Friday, November 29, 2013

Restrict SSH access to Management IP address ranges - Juniper EX Switches

People from Cisco world would always wonder that how to restrict ssh access to a Juniper EX switch to fewer hosts or ranges

Here is how you do it..

Add IP address to Loopback interface

set interface lo0 unit 0 family inet address 127.0.0.1/32

Create a filter with allowed hosts or subnets

Term "SSH" permits Source Managements addresses

set firewall family inet filter RE_MANAGEMENT term SSH from source-address 10.80.0.0/21
set firewall family inet filter RE_MANAGEMENT term SSH from protocol tcp
set firewall family inet filter RE_MANAGEMENT term SSH from destination-port ssh
set firewall family inet filter RE_MANAGEMENT term SSH then count allow.ssh
set firewall family inet filter RE_MANAGEMENT term SSH then accept

Term "SSH_BLOCK" denies any other IP addresses trying to SSH to the box

set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from destination-port ssh
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then count discard.ssh
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then discard

and then a permit all rule

set firewall family inet filter RE_MANAGEMENT term default then accept

In Juniper world all the control traffic is processed via Loopback interfaces even if they were destined on any other interface on switch hence we will apply the filter inbound to Lo0 interface.

set interfaces lo0 unit 0 family inet filter input RE_MANAGEMENT

You can see the couters using below command

show firewall filter RE_MANAGEMENT    

Filter: RE_MANAGEMENT                                          
Counters:
Name                                                Bytes              Packets
allow.ssh                                           38023                  370
discard.ssh                                             0                    0

and thats it !! you're  done...and your switch's ssh access is now protected.

Wednesday, October 30, 2013

Auto Voice/VoIP VLAN and Data Vlan assignment to Phone and Desktop on Extreme Switch using LLDP

There are cases where one needs to deploy the VoIP phones in the existing network and due to lack of internal cabling you cant connect IPphones separately to switches.

The VoIP phones are usually connected to the switch and a Desktop is connected to IPphone as show below




In this scenario we can use LLDP ( Link layer discovery protocol) to advertise the Voice vlan details to IPphone so that we can get IP addresses on VoIP LAN and can add priority to the VoIP traffic. 

Basic requirement : The VoIP phone should be LLDP capable

Below is the configuration required on Extreme Switch

Create Voice Vlan and we will use default Vlan for the Data Network

create vlan "VOICE"
configure vlan VOICE tag 100
configure vlan Default add ports 1:1 untagged
configure vlan VOICE add ports 1:1 tagged

Configure LLDP on the interface

configure lldp transmit-interval 5
enable lldp ports 1:1
configure lldp port 1:1 advertise port-description
configure lldp port 1:1 advertise system-name
configure lldp port 1:1 advertise system-capabilities
configure lldp port 1:1 advertise management-address


configure lldp port 1:1 advertise vendor-specific dot1 vlan-name vlan VOICE
configure lldp port 1:1 advertise vendor-specific med policy application voice vlan VOICE dscp 46

This is it and switch is now configured to advertise Voice Vlan via LLDP to the phone and Data Vlan will be sent as untagged

Happy Calling..!!

Wednesday, September 4, 2013

Routing Instaces VRF on Juniper EX2200 is now Supported..!!

I have just learned that routing instances are now supported on Juniper EX-2200 series switches from Junos 12.3R1 version onwards. It is very handy feature and is analogous to Cisco's VRF-Lite.


Tuesday, September 3, 2013

VPN between Fortigate and vmWare vShield Edge

Here is the step by step configuration of VPN between Fortigate and vShield Edge

Fortigate configuration

Create addresses on the Fortigate


Create Phase-1 and Phase-2 on Fortigate



Add VPN policy on Fortigate


Now Configure vShield Edge from vShield Manager

Enable VPN



Add default configuration


Add Site 


Add Site details



Check the status as shown




Enjoy..!!

Juniper EX Series Switches - Policing / Ratelimiting traffic

If you are from Cisco world and just been asked to rate limit traffic on Juniper EX series switches then this is how you will accomplish it.

First configure a policer under firewall

policer TEST-POLICER {
    if-exceeding {
        bandwidth-limit 10485760;
        burst-size-limit 1966080;
    }
    then discard;

}

Then you will need to configure firewall filter first just like an ACL in Cisco

family ethernet-switching {
    filter TEST-POLICE {
        term 1 {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-address {
                    0.0.0.0/0;
                }
            }
            then policer TEST-POLICER;
        }
    }
}

The firewall filter can have multiple statements and you can apply different policers to "term"s. the above filter will apply the policer to all traffic. If your filters are specific and you want to restrict only few hosts or networks then you can have another term "default" without any action defined which will ensure that rest of the traffic is not policed

term default


Now apply the filter in the ingress on the RVI or the Interface;

show interfaces ge-0/0/42 
unit 0 {
    family ethernet-switching {
        port-mode access;
        vlan {
            members 422;
        }
        filter {
            input TEST-POLICE;
        }
    }
}

Please note that you cannot assign policers on the output direction as this is restricted in Juniper and will throw error when applying it.

You will need to create a shaper and apply it on the interface to shape the traffic to desired rate

show class-of-service 
interfaces {
    ge-0/0/42 {
        shaping-rate 10485760;
    }

}

Have Fun..!!

Fortigate VPN Debug log filter for IKE

During debugging VPN on Fortigate you may see logs from other active VPN's as well and if you running your firewall in MSP environment and have multiple customers hosted and they have VPN's then its not your good day...!!

Use below filters to make your life easy when debugging VPN IKE on Fortigates

diag  vpn ike  log-filter ?
clear        erase the current filter
dst-addr4    the IPv4 destination address range to filter by
dst-addr6    the IPv6 destination address range to filter by
dst-port     the destination port range to filter by
interface    interface that IKE connection is negotiated over
list         display the current filter
name         the phase1 name to filter by
negate       negate the specified filter parameter
src-addr4    the IPv4 source address range to filter by
src-addr6    the IPv6 source address range to filter by
src-port     the source port range to filter by
vd           index of virtual domain. -1 matches all


Once the filter is in place, you can then run debug using below command;

diag debug application ike -3


Saturday, June 23, 2012

OSPF Network Types

  • Broadcast : This network type uses 224.0.0.5 and 224.0.0.6, DR/BDR election is done between the neighbors.
  • Point-to-point: This network type uses multicast address 224.0.0.5 and no DR BDR election is performed between the neighbors
  • Point-to-Multipoint:  This network type uses multicast address 224.0.0.5 and no DR BDR election is performed between the neighbors. Hosts installs /32 routes for the endpoints.
  • Non-Broadcast: This network type used unicast instead of multicast. Neighbors needs to be defined statically and DR/BDR elections is done.
  • Point-to-Multipoint Non Broadbcast: Attributes of both Point-to-multipoint and Non-broadcast networks.

Restrict SSH access to Management IP address ranges - Juniper EX Switches

People from Cisco world would always wonder that how to restrict ssh access to a Juniper EX switch to fewer hosts or ranges Here is how y...