Wednesday, December 19, 2018

Juniper - Firewall filter and policer



In this post, we are going to see how to filter and rate limit the traffic from JR2 (Juniper) to CR1 (Cisco).




OSPF is configured between the routers, and there is end-to-end connectivity between JR2 and CR1. We apply an output firewall filter on JR1 ge-0/0/1, the interface connected to CR1.

Firewall filter: 

Below is the firewall filter configuration:

root@JR1# edit firewall family inet filter JR2_TO_CR1 

[edit firewall family inet filter JR2_TO_CR1]
root@JR1# show 
term ALLOW_ICMP {
    from {
        source-address {
            222.222.222.2/32;
        }
        protocol icmp;
    }
    then {
        policer P1;       
        count JR2_CR1;     
        log;              
    }
}
term ALLOW_OSPF {
    from {
        protocol ospf;
    }
    then accept;
}
term CATCH_ALL {
    then {
        reject;
    }
}       

The filter above is applied on ge-0/0/1 in the output direction:

ge-0/0/1 {
    unit 0 {
        family inet {
            filter {
                output JR2_TO_CR1;
            }
            address 10.10.0.1/24;
        }
    }
}


root@JR1> show firewall filter JR2_TO_CR1    

Filter: JR2_TO_CR1                                             
Counters:
Name                                                Bytes              Packets
JR2_CR1                                             22060                  137

root@JR1# run show firewall log 
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1
22:31:28  pfe       A      ge-0/0/0.0    ICMP            222.222.222.2                    100.100.100.1


From JR2:

root@JR2> ping 100.100.100.1 source 222.222.222.2 rapid 
PING 100.100.100.1 (100.100.100.1): 56 data bytes
!!!!!
--- 100.100.100.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.584/2.919/3.788/0.443 ms

Rate Limiting :

The configuration below is applied on JR1 to rate limit the traffic from JR2 to CR1:

[edit firewall policer P1]
root@JR1# show 
if-exceeding {
    bandwidth-limit 64k;
    burst-size-limit 4k;
}
then discard;    

The policer is referenced from the firewall filter as a non-terminating action (see term ALLOW_ICMP in the filter configuration above).

With a larger packet size, pinging CR1 from JR2 shows intermittent packet loss:

root@JR2> ...ce 222.222.222.2 rapid count 10 size 1600                      
PING 100.100.100.1 (100.100.100.1): 1600 data bytes
!!.!!!.!!.
--- 100.100.100.1 ping statistics ---
10 packets transmitted, 7 packets received, 30% packet loss
round-trip min/avg/max/stddev = 3.128/33.187/88.808/33.498 ms

From JR1:

root@JR1> show firewall filter JR2_TO_CR1            

Filter: JR2_TO_CR1                                             
Counters:
Name                                                Bytes              Packets
JR2_CR1                                             22480                  142
Policers:
Name                                                Bytes              Packets
P1-ALLOW_ICMP                                        4500                    3
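To see why the 1600-byte pings are dropped intermittently while the 56-byte pings all pass, here is an added example (not from the original post, and not Junos code) that models policer P1 as a single-rate token bucket in Python. It assumes the Junos multiplier k = 1,000 for both bandwidth-limit (bits per second) and burst-size-limit (bytes); the arrival times it feeds in are constructed, not captured from the lab; and the 1500-byte packet size is taken from the page's own counter (4500 bytes over 3 policed packets, i.e. the first fragment of each 1600-byte ping). The names parse_junos_rate, TokenBucketPolicer and police are this example's own.

```python
"""Single-rate token-bucket model of a Junos policer (added example, not Junos code)."""
from dataclasses import dataclass
from typing import List, Tuple

# Junos rate/size suffixes; k = 1000 is an assumption taken from the Junos docs.
_SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_junos_rate(text: str) -> int:
    """'64k' -> 64000, '4k' -> 4000, '1m' -> 1000000, '800' -> 800."""
    text = text.strip().lower()
    if text and text[-1] in _SUFFIX:
        return int(float(text[:-1]) * _SUFFIX[text[-1]])
    return int(text)


@dataclass
class TokenBucketPolicer:
    """Models: if-exceeding { bandwidth-limit; burst-size-limit } then discard."""
    bandwidth_bps: int
    burst_bytes: int
    tokens: float = 0.0
    last_ts: float = 0.0
    policed_packets: int = 0
    policed_bytes: int = 0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def offer(self, ts: float, size: int) -> bool:
        """Return True if the packet conforms, False if it is discarded."""
        # Bytes earned since the previous packet, capped at the burst size.
        refill = (ts - self.last_ts) * self.bandwidth_bps / 8.0
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_ts = ts
        if size <= self.tokens:
            self.tokens -= size
            return True
        self.policed_packets += 1
        self.policed_bytes += size
        return False


def police(arrivals: List[float], size: int, bandwidth: str, burst: str) -> Tuple[str, int, int]:
    """Feed packets of `size` bytes arriving at `arrivals` (seconds) through the policer.
    Returns (ping-style marks, policed packets, policed bytes) like the P1 counter."""
    p = TokenBucketPolicer(parse_junos_rate(bandwidth), parse_junos_rate(burst))
    marks = "".join("!" if p.offer(t, size) else "." for t in arrivals)
    return marks, p.policed_packets, p.policed_bytes


# Constructed arrival times: back-to-back rapid pings separated by pauses
# while the sender waits for replies. Not captured from the lab.
LARGE_PING_ARRIVALS = [0.0, 0.003, 0.006, 0.200, 0.400, 0.600, 0.603, 0.800, 0.990, 0.993]
SMALL_PING_ARRIVALS = [0.0, 0.003, 0.006, 0.009, 0.012]

if __name__ == "__main__":
    # 1500-byte first fragments of the 1600-byte pings
    print(police(LARGE_PING_ARRIVALS, 1500, "64k", "4k"))
    # 56-byte pings are 84 bytes on the wire (20 IP + 8 ICMP + 56)
    print(police(SMALL_PING_ARRIVALS, 84, "64k", "4k"))
```

With the constructed timings the model reproduces the page's loss pattern and the P1-ALLOW_ICMP counter (3 packets, 4500 bytes). The small pings fit comfortably into the 4,000-byte bucket, whereas two back-to-back 1500-byte fragments nearly empty it, and at 64 kbit/s the bucket only earns 8,000 bytes per second, so the few milliseconds between rapid pings cannot restore the 1,500 bytes the next fragment needs.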

Sunday, December 2, 2018

Juniper - BGP implementation


  1. iBGP between vMX-1 and vMX-2
    • Static route
    • IGP (ospf)
  2. eBGP between vMX-1 and vMX-3



iBGP with Static route

1. Interface configuration

root@vMX-1> show configuration interfaces | display set       
set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32

2. Routing configuration

root@vMX-1> show configuration routing-options | display set
set routing-options static route 2.2.2.2/32 next-hop 10.1.12.2      <-- Static route
set routing-options autonomous-system 65000                             <-- BGP AS

3. BGP neighbor configuration

root@vMX-1> show configuration protocols | display set                      
set protocols bgp group iBGP type internal
set protocols bgp group iBGP neighbor 2.2.2.2 local-address 1.1.1.1

The local-address statement sources the iBGP session from the loopback address.
The Cisco IOS command no auto-summary has no Junos equivalent and is not required: Junos has no concept of classful or classless networking, and CIDR is used exclusively.

Verification:

root@vMX-1> show bgp neighbor 2.2.2.2 | match Established 
  Type: Internal    State: Established    Flags: <Sync>

root@vMX-1> show route 

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[Direct/0] 00:46:28
                    > via lo0.0
2.2.2.2/32         *[Static/5] 00:44:45
                    > to 10.1.12.2 via ge-0/0/0.0
10.1.12.0/24       *[Direct/0] 00:46:28
                    > via ge-0/0/0.0
10.1.12.1/32       *[Local/0] 00:46:28
                      Local via ge-0/0/0.0

iBGP with IGP (OSPF)

Routing configuration:

root@vMX-1> show configuration protocols ospf | display set 
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive

Verification:

root@vMX-1> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
10.1.12.2        ge-0/0/0.0             Full      2.2.2.2          128    32

root@vMX-1> show bgp summary 
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0               
                       0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
2.2.2.2               65000          7          6       0       1        2:27 0/0/0/0              0/0/0/0


eBGP

vMX-1

root@vMX-1> show configuration protocols bgp | display set 
set protocols bgp group iBGP type internal
set protocols bgp group iBGP neighbor 2.2.2.2 local-address 1.1.1.1
set protocols bgp group eBGP type external
set protocols bgp group eBGP neighbor 10.1.13.3 peer-as 65001

vMX-3

root@vMX-3> show configuration protocols bgp | display set 
set protocols bgp group eBGP type external
set protocols bgp group eBGP neighbor 10.1.13.1 peer-as 65000

Next, an export policy is needed to advertise the loopback address.

1. Policy creation:

set policy-options policy-statement EBGP_ADV_LOOPBACK term ADV_LO0 from protocol direct
set policy-options policy-statement EBGP_ADV_LOOPBACK term ADV_LO0 from route-filter 1.1.1.1/32 exact
set policy-options policy-statement EBGP_ADV_LOOPBACK term ADV_LO0 then accept

2. Applying the policy to BGP:

set protocols bgp group eBGP neighbor 10.1.13.3 export EBGP_ADV_LOOPBACK

Verification: 

root@vMX-1> show route protocol bgp 

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

3.3.3.3/32         *[BGP/170] 00:03:13, localpref 100
                      AS path: 65001 I, validation-state: unverified
                    > to 10.1.13.3 via ge-0/0/1.0

root@vMX-1> show route receive-protocol bgp 10.1.13.3 

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 3.3.3.3/32              10.1.13.3                               65001 I

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
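As an added example (not from the original post, and not Junos code), here is a small Python evaluator for the route-filter matching used by the export policy above. It goes beyond the page's single exact match: the other Junos route-filter match types (longer, orlonger, upto, prefix-length-range) and the rule that only the longest route-filter prefix in a term is considered are implemented too, so the same code serves the page's one-term EBGP_ADV_LOOPBACK policy and the general case. The Route, Term and evaluate names are this example's own; a route that matches no term returns None, standing in for the protocol's default policy that Junos then applies.

```python
"""Evaluator for the route-filter part of a Junos policy-statement (added example, not Junos code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (prefix, match-type, lower-length, upper-length); the lengths are only used by
# the upto and prefix-length-range match types.
RouteFilter = Tuple[str, str, Optional[int], Optional[int]]


def route_filter_match(candidate: str, filter_prefix: str, match_type: str,
                       lo: Optional[int] = None, hi: Optional[int] = None) -> bool:
    """Apply one Junos route-filter match type to a candidate prefix."""
    cand = ipaddress.ip_network(candidate, strict=False)
    filt = ipaddress.ip_network(filter_prefix, strict=False)
    if cand.version != filt.version or not cand.subnet_of(filt):
        return False                      # candidate lies outside the filter prefix
    if match_type == "exact":
        return cand.prefixlen == filt.prefixlen
    if match_type == "longer":
        return cand.prefixlen > filt.prefixlen
    if match_type == "orlonger":
        return True
    if match_type == "upto":
        return hi is not None and cand.prefixlen <= hi
    if match_type == "prefix-length-range":
        return lo is not None and hi is not None and lo <= cand.prefixlen <= hi
    raise ValueError(f"unknown match type {match_type!r}")


@dataclass
class Route:
    prefix: str
    protocol: str          # direct, static, ospf, bgp, ...


@dataclass
class Term:
    name: str
    protocol: Optional[str] = None
    route_filters: List[RouteFilter] = field(default_factory=list)
    action: str = "accept"  # terminating action: accept or reject


def _longest_filter(route: Route, filters: List[RouteFilter]) -> Optional[RouteFilter]:
    """Junos evaluates only the longest route-filter prefix that contains the route."""
    cand = ipaddress.ip_network(route.prefix, strict=False)
    best, best_len = None, -1
    for rf in filters:
        net = ipaddress.ip_network(rf[0], strict=False)
        if cand.version == net.version and cand.subnet_of(net) and net.prefixlen > best_len:
            best, best_len = rf, net.prefixlen
    return best


def evaluate(policy: List[Term], route: Route) -> Optional[str]:
    """Return the first matching term's action, or None when the route falls
    through every term (Junos then applies the protocol's default policy)."""
    for term in policy:
        if term.protocol is not None and term.protocol != route.protocol:
            continue
        if term.route_filters:
            rf = _longest_filter(route, term.route_filters)
            if rf is None or not route_filter_match(route.prefix, *rf):
                continue
        return term.action
    return None


# The page's policy: policy-statement EBGP_ADV_LOOPBACK term ADV_LO0
EBGP_ADV_LOOPBACK = [
    Term("ADV_LO0", protocol="direct",
         route_filters=[("1.1.1.1/32", "exact", None, None)], action="accept"),
]

if __name__ == "__main__":
    for r in (Route("1.1.1.1/32", "direct"), Route("10.1.13.0/24", "direct"),
              Route("1.1.1.1/32", "ospf")):
        print(r.prefix, r.protocol, "->", evaluate(EBGP_ADV_LOOPBACK, r))
```

Only the loopback direct route is accepted by ADV_LO0; the connected 10.1.13.0/24 route and any OSPF route fall through, which is why only 1.1.1.1/32 appears at vMX-3. The longest-match rule matters when a term lists several route-filters: a more specific filter that does not match hides a less specific one that would have.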

Monday, November 26, 2018

Juniper vMX - Single Area OSPF


Configuration:

vMX-1

set system host-name
set system root-authentication plain-text-password
set protocols lldp interface all

set interfaces ge-0/0/0 unit 0 description "vMX-2"
set interfaces ge-0/0/0 unit 0 family inet address 10.42.12.1/24
set interfaces ge-0/0/1 unit 0 description "vMX-3"
set interfaces ge-0/0/1 unit 0 family inet address 10.42.13.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32

OSPF
set protocols ospf area 0 interface ge-0/0/0.0
set protocols ospf area 0 interface ge-0/0/1.0
set protocols ospf area 0 interface lo0.0 passive

vMX-2

set system host-name vMX-2
set system root-authentication plain-text-password
set protocols lldp interface all

set interfaces ge-0/0/0 unit 0 description "vMX-1"
set interfaces ge-0/0/0 unit 0 family inet address 10.42.12.2/24
set interfaces ge-0/0/1 unit 0 description "vMX-3"
set interfaces ge-0/0/1 unit 0 family inet address 10.42.23.2/24
set interfaces lo0 unit 0 family inet address 2.2.2.2/32

OSPF
set protocols ospf area 0 interface ge-0/0/0.0
set protocols ospf area 0 interface ge-0/0/1.0
set protocols ospf area 0 interface lo0.0 passive

vMX-3

set system host-name vMX-3
set system root-authentication plain-text-password
set protocols lldp interface all

set interfaces ge-0/0/0 unit 0 description "vMX-1"
set interfaces ge-0/0/0 unit 0 family inet address 10.42.13.3/24
set interfaces ge-0/0/1 unit 0 description "vMX-2"
set interfaces ge-0/0/1 unit 0 family inet address 10.42.23.3/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/32

OSPF
set protocols ospf area 0 interface ge-0/0/0.0
set protocols ospf area 0 interface ge-0/0/1.0
set protocols ospf area 0 interface lo0.0 passive

set routing-options router-id 33.33.33.33 <-- Manually changing the RID

Verification:

show lldp neighbor
show interface terse
ping <ip> rapid
show ospf neighbor
show ospf interface brief
show route protocol ospf terse <prefix>
show ospf overview
show ospf overview | match "Router ID"

show configuration interface
show configuration protocol ospf
show configuration routing-option router-id
show configuration system

Sunday, November 25, 2018

Nexus vPC Consistency check failure

vPC consistency check failure:

The consistency check failed for two reasons:
  1. Configuration inconsistency
  2. Type 2 (QoSMgr Qos configuration incompatible)


Primary switch

N3K1# sh vpc
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 1   
Peer status                       : peer adjacency formed ok      
vPC keep-alive status             : peer is alive                 
Configuration consistency status  : failed  
Per-vlan consistency status       : failed                        
Configuration inconsistency reason: TLV Utils invalid arg passed in api
Type-2 consistency status         : failed  
Type-2 inconsistency reason       : QoSMgr Qos configuration incompatible
vPC role                          : primary                       
Number of vPCs configured         : 44  
Peer Gateway                      : Enabled
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Enabled, timer is off.(timeout = 240s)
Delay-restore status              : Timer is off.(timeout = 30s)
Delay-restore SVI status          : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router    : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id    Port   Status Active vlans    
--    ----   ------ -------------------------------------------------
1     Po100  up     1,500,519,599,697                                                    

vPC status
----------------------------------------------------------------------------
Id    Port          Status Consistency Reason                Active vlans
--    ------------  ------ ----------- ------                ---------------
1     Po1           up     failed      Global compat check   500,519,599                 
                                       failed                                            
2     Po2           up     failed      Global compat check   500,519,599 


Secondary switch

N3K2#sh vpc
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 1   
Peer status                       : peer adjacency formed ok      
vPC keep-alive status             : peer is alive                 
Configuration consistency status  : failed  
Per-vlan consistency status       : success                       
Configuration inconsistency reason: TLV Utils invalid arg passed in api
Type-2 consistency status         : success 
vPC role                          : secondary                     
Number of vPCs configured         : 44  
Peer Gateway                      : Enabled
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Enabled, timer is off.(timeout = 240s)
Delay-restore status              : Timer is off.(timeout = 30s)
Delay-restore SVI status          : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router    : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id    Port   Status Active vlans    
--    ----   ------ -------------------------------------------------
1     Po100  up     1,500,519,599,697                                                    

vPC status
----------------------------------------------------------------------------
Id    Port          Status Consistency Reason                Active vlans
--    ------------  ------ ----------- ------                ---------------
1     Po1           down*  failed      Global compat check   -                           
                                       failed                                            
2     Po2           down*  failed      Global compat check   -                           
                                       failed

Action taken:

1) Internal storage got corrupted. The event log showed:

---
1) Event:E_DEBUG, length:71, at 756769 usecs after Fri Jun 29 19:19:02 2018

    [18] nve_mgr_mcecm_type1_glbl_cfg_compat_check: unable to get local tlv

---
2) Compared the configuration on N3K-01 and N3K-02; both were identical.
3) Reloaded both N3Ks one by one, which fixed the TLV inconsistency.
4) Reloaded N3K-01 with the ascii option, which cleared the QoSMgr inconsistency.



Tuesday, June 26, 2018

Aruba Wifi - Troubleshooting commands

Troubleshooting steps

1. Identify the affected client MAC address and enable debugging as below:

(config)#logging level debugging user-debug <mac>

2. Run the command below to get the debug logs:

 #show debug

For DHCP logs:

logging level debugging network process dhcpd subcat dhcp
show log network all

3. To get the name of the AP to which the client is connected:

 #show user-table | include <mac>

4. The commands below show the client's activity:

#show log user-debug all | include <mac>
#show auth-tracebuf | include <mac>
#show ap remote debug mgmt-frames ap-name <ap-name> | include <mac>
#show ap client trail-info 

5. To find interference in the environment:

 #show ap monitor ap-list ap-name <ap-name>

6. Refer to the link below to troubleshoot client ping loss:

https://www.arubanetworks.com/techdocs/Troubleshooting/ArubaOS/Client_Ping_Loss/Web_Help_Index.htm

7. To check AP uptime, serial number and model:

#show ap database sort-by uptime
#show ap database group <name>
#show ap details advanced ap-name <name> | include Serial
#show ap details advanced ap-name <name>

8. AP debug

#show ap debug system-status ap-name SDL1A-IDF209-WAP07
#show ap debug counters


https://www.semfionetworks.com/uploads/2/9/8/3/29831147/arubaos_commands_-_reference_sheet_v1.2.pdf 


Paloalto - Auto commit failure after upgrade

Issue: Auto commit kept failing after the upgrade. Error logs: admin@paloalto> show jobs all Enqueued              Dequeued           ID  ...