28 September 2016

JunOS SRX on GNS3 (running JunOS vSRX FireFly inside remote GNS3VM)

Things have come a long way with GNS3 (I was an early user since waaaaay back, and also contributed as a crowd funder when it got a new lease of life a couple of years ago - if something helps your career, and hobby, share what you can afford).

I recently upgraded to the latest version (1.5.2), to try some Juniper labs. And it is much easier now.

TLDR; You still have the read-only VMDK image issue, but once you've converted the image to qcow2, it just works, and the console just works :)

1) Get the GNS3 Client up and running and run the GNS3VM somewhere on the same layer-2 network (I have the GNS3VM running on an ESXi host with ESXi nested virtualisation enabled, and run the GUI/Client on my Mac).

2) Get a copy of JunOS FireFly (.ova) - I'm sure you can figure it out.

3) Extract the .ova file (if you don't have a copy of Linux, you can always use your new GNS3VM! I.e. copy the .ova file to the GNS3VM using SCP and run these commands there):

tar -xvf junos-vsrx-12.1X46-D25.7-domestic.ova


4) The disk type for the FireFly images is "streamOptimized", which is read-only. We need to convert it to QCOW2 to make it read/write, as QEMU cannot cope otherwise.


qemu-img convert -O qcow2 junos-vsrx-12.1X46-D25.7-domestic-disk1.vmdk junos-vsrx-12.1X46-D25.7-domestic.img
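The extract-and-convert steps above, as an added example that is not from the original post: a small Python script that untars the .ova, checks the OVF manifest (.mf) digests if the archive ships one (so you know the image you are about to boot is the one that was packaged), then runs the same qemu-img conversion and confirms the new image really is qcow2. It assumes qemu-img is on PATH; the default filenames are the ones used in the post.

```python
"""Added example (not from the original post): prepare a JunOS FireFly .ova for GNS3.

It automates steps 3 and 4 of the post: extract the .ova (which is a tar archive),
verify the OVF manifest (.mf) digests when the archive ships one, then convert the
streamOptimized VMDK to a writable qcow2 image and confirm the result with
"qemu-img info --output=json". qemu-img is assumed to be on PATH and the default
filenames are the ones used in the post.
"""
import hashlib
import json
import re
import subprocess
import sys
import tarfile
from pathlib import Path

# OVF manifest lines look like "SHA1(file.ovf)= 0123abcd..." (SHA256 is also used).
MANIFEST_LINE = re.compile(
    r"^(?P<algo>SHA1|SHA256)\((?P<name>[^)]+)\)=\s*(?P<hex>[0-9A-Fa-f]+)\s*$")


def file_digest(path, algo):
    """Hex digest of a (possibly multi-GB) file, read in 1 MiB chunks."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(mf_path):
    """Return {file name: True/False} for every line of an OVF manifest.

    Lines that do not parse are reported as False under their own text, so a
    truncated or hand-edited manifest cannot pass silently.
    """
    mf_path = Path(mf_path)
    results = {}
    for line in mf_path.read_text().splitlines():
        line = line.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            results[line] = False
            continue
        target = mf_path.parent / m["name"]
        results[m["name"]] = (target.is_file()
                              and file_digest(target, m["algo"]) == m["hex"].lower())
    return results


def extract_ova(ova, dest):
    """Untar the .ova into dest (what "tar -xvf" does in the post); returns member names."""
    with tarfile.open(ova) as tar:
        names = tar.getnames()
        if hasattr(tarfile, "data_filter"):       # Python 3.12+ (and backports)
            tar.extractall(dest, filter="data")   # refuses absolute paths and ../ traversal
        else:
            tar.extractall(dest)
    return names


def convert_to_qcow2(vmdk, img):
    """qemu-img convert -O qcow2 <vmdk> <img>; returns the format qemu-img then reports."""
    subprocess.run(["qemu-img", "convert", "-O", "qcow2", str(vmdk), str(img)], check=True)
    info = subprocess.run(["qemu-img", "info", "--output=json", str(img)],
                          check=True, capture_output=True, text=True)
    return json.loads(info.stdout)["format"]


def main(argv):
    ova = Path(argv[1] if len(argv) > 1 else "junos-vsrx-12.1X46-D25.7-domestic.ova")
    base = str(ova.with_suffix(""))       # strips ".ova" only
    extract_ova(ova, ova.parent)
    mf = Path(f"{base}.mf")
    if mf.is_file():
        results = verify_manifest(mf)
        for name, ok in results.items():
            print(("ok   " if ok else "FAIL ") + name)
        if not all(results.values()):
            sys.exit("manifest digest mismatch: do not use this image")
    else:
        print(f"no manifest beside {ova.name}; digests not verified")
    img = Path(f"{base}.img")
    print(f"{img.name}: {convert_to_qcow2(Path(f'{base}-disk1.vmdk'), img)}")   # expect qcow2


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 prep_vsrx.py junos-vsrx-12.1X46-D25.7-domestic.ova` in the directory holding the .ova; the resulting .img is what you browse to in step 5.5. A manifest mismatch stops the script before any conversion happens.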

5) Back in GNS3 Client; GNS3 -> Preferences -> QEMU -> QEMU VMs
  5.1) Click "New"
  5.2) Choose "Run the QEMU VM on the GNS3 VM" (assumes you have added GNS3VM to the GNS3 Client).
  5.3) Give the VM a name, related to the Image version etc.
  5.4) Give at least 2GB of RAM (whilst getting things stable it's best to satisfy the requirements; don't set lower than 512MB per VM).
  5.5) Browse to the .img file produced by qemu-img above and click "Next"
(If you used your GNS3VM to run the tar and qemu-img commands, you will need to copy the .img file back to your client so you can upload it into GNS3 here using the Client.)

6) Edit your JunOS instance as needed (adding more interfaces etc), and save.

7) Drag the new JunOS Instance onto your GNS3 map, click "Start", click "Console" and enjoy :)


Prioritising Important Traffic with QoS on Cisco IOS

Here are the commands I use to enable basic upstream QoS on a Cisco 887VA on VDSL2 FTTC fibre. Remember that you can/should only queue/shape/police on egress.

For home Internet there is little point shaping downloads (egress shaping on the inside interface), but shaping your upstream will have a big impact on keeping your downloads fast and VoIP calls running without jitter, all while your kids are running torrents, games or something ;)
NB: consuming upload capacity impedes download capacity, due to the contention introduced on the upstream ACKs.

If you are an office, then yes you should definitely shape downstream (egress on the inside interface) to ensure that "flows" are playing nice and sharing the total download bandwidth across all users.

class-map match-any CLSMP-High
  description High Prio and Realtime
 match access-group name HighPrio
 match dscp ef 
 match dscp cs7 
 match dscp cs6 
!         
policy-map PLCMP-Shaped
 class CLSMP-High
  priority percent 90    <- Priority drops packets above figure
 class class-default
  fair-queue
  bandwidth percent 10   <- Bandwidth is allowed to "borrow" from root
policy-map PLCMP-Shaper
 class class-default
  shape average 20000000   
   service-policy PLCMP-Shaped
!
interface Ethernet0.101
 service-policy output PLCMP-Shaper
!
ip access-list extended HighPrio
 permit tcp any any ack  <- This is important (TCP packets with the ACK flag set)
 permit icmp any any
 permit tcp any any tos min-delay
 permit udp any any eq domain
 permit udp any any eq ntp
#Add VoIP stuff here too :) (Or even better, create a separate class)

rt1#show access-lists HighPrio
Extended IP access list HighPrio
    10 permit tcp any any ack (35488476 matches)
    30 permit icmp any any (17365 matches)
    40 permit tcp any any tos min-delay (8 matches)
    50 permit udp any any eq domain (345229 matches)
    60 permit udp any any eq ntp (160793 matches)

rt1#show policy-map interface ethernet 0.101
 Ethernet0.101 

  Service-policy output: PLCMP-Shaper

    Class-map: class-default (match-any)  
      54539399 packets, 20315187264 bytes
      5 minute offered rate 9000 bps, drop rate 0000 bps
      Match: any 
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/33001/0
      (pkts output/bytes output) 54504938/20266047087
      shape (average) cir 20000000, bc 80000, be 80000
      target shape rate 20000000

      Service-policy : PLCMP-Shaped

        queue stats for all priority classes:
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/1303/0
          (pkts output/bytes output) 35886434/8950446892

        Class-map: CLSMP-High (match-any)  
          36009819 packets, 9010338472 bytes
          5 minute offered rate 3000 bps, drop rate 0000 bps
          Match: access-group name HighPrio
            36009736 packets, 9010327411 bytes
            5 minute rate 3000 bps
          Match:  dscp ef (46)
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match:  dscp cs7 (56)
            14 packets, 1404 bytes
            5 minute rate 0 bps
          Match:  dscp cs6 (48)
            66 packets, 9792 bytes
            5 minute rate 0 bps
          Priority: 90% (17999 kbps), burst bytes 449950, b/w exceed drops: 197
          

        Class-map: class-default (match-any)  
          18529581 packets, 11304849987 bytes
          5 minute offered rate 6000 bps, drop rate 0000 bps
          Match: any 
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops/flowdrops) 0/31301/0/31301
          (pkts output/bytes output) 18498444/11259866445
          Fair-queue: per-flow queue limit 16 packets
          bandwidth 10% (1999 kbps)

PS; If you are wondering why the priority allocation is so high (90%) on the class "CLSMP-High", with only 10% for the rest: this is because packets above the 90% rate get aggressively dropped for "priority", even when there is spare capacity, whereas the bandwidth queue can borrow from the other queues and grow larger than its 10% definition.


I.e. if the traffic in the class "CLSMP-High" is only 1% full, the traffic in the class "class-default" can still use the remaining 99%.

But if the traffic in the "CLSMP-High" is 99%, 9% will get dropped regardless of the size of "class-default".

This is because the internal queues/buckets for "Priority" type queues are always forwarded first, and so can starve other queues of resources. However, when shaping upload traffic this is quite common (unless you are hosting servers, in which case you need to account for them).
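The priority-versus-bandwidth behaviour described in the PS, as an added example that is not from the original post: a small Python model of how the PLCMP-Shaper / PLCMP-Shaped policy divides the shaped 20 Mbit/s between CLSMP-High (priority percent 90) and class-default (bandwidth percent 10), following the behaviour the post describes. It generalises the post's 1% and 99% cases to any pair of offered rates; the rates and percentages are the post's, the function and class names are mine.

```python
"""Added example (not from the original post): a small model of how the post's
PLCMP-Shaper / PLCMP-Shaped policy divides the shaped 20 Mbit/s between
CLSMP-High (priority percent 90) and class-default (bandwidth percent 10),
following the behaviour the post describes: traffic in the priority class above
its percentage is dropped even when class-default is idle, while class-default
may borrow whatever the priority class leaves unused. All rates are in kbit/s.
"""
from dataclasses import dataclass

SHAPE_KBPS = 20000      # shape average 20000000 bit/s in the post
PRIORITY_PCT = 90       # priority percent 90  (CLSMP-High)
DEFAULT_PCT = 10        # bandwidth percent 10 (class-default)


@dataclass(frozen=True)
class Allocation:
    high_sent: int           # kbit/s forwarded from CLSMP-High
    high_dropped: int        # kbit/s dropped by the priority policer
    default_sent: int        # kbit/s forwarded from class-default
    default_dropped: int     # kbit/s dropped because the shaper is full
    default_guaranteed: int  # the 10% class-default can always count on


def allocate(high_offered, default_offered, shape_kbps=SHAPE_KBPS,
             priority_pct=PRIORITY_PCT, default_pct=DEFAULT_PCT):
    """Split one interval of offered traffic across the two classes.

    The priority class is policed to priority_pct of the shaper whatever
    class-default is doing; the rest of the shaped rate, including anything
    the priority class did not use, is available to class-default, so it can
    exceed its guaranteed default_pct.
    """
    priority_cap = shape_kbps * priority_pct // 100
    high_sent = min(high_offered, priority_cap)
    remaining = shape_kbps - high_sent           # never below the 10% guarantee
    default_sent = min(default_offered, remaining)
    return Allocation(
        high_sent=high_sent,
        high_dropped=high_offered - high_sent,
        default_sent=default_sent,
        default_dropped=default_offered - default_sent,
        default_guaranteed=shape_kbps * default_pct // 100,
    )


def describe(alloc):
    """One-line summary in the spirit of 'show policy-map interface'."""
    return (f"CLSMP-High {alloc.high_sent} kbps sent, {alloc.high_dropped} kbps exceed-dropped; "
            f"class-default {alloc.default_sent} kbps sent, {alloc.default_dropped} kbps dropped "
            f"(guaranteed {alloc.default_guaranteed} kbps)")


if __name__ == "__main__":
    # The post's two cases, then an over-subscribed priority class.
    print(describe(allocate(high_offered=200, default_offered=30000)))
    print(describe(allocate(high_offered=19800, default_offered=5000)))
    print(describe(allocate(high_offered=25000, default_offered=0)))
```

The second case is the post's "99%" example: 19800 kbit/s offered to CLSMP-High, 18000 forwarded and 1800 (9% of the shaper) dropped, even though class-default only wants 5000. The "b/w exceed drops: 197" counter in the show output above is the real-world version of that high_dropped figure.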


OpenBSD Packet Flow with PF (Packet Filter)

I created a diagram to show the flow of packets through OpenBSD with PF


* This was started using an old black and white, unlabelled and unnamed diagram I found years ago without a name or apparent owner. So I took what was there and extended it a fair bit to this (I seem to have lost the original sadly).

Basic but useful & set-and-forget Cisco stuff

Cisco Debug Stuff


1) Safe(r) Debugging

Any network engineer should be aware of the CPU overhead that debugging creates, as it demands that packets are process-switched; on a busy Cisco router this can cause it to stall or crash.

However, if you use buffered logging (to the internal memory buffer) instead, whilst still hard work for the device, the CPU will have a much better time and is less likely to crash;

no logging console debug   <- Exclude debug (7) logs from console
logging console 4          <- Enable log to console @syslog (0 - 4)
NB; Logging to the console is dangerous, and many crashes happen because the log write speed is far greater than the TTY console speed, overflowing the TTY buffer.

logging buffered debug     <- Enable temp log to file buffer @syslog (0 - 7)
logging buffered 16384 debugging <- Make the rolling log longer

clear log                  <- Clear the log
debug dhcp detail          <- Enable some debugging
debug ip dhcp server event <- Enable some debugging
show log                   <- Show the log
show debug                 <- Show which debug functions are enabled
undebug all                <- Turn off all debugging

NB; debugs are syslog level 7 messages (the highest of the 8 levels).

Hint; The above example will show you the elusive DHCP Client ID / Fingerprint for a client, to allow you to define a static DHCP reservation on Cisco routers! ;)




2) Debugging packets to/from a specific Host

access-list 101 permit tcp host 172.16.0.10 gt 1024 10.10.0.0 0.0.255.255 eq 22   <- E.g. match src 172.16.0.10 accessing servers on 22
interface gigabitEthernet 0/0
no ip route-cache   <- Force "process switching" on
terminal monitor    <- If SSH session
logging console     <- If Console session
debug ip packet 101 detail

undebug all  <- Turn off all debugging processes




Cisco Logging and Tracking Stuff


Console Logging
[no] logging console  <- Log to the console
[no] logging buffer   <- Log to internal memory buffer
terminal monitor      <- Clone all logs to the Terminal TTY (SSH Connection)
logging monitor informational <- Show all logs on SSH TTY from "0 to 6"
line vty 0 15
(config-line)#logging synchronous <- Make logs and CLI input display nicely
logging 10.2.2.2      <- Send logs to remote syslog server

logging console 6     <- This shows all logs from 0 - 6 (excludes 7)




1) Persistent Syslog Logging (Crash/Assert Debugging)

 logging buffered 40960
 logging persistent url flash:/syslogs size 131072 filesize 32768

Logs should now be written to flash, making them available after a reload or assert failure etc. I successfully relied on this recently to debug an SSL-VPNv3 AIM which kept crashing a router when users sent lots of data over SSL tunnels. It turned out to be a software issue with DTLS.

Often logs never reach the syslog server when assert failures are occurring, so local logging may be the only way to find the root cause of the assert.


2) Persistent Logging of all user CLI commands (Auditing)

Cisco supports tracking and logging of all CLI VTY commands.

archive
 log config
  record rc

  logging enable             <- Enable command logging
  notify syslog contenttype plaintext  <- Notify terminal


To see the command history typed by all admins;
rt2#show archive log config all
 idx   sess           user@line      Logged command
  125    16          admin@vty0     |interface GigabitEthernet0/1
  126    16          admin@vty0     | ip ospf 1 area 0
  127    16          admin@vty0     | ipv6 ospf 1 area 0
  128    16          admin@vty0     | router ospf 1
  129    16          admin@vty0     | no router-id
  130    16          admin@vty0     | router-id 172.16.31.254
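Turning that archive log into something a review script can consume, as an added example that is not from the original post: a Python parser for the "show archive log config all" output above (idx, session, user@line and the logged command, with the leading space kept as the config nesting depth), plus a small watch list of commands that reduce visibility, which is the kind of thing an audit log is there to catch. The sample is the post's own output with two constructed lines (idx 131 and 132) appended to exercise the watch list.

```python
"""Added example (not from the original post): parse "show archive log config all"
output into records and flag commands that weaken logging or auditing. The sample
is the post's output plus two constructed lines (idx 131 and 132).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = """\
 idx   sess           user@line      Logged command
  125    16          admin@vty0     |interface GigabitEthernet0/1
  126    16          admin@vty0     | ip ospf 1 area 0
  127    16          admin@vty0     | ipv6 ospf 1 area 0
  128    16          admin@vty0     | router ospf 1
  129    16          admin@vty0     | no router-id
  130    16          admin@vty0     | router-id 172.16.31.254
  131    16          admin@vty0     |no logging buffered
  132    16          admin@vty0     |no archive
"""

# One logged command per line; the header ("idx   sess ...") does not match.
ENTRY = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<sess>\d+)\s+(?P<user>[^@\s]+)@(?P<line>\S+)\s+\|(?P<cmd>.*)$")

# Commands that reduce visibility. Matched against the command with its leading
# indentation removed; extend for your own environment.
WATCH = (
    re.compile(r"^no logging\b"),
    re.compile(r"^no archive\b"),
    re.compile(r"^no aaa\b"),
    re.compile(r"^no service timestamps\b"),
)


@dataclass(frozen=True)
class Entry:
    idx: int
    sess: int
    user: str
    line: str
    depth: int   # leading spaces after '|': 0 = global config, 1 = inside a sub-mode
    cmd: str


def parse(text: str) -> List[Entry]:
    """Return one Entry per logged command, skipping the header and blank lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue
        cmd = m["cmd"]
        stripped = cmd.lstrip(" ")
        entries.append(Entry(int(m["idx"]), int(m["sess"]), m["user"], m["line"],
                             len(cmd) - len(stripped), stripped))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries whose command matches the watch list."""
    return [e for e in entries if any(p.match(e.cmd) for p in WATCH)]


def by_session(entries: List[Entry]) -> Dict[Tuple[str, str, int], List[Entry]]:
    """Group commands by (user, line, sess) so a whole change can be reviewed together."""
    groups: Dict[Tuple[str, str, int], List[Entry]] = {}
    for e in entries:
        groups.setdefault((e.user, e.line, e.sess), []).append(e)
    return groups


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for (user, line, sess), cmds in by_session(parsed).items():
        print(f"{user}@{line} session {sess}: {len(cmds)} commands")
    for e in flagged(parsed):
        print(f"REVIEW idx {e.idx} {e.user}@{e.line}: {e.cmd}")
```

Feed it the captured output of "show archive log config all" (or the plaintext lines "notify syslog" sends to your syslog server) and it gives you per-session change groupings and a short list of entries worth a second look.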




3) Persistent Configuration History (Configuration Rollbacks)

Cisco supports storing a rolling log of up to 14 previous configurations, and also supports replace and rollback functionality;

archive  
 path flash:/startup-config  <- Backup location
 maximum 14                  <- Number of previous configs to remember
 rollback filter adaptive    <- Enable rollback
 write-memory                <- Enable auto config backup during 'wr'


Each time you save with "write memory" or "copy run start", the configuration will be saved with a time stamp to the path location.

To see all saved previous configurations;

 rt2#show archive
The maximum archive configurations allowed is 14.
There are currently 2 archive configurations saved.
The next archive file will be named flash:/startup-config-<timestamp>-2
 Archive #  Name
   1        flash:/startup-configOct-13-20-32-53.733-BST-0
   2        flash:/startup-configOct-13-20-40-49.870-BST-1
<- Most Recent


To load a specific previous configuration immediately;
 

 configure replace flash:startup-config-Oct-20-22-56-13.799-BST-1


4) Timed Configuration Rollbacks

Do not use "reload in X" to protect against critical changes gone wrong; use automatic rollbacks with 'confirmed' changes instead (introduced in IOS 12.3(7)T). revert is similar to replace, but provides a transactional-log style of context rather than a full config replace.
 
1) To roll back to a specific previous configuration automatically (WITHOUT RELOADING!): you will have 5 minutes to make your changes, and if the changes are a success you must run "configure confirm" before the 5 minutes are up to accept them and cancel the rollback.

 configure replace flash:startup-config-Oct-20-22-56-13.799-BST-1 time 5
Make your risky changes ... When happy, cancel the rollback with;
 configure confirm

To rollback immediately;
 configure revert now


2) To automatically roll back only the most recent changes made within a 10 minute window, if "configure confirm" is not typed before the window is over;

 configure terminal revert timer 10
Make your risky changes
 configure confirm

When entering a change period/window like this, the CLI configuration is locked to stop other VTY admins making changes at the same time.
After confirming the commit, or after the rollback, the CLI lock is automatically released.

To see any locks;
 show configuration lock

NB; You will receive a "rolling back in 1 minute" warning in both examples.

For production deployments I recommend also installing RANCID (http://www.shrubbery.net/rancid/) or similar to maintain a config history in CVS/SVN/Git etc., located on a different host for redundancy. For smaller networks, or networks with only a few devices, storing a history of configs on flash: is often enough.



General Helpful Cisco Things


1) Command aliases

Built in aliases;
  • p for ping.
  • h for help.
  • lo for logout.
  • u for undebug.
  • w for where.
Create custom aliases to type less;
alias exec ...      <- Privileged Mode (router# prompt).
alias configure ... <- Global Configuration Mode (router(config)# prompt).
alias interface ... <- Interface Configuration Mode (router(config-if)# prompt).
Here are the aliases I use;
alias interface ns no shutdown

alias exec s show run
alias exec save copy running-config startup-config


alias exec siib show ip interface brief

alias exec sis show interface status
alias exec sir show ip route

alias exec si6ib show ipv6 interface brief
alias exec si6r show ipv6 route


alias exec c configure terminal
alias configure b router bgp 9999



2) Cisco Flash


Upgrading the flash memory
1) Back up the existing flash to a TFTP server;
archive tar /create tftp://<tftp_server>/flashbackup.tar flash:

2) Insert new (hopefully larger) Flash card.

3) Erase compact flash memory card (Class B Format - Low End File System);
erase slot0:
erase flash:

NB; The Class B file system is very basic and slow (r/w), but if you do not format you can often use cards larger than the officially supported maximum. You should format if the size is supported.


4) Format compact flash memory card (Class A/C Format - DOS File System);
format slot0:
format flash:

NB; slotX: is usually external, and flash: is usually internal, but on many models flash: also refers to an external slot. Yay Cisco consistency.

5) Restore flash backup to new flash;
archive tar /xtract tftp://<tftp_server>/flashbackup.tar flash:


3) Working with the flash

Read/print any local text file in flash out directly to VTY console;
more flash:syslogs/log_20160928-211019

Show all storage systems;
dir all

Delete storage directories;
delete /f /r flash:/<directory>


4) Copying files to / from flash

a) Enable SCP server on Cisco;
This assumes you already have SSH version 2 etc. working. For SCP file copies to work, you need to be able to SSH in and be dropped directly into privileged mode (enable is not needed).

aaa new-model 
aaa authentication login default local
username <user> privilege 15 secret <secretpassword>
aaa authorization exec default local <- Drops you at '<host>#' without requiring 'enable' (negate this after upgrade complete)
ip scp server enable <- Enable SCP (negate this after works are complete)

b) Copy from Flash to Computer

scp admin@172.16.1.1:flash:/c3825-adventerprisek9-mz.150-1.M1.bin /var/tmp

c) Copy from Computer to Flash

scp /var/tmp/c3825-adventerprisek9-mz.151-4.M10.bin admin@172.16.1.1:flash:/c3825-adventerprisek9-mz.151-4.M10.bin

NB; Adding "flash:" in the commands may not be required on all systems.

d) Verify that your uploaded firmware's MD5 matches the one shown on the Cisco site;

verify /md5 filesystem:filename [md5-hash]


http://www.cisco.com/c/en/us/td/docs/ios/fundamentals/configuration/guide/15_1s/cf_15_1s_book/cf_config-rollback.html