This isn’t hard stuff at all.  I’m sure there are a couple of cool tricks I don’t know yet, but let’s try anyway.  I”m working on an SRX240 here running 11.1 and some change.

Let’s put interfaces ge-0/0/0.0 and lo0.0 in OSPF area 0. If you know the Junos configuration hierarchy, this will be very easy to you. Even if you don’t, you can stare at the config for a little bit and see what we’re doing.

set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0

This is the only OSPF configuration you need, but guess what?  It won’t work.  Since a Junos device is also a firewall, it will drop OSPF packets as they come into the interface; you have to declare that you do indeed want to accept OSPF packets.  You do this by creating a security zone, putting the right interfaces in the right zone, and then enabling OSPF on that zone.

We’ll create a zone called INSIDE for our purposes here.  Note that there are about billion more steps (I counted) to fully configure your security zones, but that’s way beyond our scope here.

set security zones security-zone INSIDE
     interfaces ge-0/0/0.0
set security zones security-zone INSIDE
     interfaces lo0.0
set security zones security-zone INSIDE
     host-inbound-traffic protocols ospf

You can also allow OSPF on specific interfaces like this. These commands will also put those interfaces in the right security zone.

set security zones security-zone INSIDE
     interfaces ge-0/0/0.0 host-inbound-traffic protocols ospf
set security zones security-zone INSIDE
     interfaces lo0.0 host-inbound-traffic protocols ospf

I’m not sure if you need to do this to lo0.0, but it won’t hurt.

Now you can see your OSPF neighbors come up and start exchanging routing information.  That is, of course, assuming you did everything else right.

Send any blog deadlines questions my way.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

At the beginning of the year, I posted my goals for 2011.  How did I do?  Not too well.  I batted .500, so feel free to boo me.

• Hurry up and finish CCNA Voice : I finished that on 7 February.  Was it worth it?  Not really.  I haven’t used the knowledge, and voice isn’t my thing.  I got it to spice up the resume, but it didn’t really come into play at all.  Oh, well.  It’ll expire in about 2 years.
• Pass CCIE R&S written exam : I got this one finally.  I flunked out at Cisco Live this year, but I redeemed myself on 23 August with a pass.  Jody still owes me a drink since I hold the record for lowest passing score.
• Select a CCIE training vendor : Yeah…I never got to that one.  When I finally got through the written, my job had completely drained my motivation.  I fixed that problem by getting a new job, but that didn’t help free up any time to figure out which vendor I wanted to use.  #fail
• Schedule CCIE R&S lab : That obviously didn’t work out, either, since it’s dependent on selecting a training vendor.  #fail

What does this hold for this year?  Getting some training and scheduling an exam is obviously priority.  Since my new job is going all Juniper, going through those certifications would be next.  Another super-busy year, I’m sure.

Good luck to everyone in 2012.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

We all know that the configuration on a Junos box is very hierarchical. Sometimes it doesn’t make a lot of sense, but it’s all a pretty cascade of code. One of the big messes that I’ve found is the VPN configuration hierarchy; there are way more items to configure than on an IOS device.  To reinforce the stpes in my head, I thought I’d get some of the pieces into a post. These aren’t all the options, but it’s all you need to get a static IPSec tunnel up and running.

That’ll do, pig.  I’ll fire off a real configuration post later.  Feel free to add your pair of pennies since I’m a total Junos n00b.

Send any stocking stuffers questions my way.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

One of the big things that I’m dealing with lately is VRFs.  I’ve implemented some VRF-lite stuff, but I’ve never had any practical experience with the full force of them.  I’m definitely learning here.  Since the blog here is really about my sharing what I’ve learned, let’s go through something that came up recently – terminating VPNs on one VRF while passing traffic to another.

What I’m talking about is the old-school, static IPSec VPNs that we’ve all configured a million (or so) times.  You know the ones with crypto maps applied to interfaces?  Well, we’re going to configured one of those for the VRF called “CUSTOMER1″ terminated on an interface in the “INTERNET” VRF.  

