Tuesday 30 June 2020

Configuring NetFlow in Cisco (IOS-XR and Nexus OS) and Juniper (JunOS)


Cisco IOS-XR:
NetFlow on IOS-XR is configured with these three maps:

Step1. EXPORTER MAP - configure the export parameters: destination IP, UDP port (UDP is the only supported transport protocol) and source interface

IPv4:
flow exporter-map NETFLOW-EXPORTER-MAP
 version v9

  transport udp 9991
  source Loopback0
  destination 192.168.30.100

IPv6:
flow exporter-map IPv6-NETFLOW-EXPORTER-MAP
 version v9

  transport udp 9991
  source Loopback0
  destination 192.168.30.100


Note: the destination UDP port can be any value from <1024-65535>; it is the port the NetFlow collector listens on.


Step2. MONITOR MAP - ties a flow record type to a flow exporter map. Attributes such as the number of cache entries and the cache timeout can also be configured here. Supported record types are ipv4, ipv6 and mpls.

IPv4:
flow monitor-map NETFLOW-MONITOR-MAP
 record ipv4
 exporter NETFLOW-EXPORTER-MAP
 cache timeout active 10
 cache entries 1000

IPv6:
flow monitor-map IPv6-NETFLOW-MONITOR-MAP
 record ipv6
 exporter IPv6-NETFLOW-EXPORTER-MAP
 cache timeout active 10
 cache entries 1000


Step3. SAMPLER MAP - configure the sampling rate (one out of n packets)

sampler-map NETFLOW-SAMPLER-MAP
 random 1 out-of 100

sampler-map IPv6-NETFLOW-SAMPLER-MAP
 random 1 out-of 100

Note: in random mode the sampling interval (the n in "1 out-of n") can be 1 through 65535.

Application:
Apply on the interface (an L3 bundle or a physical interface, in one or both directions):
configure
  interface Te0/0/0/0
   flow ipv4 monitor NETFLOW-MONITOR-MAP sampler NETFLOW-SAMPLER-MAP ingress
   flow ipv6 monitor IPv6-NETFLOW-MONITOR-MAP sampler NETFLOW-SAMPLER-MAP ingress



Cisco Nexus:

[Pre-config] Enable the NetFlow feature
configure 
 feature netflow

Step1. Configure EXPORTER MAP

flow exporter ExporterMap
  description Exporter Map to Netflow Server
  destination 192.168.30.100 use-vrf management
  transport udp 9991
  source mgmt0
  version 9
    option exporter-stats timeout 120
    option sampler-table timeout 120

Step2. Configure MONITOR MAP

flow monitor MonitorMap
  record netflow-original
  exporter ExporterMap

where: netflow-original is the traditional IPv4 input NetFlow record with origin ASs.
Alternatively, a customized flow record can be used, e.g.:
flow record CustomRecord
  match ipv4 source address
  match ipv4 destination address
  match ip protocol
  match ip tos
  match transport source-port
  match transport destination-port
  collect transport tcp flags
  collect counter bytes
  collect counter packets

flow monitor MonitorMap
  record CustomRecord
  exporter ExporterMap


Step3. Configure SAMPLER MAP
sampler SamplerMap
  mode 1 out-of 100

Application:
configure
 interface Eth1/1
 ip flow monitor MonitorMap input sampler SamplerMap



Juniper (JunOS):

Step1. Configure EXPORTER MAP
set services flow-monitoring version9 template NETFLOW_MONITOR template-refresh-rate seconds 15
set services flow-monitoring version9 template NETFLOW_MONITOR option-refresh-rate seconds 15
set services flow-monitoring version9 template NETFLOW_MONITOR ipv4-template

Step2. Configure MONITOR MAP

set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 port 9991
set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 source-address 192.168.1.100
set forwarding-options sampling instance NETFLOW_INSTANCE family inet output flow-server 192.168.30.100 version9 template NETFLOW_MONITOR
set forwarding-options sampling instance NETFLOW_INSTANCE family inet output inline-jflow source-address 192.168.1.100

Step3. Configure SAMPLER MAP
set forwarding-options sampling instance NETFLOW_INSTANCE input rate 100
set forwarding-options sampling instance NETFLOW_INSTANCE input run-length 0


Application:
set interfaces ge-0/0/0 unit 0 family inet sampling input
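All three vendor configurations above export NetFlow v9 over UDP to a collector on 192.168.30.100:9991 with 1-out-of-100 sampling. Here is the receiving side, added as an example (not code from the original post): a minimal NetFlow v9 decoder that keeps templates across packets, scales sampled counters back up, and skips data flowsets whose template has not arrived yet. The packet it decodes is constructed inline; the field numbers are the RFC 3954 ones.

```python
import socket
import struct

# NetFlow v9 field type numbers (RFC 3954) used by the constructed template below.
IN_BYTES, IN_PKTS, PROTOCOL, TCP_FLAGS = 1, 2, 4, 6
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12
FIELD_NAMES = {IN_BYTES: "bytes", IN_PKTS: "pkts", PROTOCOL: "proto", TCP_FLAGS: "tcp_flags",
               L4_SRC_PORT: "sport", IPV4_SRC_ADDR: "src", L4_DST_PORT: "dport", IPV4_DST_ADDR: "dst"}


def decode_field(ftype, raw):
    """Convert one field's raw bytes: dotted quad for addresses, big-endian int otherwise."""
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates, sampling_rate=1):
    """Decode one export datagram.

    `templates` is a dict the caller keeps across packets, keyed by
    (source id, template id): exporters only resend templates periodically,
    so data flowsets whose template has not been seen yet are counted in
    `skipped` rather than guessed at. Packet/byte counters are multiplied by
    `sampling_rate` to undo 1-out-of-N sampling (100 for the maps above).
    """
    version, _count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    flows, skipped, offset = [], 0, 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:  # template flowset: one or more (template id, field list)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if tid == 0:  # zero padding at the end of the flowset
                    break
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:  # data flowset: records laid out per the template
            fields = templates.get((source_id, fs_id))
            if fields is None:
                skipped += 1
            else:
                rec_len = sum(length for _, length in fields)
                pos = 0
                while pos + rec_len <= len(body):
                    rec = {}
                    for ftype, length in fields:
                        rec[FIELD_NAMES.get(ftype, ftype)] = decode_field(ftype, body[pos:pos + length])
                        pos += length
                    for counter in ("pkts", "bytes"):
                        if counter in rec:
                            rec[counter] *= sampling_rate
                    flows.append(rec)
        # flowset ids 1..255 (options templates etc.) are ignored here
        offset += fs_len
    return {"seq": seq, "source_id": source_id, "flows": flows, "skipped": skipped}


def build_sample_packet():
    """Constructed export packet: header, one template (id 256) and two records,
    in the shape a v9 exporter configured like the maps above would send."""
    tmpl_fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
                   (PROTOCOL, 1), (TCP_FLAGS, 1), (IN_PKTS, 4), (IN_BYTES, 4)]
    tmpl = struct.pack("!HH", 256, len(tmpl_fields))
    tmpl += b"".join(struct.pack("!HH", t, ln) for t, ln in tmpl_fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def record(src, dst, sport, dport, proto, flags, pkts, nbytes):
        return (socket.inet_aton(src) + socket.inet_aton(dst)
                + struct.pack("!HHBBII", sport, dport, proto, flags, pkts, nbytes))

    records = (record("10.0.0.5", "192.0.2.80", 51234, 443, 6, 0x18, 12, 9600)
               + record("10.0.0.7", "198.51.100.9", 40000, 22, 6, 0x02, 1, 60))
    data_fs = struct.pack("!HH", 256, 4 + len(records)) + records
    header = struct.pack("!HHIIII", 9, 3, 123456, 1593475200, 1, 0)
    return header + template_fs + data_fs


if __name__ == "__main__":
    seen_templates = {}
    for flow in parse_v9(build_sample_packet(), seen_templates, sampling_rate=100)["flows"]:
        print(flow)
```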

Wednesday 24 June 2020

Configuring Banner or Login Message in Cisco and Juniper


Taking Cisco's sample legal banner message from their Network Security Baseline page:
Sample Legal Banner Notification Configuration
! Present a legal notification banner approved by company legal counsel
banner login #
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or 
criminal penalties.
All activities performed on this device are logged and monitored.
#
!

Here's how to configure for:
Cisco

RP/0/0/CPU0:R3#configure 
Wed Jun 24 05:33:02.134 UTC
RP/0/0/CPU0:R3(config)#banner login #
Enter TEXT message. End with the character '#'
*************************************************************************
        UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this 
device.Unauthorized attempts and actions to access or use this system may
result in civil and/or criminal penalties. 
All activities performed on this device are logged and monitored.

*************************************************************************
#
RP/0/0/CPU0:R3#commit

Juniper

darwin@vMX-1>configure
darwin@vMX-1#set system login message "\n*************************************************************************\n       UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this \ndevice.Unauthorized attempts and actions to access or use this system may \nresult in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n\n*************************************************************************\n\n"

darwin@vMX-1#commit

As per the Juniper website, the message can be formatted using the following escape sequences:

\n—New line
\t—Horizontal tab
\'—Single quotation mark
\"—Double quotation mark
\\—Backslash


Thursday 18 June 2020

Sample Juniper Firewall Configuration to Protect Routing Engines


Here's a sample firewall configuration to protect the box (its Routing Engine) and its services.

ICMP:
ICMP message types are essential for network administration and troubleshooting. There are quite a number of ICMP parameters; refer to the IANA ICMP Parameters registry for the full list, or to RFC 792 if you want to learn more about ICMP.
Here are the 4 types I consider useful for troubleshooting and that need to be allowed:


Type 0 — Echo Reply --> response from target to host
Type 8 — Echo Request--> host to target
Type 11 — Time Exceeded --> returned to host when doing traceroute
Type 3 — Destination Unreachable --> for MTU path discovery

Pre-config (create a policer)
set firewall policer limit-128k if-exceeding bandwidth-limit 128k
set firewall policer limit-128k if-exceeding burst-size-limit 15k
set firewall policer limit-128k then discard

Juniper Configuration:
set firewall family inet filter FIREWALL-RE term ICMP_PING from protocol icmp
set firewall family inet filter FIREWALL-RE term ICMP_PING from icmp-type echo-request
set firewall family inet filter FIREWALL-RE term ICMP_PING from icmp-type echo-reply
set firewall family inet filter FIREWALL-RE term ICMP_PING then policer limit-128k
set firewall family inet filter FIREWALL-RE term ICMP_PING then count ICMP
set firewall family inet filter FIREWALL-RE term ICMP_PING then accept

set firewall family inet filter FIREWALL-RE term ICMP_TTL from protocol icmp
set firewall family inet filter FIREWALL-RE term ICMP_TTL from icmp-type time-exceeded
set firewall family inet filter FIREWALL-RE term ICMP_TTL from icmp-type unreachable
set firewall family inet filter FIREWALL-RE term ICMP_TTL then policer limit-128k
set firewall family inet filter FIREWALL-RE term ICMP_TTL then accept

SSH:
It is recommended to use SSH for remote access for better security. Telnet is strictly discouraged because its communication is unencrypted and can be sniffed on the network.

Juniper Configuration:
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from source-prefix-list SSH-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from protocol tcp
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from port ssh
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS then count REMOTE_ACCESS
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS then accept

set policy-options prefix-list SSH-PREFIX-LIST 192.168.10.101/32
set policy-options prefix-list SSH-PREFIX-LIST 192.168.10.102/32

where: 192.168.10.101 & 102 are the authorized IPs that are allowed to SSH into the device.


AAA(Tacacs):
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from source-prefix-list TACACS-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from source-port tacacs
set firewall family inet filter FIREWALL-RE term AAA_ALLOW then count AAA
set firewall family inet filter FIREWALL-RE term AAA_ALLOW then accept

set policy-options prefix-list TACACS-PREFIX-LIST  192.168.10.200/32

where: 192.168.10.200 is Tacacs Server


SNMP:
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from source-prefix-list SNMP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from destination-port snmp
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW then count SNMP
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW then accept

set policy-options prefix-list SNMP-PREFIX-LIST  192.168.20.200/32

where: 192.168.20.200 is SNMP Polling Server


NTP:
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from source-prefix-list NTP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from port ntp
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then policer limit-128k
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then count NTP
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then accept

set policy-options prefix-list NTP-PREFIX-LIST  192.168.30.200/32

where: 192.168.30.200 is NTP Server


IP Protocols
OSPF
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW from protocol ospf
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW then count OSPF
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW then accept

LDP
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from port 646
set firewall family inet filter FIREWALL-RE term LDP_ALLOW then count LDP
set firewall family inet filter FIREWALL-RE term LDP_ALLOW then accept

RSVP
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW from protocol rsvp
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW then count RSVP
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW then accept

PIM
set firewall family inet filter FIREWALL-RE term PIM_ALLOW from protocol pim
set firewall family inet filter FIREWALL-RE term PIM_ALLOW then count PIM
set firewall family inet filter FIREWALL-RE term PIM_ALLOW then accept

IGMP
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW from protocol igmp
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW then count IGMP
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW then accept

MSDP
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from port msdp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW then count MSDP

BGP
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from source-prefix-list BGP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from port bgp
set firewall family inet filter FIREWALL-RE term BGP_ALLOW then count BGP
set firewall family inet filter FIREWALL-RE term BGP_ALLOW then accept

set policy-options prefix-list BGP-PREFIX-LIST  192.168.40.0/24

Others
BFD
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from source-port 49152-65535
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from destination-port 3784
set firewall family inet filter FIREWALL-RE term BFD_ALLOW then count BFD
set firewall family inet filter FIREWALL-RE term BFD_ALLOW then accept

Traceroute
set firewall family inet filter FIREWALL-RE term TRACEROUTE from protocol udp
set firewall family inet filter FIREWALL-RE term TRACEROUTE from destination-port 33434-33678
set firewall family inet filter FIREWALL-RE term TRACEROUTE then policer limit-128k
set firewall family inet filter FIREWALL-RE term TRACEROUTE then count TRACEROUTE
set firewall family inet filter FIREWALL-RE term TRACEROUTE then accept

FINALLY.... the "discard" term needs to go at the end, so that everything not matched by the terms above is counted and dropped.

set firewall family inet filter FIREWALL-RE term REJECT_ALL then count REJECT_ALL
set firewall family inet filter FIREWALL-RE term REJECT_ALL then discard


Apply:
set interfaces lo0 unit 0 family inet filter input FIREWALL-RE


What does it look like?

Policer:
lab@vMX-1> show configuration firewall policer limit-128k 
if-exceeding {
    bandwidth-limit 128k;
    burst-size-limit 15k;
}
then discard;

Prefix-lists:
lab@vMX-1> show configuration policy-options
prefix-list SSH-PREFIX-LIST {
    192.168.10.101/32;
    192.168.10.102/32;
}
prefix-list TACACS-PREFIX-LIST {
    192.168.10.200/32;
}
prefix-list SNMP-PREFIX-LIST {
    192.168.20.200/32;
}
prefix-list NTP-PREFIX-LIST {
    192.168.30.200/32;
}
prefix-list BGP-PREFIX-LIST {
    192.168.40.0/24;
}

Firewall:
lab@vMX-1> show configuration firewall
family inet {
    filter FIREWALL-RE {
        term ICMP_PING {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply ];
            }
            then {
                policer limit-128k;
                count ICMP;
                accept;
            }
        }
        term ICMP_TTL {
            from {
                protocol icmp;
                icmp-type [ time-exceeded unreachable ];
            }
            then {
                policer limit-128k;
                accept;
            }
        }
        term REMOTE_ACCESS {
            from {
                source-prefix-list {
                    SSH-PREFIX-LIST;
                }
                protocol tcp;
                port ssh;
            }
            then {
                count REMOTE_ACCESS;
                accept;
            }
        }
        term AAA_ALLOW {
            from {
                source-prefix-list {
                    TACACS-PREFIX-LIST;
                }
                protocol tcp;
            }
        }
        term SNMP_ALLOW {
            from {
                source-prefix-list {
                    SNMP-PREFIX-LIST;
                }
                protocol udp;
                destination-port snmp;
            }
            then {
                count SNMP;
                accept;
            }
        }
        term NTP_ALLOW {
            from {
                source-prefix-list {
                    NTP-PREFIX-LIST;
                }
                protocol udp;
                port ntp;
            }
            then {
                policer limit-128k;
                count NTP;
                accept;
            }
        }
        term OSPF_ALLOW {
            from {
                protocol ospf;
            }
            then {
                count OSPF;
                accept;
            }
        }
        term LDP_ALLOW {
            from {
                protocol [ tcp udp ];
                port 646;
            }
            then {
                count LDP;
                accept;
            }
        }
        term RSVP_ALLOW {
            from {
                protocol rsvp;          
            }
            then {
                count RSVP;
                accept;
            }
        }
        term PIM_ALLOW {
            from {
                protocol pim;
            }
            then {
                count PIM;
                accept;
            }
        }
        term IGMP_ALLOW {
            from {
                protocol igmp;
            }
            then {
                count IGMP;
                accept;
            }                           
        }
        term MSDP_ALLOW {
            from {
                protocol [ tcp udp ];
                port msdp;
            }
            then count MSDP;
        }
        term BGP_ALLOW {
            from {
                source-prefix-list {
                    BGP-PREFIX-LIST;
                }
                protocol tcp;
                port bgp;
            }
            then {
                count BGP;
                accept;
            }
        }
        term BFD_ALLOW {
            from {                      
                protocol udp;
                source-port 49152-65535;
                destination-port 3784;
            }
            then {
                count BFD;
                accept;
            }
        }
        term TRACEROUTE {
            from {
                protocol udp;
                destination-port 33434-33678;
            }
            then {
                policer limit-128k;
                count TRACEROUTE;
                accept;
            }
        }
        term REJECT_ALL {
            then {
                count REJECT_ALL;       
                discard;
            }
        }
    }
}
policer limit-128k {
    if-exceeding {
        bandwidth-limit 128k;
        burst-size-limit 15k;
    }
    then discard;
}

Apply in interface loopback

lab@vMX-1> show configuration interfaces lo0 
unit 0 {
    family inet {
        filter {
            input FIREWALL-RE;
        }
    }
}
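Added here as an example (not part of the original post): a Python audit of a flattened RE filter like the one above. It parses the `set ... term` lines into ordered terms and flags the usual mistakes: a term with no terminating action (Junos accepts the packet implicitly, which is what the MSDP_ALLOW term above relies on), a management or control-plane service accepted without a source-prefix-list, an unrestricted accept that is not policed, and a filter that does not end with a catch-all discard. The SAMPLE lines are constructed in the page's style; the severity labels and the RESTRICTED_SERVICES set are this example's own choices.

```python
import re
from collections import OrderedDict

TERM_RE = re.compile(
    r"^set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)(?: (.+))?$")
TERMINATING = {"accept", "discard", "reject"}
# Services that should only ever be accepted from an explicit source-prefix-list.
RESTRICTED_SERVICES = {"ssh", "telnet", "snmp", "tacacs", "bgp"}

# Constructed sample in the page's style: a mix of sound and faulty terms.
SAMPLE = """\
set firewall family inet filter FIREWALL-RE term ICMP_PING from protocol icmp
set firewall family inet filter FIREWALL-RE term ICMP_PING from icmp-type echo-request
set firewall family inet filter FIREWALL-RE term ICMP_PING then policer limit-128k
set firewall family inet filter FIREWALL-RE term ICMP_PING then count ICMP
set firewall family inet filter FIREWALL-RE term ICMP_PING then accept
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from source-prefix-list SSH-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from protocol tcp
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from port ssh
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS then accept
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from destination-port snmp
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW then accept
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from port msdp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW then count MSDP
set firewall family inet filter FIREWALL-RE term REJECT_ALL then count REJECT_ALL
set firewall family inet filter FIREWALL-RE term REJECT_ALL then discard
set policy-options prefix-list SSH-PREFIX-LIST 192.168.10.101/32
""".splitlines()


def parse_filter(lines):
    """Group `set ... term NAME from|then ...` lines into ordered terms:
    name -> {"from": {match-key: [values]}, "then": [action keywords]}."""
    terms = OrderedDict()
    for line in lines:
        m = TERM_RE.match(line.strip())
        if not m:
            continue                    # policer / prefix-list lines are not terms
        _filter_name, term, clause, key, value = m.groups()
        t = terms.setdefault(term, {"from": {}, "then": []})
        if clause == "from":
            t["from"].setdefault(key, []).append(value)
        else:
            t["then"].append(key)       # keep the action keyword, drop its argument
    return terms


def audit_filter(terms):
    """Return (severity, term, message) findings for common RE-filter mistakes."""
    findings = []
    names = list(terms)
    for name in names:
        t = terms[name]
        actions = set(t["then"])
        if not actions & TERMINATING:
            # Junos accepts a packet that matches a term with no terminating action.
            findings.append(("high", name, "no terminating action: implicit accept"))
            actions.add("accept")
        if "accept" in actions:
            ports = set()
            for key in ("port", "source-port", "destination-port"):
                ports.update(t["from"].get(key, []))
            if ports & RESTRICTED_SERVICES and "source-prefix-list" not in t["from"]:
                findings.append(("high", name, "management/control service accepted from any source"))
            elif "source-prefix-list" not in t["from"] and "policer" not in actions:
                findings.append(("info", name, "accept with neither source restriction nor policer"))
    last = terms[names[-1]] if names else None
    if last is None or last["from"] or not {"discard", "reject"} & set(last["then"]):
        findings.append(("high", names[-1] if names else "<none>",
                         "filter does not end with a catch-all discard"))
    return findings


if __name__ == "__main__":
    for severity, term, message in audit_filter(parse_filter(SAMPLE)):
        print(f"[{severity}] {term}: {message}")
```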

Wednesday 17 June 2020

Hidden Command to support 3rd-Party Transceivers for Cisco

service unsupported-transceiver

Why is it considered hidden? Because it does not show up in the CLI help:
Sample output:

RP/0/RSP1/CPU0:CORE1#ser?
service
RP/0/RSP1/CPU0:CORE1#service ?
  redundancy  Service Director related commands.

Applying:

Cisco IOS-XE
Router1(config)#service unsupported-transceiver
Warning: When Cisco determines that a fault or defect can be traced to
the use of third-party transceivers installed by a customer or reseller,
then, at Cisco's discretion, Cisco may withhold support under warranty or
a Cisco support program. In the course of providing support for a Cisco
networking product Cisco may require that the end user install Cisco
transceivers if Cisco determines that removing third-party parts will
assist Cisco in diagnosing the cause of a support issue.

Cisco IOS-XR
RP/0/RSP1/CPU0:CORE1#configure
RP/0/RSP1/CPU0:CORE1(config)#service unsupported-transceiver
RP/0/RSP1/CPU0:CORE1(config)#show configuration
Wed Jun 17 19:08:29.229 SST
Building configuration...
!! IOS XR Configuration 5.3.3
service unsupported-transceiver
end

Additional:
There's also the command "transceiver permit pid all", applied under the interface.

RP/0/RSP1/CPU0:CORE1(config)#commit

RP/0/RSP1/CPU0:CORE1(config)#interface GigabitEthernet0/1/0/0
RP/0/RSP1/CPU0:CORE1(config-if)#transceiver permit ?
  pid  Permit pluggable pid (Product ID) all
RP/0/RSP1/CPU0:CORE1(config-if)#transceiver permit pid all


IP Service Level Agreements (SLA) , Embedded Event Manager (EEM) and Policy-Based Routing (PBR) in Cisco IOS



Objective: the PBR policy on the interface facing Uplink-Router will be removed once IP SLA detects that the server is unreachable.

Policy-based routing (PBR) is a method used to make routing decisions based on policies.



Scenario: Server1 provides web caching to customers for faster web page loading. A route-map is in place that routes their http/https traffic to Server1 as the next hop, so what happens if this server suddenly goes down? The expected behaviour is that the customers won't be able to access websites.

Pre-setup:
1. Configure ACL for http/https 
Router1#
ip access-list extended  ACL-WEB
 permit tcp any any eq www
 permit tcp any any eq 443

2. Configure the route-map to match the ACL for http/https and set next-hop to the Server1 that provides the web caching services
Router1#
route-map ROUTE-MAP-PBR permit 10
 match ip address ACL-WEB
 set ip next-hop 192.168.1.11

3. Configure the IP and apply the PBR in this interface as it is facing the customers. (Assumption: L3 routing is configured between Router1 and Uplink-Router e.g. IGP or BGP)
Router1#
interface fa0/0
 description Connection to Uplink-Router
 ip address 172.20.10.2 255.255.255.252
 ip policy route-map ROUTE-MAP-PBR
 load-interval 30

4. Configure the SVI to become the Server's Gateway IP
Router1#
vlan 100
 name Server Farm Vlan

interface Vlan100
 description Server Gateway
 ip address 192.168.1.1 255.255.255.0
 ip verify unicast source reachable-via any
 load-interval 30

5. Configure L2 for interface facing Server-Switch
Router1#
interface fa1/0
 description Server-Switch
 switchport
 switchport access vlan 100
 switchport mode access
 load-interval 30
 spanning-tree portfast

Solution: set up IP SLA to track Server1's network reachability. If the server is down, Event Manager kicks in, since it tracks the IP SLA object (track 1).

A. Configure IP SLA:
Router1#
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip sla 1
 icmp-echo 192.168.1.11 source-ip 192.168.1.1
 threshold 500
 timeout 500
 frequency 5

where:
 For IP SLAs operations, the following configuration guideline is recommended:
 (frequency seconds) > (timeout milliseconds) > (threshold milliseconds)

B. Configure Event manager:
Router1#
 event manager session cli username "admin"
 event manager applet PBR-REMOVE
 description REMOVE PBR IN EVENT OF SERVER DOWN
 event track 1 state down
 trigger occurs 1
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface fa0/0"
 action 1.3 cli command "no ip policy route-map ROUTE-MAP-PBR"
 action 1.4 cli command "exit"
 action 1.5 syslog msg "Server Unreachable. PBR removed"

What does this do?
It works like a script:
log in as user "admin" (a local account that is authorized to run all of the CLI commands; EEM does not require authentication, so there is no need to add a password), then execute the following:
configure terminal
interface fa0/0
no ip policy route-map ROUTE-MAP-PBR
exit

After this is done, it sends a syslog message saying "Server Unreachable. PBR removed".

Any keyword will do; the NMS server can then be set up to raise an alert once it receives that log message.
Enjoy!
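Added here as an example (not from the original post), in Python: a check of the IP SLA timer guideline quoted above, and a small syslog matcher that turns the applet's message and the tracked object's state changes into NMS alerts. The syslog lines are constructed (hypothetical timestamps) in the %TRACK-6-STATE and %HA_EM-6-LOG formats IOS uses for tracking-object and EEM "action syslog" messages. Applied to the step A values (frequency 5, timeout 500, threshold 500), the check reports that timeout equals threshold instead of exceeding it.

```python
import re

# Constructed syslog lines (hypothetical timestamps) in the formats IOS uses for
# tracking-object state changes (%TRACK-6-STATE) and EEM "action syslog" output (%HA_EM-6-LOG).
SAMPLE_LOG = """\
Jun 17 19:08:29.229: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Jun 17 19:08:29.301: %HA_EM-6-LOG: PBR-REMOVE: Server Unreachable. PBR removed
Jun 17 19:08:31.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
Jun 17 19:12:01.500: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
""".splitlines()

TRACK_RE = re.compile(r"%TRACK-6-STATE: (\d+) (.+?) (Up|Down) -> (Up|Down)")
EEM_RE = re.compile(r"%HA_EM-6-LOG: ([^:]+): (.+)$")


def check_ipsla(frequency_s, timeout_ms, threshold_ms):
    """Apply the guideline quoted above: frequency (s) > timeout (ms) > threshold (ms).
    Returns a list of violations (empty when the values are consistent)."""
    problems = []
    if frequency_s * 1000 <= timeout_ms:
        problems.append(f"frequency {frequency_s}s must exceed timeout {timeout_ms}ms")
    if timeout_ms <= threshold_ms:
        problems.append(f"timeout {timeout_ms}ms must exceed threshold {threshold_ms}ms")
    return problems


def alerts_from_syslog(lines, track_id=1, keyword="PBR removed"):
    """Return the alerts an NMS should raise: the tracked object going down or up,
    and the EEM applet's own message (matched on the keyword, as the text suggests)."""
    alerts = []
    for line in lines:
        m = TRACK_RE.search(line)
        if m and int(m.group(1)) == track_id:
            severity = "critical" if m.group(4) == "Down" else "info"
            alerts.append((severity, f"track {track_id} {m.group(2)} is {m.group(4)}"))
            continue
        m = EEM_RE.search(line)
        if m and keyword in m.group(2):
            alerts.append(("critical", f"EEM applet {m.group(1)}: {m.group(2)}"))
    return alerts


if __name__ == "__main__":
    print("IP SLA timer check:", check_ipsla(5, 500, 500) or "ok")
    for severity, text in alerts_from_syslog(SAMPLE_LOG):
        print(f"[{severity}] {text}")
```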

Cisco IOS-XR vs Juniper Commands Cheat Sheet

Here are the Cisco IOS-XR commands and their Juniper (JunOS) equivalents:

CISCO IOS-XR                                  JUNIPER

BASIC
show                                          show
| include                                     | match
show running-config formal                    show configuration | display set
configure                                     configure / edit
shutdown                                      disable
no shutdown                                   delete interface <interface> disable
no                                            delete
clear                                         clear
show running-config                           show configuration
show version                                  show version
show tech-support                             request support information
show configuration (after change)             show | compare (after change)
clear counters <interface>                    clear interface statistics <int>
clear line <line> <line number>               request system logout <username>
terminal length <num>                         set cli screen-length <num>
terminal width <num>                          set cli screen-width <num>
terminal monitor                              monitor start messages
terminal monitor disable                      monitor stop messages
show clock                                    show system uptime
show processes cpu                            show system processes
show logging                                  show log messages
ping                                          ping
traceroute                                    traceroute
show ip interface brief                       show interface terse
show route                                    show route forwarding-table
show route static                             show route protocol static
show route summary                            show route summary
show protocols                                show route protocol
show route ipv6                               show route table inet6.0
show interface be<xx>                         show interface ae<xx>
monitor interface <interface>                 monitor interface <interface>
reload                                        request system reboot
show users                                    show system users
show diag / show inventory                    show chassis hardware
show history                                  show cli history
dir                                           show system storage
show environment                              show chassis environment
show memory summary                           show chassis routing-engine
show platform                                 show chassis fpc
show controllers <interface>                  show interface diagnostic optics <int>
show access-lists                             show firewall

OSPF
show ospf neighbor                            show ospf neighbor
show ospf database                            show ospf database
show ospf interface                           show ospf interface
show route ospf                               show route protocol ospf

ISIS
show clns neighbor                            show isis adjacency
show isis database                            show isis database
show isis route                               show isis route
show isis topology                            show isis route topology
show isis interface                           show isis interface

BGP
show bgp                                      show route protocol bgp
show bgp summary                              show bgp summary
show bgp neighbors                            show bgp neighbors
show bgp neighbor <ip> adv                    show route advertising-protocol bgp <ip>
show bgp neighbor <ip> routes                 show route received-protocol bgp <ip>
show bgp ipv6 unicast summary                 show bgp summary
show bgp all all summary                      show bgp summary
show bgp ipv6 unicast neigh <ip> adv          show route advertising-protocol bgp <ip>
show bgp ipv6 unicast neighbor <ip> routes    show route received-protocol bgp <ip>
show bgp regexp                               show route aspath-regex
show route bgp                                show route protocol bgp

MPLS
show mpls ldp summary                         show ldp overview
show mpls interface                           show mpls interface
show mpls ldp neighbor brief                  show ldp neighbor
show rsvp interface                           show rsvp interface
show rsvp neighbors                           show rsvp neighbors

MULTICAST
show mfib/mrib route                          show multicast route
show pim interface                            show pim interface
show pim neighbor                             show pim interface
show igmp interface                           show igmp interface

Monday 15 June 2020

Upgrading JunOS Software



Assumption: JunOS is downloaded and stored in an FTP server.

Step1: Download the necessary image from the FTP server. Save it in the /var/tmp folder.
user1@SRX-Router1> file copy ftp://user1@172.25.11.254/junos-vsrx-x86-64-19.2R1.8.tgz /var/tmp/   
Password for user1@172.25.11.254:
/var/home/user1/...transferring.file.........ush100% of 1127 MB 5426 kBps 00m00s


Step2: Verify the software package

user1@SRX-Router1> file list /var/tmp | match junos 
junos-vsrx-x86-64-19.2R1.8.tgz

user1@SRX-Router1> file list detail /var/tmp | match junos 
-rw-r--r--  1 user1   wheel  1182081022 Jun 2  12:57 junos-vsrx-x86-64-19.2R1.8.tgz


Step3: Upgrade the device (sample output below)
user1@SRX-Router1> request system software add /var/tmp/junos-vsrx-x86-64-19.2R1.8.tgz reboot
NOTICE: Validating configuration against junos-vsrx-x86-64-19.2R1.8.tgz. 
NOTICE: Use the 'no-validate' option to skip this if desired. 
Checking compatibility with configuration
Initializing... 
Verified manifest signed by PackageProduction_12_1_0 
Verified junos-vsrx-x86-64-19.2R1.8.tgz signed by PackageProduction_19_2_0 
Using /var/tmp/junos-vsrx-x86-64-19.2R1.8.tgz 
Checking junos requirements on / Available space: 542690 require: -228484 
Saving boot file package in /var/sw/pkg/junos-vsrx-x86-64-19.2R1.8.tgz 
Verified manifest signed by PackageProduction_19_2_0 
Hardware Database regeneration succeeded 
Validating against /config/juniper.conf.gz mgd: commit complete 
Validation succeeded rm: /cf/var/validate/chroot/mfs/var/etc/pam.conf: Operation not permitted 
rm: /cf/var/validate/chroot/mfs/var/etc: Directory not empty 
rm: /cf/var/validate/chroot/mfs/var: Directory not empty 
rm: /cf/var/validate/chroot/mfs: Directory not empty 
rm: /cf/var/validate/chroot: Directory not empty 
Installing package '/var/tmp/junos-vsrx-x86-64-19.2R1.8.tgz' ... 
Verified junos-boot-vSRX-x86-64-19.2R1.8.tgz signed by PackageProduction_19_2_0 
Verified junos-vsrx-x86-64-19.2R1.8 signed by PackageProduction_19_2_0 
Available space: 521688 require: 4724 
WARNING: junos-vsrx-x86-64-19.2R1.8 is already installed, 
WARNING: moving it aside. 
Saving boot file package in /var/sw/pkg/junos-boot-vSRX-x86-64-19.2R1.8.tgz 
JUNOS 19.2R1.8 will become active at next reboot 
Saving package file in /var/sw/pkg/junos-vsrx-x86-64-19.2R1.8.tgz ... 
Saving state for rollback ... Rebooting ... shutdown: [pid 12377] 
Shutdown NOW!
user1@SRX-Router1>  *** FINAL System shutdown message from root@SRX-Router1 ***


Step4: Verify package after reboot.
lab@SRX-Router1> show version
Hostname: SRX-Router1
Model: srx
Junos: 19.2R1.8
JUNOS OS Kernel 64-bit
JNPR-11.0-20190517.f0321c3_buil [20190517.f0321c3_builder_stable_11]
JUNOS OS libs [20190517.f0321c3_builder_stable_11]
JUNOS OS runtime [20190517.f0321c3_builder_stable_11]
JUNOS OS time zone information [20190517.f0321c3_builder_stable_11]
JUNOS OS libs compat32 [20190517.f0321c3_builder_stable_11]
JUNOS OS 32-bit compatibility [20190517.f0321c3_builder_stable_11]
JUNOS py extensions [20190621.152752_builder_junos_192_r1]
JUNOS py base [20190621.152752_builder_junos_192_r1]
JUNOS OS vmguest [20190517.f0321c3_builder_stable_11]

Sunday 14 June 2020

Configuring Port-Channel and VLAN in Juniper



Objective: To configure a port-channel (aggregated Ethernet interface ae10) and place it in a VLAN.
The servers use Juniper-Router as their default gateway and uplink to the Internet. The server switch has a Layer 2 (access mode) connection to Juniper-Router. (see Fig.1)

 Fig.1



1. Configure the Vlan (interface vlan will be the server's gateway)
Juniper-Router#
configure
set vlans VLAN-8 description Server-Farm
set vlans VLAN-8 vlan-id 8
set vlans VLAN-8 l3-interface irb.8

set interfaces irb unit 8 description "Server Farm Vlan"
set interfaces irb unit 8 family inet address 192.168.8.1/24

2. Configure port-channel
Junos only creates ae interfaces once the chassis is told how many to allocate. Numbering starts at ae0, so ae10 needs a device-count of at least 11:
set chassis aggregated-devices ethernet device-count 11

set interfaces ae10 description "Port-channel to Server-Switch"
set interfaces ae10 aggregated-ether-options link-speed 1g
set interfaces ae10 aggregated-ether-options lacp active
set interfaces ae10 unit 0 family ethernet-switching interface-mode access
set interfaces ae10 unit 0 family ethernet-switching vlan members VLAN-8


3. Configure physical members
set interfaces ge-0/0/0 description "Connection to Server-Switch fa1/0"
set interfaces ge-0/0/0 gigether-options 802.3ad ae10

set interfaces ge-0/0/1 description "Connection to Server-Switch fa2/0"
set interfaces ge-0/0/1 gigether-options 802.3ad ae10

4. Commit all changes
commit

Verification and sample output:
Server1 = 192.168.8.20
Server2 = 192.168.8.21

ARP:
Juniper-Router> show arp interface ae10.0
MAC Address       Address         Name            Interface   Flags
00:11:ab:cd:ef:00 192.168.8.20    192.168.8.20    ae10.0      none
00:11:ab:cd:ef:01 192.168.8.21    192.168.8.21    ae10.0      none
Total entries: 2

{master}

Ping:
user1@Juniper-Router-re0> ping 192.168.8.20 source 192.168.8.1 count 2
PING 192.168.8.20 (192.168.8.20): 56 data bytes
64 bytes from 192.168.8.20: icmp_seq=0 ttl=64 time=1.162 ms
64 bytes from 192.168.8.20: icmp_seq=1 ttl=64 time=1.098 ms

--- 192.168.8.20 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.098/1.130/1.162/0.032 ms

{master}
    
Check Port-channel:

user1@Juniper-Router-re0> show lacp interfaces ae10
Aggregated interface: ae10
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/0     Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active 
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
      ge-0/0/1    Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      ge-0/0/1    Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active


Check Vlan (the asterisk marks an interface that is up in the VLAN):
user1@Juniper-Router-re0> show vlans VLAN-8
Routing instance        VLAN name             Tag          Interfaces
default-switch          VLAN-8                8
                                                           ae10.0*


Verify the traffic:
monitor interface ae10.0
monitor interface ge-0/0/0
monitor interface ge-0/0/1
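The "Check Port-channel" step above is read by eye: every member needs Syn, Col and Dist = Yes on both the Actor and the Partner row before it carries traffic. The following Python is an added example (not from the original post) that parses the Junos `show lacp interfaces ae10` table and reports members that are up but not actually bundled, including the two classic failure modes: one side defaulted because it hears no LACPDUs, and both ends configured passive. The DEGRADED sample is constructed for the demonstration; the HEALTHY sample is the output shown above.

```python
"""Parse 'show lacp interfaces <ae>' (Junos) and flag members that are not really in the bundle."""
import re

# One row per (member, role) in the Junos "LACP state" table shown above.
_ROW = re.compile(
    r"^\s*(?P<member>\S+)\s+(?P<role>Actor|Partner)\s+(?P<exp>Yes|No)\s+"
    r"(?P<defaulted>Yes|No)\s+(?P<dist>Yes|No)\s+(?P<col>Yes|No)\s+(?P<syn>Yes|No)\s+"
    r"(?P<aggr>Yes|No)\s+(?P<timeout>Fast|Slow)\s+(?P<activity>Active|Passive)\s*$"
)


def parse_lacp(text):
    """Return {member: {"Actor": row, "Partner": row}} for every member link in the output."""
    state = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            row = m.groupdict()
            state.setdefault(row["member"], {})[row["role"]] = row
    return state


def lacp_problems(text):
    """List the member links that are up but not forwarding in the LAG, with the reason."""
    problems = []
    for member, roles in sorted(parse_lacp(text).items()):
        if "Actor" not in roles or "Partner" not in roles:
            problems.append(f"{member}: Actor or Partner row missing")
            continue
        for role in ("Actor", "Partner"):
            r = roles[role]
            # Exp/Def = Yes means this side stopped hearing LACPDUs and fell back to defaults.
            if r["exp"] == "Yes" or r["defaulted"] == "Yes":
                problems.append(f"{member}: {role} is expired/defaulted (no LACPDUs from the far end)")
            # A member only carries traffic once it is in sync, collecting and distributing.
            if not (r["syn"] == "Yes" and r["col"] == "Yes" and r["dist"] == "Yes"):
                problems.append(f"{member}: {role} is not Syn/Col/Dist, link is up but not in the bundle")
        # Two passive ends never send the first LACPDU, so the bundle never forms.
        if roles["Actor"]["activity"] == "Passive" and roles["Partner"]["activity"] == "Passive":
            problems.append(f"{member}: both ends are passive, LACP cannot negotiate")
    return problems


# Constructed samples: the healthy output from the page, and a copy where ge-0/0/1's
# partner has stopped talking (Def=Yes, nothing in sync).
HEALTHY = """\
Aggregated interface: ae10
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/0     Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
      ge-0/0/1    Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      ge-0/0/1    Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
"""
DEGRADED = """\
Aggregated interface: ae10
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/0     Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
      ge-0/0/1    Actor    No    No    No   No   No   Yes     Slow    Active
      ge-0/0/1    Partner    No   Yes    No   No   No   Yes     Slow    Passive
"""

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(name, lacp_problems(sample) or "all members bundled")
```

Feed it the captured output of the command (for example from a scheduled `show` over SSH) and alert on a non-empty result; an empty list is the only state in which the LAG has the bandwidth and redundancy you configured.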

Here's the Cisco version for this -->  Configuring Port-Channel and VLAN in Cisco Nexus


Configuring Port-Channel and VLAN in Cisco Nexus



Objective: To configure a port-channel and place it in a VLAN.
The servers use Cisco-NXOS as their default gateway and uplink to the Internet. The server switch has a Layer 2 (access mode) connection to the Cisco-NXOS router. (see Fig.1)

 Fig.1


1. Configure the Vlan (interface vlan will be the server's gateway)
NX-OS ships with SVIs and LACP disabled, so enable both features first.
Cisco-NXOS#
configure
feature interface-vlan
feature lacp

vlan 8
  name Server-Farm

interface Vlan8
  description Server Farm Vlan
  no shutdown
  ip address 192.168.8.1/24

2. Configure port-channel (on platforms whose ports default to Layer 3, "switchport" is required before any switchport option)
interface port-channel10
  description Port-channel to Server-Switch
  switchport
  switchport mode access
  switchport access vlan 8

3. Configure physical members. NX-OS checks that a member's switchport settings are compatible with the port-channel's before it joins, so configure them identically.
interface eth1/1
  description Connection to Server-Switch fa0/1
  switchport
  switchport mode access
  switchport access vlan 8
  channel-group 10 mode active
  no shutdown

interface eth1/2
  description Connection to Server-Switch fa2/0
  switchport
  switchport mode access
  switchport access vlan 8
  channel-group 10 mode active
  no shutdown


Verification and sample output:
Server1 = 192.168.8.20
Server2 = 192.168.8.21

ARP:
Cisco-NXOS# show ip arp vlan8

Flags: * - Adjacencies learnt on non-active FHRP router
       + - Adjacencies synced via CFSoE
       # - Adjacencies Throttled for Glean
       CP - Added via L2RIB, Control plane Adjacencies
       PS - Added via L2RIB, Peer Sync
       RO - Re-Originated Peer Sync Entry
       D - Static Adjacencies attached to down interface

IP ARP Table
Total number of entries: 2
Address         Age       MAC Address     Interface       Flags
192.168.8.20 00:15:47  0011.abcd.ef00  Vlan8
192.168.8.21 00:15:47  0011.abcd.ef01  Vlan8

Ping:
Cisco-NXOS# ping 192.168.8.20 source 192.168.8.1
PING 192.168.8.20 (192.168.8.20) from 192.168.8.1: 56 data bytes
64 bytes from 192.168.8.20: icmp_seq=0 ttl=63 time=0.62 ms
64 bytes from 192.168.8.20: icmp_seq=1 ttl=63 time=0.441 ms
64 bytes from 192.168.8.20: icmp_seq=2 ttl=63 time=0.454 ms
64 bytes from 192.168.8.20: icmp_seq=3 ttl=63 time=0.54 ms
64 bytes from 192.168.8.20: icmp_seq=4 ttl=63 time=0.394 ms
--- 192.168.8.20 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.394/0.489/0.62 ms

Check Port-channel:
Cisco-NXOS# show int port-channel 10 | i Members
  Members in this channel: Eth1/1, Eth1/2

Check Vlan:
Cisco-NXOS# show vlan
8  Server-Farm                    active    Po10

Verify the traffic:
show int port-channel10
show int vlan8
show int eth1/1
show int eth1/2

Here's the Juniper version for this -->  Configuring Port-Channel and VLAN in Juniper


Thursday 11 June 2020

Out of Band (OOB) Management Configuration in Cisco IOS-XR (SSH,SNMP,NTP,AAA,Syslog)



Objective: To separate management traffic from data/customer traffic on your Cisco IOS-XR routers.
Preferably, data and management are two separate network domains.

Pre-requisite:
A cable from the management port of each RSP (both RSPs, so that management survives an RSP switchover) to the switch that reaches the OOB management gateway.

Management IP Configuration

1. Configure the vrf for management
vrf management
 description VRF for Out-of-Band
 address-family ipv4 unicast

2. Set the physical IP address on each RSP management port. There are two ports per RSP; this example uses port 0.

RSP0:
interface MgmtEth0/RSP0/CPU0/0
 description OOB RSP0
 vrf management
 ipv4 address 10.10.10.100 255.255.255.0
 no shutdown


RSP1:
interface MgmtEth0/RSP1/CPU0/0
 description OOB RSP1
 vrf management
 ipv4 address 10.10.10.101 255.255.255.0
 no shutdown

3. Configure a virtual IP for dual-RP management. It follows whichever RSP is active, so management hosts always reach the router on 10.10.10.102, and use-as-src-addr makes the router source its own management traffic (syslog, SNMP traps, NTP, TACACS+) from that address.
ipv4 virtual address vrf management 10.10.10.102/24
ipv4 virtual address use-as-src-addr

4. Configure vrf static default route to the management gateway
Gateway = 10.10.10.1
router static vrf management address-family ipv4 unicast 0.0.0.0/0 10.10.10.1


**SSH Configuration**
Authorized IP to SSH in: 10.20.20.20

Management Plane Protection (MPP): accept SSH only on the management ports, and only from the authorized host
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH peer
     address ipv4 10.20.20.20
   interface MgmtEth0/RSP1/CPU0/0
    allow SSH peer
     address ipv4 10.20.20.20

Enable the SSH server in the management VRF (the router does not accept SSH in a VRF that is not listed here; an RSA host key generated with "crypto key generate rsa" from exec mode is also required) and restrict it with the same ACL:
ssh server v2
ssh server vrf management ipv4 access-list SSH-ACL

ACL on the VTY lines as a second layer:
line default
 access-class ingress SSH-ACL

ipv4 access-list SSH-ACL
 10 permit ipv4 host 10.20.20.20 any
 20 deny ipv4 any any log


**SNMP Configuration**
SNMP Polling Server = 10.20.20.20
SNMP Trap Server = 10.30.30.30
SNMP Community = MyP0llingP455
Trap Community = trapcommunity123

Control Plane:
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RSP0/CPU0/0
    allow SNMP peer
     address ipv4 10.20.20.20
   interface MgmtEth0/RSP1/CPU0/0
    allow SNMP peer
     address ipv4 10.20.20.20

SNMP Polling:
ipv4 access-list SNMP-ACL
 10 permit ipv4 host 10.20.20.20 any

snmp-server community MyP0llingP455 RO SystemOwner IPv4 SNMP-ACL

SNMP Traps (the trap host has to be configured under the management VRF; a global "snmp-server host" would send the traps via the default VRF, not the OOB network):
snmp-server vrf management
 host 10.30.30.30 traps trapcommunity123

Note: SNMPv2c community strings travel in cleartext. MPP and the ACL limit who can use them, but where the poller supports it, SNMPv3 with authentication and privacy is the better choice.

**Syslog Configuration**
Remote Syslog Server IP = 10.50.50.50

logging 10.50.50.50 vrf management severity notifications

**NTP Configuration**
NTP Server IP = 10.40.40.40

ntp
server vrf management 10.40.40.40

Optional (NTP Security):
ntp 
access-group vrf management ipv4 peer ALLOW-NTP-SERVERS
access-group vrf management ipv4 serve BLOCK-NTP
access-group vrf management ipv4 serve-only BLOCK-NTP
access-group vrf management ipv4 query-only BLOCK-NTP


ipv4 access-list ALLOW-NTP-SERVERS
 10 permit ipv4 host 10.40.40.40 any 

ipv4 access-list BLOCK-NTP
 10 deny ipv4 any any 

**AAA Configuration**
Tacacs Server1 IP = 10.55.55.56
Tacacs Server2 IP = 10.55.55.57

configure:
aaa group server tacacs+ TACACS
aaa group server tacacs+ TACACS vrf management
aaa group server tacacs+ TACACS server-private 10.55.55.56 key <shared-secret>
aaa group server tacacs+ TACACS server-private 10.55.55.57 key <shared-secret>

The server group does nothing until a method list refers to it. These two lines (not in the original post) authenticate logins and authorize the exec session against TACACS+, falling back to the local user database only when the servers are unreachable:
aaa authentication login default group TACACS local
aaa authorization exec default group TACACS local

Output:
aaa group server tacacs+ TACACS
 vrf management
 server-private 10.55.55.56 port 49
  key 7 071B204F711918160405041E006A
 !
 server-private 10.55.55.57 port 49
  key 7 09584F0A26151601181B0B382F64

Note that "key 7" is Cisco's reversible type 7 obfuscation, not encryption: anyone who can read the configuration (backups, show run in a ticket, a config-management repository) can recover the shared secret, so treat the configuration itself as sensitive.

**FTP Configuration** (Optional for FTP transfers)
ftp client vrf management username ftpuser1
ftp client vrf management password clear ftppassword1

FTP sends the credentials and the files in cleartext, and the password is stored in the configuration; where the file server supports it, prefer scp or sftp over the same management VRF.


Note: NetFlow export should not be sent through the management ports; the export volume can cause high CPU utilization on the RSP. Also note that out-of-band style management can be done over a loopback interface instead of the MgmtEth ports, which is not covered in this tutorial.
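The AAA output above shows the TACACS+ shared secret as "key 7 ...". To make the point that this is obfuscation rather than encryption, here is an added example (not from the original post) in Python: a decoder for Cisco's type 7 scheme, which is a fixed XOR keystream with the starting offset stored in the clear as the first two decimal digits, plus an encoder to show the transform is a round trip, and a scanner that pulls every type 7 string out of a configuration backup. The sample configuration is the TACACS group from the page; the keystream constant is the well-known one every IOS/IOS-XE/IOS-XR/NX-OS device uses.

```python
"""Cisco 'type 7' obfuscation: why 'key 7 ...' in a config backup is not a secret."""
import re

# The fixed keystream used by IOS, IOS-XE, IOS-XR and NX-OS for type 7 (Vigenere-style XOR).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext behind a 'key 7 <hex>' or 'password 7 <hex>' string."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string is two decimal digits followed by an even number of hex digits")
    seed = int(encoded[:2], 10)          # starting offset into the keystream, stored in the clear
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear: str, seed: int = 0) -> str:
    """Produce the type 7 form of clear; only here to show the transform is reversible."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = clear.encode("ascii")
    body = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


_TYPE7_LINE = re.compile(r"\b(?:key|password)\s+7\s+([0-9A-Fa-f]{4,})")


def recover_type7_secrets(config_text: str):
    """Scan a config backup and return (line, cleartext) for every type 7 string in it."""
    found = []
    for line in config_text.splitlines():
        m = _TYPE7_LINE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed sample: the TACACS+ group exactly as it appears in the page's IOS-XR output.
SAMPLE_CONFIG = """\
aaa group server tacacs+ TACACS
 vrf management
 server-private 10.55.55.56 port 49
  key 7 071B204F711918160405041E006A
 !
 server-private 10.55.55.57 port 49
  key 7 09584F0A26151601181B0B382F64
"""

if __name__ == "__main__":
    for line, secret in recover_type7_secrets(SAMPLE_CONFIG):
        print(f"{line!r:45} -> {secret!r}")
```

Run it against the sample and both keys decode to the same lab password, which is exactly what an attacker with read access to the backup would learn. The practical consequence for the OOB design: the configuration repository and the TFTP/FTP/SCP server that holds backups need the same access control as the routers, and rotating the TACACS+ secret after a configuration leak is mandatory.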

Wednesday 10 June 2020

Configuring Network Time Protocol (NTP) the Secured way in Cisco Routers and Switches (IOS, IOS-XE, IOS-XR, NX-OS)


Cisco IOS
e.g.
Vlan10 = interface management vlan
NTP Server = 192.168.10.100

Note: ntp access-group takes a standard ACL, so use numbers from the standard range (1-99 or 1300-1999). 100-199 are extended ACLs (which need a protocol keyword, so "access-list 100 deny any" is rejected) and 200 is not a valid ACL number at all.

conf t
1. Configure ACL to deny NTP requests and queries
access-list 10 remark block NTP serve and query requests
access-list 10 deny   any

2. Configure ACL to allow only the NTP servers to peer or synchronize with
access-list 20 remark NTP servers to peer with
access-list 20 permit 192.168.10.100
access-list 20 deny  any

3. Configure NTP
ntp source Vlan10
ntp access-group peer 20
ntp access-group serve 10
ntp access-group serve-only 10
ntp access-group query-only 10
ntp update-calendar
ntp server 192.168.10.100

Cisco IOS-XE 

Loopback0=  source interface for NTP
NTP Server = 192.168.10.100

1. Configure ACL to deny NTP requests and query
ip access-list standard Deny-NTP-Servers
 deny   any

2. Configure ACL to allow only the NTP servers to peer or synch with
ip access-list standard Allow-NTP-Servers
 permit 192.168.10.100
 
3. Configure NTP
conf t
ntp source Loopback0
ntp access-group peer Allow-NTP-Servers
ntp access-group serve Deny-NTP-Servers
ntp access-group serve-only Deny-NTP-Servers
ntp access-group query-only Deny-NTP-Servers
ntp server 192.168.10.100

Verify:
show ntp associations
show ntp status

Cisco IOS-XR

Loopback0=  source interface for NTP
NTP Server = 192.168.10.100

1st option:
1. Configure ACL to deny NTP requests and query
ipv4 access-list Deny-NTP-Servers
 10 remark ACL to block requests NTP servers
 20 deny ipv4 any any 

2. Configure ACL to allow only the NTP servers to peer or synchronize with (IOS-XR ACL entries need both a source and a destination)
ipv4 access-list Allow-NTP-Servers
 10 remark NTP servers to peer and synch
 20 permit ipv4 host 192.168.10.100 any
 30 deny ipv4 any any

3. Configure NTP
configure
ntp server 192.168.10.100
ntp access-group ipv4 peer Allow-NTP-Servers
ntp access-group ipv4 serve Deny-NTP-Servers
ntp access-group ipv4 serve-only Deny-NTP-Servers
ntp access-group ipv4 query-only Deny-NTP-Servers
ntp source Loopback0
ntp update-calendar

The running configuration then shows:
ntp
 server 192.168.10.100
 access-group ipv4 peer Allow-NTP-Servers
 access-group ipv4 serve Deny-NTP-Servers
 access-group ipv4 serve-only Deny-NTP-Servers
 access-group ipv4 query-only Deny-NTP-Servers
 source Loopback0
 update-calendar

Cisco NX-OS (Nexus)

mgmt0 =  source interface for NTP
NTP Server = 192.168.10.100

1. Configure an ACL for the management interface that permits SSH from the management host (192.168.10.50) and NTP from the NTP server, and denies everything else
ip access-list ACL-VTY
  10 permit tcp 192.168.10.50/32 any eq 22
  100 permit udp 192.168.10.100/32 any eq ntp
  110 deny ip any any log

2. Configure the ACL in the management interface
interface mgmt0
  ip access-group ACL-VTY in
  vrf member management

line vty
    access-class ACL-VTY in

3. Configure NTP
ntp distribute
ntp server 192.168.10.100 use-vrf management
ntp source-interface  mgmt0
ntp commit


VERIFICATION:

CiscoDevice#show ntp status
Clock is synchronized, stratum 2, reference is 192.168.10.100
nominal freq is 250.0000 Hz, actual freq is 249.9955 Hz, precision is 2**20
ntp uptime is 645584404 (1/100 of seconds), resolution is 4016
reference time is E28AC896.7F0B30EE (10:48:54.496 SST Wed Jun 10 2020)
clock offset is 3.1247 msec, root delay is 0.55 msec
root dispersion is 36.20 msec, peer dispersion is 0.12 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000017836 s/s
system poll interval is 1024, last update was 2218 sec ago.

CiscoDevice#show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.10.100    .GPS.            1     87   1024   377  0.538   3.124  0.123
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
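The access-groups above are only worth anything if the device is actually synchronized to the server you intended, so the verification step should be checked, not just eyeballed. The following Python is an added example (not from the original post) that parses the `show ntp associations` table and audits it against an allow list: the clock must be synchronized to a peer ("*"), every peer must be on the allow list (anything else means the ACLs or access-groups are not doing their job), the server must itself be synchronized (stratum below 16), its reach register should be full, and the offset should be small. The first sample is the output above; the second adds a constructed rogue peer 10.99.99.99. The `allowed_servers` and `max_offset_ms` parameters are this example's own.

```python
"""Audit 'show ntp associations' output against the NTP servers you intended to allow."""
import re

# One association row: optional tally flag, optional '~' (configured), then the columns.
_ROW = re.compile(
    r"^\s*(?P<flag>[*#+\-x]?)~?(?P<address>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<refclock>\S+)\s+"
    r"(?P<stratum>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>[\d.]+)\s*$"
)


def parse_ntp_associations(text):
    """Return one dict per association; header and legend lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        peers.append({
            "address": d["address"],
            "sys_peer": d["flag"] == "*",          # '*' marks the peer the clock follows
            "stratum": int(d["stratum"]),
            "reach": int(d["reach"], 8),           # octal shift register of the last 8 polls
            "offset_ms": float(d["offset"]),
        })
    return peers


def audit_ntp(text, allowed_servers, max_offset_ms=100.0):
    """Return a list of findings; an empty list means NTP looks healthy and restricted."""
    allowed = set(allowed_servers)
    peers = parse_ntp_associations(text)
    if not peers:
        return ["no NTP associations parsed: is 'ntp server' configured and the server reachable?"]
    findings = []
    if not any(p["sys_peer"] for p in peers):
        findings.append("clock is not synchronized: no association is marked '*' (sys.peer)")
    for p in peers:
        a = p["address"]
        if a not in allowed:
            findings.append(f"{a}: association with a server not on the allow list (check ntp access-group / ACL)")
        if p["stratum"] >= 16:
            findings.append(f"{a}: stratum 16, the server itself is unsynchronized")
        if p["reach"] != 0o377:
            findings.append(f"{a}: reach {p['reach']:03o}, some of the last 8 polls went unanswered")
        if abs(p["offset_ms"]) > max_offset_ms:
            findings.append(f"{a}: offset {p['offset_ms']} ms exceeds {max_offset_ms} ms")
    return findings


# Constructed samples: the output shown on the page, and the same output with a rogue peer.
SAMPLE_OK = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.10.100    .GPS.            1     87   1024   377  0.538   3.124  0.123
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
SAMPLE_BAD = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.10.100    .GPS.            1     87   1024   377  0.538   3.124  0.123
 ~10.99.99.99       .INIT.          16      -     64     0  0.000   0.000 16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_ntp(sample, ["192.168.10.100"]) or "healthy")
```

A peer that is not on the allow list is the interesting finding from a security point of view: it means either someone added an "ntp server"/"ntp peer" line you did not expect, or the peer access-group is not restricting associations the way the configuration above intends.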



Tacacs (Authentication and Accounting) Configuration in Juniper


Tacacs/AAA/ISE Server: 192.168.10.222
Tacacs Password: tacpassword1
Router's Management IP: 192.168.0.4 (under mgmt_junos routing instance)

Assumption: an existing local account, e.g. "user1", is configured as the fallback login:
set system login user user1 class super-user
set system login user user1 authentication plain-text-password
(enter the password when prompted)

1. Configure the tacacs server IP
set system tacplus-server 192.168.10.222 routing-instance mgmt_junos 
set system tacplus-server 192.168.10.222 secret tacpassword1
set system tacplus-server 192.168.10.222 single-connection
set system tacplus-server 192.168.10.222 source-address 192.168.0.4

2. Configure the authentication order. TACACS+ is tried first; because "password" is also listed, the local password database (user1) is consulted when the TACACS+ server rejects the login or is unreachable.
set system authentication-order tacplus
set system authentication-order password

3. Configure accounting:
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server 192.168.10.222 secret tacpassword1
set system accounting destination tacplus server 192.168.10.222 single-connection
set system accounting destination tacplus server 192.168.10.222 source-address 192.168.0.4


Optional (Firewall settings)
This term accepts the TACACS+ server's replies (TCP, source port 49) towards the Routing Engine and rate-limits them with a policer. Two things are needed for it to do anything: the term must reference the policer, and the filter must be applied to lo0. Remember that a Junos filter ends with an implicit discard, so IPv4-FIREWALL needs further terms that accept your other management traffic (SSH, NTP, SNMP, syslog, DNS, ...) before it is applied, otherwise you lock yourself out.

set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from source-prefix-list TACACS-SERVERS
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from protocol tcp
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from source-port tacacs
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then policer tacacs-policer
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then count TACACS-PERMIT
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then accept
set firewall policer tacacs-policer if-exceeding bandwidth-limit 1m
set firewall policer tacacs-policer if-exceeding burst-size-limit 10k
set firewall policer tacacs-policer then discard

The apply-path keeps the prefix list in step with the configured tacplus-server entries; the static entry is only needed if you want the list to exist before any server is configured.
set policy-options prefix-list TACACS-SERVERS apply-path "system tacplus-server <*>"
set policy-options prefix-list TACACS-SERVERS 192.168.10.222/32

Apply the finished filter (with all the other accept terms in place) to the loopback:
set interfaces lo0 unit 0 family inet filter input IPv4-FIREWALL


Note:
If you see the message below after a successful TACACS+ authentication, the router has no local user to map the login onto.
Sample Log:
Sep  6 10:30:01.044 2020  SRX1-re0 sshd[5580]: %AUTH-3: User remote is authenticated successfully but no logical login-id configured.

Junos maps every TACACS+-authenticated login onto a local template user. Unless the TACACS+ server returns a local-user-name attribute, that template is the user named "remote", which is the name in the log line above. Creating it also means you do not have to configure a local account for every administrator.
FIX:
Create the template user with no password and with the class you want TACACS+ users to land in. super-user is one of the predefined Junos login classes and cannot be modified, so if you want an idle timeout or your own permission set, define a custom class first (tacacs-admin below is a placeholder name):

Configure:
set system login class tacacs-admin idle-timeout 10
set system login class tacacs-admin permissions all
set system login user remote class tacacs-admin
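The pitfalls in this post (a policer that nothing references, a filter that is never applied, no local fallback in the authentication order, no template user for the "no logical login-id" error) are all visible in the set-command form of the configuration, so they can be checked before commit. The following Python is an added example (not from the original post) that audits a block of Junos set commands for exactly those points. AS_POSTED is the TACACS+ and firewall configuration from this post as a constructed sample; FIXES are the three lines the audit asks for (this example's assumption about the fix, and note that applying IPv4-FIREWALL to lo0 with only the TACACS term in it would discard all other management traffic, which the audit does not check). The audit reads one "set system authentication-order X" line per method and does not parse the bracketed "[ tacplus password ]" form.

```python
"""Audit Junos 'set' configuration for the TACACS+ and lo0-filter pitfalls discussed above."""
import re


def _matches(lines, pattern):
    """Yield the first capture group of pattern for every line it matches."""
    rx = re.compile(pattern)
    for line in lines:
        m = rx.search(line)
        if m:
            yield m.group(1)


def audit_junos_tacplus(config):
    """Return findings for a block of 'set ...' commands; an empty list means all checks passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    findings = []

    # 1. Each tacplus-server needs a shared secret and a fixed source-address.
    servers = {}
    for line in lines:
        m = re.match(r"set system tacplus-server (\S+) (\S+)", line)
        if m:
            servers.setdefault(m.group(1), set()).add(m.group(2))
    if not servers:
        findings.append("no 'system tacplus-server' configured")
    for ip, knobs in sorted(servers.items()):
        for knob in ("secret", "source-address"):
            if knob not in knobs:
                findings.append(f"tacplus-server {ip}: missing {knob}")

    # 2. authentication-order must try tacplus and fall back to the local password database.
    order = list(_matches(lines, r"^set system authentication-order (\S+)$"))
    if "tacplus" not in order:
        findings.append("authentication-order does not include tacplus")
    if not order or order[-1] != "password":
        findings.append("authentication-order does not end with 'password' (no local fallback)")

    # 3. Accounting should go to the same servers that authenticate.
    acct = set(_matches(lines, r"^set system accounting destination tacplus server (\S+)"))
    for ip in sorted(acct - set(servers)):
        findings.append(f"accounting server {ip} is not a configured tacplus-server")

    # 4. A defined policer must be referenced by a term, or it rate-limits nothing.
    policers = set(_matches(lines, r"^set firewall policer (\S+)"))
    used = set(_matches(lines, r" then policer (\S+)"))
    for name in sorted(policers - used):
        findings.append(f"policer {name} is defined but no term references it")

    # 5. A filter must be applied (for RE traffic: lo0 input) before it protects anything.
    filters = set(_matches(lines, r"^set firewall family inet filter (\S+)"))
    applied = set(_matches(lines, r"^set interfaces \S+ unit \d+ family inet filter (?:input|output) (\S+)"))
    for name in sorted(filters - applied):
        findings.append(f"filter {name} is defined but not applied to any interface")

    # 6. Without the 'remote' template user a server-authenticated login has no local class.
    if not any(re.match(r"^set system login user remote class ", l) for l in lines):
        findings.append("no 'remote' template user: TACACS+ logins without a local-user-name "
                        "mapping fail with 'no logical login-id configured'")
    return findings


# Constructed sample: the set commands from this post, as originally shown.
AS_POSTED = """\
set system tacplus-server 192.168.10.222 routing-instance mgmt_junos
set system tacplus-server 192.168.10.222 secret tacpassword1
set system tacplus-server 192.168.10.222 single-connection
set system tacplus-server 192.168.10.222 source-address 192.168.0.4
set system authentication-order tacplus
set system authentication-order password
set system accounting events login
set system accounting destination tacplus server 192.168.10.222 secret tacpassword1
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from source-prefix-list TACACS-SERVERS
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from protocol tcp
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from source-port tacacs
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then count TACACS-PERMIT
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then accept
set firewall policer tacacs-policer if-exceeding bandwidth-limit 1m
set firewall policer tacacs-policer if-exceeding burst-size-limit 10k
set firewall policer tacacs-policer then discard
"""

# The lines that close the gaps the audit reports (assumed fix, not from the post).
FIXES = """\
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then policer tacacs-policer
set interfaces lo0 unit 0 family inet filter input IPv4-FIREWALL
set system login user remote class super-user
"""

if __name__ == "__main__":
    print("as posted:", audit_junos_tacplus(AS_POSTED))
    print("with fixes:", audit_junos_tacplus(AS_POSTED + FIXES) or "clean")
```

Paste the output of `show configuration | display set` into the function (or run it in a pre-commit hook on your configuration repository) and treat any finding as a blocker; the empty-list result is the state in which the TACACS+ setup both works and fails safe.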