietary control protocol underneath, there is no need for Spanning Tree and its blocked links. It also has dual routing engine support, albeit with some feature limitations on the EX2200 platform.

Continue reading “Virtual Chassis on EX2200 switches”

Setting up a virtual lab topology with Juniper vSRX

Up until now, I’ve been doing most of my studies on real hardware. This was okay with Cisco gear, but Juniper hardware isn’t as cheap on the second hand market. Second, I always loose vast amounts of time reconfiguring appliances on the console, cabling them up, reconfiguring switchports and installing physical or virtual test machines. I recently installed an ESXi whitebox, with loads of RAM and compute power idle, so why not start virtualizing my labs?

The Juniper vSRX Integrated Virtual Firewall, formerly known as Firefly Perimeter, is a virtual appliance that brings all the features of the SRX firewalls to your virtual layer. Even better, you can use the full-featured trial version of the appliance for 60 days. Perfect for labbing purposes!

In this post, I will go through the steps of setting up the virtual appliance and giving it a basic configuration. Below is the topology I will be implementing and using for some parts of my JNCIS-SEC studies. I haven’t found an “official” installation guide from Juniper -although I haven’t really looked either- but the below scenario works for me.

Continue reading “Setting up a virtual lab topology with Juniper vSRX”