There’s some terminology for these VRFs, actually.  The INTERNET VRF, which has the tunnel endpoint is called the front VRF (FVRF); CUSTOMER1 is called the internal VRF (IVRF).  I’ll try to remember to use those terms, but I make no promises.

First, we need to create the VRFs themselves.  Since the endpoints are in two different VRFs, we’ll need to have some routes leaked from the IVRF to the FVRF.  I could write 847829843828 words on route leaking and not cover everything in my limited experience, so you’ll have to look that up on your own if you don’t know what I’m talking about.  Route-target 65000:1 is exported from INTERNET and imported into CUSTOMER1

ip vrf INTERNET
rd 65000:1
route-target export 65000:1
!
ip vrf CUSTOMER1
rd 65000:101
route-target import 65000:1

At this point, we just put the interfaces in the right VRF along with their addresses.  We’ll also configure an ISAKMP policy just like we’ve done a million times.

crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
!
interface Ethernet0/0
 ip vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet0/1.1
 encapsulation dot1Q 1
 ip vrf forwarding CUSTOMER1
 ip address 192.168.201.1 255.255.255.0

Next we’ll create a keyring that’s referenced by the IVRF.  This will make the key for the remote end available for use by that VRF.

crypto keyring KEY1 vrf INTERNET
  pre-shared-key address 192.0.2.101 key TEST.KEY

Now we create and ISAKMP profile, which is really the blood and guts that make all this work.  An ISAKMP profile references some of the important pieces of the tunnel – the IVRF in which to place the traffic, the keyring to use, and tunnel endpoint, and the FVRF where the tunnel terminates.

crypto isakmp profile CUSTOMER1-PROFILE
   vrf CUSTOMER1
   keyring KEY1
   match identity address 192.0.2.101 255.255.255.255 INTERNET

We’ll then create the ACL for interesting traffic. I’ll save some trees and not go through that since this should be pretty easy by now.

Now we can create the crypto map. This will be just like any other crypto map you’ve ever made with one exception; this is where you include that nifty ISAKMP profile we just made.

crypto map CM 100 ipsec-isakmp
 set peer 192.0.2.101
 set transform-set TS
 set isakmp-profile CUSTOMER1-PROFILE
 match address CUSTOMER1-TRAFFIC

Just like in other cases, we need to add a static route to make sure the router sends the packets destined for the remote end of the tunnel out the right interface. Since the FVPN is INTERNET, we’ll add static routes for that VRF. We’ll do the same for the tunnel endpoint just in case the default routes doesn’t go the right way.

ip route vrf INTERNET 192.0.2.101 255.255.255.0 192.0.2.2
ip route vrf INTERNET 10.0.0.0 255.255.255.0 192.0.2.2

Now the tunnel should be up, right? Probably not. If you take a close look, you’ll see that the FVRF has the route to the remote network, but the IVRF – the one that will use the tunnel – doesn’t. We’ll need to use MPBGP to leak those routes from one VRF to another. Did I mention that route leaking can get long-winded and that I’m not going to get into it? Yeah…it can get that bad. Just trust me that this works.

What we’re going to do is to start up BGP for both VRFs. At the same time, we’ll redistribute the static routes that we added above from the FVRF into the IVRF. Since we set up our imported and exported route-targets in the VRF definition, the static routes will magically appear in both VRFs.

router bgp 65000
bgp router-id 192.0.2.1
!
address-family ipv4 vrf INTERNET
 redistribute static
 exit-address-family
!
address-family ipv4 vrf CUSTOMER1
 exit-address-family

If we do a show ip route vrf CUSTOMER1, we’ll see the static routes from the INTERNET VRF. They’re real easy to spot. :)

...
B        10.0.0.0 [20/0] via 192.0.2.102 (INTERNET), 00:00:05
...
B        192.0.2.1 [20/0] via 192.0.2.102 (INTERNET), 00:00:05
...

That should do it. Now you should be able to talk from your local network in the CUSTOMER1 VRF and talk through a tunnel that’s established on the INTERNET VRF.

