Cisco ASA Dual ISP setup

This post describes and tests some configurations to support multiple ISP or WAN connections on an ASA running FOS9. I'm using an ASA 5506X for this demo, and my software version does not use the bridge-groups out of the box, so all the ports are routed by default. I'm also using a couple of other Cisco routers in a simple network to test the connections.

To start with, let's set up a standard Dual ISP setup which just relies on a floating static route.

Stage 1 – Set up the interfaces

interface GigabitEthernet1/1
 nameif ISP1
 security-level 0
 ip address 10.0.0.2 255.255.255.252 
!             
interface GigabitEthernet1/2
 nameif ISP2
 security-level 0
 ip address 10.1.1.2 255.255.255.252 

Stage 2 – Add the routes
We want ISP1 to be the primary and it to fall back to the secondary if it fails.

route ISP1 0.0.0.0 0.0.0.0 10.0.0.1 1 
route ISP2 0.0.0.0 0.0.0.0 10.1.1.1 200

A quick check of the routing table shows:

ciscoasa# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, ISP1
C        10.0.0.0 255.255.255.252 is directly connected, ISP1
L        10.0.0.2 255.255.255.255 is directly connected, ISP1
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2

When I pull the cable out of the interface Gi1/1 (ISP1) and re-check:

ciscoasa# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.1.1.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [200/0] via 10.1.1.1, ISP2
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2

So that all works. However, the design we need here means that it is VERY unlikely it will ever fail over, as the line protocol will always remain up because we will use either a modem or another router as the gateway. A new option is needed here, using a tracking object.

The new topology is a bit different and uses an intermediate switch/router on ISP1 so we can monitor something that is not directly connected.

The first stage is to create an SLA object:

sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 interface ISP1
sla monitor schedule 1 life forever start-time now

I'm monitoring the loopback interface on my ISP router – but that's via an extra L3 hop on the switch. We can test it works with the following:

ciscoasa# show sla monitor configuration 
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner: 
Tag: 
Type of operation to perform: echo
Target address: 1.1.1.1
Interface: ISP1
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

ciscoasa# show sla monitor operational-state 
Entry number: 1
Modification time: 01:08:31.696 UTC Tue Oct 15 2019
Number of Octets Used by this Entry: 2056
Number of operations attempted: 3228
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 06:55:31.697 UTC Thu Oct 17 2019
Latest operation return code: OK
RTT Values:
RTTAvg: 1       RTTMin: 1       RTTMax: 1
NumOfRTT: 1     RTTSum: 1       RTTSum2: 1

Once that's all running we can attach it to a tracking object as follows:

track 1 rtr 1 reachability

which can be verified:

ciscoasa# sh track 
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
  6 changes, last change 00:37:56
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    STATIC-IP-ROUTING 0

Now we can add the tracking object onto the default route.

route ISP1 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 10.1.1.1 200

So now we can check the routing table….

ciscoasa# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, ISP1
C        10.0.0.0 255.255.255.0 is directly connected, ISP1
L        10.0.0.2 255.255.255.255 is directly connected, ISP1
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2

I've now broken the network north of the directly connected router and south of 1.1.1.1:

ciscoasa# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.1.1.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [200/0] via 10.1.1.1, ISP2
C        10.0.0.0 255.255.255.0 is directly connected, ISP1
L        10.0.0.2 255.255.255.255 is directly connected, ISP1
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2

ciscoasa# sh track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
  7 changes, last change 00:00:17
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

ciscoasa# sh sla monitor operational-state 1
Entry number: 1
Modification time: 01:08:31.701 UTC Tue Oct 15 2019
Number of Octets Used by this Entry: 2056
Number of operations attempted: 3239
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 07:06:31.702 UTC Thu Oct 17 2019
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

That failed over, and now it's plugged in and back to normal. Notice the operation frequency of the SLA is 60 seconds, so that could do with some tuning!
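As an added example (not part of the original post), here is a Python check that reads the "show route", "show track" and "show sla monitor configuration" captures shown above and reports which ISP the default route is on, whether that agrees with the track state, and the worst-case time the SLA probe needs to notice a dead path. The sample outputs are trimmed copies of the ones in this post; the "frequency + timeout" bound is my assumption about how the probe schedule behaves, not something the post states.

```python
import re

# Constructed sample output, trimmed from the post's own "show route", "show track"
# and "show sla monitor configuration" captures (codes legend omitted).
SHOW_ROUTE_PRIMARY = """\
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, ISP1
C        10.0.0.0 255.255.255.252 is directly connected, ISP1
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
"""

SHOW_ROUTE_BACKUP = """\
Gateway of last resort is 10.1.1.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [200/0] via 10.1.1.1, ISP2
C        10.0.0.0 255.255.255.252 is directly connected, ISP1
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
"""

SHOW_TRACK_UP = """\
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
  6 changes, last change 00:37:56
  Latest operation return code: OK
"""

SHOW_TRACK_DOWN = """\
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
  7 changes, last change 00:00:17
  Latest operation return code: Timeout
"""

SLA_CONFIG = """\
Entry number: 1
Type of operation to perform: echo
Target address: 1.1.1.1
Interface: ISP1
Operation timeout (milliseconds): 5000
Operation frequency (seconds): 60
"""

DEFAULT_ROUTE_RE = re.compile(
    r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[(\d+)/\d+\] via ([^,]+), (\S+)", re.M)


def active_default_gateway(show_route):
    """Return (next_hop, interface, admin_distance) of the installed default
    route, or None if no static default route is present."""
    m = DEFAULT_ROUTE_RE.search(show_route)
    if not m:
        return None
    return m.group(2), m.group(3), int(m.group(1))


def track_state(show_track):
    """Return reachability and the last SLA return code from 'show track'."""
    reach = re.search(r"Reachability is (Up|Down)", show_track)
    code = re.search(r"Latest operation return code: (\S+)", show_track)
    return {
        "up": bool(reach) and reach.group(1) == "Up",
        "return_code": code.group(1) if code else None,
    }


def sla_detection_window(sla_config):
    """Worst-case seconds between the path breaking and the track noticing it.
    Assumption (not from the post): one probe is sent per 'frequency' and a
    probe must run to 'timeout' before it counts as lost, so the bound is
    frequency + timeout."""
    freq = int(re.search(r"Operation frequency \(seconds\): (\d+)", sla_config).group(1))
    timeout_ms = int(re.search(r"Operation timeout \(milliseconds\): (\d+)", sla_config).group(1))
    return freq + timeout_ms / 1000


def failover_report(show_route, show_track, primary_if="ISP1"):
    """Combine the routing table and the track state into one health verdict."""
    gw = active_default_gateway(show_route)
    st = track_state(show_track)
    if gw is None:
        return {"active_interface": None, "failed_over": None,
                "track_up": st["up"], "consistent": False}
    failed_over = gw[1] != primary_if
    return {
        "active_interface": gw[1],
        "next_hop": gw[0],
        "distance": gw[2],
        "track_up": st["up"],
        "failed_over": failed_over,
        # Healthy: on the primary with the track up, or on the backup with the
        # track down. Anything else (track down but still on ISP1) needs a look.
        "consistent": failed_over == (not st["up"]),
    }


if __name__ == "__main__":
    print(failover_report(SHOW_ROUTE_PRIMARY, SHOW_TRACK_UP))
    print(failover_report(SHOW_ROUTE_BACKUP, SHOW_TRACK_DOWN))
    print("worst-case detection window: %.1fs" % sla_detection_window(SLA_CONFIG))
```

Run it against real captures by pasting the three command outputs into the constants; the "consistent" flag is the one worth alerting on, since a track that is down while the default route still points at ISP1 means the route was configured without the "track 1" keyword.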


Juniper EX switches – those error lights!

When we spin up a new EX 2200 switch the Alarm light always comes on. This post shows how to trace the issue and fix the problem. Then hopefully your switch will not have that annoying/alarming red/amber light on it all the time! I'm using an EX2200 (JUNOS 12.3R9.4) and have loaded the factory default config.

Let's check for system alarms:

root> show system alarms 
1 alarms currently active
Alarm time               Class  Description
2015-02-12 14:38:59 UTC  Major  Management Ethernet Link Down

This is telling us that we are not plugged into the management port – which is not a problem. Let's fix that:

root# set chassis alarm management-ethernet link-down ignore

Now when it's committed, the red light is off!


Cisco Anyconnect – Disconnect and Reconnect at login

We have all had that experience when the Cisco Anyconnect client immediately disconnects after you have logged on and then starts reconnecting again. It's not life-threatening, just irritating. The issue appears to be caused by an MTU mismatch, but this can be tweaked on the ASA based on the profile. This post shows how to fix the problem at the ASA CLI.

The config needs to be added to the default remote profile under the webvpn stanza; however, we don't like messing around with default policies, so we will modify the custom group policy for our remote users.

group-policy REMOTE-POLICY internal
group-policy REMOTE-POLICY attributes
 dns-server value x.x.x.x x.x.x.x
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 webvpn
  anyconnect mtu 1300

And that’s it!


Juniper BGP on SRX – Basic EBGP setup

So I have an SRX300 with an external Draytek 130 attached giving DSL connectivity. The next task is to create a BGP session so we can announce the routed subnet back to our MPLS VPN. This will move on to multiple lines with some route selection included. In the first instance we need to establish the peering session, and the internet is full of instructions on how to do this. The next stage is announcing a prefix, which is not so well documented.

Our AS: 65111
Core AS: 65000
Our DSL IP: 192.168.1.244/32
Core DSL gateway: 192.168.250.6
Local LAN: 192.168.20.0/24 – this is to be advertised

Stage 1: Set up the BGP AS

root# set routing-options autonomous-system 65111

Stage 2: Set up a group (like a Cisco Peer-Group)

set protocols bgp group UPSTREAM type external
set protocols bgp group UPSTREAM peer-as 65000
set protocols bgp group UPSTREAM neighbor 192.168.250.6

Stage 3: We like authentication on BGP sessions!

set protocols bgp group UPSTREAM authentication-key my_secret_key

At this point we can see the session is set up. This can be verified with:

root> show bgp summary 
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0               
                       1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.250.6         65000        144        153       0       2       22:26 1/1/1/0              0/0/0/0  

Notice we have received 1 route from the other side, which in our case is a default route. This can be checked with:

root> show route protocol bgp 

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/170] 00:24:19, localpref 100
                      AS path: 65000 I, validation-state: unverified
                    > to 192.168.250.6 via pp0.0

However we are still not announcing our local route back to the upstream router.

Stage 4: Create a routing policy

The policy will be called EXP-POLICY and is set to just export the local 192.168.20.0/24 prefix

root# set policy-options policy-statement EXP-POLICY term 1 from route-filter 192.168.20.0/24 exact
root# set policy-options policy-statement EXP-POLICY term 1 then accept

Stage 5: Attach the policy

root# set protocols bgp group UPSTREAM export EXP-POLICY

Now we can check the announced routes! Note that the route needs to be in the UP state for the announcement to work.

root> show route advertising-protocol bgp 192.168.250.6    

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.168.20.0/24         Self                                    I
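Added example, not from the post: a Python audit of the "show bgp summary" and "show route advertising-protocol bgp" output above, checking that the session is established and that only the prefix the export policy was written for is being announced. The second advertising sample, where the default route learned from AS 65000 is re-announced to it, is constructed to show what a too-broad export policy looks like, and the "Active" peer sample is constructed to show a session that is down; the peer, AS numbers and the 192.168.20.0/24 prefix come from the post.

```python
import re

# Constructed sample output, copied from the post's "show bgp summary" capture.
BGP_SUMMARY = """\
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0
                       1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.250.6         65000        144        153       0       2       22:26 1/1/1/0              0/0/0/0
"""

# Constructed (not from the post): the same peer while the session is down.
BGP_SUMMARY_DOWN = """\
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.250.6         65000          0          0       0       3        1:02 Active
"""

# Copied from the post's "show route advertising-protocol bgp 192.168.250.6".
ADVERTISED_OK = """\
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.168.20.0/24         Self                                    I
"""

# Constructed failure case (not from the post): an export policy that is too
# broad and leaks the default route learned from the upstream back to it.
ADVERTISED_LEAK = """\
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.168.20.0/24         Self                                    I
* 0.0.0.0/0               Self                                    65000 I
"""

PEER_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)", re.M)
RIB_COUNTS_RE = re.compile(r"^(\d+)/(\d+)/(\d+)/(\d+)$")
ADVERTISED_RE = re.compile(r"^\*\s+(\S+/\d+)\s+", re.M)


def parse_bgp_summary(text):
    """Return one dict per peer. Junos prints per-RIB counters
    (active/received/accepted/damped) in the State column only for an
    Established session; a word there (Active, Connect, Idle...) means down."""
    peers = []
    for m in PEER_RE.finditer(text):
        counts = RIB_COUNTS_RE.match(m.group(8))
        peers.append({
            "peer": m.group(1),
            "as": int(m.group(2)),
            "flaps": int(m.group(6)),
            "established": counts is not None,
            "received": int(counts.group(2)) if counts else 0,
            "accepted": int(counts.group(3)) if counts else 0,
        })
    return peers


def advertised_prefixes(text):
    """Set of prefixes actually being sent to the neighbour."""
    return set(ADVERTISED_RE.findall(text))


def audit_export(advertised, allowed):
    """Compare what is advertised with what the export policy was meant to allow.
    'unexpected' is the leak set; 'missing' is what we meant to send but did not
    (for example because the interface holding that prefix is down)."""
    return {
        "unexpected": sorted(advertised - allowed),
        "missing": sorted(allowed - advertised),
        "ok": advertised == allowed,
    }


if __name__ == "__main__":
    allowed = {"192.168.20.0/24"}
    for p in parse_bgp_summary(BGP_SUMMARY) + parse_bgp_summary(BGP_SUMMARY_DOWN):
        print(p)
    print(audit_export(advertised_prefixes(ADVERTISED_OK), allowed))
    print(audit_export(advertised_prefixes(ADVERTISED_LEAK), allowed))
```

The "allowed" set is the same list of prefixes the EXP-POLICY route-filter terms accept, so the audit catches the two usual mistakes: a policy term without a matching "then reject" at the end that lets everything else through, and a prefix that silently stops being announced because its interface went down.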

Juniper SRX ADSL setup with Draytek 130 Modem

The next challenge is to add a second DSL account onto the same SRX110 or, in the case of the SRX300, just add a DSL connection. The SRX300 has no PIM slots so cannot have a DSL card added. The way Juniper implement this is to use a 'pp' interface, which equates roughly to a Cisco Dialer interface. So once the pp interface is created and configured, we need to link it to a physical interface and plug in the Draytek modem. I don't have any other modems to hand but I suspect any ADSL/VDSL modem would do.

Step 1: Assign our physical WAN port
I'm using fe-0/0/0 as it's the default WAN port on the SRX110.

root# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether

Step 2: Set up and configure the pp0 (Dialer) interface and CHAP options

root# set interfaces pp0 unit 0 ppp-options chap default-chap-secret your_password
root# set interfaces pp0 unit 0 ppp-options chap local-name your_username
root# set interfaces pp0 unit 0 ppp-options chap passive

Step 3: Set the PPPoE options and link the physical interface

root# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
root# set interfaces pp0 unit 0 pppoe-options idle-timeout 0
root# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3
root# set interfaces pp0 unit 0 pppoe-options client

Step 4: Set up the layer3 info on the pp0
This is a dynamic IP address account so we just let the SRX negotiate.

root# set interfaces pp0 unit 0 family inet mtu 1492
root# set interfaces pp0 unit 0 family inet negotiate-address

Step 5: Routing
We need to add a default route to get internet traffic:

root# set routing-options static route 0.0.0.0/0 next-hop pp0.0

Testing
As we are using an external modem, we can't get much info about the DSL connection. The main tests are PPP-related:

root> show ppp summary 
Interface      Session type  Session phase      Session flags
pp0.0          PPP           Network    

root> show ppp statistics 
Session statistics from PPP process
  Total sessions: 1 
    Sessions in disabled phase    : 0
    Sessions in establish phase   : 0
    Sessions in authenticate phase: 0 
    Sessions in network phase     : 1
    Bundles in pending phase      : 0      

Let's get some PPPoE data:

root> show pppoe interfaces 
pp0.0 Index 82
  State: Session up, Session ID: 6, 
  Service name: None, 
  Session AC name: Vigor2000 PPPoE, Configured AC name: None, 
  Remote MAC address: 00:1d:aa:8b:c2:e0, 
  Session uptime: 17:06:31 ago, 
  Auto-reconnect timeout: 3 seconds, Idle timeout: Never, 
  Underlying interface: fe-0/0/0.0 Index 81

A last general and probably best show command is:

root> show interfaces pp0 brief 
Physical interface: pp0, Enabled, Physical link is Up
  Type: PPPoE, Link-level type: PPPoE, MTU: 1532, Speed: Unspecified
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps

  Logical interface pp0.0 
    Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
    PPPoE:
      State: SessionUp, Session ID: 6,
      Session AC name: Vigor2000 PPPoE, Remote MAC address: 00:1d:aa:8b:c2:e0,
      Configured AC name: None, Service name: None,
      Auto-reconnect timeout: 3 seconds, Idle timeout: Never,
      Underlying interface: fe-0/0/0.0 (Index 81)
    Security: Zone: untrust
    Allowed host-inbound traffic : dhcp tftp
    inet  my_dsl_address      --> my_dsl_next_hop

Juniper SRX ADSL setup

This is the first post on WAN connection setups. I'll be using an SRX110 as it has a built-in ADSL/VDSL port. I'll be connecting to a dynamic IP ADSL service based in the UK. The service is a BT type configuration. The SRX has been loaded with the factory default config prior to this exercise.

Step 1: Disable the pt interface
We are using the ‘at’ interface for the ADSL so the ‘dual personality’ port needs setting up.

root# deactivate interfaces pt-1/0/0 

Step 2: Set up the ‘at’ interface

root# set interfaces at-1/0/0 encapsulation atm-pvc
root# set interfaces at-1/0/0 atm-options vpi 0
root# set interfaces at-1/0/0 dsl-options operating-mode auto
root# set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-vc-mux
root# set interfaces at-1/0/0 unit 0 vci 0.38
root# set interfaces at-1/0/0 unit 0 ppp-options chap default-chap-secret "your_password"
root# set interfaces at-1/0/0 unit 0 ppp-options chap local-name "your_username"
root# set interfaces at-1/0/0 unit 0 ppp-options chap passive
root# set interfaces at-1/0/0 unit 0 family inet negotiate-address

Step 3: Correct the interfaces in the zones
We need to swap the pt interface for the at interface in the default security setup.

root# delete security zones security-zone untrust interfaces pt-1/0/0.0
root# set security zones security-zone untrust interfaces at-1/0/0.0

Step 4: Add the default route

root# set routing-options static route 0.0.0.0/0 next-hop at-1/0/0.0

Netapp Replace a failed drive : 7-Mode

Here at work we are dedicated Netapp zealots, so are fully bought into ONTAP. That said, there are occasions when we need to replace a drive in a 7-Mode appliance, which gives us all the shivers as we left this behind long ago. So here is a quick how-to on what to do. For the uninitiated, simply replacing the failed drive is not enough in most cases, as we have auto-assign turned off. If the drive is not manually assigned to a controller, it will sit in the 'un-owned' state and will not be a spare for any aggregate.

Step 1: Swap the drive
Complete the mechanics of the swap.

Step 2: Check the drive is seen. Do this on the controller you want the drive to belong to.

CONTROLLER1> disk show -n
  DISK       OWNER                    POOL   SERIAL NUMBER         HOME                    DR HOME
------------ -------------            -----  -------------         -------------           -------------
0b.01.9      Not Owned                  NONE   KZBMBNDR

Step 3: Assign to the controller; note I want it on CONTROLLER1

CONTROLLER1> disk assign 0b.01.9

Note that there are no reassuring ‘OK’ messages!

Step 4: Check there are no unowned drives

CONTROLLER1> disk show -n
disk show: No unassigned disks

Step 5: Check it has become a spare (output clipped for brevity)

CONTROLLER1> vol status -s

Pool1 spare disks (empty)

Pool0 spare disks

RAID Disk       Device          HA  SHELF BAY CHAN Pool Type  RPM  Used (MB/blks)    Phys (MB/blks)
---------       ------          ------------- ---- ---- ---- ----- --------------    --------------
Spare disks for block checksum
spare           0b.01.9         0b    1   9   SA:B   0   SAS 10000 857000/1755136000 858483/1758174768

All looks good!


Cisco Dynamic L2L VPN setup

Today's challenge is to set up an L2L VPN tunnel between a Cisco ASA running IKEv1 and a Cisco 927 with a dynamic IP address. The 927 is behind a NAT firewall, so it needs to be managed through the tunnel; the tunnel therefore has to come up without intervention, and it also needs to work without any LAN ports connected.

Stage 1 – ASA Setup for the head end.
The ASA needs to be set up using the dynamic-map configuration described in an earlier post:

crypto dynamic-map DYNOMAP 10 set ikev1 transform-set MY_TRANSFORMSET
crypto dynamic-map DYNOMAP 10 set reverse-route
crypto map VPN 999 ipsec-isakmp dynamic DYNOMAP
crypto map VPN interface OUTSIDE

And the special tunnel group for the dynamic L2L:

tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****

Stage 2 – C927 set for IPsec VPN
Normally we would use a tunnel interface, but in this case the ASA does not support that setup, so we are doing a tunnel-less version:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

crypto isakmp key my_secret_key! address W.X.Y.Z   

crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac 
 mode tunnel

crypto map GC_MAP 10 ipsec-isakmp 
 set peer W.X.Y.Z
 set transform-set MY_TRANSFORM_SET 
 match address TRAFFIC

ip access-list extended TRAFFIC
 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

Then apply this to the WAN port:

interface GigabitEthernet4
 description *** WAN ***
 ip address a.b.c.d 255.255.255.252
 crypto map GC_MAP

Assuming you have the NAT set up correctly, that should work fine.

Stage 3 – Keeping the tunnel alive.
I have used an SLA object to ping a server on the other side every 5 seconds to trigger the tunnel. This allows us to log into the router via the tunnel.

ip sla 1
 icmp-echo 192.168.6.10 source-interface Vlan1
 frequency 5
ip sla schedule 1 life forever start-time now

Stage 4 – About these LAN cables
The SLA will not work if the VLAN1 interface is down. To make the VLAN1 interface come up there needs to be a live cable on a switch port of the router. Cisco has a sneaky command to sort this issue out:

interface Vlan1
 description *** LAN ***
 no autostate

So that’s about it!


Juniper VRRP setup

I know Cisco support VRRP and GLBP, but I've always used HSRP as my redundant gateway of choice. In the scope of the JN0-348 the only redundant gateway is VRRP (Virtual Router Redundancy Protocol). It's similar to HSRP, so it should not pose much of a config challenge. Let's run over a few facts:

Router Roles:
VRRP Router – any router participating in the VRRP process.
Master Router – the router doing the forwarding.
Backup Router – the router that will take the forwarding role on in the event of a failure
Virtual Router – the IP address which is the ‘dummy’

Communication:
All the VRRP routers must connect via a common LAN segment and use multicast IP 224.0.0.18 with a TTL of 255. The default timer is 1 second.

Master Election:
By configurable priority with 100 being the default. Higher is better. The other option is to assign the Virtual IP to the physical interface of the box you want to be the master. Preemption is off by default and tuneable.

State:
Init – the router is still initialising. Master, Backup and Transition (between master and backup, etc.).

Configuration:
The config is nested under the IP address of the interface. The VRRP Group number must be consistent across all VRRP routers sharing the VIP.
On SRX1

root# set interfaces ge-0/0/5 unit 0 family inet address 172.16.55.251/24 vrrp-group 55 virtual-address 172.16.55.1
root# set interfaces ge-0/0/5 unit 0 family inet address 172.16.55.251/24 vrrp-group 55 priority 120
root# set interfaces ge-0/0/5 unit 0 family inet address 172.16.55.251/24 vrrp-group 55 preempt

On SRX2

root@SRX2# set interfaces fe-0/0/1 unit 0 family inet address 172.16.55.252/24 vrrp-group 55 virtual-address 172.16.55.1

Verification SRX1:

root> show vrrp summary  
Interface     State       Group   VR state       VR Mode    Type   Address 
ge-0/0/5.0    up             55   master          Active    lcl    172.16.55.251      
                                                            vip    172.16.55.1   

Verification SRX2:

root@SRX2> show vrrp summary    
Interface     State       Group   VR state       VR Mode    Type   Address 
fe-0/0/1.0    up             55   backup          Active    lcl    172.16.55.252      
                                                            vip    172.16.55.1     

Saving that 3rd IP address!
Now we can assign the 'hot' IP to an actual interface, so here is how it looks from SRX2's point of view:

root@SRX2# show interfaces fe-0/0/1          
description "*** LAN PORT ***";
unit 0 {
    family inet {
        address 172.16.55.1/24 {
            vrrp-group 55 {
                virtual-address 172.16.55.1;
                priority 255;
            }
        }
    }
}

Note that when I changed the IP on the fe-0/0/1 interface it ripped out all the VRRP config, as it's all 'downstream' of the IP address. The verification now looks like:

root@SRX2> show vrrp summary 
Interface     State       Group   VR state       VR Mode    Type   Address 
fe-0/0/1.0    up             55   master          Active    lcl    172.16.55.1        
                                                            vip    172.16.55.1     

and the SRX1 which was formerly the master looks like:

root> show vrrp summary 
Interface     State       Group   VR state       VR Mode    Type   Address 
ge-0/0/5.0    up             55   backup          Active    lcl    172.16.55.251      
                                                            vip    172.16.55.1        

So the final test was to pull the cable out of the master (SRX2) and check it fails over nicely. Here is the extract from the log file:

Sep 23 15:37:02   vrrpd[1972]: VRRPD_NEW_MASTER: Interface ge-0/0/5.0 (local address 172.16.55.251) became VRRP master for group 55 with master reason masterNoResponse
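Added example, not from the post: a small Python detector for the VRRPD_NEW_MASTER syslog message above, which flags a master change on a router that is not meant to be the master (here SRX2 holds the VIP 172.16.55.1 on its physical interface, so SRX1 taking over means SRX2 stopped answering) and repeated transitions in a short window. The first log line is the one from the post; the other lines are constructed in the same format, and the flap window and threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed syslog sample: the first vrrpd line is the post's own message,
# the rest are made-up lines in the same format (plus one non-VRRP line).
SYSLOG_LINES = [
    "Sep 23 15:37:02   vrrpd[1972]: VRRPD_NEW_MASTER: Interface ge-0/0/5.0 (local address 172.16.55.251) became VRRP master for group 55 with master reason masterNoResponse",
    "Sep 23 15:37:05   sshd[2210]: Accepted keyboard-interactive/pam for admin from 172.16.55.10 port 51022 ssh2",
    "Sep 23 15:41:30   vrrpd[1972]: VRRPD_NEW_MASTER: Interface ge-0/0/5.0 (local address 172.16.55.251) became VRRP master for group 55 with master reason masterNoResponse",
    "Sep 23 15:41:31   vrrpd[1972]: VRRPD_NEW_MASTER: Interface ge-0/0/5.0 (local address 172.16.55.251) became VRRP master for group 55 with master reason masterNoResponse",
]

# Which local address is supposed to own each group: 172.16.55.1 is SRX2's
# physical address once the VIP has been moved onto it (assumed mapping).
EXPECTED_MASTER = {55: "172.16.55.1"}

VRRP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+vrrpd\[\d+\]: VRRPD_NEW_MASTER: "
    r"Interface (?P<ifname>\S+) \(local address (?P<local>\S+)\) became VRRP master "
    r"for group (?P<group>\d+) with master reason (?P<reason>\S+)")


def parse_vrrp_event(line):
    """Return the fields of a VRRPD_NEW_MASTER line, or None for anything else."""
    m = VRRP_RE.match(line)
    if not m:
        return None
    return {
        # Syslog lines carry no year; the parsed value is only used for deltas.
        "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "interface": m.group("ifname"),
        "local": m.group("local"),
        "group": int(m.group("group")),
        "reason": m.group("reason"),
    }


def vrrp_alerts(lines, expected_master, flap_window_s=300, flap_threshold=3):
    """Return (events, alerts). An 'unexpected_master' alert means a backup took
    the role, i.e. the intended master stopped answering; a 'flapping' alert
    means flap_threshold or more transitions for one group within flap_window_s."""
    events = [e for e in map(parse_vrrp_event, lines) if e is not None]
    alerts = []
    for e in events:
        if e["local"] != expected_master.get(e["group"]):
            alerts.append({"kind": "unexpected_master", "group": e["group"],
                           "local": e["local"], "reason": e["reason"]})
    by_group = {}
    for e in events:
        by_group.setdefault(e["group"], []).append(e["time"])
    for group, times in by_group.items():
        times.sort()
        # Slide a window of flap_threshold transitions; first one that fits is enough.
        for i in range(len(times) - flap_threshold + 1):
            span = (times[i + flap_threshold - 1] - times[i]).total_seconds()
            if span <= flap_window_s:
                alerts.append({"kind": "flapping", "group": group,
                               "transitions": flap_threshold, "span_s": span})
                break
    return events, alerts


if __name__ == "__main__":
    events, alerts = vrrp_alerts(SYSLOG_LINES, EXPECTED_MASTER)
    print("%d VRRP events" % len(events))
    for a in alerts:
        print(a)
```

With preempt enabled on the intended master, a single "masterNoResponse" takeover followed by the master returning is normal; a flapping alert on the same group points at a LAN segment that is dropping the 224.0.0.18 advertisements rather than at a dead router.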

Juniper SRX – I just want a router!

Working on the JN0-348 exam prep requires a router or two for BGP, IS-IS and other stuff that is not supported on an EX switch. Step forward the SRX 320 firewall, which does all the good stuff and has a firewall built in as well! The one issue is that for study purposes the firewall just gets in the way, so this post gives the instructions to convert the system into as close to a router as possible. I also use some SRX110 appliances, but they don't have the required software revision on them for the current exam, though it's not far off. The config is slightly different on the SRX110 as the interfaces are 100 Mbps.

Stage 1 – Bin the security settings

root# delete security

Stage 2 – Remove DHCP

root# delete system services dhcp-local-server
root# delete access 

Stage 3 – Remove the Autoinstallation

root# delete system autoinstallation

Stage 4 – Sort out the VLANs

root# delete vlans vlan-trust
root# delete interfaces ge-0/0/1.0 family ethernet-switching vlan members vlan-trust 
root# delete interfaces ge-0/0/2.0 family ethernet-switching vlan members vlan-trust 
root# delete interfaces ge-0/0/3.0 family ethernet-switching vlan members vlan-trust 
root# delete interfaces ge-0/0/4.0 family ethernet-switching vlan members vlan-trust 
root# delete interfaces ge-0/0/5.0 family ethernet-switching vlan members vlan-trust 
root# delete interfaces ge-0/0/6.0 family ethernet-switching vlan members vlan-trust 
root# set vlans default vlan-id 1 l3-interface irb.0
root# set interfaces ge-0/0/1.0 family ethernet-switching vlan members default
root# set interfaces ge-0/0/2.0 family ethernet-switching vlan members default
root# set interfaces ge-0/0/3.0 family ethernet-switching vlan members default
root# set interfaces ge-0/0/4.0 family ethernet-switching vlan members default
root# set interfaces ge-0/0/5.0 family ethernet-switching vlan members default
root# set interfaces ge-0/0/6.0 family ethernet-switching vlan members default

Stage 5 – Remove the inspection engine from the packet path

root# set security forwarding-options family inet6 mode packet-based
root# set security forwarding-options family mpls mode packet-based
root# set security forwarding-options family iso mode packet-based

Stage 6 – Reboot

Everybody loves a reboot.

So here it is in a single copy-pasteable block:

delete security
delete system services dhcp-local-server
delete access
delete system autoinstallation
delete interfaces ge-0/0/1.0 family ethernet-switching vlan members vlan-trust 
delete interfaces ge-0/0/2.0 family ethernet-switching vlan members vlan-trust 
delete interfaces ge-0/0/3.0 family ethernet-switching vlan members vlan-trust 
delete interfaces ge-0/0/4.0 family ethernet-switching vlan members vlan-trust 
delete interfaces ge-0/0/5.0 family ethernet-switching vlan members vlan-trust 
delete interfaces ge-0/0/6.0 family ethernet-switching vlan members vlan-trust 
delete vlans vlan-trust
set vlans default vlan-id 1 l3-interface irb.0
set interfaces ge-0/0/1.0 family ethernet-switching vlan members default
set interfaces ge-0/0/2.0 family ethernet-switching vlan members default
set interfaces ge-0/0/3.0 family ethernet-switching vlan members default
set interfaces ge-0/0/4.0 family ethernet-switching vlan members default
set interfaces ge-0/0/5.0 family ethernet-switching vlan members default
set interfaces ge-0/0/6.0 family ethernet-switching vlan members default
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based