Thursday, December 9, 2021

Deploying a Junos image and SLAX script files with Ansible (for new Juniper EX switches)

In this post I will show you a simple playbook that scps a Junos image file to an EX4200 switch along with SLAX scripts to /var/db/scripts.


This was done in a virtualenv that had been set up beforehand. You need to pip install the junos-eznc module into your virtualenv:

pip3 install junos-eznc
 or
pip install junos-eznc

The playbook is very simple and uses a static username+password combination that we use during our unboxing and initial upgrade process.


Both root-authentication and the SSH service have to be set. If you use any user other than root, it must be present in your Junos config. The root account needs to be defined regardless.

configure
set system services ssh
set system root-authentication myinitailsetup
commit comment "setup new EX"

Here's the playbook;



We have a custom inventory file in the directory from which we serve the files. In this inventory you list your switches by address.



TIP: if you want each switch to run through its tasks without waiting for the others, use the statement below in your playbook:

strategy: free

If all goes well the device will reboot and finish the installation.
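An added example playbook, not the author's (which was posted as an image), covering the steps above: copy the SLAX scripts, then copy and install the image with the junipernetworks.junos modules, which drive junos-eznc. Because junos-eznc talks NETCONF over SSH, the switch also needs set system services netconf ssh alongside the ssh service configured above; the inventory group, the file names and the EX_INITIAL_PW environment variable are assumptions.

```yaml
---
# Added example, not the author's playbook (which was posted as an image).
# Assumes: an inventory group "new_ex" listing the switches by address, the
# junipernetworks.junos collection plus junos-eznc on the controller, the
# image and scripts under ./files, and the initial root password in $EX_INITIAL_PW.
- name: Stage SLAX scripts and install a Junos image on new EX switches
  hosts: new_ex
  gather_facts: false
  connection: ansible.netcommon.netconf   # junos-eznc speaks NETCONF over SSH
  strategy: free                          # each switch proceeds without waiting for the others
  vars:
    ansible_network_os: junipernetworks.junos.junos
    ansible_user: root
    ansible_password: "{{ lookup('env', 'EX_INITIAL_PW') }}"   # keep the static password out of the file
    junos_image: files/junos-ex4200-image.tgz                   # placeholder file name
    slax_scripts:                                               # placeholder script names
      - files/op-uplink-check.slax
      - files/op-inventory.slax
  tasks:
    - name: Copy the SLAX op scripts into the op-script directory
      junipernetworks.junos.junos_scp:
        src: "{{ slax_scripts }}"
        dest: /var/db/scripts/op      # commit/event scripts go in /var/db/scripts/commit or .../event

    - name: Copy and install the image, rebooting when done
      junipernetworks.junos.junos_package:
        src: "{{ junos_image }}"
        validate: true                # have Junos check the package before installing
        reboot: true                  # the switch reboots to finish the install
      register: install

    - name: Show what the install step reported
      ansible.builtin.debug:
        var: install
```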




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \






Tuesday, November 9, 2021

Simple configuration grab in JSON with Ansible

Here's a simple configuration grab pulled over NETCONF using Ansible:


---
- name: Grab_Cfg_Netconf
  hosts: all
  gather_facts: no

  tasks:
    - name: Get Configuration from device
      netconf_get:
        display: json
      register: config

    - name: PrintConfig
      debug:
        var: config.output


Monday, November 1, 2021

HOWTO: Tag External Type 2 routes for redistribution of direct-connect routes on a Juniper SRX

In this post we will explore how to inject a directly connected route as an OSPF type 2 external and tag the route.

The network in this case is attached to my lo0 interface. This interface does NOT participate in any OSPF area.

e.g.

root@HOMESRX# show interfaces lo0 | display set
set interfaces lo0 unit 0 family inet address 192.255.255.255/32
set interfaces lo0 unit 0 family inet address 192.255.55.254/28
set interfaces lo0 unit 0 family inet address 192.255.155.254/28
set interfaces lo0 unit 0 family inet6 address 2001:db8:8:8:8::1/128


So the requirement is to inject only 192.255.55.240/28 as an OSPF external type 2 route with tag 6788.



So the steps are:

  •  set a prefix-list with the specific route
  •  build a policy-statement
  •  finally, apply the export statement for the policy
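The three steps as set commands pushed with junos_config and followed by a look at the resulting external LSA, an added example rather than the post's own configuration; the host name homesrx and the PL-/PS- and term names are mine.

```yaml
---
# Added example, not the author's configuration (which was posted as an image).
# Assumes: an inventory host "homesrx" reachable over NETCONF; the names
# PL-LO0-TYPE2, PS-OSPF-LO0-TYPE2 and the term names are mine.
- name: Export 192.255.55.240/28 into OSPF as external type 2 with tag 6788
  hosts: homesrx
  gather_facts: false
  connection: ansible.netcommon.netconf
  vars:
    ansible_network_os: junipernetworks.junos.junos
  tasks:
    - name: Prefix-list, policy-statement and OSPF export (the three steps)
      junipernetworks.junos.junos_config:
        lines:
          # step 1: only the /28 on lo0 that is allowed out
          - set policy-options prefix-list PL-LO0-TYPE2 192.255.55.240/28
          # step 2: match direct routes in that list, mark them E2 and tag them
          - set policy-options policy-statement PS-OSPF-LO0-TYPE2 term LO0-E2 from protocol direct
          - set policy-options policy-statement PS-OSPF-LO0-TYPE2 term LO0-E2 from prefix-list PL-LO0-TYPE2
          - set policy-options policy-statement PS-OSPF-LO0-TYPE2 term LO0-E2 then external type 2
          - set policy-options policy-statement PS-OSPF-LO0-TYPE2 term LO0-E2 then tag 6788
          - set policy-options policy-statement PS-OSPF-LO0-TYPE2 term LO0-E2 then accept
          # explicit reject keeps the other lo0 addresses (and anything else) out of OSPF
          - set policy-options policy-statement PS-OSPF-LO0-TYPE2 term OTHERS then reject
          # step 3: apply the policy as the OSPF export
          - set protocols ospf export PS-OSPF-LO0-TYPE2
        comment: "type-2 export of lo0 192.255.55.240/28, tag 6788"

    - name: Check the external LSA the SRX now originates
      junipernetworks.junos.junos_command:
        commands:
          - show ospf database external extensive
      register: lsdb

    - name: Print it (look for 192.255.55.240 with Type 2 and the tag)
      ansible.builtin.debug:
        var: lsdb.stdout_lines
```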


Here's the junos cfg;







The downstream router shows the tag has been set and received on the OSPF neighbor;


Thursday, June 17, 2021

FRR opensource routing to CME MDP

In this blog we will look at a simple but effective means of deploying a multicast router with FRR towards the CME Market Data Platform.


https://www.cmegroup.com/confluence/display/EPICSANDBOX/CME+Market+Data+Platform+Connectivity#CMEMarketDataPlatformConnectivity-Figure:GRETunnelwithinIPSecTunnel


note: You typically will get an IPv4 address that will be used for the PIM RP.

Traffic for PIM joins and multicast will be delivered via the GRE interface (gre1 in my example).


You will need to install snapd and FRR, and have your gre1 interface defined, before starting.



sudo yum install snapd
yum install -y https://github.com/FRRouting/frr/releases/download/frr-5.0.1/frr-5.0.1-2018070501.el7.centos.x86_64.rpm
sudo snap install frr
sudo systemctl enable --now snapd.socket

sample frr.conf


[kfelix@mcastrt1 ~]#  /var/lib/snapd/snap/bin/frr.vtysh -c "show running"
Building configuration...

Current configuration:
!
frr version 7.5.1
frr defaults traditional
hostname mcastrt1.yourdomain.com
log file /var/log/pimd
log stdout
no ipv6 forwarding
ip multicast rpf-lookup-mode longer-prefix
ip pim rp 69.50.112.254 224.0.0.0/4
ip mroute 69.50.112.0/25 10.247.x.xx
no service integrated-vtysh-config
!
ip route 69.50.112.0/25 10.247.4.145
ip route 69.50.112.254/32 10.247.x.xx
!
interface dummy255
 description test-dummy-interface-for-joins
 ip igmp
 ip igmp join 224.0.28.85
 ip igmp version 2
 ip pim
 multicast
!
interface gre1
 description CME MDP GRE-tunnel
 ip pim
 multicast
!
interface pimreg
 ip pim
 multicast
!
line vty
!
end


The dummy255 interface was crafted for testing, before enabling IGMP on the LAN interface.


Tuesday, June 15, 2021

FortiOS: how to recover an IPsec VPN PSK string in text format

A colleague was working on a FortiOS conversion and needed a means to gather the existing PSKs from the IPsec VPN configuration in text format.




Here's a simple method for extracting these details using an API call.


The API entry point is:

https://x.x.x.x/api/v2/cmdb/vpn.ipsec/phase1-interface?plain-text-password=1

The full HTTP GET would look like the following (the second query parameter is joined with & rather than a second ?):

curl -k -H "Authorization: Bearer zw7q8QyGrHwtfrn8tkGyfNbnGGN7js" "https://192.168.1.99/api/v2/cmdb/vpn.ipsec/phase1-interface?plain-text-password=1&access_token=zw7q8QyGrHwtfrn8tkGyfNbnGGN7js"

In the output, the "psksecret" field will show the text value.



That's a simple method to get the encrypted field back as the cleartext VPN PSK.

Ken Felix




Wednesday, May 26, 2021

SDWAN fortios ipv6

Okay, here's a new twist. Can you do SD-WAN with IPv6? Well, yes.


Okay, so a friend of mine is looking at SD-WAN and they are in an all-IPv6 environment. I'm going to demo how you do SD-WAN on a FortiGate with IPv6. Keep in mind the SD-WAN IPv6 addr-mode and its configuration are done from the CLI only.


Okay, first what I did was use my 2 IPv6 SIT tunnels. These are used for IPv6 connectivity since my local ISP does not even offer IPv6.


Here's a basic tunnel setup;

config system sit-tunnel
    edit "HE"
        set source 199.188.xxx.xxx
        set destination 216.66.80.26
        set ip6 2001:470:1f07:427::2/64
    next
    edit "CH"
        set source 199.188.xxx.xxx
        set destination 85.202.203.249
        set ip6 2a09:4c0:fe0:7a::2/64
    next
end

Next we stick these two interfaces in an SD-WAN zone. I named mine simply ipv6;


config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "ipv6"
        next
    end
    config members
        edit 1
            set interface "HE"
            set zone "ipv6"
        next
        edit 2
            set interface "CH"
            set zone "ipv6"
        next
    end
end


You will need an IPv6 policy in order to use the SD-WAN zone for traffic exiting to the IPv6 backbone:



config firewall policy
    edit 6
        set name "ipv6-sdwan"
        set uuid 9e0adc14-bdb6-51eb-0138-794f8740485f
        set srcintf "internal"
        set dstintf "ipv6"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end


Notice I enabled NAT on egress: since I have 2 different originating networks, we need to SNAT. My inside LAN is configured using private addresses;



config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh snmp
        set type hard-switch
        set stp enable
        set role lan
        set snmp-index 6
        config ipv6
            set ip6-address 2001:db8:99::1/64
            set ip6-allowaccess https ssh snmp
            set ip6-send-adv enable
            config ip6-prefix-list
                edit 2001:db8:99::/64
                next
            end
        end
    next
end


Now you can build SD-WAN rules, health checks and such, but you have to use the CLI and set the addr-mode type.


e.g. (the health-check and service blocks below sit inside config system sdwan)

config system sdwan
    config health-check
        edit "quad9"
            set addr-mode ipv6
            set server "2620:fe::9"
            set detect-mode prefer-passive
            set threshold-warning-packetloss 20
            set threshold-alert-packetloss 30
            set members 1 2
        next
    end
    config service
        edit 2
            set name "ipv6-tunnels"
            set addr-mode ipv6
            set input-device "internal"
            set priority-members 2
            set dst6 "sjc"
            set src6 "all"
        next
    end
end


So treat SD-WAN for IPv6 in the same fashion as IPv4.