Send any Juniper configs questions my way.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

I am really excited about the new position.  Since I haven’t started yet, I’m not going to reveal who the company is, but you’ve all seen the name.  They’re forming a new group to handle specialty services for customers, and I’ll be working for the manager of that team as the Senior Network Engineer.  My future boss is a CCIE, so that’s a great start; we didn’t even have a CCNA at my current company until about 2007.  The job is going to be great, and the wife and I are both up for new adventures.

So, why am I leaving?  I’m going to take the high road here and not whine about all the little issues, but there are several that pushed me to look for a new job.  For one, my current company is primarily in print media – newspapers, magazines, books, etc.  When was the last time that you read a newspaper?  Hell, I haven’t read a newspaper in 13 years and I work for a newspaper company.  Sales of print media have been dropping quickly since this whole Interwebs came about, and revenue from the online versions of media are less than 10% of those from print.  It’s just a matter of time before the whole industry goes away, and I wanted to move on gracefully.  Scrambling for a job in this economic climate wouldn’t be a happy place.

The most pressing reason for leaving the company, though, is the fact that the IT services are in the process of moving to a new joint venture company headed by NIIT Technologies.  While this opens up a much broader world, there is always the question of how long my job will be in place with the new company.  I’ve spent the last 4 weeks meeting with the NIIT guys, and they are absolutely wonderful.  They know their stuff, ask the right questions, and do their homework when learning about the network.  Without a doubt, I’d enjoy working with them, but the my group’s future (and even the future of the whole new company) is no longer a certainty.  Again, it’s time to move on gracefully.

Now we have to move to the big city of Atlanta.  I have a small apartment there to live in while we work to sell the house.  The wife is staying for nowto get the house ready to sale, but I’ll make the 5-hour drive on weekends to help out.  It’ll be a struggle for the next few months until the house is sold, but it’ll definitely be worth it in the end.

I start the new job on Monday, 7 November, so I’ll be making my way up with my TV and blow-up mattress this weekend to start the adventure.  My last day with my current company is actually tomorrow, so I’ll be on the road to headquarters to hand in all my stuff.  Hands will be shaked (?), lunch will be eaten, “do they have any openings” jokes will be told.

Most importantly, though, something bigger and better will begin.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

I got a call from one of our business units looking for some routing help.  We don’t usually care about their production networks, but they were seeing some funky traceroutes, so I agreed to try and help them out.

They sent over two fresh traceroutes from a host on a 7600.  In one of them, the trace went to the 7600 and then on down the line as expected.  In the other, the trace showed the 7600, another router’s far interface IP (that is, an interface not facing the 7600), then the 7600′s interface facing that router.  Every few minutes, the path was switch between the two.  The dude told me that they were an OSPF shop, so I asked him to send me the standard show ip route and show ip ospf database commands so I could see what’s going on.  The word “unexpected” comes to mind when trying to describe what I found.  So do other words that aren’t very appropriate.

The 7600, the main router at the main campus, was in OSPF area 50.  The router that showed up in the trace was also in area 50.  The same was true for every other router at that location, so I figured that area 0 was at another location.  Nope.  All routers at all locations (probably around 20 total) were all in area 50, and area 0 was nowhere to be found.  I always thought you could run a single non-backbone OSPF area, but I never understood why you would actually choose to do so.  If you want one area, that’s fine, but why not make it area 0?

That single area was working so I didn’t ask too many questions and looked again at the outputs they sent over.  I chuckled a bit when I noticed that the routes to the target network were showing up as an OSPF type-2 external.  I got a copy of the config at the far network and, lo and behold, I found that there is a single network statement for the transit network back to the main campus along with redistribute connected subnets.  For some reason, instead of actually advertising networks natively in OSPF, all the networks with hosts on them were being redistributed.  I wasn’t there to redesign their network, so I just sighed out loud and kept looking.

