Category Archives for "The Data Plumber"

Issuing Junos Commands Using Ansible raw Module

If you want to issue something quick on a lot of devices, you don't need to write a whole Ansible playbook to do it. In fact you don't need the Junos modules installed at all.

Most Ansible modules expect Python on the managed node: as this PacketPushers blog explains, Ansible copies the module out to the device and executes it there. The raw module is the exception. It simply runs the string you give it over SSH and hands back whatever the device prints, so it works against a Junos box that has no Python on it. Junos is going to get on-box Python at some point, but right now that's roadmap (or SOPD if you must).

Suppose you want to find out what version of software is on your lab device. Here's a quick way to do that. Two things worth knowing: -k prompts for the SSH password rather than taking it on the command line, and because raw sends the command verbatim, the account's Junos login class is the only thing limiting what it can do.

$ ansible 192.168.30.20 -m raw -a "show version" -u username -k
SSH password:
192.168.30.20 | SUCCESS | rc=0 >>
fpc0:
--------------------------------------------------------------------
Model: ex2200-24t-4g
JUNOS Base OS boot [12.3R12.4]
JUNOS Base OS Software Suite [12.3R12.4]
JUNOS Kernel Software Suite [12.3R12.4]
JUNOS Crypto Software Suite [12.3R12.4]
JUNOS Online Documentation [12.3R12.4]
JUNOS Enterprise Software Suite [12.3R12.4]
JUNOS Packet Forwarding Engine Enterprise Software Suite [12.3R12.4]
JUNOS Routing Software Suite [12.3R12.4]
JUNOS Web Management  Continue reading
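As an added example (mine, not code from the original post), here is a Python script that takes the output of that ad hoc raw command on stdin, splits it per host, pulls out the model and Junos release, and buckets each host against a minimum release, which is usually why you ask a whole fleet for show version in the first place. The sample output embedded in the script is constructed: the first host mirrors the EX2200 above, the other two hosts and their releases are invented. The version parser understands the 12.3R12.4, 12.3X48-D30.7 and 15.1R7-S9 forms; it deliberately refuses to order releases from different trains (an X release against an R release of the same major.minor), because that comparison is not meaningful, and it reports unreachable hosts separately rather than silently dropping them.

```python
"""Parse `ansible ... -m raw -a "show version"` output and flag old Junos."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output (not captured from the post's lab). The first host
# mirrors the EX2200 output in the post; the other two are invented.
SAMPLE_OUTPUT = """\
192.168.30.20 | SUCCESS | rc=0 >>
fpc0:
--------------------------------------------------------------------
Model: ex2200-24t-4g
JUNOS Base OS boot [12.3R12.4]
JUNOS Base OS Software Suite [12.3R12.4]
JUNOS Kernel Software Suite [12.3R12.4]

192.168.30.21 | SUCCESS | rc=0 >>
Hostname: lab-mx
Model: mx80
Junos: 15.1R7-S9

192.168.30.22 | UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh"}
"""

# One "host | STATUS" header per managed node (SUCCESS, FAILED, UNREACHABLE!).
HOST_RE = re.compile(r'^(?P<host>\S+) \| (?P<status>[A-Z!]+)', re.M)
MODEL_RE = re.compile(r'^Model:\s+(\S+)', re.M)
# Old-style "JUNOS ... [12.3R12.4]" package lines and new-style "Junos: 15.1R7-S9".
VERSION_RE = re.compile(r'^(?:JUNOS .*\[|Junos: )(?P<ver>\d+\.\d+[A-Z]\d+[\w.-]*)\]?', re.M)
# 12.3R12.4, 12.3X48-D30.7, 15.1R7-S9, 18.4R3-S4.2
PARSE_RE = re.compile(
    r'^(?P<major>\d+)\.(?P<minor>\d+)(?P<train>[A-Z])(?P<rel>\d+)'
    r'(?:-D(?P<d>\d+))?(?:-S(?P<s>\d+))?(?:\.(?P<build>\d+))?$')


def version_key(ver: str) -> Tuple[int, int, str, int, int, int, int]:
    """Turn a Junos release string into a tuple that sorts correctly within a train."""
    m = PARSE_RE.match(ver)
    if not m:
        raise ValueError(f'unrecognised Junos version: {ver!r}')
    g = lambda k: int(m.group(k) or 0)
    return (g('major'), g('minor'), m.group('train'), g('rel'), g('d'), g('s'), g('build'))


def is_at_least(ver: str, minimum: str) -> Optional[bool]:
    """True/False within one train; None when the trains differ (12.3X48 vs
    12.3R12 are not ordered relative to each other, so don't pretend)."""
    a, b = version_key(ver), version_key(minimum)
    if a[:2] == b[:2] and a[2] != b[2]:
        return None
    return a >= b


def parse_ansible_output(text: str) -> List[Dict[str, Optional[str]]]:
    """Split the raw-module output into one record per host."""
    matches = list(HOST_RE.finditer(text))
    records = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        block = text[m.end():end]
        model = MODEL_RE.search(block)
        ver = VERSION_RE.search(block)
        records.append({
            'host': m.group('host'),
            'status': m.group('status'),
            'model': model.group(1) if model else None,
            'version': ver.group('ver') if ver else None,
        })
    return records


def audit(text: str, minimum: str) -> Dict[str, List[str]]:
    """Bucket hosts as ok / outdated / unknown (unreachable, unparseable, other train)."""
    out: Dict[str, List[str]] = {'ok': [], 'outdated': [], 'unknown': []}
    for r in parse_ansible_output(text):
        if r['status'] != 'SUCCESS' or not r['version']:
            out['unknown'].append(r['host'])
            continue
        verdict = is_at_least(r['version'], minimum)
        bucket = 'unknown' if verdict is None else ('ok' if verdict else 'outdated')
        out[bucket].append(r['host'])
    return out


if __name__ == '__main__':
    import sys
    minimum = sys.argv[1] if len(sys.argv) > 1 else '12.3R12.4'
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for bucket, hosts in audit(data, minimum).items():
        print(f'{bucket:9s} {", ".join(hosts) or "-"}')
```

Pipe the ad hoc command into it with the minimum release as the argument, e.g. ansible lab -m raw -a "show version" -u username -k | python3 junos_versions.py 12.3R12.4; run with no input it works on the embedded sample.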

Ansible and Junos Notes

I'm working on a project to push out configs to Juniper devices and upgrade them if necessary. In the first instance I thought about writing it all in Python, but there's really no need, because quite a lot of the legwork has already been done for you in the form of 'PyEZ' and the Junos Ansible core modules.

Juniper give you a few examples to get you started, but don't really explain what each line in the YAML file does; I guess they expect you to figure that out. Below are a few notes on things I discovered. Perhaps obvious to some, but they might help someone else.

‘No module named jnpr.junos’ When Running Ansible

In the examples Juniper give, they don't tell you that the Ansible Galaxy role 'Juniper.junos' relies on a Python package called 'jnpr.junos', which is PyEZ and is installed separately with 'pip install junos-eznc'. (It is mentioned elsewhere if you look for it.)

So if you've done an 'ansible-galaxy install Juniper.junos' you could be forgiven for thinking that you've downloaded everything you need. You then gaily go on to have a crack at the example given above, but get this error:

$ ansible-playbook juniper-test.yml

PLAY [Get info] *********************************************************

TASK  Continue reading

JBAS011469 Error in Junos Space

Just went onto a customer's Junos Space/Security Director installation to discover that their SRX5800 was showing as 'out of sync'. I tried to do a 'Resynchronize with Network' from the Device Operations menu, but this failed with the following error:

Error while reading config from device: <devicename> javax.persistence.TransactionRequiredException: JBAS011469: Transaction is required to perform this operation (either use a transaction or extended persistence context)

JBAS011469 error in Space 15.2

Unfortunately (like most Space-related errors) there's nothing about this in Juniper's knowledgebase. The only hit I found on a Google search was a similar error, but with a different cause that had been fixed. So I thought I'd put this here in case it helps anyone.

The solution in the end was to update the DMI schema for the device. The SRX5800 had been upgraded from 12.1R3.5 to 12.3X48-D30.7 but the schema within Space had not. I downloaded the appropriate schema, and now the device re-syncs just fine. It is worth checking this after any device upgrade: the schema Space holds for a device should match the release the device is actually running.


Setting up vSRX and Space in VMware Fusion

I’m going to be travelling a bit in the near future and wanted an easy, laptop-based Juniper device and Junos Space instance to mess with. I’ve recently made some headway with CLI configlets and wanted to build on what I’ve got working.

I already run VMware Fusion on the Mac in order to run Ubuntu and Windows, so I figured that was the best thing to use. What I wanted was two VMs that could see each other and be accessed from the host machine, but without them being dependent on the host's interfaces being up. Wifi access would be chargeable, and wired impossible, short of making an ethernet loopback plug to bring the Mac's interface up artificially. So that ruled out both bridged and NAT type connections. What I needed was some kind of internal network within the host; Fusion seems to call this a 'Private to my Mac' connection.

My version of Fusion is 7.1.2. It doesn't seem to be the 'Pro' version, but I can't confirm this. For some reason, the help isn't very helpful. You do some Googling and VMware Workstation information comes up, or help pages about what appear to be Continue reading

Junos Space Log Collector – Utilities

The Juniper documentation on log collector is a bit sparse to be honest, and once it is installed, SSHing to it doesn’t seem to produce a configuration menu any more.  In order to change its config, there are some scripts, but I had to dig around for them:

[root@LOG-COLLECTOR bin]# ls
adhoc.py disableExport.sh logcollectorWatchdog.py selfhealingES.py
agentScript.sh elasticDiskAllocation.py logcollectorWatchdog.pyc selfhealingES.pyc
agentUtilityScript.sh elasticDiskRollover.sh logcolmon.py startService.sh
bashUtils.sh enableExport.sh logcolmon.pyc stopService.sh
cleanZipLogs.sh generateReponse.pl lsStatisticsupdate.sh subsequentBootupdate.sh
collectSystemLogs.sh getMountLocation.sh monitorPacketDrop.sh support-diagnostics.sh
configureMailSetup.sh getRebootDetails.pl mountNfs.sh syslogForwardToggle.sh
configureNameServer.sh getSystemInfo networkScript.sh updateEtcHosts.sh
configureNode.sh getZipLogs.pl resizeFS.sh updateIndexerip.sh
configureNtp.sh initConf.pl resourceMonitoring validateIpAddress.sh
configureTimeZone.sh loadFirewal.sh rootWrapper whiteList.sh

[root@LOG-COLLECTOR bin]#

They are in this directory:

[root@LOG-COLLECTOR bin]# pwd
/opt/jnpr/bin
[root@LOG-COLLECTOR bin]#

An important thing to be sure of is that Log Collector does not have two interfaces; it should have only eth0. If it gets an IP address on eth1, you might find that logging does not work. This is probably because it received a DHCP address on eth1, Continue reading

EVPN – the basics

A great EVPN overview and detailed walkthrough from a colleague of mine… Nice and clear.

PACKETS AND STUFF

So I decided to take a deep dive into eVPN. I'll mostly be looking into VLAN-aware bundling, as per RFC 7432, mostly because I think this will fit more closely with the types of deployments most of the customers are used to: good old IRB interfaces and bridge-tables!

As everyone knows, VPLS has been available for many years now and it's pretty widely deployed. Most of the customers I see have some flavour of VPLS configured on their networks and use it to good effect. So why eVPN? What's the point in introducing a new technology if the current one appears to work fine?

The reality is that multipoint layer-2 VPNs (VPLS) were never quite as polished as layer-3 VPNs. When layer-3 VPNs were first invented they became, and in many cases still are, the "go to" technology for layer-3 connectivity across MPLS networks, and…



Forgotten ‘maintenance’ password for Junos Space

The maintenance user's password can be reset in Junos Space if you still have access via the CLI:

  • SSH to the Space host
  • Log in as the admin user
  • Choose the debug option on the menu (6 or 7, depending on whether this is a VM or an appliance). Just press the number, not the number followed by return!
  • Put in the admin user's password again. You're now in the CentOS shell.
  • Issue the command 'htpasswd -sb /var/www/maintenance/maintPW maintenance <newpassword>'

One caveat: -b takes the new password from the command line, so it ends up in the shell history and is visible in the process list while htpasswd runs. Clear it from the history afterwards (or, where the htpasswd build supports it, use -i to read the password from stdin instead).

Simple as that…   I was never sure why an additional maintenance password was required as well as the admin user and the GUI super user password.  Makes it a pain to keep a record of, but there you go – presumably there’s a good reason.


Location of images on Junos Space after upload

Just a note for my own reference really –

The images you upload via the GUI to upgrade Space end up on the filesystem in /var/cache/jboss/jmp/<imageversion> directory.  In that directory is the actual image, plus a file called appVersionListFile.txt – this file seems to tell the system what other Space apps it is compatible with.

It seems to upload the image into this directory, and then extracts all the various .rpm files from it into /var/cache/jboss/jmp/payloads/<imageversion> directory.

I confirmed this by performing an ‘rm -rf <imageversion>’ on both the above directories, then uploading another image via the GUI again.  Both directories re-appeared.  I doubt this is recommended by TAC though, so do this at your own peril.


Junos Space – checking processes are running

After two miserable nights trying to upgrade Space 13.1R1.6 to 14.1R1.9, I finally called up JTAC for some assistance. For some reason the upgrade started but never finished, the GUI remaining in 'maintenance mode' for several hours.

What they did:

Checked the services – all were showing as down:

service jmp-watchdog status
service jboss status
service jboss-dc status

Tried to start jboss-dc, but it complained that it couldn’t write or create /var/log/jboss.

Did the following to change the ownership of the /var/log directory from root:root. Note this is the whole of /var/log, not just /var/log/jboss, so it is worth recording the original owner and mode with 'ls -ld /var/log' first in case it needs putting back:

chown jboss:root /var/log

Did this:

service jboss-dc start
service jboss start

At this point the GUI started showing ‘Junos space is preparing to start  up’, and after 20 minutes it changed to say the applications were deploying.


PHPBB and website integration

I needed to integrate a website login with a phpBB3 forum recently, and this blog post came in really useful: http://www.3cc.org/blog/2010/03/integrating-your-existing-site-into-phpbb3/

The only issue with it was the logout section. It uses $_GET, but when I implemented it I got a message saying 'Illegal use of $_GET'. phpBB (from 3.1 onwards) deactivates PHP's superglobals in any script that includes its common.php, so input has to be read through its request layer instead.

Instead, the logout code that worked for me is this. It uses request_var() (on phpBB 3.1 and later, $request->variable('cp', '') is the non-deprecated equivalent). One thing to be aware of: a logout driven by a plain GET parameter can be triggered by any page that embeds the link, which is why phpBB's own logout link also carries the session id and ucp.php checks it before killing the session; if that matters for your site, do the same check here.

<?php
// Standard phpBB3 bootstrap; the forum path is an assumption, adjust it for your layout
define('IN_PHPBB', true);
$phpbb_root_path = './forum/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
$user->session_begin();
$auth->acl($user->data);

// request_var() rather than $_GET: phpBB deactivates the superglobals
$cp = request_var('cp', '');
if ($cp == "logout") {
    $user->session_kill();    // end the phpBB session (and with it the site login)
    $user->session_begin();   // start a fresh anonymous session
    echo "Logged out";
}

Freeradius setup on Ubuntu 14.04

Frustrated with a dilapidated installation of Freeradius 1.x in our lab, and conscious that it is unsupported any more, I decided to install a new Freeradius server.

Ubuntu 14.04.3 LTS is the platform I am installing it on, and this is a relatively fresh installation of Ubuntu server.   It needs to serve access-requests from a Redback and a Juniper router in our lab for both PPP and DHCP clients.

Install freeradius using ‘apt-get install freeradius’.  This pulls down Freeradius 2.1 as can be seen below:

Setting up freeradius (2.1.12+dfsg-1.2ubuntu8.1)

Edit the /etc/freeradius/clients.conf file to permit all hosts on the lab network (192.168.3.0/24) to be 'clients' of my new Freeradius server, as long as they use a shared secret when authenticating. To do this, include the following section. Note that testing123 is the secret from FreeRADIUS's own sample config, so replace it with something random before this leaves the lab: the shared secret is the only thing that authenticates a NAS to the server, and a /24 client entry trusts every host on that subnet that knows it.

client 192.168.3.0/24 {
      secret = testing123
      shortname = labnet-3
}

Copy /etc/freeradius/users to /etc/freeradius/users.originalfile so that we have a backup in case everything goes wrong.

Edit the /etc/freeradius/users file and  create a new user:

andrew Cleartext-Password := "password"
 Reply-Message = "Hello %{User-Name}"

Save the users file.

Test this locally Continue reading

Python script to generate RADIUS users

Just for future reference, I wrote this quick script using Python to generate RADIUS users in the Freeradius /etc/raddb/users file. It makes light work of what I used to do rather painfully in Excel. The one gotcha in the users file format is that a reply item ending in a comma tells the parser more items follow on the next line, so the last item in each entry must not have one.


#!/usr/bin/env python3
__author__ = 'amulheirn'

# Create lots of RADIUS users for the FreeRADIUS /etc/raddb/users file

interface = 'ge-0/2/0'        # Local source interface (for reference; not used in the entries)
ipaddr = '89.20.80.'          # First three octets of the Framed-IP-Address
realm = 'example.com'         # Realm after the '@'; the original was lost in extraction, substitute your own
startuser = 1                 # Start of the user range
enduser = 20                  # End of the user range (inclusive)

for i in range(startuser, enduser + 1):
    print('user%d@%s     Cleartext-Password := "password"' % (i, realm))
    print('                        Service-Type := "Framed-User",')
    print('                        Framed-Protocol := "PPP",')
    print('                        Framed-IP-Address := "%s%d",' % (ipaddr, i))
    # Last reply item: no trailing comma, or the parser reads on into the next user
    print('                        Context-Name := "tuk_llu"')
    print()

# '#' starts a comment in the users file, so the marker does not become an entry
print("# ======[END]=====")

Microsoft on Macs – ARGH!

I moved my Mum onto a Mac a few years ago, and the calls for support dropped off dramatically.  She’s a very non-technical user, but tries hard to get to grips with the modern technology.

She’s recently decided she’d like to put some photos in a Word document, and write a message underneath – to send round to people at Christmas, you know?  How hard can that be?

Over the phone, I told her to go to Photos, select the photo and do Edit | Copy from the menu.  Then go to Word and do Edit | Paste to put it in the document.

Nope.

Tried it on my Mac, and sure enough, Word doesn’t know there’s anything in the clipboard to paste!   But if you open anything else (e.g. Textedit) it works fine.

Not really sure whose problem this is, since Word is able to paste in an image that is not in Photos (i.e. an image on the hard disk).  Instructions for that are here:  https://support.office.com/en-in/article/Add-or-replace-a-picture-in-Office-for-Mac-2011-c0a7f0d4-ed59-4183-8fe1-ed615b94cf80?ui=en-US&rs=en-IN&ad=IN

For a novice user like mum, finding that simple things like cutting and pasting are broken is extremely confusing. Of course she thinks it is her Continue reading

Searching for routes with non-IP address next-hops

I am searching in a series of large Redback config files for certain things, and I’m beginning to find Regex and Atom really powerful for this.  The files are sometimes 20,000 lines long, and there are over 100 of them.

Of course I should script this, and someone more script savvy than me would do that in a trice, but I’ve come up with a part manual solution.  Perhaps I will build it into a script later.

What I need to do is search each file for any 'ip route' commands that have a named interface as a next-hop rather than an IP address. So to do this, I am using a negative lookahead on four sets of numbers separated by dots.

I also need to exclude the keyword 'context' and the interface 'null0'. This took me a while to figure out.

Here's my pattern match (the dots are escaped, since an unescaped dot matches any character):

ip route [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+ (?![0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|context|null0)

This matches the string:

 ip route 172.21.0.0/16 MADEUPINTERFACE

But not:

 ip route 172.16.4.0/24 10.0.0.1

The expression is not very accurate, since it could match IP addresses like 999.999.999.999, but that does not matter in Continue reading
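Since the post says this ought to be a script, here is one as an added example (mine, not the author's code). It does the same job as the regex but checks the next hop with Python's ipaddress module instead of a four-numbers pattern, so something like 999.999.999.999 is reported as a non-address next hop rather than silently accepted, it still skips 'context' and 'null0', and it runs over every file given on the command line, reporting file and line number. The config embedded in it is constructed, not one of the real Redback files, and the interface names in it are made up.

```python
"""Find Redback `ip route` statements whose next hop is an interface name."""
import ipaddress
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample config (not one of the real files); interface names are invented.
SAMPLE_CONFIG = """\
context local
 ip route 172.16.4.0/24 10.0.0.1
 ip route 172.21.0.0/16 MADEUPINTERFACE
 ip route 10.99.0.0/16 null0
 ip route 10.98.0.0/16 context transit
 ip route 192.0.2.0/24 999.999.999.999
 ip route 10.96.0.0/16 lag1
 ip route 10.97.0.0/16 10.0.0.2 distance 200
"""

# prefix and next-hop token; anything after the next hop (distance, tags) is ignored
ROUTE_RE = re.compile(r'^\s*ip route\s+(?P<prefix>\S+)\s+(?P<nexthop>\S+)(?P<rest>.*)$')
SKIP = {'context', 'null0'}


def is_ip(token: str) -> bool:
    """True only for a syntactically valid IPv4/IPv6 address (999.999.999.999 is not)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def interface_routes(lines: Iterable[str]) -> Iterator[Tuple[int, str, str]]:
    """Yield (line number, prefix, next hop) for routes whose next hop is not an address."""
    for n, line in enumerate(lines, 1):
        m = ROUTE_RE.match(line)
        if not m:
            continue
        nh = m.group('nexthop')
        if nh.lower() in SKIP or is_ip(nh):
            continue
        yield n, m.group('prefix'), nh


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    return list(interface_routes(text.splitlines()))


def scan_files(paths: Iterable[str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Scan each file; undecodable bytes are replaced rather than aborting the run."""
    return {str(p): scan_text(Path(p).read_text(errors='replace')) for p in paths}


if __name__ == '__main__':
    targets = sys.argv[1:]
    if targets:
        for path, hits in scan_files(targets).items():
            for n, prefix, nh in hits:
                print(f'{path}:{n}: {prefix} -> {nh}')
    else:
        for n, prefix, nh in scan_text(SAMPLE_CONFIG):
            print(f'sample:{n}: {prefix} -> {nh}')
```

Run it as python3 find_iface_routes.py *.cfg over the directory of configs; with no arguments it scans the embedded sample and prints the three routes with non-address next hops.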

Managing Junos Commit Time

I've been working with an ISP that is going to be using a large amount of configuration in the 'groups' section. The statements there will be inherited into the main configuration using the 'apply-groups' statement.

This is a clever way of writing commands once and having them apply to multiple parts of the configuration. At a basic level you could match on interfaces beginning with 'ge-' or 'xe-' and set an MTU on them all using one group statement. This MTU setting would not appear in the main configuration unless the configuration was displayed using "show | display inheritance". There's a nice explanation of how groups work over at this Packetpushers blog.

The downside is that if large amounts of configuration work is done in groups, applying the config can become slow during the ‘commit’ process.  

What happens under the hood when the user issues a commit in Junos?  You can see what happens if you issue a ‘commit | display detail’.  There is an example in this KB article.   As you can see there is a lot of parsing for commit-scripts, interface ranges and apply-groups at the start.  The config in these needs to be expanded and incorporated Continue reading

Networking Heresy?

Software Defined Networking, and its latest incarnation SD-WAN, seem to be all the rage at the moment. Having seen presentations from vendors large and small on the subject recently at Networking Field Day 10, I am still given to thinking there are a few things that get glossed over by the vendors quite often. Foremost in my mind is this (potentially heretical) thought:

It is all very well creating virtual or 'overlay' networks which run over other networks to suit your purposes, but as someone famous once said, you can't change the laws of physics. Packets must ultimately flow across a medium: wires, fibres or waves. The medium doesn't give a flying fart whether the packet is naked or clothed in layers of MPLS or GRE headers; if that medium is congested and doesn't support any form of packet prioritisation, your data is down the dunny.

There's a trade-off here that perhaps not many people understand when they are shown smooth presentations by manufacturers. It seems to me that:

  1. Efficient use of network connectivity requires deep understanding from end to end. That's why you employ network engineers.
  2. Efficient deployment of network connectivity requires abstraction and overlays to increase ease of deployment (which equals loss of understanding of lower layer protocols).
  3. Efficient operation of network connectivity… well… let's hope it'll be fine so long Continue reading

Atom editor – high CPU usage

Just downloaded Atom, a 'hackable' editor that has a really slick user interface on the Mac. It's a really nice application, but weighs in at 200MB!

I was doing some work on a few router config files, about 2MB each, when I noticed the fan spin up on the computer. Looking at the process list, 'Atom Helper' and Apple's spell-check processes were both running very high. There's not much point in having spell-check on a router config I guess, so I disabled it. Problem fixed…