I got a copy of the OSPF config for the main campus’s 7600 to see if would show why the traceroute was weirding out on them.  Here’s the part where I actually laughed out loud on the phone.  Right in the middle of the config, I see “area 50 nssa”.  Yes, this single non-backbone area with no real costs being advertised was configured as a not-so-stubby area.  Not only did they go out of their way to make it a non-backbone area but they also wanted it as a stub area.  Since they had all the other networks redistributing into the area, they had to make it NSSA.  It’s a week later, and I still roll my eyes.

How did this happen?  When this business unit was being turned up, they actually outsourced the initial build to a company who will not be named here.  They’re the ones who put in this creative OSPF configuration that I’m putting in my hall of shame (if I had one).  They’re also the ones who caused the reported problem.  After a few more hours of looking around, our guys discovered that the other company put in a new VPN endpoint configured with the IP of the SVI of the 7600.  IP conflicts aren’t good, eh?  Once that was changed, everything returned to normal.

A fun few hours indeed.  At least it was entertaining.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

I’ve already used the phrases “skin of my teeth” and “a pass is a pass” on Twitter today for good reason.  Passing is a score of 790, and I blew that away with a 790.  One more lapse in concentration and I would have been making up more excuses instead of smiling.  I think I’ve mentioned this before, but I have this weird reaction to taking exams where I don’t get nervous at all until after I’m finished.  Walking into the testing center, I was fine.  Walking out, I was shaking like Northern Virginia.  It was so bad that I could barely hold on to the door knob when trying to leave, so I guess that I’m really prouder than I thought I was.

The exam was a total piece of crap.  Nearly every diagram was so compressed and blurry that I couldn’t see them at all.  Most of the time I can infer what the diagram is showing, but, when your bridge priorities are listed there, it’s pretty hard to find root ports.  Absolutely horrible.  There were the inevitable spelling errors in there, too.  Most of those are fine, but STP and SPT are two different topics that are both covered on this exam.  I had no problems figuring out which one they were talking about, but it’s pretty unacceptable to have spelling errors in this exam.  Of course, there were also the questions that I feel are unanswerable.  Switches in VTP transparent mode behave differently from version 1 to version 2, eh?

After being recommended at Cisco Live this year, I added the Boson ExSIM-Max to the pile of prep materials.  It not only helped teach a few new things, but it cleared up a bunch of foggy details.  I’m sure that using any other study materials will do the same to some extent, but the Boson stuff provided something else – it helped to teach me to take the exams.  I was able to go through the questions and practice figuring out what was being asked, which choices were completely wrong, and how to not get utterly frustrated with the questions.  Practice makes perfect, right?

The wife came with me to take her ICND1 exam.  She did better than she thought she would, but, alas, no dice this time.  She says that she’s glad she’s been through it now and knows exactly what to study.  I’m trying to convince her to start her own blog since she’s starting up her cert journey from such a unique place.  We’ll see how that works out.

What’s next?  I have to find a company to help me prep for the lab now.  I’m sure that’s not cheap at all.  Maybe I should just blindly sit the lab and see what happens.  Maybe not.  :)

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

Of course, being the inquisitive network guys that we are, we went on to discuss methods for making OSPF advertise the configured network instead of the single IP.  The guys mentioned two methods – to redistribute the connected interfaces and to manually set the OSPF network type on the loopback.  We were using IPv4 during the session, but I went back and added some IPv6 addresses and processes to compare.

The Basics

The whole lab consisted of R101 and R102 connected via their e0/0 interfaces; R101 also has a loopback interface as the guinea pig.  Here are the interesting lines of config on R101; I think you can figure out the configs on R102.

interface Loopback0
 ip address 172.16.0.1 255.255.255.0
 ipv6 address 2001:DB8:101::1/64
 ipv6 ospf 1 area 0
!
interface Ethernet0/0
 ip address 10.0.0.101 255.255.255.0
 ipv6 enable
 ipv6 ospf 1 area 0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.255 area 0
!
ipv6 router ospf 1
 router-id 192.0.2.101
 log-adjacency-changes

So, what would I expect to see in the routing table on R102?  From our discussions, I would guess that 172.16.0.1/32 and 2001:db8:101::1/128 would show up.

R102#sh ip route
[ SNIP ]
172.16.0.0/32 is subnetted, 1 subnets
O        172.16.0.1 [110/11] via 10.0.0.101, 00:00:03, Ethernet0/0
R102#show ipv6 route
[ SNIP ]
O   2001:DB8:101::1/128 [110/10]
     via FE80::A8BB:CCFF:FE00:6500, Ethernet0/0

Hey!  I’m right for once.  Of course, that’s not really “right” (for definitions of the word). What if I have a service module on my router with an unnumbered IP address bound to the loopback interface. I’m thinking of something like a Unity Express (!).  You want to advertise the whole network or else you can’t get to the module. Let’s look at our two options to fix that.

Redistribute Connected

I removed the loopback interface from both OSPFv2 and OSPFv3 processes and redistributed the connected interfaces (don’t forget the subnets option in OSPFv2).  Here’s what the routing tables on R102 look like now.

R102#sh ip route
[ SNIP ]
172.16.0.0/24 is subnetted, 1 subnets
O E2     172.16.0.0 [110/20] via 10.0.0.101, 00:00:06, Ethernet0/0
R102#sh ipv6 route
[ SNIP ]
OE2 2001:DB8:101::/64 [110/20]
     via FE80::A8BB:CCFF:FE00:6500, Ethernet0/0

We can now see the network as an E2 route with a proper mask in both routing protocols.  I don’t like this solution, though, because I have a serious obsessive-compulsive disorder that won’t let me settle with having an internal route show up as external in OSPF.  Let’s try the other solution and see if we have any better luck.

OSPF Network-type

For this part of the experiment, I removed the redistribute commands and added the looback interface back into the routing processes.   When I manually configured the loopback interface as an OSPF point-to-point network, the networks were advertised as the network without being external.  No more nervous ticks caused by my OCD!

! R101 config
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
 ip ospf network point-to-point
 ipv6 address 2001:DB8:101::1/64
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 0
end

R102#sh ip route
[ SNIP ]
172.16.0.0/24 is subnetted, 1 subnets
O        172.16.0.0 [110/11] via 10.0.0.101, 00:01:04, Ethernet0/0
R102#sh ipv6 route
[ SNIP ]
O   2001:DB8:101::/64 [110/11]
     via FE80::A8BB:CCFF:FE00:6500, Ethernet0/0

Send any type-2002 LSAs questions my way.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

The exam consisted of 77 questions over a 2 hour window. That’s plenty of time to finish; I think I had 48 minutes left when I was through, so time wasn’t a problem. There were only 2 or 3 questions where I was totally lost, so the technology wasn’t a problem. The big problem, like always, was the usual crap questions that are in these exams. Some didn’t provide all the required information. Some were impractical examples of deployments you would never use in the field. Some were on deprecated technologies. Hell, I had one that involved CatOS. Really? CatOS? Since I only failed by about 2 questions (like I always do), these shenanigans are magnified in my mind. It really irks me how these exams are being done; foggy questions don’t really measure ability.

I did have one great advantage last week that I’ve never had – I took the exam at Cisco Live and had 489247248 CCIEs around me willing to help. Since I took the exam on Sunday, I was able to ask people face-to-face for advise on what I need to do to pass, and the consensus was that I needed to practice how to answer questions the way Cisco wants you to answer them since the material wasn’t really that hard. The suggested next steps ran the gamut, too. Some suggested just firing from the hip for answers – the whole “your first guess is always right” theory. Others suggested that I just brute force the exam. Still others even suggested brain dumps along with the idea that we’ve all put in our time and effort already and that the terrible questions shouldn’t be what’s holding us back.

You guys know me by now.  I’m definitely not going to give up or anything stupid like that.  I’ll probably take a week off to recover from Cisco Live and then head back to the studies.  I’ll do the usual brute force method, but I’m going to grab a copy of the Boson exams (which were also suggested) to supplement.  I would guess that I’ll try again around the first of August, but we’ll see.

Send any beatin’ sticks questions my way.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

http://www.sinclair.org.au/keith/networking/frame_relay.html

–
Corrections requested.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts